import openssl-3.0.7-6.el9_2

.gitignore

@@ -1 +1 @@
-SOURCES/openssl-3.0.1-hobbled.tar.xz
+SOURCES/openssl-3.0.7-hobbled.tar.gz

.openssl.metadata

@@ -1 +1 @@
-1170b5119f0e591f6a2515d099abd06d0184f77c SOURCES/openssl-3.0.1-hobbled.tar.xz
+54ab0e36f279f260196ac3274631bee93ab01d81 SOURCES/openssl-3.0.7-hobbled.tar.gz

SOURCES/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch

@@ -272,9 +272,9 @@ index 404a706fab..e81fa9ec3e 100644
 --- a/util/libcrypto.num
 +++ b/util/libcrypto.num
 @@ -5282,3 +5282,4 @@ OSSL_DECODER_CTX_set_input_structure    ?	3_0_0	EXIST::FUNCTION:
- ASN1_TIME_print_ex                      5553	3_0_0	EXIST::FUNCTION:
- EVP_PKEY_get0_provider                  5554	3_0_0	EXIST::FUNCTION:
  EVP_PKEY_CTX_get0_provider              5555	3_0_0	EXIST::FUNCTION:
+ OPENSSL_strcasecmp                      5556	3_0_3	EXIST::FUNCTION:
+ OPENSSL_strncasecmp                     5557	3_0_3	EXIST::FUNCTION:
 +ossl_safe_getenv                        ?	3_0_0	EXIST::FUNCTION:
 -- 
 2.26.2

SOURCES/0008-Add-FIPS_mode-compatibility-macro.patch

@@ -12,24 +12,12 @@ default context.
  3 files changed, 39 insertions(+)
  create mode 100644 include/openssl/fips.h
 
-diff --git a/include/openssl/crypto.h.in b/include/openssl/crypto.h.in
-index 1036da9a2b..9d4896fcaf 100644
---- a/include/openssl/crypto.h.in
-+++ b/include/openssl/crypto.h.in
-@@ -38,6 +38,7 @@ use OpenSSL::stackhash qw(generate_stack_macros);
- # include <openssl/opensslconf.h>
- # include <openssl/cryptoerr.h>
- # include <openssl/core.h>
-+# include <openssl/fips.h>
- 
- # ifdef CHARSET_EBCDIC
- #  include <openssl/ebcdic.h>
 diff --git a/include/openssl/fips.h b/include/openssl/fips.h
 new file mode 100644
 index 0000000000..c64f0f8e8f
 --- /dev/null
 +++ b/include/openssl/fips.h
-@@ -0,0 +1,25 @@
+@@ -0,0 +1,26 @@
 +/*
 + * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
 + *
@@ -43,6 +31,7 @@ index 0000000000..c64f0f8e8f
 +# define OPENSSL_FIPS_H
 +# pragma once
 +
++# include <openssl/evp.h>
 +# include <openssl/macros.h>
 +
 +# ifdef __cplusplus
@@ -58,10 +47,11 @@ index 0000000000..c64f0f8e8f
 diff -up openssl-3.0.0-beta1/test/property_test.c.fips-macro openssl-3.0.0-beta1/test/property_test.c
 --- openssl-3.0.0-beta1/test/property_test.c.fips-macro	2021-06-29 12:14:58.851557698 +0200
 +++ openssl-3.0.0-beta1/test/property_test.c	2021-06-29 12:17:14.630143832 +0200
-@@ -488,6 +488,18 @@ static int test_property_list_to_string(
+@@ -488,6 +488,19 @@ static int test_property_list_to_string(
      return ret;
  }
- 
+
++#include <openssl/fips.h>
 +static int test_downstream_FIPS_mode(void)
 +{
 +    int ret = 0;

SOURCES/0009-Add-Kernel-FIPS-mode-flag-support.patch

@@ -2,8 +2,8 @@ diff -up openssl-3.0.0-alpha13/crypto/context.c.kernel-fips openssl-3.0.0-alpha1
 --- openssl-3.0.0-alpha13/crypto/context.c.kernel-fips	2021-03-16 00:09:55.814826432 +0100
 +++ openssl-3.0.0-alpha13/crypto/context.c	2021-03-16 00:15:55.129043811 +0100
 @@ -12,11 +12,46 @@
- #include "internal/bio.h"
  #include "internal/provider.h"
+ #include "crypto/ctype.h"
  
 +# include <sys/types.h>
 +# include <sys/stat.h>

SOURCES/0011-Remove-EC-curves.patch

@@ -5011,3 +5011,15 @@ diff -up openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt.remov
  Title=prime256v1 curve tests
  
  PrivateKey=ALICE_cf_prime256v1
+diff -up openssl-3.0.7/test/recipes/15-test_ec.t.skipshort openssl-3.0.7/test/recipes/15-test_ec.t
+--- openssl-3.0.7/test/recipes/15-test_ec.t.skipshort	2022-11-23 12:40:55.324395782 +0100
++++ openssl-3.0.7/test/recipes/15-test_ec.t	2022-11-23 12:42:12.478094387 +0100
+@@ -90,7 +90,7 @@ subtest 'Ed448 conversions -- public key
+ 
+ subtest 'Check loading of fips and non-fips keys' => sub {
+     plan skip_all => "FIPS is disabled"
+-        if $no_fips;
++        if 1; #Red Hat specific, original value is $no_fips;
+ 
+     plan tests => 2;
+ 

SOURCES/0012-Disable-explicit-ec.patch

@@ -40,17 +40,17 @@ diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/te
  static OSSL_PARAM_BLD *bld_tri_nc = NULL;
 @@ -990,9 +990,9 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC")
  DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
- IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC")
+ IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC", 1)
  IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve, "EC")
 -DOMAIN_KEYS(ECExplicitPrime2G);
--IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC")
+-IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)
 -IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")
 +/*DOMAIN_KEYS(ECExplicitPrime2G);*/
-+/*IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC")*/
++/*IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)*/
 +/*IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")*/
  # ifndef OPENSSL_NO_EC2M
  DOMAIN_KEYS(ECExplicitTriNamedCurve);
- IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC")
+ IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC", 1)
 @@ -1318,7 +1318,7 @@ int setup_tests(void)
          || !create_ec_explicit_prime_params_namedcurve(bld_prime_nc)
          || !create_ec_explicit_prime_params(bld_prime)

SOURCES/0013-FIPS-provider-explicit-ec.patch

@@ -1,77 +0,0 @@
-diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
-index 78dc69082fab..8a86c9108d0d 100644
---- a/providers/implementations/keymgmt/ec_kmgmt.c
-+++ b/providers/implementations/keymgmt/ec_kmgmt.c
-@@ -470,9 +470,6 @@ int ec_export(void *keydata, int selection, OSSL_CALLBACK *param_cb,
-     if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0
-             && (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) == 0)
-         return 0;
--    if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0
--            && (selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0)
--        return 0;
- 
-     tmpl = OSSL_PARAM_BLD_new();
-     if (tmpl == NULL)
-diff --git a/test/recipes/15-test_ecparam.t b/test/recipes/15-test_ecparam.t
-index 766524e8cfa9..80bac6741290 100644
---- a/test/recipes/15-test_ecparam.t
-+++ b/test/recipes/15-test_ecparam.t
-@@ -13,7 +13,7 @@ use warnings;
- use File::Spec;
- use File::Compare qw/compare_text/;
- use OpenSSL::Glob;
--use OpenSSL::Test qw/:DEFAULT data_file/;
-+use OpenSSL::Test qw/:DEFAULT data_file srctop_file bldtop_dir/;
- use OpenSSL::Test::Utils;
- 
- setup("test_ecparam");
-@@ -25,7 +25,7 @@ my @valid = glob(data_file("valid", "*.pem"));
- my @noncanon = glob(data_file("noncanon", "*.pem"));
- my @invalid = glob(data_file("invalid", "*.pem"));
- 
--plan tests => 11;
-+plan tests => 12;
- 
- sub checkload {
-     my $files = shift; # List of files
-@@ -59,6 +59,8 @@ sub checkcompare {
-     }
- }
- 
-+my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
-+
- subtest "Check loading valid parameters by ecparam with -check" => sub {
-     plan tests => scalar(@valid);
-     checkload(\@valid, 1, "ecparam", "-check");
-@@ -113,3 +115,31 @@ subtest "Check pkeyparam does not change the parameter file on output" => sub {
-     plan tests => 2 * scalar(@valid);
-     checkcompare(\@valid, "pkeyparam");
- };
-+
-+subtest "Check loading of fips and non-fips params" => sub {
-+    plan skip_all => "FIPS is disabled"
-+        if $no_fips;
-+    plan tests => 3;
-+
-+    my $fipsconf = srctop_file("test", "fips-and-base.cnf");
-+    my $defaultconf = srctop_file("test", "default.cnf");
-+
-+    $ENV{OPENSSL_CONF} = $fipsconf;
-+
-+    ok(run(app(['openssl', 'ecparam',
-+                '-in', data_file('valid', 'secp384r1-explicit.pem'),
-+                '-check'])),
-+       "Loading explicitly encoded valid curve");
-+
-+    ok(run(app(['openssl', 'ecparam',
-+                '-in', data_file('valid', 'secp384r1-named.pem'),
-+                '-check'])),
-+       "Loading named valid curve");
-+
-+    ok(!run(app(['openssl', 'ecparam',
-+                '-in', data_file('valid', 'secp112r1-named.pem'),
-+                '-check'])),
-+       "Fail loading named non-fips curve");
-+
-+    $ENV{OPENSSL_CONF} = $defaultconf;
-+};

SOURCES/0014-FIPS-disable-explicit-ec.patch

@@ -1,421 +0,0 @@
-diff --git a/crypto/ec/ec_err.c b/crypto/ec/ec_err.c
-index 9dc143c2ac69..4d6f2a76ad20 100644
---- a/crypto/ec/ec_err.c
-+++ b/crypto/ec/ec_err.c
-@@ -1,6 +1,6 @@
- /*
-  * Generated by util/mkerr.pl DO NOT EDIT
-- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
-  *
-  * Licensed under the Apache License 2.0 (the "License").  You may not use
-  * this file except in compliance with the License.  You can obtain a copy
-@@ -35,6 +35,8 @@ static const ERR_STRING_DATA EC_str_reasons[] = {
-     "discriminant is zero"},
-     {ERR_PACK(ERR_LIB_EC, 0, EC_R_EC_GROUP_NEW_BY_NAME_FAILURE),
-     "ec group new by name failure"},
-+    {ERR_PACK(ERR_LIB_EC, 0, EC_R_EXPLICIT_PARAMS_NOT_SUPPORTED),
-+    "explicit params not supported"},
-     {ERR_PACK(ERR_LIB_EC, 0, EC_R_FAILED_MAKING_PUBLIC_KEY),
-     "failed making public key"},
-     {ERR_PACK(ERR_LIB_EC, 0, EC_R_FIELD_TOO_LARGE), "field too large"},
-diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
-index 2aeab7e3b6b5..f686e45f899d 100644
---- a/crypto/ec/ec_lib.c
-+++ b/crypto/ec/ec_lib.c
-@@ -1387,6 +1387,7 @@ int EC_GROUP_get_pentanomial_basis(const EC_GROUP *group, unsigned int *k1,
- }
- #endif
- 
-+#ifndef FIPS_MODULE
- /*
-  * Check if the explicit parameters group matches any built-in curves.
-  *
-@@ -1424,7 +1425,7 @@ static EC_GROUP *ec_group_explicit_to_named(const EC_GROUP *group,
-          * parameters with one created from a named group.
-          */
- 
--#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
-+# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
-         /*
-          * NID_wap_wsg_idm_ecid_wtls12 and NID_secp224r1 are both aliases for
-          * the same curve, we prefer the SECP nid when matching explicit
-@@ -1432,7 +1433,7 @@ static EC_GROUP *ec_group_explicit_to_named(const EC_GROUP *group,
-          */
-         if (curve_name_nid == NID_wap_wsg_idm_ecid_wtls12)
-             curve_name_nid = NID_secp224r1;
--#endif /* !def(OPENSSL_NO_EC_NISTP_64_GCC_128) */
-+# endif /* !def(OPENSSL_NO_EC_NISTP_64_GCC_128) */
- 
-         ret_group = EC_GROUP_new_by_curve_name_ex(libctx, propq, curve_name_nid);
-         if (ret_group == NULL)
-@@ -1467,6 +1468,7 @@ static EC_GROUP *ec_group_explicit_to_named(const EC_GROUP *group,
-     EC_GROUP_free(ret_group);
-     return NULL;
- }
-+#endif /* FIPS_MODULE */
- 
- static EC_GROUP *group_new_from_name(const OSSL_PARAM *p,
-                                      OSSL_LIB_CTX *libctx, const char *propq)
-@@ -1536,9 +1538,13 @@ int ossl_ec_group_set_params(EC_GROUP *group, const OSSL_PARAM params[])
- EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
-                                    OSSL_LIB_CTX *libctx, const char *propq)
- {
--    const OSSL_PARAM *ptmp, *pa, *pb;
-+    const OSSL_PARAM *ptmp;
-+    EC_GROUP *group = NULL;
-+
-+#ifndef FIPS_MODULE
-+    const OSSL_PARAM *pa, *pb;
-     int ok = 0;
--    EC_GROUP *group = NULL, *named_group = NULL;
-+    EC_GROUP *named_group = NULL;
-     BIGNUM *p = NULL, *a = NULL, *b = NULL, *order = NULL, *cofactor = NULL;
-     EC_POINT *point = NULL;
-     int field_bits = 0;
-@@ -1546,6 +1552,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
-     BN_CTX *bnctx = NULL;
-     const unsigned char *buf = NULL;
-     int encoding_flag = -1;
-+#endif
- 
-     /* This is the simple named group case */
-     ptmp = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_GROUP_NAME);
-@@ -1559,6 +1566,10 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
-         }
-         return group;
-     }
-+#ifdef FIPS_MODULE
-+    ERR_raise(ERR_LIB_EC, EC_R_EXPLICIT_PARAMS_NOT_SUPPORTED);
-+    return NULL;
-+#else
-     /* If it gets here then we are trying explicit parameters */
-     bnctx = BN_CTX_new_ex(libctx);
-     if (bnctx == NULL) {
-@@ -1623,10 +1634,10 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
-         /* create the EC_GROUP structure */
-         group = EC_GROUP_new_curve_GFp(p, a, b, bnctx);
-     } else {
--#ifdef OPENSSL_NO_EC2M
-+# ifdef OPENSSL_NO_EC2M
-         ERR_raise(ERR_LIB_EC, EC_R_GF2M_NOT_SUPPORTED);
-         goto err;
--#else
-+# else
-         /* create the EC_GROUP structure */
-         group = EC_GROUP_new_curve_GF2m(p, a, b, NULL);
-         if (group != NULL) {
-@@ -1636,7 +1647,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
-                 goto err;
-             }
-         }
--#endif /* OPENSSL_NO_EC2M */
-+# endif /* OPENSSL_NO_EC2M */
-     }
- 
-     if (group == NULL) {
-@@ -1733,4 +1744,5 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
-     BN_CTX_free(bnctx);
- 
-     return group;
-+#endif /* FIPS_MODULE */
- }
-diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
-index c4a94f955905..41df7127403c 100644
---- a/crypto/err/openssl.txt
-+++ b/crypto/err/openssl.txt
-@@ -553,6 +553,7 @@ EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING:159:curve does not support signing
- EC_R_DECODE_ERROR:142:decode error
- EC_R_DISCRIMINANT_IS_ZERO:118:discriminant is zero
- EC_R_EC_GROUP_NEW_BY_NAME_FAILURE:119:ec group new by name failure
-+EC_R_EXPLICIT_PARAMS_NOT_SUPPORTED:127:explicit params not supported
- EC_R_FAILED_MAKING_PUBLIC_KEY:166:failed making public key
- EC_R_FIELD_TOO_LARGE:143:field too large
- EC_R_GF2M_NOT_SUPPORTED:147:gf2m not supported
-diff --git a/include/crypto/ecerr.h b/include/crypto/ecerr.h
-index 07b6c7aa62dd..4658ae8fb2cd 100644
---- a/include/crypto/ecerr.h
-+++ b/include/crypto/ecerr.h
-@@ -1,6 +1,6 @@
- /*
-  * Generated by util/mkerr.pl DO NOT EDIT
-- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
-  *
-  * Licensed under the Apache License 2.0 (the "License").  You may not use
-  * this file except in compliance with the License.  You can obtain a copy
-diff --git a/include/openssl/ecerr.h b/include/openssl/ecerr.h
-index 49088d208b2c..46405ac62d91 100644
---- a/include/openssl/ecerr.h
-+++ b/include/openssl/ecerr.h
-@@ -1,6 +1,6 @@
- /*
-  * Generated by util/mkerr.pl DO NOT EDIT
-- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
-  *
-  * Licensed under the Apache License 2.0 (the "License").  You may not use
-  * this file except in compliance with the License.  You can obtain a copy
-@@ -35,6 +35,7 @@
- #  define EC_R_DECODE_ERROR                                142
- #  define EC_R_DISCRIMINANT_IS_ZERO                        118
- #  define EC_R_EC_GROUP_NEW_BY_NAME_FAILURE                119
-+#  define EC_R_EXPLICIT_PARAMS_NOT_SUPPORTED               127
- #  define EC_R_FAILED_MAKING_PUBLIC_KEY                    166
- #  define EC_R_FIELD_TOO_LARGE                             143
- #  define EC_R_GF2M_NOT_SUPPORTED                          147
-diff --git a/test/endecode_test.c b/test/endecode_test.c
-index 0c33dff0ee2b..3d78bea50ea3 100644
---- a/test/endecode_test.c
-+++ b/test/endecode_test.c
-@@ -147,6 +147,7 @@ typedef int (checker)(const char *file, const int line,
- typedef void (dumper)(const char *label, const void *data, size_t data_len);
- 
- #define FLAG_DECODE_WITH_TYPE   0x0001
-+#define FLAG_FAIL_IF_FIPS       0x0002
- 
- static int test_encode_decode(const char *file, const int line,
-                               const char *type, EVP_PKEY *pkey,
-@@ -170,8 +171,19 @@ static int test_encode_decode(const char *file, const int line,
-      * dumping purposes.
-      */
-     if (!TEST_true(encode_cb(file, line, &encoded, &encoded_len, pkey, selection,
--                             output_type, output_structure, pass, pcipher))
--        || !TEST_true(check_cb(file, line, type, encoded, encoded_len))
-+                             output_type, output_structure, pass, pcipher)))
-+        goto end;
-+
-+    if ((flags & FLAG_FAIL_IF_FIPS) != 0 && is_fips) {
-+        if (TEST_false(decode_cb(file, line, (void **)&pkey2, encoded,
-+                                  encoded_len, output_type, output_structure,
-+                                  (flags & FLAG_DECODE_WITH_TYPE ? type : NULL),
-+                                  selection, pass)))
-+            ok = 1;
-+        goto end;
-+    }
-+
-+    if (!TEST_true(check_cb(file, line, type, encoded, encoded_len))
-         || !TEST_true(decode_cb(file, line, (void **)&pkey2, encoded, encoded_len,
-                                 output_type, output_structure,
-                                 (flags & FLAG_DECODE_WITH_TYPE ? type : NULL),
-@@ -525,7 +537,7 @@ static int check_unprotected_PKCS8_DER(const char *file, const int line,
-     return ok;
- }
- 
--static int test_unprotected_via_DER(const char *type, EVP_PKEY *key)
-+static int test_unprotected_via_DER(const char *type, EVP_PKEY *key, int fips)
- {
-     return test_encode_decode(__FILE__, __LINE__, type, key,
-                               OSSL_KEYMGMT_SELECT_KEYPAIR
-@@ -533,7 +545,7 @@ static int test_unprotected_via_DER(const char *type, EVP_PKEY *key)
-                               "DER", "PrivateKeyInfo", NULL, NULL,
-                               encode_EVP_PKEY_prov, decode_EVP_PKEY_prov,
-                               test_mem, check_unprotected_PKCS8_DER,
--                              dump_der, 0);
-+                              dump_der, fips ? 0 : FLAG_FAIL_IF_FIPS);
- }
- 
- static int check_unprotected_PKCS8_PEM(const char *file, const int line,
-@@ -547,7 +559,7 @@ static int check_unprotected_PKCS8_PEM(const char *file, const int line,
-                         sizeof(expected_pem_header) - 1);
- }
- 
--static int test_unprotected_via_PEM(const char *type, EVP_PKEY *key)
-+static int test_unprotected_via_PEM(const char *type, EVP_PKEY *key, int fips)
- {
-     return test_encode_decode(__FILE__, __LINE__, type, key,
-                               OSSL_KEYMGMT_SELECT_KEYPAIR
-@@ -555,7 +567,7 @@ static int test_unprotected_via_PEM(const char *type, EVP_PKEY *key)
-                               "PEM", "PrivateKeyInfo", NULL, NULL,
-                               encode_EVP_PKEY_prov, decode_EVP_PKEY_prov,
-                               test_text, check_unprotected_PKCS8_PEM,
--                              dump_pem, 0);
-+                              dump_pem, fips ? 0 : FLAG_FAIL_IF_FIPS);
- }
- 
- #ifndef OPENSSL_NO_KEYPARAMS
-@@ -702,7 +714,7 @@ static int check_protected_PKCS8_DER(const char *file, const int line,
-     return ok;
- }
- 
--static int test_protected_via_DER(const char *type, EVP_PKEY *key)
-+static int test_protected_via_DER(const char *type, EVP_PKEY *key, int fips)
- {
-     return test_encode_decode(__FILE__, __LINE__, type, key,
-                               OSSL_KEYMGMT_SELECT_KEYPAIR
-@@ -711,7 +723,7 @@ static int test_protected_via_DER(const char *type, EVP_PKEY *key)
-                               pass, pass_cipher,
-                               encode_EVP_PKEY_prov, decode_EVP_PKEY_prov,
-                               test_mem, check_protected_PKCS8_DER,
--                              dump_der, 0);
-+                              dump_der, fips ? 0 : FLAG_FAIL_IF_FIPS);
- }
- 
- static int check_protected_PKCS8_PEM(const char *file, const int line,
-@@ -725,7 +737,7 @@ static int check_protected_PKCS8_PEM(const char *file, const int line,
-                         sizeof(expected_pem_header) - 1);
- }
- 
--static int test_protected_via_PEM(const char *type, EVP_PKEY *key)
-+static int test_protected_via_PEM(const char *type, EVP_PKEY *key, int fips)
- {
-     return test_encode_decode(__FILE__, __LINE__, type, key,
-                               OSSL_KEYMGMT_SELECT_KEYPAIR
-@@ -734,7 +746,7 @@ static int test_protected_via_PEM(const char *type, EVP_PKEY *key)
-                               pass, pass_cipher,
-                               encode_EVP_PKEY_prov, decode_EVP_PKEY_prov,
-                               test_text, check_protected_PKCS8_PEM,
--                              dump_pem, 0);
-+                              dump_pem, fips ? 0 : FLAG_FAIL_IF_FIPS);
- }
- 
- static int check_protected_legacy_PEM(const char *file, const int line,
-@@ -795,14 +807,15 @@ static int check_public_DER(const char *file, const int line,
-     return ok;
- }
- 
--static int test_public_via_DER(const char *type, EVP_PKEY *key)
-+static int test_public_via_DER(const char *type, EVP_PKEY *key, int fips)
- {
-     return test_encode_decode(__FILE__, __LINE__, type, key,
-                               OSSL_KEYMGMT_SELECT_PUBLIC_KEY
-                               | OSSL_KEYMGMT_SELECT_ALL_PARAMETERS,
-                               "DER", "SubjectPublicKeyInfo", NULL, NULL,
-                               encode_EVP_PKEY_prov, decode_EVP_PKEY_prov,
--                              test_mem, check_public_DER, dump_der, 0);
-+                              test_mem, check_public_DER, dump_der,
-+                              fips ? 0 : FLAG_FAIL_IF_FIPS);
- }
- 
- static int check_public_PEM(const char *file, const int line,
-@@ -816,14 +829,15 @@ static int check_public_PEM(const char *file, const int line,
-                      sizeof(expected_pem_header) - 1);
- }
- 
--static int test_public_via_PEM(const char *type, EVP_PKEY *key)
-+static int test_public_via_PEM(const char *type, EVP_PKEY *key, int fips)
- {
-     return test_encode_decode(__FILE__, __LINE__, type, key,
-                               OSSL_KEYMGMT_SELECT_PUBLIC_KEY
-                               | OSSL_KEYMGMT_SELECT_ALL_PARAMETERS,
-                               "PEM", "SubjectPublicKeyInfo", NULL, NULL,
-                               encode_EVP_PKEY_prov, decode_EVP_PKEY_prov,
--                              test_text, check_public_PEM, dump_pem, 0);
-+                              test_text, check_public_PEM, dump_pem,
-+                              fips ? 0 : FLAG_FAIL_IF_FIPS);
- }
- 
- static int check_public_MSBLOB(const char *file, const int line,
-@@ -868,30 +882,30 @@ static int test_public_via_MSBLOB(const char *type, EVP_PKEY *key)
-     EVP_PKEY_free(template_##KEYTYPE);                                  \
-     EVP_PKEY_free(key_##KEYTYPE)
- 
--#define IMPLEMENT_TEST_SUITE(KEYTYPE, KEYTYPEstr)                       \
-+#define IMPLEMENT_TEST_SUITE(KEYTYPE, KEYTYPEstr, fips)                 \
-     static int test_unprotected_##KEYTYPE##_via_DER(void)               \
-     {                                                                   \
--        return test_unprotected_via_DER(KEYTYPEstr, key_##KEYTYPE);     \
-+        return test_unprotected_via_DER(KEYTYPEstr, key_##KEYTYPE, fips); \
-     }                                                                   \
-     static int test_unprotected_##KEYTYPE##_via_PEM(void)               \
-     {                                                                   \
--        return test_unprotected_via_PEM(KEYTYPEstr, key_##KEYTYPE);     \
-+        return test_unprotected_via_PEM(KEYTYPEstr, key_##KEYTYPE, fips); \
-     }                                                                   \
-     static int test_protected_##KEYTYPE##_via_DER(void)                 \
-     {                                                                   \
--        return test_protected_via_DER(KEYTYPEstr, key_##KEYTYPE);       \
-+        return test_protected_via_DER(KEYTYPEstr, key_##KEYTYPE, fips); \
-     }                                                                   \
-     static int test_protected_##KEYTYPE##_via_PEM(void)                 \
-     {                                                                   \
--        return test_protected_via_PEM(KEYTYPEstr, key_##KEYTYPE);       \
-+        return test_protected_via_PEM(KEYTYPEstr, key_##KEYTYPE, fips); \
-     }                                                                   \
-     static int test_public_##KEYTYPE##_via_DER(void)                    \
-     {                                                                   \
--        return test_public_via_DER(KEYTYPEstr, key_##KEYTYPE);          \
-+        return test_public_via_DER(KEYTYPEstr, key_##KEYTYPE, fips);    \
-     }                                                                   \
-     static int test_public_##KEYTYPE##_via_PEM(void)                    \
-     {                                                                   \
--        return test_public_via_PEM(KEYTYPEstr, key_##KEYTYPE);          \
-+        return test_public_via_PEM(KEYTYPEstr, key_##KEYTYPE, fips);    \
-     }
- 
- #define ADD_TEST_SUITE(KEYTYPE)                                 \
-@@ -965,10 +979,10 @@ static int test_public_via_MSBLOB(const char *type, EVP_PKEY *key)
- 
- #ifndef OPENSSL_NO_DH
- DOMAIN_KEYS(DH);
--IMPLEMENT_TEST_SUITE(DH, "DH")
-+IMPLEMENT_TEST_SUITE(DH, "DH", 1)
- IMPLEMENT_TEST_SUITE_PARAMS(DH, "DH")
- DOMAIN_KEYS(DHX);
--IMPLEMENT_TEST_SUITE(DHX, "X9.42 DH")
-+IMPLEMENT_TEST_SUITE(DHX, "X9.42 DH", 1)
- IMPLEMENT_TEST_SUITE_PARAMS(DHX, "X9.42 DH")
- /*
-  * DH has no support for PEM_write_bio_PrivateKey_traditional(),
-@@ -977,7 +991,7 @@ IMPLEMENT_TEST_SUITE_PARAMS(DHX, "X9.42 DH")
- #endif
- #ifndef OPENSSL_NO_DSA
- DOMAIN_KEYS(DSA);
--IMPLEMENT_TEST_SUITE(DSA, "DSA")
-+IMPLEMENT_TEST_SUITE(DSA, "DSA", 1)
- IMPLEMENT_TEST_SUITE_PARAMS(DSA, "DSA")
- IMPLEMENT_TEST_SUITE_LEGACY(DSA, "DSA")
- IMPLEMENT_TEST_SUITE_MSBLOB(DSA, "DSA")
-@@ -988,41 +1002,41 @@ IMPLEMENT_TEST_SUITE_PROTECTED_PVK(DSA, "DSA")
- #endif
- #ifndef OPENSSL_NO_EC
- DOMAIN_KEYS(EC);
--IMPLEMENT_TEST_SUITE(EC, "EC")
-+IMPLEMENT_TEST_SUITE(EC, "EC", 1)
- IMPLEMENT_TEST_SUITE_PARAMS(EC, "EC")
- IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC")
- DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
--IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC")
-+IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC", 1)
- IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve, "EC")
- /*DOMAIN_KEYS(ECExplicitPrime2G);*/
--/*IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC")*/
-+/*IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)*/
- /*IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")*/
- # ifndef OPENSSL_NO_EC2M
- DOMAIN_KEYS(ECExplicitTriNamedCurve);
--IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC")
-+IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC", 1)
- IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve, "EC")
- DOMAIN_KEYS(ECExplicitTri2G);
--IMPLEMENT_TEST_SUITE(ECExplicitTri2G, "EC")
-+IMPLEMENT_TEST_SUITE(ECExplicitTri2G, "EC", 0)
- IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitTri2G, "EC")
- # endif
- KEYS(ED25519);
--IMPLEMENT_TEST_SUITE(ED25519, "ED25519")
-+IMPLEMENT_TEST_SUITE(ED25519, "ED25519", 1)
- KEYS(ED448);
--IMPLEMENT_TEST_SUITE(ED448, "ED448")
-+IMPLEMENT_TEST_SUITE(ED448, "ED448", 1)
- KEYS(X25519);
--IMPLEMENT_TEST_SUITE(X25519, "X25519")
-+IMPLEMENT_TEST_SUITE(X25519, "X25519", 1)
- KEYS(X448);
--IMPLEMENT_TEST_SUITE(X448, "X448")
-+IMPLEMENT_TEST_SUITE(X448, "X448", 1)
- /*
-  * ED25519, ED448, X25519 and X448 have no support for
-  * PEM_write_bio_PrivateKey_traditional(), so no legacy tests.
-  */
- #endif
- KEYS(RSA);
--IMPLEMENT_TEST_SUITE(RSA, "RSA")
-+IMPLEMENT_TEST_SUITE(RSA, "RSA", 1)
- IMPLEMENT_TEST_SUITE_LEGACY(RSA, "RSA")
- KEYS(RSA_PSS);
--IMPLEMENT_TEST_SUITE(RSA_PSS, "RSA-PSS")
-+IMPLEMENT_TEST_SUITE(RSA_PSS, "RSA-PSS", 1)
- /*
-  * RSA-PSS has no support for PEM_write_bio_PrivateKey_traditional(),
-  * so no legacy tests.

SOURCES/0015-FIPS-decoded-from-explicit.patch

@@ -1,140 +0,0 @@
-diff --git a/crypto/ec/ec_backend.c b/crypto/ec/ec_backend.c
-index bea01fb38f66..48721369ae8f 100644
---- a/crypto/ec/ec_backend.c
-+++ b/crypto/ec/ec_backend.c
-@@ -318,6 +318,11 @@ int ossl_ec_group_todata(const EC_GROUP *group, OSSL_PARAM_BLD *tmpl,
-         return 0;
-     }
- 
-+    if (!ossl_param_build_set_int(tmpl, params,
-+                                  OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS,
-+                                  group->decoded_from_explicit_params))
-+        return 0;
-+
-     curve_nid = EC_GROUP_get_curve_name(group);
- 
-     /*
-diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
-index 6b0591c6c8c7..b1696d93bd6d 100644
---- a/crypto/ec/ec_lib.c
-+++ b/crypto/ec/ec_lib.c
-@@ -1556,13 +1556,23 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
-     /* This is the simple named group case */
-     ptmp = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_GROUP_NAME);
-     if (ptmp != NULL) {
--        group = group_new_from_name(ptmp, libctx, propq);
--        if (group != NULL) {
--            if (!ossl_ec_group_set_params(group, params)) {
--                EC_GROUP_free(group);
--                group = NULL;
--            }
-+        int decoded = 0;
-+
-+        if ((group = group_new_from_name(ptmp, libctx, propq)) == NULL)
-+            return NULL;
-+        if (!ossl_ec_group_set_params(group, params)) {
-+            EC_GROUP_free(group);
-+            return NULL;
-+        }
-+
-+        ptmp = OSSL_PARAM_locate_const(params,
-+                                       OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS);
-+        if (ptmp != NULL && !OSSL_PARAM_get_int(ptmp, &decoded)) {
-+            ERR_raise(ERR_LIB_EC, EC_R_WRONG_CURVE_PARAMETERS);
-+            EC_GROUP_free(group);
-+            return NULL;
-         }
-+        group->decoded_from_explicit_params = decoded > 0;
-         return group;
-     }
- #ifdef FIPS_MODULE
-@@ -1733,6 +1743,8 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
-         EC_GROUP_free(group);
-         group = named_group;
-     }
-+    /* We've imported the group from explicit parameters, set it so. */
-+    group->decoded_from_explicit_params = 1;
-     ok = 1;
-  err:
-     if (!ok) {
-diff --git a/doc/man7/EVP_PKEY-EC.pod b/doc/man7/EVP_PKEY-EC.pod
-index eed83237c3b2..ee66a074f889 100644
---- a/doc/man7/EVP_PKEY-EC.pod
-+++ b/doc/man7/EVP_PKEY-EC.pod
-@@ -70,8 +70,8 @@ I<order> multiplied by the I<cofactor> gives the number of points on the curve.
- 
- =item  "decoded-from-explicit" (B<OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS>) <integer>
- 
--Gets a flag indicating wether the key or parameters were decoded from explicit
--curve parameters. Set to 1 if so or 0 if a named curve was used.
-+Sets or gets a flag indicating whether the key or parameters were decoded from
-+explicit curve parameters. Set to 1 if so or 0 if a named curve was used.
- 
- =item "use-cofactor-flag" (B<OSSL_PKEY_PARAM_USE_COFACTOR_ECDH>) <integer>
- 
-diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
-index 9260d4bf3635..7aed057cac89 100644
---- a/providers/implementations/keymgmt/ec_kmgmt.c
-+++ b/providers/implementations/keymgmt/ec_kmgmt.c
-@@ -525,7 +525,8 @@ int ec_export(void *keydata, int selection, OSSL_CALLBACK *param_cb,
-     OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_EC_GENERATOR, NULL, 0),            \
-     OSSL_PARAM_BN(OSSL_PKEY_PARAM_EC_ORDER, NULL, 0),                          \
-     OSSL_PARAM_BN(OSSL_PKEY_PARAM_EC_COFACTOR, NULL, 0),                       \
--    OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_EC_SEED, NULL, 0)
-+    OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_EC_SEED, NULL, 0),                 \
-+    OSSL_PARAM_int(OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS, NULL)
- 
- # define EC_IMEXPORTABLE_PUBLIC_KEY                                            \
-     OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, NULL, 0)
-diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
-index 700bbd849c95..ede14864d5ac 100644
---- a/test/recipes/25-test_verify.t
-+++ b/test/recipes/25-test_verify.t
-@@ -12,7 +12,7 @@ use warnings;
- 
- use File::Spec::Functions qw/canonpath/;
- use File::Copy;
--use OpenSSL::Test qw/:DEFAULT srctop_file ok_nofips with/;
-+use OpenSSL::Test qw/:DEFAULT srctop_file bldtop_dir ok_nofips with/;
- use OpenSSL::Test::Utils;
- 
- setup("test_verify");
-@@ -29,7 +29,7 @@ sub verify {
-     run(app([@args]));
- }
- 
--plan tests => 160;
-+plan tests => 163;
- 
- # Canonical success
- ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
-@@ -309,6 +309,29 @@ SKIP: {
-               ["ca-cert-ec-named"]),
-         "accept named curve leaf with named curve intermediate");
- }
-+# Same as above but with base provider used for decoding
-+SKIP: {
-+    my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
-+    skip "EC is not supported or FIPS is disabled", 3
-+        if disabled("ec") || $no_fips;
-+
-+    my $provconf = srctop_file("test", "fips-and-base.cnf");
-+    my $provpath = bldtop_dir("providers");
-+    my @prov = ("-provider-path", $provpath);
-+    $ENV{OPENSSL_CONF} = $provconf;
-+
-+    ok(!verify("ee-cert-ec-explicit", "", ["root-cert"],
-+               ["ca-cert-ec-named"], @prov),
-+        "reject explicit curve leaf with named curve intermediate w/fips");
-+    ok(!verify("ee-cert-ec-named-explicit", "", ["root-cert"],
-+               ["ca-cert-ec-explicit"], @prov),
-+        "reject named curve leaf with explicit curve intermediate w/fips");
-+    ok(verify("ee-cert-ec-named-named", "", ["root-cert"],
-+              ["ca-cert-ec-named"], @prov),
-+        "accept named curve leaf with named curve intermediate w/fips");
-+
-+    delete $ENV{OPENSSL_CONF};
-+}
- 
- # Depth tests, note the depth limit bounds the number of CA certificates
- # between the trust-anchor and the leaf, so, for example, with a root->ca->leaf

SOURCES/0031-tmp-Fix-test-names.patch

@@ -2,9 +2,9 @@ diff -up openssl-3.0.0/test/recipes/90-test_sslapi.t.beldmit openssl-3.0.0/test/
 --- openssl-3.0.0/test/recipes/90-test_sslapi.t.beldmit	2021-09-22 11:56:49.452507975 +0200
 +++ openssl-3.0.0/test/recipes/90-test_sslapi.t	2021-09-22 11:57:19.371764742 +0200
 @@ -40,7 +40,7 @@ unless ($no_fips) {
-                  srctop_file("test", "recipes", "90-test_sslapi_data",
-                              "passwd.txt"), $tmpfilename, "fips",
-                  srctop_file("test", "fips-and-base.cnf")])),
+                              "recipes",
+                              "90-test_sslapi_data",
+                              "dhparams.pem")])),
 -                 "running sslapitest");
 +                 "running sslapitest - FIPS");
  }

SOURCES/0035-speed-skip-unavailable-dgst.patch

@@ -11,16 +11,3 @@ diff -up openssl-3.0.0/apps/speed.c.beldmit openssl-3.0.0/apps/speed.c
          if (!EVP_MAC_init(mctx, NULL, 0, NULL)
              || !EVP_MAC_update(mctx, buf, lengths[testnum])
              || !EVP_MAC_final(mctx, mac, &outl, sizeof(mac)))
-@@ -1922,8 +1925,10 @@ int speed_main(int argc, char **argv)
-             if (loopargs[i].mctx == NULL)
-                 goto end;
- 
--            if (!EVP_MAC_CTX_set_params(loopargs[i].mctx, params))
--                goto end;
-+            if (!EVP_MAC_CTX_set_params(loopargs[i].mctx, params)) {
-+                EVP_MAC_CTX_free(loopargs[i].mctx);
-+                loopargs[i].mctx = NULL;
-+            }
-         }
-         for (testnum = 0; testnum < size_num; testnum++) {
-             print_message(names[D_HMAC], c[D_HMAC][testnum], lengths[testnum],

SOURCES/0045-FIPS-services-minimize.patch

@@ -717,35 +717,3 @@ diff -up openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen
  
      if (!ossl_prov_is_running())
          return 0;
-diff -up openssl-3.0.1/ssl/t1_lib.c.groupnames openssl-3.0.1/ssl/t1_lib.c
---- openssl-3.0.1/ssl/t1_lib.c.groupnames	2022-06-17 09:42:50.866748854 +0200
-+++ openssl-3.0.1/ssl/t1_lib.c	2022-06-17 09:49:07.715973172 +0200
-@@ -345,6 +345,7 @@ static int add_provider_groups(const OSS
-      * it.
-      */
-     ret = 1;
-+    (void)ERR_set_mark();
-     keymgmt = EVP_KEYMGMT_fetch(ctx->libctx, ginf->algorithm, ctx->propq);
-     if (keymgmt != NULL) {
-         /*
-@@ -366,6 +367,7 @@ static int add_provider_groups(const OSS
-         }
-         EVP_KEYMGMT_free(keymgmt);
-     }
-+    (void)ERR_pop_to_mark();
-  err:
-     if (ginf != NULL) {
-         OPENSSL_free(ginf->tlsname);
-@@ -725,8 +727,11 @@ static int gid_cb(const char *elem, int
-     etmp[len] = 0;
- 
-     gid = tls1_group_name2id(garg->ctx, etmp);
--    if (gid == 0)
-+    if (gid == 0) {
-+        ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
-+                       "group '%s' cannot be set", etmp);
-         return 0;
-+    }
-     for (i = 0; i < garg->gidcnt; i++)
-         if (garg->gid_arr[i] == gid)
-             return 0;

SOURCES/0046-FIPS-s390x-hardening.patch

@@ -1,22 +0,0 @@
-diff --git a/crypto/ec/ecp_s390x_nistp.c b/crypto/ec/ecp_s390x_nistp.c
-index 5c70b2d67840..c5726c638bdd 100644
---- a/crypto/ec/ecp_s390x_nistp.c
-+++ b/crypto/ec/ecp_s390x_nistp.c
-@@ -116,7 +116,7 @@ static int ec_GFp_s390x_nistp_mul(const EC_GROUP *group, EC_POINT *r,
-     /* Otherwise use default. */
-     if (rc == -1)
-         rc = ossl_ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
--    OPENSSL_cleanse(param + S390X_OFF_SCALAR(len), len);
-+    OPENSSL_cleanse(param, sizeof(param));
-     BN_CTX_end(ctx);
-     BN_CTX_free(new_ctx);
-     return rc;
-@@ -212,7 +212,7 @@ static ECDSA_SIG *ecdsa_s390x_nistp_sign_sig(const unsigned char *dgst,
- 
-     ok = 1;
- ret:
--    OPENSSL_cleanse(param + S390X_OFF_K(len), 2 * len);
-+    OPENSSL_cleanse(param, sizeof(param));
-     if (ok != 1) {
-         ECDSA_SIG_free(sig);
-         sig = NULL;

SOURCES/0048-correctly-handle-records.patch

@@ -1,52 +0,0 @@
-diff -up openssl-3.0.1/apps/s_server.c.handle-records openssl-3.0.1/apps/s_server.c
---- openssl-3.0.1/apps/s_server.c.handle-records	2022-02-03 15:26:16.803434943 +0100
-+++ openssl-3.0.1/apps/s_server.c	2022-02-03 15:34:33.358298697 +0100
-@@ -2982,7 +2982,9 @@ static int www_body(int s, int stype, in
-     /* Set width for a select call if needed */
-     width = s + 1;
- 
--    buf = app_malloc(bufsize, "server www buffer");
-+    /* as we use BIO_gets(), and it always null terminates data, we need
-+     * to allocate 1 byte longer buffer to fit the full 2^14 byte record */
-+    buf = app_malloc(bufsize + 1, "server www buffer");
-     io = BIO_new(BIO_f_buffer());
-     ssl_bio = BIO_new(BIO_f_ssl());
-     if ((io == NULL) || (ssl_bio == NULL))
-@@ -3047,7 +3049,7 @@ static int www_body(int s, int stype, in
-     }
- 
-     for (;;) {
--        i = BIO_gets(io, buf, bufsize - 1);
-+        i = BIO_gets(io, buf, bufsize + 1);
-         if (i < 0) {            /* error */
-             if (!BIO_should_retry(io) && !SSL_waiting_for_async(con)) {
-                 if (!s_quiet)
-@@ -3112,7 +3114,7 @@ static int www_body(int s, int stype, in
-                  * we're expecting to come from the client. If they haven't
-                  * sent one there's not much we can do.
-                  */
--                BIO_gets(io, buf, bufsize - 1);
-+                BIO_gets(io, buf, bufsize + 1);
-             }
- 
-             BIO_puts(io,
-@@ -3401,7 +3403,9 @@ static int rev_body(int s, int stype, in
-     SSL *con;
-     BIO *io, *ssl_bio, *sbio;
- 
--    buf = app_malloc(bufsize, "server rev buffer");
-+    /* as we use BIO_gets(), and it always null terminates data, we need
-+     * to allocate 1 byte longer buffer to fit the full 2^14 byte record */
-+    buf = app_malloc(bufsize + 1, "server rev buffer");
-     io = BIO_new(BIO_f_buffer());
-     ssl_bio = BIO_new(BIO_f_ssl());
-     if ((io == NULL) || (ssl_bio == NULL))
-@@ -3476,7 +3480,7 @@ static int rev_body(int s, int stype, in
-     print_ssl_summary(con);
- 
-     for (;;) {
--        i = BIO_gets(io, buf, bufsize - 1);
-+        i = BIO_gets(io, buf, bufsize + 1);
-         if (i < 0) {            /* error */
-             if (!BIO_should_retry(io)) {
-                 if (!s_quiet)

SOURCES/0049-Selectively-disallow-SHA1-signatures.patch

@@ -479,8 +479,8 @@ index 10b4e57d79..2d3c363bb0 100644
 --- a/util/libcrypto.num
 +++ b/util/libcrypto.num
 @@ -5426,3 +5426,5 @@ ASN1_TIME_print_ex                      5553	3_0_0	EXIST::FUNCTION:
- EVP_PKEY_get0_provider                  5554	3_0_0	EXIST::FUNCTION:
- EVP_PKEY_CTX_get0_provider              5555	3_0_0	EXIST::FUNCTION:
+ OPENSSL_strcasecmp                      5556	3_0_3	EXIST::FUNCTION:
+ OPENSSL_strncasecmp                     5557	3_0_3	EXIST::FUNCTION:
  ossl_safe_getenv                        ?	3_0_0	EXIST::FUNCTION:
 +ossl_ctx_legacy_digest_signatures_allowed ?	3_0_1	EXIST::FUNCTION:
 +ossl_ctx_legacy_digest_signatures_allowed_set ?	3_0_1	EXIST::FUNCTION:

SOURCES/0053-CVE-2022-0778.patch

@@ -1,188 +0,0 @@
-From 23f1773ddf92979006d0f438523f3c73320c384f Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Mon, 28 Feb 2022 18:26:30 +0100
-Subject: [PATCH] Add documentation of BN_mod_sqrt()
-
----
- doc/man3/BN_add.pod    | 15 +++++++++++++--
- util/missingcrypto.txt |  1 -
- 2 files changed, 13 insertions(+), 3 deletions(-)
-
-diff --git a/doc/man3/BN_add.pod b/doc/man3/BN_add.pod
-index 62d3ee7205..cf6c49c0e3 100644
---- a/doc/man3/BN_add.pod
-+++ b/doc/man3/BN_add.pod
-@@ -3,7 +3,7 @@
- =head1 NAME
- 
- BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add,
--BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_exp, BN_mod_exp, BN_gcd -
-+BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_mod_sqrt, BN_exp, BN_mod_exp, BN_gcd -
- arithmetic operations on BIGNUMs
- 
- =head1 SYNOPSIS
-@@ -36,6 +36,8 @@ arithmetic operations on BIGNUMs
- 
-  int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
- 
-+ BIGNUM *BN_mod_sqrt(BIGNUM *in, BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
-+
-  int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
- 
-  int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
-@@ -87,6 +89,12 @@ L<BN_mod_mul_reciprocal(3)>.
- BN_mod_sqr() takes the square of I<a> modulo B<m> and places the
- result in I<r>.
- 
-+BN_mod_sqrt() returns the modular square root of I<a> such that
-+C<in^2 = a (mod p)>. The modulus I<p> must be a
-+prime, otherwise an error or an incorrect "result" will be returned.
-+The result is stored into I<in> which can be NULL. The result will be
-+newly allocated in that case.
-+
- BN_exp() raises I<a> to the I<p>-th power and places the result in I<r>
- (C<r=a^p>). This function is faster than repeated applications of
- BN_mul().
-@@ -108,7 +116,10 @@ the arguments.
- 
- =head1 RETURN VALUES
- 
--For all functions, 1 is returned for success, 0 on error. The return
-+The BN_mod_sqrt() returns the result (possibly incorrect if I<p> is
-+not a prime), or NULL.
-+
-+For all remaining functions, 1 is returned for success, 0 on error. The return
- value should always be checked (e.g., C<if (!BN_add(r,a,b)) goto err;>).
- The error codes can be obtained by L<ERR_get_error(3)>.
- 
-diff --git a/util/missingcrypto.txt b/util/missingcrypto.txt
-index b61bdeb880..4d2fd7f6b7 100644
---- a/util/missingcrypto.txt
-+++ b/util/missingcrypto.txt
-@@ -264,7 +264,6 @@ BN_mod_lshift(3)
- BN_mod_lshift1(3)
- BN_mod_lshift1_quick(3)
- BN_mod_lshift_quick(3)
--BN_mod_sqrt(3)
- BN_mod_sub_quick(3)
- BN_nist_mod_192(3)
- BN_nist_mod_224(3)
-
-From 46673310c9a755b2a56f53d115854983d6ada11a Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Mon, 28 Feb 2022 18:26:35 +0100
-Subject: [PATCH] Add a negative testcase for BN_mod_sqrt
-
----
- test/bntest.c                          | 11 ++++++++++-
- test/recipes/10-test_bn_data/bnmod.txt | 12 ++++++++++++
- 2 files changed, 22 insertions(+), 1 deletion(-)
-
-diff --git a/test/bntest.c b/test/bntest.c
-index efdb3ef963..d49f87373a 100644
---- a/test/bntest.c
-+++ b/test/bntest.c
-@@ -1732,8 +1732,17 @@ static int file_modsqrt(STANZA *s)
-             || !TEST_ptr(ret2 = BN_new()))
-         goto err;
- 
-+    if (BN_is_negative(mod_sqrt)) {
-+        /* A negative testcase */
-+        if (!TEST_ptr_null(BN_mod_sqrt(ret, a, p, ctx)))
-+            goto err;
-+
-+        st = 1;
-+        goto err;
-+    }
-+
-     /* There are two possible answers. */
--    if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx))
-+    if (!TEST_ptr(BN_mod_sqrt(ret, a, p, ctx))
-             || !TEST_true(BN_sub(ret2, p, ret)))
-         goto err;
- 
-diff --git a/test/recipes/10-test_bn_data/bnmod.txt b/test/recipes/10-test_bn_data/bnmod.txt
-index e22d656091..bc8a434ea5 100644
---- a/test/recipes/10-test_bn_data/bnmod.txt
-+++ b/test/recipes/10-test_bn_data/bnmod.txt
-@@ -2799,3 +2799,15 @@ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
- ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186
- A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81
- P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
-+
-+# Negative testcases for BN_mod_sqrt()
-+
-+# This one triggers an infinite loop with unfixed implementation
-+# It should just fail.
-+ModSqrt = -1
-+A = 20a7ee
-+P = 460201
-+
-+ModSqrt = -1
-+A = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ed
-+P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
-
-From cafcc62d7719dea73f334c9ef763d1e215fcd94d Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Mon, 28 Feb 2022 18:26:21 +0100
-Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt()
-
-The calculation in some cases does not finish for non-prime p.
-
-This fixes CVE-2022-0778.
-
-Based on patch by David Benjamin <davidben@google.com>.
----
- crypto/bn/bn_sqrt.c | 30 ++++++++++++++++++------------
- 1 file changed, 18 insertions(+), 12 deletions(-)
-
-diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c
-index b663ae5ec5..c5ea7ab194 100644
---- a/crypto/bn/bn_sqrt.c
-+++ b/crypto/bn/bn_sqrt.c
-@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
- /*
-  * Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
-  * algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
-- * Theory", algorithm 1.5.1). 'p' must be prime!
-+ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
-+ * an incorrect "result" will be returned.
-  */
- {
-     BIGNUM *ret = in;
-@@ -303,18 +304,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
-             goto vrfy;
-         }
- 
--        /* find smallest  i  such that  b^(2^i) = 1 */
--        i = 1;
--        if (!BN_mod_sqr(t, b, p, ctx))
--            goto end;
--        while (!BN_is_one(t)) {
--            i++;
--            if (i == e) {
--                ERR_raise(ERR_LIB_BN, BN_R_NOT_A_SQUARE);
--                goto end;
-+        /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
-+        for (i = 1; i < e; i++) {
-+            if (i == 1) {
-+                if (!BN_mod_sqr(t, b, p, ctx))
-+                    goto end;
-+
-+            } else {
-+                if (!BN_mod_mul(t, t, t, p, ctx))
-+                    goto end;
-             }
--            if (!BN_mod_mul(t, t, t, p, ctx))
--                goto end;
-+            if (BN_is_one(t))
-+                break;
-+        }
-+        /* If not found, a is not a square or p is not prime. */
-+        if (i >= e) {
-+            ERR_raise(ERR_LIB_BN, BN_R_NOT_A_SQUARE);
-+            goto end;
-         }
- 
-         /* t := y^2^(e - i - 1) */
-

SOURCES/0054-Replace-size-check-with-more-meaningful-pubkey-check.patch

@@ -1,53 +0,0 @@
-From 2c0f7d46b8449423446cfe1e52fc1e1ecd506b62 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Wed, 2 Feb 2022 17:47:26 +0100
-Subject: [PATCH] Replace size check with more meaningful pubkey check
-
-It does not make sense to check the size because this
-function can be used in other contexts than in TLS-1.3 and
-the value might not be padded to the size of p.
-
-However it makes sense to do the partial pubkey check because
-there is no valid reason having the pubkey value outside the
-1 < pubkey < p-1 bounds.
-
-Fixes #15465
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/17630)
----
- crypto/dh/dh_key.c | 11 ++++-------
- 1 file changed, 4 insertions(+), 7 deletions(-)
-
-diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
-index 6b8cd550f2..c78ed618bf 100644
---- a/crypto/dh/dh_key.c
-+++ b/crypto/dh/dh_key.c
-@@ -375,20 +375,17 @@ int ossl_dh_buf2key(DH *dh, const unsigned char *buf, size_t len)
-     int err_reason = DH_R_BN_ERROR;
-     BIGNUM *pubkey = NULL;
-     const BIGNUM *p;
--    size_t p_size;
-+    int ret;
- 
-     if ((pubkey = BN_bin2bn(buf, len, NULL)) == NULL)
-         goto err;
-     DH_get0_pqg(dh, &p, NULL, NULL);
--    if (p == NULL || (p_size = BN_num_bytes(p)) == 0) {
-+    if (p == NULL || BN_num_bytes(p) == 0) {
-         err_reason = DH_R_NO_PARAMETERS_SET;
-         goto err;
-     }
--    /*
--     * As per Section 4.2.8.1 of RFC 8446 fail if DHE's
--     * public key is of size not equal to size of p
--     */
--    if (BN_is_zero(pubkey) || p_size != len) {
-+    /* Prevent small subgroup attacks per RFC 8446 Section 4.2.8.1 */
-+    if (!ossl_dh_check_pub_key_partial(dh, pubkey, &ret)) {
-         err_reason = DH_R_INVALID_PUBKEY;
-         goto err;
-     }
--- 
-2.35.1
-

SOURCES/0055-nonlegacy-fetch-null-deref.patch

@@ -1,23 +0,0 @@
-diff --git a/crypto/core_namemap.c b/crypto/core_namemap.c
-index e1da724bd2f4..2bee5ef19447 100644
---- a/crypto/core_namemap.c
-+++ b/crypto/core_namemap.c
-@@ -409,14 +409,16 @@ static void get_legacy_cipher_names(const OBJ_NAME *on, void *arg)
- {
-     const EVP_CIPHER *cipher = (void *)OBJ_NAME_get(on->name, on->type);
- 
--    get_legacy_evp_names(NID_undef, EVP_CIPHER_get_type(cipher), NULL, arg);
-+    if (cipher != NULL)
-+        get_legacy_evp_names(NID_undef, EVP_CIPHER_get_type(cipher), NULL, arg);
- }
- 
- static void get_legacy_md_names(const OBJ_NAME *on, void *arg)
- {
-     const EVP_MD *md = (void *)OBJ_NAME_get(on->name, on->type);
- 
--    get_legacy_evp_names(0, EVP_MD_get_type(md), NULL, arg);
-+    if (md != NULL)
-+        get_legacy_evp_names(0, EVP_MD_get_type(md), NULL, arg);
- }
- 
- static void get_legacy_pkey_meth_names(const EVP_PKEY_ASN1_METHOD *ameth,

SOURCES/0057-strcasecmp-fix.patch

@@ -1,104 +0,0 @@
-From 68f23e3725d9639f5b27d868fee291cabb516677 Mon Sep 17 00:00:00 2001
-From: Dmitry Belyavskiy <beldmit@gmail.com>
-Date: Fri, 22 Apr 2022 18:16:56 +0200
-Subject: [PATCH 1/2] Ensure we initialized the locale before
- evp_pkey_name2type
-
-Fixes #18158
----
- crypto/evp/pmeth_lib.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
-index 2b9c6c2351da..92d25de44532 100644
---- a/crypto/evp/pmeth_lib.c
-+++ b/crypto/evp/pmeth_lib.c
-@@ -27,6 +27,7 @@
- #ifndef FIPS_MODULE
- # include "crypto/asn1.h"
- #endif
-+#include "crypto/ctype.h"
- #include "crypto/evp.h"
- #include "crypto/dh.h"
- #include "crypto/ec.h"
-@@ -199,6 +200,7 @@ static EVP_PKEY_CTX *int_ctx_new(OSSL_LIB_CTX *libctx,
-             }
- #ifndef FIPS_MODULE
-             if (keytype != NULL) {
-+                ossl_init_casecmp();
-                 id = evp_pkey_name2type(keytype);
-                 if (id == NID_undef)
-                     id = -1;
-
-From 51c7b2d9c30b72aeb7e8eb69799dc039d5b23e58 Mon Sep 17 00:00:00 2001
-From: Dmitry Belyavskiy <beldmit@gmail.com>
-Date: Fri, 22 Apr 2022 19:26:08 +0200
-Subject: [PATCH 2/2] Testing the EVP_PKEY_CTX_new_from_name without
- preliminary init
-
----
- test/build.info                   |  6 +++++-
- test/evp_pkey_ctx_new_from_name.c | 14 ++++++++++++++
- test/recipes/02-test_localetest.t |  4 +++-
- 3 files changed, 22 insertions(+), 2 deletions(-)
- create mode 100644 test/evp_pkey_ctx_new_from_name.c
-
-diff --git a/test/build.info b/test/build.info
-index 14a84f00a258..ee059973d31a 100644
---- a/test/build.info
-+++ b/test/build.info
-@@ -37,7 +37,7 @@ IF[{- !$disabled{tests} -}]
-           sanitytest rsa_complex exdatatest bntest \
-           ecstresstest gmdifftest pbelutest \
-           destest mdc2test sha_test \
--          exptest pbetest localetest \
-+          exptest pbetest localetest evp_pkey_ctx_new_from_name\
-           evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \
-           evp_fetch_prov_test evp_libctx_test ossl_store_test \
-           v3nametest v3ext \
-@@ -139,6 +139,10 @@ IF[{- !$disabled{tests} -}]
-   INCLUDE[localetest]=../include ../apps/include
-   DEPEND[localetest]=../libcrypto libtestutil.a
- 
-+  SOURCE[evp_pkey_ctx_new_from_name]=evp_pkey_ctx_new_from_name.c
-+  INCLUDE[evp_pkey_ctx_new_from_name]=../include ../apps/include
-+  DEPEND[evp_pkey_ctx_new_from_name]=../libcrypto
-+
-   SOURCE[pbetest]=pbetest.c
-   INCLUDE[pbetest]=../include ../apps/include
-   DEPEND[pbetest]=../libcrypto libtestutil.a
-diff --git a/test/evp_pkey_ctx_new_from_name.c b/test/evp_pkey_ctx_new_from_name.c
-new file mode 100644
-index 000000000000..24063ea05ea5
---- /dev/null
-+++ b/test/evp_pkey_ctx_new_from_name.c
-@@ -0,0 +1,14 @@
-+#include <stdio.h>
-+#include <openssl/ec.h>
-+#include <openssl/evp.h>
-+#include <openssl/err.h>
-+
-+int main(int argc, char *argv[])
-+{
-+    EVP_PKEY_CTX *pctx = NULL;
-+
-+    pctx = EVP_PKEY_CTX_new_from_name(NULL, "NO_SUCH_ALGORITHM", NULL);
-+    EVP_PKEY_CTX_free(pctx);
-+
-+    return 0;
-+}
-diff --git a/test/recipes/02-test_localetest.t b/test/recipes/02-test_localetest.t
-index 1bccd57d4c63..77fba7d819ab 100644
---- a/test/recipes/02-test_localetest.t
-+++ b/test/recipes/02-test_localetest.t
-@@ -15,7 +15,9 @@ setup("locale tests");
- plan skip_all => "Locale tests not available on Windows or VMS"
-     if $^O =~ /^(VMS|MSWin32)$/;
- 
--plan tests => 2;
-+plan tests => 3;
-+
-+ok(run(test(["evp_pkey_ctx_new_from_name"])), "running evp_pkey_ctx_new_from_name without explicit context init");
- 
- $ENV{LANG} = "C";
- ok(run(test(["localetest"])), "running localetest");

SOURCES/0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch

@@ -567,554 +567,4 @@ index 8c52b637fc..ff75c5b6ec 100644
 +         }
  
          SKIP: {
-             skip "No IPv4 available on this machine", 1
-diff --git a/test/smime-certs/smdh.pem b/test/smime-certs/smdh.pem
-index 7d66a6b421..894461f6da 100644
---- a/test/smime-certs/smdh.pem
-+++ b/test/smime-certs/smdh.pem
-@@ -14,10 +14,10 @@ ta+9S7L4zNsvbg8RtJyH8i4CHQCY12PTXj6Ipxbqq4d1Q+AoUqnN/H9lAS46teXv
- BB8CHQCGE6pxpX5lWcH6+TGLDoLo3T5L2/5KTd0tRNdj
- -----END PRIVATE KEY-----
- -----BEGIN CERTIFICATE-----
--MIIFljCCBH6gAwIBAgIUYmx57362u3KsYCqtKby2mYi+pLMwDQYJKoZIhvcNAQEL
-+MIIFljCCBH6gAwIBAgIUMNF4DNf+H6AXGApe99UrJWFcAnwwDQYJKoZIhvcNAQEL
- BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
--BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MB4XDTIxMDExNTEwMDk1MloXDTMwMTEy
--NDEwMDk1MlowRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAx
-+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MB4XDTIyMDUyMzE0MzM0NloXDTMyMDMz
-+MTE0MzM0NlowRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAx
- HTAbBgNVBAMMFFRlc3QgUy9NSU1FIEVFIERIICMxMIIDQjCCAjUGByqGSM4+AgEw
- ggIoAoIBAQCCyx9ZhD6HY5xgusGDrJZJ+FdTe9OxD/p9DQNKqoLyJ10TAUXuycoz
- VqDAD4v1wsOAPH0TDOX9Ns87PXgTbd6DpSJtF1ZLW+1pklZs2m0cLl4raOe8CZGH
-@@ -38,10 +38,10 @@ Ixe06fY0eA9sfxx7+4lm2Jhw7XaIfguo8mgrfWjBzkkT2mcAHss/fdKcXNYrg+A+
- xgApPiyuy7S4YkQSsdV5Ns8UFttBCuojzEuWQ49fMZcv/rIHSHSxpbg2Sdka+d6h
- wOQHK6NgMF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYE
- FLG7SOccVVRWmPw87GRrYH/NCegTMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaI
--qSTm5bZsMA0GCSqGSIb3DQEBCwUAA4IBAQA5r5k39ghJIgQKjOXSffhtAaBPT0Um
--WtLjijp/iBUAowFpncDRIp+Ng7n/feJHDdnh59H0ZHGljWqZ3rgG3HjjArvG+iUm
--6aaS4KdM6OwK60JTUXBQ/InISXzrZof2oZ5BjO6L6yV6cpaYOLlLo3QjU8HE54G9
--7UyR48NSvhwPw+vS1Abjib+K1En/ctnlm0CurHgP56LrJxguFZZP6+UjCnEy0wxm
--VRr+y4+IgWikdOumMelJ+x9O9R7EPVfwQ9TYBtpo5hZQiGhSJ3Di9LZO5i0h2xjj
--AhtR8zmzusFX2Ruh2dXQWeNx/dMEcYRJLU1P+IxUq2g1GUiCgq2Xc7ZY
-+qSTm5bZsMA0GCSqGSIb3DQEBCwUAA4IBAQB9J2dIIbIAiB8ToXJcyO7HRPhdWC/Y
-+TE8cqeL+JiWNvIMB9fl2gOx6gj2h+yEr3lCpK/XDoWOs576UScS/vvs6fOjFHfkb
-+L4i9nHXD2KizXkM2hr9FzTRXd9c3XXLyB9t1z38qcpOMxoxAbnH8hWLQDPjFdArC
-+KWIqK/Vqxz4ZcIveM9GcVf78FU2DbQF4pwHjO9TsG7AbXiV4PXyJK75W5okAbZmQ
-+EmMmVXEJdXSOS4prP8DCW/LYJ5UddsVZba2BCHD3c1c2YTA4GsP3ZMoXvQoyj0L2
-+/xazs/AS373Of6H0s00itRTFABxve1I7kE5dQdc3oZjn6A/DbfjYUmr5
- -----END CERTIFICATE-----
-diff --git a/test/smime-certs/smdsa1.pem b/test/smime-certs/smdsa1.pem
-index b424f6704e..597d98f827 100644
---- a/test/smime-certs/smdsa1.pem
-+++ b/test/smime-certs/smdsa1.pem
-@@ -14,34 +14,34 @@ Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+
- TQMsxQQjAiEAkolGvb/76X3vm5Ov09ezqyBYt9cdj/FLH7DyMkxO7X0=
- -----END PRIVATE KEY-----
- -----BEGIN CERTIFICATE-----
--MIIFkDCCBHigAwIBAgIJANk5lu6mSyBDMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
--BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
--TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx
--CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
--ZXN0IFMvTUlNRSBFRSBEU0EgIzEwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8
--uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS
--7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS
--wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1
--+Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9
--Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D
--AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb
--0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu
--g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4
--0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv
--yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf
--7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P
--aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAGXSQADbuRIZBjiQ6NikwZl+x
--EDEffIE0RWbvwf1tfWxw4ZvanO/djyz5FePO0AIJDBCLUjr9D32nkmIG1Hu3dWgV
--86knQsM6uFiMSzY9nkJGZOlH3w4NHLE78pk75xR1sg1MEZr4x/t+a/ea9Y4AXklE
--DCcaHtpMGeAx3ZAqSKec+zQOOA73JWP1/gYHGdYyTQpQtwRTsh0Gi5mOOdpoJ0vp
--O83xYbFCZ+ZZKX1RWOjJe2OQBRtw739q1nRga1VMLAT/LFSQsSE3IOp8hiWbjnit
--1SE6q3II2a/aHZH/x4OzszfmtQfmerty3eQSq3bgajfxCsccnRjSbLeNiazRSKNg
--MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFNHQYTOO
--xaZ/N68OpxqjHKuatw6sMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs
--MA0GCSqGSIb3DQEBBQUAA4IBAQAAiLociMMXcLkO/uKjAjCIQMrsghrOrxn4ZGBx
--d/mCTeqPxhcrX2UorwxVCKI2+Dmz5dTC2xKprtvkiIadJamJmxYYzeF1pgRriFN3
--MkmMMkTbe/ekSvSeMtHQ2nHDCAJIaA/k9akWfA0+26Ec25/JKMrl3LttllsJMK1z
--Xj7TcQpAIWORKWSNxY/ezM34+9ABHDZB2waubFqS+irlZsn38aZRuUI0K67fuuIt
--17vMUBqQpe2hfNAjpZ8dIpEdAGjQ6izV2uwP1lXbiaK9U4dvUqmwyCIPniX7Hpaf
--0VnX0mEViXMT6vWZTjLBUv0oKmO7xBkWHIaaX6oyF32pK5AO
-+MIIFmzCCBIOgAwIBAgIUWGMqmBZZ1ykguVDk2Whn+2uKMA0wDQYJKoZIhvcNAQEL
-+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
-+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MB4XDTIyMDUyMzE0MjA0OFoXDTMyMDMz
-+MTE0MjA0OFowRTELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAx
-+HjAcBgNVBAMMFVRlc3QgUy9NSU1FIEVFIERTQSAjMTCCA0YwggI5BgcqhkjOOAQB
-+MIICLAKCAQEAkHy5TXXoT506xiDIcOK5NLrmupNZwht83Mn15YtewXQdpNBwT2kw
-+N2t2R3zrdQMMtFLtMGd4HT6/c9COuIZyVyBqLsyGp2e52ESJh7V+STBW13ssaNTs
-+HdmbN6BJPZ0FKFLDMb5mAv4ITy+WcdaT8XBwjsM1saBuMmTI4plznNf1u87yv+P4
-+Pws/XyLQ983XMnX4DP4StPwnmENtcX4an+Joyr/aZZwnFoE6BiPux/FSvNDBW5Dt
-+kCkc97z9f04yuj0ZvbBHgeW9dPkrxr9o9sPggtH1y+LOp+z7QZZv28MPMS9fwM/J
-+MHo1HCCNQ3PLjcMCEsBm8Ghgb5eyB6ZttQIhAK6HWYvpwimXUy/CIAo1959A7oT0
-+ZFUD48/welcHi1vTAoIBAH4ppFDcJ7Bhae5ijMySoR6EJDAdaic8iB4w80PydcY3
-+6Beotu2n8Nf1im6DQ+XrHmYZYQNkzuWSQepxsQzhPZVUMWFZpfvnEI+n6B4dU1SQ
-+IBpeJlrr3lv0c/jRIaSuM1XhLHzK25AcqTwcsscxdWePbeevMXSKPnvIyyPBYxHV
-+ziFIOHoQdzWOki/K+KCePY/7CVnx3A6Fh/yyvWWgRfDaX5SXtxeNEvEQ7zPI9hwv
-+stkOEMipNQ1xoh/u8kCxls69zO95At1AZ5x9IR8W+yEgwk+3QsP5R9Zwm1RQTjNA
-+EiNukkrBUl0K7w9pK8kXE2dCpMsoYaDzg1qVPk0DLMUDggEFAAKCAQAZdJAANu5E
-+hkGOJDo2KTBmX7EQMR98gTRFZu/B/W19bHDhm9qc792PLPkV487QAgkMEItSOv0P
-+faeSYgbUe7d1aBXzqSdCwzq4WIxLNj2eQkZk6UffDg0csTvymTvnFHWyDUwRmvjH
-++35r95r1jgBeSUQMJxoe2kwZ4DHdkCpIp5z7NA44DvclY/X+BgcZ1jJNClC3BFOy
-+HQaLmY452mgnS+k7zfFhsUJn5lkpfVFY6Ml7Y5AFG3Dvf2rWdGBrVUwsBP8sVJCx
-+ITcg6nyGJZuOeK3VITqrcgjZr9odkf/Hg7OzN+a1B+Z6u3Ld5BKrduBqN/EKxxyd
-+GNJst42JrNFIo2AwXjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNV
-+HQ4EFgQU0dBhM47Fpn83rw6nGqMcq5q3DqwwHwYDVR0jBBgwFoAUyZFTCmN7FluL
-+vUTwdoipJObltmwwDQYJKoZIhvcNAQELBQADggEBAC3W5L4plRWiaX03PncMHnaL
-+sp48+2jJen4avzNpRZF/bTQ621x/KLWelbMzBTMxU6jtU1LwCvsiOTSenUZ6W5vq
-+TGy6nwkMUrBN0nHmymVz5v40VBLtc2/5xF9UBZ1GMnmYko+d7VHBD6qu4hpi6OD1
-+3Z2kxCRaZ87y3IbVnl6zqdqxDxKCj4Ca+TT6AApm/MYVwpuvCVmuXrBBvJYTFFeZ
-+2J90jHlQep2rAaZu41oiIlmQUEf9flV0iPYjj+Pqdzr9ovWVbqt7l1WKOBDYdzJW
-+fQ8TvFSExkDQsDc0nkkLIfJBFUFuOpNmODvq+Ac8AGUBnl/Z3pAV4KVnnobIXHw=
- -----END CERTIFICATE-----
-diff --git a/test/smime-certs/smdsa2.pem b/test/smime-certs/smdsa2.pem
-index 648447fc89..a995f665bb 100644
---- a/test/smime-certs/smdsa2.pem
-+++ b/test/smime-certs/smdsa2.pem
-@@ -14,34 +14,34 @@ Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+
- TQMsxQQiAiAdCUJ5n2Q9hIynN8BMpnRcdfH696BKejGx+2Mr2kfnnA==
- -----END PRIVATE KEY-----
- -----BEGIN CERTIFICATE-----
--MIIFkDCCBHigAwIBAgIJANk5lu6mSyBEMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
--BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
--TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx
--CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
--ZXN0IFMvTUlNRSBFRSBEU0EgIzIwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8
--uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS
--7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS
--wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1
--+Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9
--Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D
--AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb
--0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu
--g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4
--0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv
--yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf
--7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P
--aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAItQlFu0t7Mw1HHROuuwKLS+E
--h2WNNZP96MLQTygOVlqgaJY+1mJLzvl/51LLH6YezX0t89Z2Dm/3SOJEdNrdbIEt
--tbu5rzymXxFhc8uaIYZFhST38oQwJOjM8wFitAQESe6/9HZjkexMqSqx/r5aEKTa
--LBinqA1BJRI72So1/1dv8P99FavPADdj8V7fAccReKEQKnfnwA7mrnD+OlIqFKFn
--3wCGk8Sw7tSJ9g6jgCI+zFwrKn2w+w+iot/Ogxl9yMAtKmAd689IAZr5GPPvV2y0
--KOogCiUYgSTSawZhr+rjyFavfI5dBWzMq4tKx/zAi6MJ+6hGJjJ8jHoT9JAPmaNg
--MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFGaxw04k
--qpufeGZC+TTBq8oMnXyrMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs
--MA0GCSqGSIb3DQEBBQUAA4IBAQCk2Xob1ICsdHYx/YsBzY6E1eEwcI4RZbZ3hEXp
--VA72/Mbz60gjv1OwE5Ay4j+xG7IpTio6y2A9ZNepGpzidYcsL/Lx9Sv1LlN0Ukzb
--uk6Czd2sZJp+PFMTTrgCd5rXKnZs/0D84Vci611vGMA1hnUnbAnBBmgLXe9pDNRV
--6mhmCLLjJ4GOr5Wxt/hhknr7V2e1VMx3Q47GZhc0o/gExfhxXA8+gicM0nEYNakD
--2A1F0qDhQGakjuofANHhjdUDqKJ1sxurAy80fqb0ddzJt2el89iXKN+aXx/zEX96
--GI5ON7z/bkVwIi549lUOpWb2Mved61NBzCLKVP7HSuEIsC/I
-+MIIFmzCCBIOgAwIBAgIUXgHGnvOCmrOH9biRq3yTCcDsliUwDQYJKoZIhvcNAQEL
-+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
-+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MB4XDTIyMDUyMzE0MjIyNloXDTMyMDMz
-+MTE0MjIyNlowRTELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAx
-+HjAcBgNVBAMMFVRlc3QgUy9NSU1FIEVFIERTQSAjMjCCA0YwggI5BgcqhkjOOAQB
-+MIICLAKCAQEAkHy5TXXoT506xiDIcOK5NLrmupNZwht83Mn15YtewXQdpNBwT2kw
-+N2t2R3zrdQMMtFLtMGd4HT6/c9COuIZyVyBqLsyGp2e52ESJh7V+STBW13ssaNTs
-+HdmbN6BJPZ0FKFLDMb5mAv4ITy+WcdaT8XBwjsM1saBuMmTI4plznNf1u87yv+P4
-+Pws/XyLQ983XMnX4DP4StPwnmENtcX4an+Joyr/aZZwnFoE6BiPux/FSvNDBW5Dt
-+kCkc97z9f04yuj0ZvbBHgeW9dPkrxr9o9sPggtH1y+LOp+z7QZZv28MPMS9fwM/J
-+MHo1HCCNQ3PLjcMCEsBm8Ghgb5eyB6ZttQIhAK6HWYvpwimXUy/CIAo1959A7oT0
-+ZFUD48/welcHi1vTAoIBAH4ppFDcJ7Bhae5ijMySoR6EJDAdaic8iB4w80PydcY3
-+6Beotu2n8Nf1im6DQ+XrHmYZYQNkzuWSQepxsQzhPZVUMWFZpfvnEI+n6B4dU1SQ
-+IBpeJlrr3lv0c/jRIaSuM1XhLHzK25AcqTwcsscxdWePbeevMXSKPnvIyyPBYxHV
-+ziFIOHoQdzWOki/K+KCePY/7CVnx3A6Fh/yyvWWgRfDaX5SXtxeNEvEQ7zPI9hwv
-+stkOEMipNQ1xoh/u8kCxls69zO95At1AZ5x9IR8W+yEgwk+3QsP5R9Zwm1RQTjNA
-+EiNukkrBUl0K7w9pK8kXE2dCpMsoYaDzg1qVPk0DLMUDggEFAAKCAQAi1CUW7S3s
-+zDUcdE667AotL4SHZY01k/3owtBPKA5WWqBolj7WYkvO+X/nUssfph7NfS3z1nYO
-+b/dI4kR02t1sgS21u7mvPKZfEWFzy5ohhkWFJPfyhDAk6MzzAWK0BARJ7r/0dmOR
-+7EypKrH+vloQpNosGKeoDUElEjvZKjX/V2/w/30Vq88AN2PxXt8BxxF4oRAqd+fA
-+DuaucP46UioUoWffAIaTxLDu1In2DqOAIj7MXCsqfbD7D6Ki386DGX3IwC0qYB3r
-+z0gBmvkY8+9XbLQo6iAKJRiBJNJrBmGv6uPIVq98jl0FbMyri0rH/MCLown7qEYm
-+MnyMehP0kA+Zo2AwXjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNV
-+HQ4EFgQUZrHDTiSqm594ZkL5NMGrygydfKswHwYDVR0jBBgwFoAUyZFTCmN7FluL
-+vUTwdoipJObltmwwDQYJKoZIhvcNAQELBQADggEBADhpm4d9pgdWTiX1ci4qxOat
-+MK+eAc3y8dwjacwiTD94fFy+MFzItAI2msF+ILXDCYDUpFZpBjlCNRzMu/ETghJx
-+53g4Hg6ioYmtLcYIAFQVIz4skdgV8npztK3ZQMSN3dcateZBf8KaEdP+cRtQs4IW
-+Y+EAZ6Fve2j/kz1x/cmhSFQdWhhS+WzYUCY+FLWDXMuNLh7rDWy1t8VaRHLBU4TU
-+q6W/qDaN2e6dKrzjEkqUstdGZ+JAkAZ+6CIABEnHeco1dEQUU5Atry7djeRhY68r
-+us++ajRd6DLWXrD4KePyTYSPc7rAcbBBYSwe48cTxlPfKItTCrRXmWJHCCZ0UBA=
- -----END CERTIFICATE-----
-diff --git a/test/smime-certs/smdsa3.pem b/test/smime-certs/smdsa3.pem
-index 77acc5e46f..9f703e52f0 100644
---- a/test/smime-certs/smdsa3.pem
-+++ b/test/smime-certs/smdsa3.pem
-@@ -14,34 +14,34 @@ Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+
- TQMsxQQjAiEArJr6p2zTbhRppQurHGTdmdYHqrDdZH4MCsD9tQCw1xY=
- -----END PRIVATE KEY-----
- -----BEGIN CERTIFICATE-----
--MIIFkDCCBHigAwIBAgIJANk5lu6mSyBFMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
--BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
--TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx
--CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
--ZXN0IFMvTUlNRSBFRSBEU0EgIzMwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8
--uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS
--7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS
--wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1
--+Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9
--Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D
--AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb
--0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu
--g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4
--0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv
--yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf
--7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P
--aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAcXvtfiJfIZ0wgGpN72ZeGrJ9
--msUXOxow7w3fDbP8r8nfVkBNbfha8rx0eY6fURFVZzIOd8EHGKypcH1gS6eZNucf
--zgsH1g5r5cRahMZmgGXBEBsWrh2IaDG7VSKt+9ghz27EKgjAQCzyHQL5FCJgR2p7
--cv0V4SRqgiAGYlJ191k2WtLOsVd8kX//jj1l8TUgE7TqpuSEpaSyQ4nzJROpZWZp
--N1RwFmCURReykABU/Nzin/+rZnvZrp8WoXSXEqxeB4mShRSaH57xFnJCpRwKJ4qS
--2uhATzJaKH7vu63k3DjftbSBVh+32YXwtHc+BGjs8S2aDtCW3FtDA7Z6J8BIxaNg
--MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFMJxatDE
--FCEFGl4uoiQQ1050Ju9RMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs
--MA0GCSqGSIb3DQEBBQUAA4IBAQBGZD1JnMep39KMOhD0iBTmyjhtcnRemckvRask
--pS/CqPwo+M+lPNdxpLU2w9b0QhPnj0yAS/BS1yBjsLGY4DP156k4Q3QOhwsrTmrK
--YOxg0w7DOpkv5g11YLJpHsjSOwg5uIMoefL8mjQK6XOFOmQXHJrUtGulu+fs6FlM
--khGJcW4xYVPK0x/mHvTT8tQaTTkgTdVHObHF5Dyx/F9NMpB3RFguQPk2kT4lJc4i
--Up8T9mLzaxz6xc4wwh8h70Zw81lkGYhX+LRk3sfd/REq9x4QXQNP9t9qU1CgrBzv
--4orzt9cda4r+rleSg2XjWnXzMydE6DuwPVPZlqnLbSYUy660
-+MIIFmzCCBIOgAwIBAgIUMMzeluWS9FTgzFM2PCI6rSt0++QwDQYJKoZIhvcNAQEL
-+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
-+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MB4XDTIyMDUyMzE0MjI0MloXDTMyMDMz
-+MTE0MjI0MlowRTELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAx
-+HjAcBgNVBAMMFVRlc3QgUy9NSU1FIEVFIERTQSAjMzCCA0YwggI5BgcqhkjOOAQB
-+MIICLAKCAQEAkHy5TXXoT506xiDIcOK5NLrmupNZwht83Mn15YtewXQdpNBwT2kw
-+N2t2R3zrdQMMtFLtMGd4HT6/c9COuIZyVyBqLsyGp2e52ESJh7V+STBW13ssaNTs
-+HdmbN6BJPZ0FKFLDMb5mAv4ITy+WcdaT8XBwjsM1saBuMmTI4plznNf1u87yv+P4
-+Pws/XyLQ983XMnX4DP4StPwnmENtcX4an+Joyr/aZZwnFoE6BiPux/FSvNDBW5Dt
-+kCkc97z9f04yuj0ZvbBHgeW9dPkrxr9o9sPggtH1y+LOp+z7QZZv28MPMS9fwM/J
-+MHo1HCCNQ3PLjcMCEsBm8Ghgb5eyB6ZttQIhAK6HWYvpwimXUy/CIAo1959A7oT0
-+ZFUD48/welcHi1vTAoIBAH4ppFDcJ7Bhae5ijMySoR6EJDAdaic8iB4w80PydcY3
-+6Beotu2n8Nf1im6DQ+XrHmYZYQNkzuWSQepxsQzhPZVUMWFZpfvnEI+n6B4dU1SQ
-+IBpeJlrr3lv0c/jRIaSuM1XhLHzK25AcqTwcsscxdWePbeevMXSKPnvIyyPBYxHV
-+ziFIOHoQdzWOki/K+KCePY/7CVnx3A6Fh/yyvWWgRfDaX5SXtxeNEvEQ7zPI9hwv
-+stkOEMipNQ1xoh/u8kCxls69zO95At1AZ5x9IR8W+yEgwk+3QsP5R9Zwm1RQTjNA
-+EiNukkrBUl0K7w9pK8kXE2dCpMsoYaDzg1qVPk0DLMUDggEFAAKCAQBxe+1+Il8h
-+nTCAak3vZl4asn2axRc7GjDvDd8Ns/yvyd9WQE1t+FryvHR5jp9REVVnMg53wQcY
-+rKlwfWBLp5k25x/OCwfWDmvlxFqExmaAZcEQGxauHYhoMbtVIq372CHPbsQqCMBA
-+LPIdAvkUImBHanty/RXhJGqCIAZiUnX3WTZa0s6xV3yRf/+OPWXxNSATtOqm5ISl
-+pLJDifMlE6llZmk3VHAWYJRFF7KQAFT83OKf/6tme9munxahdJcSrF4HiZKFFJof
-+nvEWckKlHAonipLa6EBPMloofu+7reTcON+1tIFWH7fZhfC0dz4EaOzxLZoO0Jbc
-+W0MDtnonwEjFo2AwXjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNV
-+HQ4EFgQUwnFq0MQUIQUaXi6iJBDXTnQm71EwHwYDVR0jBBgwFoAUyZFTCmN7FluL
-+vUTwdoipJObltmwwDQYJKoZIhvcNAQELBQADggEBAJNW/oEmpz6jZ7EjUkHhxDXR
-+egsZVjBO+E2hPCciEoZaM6jIDYphrCVbdOOyy1RvLBv3SRblaECmInsRpCNwf5B5
-+OaGN3hdsvx23IKnLJ7EKDauIOGhkzCMWjO8tez48UL0Wgta0+TpuiOT+UBoKb9fw
-+f0f4ab9wD9pED7ghMKlwI6/oppS4PrhwYS2nwYwGXpmgu6QZDln/cgoU7cQV7r3J
-+deMCpKGPyS429B9mUxlggZYvvJOm35ZiI7UAcGhJWIUrdXBxqx3DQ3CSf75vGP87
-+2vn6ZoXRXSLfE48GpUtQzP6/gZti68vZrHdzKWTyZxMs4+PGoHrW5hbNDsghKDs=
- -----END CERTIFICATE-----
-diff --git a/test/smime-certs/smec1.pem b/test/smime-certs/smec1.pem
-index 75a862666b..05754f3963 100644
---- a/test/smime-certs/smec1.pem
-+++ b/test/smime-certs/smec1.pem
-@@ -4,19 +4,19 @@ DMlYvkj0SmLmYvWULe2LfyXRmpWhRANCAAS+SIj2FY2DouPRuNDp9WVpsqef58tV
- 3gIwV0EOV/xyYTzZhufZi/aBcXugWR1x758x4nHus2uEuEFi3Mr3K3+x
- -----END PRIVATE KEY-----
- -----BEGIN CERTIFICATE-----
--MIICoDCCAYigAwIBAgIJANk5lu6mSyBGMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
--BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
--TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEQx
--CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU
--ZXN0IFMvTUlNRSBFRSBFQyAjMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABL5I
--iPYVjYOi49G40On1ZWmyp5/ny1XeAjBXQQ5X/HJhPNmG59mL9oFxe6BZHXHvnzHi
--ce6za4S4QWLcyvcrf7GjYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXg
--MB0GA1UdDgQWBBR/ybxC2DI+Jydhx1FMgPbMTmLzRzAfBgNVHSMEGDAWgBTJkVMK
--Y3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEAdk9si83JjtgHHHGy
--WcgWDfM0jzlWBsgFNQ9DwAuB7gJd/LG+5Ocajg5XdA5FXAdKkfwI6be3PdcVs3Bt
--7f/fdKfBxfr9/SvFHnK7PVAX2x1wwS4HglX1lfoyq1boSvsiJOnAX3jsqXJ9TJiV
--FlgRVnhnrw6zz3Xs/9ZDMTENUrqDHPNsDkKEi+9SqIsqDXpMCrGHP4ic+S8Rov1y
--S+0XioMxVyXDp6XcL4PQ/NgHbw5/+UcS0me0atZ6pW68C0vi6xeU5vxojyuZxMI1
--DXXwMhOXWaKff7KNhXDUN0g58iWlnyaCz4XQwFsbbFs88TQ1+e/aj3bbwTxUeyN7
--qtcHJA==
-+MIICqzCCAZOgAwIBAgIUZsuXIOmILju0nz1jVSgag5GrPyMwDQYJKoZIhvcNAQEL
-+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
-+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MB4XDTIyMDUyMzE0MjUyNFoXDTMyMDMz
-+MTE0MjUyNFowRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAx
-+HTAbBgNVBAMMFFRlc3QgUy9NSU1FIEVFIEVDICMxMFkwEwYHKoZIzj0CAQYIKoZI
-+zj0DAQcDQgAEvkiI9hWNg6Lj0bjQ6fVlabKnn+fLVd4CMFdBDlf8cmE82Ybn2Yv2
-+gXF7oFkdce+fMeJx7rNrhLhBYtzK9yt/saNgMF4wDAYDVR0TAQH/BAIwADAOBgNV
-+HQ8BAf8EBAMCBeAwHQYDVR0OBBYEFH/JvELYMj4nJ2HHUUyA9sxOYvNHMB8GA1Ud
-+IwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZsMA0GCSqGSIb3DQEBCwUAA4IBAQCp
-+sSEupiqT7S6oPS/5qtRF6POyxmhkH/Eh+RJitOODutxneJh+NdDqAQAOCexqcsF9
-+1BH9hB/H6b3mS4CbcRG6R/EwzqMPUgy8OYXTrqWI9jzMKGyrBo59QFfGrwP1h8hj
-+weVOVQU1iOloWPOfvMHehjX1Wt79/6BMMBvw+2qXXLAw2xpLFa4lU6HSoTiwoS5R
-+mimrHnZ9tQZb54bsvdrW84kV3u1FIQ5G7jAduu97Wfr3eZGaJhW1MZLeoL7Z4Usy
-+hRd2TJ6bZanb+wUJBcHOeW5ETj9MPtPsGIp8vETmY5XDm4UlX6tp4gAe4oeoIXFQ
-+V5ASvNRiGWIJK5XF+zRY
- -----END CERTIFICATE-----
-diff --git a/test/smime-certs/smec2.pem b/test/smime-certs/smec2.pem
-index 457297a760..7c502d8799 100644
---- a/test/smime-certs/smec2.pem
-+++ b/test/smime-certs/smec2.pem
-@@ -5,19 +5,19 @@ uCzLYF/8j1Scn/spczoC9vNzVhNw+Lg7dnjNL4EDIyYZLl7E0v69luzbvy+q44/8
- 6bQ=
- -----END PRIVATE KEY-----
- -----BEGIN CERTIFICATE-----
--MIICpTCCAY2gAwIBAgIJANk5lu6mSyBHMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
--BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
--TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEQx
--CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU
--ZXN0IFMvTUlNRSBFRSBFQyAjMjBeMBAGByqGSM49AgEGBSuBBAAQA0oABAXbOzq+
--huahP4z4/b70tntqy8UE2Lu4LMtgX/yPVJyf+ylzOgL283NWE3D4uDt2eM0vgQMj
--JhkuXsTS/r2W7Nu/L6rjj/zptKNgMF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8E
--BAMCBeAwHQYDVR0OBBYEFGf+QSQlkN20PsNN7x+jmQIJBDcXMB8GA1UdIwQYMBaA
--FMmRUwpjexZbi71E8HaIqSTm5bZsMA0GCSqGSIb3DQEBBQUAA4IBAQBaBBryl2Ez
--ftBrGENXMKQP3bBEw4n9ely6HvYQi9IC7HyK0ktz7B2FcJ4z96q38JN3cLxV0DhK
--xT/72pFmQwZVJngvRaol0k1B+bdmM03llxCw/uNNZejixDjHUI9gEfbigehd7QY0
--uYDu4k4O35/z/XPQ6O5Kzw+J2vdzU8GXlMBbWeZWAmEfLGbk3Ux0ouITnSz0ty5P
--rkHTo0uprlFcZAsrsNY5v5iuomYT7ZXAR3sqGZL1zPOKBnyfXeNFUfnKsZW7Fnlq
--IlYBQIjqR1HGxxgCSy66f1oplhxSch4PUpk5tqrs6LeOqc2+xROy1T5YrB3yjVs0
--4ZdCllHZkhop
-+MIICsDCCAZigAwIBAgIUWJSICrM9ZdmN6/jF/PoKng63XR0wDQYJKoZIhvcNAQEL
-+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
-+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MB4XDTIyMDUyMzE0MjgxOVoXDTMyMDMz
-+MTE0MjgxOVowRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAx
-+HTAbBgNVBAMMFFRlc3QgUy9NSU1FIEVFIEVDICMyMF4wEAYHKoZIzj0CAQYFK4EE
-+ABADSgAEBds7Or6G5qE/jPj9vvS2e2rLxQTYu7gsy2Bf/I9UnJ/7KXM6Avbzc1YT
-+cPi4O3Z4zS+BAyMmGS5exNL+vZbs278vquOP/Om0o2AwXjAMBgNVHRMBAf8EAjAA
-+MA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUZ/5BJCWQ3bQ+w03vH6OZAgkENxcw
-+HwYDVR0jBBgwFoAUyZFTCmN7FluLvUTwdoipJObltmwwDQYJKoZIhvcNAQELBQAD
-+ggEBACMGL6tuV/1lfrnx7TN/CnWdLEp55AlmzJ3MT9dXSOO1/df/fO3uAiiBNMyQ
-+Rcf4vOeBZEk/Xq6GIaAbuuT5ECg50uopEGjUDR9sRWC5yiw2CRQ5ZWTcqMapv+E5
-+7/1/tpaVHy+ZkJpbTV6O9gogEPy6uoft+tsel6NFoAj9ulkjuX9TortkVGPTfedd
-+oevI32G3z4L4Gv1PCZvFMwEIiAuFDZBbD86gw7rH4BNihRujJRhpnxeRu8zJYB60
-+cNeR2N7humdUy5uZnj6YHy3g2j0EDKOITHydIvL1KkSlihQrxEX5kMRr9RWRyFXJ
-+/UfNk+5Y3g5Mm642MLvjBEUqurw=
- -----END CERTIFICATE-----
-diff --git a/test/smime-certs/smec3.pem b/test/smime-certs/smec3.pem
-index 90eac867d0..5110e2984b 100644
---- a/test/smime-certs/smec3.pem
-+++ b/test/smime-certs/smec3.pem
-@@ -4,19 +4,19 @@ zSy+knGorGWZBGG5p//ke0WUSbqhRANCAARH8uHBHkuOfuyXgJj7V3lNqUEPiQNo
- xG8ntGjVmKRHfywdUoQJ1PgfbkCEsBk334rRFmja1r+MYyqn/A9ARiGB
- -----END PRIVATE KEY-----
- -----BEGIN CERTIFICATE-----
--MIICoDCCAYigAwIBAgIJAPaEOllWs/pjMA0GCSqGSIb3DQEBCwUAMEQxCzAJBgNV
--BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
--TUlNRSBSU0EgUm9vdDAeFw0xNzA4MTAxNTQyMDhaFw0yNzA2MTkxNTQyMDhaMEQx
--CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU
--ZXN0IFMvTUlNRSBFRSBFQyAjMzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEfy
--4cEeS45+7JeAmPtXeU2pQQ+JA2jEbye0aNWYpEd/LB1ShAnU+B9uQISwGTffitEW
--aNrWv4xjKqf8D0BGIYGjYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXg
--MB0GA1UdDgQWBBQLR+H9CmAY/KDyXWdVUM9FP766WzAfBgNVHSMEGDAWgBT3YQTy
--KJTdSIrnOcPj3pm5oVNtazANBgkqhkiG9w0BAQsFAAOCAQEAmMRuf8Iz5fr9f0GA
--HaNiOM5S7AIfZ6W7zzdeF63EF1j9HqP1DJsUW4y5b9azWmpp62kKuNaM4CGPUVvm
--diLKJVlrDcc+6lW9oROpnBsskhjqFMTjTANPQSAKZeKiG2W3U8Q103VQpuYvE4Nj
--OU9JT+5e4RZS7wxYk/IsvnyF/DkoF1FTMHo9/3Wiw4V4KRhpJIPnqojWNcfipmhM
--UDpbw0Oyj5fE7x6wvaoOUr8GNJE5NudtV/5QDh9REkjyKUdVYsuUrWwKqn3NT8EI
--OLl8wx3RqA8htRg/W+SoESx87rvW1saPGvfypBp4cl18B1IzTlC+FMbHFJvZqQn8
--Ci1l4Q==
-+MIICqzCCAZOgAwIBAgIUSG5MT0bOz48OfBayRWfoQwUcA50wDQYJKoZIhvcNAQEL
-+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
-+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MB4XDTIyMDUyMzE0Mjg1MloXDTMyMDMz
-+MTE0Mjg1MlowRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAx
-+HTAbBgNVBAMMFFRlc3QgUy9NSU1FIEVFIEVDICMzMFkwEwYHKoZIzj0CAQYIKoZI
-+zj0DAQcDQgAER/LhwR5Ljn7sl4CY+1d5TalBD4kDaMRvJ7Ro1ZikR38sHVKECdT4
-+H25AhLAZN9+K0RZo2ta/jGMqp/wPQEYhgaNgMF4wDAYDVR0TAQH/BAIwADAOBgNV
-+HQ8BAf8EBAMCBeAwHQYDVR0OBBYEFAtH4f0KYBj8oPJdZ1VQz0U/vrpbMB8GA1Ud
-+IwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZsMA0GCSqGSIb3DQEBCwUAA4IBAQBY
-+xXTNWQz38q37bRjyl6FWMdIaVRkle1Qzjo0bAVHsrYNwY36PBnJpfZE8aJS6WwD2
-+PUHWVLc0zd50pXbAa41FlquOdP5FNa8wOc+jHIiyWaE8SEdt0jsxPRTJ9kElXuJ5
-+wFx7icmRde7DWLG32SWwR1pFi4R/aDOOxpTzUuYvKuawfAUVQtQyCz8sahbmI8EW
-+H0KDuiyuncq1YjvHfaUR7QKijMJ0eBRsjUls0HeMjkehBkTrz78u7TJBWKE/BCiB
-+HzuZeMqHpSXtK6ZCRtQXTLv0HyenFmbdVSDiOFSnvdL5lyLT3aFQ19DVtGFCAUwZ
-+HQdD3KNn4i073Z7Ia2Xa
- -----END CERTIFICATE-----
-diff --git a/test/smime-certs/smroot.pem b/test/smime-certs/smroot.pem
-index d1a253f409..f62a54e2a3 100644
---- a/test/smime-certs/smroot.pem
-+++ b/test/smime-certs/smroot.pem
-@@ -27,23 +27,23 @@ vHkSiWpJUvZCuKG8Foh5pm9hU0qb+rbQV7NhLJ02qn1AMGO3F/WKrHPPY8/b9YhQ
- KfvPCYimQwBjVrEnSntLPR0=
- -----END PRIVATE KEY-----
- -----BEGIN CERTIFICATE-----
--MIIDbjCCAlagAwIBAgIJAMc+8VKBJ/S9MA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
--BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
--TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MjlaFw0yMzA3MTUxNzI4MjlaMEQx
--CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU
--ZXN0IFMvTUlNRSBSU0EgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
--ggEBALLJBcQPkfJVbCqdfLOZjfXvIxQmsh+wq9EQbYLr3V0k0eA2D6irmyO39/OT
--JLzgC906KJwCxqjhxgsO6W2FoulsLuawQGG/ACKXQU1vmDcRG6l7Uq5N1RXVS4P+
--LpLZWho1dQEGfWsP1ZwEFzSWfH/ha33Z5BMjr3bmm3tkc9DDY6WntNAMSXKLmo/E
--J6bi5PSDfNtmxaqaawgxdu74rd0SmvOoDW5wpdvFSZk2QzBWzZcKaUvGtFSPwLf/
--MQ20fXsdYLOeFH8hVxWSAi6SWR6IOwSFta9RC6ZVdHug+H8I9kBuMaqrmZW54dIe
--untusFVkodm+hSRrbxAtaK2rVbkCAwEAAaNjMGEwHQYDVR0OBBYEFMmRUwpjexZb
--i71E8HaIqSTm5bZsMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZsMA8G
--A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IB
--AQAwpIVWQey2u/XoQSMSu0jd0EZvU+lhLaFrDy/AHQeG3yX1+SAOM6f6w+efPvyb
--Op1NPI9UkMPb4PCg9YC7jgYokBkvAcI7J4FcuDKMVhyCD3cljp0ouuKruvEf4FBl
--zyQ9pLqA97TuG8g1hLTl8G90NzTRcmKpmhs18BmCxiqHcTfoIpb3QvPkDX8R7LVt
--9BUGgPY+8ELCgw868TuHh/Cnc67gBtRjBp0sCYVzGZmKsO5f1XdHrAZKYN5mEp0C
--7/OqcDoFqORTquLeycg1At/9GqhDEgxNrqA+YEsPbLGAfsNuXUsXs2ubpGsOZxKt
--Emsny2ah6fU2z7PztrUy/A80
-+MIIDeTCCAmGgAwIBAgIUF/2lFo3fH3uYuFalQVSIFqcYtd4wDQYJKoZIhvcNAQEL
-+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
-+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MB4XDTIyMDUyMzE0MDE1MloXDTMyMDUy
-+MDE0MDE1MlowRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAx
-+HTAbBgNVBAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MIIBIjANBgkqhkiG9w0BAQEF
-+AAOCAQ8AMIIBCgKCAQEAsskFxA+R8lVsKp18s5mN9e8jFCayH7Cr0RBtguvdXSTR
-+4DYPqKubI7f385MkvOAL3ToonALGqOHGCw7pbYWi6Wwu5rBAYb8AIpdBTW+YNxEb
-+qXtSrk3VFdVLg/4uktlaGjV1AQZ9aw/VnAQXNJZ8f+FrfdnkEyOvduabe2Rz0MNj
-+pae00AxJcouaj8QnpuLk9IN822bFqpprCDF27vit3RKa86gNbnCl28VJmTZDMFbN
-+lwppS8a0VI/At/8xDbR9ex1gs54UfyFXFZICLpJZHog7BIW1r1ELplV0e6D4fwj2
-+QG4xqquZlbnh0h66e26wVWSh2b6FJGtvEC1oratVuQIDAQABo2MwYTAdBgNVHQ4E
-+FgQUyZFTCmN7FluLvUTwdoipJObltmwwHwYDVR0jBBgwFoAUyZFTCmN7FluLvUTw
-+doipJObltmwwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZI
-+hvcNAQELBQADggEBAFUbNCqSA5JTIk4wkLiDxs6sGVgSGS/XyFurT5WtyLwR6eiN
-+r1Osq3DrF1805xzOjFfk3yYk2ctMMMXVEfXZavfNWgGSyUi6GrS+X1+y5snMpP7Z
-+tFlb7iXxiSn5lUE1IS3y9bAlWUwTnOwdX2RuALVAzQ6oAvGIIOhb7FTkMqwsQBDx
-+kBA9sgdCKv4d7zgFGdDMh1PGuia7+ZPWS9Nt3+WfRKzy4cf2p8+FTWkv1z7PtCSo
-+bZySoXgav6WYGdA0VZY29HzVWC5d/LwSkeJr7pw09UjXBPnrDHbJRa+4JpwwsMT2
-+b1E+cp36aagmQW97e8dCf3VzZWcD2bNJ9QM59d8=
- -----END CERTIFICATE-----
-diff --git a/test/smime-certs/smrsa1.pem b/test/smime-certs/smrsa1.pem
-index d0d0b9e66b..7eb331e2c9 100644
---- a/test/smime-certs/smrsa1.pem
-+++ b/test/smime-certs/smrsa1.pem
-@@ -27,23 +27,23 @@ iCwzDT6AJj63cS3VRO2ait3ZiLdpKdSNNW2WrlZs8FZr/mVutGEcWho8BugGMWST
- zQpuMJliRlrq/5JkIbH6SA==
- -----END PRIVATE KEY-----
- -----BEGIN CERTIFICATE-----
--MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBAMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
--BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
--TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx
--CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
--ZXN0IFMvTUlNRSBFRSBSU0EgIzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
--AoIBAQDXr9uzB/20QXKCxhkfNnJvl2xl1hzdOcrQmAqo+AAAcA/D49ImuJDVQRaK
--2bcj54XB26i1kXuOrxID3/etUb8yudfx8OAVwh8G0xVA4zhr8uXW85W2tBr4v0Lt
--+W6lSd6Hmfrk4GmE9LTU/vzl9HUPW6SZShN1G0nY6oeUXvLi0vasEUKv3a51T6JF
--Yg4c7qt5RCk/w8kwrQ0DorQwCdkOPEIiC4b+nPStF12SVm5bx8rbYzioxuY/PdSe
--bvt0APeqgRxSpCxqYnHsCoNeHzSrGXcP0COzFeUOz2tdrhmH09JLbGZs4nbojPxM
--kjpJSv3/ekDG2CHYxXSHXxpJstxZAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD
--VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBTmjc+lrTQuYx/VBOBGjMvufajvhDAfBgNV
--HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA
--dr2IRXcFtlF16kKWs1VTaFIHHNQrfSVHBkhKblPX3f/0s/i3eXgwKUu7Hnb6T3/o
--E8L+e4ioQNhahTLt9ruJNHWA/QDwOfkqM3tshCs2xOD1Cpy7Bd3Dn0YBrHKyNXRK
--WelGp+HetSXJGW4IZJP7iES7Um0DGktLabhZbe25EnthRDBjNnaAmcofHECWESZp
--lEHczGZfS9tRbzOCofxvgLbF64H7wYSyjAe6R8aain0VRbIusiD4tCHX/lOMh9xT
--GNBW8zTL+tV9H1unjPMORLnT0YQ3oAyEND0jCu0ACA1qGl+rzxhF6bQcTUNEbRMu
--9Hjq6s316fk4Ne0EUF3PbA==
-+MIIDdzCCAl+gAwIBAgIUNrEw2I4NEV0Nbo7AVOF9z4mPBiYwDQYJKoZIhvcNAQEL
-+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
-+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MB4XDTIyMDUyMzE0MDczN1oXDTMyMDMz
-+MTE0MDczN1owRTELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAx
-+HjAcBgNVBAMMFVRlc3QgUy9NSU1FIEVFIFJTQSAjMTCCASIwDQYJKoZIhvcNAQEB
-+BQADggEPADCCAQoCggEBANev27MH/bRBcoLGGR82cm+XbGXWHN05ytCYCqj4AABw
-+D8Pj0ia4kNVBForZtyPnhcHbqLWRe46vEgPf961RvzK51/Hw4BXCHwbTFUDjOGvy
-+5dbzlba0Gvi/Qu35bqVJ3oeZ+uTgaYT0tNT+/OX0dQ9bpJlKE3UbSdjqh5Re8uLS
-+9qwRQq/drnVPokViDhzuq3lEKT/DyTCtDQOitDAJ2Q48QiILhv6c9K0XXZJWblvH
-+yttjOKjG5j891J5u+3QA96qBHFKkLGpicewKg14fNKsZdw/QI7MV5Q7Pa12uGYfT
-+0ktsZmziduiM/EySOklK/f96QMbYIdjFdIdfGkmy3FkCAwEAAaNgMF4wDAYDVR0T
-+AQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFOaNz6WtNC5jH9UE4EaM
-+y+59qO+EMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZsMA0GCSqGSIb3
-+DQEBCwUAA4IBAQBMz3Ef3U0blTGhfP9HIBq09fWCgUN3aDDLZ/B6biFfWM87wlAm
-+CdIuy2jhiEt8Ld8U9y8dbO7c2gzHBGc9FhScBkfQInrbhSctXL/r/wOc0divK9rq
-+oXL2cL/CFfzcYPWNN3w6JAJyOhkhWnqF+/0T8+NdiRLE3a9NfX3a83GpfBVccYKQ
-+kKKeVIw2K1dYbtlSo1HwOckxqUzN00IPs3xC8U9KNXKy7o0kdetKhk70DzXQ64j0
-+EcmXxqPaCkgo3fl9z9nzKlWhg/qIi/1Bd1bpMP8IXAPEURDqhi0KI0w9GPCQRjfY
-+7NwXrLEayBoL8TNxcJ3FwdI20+bmhhILBZgO
- -----END CERTIFICATE-----
-diff --git a/test/smime-certs/smrsa2.pem b/test/smime-certs/smrsa2.pem
-index 2f17cb2978..4262742176 100644
---- a/test/smime-certs/smrsa2.pem
-+++ b/test/smime-certs/smrsa2.pem
-@@ -27,23 +27,23 @@ hT8V87esr/QzLVpjLedQDW8Xb7GiO3BsU/gVC9VcngenbL7JObl3NgvdreIYo6+n
- yrLyf+8hjm6H6zkjqiOkHAl+
- -----END PRIVATE KEY-----
- -----BEGIN CERTIFICATE-----
--MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBBMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
--BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
--TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx
--CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
--ZXN0IFMvTUlNRSBFRSBSU0EgIzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
--AoIBAQDcYC4tS2Uvn1Z2iDgtfkJA5tAqgbN6X4yK02RtVH5xekV9+6+eTt/9S+iF
--AzAnwqR/UB1R67ETrsWqV8u9xLg5fHIwIkmu9/6P31UU9cghO7J1lcrhHvooHaFp
--cXepPWQacpuBq2VvcKRDlDfVmdM5z6eS3dSZPTOMMP/xk4nhZB8mcw27qiccPieS
--0PZ9EZB63T1gmwaK1Rd5U94Pl0+zpDqhViuXmBfiIDWjjz0BzHnHSz5Rg4S3oXF1
--NcojhptIWyI0r7dgn5J3NxC4kgKdjzysxo6iWd0nLgz7h0jUdj79EOis4fg9G4f0
--EFWyQf7iDxGaA93Y9ePBJv5iFZVZAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD
--VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBT0arpyYMHXDPVL7MvzE+lx71L7sjAfBgNV
--HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA
--I8nM42am3aImkZyrw8iGkaGhKyi/dfajSWx6B9izBUh+3FleBnUxxOA+mn7M8C47
--Ne18iaaWK8vEux9KYTIY8BzXQZL1AuZ896cXEc6bGKsME37JSsocfuB5BIGWlYLv
--/ON5/SJ0iVFj4fAp8z7Vn5qxRJj9BhZDxaO1Raa6cz6pm0imJy9v8y01TI6HsK8c
--XJQLs7/U4Qb91K+IDNX/lgW3hzWjifNpIpT5JyY3DUgbkD595LFV5DDMZd0UOqcv
--6cyN42zkX8a0TWr3i5wu7pw4k1oD19RbUyljyleEp0DBauIct4GARdBGgi5y1H2i
--NzYzLAPBkHCMY0Is3KKIBw==
-+MIIDdzCCAl+gAwIBAgIUdWyHziJTdWjooy8SanPMwLxNsPEwDQYJKoZIhvcNAQEL
-+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
-+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MB4XDTIyMDUyMzE0MDkyNVoXDTMyMDMz
-+MTE0MDkyNVowRTELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAx
-+HjAcBgNVBAMMFVRlc3QgUy9NSU1FIEVFIFJTQSAjMjCCASIwDQYJKoZIhvcNAQEB
-+BQADggEPADCCAQoCggEBANxgLi1LZS+fVnaIOC1+QkDm0CqBs3pfjIrTZG1UfnF6
-+RX37r55O3/1L6IUDMCfCpH9QHVHrsROuxapXy73EuDl8cjAiSa73/o/fVRT1yCE7
-+snWVyuEe+igdoWlxd6k9ZBpym4GrZW9wpEOUN9WZ0znPp5Ld1Jk9M4ww//GTieFk
-+HyZzDbuqJxw+J5LQ9n0RkHrdPWCbBorVF3lT3g+XT7OkOqFWK5eYF+IgNaOPPQHM
-+ecdLPlGDhLehcXU1yiOGm0hbIjSvt2Cfknc3ELiSAp2PPKzGjqJZ3ScuDPuHSNR2
-+Pv0Q6Kzh+D0bh/QQVbJB/uIPEZoD3dj148Em/mIVlVkCAwEAAaNgMF4wDAYDVR0T
-+AQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFPRqunJgwdcM9Uvsy/MT
-+6XHvUvuyMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZsMA0GCSqGSIb3
-+DQEBCwUAA4IBAQBz02v4hd+EjW5NaMubkqPbgUTDRKdRq1RZM+C6m1MTMKy+8zTD
-+QSKRCFf0UmSPMsdTArry9x15fmHIJW21F3bw4ISeVXRyzBhOnrGKXUt2Lg9c2MLa
-+9C394ex0vw4ZGSNkrIARbM3084Chegs4PLMWLFam1H5J6wpvH8iXXYvhESW98luv
-+i3HVQzqLXw7/9XHxf8RnrRcy/WhAA+KegAQMGHTo5KPLliXtypYdCxBHNcmOwJlR
-+pSOp6fxhiRKN5DzcBPHOE/brZc4aNGgBHZgGg1g1Wb2lAylopgJrbyNkhEEwHVNM
-+1uLCnXKV1nX+EiMKkhSV761ozdhMGljYb+GE
- -----END CERTIFICATE-----
-diff --git a/test/smime-certs/smrsa3.pem b/test/smime-certs/smrsa3.pem
-index 14c27f64aa..f7dca3a004 100644
---- a/test/smime-certs/smrsa3.pem
-+++ b/test/smime-certs/smrsa3.pem
-@@ -27,23 +27,23 @@ yzYMXLmervN7c1jJe2Y2MYv6hE+Ypj1xGW4w7s8WNKmVzLv97beisD9AZrS7sXfF
- RvOAi5wVkYylDxV4238MAZIq
- -----END PRIVATE KEY-----
- -----BEGIN CERTIFICATE-----
--MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBCMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
--BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
--TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx
--CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
--ZXN0IFMvTUlNRSBFRSBSU0EgIzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
--AoIBAQCyK+BTAOJKJjjiOhY60NeZjzGGZxEBfCm62n0mwkzusW/V/e63uwj6uOVC
--FoVBz5doMf3M6QIS2jL3Aw6Qs5+vcuLA0gHrqIwjYQz1UZ5ETLKLKbQw6YOIVfsF
--STxytUVpfcByrubWiLKX63theG1/IVokDK/9/k52Kyt+wcCjuRb7AJQFj2OLDRuW
--m/gavozkK103gQ+dUq4HXamZMtTq1EhQOfc0IUeCOEL6xz4jzlHHfzLdkvb7Enha
--v2sXDfOmZp/DYf9IqS7lvFkkINPVbYFBTexaPZlFwmpGRjkmoyH/w+Jlcpzs+w6p
--1diWRpaSn62bbkRN49j6L2dVb+DfAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD
--VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBQ6CkW5sa6HrBsWvuPOvMjyL5AnsDAfBgNV
--HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA
--JhcrD7AKafVzlncA3cZ6epAruj1xwcfiE+EbuAaeWEGjoSltmevcjgoIxvijRVcp
--sCbNmHJZ/siQlqzWjjf3yoERvLDqngJZZpQeocMIbLRQf4wgLAuiBcvT52wTE+sa
--VexeETDy5J1OW3wE4A3rkdBp6hLaymlijFNnd5z/bP6w3AcIMWm45yPm0skM8RVr
--O3UstEFYD/iy+p+Y/YZDoxYQSW5Vl+NkpGmc5bzet8gQz4JeXtH3z5zUGoDM4XK7
--tXP3yUi2eecCbyjh/wgaQiVdylr1Kv3mxXcTl+cFO22asDkh0R/y72nTCu5fSILY
--CscFo2Z2pYROGtZDmYqhRw==
-+MIIDdzCCAl+gAwIBAgIUAKvI4FWjFLx8iBGifOW3mG/xkT0wDQYJKoZIhvcNAQEL
-+BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
-+BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MB4XDTIyMDUyMzE0MTEwNloXDTMyMDMz
-+MTE0MTEwNlowRTELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAx
-+HjAcBgNVBAMMFVRlc3QgUy9NSU1FIEVFIFJTQSAjMzCCASIwDQYJKoZIhvcNAQEB
-+BQADggEPADCCAQoCggEBALIr4FMA4komOOI6FjrQ15mPMYZnEQF8KbrafSbCTO6x
-+b9X97re7CPq45UIWhUHPl2gx/czpAhLaMvcDDpCzn69y4sDSAeuojCNhDPVRnkRM
-+sosptDDpg4hV+wVJPHK1RWl9wHKu5taIspfre2F4bX8hWiQMr/3+TnYrK37BwKO5
-+FvsAlAWPY4sNG5ab+Bq+jOQrXTeBD51SrgddqZky1OrUSFA59zQhR4I4QvrHPiPO
-+Ucd/Mt2S9vsSeFq/axcN86Zmn8Nh/0ipLuW8WSQg09VtgUFN7Fo9mUXCakZGOSaj
-+If/D4mVynOz7DqnV2JZGlpKfrZtuRE3j2PovZ1Vv4N8CAwEAAaNgMF4wDAYDVR0T
-+AQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFDoKRbmxroesGxa+4868
-+yPIvkCewMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZsMA0GCSqGSIb3
-+DQEBCwUAA4IBAQBfCCzWyZzIvq/ci6E74ovJ8mMel5Z9MU9EcvY0k7pJSUbpCg3c
-+P48CiAzt8r8Em4AymADfK1pYvvpTNVpU/USbdKR1hyxZjqWrYdsY7tlVuvZ92oFs
-+s3komuKHCx2SQAe5b+LWjC1Bf8JUFx+XTjYb/BBg7nQRwi3TkYVVmW7hXLYvf4Jn
-+Uyu0x02pDzUu+62jeYbNIVJnYwSU0gLHEo81QmNs06RLjnAhbneUZ6P6YuJOdDo7
-+xMw/ywijZM0FxsWxRSsCBwavhabg1Kb1lO//pbgcSa9T0D7ax1XoMni3RJnHj6gu
-+r0Mi3QjgZaxghR3TPh83dQLilECYDuD0uTzf
- -----END CERTIFICATE-----
--- 
-2.35.3
-
+             skip "No IPv4 available on this machine", 4

SOURCES/0062-fips-Expose-a-FIPS-indicator.patch

@@ -325,7 +325,7 @@ index de391ce067..1cfd71c5cf 100644
      { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_asym_cipher_functions },
      { NULL, NULL, NULL }
 @@ -527,6 +590,14 @@ static void fips_deinit_casecmp(void) {
-     freelocale(loc);
+     return NULL;
  }
  
 +const OSSL_RH_FIPSINDICATOR_ALGORITHM *redhat_ossl_query_fipsindicator(int operation_id) {

SOURCES/0063-CVE-2022-1473.patch

@@ -1,13 +0,0 @@
-diff --git a/crypto/lhash/lhash.c b/crypto/lhash/lhash.c
-index 2a574fbfe6aa..16f482db68a9 100644
---- a/crypto/lhash/lhash.c
-+++ b/crypto/lhash/lhash.c
-@@ -100,6 +100,8 @@ void OPENSSL_LH_flush(OPENSSL_LHASH *lh)
-         }
-         lh->b[i] = NULL;
-     }
-+
-+    lh->num_items = 0;
- }
- 
- void *OPENSSL_LH_insert(OPENSSL_LHASH *lh, void *data)

SOURCES/0064-CVE-2022-1343.diff

@@ -1,263 +0,0 @@
-diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
-index 7a4a45d537..3c5f48ec0a 100644
---- a/crypto/ocsp/ocsp_vfy.c
-+++ b/crypto/ocsp/ocsp_vfy.c
-@@ -59,9 +59,10 @@ static int ocsp_verify_signer(X509 *signer, int response,
- 
-     ret = X509_verify_cert(ctx);
-     if (ret <= 0) {
--        ret = X509_STORE_CTX_get_error(ctx);
-+        int err = X509_STORE_CTX_get_error(ctx);
-+
-         ERR_raise_data(ERR_LIB_OCSP, OCSP_R_CERTIFICATE_VERIFY_ERROR,
--                       "Verify error: %s", X509_verify_cert_error_string(ret));
-+                       "Verify error: %s", X509_verify_cert_error_string(err));
-         goto end;
-     }
-     if (chain != NULL)
-diff --git a/test/recipes/80-test_ocsp.t b/test/recipes/80-test_ocsp.t
-index d42030cb89..34fdfcbccc 100644
---- a/test/recipes/80-test_ocsp.t
-+++ b/test/recipes/80-test_ocsp.t
-@@ -35,6 +35,7 @@ sub test_ocsp {
-         $untrusted = $CAfile;
-     }
-     my $expected_exit = shift;
-+    my $nochecks = shift;
-     my $outputfile = basename($inputfile, '.ors') . '.dat';
- 
-     run(app(["openssl", "base64", "-d",
-@@ -45,7 +46,8 @@ sub test_ocsp {
-                            "-partial_chain", @check_time,
-                            "-CAfile", catfile($ocspdir, $CAfile),
-                            "-verify_other", catfile($ocspdir, $untrusted),
--                           "-no-CApath", "-no-CAstore"])),
-+                           "-no-CApath", "-no-CAstore",
-+                           $nochecks ? "-no_cert_checks" : ()])),
-                   $title); });
- }
- 
-@@ -55,143 +57,149 @@ subtest "=== VALID OCSP RESPONSES ===" => sub {
-     plan tests => 7;
- 
-     test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
--              "ND1.ors", "ND1_Issuer_ICA.pem", "", 0);
-+              "ND1.ors", "ND1_Issuer_ICA.pem", "", 0, 0);
-     test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
--              "ND2.ors", "ND2_Issuer_Root.pem", "", 0);
-+              "ND2.ors", "ND2_Issuer_Root.pem", "", 0, 0);
-     test_ocsp("NON-DELEGATED; Root CA -> EE",
--              "ND3.ors", "ND3_Issuer_Root.pem", "", 0);
-+              "ND3.ors", "ND3_Issuer_Root.pem", "", 0, 0);
-     test_ocsp("NON-DELEGATED; 3-level CA hierarchy",
--              "ND1.ors", "ND1_Cross_Root.pem", "ND1_Issuer_ICA-Cross.pem", 0);
-+              "ND1.ors", "ND1_Cross_Root.pem", "ND1_Issuer_ICA-Cross.pem", 0, 0);
-     test_ocsp("DELEGATED; Intermediate CA -> EE",
--              "D1.ors", "D1_Issuer_ICA.pem", "", 0);
-+              "D1.ors", "D1_Issuer_ICA.pem", "", 0, 0);
-     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
--              "D2.ors", "D2_Issuer_Root.pem", "", 0);
-+              "D2.ors", "D2_Issuer_Root.pem", "", 0, 0);
-     test_ocsp("DELEGATED; Root CA -> EE",
--              "D3.ors", "D3_Issuer_Root.pem", "", 0);
-+              "D3.ors", "D3_Issuer_Root.pem", "", 0, 0);
- };
- 
- subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub {
-     plan tests => 6;
- 
-     test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
--              "ISOP_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
-+              "ISOP_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
-     test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
--              "ISOP_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
-+              "ISOP_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
-     test_ocsp("NON-DELEGATED; Root CA -> EE",
--              "ISOP_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
-+              "ISOP_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
-     test_ocsp("DELEGATED; Intermediate CA -> EE",
--              "ISOP_D1.ors", "D1_Issuer_ICA.pem", "", 1);
-+              "ISOP_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
-     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
--              "ISOP_D2.ors", "D2_Issuer_Root.pem", "", 1);
-+              "ISOP_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
-     test_ocsp("DELEGATED; Root CA -> EE",
--              "ISOP_D3.ors", "D3_Issuer_Root.pem", "", 1);
-+              "ISOP_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
- };
- 
- subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub {
-     plan tests => 6;
- 
-     test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
--              "WRID_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
-+              "WRID_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
-     test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
--              "WRID_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
-+              "WRID_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
-     test_ocsp("NON-DELEGATED; Root CA -> EE",
--              "WRID_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
-+              "WRID_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
-     test_ocsp("DELEGATED; Intermediate CA -> EE",
--              "WRID_D1.ors", "D1_Issuer_ICA.pem", "", 1);
-+              "WRID_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
-     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
--              "WRID_D2.ors", "D2_Issuer_Root.pem", "", 1);
-+              "WRID_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
-     test_ocsp("DELEGATED; Root CA -> EE",
--              "WRID_D3.ors", "D3_Issuer_Root.pem", "", 1);
-+              "WRID_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
- };
- 
- subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub {
-     plan tests => 6;
- 
-     test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
--              "WINH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
-+              "WINH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
-     test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
--              "WINH_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
-+              "WINH_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
-     test_ocsp("NON-DELEGATED; Root CA -> EE",
--              "WINH_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
-+              "WINH_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
-     test_ocsp("DELEGATED; Intermediate CA -> EE",
--              "WINH_D1.ors", "D1_Issuer_ICA.pem", "", 1);
-+              "WINH_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
-     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
--              "WINH_D2.ors", "D2_Issuer_Root.pem", "", 1);
-+              "WINH_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
-     test_ocsp("DELEGATED; Root CA -> EE",
--              "WINH_D3.ors", "D3_Issuer_Root.pem", "", 1);
-+              "WINH_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
- };
- 
- subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub {
-     plan tests => 6;
- 
-     test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
--              "WIKH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
-+              "WIKH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1, 0);
-     test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
--              "WIKH_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
-+              "WIKH_ND2.ors", "ND2_Issuer_Root.pem", "", 1, 0);
-     test_ocsp("NON-DELEGATED; Root CA -> EE",
--              "WIKH_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
-+              "WIKH_ND3.ors", "ND3_Issuer_Root.pem", "", 1, 0);
-     test_ocsp("DELEGATED; Intermediate CA -> EE",
--              "WIKH_D1.ors", "D1_Issuer_ICA.pem", "", 1);
-+              "WIKH_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
-     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
--              "WIKH_D2.ors", "D2_Issuer_Root.pem", "", 1);
-+              "WIKH_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
-     test_ocsp("DELEGATED; Root CA -> EE",
--              "WIKH_D3.ors", "D3_Issuer_Root.pem", "", 1);
-+              "WIKH_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
- };
- 
- subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
-     plan tests => 3;
- 
-     test_ocsp("DELEGATED; Intermediate CA -> EE",
--              "WKDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1);
-+              "WKDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
-     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
--              "WKDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1);
-+              "WKDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
-     test_ocsp("DELEGATED; Root CA -> EE",
--              "WKDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1);
-+              "WKDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
- };
- 
- subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
--    plan tests => 3;
-+    plan tests => 6;
- 
-     test_ocsp("DELEGATED; Intermediate CA -> EE",
--              "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1);
-+              "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 0);
-+    test_ocsp("DELEGATED; Root CA -> Intermediate CA",
-+              "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 0);
-+    test_ocsp("DELEGATED; Root CA -> EE",
-+              "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 0);
-+    test_ocsp("DELEGATED; Intermediate CA -> EE",
-+              "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1, 1);
-     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
--              "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1);
-+              "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1, 1);
-     test_ocsp("DELEGATED; Root CA -> EE",
--              "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1);
-+              "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1, 1);
- };
- 
- subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub {
-     plan tests => 6;
- 
-     test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
--              "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", "", 1);
-+              "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", "", 1, 0);
-     test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
--              "ND2.ors", "WSNIC_ND2_Issuer_Root.pem", "", 1);
-+              "ND2.ors", "WSNIC_ND2_Issuer_Root.pem", "", 1, 0);
-     test_ocsp("NON-DELEGATED; Root CA -> EE",
--              "ND3.ors", "WSNIC_ND3_Issuer_Root.pem", "", 1);
-+              "ND3.ors", "WSNIC_ND3_Issuer_Root.pem", "", 1, 0);
-     test_ocsp("DELEGATED; Intermediate CA -> EE",
--              "D1.ors", "WSNIC_D1_Issuer_ICA.pem", "", 1);
-+              "D1.ors", "WSNIC_D1_Issuer_ICA.pem", "", 1, 0);
-     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
--              "D2.ors", "WSNIC_D2_Issuer_Root.pem", "", 1);
-+              "D2.ors", "WSNIC_D2_Issuer_Root.pem", "", 1, 0);
-     test_ocsp("DELEGATED; Root CA -> EE",
--              "D3.ors", "WSNIC_D3_Issuer_Root.pem", "", 1);
-+              "D3.ors", "WSNIC_D3_Issuer_Root.pem", "", 1, 0);
- };
- 
- subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub {
-     plan tests => 6;
- 
-     test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
--              "ND1.ors", "WKIC_ND1_Issuer_ICA.pem", "", 1);
-+              "ND1.ors", "WKIC_ND1_Issuer_ICA.pem", "", 1, 0);
-     test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
--              "ND2.ors", "WKIC_ND2_Issuer_Root.pem", "", 1);
-+              "ND2.ors", "WKIC_ND2_Issuer_Root.pem", "", 1, 0);
-     test_ocsp("NON-DELEGATED; Root CA -> EE",
--              "ND3.ors", "WKIC_ND3_Issuer_Root.pem", "", 1);
-+              "ND3.ors", "WKIC_ND3_Issuer_Root.pem", "", 1, 0);
-     test_ocsp("DELEGATED; Intermediate CA -> EE",
--              "D1.ors", "WKIC_D1_Issuer_ICA.pem", "", 1);
-+              "D1.ors", "WKIC_D1_Issuer_ICA.pem", "", 1, 0);
-     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
--              "D2.ors", "WKIC_D2_Issuer_Root.pem", "", 1);
-+              "D2.ors", "WKIC_D2_Issuer_Root.pem", "", 1, 0);
-     test_ocsp("DELEGATED; Root CA -> EE",
--              "D3.ors", "WKIC_D3_Issuer_Root.pem", "", 1);
-+              "D3.ors", "WKIC_D3_Issuer_Root.pem", "", 1, 0);
- };
- 
- subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
-@@ -199,17 +207,17 @@ subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
- 
-     # Expect success, because we're explicitly trusting the issuer certificate.
-     test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
--              "ND1.ors", "ISIC_ND1_Issuer_ICA.pem", "", 0);
-+              "ND1.ors", "ISIC_ND1_Issuer_ICA.pem", "", 0, 0);
-     test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
--              "ND2.ors", "ISIC_ND2_Issuer_Root.pem", "", 0);
-+              "ND2.ors", "ISIC_ND2_Issuer_Root.pem", "", 0, 0);
-     test_ocsp("NON-DELEGATED; Root CA -> EE",
--              "ND3.ors", "ISIC_ND3_Issuer_Root.pem", "", 0);
-+              "ND3.ors", "ISIC_ND3_Issuer_Root.pem", "", 0, 0);
-     test_ocsp("DELEGATED; Intermediate CA -> EE",
--              "D1.ors", "ISIC_D1_Issuer_ICA.pem", "", 0);
-+              "D1.ors", "ISIC_D1_Issuer_ICA.pem", "", 0, 0);
-     test_ocsp("DELEGATED; Root CA -> Intermediate CA",
--              "D2.ors", "ISIC_D2_Issuer_Root.pem", "", 0);
-+              "D2.ors", "ISIC_D2_Issuer_Root.pem", "", 0, 0);
-     test_ocsp("DELEGATED; Root CA -> EE",
--              "D3.ors", "ISIC_D3_Issuer_Root.pem", "", 0);
-+              "D3.ors", "ISIC_D3_Issuer_Root.pem", "", 0, 0);
- };
- 
- subtest "=== OCSP API TESTS===" => sub {

SOURCES/0065-CVE-2022-1292.patch

@@ -1,58 +0,0 @@
-diff --git a/tools/c_rehash.in b/tools/c_rehash.in
-index d51d8856d7..a630773a02 100644
---- a/tools/c_rehash.in
-+++ b/tools/c_rehash.in
-@@ -152,6 +152,23 @@ sub check_file {
-     return ($is_cert, $is_crl);
- }
- 
-+sub compute_hash {
-+    my $fh;
-+    if ( $^O eq "VMS" ) {
-+        # VMS uses the open through shell
-+        # The file names are safe there and list form is unsupported
-+        if (!open($fh, "-|", join(' ', @_))) {
-+            print STDERR "Cannot compute hash on '$fname'\n";
-+            return;
-+        }
-+    } else {
-+        if (!open($fh, "-|", @_)) {
-+            print STDERR "Cannot compute hash on '$fname'\n";
-+            return;
-+        }
-+    }
-+    return (<$fh>, <$fh>);
-+}
- 
- # Link a certificate to its subject name hash value, each hash is of
- # the form <hash>.<n> where n is an integer. If the hash value already exists
-@@ -161,10 +178,12 @@ sub check_file {
- 
- sub link_hash_cert {
-     my $fname = $_[0];
--    $fname =~ s/\"/\\\"/g;
--    my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
-+    my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
-+                                       "-fingerprint", "-noout",
-+                                       "-in", $fname);
-     chomp $hash;
-     chomp $fprint;
-+    return if !$hash;
-     $fprint =~ s/^.*=//;
-     $fprint =~ tr/://d;
-     my $suffix = 0;
-@@ -202,10 +221,12 @@ sub link_hash_cert {
- 
- sub link_hash_crl {
-     my $fname = $_[0];
--    $fname =~ s/'/'\\''/g;
--    my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
-+    my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
-+                                       "-fingerprint", "-noout",
-+                                       "-in", $fname);
-     chomp $hash;
-     chomp $fprint;
-+    return if !$hash;
-     $fprint =~ s/^.*=//;
-     $fprint =~ tr/://d;
-     my $suffix = 0;

SOURCES/0066-replace-expired-certs.patch

@@ -1,212 +0,0 @@
-diff --git a/test/certs/embeddedSCTs1_issuer.pem b/test/certs/embeddedSCTs1_issuer.pem
-index 1fa449d5a098..6aa9455f09ed 100644
---- a/test/certs/embeddedSCTs1_issuer.pem
-+++ b/test/certs/embeddedSCTs1_issuer.pem
-@@ -1,18 +1,18 @@
- -----BEGIN CERTIFICATE-----
--MIIC0DCCAjmgAwIBAgIBADANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJHQjEk
-+MIIC0jCCAjugAwIBAgIBADANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJHQjEk
- MCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4wDAYDVQQIEwVX
--YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAeFw0xMjA2MDEwMDAwMDBaFw0yMjA2MDEw
--MDAwMDBaMFUxCzAJBgNVBAYTAkdCMSQwIgYDVQQKExtDZXJ0aWZpY2F0ZSBUcmFu
--c3BhcmVuY3kgQ0ExDjAMBgNVBAgTBVdhbGVzMRAwDgYDVQQHEwdFcncgV2VuMIGf
--MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVimhTYhCicRmTbneDIRgcKkATxtB7
--jHbrkVfT0PtLO1FuzsvRyY2RxS90P6tjXVUJnNE6uvMa5UFEJFGnTHgW8iQ8+EjP
--KDHM5nugSlojgZ88ujfmJNnDvbKZuDnd/iYx0ss6hPx7srXFL8/BT/9Ab1zURmnL
--svfP34b7arnRsQIDAQABo4GvMIGsMB0GA1UdDgQWBBRfnYgNyHPmVNT4DdjmsMEk
--tEfDVTB9BgNVHSMEdjB0gBRfnYgNyHPmVNT4DdjmsMEktEfDVaFZpFcwVTELMAkG
--A1UEBhMCR0IxJDAiBgNVBAoTG0NlcnRpZmljYXRlIFRyYW5zcGFyZW5jeSBDQTEO
--MAwGA1UECBMFV2FsZXMxEDAOBgNVBAcTB0VydyBXZW6CAQAwDAYDVR0TBAUwAwEB
--/zANBgkqhkiG9w0BAQUFAAOBgQAGCMxKbWTyIF4UbASydvkrDvqUpdryOvw4BmBt
--OZDQoeojPUApV2lGOwRmYef6HReZFSCa6i4Kd1F2QRIn18ADB8dHDmFYT9czQiRy
--f1HWkLxHqd81TbD26yWVXeGJPE3VICskovPkQNJ0tU4b03YmnKliibduyqQQkOFP
--OwqULg==
-+YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAgFw0yMjA2MDExMDM4MDJaGA8yMTIyMDUw
-+ODEwMzgwMlowVTELMAkGA1UEBhMCR0IxJDAiBgNVBAoTG0NlcnRpZmljYXRlIFRy
-+YW5zcGFyZW5jeSBDQTEOMAwGA1UECBMFV2FsZXMxEDAOBgNVBAcTB0VydyBXZW4w
-+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANWKaFNiEKJxGZNud4MhGBwqQBPG
-+0HuMduuRV9PQ+0s7UW7Oy9HJjZHFL3Q/q2NdVQmc0Tq68xrlQUQkUadMeBbyJDz4
-+SM8oMczme6BKWiOBnzy6N+Yk2cO9spm4Od3+JjHSyzqE/HuytcUvz8FP/0BvXNRG
-+acuy98/fhvtqudGxAgMBAAGjga8wgawwHQYDVR0OBBYEFF+diA3Ic+ZU1PgN2Oaw
-+wSS0R8NVMH0GA1UdIwR2MHSAFF+diA3Ic+ZU1PgN2OawwSS0R8NVoVmkVzBVMQsw
-+CQYDVQQGEwJHQjEkMCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENB
-+MQ4wDAYDVQQIEwVXYWxlczEQMA4GA1UEBxMHRXJ3IFdlboIBADAMBgNVHRMEBTAD
-+AQH/MA0GCSqGSIb3DQEBCwUAA4GBAD0aYh9OkFYfXV7kBfhrtD0PJG2U47OV/1qq
-++uFpqB0S1WO06eJT0pzYf1ebUcxjBkajbJZm/FHT85VthZ1lFHsky87aFD8XlJCo
-+2IOhKOkvvWKPUdFLoO/ZVXqEVKkcsS1eXK1glFvb07eJZya3JVG0KdMhV2YoDg6c
-+Doud4XrO
- -----END CERTIFICATE-----
-diff --git a/test/certs/sm2-ca-cert.pem b/test/certs/sm2-ca-cert.pem
-index 5677ac6c9f6a..70ce71e43091 100644
---- a/test/certs/sm2-ca-cert.pem
-+++ b/test/certs/sm2-ca-cert.pem
-@@ -1,14 +1,14 @@
- -----BEGIN CERTIFICATE-----
--MIICJDCCAcqgAwIBAgIJAOlkpDpSrmVbMAoGCCqBHM9VAYN1MGgxCzAJBgNVBAYT
-+MIICJzCCAcygAwIBAgIJAOlkpDpSrmVbMAoGCCqBHM9VAYN1MGgxCzAJBgNVBAYT
- AkNOMQswCQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRl
--c3QgT3JnMRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTAe
--Fw0xOTAyMTkwNzA1NDhaFw0yMzAzMzAwNzA1NDhaMGgxCzAJBgNVBAYTAkNOMQsw
--CQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRlc3QgT3Jn
--MRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTBZMBMGByqG
--SM49AgEGCCqBHM9VAYItA0IABHRYnqErofBdXPptvvO7+BSVJxcpHuTGnZ+UPrbU
--5kVEUMaUnNOeMJZl/vRGimZCm/AkReJmRfnb15ESHR+ssp6jXTBbMB0GA1UdDgQW
--BBTFjcWu/zJgSZ5SKUlU5Vx4/0W5dDAfBgNVHSMEGDAWgBTFjcWu/zJgSZ5SKUlU
--5Vx4/0W5dDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAKBggqgRzPVQGDdQNI
--ADBFAiEAs6byi1nSQtFELOw/2tQIv5AEsZFR5MJ/oB2ztXzs2LYCIEfIw4xlUH6X
--YFhs4RnIa0K9Ng1ebsGPrifYkudwBIk3
-+c3QgT3JnMRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTAg
-+Fw0yMjA2MDIxNTQ5MzlaGA8yMTIyMDUwOTE1NDkzOVowaDELMAkGA1UEBhMCQ04x
-+CzAJBgNVBAgMAkxOMREwDwYDVQQHDAhTaGVueWFuZzERMA8GA1UECgwIVGVzdCBP
-+cmcxEDAOBgNVBAsMB1Rlc3QgT1UxFDASBgNVBAMMC1Rlc3QgU00yIENBMFkwEwYH
-+KoZIzj0CAQYIKoEcz1UBgi0DQgAEdFieoSuh8F1c+m2+87v4FJUnFyke5Madn5Q+
-+ttTmRURQxpSc054wlmX+9EaKZkKb8CRF4mZF+dvXkRIdH6yynqNdMFswHQYDVR0O
-+BBYEFMWNxa7/MmBJnlIpSVTlXHj/Rbl0MB8GA1UdIwQYMBaAFMWNxa7/MmBJnlIp
-+SVTlXHj/Rbl0MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqBHM9VAYN1
-+A0kAMEYCIQC3c2TkO6Lyxt5GNZqoZNuMEphjL9K7W1TsX6mHzlhHDwIhAICXy2XC
-+WsTzdrMZUXLtrDDFOq+3FaD4pe1HP2LZFNpu
- -----END CERTIFICATE-----
-diff --git a/test/certs/sm2-root.crt b/test/certs/sm2-root.crt
-index 5677ac6c9f6a..70ce71e43091 100644
---- a/test/certs/sm2-root.crt
-+++ b/test/certs/sm2-root.crt
-@@ -1,14 +1,14 @@
- -----BEGIN CERTIFICATE-----
--MIICJDCCAcqgAwIBAgIJAOlkpDpSrmVbMAoGCCqBHM9VAYN1MGgxCzAJBgNVBAYT
-+MIICJzCCAcygAwIBAgIJAOlkpDpSrmVbMAoGCCqBHM9VAYN1MGgxCzAJBgNVBAYT
- AkNOMQswCQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRl
--c3QgT3JnMRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTAe
--Fw0xOTAyMTkwNzA1NDhaFw0yMzAzMzAwNzA1NDhaMGgxCzAJBgNVBAYTAkNOMQsw
--CQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRlc3QgT3Jn
--MRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTBZMBMGByqG
--SM49AgEGCCqBHM9VAYItA0IABHRYnqErofBdXPptvvO7+BSVJxcpHuTGnZ+UPrbU
--5kVEUMaUnNOeMJZl/vRGimZCm/AkReJmRfnb15ESHR+ssp6jXTBbMB0GA1UdDgQW
--BBTFjcWu/zJgSZ5SKUlU5Vx4/0W5dDAfBgNVHSMEGDAWgBTFjcWu/zJgSZ5SKUlU
--5Vx4/0W5dDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAKBggqgRzPVQGDdQNI
--ADBFAiEAs6byi1nSQtFELOw/2tQIv5AEsZFR5MJ/oB2ztXzs2LYCIEfIw4xlUH6X
--YFhs4RnIa0K9Ng1ebsGPrifYkudwBIk3
-+c3QgT3JnMRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTAg
-+Fw0yMjA2MDIxNTQ5MzlaGA8yMTIyMDUwOTE1NDkzOVowaDELMAkGA1UEBhMCQ04x
-+CzAJBgNVBAgMAkxOMREwDwYDVQQHDAhTaGVueWFuZzERMA8GA1UECgwIVGVzdCBP
-+cmcxEDAOBgNVBAsMB1Rlc3QgT1UxFDASBgNVBAMMC1Rlc3QgU00yIENBMFkwEwYH
-+KoZIzj0CAQYIKoEcz1UBgi0DQgAEdFieoSuh8F1c+m2+87v4FJUnFyke5Madn5Q+
-+ttTmRURQxpSc054wlmX+9EaKZkKb8CRF4mZF+dvXkRIdH6yynqNdMFswHQYDVR0O
-+BBYEFMWNxa7/MmBJnlIpSVTlXHj/Rbl0MB8GA1UdIwQYMBaAFMWNxa7/MmBJnlIp
-+SVTlXHj/Rbl0MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqBHM9VAYN1
-+A0kAMEYCIQC3c2TkO6Lyxt5GNZqoZNuMEphjL9K7W1TsX6mHzlhHDwIhAICXy2XC
-+WsTzdrMZUXLtrDDFOq+3FaD4pe1HP2LZFNpu
- -----END CERTIFICATE-----
-diff --git a/test/certs/sm2.pem b/test/certs/sm2.pem
-index 189abb137625..daf12926aff9 100644
---- a/test/certs/sm2.pem
-+++ b/test/certs/sm2.pem
-@@ -1,13 +1,14 @@
- -----BEGIN CERTIFICATE-----
--MIIB6DCCAY6gAwIBAgIJAKH2BR6ITHZeMAoGCCqBHM9VAYN1MGgxCzAJBgNVBAYT
--AkNOMQswCQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRl
--c3QgT3JnMRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTAe
--Fw0xOTAyMTkwNzA1NDhaFw0yMzAzMzAwNzA1NDhaMG8xCzAJBgNVBAYTAkNOMQsw
--CQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRlc3QgT3Jn
--MRAwDgYDVQQLDAdUZXN0IE9VMRswGQYDVQQDDBJUZXN0IFNNMiBTaWduIENlcnQw
--WTATBgcqhkjOPQIBBggqgRzPVQGCLQNCAAQwqeNkWp7fiu1KZnuDkAucpM8piEzE
--TL1ymrcrOBvv8mhNNkeb20asbWgFQI2zOrSM99/sXGn9rM2/usM/MlcaoxowGDAJ
--BgNVHRMEAjAAMAsGA1UdDwQEAwIGwDAKBggqgRzPVQGDdQNIADBFAiEA9edBnAqT
--TNuGIUIvXsj6/nP+AzXA9HGtAIY4nrqW8LkCIHyZzhRTlxYtgfqkDl0OK5QQRCZH
--OZOfmtx613VyzXwc
-+MIICNDCCAdugAwIBAgIUOMbsiFLCy2BCPtfHQSdG4R1+3BowCgYIKoEcz1UBg3Uw
-+aDELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkxOMREwDwYDVQQHDAhTaGVueWFuZzER
-+MA8GA1UECgwIVGVzdCBPcmcxEDAOBgNVBAsMB1Rlc3QgT1UxFDASBgNVBAMMC1Rl
-+c3QgU00yIENBMCAXDTIyMDYwMjE1NTU0OFoYDzIxMjIwNTA5MTU1NTQ4WjBvMQsw
-+CQYDVQQGEwJDTjELMAkGA1UECAwCTE4xETAPBgNVBAcMCFNoZW55YW5nMREwDwYD
-+VQQKDAhUZXN0IE9yZzEQMA4GA1UECwwHVGVzdCBPVTEbMBkGA1UEAwwSVGVzdCBT
-+TTIgU2lnbiBDZXJ0MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEMKnjZFqe34rt
-+SmZ7g5ALnKTPKYhMxEy9cpq3Kzgb7/JoTTZHm9tGrG1oBUCNszq0jPff7Fxp/azN
-+v7rDPzJXGqNaMFgwCQYDVR0TBAIwADALBgNVHQ8EBAMCBsAwHQYDVR0OBBYEFNPl
-+u8JjXkhQPiJ5bYrrq+voqBUlMB8GA1UdIwQYMBaAFMWNxa7/MmBJnlIpSVTlXHj/
-+Rbl0MAoGCCqBHM9VAYN1A0cAMEQCIG3gG1D7T7ltn6Gz1UksBZahgBE6jmkQ9Sp9
-+/3aY5trlAiB5adxiK0avV0LEKfbzTdff9skoZpd7vje1QTW0l0HaGg==
- -----END CERTIFICATE-----
-diff --git a/test/smime-certs/mksmime-certs.sh b/test/smime-certs/mksmime-certs.sh
-index 12e8a7305402..109b9c4abc28 100644
---- a/test/smime-certs/mksmime-certs.sh
-+++ b/test/smime-certs/mksmime-certs.sh
-@@ -15,23 +15,23 @@ export OPENSSL_CONF
- 
- # Root CA: create certificate directly
- CN="Test S/MIME RSA Root" $OPENSSL req -config ca.cnf -x509 -noenc \
--	-keyout smroot.pem -out smroot.pem -newkey rsa:2048 -days 3650
-+	-keyout smroot.pem -out smroot.pem -newkey rsa:2048 -days 36501
- 
- # EE RSA certificates: create request first
- CN="Test S/MIME EE RSA #1" $OPENSSL req -config ca.cnf -noenc \
- 	-keyout smrsa1.pem -out req.pem -newkey rsa:2048
- # Sign request: end entity extensions
--$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
-+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- 	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa1.pem
- 
- CN="Test S/MIME EE RSA #2" $OPENSSL req -config ca.cnf -noenc \
- 	-keyout smrsa2.pem -out req.pem -newkey rsa:2048
--$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
-+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- 	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa2.pem
- 
- CN="Test S/MIME EE RSA #3" $OPENSSL req -config ca.cnf -noenc \
- 	-keyout smrsa3.pem -out req.pem -newkey rsa:2048
--$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
-+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- 	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa3.pem
- 
- # Create DSA parameters
-@@ -40,15 +40,15 @@ $OPENSSL dsaparam -out dsap.pem 2048
- 
- CN="Test S/MIME EE DSA #1" $OPENSSL req -config ca.cnf -noenc \
- 	-keyout smdsa1.pem -out req.pem -newkey dsa:dsap.pem
--$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
-+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- 	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa1.pem
- CN="Test S/MIME EE DSA #2" $OPENSSL req -config ca.cnf -noenc \
- 	-keyout smdsa2.pem -out req.pem -newkey dsa:dsap.pem
--$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
-+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- 	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa2.pem
- CN="Test S/MIME EE DSA #3" $OPENSSL req -config ca.cnf -noenc \
- 	-keyout smdsa3.pem -out req.pem -newkey dsa:dsap.pem
--$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
-+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- 	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa3.pem
- 
- # Create EC parameters
-@@ -58,16 +58,17 @@ $OPENSSL ecparam -out ecp2.pem -name K-283
- 
- CN="Test S/MIME EE EC #1" $OPENSSL req -config ca.cnf -noenc \
- 	-keyout smec1.pem -out req.pem -newkey ec:ecp.pem
--$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
-+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- 	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec1.pem
- CN="Test S/MIME EE EC #2" $OPENSSL req -config ca.cnf -noenc \
- 	-keyout smec2.pem -out req.pem -newkey ec:ecp2.pem
--$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
-+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- 	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec2.pem
--CN="Test S/MIME EE EC #3" $OPENSSL req -config ca.cnf -noenc \
--	-keyout smec3.pem -out req.pem -newkey ec:ecp.pem
--$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
--	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec3.pem
-+# Do not renew this cert as it is used for legacy data decrypt test
-+#CN="Test S/MIME EE EC #3" $OPENSSL req -config ca.cnf -noenc \
-+#	-keyout smec3.pem -out req.pem -newkey ec:ecp.pem
-+#$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
-+#	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec3.pem
- # Create X9.42 DH parameters.
- $OPENSSL genpkey -genparam -algorithm DHX -out dhp.pem
- # Generate X9.42 DH key.
-@@ -77,7 +78,7 @@ $OPENSSL pkey -pubout -in smdh.pem -out dhpub.pem
- CN="Test S/MIME EE DH #1" $OPENSSL req -config ca.cnf -noenc \
- 	-keyout smtmp.pem -out req.pem -newkey rsa:2048
- # Sign request but force public key to DH
--$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
-+$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
- 	-force_pubkey dhpub.pem \
- 	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdh.pem
- # Remove temp files.

SOURCES/0067-fix-ppc64-montgomery.patch

@@ -1,662 +0,0 @@
-diff --git a/crypto/bn/asm/ppc64-mont-fixed.pl b/crypto/bn/asm/ppc64-mont-fixed.pl
-index 56df89dc27da..e69de29bb2d1 100755
---- a/crypto/bn/asm/ppc64-mont-fixed.pl
-+++ b/crypto/bn/asm/ppc64-mont-fixed.pl
-@@ -1,581 +0,0 @@
--#! /usr/bin/env perl
--# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
--#
--# Licensed under the Apache License 2.0 (the "License").  You may not use
--# this file except in compliance with the License.  You can obtain a copy
--# in the file LICENSE in the source distribution or at
--# https://www.openssl.org/source/license.html
--
--# ====================================================================
--# Written by Amitay Isaacs <amitay@ozlabs.org>, Martin Schwenke
--# <martin@meltin.net> & Alastair D'Silva <alastair@d-silva.org> for
--# the OpenSSL project.
--# ====================================================================
--
--#
--# Fixed length (n=6), unrolled PPC Montgomery Multiplication
--#
--
--# 2021
--#
--# Although this is a generic implementation for unrolling Montgomery
--# Multiplication for arbitrary values of n, this is currently only
--# used for n = 6 to improve the performance of ECC p384.
--#
--# Unrolling allows intermediate results to be stored in registers,
--# rather than on the stack, improving performance by ~7% compared to
--# the existing PPC assembly code.
--#
--# The ISA 3.0 implementation uses combination multiply/add
--# instructions (maddld, maddhdu) to improve performance by an
--# additional ~10% on Power 9.
--#
--# Finally, saving non-volatile registers into volatile vector
--# registers instead of onto the stack saves a little more.
--#
--# On a Power 9 machine we see an overall improvement of ~18%.
--#
--
--use strict;
--use warnings;
--
--my ($flavour, $output, $dir, $xlate);
--
--# $output is the last argument if it looks like a file (it has an extension)
--# $flavour is the first argument if it doesn't look like a file
--$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
--$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
--
--$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
--( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
--( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
--die "can't locate ppc-xlate.pl";
--
--open STDOUT,"| $^X $xlate $flavour \"$output\""
--    or die "can't call $xlate: $!";
--
--if ($flavour !~ /64/) {
--	die "bad flavour ($flavour) - only ppc64 permitted";
--}
--
--my $SIZE_T= 8;
--
--# Registers are global so the code is remotely readable
--
--# Parameters for Montgomery multiplication
--my $sp	= "r1";
--my $toc	= "r2";
--my $rp	= "r3";
--my $ap	= "r4";
--my $bp	= "r5";
--my $np	= "r6";
--my $n0	= "r7";
--my $num	= "r8";
--
--my $i	= "r9";
--my $c0	= "r10";
--my $bp0	= "r11";
--my $bpi	= "r11";
--my $bpj	= "r11";
--my $tj	= "r12";
--my $apj	= "r12";
--my $npj	= "r12";
--my $lo	= "r14";
--my $c1	= "r14";
--
--# Non-volatile registers used for tp[i]
--#
--# 12 registers are available but the limit on unrolling is 10,
--# since registers from $tp[0] to $tp[$n+1] are used.
--my @tp = ("r20" .. "r31");
--
--# volatile VSRs for saving non-volatile GPRs - faster than stack
--my @vsrs = ("v32" .. "v46");
--
--package Mont;
--
--sub new($$)
--{
--	my ($class, $n) = @_;
--
--	if ($n > 10) {
--		die "Can't unroll for BN length ${n} (maximum 10)"
--	}
--
--	my $self = {
--		code => "",
--		n => $n,
--	};
--	bless $self, $class;
--
--	return $self;
--}
--
--sub add_code($$)
--{
--	my ($self, $c) = @_;
--
--	$self->{code} .= $c;
--}
--
--sub get_code($)
--{
--	my ($self) = @_;
--
--	return $self->{code};
--}
--
--sub get_function_name($)
--{
--	my ($self) = @_;
--
--	return "bn_mul_mont_fixed_n" . $self->{n};
--}
--
--sub get_label($$)
--{
--	my ($self, $l) = @_;
--
--	return "L" . $l . "_" . $self->{n};
--}
--
--sub get_labels($@)
--{
--	my ($self, @labels) = @_;
--
--	my %out = ();
--
--	foreach my $l (@labels) {
--		$out{"$l"} = $self->get_label("$l");
--	}
--
--	return \%out;
--}
--
--sub nl($)
--{
--	my ($self) = @_;
--
--	$self->add_code("\n");
--}
--
--sub copy_result($)
--{
--	my ($self) = @_;
--
--	my ($n) = $self->{n};
--
--	for (my $j = 0; $j < $n; $j++) {
--		$self->add_code(<<___);
--	std		$tp[$j],`$j*$SIZE_T`($rp)
--___
--	}
--
--}
--
--sub mul_mont_fixed($)
--{
--	my ($self) = @_;
--
--	my ($n) = $self->{n};
--	my $fname = $self->get_function_name();
--	my $label = $self->get_labels("outer", "enter", "sub", "copy", "end");
--
--	$self->add_code(<<___);
--
--.globl	.${fname}
--.align	5
--.${fname}:
--
--___
--
--	$self->save_registers();
--
--	$self->add_code(<<___);
--	ld		$n0,0($n0)
--
--	ld		$bp0,0($bp)
--
--	ld		$apj,0($ap)
--___
--
--	$self->mul_c_0($tp[0], $apj, $bp0, $c0);
--
--	for (my $j = 1; $j < $n - 1; $j++) {
--		$self->add_code(<<___);
--	ld		$apj,`$j*$SIZE_T`($ap)
--___
--		$self->mul($tp[$j], $apj, $bp0, $c0);
--	}
--
--	$self->add_code(<<___);
--	ld		$apj,`($n-1)*$SIZE_T`($ap)
--___
--
--	$self->mul_last($tp[$n-1], $tp[$n], $apj, $bp0, $c0);
--
--	$self->add_code(<<___);
--	li		$tp[$n+1],0
--
--___
--
--	$self->add_code(<<___);
--	li		$i,0
--	mtctr		$num
--	b		$label->{"enter"}
--
--.align	4
--$label->{"outer"}:
--	ldx		$bpi,$bp,$i
--
--	ld		$apj,0($ap)
--___
--
--	$self->mul_add_c_0($tp[0], $tp[0], $apj, $bpi, $c0);
--
--	for (my $j = 1; $j < $n; $j++) {
--		$self->add_code(<<___);
--	ld		$apj,`$j*$SIZE_T`($ap)
--___
--		$self->mul_add($tp[$j], $tp[$j], $apj, $bpi, $c0);
--	}
--
--	$self->add_code(<<___);
--	addc		$tp[$n],$tp[$n],$c0
--	addze		$tp[$n+1],$tp[$n+1]
--___
--
--	$self->add_code(<<___);
--.align	4
--$label->{"enter"}:
--	mulld		$bpi,$tp[0],$n0
--
--	ld		$npj,0($np)
--___
--
--	$self->mul_add_c_0($lo, $tp[0], $bpi, $npj, $c0);
--
--	for (my $j = 1; $j < $n; $j++) {
--		$self->add_code(<<___);
--	ld		$npj,`$j*$SIZE_T`($np)
--___
--		$self->mul_add($tp[$j-1], $tp[$j], $npj, $bpi, $c0);
--	}
--
--	$self->add_code(<<___);
--	addc		$tp[$n-1],$tp[$n],$c0
--	addze		$tp[$n],$tp[$n+1]
--
--	addi		$i,$i,$SIZE_T
--	bdnz		$label->{"outer"}
--
--	and.		$tp[$n],$tp[$n],$tp[$n]
--	bne		$label->{"sub"}
--
--	cmpld	$tp[$n-1],$npj
--	blt		$label->{"copy"}
--
--$label->{"sub"}:
--___
--
--	#
--	# Reduction
--	#
--
--		$self->add_code(<<___);
--	ld		$bpj,`0*$SIZE_T`($np)
--	subfc		$c1,$bpj,$tp[0]
--	std		$c1,`0*$SIZE_T`($rp)
--
--___
--	for (my $j = 1; $j < $n - 1; $j++) {
--		$self->add_code(<<___);
--	ld		$bpj,`$j*$SIZE_T`($np)
--	subfe		$c1,$bpj,$tp[$j]
--	std		$c1,`$j*$SIZE_T`($rp)
--
--___
--	}
--
--		$self->add_code(<<___);
--	subfe		$c1,$npj,$tp[$n-1]
--	std		$c1,`($n-1)*$SIZE_T`($rp)
--
--___
--
--	$self->add_code(<<___);
--	addme.		$tp[$n],$tp[$n]
--	beq		$label->{"end"}
--
--$label->{"copy"}:
--___
--
--	$self->copy_result();
--
--	$self->add_code(<<___);
--
--$label->{"end"}:
--___
--
--	$self->restore_registers();
--
--	$self->add_code(<<___);
--	li		r3,1
--	blr
--.size .${fname},.-.${fname}
--___
--
--}
--
--package Mont::GPR;
--
--our @ISA = ('Mont');
--
--sub new($$)
--{
--    my ($class, $n) = @_;
--
--    return $class->SUPER::new($n);
--}
--
--sub save_registers($)
--{
--	my ($self) = @_;
--
--	my $n = $self->{n};
--
--	$self->add_code(<<___);
--	std	$lo,-8($sp)
--___
--
--	for (my $j = 0; $j <= $n+1; $j++) {
--		$self->{code}.=<<___;
--	std	$tp[$j],-`($j+2)*8`($sp)
--___
--	}
--
--	$self->add_code(<<___);
--
--___
--}
--
--sub restore_registers($)
--{
--	my ($self) = @_;
--
--	my $n = $self->{n};
--
--	$self->add_code(<<___);
--	ld	$lo,-8($sp)
--___
--
--	for (my $j = 0; $j <= $n+1; $j++) {
--		$self->{code}.=<<___;
--	ld	$tp[$j],-`($j+2)*8`($sp)
--___
--	}
--
--	$self->{code} .=<<___;
--
--___
--}
--
--# Direct translation of C mul()
--sub mul($$$$$)
--{
--	my ($self, $r, $a, $w, $c) = @_;
--
--	$self->add_code(<<___);
--	mulld		$lo,$a,$w
--	addc		$r,$lo,$c
--	mulhdu		$c,$a,$w
--	addze		$c,$c
--
--___
--}
--
--# Like mul() but $c is ignored as an input - an optimisation to save a
--# preliminary instruction that would set input $c to 0
--sub mul_c_0($$$$$)
--{
--	my ($self, $r, $a, $w, $c) = @_;
--
--	$self->add_code(<<___);
--	mulld		$r,$a,$w
--	mulhdu		$c,$a,$w
--
--___
--}
--
--# Like mul() but does not to the final addition of CA into $c - an
--# optimisation to save an instruction
--sub mul_last($$$$$$)
--{
--	my ($self, $r1, $r2, $a, $w, $c) = @_;
--
--	$self->add_code(<<___);
--	mulld		$lo,$a,$w
--	addc		$r1,$lo,$c
--	mulhdu		$c,$a,$w
--
--	addze		$r2,$c
--___
--}
--
--# Like C mul_add() but allow $r_out and $r_in to be different
--sub mul_add($$$$$$)
--{
--	my ($self, $r_out, $r_in, $a, $w, $c) = @_;
--
--	$self->add_code(<<___);
--	mulld		$lo,$a,$w
--	addc		$lo,$lo,$c
--	mulhdu		$c,$a,$w
--	addze		$c,$c
--	addc		$r_out,$r_in,$lo
--	addze		$c,$c
--
--___
--}
--
--# Like mul_add() but $c is ignored as an input - an optimisation to save a
--# preliminary instruction that would set input $c to 0
--sub mul_add_c_0($$$$$$)
--{
--	my ($self, $r_out, $r_in, $a, $w, $c) = @_;
--
--	$self->add_code(<<___);
--	mulld		$lo,$a,$w
--	addc		$r_out,$r_in,$lo
--	mulhdu		$c,$a,$w
--	addze		$c,$c
--
--___
--}
--
--package Mont::GPR_300;
--
--our @ISA = ('Mont::GPR');
--
--sub new($$)
--{
--	my ($class, $n) = @_;
--
--	my $mont = $class->SUPER::new($n);
--
--	return $mont;
--}
--
--sub get_function_name($)
--{
--	my ($self) = @_;
--
--	return "bn_mul_mont_300_fixed_n" . $self->{n};
--}
--
--sub get_label($$)
--{
--	my ($self, $l) = @_;
--
--	return "L" . $l . "_300_" . $self->{n};
--}
--
--# Direct translation of C mul()
--sub mul($$$$$)
--{
--	my ($self, $r, $a, $w, $c, $last) = @_;
--
--	$self->add_code(<<___);
--	maddld		$r,$a,$w,$c
--	maddhdu		$c,$a,$w,$c
--
--___
--}
--
--# Save the last carry as the final entry
--sub mul_last($$$$$)
--{
--	my ($self, $r1, $r2, $a, $w, $c) = @_;
--
--	$self->add_code(<<___);
--	maddld		$r1,$a,$w,$c
--	maddhdu		$r2,$a,$w,$c
--
--___
--}
--
--# Like mul() but $c is ignored as an input - an optimisation to save a
--# preliminary instruction that would set input $c to 0
--sub mul_c_0($$$$$)
--{
--	my ($self, $r, $a, $w, $c) = @_;
--
--	$self->add_code(<<___);
--	mulld          $r,$a,$w
--	mulhdu          $c,$a,$w
--
--___
--}
--
--# Like C mul_add() but allow $r_out and $r_in to be different
--sub mul_add($$$$$$)
--{
--	my ($self, $r_out, $r_in, $a, $w, $c) = @_;
--
--	$self->add_code(<<___);
--	maddld		$lo,$a,$w,$c
--	maddhdu		$c,$a,$w,$c
--	addc		$r_out,$r_in,$lo
--	addze		$c,$c
--
--___
--}
--
--# Like mul_add() but $c is ignored as an input - an optimisation to save a
--# preliminary instruction that would set input $c to 0
--sub mul_add_c_0($$$$$$)
--{
--	my ($self, $r_out, $r_in, $a, $w, $c) = @_;
--
--	$self->add_code(<<___);
--	maddld		$lo,$a,$w,$r_in
--	maddhdu		$c,$a,$w,$r_in
--___
--
--	if ($r_out ne $lo) {
--		$self->add_code(<<___);
--	mr			$r_out,$lo
--___
--	}
--
--	$self->nl();
--}
--
--
--package main;
--
--my $code;
--
--$code.=<<___;
--.machine "any"
--.text
--___
--
--my $mont;
--
--$mont = new Mont::GPR(6);
--$mont->mul_mont_fixed();
--$code .= $mont->get_code();
--
--$mont = new Mont::GPR_300(6);
--$mont->mul_mont_fixed();
--$code .= $mont->get_code();
--
--$code =~ s/\`([^\`]*)\`/eval $1/gem;
--
--$code.=<<___;
--.asciz  "Montgomery Multiplication for PPC by <amitay\@ozlabs.org>, <alastair\@d-silva.org>"
--___
--
--print $code;
--close STDOUT or die "error closing STDOUT: $!";
-diff --git a/crypto/bn/bn_ppc.c b/crypto/bn/bn_ppc.c
-index 1e9421bee213..3ee76ea96574 100644
---- a/crypto/bn/bn_ppc.c
-+++ b/crypto/bn/bn_ppc.c
-@@ -19,12 +19,6 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
-                         const BN_ULONG *np, const BN_ULONG *n0, int num);
-     int bn_mul4x_mont_int(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
-                           const BN_ULONG *np, const BN_ULONG *n0, int num);
--    int bn_mul_mont_fixed_n6(BN_ULONG *rp, const BN_ULONG *ap,
--                             const BN_ULONG *bp, const BN_ULONG *np,
--                             const BN_ULONG *n0, int num);
--    int bn_mul_mont_300_fixed_n6(BN_ULONG *rp, const BN_ULONG *ap,
--                                 const BN_ULONG *bp, const BN_ULONG *np,
--                                 const BN_ULONG *n0, int num);
- 
-     if (num < 4)
-         return 0;
-@@ -40,14 +34,5 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
-      * no opportunity to figure it out...
-      */
- 
--#if defined(_ARCH_PPC64)
--    if (num == 6) {
--        if (OPENSSL_ppccap_P & PPC_MADD300)
--            return bn_mul_mont_300_fixed_n6(rp, ap, bp, np, n0, num);
--        else
--            return bn_mul_mont_fixed_n6(rp, ap, bp, np, n0, num);
--    }
--#endif
--
-     return bn_mul_mont_int(rp, ap, bp, np, n0, num);
- }
-diff --git a/crypto/bn/build.info b/crypto/bn/build.info
-index 987a70ae263b..4f8d0689b5ea 100644
---- a/crypto/bn/build.info
-+++ b/crypto/bn/build.info
-@@ -79,7 +79,7 @@ IF[{- !$disabled{asm} -}]
- 
-   $BNASM_ppc32=bn_ppc.c bn-ppc.s ppc-mont.s
-   $BNDEF_ppc32=OPENSSL_BN_ASM_MONT
--  $BNASM_ppc64=$BNASM_ppc32 ppc64-mont-fixed.s
-+  $BNASM_ppc64=$BNASM_ppc32
-   $BNDEF_ppc64=$BNDEF_ppc32
- 
-   $BNASM_c64xplus=asm/bn-c64xplus.asm
-@@ -173,7 +173,6 @@ GENERATE[parisc-mont.s]=asm/parisc-mont.pl
- GENERATE[bn-ppc.s]=asm/ppc.pl
- GENERATE[ppc-mont.s]=asm/ppc-mont.pl
- GENERATE[ppc64-mont.s]=asm/ppc64-mont.pl
--GENERATE[ppc64-mont-fixed.s]=asm/ppc64-mont-fixed.pl
- 
- GENERATE[alpha-mont.S]=asm/alpha-mont.pl
- 
-diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
-index f36982845db4..1543ed9f7534 100644
---- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
-+++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
-@@ -97,6 +97,18 @@ Key = P-256-PUBLIC
- Input = "Hello World"
- Output = 3046022100e7515177ec3817b77a4a94066ab3070817b7aa9d44a8a09f040da250116e8972022100ba59b0f631258e59a9026be5d84f60685f4cf22b9165a0c2736d5c21c8ec1862
- 
-+PublicKey=P-384-PUBLIC
-+-----BEGIN PUBLIC KEY-----
-+MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAES/TlL5WEJ+u1kV+4yVlVUbTTo/2rZ7rd
-+nWwwk/QlukNjDfcfQvDrfOqpTZ9kSKhd0wMxWIJJ/S/cCzCex+2EgbwW8ngAwT19
-+twD8guGxyFRaoMDTtW47/nifwYqRaIfC
-+-----END PUBLIC KEY-----
-+
-+DigestVerify = SHA384
-+Key = P-384-PUBLIC
-+Input = "123400"
-+Output = 304d0218389cb27e0bc8d21fa7e5f24cb74f58851313e696333ad68b023100ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52970
-+
- # Oneshot tests
- OneShotDigestVerify = SHA256
- Key = P-256-PUBLIC

SOURCES/0067-ppc64le-Montgomery-multiply.patch

@@ -0,0 +1,703 @@
+From 33ffd36afa7594aeb958a925f521cb287ca850c8 Mon Sep 17 00:00:00 2001
+From: Rohan McLure <rohanmclure@linux.ibm.com>
+Date: Mon, 27 Jun 2022 12:14:55 +1000
+Subject: [PATCH 1/2] Revert "Revert "bn: Add fixed length (n=6), unrolled PPC
+ Montgomery Multiplication""
+
+This reverts commit 712d9cc90e355b2c98a959d4e9398610d2269c9e.
+---
+ crypto/bn/asm/ppc64-mont-fixed.pl | 581 ++++++++++++++++++++++++++++++
+ crypto/bn/bn_ppc.c                |  15 +
+ crypto/bn/build.info              |   3 +-
+ 3 files changed, 598 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/bn/asm/ppc64-mont-fixed.pl b/crypto/bn/asm/ppc64-mont-fixed.pl
+index e69de29bb2d1..0fb397bc5f12 100755
+--- a/crypto/bn/asm/ppc64-mont-fixed.pl
++++ b/crypto/bn/asm/ppc64-mont-fixed.pl
+@@ -0,0 +1,581 @@
++#! /usr/bin/env perl
++# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
++#
++# Licensed under the Apache License 2.0 (the "License").  You may not use
++# this file except in compliance with the License.  You can obtain a copy
++# in the file LICENSE in the source distribution or at
++# https://www.openssl.org/source/license.html
++
++# ====================================================================
++# Written by Amitay Isaacs <amitay@ozlabs.org>, Martin Schwenke
++# <martin@meltin.net> & Alastair D'Silva <alastair@d-silva.org> for
++# the OpenSSL project.
++# ====================================================================
++
++#
++# Fixed length (n=6), unrolled PPC Montgomery Multiplication
++#
++
++# 2021
++#
++# Although this is a generic implementation for unrolling Montgomery
++# Multiplication for arbitrary values of n, this is currently only
++# used for n = 6 to improve the performance of ECC p384.
++#
++# Unrolling allows intermediate results to be stored in registers,
++# rather than on the stack, improving performance by ~7% compared to
++# the existing PPC assembly code.
++#
++# The ISA 3.0 implementation uses combination multiply/add
++# instructions (maddld, maddhdu) to improve performance by an
++# additional ~10% on Power 9.
++#
++# Finally, saving non-volatile registers into volatile vector
++# registers instead of onto the stack saves a little more.
++#
++# On a Power 9 machine we see an overall improvement of ~18%.
++#
++
++use strict;
++use warnings;
++
++my ($flavour, $output, $dir, $xlate);
++
++# $output is the last argument if it looks like a file (it has an extension)
++# $flavour is the first argument if it doesn't look like a file
++$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
++$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
++
++$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
++( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
++( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
++die "can't locate ppc-xlate.pl";
++
++open STDOUT,"| $^X $xlate $flavour \"$output\""
++    or die "can't call $xlate: $!";
++
++if ($flavour !~ /64/) {
++	die "bad flavour ($flavour) - only ppc64 permitted";
++}
++
++my $SIZE_T= 8;
++
++# Registers are global so the code is remotely readable
++
++# Parameters for Montgomery multiplication
++my $sp	= "r1";
++my $toc	= "r2";
++my $rp	= "r3";
++my $ap	= "r4";
++my $bp	= "r5";
++my $np	= "r6";
++my $n0	= "r7";
++my $num	= "r8";
++
++my $i	= "r9";
++my $c0	= "r10";
++my $bp0	= "r11";
++my $bpi	= "r11";
++my $bpj	= "r11";
++my $tj	= "r12";
++my $apj	= "r12";
++my $npj	= "r12";
++my $lo	= "r14";
++my $c1	= "r14";
++
++# Non-volatile registers used for tp[i]
++#
++# 12 registers are available but the limit on unrolling is 10,
++# since registers from $tp[0] to $tp[$n+1] are used.
++my @tp = ("r20" .. "r31");
++
++# volatile VSRs for saving non-volatile GPRs - faster than stack
++my @vsrs = ("v32" .. "v46");
++
++package Mont;
++
++sub new($$)
++{
++	my ($class, $n) = @_;
++
++	if ($n > 10) {
++		die "Can't unroll for BN length ${n} (maximum 10)"
++	}
++
++	my $self = {
++		code => "",
++		n => $n,
++	};
++	bless $self, $class;
++
++	return $self;
++}
++
++sub add_code($$)
++{
++	my ($self, $c) = @_;
++
++	$self->{code} .= $c;
++}
++
++sub get_code($)
++{
++	my ($self) = @_;
++
++	return $self->{code};
++}
++
++sub get_function_name($)
++{
++	my ($self) = @_;
++
++	return "bn_mul_mont_fixed_n" . $self->{n};
++}
++
++sub get_label($$)
++{
++	my ($self, $l) = @_;
++
++	return "L" . $l . "_" . $self->{n};
++}
++
++sub get_labels($@)
++{
++	my ($self, @labels) = @_;
++
++	my %out = ();
++
++	foreach my $l (@labels) {
++		$out{"$l"} = $self->get_label("$l");
++	}
++
++	return \%out;
++}
++
++sub nl($)
++{
++	my ($self) = @_;
++
++	$self->add_code("\n");
++}
++
++sub copy_result($)
++{
++	my ($self) = @_;
++
++	my ($n) = $self->{n};
++
++	for (my $j = 0; $j < $n; $j++) {
++		$self->add_code(<<___);
++	std		$tp[$j],`$j*$SIZE_T`($rp)
++___
++	}
++
++}
++
++sub mul_mont_fixed($)
++{
++	my ($self) = @_;
++
++	my ($n) = $self->{n};
++	my $fname = $self->get_function_name();
++	my $label = $self->get_labels("outer", "enter", "sub", "copy", "end");
++
++	$self->add_code(<<___);
++
++.globl	.${fname}
++.align	5
++.${fname}:
++
++___
++
++	$self->save_registers();
++
++	$self->add_code(<<___);
++	ld		$n0,0($n0)
++
++	ld		$bp0,0($bp)
++
++	ld		$apj,0($ap)
++___
++
++	$self->mul_c_0($tp[0], $apj, $bp0, $c0);
++
++	for (my $j = 1; $j < $n - 1; $j++) {
++		$self->add_code(<<___);
++	ld		$apj,`$j*$SIZE_T`($ap)
++___
++		$self->mul($tp[$j], $apj, $bp0, $c0);
++	}
++
++	$self->add_code(<<___);
++	ld		$apj,`($n-1)*$SIZE_T`($ap)
++___
++
++	$self->mul_last($tp[$n-1], $tp[$n], $apj, $bp0, $c0);
++
++	$self->add_code(<<___);
++	li		$tp[$n+1],0
++
++___
++
++	$self->add_code(<<___);
++	li		$i,0
++	mtctr		$num
++	b		$label->{"enter"}
++
++.align	4
++$label->{"outer"}:
++	ldx		$bpi,$bp,$i
++
++	ld		$apj,0($ap)
++___
++
++	$self->mul_add_c_0($tp[0], $tp[0], $apj, $bpi, $c0);
++
++	for (my $j = 1; $j < $n; $j++) {
++		$self->add_code(<<___);
++	ld		$apj,`$j*$SIZE_T`($ap)
++___
++		$self->mul_add($tp[$j], $tp[$j], $apj, $bpi, $c0);
++	}
++
++	$self->add_code(<<___);
++	addc		$tp[$n],$tp[$n],$c0
++	addze		$tp[$n+1],$tp[$n+1]
++___
++
++	$self->add_code(<<___);
++.align	4
++$label->{"enter"}:
++	mulld		$bpi,$tp[0],$n0
++
++	ld		$npj,0($np)
++___
++
++	$self->mul_add_c_0($lo, $tp[0], $bpi, $npj, $c0);
++
++	for (my $j = 1; $j < $n; $j++) {
++		$self->add_code(<<___);
++	ld		$npj,`$j*$SIZE_T`($np)
++___
++		$self->mul_add($tp[$j-1], $tp[$j], $npj, $bpi, $c0);
++	}
++
++	$self->add_code(<<___);
++	addc		$tp[$n-1],$tp[$n],$c0
++	addze		$tp[$n],$tp[$n+1]
++
++	addi		$i,$i,$SIZE_T
++	bdnz		$label->{"outer"}
++
++	and.		$tp[$n],$tp[$n],$tp[$n]
++	bne		$label->{"sub"}
++
++	cmpld	$tp[$n-1],$npj
++	blt		$label->{"copy"}
++
++$label->{"sub"}:
++___
++
++	#
++	# Reduction
++	#
++
++		$self->add_code(<<___);
++	ld		$bpj,`0*$SIZE_T`($np)
++	subfc		$c1,$bpj,$tp[0]
++	std		$c1,`0*$SIZE_T`($rp)
++
++___
++	for (my $j = 1; $j < $n - 1; $j++) {
++		$self->add_code(<<___);
++	ld		$bpj,`$j*$SIZE_T`($np)
++	subfe		$c1,$bpj,$tp[$j]
++	std		$c1,`$j*$SIZE_T`($rp)
++
++___
++	}
++
++		$self->add_code(<<___);
++	subfe		$c1,$npj,$tp[$n-1]
++	std		$c1,`($n-1)*$SIZE_T`($rp)
++
++___
++
++	$self->add_code(<<___);
++	addme.		$tp[$n],$tp[$n]
++	beq		$label->{"end"}
++
++$label->{"copy"}:
++___
++
++	$self->copy_result();
++
++	$self->add_code(<<___);
++
++$label->{"end"}:
++___
++
++	$self->restore_registers();
++
++	$self->add_code(<<___);
++	li		r3,1
++	blr
++.size .${fname},.-.${fname}
++___
++
++}
++
++package Mont::GPR;
++
++our @ISA = ('Mont');
++
++sub new($$)
++{
++    my ($class, $n) = @_;
++
++    return $class->SUPER::new($n);
++}
++
++sub save_registers($)
++{
++	my ($self) = @_;
++
++	my $n = $self->{n};
++
++	$self->add_code(<<___);
++	std	$lo,-8($sp)
++___
++
++	for (my $j = 0; $j <= $n+1; $j++) {
++		$self->{code}.=<<___;
++	std	$tp[$j],-`($j+2)*8`($sp)
++___
++	}
++
++	$self->add_code(<<___);
++
++___
++}
++
++sub restore_registers($)
++{
++	my ($self) = @_;
++
++	my $n = $self->{n};
++
++	$self->add_code(<<___);
++	ld	$lo,-8($sp)
++___
++
++	for (my $j = 0; $j <= $n+1; $j++) {
++		$self->{code}.=<<___;
++	ld	$tp[$j],-`($j+2)*8`($sp)
++___
++	}
++
++	$self->{code} .=<<___;
++
++___
++}
++
++# Direct translation of C mul()
++sub mul($$$$$)
++{
++	my ($self, $r, $a, $w, $c) = @_;
++
++	$self->add_code(<<___);
++	mulld		$lo,$a,$w
++	addc		$r,$lo,$c
++	mulhdu		$c,$a,$w
++	addze		$c,$c
++
++___
++}
++
++# Like mul() but $c is ignored as an input - an optimisation to save a
++# preliminary instruction that would set input $c to 0
++sub mul_c_0($$$$$)
++{
++	my ($self, $r, $a, $w, $c) = @_;
++
++	$self->add_code(<<___);
++	mulld		$r,$a,$w
++	mulhdu		$c,$a,$w
++
++___
++}
++
++# Like mul() but does not to the final addition of CA into $c - an
++# optimisation to save an instruction
++sub mul_last($$$$$$)
++{
++	my ($self, $r1, $r2, $a, $w, $c) = @_;
++
++	$self->add_code(<<___);
++	mulld		$lo,$a,$w
++	addc		$r1,$lo,$c
++	mulhdu		$c,$a,$w
++
++	addze		$r2,$c
++___
++}
++
++# Like C mul_add() but allow $r_out and $r_in to be different
++sub mul_add($$$$$$)
++{
++	my ($self, $r_out, $r_in, $a, $w, $c) = @_;
++
++	$self->add_code(<<___);
++	mulld		$lo,$a,$w
++	addc		$lo,$lo,$c
++	mulhdu		$c,$a,$w
++	addze		$c,$c
++	addc		$r_out,$r_in,$lo
++	addze		$c,$c
++
++___
++}
++
++# Like mul_add() but $c is ignored as an input - an optimisation to save a
++# preliminary instruction that would set input $c to 0
++sub mul_add_c_0($$$$$$)
++{
++	my ($self, $r_out, $r_in, $a, $w, $c) = @_;
++
++	$self->add_code(<<___);
++	mulld		$lo,$a,$w
++	addc		$r_out,$r_in,$lo
++	mulhdu		$c,$a,$w
++	addze		$c,$c
++
++___
++}
++
++package Mont::GPR_300;
++
++our @ISA = ('Mont::GPR');
++
++sub new($$)
++{
++	my ($class, $n) = @_;
++
++	my $mont = $class->SUPER::new($n);
++
++	return $mont;
++}
++
++sub get_function_name($)
++{
++	my ($self) = @_;
++
++	return "bn_mul_mont_300_fixed_n" . $self->{n};
++}
++
++sub get_label($$)
++{
++	my ($self, $l) = @_;
++
++	return "L" . $l . "_300_" . $self->{n};
++}
++
++# Direct translation of C mul()
++sub mul($$$$$)
++{
++	my ($self, $r, $a, $w, $c, $last) = @_;
++
++	$self->add_code(<<___);
++	maddld		$r,$a,$w,$c
++	maddhdu		$c,$a,$w,$c
++
++___
++}
++
++# Save the last carry as the final entry
++sub mul_last($$$$$)
++{
++	my ($self, $r1, $r2, $a, $w, $c) = @_;
++
++	$self->add_code(<<___);
++	maddld		$r1,$a,$w,$c
++	maddhdu		$r2,$a,$w,$c
++
++___
++}
++
++# Like mul() but $c is ignored as an input - an optimisation to save a
++# preliminary instruction that would set input $c to 0
++sub mul_c_0($$$$$)
++{
++	my ($self, $r, $a, $w, $c) = @_;
++
++	$self->add_code(<<___);
++	mulld          $r,$a,$w
++	mulhdu          $c,$a,$w
++
++___
++}
++
++# Like C mul_add() but allow $r_out and $r_in to be different
++sub mul_add($$$$$$)
++{
++	my ($self, $r_out, $r_in, $a, $w, $c) = @_;
++
++	$self->add_code(<<___);
++	maddld		$lo,$a,$w,$c
++	maddhdu		$c,$a,$w,$c
++	addc		$r_out,$r_in,$lo
++	addze		$c,$c
++
++___
++}
++
++# Like mul_add() but $c is ignored as an input - an optimisation to save a
++# preliminary instruction that would set input $c to 0
++sub mul_add_c_0($$$$$$)
++{
++	my ($self, $r_out, $r_in, $a, $w, $c) = @_;
++
++	$self->add_code(<<___);
++	maddld		$lo,$a,$w,$r_in
++	maddhdu		$c,$a,$w,$r_in
++___
++
++	if ($r_out ne $lo) {
++		$self->add_code(<<___);
++	mr			$r_out,$lo
++___
++	}
++
++	$self->nl();
++}
++
++
++package main;
++
++my $code;
++
++$code.=<<___;
++.machine "any"
++.text
++___
++
++my $mont;
++
++$mont = new Mont::GPR(6);
++$mont->mul_mont_fixed();
++$code .= $mont->get_code();
++
++$mont = new Mont::GPR_300(6);
++$mont->mul_mont_fixed();
++$code .= $mont->get_code();
++
++$code =~ s/\`([^\`]*)\`/eval $1/gem;
++
++$code.=<<___;
++.asciz  "Montgomery Multiplication for PPC by <amitay\@ozlabs.org>, <alastair\@d-silva.org>"
++___
++
++print $code;
++close STDOUT or die "error closing STDOUT: $!";
+diff --git a/crypto/bn/bn_ppc.c b/crypto/bn/bn_ppc.c
+index 3ee76ea96574..1e9421bee213 100644
+--- a/crypto/bn/bn_ppc.c
++++ b/crypto/bn/bn_ppc.c
+@@ -19,6 +19,12 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
+                         const BN_ULONG *np, const BN_ULONG *n0, int num);
+     int bn_mul4x_mont_int(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
+                           const BN_ULONG *np, const BN_ULONG *n0, int num);
++    int bn_mul_mont_fixed_n6(BN_ULONG *rp, const BN_ULONG *ap,
++                             const BN_ULONG *bp, const BN_ULONG *np,
++                             const BN_ULONG *n0, int num);
++    int bn_mul_mont_300_fixed_n6(BN_ULONG *rp, const BN_ULONG *ap,
++                                 const BN_ULONG *bp, const BN_ULONG *np,
++                                 const BN_ULONG *n0, int num);
+ 
+     if (num < 4)
+         return 0;
+@@ -34,5 +40,14 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
+      * no opportunity to figure it out...
+      */
+ 
++#if defined(_ARCH_PPC64) && !defined(__ILP32__)
++    if (num == 6) {
++        if (OPENSSL_ppccap_P & PPC_MADD300)
++            return bn_mul_mont_300_fixed_n6(rp, ap, bp, np, n0, num);
++        else
++            return bn_mul_mont_fixed_n6(rp, ap, bp, np, n0, num);
++    }
++#endif
++
+     return bn_mul_mont_int(rp, ap, bp, np, n0, num);
+ }
+diff --git a/crypto/bn/build.info b/crypto/bn/build.info
+index 4f8d0689b5ea..987a70ae263b 100644
+--- a/crypto/bn/build.info
++++ b/crypto/bn/build.info
+@@ -79,7 +79,7 @@ IF[{- !$disabled{asm} -}]
+ 
+   $BNASM_ppc32=bn_ppc.c bn-ppc.s ppc-mont.s
+   $BNDEF_ppc32=OPENSSL_BN_ASM_MONT
+-  $BNASM_ppc64=$BNASM_ppc32
++  $BNASM_ppc64=$BNASM_ppc32 ppc64-mont-fixed.s
+   $BNDEF_ppc64=$BNDEF_ppc32
+ 
+   $BNASM_c64xplus=asm/bn-c64xplus.asm
+@@ -173,6 +173,7 @@ GENERATE[parisc-mont.s]=asm/parisc-mont.pl
+ GENERATE[bn-ppc.s]=asm/ppc.pl
+ GENERATE[ppc-mont.s]=asm/ppc-mont.pl
+ GENERATE[ppc64-mont.s]=asm/ppc64-mont.pl
++GENERATE[ppc64-mont-fixed.s]=asm/ppc64-mont-fixed.pl
+ 
+ GENERATE[alpha-mont.S]=asm/alpha-mont.pl
+ 
+
+From 01ebad0d6e3a09bc9e32350b402901471610a3dc Mon Sep 17 00:00:00 2001
+From: Rohan McLure <rohanmclure@linux.ibm.com>
+Date: Thu, 30 Jun 2022 16:21:06 +1000
+Subject: [PATCH 2/2] Fix unrolled montgomery multiplication for POWER9
+
+In the reference C implementation in bn_asm.c, tp[num + 1] contains the
+carry bit for accumulations into tp[num]. tp[num + 1] is only ever
+assigned, never itself incremented.
+---
+ crypto/bn/asm/ppc64-mont-fixed.pl | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/bn/asm/ppc64-mont-fixed.pl b/crypto/bn/asm/ppc64-mont-fixed.pl
+index 0fb397bc5f12..e27d0ad93d85 100755
+--- a/crypto/bn/asm/ppc64-mont-fixed.pl
++++ b/crypto/bn/asm/ppc64-mont-fixed.pl
+@@ -63,6 +63,7 @@
+ # Registers are global so the code is remotely readable
+ 
+ # Parameters for Montgomery multiplication
++my $ze	= "r0";
+ my $sp	= "r1";
+ my $toc	= "r2";
+ my $rp	= "r3";
+@@ -192,6 +193,7 @@ ($)
+ 	$self->save_registers();
+ 
+ 	$self->add_code(<<___);
++	li		$ze,0
+ 	ld		$n0,0($n0)
+ 
+ 	ld		$bp0,0($bp)
+@@ -242,7 +244,7 @@ ($)
+ 
+ 	$self->add_code(<<___);
+ 	addc		$tp[$n],$tp[$n],$c0
+-	addze		$tp[$n+1],$tp[$n+1]
++	addze		$tp[$n+1],$ze
+ ___
+ 
+ 	$self->add_code(<<___);
+@@ -272,7 +274,7 @@ ($)
+ 	and.		$tp[$n],$tp[$n],$tp[$n]
+ 	bne		$label->{"sub"}
+ 
+-	cmpld	$tp[$n-1],$npj
++	cmpld		$tp[$n-1],$npj
+ 	blt		$label->{"copy"}
+ 
+ $label->{"sub"}:

SOURCES/0068-CVE-2022-2068.patch

@@ -1,174 +0,0 @@
-diff -up openssl-3.0.1/tools/c_rehash.in.cve20222068 openssl-3.0.1/tools/c_rehash.in
---- openssl-3.0.1/tools/c_rehash.in.cve20222068	2022-06-22 13:15:57.347421765 +0200
-+++ openssl-3.0.1/tools/c_rehash.in	2022-06-22 13:16:14.797576250 +0200
-@@ -104,18 +104,41 @@ foreach (@dirlist) {
- }
- exit($errorcount);
- 
-+sub copy_file {
-+    my ($src_fname, $dst_fname) = @_;
-+
-+    if (open(my $in, "<", $src_fname)) {
-+        if (open(my $out, ">", $dst_fname)) {
-+            print $out $_ while (<$in>);
-+            close $out;
-+        } else {
-+            warn "Cannot open $dst_fname for write, $!";
-+        }
-+        close $in;
-+    } else {
-+        warn "Cannot open $src_fname for read, $!";
-+    }
-+}
-+
- sub hash_dir {
-+    my $dir = shift;
-     my %hashlist;
--    print "Doing $_[0]\n";
--    chdir $_[0];
--    opendir(DIR, ".");
-+
-+    print "Doing $dir\n";
-+
-+    if (!chdir $dir) {
-+        print STDERR "WARNING: Cannot chdir to '$dir', $!\n";
-+        return;
-+    }
-+
-+    opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n";
-     my @flist = sort readdir(DIR);
-     closedir DIR;
-     if ( $removelinks ) {
-         # Delete any existing symbolic links
-         foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
-             if (-l $_) {
--                print "unlink $_" if $verbose;
-+                print "unlink $_\n" if $verbose;
-                 unlink $_ || warn "Can't unlink $_, $!\n";
-             }
-         }
-@@ -130,13 +153,16 @@ sub hash_dir {
-         link_hash_cert($fname) if ($cert);
-         link_hash_crl($fname) if ($crl);
-     }
-+
-+    chdir $pwd;
- }
- 
- sub check_file {
-     my ($is_cert, $is_crl) = (0,0);
-     my $fname = $_[0];
--    open IN, $fname;
--    while(<IN>) {
-+
-+    open(my $in, "<", $fname);
-+    while(<$in>) {
-         if (/^-----BEGIN (.*)-----/) {
-             my $hdr = $1;
-             if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
-@@ -148,7 +174,7 @@ sub check_file {
-             }
-         }
-     }
--    close IN;
-+    close $in;
-     return ($is_cert, $is_crl);
- }
- 
-@@ -177,76 +203,49 @@ sub compute_hash {
- # certificate fingerprints
- 
- sub link_hash_cert {
--    my $fname = $_[0];
--    my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
--                                       "-fingerprint", "-noout",
--                                       "-in", $fname);
--    chomp $hash;
--    chomp $fprint;
--    return if !$hash;
--    $fprint =~ s/^.*=//;
--    $fprint =~ tr/://d;
--    my $suffix = 0;
--    # Search for an unused hash filename
--    while(exists $hashlist{"$hash.$suffix"}) {
--        # Hash matches: if fingerprint matches its a duplicate cert
--        if ($hashlist{"$hash.$suffix"} eq $fprint) {
--            print STDERR "WARNING: Skipping duplicate certificate $fname\n";
--            return;
--        }
--        $suffix++;
--    }
--    $hash .= ".$suffix";
--    if ($symlink_exists) {
--        print "link $fname -> $hash\n" if $verbose;
--        symlink $fname, $hash || warn "Can't symlink, $!";
--    } else {
--        print "copy $fname -> $hash\n" if $verbose;
--        if (open($in, "<", $fname)) {
--            if (open($out,">", $hash)) {
--                print $out $_ while (<$in>);
--                close $out;
--            } else {
--                warn "can't open $hash for write, $!";
--            }
--            close $in;
--        } else {
--            warn "can't open $fname for read, $!";
--        }
--    }
--    $hashlist{$hash} = $fprint;
-+    link_hash($_[0], 'cert');
- }
- 
- # Same as above except for a CRL. CRL links are of the form <hash>.r<n>
- 
- sub link_hash_crl {
--    my $fname = $_[0];
--    my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
-+    link_hash($_[0], 'crl');
-+}
-+
-+sub link_hash {
-+    my ($fname, $type) = @_;
-+    my $is_cert = $type eq 'cert';
-+
-+    my ($hash, $fprint) = compute_hash($openssl,
-+                                       $is_cert ? "x509" : "crl",
-+                                       $is_cert ? $x509hash : $crlhash,
-                                        "-fingerprint", "-noout",
-                                        "-in", $fname);
-     chomp $hash;
-+    $hash =~ s/^.*=// if !$is_cert;
-     chomp $fprint;
-     return if !$hash;
-     $fprint =~ s/^.*=//;
-     $fprint =~ tr/://d;
-     my $suffix = 0;
-     # Search for an unused hash filename
--    while(exists $hashlist{"$hash.r$suffix"}) {
-+    my $crlmark = $is_cert ? "" : "r";
-+    while(exists $hashlist{"$hash.$crlmark$suffix"}) {
-         # Hash matches: if fingerprint matches its a duplicate cert
--        if ($hashlist{"$hash.r$suffix"} eq $fprint) {
--            print STDERR "WARNING: Skipping duplicate CRL $fname\n";
-+        if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) {
-+            my $what = $is_cert ? 'certificate' : 'CRL';
-+            print STDERR "WARNING: Skipping duplicate $what $fname\n";
-             return;
-         }
-         $suffix++;
-     }
--    $hash .= ".r$suffix";
-+    $hash .= ".$crlmark$suffix";
-     if ($symlink_exists) {
-         print "link $fname -> $hash\n" if $verbose;
-         symlink $fname, $hash || warn "Can't symlink, $!";
-     } else {
--        print "cp $fname -> $hash\n" if $verbose;
--        system ("cp", $fname, $hash);
--        warn "Can't copy, $!" if ($? >> 8) != 0;
-+        print "copy $fname -> $hash\n" if $verbose;
-+        copy_file($fname, $hash);
-     }
-     $hashlist{$hash} = $fprint;
- }

SOURCES/0069-CVE-2022-2097.patch

@@ -1,151 +0,0 @@
-From a98f339ddd7e8f487d6e0088d4a9a42324885a93 Mon Sep 17 00:00:00 2001
-From: Alex Chernyakhovsky <achernya@google.com>
-Date: Thu, 16 Jun 2022 12:00:22 +1000
-Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
-that performs operations on 6 16-byte blocks concurrently (the
-"grandloop") and then proceeds to handle the "short" tail (which can
-be anywhere from 0 to 5 blocks) that remain.
-
-As part of initialization, the assembly initializes $len to the true
-length, less 96 bytes and converts it to a pointer so that the $inp
-can be compared to it. Each iteration of "grandloop" checks to see if
-there's a full 96-byte chunk to process, and if so, continues. Once
-this has been exhausted, it falls through to "short", which handles
-the remaining zero to five blocks.
-
-Unfortunately, the jump at the end of "grandloop" had a fencepost
-error, doing a `jb` ("jump below") rather than `jbe` (jump below or
-equal). This should be `jbe`, as $inp is pointing to the *end* of the
-chunk currently being handled. If $inp == $len, that means that
-there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
-then there's 5 or fewer 16-byte blocks left to be handled, and the
-fall-through is intended.
-
-The net effect of `jb` instead of `jbe` is that the last 16-byte block
-of the last 96-byte chunk was completely omitted. The contents of
-`out` in this position were never written to. Additionally, since
-those bytes were never processed, the authentication tag generated is
-also incorrect.
-
-The same fencepost error, and identical logic, exists in both
-aesni_ocb_encrypt and aesni_ocb_decrypt.
-
-This addresses CVE-2022-2097.
-
-Co-authored-by: Alejandro Sedeño <asedeno@google.com>
-Co-authored-by: David Benjamin <davidben@google.com>
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(cherry picked from commit 6ebf6d51596f51d23ccbc17930778d104a57d99c)
-Upstream-Status: Backport [https://github.com/openssl/openssl/commit/a98f339ddd7e8f487d6e0088d4a9a42324885a93]
----
- crypto/aes/asm/aesni-x86.pl | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl
-index 4245fe34e17e..7cf838db170b 100644
---- a/crypto/aes/asm/aesni-x86.pl
-+++ b/crypto/aes/asm/aesni-x86.pl
-@@ -2025,7 +2025,7 @@ sub aesni_generate6
- 	&movdqu		(&QWP(-16*2,$out,$inp),$inout4);
- 	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
- 	&cmp		($inp,$len);			# done yet?
--	&jb		(&label("grandloop"));
-+	&jbe		(&label("grandloop"));
- 
- &set_label("short");
- 	&add		($len,16*6);
-@@ -2451,7 +2451,7 @@ sub aesni_generate6
- 	&pxor		($rndkey1,$inout5);
- 	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
- 	&cmp		($inp,$len);			# done yet?
--	&jb		(&label("grandloop"));
-+	&jbe		(&label("grandloop"));
- 
- &set_label("short");
- 	&add		($len,16*6);
-From 52d50d52c2f1f4b70d37696bfa74fe5e581e7ba8 Mon Sep 17 00:00:00 2001
-From: Alex Chernyakhovsky <achernya@google.com>
-Date: Thu, 16 Jun 2022 12:02:37 +1000
-Subject: [PATCH] AES OCB test vectors
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Add test vectors for AES OCB for x86 AES-NI multiple of 96 byte issue.
-
-Co-authored-by: Alejandro Sedeño <asedeno@google.com>
-Co-authored-by: David Benjamin <davidben@google.com>
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(cherry picked from commit 2f19ab18a29cf9c82cdd68bc8c7e5be5061b19be)
-Upstream-Status: Backport [https://github.com/openssl/openssl/commit/52d50d52c2f1f4b70d37696bfa74fe5e581e7ba8]
----
- .../30-test_evp_data/evpciph_aes_ocb.txt      | 50 +++++++++++++++++++
- 1 file changed, 50 insertions(+)
-
-diff --git a/test/recipes/30-test_evp_data/evpciph_aes_ocb.txt b/test/recipes/30-test_evp_data/evpciph_aes_ocb.txt
-index e58ee34b6b3f..de098905230b 100644
---- a/test/recipes/30-test_evp_data/evpciph_aes_ocb.txt
-+++ b/test/recipes/30-test_evp_data/evpciph_aes_ocb.txt
-@@ -207,3 +207,53 @@ Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021
- Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B2176C12F110DD441B7CAA3A509B13C86A023AFCEE998BEE42028D44507B15F77C528A1DE6406B519BCEE8FCB829417001E54E15A7576C4DF32366E0F439C7051CB4824B8114E9A720CBC1CE0185B156B486
- Operation = DECRYPT
- Result = CIPHERFINAL_ERROR
-+
-+#Test vectors generated to validate aesni_ocb_encrypt on x86
-+Cipher = aes-128-ocb
-+Key = 000102030405060708090A0B0C0D0E0F
-+IV = 000000000001020304050607
-+Tag = C14DFF7D62A13C4A3422456207453190
-+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
-+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B819333
-+
-+Cipher = aes-128-ocb
-+Key = 000102030405060708090A0B0C0D0E0F
-+IV = 000000000001020304050607
-+Tag = D47D84F6FF912C79B6A4223AB9BE2DB8
-+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F
-+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC204
-+
-+Cipher = aes-128-ocb
-+Key = 000102030405060708090A0B0C0D0E0F
-+IV = 000000000001020304050607
-+Tag = 41970D13737B7BD1B5FBF49ED4412CA5
-+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D
-+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91
-+
-+Cipher = aes-128-ocb
-+Key = 000102030405060708090A0B0C0D0E0F
-+IV = 000000000001020304050607
-+Tag = BE0228651ED4E48A11BDED68D953F3A0
-+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
-+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F
-+
-+Cipher = aes-128-ocb
-+Key = 000102030405060708090A0B0C0D0E0F
-+IV = 000000000001020304050607
-+Tag = 17BC6E10B16E5FDC52836E7D589518C7
-+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D
-+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B
-+
-+Cipher = aes-128-ocb
-+Key = 000102030405060708090A0B0C0D0E0F
-+IV = 000000000001020304050607
-+Tag = E84AAC18666116990A3A37B3A5FC55BD
-+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D
-+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED
-+
-+Cipher = aes-128-ocb
-+Key = 000102030405060708090A0B0C0D0E0F
-+IV = 000000000001020304050607
-+Tag = 3E5EA7EE064FE83B313E28D411E91EAD
-+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D
-+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED48D9E09F452F8E6FBEB76A3DED47611C

SOURCES/0070-EVP_PKEY_Q_keygen-Call-OPENSSL_init_crypto-to-init-s.patch

@@ -1,56 +0,0 @@
-From edceec7fe0c9a5534ae155c8398c63dd7dd95483 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Thu, 5 May 2022 08:11:24 +0200
-Subject: [PATCH] EVP_PKEY_Q_keygen: Call OPENSSL_init_crypto to init
- strcasecmp
-
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/18247)
-
-(cherry picked from commit b807c2fbab2128cf3746bb2ebd51cbe3bb6914a9)
-
-Upstream-Status: Backport [https://github.com/openssl/openssl/commit/edceec7fe0c9a5534ae155c8398c63dd7dd95483]
----
- crypto/evp/evp_lib.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
-index 3fe4743761..d9b8c0af41 100644
---- a/crypto/evp/evp_lib.c
-+++ b/crypto/evp/evp_lib.c
-@@ -24,6 +24,7 @@
- #include <openssl/dh.h>
- #include <openssl/ec.h>
- #include "crypto/evp.h"
-+#include "crypto/cryptlib.h"
- #include "internal/provider.h"
- #include "evp_local.h"
- 
-@@ -1094,6 +1095,8 @@ int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags)
-     return (ctx->flags & flags);
- }
- 
-+#if !defined(FIPS_MODULE)
-+
- int EVP_PKEY_CTX_set_group_name(EVP_PKEY_CTX *ctx, const char *name)
- {
-     OSSL_PARAM params[] = { OSSL_PARAM_END, OSSL_PARAM_END };
-@@ -1169,6 +1172,8 @@ EVP_PKEY *EVP_PKEY_Q_keygen(OSSL_LIB_CTX *libctx, const char *propq,
- 
-     va_start(args, type);
- 
-+    OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL);
-+
-     if (OPENSSL_strcasecmp(type, "RSA") == 0) {
-         bits = va_arg(args, size_t);
-         params[0] = OSSL_PARAM_construct_size_t(OSSL_PKEY_PARAM_RSA_BITS, &bits);
-@@ -1189,3 +1194,5 @@ EVP_PKEY *EVP_PKEY_Q_keygen(OSSL_LIB_CTX *libctx, const char *propq,
-     va_end(args);
-     return ret;
- }
-+
-+#endif /* !defined(FIPS_MODULE) */
--- 
-2.35.3
-

SOURCES/0072-ChaCha20-performance-optimizations-for-ppc64le.patch

@@ -1311,7 +1311,7 @@ index c12cb9c..2a819b2 100644
  
    $CHACHAASM_c64xplus=chacha-c64xplus.s
 @@ -29,6 +29,7 @@ SOURCE[../../libcrypto]=$CHACHAASM
- GENERATE[chacha-x86.s]=asm/chacha-x86.pl
+ GENERATE[chacha-x86.S]=asm/chacha-x86.pl
  GENERATE[chacha-x86_64.s]=asm/chacha-x86_64.pl
  GENERATE[chacha-ppc.s]=asm/chacha-ppc.pl
 +GENERATE[chachap10-ppc.s]=asm/chachap10-ppc.pl

SOURCES/0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch

@@ -136,10 +136,17 @@ diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.i
 index 4e30ec56dd..0103c87528 100644
 --- a/providers/fips/self_test_data.inc
 +++ b/providers/fips/self_test_data.inc
-@@ -1294,9 +1294,22 @@ static const ST_KAT_PARAM rsa_priv_key[] = {
+@@ -1294,15 +1294,22 @@ static const ST_KAT_PARAM rsa_priv_key[] = {
      ST_KAT_PARAM_END()
  };
  
+-/*-
+- * Using OSSL_PKEY_RSA_PAD_MODE_NONE directly in the expansion of the
+- * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient
+- * HP/UX PA-RISC compilers.
+- */
+-static const char pad_mode_none[] = OSSL_PKEY_RSA_PAD_MODE_NONE;
+-
 +/*-
 + * Using OSSL_PKEY_RSA_PAD_MODE_OAEP directly in the expansion of the
 + * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient
@@ -153,8 +160,7 @@ index 4e30ec56dd..0103c87528 100644
 +};
 +
  static const ST_KAT_PARAM rsa_enc_params[] = {
--    ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE,
--                            OSSL_PKEY_RSA_PAD_MODE_NONE),
+-    ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_none),
 +    ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_oaep),
 +    ST_KAT_PARAM_OCTET(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED,
 +                       oaep_fixed_seed),

SOURCES/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch

@@ -149,14 +149,14 @@ index db1a1d7bc3..c94c3c53bd 100644
      if (sigret == NULL || (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0)
          return pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx,
                                                           sigret, siglen,
-                                                          (siglen == NULL) ? 0 : *siglen);
+                                                          sigret == NULL ? 0 : *siglen);
 +#ifndef FIPS_MODULE
      dctx = EVP_PKEY_CTX_dup(pctx);
      if (dctx == NULL)
          return 0;
 @@ -566,8 +584,10 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
                                                    sigret, siglen,
-                                                   (siglen == NULL) ? 0 : *siglen);
+                                                   *siglen);
      EVP_PKEY_CTX_free(dctx);
 +#endif /* defined(FIPS_MODULE) */
      return r;

SOURCES/0076-FIPS-140-3-DRBG.patch

@@ -92,6 +92,22 @@ diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3
      /* Reseed using our sources in addition */
      entropylen = get_entropy(drbg, &entropy, drbg->strength,
                               drbg->min_entropylen, drbg->max_entropylen,
+@@ -669,8 +669,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d
+             reseed_required = 1;
+     }
+     if (drbg->parent != NULL
+-            && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
++            && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) {
++#ifdef FIPS_MODULE
++        /* Red Hat patches provide chain reseeding when necessary so just sync counters*/
++        drbg->parent_reseed_counter = get_parent_reseed_count(drbg);
++#else
+         reseed_required = 1;
++#endif
++        }
+ 
+     if (reseed_required || prediction_resistance) {
+         if (!ossl_prov_drbg_reseed(drbg, prediction_resistance, NULL, 0,
 diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c
 --- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand	2022-08-04 12:17:52.148556301 +0200
 +++ openssl-3.0.1/crypto/rand/prov_seed.c	2022-08-04 12:19:41.783533552 +0200

SOURCES/0079-CVE-2022-3602.patch

@@ -1,399 +0,0 @@
-diff --git a/crypto/punycode.c b/crypto/punycode.c
-index 385b4b1df4..b9b4e3d785 100644
---- a/crypto/punycode.c
-+++ b/crypto/punycode.c
-@@ -123,7 +123,6 @@ int ossl_punycode_decode(const char *pEncoded, const size_t enc_len,
-     unsigned int bias = initial_bias;
-     size_t processed_in = 0, written_out = 0;
-     unsigned int max_out = *pout_length;
--
-     unsigned int basic_count = 0;
-     unsigned int loop;
- 
-@@ -181,11 +180,11 @@ int ossl_punycode_decode(const char *pEncoded, const size_t enc_len,
-         n = n + i / (written_out + 1);
-         i %= (written_out + 1);
- 
--        if (written_out > max_out)
-+        if (written_out >= max_out)
-             return 0;
- 
-         memmove(pDecoded + i + 1, pDecoded + i,
--                (written_out - i) * sizeof *pDecoded);
-+                (written_out - i) * sizeof(*pDecoded));
-         pDecoded[i] = n;
-         i++;
-         written_out++;
-@@ -255,30 +254,35 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen)
-      */
-     char *outptr = out;
-     const char *inptr = in;
--    size_t size = 0;
-+    size_t size = 0, maxsize;
-     int result = 1;
--
-+    unsigned int i, j;
-     unsigned int buf[LABEL_BUF_SIZE];      /* It's a hostname */
--    if (out == NULL)
-+
-+    if (out == NULL) {
-         result = 0;
-+        maxsize = 0;
-+    } else {
-+        maxsize = *outlen;
-+    }
-+
-+#define PUSHC(c)                    \
-+    do                              \
-+        if (size++ < maxsize)       \
-+            *outptr++ = c;          \
-+        else                        \
-+            result = 0;             \
-+    while (0)
- 
-     while (1) {
-         char *tmpptr = strchr(inptr, '.');
--        size_t delta = (tmpptr) ? (size_t)(tmpptr - inptr) : strlen(inptr);
-+        size_t delta = tmpptr != NULL ? (size_t)(tmpptr - inptr) : strlen(inptr);
- 
-         if (strncmp(inptr, "xn--", 4) != 0) {
--            size += delta + 1;
--
--            if (size >= *outlen - 1)
--                result = 0;
--
--            if (result > 0) {
--                memcpy(outptr, inptr, delta + 1);
--                outptr += delta + 1;
--            }
-+            for (i = 0; i < delta + 1; i++)
-+                PUSHC(inptr[i]);
-         } else {
-             unsigned int bufsize = LABEL_BUF_SIZE;
--            unsigned int i;
- 
-             if (ossl_punycode_decode(inptr + 4, delta - 4, buf, &bufsize) <= 0)
-                 return -1;
-@@ -286,26 +290,15 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen)
-             for (i = 0; i < bufsize; i++) {
-                 unsigned char seed[6];
-                 size_t utfsize = codepoint2utf8(seed, buf[i]);
-+
-                 if (utfsize == 0)
-                     return -1;
- 
--                size += utfsize;
--                if (size >= *outlen - 1)
--                    result = 0;
--
--                if (result > 0) {
--                    memcpy(outptr, seed, utfsize);
--                    outptr += utfsize;
--                }
-+                for (j = 0; j < utfsize; j++)
-+                    PUSHC(seed[j]);
-             }
- 
--            if (tmpptr != NULL) {
--                *outptr = '.';
--                outptr++;
--                size++;
--                if (size >= *outlen - 1)
--                    result = 0;
--            }
-+            PUSHC(tmpptr != NULL ? '.' : '\0');
-         }
- 
-         if (tmpptr == NULL)
-@@ -313,7 +306,9 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen)
- 
-         inptr = tmpptr + 1;
-     }
-+#undef PUSHC
- 
-+    *outlen = size;
-     return result;
- }
- 
-@@ -327,12 +322,11 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen)
- 
- int ossl_a2ucompare(const char *a, const char *u)
- {
--    char a_ulabel[LABEL_BUF_SIZE];
-+    char a_ulabel[LABEL_BUF_SIZE + 1];
-     size_t a_size = sizeof(a_ulabel);
- 
--    if (ossl_a2ulabel(a, a_ulabel, &a_size) <= 0) {
-+    if (ossl_a2ulabel(a, a_ulabel, &a_size) <= 0)
-         return -1;
--    }
- 
--    return (strcmp(a_ulabel, u) == 0) ? 0 : 1;
-+    return strcmp(a_ulabel, u) != 0;
- }
-diff --git a/test/build.info b/test/build.info
-index 9d2d41e417..638f215da6 100644
---- a/test/build.info
-+++ b/test/build.info
-@@ -40,7 +40,7 @@ IF[{- !$disabled{tests} -}]
-           exptest pbetest localetest evp_pkey_ctx_new_from_name\
-           evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \
-           evp_fetch_prov_test evp_libctx_test ossl_store_test \
--          v3nametest v3ext \
-+          v3nametest v3ext punycode_test \
-           evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \
-           evp_fetch_prov_test v3nametest v3ext \
-           crltest danetest bad_dtls_test lhash_test sparse_array_test \
-@@ -290,6 +290,10 @@ IF[{- !$disabled{tests} -}]
-   INCLUDE[pkcs7_test]=../include ../apps/include
-   DEPEND[pkcs7_test]=../libcrypto libtestutil.a
- 
-+  SOURCE[punycode_test]=punycode_test.c
-+  INCLUDE[punycode_test]=../include ../apps/include
-+  DEPEND[punycode_test]=../libcrypto.a libtestutil.a
-+
-   SOURCE[stack_test]=stack_test.c
-   INCLUDE[stack_test]=../include ../apps/include
-   DEPEND[stack_test]=../libcrypto libtestutil.a
-diff --git a/test/punycode_test.c b/test/punycode_test.c
-new file mode 100644
-index 0000000000..285ead6966
---- /dev/null
-+++ b/test/punycode_test.c
-@@ -0,0 +1,219 @@
-+/*
-+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
-+ *
-+ * Licensed under the Apache License 2.0 (the "License").  You may not use
-+ * this file except in compliance with the License.  You can obtain a copy
-+ * in the file LICENSE in the source distribution or at
-+ * https://www.openssl.org/source/license.html
-+ */
-+
-+#include <openssl/crypto.h>
-+
-+#include "crypto/punycode.h"
-+#include "internal/nelem.h"
-+#include "testutil.h"
-+
-+
-+static const struct puny_test {
-+    unsigned int raw[50];
-+    const char *encoded;
-+} puny_cases[] = {
-+    /* Test cases from RFC 3492 */
-+    {   /* Arabic (Egyptian) */
-+        { 0x0644, 0x064A, 0x0647, 0x0645, 0x0627, 0x0628, 0x062A, 0x0643, 0x0644,
-+          0x0645, 0x0648, 0x0634, 0x0639, 0x0631, 0x0628, 0x064A, 0x061F
-+        },
-+        "egbpdaj6bu4bxfgehfvwxn"
-+    },
-+    {   /* Chinese (simplified) */
-+        { 0x4ED6, 0x4EEC, 0x4E3A, 0x4EC0, 0x4E48, 0x4E0D, 0x8BF4, 0x4E2D, 0x6587
-+        },
-+        "ihqwcrb4cv8a8dqg056pqjye"
-+    },
-+    {   /* Chinese (traditional) */
-+        { 0x4ED6, 0x5011, 0x7232, 0x4EC0, 0x9EBD, 0x4E0D, 0x8AAA, 0x4E2D, 0x6587
-+        },
-+        "ihqwctvzc91f659drss3x8bo0yb"
-+    },
-+    {    /* Czech: Pro<ccaron>prost<ecaron>nemluv<iacute><ccaron>esky */
-+        { 0x0050, 0x0072, 0x006F, 0x010D, 0x0070, 0x0072, 0x006F, 0x0073, 0x0074,
-+          0x011B, 0x006E, 0x0065, 0x006D, 0x006C, 0x0075, 0x0076, 0x00ED, 0x010D,
-+          0x0065, 0x0073, 0x006B, 0x0079
-+       },
-+        "Proprostnemluvesky-uyb24dma41a"
-+    },
-+    {   /* Hebrew */
-+        { 0x05DC, 0x05DE, 0x05D4, 0x05D4, 0x05DD, 0x05E4, 0x05E9, 0x05D5, 0x05D8,
-+          0x05DC, 0x05D0, 0x05DE, 0x05D3, 0x05D1, 0x05E8, 0x05D9, 0x05DD, 0x05E2,
-+          0x05D1, 0x05E8, 0x05D9, 0x05EA
-+        },
-+        "4dbcagdahymbxekheh6e0a7fei0b"
-+    },
-+    {   /* Hindi (Devanagari) */
-+        { 0x092F, 0x0939, 0x0932, 0x094B, 0x0917, 0x0939, 0x093F, 0x0928, 0x094D,
-+          0x0926, 0x0940, 0x0915, 0x094D, 0x092F, 0x094B, 0x0902, 0x0928, 0x0939,
-+          0x0940, 0x0902, 0x092C, 0x094B, 0x0932, 0x0938, 0x0915, 0x0924, 0x0947,
-+          0x0939, 0x0948, 0x0902
-+        },
-+        "i1baa7eci9glrd9b2ae1bj0hfcgg6iyaf8o0a1dig0cd"
-+    },
-+    {   /* Japanese (kanji and hiragana) */
-+        { 0x306A, 0x305C, 0x307F, 0x3093, 0x306A, 0x65E5, 0x672C, 0x8A9E, 0x3092,
-+          0x8A71, 0x3057, 0x3066, 0x304F, 0x308C, 0x306A, 0x3044, 0x306E, 0x304B
-+        },
-+        "n8jok5ay5dzabd5bym9f0cm5685rrjetr6pdxa"
-+    },
-+    {   /* Korean (Hangul syllables) */
-+        { 0xC138, 0xACC4, 0xC758, 0xBAA8, 0xB4E0, 0xC0AC, 0xB78C, 0xB4E4, 0xC774,
-+          0xD55C, 0xAD6D, 0xC5B4, 0xB97C, 0xC774, 0xD574, 0xD55C, 0xB2E4, 0xBA74,
-+          0xC5BC, 0xB9C8, 0xB098, 0xC88B, 0xC744, 0xAE4C
-+        },
-+        "989aomsvi5e83db1d2a355cv1e0vak1dwrv93d5xbh15a0dt30a5jpsd879ccm6fea98c"
-+    },
-+    {   /* Russian (Cyrillic) */
-+        { 0x043F, 0x043E, 0x0447, 0x0435, 0x043C, 0x0443, 0x0436, 0x0435, 0x043E,
-+          0x043D, 0x0438, 0x043D, 0x0435, 0x0433, 0x043E, 0x0432, 0x043E, 0x0440,
-+          0x044F, 0x0442, 0x043F, 0x043E, 0x0440, 0x0443, 0x0441, 0x0441, 0x043A,
-+          0x0438
-+        },
-+        "b1abfaaepdrnnbgefbaDotcwatmq2g4l"
-+    },
-+    {   /* Spanish */
-+        { 0x0050, 0x006F, 0x0072, 0x0071, 0x0075, 0x00E9, 0x006E, 0x006F, 0x0070,
-+          0x0075, 0x0065, 0x0064, 0x0065, 0x006E, 0x0073, 0x0069, 0x006D, 0x0070,
-+          0x006C, 0x0065, 0x006D, 0x0065, 0x006E, 0x0074, 0x0065, 0x0068, 0x0061,
-+          0x0062, 0x006C, 0x0061, 0x0072, 0x0065, 0x006E, 0x0045, 0x0073, 0x0070,
-+          0x0061, 0x00F1, 0x006F, 0x006C
-+        },
-+        "PorqunopuedensimplementehablarenEspaol-fmd56a"
-+    },
-+    {   /* Vietnamese */
-+        { 0x0054, 0x1EA1, 0x0069, 0x0073, 0x0061, 0x006F, 0x0068, 0x1ECD, 0x006B,
-+          0x0068, 0x00F4, 0x006E, 0x0067, 0x0074, 0x0068, 0x1EC3, 0x0063, 0x0068,
-+          0x1EC9, 0x006E, 0x00F3, 0x0069, 0x0074, 0x0069, 0x1EBF, 0x006E, 0x0067,
-+          0x0056, 0x0069, 0x1EC7, 0x0074
-+        },
-+        "TisaohkhngthchnitingVit-kjcr8268qyxafd2f1b9g"
-+    },
-+    {   /* Japanese: 3<nen>B<gumi><kinpachi><sensei> */
-+        { 0x0033, 0x5E74, 0x0042, 0x7D44, 0x91D1, 0x516B, 0x5148, 0x751F
-+        },
-+        "3B-ww4c5e180e575a65lsy2b"
-+    },
-+    {   /* Japanese: <amuro><namie>-with-SUPER-MONKEYS */
-+        { 0x5B89, 0x5BA4, 0x5948, 0x7F8E, 0x6075, 0x002D, 0x0077, 0x0069, 0x0074,
-+          0x0068, 0x002D, 0x0053, 0x0055, 0x0050, 0x0045, 0x0052, 0x002D, 0x004D,
-+          0x004F, 0x004E, 0x004B, 0x0045, 0x0059, 0x0053
-+        },
-+        "-with-SUPER-MONKEYS-pc58ag80a8qai00g7n9n"
-+    },
-+    {   /* Japanese: Hello-Another-Way-<sorezore><no><basho> */
-+        { 0x0048, 0x0065, 0x006C, 0x006C, 0x006F, 0x002D, 0x0041, 0x006E, 0x006F,
-+          0x0074, 0x0068, 0x0065, 0x0072, 0x002D, 0x0057, 0x0061, 0x0079, 0x002D,
-+          0x305D, 0x308C, 0x305E, 0x308C, 0x306E, 0x5834, 0x6240
-+        },
-+        "Hello-Another-Way--fc4qua05auwb3674vfr0b"
-+    },
-+    {   /* Japanese: <hitotsu><yane><no><shita>2 */
-+        { 0x3072, 0x3068, 0x3064, 0x5C4B, 0x6839, 0x306E, 0x4E0B, 0x0032
-+        },
-+        "2-u9tlzr9756bt3uc0v"
-+    },
-+    {   /* Japanese: Maji<de>Koi<suru>5<byou><mae> */
-+        { 0x004D, 0x0061, 0x006A, 0x0069, 0x3067, 0x004B, 0x006F, 0x0069, 0x3059,
-+          0x308B, 0x0035, 0x79D2, 0x524D
-+        },
-+        "MajiKoi5-783gue6qz075azm5e"
-+    },
-+    {   /* Japanese: <pafii>de<runba> */
-+        { 0x30D1, 0x30D5, 0x30A3, 0x30FC, 0x0064, 0x0065, 0x30EB, 0x30F3, 0x30D0
-+        },
-+        "de-jg4avhby1noc0d"
-+    },
-+    {   /* Japanese: <sono><supiido><de> */
-+        { 0x305D, 0x306E, 0x30B9, 0x30D4, 0x30FC, 0x30C9, 0x3067
-+        },
-+        "d9juau41awczczp"
-+    },
-+    {   /* -> $1.00 <- */
-+        { 0x002D, 0x003E, 0x0020, 0x0024, 0x0031, 0x002E, 0x0030, 0x0030, 0x0020,
-+          0x003C, 0x002D
-+        },
-+        "-> $1.00 <--"
-+    }
-+};
-+
-+static int test_punycode(int n)
-+{
-+    const struct puny_test *tc = puny_cases + n;
-+    unsigned int buffer[50];
-+    unsigned int bsize = OSSL_NELEM(buffer);
-+    size_t i;
-+
-+    if (!TEST_true(ossl_punycode_decode(tc->encoded, strlen(tc->encoded),
-+                                        buffer, &bsize)))
-+        return 0;
-+    for (i = 0; i < sizeof(tc->raw); i++)
-+        if (tc->raw[i] == 0)
-+            break;
-+    if (!TEST_mem_eq(buffer, bsize * sizeof(*buffer),
-+                     tc->raw, i * sizeof(*tc->raw)))
-+        return 0;
-+    return 1;
-+}
-+
-+static int test_a2ulabel(void)
-+{
-+    char out[50];
-+    size_t outlen;
-+
-+    /*
-+     * Test that no buffer correctly returns the true length.
-+     * The punycode being passed in and parsed is malformed but we're not
-+     * verifying that behaviour here.
-+     */
-+    if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", NULL, &outlen), 0)
-+            || !TEST_size_t_eq(outlen, 7)
-+            || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 1))
-+        return 0;
-+    /* Test that a short input length returns the true length */
-+    outlen = 1;
-+    if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 0)
-+            || !TEST_size_t_eq(outlen, 7)
-+            || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 1)
-+            || !TEST_str_eq(out,"\xc2\x80.b.c"))
-+        return 0;
-+    /* Test for an off by one on the buffer size works */
-+    outlen = 6;
-+    if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 0)
-+            || !TEST_size_t_eq(outlen, 7)
-+            || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 1)
-+            || !TEST_str_eq(out,"\xc2\x80.b.c"))
-+        return 0;
-+    return 1;
-+}
-+
-+static int test_puny_overrun(void)
-+{
-+    static const unsigned int out[] = {
-+        0x0033, 0x5E74, 0x0042, 0x7D44, 0x91D1, 0x516B, 0x5148, 0x751F
-+    };
-+    static const char *in = "3B-ww4c5e180e575a65lsy2b";
-+    unsigned int buf[OSSL_NELEM(out)];
-+    unsigned int bsize = OSSL_NELEM(buf) - 1;
-+
-+    if (!TEST_false(ossl_punycode_decode(in, strlen(in), buf, &bsize))) {
-+        if (TEST_mem_eq(buf, bsize * sizeof(*buf), out, sizeof(out)))
-+            TEST_error("CRITICAL: buffer overrun detected!");
-+        return 0;
-+    }
-+    return 1;
-+}
-+
-+int setup_tests(void)
-+{
-+    ADD_ALL_TESTS(test_punycode, OSSL_NELEM(puny_cases));
-+    ADD_TEST(test_a2ulabel);
-+    ADD_TEST(test_puny_overrun);
-+    return 1;
-+}
-diff --git a/test/recipes/04-test_punycode.t b/test/recipes/04-test_punycode.t
-new file mode 100644
-index 0000000000..de213c7e15
---- /dev/null
-+++ b/test/recipes/04-test_punycode.t
-@@ -0,0 +1,11 @@
-+#! /usr/bin/env perl
-+# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
-+#
-+# Licensed under the Apache License 2.0 (the "License").  You may not use
-+# this file except in compliance with the License.  You can obtain a copy
-+# in the file LICENSE in the source distribution or at
-+# https://www.openssl.org/source/license.html
-+
-+use OpenSSL::Test::Simple;
-+
-+simple_test("test_punycode", "punycode_test");

SOURCES/0086-avoid-bio-memleak.patch

@@ -1,48 +0,0 @@
-From 3d046c4d047a55123beeceffe9f8bae09159445e Mon Sep 17 00:00:00 2001
-From: yangyangtiantianlonglong <yangtianlong1224@163.com>
-Date: Wed, 19 Jan 2022 11:19:52 +0800
-Subject: [PATCH] Fix the same BIO_FLAGS macro definition
-
-Also add comment to the public header to avoid
-making another conflict in future.
-
-Fixes #17545
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/17546)
-
-(cherry picked from commit e278f18563dd3dd67c00200ee30402f48023c6ef)
----
- include/internal/bio.h   | 2 +-
- include/openssl/bio.h.in | 2 ++
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/include/internal/bio.h b/include/internal/bio.h
-index 2d36a7b980f2..02f7222ab4f1 100644
---- a/include/internal/bio.h
-+++ b/include/internal/bio.h
-@@ -48,9 +48,9 @@ int bread_conv(BIO *bio, char *data, size_t datal, size_t *read);
-  * BIO_FLAGS_KTLS_TX_CTRL_MSG means we are about to send a ctrl message next.
-  * BIO_FLAGS_KTLS_RX means we are using ktls with this BIO for receiving.
-  */
--# define BIO_FLAGS_KTLS_TX          0x800
- # define BIO_FLAGS_KTLS_TX_CTRL_MSG 0x1000
- # define BIO_FLAGS_KTLS_RX          0x2000
-+# define BIO_FLAGS_KTLS_TX          0x4000
- 
- /* KTLS related controls and flags */
- # define BIO_set_ktls_flag(b, is_tx) \
-diff --git a/include/openssl/bio.h.in b/include/openssl/bio.h.in
-index 2c65b7e1a79b..686dad3099b7 100644
---- a/include/openssl/bio.h.in
-+++ b/include/openssl/bio.h.in
-@@ -209,6 +209,8 @@ extern "C" {
- # define BIO_FLAGS_NONCLEAR_RST  0x400
- # define BIO_FLAGS_IN_EOF        0x800
- 
-+/* the BIO FLAGS values 0x1000 to 0x4000 are reserved for internal KTLS flags */
-+
- typedef union bio_addr_st BIO_ADDR;
- typedef struct bio_addrinfo_st BIO_ADDRINFO;
- 

SOURCES/0087-FIPS-RSA-selftest-params.patch

@@ -1,41 +0,0 @@
-From 34e3cbf99f2113ca01b460cf37b56460262979af Mon Sep 17 00:00:00 2001
-From: slontis <shane.lontis@oracle.com>
-Date: Wed, 26 Oct 2022 11:10:50 +1000
-Subject: [PATCH] Use RSA CRT parameters in FIPS self tests.
-
-Fixes #19488
-
-Use the correct OSSL_PKEY_PARAM_RSA CRT names fior the self tests.
-The invalid names cause CRT parameters to be silently ignored.
-
-Reviewed-by: Tim Hudson <tjh@openssl.org>
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/19501)
-
-(cherry picked from commit c7424fe68c65aa2187a8e4028d7dea742b95d81a)
-(cherry picked from commit 4215d649e92bc4c42997ec4a1e65beba1055bbe1)
----
- providers/fips/self_test_data.inc | 10 +++++-----
-
-diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
-index 5f057d5679f1..8ae8cd6f4a5a 100644
---- a/providers/fips/self_test_data.inc
-+++ b/providers/fips/self_test_data.inc
-@@ -1270,11 +1270,11 @@ static const ST_KAT_PARAM rsa_crt_key[] = {
-     ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_RSA_N, rsa_n),
-     ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_RSA_E, rsa_e),
-     ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_RSA_D, rsa_d),
--    ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_RSA_FACTOR, rsa_p),
--    ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_RSA_FACTOR, rsa_q),
--    ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_RSA_EXPONENT, rsa_dp),
--    ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_RSA_EXPONENT, rsa_dq),
--    ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_RSA_COEFFICIENT, rsa_qInv),
-+    ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_RSA_FACTOR1, rsa_p),
-+    ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_RSA_FACTOR2, rsa_q),
-+    ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_RSA_EXPONENT1, rsa_dp),
-+    ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_RSA_EXPONENT2, rsa_dq),
-+    ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_RSA_COEFFICIENT1, rsa_qInv),
-     ST_KAT_PARAM_END()
- };
- 

SOURCES/0090-signature-Clamp-PSS-salt-len-to-MD-len.patch

@@ -48,7 +48,7 @@ index 61ec53d424..e69a98d116 100644
          return NULL;
 @@ -457,14 +458,27 @@ static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx)
          return NULL;
-     if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen))
+     if (EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen) <= 0)
          return NULL;
 -    if (saltlen == -1) {
 +    if (saltlen == RSA_PSS_SALTLEN_DIGEST) {

SOURCES/0092-provider-improvements.patch

@@ -0,0 +1,705 @@
+From 98642df4ba886818900ab7e6b23703544e6addd4 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 10 Nov 2022 10:46:32 -0500
+Subject: [PATCH 1/3] Propagate selection all the way on key export
+
+EVP_PKEY_eq() is used to check, among other things, if a certificate
+public key corresponds to a private key. When the private key belongs to
+a provider that does not allow to export private keys this currently
+fails as the internal functions used to import/export keys ignored the
+selection given (which specifies that only the public key needs to be
+considered) and instead tries to export everything.
+
+This patch allows to propagate the selection all the way down including
+adding it in the cache so that a following operation actually looking
+for other selection parameters does not mistakenly pick up an export
+containing only partial information.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/19648)
+
+diff --git a/crypto/evp/keymgmt_lib.c b/crypto/evp/keymgmt_lib.c
+index b06730dc7a..2d0238ee27 100644
+--- a/crypto/evp/keymgmt_lib.c
++++ b/crypto/evp/keymgmt_lib.c
+@@ -93,7 +93,8 @@ int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection,
+                               export_cb, export_cbarg);
+ }
+ 
+-void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
++void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
++                                          int selection)
+ {
+     struct evp_keymgmt_util_try_import_data_st import_data;
+     OP_CACHE_ELEM *op;
+@@ -127,7 +128,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
+      */
+     if (pk->dirty_cnt == pk->dirty_cnt_copy) {
+         /* If this key is already exported to |keymgmt|, no more to do */
+-        op = evp_keymgmt_util_find_operation_cache(pk, keymgmt);
++        op = evp_keymgmt_util_find_operation_cache(pk, keymgmt, selection);
+         if (op != NULL && op->keymgmt != NULL) {
+             void *ret = op->keydata;
+ 
+@@ -157,13 +158,13 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
+     /* Setup for the export callback */
+     import_data.keydata = NULL;  /* evp_keymgmt_util_try_import will create it */
+     import_data.keymgmt = keymgmt;
+-    import_data.selection = OSSL_KEYMGMT_SELECT_ALL;
++    import_data.selection = selection;
+ 
+     /*
+      * The export function calls the callback (evp_keymgmt_util_try_import),
+      * which does the import for us.  If successful, we're done.
+      */
+-    if (!evp_keymgmt_util_export(pk, OSSL_KEYMGMT_SELECT_ALL,
++    if (!evp_keymgmt_util_export(pk, selection,
+                                  &evp_keymgmt_util_try_import, &import_data))
+         /* If there was an error, bail out */
+         return NULL;
+@@ -173,7 +174,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
+         return NULL;
+     }
+     /* Check to make sure some other thread didn't get there first */
+-    op = evp_keymgmt_util_find_operation_cache(pk, keymgmt);
++    op = evp_keymgmt_util_find_operation_cache(pk, keymgmt, selection);
+     if (op != NULL && op->keydata != NULL) {
+         void *ret = op->keydata;
+ 
+@@ -196,7 +197,8 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
+         evp_keymgmt_util_clear_operation_cache(pk, 0);
+ 
+     /* Add the new export to the operation cache */
+-    if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata)) {
++    if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata,
++                                        selection)) {
+         CRYPTO_THREAD_unlock(pk->lock);
+         evp_keymgmt_freedata(keymgmt, import_data.keydata);
+         return NULL;
+@@ -232,7 +234,8 @@ int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking)
+ }
+ 
+ OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
+-                                                     EVP_KEYMGMT *keymgmt)
++                                                     EVP_KEYMGMT *keymgmt,
++                                                     int selection)
+ {
+     int i, end = sk_OP_CACHE_ELEM_num(pk->operation_cache);
+     OP_CACHE_ELEM *p;
+@@ -243,14 +246,14 @@ OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
+      */
+     for (i = 0; i < end; i++) {
+         p = sk_OP_CACHE_ELEM_value(pk->operation_cache, i);
+-        if (keymgmt == p->keymgmt)
++        if (keymgmt == p->keymgmt && (p->selection & selection) == selection)
+             return p;
+     }
+     return NULL;
+ }
+ 
+-int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
+-                                   EVP_KEYMGMT *keymgmt, void *keydata)
++int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
++                                   void *keydata, int selection)
+ {
+     OP_CACHE_ELEM *p = NULL;
+ 
+@@ -266,6 +269,7 @@ int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
+             return 0;
+         p->keydata = keydata;
+         p->keymgmt = keymgmt;
++        p->selection = selection;
+ 
+         if (!EVP_KEYMGMT_up_ref(keymgmt)) {
+             OPENSSL_free(p);
+@@ -391,7 +395,8 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection)
+             ok = 1;
+             if (keydata1 != NULL) {
+                 tmp_keydata =
+-                    evp_keymgmt_util_export_to_provider(pk1, keymgmt2);
++                    evp_keymgmt_util_export_to_provider(pk1, keymgmt2,
++                                                        selection);
+                 ok = (tmp_keydata != NULL);
+             }
+             if (ok) {
+@@ -411,7 +416,8 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection)
+             ok = 1;
+             if (keydata2 != NULL) {
+                 tmp_keydata =
+-                    evp_keymgmt_util_export_to_provider(pk2, keymgmt1);
++                    evp_keymgmt_util_export_to_provider(pk2, keymgmt1,
++                                                        selection);
+                 ok = (tmp_keydata != NULL);
+             }
+             if (ok) {
+diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
+index 70d17ec37e..905e9c9ce4 100644
+--- a/crypto/evp/p_lib.c
++++ b/crypto/evp/p_lib.c
+@@ -1822,6 +1822,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
+ {
+     EVP_KEYMGMT *allocated_keymgmt = NULL;
+     EVP_KEYMGMT *tmp_keymgmt = NULL;
++    int selection = OSSL_KEYMGMT_SELECT_ALL;
+     void *keydata = NULL;
+     int check;
+ 
+@@ -1883,7 +1884,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
+         if (pk->ameth->dirty_cnt(pk) == pk->dirty_cnt_copy) {
+             if (!CRYPTO_THREAD_read_lock(pk->lock))
+                 goto end;
+-            op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt);
++            op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt,
++                                                       selection);
+ 
+             /*
+              * If |tmp_keymgmt| is present in the operation cache, it means
+@@ -1938,7 +1940,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
+         EVP_KEYMGMT_free(tmp_keymgmt); /* refcnt-- */
+ 
+         /* Check to make sure some other thread didn't get there first */
+-        op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt);
++        op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt, selection);
+         if (op != NULL && op->keymgmt != NULL) {
+             void *tmp_keydata = op->keydata;
+ 
+@@ -1949,7 +1951,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
+         }
+ 
+         /* Add the new export to the operation cache */
+-        if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata)) {
++        if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata,
++                                            selection)) {
+             CRYPTO_THREAD_unlock(pk->lock);
+             evp_keymgmt_freedata(tmp_keymgmt, keydata);
+             keydata = NULL;
+@@ -1964,7 +1967,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
+     }
+ #endif  /* FIPS_MODULE */
+ 
+-    keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt);
++    keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt, selection);
+ 
+  end:
+     /*
+diff --git a/include/crypto/evp.h b/include/crypto/evp.h
+index f601b72807..dbbdcccbda 100644
+--- a/include/crypto/evp.h
++++ b/include/crypto/evp.h
+@@ -589,6 +589,7 @@ int evp_cipher_asn1_to_param_ex(EVP_CIPHER_CTX *c, ASN1_TYPE *type,
+ typedef struct {
+     EVP_KEYMGMT *keymgmt;
+     void *keydata;
++    int selection;
+ } OP_CACHE_ELEM;
+ 
+ DEFINE_STACK_OF(OP_CACHE_ELEM)
+@@ -778,12 +779,14 @@ EVP_PKEY *evp_keymgmt_util_make_pkey(EVP_KEYMGMT *keymgmt, void *keydata);
+ 
+ int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection,
+                             OSSL_CALLBACK *export_cb, void *export_cbarg);
+-void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt);
++void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
++                                          int selection);
+ OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
+-                                                     EVP_KEYMGMT *keymgmt);
++                                                     EVP_KEYMGMT *keymgmt,
++                                                     int selection);
+ int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking);
+-int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
+-                                   EVP_KEYMGMT *keymgmt, void *keydata);
++int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
++                                   void *keydata, int selection);
+ void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk);
+ void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt,
+                                 int selection, const OSSL_PARAM params[]);
+-- 
+2.38.1
+
+From 504427eb5f32108dd64ff7858012863fe47b369b Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 10 Nov 2022 16:58:28 -0500
+Subject: [PATCH 2/3] Update documentation for keymgmt export utils
+
+Change function prototypes and explain how to use the selection
+argument.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/19648)
+
+diff --git a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
+index 1fee9f6ff9..7099e44964 100644
+--- a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
++++ b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
+@@ -20,12 +20,14 @@ OP_CACHE_ELEM
+ 
+  int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection,
+                              OSSL_CALLBACK *export_cb, void *export_cbarg);
+- void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt);
++ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
++                                           int selection);
+  OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
+-                                                      EVP_KEYMGMT *keymgmt);
++                                                      EVP_KEYMGMT *keymgmt,
++                                                      int selection);
+  int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking);
+- int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
+-                                    EVP_KEYMGMT *keymgmt, void *keydata);
++ int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
++                                    void *keydata, int selection);
+  void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk);
+  void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt,
+                                  int selection, const OSSL_PARAM params[]);
+@@ -65,6 +67,11 @@ evp_keymgmt_util_fromdata() can be used to add key object data to a
+ given key I<target> via a B<EVP_KEYMGMT> interface.  This is used as a
+ helper for L<EVP_PKEY_fromdata(3)>.
+ 
++In all functions that take a I<selection> argument, the selection is used to
++constraint the information requested on export. It is also used in the cache
++so that key data is guaranteed to contain all the information requested in
++the selection.
++
+ =head1 RETURN VALUES
+ 
+ evp_keymgmt_export_to_provider() and evp_keymgmt_util_fromdata()
+-- 
+2.38.1
+
+From e5202fbd461cb6c067874987998e91c6093e5267 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Fri, 11 Nov 2022 12:18:26 -0500
+Subject: [PATCH 3/3] Add test for EVP_PKEY_eq
+
+This tests that the comparison work even if a provider can only return
+a public key.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/19648)
+
+diff --git a/test/fake_rsaprov.c b/test/fake_rsaprov.c
+index d556551bb6..5e92e72d4b 100644
+--- a/test/fake_rsaprov.c
++++ b/test/fake_rsaprov.c
+@@ -22,24 +22,34 @@ static OSSL_FUNC_keymgmt_has_fn fake_rsa_keymgmt_has;
+ static OSSL_FUNC_keymgmt_query_operation_name_fn fake_rsa_keymgmt_query;
+ static OSSL_FUNC_keymgmt_import_fn fake_rsa_keymgmt_import;
+ static OSSL_FUNC_keymgmt_import_types_fn fake_rsa_keymgmt_imptypes;
++static OSSL_FUNC_keymgmt_export_fn fake_rsa_keymgmt_export;
++static OSSL_FUNC_keymgmt_export_types_fn fake_rsa_keymgmt_exptypes;
+ static OSSL_FUNC_keymgmt_load_fn fake_rsa_keymgmt_load;
+ 
+ static int has_selection;
+ static int imptypes_selection;
++static int exptypes_selection;
+ static int query_id;
+ 
++struct fake_rsa_keydata {
++    int selection;
++    int status;
++};
++
+ static void *fake_rsa_keymgmt_new(void *provctx)
+ {
+-    unsigned char *keydata = OPENSSL_zalloc(1);
++    struct fake_rsa_keydata *key;
+ 
+-    TEST_ptr(keydata);
++    if (!TEST_ptr(key = OPENSSL_zalloc(sizeof(struct fake_rsa_keydata))))
++        return NULL;
+ 
+     /* clear test globals */
+     has_selection = 0;
+     imptypes_selection = 0;
++    exptypes_selection = 0;
+     query_id = 0;
+ 
+-    return keydata;
++    return key;
+ }
+ 
+ static void fake_rsa_keymgmt_free(void *keydata)
+@@ -67,14 +77,104 @@ static const char *fake_rsa_keymgmt_query(int id)
+ static int fake_rsa_keymgmt_import(void *keydata, int selection,
+                                    const OSSL_PARAM *p)
+ {
+-    unsigned char *fake_rsa_key = keydata;
++    struct fake_rsa_keydata *fake_rsa_key = keydata;
+ 
+     /* key was imported */
+-    *fake_rsa_key = 1;
++    fake_rsa_key->status = 1;
+ 
+     return 1;
+ }
+ 
++static unsigned char fake_rsa_n[] =
++   "\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F"
++   "\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5"
++   "\xAD\xB3\x00\xA0\x28\x5E\x53\x01\x93\x0E\x0C\x70\xFB\x68\x76\x93"
++   "\x9C\xE6\x16\xCE\x62\x4A\x11\xE0\x08\x6D\x34\x1E\xBC\xAC\xA0\xA1"
++   "\xF5";
++
++static unsigned char fake_rsa_e[] = "\x11";
++
++static unsigned char fake_rsa_d[] =
++    "\x0A\x03\x37\x48\x62\x64\x87\x69\x5F\x5F\x30\xBC\x38\xB9\x8B\x44"
++    "\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64"
++    "\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9"
++    "\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51";
++
++static unsigned char fake_rsa_p[] =
++    "\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
++    "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12"
++    "\x0D";
++
++static unsigned char fake_rsa_q[] =
++    "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
++    "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
++    "\x89";
++
++static unsigned char fake_rsa_dmp1[] =
++    "\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF"
++    "\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05";
++
++static unsigned char fake_rsa_dmq1[] =
++    "\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99"
++    "\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D"
++    "\x51";
++
++static unsigned char fake_rsa_iqmp[] =
++    "\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8"
++    "\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26";
++
++OSSL_PARAM *fake_rsa_key_params(int priv)
++{
++    if (priv) {
++        OSSL_PARAM params[] = {
++            OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, fake_rsa_n,
++                          sizeof(fake_rsa_n) -1),
++            OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, fake_rsa_e,
++                          sizeof(fake_rsa_e) -1),
++            OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_D, fake_rsa_d,
++                          sizeof(fake_rsa_d) -1),
++            OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR1, fake_rsa_p,
++                          sizeof(fake_rsa_p) -1),
++            OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR2, fake_rsa_q,
++                          sizeof(fake_rsa_q) -1),
++            OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT1, fake_rsa_dmp1,
++                          sizeof(fake_rsa_dmp1) -1),
++            OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT2, fake_rsa_dmq1,
++                          sizeof(fake_rsa_dmq1) -1),
++            OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_COEFFICIENT1, fake_rsa_iqmp,
++                          sizeof(fake_rsa_iqmp) -1),
++            OSSL_PARAM_END
++        };
++        return OSSL_PARAM_dup(params);
++    } else {
++        OSSL_PARAM params[] = {
++            OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, fake_rsa_n,
++                          sizeof(fake_rsa_n) -1),
++            OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, fake_rsa_e,
++                          sizeof(fake_rsa_e) -1),
++            OSSL_PARAM_END
++        };
++        return OSSL_PARAM_dup(params);
++    }
++}
++
++static int fake_rsa_keymgmt_export(void *keydata, int selection,
++                                   OSSL_CALLBACK *param_callback, void *cbarg)
++{
++    OSSL_PARAM *params = NULL;
++    int ret;
++
++    if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY)
++        return 0;
++
++    if (!TEST_ptr(params = fake_rsa_key_params(0)))
++        return 0;
++
++    ret = param_callback(params, cbarg);
++    OSSL_PARAM_free(params);
++    return ret;
++}
++
+ static const OSSL_PARAM fake_rsa_import_key_types[] = {
+     OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0),
+     OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0),
+@@ -95,19 +195,33 @@ static const OSSL_PARAM *fake_rsa_keymgmt_imptypes(int selection)
+     return fake_rsa_import_key_types;
+ }
+ 
++static const OSSL_PARAM fake_rsa_export_key_types[] = {
++    OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0),
++    OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0),
++    OSSL_PARAM_END
++};
++
++static const OSSL_PARAM *fake_rsa_keymgmt_exptypes(int selection)
++{
++    /* record global for checking */
++    exptypes_selection = selection;
++
++    return fake_rsa_export_key_types;
++}
++
+ static void *fake_rsa_keymgmt_load(const void *reference, size_t reference_sz)
+ {
+-    unsigned char *key = NULL;
++    struct fake_rsa_keydata *key = NULL;
+ 
+-    if (reference_sz != sizeof(key))
++    if (reference_sz != sizeof(*key))
+         return NULL;
+ 
+-    key = *(unsigned char **)reference;
+-    if (*key != 1)
++    key = *(struct fake_rsa_keydata **)reference;
++    if (key->status != 1)
+         return NULL;
+ 
+     /* detach the reference */
+-    *(unsigned char **)reference = NULL;
++    *(struct fake_rsa_keydata  **)reference = NULL;
+ 
+     return key;
+ }
+@@ -129,7 +243,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
+ {
+     unsigned char *gctx = genctx;
+     static const unsigned char inited[] = { 1 };
+-    unsigned char *keydata;
++    struct fake_rsa_keydata *keydata;
+ 
+     if (!TEST_ptr(gctx)
+         || !TEST_mem_eq(gctx, sizeof(*gctx), inited, sizeof(inited)))
+@@ -138,7 +252,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
+     if (!TEST_ptr(keydata = fake_rsa_keymgmt_new(NULL)))
+         return NULL;
+ 
+-    *keydata = 2;
++    keydata->status = 2;
+     return keydata;
+ }
+ 
+@@ -156,6 +270,9 @@ static const OSSL_DISPATCH fake_rsa_keymgmt_funcs[] = {
+     { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))fake_rsa_keymgmt_import },
+     { OSSL_FUNC_KEYMGMT_IMPORT_TYPES,
+         (void (*)(void))fake_rsa_keymgmt_imptypes },
++    { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))fake_rsa_keymgmt_export },
++    { OSSL_FUNC_KEYMGMT_EXPORT_TYPES,
++        (void (*)(void))fake_rsa_keymgmt_exptypes },
+     { OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))fake_rsa_keymgmt_load },
+     { OSSL_FUNC_KEYMGMT_GEN_INIT, (void (*)(void))fake_rsa_gen_init },
+     { OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))fake_rsa_gen },
+@@ -191,14 +308,14 @@ static int fake_rsa_sig_sign_init(void *ctx, void *provkey,
+                                   const OSSL_PARAM params[])
+ {
+     unsigned char *sigctx = ctx;
+-    unsigned char *keydata = provkey;
++    struct fake_rsa_keydata *keydata = provkey;
+ 
+     /* we must have a ctx */
+     if (!TEST_ptr(sigctx))
+         return 0;
+ 
+     /* we must have some initialized key */
+-    if (!TEST_ptr(keydata) || !TEST_int_gt(keydata[0], 0))
++    if (!TEST_ptr(keydata) || !TEST_int_gt(keydata->status, 0))
+         return 0;
+ 
+     /* record that sign init was called */
+@@ -289,7 +406,7 @@ static int fake_rsa_st_load(void *loaderctx,
+     unsigned char *storectx = loaderctx;
+     OSSL_PARAM params[4];
+     int object_type = OSSL_OBJECT_PKEY;
+-    void *key = NULL;
++    struct fake_rsa_keydata *key = NULL;
+     int rv = 0;
+ 
+     switch (*storectx) {
+@@ -307,7 +424,7 @@ static int fake_rsa_st_load(void *loaderctx,
+         /* The address of the key becomes the octet string */
+         params[2] =
+             OSSL_PARAM_construct_octet_string(OSSL_OBJECT_PARAM_REFERENCE,
+-                                              &key, sizeof(key));
++                                              &key, sizeof(*key));
+         params[3] = OSSL_PARAM_construct_end();
+         rv = object_cb(params, object_cbarg);
+         *storectx = 1;
+diff --git a/test/fake_rsaprov.h b/test/fake_rsaprov.h
+index 57de1ecf8d..190c46a285 100644
+--- a/test/fake_rsaprov.h
++++ b/test/fake_rsaprov.h
+@@ -12,3 +12,4 @@
+ /* Fake RSA provider implementation */
+ OSSL_PROVIDER *fake_rsa_start(OSSL_LIB_CTX *libctx);
+ void fake_rsa_finish(OSSL_PROVIDER *p);
++OSSL_PARAM *fake_rsa_key_params(int priv);
+diff --git a/test/provider_pkey_test.c b/test/provider_pkey_test.c
+index 5c398398f4..3b190baa5e 100644
+--- a/test/provider_pkey_test.c
++++ b/test/provider_pkey_test.c
+@@ -176,6 +176,67 @@ end:
+     return ret;
+ }
+ 
++static int test_pkey_eq(void)
++{
++    OSSL_PROVIDER *deflt = NULL;
++    OSSL_PROVIDER *fake_rsa = NULL;
++    EVP_PKEY *pkey_fake = NULL;
++    EVP_PKEY *pkey_dflt = NULL;
++    EVP_PKEY_CTX *ctx = NULL;
++    OSSL_PARAM *params = NULL;
++    int ret = 0;
++
++    if (!TEST_ptr(fake_rsa = fake_rsa_start(libctx)))
++        return 0;
++
++    if (!TEST_ptr(deflt = OSSL_PROVIDER_load(libctx, "default")))
++        goto end;
++
++    /* Construct a public key for fake-rsa */
++    if (!TEST_ptr(params = fake_rsa_key_params(0))
++        || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA",
++                                                      "provider=fake-rsa"))
++        || !TEST_true(EVP_PKEY_fromdata_init(ctx))
++        || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_fake, EVP_PKEY_PUBLIC_KEY,
++                                        params))
++        || !TEST_ptr(pkey_fake))
++        goto end;
++
++    EVP_PKEY_CTX_free(ctx);
++    ctx = NULL;
++    OSSL_PARAM_free(params);
++    params = NULL;
++
++    /* Construct a public key for default */
++    if (!TEST_ptr(params = fake_rsa_key_params(0))
++        || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA",
++                                                      "provider=default"))
++        || !TEST_true(EVP_PKEY_fromdata_init(ctx))
++        || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_dflt, EVP_PKEY_PUBLIC_KEY,
++                                        params))
++        || !TEST_ptr(pkey_dflt))
++        goto end;
++
++    EVP_PKEY_CTX_free(ctx);
++    ctx = NULL;
++    OSSL_PARAM_free(params);
++    params = NULL;
++
++    /* now test for equality */
++    if (!TEST_int_eq(EVP_PKEY_eq(pkey_fake, pkey_dflt), 1))
++        goto end;
++
++    ret = 1;
++end:
++    fake_rsa_finish(fake_rsa);
++    OSSL_PROVIDER_unload(deflt);
++    EVP_PKEY_CTX_free(ctx);
++    EVP_PKEY_free(pkey_fake);
++    EVP_PKEY_free(pkey_dflt);
++    OSSL_PARAM_free(params);
++    return ret;
++}
++
+ static int test_pkey_store(int idx)
+ {
+     OSSL_PROVIDER *deflt = NULL;
+@@ -235,6 +296,7 @@ int setup_tests(void)
+ 
+     ADD_TEST(test_pkey_sig);
+     ADD_TEST(test_alternative_keygen_init);
++    ADD_TEST(test_pkey_eq);
+     ADD_ALL_TESTS(test_pkey_store, 2);
+ 
+     return 1;
+-- 
+2.38.1
+
+From 2fea56832780248af2aba2e4433ece2d18428515 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Mon, 14 Nov 2022 10:25:15 -0500
+Subject: [PATCH] Drop explicit check for engines in opt_legacy_okay
+
+The providers indication should always indicate that this is not a
+legacy request.
+This makes a check for engines redundant as the default return is that
+legacy is ok if there are no explicit providers.
+
+Fixes #19662
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/19671)
+---
+ apps/lib/apps.c                    |  8 --------
+ test/recipes/20-test_legacy_okay.t | 23 +++++++++++++++++++++++
+ 2 files changed, 23 insertions(+), 8 deletions(-)
+ create mode 100755 test/recipes/20-test_legacy_okay.t
+
+diff --git a/apps/lib/apps.c b/apps/lib/apps.c
+index 3d52e030ab7e258f9cd983b2d9755d954cb3aee5..bbe0d009efb35fcf1a902c86cbddc61e657e57f1 100644
+--- a/apps/lib/apps.c
++++ b/apps/lib/apps.c
+@@ -3405,14 +3405,6 @@ int opt_legacy_okay(void)
+ {
+     int provider_options = opt_provider_option_given();
+     int libctx = app_get0_libctx() != NULL || app_get0_propq() != NULL;
+-#ifndef OPENSSL_NO_ENGINE
+-    ENGINE *e = ENGINE_get_first();
+-
+-    if (e != NULL) {
+-        ENGINE_free(e);
+-        return 1;
+-    }
+-#endif
+     /*
+      * Having a provider option specified or a custom library context or
+      * property query, is a sure sign we're not using legacy.
+diff --git a/test/recipes/20-test_legacy_okay.t b/test/recipes/20-test_legacy_okay.t
+new file mode 100755
+index 0000000000000000000000000000000000000000..183499f3fd93f97e8a4a30681a9f383d2f6e0c56
+--- /dev/null
++++ b/test/recipes/20-test_legacy_okay.t
+@@ -0,0 +1,23 @@
++#! /usr/bin/env perl
++# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
++#
++# Licensed under the Apache License 2.0 (the "License").  You may not use
++# this file except in compliance with the License.  You can obtain a copy
++# in the file LICENSE in the source distribution or at
++# https://www.openssl.org/source/license.html
++
++use strict;
++use warnings;
++
++use OpenSSL::Test;
++
++setup("test_legacy");
++
++plan tests => 3;
++
++ok(run(app(['openssl', 'rand', '-out', 'rand.txt', '256'])), "Generate random file");
++
++ok(run(app(['openssl', 'dgst', '-sha256', 'rand.txt'])), "Generate a digest");
++
++ok(!run(app(['openssl', 'dgst', '-sha256', '-propquery', 'foo=1',
++             'rand.txt'])), "Fail to generate a digest");
+-- 
+2.38.1
+

SOURCES/0094-ibmca-engine-compat.patch

@@ -1,82 +0,0 @@
-From b00f2cab6b8dfc4ffb23fd50b049b4a443910946 Mon Sep 17 00:00:00 2001
-From: Juergen Christ <jchrist@linux.ibm.com>
-Date: Wed, 5 Oct 2022 13:57:21 +0200
-Subject: [PATCH] Add translation for ECX group parameter
-
-Legacy EVP_PKEY_CTX objects did not support the "group" parameter for X25519
-and X448.  The translation of this parameter resulted in an error.  This
-caused errors for legacy keys and engines.
-
-Fix this situation by adding a translation that simply checks that the correct
-parameter is to be set, but does not actually set anything.  This is correct
-since the group name is anyway optional for these two curves.
-
-Fixes #19313
-
-Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
----
- crypto/evp/ctrl_params_translate.c | 37 +++++++++++++++++++++++++++++-
- 1 file changed, 36 insertions(+), 1 deletion(-)
-
-diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c
-index ffea7b108b6f..47a935ce9cca 100644
---- a/crypto/evp/ctrl_params_translate.c
-+++ b/crypto/evp/ctrl_params_translate.c
-@@ -1955,6 +1955,32 @@ IMPL_GET_RSA_PAYLOAD_COEFFICIENT(7)
- IMPL_GET_RSA_PAYLOAD_COEFFICIENT(8)
- IMPL_GET_RSA_PAYLOAD_COEFFICIENT(9)
- 
-+static int fix_group_ecx(enum state state,
-+                         const struct translation_st *translation,
-+                         struct translation_ctx_st *ctx)
-+{
-+    const char *value = NULL;
-+
-+    switch (state) {
-+    case PRE_PARAMS_TO_CTRL:
-+        if (!EVP_PKEY_CTX_IS_GEN_OP(ctx->pctx))
-+            return 0;
-+        ctx->action_type = NONE;
-+        return 1;
-+    case POST_PARAMS_TO_CTRL:
-+        if (OSSL_PARAM_get_utf8_string_ptr(ctx->params, &value) == 0 ||
-+            OPENSSL_strcasecmp(ctx->pctx->keytype, value) != 0) {
-+            ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_INVALID_ARGUMENT);
-+            ctx->p1 = 0;
-+            return 0;
-+        }
-+        ctx->p1 = 1;
-+        return 1;
-+    default:
-+        return 0;
-+    }
-+}
-+
- /*-
-  * The translation table itself
-  * ============================
-@@ -2274,6 +2300,15 @@ static const struct translation_st evp_pkey_ctx_translations[] = {
-     { GET, -1, -1, EVP_PKEY_OP_TYPE_SIG,
-       EVP_PKEY_CTRL_GET_MD, NULL, NULL,
-       OSSL_SIGNATURE_PARAM_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md },
-+
-+    /*-
-+     * ECX
-+     * ===
-+     */
-+    { SET, EVP_PKEY_X25519, EVP_PKEY_X25519, EVP_PKEY_OP_KEYGEN, -1, NULL, NULL,
-+      OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, fix_group_ecx },
-+    { SET, EVP_PKEY_X448, EVP_PKEY_X448, EVP_PKEY_OP_KEYGEN, -1, NULL, NULL,
-+      OSSL_PKEY_PARAM_GROUP_NAME, OSSL_PARAM_UTF8_STRING, fix_group_ecx },
- };
- 
- static const struct translation_st evp_pkey_translations[] = {
-@@ -2692,7 +2727,7 @@ static int evp_pkey_ctx_setget_params_to_ctrl(EVP_PKEY_CTX *pctx,
- 
-         ret = fixup(PRE_PARAMS_TO_CTRL, translation, &ctx);
- 
--        if (ret > 0 && action_type != NONE)
-+        if (ret > 0 && ctx.action_type != NONE)
-             ret = EVP_PKEY_CTX_ctrl(pctx, keytype, optype,
-                                     ctx.ctrl_cmd, ctx.p1, ctx.p2);
- 

SOURCES/0103-CVE-2022-4450-pem-read-bio.patch

@@ -27,15 +27,15 @@ index f9ff80162a..85c47fb627 100644
 --- a/crypto/pem/pem_lib.c
 +++ b/crypto/pem/pem_lib.c
 @@ -989,7 +989,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
-     *data = pem_malloc(len, flags);
-     if (*header == NULL || *data == NULL) {
-         pem_free(*header, flags, 0);
-+        *header = NULL;
-         pem_free(*data, flags, 0);
-+        *data = NULL;
-         goto end;
-     }
-     BIO_read(headerB, *header, headerlen);
+ 
+ out_free:
+     pem_free(*header, flags, 0);
++    *header = NULL;
+     pem_free(*data, flags, 0);
++    *data = NULL;
+ end:
+     EVP_ENCODE_CTX_free(ctx);
+     pem_free(name, flags, 0);
 -- 
 2.39.1
 

SOURCES/0106-CVE-2023-0217-dsa.patch

@@ -138,8 +138,8 @@ index 58a5fd009f..c2d87b4a7f 100644
 +    /* a key without parameters is meaningless */
 +    ok = ok && ossl_dh_params_fromdata(dh, params);
  
-     if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0)
-         ok = ok && ossl_dh_key_fromdata(dh, params);
+     if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
+         int include_private =
 diff --git a/providers/implementations/keymgmt/dsa_kmgmt.c b/providers/implementations/keymgmt/dsa_kmgmt.c
 index 100e917167..881680c085 100644
 --- a/providers/implementations/keymgmt/dsa_kmgmt.c
@@ -153,9 +153,9 @@ index 100e917167..881680c085 100644
 +    /* a key without parameters is meaningless */
 +    ok = ok && ossl_dsa_ffc_params_fromdata(dsa, params);
 +
-     if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0)
-         ok = ok && ossl_dsa_key_fromdata(dsa, params);
- 
+     if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
+         int include_private =
+             selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;
 -- 
 2.39.1
 
@@ -252,16 +252,11 @@ Reviewed-by: Paul Dale <pauli@openssl.org>
  create mode 100644 test/recipes/91-test_pkey_check_data/dsapub.pem
  create mode 100644 test/recipes/91-test_pkey_check_data/dsapub_noparam.der
 
---- openssl-3.0.1/test/recipes/91-test_pkey_check.t	2023-02-08 13:43:56.228487948 +0100
-+++ openssl-3.0.7/test/recipes/91-test_pkey_check.t	2023-02-08 12:47:13.531027540 +0100
-@@ -1,5 +1,5 @@
- #! /usr/bin/env perl
--# Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
-+# Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
- #
- # Licensed under the Apache License 2.0 (the "License").  You may not use
- # this file except in compliance with the License.  You can obtain a copy
-@@ -11,24 +11,37 @@
+diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t
+index 612a3e3d6c..015d7805db 100644
+--- a/test/recipes/91-test_pkey_check.t
++++ b/test/recipes/91-test_pkey_check.t
+@@ -11,19 +11,24 @@ use strict;
  use warnings;
  
  use File::Spec;
@@ -269,35 +264,34 @@ Reviewed-by: Paul Dale <pauli@openssl.org>
 +use OpenSSL::Test qw/:DEFAULT data_file with/;
  use OpenSSL::Test::Utils;
  
--sub check_key {
-+sub pkey_check {
+ sub pkey_check {
      my $f = shift;
 +    my $pubcheck = shift;
 +    my @checkopt = ('-check');
-+
-+    @checkopt = ('-pubcheck', '-pubin') if $pubcheck;
  
 -    return run(app(['openssl', 'pkey', '-check', '-text',
++    @checkopt = ('-pubcheck', '-pubin') if $pubcheck;
++
 +    return run(app(['openssl', 'pkey', @checkopt, '-text',
                      '-in', $f]));
  }
  
--sub check_key_notok {
-+sub check_key {
+ sub check_key {
      my $f = shift;
--    my $str = "$f should fail validation";
-+    my $should_fail = shift;
+     my $should_fail = shift;
 +    my $pubcheck = shift;
-+    my $str;
-+
-+
-+    $str = "$f should fail validation" if $should_fail;
-+    $str = "$f should pass validation" unless $should_fail;
+     my $str;
  
+ 
+@@ -33,11 +38,10 @@ sub check_key {
      $f = data_file($f);
  
      if ( -s $f ) {
--        ok(!check_key($f), $str);
+-        if ($should_fail) {
+-            ok(!pkey_check($f), $str);
+-        } else {
+-            ok(pkey_check($f), $str);
+-        }
 +        with({ exit_checker => sub { return shift == $should_fail; } },
 +            sub {
 +                ok(pkey_check($f, $pubcheck), $str);
@@ -305,30 +299,10 @@ Reviewed-by: Paul Dale <pauli@openssl.org>
      } else {
          fail("Missing file $f");
      }
-@@ -36,26 +49,54 @@
+@@ -66,15 +70,37 @@ push(@positive_tests, (
+     "dhpkey.pem"
+     )) unless disabled("dh");
  
- setup("test_pkey_check");
- 
--my @tests = ();
-+my @negative_tests = ();
- 
--push(@tests, (
-+push(@negative_tests, (
-     # For EC keys the range for the secret scalar `k` is `1 <= k <= n-1`
-     "ec_p256_bad_0.pem", # `k` set to `n` (equivalent to `0 mod n`, invalid)
-     "ec_p256_bad_1.pem", # `k` set to `n+1` (equivalent to `1 mod n`, invalid)
-     )) unless disabled("ec");
- 
--push(@tests, (
-+push(@negative_tests, (
-     # For SM2 keys the range for the secret scalar `k` is `1 <= k < n-1`
-     "sm2_bad_neg1.pem", # `k` set to `n-1` (invalid, because SM2 range)
-     "sm2_bad_0.pem", # `k` set to `n` (equivalent to `0 mod n`, invalid)
-     "sm2_bad_1.pem", # `k` set to `n+1` (equivalent to `1 mod n`, invalid)
-     )) unless disabled("sm2");
- 
-+my @positive_tests = ();
-+
 +my @negative_pubtests = ();
 +
 +push(@negative_pubtests, (
@@ -342,28 +316,28 @@ Reviewed-by: Paul Dale <pauli@openssl.org>
 +    )) unless disabled("dsa");
 +
  plan skip_all => "No tests within the current enabled feature set"
--    unless @tests;
+-    unless @negative_tests && @positive_tests;
 +    unless @negative_tests && @positive_tests
 +           && @negative_pubtests && @positive_pubtests;
-+
+ 
+-plan tests => scalar(@negative_tests) + scalar(@positive_tests);
 +plan tests => scalar(@negative_tests) + scalar(@positive_tests)
 +              + scalar(@negative_pubtests) + scalar(@positive_pubtests);
-+
-+foreach my $t (@negative_tests) {
+ 
+ foreach my $t (@negative_tests) {
+-    check_key($t, 1);
 +    check_key($t, 1, 0);
-+}
-+
-+foreach my $t (@positive_tests) {
+ }
+ 
+ foreach my $t (@positive_tests) {
+-    check_key($t, 0);
 +    check_key($t, 0, 0);
 +}
- 
--plan tests => scalar(@tests);
++
 +foreach my $t (@negative_pubtests) {
 +    check_key($t, 1, 1);
 +}
- 
--foreach my $t (@tests) {
--    check_key_notok($t);
++
 +foreach my $t (@positive_pubtests) {
 +    check_key($t, 0, 1);
  }

SPECS/openssl.spec

@@ -28,13 +28,13 @@ print(string.sub(hash, 0, 16))
 
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
-Version: 3.0.1
-Release: 47%{?dist}
+Version: 3.0.7
+Release: 6%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
 # The original openssl upstream tarball cannot be shipped in the .src.rpm.
-Source: openssl-%{version}-hobbled.tar.xz
+Source: openssl-%{version}-hobbled.tar.gz
 Source1: hobble-openssl
 Source2: Makefile.certificate
 Source3: genpatches
@@ -70,12 +70,6 @@ Patch11: 0011-Remove-EC-curves.patch
 # Disable explicit EC curves
 # https://bugzilla.redhat.com/show_bug.cgi?id=2066412
 Patch12: 0012-Disable-explicit-ec.patch
-# https://github.com/openssl/openssl/pull/17981
-Patch13: 0013-FIPS-provider-explicit-ec.patch
-# https://github.com/openssl/openssl/pull/17998
-Patch14: 0014-FIPS-disable-explicit-ec.patch
-# https://github.com/openssl/openssl/pull/18609
-Patch15: 0015-FIPS-decoded-from-explicit.patch
 # Instructions to load legacy provider in openssl.cnf
 Patch24: 0024-load-legacy-prov.patch
 # Tmp: test name change
@@ -92,12 +86,8 @@ Patch35: 0035-speed-skip-unavailable-dgst.patch
 Patch44: 0044-FIPS-140-3-keychecks.patch
 # Minimize fips services
 Patch45: 0045-FIPS-services-minimize.patch
-# Backport of s390x hardening, https://github.com/openssl/openssl/pull/17486
-Patch46: 0046-FIPS-s390x-hardening.patch
 # Execute KATS before HMAC verification
 Patch47: 0047-FIPS-early-KATS.patch
-# Backport of correctly handle 2^14 byte long records #17538
-Patch48: 0048-correctly-handle-records.patch
 # Selectively disallow SHA1 signatures
 Patch49: 0049-Selectively-disallow-SHA1-signatures.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2049265
@@ -106,16 +96,12 @@ Patch50: 0050-FIPS-enable-pkcs12-mac.patch
 Patch51: 0051-Support-different-R_BITS-lengths-for-KBKDF.patch
 # Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
 Patch52: 0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
-# CVE 2022-0778
-Patch53: 0053-CVE-2022-0778.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=2004915, backport of 2c0f7d46b8449423446cfe1e52fc1e1ecd506b62
-Patch54: 0054-Replace-size-check-with-more-meaningful-pubkey-check.patch
-# https://github.com/openssl/openssl/pull/17324
-Patch55: 0055-nonlegacy-fetch-null-deref.patch
-# https://github.com/openssl/openssl/pull/18103
+# Originally from https://github.com/openssl/openssl/pull/18103
+# As we rebased to 3.0.7 and used the version of the function
+# not matching the upstream one, we have to use aliasing.
+# When we eliminate this patch, the `-Wl,--allow-multiple-definition`
+# should also be removed
 Patch56: 0056-strcasecmp.patch
-# https://github.com/openssl/openssl/pull/18175
-Patch57: 0057-strcasecmp-fix.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2053289
 Patch58: 0058-FIPS-limit-rsa-encrypt.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2069235
@@ -123,25 +109,9 @@ Patch60: 0060-FIPS-KAT-signature-tests.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2087147
 Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
 Patch62: 0062-fips-Expose-a-FIPS-indicator.patch
-# https://github.com/openssl/openssl/pull/18141
-Patch63: 0063-CVE-2022-1473.patch
-# upstream commits 55c80c222293a972587004c185dc5653ae207a0e 2eda98790c5c2741d76d23cc1e74b0dc4f4b391a
-Patch64: 0064-CVE-2022-1343.diff
-# upstream commit 1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2
-Patch65: 0065-CVE-2022-1292.patch
-# https://github.com/openssl/openssl/pull/18444
-# https://github.com/openssl/openssl/pull/18467
-Patch66: 0066-replace-expired-certs.patch
-# https://github.com/openssl/openssl/pull/18512
-Patch67: 0067-fix-ppc64-montgomery.patch
-#https://github.com/openssl/openssl/commit/2c9c35870601b4a44d86ddbf512b38df38285cfa
-#https://github.com/openssl/openssl/commit/8a3579a7b7067a983e69a4eda839ac408c120739
-Patch68: 0068-CVE-2022-2068.patch
-# https://github.com/openssl/openssl/commit/a98f339ddd7e8f487d6e0088d4a9a42324885a93
-# https://github.com/openssl/openssl/commit/52d50d52c2f1f4b70d37696bfa74fe5e581e7ba8
-Patch69: 0069-CVE-2022-2097.patch
-# https://github.com/openssl/openssl/commit/edceec7fe0c9a5534ae155c8398c63dd7dd95483
-Patch70: 0070-EVP_PKEY_Q_keygen-Call-OPENSSL_init_crypto-to-init-s.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2130708
+# https://github.com/openssl/openssl/pull/18883
+Patch67: 0067-ppc64le-Montgomery-multiply.patch
 # https://github.com/openssl/openssl/commit/44a563dde1584cd9284e80b6e45ee5019be8d36c
 # https://github.com/openssl/openssl/commit/345c99b6654b8313c792d54f829943068911ddbd
 Patch71: 0071-AES-GCM-performance-optimization.patch
@@ -162,8 +132,6 @@ Patch76: 0076-FIPS-140-3-DRBG.patch
 Patch77: 0077-FIPS-140-3-zeroization.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2114772
 Patch78: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch
-#https://bugzilla.redhat.com/show_bug.cgi?id=2137723
-Patch79: 0079-CVE-2022-3602.patch
 #https://bugzilla.redhat.com/show_bug.cgi?id=2141748
 Patch80: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2142131
@@ -176,10 +144,6 @@ Patch83: 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
 Patch84: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
 #https://bugzilla.redhat.com/show_bug.cgi?id=2142121
 Patch85: 0085-FIPS-RSA-disable-shake.patch
-#https://github.com/openssl/openssl/pull/17546
-Patch86: 0086-avoid-bio-memleak.patch
-#https://github.com/openssl/openssl/pull/19501
-Patch87: 0087-FIPS-RSA-selftest-params.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2142087
 Patch88: 0088-signature-Add-indicator-for-PSS-salt-length.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2142087
@@ -188,9 +152,8 @@ Patch89: 0089-PSS-salt-length-from-provider.patch
 Patch90: 0090-signature-Clamp-PSS-salt-len-to-MD-len.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2144561
 Patch91: 0091-FIPS-RSA-encapsulate.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=2149010
-#https://github.com/openssl/openssl/pull/19348
-Patch94: 0094-ibmca-engine-compat.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2142517
+Patch92: 0092-provider-improvements.patch
 
 # OpenSSL 3.0.8 CVEs
 Patch101: 0101-CVE-2022-4203-nc-match.patch
@@ -228,7 +191,6 @@ protocols.
 Summary: A general purpose cryptography library with TLS implementation
 Requires: ca-certificates >= 2008-5
 Requires: crypto-policies >= 20180730
-Recommends: openssl-pkcs11%{?_isa}
 
 %description libs
 OpenSSL is a toolkit for supporting cryptography. The openssl-libs
@@ -344,7 +306,8 @@ export HASHBANGPERL=/usr/bin/perl
 	zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
 	enable-cms enable-md2 enable-rc5 enable-ktls enable-fips\
 	no-mdc2 no-ec2m no-sm2 no-sm4 enable-buildtest-c++\
-	shared  ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""'
+	shared  ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""'\
+	-Wl,--allow-multiple-definition
 
 # Do not run this in a production package the FIPS symbols must be patched-in
 #util/mkdef.pl crypto update
@@ -531,7 +494,11 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 
 %changelog
-* Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-47
+* Wed Mar 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-6
+- Fixes RNG slowdown in FIPS mode
+  Resolves: rhbz#2168224
+
+* Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-5
 - Fixed X.509 Name Constraints Read Buffer Overflow
   Resolves: CVE-2022-4203
 - Fixed Timing Oracle in RSA Decryption
@@ -549,20 +516,34 @@ install -m644 %{SOURCE9} \
 - Fixed NULL dereference during PKCS7 data verification
   Resolves: CVE-2023-0401
 
-* Thu Jan 05 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-46
-- Refactor OpenSSL fips module MAC verification
-  Resolves: rhbz#2158412
+* Wed Jan 11 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-4
 - Disallow SHAKE in RSA-OAEP decryption in FIPS mode
-  Resolves: rhbz#2144010
+  Resolves: rhbz#2142121
 
-* Mon Nov 28 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-45
-- Add support of X25519 and X448 "group" parameter in EVP_PKEY_CTX objects
-  Resolves: rhbz#2149010
+* Thu Jan 05 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-3
+- Refactor OpenSSL fips module MAC verification
+  Resolves: rhbz#2157965
+
+* Thu Nov 24 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-2
+- Various provider-related imrovements necessary for PKCS#11 provider correct operations
+  Resolves: rhbz#2142517
+- We should export 2 versions of OPENSSL_str[n]casecmp to be compatible with upstream
+  Resolves: rhbz#2133809
+- Removed recommended package for openssl-libs
+  Resolves: rhbz#2093804
+- Adjusting include for the FIPS_mode macro
+  Resolves: rhbz#2083879
+- Backport of ppc64le Montgomery multiply enhancement
+  Resolves: rhbz#2130708
 - Fix explicit indicator for PSS salt length in FIPS mode when used with
   negative magic values
-  Resolves: rhbz#2144012
+  Resolves: rhbz#2142087
 - Update change to default PSS salt length with patch state from upstream 
-  Related: rhbz#2144012
+  Related: rhbz#2142087
+
+* Tue Nov 22 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-1
+- Rebasing to OpenSSL 3.0.7
+  Resolves: rhbz#2129063
 
 * Mon Nov 14 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-44
 - SHAKE-128/256 are not allowed with RSA in FIPS mode