.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -1 +1,66 @@
-SOURCES/openssl-1.1.1k-hobbled.tar.xz
+.build*.log
+clog
+*.src.rpm
+openssl-1.0.0a-usa.tar.bz2
+/openssl-1.0.0b-usa.tar.bz2
+/openssl-1.0.0c-usa.tar.bz2
+/openssl-1.0.0d-usa.tar.bz2
+/openssl-1.0.0e-usa.tar.bz2
+/openssl-1.0.0f-usa.tar.bz2
+/openssl-1.0.0g-usa.tar.xz
+/openssl-1.0.1-beta2-usa.tar.xz
+/openssl-1.0.1-beta3-usa.tar.xz
+/openssl-1.0.1-usa.tar.xz
+/openssl-1.0.1a-usa.tar.xz
+/openssl-1.0.1b-usa.tar.xz
+/openssl-1.0.1c-usa.tar.xz
+/openssl-1.0.1e-usa.tar.xz
+/openssl-1.0.1e-hobbled.tar.xz
+/openssl-1.0.1g-hobbled.tar.xz
+/openssl-1.0.1h-hobbled.tar.xz
+/openssl-1.0.1i-hobbled.tar.xz
+/openssl-1.0.1j-hobbled.tar.xz
+/openssl-1.0.1k-hobbled.tar.xz
+/openssl-1.0.2a-hobbled.tar.xz
+/openssl-1.0.2c-hobbled.tar.xz
+/openssl-1.0.2d-hobbled.tar.xz
+/openssl-1.0.2e-hobbled.tar.xz
+/openssl-1.0.2f-hobbled.tar.xz
+/openssl-1.0.2g-hobbled.tar.xz
+/openssl-1.0.2h-hobbled.tar.xz
+/openssl-1.0.2i-hobbled.tar.xz
+/openssl-1.0.2j-hobbled.tar.xz
+/openssl-1.1.0b-hobbled.tar.xz
+/openssl-1.1.0c-hobbled.tar.xz
+/openssl-1.1.0d-hobbled.tar.xz
+/openssl-1.1.0e-hobbled.tar.xz
+/openssl-1.1.0f-hobbled.tar.xz
+/openssl-1.1.0g-hobbled.tar.xz
+/openssl-1.1.0h-hobbled.tar.xz
+/openssl-1.1.1-pre8-hobbled.tar.xz
+/openssl-1.1.1-pre9-hobbled.tar.xz
+/openssl-1.1.1-hobbled.tar.xz
+/openssl-1.1.1a-hobbled.tar.xz
+/openssl-1.1.1b-hobbled.tar.xz
+/openssl-1.1.1c-hobbled.tar.xz
+/openssl-1.1.1d-hobbled.tar.xz
+/openssl-1.1.1e-hobbled.tar.xz
+/openssl-1.1.1f-hobbled.tar.xz
+/openssl-1.1.1g-hobbled.tar.xz
+/openssl-1.1.1h-hobbled.tar.xz
+/openssl-1.1.1i-hobbled.tar.xz
+/openssl-1.1.1j-hobbled.tar.xz
+/openssl-1.1.1k-hobbled.tar.xz
+/openssl-3.0.0-hobbled.tar.xz
+/openssl-3.0.2-hobbled.tar.gz
+/openssl-3.0.3-hobbled.tar.gz
+/openssl-3.0.5-hobbled.tar.xz
+/openssl-3.0.7-hobbled.tar.gz
+/openssl-3.0.8-hobbled.tar.gz
+/openssl-3.0.8.tar.gz
+/openssl-3.1.1.tar.gz
+/openssl-3.1.4.tar.gz
+/openssl-3.2.1.tar.gz
+/openssl-3.2.2.tar.gz
+/openssl-3.5.0.tar.gz
+/openssl-3.5.1.tar.gz

.openssl.metadata

@@ -1 +0,0 @@
-6fde639a66329f2cd9135eb192f2228f2a402c0e SOURCES/openssl-1.1.1k-hobbled.tar.xz

0001-RH-Aarch64-and-ppc64le-use-lib64.patch

@@ -0,0 +1,38 @@
+From bc8c037733c26d4c4a2a3dfd1e383be9855449b3 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:14 +0100
+Subject: [PATCH 01/53] RH: Aarch64 and ppc64le use lib64
+
+Patch-name: 0001-Aarch64-and-ppc64le-use-lib64.patch
+Patch-id: 1
+Patch-status: |
+    # # Patches exported from source git
+    # # Aarch64 and ppc64le use lib64
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ Configurations/10-main.conf | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
+index cba57b4127..3e327017ef 100644
+--- a/Configurations/10-main.conf
++++ b/Configurations/10-main.conf
+@@ -726,6 +726,7 @@ my %targets = (
+         lib_cppflags     => add("-DL_ENDIAN"),
+         asm_arch         => 'ppc64',
+         perlasm_scheme   => "linux64le",
++        multilib         => "64",
+     },
+ 
+     "linux-armv4" => {
+@@ -768,6 +769,7 @@ my %targets = (
+         inherit_from     => [ "linux-generic64" ],
+         asm_arch         => 'aarch64',
+         perlasm_scheme   => "linux64",
++        multilib         => "64",
+     },
+     "linux-arm64ilp32" => {  # https://wiki.linaro.org/Platform/arm64-ilp32
+         inherit_from     => [ "linux-generic32" ],
+-- 
+2.50.0
+

0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch

@@ -0,0 +1,456 @@
+From 99e084a168125827163da87f3f1de3f05db99be1 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 6 Mar 2025 08:40:29 -0500
+Subject: [PATCH 02/53] Add a separate config file to use for rpm installs
+
+In RHEL/Fedora systems we want to use a slightly different set
+of defaults, but we do not want to change the standard config file
+because there are many assumptions about its configuration in
+openssl upstream tests.
+
+So we create a separate one to use to override the default on on
+installation.
+
+This config file differs from upstream for:
+- CA directory tree paths
+- Instructions about legacy provider
+- Default certificate digest (set to sha256)
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ doc/man5/config.pod |   8 +
+ rh-openssl.cnf      | 403 ++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 411 insertions(+)
+ create mode 100644 rh-openssl.cnf
+
+diff --git a/doc/man5/config.pod b/doc/man5/config.pod
+index e24ea0c595..39fa468320 100644
+--- a/doc/man5/config.pod
++++ b/doc/man5/config.pod
+@@ -284,6 +284,14 @@ Note this setting defaults to off if not provided
+ All parameters in the section as well as sub-sections are made
+ available to the provider.
+ 
++=head3 Loading the legacy provider
++
++Uncomment the sections that start with ## in openssl.cnf
++to enable the legacy provider.
++Note: In general it is not recommended to use the above mentioned algorithms for
++security critical operations, as they are cryptographically weak or vulnerable
++to side-channel attacks and as such have been deprecated.
++
+ =head3 Default provider and its activation
+ 
+ If no providers are activated explicitly, the default one is activated implicitly.
+diff --git a/rh-openssl.cnf b/rh-openssl.cnf
+new file mode 100644
+index 0000000000..fe2346eb2b
+--- /dev/null
++++ b/rh-openssl.cnf
+@@ -0,0 +1,403 @@
++#
++# OpenSSL example configuration file.
++# See doc/man5/config.pod for more info.
++#
++# This is mostly being used for generation of certificate requests,
++# but may be used for auto loading of providers
++
++# Note that you can include other files from the main configuration
++# file using the .include directive.
++#.include filename
++
++# This definition stops the following lines choking if HOME isn't
++# defined.
++HOME			= .
++
++# Use this in order to automatically load providers.
++openssl_conf = openssl_init
++
++# Ignore configuration errors
++config_diagnostics = 0
++
++# Extra OBJECT IDENTIFIER info:
++# oid_file       = $ENV::HOME/.oid
++oid_section = new_oids
++
++# To use this configuration file with the "-extfile" option of the
++# "openssl x509" utility, name here the section containing the
++# X.509v3 extensions to use:
++# extensions		=
++# (Alternatively, use a configuration file that has only
++# X.509v3 extensions in its main [= default] section.)
++
++[ new_oids ]
++# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
++# Add a simple OID like this:
++# testoid1=1.2.3.4
++# Or use config file substitution like this:
++# testoid2=${testoid1}.5.6
++
++# Policies used by the TSA examples.
++tsa_policy1 = 1.2.3.4.1
++tsa_policy2 = 1.2.3.4.5.6
++tsa_policy3 = 1.2.3.4.5.7
++
++[openssl_init]
++providers = provider_sect
++# Uncomment the sections that start with ## below to enable the legacy provider.
++# Loading the legacy provider enables support for the following algorithms:
++# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
++# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
++# Key Derivation Function (KDF): PBKDF1
++# In general it is not recommended to use the above mentioned algorithms for
++# security critical operations, as they are cryptographically weak or vulnerable
++# to side-channel attacks and as such have been deprecated.
++
++# Load default TLS policy configuration
++ssl_conf = ssl_module
++alg_section = evp_properties
++
++[ evp_properties ]
++#This section is intentionally added empty here
++#to be tuned on particular systems
++
++# List of providers to load
++[provider_sect]
++default = default_sect
++##legacy = legacy_sect
++##
++[default_sect]
++activate = 1
++
++##[legacy_sect]
++##activate = 1
++
++#Place the third party provider configuration files into this folder
++.include /etc/pki/tls/openssl.d
++
++
++[ ssl_module ]
++
++system_default = crypto_policy
++
++[ crypto_policy ]
++
++.include = /etc/crypto-policies/back-ends/opensslcnf.config
++
++####################################################################
++[ ca ]
++default_ca	= CA_default		# The default ca section
++
++####################################################################
++[ CA_default ]
++
++dir		= /etc/pki/CA		# Where everything is kept
++certs		= $dir/certs		# Where the issued certs are kept
++crl_dir		= $dir/crl		# Where the issued crl are kept
++database	= $dir/index.txt	# database index file.
++#unique_subject	= no			# Set to 'no' to allow creation of
++					# several certs with same subject.
++new_certs_dir	= $dir/newcerts		# default place for new certs.
++
++certificate	= $dir/cacert.pem 	# The CA certificate
++serial		= $dir/serial 		# The current serial number
++crlnumber	= $dir/crlnumber	# the current crl number
++					# must be commented out to leave a V1 CRL
++crl		= $dir/crl.pem 		# The current CRL
++private_key	= $dir/private/cakey.pem # The private key
++
++x509_extensions	= usr_cert		# The extensions to add to the cert
++
++# Comment out the following two lines for the "traditional"
++# (and highly broken) format.
++name_opt 	= ca_default		# Subject Name options
++cert_opt 	= ca_default		# Certificate field options
++
++# Extension copying option: use with caution.
++# copy_extensions = copy
++
++# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
++# so this is commented out by default to leave a V1 CRL.
++# crlnumber must also be commented out to leave a V1 CRL.
++# crl_extensions	= crl_ext
++
++default_days	= 365			# how long to certify for
++default_crl_days= 30			# how long before next CRL
++default_md	= sha256		# use SHA-256 by default
++preserve	= no			# keep passed DN ordering
++
++# A few difference way of specifying how similar the request should look
++# For type CA, the listed attributes must be the same, and the optional
++# and supplied fields are just that :-)
++policy		= policy_match
++
++# For the CA policy
++[ policy_match ]
++countryName		= match
++stateOrProvinceName	= match
++organizationName	= match
++organizationalUnitName	= optional
++commonName		= supplied
++emailAddress		= optional
++
++# For the 'anything' policy
++# At this point in time, you must list all acceptable 'object'
++# types.
++[ policy_anything ]
++countryName		= optional
++stateOrProvinceName	= optional
++localityName		= optional
++organizationName	= optional
++organizationalUnitName	= optional
++commonName		= supplied
++emailAddress		= optional
++
++####################################################################
++[ req ]
++default_bits		= 2048
++default_keyfile 	= privkey.pem
++distinguished_name	= req_distinguished_name
++attributes		= req_attributes
++x509_extensions	= v3_ca	# The extensions to add to the self signed cert
++
++# Passwords for private keys if not present they will be prompted for
++# input_password = secret
++# output_password = secret
++
++# This sets a mask for permitted string types. There are several options.
++# default: PrintableString, T61String, BMPString.
++# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
++# utf8only: only UTF8Strings (PKIX recommendation after 2004).
++# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
++# MASK:XXXX a literal mask value.
++# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
++string_mask = utf8only
++
++# req_extensions = v3_req # The extensions to add to a certificate request
++
++[ req_distinguished_name ]
++countryName			= Country Name (2 letter code)
++countryName_default		= XX
++countryName_min			= 2
++countryName_max			= 2
++
++stateOrProvinceName		= State or Province Name (full name)
++#stateOrProvinceName_default	= Default Province
++
++localityName			= Locality Name (eg, city)
++localityName_default		= Default City
++
++0.organizationName		= Organization Name (eg, company)
++0.organizationName_default	= Default Company Ltd
++
++# we can do this but it is not needed normally :-)
++#1.organizationName		= Second Organization Name (eg, company)
++#1.organizationName_default	= World Wide Web Pty Ltd
++
++organizationalUnitName		= Organizational Unit Name (eg, section)
++#organizationalUnitName_default	=
++
++commonName			= Common Name (eg, your name or your server\'s hostname)
++commonName_max			= 64
++
++emailAddress			= Email Address
++emailAddress_max		= 64
++
++# SET-ex3			= SET extension number 3
++
++[ req_attributes ]
++challengePassword		= A challenge password
++challengePassword_min		= 4
++challengePassword_max		= 20
++
++unstructuredName		= An optional company name
++
++[ usr_cert ]
++
++# These extensions are added when 'ca' signs a request.
++
++# This goes against PKIX guidelines but some CAs do it and some software
++# requires this to avoid interpreting an end user certificate as a CA.
++
++basicConstraints=CA:FALSE
++
++# This is typical in keyUsage for a client certificate.
++# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
++
++# PKIX recommendations harmless if included in all certificates.
++subjectKeyIdentifier=hash
++authorityKeyIdentifier=keyid,issuer
++
++# This stuff is for subjectAltName and issuerAltname.
++# Import the email address.
++# subjectAltName=email:copy
++# An alternative to produce certificates that aren't
++# deprecated according to PKIX.
++# subjectAltName=email:move
++
++# Copy subject details
++# issuerAltName=issuer:copy
++
++# This is required for TSA certificates.
++# extendedKeyUsage = critical,timeStamping
++
++[ v3_req ]
++
++# Extensions to add to a certificate request
++
++basicConstraints = CA:FALSE
++keyUsage = nonRepudiation, digitalSignature, keyEncipherment
++
++[ v3_ca ]
++
++
++# Extensions for a typical CA
++
++
++# PKIX recommendation.
++
++subjectKeyIdentifier=hash
++
++authorityKeyIdentifier=keyid:always,issuer
++
++basicConstraints = critical,CA:true
++
++# Key usage: this is typical for a CA certificate. However since it will
++# prevent it being used as an test self-signed certificate it is best
++# left out by default.
++# keyUsage = cRLSign, keyCertSign
++
++# Include email address in subject alt name: another PKIX recommendation
++# subjectAltName=email:copy
++# Copy issuer details
++# issuerAltName=issuer:copy
++
++# DER hex encoding of an extension: beware experts only!
++# obj=DER:02:03
++# Where 'obj' is a standard or added object
++# You can even override a supported extension:
++# basicConstraints= critical, DER:30:03:01:01:FF
++
++[ crl_ext ]
++
++# CRL extensions.
++# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
++
++# issuerAltName=issuer:copy
++authorityKeyIdentifier=keyid:always
++
++[ proxy_cert_ext ]
++# These extensions should be added when creating a proxy certificate
++
++# This goes against PKIX guidelines but some CAs do it and some software
++# requires this to avoid interpreting an end user certificate as a CA.
++
++basicConstraints=CA:FALSE
++
++# This is typical in keyUsage for a client certificate.
++# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
++
++# PKIX recommendations harmless if included in all certificates.
++subjectKeyIdentifier=hash
++authorityKeyIdentifier=keyid,issuer
++
++# This stuff is for subjectAltName and issuerAltname.
++# Import the email address.
++# subjectAltName=email:copy
++# An alternative to produce certificates that aren't
++# deprecated according to PKIX.
++# subjectAltName=email:move
++
++# Copy subject details
++# issuerAltName=issuer:copy
++
++# This really needs to be in place for it to be a proxy certificate.
++proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
++
++####################################################################
++[ tsa ]
++
++default_tsa = tsa_config1	# the default TSA section
++
++[ tsa_config1 ]
++
++# These are used by the TSA reply generation only.
++dir		= /etc/pki/CA		# TSA root directory
++serial		= $dir/tsaserial	# The current serial number (mandatory)
++crypto_device	= builtin		# OpenSSL engine to use for signing
++signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
++					# (optional)
++certs		= $dir/cacert.pem	# Certificate chain to include in reply
++					# (optional)
++signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
++signer_digest  = sha256			# Signing digest to use. (Optional)
++default_policy	= tsa_policy1		# Policy if request did not specify it
++					# (optional)
++other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
++digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
++accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
++clock_precision_digits  = 0	# number of digits after dot. (optional)
++ordering		= yes	# Is ordering defined for timestamps?
++				# (optional, default: no)
++tsa_name		= yes	# Must the TSA name be included in the reply?
++				# (optional, default: no)
++ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
++				# (optional, default: no)
++ess_cert_id_alg		= sha256	# algorithm to compute certificate
++				# identifier (optional, default: sha256)
++
++[insta] # CMP using Insta Demo CA
++# Message transfer
++server = pki.certificate.fi:8700
++# proxy = # set this as far as needed, e.g., http://192.168.1.1:8080
++# tls_use = 0
++path = pkix/
++
++# Server authentication
++recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer
++ignore_keyusage = 1 # potentially needed quirk
++unprotected_errors = 1 # potentially needed quirk
++extracertsout = insta.extracerts.pem
++
++# Client authentication
++ref = 3078 # user identification
++secret = pass:insta # can be used for both client and server side
++
++# Generic message options
++cmd = ir # default operation, can be overridden on cmd line with, e.g., kur
++
++# Certificate enrollment
++subject = "/CN=openssl-cmp-test"
++newkey = insta.priv.pem
++out_trusted = apps/insta.ca.crt # does not include keyUsage digitalSignature
++certout = insta.cert.pem
++
++[pbm] # Password-based protection for Insta CA
++# Server and client authentication
++ref = $insta::ref # 3078
++secret = $insta::secret # pass:insta
++
++[signature] # Signature-based protection for Insta CA
++# Server authentication
++trusted = $insta::out_trusted # apps/insta.ca.crt
++
++# Client authentication
++secret = # disable PBM
++key = $insta::newkey # insta.priv.pem
++cert = $insta::certout # insta.cert.pem
++
++[ir]
++cmd = ir
++
++[cr]
++cmd = cr
++
++[kur]
++# Certificate update
++cmd = kur
++oldcert = $insta::certout # insta.cert.pem
++
++[rr]
++# Certificate revocation
++cmd = rr
++oldcert = $insta::certout # insta.cert.pem
+-- 
+2.50.0
+

0003-RH-Do-not-install-html-docs.patch

@@ -0,0 +1,30 @@
+From 371ef9d39cb5a54d7f22ef1abd6340dbadf88fcd Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:14 +0100
+Subject: [PATCH 03/53] RH: Do not install html docs
+
+Patch-name: 0003-Do-not-install-html-docs.patch
+Patch-id: 3
+Patch-status: |
+    # # Do not install html docs
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ Configurations/unix-Makefile.tmpl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
+index a6f666957e..b1d8b00755 100644
+--- a/Configurations/unix-Makefile.tmpl
++++ b/Configurations/unix-Makefile.tmpl
+@@ -658,7 +658,7 @@ install_sw: install_dev install_engines install_modules install_runtime ## Insta
+ 
+ uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev ## Uninstall the software and libraries
+ 
+-install_docs: install_man_docs install_html_docs ## Install manpages and HTML documentation
++install_docs: install_man_docs ## Install manpages
+ 
+ uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and HTML documentation
+ 	$(RM) -r "$(DESTDIR)$(DOCDIR)"
+-- 
+2.50.0
+

0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch

@@ -0,0 +1,30 @@
+From 79787a5bb85fed3c6998bfe3aebcdff9ffa56edf Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:14 +0100
+Subject: [PATCH 04/53] RH: apps ca fix md option help text.patch - DROP?
+
+Patch-name: 0005-apps-ca-fix-md-option-help-text.patch
+Patch-id: 5
+Patch-status: |
+    # # apps/ca: fix md option help text
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ apps/ca.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/apps/ca.c b/apps/ca.c
+index 6d1d1c0a6e..a7553ba609 100644
+--- a/apps/ca.c
++++ b/apps/ca.c
+@@ -216,7 +216,7 @@ const OPTIONS ca_options[] = {
+     {"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"},
+ 
+     OPT_SECTION("Signing"),
+-    {"md", OPT_MD, 's', "Digest to use, such as sha256"},
++    {"md", OPT_MD, 's', "Digest to use, such as sha256; see openssl help for list"},
+     {"keyfile", OPT_KEYFILE, 's', "The CA private key"},
+     {"keyform", OPT_KEYFORM, 'f',
+      "Private key file format (ENGINE, other values ignored)"},
+-- 
+2.50.0
+

0005-RH-Disable-signature-verification-with-bad-digests-R.patch

@@ -0,0 +1,34 @@
+From c99e322d8f8ea6835f2d8aff4ca33d36410c4233 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:14 +0100
+Subject: [PATCH 05/53] RH: Disable signature verification with bad digests -
+ REVIEW
+
+Patch-name: 0006-Disable-signature-verification-with-totally-unsafe-h.patch
+Patch-id: 6
+Patch-status: |
+    # # Disable signature verification with totally unsafe hash algorithms
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ crypto/asn1/a_verify.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
+index f6cac80962..fbc6ce6e30 100644
+--- a/crypto/asn1/a_verify.c
++++ b/crypto/asn1/a_verify.c
+@@ -151,6 +151,11 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
+             ERR_raise(ERR_LIB_ASN1, ERR_R_EVP_LIB);
+         if (ret <= 1)
+             goto err;
++    } else if ((mdnid == NID_md5
++               && ossl_safe_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) ||
++               mdnid == NID_md4 || mdnid == NID_md2 || mdnid == NID_sha) {
++        ERR_raise(ERR_LIB_ASN1, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
++        goto err;
+     } else {
+         const EVP_MD *type = NULL;
+ 
+-- 
+2.50.0
+

0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch

@@ -1,7 +1,29 @@
-diff -up openssl-1.1.1c/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.1c/Configurations/unix-Makefile.tmpl
+From f54b7469e2525ea5f03113fad7169bd23fbcab50 Mon Sep 17 00:00:00 2001
---- openssl-1.1.1c/Configurations/unix-Makefile.tmpl.system-cipherlist	2019-05-29 15:42:27.951329271 +0200
+From: rpm-build <rpm-build>
-+++ openssl-1.1.1c/Configurations/unix-Makefile.tmpl	2019-05-29 15:42:27.974328867 +0200
+Date: Wed, 6 Mar 2024 19:17:14 +0100
-@@ -180,6 +180,10 @@ MANDIR=$(INSTALLTOP)/share/man
+Subject: [PATCH 06/53] RH: Add support for PROFILE SYSTEM system default
+ cipher
+
+Patch-name: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+Patch-id: 7
+Patch-status: |
+    # # Add support for PROFILE=SYSTEM system default cipherlist
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ Configurations/unix-Makefile.tmpl |  5 ++
+ Configure                         | 11 +++-
+ doc/man1/openssl-ciphers.pod.in   |  9 ++++
+ include/openssl/ssl.h.in          |  5 ++
+ ssl/ssl_ciph.c                    | 83 +++++++++++++++++++++++++++----
+ ssl/ssl_lib.c                     |  4 +-
+ test/cipherlist_test.c            |  2 +
+ 7 files changed, 105 insertions(+), 14 deletions(-)
+
+diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
+index b1d8b00755..91fd703afa 100644
+--- a/Configurations/unix-Makefile.tmpl
++++ b/Configurations/unix-Makefile.tmpl
+@@ -344,6 +344,10 @@ MANDIR=$(INSTALLTOP)/share/man
  DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
  HTMLDIR=$(DOCDIR)/html
  
@@ -12,7 +34,7 @@ diff -up openssl-1.1.1c/Configurations/unix-Makefile.tmpl.system-cipherlist open
  # MANSUFFIX is for the benefit of anyone who may want to have a suffix
  # appended after the manpage file section number.  "ssl" is popular,
  # resulting in files such as config.5ssl rather than config.5.
-@@ -203,6 +207,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
+@@ -367,6 +371,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
  CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -}
  CPPFLAGS={- our $cppflags1 = join(" ",
                                    (map { "-D".$_} @{$config{CPPDEFINES}}),
@@ -20,29 +42,31 @@ diff -up openssl-1.1.1c/Configurations/unix-Makefile.tmpl.system-cipherlist open
                                    (map { "-I".$_} @{$config{CPPINCLUDES}}),
                                    @{$config{CPPFLAGS}}) -}
  CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
-diff -up openssl-1.1.1c/Configure.system-cipherlist openssl-1.1.1c/Configure
+diff --git a/Configure b/Configure
---- openssl-1.1.1c/Configure.system-cipherlist	2019-05-28 15:12:21.000000000 +0200
+index 499585438a..e1b908fe13 100755
-+++ openssl-1.1.1c/Configure	2019-05-29 15:45:10.465469533 +0200
+--- a/Configure
-@@ -24,7 +24,7 @@ use OpenSSL::Glob;
++++ b/Configure
+@@ -27,7 +27,7 @@ use OpenSSL::config;
  my $orig_death_handler = $SIG{__DIE__};
  $SIG{__DIE__} = \&death_handler;
  
--my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
+-my $usage="Usage: Configure [no-<feature> ...] [enable-<feature> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]thread-pool] [[no-]default-thread-pool] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
-+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
++my $usage="Usage: Configure [no-<feature> ...] [enable-<feature> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]thread-pool] [[no-]default-thread-pool] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
  
- # Options:
+ my $banner = <<"EOF";
- #
+ 
-@@ -41,6 +41,9 @@ my $usage="Usage: Configure [no-<cipher>
+@@ -61,6 +61,10 @@ EOF
+ #               given with --prefix.
  #               This becomes the value of OPENSSLDIR in Makefile and in C.
  #               (Default: PREFIX/ssl)
- #
++#
 +# --system-ciphers-file  A file to read cipher string from when the PROFILE=SYSTEM
 +#		cipher is specified (default).
 +#
- # --cross-compile-prefix Add specified prefix to binutils components.
+ # --banner=".." Output specified text instead of default completion banner
  #
- # --api         One of 0.9.8, 1.0.0 or 1.1.0.  Do not compile support for
+ # -w            Don't wait after showing a Configure warning
-@@ -295,6 +298,7 @@ $config{prefix}="";
+@@ -409,6 +413,7 @@ $config{prefix}="";
  $config{openssldir}="";
  $config{processor}="";
  $config{libdir}="";
@@ -50,30 +74,22 @@ diff -up openssl-1.1.1c/Configure.system-cipherlist openssl-1.1.1c/Configure
  my $auto_threads=1;    # enable threads automatically? true by default
  my $default_ranlib;
  
-@@ -824,6 +828,10 @@ while (@argvcopy)
+@@ -1105,6 +1110,10 @@ while (@argvcopy)
-                             push @seed_sources, $x;
+                         die "FIPS key too long (64 bytes max)\n"
-                             }
+                            if length $1 > 64;
                          }
 +		elsif (/^--system-ciphers-file=(.*)$/)
 +			{
 +			$config{system_ciphers_file}=$1;
 +			}
-                 elsif (/^--cross-compile-prefix=(.*)$/)
+                 elsif (/^--banner=(.*)$/)
                          {
-                         $user{CROSS_COMPILE}=$1;
+                         $banner = $1 . "\n";
-@@ -1016,6 +1024,8 @@ if ($target eq "HASH") {
+diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in
-     exit 0;
+index 69195bcdcb..a6e0ede570 100644
- }
+--- a/doc/man1/openssl-ciphers.pod.in
- 
++++ b/doc/man1/openssl-ciphers.pod.in
-+chop $config{system_ciphers_file} if $config{system_ciphers_file} =~ /\/$/;
+@@ -189,6 +189,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher suites are sensibly ordered by default.
-+
- print "Configuring OpenSSL version $config{version} ($config{version_num}) ";
- print "for $target\n";
- 
-diff -up openssl-1.1.1c/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1c/doc/man1/ciphers.pod
---- openssl-1.1.1c/doc/man1/ciphers.pod.system-cipherlist	2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/doc/man1/ciphers.pod	2019-05-29 15:42:27.975328849 +0200
-@@ -182,6 +182,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
  
  The cipher suites not enabled by B<ALL>, currently B<eNULL>.
  
@@ -89,41 +105,41 @@ diff -up openssl-1.1.1c/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1c/do
  =item B<HIGH>
  
  "High" encryption cipher suites. This currently means those with key lengths
-diff -up openssl-1.1.1c/include/openssl/ssl.h.system-cipherlist openssl-1.1.1c/include/openssl/ssl.h
+diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
---- openssl-1.1.1c/include/openssl/ssl.h.system-cipherlist	2019-05-28 15:12:21.000000000 +0200
+index 383c5bc411..d1b00e8454 100644
-+++ openssl-1.1.1c/include/openssl/ssl.h	2019-05-29 15:42:27.975328849 +0200
+--- a/include/openssl/ssl.h.in
-@@ -186,6 +186,11 @@ extern "C" {
++++ b/include/openssl/ssl.h.in
+@@ -209,6 +209,11 @@ extern "C" {
   * throwing out anonymous and unencrypted ciphersuites! (The latter are not
   * actually enabled by ALL, but "ALL:RSA" would enable some of them.)
   */
 +# ifdef SYSTEM_CIPHERS_FILE
 +#  define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM"
 +# else
-+#  define SSL_SYSTEM_DEFAULT_CIPHER_LIST SSL_DEFAULT_CIPHER_LIST
++#  define SSL_SYSTEM_DEFAULT_CIPHER_LIST OSSL_default_cipher_list()
 +# endif
  
  /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
  # define SSL_SENT_SHUTDOWN       1
-diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_ciph.c
+diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
---- openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist	2019-05-28 15:12:21.000000000 +0200
+index 6127cb7a4b..19420d6c6a 100644
-+++ openssl-1.1.1c/ssl/ssl_ciph.c	2019-05-29 15:42:27.976328831 +0200
+--- a/ssl/ssl_ciph.c
-@@ -9,6 +9,8 @@
++++ b/ssl/ssl_ciph.c
+@@ -9,6 +9,7 @@
   * https://www.openssl.org/source/license.html
   */
  
-+/* for secure_getenv */
 +#define _GNU_SOURCE
  #include <stdio.h>
  #include <ctype.h>
  #include <openssl/objects.h>
-@@ -1399,6 +1401,53 @@ int SSL_set_ciphersuites(SSL *s, const c
+@@ -1421,6 +1422,49 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
      return ret;
  }
  
 +#ifdef SYSTEM_CIPHERS_FILE
 +static char *load_system_str(const char *suffix)
 +{
-+    FILE *fp;
 +    char buf[1024];
 +    char *new_rules;
 +    const char *ciphers_path;
@@ -131,29 +147,26 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_
 +
 +    if ((ciphers_path = secure_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL)
 +        ciphers_path = SYSTEM_CIPHERS_FILE;
-+    fp = fopen(ciphers_path, "r");
++    ERR_set_mark();
-+    if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
++    if (access(ciphers_path, R_OK) == 0) {
-+        /* cannot open or file is empty */
++        CONF *conf = NCONF_new_ex(NULL, NCONF_default());
++        char *value = NULL;
++
++        if (NCONF_load(conf, ciphers_path, NULL) > 0)
++            value = NCONF_get_string(conf, "global", "CipherString");
++
++        snprintf(buf, sizeof(buf), "%s", value ? value : SSL_DEFAULT_CIPHER_LIST);
++
++        NCONF_free(conf);
++    } else {
 +        snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
 +    }
-+
++    ERR_pop_to_mark();
-+    if (fp)
-+        fclose(fp);
-+
 +    slen = strlen(suffix);
 +    len = strlen(buf);
 +
-+    if (buf[len - 1] == '\n') {
++    new_rules = OPENSSL_zalloc(len + slen + 1);
-+        len--;
++    if (new_rules == NULL)
-+        buf[len] = 0;
-+    }
-+    if (buf[len - 1] == '\r') {
-+        len--;
-+        buf[len] = 0;
-+    }
-+
-+    new_rules = OPENSSL_malloc(len + slen + 1);
-+    if (new_rules == 0)
 +        return NULL;
 +
 +    memcpy(new_rules, buf, len);
@@ -167,18 +180,18 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_
 +}
 +#endif
 +
- STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
+ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
                                               STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
                                               STACK_OF(SSL_CIPHER) **cipher_list,
-@@ -1412,15 +1461,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1435,15 +1479,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
-     const char *rule_p;
      CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
      const SSL_CIPHER **ca_list = NULL;
+     const SSL_METHOD *ssl_method = ctx->method;
 +#ifdef SYSTEM_CIPHERS_FILE
 +    char *new_rules = NULL;
 +
 +    if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {
-+        char *p = rule_str + 14;
++        const char *p = rule_str + 14;
 +
 +        new_rules = load_system_str(p);
 +        rule_str = new_rules;
@@ -191,23 +204,23 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_
      if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
 -        return NULL;
 +        goto err;
- #ifndef OPENSSL_NO_EC
+ 
      if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
 -        return NULL;
 +        goto err;
- #endif
  
      /*
-@@ -1443,7 +1502,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+      * To reduce the work to do we only want to process the compiled
+@@ -1465,7 +1519,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
+     if (num_of_ciphers > 0) {
          co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
-     if (co_list == NULL) {
+         if (co_list == NULL)
-         SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
 -            return NULL;          /* Failure */
 +            goto err;
      }
  
      ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
-@@ -1509,8 +1568,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1531,8 +1585,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
       * in force within each class
       */
      if (!ssl_cipher_strength_sort(&head, &tail)) {
@@ -217,18 +230,17 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_
      }
  
      /*
-@@ -1555,9 +1613,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1576,8 +1629,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
      num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
      ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
      if (ca_list == NULL) {
 -        OPENSSL_free(co_list);
-         SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
 -        return NULL;          /* Failure */
 +        goto err;
      }
      ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
                                 disabled_mkey, disabled_auth, disabled_enc,
-@@ -1583,8 +1640,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1603,8 +1655,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
      OPENSSL_free(ca_list);      /* Not needed anymore */
  
      if (!ok) {                  /* Rule processing failure */
@@ -238,7 +250,7 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_
      }
  
      /*
-@@ -1592,14 +1648,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1612,10 +1663,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
       * if we cannot get one.
       */
      if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
@@ -253,13 +265,8 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_
 +
      /* Add TLSv1.3 ciphers first - we always prefer those if possible */
      for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
-         if (!sk_SSL_CIPHER_push(cipherstack,
+         const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
-                                 sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
+@@ -1667,6 +1721,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
-+            OPENSSL_free(co_list);
-             sk_SSL_CIPHER_free(cipherstack);
-             return NULL;
-         }
-@@ -1631,6 +1691,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
      *cipher_list = cipherstack;
  
      return cipherstack;
@@ -270,35 +277,36 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_
 +    OPENSSL_free(new_rules);
 +#endif
 +    return NULL;
-+  
  }
  
  char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
-diff -up openssl-1.1.1c/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1c/ssl/ssl_lib.c
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
---- openssl-1.1.1c/ssl/ssl_lib.c.system-cipherlist	2019-05-29 15:42:27.970328937 +0200
+index 9696a4c55f..4bd3318407 100644
-+++ openssl-1.1.1c/ssl/ssl_lib.c	2019-05-29 15:42:27.977328814 +0200
+--- a/ssl/ssl_lib.c
-@@ -662,7 +662,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
++++ b/ssl/ssl_lib.c
+@@ -686,7 +686,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
                                  ctx->tls13_ciphersuites,
                                  &(ctx->cipher_list),
                                  &(ctx->cipher_list_by_id),
--                                SSL_DEFAULT_CIPHER_LIST, ctx->cert);
+-                                OSSL_default_cipher_list(), ctx->cert);
 +                                SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert);
      if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
-         SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
+         ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
          return 0;
-@@ -2954,7 +2954,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+@@ -4136,7 +4136,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
-     if (!ssl_create_cipher_list(ret->method,
+     if (!ssl_create_cipher_list(ret,
                                  ret->tls13_ciphersuites,
                                  &ret->cipher_list, &ret->cipher_list_by_id,
--                                SSL_DEFAULT_CIPHER_LIST, ret->cert)
+-                                OSSL_default_cipher_list(), ret->cert)
 +                                SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert)
          || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
-         SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
+         ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
-         goto err2;
+         goto err;
-diff -up openssl-1.1.1c/test/cipherlist_test.c.system-cipherlist openssl-1.1.1c/test/cipherlist_test.c
+diff --git a/test/cipherlist_test.c b/test/cipherlist_test.c
---- openssl-1.1.1c/test/cipherlist_test.c.system-cipherlist	2019-05-28 15:12:21.000000000 +0200
+index c46e431b00..19d05e860b 100644
-+++ openssl-1.1.1c/test/cipherlist_test.c	2019-05-29 15:42:27.977328814 +0200
+--- a/test/cipherlist_test.c
-@@ -251,7 +251,9 @@ end:
++++ b/test/cipherlist_test.c
+@@ -261,7 +261,9 @@ end:
  
  int setup_tests(void)
  {
@@ -307,4 +315,7 @@ diff -up openssl-1.1.1c/test/cipherlist_test.c.system-cipherlist openssl-1.1.1c/
 +#endif
      ADD_TEST(test_default_cipherlist_explicit);
      ADD_TEST(test_default_cipherlist_clear);
-     return 1;
+     ADD_TEST(test_stdname_cipherlist);
+-- 
+2.50.0
+

0007-RH-Add-FIPS_mode-compatibility-macro.patch

@@ -0,0 +1,83 @@
+From 6a1b39542597be9a28f94dad23a8e93285368653 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:15 +0100
+Subject: [PATCH 07/53] RH: Add FIPS_mode compatibility macro
+
+Patch-name: 0008-Add-FIPS_mode-compatibility-macro.patch
+Patch-id: 8
+Patch-status: |
+    # # Add FIPS_mode() compatibility macro
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ include/openssl/fips.h | 26 ++++++++++++++++++++++++++
+ test/property_test.c   | 14 ++++++++++++++
+ 2 files changed, 40 insertions(+)
+ create mode 100644 include/openssl/fips.h
+
+diff --git a/include/openssl/fips.h b/include/openssl/fips.h
+new file mode 100644
+index 0000000000..4162cbf88e
+--- /dev/null
++++ b/include/openssl/fips.h
+@@ -0,0 +1,26 @@
++/*
++ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the Apache License 2.0 (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#ifndef OPENSSL_FIPS_H
++# define OPENSSL_FIPS_H
++# pragma once
++
++# include <openssl/evp.h>
++# include <openssl/macros.h>
++
++# ifdef __cplusplus
++extern "C" {
++# endif
++
++# define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL)
++
++# ifdef __cplusplus
++}
++# endif
++#endif
+diff --git a/test/property_test.c b/test/property_test.c
+index 18f8cc8740..6864b1a3c1 100644
+--- a/test/property_test.c
++++ b/test/property_test.c
+@@ -687,6 +687,19 @@ static int test_property_list_to_string(int i)
+     return ret;
+ }
+ 
++#include <openssl/fips.h>
++static int test_downstream_FIPS_mode(void)
++{
++    int ret = 0;
++
++    ret = TEST_true(EVP_set_default_properties(NULL, "fips=yes"))
++          && TEST_true(FIPS_mode())
++          && TEST_true(EVP_set_default_properties(NULL, "fips=no"))
++          && TEST_false(FIPS_mode());
++
++    return ret;
++}
++
+ int setup_tests(void)
+ {
+     ADD_TEST(test_property_string);
+@@ -700,6 +713,7 @@ int setup_tests(void)
+     ADD_TEST(test_property);
+     ADD_TEST(test_query_cache_stochastic);
+     ADD_TEST(test_fips_mode);
++    ADD_TEST(test_downstream_FIPS_mode);
+     ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests));
+     return 1;
+ }
+-- 
+2.50.0
+

0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch

@@ -0,0 +1,92 @@
+From 15d44a4f1365532f8ebdf24a69c9da7220d5c704 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:15 +0100
+Subject: [PATCH 08/53] RH: Add Kernel FIPS mode flag support - FIXSTYLE
+
+Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch
+Patch-id: 9
+Patch-status: |
+    # # Add check to see if fips flag is enabled in kernel
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ crypto/context.c            | 35 +++++++++++++++++++++++++++++++++++
+ include/internal/provider.h |  3 +++
+ 2 files changed, 38 insertions(+)
+
+diff --git a/crypto/context.c b/crypto/context.c
+index f15bc3d755..614c8a2c88 100644
+--- a/crypto/context.c
++++ b/crypto/context.c
+@@ -7,6 +7,7 @@
+  * https://www.openssl.org/source/license.html
+  */
+ 
++#define _GNU_SOURCE /* needed for secure_getenv */
+ #include "crypto/cryptlib.h"
+ #include <openssl/conf.h>
+ #include <openssl/trace.h>
+@@ -19,6 +20,38 @@
+ #include "crypto/decoder.h"
+ #include "crypto/context.h"
+ 
++# include <sys/types.h>
++# include <sys/stat.h>
++# include <fcntl.h>
++# include <unistd.h>
++# include <openssl/evp.h>
++
++# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
++
++static int kernel_fips_flag;
++
++static void read_kernel_fips_flag(void)
++{
++    char buf[2] = "0";
++    int fd;
++
++    if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
++        buf[0] = '1';
++    } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
++        while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
++        close(fd);
++    }
++
++    if (buf[0] == '1') {
++        kernel_fips_flag = 1;
++    }
++}
++
++int ossl_get_kernel_fips_flag()
++{
++    return kernel_fips_flag;
++}
++
+ struct ossl_lib_ctx_st {
+     CRYPTO_RWLOCK *lock;
+     OSSL_EX_DATA_GLOBAL global;
+@@ -393,6 +426,8 @@ static int default_context_inited = 0;
+ 
+ DEFINE_RUN_ONCE_STATIC(default_context_do_init)
+ {
++    read_kernel_fips_flag();
++
+     if (!CRYPTO_THREAD_init_local(&default_context_thread_local, NULL))
+         goto err;
+ 
+diff --git a/include/internal/provider.h b/include/internal/provider.h
+index 7d94346155..c0f1d00da9 100644
+--- a/include/internal/provider.h
++++ b/include/internal/provider.h
+@@ -114,6 +114,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx,
+                                 const OSSL_DISPATCH *in);
+ void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx);
+ 
++/* FIPS flag access */
++int ossl_get_kernel_fips_flag(void);
++
+ # ifdef __cplusplus
+ }
+ # endif
+-- 
+2.50.0
+

0010-RH-Disable-explicit-ec-curves.patch

@@ -0,0 +1,244 @@
+From 6a2b78bca595435fcbf72d7b2c8bec004d555016 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:15 +0100
+Subject: [PATCH 10/53] RH: Disable explicit ec curves
+
+Patch-name: 0012-Disable-explicit-ec.patch
+Patch-id: 12
+Patch-status: |
+    # # Disable explicit EC curves
+    # # https://bugzilla.redhat.com/show_bug.cgi?id=2066412
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ crypto/ec/ec_asn1.c                           | 11 ++++++++++
+ crypto/ec/ec_lib.c                            |  8 ++++++-
+ test/ectest.c                                 | 22 ++++++++++---------
+ test/endecode_test.c                          | 20 ++++++++---------
+ .../30-test_evp_data/evppkey_ecdsa.txt        | 12 ----------
+ 5 files changed, 40 insertions(+), 33 deletions(-)
+
+diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
+index 643d2d8d7b..5895606176 100644
+--- a/crypto/ec/ec_asn1.c
++++ b/crypto/ec/ec_asn1.c
+@@ -901,6 +901,12 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len)
+     if (params->type == ECPKPARAMETERS_TYPE_EXPLICIT)
+         group->decoded_from_explicit_params = 1;
+ 
++    if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) {
++        EC_GROUP_free(group);
++        ECPKPARAMETERS_free(params);
++        return NULL;
++    }
++
+     if (a) {
+         EC_GROUP_free(*a);
+         *a = group;
+@@ -960,6 +966,11 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
+         goto err;
+     }
+ 
++    if (EC_GROUP_check_named_curve(ret->group, 0, NULL) == NID_undef) {
++        ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP);
++        goto err;
++    }
++
+     ret->version = priv_key->version;
+ 
+     if (priv_key->privateKey) {
+diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
+index b55677fb1f..1df40018ac 100644
+--- a/crypto/ec/ec_lib.c
++++ b/crypto/ec/ec_lib.c
+@@ -1554,7 +1554,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
+     int is_prime_field = 1;
+     BN_CTX *bnctx = NULL;
+     const unsigned char *buf = NULL;
+-    int encoding_flag = -1;
++    /* int encoding_flag = -1; */
+ #endif
+ 
+     /* This is the simple named group case */
+@@ -1728,6 +1728,11 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
+         goto err;
+     }
+     if (named_group == group) {
++        if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) {
++            ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP);
++            goto err;
++        }
++#if 0
+         /*
+          * If we did not find a named group then the encoding should be explicit
+          * if it was specified
+@@ -1743,6 +1748,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
+             goto err;
+         }
+         EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);
++#endif
+     } else {
+         EC_GROUP_free(group);
+         group = named_group;
+diff --git a/test/ectest.c b/test/ectest.c
+index b852381924..6eac5de4fa 100644
+--- a/test/ectest.c
++++ b/test/ectest.c
+@@ -2413,10 +2413,11 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
+     if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
+         || !TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL))
+         || !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0)
+-        || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkeyparam,
++        || !TEST_int_le(EVP_PKEY_fromdata(pctx, &pkeyparam,
+                                           EVP_PKEY_KEY_PARAMETERS, params), 0))
+         goto err;
+-
++/* As creating the key should fail, the rest of the test is pointless */
++# if 0
+     /*- Check that all the set values are retrievable -*/
+ 
+     /* There should be no match to a group name since the generator changed */
+@@ -2545,6 +2546,7 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
+ #endif
+         )
+         goto err;
++#endif
+     ret = 1;
+ err:
+     BN_free(order_out);
+@@ -2826,21 +2828,21 @@ static int custom_params_test(int id)
+ 
+     /* Compute keyexchange in both directions */
+     if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL))
+-            || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1)
+-            || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
++            || !TEST_int_le(EVP_PKEY_derive_init(pctx1), 0)
++/*          || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
+             || !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &sslen), 1)
+             || !TEST_int_gt(bsize, sslen)
+-            || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1))
++            || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1)*/)
+         goto err;
+     if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new(pkey2, NULL))
+-            || !TEST_int_eq(EVP_PKEY_derive_init(pctx2), 1)
+-            || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)
++            || !TEST_int_le(EVP_PKEY_derive_init(pctx2), 1)
++/*          || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)
+             || !TEST_int_eq(EVP_PKEY_derive(pctx2, NULL, &t), 1)
+             || !TEST_int_gt(bsize, t)
+             || !TEST_int_le(sslen, t)
+-            || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1))
++            || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1) */)
+         goto err;
+-
++#if 0
+     /* Both sides should expect the same shared secret */
+     if (!TEST_mem_eq(buf1, sslen, buf2, t))
+         goto err;
+@@ -2893,7 +2895,7 @@ static int custom_params_test(int id)
+             /* compare with previous result */
+             || !TEST_mem_eq(buf1, t, buf2, sslen))
+         goto err;
+-
++#endif
+     ret = 1;
+ 
+  err:
+diff --git a/test/endecode_test.c b/test/endecode_test.c
+index 028deb4ed1..85c84f6592 100644
+--- a/test/endecode_test.c
++++ b/test/endecode_test.c
+@@ -63,7 +63,7 @@ static BN_CTX *bnctx = NULL;
+ static OSSL_PARAM_BLD *bld_prime_nc = NULL;
+ static OSSL_PARAM_BLD *bld_prime = NULL;
+ static OSSL_PARAM *ec_explicit_prime_params_nc = NULL;
+-static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL;
++/*static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL;*/
+ 
+ # ifndef OPENSSL_NO_EC2M
+ static OSSL_PARAM_BLD *bld_tri_nc = NULL;
+@@ -1027,9 +1027,9 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC")
+ DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
+ IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC", 1)
+ IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve, "EC")
+-DOMAIN_KEYS(ECExplicitPrime2G);
+-IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)
+-IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")
++/*DOMAIN_KEYS(ECExplicitPrime2G);*/
++/*IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)*/
++/*IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")*/
+ # ifndef OPENSSL_NO_EC2M
+ DOMAIN_KEYS(ECExplicitTriNamedCurve);
+ IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC", 1)
+@@ -1445,7 +1445,7 @@ int setup_tests(void)
+         || !create_ec_explicit_prime_params_namedcurve(bld_prime_nc)
+         || !create_ec_explicit_prime_params(bld_prime)
+         || !TEST_ptr(ec_explicit_prime_params_nc = OSSL_PARAM_BLD_to_param(bld_prime_nc))
+-        || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))
++/*        || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))*/
+ # ifndef OPENSSL_NO_EC2M
+         || !TEST_ptr(bld_tri_nc = OSSL_PARAM_BLD_new())
+         || !TEST_ptr(bld_tri = OSSL_PARAM_BLD_new())
+@@ -1473,7 +1473,7 @@ int setup_tests(void)
+     TEST_info("Generating EC keys...");
+     MAKE_DOMAIN_KEYS(EC, "EC", EC_params);
+     MAKE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve, "EC", ec_explicit_prime_params_nc);
+-    MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);
++/*    MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);*/
+ # ifndef OPENSSL_NO_EC2M
+     MAKE_DOMAIN_KEYS(ECExplicitTriNamedCurve, "EC", ec_explicit_tri_params_nc);
+     MAKE_DOMAIN_KEYS(ECExplicitTri2G, "EC", ec_explicit_tri_params_explicit);
+@@ -1553,8 +1553,8 @@ int setup_tests(void)
+         ADD_TEST_SUITE_LEGACY(EC);
+         ADD_TEST_SUITE(ECExplicitPrimeNamedCurve);
+         ADD_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve);
+-        ADD_TEST_SUITE(ECExplicitPrime2G);
+-        ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);
++/*        ADD_TEST_SUITE(ECExplicitPrime2G);*/
++/*        ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);*/
+ # ifndef OPENSSL_NO_EC2M
+         ADD_TEST_SUITE(ECExplicitTriNamedCurve);
+         ADD_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve);
+@@ -1631,7 +1631,7 @@ void cleanup_tests(void)
+ {
+ #ifndef OPENSSL_NO_EC
+     OSSL_PARAM_free(ec_explicit_prime_params_nc);
+-    OSSL_PARAM_free(ec_explicit_prime_params_explicit);
++/*    OSSL_PARAM_free(ec_explicit_prime_params_explicit);*/
+     OSSL_PARAM_BLD_free(bld_prime_nc);
+     OSSL_PARAM_BLD_free(bld_prime);
+ # ifndef OPENSSL_NO_EC2M
+@@ -1653,7 +1653,7 @@ void cleanup_tests(void)
+ #ifndef OPENSSL_NO_EC
+     FREE_DOMAIN_KEYS(EC);
+     FREE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
+-    FREE_DOMAIN_KEYS(ECExplicitPrime2G);
++/*    FREE_DOMAIN_KEYS(ECExplicitPrime2G);*/
+ # ifndef OPENSSL_NO_EC2M
+     FREE_DOMAIN_KEYS(ECExplicitTriNamedCurve);
+     FREE_DOMAIN_KEYS(ECExplicitTri2G);
+diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+index 54b143bead..06ec905be0 100644
+--- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
++++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+@@ -133,18 +133,6 @@ AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgiUTxtr5vLVjj
+ 3ev1gTwRBduzqqlwd54AUSgI+pjttW8zrWNitO8H1sf59MPWOESKxNtZ1+Nl
+ -----END PRIVATE KEY-----
+ 
+-PrivateKey = EC_EXPLICIT
+------BEGIN PRIVATE KEY-----
+-MIIBeQIBADCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAAB
+-AAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA
+-///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMV
+-AMSdNgiG5wSTamZ44ROdJreBn36QBEEE5JcIvn36opqjEm/k59Al40rBAxWM2TPG
+-l0L13Je51zHpfXQ9Z2o7IQicMXP4wSfJ0qCgg2bgydqoxlYrlLGuVQIhAP////8A
+-AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgec92jwduadCk
+-OjoNRI+YT5Be5TkzZXzYCyTLkMOikDmhRANCAATtECEhQbLEaiUj/Wu0qjcr81lL
+-46dx5zYgArz/iaSNJ3W80oO+F7v04jlQ7wxQzg96R0bwKiMeq5CcW9ZFt6xg
+------END PRIVATE KEY-----
+-
+ PrivateKey = B-163
+ -----BEGIN PRIVATE KEY-----
+ MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K
+-- 
+2.50.0
+

0011-RH-skipped-tests-EC-curves.patch

@@ -0,0 +1,82 @@
+From 60e56b8d5d031a7169aa4ad07b13bca15faf345b Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:15 +0100
+Subject: [PATCH 11/53] RH: skipped tests EC curves
+
+Patch-name: 0013-skipped-tests-EC-curves.patch
+Patch-id: 13
+Patch-status: |
+    # # Skipped tests from former 0011-Remove-EC-curves.patch
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ test/recipes/15-test_ec.t                            |  2 +-
+ .../30-test_evp_data/evppkey_ecdsa_sigalg.txt        | 12 ------------
+ test/recipes/65-test_cmp_protect.t                   |  2 +-
+ test/recipes/65-test_cmp_vfy.t                       |  2 +-
+ 4 files changed, 3 insertions(+), 15 deletions(-)
+
+diff --git a/test/recipes/15-test_ec.t b/test/recipes/15-test_ec.t
+index c953fad9f1..906769a12e 100644
+--- a/test/recipes/15-test_ec.t
++++ b/test/recipes/15-test_ec.t
+@@ -94,7 +94,7 @@ SKIP: {
+ 
+ subtest 'Check loading of fips and non-fips keys' => sub {
+     plan skip_all => "FIPS is disabled"
+-        if $no_fips;
++        if 1; #Red Hat specific, original value is $no_fips;
+ 
+     plan tests => 2;
+ 
+diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt
+index 7c339c272b..0ff482e4e8 100644
+--- a/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt
++++ b/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt
+@@ -132,18 +132,6 @@ AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgiUTxtr5vLVjj
+ 3ev1gTwRBduzqqlwd54AUSgI+pjttW8zrWNitO8H1sf59MPWOESKxNtZ1+Nl
+ -----END PRIVATE KEY-----
+ 
+-PrivateKey = EC_EXPLICIT
+------BEGIN PRIVATE KEY-----
+-MIIBeQIBADCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAAB
+-AAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA
+-///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMV
+-AMSdNgiG5wSTamZ44ROdJreBn36QBEEE5JcIvn36opqjEm/k59Al40rBAxWM2TPG
+-l0L13Je51zHpfXQ9Z2o7IQicMXP4wSfJ0qCgg2bgydqoxlYrlLGuVQIhAP////8A
+-AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgec92jwduadCk
+-OjoNRI+YT5Be5TkzZXzYCyTLkMOikDmhRANCAATtECEhQbLEaiUj/Wu0qjcr81lL
+-46dx5zYgArz/iaSNJ3W80oO+F7v04jlQ7wxQzg96R0bwKiMeq5CcW9ZFt6xg
+------END PRIVATE KEY-----
+-
+ PrivateKey = B-163
+ -----BEGIN PRIVATE KEY-----
+ MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K
+diff --git a/test/recipes/65-test_cmp_protect.t b/test/recipes/65-test_cmp_protect.t
+index 92c91d8b88..294491fff4 100644
+--- a/test/recipes/65-test_cmp_protect.t
++++ b/test/recipes/65-test_cmp_protect.t
+@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build"
+ plan skip_all => "This test is not supported in a shared library build on Windows"
+     if $^O eq 'MSWin32' && !disabled("shared");
+ 
+-plan tests => 2 + ($no_fips ? 0 : 1); #fips test
++plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test
+ 
+ my @basic_cmd = ("cmp_protect_test",
+                  data_file("prot_RSA.pem"),
+diff --git a/test/recipes/65-test_cmp_vfy.t b/test/recipes/65-test_cmp_vfy.t
+index f722800e27..26a01786bb 100644
+--- a/test/recipes/65-test_cmp_vfy.t
++++ b/test/recipes/65-test_cmp_vfy.t
+@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build"
+ plan skip_all => "This test is not supported in a no-ec build"
+     if disabled("ec");
+ 
+-plan tests => 2 + ($no_fips ? 0 : 1); #fips test
++plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test
+ 
+ my @basic_cmd = ("cmp_vfy_test",
+                  data_file("server.crt"),     data_file("client.crt"),
+-- 
+2.50.0
+

0012-RH-skip-quic-pairwise.patch

@@ -0,0 +1,86 @@
+From e15f0731f753c279a555c6d5d588dbac8dd3f1e4 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Thu, 7 Mar 2024 17:37:09 +0100
+Subject: [PATCH 12/53] RH: skip quic pairwise
+
+Patch-name: 0115-skip-quic-pairwise.patch
+Patch-id: 115
+Patch-status: |
+    # skip quic and pairwise tests temporarily
+---
+ test/quicapitest.c                     |  4 +++-
+ test/recipes/01-test_symbol_presence.t |  1 +
+ test/recipes/30-test_pairwise_fail.t   | 10 ++++++++--
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/test/quicapitest.c b/test/quicapitest.c
+index b98a940553..3d946ae93c 100644
+--- a/test/quicapitest.c
++++ b/test/quicapitest.c
+@@ -2937,7 +2937,9 @@ int setup_tests(void)
+     ADD_TEST(test_cipher_find);
+     ADD_TEST(test_version);
+ #if defined(DO_SSL_TRACE_TEST)
+-    ADD_TEST(test_ssl_trace);
++    if (is_fips == 0) {
++        ADD_TEST(test_ssl_trace);
++    }
+ #endif
+     ADD_TEST(test_quic_forbidden_apis_ctx);
+     ADD_TEST(test_quic_forbidden_apis);
+diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t
+index 222b1886ae..7e2f65cccb 100644
+--- a/test/recipes/01-test_symbol_presence.t
++++ b/test/recipes/01-test_symbol_presence.t
+@@ -185,6 +185,7 @@ foreach (sort keys %stlibname) {
+     }
+ }
+ my @duplicates = sort grep { $symbols{$_} > 1 } keys %symbols;
++@duplicates = grep {($_ ne "OPENSSL_ia32cap_P") && ($_ ne "EVP_CIPHER_CTX_dup") && ($_ ne "EVP_MD_CTX_dup") } @duplicates;
+ if (@duplicates) {
+     note "Duplicates:";
+     note join('\n', @duplicates);
+diff --git a/test/recipes/30-test_pairwise_fail.t b/test/recipes/30-test_pairwise_fail.t
+index eaf0dbbb42..21864ad319 100644
+--- a/test/recipes/30-test_pairwise_fail.t
++++ b/test/recipes/30-test_pairwise_fail.t
+@@ -9,7 +9,7 @@
+ use strict;
+ use warnings;
+ 
+-use OpenSSL::Test qw(:DEFAULT bldtop_dir srctop_file srctop_dir data_file);
++use OpenSSL::Test qw(:DEFAULT bldtop_dir srctop_file srctop_dir data_file with);
+ use OpenSSL::Test::Utils;
+ 
+ BEGIN {
+@@ -39,20 +39,26 @@ SKIP: {
+ SKIP: {
+     skip "Skip EC test because of no ec in this build", 2
+         if disabled("ec");
++    with({ exit_checker => sub {my $val = shift; return $val == 134; } },
++    sub {
+     ok(run(test(["pairwise_fail_test", "-config", $provconf,
+                  "-pairwise", "ec"])),
+        "fips provider ec keygen pairwise failure test");
++    });
+ 
+     skip "FIPS provider version is too old", 1
+         if !$fips_exit;
++    with({ exit_checker => sub {my $val = shift; return $val == 134; } },
++    sub {
+     ok(run(test(["pairwise_fail_test", "-config", $provconf,
+                  "-pairwise", "eckat"])),
+        "fips provider ec keygen kat failure test");
++    });
+ }
+ 
+ SKIP: {
+     skip "Skip DSA tests because of no dsa in this build", 2
+-        if disabled("dsa");
++        if 1; #if disabled("dsa");
+     ok(run(test(["pairwise_fail_test", "-config", $provconf,
+                  "-pairwise", "dsa", "-dsaparam", data_file("dsaparam.pem")])),
+        "fips provider dsa keygen pairwise failure test");
+-- 
+2.50.0
+

0013-RH-version-aliasing.patch

@@ -0,0 +1,83 @@
+From 293b5d1bca91e400a9042cc181d17b7facbed71c Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:17 +0100
+Subject: [PATCH 13/53] RH: version aliasing
+
+Patch-name: 0116-version-aliasing.patch
+Patch-id: 116
+Patch-status: |
+    # Add version aliasing due to
+    # https://github.com/openssl/openssl/issues/23534
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ crypto/evp/digest.c                    | 7 ++++++-
+ crypto/evp/evp_enc.c                   | 7 ++++++-
+ test/recipes/01-test_symbol_presence.t | 1 +
+ util/libcrypto.num                     | 2 ++
+ 4 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
+index 6fc201bcfe..3c80b9dfe1 100644
+--- a/crypto/evp/digest.c
++++ b/crypto/evp/digest.c
+@@ -572,7 +572,12 @@ int EVP_DigestSqueeze(EVP_MD_CTX *ctx, unsigned char *md, size_t size)
+     return ctx->digest->dsqueeze(ctx->algctx, md, &size, size);
+ }
+ 
+-EVP_MD_CTX *EVP_MD_CTX_dup(const EVP_MD_CTX *in)
++EVP_MD_CTX
++#if !defined(FIPS_MODULE)
++__attribute__ ((symver ("EVP_MD_CTX_dup@@OPENSSL_3.1.0"),
++                    symver ("EVP_MD_CTX_dup@OPENSSL_3.2.0")))
++#endif
++*EVP_MD_CTX_dup(const EVP_MD_CTX *in)
+ {
+     EVP_MD_CTX *out = EVP_MD_CTX_new();
+ 
+diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
+index eee00a0780..7c51786515 100644
+--- a/crypto/evp/evp_enc.c
++++ b/crypto/evp/evp_enc.c
+@@ -1762,7 +1762,12 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
+ #endif /* FIPS_MODULE */
+ }
+ 
+-EVP_CIPHER_CTX *EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in)
++EVP_CIPHER_CTX
++#if !defined(FIPS_MODULE)
++__attribute__ ((symver ("EVP_CIPHER_CTX_dup@@OPENSSL_3.1.0"),
++                    symver ("EVP_CIPHER_CTX_dup@OPENSSL_3.2.0")))
++#endif
++*EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in)
+ {
+     EVP_CIPHER_CTX *out = EVP_CIPHER_CTX_new();
+ 
+diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t
+index 7e2f65cccb..cc947d4821 100644
+--- a/test/recipes/01-test_symbol_presence.t
++++ b/test/recipes/01-test_symbol_presence.t
+@@ -131,6 +131,7 @@ foreach (sort keys %stlibname) {
+                   s| .*||;
+                   # Drop OpenSSL dynamic version information if there is any
+                   s|\@\@.+$||;
++                  s|\@.+$||;
+                   # Return the result
+                   $_
+               }
+diff --git a/util/libcrypto.num b/util/libcrypto.num
+index ceb4948839..eab3987a6b 100644
+--- a/util/libcrypto.num
++++ b/util/libcrypto.num
+@@ -5435,7 +5435,9 @@ X509_PUBKEY_set0_public_key             5562	3_2_0	EXIST::FUNCTION:
+ OSSL_STACK_OF_X509_free                 5563	3_2_0	EXIST::FUNCTION:
+ OSSL_trace_string                       5564	3_2_0	EXIST::FUNCTION:
+ EVP_MD_CTX_dup                          5565	3_2_0	EXIST::FUNCTION:
++EVP_MD_CTX_dup                          ?	    3_1_0	EXIST::FUNCTION:
+ EVP_CIPHER_CTX_dup                      5566	3_2_0	EXIST::FUNCTION:
++EVP_CIPHER_CTX_dup                      ?    	3_1_0	EXIST::FUNCTION:
+ BN_signed_bin2bn                        5567	3_2_0	EXIST::FUNCTION:
+ BN_signed_bn2bin                        5568	3_2_0	EXIST::FUNCTION:
+ BN_signed_lebin2bn                      5569	3_2_0	EXIST::FUNCTION:
+-- 
+2.50.0
+

0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch

@@ -0,0 +1,108 @@
+From f267ed139ac29efc6d464827024eafb805f06ea2 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 13 Feb 2025 16:09:09 -0500
+Subject: [PATCH 14/53] RH: Export two symbols for OPENSSL_str[n]casecmp
+
+We accidentally exported the symbols with the incorrect verison number
+in an early version of RHEL-9 so we need to keep the wrong symbols for
+ABI backwards compatibility and the correct symbols to be compatible
+with upstream.
+---
+ crypto/evp/digest.c                    |  2 +-
+ crypto/evp/evp_enc.c                   |  2 +-
+ crypto/o_str.c                         | 14 ++++++++++++--
+ test/recipes/01-test_symbol_presence.t |  2 +-
+ util/libcrypto.num                     |  2 ++
+ 5 files changed, 17 insertions(+), 5 deletions(-)
+ mode change 100644 => 100755 test/recipes/01-test_symbol_presence.t
+
+diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
+index 3c80b9dfe1..8ee9db73dd 100644
+--- a/crypto/evp/digest.c
++++ b/crypto/evp/digest.c
+@@ -573,7 +573,7 @@ int EVP_DigestSqueeze(EVP_MD_CTX *ctx, unsigned char *md, size_t size)
+ }
+ 
+ EVP_MD_CTX
+-#if !defined(FIPS_MODULE)
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
+ __attribute__ ((symver ("EVP_MD_CTX_dup@@OPENSSL_3.1.0"),
+                     symver ("EVP_MD_CTX_dup@OPENSSL_3.2.0")))
+ #endif
+diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
+index 7c51786515..619cf4f385 100644
+--- a/crypto/evp/evp_enc.c
++++ b/crypto/evp/evp_enc.c
+@@ -1763,7 +1763,7 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
+ }
+ 
+ EVP_CIPHER_CTX
+-#if !defined(FIPS_MODULE)
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
+ __attribute__ ((symver ("EVP_CIPHER_CTX_dup@@OPENSSL_3.1.0"),
+                     symver ("EVP_CIPHER_CTX_dup@OPENSSL_3.2.0")))
+ #endif
+diff --git a/crypto/o_str.c b/crypto/o_str.c
+index 93af73561f..86442a939e 100644
+--- a/crypto/o_str.c
++++ b/crypto/o_str.c
+@@ -403,7 +403,12 @@ int openssl_strerror_r(int errnum, char *buf, size_t buflen)
+ #endif
+ }
+ 
+-int OPENSSL_strcasecmp(const char *s1, const char *s2)
++int
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
++__attribute__ ((symver ("OPENSSL_strcasecmp@@OPENSSL_3.0.3"),
++                    symver ("OPENSSL_strcasecmp@OPENSSL_3.0.1")))
++#endif
++OPENSSL_strcasecmp(const char *s1, const char *s2)
+ {
+     int t;
+ 
+@@ -413,7 +418,12 @@ int OPENSSL_strcasecmp(const char *s1, const char *s2)
+     return t;
+ }
+ 
+-int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n)
++int
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
++__attribute__ ((symver ("OPENSSL_strncasecmp@@OPENSSL_3.0.3"),
++                    symver ("OPENSSL_strncasecmp@OPENSSL_3.0.1")))
++#endif
++OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n)
+ {
+     int t;
+     size_t i;
+diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t
+old mode 100644
+new mode 100755
+index cc947d4821..de2dcd90c2
+--- a/test/recipes/01-test_symbol_presence.t
++++ b/test/recipes/01-test_symbol_presence.t
+@@ -186,7 +186,7 @@ foreach (sort keys %stlibname) {
+     }
+ }
+ my @duplicates = sort grep { $symbols{$_} > 1 } keys %symbols;
+-@duplicates = grep {($_ ne "OPENSSL_ia32cap_P") && ($_ ne "EVP_CIPHER_CTX_dup") && ($_ ne "EVP_MD_CTX_dup") } @duplicates;
++@duplicates = grep {($_ ne "OPENSSL_ia32cap_P") && ($_ ne "EVP_CIPHER_CTX_dup") && ($_ ne "EVP_MD_CTX_dup") && ($_ ne "OPENSSL_strcasecmp") && ($_ ne "OPENSSL_strncasecmp")} @duplicates;
+ if (@duplicates) {
+     note "Duplicates:";
+     note join('\n', @duplicates);
+diff --git a/util/libcrypto.num b/util/libcrypto.num
+index eab3987a6b..d377d542db 100644
+--- a/util/libcrypto.num
++++ b/util/libcrypto.num
+@@ -5426,7 +5426,9 @@ ASN1_TIME_print_ex                      5553	3_0_0	EXIST::FUNCTION:
+ EVP_PKEY_get0_provider                  5554	3_0_0	EXIST::FUNCTION:
+ EVP_PKEY_CTX_get0_provider              5555	3_0_0	EXIST::FUNCTION:
+ OPENSSL_strcasecmp                      5556	3_0_3	EXIST::FUNCTION:
++OPENSSL_strcasecmp                      ?	3_0_1	EXIST::FUNCTION:
+ OPENSSL_strncasecmp                     5557	3_0_3	EXIST::FUNCTION:
++OPENSSL_strncasecmp                     ? 	3_0_1	EXIST::FUNCTION:
+ EVP_RAND_CTX_up_ref                     5558	3_1_0	EXIST::FUNCTION:
+ RAND_set0_public                        5559	3_1_0	EXIST::FUNCTION:
+ RAND_set0_private                       5560	3_1_0	EXIST::FUNCTION:
+-- 
+2.50.0
+

0015-RH-TMP-KTLS-test-skip.patch

@@ -0,0 +1,30 @@
+From 4badd5b30b1caec6c4fd3875cd4c5313ba6095b1 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 13 Feb 2025 18:11:19 -0500
+Subject: [PATCH 15/53] RH: TMP KTLS test skip
+
+From-dist-git-commit: 83382cc2a09dfcc55d5740fd08fd95c2333a56c9
+---
+ test/sslapitest.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/test/sslapitest.c b/test/sslapitest.c
+index b83dd6c552..250a439137 100644
+--- a/test/sslapitest.c
++++ b/test/sslapitest.c
+@@ -1023,9 +1023,10 @@ static int execute_test_large_message(const SSL_METHOD *smeth,
+ /* sock must be connected */
+ static int ktls_chk_platform(int sock)
+ {
+-    if (!ktls_enable(sock))
++/*    if (!ktls_enable(sock))
+         return 0;
+-    return 1;
++    return 1; */
++    return 0;
+ }
+ 
+ static int ping_pong_query(SSL *clientssl, SSL *serverssl)
+-- 
+2.50.0
+

0016-RH-Allow-disabling-of-SHA1-signatures.patch

@@ -0,0 +1,490 @@
+From 3e6196d5791ce3443f54a379a5fd679c1066c76a Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 13:07:07 +0200
+Subject: [PATCH 16/53] RH: Allow disabling of SHA1 signatures
+
+Patch-name: 0049-Allow-disabling-of-SHA1-signatures.patch
+Patch-id: 49
+Patch-status: |
+    # Selectively disallow SHA1 signatures rhbz#2070977
+From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
+---
+ crypto/context.c                              | 70 +++++++++++++++++++
+ crypto/evp/evp_cnf.c                          | 13 ++++
+ crypto/evp/m_sigver.c                         | 14 ++++
+ crypto/evp/pmeth_lib.c                        | 15 ++++
+ doc/man5/config.pod                           | 13 ++++
+ include/crypto/context.h                      |  8 +++
+ include/internal/cryptlib.h                   |  3 +-
+ include/internal/sslconf.h                    |  4 ++
+ providers/common/include/prov/securitycheck.h |  2 +
+ providers/common/securitycheck.c              | 14 ++++
+ providers/common/securitycheck_default.c      |  1 +
+ providers/implementations/signature/dsa_sig.c |  1 +
+ .../implementations/signature/ecdsa_sig.c     |  8 ++-
+ providers/implementations/signature/rsa_sig.c | 14 +++-
+ ssl/t1_lib.c                                  |  8 +++
+ util/libcrypto.num                            |  2 +
+ 16 files changed, 183 insertions(+), 7 deletions(-)
+
+diff --git a/crypto/context.c b/crypto/context.c
+index 614c8a2c88..323615e300 100644
+--- a/crypto/context.c
++++ b/crypto/context.c
+@@ -85,6 +85,8 @@ struct ossl_lib_ctx_st {
+ #endif
+     STACK_OF(SSL_COMP) *comp_methods;
+ 
++    void *legacy_digest_signatures;
++
+     int ischild;
+     int conf_diagnostics;
+ };
+@@ -119,6 +121,22 @@ int ossl_lib_ctx_is_child(OSSL_LIB_CTX *ctx)
+     return ctx->ischild;
+ }
+ 
++static void ossl_ctx_legacy_digest_signatures_free(void *vldsigs)
++{
++    OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs;
++
++    if (ldsigs != NULL) {
++        OPENSSL_free(ldsigs);
++    }
++}
++
++static void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx)
++{
++    OSSL_LEGACY_DIGEST_SIGNATURES* ldsigs = OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES));
++    ldsigs->allowed = 0;
++    return ldsigs;
++}
++
+ static void context_deinit_objs(OSSL_LIB_CTX *ctx);
+ 
+ static int context_init(OSSL_LIB_CTX *ctx)
+@@ -235,6 +253,10 @@ static int context_init(OSSL_LIB_CTX *ctx)
+         goto err;
+ #endif
+ 
++    ctx->legacy_digest_signatures = ossl_ctx_legacy_digest_signatures_new(ctx);
++    if (ctx->legacy_digest_signatures == NULL)
++        goto err;
++
+     /* Low priority. */
+ #ifndef FIPS_MODULE
+     ctx->child_provider = ossl_child_prov_ctx_new(ctx);
+@@ -382,6 +404,11 @@ static void context_deinit_objs(OSSL_LIB_CTX *ctx)
+     }
+ #endif
+ 
++    if (ctx->legacy_digest_signatures != NULL) {
++        ossl_ctx_legacy_digest_signatures_free(ctx->legacy_digest_signatures);
++        ctx->legacy_digest_signatures = NULL;
++    }
++
+     /* Low priority. */
+ #ifndef FIPS_MODULE
+     if (ctx->child_provider != NULL) {
+@@ -660,6 +687,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index)
+     case OSSL_LIB_CTX_COMP_METHODS:
+         return (void *)&ctx->comp_methods;
+ 
++    case OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX:
++        return ctx->legacy_digest_signatures;
++
+     default:
+         return NULL;
+     }
+@@ -714,3 +744,43 @@ void OSSL_LIB_CTX_set_conf_diagnostics(OSSL_LIB_CTX *libctx, int value)
+         return;
+     libctx->conf_diagnostics = value;
+ }
++
++static OSSL_LEGACY_DIGEST_SIGNATURES *ossl_ctx_legacy_digest_signatures(
++        OSSL_LIB_CTX *libctx, int loadconfig)
++{
++#ifndef FIPS_MODULE
++    if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL))
++        return NULL;
++#endif
++
++    return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX);
++}
++
++int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig)
++{
++    OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs
++        = ossl_ctx_legacy_digest_signatures(libctx, loadconfig);
++
++ #ifndef FIPS_MODULE
++     if (ossl_safe_getenv("OPENSSL_ENABLE_SHA1_SIGNATURES") != NULL)
++        /* used in tests */
++         return 1;
++ #endif
++
++    return ldsigs != NULL ? ldsigs->allowed : 0;
++}
++
++int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
++                                                  int loadconfig)
++{
++    OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs
++        = ossl_ctx_legacy_digest_signatures(libctx, loadconfig);
++
++    if (ldsigs == NULL) {
++        ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);
++        return 0;
++    }
++
++    ldsigs->allowed = allow;
++    return 1;
++}
+diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
+index 0e7fe64cf9..b9d3b6d226 100644
+--- a/crypto/evp/evp_cnf.c
++++ b/crypto/evp/evp_cnf.c
+@@ -10,6 +10,7 @@
+ #include <stdio.h>
+ #include <openssl/crypto.h>
+ #include "internal/cryptlib.h"
++#include "internal/sslconf.h"
+ #include <openssl/conf.h>
+ #include <openssl/x509.h>
+ #include <openssl/x509v3.h>
+@@ -57,6 +58,18 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf)
+                 ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
+                 return 0;
+             }
++        } else if (strcmp(oval->name, "rh-allow-sha1-signatures") == 0) {
++            int m;
++
++            /* Detailed error already reported. */
++            if (!X509V3_get_value_bool(oval, &m))
++                return 0;
++
++            if (!ossl_ctx_legacy_digest_signatures_allowed_set(
++                    NCONF_get0_libctx((CONF *)cnf), m > 0, 0)) {
++                ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
++                return 0;
++            }
+         } else {
+             ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
+                            "name=%s, value=%s", oval->name, oval->value);
+diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
+index d5df497da7..53044238a1 100644
+--- a/crypto/evp/m_sigver.c
++++ b/crypto/evp/m_sigver.c
+@@ -15,6 +15,7 @@
+ #include "internal/provider.h"
+ #include "internal/numbers.h"   /* includes SIZE_MAX */
+ #include "evp_local.h"
++#include "internal/sslconf.h"
+ 
+ static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
+ {
+@@ -253,6 +254,19 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
+     }
+ 
+     desc = signature->description != NULL ? signature->description : "";
++
++    if (ctx->reqdigest != NULL
++            && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
++            && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
++            && !EVP_PKEY_is_a(locpctx->pkey, SN_hkdf)) {
++        int mdnid = EVP_MD_nid(ctx->reqdigest);
++        if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0)
++                && (mdnid == NID_sha1 || mdnid == NID_md5_sha1)) {
++            ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
++            goto err;
++        }
++    }
++
+     if (ver) {
+         if (signature->digest_verify_init == NULL) {
+             ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_NOT_SUPPORTED,
+diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
+index 08c0d6a7b2..b936ad4447 100644
+--- a/crypto/evp/pmeth_lib.c
++++ b/crypto/evp/pmeth_lib.c
+@@ -33,6 +33,7 @@
+ #include "internal/ffc.h"
+ #include "internal/numbers.h"
+ #include "internal/provider.h"
++#include "internal/sslconf.h"
+ #include "evp_local.h"
+ 
+ #ifndef FIPS_MODULE
+@@ -963,6 +964,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
+         return -2;
+     }
+ 
++    if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)
++            && md != NULL
++            && ctx->pkey != NULL
++            && !EVP_PKEY_is_a(ctx->pkey, SN_hmac)
++            && !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf)
++            && !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) {
++        int mdnid = EVP_MD_nid(md);
++        if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
++                && !ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) {
++            ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
++            return -1;
++        }
++    }
++
+     if (fallback)
+         return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md));
+ 
+diff --git a/doc/man5/config.pod b/doc/man5/config.pod
+index 39fa468320..b994081924 100644
+--- a/doc/man5/config.pod
++++ b/doc/man5/config.pod
+@@ -315,6 +315,19 @@ Within the algorithm properties section, the following names have meaning:
+ The value may be anything that is acceptable as a property query
+ string for EVP_set_default_properties().
+ 
++=item B<rh-allow-sha1-signatures>
++
++The value is a boolean that can be B<yes> or B<no>.  If the value is not set,
++it behaves as if it was set to B<yes>.
++
++When set to B<no>, any attempt to create or verify a signature with a SHA1
++digest will fail.  To test whether your software will work with future versions
++of OpenSSL, set this option to B<no>.  This setting also affects TLS, where
++signature algorithms that use SHA1 as digest will no longer be supported if
++this option is set to B<no>.  Because TLS 1.1 or lower use MD5-SHA1 as
++pseudorandom function (PRF) to derive key material, disabling
++B<rh-allow-sha1-signatures> requires the use of TLS 1.2 or newer.
++
+ =item B<fips_mode> (deprecated)
+ 
+ The value is a boolean that can be B<yes> or B<no>.  If the value is
+diff --git a/include/crypto/context.h b/include/crypto/context.h
+index 1c181933e0..35bdfdb52d 100644
+--- a/include/crypto/context.h
++++ b/include/crypto/context.h
+@@ -48,3 +48,11 @@ void ossl_release_default_drbg_ctx(void);
+ #if defined(OPENSSL_THREADS)
+ void ossl_threads_ctx_free(void *);
+ #endif
++
++#ifndef OSSL_LEGACY_DIGEST_SIGNATURES_STRUCT
++#define OSSL_LEGACY_DIGEST_SIGNATURES_STRUCT
++typedef struct ossl_legacy_digest_signatures_st {
++    int allowed;
++} OSSL_LEGACY_DIGEST_SIGNATURES;
++#endif
++
+diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
+index da442f8a86..44a5e8a99a 100644
+--- a/include/internal/cryptlib.h
++++ b/include/internal/cryptlib.h
+@@ -120,7 +120,8 @@ typedef struct ossl_ex_data_global_st {
+ # define OSSL_LIB_CTX_DECODER_CACHE_INDEX           20
+ # define OSSL_LIB_CTX_COMP_METHODS                  21
+ # define OSSL_LIB_CTX_INDICATOR_CB_INDEX            22
+-# define OSSL_LIB_CTX_MAX_INDEXES                   22
++# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 23
++# define OSSL_LIB_CTX_MAX_INDEXES                   23
+ 
+ OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx);
+ int ossl_lib_ctx_is_default(OSSL_LIB_CTX *ctx);
+diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h
+index fd7f7e3331..05464b0655 100644
+--- a/include/internal/sslconf.h
++++ b/include/internal/sslconf.h
+@@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name, size_t *idx);
+ void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr,
+                       char **arg);
+ 
++/* Methods to support disabling all signatures with legacy digests */
++int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig);
++int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
++                                                  int loadconfig);
+ #endif
+diff --git a/providers/common/include/prov/securitycheck.h b/providers/common/include/prov/securitycheck.h
+index 29a2b7fbf8..a48cbb03d2 100644
+--- a/providers/common/include/prov/securitycheck.h
++++ b/providers/common/include/prov/securitycheck.h
+@@ -37,3 +37,5 @@ int ossl_digest_get_approved_nid(const EVP_MD *md);
+ /* Functions that have different implementations for the FIPS_MODULE */
+ int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md);
+ int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx);
++
++int rh_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int mdnid);
+diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
+index 8ef8dc2a81..79a9c48ce2 100644
+--- a/providers/common/securitycheck.c
++++ b/providers/common/securitycheck.c
+@@ -19,6 +19,7 @@
+ #include <openssl/core_names.h>
+ #include <openssl/obj_mac.h>
+ #include "prov/securitycheck.h"
++#include "internal/sslconf.h"
+ 
+ #define OSSL_FIPS_MIN_SECURITY_STRENGTH_BITS 112
+ 
+@@ -219,3 +220,16 @@ int ossl_dh_check_key(const DH *dh)
+     return (L == 2048 && (N == 224 || N == 256));
+ }
+ #endif /* OPENSSL_NO_DH */
++
++int rh_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int mdnid)
++{
++#ifndef FIPS_MODULE
++    if (!ossl_ctx_legacy_digest_signatures_allowed(libctx, 0))
++        /* SHA1 is globally disabled, check whether we want to locally allow
++         * it. */
++#endif
++        if (mdnid == NID_sha1)
++            mdnid = -1;
++
++     return mdnid;
++}
+diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
+index dd71fd91eb..9019fd2a80 100644
+--- a/providers/common/securitycheck_default.c
++++ b/providers/common/securitycheck_default.c
+@@ -15,6 +15,7 @@
+ #include <openssl/obj_mac.h>
+ #include "prov/securitycheck.h"
+ #include "internal/nelem.h"
++#include "internal/sslconf.h"
+ 
+ /* Disable the security checks in the default provider */
+ int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx)
+diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
+index c5adbf8002..52ed52482d 100644
+--- a/providers/implementations/signature/dsa_sig.c
++++ b/providers/implementations/signature/dsa_sig.c
+@@ -163,6 +163,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
+ 
+         md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
+         md_nid = ossl_digest_get_approved_nid(md);
++        md_nid = rh_digest_signatures_allowed(ctx->libctx, md_nid);
+ 
+         if (md == NULL) {
+             ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
+diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
+index 4018a772ff..04d4009ab5 100644
+--- a/providers/implementations/signature/ecdsa_sig.c
++++ b/providers/implementations/signature/ecdsa_sig.c
+@@ -197,13 +197,15 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx,
+         goto err;
+     }
+     md_nid = ossl_digest_get_approved_nid(md);
+-#ifdef FIPS_MODULE
+-    if (md_nid == NID_undef) {
++
++    md_nid = rh_digest_signatures_allowed(ctx->libctx, md_nid);
++    /* KECCAK-256 is explicitly allowed for ECDSA despite it doesn't have a NID*/
++    if (md_nid <= 0 && !(EVP_MD_is_a(md, "KECCAK-256"))) {
+         ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
+                        "digest=%s", mdname);
+         goto err;
+     }
+-#endif
++
+     /* XOF digests don't work */
+     if (EVP_MD_xof(md)) {
+         ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
+diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
+index e75b90840b..645304b951 100644
+--- a/providers/implementations/signature/rsa_sig.c
++++ b/providers/implementations/signature/rsa_sig.c
+@@ -26,6 +26,7 @@
+ #include "internal/cryptlib.h"
+ #include "internal/nelem.h"
+ #include "internal/sizes.h"
++#include "internal/sslconf.h"
+ #include "crypto/rsa.h"
+ #include "prov/providercommon.h"
+ #include "prov/implementations.h"
+@@ -34,6 +35,7 @@
+ #include "prov/securitycheck.h"
+ 
+ #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
++#define RSA_DEFAULT_DIGEST_NAME_NONLEGACY OSSL_DIGEST_NAME_SHA2_256
+ 
+ static OSSL_FUNC_signature_newctx_fn rsa_newctx;
+ static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
+@@ -387,7 +389,8 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
+             goto err;
+         }
+         md_nid = ossl_digest_rsa_sign_get_md_nid(md);
+-        if (md_nid == NID_undef) {
++        md_nid = rh_digest_signatures_allowed(ctx->libctx, md_nid);
++        if (md_nid <= 0) {
+             ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
+                            "digest=%s", mdname);
+             goto err;
+@@ -1765,8 +1768,13 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
+     prsactx->pad_mode = pad_mode;
+ 
+     if (prsactx->md == NULL && pmdname == NULL
+-        && pad_mode == RSA_PKCS1_PSS_PADDING)
+-        pmdname = RSA_DEFAULT_DIGEST_NAME;
++        && pad_mode == RSA_PKCS1_PSS_PADDING) {
++        if (ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
++            pmdname = RSA_DEFAULT_DIGEST_NAME;
++        } else {
++            pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
++        }
++    }
+ 
+     if (pmgf1mdname != NULL
+         && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index 2f71f95438..bea5cab253 100644
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
+@@ -21,6 +21,7 @@
+ #include <openssl/bn.h>
+ #include <openssl/provider.h>
+ #include <openssl/param_build.h>
++#include "internal/sslconf.h"
+ #include "internal/nelem.h"
+ #include "internal/sizes.h"
+ #include "internal/tlsgroups.h"
+@@ -2178,6 +2179,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
+     EVP_PKEY *tmpkey = EVP_PKEY_new();
+     int istls;
+     int ret = 0;
++    int ldsigs_allowed;
+ 
+     if (ctx == NULL)
+         goto err;
+@@ -2195,6 +2197,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
+         goto err;
+ 
+     ERR_set_mark();
++    ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0);
+     /* First fill cache and tls12_sigalgs list from legacy algorithm list */
+     for (i = 0, lu = sigalg_lookup_tbl;
+          i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
+@@ -2215,6 +2218,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
+             cache[i].available = 0;
+             continue;
+         }
++        if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
++                && !ldsigs_allowed) {
++            cache[i].available = 0;
++            continue;
++        }
+ 
+         if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {
+             cache[i].available = 0;
+diff --git a/util/libcrypto.num b/util/libcrypto.num
+index d377d542db..c2c55129ae 100644
+--- a/util/libcrypto.num
++++ b/util/libcrypto.num
+@@ -5928,3 +5928,5 @@ OSSL_AA_DIST_POINT_free                 6051	3_5_0	EXIST::FUNCTION:
+ OSSL_AA_DIST_POINT_new                  6052	3_5_0	EXIST::FUNCTION:
+ OSSL_AA_DIST_POINT_it                   6053	3_5_0	EXIST::FUNCTION:
+ PEM_ASN1_write_bio_ctx                  6054	3_5_0	EXIST::FUNCTION:
++ossl_ctx_legacy_digest_signatures_allowed ?	3_0_1	EXIST::FUNCTION:
++ossl_ctx_legacy_digest_signatures_allowed_set ?	3_0_1	EXIST::FUNCTION:
+-- 
+2.50.0
+

0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch

@@ -0,0 +1,34 @@
+From 7b1b68328f640d184d6ac769a07aa436b0c3f318 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Fri, 7 Mar 2025 18:12:33 -0500
+Subject: [PATCH 17/53] FIPS: Red Hat's FIPS module name and version
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ providers/fips/fipsprov.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
+index 4b9a057462..1e90f363af 100644
+--- a/providers/fips/fipsprov.c
++++ b/providers/fips/fipsprov.c
+@@ -200,13 +200,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
+                                               OSSL_LIB_CTX_FIPS_PROV_INDEX);
+ 
+     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
+-    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, FIPS_VENDOR))
++    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VENDOR))
+         return 0;
+     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
+-    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
++    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION))
+         return 0;
+     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
+-    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
++    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION))
+         return 0;
+     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
+     if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
+-- 
+2.50.0
+

0018-FIPS-disable-fipsinstall.patch

@@ -0,0 +1,870 @@
+From 4e6b86b5130552bfee64c7ecaf045ec00749ecbd Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:15 +0100
+Subject: [PATCH 18/53] FIPS: disable fipsinstall
+
+Patch-name: 0034.fipsinstall_disable.patch
+Patch-id: 34
+Patch-status: |
+    # # Comment out fipsinstall command-line utility
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ apps/fipsinstall.c                    |   3 +
+ doc/man1/openssl-fipsinstall.pod.in   | 485 +-------------------------
+ doc/man1/openssl.pod                  |   4 -
+ doc/man5/config.pod                   |   1 -
+ doc/man5/fips_config.pod              | 228 +-----------
+ doc/man7/OSSL_PROVIDER-FIPS.pod       |   1 -
+ test/recipes/00-prep_fipsmodule_cnf.t |  10 +-
+ test/recipes/01-test_fipsmodule_cnf.t |   7 +-
+ test/recipes/03-test_fipsinstall.t    |   2 +
+ 9 files changed, 22 insertions(+), 719 deletions(-)
+ mode change 100644 => 100755 test/recipes/00-prep_fipsmodule_cnf.t
+ mode change 100644 => 100755 test/recipes/01-test_fipsmodule_cnf.t
+ mode change 100644 => 100755 test/recipes/03-test_fipsinstall.t
+
+diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c
+index 0daa55a1b8..b4e29ac301 100644
+--- a/apps/fipsinstall.c
++++ b/apps/fipsinstall.c
+@@ -590,6 +590,9 @@ int fipsinstall_main(int argc, char **argv)
+     EVP_MAC *mac = NULL;
+     CONF *conf = NULL;
+ 
++    BIO_printf(bio_err, "This command is not enabled in the Red Hat Enterprise Linux OpenSSL build, please consult Red Hat documentation to learn how to enable FIPS mode\n");
++    return 1;
++
+     if ((opts = sk_OPENSSL_STRING_new_null()) == NULL)
+         goto end;
+ 
+diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in
+index 9dd4f5a49f..9a063022a9 100644
+--- a/doc/man1/openssl-fipsinstall.pod.in
++++ b/doc/man1/openssl-fipsinstall.pod.in
+@@ -8,488 +8,9 @@ openssl-fipsinstall - perform FIPS configuration installation
+ =head1 SYNOPSIS
+ 
+ B<openssl fipsinstall>
+-[B<-help>]
+-[B<-in> I<configfilename>]
+-[B<-out> I<configfilename>]
+-[B<-module> I<modulefilename>]
+-[B<-provider_name> I<providername>]
+-[B<-section_name> I<sectionname>]
+-[B<-verify>]
+-[B<-mac_name> I<macname>]
+-[B<-macopt> I<nm>:I<v>]
+-[B<-noout>]
+-[B<-quiet>]
+-[B<-pedantic>]
+-[B<-no_conditional_errors>]
+-[B<-no_security_checks>]
+-[B<-hmac_key_check>]
+-[B<-kmac_key_check>]
+-[B<-ems_check>]
+-[B<-no_drbg_truncated_digests>]
+-[B<-signature_digest_check>]
+-[B<-hkdf_digest_check>]
+-[B<-tls13_kdf_digest_check>]
+-[B<-tls1_prf_digest_check>]
+-[B<-sshkdf_digest_check>]
+-[B<-sskdf_digest_check>]
+-[B<-x963kdf_digest_check>]
+-[B<-dsa_sign_disabled>]
+-[B<-no_pbkdf2_lower_bound_check>]
+-[B<-no_short_mac>]
+-[B<-tdes_encrypt_disabled>]
+-[B<-rsa_pkcs15_padding_disabled>]
+-[B<-rsa_pss_saltlen_check>]
+-[B<-rsa_sign_x931_disabled>]
+-[B<-hkdf_key_check>]
+-[B<-kbkdf_key_check>]
+-[B<-tls13_kdf_key_check>]
+-[B<-tls1_prf_key_check>]
+-[B<-sshkdf_key_check>]
+-[B<-sskdf_key_check>]
+-[B<-x963kdf_key_check>]
+-[B<-x942kdf_key_check>]
+-[B<-ecdh_cofactor_check>]
+-[B<-self_test_onload>]
+-[B<-self_test_oninstall>]
+-[B<-corrupt_desc> I<selftest_description>]
+-[B<-corrupt_type> I<selftest_type>]
+-[B<-config> I<parent_config>]
+-
+-=head1 DESCRIPTION
+-
+-This command is used to generate a FIPS module configuration file.
+-This configuration file can be used each time a FIPS module is loaded
+-in order to pass data to the FIPS module self tests. The FIPS module always
+-verifies its MAC, but optionally only needs to run the KAT's once,
+-at installation.
+-
+-The generated configuration file consists of:
+-
+-=over 4
+-
+-=item - A MAC of the FIPS module file.
+-
+-=item - A test status indicator.
+-
+-This indicates if the Known Answer Self Tests (KAT's) have successfully run.
+-
+-=item - A MAC of the status indicator.
+-
+-=item - A control for conditional self tests errors.
+-
+-By default if a continuous test (e.g a key pair test) fails then the FIPS module
+-will enter an error state, and no services or cryptographic algorithms will be
+-able to be accessed after this point.
+-The default value of '1' will cause the fips module error state to be entered.
+-If the value is '0' then the module error state will not be entered.
+-Regardless of whether the error state is entered or not, the current operation
+-(e.g. key generation) will return an error. The user is responsible for retrying
+-the operation if the module error state is not entered.
+-
+-=item - A control to indicate whether run-time security checks are done.
+-
+-This indicates if run-time checks related to enforcement of security parameters
+-such as minimum security strength of keys and approved curve names are used.
+-The default value of '1' will perform the checks.
+-If the value is '0' the checks are not performed and FIPS compliance must
+-be done by procedures documented in the relevant Security Policy.
+-
+-=back
+-
+-This file is described in L<fips_config(5)>.
+-
+-=head1 OPTIONS
+-
+-=over 4
+-
+-=item B<-help>
+-
+-Print a usage message.
+-
+-=item B<-module> I<filename>
+-
+-Filename of the FIPS module to perform an integrity check on.
+-The path provided in the filename is used to load the module when it is
+-activated, and this overrides the environment variable B<OPENSSL_MODULES>.
+-
+-=item B<-out> I<configfilename>
+-
+-Filename to output the configuration data to; the default is standard output.
+-
+-=item B<-in> I<configfilename>
+-
+-Input filename to load configuration data from.
+-Must be used if the B<-verify> option is specified.
+-
+-=item B<-verify>
+-
+-Verify that the input configuration file contains the correct information.
+-
+-=item B<-provider_name> I<providername>
+-
+-Name of the provider inside the configuration file.
+-The default value is C<fips>.
+-
+-=item B<-section_name> I<sectionname>
+-
+-Name of the section inside the configuration file.
+-The default value is C<fips_sect>.
+-
+-=item B<-mac_name> I<name>
+-
+-Specifies the name of a supported MAC algorithm which will be used.
+-The MAC mechanisms that are available will depend on the options
+-used when building OpenSSL.
+-To see the list of supported MAC's use the command
+-C<openssl list -mac-algorithms>.  The default is B<HMAC>.
+-
+-=item B<-macopt> I<nm>:I<v>
+-
+-Passes options to the MAC algorithm.
+-A comprehensive list of controls can be found in the EVP_MAC implementation
+-documentation.
+-Common control strings used for this command are:
+-
+-=over 4
+-
+-=item B<key>:I<string>
+-
+-Specifies the MAC key as an alphanumeric string (use if the key contains
+-printable characters only).
+-The string length must conform to any restrictions of the MAC algorithm.
+-A key must be specified for every MAC algorithm.
+-If no key is provided, the default that was specified when OpenSSL was
+-configured is used.
+-
+-=item B<hexkey>:I<string>
+-
+-Specifies the MAC key in hexadecimal form (two hex digits per byte).
+-The key length must conform to any restrictions of the MAC algorithm.
+-A key must be specified for every MAC algorithm.
+-If no key is provided, the default that was specified when OpenSSL was
+-configured is used.
+-
+-=item B<digest>:I<string>
+-
+-Used by HMAC as an alphanumeric string (use if the key contains printable
+-characters only).
+-The string length must conform to any restrictions of the MAC algorithm.
+-To see the list of supported digests, use the command
+-C<openssl list -digest-commands>.
+-The default digest is SHA-256.
+-
+-=back
+-
+-=item B<-noout>
+-
+-Disable logging of the self tests.
+-
+-=item B<-pedantic>
+-
+-Configure the module so that it is strictly FIPS compliant rather
+-than being backwards compatible.  This enables conditional errors,
+-security checks etc.  Note that any previous configuration options will
+-be overwritten and any subsequent configuration options that violate
+-FIPS compliance will result in an error.
+-
+-=item B<-no_conditional_errors>
+-
+-Configure the module to not enter an error state if a conditional self test
+-fails as described above.
+-
+-=item B<-no_security_checks>
+-
+-Configure the module to not perform run-time security checks as described above.
+-
+-Enabling the configuration option "no-fips-securitychecks" provides another way to
+-turn off the check at compile time.
+-
+-=item B<-ems_check>
+-
+-Configure the module to enable a run-time Extended Master Secret (EMS) check
+-when using the TLS1_PRF KDF algorithm. This check is disabled by default.
+-See RFC 7627 for information related to EMS.
+-
+-=item B<-no_short_mac>
+-
+-Configure the module to not allow short MAC outputs.
+-See SP 800-185 8.4.2 and FIPS 140-3 ID C.D for details.
+-
+-=item B<-hmac_key_check>
+-
+-Configure the module to not allow small keys sizes when using HMAC.
+-See SP 800-131Ar2 for details.
+-
+-=item B<-kmac_key_check>
+-
+-Configure the module to not allow small keys sizes when using KMAC.
+-See SP 800-131Ar2 for details.
+-
+-=item B<-no_drbg_truncated_digests>
+-
+-Configure the module to not allow truncated digests to be used with Hash and
+-HMAC DRBGs.  See FIPS 140-3 IG D.R for details.
+-
+-=item B<-signature_digest_check>
+-
+-Configure the module to enforce signature algorithms to use digests that are
+-explicitly permitted by the various standards.
+-
+-=item B<-hkdf_digest_check>
+-
+-Configure the module to enable a run-time digest check when deriving a key by
+-HKDF.
+-See NIST SP 800-56Cr2 for details.
+-
+-=item B<-tls13_kdf_digest_check>
+-
+-Configure the module to enable a run-time digest check when deriving a key by
+-TLS13 KDF.
+-See RFC 8446 for details.
+-
+-=item B<-tls1_prf_digest_check>
+-
+-Configure the module to enable a run-time digest check when deriving a key by
+-TLS_PRF.
+-See NIST SP 800-135r1 for details.
+-
+-=item B<-sshkdf_digest_check>
+-
+-Configure the module to enable a run-time digest check when deriving a key by
+-SSHKDF.
+-See NIST SP 800-135r1 for details.
+-
+-=item B<-sskdf_digest_check>
+-
+-Configure the module to enable a run-time digest check when deriving a key by
+-SSKDF.
+-See NIST SP 800-56Cr2 for details.
+-
+-=item B<-x963kdf_digest_check>
+-
+-Configure the module to enable a run-time digest check when deriving a key by
+-X963KDF.
+-See NIST SP 800-131Ar2 for details.
+-
+-=item B<-dsa_sign_disabled>
+-
+-Configure the module to not allow DSA signing (DSA signature verification is
+-still allowed). See FIPS 140-3 IG C.K for details.
+-
+-=item B<-tdes_encrypt_disabled>
+-
+-Configure the module to not allow Triple-DES encryption.
+-Triple-DES decryption is still allowed for legacy purposes.
+-See SP800-131Ar2 for details.
+-
+-=item B<-rsa_pkcs15_padding_disabled>
+-
+-Configure the module to not allow PKCS#1 version 1.5 padding to be used with
+-RSA for key transport and key agreement.  See NIST's SP 800-131A Revision 2
+-for details.
+-
+-=item B<-rsa_pss_saltlen_check>
+-
+-Configure the module to enable a run-time salt length check when generating or
+-verifying a RSA-PSS signature.
+-See FIPS 186-5 5.4 (g) for details.
+-
+-=item B<-rsa_sign_x931_disabled>
+-
+-Configure the module to not allow X9.31 padding to be used when signing with
+-RSA.  See FIPS 140-3 IG C.K for details.
+-
+-=item B<-hkdf_key_check>
+-
+-Configure the module to enable a run-time short key-derivation key check when
+-deriving a key by HKDF.
+-See NIST SP 800-131Ar2 for details.
+-
+-=item B<-kbkdf_key_check>
+-
+-Configure the module to enable a run-time short key-derivation key check when
+-deriving a key by KBKDF.
+-See NIST SP 800-131Ar2 for details.
+-
+-=item B<-tls13_kdf_key_check>
+-
+-Configure the module to enable a run-time short key-derivation key check when
+-deriving a key by TLS13 KDF.
+-See NIST SP 800-131Ar2 for details.
+-
+-=item B<-tls1_prf_key_check>
+-
+-Configure the module to enable a run-time short key-derivation key check when
+-deriving a key by TLS_PRF.
+-See NIST SP 800-131Ar2 for details.
+-
+-=item B<-sshkdf_key_check>
+-
+-Configure the module to enable a run-time short key-derivation key check when
+-deriving a key by SSHKDF.
+-See NIST SP 800-131Ar2 for details.
+-
+-=item B<-sskdf_key_check>
+-
+-Configure the module to enable a run-time short key-derivation key check when
+-deriving a key by SSKDF.
+-See NIST SP 800-131Ar2 for details.
+-
+-=item B<-x963kdf_key_check>
+-
+-Configure the module to enable a run-time short key-derivation key check when
+-deriving a key by X963KDF.
+-See NIST SP 800-131Ar2 for details.
+-
+-=item B<-x942kdf_key_check>
+-
+-Configure the module to enable a run-time short key-derivation key check when
+-deriving a key by X942KDF.
+-See NIST SP 800-131Ar2 for details.
+-
+-=item B<-no_pbkdf2_lower_bound_check>
+-
+-Configure the module to not perform run-time lower bound check for PBKDF2.
+-See NIST SP 800-132 for details.
+-
+-=item B<-ecdh_cofactor_check>
+-
+-Configure the module to enable a run-time check that ECDH uses the EC curves
+-cofactor value when deriving a key. This only affects the 'B' and 'K' curves.
+-See SP 800-56A r3 Section 5.7.1.2 for details.
+-
+-=item B<-self_test_onload>
+-
+-Do not write the two fields related to the "test status indicator" and
+-"MAC status indicator" to the output configuration file. Without these fields
+-the self tests KATS will run each time the module is loaded. This option could be
+-used for cross compiling, since the self tests need to run at least once on each
+-target machine. Once the self tests have run on the target machine the user
+-could possibly then add the 2 fields into the configuration using some other
+-mechanism.
+-This option defaults to 0 for any OpenSSL FIPS 140-2 provider (OpenSSL 3.0.X).
+-and is not relevant for an OpenSSL FIPS 140-3 provider, since this is no
+-longer allowed.
+-
+-=item B<-self_test_oninstall>
+-
+-The converse of B<-self_test_oninstall>.  The two fields related to the
+-"test status indicator" and "MAC status indicator" are written to the
+-output configuration file.
+-This field is not relevant for an OpenSSL FIPS 140-3 provider, since this is no
+-longer allowed.
+-
+-=item B<-quiet>
+-
+-Do not output pass/fail messages. Implies B<-noout>.
+-
+-=item B<-corrupt_desc> I<selftest_description>,
+-B<-corrupt_type> I<selftest_type>
+-
+-The corrupt options can be used to test failure of one or more self tests by
+-name.
+-Either option or both may be used to select the tests to corrupt.
+-Refer to the entries for B<st-desc> and B<st-type> in L<OSSL_PROVIDER-FIPS(7)> for
+-values that can be used.
+-
+-=item B<-config> I<parent_config>
+-
+-Test that a FIPS provider can be loaded from the specified configuration file.
+-A previous call to this application needs to generate the extra configuration
+-data that is included by the base C<parent_config> configuration file.
+-See L<config(5)> for further information on how to set up a provider section.
+-All other options are ignored if '-config' is used.
+-
+-=back
+-
+-=head1 NOTES
+-
+-Self tests results are logged by default if the options B<-quiet> and B<-noout>
+-are not specified, or if either of the options B<-corrupt_desc> or
+-B<-corrupt_type> are used.
+-If the base configuration file is set up to autoload the fips module, then the
+-fips module will be loaded and self tested BEFORE the fipsinstall application
+-has a chance to set up its own self test callback. As a result of this the self
+-test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignored.
+-For normal usage the base configuration file should use the default provider
+-when generating the fips configuration file.
+-
+-The B<-self_test_oninstall> option was added and the
+-B<-self_test_onload> option was made the default in OpenSSL 3.1.
+-
+-The command and all remaining options were added in OpenSSL 3.0.
+-
+-=head1 EXAMPLES
+-
+-Calculate the mac of a FIPS module F<fips.so> and run a FIPS self test
+-for the module, and save the F<fips.cnf> configuration file:
+-
+- openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips
+-
+-Verify that the configuration file F<fips.cnf> contains the correct info:
+-
+- openssl fipsinstall -module ./fips.so -in fips.cnf  -provider_name fips -verify
+-
+-Corrupt any self tests which have the description C<SHA1>:
+-
+- openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips \
+-         -corrupt_desc 'SHA1'
+-
+-Validate that the fips module can be loaded from a base configuration file:
+-
+- export OPENSSL_CONF_INCLUDE=<path of configuration files>
+- export OPENSSL_MODULES=<provider-path>
+- openssl fipsinstall -config' 'default.cnf'
+-
+-
+-=head1 SEE ALSO
+-
+-L<config(5)>,
+-L<fips_config(5)>,
+-L<OSSL_PROVIDER-FIPS(7)>,
+-L<EVP_MAC(3)>
+-
+-=head1 HISTORY
+-
+-The B<openssl-fipsinstall> application was added in OpenSSL 3.0.
+-
+-The following options were added in OpenSSL 3.1:
+-
+-B<-ems_check>,
+-B<-self_test_oninstall>
+-
+-The following options were added in OpenSSL 3.2:
+-
+-B<-pedantic>,
+-B<-no_drbg_truncated_digests>
+-
+-The following options were added in OpenSSL 3.4:
+-
+-B<-hmac_key_check>,
+-B<-kmac_key_check>,
+-B<-signature_digest_check>,
+-B<-hkdf_digest_check>,
+-B<-tls13_kdf_digest_check>,
+-B<-tls1_prf_digest_check>,
+-B<-sshkdf_digest_check>,
+-B<-sskdf_digest_check>,
+-B<-x963kdf_digest_check>,
+-B<-dsa_sign_disabled>,
+-B<-no_pbkdf2_lower_bound_check>,
+-B<-no_short_mac>,
+-B<-tdes_encrypt_disabled>,
+-B<-rsa_pkcs15_padding_disabled>,
+-B<-rsa_pss_saltlen_check>,
+-B<-rsa_sign_x931_disabled>,
+-B<-hkdf_key_check>,
+-B<-kbkdf_key_check>,
+-B<-tls13_kdf_key_check>,
+-B<-tls1_prf_key_check>,
+-B<-sshkdf_key_check>,
+-B<-sskdf_key_check>,
+-B<-x963kdf_key_check>,
+-B<-x942kdf_key_check>,
+-B<-ecdh_cofactor_check>
++This command is disabled.
++Please consult Red Hat Enterprise Linux documentation to learn how to correctly
++enable FIPS mode on Red Hat Enterprise
+ 
+ =head1 COPYRIGHT
+ 
+diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod
+index edef2ff598..0762a00d74 100644
+--- a/doc/man1/openssl.pod
++++ b/doc/man1/openssl.pod
+@@ -139,10 +139,6 @@ Engine (loadable module) information and manipulation.
+ 
+ Error Number to Error String Conversion.
+ 
+-=item B<fipsinstall>
+-
+-FIPS configuration installation.
+-
+ =item B<gendsa>
+ 
+ Generation of DSA Private Key from Parameters. Superseded by
+diff --git a/doc/man5/config.pod b/doc/man5/config.pod
+index b994081924..7a6d7fab4a 100644
+--- a/doc/man5/config.pod
++++ b/doc/man5/config.pod
+@@ -603,7 +603,6 @@ configuration files using that syntax will have to be modified.
+ =head1 SEE ALSO
+ 
+ L<openssl-x509(1)>, L<openssl-req(1)>, L<openssl-ca(1)>,
+-L<openssl-fipsinstall(1)>,
+ L<ASN1_generate_nconf(3)>,
+ L<EVP_set_default_properties(3)>,
+ L<CONF_modules_load(3)>,
+diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod
+index a25ced3383..15748c5756 100644
+--- a/doc/man5/fips_config.pod
++++ b/doc/man5/fips_config.pod
+@@ -6,230 +6,10 @@ fips_config - OpenSSL FIPS configuration
+ 
+ =head1 DESCRIPTION
+ 
+-A separate configuration file, using the OpenSSL L<config(5)> syntax,
+-is used to hold information about the FIPS module. This includes a digest
+-of the shared library file, and status about the self-testing.
+-This data is used automatically by the module itself for two
+-purposes:
+-
+-=over 4
+-
+-=item - Run the startup FIPS self-test known answer tests (KATS).
+-
+-This is normally done once, at installation time, but may also be set up to
+-run each time the module is used.
+-
+-=item - Verify the module's checksum.
+-
+-This is done each time the module is used.
+-
+-=back
+-
+-This file is generated by the L<openssl-fipsinstall(1)> program, and
+-used internally by the FIPS module during its initialization.
+-
+-The following options are supported. They should all appear in a section
+-whose name is identified by the B<fips> option in the B<providers>
+-section, as described in L<config(5)/Provider Configuration Module>.
+-
+-=over 4
+-
+-=item B<activate>
+-
+-If present, the module is activated. The value assigned to this name is not
+-significant.
+-
+-=item B<conditional-errors>
+-
+-The FIPS module normally enters an internal error mode if any self test fails.
+-Once this error mode is active, no services or cryptographic algorithms are
+-accessible from this point on.
+-Continuous tests are a subset of the self tests (e.g., a key pair test during key
+-generation, or the CRNG output test).
+-Setting this value to C<0> allows the error mode to not be triggered if any
+-continuous test fails. The default value of C<1> will trigger the error mode.
+-Regardless of the value, the operation (e.g., key generation) that called the
+-continuous test will return an error code if its continuous test fails. The
+-operation may then be retried if the error mode has not been triggered.
+-
+-=item B<module-mac>
+-
+-The calculated MAC of the FIPS provider file.
+-
+-=item B<install-version>
+-
+-A version number for the fips install process. Should be 1.
+-
+-=item B<install-status>
+-
+-An indicator that the self-tests were successfully run.
+-This should only be written after the module has
+-successfully passed its self tests during installation.
+-If this field is not present, then the self tests will run when the module
+-loads.
+-
+-=item B<install-mac>
+-
+-A MAC of the value of the B<install-status> option, to prevent accidental
+-changes to that value.
+-It is written-to at the same time as B<install-status> is updated.
+-
+-=back
+-
+-=head2 FIPS indicator options
+-
+-The following FIPS configuration options indicate if run-time checks related to
+-enforcement of FIPS security parameters such as minimum security strength of
+-keys and approved curve names are used.
+-A value of '1' will perform the checks, otherwise if the value is '0' the checks
+-are not performed and FIPS compliance must be done by procedures documented in
+-the relevant Security Policy.
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> for further information related to these
+-options.
+-
+-=over 4
+-
+-=item B<security-checks>
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> B<-no_security_checks>
+-
+-=item B<tls1-prf-ems-check>
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> B<-ems_check>
+-
+-=item B<no-short-mac>
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> B<-no_short_mac>
+-
+-=item B<drbg-no-trunc-md>
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> B<-no_drbg_truncated_digests>
+-
+-=item B<signature-digest-check>
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> B<-signature_digest_check>
+-
+-=item B<hkdf-digest-check>
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> B<-hkdf_digest_check>
+-
+-=item B<tls13-kdf-digest-check>
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> B<-tls13_kdf_digest_check>
+-
+-=item B<tls1-prf-digest-check>
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> B<-tls1_prf_digest_check>
+-
+-=item B<sshkdf-digest-check>
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> B<-sshkdf_digest_check>
+-
+-=item B<sskdf-digest-check>
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> B<-sskdf_digest_check>
+-
+-=item B<x963kdf-digest-check>
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> B<-x963kdf_digest_check>
+-
+-=item B<dsa-sign-disabled>
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> B<-dsa_sign_disabled>
+-
+-=item B<tdes-encrypt-disabled>
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> B<-tdes_encrypt_disabled>
+-
+-=item B<rsa-pkcs15-pad-disabled>
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> B<-rsa_pkcs15_pad_disabled>
+-
+-=item B<rsa-pss-saltlen-check>
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> B<-rsa_pss_saltlen_check>
+-
+-=item B<rsa-sign-x931-pad-disabled>
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> B<-rsa_sign_x931_disabled>
+-
+-=item B<hkdf-key-check>
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> B<-hkdf_key_check>
+-
+-=item B<kbkdf-key-check>
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> B<-kbkdf_key_check>
+-
+-=item B<tls13-kdf-key-check>
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> B<-tls13_kdf_key_check>
+-
+-=item B<tls1-prf-key-check>
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> B<-tls1_prf_key_check>
+-
+-=item B<sshkdf-key-check>
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> B<-sshkdf_key_check>
+-
+-=item B<sskdf-key-check>
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> B<-sskdf_key_check>
+-
+-=item B<x963kdf-key-check>
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> B<-x963kdf_key_check>
+-
+-=item B<x942kdf-key-check>
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> B<-x942kdf_key_check>
+-
+-=item B<pbkdf2-lower-bound-check>
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> B<-no_pbkdf2_lower_bound_check>
+-
+-=item B<ecdh-cofactor-check>
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> B<-ecdh_cofactor_check>
+-
+-=item B<hmac-key-check>
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> B<-hmac_key_check>
+-
+-=item B<kmac-key-check>
+-
+-See L<openssl-fipsinstall(1)/OPTIONS> B<-kmac_key_check>
+-
+-=back
+-
+-For example:
+-
+- [fips_sect]
+- activate = 1
+- install-version = 1
+- conditional-errors = 1
+- security-checks = 1
+- module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC
+- install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
+- install-status = INSTALL_SELF_TEST_KATS_RUN
+-
+-=head1 NOTES
+-
+-When using the FIPS provider, it is recommended that the
+-B<config_diagnostics> option is enabled to prevent accidental use of
+-non-FIPS validated algorithms via broken or mistaken configuration.
+-See L<config(5)>.
+-
+-=head1 SEE ALSO
+-
+-L<config(5)>
+-L<openssl-fipsinstall(1)>
+-
+-=head1 HISTORY
+-
+-This functionality was added in OpenSSL 3.0.
++This command is disabled in Red Hat Enterprise Linux. The FIPS provider is
++automatically loaded when the system is booted in FIPS mode, or when the
++environment variable B<OPENSSL_FORCE_FIPS_MODE> is set. See the documentation
++for more information.
+ 
+ =head1 COPYRIGHT
+ 
+diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod
+index 571a1e99e0..1e384a4ff3 100644
+--- a/doc/man7/OSSL_PROVIDER-FIPS.pod
++++ b/doc/man7/OSSL_PROVIDER-FIPS.pod
+@@ -588,7 +588,6 @@ process.
+ 
+ =head1 SEE ALSO
+ 
+-L<openssl-fipsinstall(1)>,
+ L<fips_config(5)>,
+ L<OSSL_SELF_TEST_set_callback(3)>,
+ L<OSSL_SELF_TEST_new(3)>,
+diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t
+old mode 100644
+new mode 100755
+index 4e3a6d85e8..48869b2568
+--- a/test/recipes/00-prep_fipsmodule_cnf.t
++++ b/test/recipes/00-prep_fipsmodule_cnf.t
+@@ -29,8 +29,10 @@ my $fipsmoduleconf = bldtop_file('test', 'fipsmodule.cnf');
+ 
+ plan tests => 1;
+ 
++ok(1 == 1);
++
+ # Create the $fipsmoduleconf file
+-ok(run(app(['openssl', 'fipsinstall', '-pedantic',
+-            '-module', $fipsmodule, '-provider_name', 'fips',
+-            '-section_name', 'fips_sect', '-out', $fipsmoduleconf])),
+-   "fips install");
++#ok(run(app(['openssl', 'fipsinstall', '-pedantic',
++#            '-module', $fipsmodule, '-provider_name', 'fips',
++#            '-section_name', 'fips_sect', '-out', $fipsmoduleconf])),
++#   "fips install");
+diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t
+old mode 100644
+new mode 100755
+index ce594817d5..4530a46dd0
+--- a/test/recipes/01-test_fipsmodule_cnf.t
++++ b/test/recipes/01-test_fipsmodule_cnf.t
+@@ -31,7 +31,8 @@ plan tests => 1;
+ my $fipsmodule = bldtop_file('providers', platform->dso('fips'));
+ my $fipsmoduleconf = bldtop_file('test', 'fipsmodule.cnf');
+ 
++ok(1 == 1)
+ # verify the $fipsconf file
+-ok(run(app(['openssl', 'fipsinstall',
+-            '-in',  $fipsmoduleconf, '-module', $fipsmodule, '-verify'])),
+-   "fipsinstall verify");
++#ok(run(app(['openssl', 'fipsinstall',
++#            '-in',  $fipsmoduleconf, '-module', $fipsmodule, '-verify'])),
++#   "fipsinstall verify");
+diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t
+old mode 100644
+new mode 100755
+index 1f9110ef60..7e80637bd5
+--- a/test/recipes/03-test_fipsinstall.t
++++ b/test/recipes/03-test_fipsinstall.t
+@@ -22,6 +22,8 @@ use lib srctop_dir('Configurations');
+ use lib bldtop_dir('.');
+ use platform;
+ 
++plan skip_all => "Fipsinstall not available in Red Hat FIPS build";
++
+ plan skip_all => "Test only supported in a fips build" if disabled("fips");
+ 
+ # Compatible options for pedantic FIPS compliance
+-- 
+2.50.0
+

0019-FIPS-Force-fips-provider-on.patch

@@ -0,0 +1,79 @@
+From a8e98667597d46e69e492779b9d5daa051f6b3b3 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:15 +0100
+Subject: [PATCH 19/53] FIPS: Force fips provider on
+
+Patch-name: 0032-Force-fips.patch
+Patch-id: 32
+Patch-status: |
+    # # We load FIPS provider and set FIPS properties implicitly
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ crypto/provider_conf.c | 30 +++++++++++++++++++++++++++++-
+ 1 file changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c
+index 9649517dd2..1e5053cbce 100644
+--- a/crypto/provider_conf.c
++++ b/crypto/provider_conf.c
+@@ -10,6 +10,8 @@
+ #include <string.h>
+ #include <openssl/trace.h>
+ #include <openssl/err.h>
++#include <openssl/evp.h>
++#include <unistd.h>
+ #include <openssl/conf.h>
+ #include <openssl/safestack.h>
+ #include <openssl/provider.h>
+@@ -237,7 +239,7 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name,
+         if (path != NULL)
+             ossl_provider_set_module_path(prov, path);
+ 
+-        ok = provider_conf_params(prov, NULL, NULL, value, cnf);
++        ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;
+ 
+         if (ok == 1) {
+             if (!ossl_provider_activate(prov, 1, 0)) {
+@@ -266,6 +268,8 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name,
+ 
+         if (ok <= 0)
+             ossl_provider_free(prov);
++    } else {
++        ok = 1;
+     }
+     CRYPTO_THREAD_unlock(pcgbl->lock);
+ 
+@@ -420,6 +424,30 @@ static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf)
+             return 0;
+     }
+ 
++    if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */
++        OSSL_LIB_CTX *libctx = NCONF_get0_libctx((CONF *)cnf);
++#  define FIPS_LOCAL_CONF           OPENSSLDIR "/fips_local.cnf"
++
++        if (access(FIPS_LOCAL_CONF, R_OK) == 0) {
++            CONF *fips_conf = NCONF_new_ex(libctx, NCONF_default());
++            if (NCONF_load(fips_conf, FIPS_LOCAL_CONF, NULL) <= 0)
++                return 0;
++
++            if (provider_conf_load(libctx, "fips", "fips_sect", fips_conf) != 1) {
++                NCONF_free(fips_conf);
++                return 0;
++            }
++            NCONF_free(fips_conf);
++        } else {
++            if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)
++                return 0;
++        }
++        if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)
++            return 0;
++        if (EVP_default_properties_enable_fips(libctx, 1) != 1)
++            return 0;
++    }
++
+     return 1;
+ }
+ 
+-- 
+2.50.0
+

0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch

@@ -0,0 +1,265 @@
+From fff4084252d07eb17e3b944c6438c00aec471c7f Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:15 +0100
+Subject: [PATCH 20/53] FIPS: INTEG-CHECK: Embed hmac in fips.so - NOTE
+
+Corrected by squashing in:
+0052-Restore-the-correct-verify_integrity-function.patch
+
+Patch-name: 0033-FIPS-embed-hmac.patch
+Patch-id: 33
+Patch-status: |
+    # # Embed HMAC into the fips.so
+    # Modify fips self test as per
+    # https://github.com/simo5/openssl/commit/9b95ef8bd2f5ac862e5eee74c724b535f1a8578a
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ providers/fips/self_test.c | 170 ++++++++++++++++++++++++++++++++++---
+ test/fipsmodule.cnf        |   2 +
+ 2 files changed, 161 insertions(+), 11 deletions(-)
+ create mode 100644 test/fipsmodule.cnf
+
+diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
+index ef7be26ca7..8b17b8ca94 100644
+--- a/providers/fips/self_test.c
++++ b/providers/fips/self_test.c
+@@ -235,13 +235,137 @@ err:
+     return ok;
+ }
+ 
++#define HMAC_LEN 32
++/*
++ * The __attribute__ ensures we've created the .rodata1 section
++ * static ensures it's zero filled
++*/
++static const unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0};
++
+ /*
+  * Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify
+  * the result matches the expected value.
+  * Return 1 if verified, or 0 if it fails.
+  */
++
++#ifndef __USE_GNU
++#define __USE_GNU
++#include <dlfcn.h>
++#undef __USE_GNU
++#else
++#include <dlfcn.h>
++#endif
++#include <link.h>
++
++static int verify_integrity_rodata(OSSL_CORE_BIO *bio,
++                                   OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
++                                   const unsigned char *expected,
++                                   size_t expected_len, OSSL_LIB_CTX *libctx,
++                                   OSSL_SELF_TEST *ev, const char *event_type)
++{
++    int ret = 0, status;
++    unsigned char out[MAX_MD_SIZE];
++    unsigned char buf[INTEGRITY_BUF_SIZE];
++    size_t bytes_read = 0, out_len = 0;
++    EVP_MAC *mac = NULL;
++    EVP_MAC_CTX *ctx = NULL;
++    OSSL_PARAM params[2], *p = params;
++    Dl_info info;
++    void *extra_info = NULL;
++    struct link_map *lm = NULL;
++    unsigned long paddr;
++    unsigned long off = 0;
++
++    if (expected_len != HMAC_LEN)
++        goto err;
++
++    if (!integrity_self_test(ev, libctx))
++        goto err;
++
++    OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
++
++    if (!dladdr1 ((const void *)fips_hmac_container,
++                &info, &extra_info, RTLD_DL_LINKMAP))
++        goto err;
++    lm = extra_info;
++    paddr = (unsigned long)fips_hmac_container - lm->l_addr;
++
++    mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
++    if (mac == NULL)
++        goto err;
++    ctx = EVP_MAC_CTX_new(mac);
++    if (ctx == NULL)
++        goto err;
++
++    *p++ = OSSL_PARAM_construct_utf8_string("digest", DIGEST_NAME, 0);
++    *p = OSSL_PARAM_construct_end();
++
++    if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
++        goto err;
++
++    while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
++        status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
++        if (status != 1)
++            break;
++        if (!EVP_MAC_update(ctx, buf, bytes_read))
++            goto err;
++	off += bytes_read;
++    }
++
++    if (off < paddr) {
++        int delta = paddr - off;
++        status = read_ex_cb(bio, buf, delta, &bytes_read);
++        if (status != 1)
++            goto err;
++        if (!EVP_MAC_update(ctx, buf, bytes_read))
++            goto err;
++	off += bytes_read;
++    }
++
++    /* read away the buffer */
++    status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
++    if (status != 1)
++        goto err;
++
++    /* check that it is the expect bytes, no point in continuing otherwise */
++   if (memcmp(expected, buf, HMAC_LEN) != 0)
++        goto err;
++
++    /* replace in-file HMAC buffer with the original zeros */
++    memset(buf, 0, HMAC_LEN);
++    if (!EVP_MAC_update(ctx, buf, HMAC_LEN))
++        goto err;
++    off += HMAC_LEN;
++
++    while (bytes_read > 0) {
++        status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
++        if (status != 1)
++            break;
++        if (!EVP_MAC_update(ctx, buf, bytes_read))
++            goto err;
++	off += bytes_read;
++    }
++
++    if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
++        goto err;
++
++    OSSL_SELF_TEST_oncorrupt_byte(ev, out);
++    if (expected_len != out_len
++            || memcmp(expected, out, out_len) != 0)
++        goto err;
++    ret = 1;
++err:
++    OSSL_SELF_TEST_onend(ev, ret);
++    EVP_MAC_CTX_free(ctx);
++    EVP_MAC_free(mac);
++# ifdef OPENSSL_PEDANTIC_ZEROIZATION
++    OPENSSL_cleanse(out, sizeof(out));
++# endif
++    return ret;
++}
++
+ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
+-                            unsigned char *expected, size_t expected_len,
++                            const unsigned char *expected, size_t expected_len,
+                             OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
+                             const char *event_type)
+ {
+@@ -253,6 +377,9 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
+     EVP_MAC_CTX *ctx = NULL;
+     OSSL_PARAM params[2], *p = params;
+ 
++    if (expected_len != HMAC_LEN)
++        goto err;
++
+     if (!integrity_self_test(ev, libctx))
+         goto err;
+ 
+@@ -316,7 +443,8 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
+     int ok = 0;
+     long checksum_len;
+     OSSL_CORE_BIO *bio_module = NULL;
+-    unsigned char *module_checksum = NULL;
++    const unsigned char *module_checksum = NULL;
++    unsigned char *alloc_checksum = NULL;
+     OSSL_SELF_TEST *ev = NULL;
+     EVP_RAND *testrand = NULL;
+     EVP_RAND_CTX *rng;
+@@ -352,8 +480,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
+         return 0;
+     }
+ 
+-    if (st == NULL
+-            || st->module_checksum_data == NULL) {
++    if (st == NULL) {
+         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
+         goto end;
+     }
+@@ -362,8 +489,15 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
+     if (ev == NULL)
+         goto end;
+ 
+-    module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
+-                                         &checksum_len);
++    if (st->module_checksum_data == NULL) {
++        module_checksum = fips_hmac_container;
++        checksum_len = sizeof(fips_hmac_container);
++    } else {
++        alloc_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
++                                            &checksum_len);
++        module_checksum = alloc_checksum;
++    }
++
+     if (module_checksum == NULL) {
+         ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
+         goto end;
+@@ -371,14 +505,28 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
+     bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb");
+ 
+     /* Always check the integrity of the fips module */
+-    if (bio_module == NULL
+-            || !verify_integrity(bio_module, st->bio_read_ex_cb,
+-                                 module_checksum, checksum_len, st->libctx,
+-                                 ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
++    if (bio_module == NULL) {
+         ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
+         goto end;
+     }
+ 
++    if (st->module_checksum_data == NULL) {
++        if (!verify_integrity_rodata(bio_module, st->bio_read_ex_cb,
++                                     module_checksum, checksum_len,
++                                     st->libctx, ev,
++                                     OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
++            ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
++            goto end;
++        }
++    } else {
++        if (!verify_integrity(bio_module, st->bio_read_ex_cb,
++                              module_checksum, checksum_len, st->libctx,
++                              ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
++            ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
++            goto end;
++        }
++    }
++
+     if (!SELF_TEST_kats(ev, st->libctx)) {
+         ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
+         goto end;
+@@ -398,7 +546,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
+ end:
+     EVP_RAND_free(testrand);
+     OSSL_SELF_TEST_free(ev);
+-    OPENSSL_free(module_checksum);
++    OPENSSL_free(alloc_checksum);
+ 
+     if (st != NULL)
+         (*st->bio_free_cb)(bio_module);
+diff --git a/test/fipsmodule.cnf b/test/fipsmodule.cnf
+new file mode 100644
+index 0000000000..f05d0dedbe
+--- /dev/null
++++ b/test/fipsmodule.cnf
+@@ -0,0 +1,2 @@
++[fips_sect]
++activate = 1
+-- 
+2.50.0
+

0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch

@@ -0,0 +1,32 @@
+From 9633d1339e383fdb008c25635baa86c58b3dcdc4 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 20 Feb 2025 15:30:32 -0500
+Subject: [PATCH 21/53] FIPS: INTEG-CHECK: Add script to hmac-ify fips.so
+
+This script rewrites the fips.so binary to embed the hmac result into it
+so that after a build it can be called to make the fips.so as modified
+by Red Hat to properly pass the integrty test
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ fips-hmacify.sh | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+ create mode 100755 fips-hmacify.sh
+
+diff --git a/fips-hmacify.sh b/fips-hmacify.sh
+new file mode 100755
+index 0000000000..54ae60b07f
+--- /dev/null
++++ b/fips-hmacify.sh
+@@ -0,0 +1,8 @@
++#!/bin/bash
++
++dd if=/dev/zero bs=1 count=32 of=tmp.mac >/dev/null 2>&1
++objcopy --update-section .rodata1=tmp.mac providers/fips.so providers/fips.so.zeromac
++mv providers/fips.so.zeromac providers/fips.so
++LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac
++objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
++mv providers/fips.so.mac providers/fips.so
+-- 
+2.50.0
+

0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch

@@ -0,0 +1,49 @@
+From 391ce06974d5efaf8485ac2386a857d7644db30a Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:15 +0100
+Subject: [PATCH 22/53] FIPS: INTEG-CHECK: Execute KATS before HMAC - REVIEW
+
+Patch-name: 0047-FIPS-early-KATS.patch
+Patch-id: 47
+Patch-status: |
+    # # Execute KATS before HMAC verification
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ providers/fips/self_test.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
+index 8b17b8ca94..0f5074936f 100644
+--- a/providers/fips/self_test.c
++++ b/providers/fips/self_test.c
+@@ -489,6 +489,15 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
+     if (ev == NULL)
+         goto end;
+ 
++    /*
++     * Run the KAT's before HMAC verification according to FIPS-140-3
++     * requirements
++     */
++    if (!SELF_TEST_kats(ev, st->libctx)) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
++        goto end;
++    }
++
+     if (st->module_checksum_data == NULL) {
+         module_checksum = fips_hmac_container;
+         checksum_len = sizeof(fips_hmac_container);
+@@ -527,11 +536,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
+         }
+     }
+ 
+-    if (!SELF_TEST_kats(ev, st->libctx)) {
+-        ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
+-        goto end;
+-    }
+-
+     /* Verify that the RNG has been restored properly */
+     rng = ossl_rand_get0_private_noncreating(st->libctx);
+     if (rng != NULL)
+-- 
+2.50.0
+

0023-FIPS-RSA-encrypt-limits-REVIEW.patch

@@ -0,0 +1,985 @@
+From 821f291d29bf73802287ed74922e1d22d840cb46 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:15 +0100
+Subject: [PATCH 23/53] FIPS: RSA: encrypt limits - REVIEW
+
+Patch-name: 0058-FIPS-limit-rsa-encrypt.patch
+Patch-id: 58
+Patch-status: |
+    # # https://bugzilla.redhat.com/show_bug.cgi?id=2053289
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ providers/common/securitycheck.c              |   1 +
+ .../fips/include/fips_indicator_params.inc    |   2 +-
+ .../implementations/asymciphers/rsa_enc.c     |  26 ++++
+ .../30-test_evp_data/evppkey_rsa_common.txt   | 146 +++++++++++++-----
+ test/recipes/80-test_cms.t                    |   5 +-
+ test/recipes/80-test_ssl_old.t                |  27 +++-
+ 6 files changed, 164 insertions(+), 43 deletions(-)
+ mode change 100644 => 100755 test/recipes/80-test_ssl_old.t
+
+diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
+index 79a9c48ce2..0e517542bc 100644
+--- a/providers/common/securitycheck.c
++++ b/providers/common/securitycheck.c
+@@ -65,6 +65,7 @@ int ossl_rsa_key_op_get_protect(const RSA *rsa, int operation, int *outprotect)
+  * Set protect = 1 for encryption or signing operations, or 0 otherwise. See
+  * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.
+  */
++/* Red Hat build implements some extra limitations in providers/implementations/asymciphers/rsa_enc.c */
+ int ossl_rsa_check_key_size(const RSA *rsa, int protect)
+ {
+     int sz = RSA_bits(rsa);
+diff --git a/providers/fips/include/fips_indicator_params.inc b/providers/fips/include/fips_indicator_params.inc
+index 78f9fc0655..6bd783eb0a 100644
+--- a/providers/fips/include/fips_indicator_params.inc
++++ b/providers/fips/include/fips_indicator_params.inc
+@@ -13,7 +13,7 @@ OSSL_FIPS_PARAM(sskdf_digest_check, SSKDF_DIGEST_CHECK, 0)
+ OSSL_FIPS_PARAM(x963kdf_digest_check, X963KDF_DIGEST_CHECK, 0)
+ OSSL_FIPS_PARAM(dsa_sign_disallowed, DSA_SIGN_DISABLED, 0)
+ OSSL_FIPS_PARAM(tdes_encrypt_disallowed, TDES_ENCRYPT_DISABLED, 0)
+-OSSL_FIPS_PARAM(rsa_pkcs15_padding_disabled, RSA_PKCS15_PAD_DISABLED, 0)
++OSSL_FIPS_PARAM(rsa_pkcs15_padding_disabled, RSA_PKCS15_PAD_DISABLED, 1)
+ OSSL_FIPS_PARAM(rsa_pss_saltlen_check, RSA_PSS_SALTLEN_CHECK, 0)
+ OSSL_FIPS_PARAM(rsa_sign_x931_disallowed, RSA_SIGN_X931_PAD_DISABLED, 0)
+ OSSL_FIPS_PARAM(hkdf_key_check, HKDF_KEY_CHECK, 0)
+diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
+index 6ee127caff..2a7c2f159e 100644
+--- a/providers/implementations/asymciphers/rsa_enc.c
++++ b/providers/implementations/asymciphers/rsa_enc.c
+@@ -168,6 +168,18 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
+     }
+ #endif
+ 
++# ifdef FIPS_MODULE
++    if (prsactx->pad_mode == RSA_NO_PADDING) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE);
++        return 0;
++    }
++
++    if (RSA_bits(prsactx->rsa) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
++        return 0;
++    }
++# endif
++
+     if (out == NULL) {
+         size_t len = RSA_size(prsactx->rsa);
+ 
+@@ -230,6 +242,20 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
+     if (!ossl_prov_is_running())
+         return 0;
+ 
++# ifdef FIPS_MODULE
++    if ((prsactx->pad_mode == RSA_PKCS1_PADDING
++         || prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING
++         || prsactx->pad_mode == RSA_NO_PADDING)) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE);
++        return 0;
++    }
++
++    if (RSA_bits(prsactx->rsa) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
++        return 0;
++    }
++# endif
++
+     if (prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING) {
+         if (out == NULL) {
+             *outlen = SSL_MAX_MASTER_KEY_LENGTH;
+diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+index 18e11bdaa9..17ceb59148 100644
+--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
++++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+@@ -248,13 +248,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e377
+ Output = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+ 
+ # RSA decrypt
+-
++Availablein = default
+ Decrypt = RSA-2048
+ Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78
+ Output = "Hello World"
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # Note: disable the Bleichenbacher workaround to see if it passes
+ Decrypt = RSA-2048
+ Ctrl = rsa_pkcs1_implicit_rejection:0
+@@ -262,7 +262,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C70
+ Output = "Hello World"
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # Corrupted ciphertext
+ # Note: output is generated synthethically by the Bleichenbacher workaround
+ Decrypt = RSA-2048
+@@ -270,7 +270,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C70
+ Output = 4cbb988d6a46228379132b0b5f8c249b3860043848c93632fb982c807c7c82fffc7a9ef83f4908f890373ac181ffea6381e103bcaa27e65638b6ecebef38b59ed4226a9d12af675cfcb634d8c40e7a7aff
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # Corrupted ciphertext
+ # Note: disable the Bleichenbacher workaround to see if it fails
+ Decrypt = RSA-2048
+@@ -296,13 +296,14 @@ Input = 0000000000000000000000000000000000000001
+ Result = KEYOP_ERROR
+ 
+ # RSADP Ciphertext = 2 should pass
++Availablein = default
+ Decrypt = RSA-2048
+ Ctrl = rsa_padding_mode:none
+ Input = 0000000000000000000000000000000000000002
+ Output = 93d0bae8ad0d94de400eb078dd10edd7418ef1bf11b8e8b5d2b86b142e77d603e108fbcca2b976aa7b5326e5369db3bb73bf74f8d47c36a6318e913888c873502a561fc69329e7c24a0a016d81310449a52b29e49a6a41bdfe6c10a8d90072d64b4486756fd007c0071da2a8c7107a904621c11f0d81aa80b655a713c28170594ece28133dfbfddd61d4e4dad0d6781f6145a351a994054993fd57cd1330966ce97d7ac259b15616fd7235e2cac29fdc1c05f1612c61785614b80e7b650c03ef77d64163d75fa637cc2a9a7e570b3176fdcfb6ad6d25e8515f6ced02cfb3a441c87220044110fd27dcb53888f0377e1797bf297b7da27d3f033cd8b5d60ececc
+ 
+ # RSADP Ciphertext = n-2 should pass
+-Availablein = fips
++Availablein = none
+ Decrypt = RSA-2048
+ Ctrl = rsa_padding_mode:none
+ Input = cd0081ea7b2ae1ea06d59f7c73d9ffb94a09615c2e4ba7c636cef08dd3533ec3185525b015c769b99a77d6725bf9c3532a9b6e5f6627d5fb85160768d3dda9cbd35974511717dc3d309d2fc47ee41f97e32adb7f9dd864a1c4767a666ecd71bc1aacf5e7517f4b38594fea9b05e42d5ada9912008013e45316a4d9bb8ed086b88d28758bacaf922d46a868b485d239c9baeb0e2b64592710f42b2d1ea0a4b4802c0becab328f8a68b0073bdb546feea9809d2849912b390c1532bc7e29c7658f8175fae46f34332ff87bcab3e40649b98577869da0ea718353f0722754886913648760d122be676e0fc483dd20ffc31bda96a31966c9aa2e75ad03de47e1c44d
+@@ -317,6 +318,7 @@ Input = cd0081ea7b2ae1ea06d59f7c73d9ffb94a09615c2e4ba7c636cef08dd3533ec3185525b0
+ Result = KEYOP_ERROR
+ 
+ # RSADP Ciphertext = n should fail
++Availablein = default
+ Decrypt = RSA-2048
+ Ctrl = rsa_padding_mode:none
+ Input = cd0081ea7b2ae1ea06d59f7c73d9ffb94a09615c2e4ba7c636cef08dd3533ec3185525b015c769b99a77d6725bf9c3532a9b6e5f6627d5fb85160768d3dda9cbd35974511717dc3d309d2fc47ee41f97e32adb7f9dd864a1c4767a666ecd71bc1aacf5e7517f4b38594fea9b05e42d5ada9912008013e45316a4d9bb8ed086b88d28758bacaf922d46a868b485d239c9baeb0e2b64592710f42b2d1ea0a4b4802c0becab328f8a68b0073bdb546feea9809d2849912b390c1532bc7e29c7658f8175fae46f34332ff87bcab3e40649b98577869da0ea718353f0722754886913648760d122be676e0fc483dd20ffc31bda96a31966c9aa2e75ad03de47e1c44f
+@@ -406,82 +408,90 @@ PrivPubKeyPair = RSA-2048-2:RSA-2048-2-PUBLIC
+ # RSA decrypt
+ 
+ # a random positive test case
++Availablein = default
+ Decrypt = RSA-2048-2
+ Input = 8bfe264e85d3bdeaa6b8851b8e3b956ee3d226fd3f69063a86880173a273d9f283b2eebdd1ed35f7e02d91c571981b6737d5320bd8396b0f3ad5b019daec1b0aab3cbbc026395f4fd14f13673f2dfc81f9b660ec26ac381e6db3299b4e460b43fab9955df2b3cfaa20e900e19c856238fd371899c2bf2ce8c868b76754e5db3b036533fd603746be13c10d4e3e6022ebc905d20c2a7f32b215a4cd53b3f44ca1c327d2c2b651145821c08396c89071f665349c25e44d2733cd9305985ceef6430c3cf57af5fa224089221218fa34737c79c446d28a94c41c96e4e92ac53fbcf384dea8419ea089f8784445a492c812eb0d409467f75afd7d4d1078886205a066
+ Output = "lorem ipsum dolor sit amet"
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # a random negative test case decrypting to empty
+ Decrypt = RSA-2048-2
+ Input = 20aaa8adbbc593a924ba1c5c7990b5c2242ae4b99d0fe636a19a4cf754edbcee774e472fe028160ed42634f8864900cb514006da642cae6ae8c7d087caebcfa6dad1551301e130344989a1d462d4164505f6393933450c67bc6d39d8f5160907cabc251b737925a1cf21e5c6aa5781b7769f6a2a583d97cce008c0f8b6add5f0b2bd80bee60237aa39bb20719fe75749f4bc4e42466ef5a861ae3a92395c7d858d430bfe38040f445ea93fa2958b503539800ffa5ce5f8cf51fa8171a91f36cb4f4575e8de6b4d3f096ee140b938fd2f50ee13f0d050222e2a72b0a3069ff3a6738e82c87090caa5aed4fcbe882c49646aa250b98f12f83c8d528113614a29e7
+ Output =
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # invalid decrypting to max length message
+ Decrypt = RSA-2048-2
+ Input = 48cceab10f39a4db32f60074feea473cbcdb7accf92e150417f76b44756b190e843e79ec12aa85083a21f5437e7bad0a60482e601198f9d86923239c8786ee728285afd0937f7dde12717f28389843d7375912b07b991f4fdb0190fced8ba665314367e8c5f9d2981d0f5128feeb46cb50fc237e64438a86df198dd0209364ae3a842d77532b66b7ef263b83b1541ed671b120dfd660462e2107a4ee7b964e734a7bd68d90dda61770658a3c242948532da32648687e0318286473f675b412d6468f013f14d760a358dfcad3cda2afeec5e268a37d250c37f722f468a70dfd92d7294c3c1ee1e7f8843b7d16f9f37ef35748c3ae93aa155cdcdfeb4e78567303
+ Output = 22d850137b9eebe092b24f602dc5bb7918c16bd89ddbf20467b119d205f9c2e4bd7d2592cf1e532106e0f33557565923c73a02d4f09c0c22bea89148183e60317f7028b3aa1f261f91c979393101d7e15f4067e63979b32751658ef769610fe97cf9cef3278b3117d384051c3b1d82c251c2305418c8f6840530e631aad63e70e20e025bcd8efb54c92ec6d3b106a2f8e64eeff7d38495b0fc50c97138af4b1c0a67a1c4e27b077b8439332edfa8608dfeae653cd6a628ac550395f7e74390e42c11682234870925eeaa1fa71b76cf1f2ee3bda69f6717033ff8b7c95c9799e7a3bea5e7e4a1c359772fb6b1c6e6c516661dfe30c3
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
+ # invalid decrypting to message with length specified by second to last value from PRF
++Availablein = default
+ Decrypt = RSA-2048-2
+ Input = 1439e08c3f84c1a7fec74ce07614b20e01f6fa4e8c2a6cffdc3520d8889e5d9a950c6425798f85d4be38d300ea5695f13ecd4cb389d1ff5b82484b494d6280ab7fa78e645933981cb934cce8bfcd114cc0e6811eefa47aae20af638a1cd163d2d3366186d0a07df0c81f6c9f3171cf3561472e98a6006bf75ddb457bed036dcce199369de7d94ef2c68e8467ee0604eea2b3009479162a7891ba5c40cab17f49e1c438cb6eaea4f76ce23cce0e483ff0e96fa790ea15be67671814342d0a23f4a20262b6182e72f3a67cd289711503c85516a9ed225422f98b116f1ab080a80abd6f0216df88d8cfd67c139243be8dd78502a7aaf6bc99d7da71bcdf627e7354
+ Output = 0f9b
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # invalid decrypting to message with length specified by third to last value from PRF
+ Decrypt = RSA-2048-2
+ Input = 1690ebcceece2ce024f382e467cf8510e74514120937978576caf684d4a02ad569e8d76cbe365a060e00779de2f0865ccf0d923de3b4783a4e2c74f422e2f326086c390b658ba47f31ab013aa80f468c71256e5fa5679b24e83cd82c3d1e05e398208155de2212993cd2b8bab6987cf4cc1293f19909219439d74127545e9ed8a706961b8ee2119f6bfacafbef91b75a789ba65b8b833bc6149cf49b5c4d2c6359f62808659ba6541e1cd24bf7f7410486b5103f6c0ea29334ea6f4975b17387474fe920710ea61568d7b7c0a7916acf21665ad5a31c4eabcde44f8fb6120d8457afa1f3c85d517cda364af620113ae5a3c52a048821731922737307f77a1081
+ Output = 4f02
+ 
+ # positive test with 11 byte long value
++Availablein = default
+ Decrypt = RSA-2048-2
+ Input = 6213634593332c485cef783ea2846e3d6e8b0e005cd8293eaebbaa5079712fd681579bdfbbda138ae4d9d952917a03c92398ec0cb2bb0c6b5a8d55061fed0d0d8d72473563152648cfe640b335dc95331c21cb133a91790fa93ae44497c128708970d2beeb77e8721b061b1c44034143734a77be8220877415a6dba073c3871605380542a9f25252a4babe8331cdd53cf828423f3cc70b560624d0581fb126b2ed4f4ed358f0eb8065cf176399ac1a846a31055f9ae8c9c24a1ba050bc20842125bc1753158f8065f3adb9cc16bfdf83816bdf38b624f12022c5a6fbfe29bc91542be8c0208a770bcd677dc597f5557dc2ce28a11bf3e3857f158717a33f6592
+ Output = "lorem ipsum"
+ 
+ # positive test with 11 byte long value and zero padded ciphertext
++Availablein = default
+ Decrypt = RSA-2048-2
+ Input = 00a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b
+ Output = "lorem ipsum"
+ 
+ # positive test with 11 byte long value and zero truncated ciphertext
++Availablein = default
+ Decrypt = RSA-2048-2
+ Input = a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b
+ Output = "lorem ipsum"
+ 
+ # positive test with 11 byte long value and double zero padded ciphertext
++Availablein = default
+ Decrypt = RSA-2048-2
+ Input = 00001f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc
+ Output = "lorem ipsum"
+ 
+ # positive test with 11 byte long value and double zero truncated ciphertext
++Availablein = default
+ Decrypt = RSA-2048-2
+ Input = 1f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc
+ Output = "lorem ipsum"
+ 
+ # positive that generates a 0 byte long synthetic message internally
++Availablein = default
+ Decrypt = RSA-2048-2
+ Input = b5e49308f6e9590014ffaffc5b8560755739dd501f1d4e9227a7d291408cf4b753f292322ff8bead613bf2caa181b221bc38caf6392deafb28eb21ad60930841ed02fd6225cc9c463409adbe7d8f32440212fbe3881c51375bb09565efb22e62b071472fb38676e5b4e23a0617db5d14d93519ac0007a30a9c822eb31c38b57fcb1be29608fcf1ca2abdcaf5d5752bbc2b5ac7dba5afcff4a5641da360dd01f7112539b1ed46cdb550a3b1006559b9fe1891030ec80f0727c42401ddd6cbb5e3c80f312df6ec89394c5a7118f573105e7ab00fe57833c126141b50a935224842addfb479f75160659ba28877b512bb9a93084ad8bec540f92640f63a11a010e0
+ Output = "lorem ipsum"
+ 
+ # positive that generates a 245 byte long synthetic message internally
++Availablein = default
+ Decrypt = RSA-2048-2
+ Input = 1ea0b50ca65203d0a09280d39704b24fe6e47800189db5033f202761a78bafb270c5e25abd1f7ecc6e7abc4f26d1b0cd9b8c648d529416ee64ccbdd7aa72a771d0353262b543f0e436076f40a1095f5c7dfd10dcf0059ccb30e92dfa5e0156618215f1c3ff3aa997a9d999e506924f5289e3ac72e5e2086cc7b499d71583ed561028671155db4005bee01800a7cdbdae781dd32199b8914b5d4011dd6ff11cd26d46aad54934d293b0bc403dd211bf13b5a5c6836a5e769930f437ffd8634fb7371776f4bc88fa6c271d8aa6013df89ae6470154497c4ac861be2a1c65ebffec139bf7aaba3a81c7c5cdd84da9af5d3edfb957848074686b5837ecbcb6a41c50
+ Output = "lorem ipsum"
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # a random negative test that generates an 11 byte long message
+ Decrypt = RSA-2048-2
+ Input = 5f02f4b1f46935c742ebe62b6f05aa0a3286aab91a49b34780adde6410ab46f7386e05748331864ac98e1da63686e4babe3a19ed40a7f5ceefb89179596aab07ab1015e03b8f825084dab028b6731288f2e511a4b314b6ea3997d2e8fe2825cef8897cbbdfb6c939d441d6e04948414bb69e682927ef8576c9a7090d4aad0e74c520d6d5ce63a154720f00b76de8cc550b1aa14f016d63a7b6d6eaa1f7dbe9e50200d3159b3d099c900116bf4eba3b94204f18b1317b07529751abf64a26b0a0bf1c8ce757333b3d673211b67cc0653f2fe2620d57c8b6ee574a0323a167eab1106d9bc7fd90d415be5f1e9891a0e6c709f4fc0404e8226f8477b4e939b36eb2
+ Output = af9ac70191c92413cb9f2d
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # an otherwise correct plaintext, but with wrong first byte
+ # (0x01 instead of 0x00), generates a random 11 byte long plaintext
+ Decrypt = RSA-2048-2
+@@ -489,7 +499,7 @@ Input = 9b2ec9c0c917c98f1ad3d0119aec6be51ae3106e9af1914d48600ab6a2c0c0c8ae02a2dc
+ Output = a1f8c9255c35cfba403ccc
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # an otherwise correct plaintext, but with wrong second byte
+ # (0x01 instead of 0x02), generates a random 11 byte long plaintext
+ Decrypt = RSA-2048-2
+@@ -497,7 +507,7 @@ Input = 782c2b59a21a511243820acedd567c136f6d3090c115232a82a5efb0b178285f55b5ec2d
+ Output = e6d700309ca0ed62452254
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # an invalid ciphertext, with a zero byte in first byte of
+ # ciphertext, decrypts to a random 11 byte long synthetic
+ # plaintext
+@@ -506,7 +516,7 @@ Input = 0096136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2a
+ Output = ba27b1842e7c21c0e7ef6a
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # an invalid ciphertext, with a zero byte removed from first byte of
+ # ciphertext, decrypts to a random 11 byte long synthetic
+ # plaintext
+@@ -515,7 +525,7 @@ Input = 96136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2ac3
+ Output = ba27b1842e7c21c0e7ef6a
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # an invalid ciphertext, with two zero bytes in first bytes of
+ # ciphertext, decrypts to a random 11 byte long synthetic
+ # plaintext
+@@ -524,7 +534,7 @@ Input = 0000587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f
+ Output = d5cf555b1d6151029a429a
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # an invalid ciphertext, with two zero bytes removed from first bytes of
+ # ciphertext, decrypts to a random 11 byte long synthetic
+ # plaintext
+@@ -533,7 +543,7 @@ Input = 587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f136c
+ Output = d5cf555b1d6151029a429a
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # and invalid ciphertext, otherwise valid but starting with 000002, decrypts
+ # to random 11 byte long synthetic plaintext
+ Decrypt = RSA-2048-2
+@@ -541,7 +551,7 @@ Input = 1786550ce8d8433052e01ecba8b76d3019f1355b212ac9d0f5191b023325a7e7714b7802
+ Output = 3d4a054d9358209e9cbbb9
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # negative test with otherwise valid padding but a zero byte in first byte
+ # of padding
+ Decrypt = RSA-2048-2
+@@ -549,7 +559,7 @@ Input = 179598823812d2c58a7eb50521150a48bcca8b4eb53414018b6bca19f4801456c5e36a94
+ Output = 1f037dd717b07d3e7f7359
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # negative test with otherwise valid padding but a zero byte at the eighth
+ # byte of padding
+ Decrypt = RSA-2048-2
+@@ -557,7 +567,7 @@ Input = a7a340675a82c30e22219a55bc07cdf36d47d01834c1834f917f18b517419ce9de2a9646
+ Output = 63cb0bf65fc8255dd29e17
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # negative test with an otherwise valid plaintext but with missing separator
+ # byte
+ Decrypt = RSA-2048-2
+@@ -612,53 +622,58 @@ PrivPubKeyPair = RSA-2049:RSA-2049-PUBLIC
+ # RSA decrypt
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # malformed that generates length specified by 3rd last value from PRF
+ Decrypt = RSA-2049
+ Input = 00b26f6404b82649629f2704494282443776929122e279a9cf30b0c6fe8122a0a9042870d97cc8ef65490fe58f031eb2442352191f5fbc311026b5147d32df914599f38b825ebb824af0d63f2d541a245c5775d1c4b78630e4996cc5fe413d38455a776cf4edcc0aa7fccb31c584d60502ed2b77398f536e137ff7ba6430e9258e21c2db5b82f5380f566876110ac4c759178900fbad7ab70ea07b1daf7a1639cbb4196543a6cbe8271f35dddb8120304f6eef83059e1c5c5678710f904a6d760c4d1d8ad076be17904b9e69910040b47914a0176fb7eea0c06444a6c4b86d674d19a556a1de5490373cb01ce31bbd15a5633362d3d2cd7d4af1b4c5121288b894
+ Output = 42
+ 
+ # simple positive test case
++Availablein = default
+ Decrypt = RSA-2049
+ Input = 013300edbf0bb3571e59889f7ed76970bf6d57e1c89bbb6d1c3991d9df8e65ed54b556d928da7d768facb395bbcc81e9f8573b45cf8195dbd85d83a59281cddf4163aec11b53b4140053e3bd109f787a7c3cec31d535af1f50e0598d85d96d91ea01913d07097d25af99c67464ebf2bb396fb28a9233e56f31f7e105d71a23e9ef3b736d1e80e713d1691713df97334779552fc94b40dd733c7251bc522b673d3ec9354af3dd4ad44fa71c0662213a57ada1d75149697d0eb55c053aaed5ffd0b815832f454179519d3736fb4faf808416071db0d0f801aca8548311ee708c131f4be658b15f6b54256872c2903ac708bd43b017b073b5707bc84c2cd9da70e967
+ Output = "lorem ipsum"
+ 
+ # positive test case with null padded ciphertext
++Availablein = default
+ Decrypt = RSA-2049
+ Input = 0002aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162
+ Output = "lorem ipsum"
+ 
+ # positive test case with null truncated ciphertext
++Availablein = default
+ Decrypt = RSA-2049
+ Input = 02aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162
+ Output = "lorem ipsum"
+ 
+ # positive test case with double null padded ciphertext
++Availablein = default
+ Decrypt = RSA-2049
+ Input = 0000f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052
+ Output = "lorem ipsum"
+ 
+ # positive test case with double null truncated ciphertext
++Availablein = default
+ Decrypt = RSA-2049
+ Input = f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052
+ Output = "lorem ipsum"
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # a random negative test case that generates an 11 byte long message
+ Decrypt = RSA-2049
+ Input = 00f910200830fc8fff478e99e145f1474b312e2512d0f90b8cef77f8001d09861688c156d1cbaf8a8957f7ebf35f724466952d0524cad48aad4fba1e45ce8ea27e8f3ba44131b7831b62d60c0762661f4c1d1a88cd06263a259abf1ba9e6b0b172069afb86a7e88387726f8ab3adb30bfd6b3f6be6d85d5dfd044e7ef052395474a9cbb1c3667a92780b43a22693015af6c513041bdaf87d43b24ddd244e791eeaea1066e1f4917117b3a468e22e0f7358852bb981248de4d720add2d15dccba6280355935b67c96f9dcb6c419cc38ab9f6fba2d649ef2066e0c34c9f788ae49babd9025fa85b21113e56ce4f43aa134c512b030dd7ac7ce82e76f0be9ce09ebca
+ Output = 1189b6f5498fd6df532b00
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # otherwise correct plaintext, but with wrong first byte (0x01 instead of 0x00)
+ Decrypt = RSA-2049
+ Input = 002c9ddc36ba4cf0038692b2d3a1c61a4bb3786a97ce2e46a3ba74d03158aeef456ce0f4db04dda3fe062268a1711250a18c69778a6280d88e133a16254e1f0e30ce8dac9b57d2e39a2f7d7be3ee4e08aec2fdbe8dadad7fdbf442a29a8fb40857407bf6be35596b8eefb5c2b3f58b894452c2dc54a6123a1a38d642e23751746597e08d71ac92704adc17803b19e131b4d1927881f43b0200e6f95658f559f912c889b4cd51862784364896cd6e8618f485a992f82997ad6a0917e32ae5872eaf850092b2d6c782ad35f487b79682333c1750c685d7d32ab3e1538f31dcaa5e7d5d2825875242c83947308dcf63ba4bfff20334c9c140c837dbdbae7a8dee72ff
+ Output = f6d0f5b78082fe61c04674
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # otherwise correct plaintext, but with wrong second byte (0x01 instead of 0x02)
+ Decrypt = RSA-2049
+ Input = 00c5d77826c1ab7a34d6390f9d342d5dbe848942e2618287952ba0350d7de6726112e9cebc391a0fae1839e2bf168229e3e0d71d4161801509f1f28f6e1487ca52df05c466b6b0a6fbbe57a3268a970610ec0beac39ec0fa67babce1ef2a86bf77466dc127d7d0d2962c20e66593126f276863cd38dc6351428f884c1384f67cad0a0ffdbc2af16711fb68dc559b96b37b4f04cd133ffc7d79c43c42ca4948fa895b9daeb853150c8a5169849b730cc77d68b0217d6c0e3dbf38d751a1998186633418367e7576530566c23d6d4e0da9b038d0bb5169ce40133ea076472d055001f0135645940fd08ea44269af2604c8b1ba225053d6db9ab43577689401bdc0f3
+@@ -722,14 +737,14 @@ ooCElYcob01/JWzoXl61Z5sdrMH5CVZJty5foHKusAN5AgMBAAE=
+ PrivPubKeyPair = RSA-3072:RSA-3072-PUBLIC
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # a random invalid ciphertext that generates an empty synthetic one
+ Decrypt = RSA-3072
+ Input = 5e956cd9652f4a2ece902931013e09662b6a9257ad1e987fb75f73a0606df2a4b04789770820c2e02322c4e826f767bd895734a01e20609c3be4517a7a2a589ea1cdc137beb73eb38dac781b52e863de9620f79f9b90fd5b953651fcbfef4a9f1cc07421d511a87dd6942caab6a5a0f4df473e62defb529a7de1509ab99c596e1dff1320402298d8be73a896cc86c38ae3f2f576e9ea70cc28ad575cb0f854f0be43186baa9c18e29c47c6ca77135db79c811231b7c1730955887d321fdc06568382b86643cf089b10e35ab23e827d2e5aa7b4e99ff2e914f302351819eb4d1693243b35f8bf1d42d08f8ec4acafa35f747a4a975a28643ec630d8e4fa5be59d81995660a14bb64c1fea5146d6b11f92da6a3956dd5cb5e0d747cf2ea23f81617769185336263d46ef4c144b754de62a6337342d6c85a95f19f015724546ee3fc4823eca603dbc1dc01c2d5ed50bd72d8e96df2dc048edde0081284068283fc5e73a6139851abf2f29977d0b3d160c883a42a37efba1be05c1a0b1741d7ddf59
+ Output =
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # a random invalid that has PRF output with a length one byte too long
+ # in the last value
+ Decrypt = RSA-3072
+@@ -737,46 +752,51 @@ Input = 7db0390d75fcf9d4c59cf27b264190d856da9abd11e92334d0e5f71005cfed865a711dfa
+ Output = 56a3bea054e01338be9b7d7957539c
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # a random invalid that generates a synthetic of maximum size
+ Decrypt = RSA-3072
+ Input = 1715065322522dff85049800f6a29ab5f98c465020467414b2a44127fe9446da47fa18047900f99afe67c2df6f50160bb8e90bff296610fde632b3859d4d0d2e644f23835028c46cca01b84b88231d7e03154edec6627bcba23de76740d839851fa12d74c8f92e540c73fe837b91b7d699b311997d5f0f7864c486d499c3a79c111faaacbe4799597a25066c6200215c3d158f3817c1aa57f18bdaad0be1658da9da93f5cc6c3c4dd72788af57adbb6a0c26f42d32d95b8a4f95e8c6feb2f8a5d53b19a50a0b7cbc25e055ad03e5ace8f3f7db13e57759f67b65d143f08cca15992c6b2aae643390483de111c2988d4e76b42596266005103c8de6044fb7398eb3c28a864fa672de5fd8774510ff45e05969a11a4c7d3f343e331190d2dcf24fb9154ba904dc94af98afc5774a9617d0418fe6d13f8245c7d7626c176138dd698a23547c25f27c2b98ea4d8a45c7842b81888e4cc14e5b72e9cf91f56956c93dbf2e5f44a8282a7813157fc481ff1371a0f66b31797e81ebdb09a673d4db96d6
+ Output = 7b036fcd6243900e4236c894e2462c17738acc87e01a76f4d95cb9a328d9acde81650283b8e8f60a217e3bdee835c7b222ad4c85d0acdb9a309bd2a754609a65dec50f3aa04c6d5891034566b9563d42668ede1f8992b17753a2132e28970584e255efc8b45a41c5dbd7567f014acec5fe6fdb6d484790360a913ebb9defcd74ff377f2a8ba46d2ed85f733c9a3da08eb57ecedfafda806778f03c66b2c5d2874cec1c291b2d49eb194c7b5d0dd2908ae90f4843268a2c45563092ade08acb6ab481a08176102fc803fbb2f8ad11b0e1531bd37df543498daf180b12017f4d4d426ca29b4161075534bfb914968088a9d13785d0adc0e2580d3548494b2a9e91605f2b27e6cc701c796f0de7c6f471f6ab6cb9272a1ed637ca32a60d117505d82af3c1336104afb537d01a8f70b510e1eebf4869cb976c419473795a66c7f5e6e20a8094b1bb603a74330c537c5c0698c31538bd2e138c1275a1bdf24c5fa8ab3b7b526324e7918a382d1363b3d463764222150e04
+ 
+ # a positive test case that decrypts to 9 byte long value
++Availablein = default
+ Decrypt = RSA-3072
+ Input = 6c60845a854b4571f678941ae35a2ac03f67c21e21146f9db1f2306be9f136453b86ad55647d4f7b5c9e62197aaff0c0e40a3b54c4cde14e774b1c5959b6c2a2302896ffae1f73b00b862a20ff4304fe06cea7ff30ecb3773ca9af27a0b54547350d7c07dfb0a39629c7e71e83fc5af9b2adbaf898e037f1de696a3f328cf45af7ec9aff7173854087fb8fbf34be981efbd8493f9438d1b2ba2a86af082662aa46ae9adfbec51e5f3d9550a4dd1dcb7c8969c9587a6edc82a8cabbc785c40d9fbd12064559fb769450ac3e47e87bc046148130d7eaa843e4b3ccef3675d0630500803cb7ffee3882378c1a404e850c3e20707bb745e42b13c18786c4976076ed9fa8fd0ff15e571bef02cbbe2f90c908ac3734a433b73e778d4d17fcc28f49185ebc6e8536a06d293202d94496453bfdf1c2c7833a3f99fa38ca8a81f42eaa529d603b890308a319c0ab63a35ff8ebac965f6278f5a7e5d622be5d5fe55f0ca3ec993d55430d2bf59c5d3e860e90c16d91a04596f6fdf60d89ed95d88c036dde
+ Output = "forty two"
+ 
+ # a positive test case with null padded ciphertext
++Availablein = default
+ Decrypt = RSA-3072
+ Input = 00f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727
+ Output = "forty two"
+ 
+ # a positive test case with null truncated ciphertext
++Availablein = default
+ Decrypt = RSA-3072
+ Input = f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727
+ Output = "forty two"
+ 
+ # a positive test case with double null padded ciphertext
++Availablein = default
+ Decrypt = RSA-3072
+ Input = 00001ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0
+ Output = "forty two"
+ 
+ # a positive test case with double null truncated ciphertext
++Availablein = default
+ Decrypt = RSA-3072
+ Input = 1ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0
+ Output = "forty two"
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # a random negative test case that generates a 9 byte long message
+ Decrypt = RSA-3072
+ Input = 5c8555f5cef627c15d37f85c7f5fd6e499264ea4b8e3f9112023aeb722eb38d8eac2be3751fd5a3785ab7f2d59fa3728e5be8c3de78a67464e30b21ee23b5484bb3cd06d0e1c6ad25649c8518165653eb80488bfb491b20c04897a6772f69292222fc5ef50b5cf9efc6d60426a449b6c489569d48c83488df629d695653d409ce49a795447fcec2c58a1a672e4a391401d428baaf781516e11e323d302fcf20f6eab2b2dbe53a48c987e407c4d7e1cb41131329138313d330204173a4f3ff06c6fadf970f0ed1005d0b27e35c3d11693e0429e272d583e57b2c58d24315c397856b34485dcb077665592b747f889d34febf2be8fce66c265fd9fc3575a6286a5ce88b4b413a08efc57a07a8f57a999605a837b0542695c0d189e678b53662ecf7c3d37d9dbeea585eebfaf79141118e06762c2381fe27ca6288edddc19fd67cd64f16b46e06d8a59ac530f22cd83cc0bc4e37feb52015cbb2283043ccf5e78a4eb7146827d7a466b66c8a4a4826c1bad68123a7f2d00fc1736525ff90c058f56
+ Output = 257906ca6de8307728
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # a random negative test case that generates a 9 byte long message based on
+ # second to last value from PRF
+ Decrypt = RSA-3072
+@@ -784,7 +804,7 @@ Input = 758c215aa6acd61248062b88284bf43c13cb3b3d02410be4238607442f1c0216706e21a0
+ Output = 043383c929060374ed
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # a random negative test that generates message based on 3rd last value from
+ # PRF
+ Decrypt = RSA-3072
+@@ -792,35 +812,35 @@ Input = 7b22d5e62d287968c6622171a1f75db4b0fd15cdf3134a1895d235d56f8d8fe619f2bf48
+ Output = 70263fa6050534b9e0
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # an otherwise valid plaintext, but with wrong first byte (0x01 instead of 0x00)
+ Decrypt = RSA-3072
+ Input = 6db80adb5ff0a768caf1378ecc382a694e7d1bde2eff4ba12c48aaf794ded7a994a5b2b57acec20dbec4ae385c9dd531945c0f197a5496908725fc99d88601a17d3bb0b2d38d2c1c3100f39955a4cb3dbed5a38bf900f23d91e173640e4ec655c84fdfe71fcdb12a386108fcf718c9b7af37d39703e882436224c877a2235e8344fba6c951eb7e2a4d1d1de81fb463ac1b880f6cc0e59ade05c8ce35179ecd09546731fc07b141d3d6b342a97ae747e61a9130f72d37ac5a2c30215b6cbd66c7db893810df58b4c457b4b54f34428247d584e0fa71062446210db08254fb9ead1ba1a393c724bd291f0cf1a7143f32df849051dc896d7d176fef3b57ab6dffd626d0c3044e9edb2e3d012ace202d2581df01bec7e9aa0727a6650dd373d374f0bc0f4a611f8139dfe97d63e70c6188f4df5b672e47c51d8aa567097293fbff127c75ec690b43407578b73c85451710a0cece58fd497d7f7bd36a8a92783ef7dc6265dff52aac8b70340b996508d39217f2783ce6fc91a1cc94bb2ac487b84f62
+ Output = 6d8d3a094ff3afff4c
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # an otherwise valid plaintext, but with wrong second byte (0x01 instead of 0x02)
+ Decrypt = RSA-3072
+ Input = 417328c034458563079a4024817d0150340c34e25ae16dcad690623f702e5c748a6ebb3419ff48f486f83ba9df35c05efbd7f40613f0fc996c53706c30df6bba6dcd4a40825f96133f3c21638a342bd4663dffbd0073980dac47f8c1dd8e97ce1412e4f91f2a8adb1ac2b1071066efe8d718bbb88ca4a59bd61500e826f2365255a409bece0f972df97c3a55e09289ef5fa815a2353ef393fd1aecfc888d611c16aec532e5148be15ef1bf2834b8f75bb26db08b66d2baad6464f8439d1986b533813321dbb180080910f233bcc4dd784fb21871aef41be08b7bfad4ecc3b68f228cb5317ac6ec1227bc7d0e452037ba918ee1da9fdb8393ae93b1e937a8d4691a17871d5092d2384b6190a53df888f65b951b05ed4ad57fe4b0c6a47b5b22f32a7f23c1a234c9feb5d8713d949686760680da4db454f4acad972470033472b9864d63e8d23eefc87ebcf464ecf33f67fbcdd48eab38c5292586b36aef5981ed2fa07b2f9e23fc57d9eb71bfff4111c857e9fff23ceb31e72592e70c874b4936
+ Output = c6ae80ffa80bc184b0
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # an otherwise valid plaintext, but with zero byte in first byte of padding
+ Decrypt = RSA-3072
+ Input = 8542c626fe533467acffcd4e617692244c9b5a3bf0a215c5d64891ced4bf4f9591b4b2aedff9843057986d81631b0acb3704ec2180e5696e8bd15b217a0ec36d2061b0e2182faa3d1c59bd3f9086a10077a3337a3f5da503ec3753535ffd25b837a12f2541afefd0cffb0224b8f874e4bed13949e105c075ed44e287c5ae03b155e06b90ed247d2c07f1ef3323e3508cce4e4074606c54172ad74d12f8c3a47f654ad671104bf7681e5b061862747d9afd37e07d8e0e2291e01f14a95a1bb4cbb47c304ef067595a3947ee2d722067e38a0f046f43ec29cac6a8801c6e3e9a2331b1d45a7aa2c6af3205be382dd026e389614ee095665a611ab2e8dced2ee1c9d08ac9de11aef5b3803fc9a9ce8231ec87b5fed386fb92ee3db995a89307bcba844bd0a691c29ae51216e949dfc813133cb06a07265fd807bcb3377f6adb0a481d9b7f442003115895939773e6b95371c4febef29edae946fa245e7c50729e2e558cfaad773d1fd5f67b457a6d9d17a847c6fcbdb103a86f35f228cefc06cea0
+ Output = a8a9301daa01bb25c7
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # an otherwise valid plaintext, but with zero byte in eight byte of padding
+ Decrypt = RSA-3072
+ Input = 449dfa237a70a99cb0351793ec8677882021c2aa743580bf6a0ea672055cffe8303ac42855b1d1f3373aae6af09cb9074180fc963e9d1478a4f98b3b4861d3e7f0aa8560cf603711f139db77667ca14ba3a1acdedfca9ef4603d6d7eb0645bfc805304f9ad9d77d34762ce5cd84bd3ec9d35c30e3be72a1e8d355d5674a141b5530659ad64ebb6082e6f73a80832ab6388912538914654d34602f4b3b1c78589b4a5d964b2efcca1dc7004c41f6cafcb5a7159a7fc7c0398604d0edbd4c8f4f04067da6a153a05e7cbeea13b5ee412400ef7d4f3106f4798da707ec37a11286df2b7a204856d5ff773613fd1e453a7114b78e347d3e8078e1cb3276b3562486ba630bf719697e0073a123c3e60ebb5c7a1ccff4279faffa2402bc1109f8d559d6766e73591943dfcf25ba10c3762f02af85187799b8b4b135c3990793a6fd32642f1557405ba55cc7cf7336a0e967073c5fa50743f9cc5e3017c172d9898d2af83345e71b3e0c22ab791eacb6484a32ec60ebc226ec9deaee91b1a0560c2b571
+ Output = 6c716fe01d44398018
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # an otherwise valid plaintext, but with null separator missing
+ Decrypt = RSA-3072
+ Input = a7a5c99e50da48769ecb779d9abe86ef9ec8c38c6f43f17c7f2d7af608a4a1bd6cf695b47e97c191c61fb5a27318d02f495a176b9fae5a55b5d3fabd1d8aae4957e3879cb0c60f037724e11be5f30f08fc51c033731f14b44b414d11278cd3dba7e1c8bfe208d2b2bb7ec36366dacb6c88b24cd79ab394adf19dbbc21dfa5788bacbadc6a62f79cf54fd8cf585c615b5c0eb94c35aa9de25321c8ffefb8916bbaa2697cb2dd82ee98939df9b6704cee77793edd2b4947d82e00e5749664970736c59a84197bd72b5c71e36aae29cd39af6ac73a368edbc1ca792e1309f442aafcd77c992c88f8e4863149f221695cb7b0236e75b2339a02c4ea114854372c306b9412d8eedb600a31532002f2cea07b4df963a093185e4607732e46d753b540974fb5a5c3f9432df22e85bb17611370966c5522fd23f2ad3484341ba7fd8885fc8e6d379a611d13a2aca784fba2073208faad2137bf1979a0fa146c1880d4337db3274269493bab44a1bcd0681f7227ffdf589c2e925ed9d36302509d1109ba4
+@@ -912,9 +932,9 @@ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DD
+ 
+ # Verify of above signature
+ Verify = RSA-2048-PUBLIC
++Ctrl = digest:sha256
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_pss_saltlen:0
+-Ctrl = digest:sha256
+ Input="0123456789ABCDEF0123456789ABCDEF"
+ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DDD0635A96B28F854E50145518482CB49E963054621B53C60C498D07C16E9C2789C893CF38D4D86900DE71BDE463BD2761D1271E358C7480A1AC0BAB930DDF39602AD1BC165B5D7436B516B7A7858E8EB7AB1C420EEB482F4D207F0E462B1724959320A084E13848D11D10FB593E66BF680BF6D3F345FC3E9C3DE60ABBAC37E1C6EC80A268C8D9FC49626C679097AA690BC1AA662B95EB8DB70390861AA0898229F9349B4B5FDD030D4928C47084708A933144BE23BD3C6E661B85B2C0EF9ED36D498D5B7320E8194D363D4AD478C059BAE804181965E0B81B663158A
+ 
+@@ -1207,36 +1227,42 @@ vcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mNXb79cyY+NygUJ0OBgWbtfdY2
+ h90qjKHS9PvY4Q==
+ -----END PRIVATE KEY-----
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-1
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=354fe67b4a126d5d35fe36c777791a3f7ba13def484e2d3908aff722fad468fb21696de95d0be911c2d3174f8afcc201035f7b6d8e69402de5451618c21a535fa9d7bfc5b8dd9fc243f8cf927db31322d6e881eaa91a996170e657a05a266426d98c88003f8477c1227094a0d9fa1e8c4024309ce1ecccb5210035d47ac72e8a
+ Output=6628194e12073db03ba94cda9ef9532397d50dba79b987004afefe34
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-1
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=640db1acc58e0568fe5407e5f9b701dff8c3c91e716c536fc7fcec6cb5b71c1165988d4a279e1577d730fc7a29932e3f00c81515236d8d8e31017a7a09df4352d904cdeb79aa583adcc31ea698a4c05283daba9089be5491f67c1a4ee48dc74bbbe6643aef846679b4cb395a352d5ed115912df696ffe0702932946d71492b44
+ Output=750c4047f547e8e41411856523298ac9bae245efaf1397fbe56f9dd5
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-1
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=423736ed035f6026af276c35c0b3741b365e5f76ca091b4e8c29e2f0befee603595aa8322d602d2e625e95eb81b2f1c9724e822eca76db8618cf09c5343503a4360835b5903bc637e3879fb05e0ef32685d5aec5067cd7cc96fe4b2670b6eac3066b1fcf5686b68589aafb7d629b02d8f8625ca3833624d4800fb081b1cf94eb
+ Output=d94ae0832e6445ce42331cb06d531a82b1db4baad30f746dc916df24d4e3c2451fff59a6423eb0e1d02d4fe646cf699dfd818c6e97b051
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-1
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=45ead4ca551e662c9800f1aca8283b0525e6abae30be4b4aba762fa40fd3d38e22abefc69794f6ebbbc05ddbb11216247d2f412fd0fba87c6e3acd888813646fd0e48e785204f9c3f73d6d8239562722dddd8771fec48b83a31ee6f592c4cfd4bc88174f3b13a112aae3b9f7b80e0fc6f7255ba880dc7d8021e22ad6a85f0755
+ Output=52e650d98e7f2a048b4f86852153b97e01dd316f346a19f67a85
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-1
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=36f6e34d94a8d34daacba33a2139d00ad85a9345a86051e73071620056b920e219005855a213a0f23897cdcd731b45257c777fe908202befdd0b58386b1244ea0cf539a05d5d10329da44e13030fd760dcd644cfef2094d1910d3f433e1c7c6dd18bc1f2df7f643d662fb9dd37ead9059190f4fa66ca39e869c4eb449cbdc439
+ Output=8da89fd9e5f974a29feffb462b49180f6cf9e802
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-1
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+@@ -1261,36 +1287,42 @@ SwGNdhGLJDiac1Dsg2sAY6IXISNv2O222JtR5+64e2EbcTLLfqc1bCMVHB53UVB8
+ eG2e4XlBcKjI6A==
+ -----END PRIVATE KEY-----
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-2
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0181af8922b9fcb4d79d92ebe19815992fc0c1439d8bcd491398a0f4ad3a329a5bd9385560db532683c8b7da04e4b12aed6aacdf471c34c9cda891addcc2df3456653aa6382e9ae59b54455257eb099d562bbe10453f2b6d13c59c02e10f1f8abb5da0d0570932dacf2d0901db729d0fefcc054e70968ea540c81b04bcaefe720e
+ Output=8ff00caa605c702830634d9a6c3d42c652b58cf1d92fec570beee7
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-2
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=018759ff1df63b2792410562314416a8aeaf2ac634b46f940ab82d64dbf165eee33011da749d4bab6e2fcd18129c9e49277d8453112b429a222a8471b070993998e758861c4d3f6d749d91c4290d332c7a4ab3f7ea35ff3a07d497c955ff0ffc95006b62c6d296810d9bfab024196c7934012c2df978ef299aba239940cba10245
+ Output=2d
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-2
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=018802bab04c60325e81c4962311f2be7c2adce93041a00719c88f957575f2c79f1b7bc8ced115c706b311c08a2d986ca3b6a9336b147c29c6f229409ddec651bd1fdd5a0b7f610c9937fdb4a3a762364b8b3206b4ea485fd098d08f63d4aa8bb2697d027b750c32d7f74eaf5180d2e9b66b17cb2fa55523bc280da10d14be2053
+ Output=74fc88c51bc90f77af9d5e9a4a70133d4b4e0b34da3c37c7ef8e
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-2
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=00a4578cbc176318a638fba7d01df15746af44d4f6cd96d7e7c495cbf425b09c649d32bf886da48fbaf989a2117187cafb1fb580317690e3ccd446920b7af82b31db5804d87d01514acbfa9156e782f867f6bed9449e0e9a2c09bcecc6aa087636965e34b3ec766f2fe2e43018a2fddeb140616a0e9d82e5331024ee0652fc7641
+ Output=a7eb2a5036931d27d4e891326d99692ffadda9bf7efd3e34e622c4adc085f721dfe885072c78a203b151739be540fa8c153a10f00a
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-2
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=00ebc5f5fda77cfdad3c83641a9025e77d72d8a6fb33a810f5950f8d74c73e8d931e8634d86ab1246256ae07b6005b71b7f2fb98351218331ce69b8ffbdc9da08bbc9c704f876deb9df9fc2ec065cad87f9090b07acc17aa7f997b27aca48806e897f771d95141fe4526d8a5301b678627efab707fd40fbebd6e792a25613e7aec
+ Output=2ef2b066f854c33f3bdcbb5994a435e73d6c6c
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-2
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+@@ -1315,36 +1347,42 @@ iUGx07dw5a0x7jc7KKzaaf+bb0D+V4ufGvuFg2+WJ9N6z/c8J3nmNLsmARwsj38z
+ Ya4qnqZe1onjY5o=
+ -----END PRIVATE KEY-----
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-3
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=026a0485d96aebd96b4382085099b962e6a2bdec3d90c8db625e14372de85e2d5b7baab65c8faf91bb5504fb495afce5c988b3f6a52e20e1d6cbd3566c5cd1f2b8318bb542cc0ea25c4aab9932afa20760eaddec784396a07ea0ef24d4e6f4d37e5052a7a31e146aa480a111bbe926401307e00f410033842b6d82fe5ce4dfae80
+ Output=087820b569e8fa8d
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-3
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=024db89c7802989be0783847863084941bf209d761987e38f97cb5f6f1bc88da72a50b73ebaf11c879c4f95df37b850b8f65d7622e25b1b889e80fe80baca2069d6e0e1d829953fc459069de98ea9798b451e557e99abf8fe3d9ccf9096ebbf3e5255d3b4e1c6d2ecadf067a359eea86405acd47d5e165517ccafd47d6dbee4bf5
+ Output=4653acaf171960b01f52a7be63a3ab21dc368ec43b50d82ec3781e04
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-3
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0239bce681032441528877d6d1c8bb28aa3bc97f1df584563618995797683844ca86664732f4bed7a0aab083aaabfb7238f582e30958c2024e44e57043b97950fd543da977c90cdde5337d618442f99e60d7783ab59ce6dd9d69c47ad1e962bec22d05895cff8d3f64ed5261d92b2678510393484990ba3f7f06818ae6ffce8a3a
+ Output=d94cd0e08fa404ed89
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-3
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=02994c62afd76f498ba1fd2cf642857fca81f4373cb08f1cbaee6f025c3b512b42c3e8779113476648039dbe0493f9246292fac28950600e7c0f32edf9c81b9dec45c3bde0cc8d8847590169907b7dc5991ceb29bb0714d613d96df0f12ec5d8d3507c8ee7ae78dd83f216fa61de100363aca48a7e914ae9f42ddfbe943b09d9a0
+ Output=6cc641b6b61e6f963974dad23a9013284ef1
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-3
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0162042ff6969592a6167031811a239834ce638abf54fec8b99478122afe2ee67f8c5b18b0339805bfdbc5a4e6720b37c59cfba942464c597ff532a119821545fd2e59b114e61daf71820529f5029cf524954327c34ec5e6f5ba7efcc4de943ab8ad4ed787b1454329f70db798a3a8f4d92f8274e2b2948ade627ce8ee33e43c60
+ Output=df5151832b61f4f25891fb4172f328d2eddf8371ffcfdbe997939295f30eca6918017cfda1153bf7a6af87593223
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-3
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+@@ -1369,36 +1407,42 @@ s/XkIiO6MDAcQabYfLtw4wy308Z9JUc9sfbL8D4/kSbj6XloJ5qGWywrQmUkz8Uq
+ aD0x7TDrmEvkEro=
+ -----END PRIVATE KEY-----
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-4
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=04cce19614845e094152a3fe18e54e3330c44e5efbc64ae16886cb1869014cc5781b1f8f9e045384d0112a135ca0d12e9c88a8e4063416deaae3844f60d6e96fe155145f4525b9a34431ca3766180f70e15a5e5d8e8b1a516ff870609f13f896935ced188279a58ed13d07114277d75c6568607e0ab092fd803a223e4a8ee0b1a8
+ Output=4a86609534ee434a6cbca3f7e962e76d455e3264c19f605f6e5ff6137c65c56d7fb344cd52bc93374f3d166c9f0c6f9c506bad19330972d2
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-4
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0097b698c6165645b303486fbf5a2a4479c0ee85889b541a6f0b858d6b6597b13b854eb4f839af03399a80d79bda6578c841f90d645715b280d37143992dd186c80b949b775cae97370e4ec97443136c6da484e970ffdb1323a20847821d3b18381de13bb49aaea66530c4a4b8271f3eae172cd366e07e6636f1019d2a28aed15e
+ Output=b0adc4f3fe11da59ce992773d9059943c03046497ee9d9f9a06df1166db46d98f58d27ec074c02eee6cbe2449c8b9fc5080c5c3f4433092512ec46aa793743c8
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-4
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0301f935e9c47abcb48acbbe09895d9f5971af14839da4ff95417ee453d1fd77319072bb7297e1b55d7561cd9d1bb24c1a9a37c619864308242804879d86ebd001dce5183975e1506989b70e5a83434154d5cbfd6a24787e60eb0c658d2ac193302d1192c6e622d4a12ad4b53923bca246df31c6395e37702c6a78ae081fb9d065
+ Output=bf6d42e701707b1d0206b0c8b45a1c72641ff12889219a82bdea965b5e79a96b0d0163ed9d578ec9ada20f2fbcf1ea3c4089d83419ba81b0c60f3606da99
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-4
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=02d110ad30afb727beb691dd0cf17d0af1a1e7fa0cc040ec1a4ba26a42c59d0a796a2e22c8f357ccc98b6519aceb682e945e62cb734614a529407cd452bee3e44fece8423cc19e55548b8b994b849c7ecde4933e76037e1d0ce44275b08710c68e430130b929730ed77e09b015642c5593f04e4ffb9410798102a8e96ffdfe11e4
+ Output=fb2ef112f5e766eb94019297934794f7be2f6fc1c58e
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-4
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=00dbb8a7439d90efd919a377c54fae8fe11ec58c3b858362e23ad1b8a44310799066b99347aa525691d2adc58d9b06e34f288c170390c5f0e11c0aa3645959f18ee79e8f2be8d7ac5c23d061f18dd74b8c5f2a58fcb5eb0c54f99f01a83247568292536583340948d7a8c97c4acd1e98d1e29dc320e97a260532a8aa7a758a1ec2
+ Output=28ccd447bb9e85166dabb9e5b7d1adadc4b9d39f204e96d5e440ce9ad928bc1c2284
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-4
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+@@ -1423,36 +1467,42 @@ OPlAQGLrhaQpJFILOPW7iGoBlvSLuNzqYP2SzAJ/GOeBWKNKXF1fhgoPbAQHGn0B
+ MSwGUGLx60i3nRyDyw==
+ -----END PRIVATE KEY-----
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-5
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=036046a4a47d9ed3ba9a89139c105038eb7492b05a5d68bfd53accff4597f7a68651b47b4a4627d927e485eed7b4566420e8b409879e5d606eae251d22a5df799f7920bfc117b992572a53b1263146bcea03385cc5e853c9a101c8c3e1bda31a519807496c6cb5e5efb408823a352b8fa0661fb664efadd593deb99fff5ed000e5
+ Output=af71a901e3a61d3132f0fc1fdb474f9ea6579257ffc24d164170145b3dbde8
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-5
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=03d6eb654edce615bc59f455265ed4e5a18223cbb9be4e4069b473804d5de96f54dcaaa603d049c5d94aa1470dfcd2254066b7c7b61ff1f6f6770e3215c51399fd4e34ec5082bc48f089840ad04354ae66dc0f1bd18e461a33cc1258b443a2837a6df26759aa2302334986f87380c9cc9d53be9f99605d2c9a97da7b0915a4a7ad
+ Output=a3b844a08239a8ac41605af17a6cfda4d350136585903a417a79268760519a4b4ac3303ec73f0f87cfb32399
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-5
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0770952181649f9f9f07ff626ff3a22c35c462443d905d456a9fd0bff43cac2ca7a9f554e9478b9acc3ac838b02040ffd3e1847de2e4253929f9dd9ee4044325a9b05cabb808b2ee840d34e15d105a3f1f7b27695a1a07a2d73fe08ecaaa3c9c9d4d5a89ff890d54727d7ae40c0ec1a8dd86165d8ee2c6368141016a48b55b6967
+ Output=308b0ecbd2c76cb77fc6f70c5edd233fd2f20929d629f026953bb62a8f4a3a314bde195de85b5f816da2aab074d26cb6acddf323ae3b9c678ac3cf12fbdde7
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-5
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0812b76768ebcb642d040258e5f4441a018521bd96687e6c5e899fcd6c17588ff59a82cc8ae03a4b45b31299af1788c329f7dcd285f8cf4ced82606b97612671a45bedca133442144d1617d114f802857f0f9d739751c57a3f9ee400912c61e2e6992be031a43dd48fa6ba14eef7c422b5edc4e7afa04fdd38f402d1c8bb719abf
+ Output=15c5b9ee1185
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-5
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=07b60e14ec954bfd29e60d0047e789f51d57186c63589903306793ced3f68241c743529aba6a6374f92e19e0163efa33697e196f7661dfaaa47aac6bde5e51deb507c72c589a2ca1693d96b1460381249b2cdb9eac44769f2489c5d3d2f99f0ee3c7ee5bf64a5ac79c42bd433f149be8cb59548361640595513c97af7bc2509723
+ Output=21026e6800c7fa728fcaaba0d196ae28d7a2ac4ffd8abce794f0985f60c8a6737277365d3fea11db8923a2029a
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-5
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+@@ -1477,36 +1527,42 @@ xT1F29tenZbQ/s9Cdd8JdLxKBza0p0wyaQU++2hqziQG4iyeBY3bSuVAYnri/bCC
+ Yejn5Ly8mU2q+jBcRQ==
+ -----END PRIVATE KEY-----
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-6
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0630eebcd2856c24f798806e41f9e67345eda9ceda386acc9facaea1eeed06ace583709718d9d169fadf414d5c76f92996833ef305b75b1e4b95f662a20faedc3bae0c4827a8bf8a88edbd57ec203a27a841f02e43a615bab1a8cac0701de34debdef62a088089b55ec36ea7522fd3ec8d06b6a073e6df833153bc0aefd93bd1a3
+ Output=4046ca8baa3347ca27f49e0d81f9cc1d71be9ba517d4
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-6
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0ebc37376173a4fd2f89cc55c2ca62b26b11d51c3c7ce49e8845f74e7607317c436bc8d23b9667dfeb9d087234b47bc6837175ae5c0559f6b81d7d22416d3e50f4ac533d8f0812f2db9e791fe9c775ac8b6ad0f535ad9ceb23a4a02014c58ab3f8d3161499a260f39348e714ae2a1d3443208fd8b722ccfdfb393e98011f99e63f
+ Output=5cc72c60231df03b3d40f9b57931bc31109f972527f28b19e7480c7288cb3c92b22512214e4be6c914792ddabdf57faa8aa7
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-6
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0a98bf1093619394436cf68d8f38e2f158fde8ea54f3435f239b8d06b8321844202476aeed96009492480ce3a8d705498c4c8c68f01501dc81db608f60087350c8c3b0bd2e9ef6a81458b7c801b89f2e4fe99d4900ba6a4b5e5a96d865dc676c7755928794130d6280a8160a190f2df3ea7cf9aa0271d88e9e6905ecf1c5152d65
+ Output=b20e651303092f4bccb43070c0f86d23049362ed96642fc5632c27db4a52e3d831f2ab068b23b149879c002f6bf3feee97591112562c
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-6
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=008e7a67cacfb5c4e24bec7dee149117f19598ce8c45808fef88c608ff9cd6e695263b9a3c0ad4b8ba4c95238e96a8422b8535629c8d5382374479ad13fa39974b242f9a759eeaf9c83ad5a8ca18940a0162ba755876df263f4bd50c6525c56090267c1f0e09ce0899a0cf359e88120abd9bf893445b3cae77d3607359ae9a52f8
+ Output=684e3038c5c041f7
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-6
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=00003474416c7b68bdf961c385737944d7f1f40cb395343c693cc0b4fe63b31fedf1eaeeac9ccc0678b31dc32e0977489514c4f09085f6298a9653f01aea4045ff582ee887be26ae575b73eef7f3774921e375a3d19adda0ca31aa1849887c1f42cac9677f7a2f4e923f6e5a868b38c084ef187594dc9f7f048fea2e02955384ab
+ Output=32488cb262d041d6e4dd35f987bf3ca696db1f06ac29a44693
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-6
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+@@ -1531,36 +1587,42 @@ tu4XIedy0DiaVZw9PN+VUNRXxGsDe3RkGx1SFmr4ohPIOWIGzfukQi8Y1vYdvLXS
+ FMlxv0gq65dqc3DC
+ -----END PRIVATE KEY-----
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-7
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=1688e4ce7794bba6cb7014169ecd559cede2a30b56a52b68d9fe18cf1973ef97b2a03153951c755f6294aa49adbdb55845ab6875fb3986c93ecf927962840d282f9e54ce8b690f7c0cb8bbd73440d9571d1b16cd9260f9eab4783cc482e5223dc60973871783ec27b0ae0fd47732cbc286a173fc92b00fb4ba6824647cd93c85c1
+ Output=47aae909
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-7
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=1052ed397b2e01e1d0ee1c50bf24363f95e504f4a03434a08fd822574ed6b9736edbb5f390db10321479a8a139350e2bd4977c3778ef331f3e78ae118b268451f20a2f01d471f5d53c566937171b2dbc2d4bde459a5799f0372d6574239b2323d245d0bb81c286b63c89a361017337e4902f88a467f4c7f244bfd5ab46437ff3b6
+ Output=1d9b2e2223d9bc13bfb9f162ce735db48ba7c68f6822a0a1a7b6ae165834e7
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-7
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=2155cd843ff24a4ee8badb7694260028a490813ba8b369a4cbf106ec148e5298707f5965be7d101c1049ea8584c24cd63455ad9c104d686282d3fb803a4c11c1c2e9b91c7178801d1b6640f003f5728df007b8a4ccc92bce05e41a27278d7c85018c52414313a5077789001d4f01910b72aad05d220aa14a58733a7489bc54556b
+ Output=d976fc
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-7
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0ab14c373aeb7d4328d0aaad8c094d88b9eb098b95f21054a29082522be7c27a312878b637917e3d819e6c3c568db5d843802b06d51d9e98a2be0bf40c031423b00edfbff8320efb9171bd2044653a4cb9c5122f6c65e83cda2ec3c126027a9c1a56ba874d0fea23f380b82cf240b8cf540004758c4c77d934157a74f3fc12bfac
+ Output=d4738623df223aa43843df8467534c41d013e0c803c624e263666b239bde40a5f29aeb8de79e3daa61dd0370f49bd4b013834b98212aef6b1c5ee373b3cb
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-7
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=028387a318277434798b4d97f460068df5298faba5041ba11761a1cb7316b24184114ec500257e2589ed3b607a1ebbe97a6cc2e02bf1b681f42312a33b7a77d8e7855c4a6de03e3c04643f786b91a264a0d6805e2cea91e68177eb7a64d9255e4f27e713b7ccec00dc200ebd21c2ea2bb890feae4942df941dc3f97890ed347478
+ Output=bb47231ca5ea1d3ad46c99345d9a8a61
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-7
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+@@ -1585,36 +1647,42 @@ njraT2MgdSwJ2AX/fR8a4NAXru7pzvoNfdf/d15EtXgyL2QF1iEdoZUZZmqof9xM
+ 2MiPa249Z+lh3Luj0A==
+ -----END PRIVATE KEY-----
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-8
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=09b3683d8a2eb0fb295b62ed1fb9290b714457b7825319f4647872af889b30409472020ad12912bf19b11d4819f49614824ffd84d09c0a17e7d17309d12919790410aa2995699f6a86dbe3242b5acc23af45691080d6b1ae810fb3e3057087f0970092ce00be9562ff4053b6262ce0caa93e13723d2e3a5ba075d45f0d61b54b61
+ Output=050b755e5e6880f7b9e9d692a74c37aae449b31bfea6deff83747a897f6c2c825bb1adbf850a3c96994b5de5b33cbc7d4a17913a7967
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-8
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=2ecf15c97c5a15b1476ae986b371b57a24284f4a162a8d0c8182e7905e792256f1812ba5f83f1f7a130e42dcc02232844edc14a31a68ee97ae564a383a3411656424c5f62ddb646093c367be1fcda426cf00a06d8acb7e57776fbbd855ac3df506fc16b1d7c3f2110f3d8068e91e186363831c8409680d8da9ecd8cf1fa20ee39d
+ Output=4eb68dcd93ca9b19df111bd43608f557026fe4aa1d5cfac227a3eb5ab9548c18a06dded23f81825986b2fcd71109ecef7eff88873f075c2aa0c469f69c92bc
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-8
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=4bc89130a5b2dabb7c2fcf90eb5d0eaf9e681b7146a38f3173a3d9cfec52ea9e0a41932e648a9d69344c50da763f51a03c95762131e8052254dcd2248cba40fd31667786ce05a2b7b531ac9dac9ed584a59b677c1a8aed8c5d15d68c05569e2be780bf7db638fd2bfd2a85ab276860f3777338fca989ffd743d13ee08e0ca9893f
+ Output=8604ac56328c1ab5ad917861
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-8
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=2e456847d8fc36ff0147d6993594b9397227d577752c79d0f904fcb039d4d812fea605a7b574dd82ca786f93752348438ee9f5b5454985d5f0e1699e3e7ad175a32e15f03deb042ab9fe1dd9db1bb86f8c089ccb45e7ef0c5ee7ca9b7290ca6b15bed47039788a8a93ff83e0e8d6244c71006362deef69b6f416fb3c684383fbd0
+ Output=fdda5fbf6ec361a9d9a4ac68af216a0686f438b1e0e5c36b955f74e107f39c0dddcc
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-8
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=1fb9356fd5c4b1796db2ebf7d0d393cc810adf6145defc2fce714f79d93800d5e2ac211ea8bbecca4b654b94c3b18b30dd576ce34dc95436ef57a09415645923359a5d7b4171ef22c24670f1b229d3603e91f76671b7df97e7317c97734476d5f3d17d21cf82b5ba9f83df2e588d36984fd1b584468bd23b2e875f32f68953f7b2
+ Output=4a5f4914bee25de3c69341de07
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-8
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+@@ -1645,36 +1713,42 @@ Z7CDuaemy2HkLbNiuMmJbbcGTgKtWuYVh9oVtGSckFlJCf6zfby2VL63Jo7IAeWo
+ tKo5Eb69iFQvBb4=
+ -----END PRIVATE KEY-----
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-9
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=267bcd118acab1fc8ba81c85d73003cb8610fa55c1d97da8d48a7c7f06896a4db751aa284255b9d36ad65f37653d829f1b37f97b8001942545b2fc2c55a7376ca7a1be4b1760c8e05a33e5aa2526b8d98e317088e7834c755b2a59b12631a182c05d5d43ab1779264f8456f515ce57dfdf512d5493dab7b7338dc4b7d78db9c091ac3baf537a69fc7f549d979f0eff9a94fda4169bd4d1d19a69c99e33c3b55490d501b39b1edae118ff6793a153261584d3a5f39f6e682e3d17c8cd1261fa72
+ Output=f735fd55ba92592c3b52b8f9c4f69aaa1cbef8fe88add095595412467f9cf4ec0b896c59eda16210e7549c8abb10cdbc21a12ec9b6b5b8fd2f10399eb6
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-9
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=93ac9f0671ec29acbb444effc1a5741351d60fdb0e393fbf754acf0de49761a14841df7772e9bc82773966a1584c4d72baea00118f83f35cca6e537cbd4d811f5583b29783d8a6d94cd31be70d6f526c10ff09c6fa7ce069795a3fcd0511fd5fcb564bcc80ea9c78f38b80012539d8a4ddf6fe81e9cddb7f50dbbbbcc7e5d86097ccf4ec49189fb8bf318be6d5a0715d516b49af191258cd32dc833ce6eb4673c03a19bbace88cc54895f636cc0c1ec89096d11ce235a265ca1764232a689ae8
+ Output=81b906605015a63aabe42ddf11e1978912f5404c7474b26dce3ed482bf961ecc818bf420c54659
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-9
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=81ebdd95054b0c822ef9ad7693f5a87adfb4b4c4ce70df2df84ed49c04da58ba5fc20a19e1a6e8b7a3900b22796dc4e869ee6b42792d15a8eceb56c09c69914e813cea8f6931e4b8ed6f421af298d595c97f4789c7caa612c7ef360984c21b93edc5401068b5af4c78a8771b984d53b8ea8adf2f6a7d4a0ba76c75e1dd9f658f20ded4a46071d46d7791b56803d8fea7f0b0f8e41ae3f09383a6f9585fe7753eaaffd2bf94563108beecc207bbb535f5fcc705f0dde9f708c62f49a9c90371d3
+ Output=fd326429df9b890e09b54b18b8f34f1e24
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-9
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=bcc35f94cde66cb1136625d625b94432a35b22f3d2fa11a613ff0fca5bd57f87b902ccdc1cd0aebcb0715ee869d1d1fe395f6793003f5eca465059c88660d446ff5f0818552022557e38c08a67ead991262254f10682975ec56397768537f4977af6d5f6aaceb7fb25dec5937230231fd8978af49119a29f29e424ab8272b47562792d5c94f774b8829d0b0d9f1a8c9eddf37574d5fa248eefa9c5271fc5ec2579c81bdd61b410fa61fe36e424221c113addb275664c801d34ca8c6351e4a858
+ Output=f1459b5f0c92f01a0f723a2e5662484d8f8c0a20fc29dad6acd43bb5f3effdf4e1b63e07fdfe6628d0d74ca19bf2d69e4a0abf86d293925a796772f8088e
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-9
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=232afbc927fa08c2f6a27b87d4a5cb09c07dc26fae73d73a90558839f4fd66d281b87ec734bce237ba166698ed829106a7de6942cd6cdce78fed8d2e4d81428e66490d036264cef92af941d3e35055fe3981e14d29cbb9a4f67473063baec79a1179f5a17c9c1832f2838fd7d5e59bb9659d56dce8a019edef1bb3accc697cc6cc7a778f60a064c7f6f5d529c6210262e003de583e81e3167b89971fb8c0e15d44fffef89b53d8d64dd797d159b56d2b08ea5307ea12c241bd58d4ee278a1f2e
+ Output=53e6e8c729d6f9c319dd317e74b0db8e4ccca25f3c8305746e137ac63a63ef3739e7b595abb96e8d55e54f7bd41ab433378ffb911d
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-9
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
+index 5c967c5818..d13dceaac5 100644
+--- a/test/recipes/80-test_cms.t
++++ b/test/recipes/80-test_cms.t
+@@ -250,7 +250,7 @@ my @smime_pkcs7_tests = (
+ 
+ if ($no_fips || $old_fips) {
+     push(@smime_pkcs7_tests,
+-         [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients",
++         [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients, no Red Hat FIPS",
+            [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
+              "-aes256", "-stream", "-out", "{output}.cms",
+              $smrsa1,
+@@ -1267,6 +1267,9 @@ sub check_availability {
+     return "$tnam: skipped, DSA disabled\n"
+         if ($no_dsa && $tnam =~ / DSA/);
+ 
++    return "$tnam: skipped, Red Hat FIPS\n"
++        if ($tnam =~ /no Red Hat FIPS/);
++
+     return "";
+ }
+ 
+diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
+old mode 100644
+new mode 100755
+index f7be2e1872..568a1ddba4
+--- a/test/recipes/80-test_ssl_old.t
++++ b/test/recipes/80-test_ssl_old.t
+@@ -561,6 +561,18 @@ sub testssl {
+             # the default choice if TLSv1.3 enabled
+             my $flag = $protocol eq "-tls1_3" ? "" : $protocol;
+             my $ciphersuites = "";
++            my %redhat_skip_cipher = map {$_ => 1} qw(
++AES256-GCM-SHA384:@SECLEVEL=0
++AES256-CCM8:@SECLEVEL=0
++AES256-CCM:@SECLEVEL=0
++AES128-GCM-SHA256:@SECLEVEL=0
++AES128-CCM8:@SECLEVEL=0
++AES128-CCM:@SECLEVEL=0
++AES256-SHA256:@SECLEVEL=0
++AES128-SHA256:@SECLEVEL=0
++AES256-SHA:@SECLEVEL=0
++AES128-SHA:@SECLEVEL=0
++	    );
+             foreach my $cipher (@{$ciphersuites{$protocol}}) {
+                 if ($dsaallow == '0' && index($cipher, "DSS") != -1) {
+                     # DSA is not allowed in FIPS 140-3
+@@ -576,11 +588,16 @@ sub testssl {
+                     } else {
+                         $cipher = $cipher.':@SECLEVEL=0';
+                     }
+-                    ok(run(test([@ssltest, @exkeys, "-cipher",
+-                                 $cipher,
+-                                 "-ciphersuites", $ciphersuites,
+-                                 $flag || ()])),
+-                       "Testing $cipher");
++                    if ($provider eq "fips" && exists $redhat_skip_cipher{$cipher}) {
++                        note "*****SKIPPING $cipher in Red Hat FIPS mode";
++                        ok(1);
++                    } else {
++                        ok(run(test([@ssltest, @exkeys, "-cipher",
++                                     $cipher,
++                                     "-ciphersuites", $ciphersuites,
++                                     $flag || ()])),
++                           "Testing $cipher");
++                    }
+                 }
+             }
+             next if $protocol eq "-tls1_3";
+-- 
+2.50.0
+

0024-FIPS-RSA-PCTs.patch

@@ -0,0 +1,157 @@
+From 84dc66a182dba38876b2b519a8a5c9d38fd967a3 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Mon, 24 Mar 2025 10:50:37 -0400
+Subject: [PATCH 24/53] FIPS: RSA: PCTs
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ providers/implementations/keymgmt/rsa_kmgmt.c | 18 +++++++
+ providers/implementations/signature/rsa_sig.c | 47 +++++++++++++++++--
+ 2 files changed, 61 insertions(+), 4 deletions(-)
+
+diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c
+index 77d0950094..f0e71beb43 100644
+--- a/providers/implementations/keymgmt/rsa_kmgmt.c
++++ b/providers/implementations/keymgmt/rsa_kmgmt.c
+@@ -433,6 +433,7 @@ struct rsa_gen_ctx {
+ #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
+     /* ACVP test parameters */
+     OSSL_PARAM *acvp_test_params;
++    void *prov_rsa_ctx;
+ #endif
+ };
+ 
+@@ -446,6 +447,12 @@ static int rsa_gencb(int p, int n, BN_GENCB *cb)
+     return gctx->cb(params, gctx->cbarg);
+ }
+ 
++#ifdef FIPS_MODULE
++void *rsa_newctx(void *provctx, const char *propq);
++void rsa_freectx(void *vctx);
++int do_rsa_pct(void *, const char *, void *);
++#endif
++
+ static void *gen_init(void *provctx, int selection, int rsa_type,
+                       const OSSL_PARAM params[])
+ {
+@@ -473,6 +480,10 @@ static void *gen_init(void *provctx, int selection, int rsa_type,
+ 
+     if (!rsa_gen_set_params(gctx, params))
+         goto err;
++#ifdef FIPS_MODULE
++    if (gctx != NULL)
++        gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL);
++#endif
+     return gctx;
+ 
+ err:
+@@ -629,6 +640,11 @@ static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
+ 
+     rsa = rsa_tmp;
+     rsa_tmp = NULL;
++#ifdef FIPS_MODULE
++    /* Pairwise consistency test */
++    if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1)
++        abort();
++#endif
+  err:
+     BN_GENCB_free(gencb);
+     RSA_free(rsa_tmp);
+@@ -644,6 +660,8 @@ static void rsa_gen_cleanup(void *genctx)
+ #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
+     ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params);
+     gctx->acvp_test_params = NULL;
++    rsa_freectx(gctx->prov_rsa_ctx);
++    gctx->prov_rsa_ctx = NULL;
+ #endif
+     BN_clear_free(gctx->pub_exp);
+     OPENSSL_free(gctx);
+diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
+index 645304b951..3d5af1046a 100644
+--- a/providers/implementations/signature/rsa_sig.c
++++ b/providers/implementations/signature/rsa_sig.c
+@@ -37,7 +37,7 @@
+ #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
+ #define RSA_DEFAULT_DIGEST_NAME_NONLEGACY OSSL_DIGEST_NAME_SHA2_256
+ 
+-static OSSL_FUNC_signature_newctx_fn rsa_newctx;
++OSSL_FUNC_signature_newctx_fn rsa_newctx;
+ static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
+ static OSSL_FUNC_signature_verify_init_fn rsa_verify_init;
+ static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init;
+@@ -54,7 +54,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final;
+ static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init;
+ static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_verify_update;
+ static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final;
+-static OSSL_FUNC_signature_freectx_fn rsa_freectx;
++OSSL_FUNC_signature_freectx_fn rsa_freectx;
+ static OSSL_FUNC_signature_dupctx_fn rsa_dupctx;
+ static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types;
+ static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params;
+@@ -226,7 +226,7 @@ static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen)
+     return 1;
+ }
+ 
+-static void *rsa_newctx(void *provctx, const char *propq)
++void *rsa_newctx(void *provctx, const char *propq)
+ {
+     PROV_RSA_CTX *prsactx = NULL;
+     char *propq_copy = NULL;
+@@ -1316,7 +1316,7 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
+     return ok;
+ }
+ 
+-static void rsa_freectx(void *vprsactx)
++void rsa_freectx(void *vprsactx)
+ {
+     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
+ 
+@@ -1866,6 +1866,45 @@ static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)
+     return EVP_MD_settable_ctx_params(prsactx->md);
+ }
+ 
++#ifdef FIPS_MODULE
++int do_rsa_pct(void *vctx, const char *mdname, void *rsa)
++{
++    static const unsigned char data[32];
++    unsigned char *sigbuf = NULL;
++    size_t siglen = 0;
++    int ret = 0;
++
++    if (rsa_digest_sign_init(vctx, mdname, rsa, NULL) <= 0)
++        return 0;
++
++    if (rsa_digest_sign_update(vctx, data, sizeof(data)) <= 0)
++        return 0;
++
++    if (rsa_digest_sign_final(vctx, NULL, &siglen, 0) <= 0)
++        return 0;
++
++    if ((sigbuf = OPENSSL_malloc(siglen)) == NULL)
++        return 0;
++
++    if (rsa_digest_sign_final(vctx, sigbuf, &siglen, siglen) <= 0)
++        goto err;
++
++    if (rsa_digest_verify_init(vctx, mdname, rsa, NULL) <= 0)
++        goto err;
++
++    if (rsa_digest_verify_update(vctx, data, sizeof(data)) <= 0)
++        goto err;
++
++    if (rsa_digest_verify_final(vctx, sigbuf, siglen) <= 0)
++        goto err;
++    ret = 1;
++
++ err:
++    OPENSSL_free(sigbuf);
++    return ret;
++}
++#endif
++
+ const OSSL_DISPATCH ossl_rsa_signature_functions[] = {
+     { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
+     { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
+-- 
+2.50.0
+

0025-FIPS-RSA-encapsulate-limits.patch

@@ -0,0 +1,59 @@
+From 0e23d3fc43bf4ace817542443d772407a809dd19 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:17 +0100
+Subject: [PATCH 25/53] FIPS: RSA: encapsulate limits
+
+Patch-name: 0091-FIPS-RSA-encapsulate.patch
+Patch-id: 91
+Patch-status: |
+    # 0091-FIPS-RSA-encapsulate.patch
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ providers/implementations/kem/rsa_kem.c           | 14 ++++++++++++++
+ test/recipes/30-test_evp_data/evppkey_rsa_kem.txt |  1 +
+ 2 files changed, 15 insertions(+)
+
+diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
+index 7494dcc010..5d6123e8cb 100644
+--- a/providers/implementations/kem/rsa_kem.c
++++ b/providers/implementations/kem/rsa_kem.c
+@@ -284,6 +284,13 @@ static int rsasve_generate(PROV_RSA_CTX *prsactx,
+     /* Step (1): nlen = Ceil(len(n)/8) */
+     nlen = RSA_size(prsactx->rsa);
+ 
++#ifdef FIPS_MODULE
++    if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
++        return 0;
++    }
++#endif
++
+     if (out == NULL) {
+         if (nlen == 0) {
+             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
+@@ -360,6 +367,13 @@ static int rsasve_recover(PROV_RSA_CTX *prsactx,
+     /* Step (1): get the byte length of n */
+     nlen = RSA_size(prsactx->rsa);
+ 
++#ifdef FIPS_MODULE
++    if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
++        return 0;
++    }
++#endif
++
+     if (out == NULL) {
+         if (nlen == 0) {
+             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
+diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_kem.txt b/test/recipes/30-test_evp_data/evppkey_rsa_kem.txt
+index ecab1454e7..8e5edd35fe 100644
+--- a/test/recipes/30-test_evp_data/evppkey_rsa_kem.txt
++++ b/test/recipes/30-test_evp_data/evppkey_rsa_kem.txt
+@@ -108,3 +108,4 @@ Securitycheck = 1
+ Unapproved = 1
+ CtrlInit = key-check:0
+ Op = RSASVE
++Result = TEST_ENCAPSULATE_LEN_ERROR
+-- 
+2.50.0
+

0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch

@@ -0,0 +1,97 @@
+From bb269a8f52e1be87144247772e2425b2f4911bee Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:17 +0100
+Subject: [PATCH 26/53] FIPS: RSA: Disallow SHAKE in OAEP and PSS
+
+According to FIPS 140-3 IG, section C.C, the SHAKE digest algorithms
+must not be used in higher-level algorithms (such as RSA-OAEP and
+RSASSA-PSS):
+
+"To be used in an approved mode of operation, the SHA-3 hash functions
+may be implemented either as part of an approved higher-level algorithm,
+for example, a digital signature algorithm, or as the standalone
+functions. The SHAKE128 and SHAKE256 extendable-output functions may
+only be used as the standalone algorithms."
+
+Add a check to prevent their use as message digest in PSS signatures and
+as MGF1 hash function in both OAEP and PSS.
+
+Signed-off-by: Clemens Lang <cllang@redhat.com>
+
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ crypto/rsa/rsa_oaep.c | 16 ++++++++++++++++
+ crypto/rsa/rsa_pss.c  | 16 ++++++++++++++++
+ 2 files changed, 32 insertions(+)
+
+diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
+index 5a1c080fcd..11cd78618b 100644
+--- a/crypto/rsa/rsa_oaep.c
++++ b/crypto/rsa/rsa_oaep.c
+@@ -76,6 +76,14 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
+     if (mgf1md == NULL)
+         mgf1md = md;
+ 
++#ifdef FIPS_MODULE
++    if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256") ||
++        EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) {
++        ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
++        return 0;
++    }
++#endif
++
+ #ifdef FIPS_MODULE
+     /* XOF are approved as standalone; Shake256 in Ed448; MGF */
+     if (EVP_MD_xof(md)) {
+@@ -194,6 +202,14 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
+     if (mgf1md == NULL)
+         mgf1md = md;
+ 
++#ifdef FIPS_MODULE
++    if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256") ||
++        EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) {
++        ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
++        return -1;
++    }
++#endif
++
+ #ifdef FIPS_MODULE
+     /* XOF are approved as standalone; Shake256 in Ed448; MGF */
+     if (EVP_MD_xof(md)) {
+diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
+index a2bc198a89..2833ca50f3 100644
+--- a/crypto/rsa/rsa_pss.c
++++ b/crypto/rsa/rsa_pss.c
+@@ -61,6 +61,14 @@ int ossl_rsa_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
+     if (mgf1Hash == NULL)
+         mgf1Hash = Hash;
+ 
++#ifdef FIPS_MODULE
++    if (EVP_MD_is_a(Hash, "SHAKE-128") || EVP_MD_is_a(Hash, "SHAKE-256"))
++        goto err;
++
++    if (EVP_MD_is_a(mgf1Hash, "SHAKE-128") || EVP_MD_is_a(mgf1Hash, "SHAKE-256"))
++        goto err;
++#endif
++
+     hLen = EVP_MD_get_size(Hash);
+     if (hLen <= 0)
+         goto err;
+@@ -186,6 +194,14 @@ int ossl_rsa_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
+     if (mgf1Hash == NULL)
+         mgf1Hash = Hash;
+ 
++#ifdef FIPS_MODULE
++    if (EVP_MD_is_a(Hash, "SHAKE-128") || EVP_MD_is_a(Hash, "SHAKE-256"))
++        goto err;
++
++    if (EVP_MD_is_a(mgf1Hash, "SHAKE-128") || EVP_MD_is_a(mgf1Hash, "SHAKE-256"))
++        goto err;
++#endif
++
+     hLen = EVP_MD_get_size(Hash);
+     if (hLen <= 0)
+         goto err;
+-- 
+2.50.0
+

0027-FIPS-RSA-size-mode-restrictions.patch

@@ -0,0 +1,441 @@
+From f177c315c190537fe6a1bb0620024ae86bb95c8a Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Fri, 7 Mar 2025 18:20:30 -0500
+Subject: [PATCH 27/53] FIPS: RSA: size/mode restrictions
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ providers/implementations/signature/rsa_sig.c | 26 +++++++++
+ ssl/ssl_ciph.c                                |  3 ++
+ test/recipes/30-test_evp_data/evppkey_rsa.txt | 53 +++++++++++++++++++
+ .../30-test_evp_data/evppkey_rsa_common.txt   |  8 +--
+ 4 files changed, 86 insertions(+), 4 deletions(-)
+
+diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
+index 3d5af1046a..09c202f87c 100644
+--- a/providers/implementations/signature/rsa_sig.c
++++ b/providers/implementations/signature/rsa_sig.c
+@@ -939,6 +939,19 @@ static int rsa_verify_recover(void *vprsactx,
+ {
+     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
+     int ret;
++# ifdef FIPS_MODULE
++    size_t rsabits = RSA_bits(prsactx->rsa);
++
++    if (rsabits < 2048) {
++        if (rsabits != 1024
++            && rsabits != 1280
++            && rsabits != 1536
++            && rsabits != 1792) {
++            ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
++            return 0;
++        }
++    }
++# endif
+ 
+     if (!ossl_prov_is_running())
+         return 0;
+@@ -1033,6 +1046,19 @@ static int rsa_verify_directly(PROV_RSA_CTX *prsactx,
+                                const unsigned char *tbs, size_t tbslen)
+ {
+     size_t rslen;
++# ifdef FIPS_MODULE
++    size_t rsabits = RSA_bits(prsactx->rsa);
++
++    if (rsabits < 2048) {
++        if (rsabits != 1024
++            && rsabits != 1280
++            && rsabits != 1536
++            && rsabits != 1792) {
++            ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
++            return 0;
++        }
++    }
++# endif
+ 
+     if (!ossl_prov_is_running())
+         return 0;
+diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
+index 19420d6c6a..5ab1ccee93 100644
+--- a/ssl/ssl_ciph.c
++++ b/ssl/ssl_ciph.c
+@@ -350,6 +350,9 @@ int ssl_load_ciphers(SSL_CTX *ctx)
+     ctx->disabled_mkey_mask = 0;
+     ctx->disabled_auth_mask = 0;
+ 
++    if (EVP_default_properties_is_fips_enabled(ctx->libctx))
++        ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK;
++
+     /*
+      * We ignore any errors from the fetches below. They are expected to fail
+      * if these algorithms are not available.
+diff --git a/test/recipes/30-test_evp_data/evppkey_rsa.txt b/test/recipes/30-test_evp_data/evppkey_rsa.txt
+index f1dc5dd2a2..6ae973eaac 100644
+--- a/test/recipes/30-test_evp_data/evppkey_rsa.txt
++++ b/test/recipes/30-test_evp_data/evppkey_rsa.txt
+@@ -268,8 +268,19 @@ TwIDAQAB
+ 
+ PrivPubKeyPair = RSA-PSS:RSA-PSS-DEFAULT
+ 
++# Wrong MGF1 digest
++Availablein = default
++Verify = RSA-2048
++Ctrl = rsa_padding_mode:pss
++Ctrl = rsa_pss_saltlen:0
++Ctrl = digest:sha256
++Ctrl = rsa_mgf1_md:sha1
++Input="0123456789ABCDEF0123456789ABCDEF"
++Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DDD0635A96B28F854E50145518482CB49E963054621B53C60C498D07C16E9C2789C893CF38D4D86900DE71BDE463BD2761D1271E358C7480A1AC0BAB930DDF39602AD1BC165B5D7436B516B7A7858E8EB7AB1C420EEB482F4D207F0E462B1724959320A084E13848D11D10FB593E66BF680BF6D3F345FC3E9C3DE60ABBAC37E1C6EC80A268C8D9FC49626C679097AA690BC1AA662B95EB8DB70390861AA0898229F9349B4B5FDD030D4928C47084708A933144BE23BD3C6E661B85B2C0EF9ED36D498D5B7320E8194D363D4AD478C059BAE804181965E0B81B663158A
++Result = VERIFY_ERROR
+ 
+ # Wrong MGF1 digest
++Availablein = fips
+ Verify = RSA-2048
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_pss_saltlen:0
+@@ -280,6 +291,7 @@ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DD
+ Result = VERIFY_ERROR
+ 
+ # Verify using default parameters
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Input="0123456789ABCDEF0123"
+ Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
+@@ -303,36 +315,42 @@ fc6CnohE9iWxFeXpxKWc+PgRO2g0M2ov0mibRyy7Xlyr5nQ1DFm2wX4XaHT7Qvj8
+ PRdqAX7cYf0ybEszyQIDAQAB
+ -----END PUBLIC KEY-----
+ 
++Availablein = default
+ Verify=RSA-PSS-2
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=5c81a3e2a658246628cd0ee8b00bb4c012bc9739
+ Output=014c5ba5338328ccc6e7a90bf1c0ab3fd606ff4796d3c12e4b639ed9136a5fec6c16d8884bdd99cfdc521456b0742b736868cf90de099adb8d5ffd1deff39ba4007ab746cefdb22d7df0e225f54627dc65466131721b90af445363a8358b9f607642f78fab0ab0f43b7168d64bae70d8827848d8ef1e421c5754ddf42c2589b5b3
+ 
++Availablein = default
+ Verify=RSA-PSS-2
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=27f71611446aa6eabf037f7dedeede3203244991
+ Output=010991656cca182b7f29d2dbc007e7ae0fec158eb6759cb9c45c5ff87c7635dd46d150882f4de1e9ae65e7f7d9018f6836954a47c0a81a8a6b6f83f2944d6081b1aa7c759b254b2c34b691da67cc0226e20b2f18b42212761dcd4b908a62b371b5918c5742af4b537e296917674fb914194761621cc19a41f6fb953fbcbb649dea
+ 
++Availablein = default
+ Verify=RSA-PSS-2
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=03ecc2c33e93f05fc7224fcc0d461356cb897217
+ Output=007f0030018f53cdc71f23d03659fde54d4241f758a750b42f185f87578520c30742afd84359b6e6e8d3ed959dc6fe486bedc8e2cf001f63a7abe16256a1b84df0d249fc05d3194ce5f0912742dbbf80dd174f6c51f6bad7f16cf3364eba095a06267dc3793803ac7526aebe0a475d38b8c2247ab51c4898df7047dc6adf52c6c4
+ 
++Availablein = default
+ Verify=RSA-PSS-2
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=246c727b4b9494849dddb068d582e179ac20999c
+ Output=009cd2f4edbe23e12346ae8c76dd9ad3230a62076141f16c152ba18513a48ef6f010e0e37fd3df10a1ec629a0cb5a3b5d2893007298c30936a95903b6ba85555d9ec3673a06108fd62a2fda56d1ce2e85c4db6b24a81ca3b496c36d4fd06eb7c9166d8e94877c42bea622b3bfe9251fdc21d8d5371badad78a488214796335b40b
+ 
++Availablein = default
+ Verify=RSA-PSS-2
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=e8617ca3ea66ce6a58ede2d11af8c3ba8a6ba912
+ Output=00ec430824931ebd3baa43034dae98ba646b8c36013d1671c3cf1cf8260c374b19f8e1cc8d965012405e7e9bf7378612dfcc85fce12cda11f950bd0ba8876740436c1d2595a64a1b32efcfb74a21c873b3cc33aaf4e3dc3953de67f0674c0453b4fd9f604406d441b816098cb106fe3472bc251f815f59db2e4378a3addc181ecf
+ 
++Availablein = default
+ Verify=RSA-PSS-2
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+@@ -348,36 +366,42 @@ nQ6tsIdYbKSJM9o8yVPZW9DtUN4Q3ctnNhB9bIMcf2Y+gzykwJfnAM4PuUX4j7hf
+ 6OWncxclZbkUpHGkQwIDAQAB
+ -----END PUBLIC KEY-----
+ 
++Availablein = default
+ Verify=RSA-PSS-3
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=3552be69dd74bdc56d2cf8c38ef7bafe269040fe
+ Output=0088b135fb1794b6b96c4a3e678197f8cac52b64b2fe907d6f27de761124964a99a01a882740ecfaed6c01a47464bb05182313c01338a8cd097214cd68ca103bd57d3bc9e816213e61d784f182467abf8a01cf253e99a156eaa8e3e1f90e3c6e4e3aa2d83ed0345b89fafc9c26077c14b6ac51454fa26e446e3a2f153b2b16797f
+ 
++Availablein = default
+ Verify=RSA-PSS-3
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=609143ff7240e55c062aba8b9e4426a781919bc9
+ Output=02a5f0a858a0864a4f65017a7d69454f3f973a2999839b7bbc48bf78641169179556f595fa41f6ff18e286c2783079bc0910ee9cc34f49ba681124f923dfa88f426141a368a5f5a930c628c2c3c200e18a7644721a0cbec6dd3f6279bde3e8f2be5e2d4ee56f97e7ceaf33054be7042bd91a63bb09f897bd41e81197dee99b11af
+ 
++Availablein = default
+ Verify=RSA-PSS-3
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0afd22f879a9cda7c584f4135f8f1c961db114c0
+ Output=0244bcd1c8c16955736c803be401272e18cb990811b14f72db964124d5fa760649cbb57afb8755dbb62bf51f466cf23a0a1607576e983d778fceffa92df7548aea8ea4ecad2c29dd9f95bc07fe91ecf8bee255bfe8762fd7690aa9bfa4fa0849ef728c2c42c4532364522df2ab7f9f8a03b63f7a499175828668f5ef5a29e3802c
+ 
++Availablein = default
+ Verify=RSA-PSS-3
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=405dd56d395ef0f01b555c48f748cc32b210650b
+ Output=0196f12a005b98129c8df13c4cb16f8aa887d3c40d96df3a88e7532ef39cd992f273abc370bc1be6f097cfebbf0118fd9ef4b927155f3df22b904d90702d1f7ba7a52bed8b8942f412cd7bd676c9d18e170391dcd345c06a730964b3f30bcce0bb20ba106f9ab0eeb39cf8a6607f75c0347f0af79f16afa081d2c92d1ee6f836b8
+ 
++Availablein = default
+ Verify=RSA-PSS-3
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=a2c313b0440c8a0c47233b87f0a160c61af3eae7
+ Output=021eca3ab4892264ec22411a752d92221076d4e01c0e6f0dde9afd26ba5acf6d739ef987545d16683e5674c9e70f1de649d7e61d48d0caeb4fb4d8b24fba84a6e3108fee7d0705973266ac524b4ad280f7ae17dc59d96d3351586b5a3bdb895d1e1f7820ac6135d8753480998382ba32b7349559608c38745290a85ef4e9f9bd83
+ 
++Availablein = default
+ Verify=RSA-PSS-3
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+@@ -393,36 +417,42 @@ MAz5u2xTrR3IoXi4FdtCNamp2gwG3k5hXqEnfOVZ6cEI3ljBSoGqd/Wm+NEzVJRJ
+ iEjIuVlAdAvnv3w3BQIDAQAB
+ -----END PUBLIC KEY-----
+ 
++Availablein = default
+ Verify=RSA-PSS-4
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=f8b0abf70fec0bca74f0accbc24f75e6e90d3bfd
+ Output=0323d5b7bf20ba4539289ae452ae4297080feff4518423ff4811a817837e7d82f1836cdfab54514ff0887bddeebf40bf99b047abc3ecfa6a37a3ef00f4a0c4a88aae0904b745c846c4107e8797723e8ac810d9e3d95dfa30ff4966f4d75d13768d20857f2b1406f264cfe75e27d7652f4b5ed3575f28a702f8c4ed9cf9b2d44948
+ 
++Availablein = default
+ Verify=RSA-PSS-4
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=04a10944bfe11ab801e77889f3fd3d7f4ff0b629
+ Output=049d0185845a264d28feb1e69edaec090609e8e46d93abb38371ce51f4aa65a599bdaaa81d24fba66a08a116cb644f3f1e653d95c89db8bbd5daac2709c8984000178410a7c6aa8667ddc38c741f710ec8665aa9052be929d4e3b16782c1662114c5414bb0353455c392fc28f3db59054b5f365c49e1d156f876ee10cb4fd70598
+ 
++Availablein = default
+ Verify=RSA-PSS-4
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=ba01243db223eb97fb86d746c3148adaaa0ca344
+ Output=03fbc410a2ced59500fb99f9e2af2781ada74e13145624602782e2994813eefca0519ecd253b855fb626a90d771eae028b0c47a199cbd9f8e3269734af4163599090713a3fa910fa0960652721432b971036a7181a2bc0cab43b0b598bc6217461d7db305ff7e954c5b5bb231c39e791af6bcfa76b147b081321f72641482a2aad
+ 
++Availablein = default
+ Verify=RSA-PSS-4
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=934bb0d38d6836daec9de82a9648d4593da67cd2
+ Output=0486644bc66bf75d28335a6179b10851f43f09bded9fac1af33252bb9953ba4298cd6466b27539a70adaa3f89b3db3c74ab635d122f4ee7ce557a61e59b82ffb786630e5f9db53c77d9a0c12fab5958d4c2ce7daa807cd89ba2cc7fcd02ff470ca67b229fcce814c852c73cc93bea35be68459ce478e9d4655d121c8472f371d4f
+ 
++Availablein = default
+ Verify=RSA-PSS-4
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=ec35d81abd1cceac425a935758b683465c8bd879
+ Output=022a80045353904cb30cbb542d7d4990421a6eec16a8029a8422adfd22d6aff8c4cc0294af110a0c067ec86a7d364134459bb1ae8ff836d5a8a2579840996b320b19f13a13fad378d931a65625dae2739f0c53670b35d9d3cbac08e733e4ec2b83af4b9196d63e7c4ff1ddeae2a122791a125bfea8deb0de8ccf1f4ffaf6e6fb0a
+ 
++Availablein = default
+ Verify=RSA-PSS-4
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+@@ -438,18 +468,21 @@ pLDMjaMl7YqmdrDQ9ibgp38HaSFwrKyAgvQvqn3HzRI+cw4xqHmFIEyry+ZnDUOi
+ 3Sst3vXgU5L8ITvFBwIDAQAB
+ -----END PUBLIC KEY-----
+ 
++Availablein = default
+ Verify=RSA-PSS-5
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=d98b7061943510bc3dd9162f7169aabdbdcd0222
+ Output=0ba373f76e0921b70a8fbfe622f0bf77b28a3db98e361051c3d7cb92ad0452915a4de9c01722f6823eeb6adf7e0ca8290f5de3e549890ac2a3c5950ab217ba58590894952de96f8df111b2575215da6c161590c745be612476ee578ed384ab33e3ece97481a252f5c79a98b5532ae00cdd62f2ecc0cd1baefe80d80b962193ec1d
+ 
++Availablein = default
+ Verify=RSA-PSS-5
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=7ae8e699f754988f4fd645e463302e49a2552072
+ Output=08180de825e4b8b014a32da8ba761555921204f2f90d5f24b712908ff84f3e220ad17997c0dd6e706630ba3e84add4d5e7ab004e58074b549709565d43ad9e97b5a7a1a29e85b9f90f4aafcdf58321de8c5974ef9abf2d526f33c0f2f82e95d158ea6b81f1736db8d1af3d6ac6a83b32d18bae0ff1b2fe27de4c76ed8c7980a34e
+ 
++Availablein = default
+ Verify=RSA-PSS-5
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+@@ -463,12 +496,14 @@ Ctrl = rsa_mgf1_md:sha1
+ Input=ee3de96783fd0a157c8b20bf5566124124dcfe65
+ Output=0bc989853bc2ea86873271ce183a923ab65e8a53100e6df5d87a24c4194eb797813ee2a187c097dd872d591da60c568605dd7e742d5af4e33b11678ccb63903204a3d080b0902c89aba8868f009c0f1c0cb85810bbdd29121abb8471ff2d39e49fd92d56c655c8e037ad18fafbdc92c95863f7f61ea9efa28fea401369d19daea1
+ 
++Availablein = default
+ Verify=RSA-PSS-5
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=1204df0b03c2724e2709c23fc71789a21b00ae4c
+ Output=0aefa943b698b9609edf898ad22744ac28dc239497cea369cbbd84f65c95c0ad776b594740164b59a739c6ff7c2f07c7c077a86d95238fe51e1fcf33574a4ae0684b42a3f6bf677d91820ca89874467b2c23add77969c80717430d0efc1d3695892ce855cb7f7011630f4df26def8ddf36fc23905f57fa6243a485c770d5681fcd
+ 
++Availablein = default
+ Verify=RSA-PSS-5
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+@@ -484,36 +519,42 @@ Kl8QsJwxGvjA/7W3opfy78Y7jWsFEJMfC5jki/X8bsTnuNsf+usIw44CrbjwOkgi
+ nJnpaUMfYcuMTcaY0QIDAQAB
+ -----END PUBLIC KEY-----
+ 
++Availablein = default
+ Verify=RSA-PSS-6
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=ab464e8cb65ae5fdea47a53fa84b234d6bfd52f6
+ Output=04c0cfacec04e5badbece159a5a1103f69b3f32ba593cb4cc4b1b7ab455916a96a27cd2678ea0f46ba37f7fc9c86325f29733b389f1d97f43e7201c0f348fc45fe42892335362eee018b5b161f2f9393031225c713012a576bc88e23052489868d9010cbf033ecc568e8bc152bdc59d560e41291915d28565208e22aeec9ef85d1
+ 
++Availablein = default
+ Verify=RSA-PSS-6
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=92d0bcae82b641f578f040f5151be8eda6d42299
+ Output=0a2314250cf52b6e4e908de5b35646bcaa24361da8160fb0f9257590ab3ace42b0dc3e77ad2db7c203a20bd952fbb56b1567046ecfaa933d7b1000c3de9ff05b7d989ba46fd43bc4c2d0a3986b7ffa13471d37eb5b47d64707bd290cfd6a9f393ad08ec1e3bd71bb5792615035cdaf2d8929aed3be098379377e777ce79aaa4773
+ 
++Availablein = default
+ Verify=RSA-PSS-6
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=3569bd8fd2e28f2443375efa94f186f6911ffc2b
+ Output=086df6b500098c120f24ff8423f727d9c61a5c9007d3b6a31ce7cf8f3cbec1a26bb20e2bd4a046793299e03e37a21b40194fb045f90b18bf20a47992ccd799cf9c059c299c0526854954aade8a6ad9d97ec91a1145383f42468b231f4d72f23706d9853c3fa43ce8ace8bfe7484987a1ec6a16c8daf81f7c8bf42774707a9df456
+ 
++Availablein = default
+ Verify=RSA-PSS-6
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=7abbb7b42de335730a0b641f1e314b6950b84f98
+ Output=0b5b11ad549863ffa9c51a14a1106c2a72cc8b646e5c7262509786105a984776534ca9b54c1cc64bf2d5a44fd7e8a69db699d5ea52087a4748fd2abc1afed1e5d6f7c89025530bdaa2213d7e030fa55df6f34bcf1ce46d2edf4e3ae4f3b01891a068c9e3a44bbc43133edad6ecb9f35400c4252a5762d65744b99cb9f4c559329f
+ 
++Availablein = default
+ Verify=RSA-PSS-6
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=55b7eb27be7a787a59eb7e5fac468db8917a7725
+ Output=02d71fa9b53e4654fefb7f08385cf6b0ae3a817942ebf66c35ac67f0b069952a3ce9c7e1f1b02e480a9500836de5d64cdb7ecde04542f7a79988787e24c2ba05f5fd482c023ed5c30e04839dc44bed2a3a3a4fee01113c891a47d32eb8025c28cb050b5cdb576c70fe76ef523405c08417faf350b037a43c379339fcb18d3a356b
+ 
++Availablein = default
+ Verify=RSA-PSS-6
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+@@ -529,36 +570,42 @@ MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgTfJ2kpmyMQIuNon0MnXn4zLHq/B
+ 2LXF01SAItcGTqKaswIDAQAB
+ -----END PUBLIC KEY-----
+ 
++Availablein = default
+ Verify=RSA-PSS-7
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=8be4afbdd76bd8d142c5f4f46dba771ee5d6d29d
+ Output=187f390723c8902591f0154bae6d4ecbffe067f0e8b795476ea4f4d51ccc810520bb3ca9bca7d0b1f2ea8a17d873fa27570acd642e3808561cb9e975ccfd80b23dc5771cdb3306a5f23159dacbd3aa2db93d46d766e09ed15d900ad897a8d274dc26b47e994a27e97e2268a766533ae4b5e42a2fcaf755c1c4794b294c60555823
+ 
++Availablein = default
+ Verify=RSA-PSS-7
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=402140dc605b2f5c5ec0d15bce9f9ba8857fe117
+ Output=10fd89768a60a67788abb5856a787c8561f3edcf9a83e898f7dc87ab8cce79429b43e56906941a886194f137e591fe7c339555361fbbe1f24feb2d4bcdb80601f3096bc9132deea60ae13082f44f9ad41cd628936a4d51176e42fc59cb76db815ce5ab4db99a104aafea68f5d330329ebf258d4ede16064bd1d00393d5e1570eb8
+ 
++Availablein = default
+ Verify=RSA-PSS-7
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=3e885205892ff2b6b37c2c4eb486c4bf2f9e7f20
+ Output=2b31fde99859b977aa09586d8e274662b25a2a640640b457f594051cb1e7f7a911865455242926cf88fe80dfa3a75ba9689844a11e634a82b075afbd69c12a0df9d25f84ad4945df3dc8fe90c3cefdf26e95f0534304b5bdba20d3e5640a2ebfb898aac35ae40f26fce5563c2f9f24f3042af76f3c7072d687bbfb959a88460af1
+ 
++Availablein = default
+ Verify=RSA-PSS-7
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=1fc2201d0c442a4736cd8b2cd00c959c47a3bf42
+ Output=32c7ca38ff26949a15000c4ba04b2b13b35a3810e568184d7ecabaa166b7ffabddf2b6cf4ba07124923790f2e5b1a5be040aea36fe132ec130e1f10567982d17ac3e89b8d26c3094034e762d2e031264f01170beecb3d1439e05846f25458367a7d9c02060444672671e64e877864559ca19b2074d588a281b5804d23772fbbe19
+ 
++Availablein = default
+ Verify=RSA-PSS-7
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=e4351b66819e5a31501f89acc7faf57030e9aac5
+ Output=07eb651d75f1b52bc263b2e198336e99fbebc4f332049a922a10815607ee2d989db3a4495b7dccd38f58a211fb7e193171a3d891132437ebca44f318b280509e52b5fa98fcce8205d9697c8ee4b7ff59d4c59c79038a1970bd2a0d451ecdc5ef11d9979c9d35f8c70a6163717607890d586a7c6dc01c79f86a8f28e85235f8c2f1
+ 
++Availablein = default
+ Verify=RSA-PSS-7
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+@@ -574,36 +621,42 @@ R1PbPO4O4Gx9+uix1TtZUyGPnM7qaVsIZo7eqtztlGOx15DV6/J+kRW0bK1NmiuO
+ +rBWGwgQNEc5raBzPwIDAQAB
+ -----END PUBLIC KEY-----
+ 
++Availablein = default
+ Verify=RSA-PSS-8
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=a1dd230d8ead860199b6277c2ecfe3d95f6d9160
+ Output=0262ac254bfa77f3c1aca22c5179f8f040422b3c5bafd40a8f21cf0fa5a667ccd5993d42dbafb409c520e25fce2b1ee1e716577f1efa17f3da28052f40f0419b23106d7845aaf01125b698e7a4dfe92d3967bb00c4d0d35ba3552ab9a8b3eef07c7fecdbc5424ac4db1e20cb37d0b2744769940ea907e17fbbca673b20522380c5
+ 
++Availablein = default
+ Verify=RSA-PSS-8
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=f6e68e53c602c5c65fa67b5aa6d786e5524b12ab
+ Output=2707b9ad5115c58c94e932e8ec0a280f56339e44a1b58d4ddcff2f312e5f34dcfe39e89c6a94dcee86dbbdae5b79ba4e0819a9e7bfd9d982e7ee6c86ee68396e8b3a14c9c8f34b178eb741f9d3f121109bf5c8172fada2e768f9ea1433032c004a8aa07eb990000a48dc94c8bac8aabe2b09b1aa46c0a2aa0e12f63fbba775ba7e
+ 
++Availablein = default
+ Verify=RSA-PSS-8
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=d6f9fcd3ae27f32bb2c7c93536782eba52af1f76
+ Output=2ad20509d78cf26d1b6c406146086e4b0c91a91c2bd164c87b966b8faa42aa0ca446022323ba4b1a1b89706d7f4c3be57d7b69702d168ab5955ee290356b8c4a29ed467d547ec23cbadf286ccb5863c6679da467fc9324a151c7ec55aac6db4084f82726825cfe1aa421bc64049fb42f23148f9c25b2dc300437c38d428aa75f96
+ 
++Availablein = default
+ Verify=RSA-PSS-8
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=7ff2a53ce2e2d900d468e498f230a5f5dd0020de
+ Output=1e24e6e58628e5175044a9eb6d837d48af1260b0520e87327de7897ee4d5b9f0df0be3e09ed4dea8c1454ff3423bb08e1793245a9df8bf6ab3968c8eddc3b5328571c77f091cc578576912dfebd164b9de5454fe0be1c1f6385b328360ce67ec7a05f6e30eb45c17c48ac70041d2cab67f0a2ae7aafdcc8d245ea3442a6300ccc7
+ 
++Availablein = default
+ Verify=RSA-PSS-8
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=4eb309f7022ba0b03bb78601b12931ec7c1be8d3
+ Output=33341ba3576a130a50e2a5cf8679224388d5693f5accc235ac95add68e5eb1eec31666d0ca7a1cda6f70a1aa762c05752a51950cdb8af3c5379f18cfe6b5bc55a4648226a15e912ef19ad77adeea911d67cfefd69ba43fa4119135ff642117ba985a7e0100325e9519f1ca6a9216bda055b5785015291125e90dcd07a2ca9673ee
+ 
++Availablein = default
+ Verify=RSA-PSS-8
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+index 17ceb59148..972e90f32f 100644
+--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
++++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+@@ -285,7 +285,7 @@ FIPSversion = >=3.4.0
+ Decrypt = RSA-2048
+ Ctrl = rsa_padding_mode:none
+ Input = 0000000000000000000000000000000000000000
+-Result = KEYOP_ERROR
++Result = KEYOP_LENGTH_ERROR
+ 
+ # RSADP Ciphertext = 1 should fail
+ Availablein = fips
+@@ -293,7 +293,7 @@ FIPSversion = >=3.4.0
+ Decrypt = RSA-2048
+ Ctrl = rsa_padding_mode:none
+ Input = 0000000000000000000000000000000000000001
+-Result = KEYOP_ERROR
++Result = KEYOP_LENGTH_ERROR
+ 
+ # RSADP Ciphertext = 2 should pass
+ Availablein = default
+@@ -315,7 +315,7 @@ FIPSversion = >=3.4.0
+ Decrypt = RSA-2048
+ Ctrl = rsa_padding_mode:none
+ Input = cd0081ea7b2ae1ea06d59f7c73d9ffb94a09615c2e4ba7c636cef08dd3533ec3185525b015c769b99a77d6725bf9c3532a9b6e5f6627d5fb85160768d3dda9cbd35974511717dc3d309d2fc47ee41f97e32adb7f9dd864a1c4767a666ecd71bc1aacf5e7517f4b38594fea9b05e42d5ada9912008013e45316a4d9bb8ed086b88d28758bacaf922d46a868b485d239c9baeb0e2b64592710f42b2d1ea0a4b4802c0becab328f8a68b0073bdb546feea9809d2849912b390c1532bc7e29c7658f8175fae46f34332ff87bcab3e40649b98577869da0ea718353f0722754886913648760d122be676e0fc483dd20ffc31bda96a31966c9aa2e75ad03de47e1c44e
+-Result = KEYOP_ERROR
++Result = KEYOP_LENGTH_ERROR
+ 
+ # RSADP Ciphertext = n should fail
+ Availablein = default
+@@ -2074,7 +2074,7 @@ Securitycheck = 1
+ Unapproved = 1
+ CtrlInit = key-check:0
+ Input = 550AF55A2904E7B9762352F8FB7FA235
+-Result = KEYOP_MISMATCH
++Result = KEYOP_LENGTH_ERROR
+ 
+ # Signing with SHA1 is not allowed in fips mode
+ Availablein = fips
+-- 
+2.50.0
+

0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch

@@ -0,0 +1,26 @@
+From bc8584fab56834724a8aa70aba1c1f56f1d794e2 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Mon, 24 Mar 2025 11:03:45 -0400
+Subject: [PATCH 28/53] FIPS: RSA: Mark x931 as not approved by default
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ providers/fips/include/fips_indicator_params.inc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/providers/fips/include/fips_indicator_params.inc b/providers/fips/include/fips_indicator_params.inc
+index 6bd783eb0a..c1b029de86 100644
+--- a/providers/fips/include/fips_indicator_params.inc
++++ b/providers/fips/include/fips_indicator_params.inc
+@@ -15,7 +15,7 @@ OSSL_FIPS_PARAM(dsa_sign_disallowed, DSA_SIGN_DISABLED, 0)
+ OSSL_FIPS_PARAM(tdes_encrypt_disallowed, TDES_ENCRYPT_DISABLED, 0)
+ OSSL_FIPS_PARAM(rsa_pkcs15_padding_disabled, RSA_PKCS15_PAD_DISABLED, 1)
+ OSSL_FIPS_PARAM(rsa_pss_saltlen_check, RSA_PSS_SALTLEN_CHECK, 0)
+-OSSL_FIPS_PARAM(rsa_sign_x931_disallowed, RSA_SIGN_X931_PAD_DISABLED, 0)
++OSSL_FIPS_PARAM(rsa_sign_x931_disallowed, RSA_SIGN_X931_PAD_DISABLED, 1)
+ OSSL_FIPS_PARAM(hkdf_key_check, HKDF_KEY_CHECK, 0)
+ OSSL_FIPS_PARAM(kbkdf_key_check, KBKDF_KEY_CHECK, 0)
+ OSSL_FIPS_PARAM(tls13_kdf_key_check, TLS13_KDF_KEY_CHECK, 0)
+-- 
+2.50.0
+

0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch

@@ -0,0 +1,282 @@
+From 7a34ce0dbb64dd29e412dffb0628815eed4a8b96 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:16 +0100
+Subject: [PATCH 29/53] FIPS: RSA: Remove X9.31 padding signatures tests
+
+The current draft of FIPS 186-5 [1] no longer contains specifications
+for X9.31 signature padding. Instead, it contains the following
+information in Appendix E:
+
+> ANSI X9.31 was withdrawn, so X9.31 RSA signatures were removed from
+> this standard.
+
+Since this situation is unlikely to change in future revisions of the
+draft, and future FIPS 140-3 validations of the provider will require
+X9.31 to be disabled or marked as not approved with an explicit
+indicator, disallow this padding mode now.
+
+Remove the X9.31 tests from the acvp test, since they will always fail
+now.
+
+ [1]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5-draft.pdf
+
+Signed-off-by: Clemens Lang <cllang@redhat.com>
+
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ test/acvp_test.inc | 225 ---------------------------------------------
+ 1 file changed, 225 deletions(-)
+
+diff --git a/test/acvp_test.inc b/test/acvp_test.inc
+index 97ec1ff3e5..31fa0eafc6 100644
+--- a/test/acvp_test.inc
++++ b/test/acvp_test.inc
+@@ -1354,13 +1354,6 @@ static const struct rsa_siggen_st rsa_siggen_data[] = {
+         ITM(rsa_siggen0_msg),
+         NO_PSS_SALT_LEN,
+     },
+-    {
+-        "x931",
+-        2048,
+-        "SHA384",
+-        ITM(rsa_siggen0_msg),
+-        NO_PSS_SALT_LEN,
+-    },
+     {
+         "pss",
+         2048,
+@@ -1772,202 +1765,6 @@ static const unsigned char rsa_sigverpss_1_sig[] = {
+     0xe9, 0x97, 0x20, 0x35, 0xf8, 0xf1, 0x78, 0xe1
+ };
+ 
+-static const unsigned char rsa_sigverx931_0_n[] = {
+-    0xa0, 0x16, 0x14, 0x80, 0x8b, 0x17, 0x2b, 0xad,
+-    0xd7, 0x07, 0x31, 0x6d, 0xfc, 0xba, 0x25, 0x83,
+-    0x09, 0xa0, 0xf7, 0x71, 0xc6, 0x06, 0x22, 0x87,
+-    0xd6, 0xbd, 0x13, 0xd9, 0xfe, 0x7c, 0xf7, 0xe6,
+-    0x48, 0xdb, 0x27, 0xd8, 0xa5, 0x49, 0x8e, 0x8c,
+-    0xea, 0xbe, 0xe0, 0x04, 0x6f, 0x3d, 0x3b, 0x73,
+-    0xdc, 0xc5, 0xd4, 0xdc, 0x85, 0xef, 0xea, 0x10,
+-    0x46, 0xf3, 0x88, 0xb9, 0x93, 0xbc, 0xa0, 0xb6,
+-    0x06, 0x02, 0x82, 0xb4, 0x2d, 0x54, 0xec, 0x79,
+-    0x50, 0x8a, 0xfc, 0xfa, 0x62, 0x45, 0xbb, 0xd7,
+-    0x26, 0xcd, 0x88, 0xfa, 0xe8, 0x0f, 0x26, 0x5b,
+-    0x1f, 0x21, 0x3f, 0x3b, 0x5d, 0x98, 0x3f, 0x02,
+-    0x8c, 0xa1, 0xbf, 0xc0, 0x70, 0x4d, 0xd1, 0x41,
+-    0xfd, 0xb9, 0x55, 0x12, 0x90, 0xc8, 0x6e, 0x0f,
+-    0x19, 0xa8, 0x5c, 0x31, 0xd6, 0x16, 0x0e, 0xdf,
+-    0x08, 0x84, 0xcd, 0x4b, 0xfd, 0x28, 0x8d, 0x7d,
+-    0x6e, 0xea, 0xc7, 0x95, 0x4a, 0xc3, 0x84, 0x54,
+-    0x7f, 0xb0, 0x20, 0x29, 0x96, 0x39, 0x4c, 0x3e,
+-    0x85, 0xec, 0x22, 0xdd, 0xb9, 0x14, 0xbb, 0x04,
+-    0x2f, 0x4c, 0x0c, 0xe3, 0xfa, 0xae, 0x47, 0x79,
+-    0x59, 0x8e, 0x4e, 0x7d, 0x4a, 0x17, 0xae, 0x16,
+-    0x38, 0x66, 0x4e, 0xff, 0x45, 0x7f, 0xac, 0x5e,
+-    0x75, 0x9f, 0x51, 0x18, 0xe6, 0xad, 0x6b, 0x8b,
+-    0x3d, 0x08, 0x4d, 0x9a, 0xd2, 0x11, 0xba, 0xa8,
+-    0xc3, 0xb5, 0x17, 0xb5, 0xdf, 0xe7, 0x39, 0x89,
+-    0x27, 0x7b, 0xeb, 0xf4, 0xe5, 0x7e, 0xa9, 0x7b,
+-    0x39, 0x40, 0x6f, 0xe4, 0x82, 0x14, 0x3d, 0x62,
+-    0xb6, 0xd4, 0x43, 0xd0, 0x0a, 0x2f, 0xc1, 0x73,
+-    0x3d, 0x99, 0x37, 0xbe, 0x62, 0x13, 0x6a, 0x8b,
+-    0xeb, 0xc5, 0x64, 0xd5, 0x2a, 0x8b, 0x4f, 0x7f,
+-    0x82, 0x48, 0x69, 0x3e, 0x08, 0x1b, 0xb5, 0x77,
+-    0xd3, 0xdc, 0x1b, 0x2c, 0xe5, 0x59, 0xf6, 0x33,
+-    0x47, 0xa0, 0x0f, 0xff, 0x8a, 0x6a, 0x1d, 0x66,
+-    0x24, 0x67, 0x36, 0x7d, 0x21, 0xda, 0xc1, 0xd4,
+-    0x11, 0x6c, 0xe8, 0x5f, 0xd7, 0x8a, 0x53, 0x5c,
+-    0xb2, 0xe2, 0xf9, 0x14, 0x29, 0x0f, 0xcf, 0x28,
+-    0x32, 0x4f, 0xc6, 0x17, 0xf6, 0xbc, 0x0e, 0xb8,
+-    0x99, 0x7c, 0x14, 0xa3, 0x40, 0x3f, 0xf3, 0xe4,
+-    0x31, 0xbe, 0x54, 0x64, 0x5a, 0xad, 0x1d, 0xb0,
+-    0x37, 0xcc, 0xd9, 0x0b, 0xa4, 0xbc, 0xe0, 0x07,
+-    0x37, 0xd1, 0xe1, 0x65, 0xc6, 0x53, 0xfe, 0x60,
+-    0x6a, 0x64, 0xa4, 0x01, 0x00, 0xf3, 0x5b, 0x9a,
+-    0x28, 0x61, 0xde, 0x7a, 0xd7, 0x0d, 0x56, 0x1e,
+-    0x4d, 0xa8, 0x6a, 0xb5, 0xf2, 0x86, 0x2a, 0x4e,
+-    0xaa, 0x37, 0x23, 0x5a, 0x3b, 0x69, 0x66, 0x81,
+-    0xc8, 0x8e, 0x1b, 0x31, 0x0f, 0x28, 0x31, 0x9a,
+-    0x2d, 0xe5, 0x79, 0xcc, 0xa4, 0xca, 0x60, 0x45,
+-    0xf7, 0x83, 0x73, 0x5a, 0x01, 0x29, 0xda, 0xf7,
+-
+-};
+-static const unsigned char rsa_sigverx931_0_e[] = {
+-    0x01, 0x00, 0x01,
+-};
+-static const unsigned char rsa_sigverx931_0_msg[] = {
+-    0x82, 0x2e, 0x41, 0x70, 0x9d, 0x1f, 0xe9, 0x47,
+-    0xec, 0xf1, 0x79, 0xcc, 0x05, 0xef, 0xdb, 0xcd,
+-    0xca, 0x8b, 0x8e, 0x61, 0x45, 0xad, 0xa6, 0xd9,
+-    0xd7, 0x4b, 0x15, 0xf4, 0x92, 0x3a, 0x2a, 0x52,
+-    0xe3, 0x44, 0x57, 0x2b, 0x74, 0x7a, 0x37, 0x41,
+-    0x50, 0xcb, 0xcf, 0x13, 0x49, 0xd6, 0x15, 0x54,
+-    0x97, 0xfd, 0xae, 0x9b, 0xc1, 0xbb, 0xfc, 0x5c,
+-    0xc1, 0x37, 0x58, 0x17, 0x63, 0x19, 0x9c, 0xcf,
+-    0xee, 0x9c, 0xe5, 0xbe, 0x06, 0xe4, 0x97, 0x47,
+-    0xd1, 0x93, 0xa1, 0x2c, 0x59, 0x97, 0x02, 0x01,
+-    0x31, 0x45, 0x8c, 0xe1, 0x5c, 0xac, 0xe7, 0x5f,
+-    0x6a, 0x23, 0xda, 0xbf, 0xe4, 0x25, 0xc6, 0x67,
+-    0xea, 0x5f, 0x73, 0x90, 0x1b, 0x06, 0x0f, 0x41,
+-    0xb5, 0x6e, 0x74, 0x7e, 0xfd, 0xd9, 0xaa, 0xbd,
+-    0xe2, 0x8d, 0xad, 0x99, 0xdd, 0x29, 0x70, 0xca,
+-    0x1b, 0x38, 0x21, 0x55, 0xde, 0x07, 0xaf, 0x00,
+-
+-};
+-static const unsigned char rsa_sigverx931_0_sig[] = {
+-    0x29, 0xa9, 0x3a, 0x8e, 0x9e, 0x90, 0x1b, 0xdb,
+-    0xaf, 0x0b, 0x47, 0x5b, 0xb5, 0xc3, 0x8c, 0xc3,
+-    0x70, 0xbe, 0x73, 0xf9, 0x65, 0x8e, 0xc6, 0x1e,
+-    0x95, 0x0b, 0xdb, 0x24, 0x76, 0x79, 0xf1, 0x00,
+-    0x71, 0xcd, 0xc5, 0x6a, 0x7b, 0xd2, 0x8b, 0x18,
+-    0xc4, 0xdd, 0xf1, 0x2a, 0x31, 0x04, 0x3f, 0xfc,
+-    0x36, 0x06, 0x20, 0x71, 0x3d, 0x62, 0xf2, 0xb5,
+-    0x79, 0x0a, 0xd5, 0xd2, 0x81, 0xf1, 0xb1, 0x4f,
+-    0x9a, 0x17, 0xe8, 0x67, 0x64, 0x48, 0x09, 0x75,
+-    0xff, 0x2d, 0xee, 0x36, 0xca, 0xca, 0x1d, 0x74,
+-    0x99, 0xbe, 0x5c, 0x94, 0x31, 0xcc, 0x12, 0xf4,
+-    0x59, 0x7e, 0x17, 0x00, 0x4f, 0x7b, 0xa4, 0xb1,
+-    0xda, 0xdb, 0x3e, 0xa4, 0x34, 0x10, 0x4a, 0x19,
+-    0x0a, 0xd2, 0xa7, 0xa0, 0xc5, 0xe6, 0xef, 0x82,
+-    0xd4, 0x2e, 0x21, 0xbe, 0x15, 0x73, 0xac, 0xef,
+-    0x05, 0xdb, 0x6a, 0x8a, 0x1a, 0xcb, 0x8e, 0xa5,
+-    0xee, 0xfb, 0x28, 0xbf, 0x96, 0xa4, 0x2b, 0xd2,
+-    0x85, 0x2b, 0x20, 0xc3, 0xaf, 0x9a, 0x32, 0x04,
+-    0xa0, 0x49, 0x24, 0x47, 0xd0, 0x09, 0xf7, 0xcf,
+-    0x73, 0xb6, 0xf6, 0x70, 0xda, 0x3b, 0xf8, 0x5a,
+-    0x28, 0x2e, 0x14, 0x6c, 0x52, 0xbd, 0x2a, 0x7c,
+-    0x8e, 0xc1, 0xa8, 0x0e, 0xb1, 0x1e, 0x6b, 0x8d,
+-    0x76, 0xea, 0x70, 0x81, 0xa0, 0x02, 0x63, 0x74,
+-    0xbc, 0x7e, 0xb9, 0xac, 0x0e, 0x7b, 0x1b, 0x75,
+-    0x82, 0xe2, 0x98, 0x4e, 0x24, 0x55, 0xd4, 0xbd,
+-    0x14, 0xde, 0x58, 0x56, 0x3a, 0x5d, 0x4e, 0x57,
+-    0x0d, 0x54, 0x74, 0xe8, 0x86, 0x8c, 0xcb, 0x07,
+-    0x9f, 0x0b, 0xfb, 0xc2, 0x08, 0x5c, 0xd7, 0x05,
+-    0x3b, 0xc8, 0xd2, 0x15, 0x68, 0x8f, 0x3d, 0x3c,
+-    0x4e, 0x85, 0xa9, 0x25, 0x6f, 0xf5, 0x2e, 0xca,
+-    0xca, 0xa8, 0x27, 0x89, 0x61, 0x4e, 0x1f, 0x57,
+-    0x2d, 0x99, 0x10, 0x3f, 0xbc, 0x9e, 0x96, 0x5e,
+-    0x2f, 0x0a, 0x25, 0xa7, 0x5c, 0xea, 0x65, 0x2a,
+-    0x22, 0x35, 0xa3, 0xf9, 0x13, 0x89, 0x05, 0x2e,
+-    0x19, 0x73, 0x1d, 0x70, 0x74, 0x98, 0x15, 0x4b,
+-    0xab, 0x56, 0x52, 0xe0, 0x01, 0x42, 0x95, 0x6a,
+-    0x46, 0x2c, 0x78, 0xff, 0x26, 0xbc, 0x48, 0x10,
+-    0x38, 0x25, 0xab, 0x32, 0x7c, 0x79, 0x7c, 0x5d,
+-    0x6f, 0x45, 0x54, 0x74, 0x2d, 0x93, 0x56, 0x52,
+-    0x11, 0x34, 0x1e, 0xe3, 0x4b, 0x6a, 0x17, 0x4f,
+-    0x37, 0x14, 0x75, 0xac, 0xa3, 0xa1, 0xca, 0xda,
+-    0x38, 0x06, 0xa9, 0x78, 0xb9, 0x5d, 0xd0, 0x59,
+-    0x1b, 0x5d, 0x1e, 0xc2, 0x0b, 0xfb, 0x39, 0x37,
+-    0x44, 0x85, 0xb6, 0x36, 0x06, 0x95, 0xbc, 0x15,
+-    0x35, 0xb9, 0xe6, 0x27, 0x42, 0xe3, 0xc8, 0xec,
+-    0x30, 0x37, 0x20, 0x26, 0x9a, 0x11, 0x61, 0xc0,
+-    0xdb, 0xb2, 0x5a, 0x26, 0x78, 0x27, 0xb9, 0x13,
+-    0xc9, 0x1a, 0xa7, 0x67, 0x93, 0xe8, 0xbe, 0xcb,
+-};
+-
+-#define rsa_sigverx931_1_n rsa_sigverx931_0_n
+-#define rsa_sigverx931_1_e rsa_sigverx931_0_e
+-static const unsigned char rsa_sigverx931_1_msg[] = {
+-    0x79, 0x02, 0xb9, 0xd2, 0x3e, 0x84, 0x02, 0xc8,
+-    0x2a, 0x94, 0x92, 0x14, 0x8d, 0xd5, 0xd3, 0x8d,
+-    0xb2, 0xf6, 0x00, 0x8b, 0x61, 0x2c, 0xd2, 0xf9,
+-    0xa8, 0xe0, 0x5d, 0xac, 0xdc, 0xa5, 0x34, 0xf3,
+-    0xda, 0x6c, 0xd4, 0x70, 0x92, 0xfb, 0x40, 0x26,
+-    0xc7, 0x9b, 0xe8, 0xd2, 0x10, 0x11, 0xcf, 0x7f,
+-    0x23, 0xd0, 0xed, 0x55, 0x52, 0x6d, 0xd3, 0xb2,
+-    0x56, 0x53, 0x8d, 0x7c, 0x4c, 0xb8, 0xcc, 0xb5,
+-    0xfd, 0xd0, 0x45, 0x4f, 0x62, 0x40, 0x54, 0x42,
+-    0x68, 0xd5, 0xe5, 0xdd, 0xf0, 0x76, 0x94, 0x59,
+-    0x1a, 0x57, 0x13, 0xb4, 0xc3, 0x70, 0xcc, 0xbd,
+-    0x4c, 0x2e, 0xc8, 0x6b, 0x9d, 0x68, 0xd0, 0x72,
+-    0x6a, 0x94, 0xd2, 0x18, 0xb5, 0x3b, 0x86, 0x45,
+-    0x95, 0xaa, 0x50, 0xda, 0x35, 0xeb, 0x69, 0x44,
+-    0x1f, 0xf3, 0x3a, 0x51, 0xbb, 0x1d, 0x08, 0x42,
+-    0x12, 0xd7, 0xd6, 0x21, 0xd8, 0x9b, 0x87, 0x55,
+-};
+-
+-static const unsigned char rsa_sigverx931_1_sig[] = {
+-    0x3b, 0xba, 0xb3, 0xb1, 0xb2, 0x6a, 0x29, 0xb5,
+-    0xf9, 0x94, 0xf1, 0x00, 0x5c, 0x16, 0x67, 0x67,
+-    0x73, 0xd3, 0xde, 0x7e, 0x07, 0xfa, 0xaa, 0x95,
+-    0xeb, 0x5a, 0x55, 0xdc, 0xb2, 0xa9, 0x70, 0x5a,
+-    0xee, 0x8f, 0x8d, 0x69, 0x85, 0x2b, 0x00, 0xe3,
+-    0xdc, 0xe2, 0x73, 0x9b, 0x68, 0xeb, 0x93, 0x69,
+-    0x08, 0x03, 0x17, 0xd6, 0x50, 0x21, 0x14, 0x23,
+-    0x8c, 0xe6, 0x54, 0x3a, 0xd9, 0xfc, 0x8b, 0x14,
+-    0x81, 0xb1, 0x8b, 0x9d, 0xd2, 0xbe, 0x58, 0x75,
+-    0x94, 0x74, 0x93, 0xc9, 0xbb, 0x4e, 0xf6, 0x1f,
+-    0x73, 0x7d, 0x1a, 0x5f, 0xbd, 0xbf, 0x59, 0x37,
+-    0x5b, 0x98, 0x54, 0xad, 0x3a, 0xef, 0xa0, 0xef,
+-    0xcb, 0xc3, 0xe8, 0x84, 0xd8, 0x3d, 0xf5, 0x60,
+-    0xb8, 0xc3, 0x8d, 0x1e, 0x78, 0xa0, 0x91, 0x94,
+-    0xb7, 0xd7, 0xb1, 0xd4, 0xe2, 0xee, 0x81, 0x93,
+-    0xfc, 0x41, 0xf0, 0x31, 0xbb, 0x03, 0x52, 0xde,
+-    0x80, 0x20, 0x3a, 0x68, 0xe6, 0xc5, 0x50, 0x1b,
+-    0x08, 0x3f, 0x40, 0xde, 0xb3, 0xe5, 0x81, 0x99,
+-    0x7f, 0xdb, 0xb6, 0x5d, 0x61, 0x27, 0xd4, 0xfb,
+-    0xcd, 0xc5, 0x7a, 0xea, 0xde, 0x7a, 0x66, 0xef,
+-    0x55, 0x3f, 0x85, 0xea, 0x84, 0xc5, 0x0a, 0xf6,
+-    0x3c, 0x40, 0x38, 0xf7, 0x6c, 0x66, 0xe5, 0xbe,
+-    0x61, 0x41, 0xd3, 0xb1, 0x08, 0xe1, 0xb4, 0xf9,
+-    0x6e, 0xf6, 0x0e, 0x4a, 0x72, 0x6c, 0x61, 0x63,
+-    0x3e, 0x41, 0x33, 0x94, 0xd6, 0x27, 0xa4, 0xd9,
+-    0x3a, 0x20, 0x2b, 0x39, 0xea, 0xe5, 0x82, 0x48,
+-    0xd6, 0x5b, 0x58, 0x85, 0x44, 0xb0, 0xd2, 0xfd,
+-    0xfb, 0x3e, 0xeb, 0x78, 0xac, 0xbc, 0xba, 0x16,
+-    0x92, 0x0e, 0x20, 0xc1, 0xb2, 0xd1, 0x92, 0xa8,
+-    0x00, 0x88, 0xc0, 0x41, 0x46, 0x38, 0xb6, 0x54,
+-    0x70, 0x0c, 0x00, 0x62, 0x97, 0x6a, 0x8e, 0x66,
+-    0x5a, 0xa1, 0x6c, 0xf7, 0x6d, 0xc2, 0x27, 0x56,
+-    0x60, 0x5b, 0x0c, 0x52, 0xac, 0x5c, 0xae, 0x99,
+-    0x55, 0x11, 0x62, 0x52, 0x09, 0x48, 0x53, 0x90,
+-    0x3c, 0x0b, 0xd4, 0xdc, 0x7b, 0xe3, 0x4c, 0xe3,
+-    0xa8, 0x6d, 0xc5, 0xdf, 0xc1, 0x5c, 0x59, 0x25,
+-    0x99, 0x30, 0xde, 0x57, 0x6a, 0x84, 0x25, 0x34,
+-    0x3e, 0x64, 0x11, 0xdb, 0x7a, 0x82, 0x8e, 0x70,
+-    0xd2, 0x5c, 0x0e, 0x81, 0xa0, 0x24, 0x53, 0x75,
+-    0x98, 0xd6, 0x10, 0x01, 0x6a, 0x14, 0xed, 0xc3,
+-    0x6f, 0xc4, 0x18, 0xb8, 0xd2, 0x9f, 0x59, 0x53,
+-    0x81, 0x3a, 0x86, 0x31, 0xfc, 0x9e, 0xbf, 0x6c,
+-    0x52, 0x93, 0x86, 0x9c, 0xaa, 0x6c, 0x6f, 0x07,
+-    0x8a, 0x40, 0x33, 0x64, 0xb2, 0x70, 0x48, 0x85,
+-    0x05, 0x59, 0x65, 0x2d, 0x6b, 0x9a, 0xad, 0xab,
+-    0x20, 0x7e, 0x02, 0x6d, 0xde, 0xcf, 0x22, 0x0b,
+-    0xea, 0x6e, 0xbd, 0x1c, 0x39, 0x3a, 0xfd, 0xa4,
+-    0xde, 0x54, 0xae, 0xde, 0x5e, 0xf7, 0xb0, 0x6d,
+-};
+-
+ static const struct rsa_sigver_st rsa_sigver_data[] = {
+     {
+         "pkcs1", /* pkcs1v1.5 */
+@@ -1991,28 +1788,6 @@ static const struct rsa_sigver_st rsa_sigver_data[] = {
+         NO_PSS_SALT_LEN,
+         FAIL
+     },
+-    {
+-        "x931",
+-        3072,
+-        "SHA1",
+-        ITM(rsa_sigverx931_0_msg),
+-        ITM(rsa_sigverx931_0_n),
+-        ITM(rsa_sigverx931_0_e),
+-        ITM(rsa_sigverx931_0_sig),
+-        NO_PSS_SALT_LEN,
+-        PASS
+-    },
+-    {
+-        "x931",
+-        3072,
+-        "SHA256",
+-        ITM(rsa_sigverx931_1_msg),
+-        ITM(rsa_sigverx931_1_n),
+-        ITM(rsa_sigverx931_1_e),
+-        ITM(rsa_sigverx931_1_sig),
+-        NO_PSS_SALT_LEN,
+-        FAIL
+-    },
+     {
+         "pss",
+         4096,
+-- 
+2.50.0
+

0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch

@@ -0,0 +1,387 @@
+From c031855ff636806e7811513779e494b92808a1e4 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Wed, 12 Feb 2025 17:12:02 -0500
+Subject: [PATCH 30/53] FIPS: RSA: NEEDS-REWORK:
+ FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ ...EP-in-KATs-support-fixed-OAEP-seed.p.patch | 348 ++++++++++++++++++
+ REBASE.txt                                    |  10 +
+ 2 files changed, 358 insertions(+)
+ create mode 100644 Originally-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch
+ create mode 100644 REBASE.txt
+
+diff --git a/Originally-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch b/Originally-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch
+new file mode 100644
+index 0000000000..793b8a4dac
+--- /dev/null
++++ b/Originally-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch
+@@ -0,0 +1,348 @@
++From a0e92712c141cda0b8321feb492982506b18c612 Mon Sep 17 00:00:00 2001
++From: rpm-build <rpm-build>
++Date: Wed, 6 Mar 2024 19:17:15 +0100
++Subject: [PATCH 28/55] 
++ 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
++
++Patch-name: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
++Patch-id: 73
++Patch-status: |
++    # # https://bugzilla.redhat.com/show_bug.cgi?id=2102535
++From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
++---
++ crypto/rsa/rsa_local.h                        |  8 ++
++ crypto/rsa/rsa_oaep.c                         | 34 ++++++--
++ providers/fips/self_test_data.inc             | 79 ++++++++++---------
++ providers/fips/self_test_kats.c               |  7 ++
++ .../implementations/asymciphers/rsa_enc.c     | 41 +++++++++-
++ util/perl/OpenSSL/paramnames.pm               |  1 +
++ 6 files changed, 126 insertions(+), 44 deletions(-)
++
++diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h
++index ea70da05ad..dde57a1a0e 100644
++--- a/crypto/rsa/rsa_local.h
+++++ b/crypto/rsa/rsa_local.h
++@@ -193,4 +193,12 @@ int ossl_rsa_padding_add_PKCS1_type_2_ex(OSSL_LIB_CTX *libctx, unsigned char *to
++                                          int tlen, const unsigned char *from,
++                                          int flen);
++ 
+++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx,
+++                                             unsigned char *to, int tlen,
+++                                             const unsigned char *from, int flen,
+++                                             const unsigned char *param,
+++                                             int plen, const EVP_MD *md,
+++                                             const EVP_MD *mgf1md,
+++                                             const char *redhat_st_seed);
+++
++ #endif /* OSSL_CRYPTO_RSA_LOCAL_H */
++diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
++index b9030440c4..3d665c3860 100644
++--- a/crypto/rsa/rsa_oaep.c
+++++ b/crypto/rsa/rsa_oaep.c
++@@ -44,6 +44,10 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
++                                                    param, plen, NULL, NULL);
++ }
++ 
+++#ifdef FIPS_MODULE
+++extern int REDHAT_FIPS_asym_cipher_st;
+++#endif /* FIPS_MODULE */
+++
++ /*
++  * Perform the padding as per NIST 800-56B 7.2.2.3
++  *      from (K) is the key material.
++@@ -51,12 +55,13 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
++  * Step numbers are included here but not in the constant time inverse below
++  * to avoid complicating an already difficult enough function.
++  */
++-int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
++-                                            unsigned char *to, int tlen,
++-                                            const unsigned char *from, int flen,
++-                                            const unsigned char *param,
++-                                            int plen, const EVP_MD *md,
++-                                            const EVP_MD *mgf1md)
+++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx,
+++                                             unsigned char *to, int tlen,
+++                                             const unsigned char *from, int flen,
+++                                             const unsigned char *param,
+++                                             int plen, const EVP_MD *md,
+++                                             const EVP_MD *mgf1md,
+++                                             const char *redhat_st_seed)
++ {
++     int rv = 0;
++     int i, emlen = tlen - 1;
++@@ -107,6 +112,11 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
++     db[emlen - flen - mdlen - 1] = 0x01;
++     memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen);
++     /* step 3d: generate random byte string */
+++#ifdef FIPS_MODULE
+++    if (redhat_st_seed != NULL && REDHAT_FIPS_asym_cipher_st) {
+++        memcpy(seed, redhat_st_seed, mdlen);
+++    } else
+++#endif
++     if (RAND_bytes_ex(libctx, seed, mdlen, 0) <= 0)
++         goto err;
++ 
++@@ -136,6 +146,18 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
++     return rv;
++ }
++ 
+++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
+++                                            unsigned char *to, int tlen,
+++                                            const unsigned char *from, int flen,
+++                                            const unsigned char *param,
+++                                            int plen, const EVP_MD *md,
+++                                            const EVP_MD *mgf1md)
+++{
+++    return ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(libctx, to, tlen, from,
+++                                                    flen, param, plen, md,
+++                                                    mgf1md, NULL);
+++}
+++
++ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
++                                     const unsigned char *from, int flen,
++                                     const unsigned char *param, int plen,
++diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
++index 4b80bb70b9..c33ecd0791 100644
++--- a/providers/fips/self_test_data.inc
+++++ b/providers/fips/self_test_data.inc
++@@ -1296,14 +1296,21 @@ static const ST_KAT_PARAM rsa_priv_key[] = {
++ };
++ 
++ /*-
++- * Using OSSL_PKEY_RSA_PAD_MODE_NONE directly in the expansion of the
+++ * Using OSSL_PKEY_RSA_PAD_MODE_OAEP directly in the expansion of the
++  * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient
++  * HP/UX PA-RISC compilers.
++  */
++-static const char pad_mode_none[] = OSSL_PKEY_RSA_PAD_MODE_NONE;
+++static const char pad_mode_oaep[] = OSSL_PKEY_RSA_PAD_MODE_OAEP;
+++static const char oaep_fixed_seed[] = {
+++    0xf6, 0x10, 0xef, 0x0a, 0x97, 0xbf, 0x91, 0x25,
+++    0x97, 0xcf, 0x8e, 0x0a, 0x75, 0x51, 0x2f, 0xab,
+++    0x2e, 0x4b, 0x2c, 0xe6
+++};
++ 
++ static const ST_KAT_PARAM rsa_enc_params[] = {
++-    ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_none),
+++    ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_oaep),
+++    ST_KAT_PARAM_OCTET(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED,
+++                       oaep_fixed_seed),
++     ST_KAT_PARAM_END()
++ };
++ 
++@@ -1342,43 +1349,43 @@ static const unsigned char rsa_expected_sig[256] = {
++     0x2c, 0x68, 0xf0, 0x37, 0xa9, 0xd2, 0x56, 0xd6
++ };
++ 
++-static const unsigned char rsa_asym_plaintext_encrypt[256] = {
+++static const unsigned char rsa_asym_plaintext_encrypt[208] = {
++    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
++    0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
++ };
++ static const unsigned char rsa_asym_expected_encrypt[256] = {
++-    0x54, 0xac, 0x23, 0x96, 0x1d, 0x82, 0x5d, 0x8b,
++-    0x8f, 0x36, 0x33, 0xd0, 0xf4, 0x02, 0xa2, 0x61,
++-    0xb1, 0x13, 0xd4, 0x4a, 0x46, 0x06, 0x37, 0x3c,
++-    0xbf, 0x40, 0x05, 0x3c, 0xc6, 0x3b, 0x64, 0xdc,
++-    0x22, 0x22, 0xaf, 0x36, 0x79, 0x62, 0x45, 0xf0,
++-    0x97, 0x82, 0x22, 0x44, 0x86, 0x4a, 0x7c, 0xfa,
++-    0xac, 0x03, 0x21, 0x84, 0x3f, 0x31, 0xad, 0x2a,
++-    0xa4, 0x6e, 0x7a, 0xc5, 0x93, 0xf3, 0x0f, 0xfc,
++-    0xf1, 0x62, 0xce, 0x82, 0x12, 0x45, 0xc9, 0x35,
++-    0xb0, 0x7a, 0xcd, 0x99, 0x8c, 0x91, 0x6b, 0x5a,
++-    0xd3, 0x46, 0xdb, 0xf9, 0x9e, 0x52, 0x49, 0xbd,
++-    0x1e, 0xe8, 0xda, 0xac, 0x61, 0x47, 0xc2, 0xda,
++-    0xfc, 0x1e, 0xfb, 0x74, 0xd7, 0xd6, 0xc1, 0x18,
++-    0x86, 0x3e, 0x20, 0x9c, 0x7a, 0xe1, 0x04, 0xb7,
++-    0x38, 0x43, 0xb1, 0x4e, 0xa0, 0xd8, 0xc1, 0x39,
++-    0x4d, 0xe1, 0xd3, 0xb0, 0xb3, 0xf1, 0x82, 0x87,
++-    0x1f, 0x74, 0xb5, 0x69, 0xfd, 0x33, 0xd6, 0x21,
++-    0x7c, 0x61, 0x60, 0x28, 0xca, 0x70, 0xdb, 0xa0,
++-    0xbb, 0xc8, 0x73, 0xa9, 0x82, 0xf8, 0x6b, 0xd8,
++-    0xf0, 0xc9, 0x7b, 0x20, 0xdf, 0x9d, 0xfb, 0x8c,
++-    0xd4, 0xa2, 0x89, 0xe1, 0x9b, 0x04, 0xad, 0xaa,
++-    0x11, 0x6c, 0x8f, 0xce, 0x83, 0x29, 0x56, 0x69,
++-    0xbb, 0x00, 0x3b, 0xef, 0xca, 0x2d, 0xcd, 0x52,
++-    0xc8, 0xf1, 0xb3, 0x9b, 0xb4, 0x4f, 0x6d, 0x9c,
++-    0x3d, 0x69, 0xcc, 0x6d, 0x1f, 0x38, 0x4d, 0xe6,
++-    0xbb, 0x0c, 0x87, 0xdc, 0x5f, 0xa9, 0x24, 0x93,
++-    0x03, 0x46, 0xa2, 0x33, 0x6c, 0xf4, 0xd8, 0x5d,
++-    0x68, 0xf3, 0xd3, 0xe0, 0xf2, 0x30, 0xdb, 0xf5,
++-    0x4f, 0x0f, 0xad, 0xc7, 0xd0, 0xaa, 0x47, 0xd9,
++-    0x9f, 0x85, 0x1b, 0x2e, 0x6c, 0x3c, 0x57, 0x04,
++-    0x29, 0xf4, 0xf5, 0x66, 0x7d, 0x93, 0x4a, 0xaa,
++-    0x05, 0x52, 0x55, 0xc1, 0xc6, 0x06, 0x90, 0xab,
+++    0x6c, 0x21, 0xc1, 0x9e, 0x94, 0xee, 0xdf, 0x74,
+++    0x3a, 0x3c, 0x7c, 0x04, 0x1a, 0x53, 0x9e, 0x7c,
+++    0x42, 0xac, 0x7e, 0x28, 0x9a, 0xb7, 0xe2, 0x4e,
+++    0x87, 0xd4, 0x00, 0x69, 0x71, 0xf0, 0x3e, 0x0b,
+++    0xc1, 0xda, 0xd6, 0xbd, 0x21, 0x39, 0x4f, 0x25,
+++    0x22, 0x1f, 0x76, 0x0d, 0x62, 0x1f, 0xa2, 0x89,
+++    0xdb, 0x38, 0x32, 0x88, 0x21, 0x1d, 0x89, 0xf1,
+++    0xe0, 0x14, 0xd4, 0xb7, 0x90, 0xfc, 0xbc, 0x50,
+++    0xb0, 0x8d, 0x5c, 0x2f, 0x49, 0x9e, 0x90, 0x17,
+++    0x9e, 0x60, 0x9f, 0xe1, 0x77, 0x4f, 0x11, 0xa2,
+++    0xcf, 0x16, 0x65, 0x2d, 0x4a, 0x2c, 0x12, 0xcb,
+++    0x1e, 0x3c, 0x29, 0x8b, 0xdc, 0x27, 0x06, 0x9d,
+++    0xf4, 0x0d, 0xe1, 0xc9, 0xeb, 0x14, 0x6a, 0x7e,
+++    0xfd, 0xa7, 0xa8, 0xa7, 0x51, 0x82, 0x62, 0x0f,
+++    0x29, 0x8d, 0x8c, 0x5e, 0xf2, 0xb8, 0xcd, 0xd3,
+++    0x51, 0x92, 0xa7, 0x25, 0x39, 0x9d, 0xdd, 0x06,
+++    0xff, 0xb1, 0xb0, 0xd5, 0x61, 0x03, 0x8f, 0x25,
+++    0x5c, 0x49, 0x12, 0xc1, 0x50, 0x67, 0x61, 0x78,
+++    0xb3, 0xe3, 0xc4, 0xf6, 0x36, 0x16, 0xa9, 0x04,
+++    0x91, 0x0a, 0x4b, 0x27, 0x28, 0x97, 0x50, 0x7c,
+++    0x65, 0x2d, 0xd0, 0x08, 0x71, 0x84, 0xe7, 0x47,
+++    0x79, 0x83, 0x91, 0x46, 0xd9, 0x8f, 0x79, 0xce,
+++    0x49, 0xcb, 0xcd, 0x8b, 0x34, 0xac, 0x61, 0xe0,
+++    0xe6, 0x55, 0xbf, 0x10, 0xe4, 0xac, 0x9a, 0xd6,
+++    0xed, 0xc1, 0xc2, 0xb6, 0xb6, 0xf7, 0x41, 0x99,
+++    0xde, 0xfa, 0xde, 0x11, 0x16, 0xa2, 0x18, 0x30,
+++    0x30, 0xdc, 0x95, 0x76, 0x2f, 0x46, 0x43, 0x20,
+++    0xc4, 0xe7, 0x50, 0xb9, 0x1e, 0xcd, 0x69, 0xbb,
+++    0x29, 0x94, 0x27, 0x9c, 0xc9, 0xab, 0xb4, 0x27,
+++    0x8b, 0x4d, 0xe1, 0xcb, 0xc1, 0x04, 0x2c, 0x66,
+++    0x41, 0x3a, 0x4d, 0xeb, 0x61, 0x4c, 0x77, 0x5a,
+++    0xee, 0xb0, 0xca, 0x99, 0x0e, 0x7f, 0xbe, 0x06
++ };
++ 
++ #ifndef OPENSSL_NO_EC
++diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
++index f13c41abd6..4ea10670c0 100644
++--- a/providers/fips/self_test_kats.c
+++++ b/providers/fips/self_test_kats.c
++@@ -642,14 +642,21 @@ static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
++     return ret;
++ }
++ 
+++int REDHAT_FIPS_asym_cipher_st = 0;
+++
++ static int self_test_asym_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
++ {
++     int i, ret = 1;
++ 
+++    REDHAT_FIPS_asym_cipher_st = 1;
+++
++     for (i = 0; i < (int)OSSL_NELEM(st_kat_asym_cipher_tests); ++i) {
++         if (!self_test_asym_cipher(&st_kat_asym_cipher_tests[i], st, libctx))
++             ret = 0;
++     }
+++
+++    REDHAT_FIPS_asym_cipher_st = 0;
+++
++     return ret;
++ }
++ 
++diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
++index d548560f1f..f3443b0c66 100644
++--- a/providers/implementations/asymciphers/rsa_enc.c
+++++ b/providers/implementations/asymciphers/rsa_enc.c
++@@ -30,6 +30,9 @@
++ #include "prov/implementations.h"
++ #include "prov/providercommon.h"
++ #include "prov/securitycheck.h"
+++#ifdef FIPS_MODULE
+++# include "crypto/rsa/rsa_local.h"
+++#endif
++ 
++ #include <stdlib.h>
++ 
++@@ -75,6 +78,9 @@ typedef struct {
++     /* TLS padding */
++     unsigned int client_version;
++     unsigned int alt_version;
+++#ifdef FIPS_MODULE
+++    char *redhat_st_oaep_seed;
+++#endif /* FIPS_MODULE */
++     /* PKCS#1 v1.5 decryption mode */
++     unsigned int implicit_rejection;
++ } PROV_RSA_CTX;
++@@ -193,12 +199,21 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
++             }
++         }
++         ret =
++-            ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(prsactx->libctx, tbuf,
+++#ifdef FIPS_MODULE
+++            ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(
+++#else
+++            ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(
+++#endif
+++                                                    prsactx->libctx, tbuf,
++                                                     rsasize, in, inlen,
++                                                     prsactx->oaep_label,
++                                                     prsactx->oaep_labellen,
++                                                     prsactx->oaep_md,
++-                                                    prsactx->mgf1_md);
+++                                                    prsactx->mgf1_md
+++#ifdef FIPS_MODULE
+++                                                    , prsactx->redhat_st_oaep_seed
+++#endif
+++                                                    );
++ 
++         if (!ret) {
++             OPENSSL_free(tbuf);
++@@ -332,6 +347,9 @@ static void rsa_freectx(void *vprsactx)
++     EVP_MD_free(prsactx->oaep_md);
++     EVP_MD_free(prsactx->mgf1_md);
++     OPENSSL_free(prsactx->oaep_label);
+++#ifdef FIPS_MODULE
+++    OPENSSL_free(prsactx->redhat_st_oaep_seed);
+++#endif /* FIPS_MODULE */
++ 
++     OPENSSL_free(prsactx);
++ }
++@@ -455,6 +473,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
++                     NULL, 0),
++     OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),
++     OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
+++#ifdef FIPS_MODULE
+++    OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0),
+++#endif /* FIPS_MODULE */
++     OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
++     OSSL_PARAM_END
++ };
++@@ -465,6 +486,10 @@ static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx,
++     return known_gettable_ctx_params;
++ }
++ 
+++#ifdef FIPS_MODULE
+++extern int REDHAT_FIPS_asym_cipher_st;
+++#endif /* FIPS_MODULE */
+++
++ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
++ {
++     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
++@@ -576,6 +601,18 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
++         prsactx->oaep_labellen = tmp_labellen;
++     }
++ 
+++#ifdef FIPS_MODULE
+++    p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED);
+++    if (p != NULL && REDHAT_FIPS_asym_cipher_st) {
+++        void *tmp_oaep_seed = NULL;
+++
+++        if (!OSSL_PARAM_get_octet_string(p, &tmp_oaep_seed, 0, NULL))
+++            return 0;
+++        OPENSSL_free(prsactx->redhat_st_oaep_seed);
+++        prsactx->redhat_st_oaep_seed = (char *)tmp_oaep_seed;
+++    }
+++#endif /* FIPS_MODULE */
+++
++     p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION);
++     if (p != NULL) {
++         unsigned int client_version;
++diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
++index c37ed7815f..70f7c50fe4 100644
++--- a/util/perl/OpenSSL/paramnames.pm
+++++ b/util/perl/OpenSSL/paramnames.pm
++@@ -401,6 +401,7 @@ my %params = (
++     'ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION' =>       "tls-client-version",
++     'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' =>   "tls-negotiated-version",
++     'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' =>       "implicit-rejection",
+++    'ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED' =>     "redhat-kat-oaep-seed",
++ 
++ # Encoder / decoder parameters
++ 
++-- 
++2.48.1
++
+diff --git a/REBASE.txt b/REBASE.txt
+new file mode 100644
+index 0000000000..2833a383c1
+--- /dev/null
++++ b/REBASE.txt
+@@ -0,0 +1,10 @@
++0028-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch
++
++Some asym testing has been dropped upstream, unclear if this needs to survive,
++if so we may need to resurrect deleted code in upstream patch:
++
++    commit 635bf4946a7e948f26a348ddc3b5a8d282354f64
++
++    fips: remove redundant RSA encrypt/decrypt KAT
++--
++
+-- 
+2.50.0
+

0031-FIPS-Deny-SHA-1-signature-verification.patch

@@ -0,0 +1,708 @@
+From 5fd8ab23690e661f785336b95799e74b39089790 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:15 +0100
+Subject: [PATCH 31/53] FIPS: Deny SHA-1 signature verification
+
+For RHEL, we already disable SHA-1 signatures by default in the default
+provider, so it is unexpected that the FIPS provider would have a more
+lenient configuration in this regard. Additionally, we do not think
+continuing to accept SHA-1 signatures is a good idea due to the
+published chosen-prefix collision attacks.
+
+As a consequence, disable verification of SHA-1 signatures in the FIPS
+provider.
+
+This requires adjusting a few tests that would otherwise fail:
+- 30-test_acvp: Remove the test vectors that use SHA-1.
+- 30-test_evp: Mark tests in evppkey_rsa_common.txt and
+  evppkey_ecdsa.txt that use SHA-1 digests as "Availablein = default",
+  which will not run them when the FIPS provider is enabled.
+- 80-test_cms: Re-create all certificates in test/smime-certificates
+  with SHA256 signatures while keeping the same private keys. These
+  certificates were signed with SHA-1 and thus fail verification in the
+  FIPS provider.
+  Fix some other tests by explicitly running them in the default
+  provider, where SHA-1 is available.
+- 80-test_ssl_old: Skip tests that rely on SSLv3 and SHA-1 when run with
+  the FIPS provider.
+
+Signed-off-by: Clemens Lang <cllang@redhat.com>
+
+Bug Id: https://bugzilla.redhat.com/show_bug.cgi?id=2087147
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ providers/implementations/signature/dsa_sig.c |  4 +-
+ .../implementations/signature/ecdsa_sig.c     |  4 +-
+ providers/implementations/signature/rsa_sig.c |  8 ++-
+ .../30-test_evp_data/evppkey_ecdsa.txt        | 11 +++-
+ .../30-test_evp_data/evppkey_ecdsa_sigalg.txt | 64 ++++++++++++++++---
+ .../30-test_evp_data/evppkey_rsa_common.txt   | 58 +++++++++++++++--
+ test/recipes/80-test_cms.t                    |  4 +-
+ test/recipes/80-test_ssl_old.t                |  4 ++
+ 8 files changed, 130 insertions(+), 27 deletions(-)
+
+diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
+index 52ed52482d..0d3050dbe9 100644
+--- a/providers/implementations/signature/dsa_sig.c
++++ b/providers/implementations/signature/dsa_sig.c
+@@ -187,9 +187,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
+         }
+ #ifdef FIPS_MODULE
+         {
+-            int sha1_allowed
+-                = ((ctx->operation
+-                    & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0);
++            int sha1_allowed = 0;
+ 
+             if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
+                                                  OSSL_FIPS_IND_SETTABLE1,
+diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
+index 04d4009ab5..4e46eaf9bc 100644
+--- a/providers/implementations/signature/ecdsa_sig.c
++++ b/providers/implementations/signature/ecdsa_sig.c
+@@ -214,9 +214,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx,
+ 
+ #ifdef FIPS_MODULE
+     {
+-        int sha1_allowed
+-            = ((ctx->operation
+-                & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0);
++        int sha1_allowed = 0;
+ 
+         if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
+                                              OSSL_FIPS_IND_SETTABLE1,
+diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
+index 09c202f87c..014b17fe49 100644
+--- a/providers/implementations/signature/rsa_sig.c
++++ b/providers/implementations/signature/rsa_sig.c
+@@ -407,9 +407,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
+         }
+ #ifdef FIPS_MODULE
+         {
+-            int sha1_allowed
+-                = ((ctx->operation
+-                    & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0);
++            int sha1_allowed = 0;
+ 
+             if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
+                                                  OSSL_FIPS_IND_SETTABLE1,
+@@ -1795,11 +1793,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
+ 
+     if (prsactx->md == NULL && pmdname == NULL
+         && pad_mode == RSA_PKCS1_PSS_PADDING) {
++#ifdef FIPS_MODULE
++        pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
++#else
+         if (ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
+             pmdname = RSA_DEFAULT_DIGEST_NAME;
+         } else {
+             pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
+         }
++#endif
+     }
+ 
+     if (pmgf1mdname != NULL
+diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+index 06ec905be0..1602f0c521 100644
+--- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
++++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+@@ -37,12 +37,14 @@ PrivPubKeyPair = P-256:P-256-PUBLIC
+ 
+ Title = ECDSA tests
+ 
++Availablein = default
+ Verify = P-256-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
+ 
+ # Digest too long
++Availablein = default
+ Verify = P-256-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF12345"
+@@ -50,6 +52,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e
+ Result = VERIFY_ERROR
+ 
+ # Digest too short
++Availablein = default
+ Verify = P-256-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF123"
+@@ -57,6 +60,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e
+ Result = VERIFY_ERROR
+ 
+ # Digest invalid
++Availablein = default
+ Verify = P-256-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1235"
+@@ -64,6 +68,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e
+ Result = VERIFY_ERROR
+ 
+ # Invalid signature
++Availablein = default
+ Verify = P-256-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+@@ -79,12 +84,14 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e
+ Result = VERIFY_ERROR
+ 
+ # BER signature
++Availablein = default
+ Verify = P-256-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+ Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000
+ Result = VERIFY_ERROR
+ 
++Availablein = default
+ Verify = P-256-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+@@ -237,7 +244,7 @@ Unapproved = 1
+ CtrlInit = digest-check:0
+ Key = P-256
+ Input = "Hello World"
+-Result = SIGNATURE_MISMATCH
++Result = DIGESTSIGNINIT_ERROR
+ 
+ # Test that SHA1 is not allowed in fips mode for signing
+ FIPSversion = >=3.4.0
+@@ -247,7 +254,7 @@ Unapproved = 1
+ CtrlInit = digest-check:0
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+-Result = KEYOP_MISMATCH
++Result = PKEY_CTRL_ERROR
+ 
+ Title = XOF disallowed
+ 
+diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt
+index 0ff482e4e8..d407ea1ca8 100644
+--- a/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt
++++ b/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt
+@@ -37,34 +37,34 @@ PrivPubKeyPair = P-256:P-256-PUBLIC
+ 
+ Title = ECDSA tests
+ 
+-FIPSversion = >=3.4.0
++Availablein = default
+ Verify = ECDSA-SHA1:P-256-PUBLIC
+ Input = "0123456789ABCDEF1234"
+ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
+ 
+ # Digest too long
+-FIPSversion = >=3.4.0
++Availablein = default
+ Verify = ECDSA-SHA1:P-256-PUBLIC
+ Input = "0123456789ABCDEF12345"
+ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
+ Result = VERIFY_ERROR
+ 
+ # Digest too short
+-FIPSversion = >=3.4.0
++Availablein = default
+ Verify = ECDSA-SHA1:P-256-PUBLIC
+ Input = "0123456789ABCDEF123"
+ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
+ Result = VERIFY_ERROR
+ 
+ # Digest invalid
+-FIPSversion = >=3.4.0
++Availablein = default
+ Verify = ECDSA-SHA1:P-256-PUBLIC
+ Input = "0123456789ABCDEF1235"
+ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
+ Result = VERIFY_ERROR
+ 
+ # Invalid signature
+-FIPSversion = >=3.4.0
++Availablein = default
+ Verify = ECDSA-SHA1:P-256-PUBLIC
+ Input = "0123456789ABCDEF1234"
+ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec7
+@@ -78,16 +78,64 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e
+ Result = VERIFY_ERROR
+ 
+ # BER signature
+-FIPSversion = >=3.4.0
++Availablein = default
+ Verify = ECDSA-SHA1:P-256-PUBLIC
+ Input = "0123456789ABCDEF1234"
+ Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000
+ Result = VERIFY_ERROR
+ 
++Availablein = fips
++Verify = ECDSA-SHA1:P-256-PUBLIC
++Input = "0123456789ABCDEF1234"
++Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
++Result = KEYOP_INIT_ERROR
++
++# Digest too long
++Availablein = fips
++FIPSversion = >=3.4.0
++Verify = ECDSA-SHA1:P-256-PUBLIC
++Input = "0123456789ABCDEF12345"
++Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
++Result = KEYOP_INIT_ERROR
++
++# Digest too short
++Availablein = fips
++FIPSversion = >=3.4.0
++Verify = ECDSA-SHA1:P-256-PUBLIC
++Input = "0123456789ABCDEF123"
++Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
++Result = KEYOP_INIT_ERROR
++
++# Digest invalid
++Availablein = fips
++FIPSversion = >=3.4.0
++Verify = ECDSA-SHA1:P-256-PUBLIC
++Input = "0123456789ABCDEF1235"
++Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
++Result = KEYOP_INIT_ERROR
++
++# Invalid signature
++Availablein = fips
++FIPSversion = >=3.4.0
++Verify = ECDSA-SHA1:P-256-PUBLIC
++Input = "0123456789ABCDEF1234"
++Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec7
++Result = KEYOP_INIT_ERROR
++
++# BER signature
++Availablein = fips
++FIPSversion = >=3.4.0
++Verify = ECDSA-SHA1:P-256-PUBLIC
++Input = "0123456789ABCDEF1234"
++Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000
++Result = KEYOP_INIT_ERROR
++
++Availablein = fips
+ FIPSversion = >=3.4.0
+ Verify = ECDSA-SHA1:P-256-PUBLIC
+ Input = "0123456789ABCDEF1234"
+ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
++Result = KEYOP_INIT_ERROR
+ 
+ Title = Sign-Message and Verify-Message
+ 
+@@ -236,7 +284,7 @@ Securitycheck = 1
+ Unapproved = 1
+ CtrlInit = digest-check:0
+ Input = "Hello World"
+-Result = KEYOP_MISMATCH
++Result = KEYOP_INIT_ERROR
+ 
+ # Test that SHA1 is not allowed in fips mode for signing
+ Availablein = fips
+@@ -246,4 +294,4 @@ Securitycheck = 1
+ Unapproved = 1
+ CtrlInit = digest-check:0
+ Input = "0123456789ABCDEF1234"
+-Result = KEYOP_MISMATCH
++Result = KEYOP_INIT_ERROR
+diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+index 972e90f32f..61e2b4e3ac 100644
+--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
++++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+@@ -96,6 +96,7 @@ NDL6WCBbets=
+ 
+ Title = RSA tests
+ 
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+@@ -112,24 +113,28 @@ Ctrl = digest:SHA512-224
+ Input = "0123456789ABCDEF123456789ABC"
+ Output = 5f720e9488139bb21e1c2f027fd5ce5993e6d31c5a8faaee833487b3a944d66891178868ace8070cad3ee2ffbe54aa4885a15fd1a7cc5166970fe1fd8c0423e72bd3e3b56fc4a53ed80aaaeca42497f0ec3c62113edc05cd006608f5eef7ce3ad4cba1069f68731dd28a524a1f93fcdc5547112d48d45586dd943ba0d443be9635720d8a61697c54c96627f0d85c5fbeaa3b4af86a65cf2fc3800dd5de34c046985f25d0efc0bb6edccc1d08b3a4fb9c8faffe181c7e68b31e374ad1440a4a664eec9ca0dc53a9d2f5bc7d9940d866f64201bcbc63612754df45727ea24b531d7de83d1bb707444859fa35521320c33bf6f4dbeb6fb56e653adbf7af15843f17
+ 
++Availablein = default
+ VerifyRecover = RSA-2048
+ Ctrl = digest:SHA1
+ Input = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
+ Output = "0123456789ABCDEF1234"
+ 
+ # Leading zero in the signature
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+ Output = 00c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
+ Result = VERIFY_ERROR
+ 
++Availablein = default
+ VerifyRecover = RSA-2048
+ Ctrl = digest:SHA1
+ Input = 00c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
+ Result = KEYOP_ERROR
+ 
+ # Mismatched digest
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1233"
+@@ -137,6 +142,7 @@ Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2
+ Result = VERIFY_ERROR
+ 
+ # Corrupted signature
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1233"
+@@ -144,6 +150,7 @@ Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2
+ Result = VERIFY_ERROR
+ 
+ # parameter is not NULLt
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:sha1
+ Input = "0123456789ABCDEF1234"
+@@ -151,42 +158,49 @@ Output = 3ec3fc29eb6e122bd7aa361cd09fe1bcbe85311096a7b9e4799cedfb2351ce0ab7fe4e7
+ Result = VERIFY_ERROR
+ 
+ # embedded digest too long
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:sha1
+ Input = "0123456789ABCDEF1234"
+ Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
+ Result = VERIFY_ERROR
+ 
++Availablein = default
+ VerifyRecover = RSA-2048
+ Ctrl = digest:sha1
+ Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
+ Result = KEYOP_ERROR
+ 
+ # embedded digest too short
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:sha1
+ Input = "0123456789ABCDEF1234"
+ Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
+ Result = VERIFY_ERROR
+ 
++Availablein = default
+ VerifyRecover = RSA-2048
+ Ctrl = digest:sha1
+ Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
+ Result = KEYOP_ERROR
+ 
+ # Garbage after DigestInfo
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:sha1
+ Input = "0123456789ABCDEF1234"
+ Output = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274
+ Result = VERIFY_ERROR
+ 
++Availablein = default
+ VerifyRecover = RSA-2048
+ Ctrl = digest:sha1
+ Input = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274
+ Result = KEYOP_ERROR
+ 
+ # invalid tag for parameter
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:sha1
+ Input = "0123456789ABCDEF1234"
+@@ -195,6 +209,7 @@ Result = VERIFY_ERROR
+ 
+ # Verify using public key
+ 
++Availablein = default
+ Verify = RSA-2048-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+@@ -939,7 +954,8 @@ Input="0123456789ABCDEF0123456789ABCDEF"
+ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DDD0635A96B28F854E50145518482CB49E963054621B53C60C498D07C16E9C2789C893CF38D4D86900DE71BDE463BD2761D1271E358C7480A1AC0BAB930DDF39602AD1BC165B5D7436B516B7A7858E8EB7AB1C420EEB482F4D207F0E462B1724959320A084E13848D11D10FB593E66BF680BF6D3F345FC3E9C3DE60ABBAC37E1C6EC80A268C8D9FC49626C679097AA690BC1AA662B95EB8DB70390861AA0898229F9349B4B5FDD030D4928C47084708A933144BE23BD3C6E661B85B2C0EF9ED36D498D5B7320E8194D363D4AD478C059BAE804181965E0B81B663158A
+ 
+ # Verify using salt length auto detect
+-FIPSversion = <3.4.0
++# In the FIPS provider on RHEL-9, the default digest for PSS signatures is SHA-256
++Availablein = default
+ Verify = RSA-2048-PUBLIC
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_pss_saltlen:auto
+@@ -974,6 +990,10 @@ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DD
+ Result = VERIFY_ERROR
+ 
+ # Verify using default parameters, explicitly setting parameters
++# NOTE: RSA-PSS-DEFAULT contains a restriction to use SHA1 as digest, which
++# RHEL-9 does not support in FIPS mode; all these tests are thus marked
++# Availablein = default.
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_pss_saltlen:20
+@@ -982,6 +1002,7 @@ Input="0123456789ABCDEF0123"
+ Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
+ 
+ # Verify explicitly setting parameters "digest" salt length
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_pss_saltlen:digest
+@@ -990,20 +1011,21 @@ Input="0123456789ABCDEF0123"
+ Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
+ 
+ # Verify using salt length larger than minimum
+-FIPSversion = <3.4.0
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Ctrl = rsa_pss_saltlen:30
+ Input="0123456789ABCDEF0123"
+ Output = 6BF7EDC63A0BA184EEEC7F3020FEC8F5EBF38C2B76481881F48BCCE5796E7AB294548BA9AE810457C7723CABD1BDE94CF59CF7C0FC7461B22760C8ED703DD98E97BFDD61FA8D1181C411F6DEE5FF159F4850746D78EDEE385A363DC28E2CB373D5CAD7953F3BD5E639BE345732C03A1BDEA268814DA036EB1891C82D4012F3B903D86636055F87B96FC98806AD1B217685A4D754046A5DE0B0D7870664BE07902153EC85BA457BE7D7F89D7FE0F626D02A9CBBB2BB479DDA1A5CAE75247FB7BF6BFB15C1D3FD9E6B1573CCDBC72011C3B97716058BB11C7EA2E4E56ADAFE1F5DE6A7FD405AC5890100F9C3408EFFB5C73BF73F48177FF743B4B819D0699D507B
+ 
+ # Verify using maximum salt length
+-FIPSversion = <3.4.0
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Ctrl = rsa_pss_saltlen:max
+ Input="0123456789ABCDEF0123"
+ Output = 4470DCFE812DEE2E58E4301D4ED274AB348FE040B724B2CD1D8CD0914BFF375F0B86FCB32BFA8AEA9BD22BD7C4F1ADD4F3D215A5CFCC99055BAFECFC23800E9BECE19A08C66BEBC5802122D13A732E5958FC228DCC0B49B5B4B1154F032D8FA2F3564AA949C1310CC9266B0C47F86D449AC9D2E7678347E7266E2D7C888CCE1ADF44A109A293F8516AE2BD94CE220F26E137DB8E7A66BB9FCE052CDC1D0BE24D8CEBB20D10125F26B069F117044B9E1D16FDDAABCA5340AE1702F37D0E1C08A2E93801C0A41035C6C73DA02A0E32227EAFB0B85E79107B59650D0EE7DC32A6772CCCE90F06369B2880FE87ED76997BA61F5EA818091EE88F8B0D6F24D02A3FC6
+ 
+ # Attempt to change salt length below minimum
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Ctrl = rsa_pss_saltlen:0
+ Result = PKEY_CTRL_ERROR
+@@ -1011,21 +1033,25 @@ Result = PKEY_CTRL_ERROR
+ # Attempt to change padding mode
+ # Note this used to return PKEY_CTRL_INVALID
+ # but it is limited because setparams only returns 0 or 1.
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Ctrl = rsa_padding_mode:pkcs1
+ Result = PKEY_CTRL_ERROR
+ 
+ # Attempt to change digest
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Ctrl = digest:sha256
+ Result = PKEY_CTRL_ERROR
+ 
+ # Invalid key: rejected when we try to init
++Availablein = default
+ Verify = RSA-PSS-BAD
+ Result = KEYOP_INIT_ERROR
+ Reason = invalid salt length
+ 
+ # Invalid key: rejected when we try to init
++Availablein = default
+ Verify = RSA-PSS-BAD2
+ Result = KEYOP_INIT_ERROR
+ Reason = invalid salt length
+@@ -1081,36 +1107,42 @@ CAltWyuLbfXWce9jd8CSHLI8Jwpw4lmOb/idGfEFrMLT8Ms18pKA4Thrb2TE7yLh
+ 4fINDOjP+yJJvZohNwIDAQAB
+ -----END PUBLIC KEY-----
+ 
++Availablein = default
+ Verify=RSA-PSS-1
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=cd8b6538cb8e8de566b68bd067569dbf1ee2718e
+ Output=9074308fb598e9701b2294388e52f971faac2b60a5145af185df5287b5ed2887e57ce7fd44dc8634e407c8e0e4360bc226f3ec227f9d9e54638e8d31f5051215df6ebb9c2f9579aa77598a38f914b5b9c1bd83c4e2f9f382a0d0aa3542ffee65984a601bc69eb28deb27dca12c82c2d4c3f66cd500f1ff2b994d8a4e30cbb33c
+ 
++Availablein = default
+ Verify=RSA-PSS-1
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=e35befc17a1d160b9ce35fbd8eb16e7ee491d3fd
+ Output=3ef7f46e831bf92b32274142a585ffcefbdca7b32ae90d10fb0f0c729984f04ef29a9df0780775ce43739b97838390db0a5505e63de927028d9d29b219ca2c4517832558a55d694a6d25b9dab66003c4cccd907802193be5170d26147d37b93590241be51c25055f47ef62752cfbe21418fafe98c22c4d4d47724fdb5669e843
+ 
++Availablein = default
+ Verify=RSA-PSS-1
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0652ec67bcee30f9d2699122b91c19abdba89f91
+ Output=666026fba71bd3e7cf13157cc2c51a8e4aa684af9778f91849f34335d141c00154c4197621f9624a675b5abc22ee7d5baaffaae1c9baca2cc373b3f33e78e6143c395a91aa7faca664eb733afd14d8827259d99a7550faca501ef2b04e33c23aa51f4b9e8282efdb728cc0ab09405a91607c6369961bc8270d2d4f39fce612b1
+ 
++Availablein = default
+ Verify=RSA-PSS-1
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=39c21c4cceda9c1adf839c744e1212a6437575ec
+ Output=4609793b23e9d09362dc21bb47da0b4f3a7622649a47d464019b9aeafe53359c178c91cd58ba6bcb78be0346a7bc637f4b873d4bab38ee661f199634c547a1ad8442e03da015b136e543f7ab07c0c13e4225b8de8cce25d4f6eb8400f81f7e1833b7ee6e334d370964ca79fdb872b4d75223b5eeb08101591fb532d155a6de87
+ 
++Availablein = default
+ Verify=RSA-PSS-1
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=36dae913b77bd17cae6e7b09453d24544cebb33c
+ Output=1d2aad221ca4d31ddf13509239019398e3d14b32dc34dc5af4aeaea3c095af73479cf0a45e5629635a53a018377615b16cb9b13b3e09d671eb71e387b8545c5960da5a64776e768e82b2c93583bf104c3fdb23512b7b4e89f633dd0063a530db4524b01c3f384c09310e315a79dcd3d684022a7f31c865a664e316978b759fad
+ 
++Availablein = default
+ Verify=RSA-PSS-1
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+@@ -1126,36 +1158,42 @@ swU7R97S7NSkyu/WFIM9yLtiLzF+0Ha4BX/o3j+ESArV6D5KYZBKTySPs5cCc1fh
+ 0w5GMTmBXG/U/VrFuBcqRSMOy2MYoE8UVdhOWosCAwEAAQ==
+ -----END PUBLIC KEY-----
+ 
++Availablein = default
+ Verify=RSA-PSS-9
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=2715a49b8b0012cd7aee84c116446e6dfe3faec0
+ Output=586107226c3ce013a7c8f04d1a6a2959bb4b8e205ba43a27b50f124111bc35ef589b039f5932187cb696d7d9a32c0c38300a5cdda4834b62d2eb240af33f79d13dfbf095bf599e0d9686948c1964747b67e89c9aba5cd85016236f566cc5802cb13ead51bc7ca6bef3b94dcbdbb1d570469771df0e00b1a8a06777472d2316279edae86474668d4e1efff95f1de61c6020da32ae92bbf16520fef3cf4d88f61121f24bbd9fe91b59caf1235b2a93ff81fc403addf4ebdea84934a9cdaf8e1a9e
+ 
++Availablein = default
+ Verify=RSA-PSS-9
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=2dac956d53964748ac364d06595827c6b4f143cd
+ Output=80b6d643255209f0a456763897ac9ed259d459b49c2887e5882ecb4434cfd66dd7e1699375381e51cd7f554f2c271704b399d42b4be2540a0eca61951f55267f7c2878c122842dadb28b01bd5f8c025f7e228418a673c03d6bc0c736d0a29546bd67f786d9d692ccea778d71d98c2063b7a71092187a4d35af108111d83e83eae46c46aa34277e06044589903788f1d5e7cee25fb485e92949118814d6f2c3ee361489016f327fb5bc517eb50470bffa1afa5f4ce9aa0ce5b8ee19bf5501b958
+ 
++Availablein = default
+ Verify=RSA-PSS-9
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=28d98c46cccafbd3bc04e72f967a54bd3ea12298
+ Output=484408f3898cd5f53483f80819efbf2708c34d27a8b2a6fae8b322f9240237f981817aca1846f1084daa6d7c0795f6e5bf1af59c38e1858437ce1f7ec419b98c8736adf6dd9a00b1806d2bd3ad0a73775e05f52dfef3a59ab4b08143f0df05cd1ad9d04bececa6daa4a2129803e200cbc77787caf4c1d0663a6c5987b605952019782caf2ec1426d68fb94ed1d4be816a7ed081b77e6ab330b3ffc073820fecde3727fcbe295ee61a050a343658637c3fd659cfb63736de32d9f90d3c2f63eca
+ 
++Availablein = default
+ Verify=RSA-PSS-9
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0866d2ff5a79f25ef668cd6f31b42dee421e4c0e
+ Output=84ebeb481be59845b46468bafb471c0112e02b235d84b5d911cbd1926ee5074ae0424495cb20e82308b8ebb65f419a03fb40e72b78981d88aad143053685172c97b29c8b7bf0ae73b5b2263c403da0ed2f80ff7450af7828eb8b86f0028bd2a8b176a4d228cccea18394f238b09ff758cc00bc04301152355742f282b54e663a919e709d8da24ade5500a7b9aa50226e0ca52923e6c2d860ec50ff480fa57477e82b0565f4379f79c772d5c2da80af9fbf325ece6fc20b00961614bee89a183e
+ 
++Availablein = default
+ Verify=RSA-PSS-9
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=6a5b4be4cd36cc97dfde9995efbf8f097a4a991a
+ Output=82102df8cb91e7179919a04d26d335d64fbc2f872c44833943241de8454810274cdf3db5f42d423db152af7135f701420e39b494a67cbfd19f9119da233a23da5c6439b5ba0d2bc373eee3507001378d4a4073856b7fe2aba0b5ee93b27f4afec7d4d120921c83f606765b02c19e4d6a1a3b95fa4c422951be4f52131077ef17179729cddfbdb56950dbaceefe78cb16640a099ea56d24389eef10f8fecb31ba3ea3b227c0a86698bb89e3e9363905bf22777b2a3aa521b65b4cef76d83bde4c
+ 
++Availablein = default
+ Verify=RSA-PSS-9
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+@@ -1173,36 +1211,42 @@ F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5kGWC7IsXS9WNXR89dnxhNyGu
+ BQIDAQAB
+ -----END PUBLIC KEY-----
+ 
++Availablein = default
+ Verify=RSA-PSS-10
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=9596bb630cf6a8d4ea4600422b9eba8b13675dd4
+ Output=82c2b160093b8aa3c0f7522b19f87354066c77847abf2a9fce542d0e84e920c5afb49ffdfdace16560ee94a1369601148ebad7a0e151cf16331791a5727d05f21e74e7eb811440206935d744765a15e79f015cb66c532c87a6a05961c8bfad741a9a6657022894393e7223739796c02a77455d0f555b0ec01ddf259b6207fd0fd57614cef1a5573baaff4ec00069951659b85f24300a25160ca8522dc6e6727e57d019d7e63629b8fe5e89e25cc15beb3a647577559299280b9b28f79b0409000be25bbd96408ba3b43cc486184dd1c8e62553fa1af4040f60663de7f5e49c04388e257f1ce89c95dab48a315d9b66b1b7628233876ff2385230d070d07e1666
+ 
++Availablein = default
+ Verify=RSA-PSS-10
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=b503319399277fd6c1c8f1033cbf04199ea21716
+ Output=14ae35d9dd06ba92f7f3b897978aed7cd4bf5ff0b585a40bd46ce1b42cd2703053bb9044d64e813d8f96db2dd7007d10118f6f8f8496097ad75e1ff692341b2892ad55a633a1c55e7f0a0ad59a0e203a5b8278aec54dd8622e2831d87174f8caff43ee6c46445345d84a59659bfb92ecd4c818668695f34706f66828a89959637f2bf3e3251c24bdba4d4b7649da0022218b119c84e79a6527ec5b8a5f861c159952e23ec05e1e717346faefe8b1686825bd2b262fb2531066c0de09acde2e4231690728b5d85e115a2f6b92b79c25abc9bd9399ff8bcf825a52ea1f56ea76dd26f43baafa18bfa92a504cbd35699e26d1dcc5a2887385f3c63232f06f3244c3
+ 
++Availablein = default
+ Verify=RSA-PSS-10
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=50aaede8536b2c307208b275a67ae2df196c7628
+ Output=6e3e4d7b6b15d2fb46013b8900aa5bbb3939cf2c095717987042026ee62c74c54cffd5d7d57efbbf950a0f5c574fa09d3fc1c9f513b05b4ff50dd8df7edfa20102854c35e592180119a70ce5b085182aa02d9ea2aa90d1df03f2daae885ba2f5d05afdac97476f06b93b5bc94a1a80aa9116c4d615f333b098892b25fface266f5db5a5a3bcc10a824ed55aad35b727834fb8c07da28fcf416a5d9b2224f1f8b442b36f91e456fdea2d7cfe3367268de0307a4c74e924159ed33393d5e0655531c77327b89821bdedf880161c78cd4196b5419f7acc3f13e5ebf161b6e7c6724716ca33b85c2e25640192ac2859651d50bde7eb976e51cec828b98b6563b86bb
+ 
++Availablein = default
+ Verify=RSA-PSS-10
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=aa0b72b8b371ddd10c8ae474425ccccf8842a294
+ Output=34047ff96c4dc0dc90b2d4ff59a1a361a4754b255d2ee0af7d8bf87c9bc9e7ddeede33934c63ca1c0e3d262cb145ef932a1f2c0a997aa6a34f8eaee7477d82ccf09095a6b8acad38d4eec9fb7eab7ad02da1d11d8e54c1825e55bf58c2a23234b902be124f9e9038a8f68fa45dab72f66e0945bf1d8bacc9044c6f07098c9fcec58a3aab100c805178155f030a124c450e5acbda47d0e4f10b80a23f803e774d023b0015c20b9f9bbe7c91296338d5ecb471cafb032007b67a60be5f69504a9f01abb3cb467b260e2bce860be8d95bf92c0c8e1496ed1e528593a4abb6df462dde8a0968dffe4683116857a232f5ebf6c85be238745ad0f38f767a5fdbf486fb
+ 
++Availablein = default
+ Verify=RSA-PSS-10
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=fad3902c9750622a2bc672622c48270cc57d3ea8
+ Output=7e0935ea18f4d6c1d17ce82eb2b3836c55b384589ce19dfe743363ac9948d1f346b7bfddfe92efd78adb21faefc89ade42b10f374003fe122e67429a1cb8cbd1f8d9014564c44d120116f4990f1a6e38774c194bd1b8213286b077b0499d2e7b3f434ab12289c556684deed78131934bb3dd6537236f7c6f3dcb09d476be07721e37e1ceed9b2f7b406887bd53157305e1c8b4f84d733bc1e186fe06cc59b6edb8f4bd7ffefdf4f7ba9cfb9d570689b5a1a4109a746a690893db3799255a0cb9215d2d1cd490590e952e8c8786aa0011265252470c041dfbc3eec7c3cbf71c24869d115c0cb4a956f56d530b80ab589acfefc690751ddf36e8d383f83cedd2cc
+ 
++Availablein = default
+ Verify=RSA-PSS-10
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+@@ -1999,11 +2043,13 @@ Securitycheck = 1
+ Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78
+ Result = KEYOP_INIT_ERROR
+ 
+-# Verifying with SHA1 is permitted in fips mode for older applications
++# Verifying with SHA1 is not permitted on RHEL-9 in FIPS mode
++Availablein = fips
+ DigestVerify = SHA1
+ Key = RSA-2048
+ Input = "Hello "
+ Output = 87ea0e2226ef35e5a2aec9ca1222fcbe39ba723f05b3203564f671dd3601271806ead3240e61d424359ee3b17bd3e32f54b82df83998a8ac4148410710361de0400f9ddf98278618fbc87747a0531972543e6e5f18ab2fdfbfda02952f6ac69690e43864690af271bf43d4be9705b303d4ff994ab3abd4d5851562b73e59be3edc01cec41a4cc13b68206329bad1a46c6608d3609e951faa321d0fdbc765d54e9a7c59248d2f67913c9903e932b769c9c8a45520cabea06e8c0b231dd3bcc7f7ec55b46b0157ccb5fc5011fa57353cd3df32edcbadcb8d168133cbd0acfb64444cb040e1298f621508a38f79e14ae8c2c5c857f90aa9d24ef5fc07d34bf23859
++Result = DIGESTVERIFYINIT_ERROR
+ 
+ # Verifying with a 1024 bit key is permitted in fips mode for older applications
+ DigestVerify = SHA256
+@@ -2019,7 +2065,7 @@ Securitycheck = 1
+ Key = RSA-2048
+ Input = "Hello"
+ Result = DIGESTSIGNINIT_ERROR
+-Reason = invalid digest
++Reason = digest not allowed
+ 
+ # Signing with a 1024 bit key is not allowed in fips mode
+ Availablein = fips
+@@ -2085,7 +2131,7 @@ Unapproved = 1
+ CtrlInit = digest-check:0
+ Key = RSA-2048
+ Input = "Hello"
+-Result = SIGNATURE_MISMATCH
++Result = DIGESTSIGNINIT_ERROR
+ 
+ Availablein = fips
+ FIPSversion = >=3.4.0
+diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
+index d13dceaac5..ece29485f4 100644
+--- a/test/recipes/80-test_cms.t
++++ b/test/recipes/80-test_cms.t
+@@ -174,7 +174,7 @@ my @smime_pkcs7_tests = (
+       [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1",
+         "-certfile", $smroot,
+         "-signer", $smrsa1, "-out", "{output}.cms" ],
+-      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
++      [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms",
+         "-CAfile", $smroot, "-out", "{output}.txt" ],
+       \&final_compare
+     ],
+@@ -182,7 +182,7 @@ my @smime_pkcs7_tests = (
+     [ "signed zero-length content S/MIME format, RSA key SHA1",
+       [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1",
+         "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
+-      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
++      [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms",
+         "-CAfile", $smroot, "-out", "{output}.txt" ],
+       \&zero_compare
+     ],
+diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
+index 568a1ddba4..6332aaec4b 100755
+--- a/test/recipes/80-test_ssl_old.t
++++ b/test/recipes/80-test_ssl_old.t
+@@ -462,6 +462,9 @@ sub testssl {
+                'test sslv2/sslv3 with 1024bit DHE via BIO pair');
+           }
+ 
++        SKIP: {
++          skip "SSLv3 is not supported by the FIPS provider", 4
++              if $provider eq "fips";
+           ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])),
+              'test sslv2/sslv3 with server authentication');
+           ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])),
+@@ -470,6 +473,7 @@ sub testssl {
+              'test sslv2/sslv3 with both client and server authentication via BIO pair');
+           ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])),
+              'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify');
++         }
+ 
+         SKIP: {
+             skip "No IPv4 available on this machine", 4
+-- 
+2.50.0
+

0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch

@@ -0,0 +1,158 @@
+From 85acc91ca970f6509e67c93b46be12cf261bd3ad Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:16 +0100
+Subject: [PATCH 32/53] FIPS: RAND: FIPS-140-3 DRBG - NEEDS REVIEW
+
+providers/implementations/rands/crngt.c is gone
+
+Patch-name: 0076-FIPS-140-3-DRBG.patch
+Patch-id: 76
+Patch-status: |
+    # # Downstream only. Reseed DRBG using getrandom(GRND_RANDOM)
+    # # https://bugzilla.redhat.com/show_bug.cgi?id=2102541
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ crypto/rand/prov_seed.c                       |  9 ++-
+ providers/implementations/rands/drbg.c        | 11 ++-
+ .../implementations/rands/seeding/rand_unix.c | 68 ++-----------------
+ 3 files changed, 22 insertions(+), 66 deletions(-)
+
+diff --git a/crypto/rand/prov_seed.c b/crypto/rand/prov_seed.c
+index 2985c7f2d8..3202a28226 100644
+--- a/crypto/rand/prov_seed.c
++++ b/crypto/rand/prov_seed.c
+@@ -23,7 +23,14 @@ size_t ossl_rand_get_entropy(ossl_unused OSSL_LIB_CTX *ctx,
+     size_t entropy_available;
+     RAND_POOL *pool;
+ 
+-    pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
++    /*
++     * OpenSSL still implements an internal entropy pool of
++     * some size that is hashed to get seed data.
++     * Note that this is a conditioning step for which SP800-90C requires
++     * 64 additional bits from the entropy source to claim the requested
++     * amount of entropy.
++     */
++    pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
+     if (pool == NULL) {
+         ERR_raise(ERR_LIB_RAND, ERR_R_RAND_LIB);
+         return 0;
+diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c
+index 4925a3b400..1cdb67b22c 100644
+--- a/providers/implementations/rands/drbg.c
++++ b/providers/implementations/rands/drbg.c
+@@ -559,6 +559,9 @@ static int ossl_prov_drbg_reseed_unlocked(PROV_DRBG *drbg,
+ #endif
+     }
+ 
++#ifdef FIPS_MODULE
++    prediction_resistance = 1;
++#endif
+     /* Reseed using our sources in addition */
+     entropylen = get_entropy(drbg, &entropy, drbg->strength,
+                              drbg->min_entropylen, drbg->max_entropylen,
+@@ -680,8 +683,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
+             reseed_required = 1;
+     }
+     if (drbg->parent != NULL
+-            && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
++            && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) {
++#ifdef FIPS_MODULE
++        /* Red Hat patches provide chain reseeding when necessary so just sync counters*/
++        drbg->parent_reseed_counter = get_parent_reseed_count(drbg);
++#else
+         reseed_required = 1;
++#endif
++        }
+ 
+     if (reseed_required || prediction_resistance) {
+         if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL,
+diff --git a/providers/implementations/rands/seeding/rand_unix.c b/providers/implementations/rands/seeding/rand_unix.c
+index c3a5d8b3bf..b7b34a9345 100644
+--- a/providers/implementations/rands/seeding/rand_unix.c
++++ b/providers/implementations/rands/seeding/rand_unix.c
+@@ -53,6 +53,8 @@
+ # include <fcntl.h>
+ # include <unistd.h>
+ # include <sys/time.h>
++# include <sys/random.h>
++# include <openssl/evp.h>
+ 
+ static uint64_t get_time_stamp(void);
+ 
+@@ -339,70 +341,8 @@ static ssize_t syscall_random(void *buf, size_t buflen)
+      * which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion
+      * between size_t and ssize_t is safe even without a range check.
+      */
+-
+-    /*
+-     * Do runtime detection to find getentropy().
+-     *
+-     * Known OSs that should support this:
+-     * - Darwin since 16 (OSX 10.12, IOS 10.0).
+-     * - Solaris since 11.3
+-     * - OpenBSD since 5.6
+-     * - Linux since 3.17 with glibc 2.25
+-     *
+-     * Note: Sometimes getentropy() can be provided but not implemented
+-     * internally. So we need to check errno for ENOSYS
+-     */
+-#  if !defined(__DragonFly__) && !defined(__NetBSD__) && !defined(__FreeBSD__)
+-#    if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
+-    extern int getentropy(void *buffer, size_t length) __attribute__((weak));
+-
+-    if (getentropy != NULL) {
+-        if (getentropy(buf, buflen) == 0)
+-            return (ssize_t)buflen;
+-        if (errno != ENOSYS)
+-            return -1;
+-    }
+-#    elif defined(OPENSSL_APPLE_CRYPTO_RANDOM)
+-
+-    if (CCRandomGenerateBytes(buf, buflen) == kCCSuccess)
+-	    return (ssize_t)buflen;
+-
+-    return -1;
+-#    else
+-    union {
+-        void *p;
+-        int (*f)(void *buffer, size_t length);
+-    } p_getentropy;
+-
+-    /*
+-     * We could cache the result of the lookup, but we normally don't
+-     * call this function often.
+-     */
+-    ERR_set_mark();
+-    p_getentropy.p = DSO_global_lookup("getentropy");
+-    ERR_pop_to_mark();
+-    if (p_getentropy.p != NULL)
+-        return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
+-#    endif
+-#  endif /* !__DragonFly__ && !__NetBSD__ && !__FreeBSD__ */
+-
+-    /* Linux supports this since version 3.17 */
+-#  if defined(__linux) && defined(__NR_getrandom)
+-    return syscall(__NR_getrandom, buf, buflen, 0);
+-#  elif (defined(__DragonFly__)  && __DragonFly_version >= 500700) \
+-     || (defined(__NetBSD__) && __NetBSD_Version >= 1000000000) \
+-     || (defined(__FreeBSD__) && __FreeBSD_version >= 1200061)
+-    return getrandom(buf, buflen, 0);
+-#  elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
+-    return sysctl_random(buf, buflen);
+-#  elif defined(__wasi__)
+-    if (getentropy(buf, buflen) == 0)
+-      return (ssize_t)buflen;
+-    return -1;
+-#  else
+-    errno = ENOSYS;
+-    return -1;
+-#  endif
++    /* Red Hat uses downstream patch to always seed from getrandom() */
++    return EVP_default_properties_is_fips_enabled(NULL) ? getrandom(buf, buflen, GRND_RANDOM) : getrandom(buf, buflen, 0);
+ }
+ #  endif    /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
+ 
+-- 
+2.50.0
+

0034-FIPS-PBKDF2-Set-minimum-password-length.patch

@@ -0,0 +1,121 @@
+From 1a83f0de8b9aaa1cf5727f0599b089346ffd89f4 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:17 +0100
+Subject: [PATCH 34/53] FIPS: PBKDF2: Set minimum password length
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The Implementation Guidance for FIPS 140-3 says in section D.N
+"Password-Based Key Derivation for Storage Applications" that "the
+vendor shall document in the module’s Security Policy the length of
+a password/passphrase used in key derivation and establish an upper
+bound for the probability of having this parameter guessed at random.
+This probability shall take into account not only the length of the
+password/passphrase, but also the difficulty of guessing it. The
+decision on the minimum length of a password used for key derivation is
+the vendor’s, but the vendor shall at a minimum informally justify the
+decision."
+
+We are choosing a minimum password length of 8 bytes, because NIST's
+ACVP testing uses passwords as short as 8 bytes, and requiring longer
+passwords combined with an implicit indicator (i.e., returning an error)
+would cause the module to fail ACVP testing.
+
+Signed-off-by: Clemens Lang <cllang@redhat.com>
+
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ providers/implementations/kdfs/pbkdf2.c | 39 +++++++++++++++++++++----
+ 1 file changed, 33 insertions(+), 6 deletions(-)
+
+diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
+index b383314064..68f9355b7d 100644
+--- a/providers/implementations/kdfs/pbkdf2.c
++++ b/providers/implementations/kdfs/pbkdf2.c
+@@ -36,6 +36,21 @@
+ #define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF
+ #define KDF_PBKDF2_MIN_ITERATIONS 1000
+ #define KDF_PBKDF2_MIN_SALT_LEN   (128 / 8)
++/* The Implementation Guidance for FIPS 140-3 says in section D.N
++ * "Password-Based Key Derivation for Storage Applications" that "the vendor
++ * shall document in the module’s Security Policy the length of
++ * a password/passphrase used in key derivation and establish an upper bound
++ * for the probability of having this parameter guessed at random. This
++ * probability shall take into account not only the length of the
++ * password/passphrase, but also the difficulty of guessing it. The decision on
++ * the minimum length of a password used for key derivation is the vendor’s,
++ * but the vendor shall at a minimum informally justify the decision."
++ *
++ * We are choosing a minimum password length of 8 bytes, because NIST's ACVP
++ * testing uses passwords as short as 8 bytes, and requiring longer passwords
++ * combined with an implicit indicator (i.e., returning an error) would cause
++ * the module to fail ACVP testing. */
++#define KDF_PBKDF2_MIN_PASSWORD_LEN (8)
+ 
+ static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf2_new;
+ static OSSL_FUNC_kdf_dupctx_fn kdf_pbkdf2_dup;
+@@ -179,8 +194,8 @@ static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen,
+ }
+ 
+ static int pbkdf2_lower_bound_check_passed(int saltlen, uint64_t iter,
+-                                           size_t keylen, int *error,
+-                                           const char **desc)
++                                           size_t keylen, size_t passlen,
++                                           int *error, const char **desc)
+ {
+     if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) {
+         *error = PROV_R_KEY_SIZE_TOO_SMALL;
+@@ -200,7 +215,12 @@ static int pbkdf2_lower_bound_check_passed(int saltlen, uint64_t iter,
+             *desc = "Iteration count";
+         return 0;
+     }
+-
++    if (passlen < KDF_PBKDF2_MIN_PASSWORD_LEN) {
++        *error = PROV_R_INVALID_INPUT_LENGTH;
++        if (desc != NULL)
++            *desc = "Password length";
++        return 0;
++    }
+     return 1;
+ }
+ 
+@@ -211,7 +231,8 @@ static int fips_lower_bound_check_passed(KDF_PBKDF2 *ctx, size_t keylen)
+     int error = 0;
+     const char *desc = NULL;
+     int approved = pbkdf2_lower_bound_check_passed(ctx->salt_len, ctx->iter,
+-                                                   keylen, &error, &desc);
++                                                   keylen, ctx->pass_len,
++                                                   &error, &desc);
+ 
+     if (!approved) {
+         if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, libctx,
+@@ -283,9 +304,15 @@ static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+ #endif
+     }
+ 
+-    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL)
++    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL) {
++        if (ctx->lower_bound_checks != 0
++            && p->data_size < KDF_PBKDF2_MIN_PASSWORD_LEN) {
++            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
++            return 0;
++        }
+         if (!pbkdf2_set_membuf(&ctx->pass, &ctx->pass_len, p))
+             return 0;
++    }
+ 
+     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) {
+         if (ctx->lower_bound_checks != 0
+@@ -406,7 +433,7 @@ static int pbkdf2_derive(KDF_PBKDF2 *ctx, const char *pass, size_t passlen,
+     if (lower_bound_checks) {
+         int error = 0;
+         int passed = pbkdf2_lower_bound_check_passed(saltlen, iter, keylen,
+-                                                     &error, NULL);
++                                                     passlen, &error, NULL);
+ 
+         if (!passed) {
+             ERR_raise(ERR_LIB_PROV, error);
+-- 
+2.50.0
+

0035-FIPS-DH-PCT.patch

@@ -0,0 +1,73 @@
+From 5276208d8cb9a1504ec5a4f9a9d554daf7918731 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Mon, 24 Mar 2025 10:49:00 -0400
+Subject: [PATCH 35/53] FIPS: DH: PCT
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ crypto/dh/dh_key.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
+index 7132b9b68e..189bfc3e8b 100644
+--- a/crypto/dh/dh_key.c
++++ b/crypto/dh/dh_key.c
+@@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
+     BN_MONT_CTX *mont = NULL;
+     BIGNUM *z = NULL, *pminus1;
+     int ret = -1;
++#ifdef FIPS_MODULE
++    int validate = 0;
++#endif
+ 
+     if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
+         ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
+@@ -60,6 +63,13 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
+         return 0;
+     }
+ 
++#ifdef FIPS_MODULE
++    if (DH_check_pub_key(dh, pub_key, &validate) <= 0) {
++        ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID);
++        return 0;
++    }
++#endif
++
+     ctx = BN_CTX_new_ex(dh->libctx);
+     if (ctx == NULL)
+         goto err;
+@@ -271,6 +281,9 @@ static int generate_key(DH *dh)
+ #endif
+     BN_CTX *ctx = NULL;
+     BIGNUM *pub_key = NULL, *priv_key = NULL;
++#ifdef FIPS_MODULE
++    int validate = 0;
++#endif
+ 
+     if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
+         ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
+@@ -369,8 +382,21 @@ static int generate_key(DH *dh)
+     if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key))
+         goto err;
+ 
++#ifdef FIPS_MODULE
++    if (DH_check_pub_key(dh, pub_key, &validate) <= 0) {
++        ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID);
++        goto err;
++    }
++#endif
++
+     dh->pub_key = pub_key;
+     dh->priv_key = priv_key;
++#ifdef FIPS_MODULE
++    if (ossl_dh_check_pairwise(dh) <= 0) {
++        abort();
++    }
++#endif
++
+     dh->dirty_cnt++;
+     ok = 1;
+  err:
+-- 
+2.50.0
+

0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch

@@ -0,0 +1,330 @@
+From ad3ca70961e0067afd8c8b386fdcc61a576ac11b Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:17 +0100
+Subject: [PATCH 36/53] FIPS: DH: Disable FIPS 186-4 type parameters
+
+For DH parameter and key pair generation/verification, the DSA
+procedures specified in FIPS 186-4 are used. With the release of FIPS
+186-5 and the removal of DSA, the approved status of these groups is in
+peril. Once the transition for DSA ends (this transition will be 1 year
+long and start once CMVP has published the guidance), no more
+submissions claiming DSA will be allowed. Hence, FIPS 186-type
+parameters will also be automatically non-approved.
+
+In the FIPS provider, disable validation of any DH parameters that are
+not well-known groups, and remove DH parameter generation completely.
+
+Adjust tests to use well-known groups or larger DH groups where this
+change would now cause failures, and skip tests that are expected to
+fail due to this change.
+
+Related: rhbz#2169757, rhbz#2169757
+Signed-off-by: Clemens Lang <cllang@redhat.com>
+
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+
+NOTE: Dropped changes in test/recipes/80-test_cms.t
+---
+ crypto/dh/dh_backend.c                       | 10 ++++
+ crypto/dh/dh_check.c                         | 12 ++--
+ crypto/dh/dh_gen.c                           | 12 +++-
+ crypto/dh/dh_key.c                           | 13 ++--
+ crypto/dh/dh_pmeth.c                         | 10 +++-
+ providers/implementations/keymgmt/dh_kmgmt.c |  5 ++
+ test/endecode_test.c                         |  4 +-
+ test/evp_libctx_test.c                       |  2 +-
+ test/helpers/predefined_dhparams.c           | 62 ++++++++++++++++++++
+ test/helpers/predefined_dhparams.h           |  1 +
+ test/recipes/80-test_ssl_old.t               |  3 +
+ 11 files changed, 116 insertions(+), 18 deletions(-)
+
+diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c
+index 1aaa88daca..aa3a491799 100644
+--- a/crypto/dh/dh_backend.c
++++ b/crypto/dh/dh_backend.c
+@@ -47,6 +47,16 @@ int ossl_dh_params_fromdata(DH *dh, const OSSL_PARAM params[])
+     if (!dh_ffc_params_fromdata(dh, params))
+         return 0;
+ 
++#ifdef FIPS_MODULE
++    if (!ossl_dh_is_named_safe_prime_group(dh)) {
++        ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
++                       "FIPS 186-4 type domain parameters no longer allowed in"
++                       " FIPS mode, since the required validation routines"
++                       " were removed from FIPS 186-5");
++        return 0;
++    }
++#endif
++
+     param_priv_len =
+         OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_PRIV_LEN);
+     if (param_priv_len != NULL
+diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
+index ae23f61839..6e30a9b735 100644
+--- a/crypto/dh/dh_check.c
++++ b/crypto/dh/dh_check.c
+@@ -57,13 +57,15 @@ int DH_check_params(const DH *dh, int *ret)
+     nid = DH_get_nid((DH *)dh);
+     if (nid != NID_undef)
+         return 1;
++
+     /*
+-     * OR
+-     * (2b) FFC domain params conform to FIPS-186-4 explicit domain param
+-     * validity tests.
++     * FIPS 186-4 explicit domain parameters are no longer supported in FIPS mode.
+      */
+-    return ossl_ffc_params_FIPS186_4_validate(dh->libctx, &dh->params,
+-                                              FFC_PARAM_TYPE_DH, ret, NULL);
++    ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
++                   "FIPS 186-4 type domain parameters no longer allowed in"
++                   " FIPS mode, since the required validation routines were"
++                   " removed from FIPS 186-5");
++    return 0;
+ }
+ #else
+ int DH_check_params(const DH *dh, int *ret)
+diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c
+index b73bfb7f3b..275ce2c1af 100644
+--- a/crypto/dh/dh_gen.c
++++ b/crypto/dh/dh_gen.c
+@@ -39,18 +39,26 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
+ int ossl_dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits,
+                                     BN_GENCB *cb)
+ {
+-    int ret, res;
++    int ret = 0;
+ 
+ #ifndef FIPS_MODULE
++    int res;
++
+     if (type == DH_PARAMGEN_TYPE_FIPS_186_2)
+         ret = ossl_ffc_params_FIPS186_2_generate(dh->libctx, &dh->params,
+                                                  FFC_PARAM_TYPE_DH,
+                                                  pbits, qbits, &res, cb);
+     else
+-#endif
+         ret = ossl_ffc_params_FIPS186_4_generate(dh->libctx, &dh->params,
+                                                  FFC_PARAM_TYPE_DH,
+                                                  pbits, qbits, &res, cb);
++#else
++    /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */
++    ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
++                   "FIPS 186-4 type domain parameters no longer allowed in"
++                   " FIPS mode, since the required generation routines were"
++                   " removed from FIPS 186-5");
++#endif
+     if (ret > 0)
+         dh->dirty_cnt++;
+     return ret;
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
+index 189bfc3e8b..023d628502 100644
+--- a/crypto/dh/dh_key.c
++++ b/crypto/dh/dh_key.c
+@@ -336,8 +336,12 @@ static int generate_key(DH *dh)
+                 goto err;
+         } else {
+ #ifdef FIPS_MODULE
+-            if (dh->params.q == NULL)
+-                goto err;
++            ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
++                           "FIPS 186-4 type domain parameters no longer"
++                           " allowed in FIPS mode, since the required"
++                           " generation routines were removed from FIPS"
++                           " 186-5");
++            goto err;
+ #else
+             if (dh->params.q == NULL) {
+                 /* secret exponent length, must satisfy 2^(l-1) <= p */
+@@ -358,9 +362,7 @@ static int generate_key(DH *dh)
+                     if (!BN_clear_bit(priv_key, 0))
+                         goto err;
+                 }
+-            } else
+-#endif
+-            {
++            } else {
+                 /* Do a partial check for invalid p, q, g */
+                 if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params,
+                                                      FFC_PARAM_TYPE_DH, NULL))
+@@ -376,6 +378,7 @@ static int generate_key(DH *dh)
+                                                    priv_key))
+                     goto err;
+             }
++#endif
+         }
+     }
+ 
+diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
+index 3b75a537b3..6ea7a423d5 100644
+--- a/crypto/dh/dh_pmeth.c
++++ b/crypto/dh/dh_pmeth.c
+@@ -303,13 +303,17 @@ static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx,
+                                                 prime_len, subprime_len, &res,
+                                                 pcb);
+     else
+-# endif
+-    /* For FIPS we always use the DH_PARAMGEN_TYPE_FIPS_186_4 generator */
+-    if (dctx->paramgen_type >= DH_PARAMGEN_TYPE_FIPS_186_2)
+         rv = ossl_ffc_params_FIPS186_4_generate(libctx, &ret->params,
+                                                 FFC_PARAM_TYPE_DH,
+                                                 prime_len, subprime_len, &res,
+                                                 pcb);
++# else
++    /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */
++    ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
++                   "FIPS 186-4 type domain parameters no longer allowed in"
++                   " FIPS mode, since the required generation routines were"
++                   " removed from FIPS 186-5");
++# endif
+     if (rv <= 0) {
+         DH_free(ret);
+         return NULL;
+diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
+index c2ee859355..51c21e436f 100644
+--- a/providers/implementations/keymgmt/dh_kmgmt.c
++++ b/providers/implementations/keymgmt/dh_kmgmt.c
+@@ -420,6 +420,11 @@ static int dh_validate(const void *keydata, int selection, int checktype)
+     if ((selection & DH_POSSIBLE_SELECTIONS) == 0)
+         return 1; /* nothing to validate */
+ 
++#ifdef FIPS_MODULE
++    /* In FIPS provider, always check the domain parameters to disallow
++     * operations on keys with FIPS 186-4 params. */
++    selection |= OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS;
++#endif
+     if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) {
+         /*
+          * Both of these functions check parameters. DH_check_params_ex()
+diff --git a/test/endecode_test.c b/test/endecode_test.c
+index 85c84f6592..d2ff9e6eb6 100644
+--- a/test/endecode_test.c
++++ b/test/endecode_test.c
+@@ -85,10 +85,10 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams)
+      * for testing only. Use a minimum key size of 2048 for security purposes.
+      */
+     if (strcmp(type, "DH") == 0)
+-        return get_dh512(keyctx);
++        return get_dh2048(keyctx);
+ 
+     if (strcmp(type, "X9.42 DH") == 0)
+-        return get_dhx512(keyctx);
++        return get_dhx_ffdhe2048(keyctx);
+ # endif
+ 
+     /*
+diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
+index 039fca9bb0..2838f343bd 100644
+--- a/test/evp_libctx_test.c
++++ b/test/evp_libctx_test.c
+@@ -222,7 +222,7 @@ static int do_dh_param_keygen(int tstid, const BIGNUM **bn)
+ 
+     if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL))
+         || !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0)
+-        || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey), expected))
++        || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey) == 1, expected))
+         goto err;
+ 
+     if (expected) {
+diff --git a/test/helpers/predefined_dhparams.c b/test/helpers/predefined_dhparams.c
+index 4bdadc4143..e5186e4b4a 100644
+--- a/test/helpers/predefined_dhparams.c
++++ b/test/helpers/predefined_dhparams.c
+@@ -116,6 +116,68 @@ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx)
+                           dhx512_q, sizeof(dhx512_q));
+ }
+ 
++EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx)
++{
++    /* This is RFC 7919 ffdhe2048, since Red Hat removes support for
++     * non-well-known groups in FIPS mode. */
++    static unsigned char dhx_p[] = {
++        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xad, 0xf8, 0x54, 0x58,
++        0xa2, 0xbb, 0x4a, 0x9a, 0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1,
++        0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95, 0xa9, 0xe1, 0x36, 0x41,
++        0x14, 0x64, 0x33, 0xfb, 0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9,
++        0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8, 0xf6, 0x81, 0xb2, 0x02,
++        0xae, 0xc4, 0x61, 0x7a, 0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61,
++        0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0, 0x85, 0x63, 0x65, 0x55,
++        0x3d, 0xed, 0x1a, 0xf3, 0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35,
++        0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77, 0xe2, 0xa6, 0x89, 0xda,
++        0xf3, 0xef, 0xe8, 0x72, 0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35,
++        0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a, 0xbc, 0x0a, 0xb1, 0x82,
++        0xb3, 0x24, 0xfb, 0x61, 0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb,
++        0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68, 0x1d, 0x4f, 0x42, 0xa3,
++        0xde, 0x39, 0x4d, 0xf4, 0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19,
++        0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70, 0x9e, 0x02, 0xfc, 0xe1,
++        0xcd, 0xf7, 0xe2, 0xec, 0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61,
++        0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff, 0x8e, 0x4f, 0x12, 0x32,
++        0xee, 0xf2, 0x81, 0x83, 0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73,
++        0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05, 0xc5, 0x8e, 0xf1, 0x83,
++        0x7d, 0x16, 0x83, 0xb2, 0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa,
++        0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97, 0xff, 0xff, 0xff, 0xff,
++        0xff, 0xff, 0xff, 0xff
++    };
++    static unsigned char dhx_g[] = {
++        0x02
++    };
++    static unsigned char dhx_q[] = {
++        0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xd6, 0xfc, 0x2a, 0x2c,
++        0x51, 0x5d, 0xa5, 0x4d, 0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78,
++        0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a, 0xd4, 0xf0, 0x9b, 0x20,
++        0x8a, 0x32, 0x19, 0xfd, 0xe6, 0x49, 0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c,
++        0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec, 0x7b, 0x40, 0xd9, 0x01,
++        0x57, 0x62, 0x30, 0xbd, 0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0,
++        0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68, 0x42, 0xb1, 0xb2, 0xaa,
++        0x9e, 0xf6, 0x8d, 0x79, 0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a,
++        0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb, 0xf1, 0x53, 0x44, 0xed,
++        0x79, 0xf7, 0xf4, 0x39, 0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a,
++        0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd, 0x5e, 0x05, 0x58, 0xc1,
++        0x59, 0x92, 0x7d, 0xb0, 0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd,
++        0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34, 0x0e, 0xa7, 0xa1, 0x51,
++        0xef, 0x1c, 0xa6, 0xfa, 0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c,
++        0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8, 0x4f, 0x01, 0x7e, 0x70,
++        0xe6, 0xfb, 0xf1, 0x76, 0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0,
++        0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff, 0xc7, 0x27, 0x89, 0x19,
++        0x77, 0x79, 0x40, 0xc1, 0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9,
++        0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02, 0xe2, 0xc7, 0x78, 0xc1,
++        0xbe, 0x8b, 0x41, 0xd9, 0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd,
++        0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b, 0xff, 0xff, 0xff, 0xff,
++        0xff, 0xff, 0xff, 0xff
++    };
++
++    return get_dh_from_pg(libctx, "X9.42 DH",
++                          dhx_p, sizeof(dhx_p),
++                          dhx_g, sizeof(dhx_g),
++                          dhx_q, sizeof(dhx_q));
++}
++
+ EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libctx)
+ {
+     static unsigned char dh1024_p[] = {
+diff --git a/test/helpers/predefined_dhparams.h b/test/helpers/predefined_dhparams.h
+index f0e8709062..2ff6d6e721 100644
+--- a/test/helpers/predefined_dhparams.h
++++ b/test/helpers/predefined_dhparams.h
+@@ -12,6 +12,7 @@
+ #ifndef OPENSSL_NO_DH
+ EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx);
+ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx);
++EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx);
+ EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libct);
+ EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx);
+ EVP_PKEY *get_dh4096(OSSL_LIB_CTX *libctx);
+diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
+index 6332aaec4b..4d8c900c00 100755
+--- a/test/recipes/80-test_ssl_old.t
++++ b/test/recipes/80-test_ssl_old.t
+@@ -458,6 +458,9 @@ sub testssl {
+             skip "skipping dhe1024dsa test", 1
+                 if ($no_dh);
+ 
++            skip "FIPS 186-4 type DH groups are no longer supported by the FIPS provider", 1
++                if $provider eq "fips";
++
+             ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])),
+                'test sslv2/sslv3 with 1024bit DHE via BIO pair');
+           }
+-- 
+2.50.0
+

0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch

@@ -0,0 +1,192 @@
+From 14cddfc71e0eae69aafdf84c1dfb073bb69942f1 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:17 +0100
+Subject: [PATCH 37/53] FIPS: TLS: Enforce EMS in TLS 1.2 - NOTE
+
+NOTE: Enforcement of EMS in non-FIPS mode has been dropped due to code
+change the option to enforce it seem to be available only in FIPS build
+
+Patch-name: 0114-FIPS-enforce-EMS-support.patch
+Patch-id: 114
+Patch-status: |
+    # # We believe that some changes present in CentOS are not necessary
+    # # because ustream has a check for FIPS version
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ doc/man3/SSL_CONF_cmd.pod                          |  3 +++
+ doc/man5/fips_config.pod                           | 13 +++++++++++++
+ include/openssl/ssl.h.in                           |  1 +
+ providers/fips/include/fips_indicator_params.inc   |  2 +-
+ ssl/ssl_conf.c                                     |  1 +
+ ssl/statem/extensions_srvr.c                       |  8 +++++++-
+ ssl/t1_enc.c                                       | 11 +++++++++--
+ test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt | 10 ++++++++++
+ test/sslapitest.c                                  |  2 +-
+ 9 files changed, 46 insertions(+), 5 deletions(-)
+
+diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
+index 9338ffc01d..911ea21a68 100644
+--- a/doc/man3/SSL_CONF_cmd.pod
++++ b/doc/man3/SSL_CONF_cmd.pod
+@@ -621,6 +621,9 @@ B<ExtendedMasterSecret>: use extended master secret extension, enabled by
+ default. Inverse of B<SSL_OP_NO_EXTENDED_MASTER_SECRET>: that is,
+ B<-ExtendedMasterSecret> is the same as setting B<SSL_OP_NO_EXTENDED_MASTER_SECRET>.
+ 
++B<RHNoEnforceEMSinFIPS>: allow establishing connections without EMS in FIPS mode.
++This is a RedHat-based OS specific option, and normally it should be set up via crypto policies.
++
+ B<CANames>: use CA names extension, enabled by
+ default. Inverse of B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>: that is,
+ B<-CANames> is the same as setting B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>.
+diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod
+index 15748c5756..34cbfbb2ad 100644
+--- a/doc/man5/fips_config.pod
++++ b/doc/man5/fips_config.pod
+@@ -11,6 +11,19 @@ automatically loaded when the system is booted in FIPS mode, or when the
+ environment variable B<OPENSSL_FORCE_FIPS_MODE> is set. See the documentation
+ for more information.
+ 
++Red Hat Enterprise Linux uses a supplementary config for FIPS module located in
++OpenSSL configuration directory and managed by crypto policies. If present, it
++should have format
++
++ [fips_sect]
++ tls1-prf-ems-check = 0
++ activate = 1
++
++The B<tls1-prf-ems-check> option specifies whether FIPS module will require the
++presence of extended master secret or not.
++
++The B<activate> option enforces FIPS provider activation.
++
+ =head1 COPYRIGHT
+ 
+ Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
+diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
+index d1b00e8454..b815f25dae 100644
+--- a/include/openssl/ssl.h.in
++++ b/include/openssl/ssl.h.in
+@@ -417,6 +417,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
+      * interoperability with CryptoPro CSP 3.x
+      */
+ # define SSL_OP_CRYPTOPRO_TLSEXT_BUG                     SSL_OP_BIT(31)
++# define SSL_OP_RH_PERMIT_NOEMS_FIPS                     SSL_OP_BIT(48)
+ /*
+  * Disable RFC8879 certificate compression
+  * SSL_OP_NO_TX_CERTIFICATE_COMPRESSION: don't send compressed certificates,
+diff --git a/providers/fips/include/fips_indicator_params.inc b/providers/fips/include/fips_indicator_params.inc
+index c1b029de86..47d1cf2d01 100644
+--- a/providers/fips/include/fips_indicator_params.inc
++++ b/providers/fips/include/fips_indicator_params.inc
+@@ -1,5 +1,5 @@
+ OSSL_FIPS_PARAM(security_checks, SECURITY_CHECKS, 1)
+-OSSL_FIPS_PARAM(tls1_prf_ems_check, TLS1_PRF_EMS_CHECK, 0)
++OSSL_FIPS_PARAM(tls1_prf_ems_check, TLS1_PRF_EMS_CHECK, 1)
+ OSSL_FIPS_PARAM(no_short_mac, NO_SHORT_MAC, 1)
+ OSSL_FIPS_PARAM(hmac_key_check, HMAC_KEY_CHECK, 0)
+ OSSL_FIPS_PARAM(kmac_key_check, KMAC_KEY_CHECK, 0)
+diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
+index 946d20be52..b52c1675fd 100644
+--- a/ssl/ssl_conf.c
++++ b/ssl/ssl_conf.c
+@@ -394,6 +394,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
+         SSL_FLAG_TBL("ClientRenegotiation",
+                      SSL_OP_ALLOW_CLIENT_RENEGOTIATION),
+         SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),
++        SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", SSL_OP_RH_PERMIT_NOEMS_FIPS),
+         SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION),
+         SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
+         SSL_FLAG_TBL("PreferNoDHEKEX", SSL_OP_PREFER_NO_DHE_KEX),
+diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
+index 1a09913ad6..936be81819 100644
+--- a/ssl/statem/extensions_srvr.c
++++ b/ssl/statem/extensions_srvr.c
+@@ -12,6 +12,7 @@
+ #include "statem_local.h"
+ #include "internal/cryptlib.h"
+ #include "internal/ssl_unwrap.h"
++#include <openssl/fips.h>
+ 
+ #define COOKIE_STATE_FORMAT_VERSION     1
+ 
+@@ -1886,8 +1887,13 @@ EXT_RETURN tls_construct_stoc_ems(SSL_CONNECTION *s, WPACKET *pkt,
+                                   unsigned int context,
+                                   X509 *x, size_t chainidx)
+ {
+-    if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
++    if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) {
++        if (FIPS_mode() && !(SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_RH_PERMIT_NOEMS_FIPS) ) {
++            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
++            return EXT_RETURN_FAIL;
++        }
+         return EXT_RETURN_NOT_SENT;
++    }
+ 
+     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
+             || !WPACKET_put_bytes_u16(pkt, 0)) {
+diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
+index 474ea7bf5b..e0e595e989 100644
+--- a/ssl/t1_enc.c
++++ b/ssl/t1_enc.c
+@@ -21,6 +21,7 @@
+ #include <openssl/obj_mac.h>
+ #include <openssl/core_names.h>
+ #include <openssl/trace.h>
++#include <openssl/fips.h>
+ 
+ /* seed1 through seed5 are concatenated */
+ static int tls1_PRF(SSL_CONNECTION *s,
+@@ -78,8 +79,14 @@ static int tls1_PRF(SSL_CONNECTION *s,
+     }
+ 
+  err:
+-    if (fatal)
+-        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++    if (fatal) {
++        /* The calls to this function are local so it's safe to implement the check */
++        if (FIPS_mode() && seed1_len >= TLS_MD_MASTER_SECRET_CONST_SIZE
++            && memcmp(seed1, TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
++            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
++	else
++            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++    }
+     else
+         ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
+     EVP_KDF_CTX_free(kctx);
+diff --git a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
+index 50944328cb..edb2e81273 100644
+--- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
++++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
+@@ -22,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587c
+ Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
+ Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
+ 
++Availablein = fips
++KDF = TLS1-PRF
++Ctrl.digest = digest:SHA256
++Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc
++Ctrl.label = seed:master secret
++Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c
++Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
++Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
++Result = KDF_DERIVE_ERROR
++
+ FIPSversion = <=3.1.0
+ KDF = TLS1-PRF
+ Ctrl.digest = digest:SHA256
+diff --git a/test/sslapitest.c b/test/sslapitest.c
+index 250a439137..acc4751095 100644
+--- a/test/sslapitest.c
++++ b/test/sslapitest.c
+@@ -575,7 +575,7 @@ static int test_client_cert_verify_cb(void)
+     STACK_OF(X509) *server_chain;
+     SSL_CTX *cctx = NULL, *sctx = NULL;
+     SSL *clientssl = NULL, *serverssl = NULL;
+-    int testresult = 0;
++    int testresult = 0, status;
+ 
+     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+                                        TLS_client_method(), TLS1_VERSION, 0,
+-- 
+2.50.0
+

0038-FIPS-CMS-Set-default-padding-to-OAEP.patch

@@ -0,0 +1,61 @@
+From ecc156faf9f4d65fd73a8ef7d8ec87f5b4c0ab88 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 13 Feb 2025 18:08:34 -0500
+Subject: [PATCH 38/53] FIPS: CMS: Set default padding to OAEP
+
+From-dist-git-commit: d508cbed930481c1960d6a6bc1e1a9593252dbbe
+---
+ apps/cms.c           |  1 +
+ crypto/cms/cms_env.c | 10 ++++++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/apps/cms.c b/apps/cms.c
+index 919d306ff6..b4950df759 100644
+--- a/apps/cms.c
++++ b/apps/cms.c
+@@ -20,6 +20,7 @@
+ #include <openssl/x509_vfy.h>
+ #include <openssl/x509v3.h>
+ #include <openssl/cms.h>
++#include <openssl/fips.h>
+ 
+ static int save_certs(char *signerfile, STACK_OF(X509) *signers);
+ static int cms_cb(int ok, X509_STORE_CTX *ctx);
+diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c
+index 375239c78d..e09ad03ece 100644
+--- a/crypto/cms/cms_env.c
++++ b/crypto/cms/cms_env.c
+@@ -14,6 +14,7 @@
+ #include <openssl/err.h>
+ #include <openssl/cms.h>
+ #include <openssl/evp.h>
++#include <openssl/fips.h>
+ #include "internal/sizes.h"
+ #include "crypto/asn1.h"
+ #include "crypto/evp.h"
+@@ -375,6 +376,10 @@ static int cms_RecipientInfo_ktri_init(CMS_RecipientInfo *ri, X509 *recip,
+             return 0;
+         if (EVP_PKEY_encrypt_init(ktri->pctx) <= 0)
+             return 0;
++        if (FIPS_mode()) {
++            if (EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_padding_mode", "oaep") <= 0)
++                return 0;
++        }
+     } else if (!ossl_cms_env_asn1_ctrl(ri, 0))
+         return 0;
+     return 1;
+@@ -540,6 +545,11 @@ static int cms_RecipientInfo_ktri_encrypt(const CMS_ContentInfo *cms,
+ 
+         if (EVP_PKEY_encrypt_init(pctx) <= 0)
+             goto err;
++
++        if (FIPS_mode()) {
++            if (EVP_PKEY_CTX_ctrl_str(pctx, "rsa_padding_mode", "oaep") <= 0)
++                goto err;
++        }
+     }
+ 
+     if (EVP_PKEY_encrypt(pctx, NULL, &eklen, ec->key, ec->keylen) <= 0)
+-- 
+2.50.0
+

0039-FIPS-PKCS12-PBMAC1-defaults.patch

@@ -0,0 +1,35 @@
+From 16b5a03db729e5977ab88b3107f99586be34006b Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 13 Feb 2025 18:16:29 -0500
+Subject: [PATCH 39/53] FIPS: PKCS12: PBMAC1 defaults
+
+From-dist-git-commit: 8fc2d4842385584094d57f6f66fcbc2a07865708
+---
+ apps/pkcs12.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/apps/pkcs12.c b/apps/pkcs12.c
+index 9964faf21a..59439a8cc0 100644
+--- a/apps/pkcs12.c
++++ b/apps/pkcs12.c
+@@ -17,6 +17,7 @@
+ #include <openssl/asn1.h>
+ #include <openssl/crypto.h>
+ #include <openssl/err.h>
++#include <openssl/evp.h>
+ #include <openssl/pem.h>
+ #include <openssl/pkcs12.h>
+ #include <openssl/provider.h>
+@@ -709,6 +710,9 @@ int pkcs12_main(int argc, char **argv)
+         }
+ 
+         if (maciter != -1) {
++            if (EVP_default_properties_is_fips_enabled(NULL))
++                pbmac1_pbkdf2 = 1;
++
+             if (pbmac1_pbkdf2 == 1) {
+                 if (!PKCS12_set_pbmac1_pbkdf2(p12, mpass, -1, NULL,
+                                               macsaltlen, maciter,
+-- 
+2.50.0
+

0040-FIPS-Fix-encoder-decoder-negative-test.patch

@@ -0,0 +1,35 @@
+From eea9e6867012efa55d7ae48ab9a87fd0da382b6b Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Wed, 5 Mar 2025 13:22:03 -0500
+Subject: [PATCH 40/53] FIPS: Fix encoder/decoder negative test
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ test/recipes/04-test_encoder_decoder.t | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+ mode change 100644 => 100755 test/recipes/04-test_encoder_decoder.t
+
+diff --git a/test/recipes/04-test_encoder_decoder.t b/test/recipes/04-test_encoder_decoder.t
+old mode 100644
+new mode 100755
+index 2acc980e90..660d4e1115
+--- a/test/recipes/04-test_encoder_decoder.t
++++ b/test/recipes/04-test_encoder_decoder.t
+@@ -75,10 +75,10 @@ SKIP: {
+ }
+     my $no_des = disabled("des");
+ SKIP: {
+-    skip "MD5 disabled", 2 if disabled("md5");
+-    ok(run(app([ 'openssl', 'genrsa', '-aes128', '-out', 'epki.pem',
+-                 '-traditional', '-passout', 'pass:pass' ])),
+-       "rsa encrypted using a non fips algorithm MD5 in pbe");
++    skip "DES disabled", 2 if disabled("des3");
++    ok(run(app([ 'openssl', 'genrsa', '-des3', '-out', 'epki.pem',
++                 '-traditional', '-passout', 'pass:pass'])),
++       "rsa encrypted using a non fips algorithm DES3 in pbe");
+ 
+     my $conf2 = srctop_file("test", "default-and-fips.cnf");
+     ok(run(test(['decoder_propq_test', '-config', $conf2,
+-- 
+2.50.0
+

0041-FIPS-EC-DH-DSA-PCTs.patch

@@ -0,0 +1,180 @@
+From 1e029f27fe022949adaba959ac3fa3c3c1eccb0b Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Mon, 24 Mar 2025 10:50:06 -0400
+Subject: [PATCH 41/53] FIPS: EC: DH/DSA PCTs
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ .../implementations/exchange/ecdh_exch.c      | 19 ++++++++++
+ providers/implementations/keymgmt/ec_kmgmt.c  | 24 +++++++++++-
+ .../implementations/signature/ecdsa_sig.c     | 37 +++++++++++++++++--
+ 3 files changed, 75 insertions(+), 5 deletions(-)
+
+diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c
+index 58fbc7bc09..98d4354f3e 100644
+--- a/providers/implementations/exchange/ecdh_exch.c
++++ b/providers/implementations/exchange/ecdh_exch.c
+@@ -560,6 +560,25 @@ int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret,
+ #endif
+ 
+     ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk);
++#ifdef FIPS_MODULE
++    {
++        BN_CTX *bn_ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(privk));
++        int check = 0;
++
++        if (bn_ctx == NULL) {
++            ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
++            goto end;
++        }
++
++        check = ossl_ec_key_public_check(pecdhctx->peerk, bn_ctx);
++        BN_CTX_free(bn_ctx);
++
++        if (check <= 0) {
++            ERR_raise(ERR_LIB_PROV, EC_R_INVALID_PEER_KEY);
++            goto end;
++        }
++    }
++#endif
+ 
+     retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL);
+ 
+diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
+index 9421aabb14..77531c4b59 100644
+--- a/providers/implementations/keymgmt/ec_kmgmt.c
++++ b/providers/implementations/keymgmt/ec_kmgmt.c
+@@ -993,9 +993,18 @@ struct ec_gen_ctx {
+     EC_GROUP *gen_group;
+     unsigned char *dhkem_ikm;
+     size_t dhkem_ikmlen;
++#ifdef FIPS_MODULE
++    void *ecdsa_sig_ctx;
++#endif
+     OSSL_FIPS_IND_DECLARE
+ };
+ 
++#ifdef FIPS_MODULE
++void *ecdsa_newctx(void *provctx, const char *propq);
++void ecdsa_freectx(void *vctx);
++int do_ec_pct(void *, const char *, void *);
++#endif
++
+ static void *ec_gen_init(void *provctx, int selection,
+                          const OSSL_PARAM params[])
+ {
+@@ -1015,6 +1024,10 @@ static void *ec_gen_init(void *provctx, int selection,
+             gctx = NULL;
+         }
+     }
++#ifdef FIPS_MODULE
++    if (gctx != NULL)
++        gctx->ecdsa_sig_ctx = ecdsa_newctx(provctx, NULL);
++#endif
+     return gctx;
+ }
+ 
+@@ -1326,6 +1339,12 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
+ 
+     if (gctx->ecdh_mode != -1)
+         ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode);
++#ifdef FIPS_MODULE
++    /* Pairwise consistency test */
++    if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0
++        && do_ec_pct(gctx->ecdsa_sig_ctx, "sha256", ec) != 1)
++        abort();
++#endif
+ 
+     if (gctx->group_check != NULL)
+         ret = ret && ossl_ec_set_check_group_type_from_name(ec,
+@@ -1396,7 +1415,10 @@ static void ec_gen_cleanup(void *genctx)
+ 
+     if (gctx == NULL)
+         return;
+-
++#ifdef FIPS_MODULE
++    ecdsa_freectx(gctx->ecdsa_sig_ctx);
++    gctx->ecdsa_sig_ctx = NULL;
++#endif
+     OPENSSL_clear_free(gctx->dhkem_ikm, gctx->dhkem_ikmlen);
+     EC_GROUP_free(gctx->gen_group);
+     BN_free(gctx->p);
+diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
+index 4e46eaf9bc..4d7c25728a 100644
+--- a/providers/implementations/signature/ecdsa_sig.c
++++ b/providers/implementations/signature/ecdsa_sig.c
+@@ -33,7 +33,7 @@
+ #include "prov/der_ec.h"
+ #include "crypto/ec.h"
+ 
+-static OSSL_FUNC_signature_newctx_fn ecdsa_newctx;
++OSSL_FUNC_signature_newctx_fn ecdsa_newctx;
+ static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init;
+ static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init;
+ static OSSL_FUNC_signature_sign_fn ecdsa_sign;
+@@ -48,7 +48,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final;
+ static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init;
+ static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update;
+ static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final;
+-static OSSL_FUNC_signature_freectx_fn ecdsa_freectx;
++OSSL_FUNC_signature_freectx_fn ecdsa_freectx;
+ static OSSL_FUNC_signature_dupctx_fn ecdsa_dupctx;
+ static OSSL_FUNC_signature_query_key_types_fn ecdsa_sigalg_query_key_types;
+ static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params;
+@@ -139,7 +139,7 @@ typedef struct {
+     OSSL_FIPS_IND_DECLARE
+ } PROV_ECDSA_CTX;
+ 
+-static void *ecdsa_newctx(void *provctx, const char *propq)
++void *ecdsa_newctx(void *provctx, const char *propq)
+ {
+     PROV_ECDSA_CTX *ctx;
+ 
+@@ -612,7 +612,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig,
+     return ok;
+ }
+ 
+-static void ecdsa_freectx(void *vctx)
++void ecdsa_freectx(void *vctx)
+ {
+     PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
+ 
+@@ -861,6 +861,35 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx)
+     return EVP_MD_settable_ctx_params(ctx->md);
+ }
+ 
++#ifdef FIPS_MODULE
++int do_ec_pct(void *vctx, const char *mdname, void *ec)
++{
++    static const unsigned char data[32];
++    unsigned char sigbuf[256];
++    size_t siglen = sizeof(sigbuf);
++
++    if (ecdsa_digest_sign_init(vctx, mdname, ec, NULL) <= 0)
++        return 0;
++
++    if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
++        return 0;
++
++    if (ecdsa_digest_sign_final(vctx, sigbuf, &siglen, sizeof(sigbuf)) <= 0)
++        return 0;
++
++    if (ecdsa_digest_verify_init(vctx, mdname, ec, NULL) <= 0)
++        return 0;
++
++    if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
++        return 0;
++
++    if (ecdsa_digest_verify_final(vctx, sigbuf, siglen) <= 0)
++        return 0;
++
++    return 1;
++}
++#endif
++
+ const OSSL_DISPATCH ossl_ecdsa_signature_functions[] = {
+     { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx },
+     { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init },
+-- 
+2.50.0
+

0042-FIPS-EC-disable-weak-curves.patch

@@ -0,0 +1,31 @@
+From 92b40ca85bbfa7acc9b16f2c7b370f2ea5fa3ffc Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Fri, 7 Mar 2025 18:06:36 -0500
+Subject: [PATCH 42/53] FIPS: EC: disable weak curves
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ apps/ecparam.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/apps/ecparam.c b/apps/ecparam.c
+index f0879dfb11..a6042e7d2a 100644
+--- a/apps/ecparam.c
++++ b/apps/ecparam.c
+@@ -77,6 +77,13 @@ static int list_builtin_curves(BIO *out)
+         const char *comment = curves[n].comment;
+         const char *sname = OBJ_nid2sn(curves[n].nid);
+ 
++        if (((curves[n].nid == NID_secp256k1) || (curves[n].nid == NID_brainpoolP256r1)
++            || (curves[n].nid == NID_brainpoolP256t1) || (curves[n].nid == NID_brainpoolP320r1)
++            || (curves[n].nid == NID_brainpoolP320t1) || (curves[n].nid == NID_brainpoolP384r1)
++            || (curves[n].nid == NID_brainpoolP384t1) || (curves[n].nid == NID_brainpoolP512r1)
++            || (curves[n].nid == NID_brainpoolP512t1)) && EVP_default_properties_is_fips_enabled(NULL))
++            continue;
++
+         if (comment == NULL)
+             comment = "CURVE DESCRIPTION NOT AVAILABLE";
+         if (sname == NULL)
+-- 
+2.50.0
+

0043-FIPS-NO-DSA-Support.patch

@@ -0,0 +1,400 @@
+From 2dbc4a1c31e66fd841a87f62834d8d60aff10d45 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Fri, 7 Mar 2025 18:10:52 -0500
+Subject: [PATCH 43/53] FIPS: NO DSA Support
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ providers/fips/fipsprov.c                     |  8 +++++---
+ providers/fips/self_test_data.inc             |  6 +++++-
+ test/acvp_test.c                              |  2 ++
+ test/endecode_test.c                          |  2 ++
+ test/recipes/15-test_gendsa.t                 |  2 +-
+ test/recipes/20-test_cli_fips.t               |  3 +--
+ test/recipes/30-test_evp.t                    |  7 ++-----
+ test/recipes/30-test_evp_data/evppkey_dsa.txt | 18 ++++++++++++++++-
+ test/recipes/80-test_cms.t                    | 20 +++++++++----------
+ 9 files changed, 45 insertions(+), 23 deletions(-)
+ mode change 100644 => 100755 test/recipes/30-test_evp.t
+
+diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
+index 1e90f363af..84d8e897cc 100644
+--- a/providers/fips/fipsprov.c
++++ b/providers/fips/fipsprov.c
+@@ -431,7 +431,8 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
+ };
+ 
+ static const OSSL_ALGORITHM fips_signature[] = {
+-#ifndef OPENSSL_NO_DSA
++/* We don't certify DSA in our FIPS provider */
++#if 0 /* #ifndef OPENSSL_NO_DSA */
+     { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
+     { PROV_NAMES_DSA_SHA1, FIPS_DEFAULT_PROPERTIES, ossl_dsa_sha1_signature_functions },
+     { PROV_NAMES_DSA_SHA224, FIPS_DEFAULT_PROPERTIES, ossl_dsa_sha224_signature_functions },
+@@ -561,8 +562,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
+       PROV_DESCS_DHX },
+ #endif
+ #ifndef OPENSSL_NO_DSA
+-    { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
+-      PROV_DESCS_DSA },
++    /* We don't certify DSA in our FIPS provider */
++    /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
++      PROV_DESCS_DSA }, */
+ #endif
+     { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions,
+       PROV_DESCS_RSA },
+diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
+index 5cbb5352a5..10ca473764 100644
+--- a/providers/fips/self_test_data.inc
++++ b/providers/fips/self_test_data.inc
+@@ -1522,8 +1522,9 @@ static const unsigned char ed448_expected_sig[] = {
+ # endif /* OPENSSL_NO_ECX */
+ #endif /* OPENSSL_NO_EC */
+ 
+-#ifndef OPENSSL_NO_DSA
+ /* dsa 2048 */
++#if 0
++#ifndef OPENSSL_NO_DSA
+ static const unsigned char dsa_p[] = {
+     0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23,
+     0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e,
+@@ -1651,6 +1652,7 @@ static const ST_KAT_PARAM dsa_key[] = {
+     ST_KAT_PARAM_END()
+ };
+ #endif /* OPENSSL_NO_DSA */
++#endif
+ 
+ #ifndef OPENSSL_NO_ML_DSA
+ static const unsigned char ml_dsa_65_pub_key[] = {
+@@ -3013,6 +3015,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
+     },
+ # endif /* OPENSSL_NO_ECX */
+ #endif /* OPENSSL_NO_EC */
++#if 0
+ #ifndef OPENSSL_NO_DSA
+     {
+         OSSL_SELF_TEST_DESC_SIGN_DSA,
+@@ -3025,6 +3028,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
+         ITM(dsa_expected_sig)
+     },
+ #endif /* OPENSSL_NO_DSA */
++#endif
+ 
+ #ifndef OPENSSL_NO_ML_DSA
+     {
+diff --git a/test/acvp_test.c b/test/acvp_test.c
+index 2bcc886fd2..db0282d043 100644
+--- a/test/acvp_test.c
++++ b/test/acvp_test.c
+@@ -1735,6 +1735,7 @@ int setup_tests(void)
+                   OSSL_NELEM(dh_safe_prime_keyver_data));
+ #endif /* OPENSSL_NO_DH */
+ 
++#if 0 /* Red Hat FIPS provider doesn't have fips=yes property on DSA */
+ #ifndef OPENSSL_NO_DSA
+     dsasign_allowed = fips_provider_version_lt(libctx, 3, 4, 0);
+     ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data));
+@@ -1743,6 +1744,7 @@ int setup_tests(void)
+     ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data));
+     ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data));
+ #endif /* OPENSSL_NO_DSA */
++#endif
+ 
+ #ifndef OPENSSL_NO_EC
+     ec_cofactors = fips_provider_version_ge(libctx, 3, 4, 0);
+diff --git a/test/endecode_test.c b/test/endecode_test.c
+index d2ff9e6eb6..dfd5e92f7e 100644
+--- a/test/endecode_test.c
++++ b/test/endecode_test.c
+@@ -1536,6 +1536,7 @@ int setup_tests(void)
+          * so no legacy tests.
+          */
+ #endif
++    if (is_fips == 0) {
+ #ifndef OPENSSL_NO_DSA
+         ADD_TEST_SUITE(DSA);
+         ADD_TEST_SUITE_PARAMS(DSA);
+@@ -1546,6 +1547,7 @@ int setup_tests(void)
+         ADD_TEST_SUITE_PROTECTED_PVK(DSA);
+ # endif
+ #endif
++    }
+ #ifndef OPENSSL_NO_EC
+         ADD_TEST(ec_encode_to_data_multi);
+         ADD_TEST_SUITE(EC);
+diff --git a/test/recipes/15-test_gendsa.t b/test/recipes/15-test_gendsa.t
+index cd331c4cfc..e21d6acda4 100644
+--- a/test/recipes/15-test_gendsa.t
++++ b/test/recipes/15-test_gendsa.t
+@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
+ plan skip_all => "This test is unsupported in a no-dsa build"
+     if disabled("dsa");
+ 
+-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
++my $no_fips = 1;
+ 
+ plan tests =>
+     ($no_fips ? 0 : 2)          # FIPS related tests
+diff --git a/test/recipes/20-test_cli_fips.t b/test/recipes/20-test_cli_fips.t
+index 2abc4d2434..9a6875b3ec 100644
+--- a/test/recipes/20-test_cli_fips.t
++++ b/test/recipes/20-test_cli_fips.t
+@@ -283,8 +283,7 @@ SKIP: {
+ }
+ 
+ SKIP : {
+-    skip "FIPS DSA tests because of no dsa in this build", 1
+-        if disabled("dsa") || $dsasignpass == '0';
++    skip "FIPS DSA tests because of no dsa in this build", 1;
+ 
+     subtest DSA => sub {
+         my $testtext_prefix = 'DSA';
+diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t
+old mode 100644
+new mode 100755
+index a86456157b..05a61c8abe
+--- a/test/recipes/30-test_evp.t
++++ b/test/recipes/30-test_evp.t
+@@ -83,10 +83,6 @@ push @files, qw(
+                 evppkey_slh_dsa_siggen.txt
+                 evppkey_slh_dsa_sigver.txt
+                ) unless $no_slh_dsa;
+-push @files, qw(
+-                evppkey_dsa.txt
+-                evppkey_dsa_sigalg.txt
+-               ) unless $no_dsa;
+ push @files, qw(
+                 evppkey_ecx.txt
+                 evppkey_ecx_sigalg.txt
+@@ -166,11 +162,12 @@ my @defltfiles = qw(
+ push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec;
+ push @defltfiles, qw(evppkey_ecdsa_rfc6979.txt) unless $no_ec;
+ push @defltfiles, qw(evppkey_ecx_kem.txt) unless $no_ecx;
+-push @defltfiles, qw(evppkey_dsa_rfc6979.txt) unless $no_dsa;
+ push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2;
+ push @defltfiles, qw(evpciph_aes_gcm_siv.txt) unless $no_siv;
+ push @defltfiles, qw(evpciph_aes_siv.txt) unless $no_siv;
+ push @defltfiles, qw(evpkdf_argon2.txt) unless $no_argon2;
++push @defltfiles, qw(evppkey_dsa.txt
++                     evppkey_dsa_sigalg.txt) unless $no_dsa;
+ 
+ plan tests =>
+     + (scalar(@configs) * scalar(@files))
+diff --git a/test/recipes/30-test_evp_data/evppkey_dsa.txt b/test/recipes/30-test_evp_data/evppkey_dsa.txt
+index 5e5315a5b9..660d1db149 100644
+--- a/test/recipes/30-test_evp_data/evppkey_dsa.txt
++++ b/test/recipes/30-test_evp_data/evppkey_dsa.txt
+@@ -44,17 +44,22 @@ PrivPubKeyPair = DSA-1024:DSA-1024-PUBLIC
+ 
+ Title = DSA tests
+ 
++## Red Hat all SHA1 tests are unavailable
++
++Availablein = none
+ Verify = DSA-1024
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+ Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f2397f63c9fc8790e1a6cde5d87
+ 
++Availablein = none
+ Verify = DSA-1024-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+ Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f2397f63c9fc8790e1a6cde5d87
+ 
+ # Modified signature
++Availablein = none
+ Verify = DSA-1024-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+@@ -62,6 +67,7 @@ Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f239
+ Result = VERIFY_ERROR
+ 
+ # Digest too short
++Availablein = none
+ Verify = DSA-1024-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF123"
+@@ -69,6 +75,7 @@ Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f239
+ Result = VERIFY_ERROR
+ 
+ # Digest too long
++Availablein = none
+ Verify = DSA-1024-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF12345"
+@@ -76,12 +83,14 @@ Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f239
+ Result = VERIFY_ERROR
+ 
+ # Garbage after signature
++Availablein = none
+ Verify = DSA-1024-PUBLIC
+ Input = "0123456789ABCDEF1234"
+ Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f2397f63c9fc8790e1a6cde5d8700
+ Result = VERIFY_ERROR
+ 
+ # Invalid tag
++Availablein = none
+ Verify = DSA-1024-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+@@ -89,6 +98,7 @@ Output = 312d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f239
+ Result = VERIFY_ERROR
+ 
+ # BER signature
++Availablein = none
+ Verify = DSA-1024-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+@@ -277,6 +287,7 @@ Output = 00
+ Result = DIGESTSIGNINIT_ERROR
+ 
+ # Test sign with a 2048 bit key with N == 224 is allowed in fips mode
++Availablein = none
+ FIPSversion = <3.4.0
+ DigestSign = SHA256
+ Key = DSA-2048-224
+@@ -285,6 +296,7 @@ Output = 00
+ Result = SIGNATURE_MISMATCH
+ 
+ # Test sign with a 2048 bit key with N == 256 is allowed in fips mode
++Availablein = none
+ FIPSversion = <3.4.0
+ DigestSign = SHA256
+ Key = DSA-2048-256
+@@ -292,6 +304,7 @@ Input = "Hello"
+ Result = SIGNATURE_MISMATCH
+ 
+ # Test sign with a 3072 bit key with N == 256 is allowed in fips mode
++Availablein = none
+ FIPSversion = <3.4.0
+ DigestSign = SHA256
+ Key = DSA-3072-256
+@@ -299,6 +312,7 @@ Input = "Hello"
+ Result = SIGNATURE_MISMATCH
+ 
+ # Test sign with a 2048 bit SHA3 is allowed in fips mode
++Availablein = none
+ FIPSversion = <3.4.0
+ DigestSign = SHA3-224
+ Key = DSA-2048-256
+@@ -306,19 +320,21 @@ Input = "Hello"
+ Result = SIGNATURE_MISMATCH
+ 
+ # Test verify with a 1024 bit key is allowed in fips mode
++Availablein = default
+ DigestVerify = SHA256
+ Key = DSA-1024
+ Input = "Hello "
+ Output = 302c02142e32c8a5b0bd19b2ba33fd9c78aad3729dcb1b9e02142c006f7726a9d6833d414865b95167ea5f4f7713
+ 
+ # Test verify with SHA1 is allowed in fips mode
++Availablein = none
+ DigestVerify = SHA1
+ Key = DSA-1024
+ Input = "Hello "
+ Output = 302c0214602d21ed37e46051bb3d06cc002adddeb4cdb3bd02144f39f75587b286588862d06366b2f29bddaf8cf6
+ 
+ # Test verify with a 2048/160 bit key is allowed in fips mode
+-FIPSversion = >3.1.1
++Availablein = default
+ DigestVerify = SHA256
+ Key = DSA-2048-160
+ Input = "Hello"
+diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
+index ece29485f4..756f90c1bd 100644
+--- a/test/recipes/80-test_cms.t
++++ b/test/recipes/80-test_cms.t
+@@ -107,7 +107,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed content DER format, DSA key",
++    [ "signed content DER format, DSA key, no Red Hat FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
+         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
+       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
+@@ -115,7 +115,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed detached content DER format, DSA key",
++    [ "signed detached content DER format, DSA key, no Red Hat FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
+         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
+       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
+@@ -124,7 +124,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed detached content DER format, add RSA signer (with DSA existing)",
++    [ "signed detached content DER format, add RSA signer (with DSA existing), no Red Hat FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
+         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
+       [ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER",
+@@ -135,7 +135,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed content test streaming BER format, DSA key",
++    [ "signed content test streaming BER format, DSA key, no Red Hat FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
+         "-nodetach", "-stream",
+         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
+@@ -144,7 +144,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys",
++    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
+         "-nodetach", "-stream",
+         "-signer", $smrsa1,
+@@ -157,7 +157,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes",
++    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no Red Hat FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
+         "-noattr", "-nodetach", "-stream",
+         "-signer", $smrsa1,
+@@ -187,7 +187,7 @@ my @smime_pkcs7_tests = (
+       \&zero_compare
+     ],
+ 
+-    [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys",
++    [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
+         "-signer", $smrsa1,
+         "-signer", catfile($smdir, "smrsa2.pem"),
+@@ -199,7 +199,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys",
++    [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont,
+         "-signer", $smrsa1,
+         "-signer", catfile($smdir, "smrsa2.pem"),
+@@ -265,7 +265,7 @@ if ($no_fips || $old_fips) {
+ 
+ my @smime_cms_tests = (
+ 
+-    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid",
++    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid, no Red Hat FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
+         "-nodetach", "-keyid",
+         "-signer", $smrsa1,
+@@ -278,7 +278,7 @@ my @smime_cms_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys",
++    [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
+         "-signer", $smrsa1,
+         "-signer", catfile($smdir, "smrsa2.pem"),
+-- 
+2.50.0
+

0044-FIPS-NO-DES-support.patch

@@ -0,0 +1,174 @@
+From 8774a96fde9355aa32c040c145e4f35d7c09a5bd Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Fri, 7 Mar 2025 18:15:13 -0500
+Subject: [PATCH 44/53] FIPS: NO DES support
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ providers/fips/fipsprov.c                           |  3 ++-
+ providers/fips/self_test_data.inc                   |  5 ++++-
+ test/evp_libctx_test.c                              |  4 +++-
+ .../30-test_evp_data/evpciph_des3_common.txt        | 13 ++++---------
+ test/recipes/30-test_evp_data/evpmac_cmac_des.txt   | 10 ----------
+ test/recipes/80-test_cms.t                          |  2 +-
+ 6 files changed, 14 insertions(+), 23 deletions(-)
+
+diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
+index 84d8e897cc..4b394c3e39 100644
+--- a/providers/fips/fipsprov.c
++++ b/providers/fips/fipsprov.c
+@@ -355,7 +355,8 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = {
+          ossl_cipher_capable_aes_cbc_hmac_sha256),
+     ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
+          ossl_cipher_capable_aes_cbc_hmac_sha256),
+-#ifndef OPENSSL_NO_DES
++/* We don't certify 3DES in our FIPS provider */
++#if 0 /* ifndef OPENSSL_NO_DES */
+     ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
+     ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
+ #endif  /* OPENSSL_NO_DES */
+diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
+index 10ca473764..6a69e1687b 100644
+--- a/providers/fips/self_test_data.inc
++++ b/providers/fips/self_test_data.inc
+@@ -209,6 +209,7 @@ static const ST_KAT_DIGEST st_kat_digest_tests[] =
+ /*- CIPHER TEST DATA */
+ 
+ /* DES3 test data */
++#if 0
+ static const unsigned char des_ede3_cbc_pt[] = {
+     0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
+     0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
+@@ -229,7 +230,7 @@ static const unsigned char des_ede3_cbc_ct[] = {
+     0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F,
+     0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7
+ };
+-
++#endif
+ /* AES-256 GCM test data */
+ static const unsigned char aes_256_gcm_key[] = {
+     0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c,
+@@ -315,6 +316,7 @@ static const ST_KAT_CIPHER st_kat_cipher_tests[] = {
+         CIPHER_MODE_DECRYPT,
+         ITM(aes_128_ecb_key)
+     },
++#if 0
+ #ifndef OPENSSL_NO_DES
+     {
+         {
+@@ -327,6 +329,7 @@ static const ST_KAT_CIPHER st_kat_cipher_tests[] = {
+         ITM(tdes_key)
+     }
+ #endif
++#endif
+ };
+ 
+ static const char hkdf_digest[] = "SHA256";
+diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
+index 2838f343bd..19dd2c6c63 100644
+--- a/test/evp_libctx_test.c
++++ b/test/evp_libctx_test.c
+@@ -831,7 +831,9 @@ int setup_tests(void)
+     ADD_TEST(kem_invalid_keytype);
+ #endif
+ #ifndef OPENSSL_NO_DES
+-    ADD_TEST(test_cipher_tdes_randkey);
++    if (strcmp(prov_name, "fips") != 0) {
++        ADD_TEST(test_cipher_tdes_randkey);
++    }
+ #endif
+     return 1;
+ }
+diff --git a/test/recipes/30-test_evp_data/evpciph_des3_common.txt b/test/recipes/30-test_evp_data/evpciph_des3_common.txt
+index 6c74b65cef..8bcb78cd2d 100644
+--- a/test/recipes/30-test_evp_data/evpciph_des3_common.txt
++++ b/test/recipes/30-test_evp_data/evpciph_des3_common.txt
+@@ -14,7 +14,7 @@
+ Title = DES3 Tests
+ 
+ # DES EDE3 CBC tests (from destest)
+-FIPSversion = <3.4.0
++Availablein = default
+ Cipher = DES-EDE3-CBC
+ Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
+ IV = fedcba9876543210
+@@ -24,8 +24,7 @@ NextIV = 1c673812cfde9675
+ 
+ # DES EDE3 ECB test
+ # FIPS(3.0.0): has a bug in the IV length #17591
+-FIPSversion = >3.0.0
+-FIPSversion = <3.4.0
++Availablein = default
+ Cipher = DES-EDE3-ECB
+ Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
+ Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000
+@@ -42,7 +41,6 @@ Ciphertext = 4d1332e49f380e23d80a0d8b2bae5e4e6a0094171abcfc27df2bfd40da9f4e4d
+ 
+ # Test that DES3 CBC mode encryption fails because it is not FIPS approved
+ Availablein = fips
+-FIPSversion = >=3.4.0
+ Cipher = DES-EDE3-CBC
+ Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
+ IV = fedcba9876543210
+@@ -52,7 +50,6 @@ Result = CIPHERINIT_ERROR
+ 
+ # Test that DES3 EBC mode encryption fails because it is not FIPS approved
+ Availablein = fips
+-FIPSversion = >=3.4.0
+ Cipher = DES-EDE3-ECB
+ Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
+ Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000
+@@ -62,8 +59,7 @@ Result = CIPHERINIT_ERROR
+ Title = DES3 FIPS Indicator Tests
+ 
+ # Test that DES3 CBC mode encryption is not FIPS approved
+-Availablein = fips
+-FIPSversion = >=3.4.0
++Availablein = none
+ Cipher = DES-EDE3-CBC
+ Unapproved = 1
+ CtrlInit = encrypt-check:0
+@@ -74,8 +70,7 @@ Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000
+ Ciphertext = 3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675
+ 
+ # Test that DES3 ECB mode encryption is not FIPS approved
+-Availablein = fips
+-FIPSversion = >=3.4.0
++Availablein = none
+ Cipher = DES-EDE3-ECB
+ Operation = ENCRYPT
+ Unapproved = 1
+diff --git a/test/recipes/30-test_evp_data/evpmac_cmac_des.txt b/test/recipes/30-test_evp_data/evpmac_cmac_des.txt
+index a11e5ffe54..e4a7cbe75e 100644
+--- a/test/recipes/30-test_evp_data/evpmac_cmac_des.txt
++++ b/test/recipes/30-test_evp_data/evpmac_cmac_des.txt
+@@ -35,13 +35,3 @@ Algorithm = DES-EDE3-CBC
+ Key = 89BCD952A8C8AB371AF48AC7D07085D5EFF702E6D62CDC23
+ Input = FA620C1BBE97319E9A0CF0492121F7A20EB08A6A709DCBD00AAF38E4F99E754E
+ Result = MAC_INIT_ERROR
+-
+-Availablein = fips
+-FIPSversion = >=3.4.0
+-MAC = CMAC
+-Unapproved = 1
+-Ctrl = encrypt-check:0
+-Algorithm = DES-EDE3-CBC
+-Key = 89BCD952A8C8AB371AF48AC7D07085D5EFF702E6D62CDC23
+-Input = FA620C1BBE97319E9A0CF0492121F7A20EB08A6A709DCBD00AAF38E4F99E754E
+-Output = 8F49A1B7D6AA2258
+diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
+index 756f90c1bd..ac833d2a2f 100644
+--- a/test/recipes/80-test_cms.t
++++ b/test/recipes/80-test_cms.t
+@@ -398,7 +398,7 @@ my @smime_cms_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "encrypted content test streaming PEM format, triple DES key",
++    [ "encrypted content test streaming PEM format, triple DES key, no Red Hat FIPS",
+       [ "{cmd1}", @defaultprov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
+         "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
+         "-stream", "-out", "{output}.cms" ],
+-- 
+2.50.0
+

0045-FIPS-NO-Kmac.patch

@@ -0,0 +1,426 @@
+From e466bb4e4fa16481cbf44b410933e6dceb8d27d9 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Fri, 7 Mar 2025 18:22:07 -0500
+Subject: [PATCH 45/53] FIPS: NO Kmac
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ providers/fips/fipsprov.c                     |  10 +-
+ providers/fips/self_test_data.inc             |   4 +
+ test/recipes/30-test_evp.t                    |   2 +-
+ test/recipes/30-test_evp_data/evpkdf_hkdf.txt |   2 +-
+ .../30-test_evp_data/evpkdf_kbkdf_counter.txt |   2 +-
+ test/recipes/30-test_evp_data/evpkdf_ss.txt   |   6 +-
+ .../30-test_evp_data/evpmac_common.txt        | 100 ++++--------------
+ 7 files changed, 40 insertions(+), 86 deletions(-)
+
+diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
+index 4b394c3e39..8f00dfa0ef 100644
+--- a/providers/fips/fipsprov.c
++++ b/providers/fips/fipsprov.c
+@@ -294,10 +294,11 @@ static const OSSL_ALGORITHM fips_digests[] = {
+      * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
+      * KMAC128 and KMAC256.
+      */
+-    { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
++    /* We don't certify KECCAK in our FIPS provider */
++    /* { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
+       ossl_keccak_kmac_128_functions },
+     { PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES,
+-      ossl_keccak_kmac_256_functions },
++      ossl_keccak_kmac_256_functions }, */
+     { NULL, NULL, NULL }
+ };
+ 
+@@ -370,8 +371,9 @@ static const OSSL_ALGORITHM fips_macs[] = {
+ #endif
+     { PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions },
+     { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions },
+-    { PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
+-    { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions },
++    /* We don't certify KMAC in our FIPS provider */
++    /*{ PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
++    { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, */
+     { NULL, NULL, NULL }
+ };
+ 
+diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
+index 6a69e1687b..f3059a8446 100644
+--- a/providers/fips/self_test_data.inc
++++ b/providers/fips/self_test_data.inc
+@@ -544,6 +544,7 @@ static const ST_KAT_PARAM kbkdf_params[] = {
+     ST_KAT_PARAM_END()
+ };
+ 
++#if 0
+ static const char kbkdf_kmac_mac[] = "KMAC128";
+ static unsigned char kbkdf_kmac_label[] = {
+     0xB5, 0xB5, 0xF3, 0x71, 0x9F, 0xBE, 0x5B, 0x3D,
+@@ -570,6 +571,7 @@ static const ST_KAT_PARAM kbkdf_kmac_params[] = {
+     ST_KAT_PARAM_OCTET(OSSL_KDF_PARAM_INFO, kbkdf_kmac_context),
+     ST_KAT_PARAM_END()
+ };
++#endif
+ 
+ static const char tls13_kdf_digest[] = "SHA256";
+ static int tls13_kdf_extract_mode = EVP_KDF_HKDF_MODE_EXTRACT_ONLY;
+@@ -660,12 +662,14 @@ static const ST_KAT_KDF st_kat_kdf_tests[] =
+         kbkdf_params,
+         ITM(kbkdf_expected)
+     },
++#if 0
+     {
+         OSSL_SELF_TEST_DESC_KDF_KBKDF_KMAC,
+         OSSL_KDF_NAME_KBKDF,
+         kbkdf_kmac_params,
+         ITM(kbkdf_kmac_expected)
+     },
++#endif
+     {
+         OSSL_SELF_TEST_DESC_KDF_HKDF,
+         OSSL_KDF_NAME_HKDF,
+diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t
+index 05a61c8abe..4f2e8277b5 100755
+--- a/test/recipes/30-test_evp.t
++++ b/test/recipes/30-test_evp.t
+@@ -52,7 +52,6 @@ my @files = qw(
+                 evpciph_des3_common.txt
+                 evpkdf_hkdf.txt
+                 evpkdf_kbkdf_counter.txt
+-                evpkdf_kbkdf_kmac.txt
+                 evpkdf_pbkdf1.txt
+                 evpkdf_pbkdf2.txt
+                 evpkdf_ss.txt
+@@ -144,6 +143,7 @@ my @defltfiles = qw(
+                      evpkdf_scrypt.txt
+                      evpkdf_tls11_prf.txt
+                      evpkdf_hmac_drbg.txt
++                     evpkdf_kbkdf_kmac.txt
+                      evpmac_blake.txt
+                      evpmac_poly1305.txt
+                      evpmac_siphash.txt
+diff --git a/test/recipes/30-test_evp_data/evpkdf_hkdf.txt b/test/recipes/30-test_evp_data/evpkdf_hkdf.txt
+index c617f2cc44..c5cbaf5840 100644
+--- a/test/recipes/30-test_evp_data/evpkdf_hkdf.txt
++++ b/test/recipes/30-test_evp_data/evpkdf_hkdf.txt
+@@ -244,7 +244,7 @@ Ctrl.digest = digest:SHA1
+ Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b
+ Ctrl.salt = hexsalt:000102030405060708090a0b0c
+ Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9
+-Result = KDF_CTRL_ERROR
++Result = KDF_DERIVE_ERROR
+ Reason = invalid key length
+ 
+ # Test that the key whose length is shorter than 112 bits is reported as
+diff --git a/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt b/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt
+index 67090f2112..bc87975449 100644
+--- a/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt
++++ b/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt
+@@ -1869,7 +1869,7 @@ Ctrl.use-separator = use-separator:0
+ Ctrl.r = r:8
+ Ctrl.hexkey = hexkey:0ef9
+ Ctrl.hexinfo = hexinfo:56ec
+-Result = KDF_CTRL_ERROR
++Result = KDF_DERIVE_ERROR
+ Reason = invalid key length
+ 
+ Availablein = fips
+diff --git a/test/recipes/30-test_evp_data/evpkdf_ss.txt b/test/recipes/30-test_evp_data/evpkdf_ss.txt
+index 07691ccf57..4503af711f 100644
+--- a/test/recipes/30-test_evp_data/evpkdf_ss.txt
++++ b/test/recipes/30-test_evp_data/evpkdf_ss.txt
+@@ -1171,6 +1171,7 @@ Ctrl.hexsecret = hexsecret:40B6E03711EBEBA14011ACE96CB056DEBAEB6E5E706F99435257C
+ Ctrl.hexinfo = hexinfo:5D437C2F1035A4F1F751E59CF10650171EF5769FCFBE438DFBC5BD8EA724100076447AB804F91DFA680E592FE2621A45DAB4C6A77B678059FC29E572DE4424EB5459F53523002ED38AAB1D9DD96C3523D1907C5EFBAE93DFFE680F716498720110D2A3B9CE9B66DB2884C83E9BEB546754874C0CA1967AF000000400
+ Output = 428979EA52175DC833C04215AC6B4BA89BA4FCAA0E0FA3B4E2C0E264C5746F0A5C788F2907A2C2B90719E396B35A14C4B583C51B9911125D34100FADDC4D94C0D936263CC1EF0B0D526E3891FE1F67BCB94DEA2525B84A8E7949A4CA34F36AEEC55099BF0EC5DE24B86428F4E6E6E23FE9AA443E2BDCF25A77ECD22BF758D554
+ 
++Availablein = default
+ KDF = SSKDF
+ Ctrl.mac = mac:KMAC-128
+ Ctrl.hexsecret = hexsecret:EAD54AE33FFAFFE7875610390ADBA9DFB291EE8C1920CB13452FDF851E0A6DBBB862FD8811F8CB29CDEC13591D8C047065FCD2
+@@ -1209,7 +1210,7 @@ Ctrl.mac = mac:KMAC-128
+ Ctrl.hexsecret = hexsecret:EAD54AE33FFAFFE7875610390A
+ Ctrl.hexinfo = hexinfo:A2641090E75D5BDC0B23CCD49BB02DC63B41D3F38E0947D491DFDDC734A8582DF5C961EFE586378317AB7E5821DE3146EA26C823EE4FA48C22D7142E5BDEF50DE8BD9940E6E5AC58A6441DFCD9D5C8F6199D05BEBE1394C706F2354AC902EB5C4533EB00000400
+ Result = KDF_CTRL_ERROR
+-Reason = invalid key length
++Reason = unsupported
+ 
+ Title = Secret length < 112 is not approved in FIPS
+ 
+@@ -1246,6 +1247,8 @@ Ctrl.mac = mac:KMAC-128
+ Ctrl.hexsecret = hexsecret:EAD54AE33FFAFFE7875610390A
+ Ctrl.hexinfo = hexinfo:A2641090E75D5BDC0B23CCD49BB02DC63B41D3F38E0947D491DFDDC734A8582DF5C961EFE586378317AB7E5821DE3146EA26C823EE4FA48C22D7142E5BDEF50DE8BD9940E6E5AC58A6441DFCD9D5C8F6199D05BEBE1394C706F2354AC902EB5C4533EB00000400
+ Output = b160ca853957becf10f4edd06b24cff412b6ca85cff76490afb53ce2f81081ef
++Result = KDF_CTRL_ERROR
++Reason = unsupported
+ 
+ Title = Test Small salt is allowed
+ 
+@@ -1257,6 +1260,7 @@ Ctrl.hexsalt = hexsalt:00
+ Ctrl.hexinfo = hexinfo:861aa2886798231259bd0314
+ Output = 02cfca07797566285b38982b86762abd
+ 
++Availablein = default
+ KDF = SSKDF
+ Ctrl.mac = mac:KMAC-128
+ Ctrl.hexsalt = hexsalt:00000000
+diff --git a/test/recipes/30-test_evp_data/evpmac_common.txt b/test/recipes/30-test_evp_data/evpmac_common.txt
+index 831eecbac9..af92ceea98 100644
+--- a/test/recipes/30-test_evp_data/evpmac_common.txt
++++ b/test/recipes/30-test_evp_data/evpmac_common.txt
+@@ -399,6 +399,7 @@ Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C
+ Result = MAC_INIT_ERROR
+ Reason = invalid mode
+ 
++Availablein = default
+ Title = KMAC Tests (From NIST)
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+@@ -409,12 +410,14 @@ Ctrl = xof:0
+ OutputSize = 32
+ BlockSize = 168
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+ Custom = "My Tagged Application"
+ Output = 3B1FBA963CD8B0B59E8C1A6D71888B7143651AF8BA0A7070C0979E2811324AA5
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -422,6 +425,7 @@ Custom = "My Tagged Application"
+ Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230
+ Ctrl = size:32
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+@@ -430,12 +434,14 @@ Output = 20C570C31346F703C9AC36C61C03CB64C3970D0CFC787E9B79599D273A68D2F7F69D4CC
+ OutputSize = 64
+ BlockSize = 136
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+ Custom = ""
+ Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -445,12 +451,14 @@ Ctrl = size:64
+ 
+ Title = KMAC XOF Tests (From NIST)
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+ Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
+ XOF = 1
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+@@ -458,6 +466,7 @@ Custom = "My Tagged Application"
+ Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
+ XOF = 1
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -466,6 +475,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F
+ XOF = 1
+ Ctrl = size:32
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+@@ -473,6 +483,7 @@ Custom = "My Tagged Application"
+ Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
+ XOF = 1
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -480,6 +491,7 @@ Custom = ""
+ Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
+ XOF = 1
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -490,6 +502,7 @@ XOF = 1
+ 
+ Title = KMAC long customisation string (from NIST ACVP)
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
+ Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
+@@ -500,12 +513,14 @@ XOF = 1
+ 
+ Title = KMAC XOF Tests via ctrl (From NIST)
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+ Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
+ Ctrl = xof:1
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+@@ -513,6 +528,7 @@ Custom = "My Tagged Application"
+ Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
+ Ctrl = xof:1
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -521,6 +537,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F
+ Ctrl = xof:1
+ Ctrl = size:32
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+@@ -528,6 +545,7 @@ Custom = "My Tagged Application"
+ Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
+ Ctrl = xof:1
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -535,6 +553,7 @@ Custom = ""
+ Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
+ Ctrl = xof:1
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -545,6 +564,7 @@ Ctrl = xof:1
+ 
+ Title = KMAC long customisation string via ctrl (from NIST ACVP)
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
+ Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
+@@ -555,6 +575,7 @@ Ctrl = xof:1
+ 
+ Title = KMAC long customisation string negative test
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -564,6 +585,7 @@ Reason = invalid custom length
+ 
+ Title = KMAC output is too large
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -572,81 +594,3 @@ Ctrl = size:2097152
+ Result = MAC_INIT_ERROR
+ Reason = invalid output length
+ 
+-Title = KMAC output is too small in FIPS
+-
+-Availablein = fips
+-FIPSversion = >=3.4.0
+-MAC = KMAC256
+-Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+-Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+-Output = 28c815
+-Custom = "My Tagged Application"
+-Unapproved = 1
+-Ctrl = size:3
+-Ctrl = no-short-mac:0
+-
+-Availablein = fips
+-FIPSversion = >=3.4.0
+-MAC = KMAC256
+-Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+-Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+-Output = 28c815
+-Custom = "My Tagged Application"
+-Ctrl = size:3
+-Result = MAC_INIT_ERROR
+-Reason = invalid output length
+-
+-Availablein = fips
+-FIPSversion = >=3.4.0
+-MAC = KMAC256
+-Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+-Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+-Output = 28c815
+-Custom = "My Tagged Application"
+-Ctrl = size:3
+-Ctrl = no-short-mac:1
+-Result = MAC_INIT_ERROR
+-Reason = invalid output length
+-
+-# Old FIPS providers accept short output
+-FIPSversion = <3.4.0
+-MAC = KMAC256
+-Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+-Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+-Output = 28c815
+-Custom = "My Tagged Application"
+-Ctrl = size:3
+-
+-# The default provider accepts short output
+-Availablein = default
+-MAC = KMAC256
+-Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+-Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+-Output = 28c815
+-Custom = "My Tagged Application"
+-Ctrl = size:3
+-
+-Title = KMAC FIPS short key test
+-
+-# Test KMAC with key < 112 bits is not allowed
+-Availablein = fips
+-FIPSversion = >=3.4.0
+-MAC = KMAC256
+-Key = 404142434445464748494A4B4C
+-Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+-Custom = ""
+-Result = MAC_INIT_ERROR
+-Reason = invalid key length
+-
+-Title = KMAC FIPS short key indicator test
+-
+-# Test KMAC with key < 112 bits is unapproved
+-Availablein = fips
+-FIPSversion = >=3.4.0
+-MAC = KMAC256
+-Unapproved = 1
+-Ctrl = key-check:0
+-Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+-Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+-Custom = ""
+-Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69
+-- 
+2.50.0
+

0046-FIPS-Fix-some-tests-due-to-our-versioning-change.patch

@@ -0,0 +1,106 @@
+From 0d1de1053dc1b4b9a1e14b622311d0449c64e19e Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Mon, 10 Mar 2025 13:52:50 -0400
+Subject: [PATCH 46/53] FIPS: Fix some tests due to our versioning change
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ test/ssl-tests/13-fragmentation.cnf.in    | 4 ++--
+ test/ssl-tests/17-renegotiate.cnf.in      | 4 ++--
+ test/ssl-tests/18-dtls-renegotiate.cnf.in | 2 +-
+ test/ssl-tests/19-mac-then-encrypt.cnf.in | 2 +-
+ test/ssl-tests/20-cert-select.cnf.in      | 6 +++---
+ 5 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/test/ssl-tests/13-fragmentation.cnf.in b/test/ssl-tests/13-fragmentation.cnf.in
+index 318fd65960..87ec08ee5b 100644
+--- a/test/ssl-tests/13-fragmentation.cnf.in
++++ b/test/ssl-tests/13-fragmentation.cnf.in
+@@ -14,7 +14,7 @@ use warnings;
+ 
+ package ssltests;
+ 
+-our $fips_3_4;
++our $fips_mode;
+ 
+ our @tests = (
+     # Default fragment size is 512.
+@@ -273,4 +273,4 @@ my @tests_rsa = (
+ );
+ 
+ push @tests, @tests_rsa
+-    unless $fips_3_4;
++    unless $fips_mode;
+diff --git a/test/ssl-tests/17-renegotiate.cnf.in b/test/ssl-tests/17-renegotiate.cnf.in
+index 2812e4c38b..9cbd972eba 100644
+--- a/test/ssl-tests/17-renegotiate.cnf.in
++++ b/test/ssl-tests/17-renegotiate.cnf.in
+@@ -15,7 +15,7 @@ use warnings;
+ package ssltests;
+ use OpenSSL::Test::Utils;
+ 
+-our $fips_3_4;
++our $fips_mode;
+ 
+ our @tests = (
+     {
+@@ -318,5 +318,5 @@ our @tests_tls1_2 = (
+     }
+ );
+ 
+-push @tests, @tests_tls1_2_rsa unless disabled("tls1_2") or $fips_3_4;
++push @tests, @tests_tls1_2_rsa unless disabled("tls1_2") or $fips_mode;
+ push @tests, @tests_tls1_2 unless disabled("tls1_2");
+diff --git a/test/ssl-tests/18-dtls-renegotiate.cnf.in b/test/ssl-tests/18-dtls-renegotiate.cnf.in
+index 8996849a2c..415dc2978d 100644
+--- a/test/ssl-tests/18-dtls-renegotiate.cnf.in
++++ b/test/ssl-tests/18-dtls-renegotiate.cnf.in
+@@ -133,7 +133,7 @@ foreach my $sctp ("No", "Yes")
+     );
+     push @tests, @tests_basic;
+ 
+-    next if disabled("dtls1_2") || $fips_3_4;
++    next if disabled("dtls1_2") || $fips_mode;
+     our @tests_dtls1_2 = (
+         {
+             name => "renegotiate-aead-to-non-aead".$suffix,
+diff --git a/test/ssl-tests/19-mac-then-encrypt.cnf.in b/test/ssl-tests/19-mac-then-encrypt.cnf.in
+index 32bcec4be4..2f8a123c20 100644
+--- a/test/ssl-tests/19-mac-then-encrypt.cnf.in
++++ b/test/ssl-tests/19-mac-then-encrypt.cnf.in
+@@ -17,7 +17,7 @@ our $fips_mode;
+ our $fips_3_4;
+ 
+ # Nothing to test with newer fips providers
+-return if $fips_3_4;
++return if $fips_mode;
+ 
+ our @tests = (
+     {
+diff --git a/test/ssl-tests/20-cert-select.cnf.in b/test/ssl-tests/20-cert-select.cnf.in
+index af47842fd8..21c75033e8 100644
+--- a/test/ssl-tests/20-cert-select.cnf.in
++++ b/test/ssl-tests/20-cert-select.cnf.in
+@@ -266,7 +266,7 @@ our @tests = (
+         },
+         test   => {
+             "ExpectedServerCertType" =>, "RSA",
+-            "ExpectedResult" => $fips_3_4 ? "ClientFail" : "Success"
++            "ExpectedResult" => $fips_mode ? "ClientFail" : "Success"
+         },
+     },
+     {
+@@ -1005,8 +1005,8 @@ my @tests_dsa_tls_1_3 = (
+ );
+ 
+ if (!disabled("dsa")) {
+-    push @tests, @tests_dsa_tls_1_2 unless disabled("dh") || $fips_3_4;
+-    push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
++    push @tests, @tests_dsa_tls_1_2 unless disabled("dh") || $fips_mode;
++    push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3") || $fips_mode;
+ }
+ 
+ my @tests_mldsa_tls_1_3 = (
+-- 
+2.50.0
+

0047-Current-Rebase-status.patch

@@ -0,0 +1,106 @@
+From e47db9280144065c4221537f1d44baa750a25d64 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Wed, 12 Feb 2025 17:25:47 -0500
+Subject: [PATCH 47/53] Current Rebase status
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ REBASE.txt | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 81 insertions(+)
+
+diff --git a/REBASE.txt b/REBASE.txt
+index 2833a383c1..c8f6c992a8 100644
+--- a/REBASE.txt
++++ b/REBASE.txt
+@@ -1,3 +1,6 @@
++REBASED on TOP of tagged openssl-3.5.0
++
++
+ 0028-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch
+ 
+ Some asym testing has been dropped upstream, unclear if this needs to survive,
+@@ -8,3 +11,81 @@ if so we may need to resurrect deleted code in upstream patch:
+     fips: remove redundant RSA encrypt/decrypt KAT
+ --
+ 
++This does not apply cleanly and I can't figure out the original intent exactly
++to modify the existing code correctly.
++
++--
++0030-0075-FIPS-Use-FFDHE2048-in-self-test.patch.patch
++
++Unnecessary, upstream aleady change to use ffsh2048
++
++--
++0032-0077-FIPS-140-3-zeroization.patch.patch
++
++Unnecessary, but MUST define OPENSSL_PEDANTIC_ZEROIZATION to do the same
++
++--
++0048-Spec-cleanup.patch
++
++Not applied as I did not get in the initial patch that imports into packit
++--
++0049-0117-ignore-unknown-sigalgorithms-groups.patch.patch
++
++Unnecessary, already included in 3.5
++
++--
++0050-0118-no-crl-memleak.patch.patch
++
++Unnecessary, already included in 3.5
++
++--
++0051-0119-provider-sigalgs-in-signaturealgorithms-conf.pa.patch
++
++Unnecessary, already included in 3.5
++
++--
++
++Recheck
++======
++
++- Dropped: openssl speed - skip unavailable dgst
++
++- Dropped: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signa.patch
++
++- Dropped patch to disable ECX algorihms
++
++Needed build/spec changes
++====================
++
++Add -DOPENSSL_PEDANTIC_ZEROIZATION to ./Configure line
++This is needed for zeroizations required for FIPS
++
++Add -DREDHAT_FIPS_VENDOR for the module name
++
++Drop 0025-for-tests.patch from dist-git
++We now use a separate config file for tests and for install
++Copy rh-openssl.cnf over the openssl default conf file in the install section.
++
++Testing
++=======
++./Configure \
++        --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
++        --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config \
++        zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
++        enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips -D_GNU_SOURCE\
++        no-mdc2 no-ec2m no-sm2 no-sm4 no-atexit enable-buildtest-c++\
++        shared  ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""'\
++        -Wl,--allow-multiple-definition
++
++prefix=$HOME/tmp/openssl-rebase
++sysconfigdir=$prefix/etc
++fips="Rebase Testing"
++sslarch=linux-x86_64
++sslflags=enable-ec_nistp_64_gcc_128
++ktlsopt=enable-ktls
++
++Example Testing
++===============
++
++./Configure --prefix=$HOME/tmp/openssl-rebase --openssldir=$HOME/tmp/openssl-rebase/etc/pki/tls enable-ec_nistp_64_gcc_128 --system-ciphers-file=$HOME/tmp/openssl-rebase/etc/crypto-policies/back-ends/opensslcnf.config zlib enable-camellia enable-seed enable-rfc3779 enable-sctp enable-cms enable-md2 enable-rc5 enable-ktls enable-fips no-mdc2 no-ec2m no-sm2 no-sm4 no-atexit enable-buildtest-c++ shared linux-x86_64 $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DOPENSSL_PEDANTIC_ZEROIZATION -DREDHAT_FIPS_VENDOR="\"Red Hat Enterprise Linux OpenSSL FIPS Provider\"" -DREDHAT_FIPS_VERSION="\"3.5.0-4c714d97fd77d1a8\""' -Wl,--allow-multiple-definition
++
+-- 
+2.50.0
+

0048-FIPS-KDF-key-lenght-errors.patch

@@ -0,0 +1,175 @@
+From d0063158bcf9321daec1ffcbfeb3d7b085aebce3 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Mon, 14 Apr 2025 15:25:40 -0400
+Subject: [PATCH 48/53] FIPS: KDF key lenght errors
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ test/recipes/30-test_evp_data/evpkdf_ss.txt        |  8 ++++----
+ test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt |  6 +++---
+ test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt | 11 ++++++-----
+ test/recipes/30-test_evp_data/evpkdf_x942.txt      |  3 +--
+ test/recipes/30-test_evp_data/evpkdf_x963.txt      |  6 ++----
+ test/recipes/30-test_evp_data/evpmac_common.txt    |  2 +-
+ test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt |  2 +-
+ 7 files changed, 18 insertions(+), 20 deletions(-)
+
+diff --git a/test/recipes/30-test_evp_data/evpkdf_ss.txt b/test/recipes/30-test_evp_data/evpkdf_ss.txt
+index 4503af711f..7ef2894ae6 100644
+--- a/test/recipes/30-test_evp_data/evpkdf_ss.txt
++++ b/test/recipes/30-test_evp_data/evpkdf_ss.txt
+@@ -1189,8 +1189,8 @@ KDF = SSKDF
+ Ctrl.digest = digest:SHA1
+ Ctrl.hexsecret = hexsecret:d7e6
+ Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff
+-Result = KDF_CTRL_ERROR
+-Reason = invalid key length
++Result = KDF_DERIVE_ERROR
++#Reason = invalid key length
+ 
+ Availablein = fips
+ FIPSversion = >=3.4.0
+@@ -1200,8 +1200,8 @@ Ctrl.digest = digest:SHA224
+ Ctrl.salt = hexsalt:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+ Ctrl.hexsecret = hexsecret:40B6E03711EBEBA14011ACE96C
+ Ctrl.hexinfo = hexinfo:5D437C2F1035A4F1F751E59CF10650171EF5769FCFBE438DFBC5BD8EA724100076447AB804F91DFA680E592FE2621A45DAB4C6A77B678059FC29E572DE4424EB5459F53523002ED38AAB1D9DD96C3523D1907C5EFBAE93DFFE680F716498720110D2A3B9CE9B66DB2884C83E9BEB546754874C0CA1967AF000000400
+-Result = KDF_CTRL_ERROR
+-Reason = invalid key length
++Result = KDF_DERIVE_ERROR
++#Reason = invalid key length
+ 
+ Availablein = fips
+ FIPSversion = >=3.4.0
+diff --git a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
+index edb2e81273..d663e5e5a5 100644
+--- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
++++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
+@@ -104,8 +104,8 @@ Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55
+ Ctrl.label = seed:extended master secret
+ Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c
+ Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
+-Result = KDF_CTRL_ERROR
+-Reason = digest not allowed
++Result = KDF_DERIVE_ERROR
++Reason = invalid key length
+ 
+ # Test that the operation with unapproved digest function is is reported as
+ # unapproved
+@@ -131,7 +131,7 @@ Ctrl.Secret = hexsecret:0102030405060708090a0b
+ Ctrl.label = seed:extended master secret
+ Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c
+ Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
+-Result = KDF_CTRL_ERROR
++Result = KDF_DERIVE_ERROR
+ Reason = invalid key length
+ 
+ # Test that the key whose length is shorter than 112 bits is reported as
+diff --git a/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt b/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt
+index f2ea9ac44a..0f2f6e3904 100644
+--- a/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt
++++ b/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt
+@@ -4963,7 +4963,7 @@ KDF = TLS13-KDF
+ Ctrl.mode = mode:EXTRACT_ONLY
+ Ctrl.digest = digest:SHA512-256
+ Ctrl.key = hexkey:f8af6aea2d397baf2948a25b2834200692cff17eee9165e4e27babee9edefd05
+-Result = KDF_CTRL_ERROR
++Result = KDF_DERIVE_ERROR
+ 
+ # Test that the operation with unapproved digest function is is reported as
+ # unapproved
+@@ -4985,20 +4985,21 @@ KDF = TLS13-KDF
+ Ctrl.mode = mode:EXTRACT_ONLY
+ Ctrl.digest = digest:SHA2-256
+ Ctrl.key = hexkey:0102030405060708090a0b
+-Result = KDF_CTRL_ERROR
+-Reason = invalid key length
++Result = KDF_DERIVE_ERROR
++Reason = wrong output buffer size
+ 
+ Availablein = fips
+ FIPSversion = >=3.4.0
+ KDF = TLS13-KDF
++Unapproved = 1
+ Ctrl.mode = mode:EXPAND_ONLY
+ Ctrl.digest = digest:SHA2-256
+ Ctrl.key = hexkey:0102030405060708090a0b
+ Ctrl.data = hexdata:7c92f68bd5bf3638ea338a6494722e1b44127e1b7e8aad535f2322a644ff22b3
+ Ctrl.prefix = hexprefix:746c73313320
+ Ctrl.label = hexlabel:6320652074726166666963
+-Result = KDF_CTRL_ERROR
+-Reason = invalid key length
++Result = KDF_MISMATCH
++#Reason = invalid key length
+ 
+ # Test that the key whose length is shorter than 112 bits is reported as
+ # unapproved
+diff --git a/test/recipes/30-test_evp_data/evpkdf_x942.txt b/test/recipes/30-test_evp_data/evpkdf_x942.txt
+index b1774592e9..6869fd0f20 100644
+--- a/test/recipes/30-test_evp_data/evpkdf_x942.txt
++++ b/test/recipes/30-test_evp_data/evpkdf_x942.txt
+@@ -124,11 +124,10 @@ Reason = xof digests not allowed
+ Availablein = fips
+ FIPSversion = >=3.4.0
+ KDF = X942KDF-ASN1
++Unapproved = 1
+ Ctrl.digest = digest:SHA256
+ Ctrl.hexsecret = hexsecret:6B
+ Ctrl.use-keybits = use-keybits:0
+ Ctrl.cekalg = cekalg:id-aes128-wrap
+ Ctrl.hexacvp-info = hexacvp-info:a020299D468D60BC6A257E0B6523D691A3FC1602453B35F308C762FBBAC6069A88BCa12080D49BFE5BE01C7D56489AB017663C22B8CBB34C3174D1D71F00CB7505AC759Aa2203C21A5EA5988562C007986E0503D039E7231D9F152FE72A231A1FD98C59BCA6Aa320FD47477542989B51E4A0845DFABD6EEAA465F69B3D75349B2520051782C7F3FC
+ Output = C2E6A0978C24AF3932F478583ADBFB5F57D491822592EAD3C538875F46EB057A
+-Result = KDF_CTRL_ERROR
+-Reason = invalid key length
+diff --git a/test/recipes/30-test_evp_data/evpkdf_x963.txt b/test/recipes/30-test_evp_data/evpkdf_x963.txt
+index b8f3cff3d3..74524c4694 100644
+--- a/test/recipes/30-test_evp_data/evpkdf_x963.txt
++++ b/test/recipes/30-test_evp_data/evpkdf_x963.txt
+@@ -148,8 +148,7 @@ KDF = X963KDF
+ Ctrl.digest = digest:SHA1
+ Ctrl.hexsecret = hexsecret:fd17198b89ab39c4ab5d7cca363b82f9fd7e23c3984dc8a2
+ Ctrl.hexinfo = hexinfo:856a53f3e36a26bbc5792879f307cce2
+-Result = KDF_CTRL_ERROR
+-Reason = digest not allowed
++Result = KDF_DERIVE_ERROR
+ 
+ # Test that the operation with unapproved digest function is is reported as
+ # unapproved
+@@ -170,8 +169,7 @@ KDF = X963KDF
+ Ctrl.digest = digest:SHA224
+ Ctrl.hexsecret = hexsecret:0102030405060908090a0b
+ Ctrl.hexinfo = hexinfo:0102030405060708090a0b0c0d0e0f10
+-Result = KDF_CTRL_ERROR
+-Reason = invalid key length
++Result = KDF_DERIVE_ERROR
+ 
+ # Test that the key whose length is shorter than 112 bits is reported as
+ # unapproved
+diff --git a/test/recipes/30-test_evp_data/evpmac_common.txt b/test/recipes/30-test_evp_data/evpmac_common.txt
+index af92ceea98..a1541bf226 100644
+--- a/test/recipes/30-test_evp_data/evpmac_common.txt
++++ b/test/recipes/30-test_evp_data/evpmac_common.txt
+@@ -271,7 +271,7 @@ MAC = HMAC
+ Algorithm = SHA256
+ Input = "Test Input"
+ Key = 0001020304
+-Result = MAC_INIT_ERROR
++Output = db70da6176d87813b059879ccc27bc53e295c6eca74db8bdc4e77d7e951d894b
+ 
+ Title = HMAC FIPS short key indicator test
+ 
+diff --git a/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt b/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt
+index 1fb2472001..93c07ede7c 100644
+--- a/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt
++++ b/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt
+@@ -216,7 +216,7 @@ Ctrl.digest = digest:SHA1
+ Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b
+ Ctrl.salt = hexsalt:000102030405060708090a0b0c
+ Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9
+-Result = PKEY_CTRL_ERROR
++Result = KDF_DERIVE_ERROR
+ Reason = invalid key length
+ 
+ # Test that the key whose length is shorter than 112 bits is reported as
+-- 
+2.50.0
+

0049-FIPS-fix-disallowed-digests-tests.patch

@@ -0,0 +1,51 @@
+From 91000e60a38106701dd76deb37eafe165e7802a3 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Tue, 15 Apr 2025 13:41:42 -0400
+Subject: [PATCH 49/53] FIPS: fix disallowed digests tests
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ test/recipes/30-test_evp_data/evpkdf_ssh.txt | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/test/recipes/30-test_evp_data/evpkdf_ssh.txt b/test/recipes/30-test_evp_data/evpkdf_ssh.txt
+index 6688c217aa..8347f773e6 100644
+--- a/test/recipes/30-test_evp_data/evpkdf_ssh.txt
++++ b/test/recipes/30-test_evp_data/evpkdf_ssh.txt
+@@ -4894,13 +4894,14 @@ Title = FIPS indicator tests
+ Availablein = fips
+ FIPSversion = >=3.4.0
+ KDF = SSHKDF
++Unapproved = 1
+ Ctrl.digest = digest:SHA512-256
+ Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a686929ff5a25f8e40cb6645ea814fb1a5e0a11f852f86255641e5ed986e83a78bc8269480eac0b0dfd770cab92e7a28dd87ff452466d6ae867cead63b366b1c286e6c4811a9f14c27aea14c5171d49b78c06e3735d36e6a3be321dd5fc82308f34ee1cb17fba94a59
+ Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245
+ Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245
+ Ctrl.type = type:A
+-Result = KDF_CTRL_ERROR
+-Reason = digest not allowed
++Result = KDF_MISMATCH
++#Reason = digest not allowed
+ 
+ # Test that the operation with unapproved digest function is is reported as
+ # unapproved
+@@ -4920,13 +4921,14 @@ Output = d37ea221cbcc026d95e8c10b7d28a1b41e4ec1b497bae0e4cdbc1446e5bd59e2
+ Availablein = fips
+ FIPSversion = >=3.4.0
+ KDF = SSHKDF
++Unapproved = 1
+ Ctrl.digest = digest:SHA1
+ Ctrl.hexkey = hexkey:0102030405060708090a0b
+ Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245
+ Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245
+ Ctrl.type = type:A
+-Result = KDF_CTRL_ERROR
+-Reason = invalid key length
++Result = KDF_MISMATCH
++#Reason = invalid key length
+ 
+ # Test that the key whose length is shorter than 112 bits is reported as
+ # unapproved
+-- 
+2.50.0
+

0050-Make-openssl-speed-run-in-FIPS-mode.patch

@@ -0,0 +1,76 @@
+From 99d3ce80ecf3252962a1b79dd57324f08b62cc18 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <beldmit@gmail.com>
+Date: Fri, 9 May 2025 15:09:46 +0200
+Subject: [PATCH 50/53] Make `openssl speed` run in FIPS mode
+
+---
+ apps/speed.c | 44 ++++++++++++++++++++++----------------------
+ 1 file changed, 22 insertions(+), 22 deletions(-)
+
+diff --git a/apps/speed.c b/apps/speed.c
+index 3307a9cb46..ae2f166d24 100644
+--- a/apps/speed.c
++++ b/apps/speed.c
+@@ -3172,18 +3172,18 @@ int speed_main(int argc, char **argv)
+                                                       (void *)key32, 16);
+         params[1] = OSSL_PARAM_construct_end();
+ 
+-        if (mac_setup("KMAC-128", &mac, params, loopargs, loopargs_len) < 1)
+-            goto end;
+-        for (testnum = 0; testnum < size_num; testnum++) {
+-            print_message(names[D_KMAC128], lengths[testnum], seconds.sym);
+-            Time_F(START);
+-            count = run_benchmark(async_jobs, KMAC128_loop, loopargs);
+-            d = Time_F(STOP);
+-            print_result(D_KMAC128, testnum, count, d);
+-            if (count < 0)
+-                break;
++        if (mac_setup("KMAC-128", &mac, params, loopargs, loopargs_len) == 1) {
++            for (testnum = 0; testnum < size_num; testnum++) {
++                print_message(names[D_KMAC128], lengths[testnum], seconds.sym);
++                Time_F(START);
++                count = run_benchmark(async_jobs, KMAC128_loop, loopargs);
++                d = Time_F(STOP);
++                print_result(D_KMAC128, testnum, count, d);
++                if (count < 0)
++                    break;
++            }
++            mac_teardown(&mac, loopargs, loopargs_len);
+         }
+-        mac_teardown(&mac, loopargs, loopargs_len);
+     }
+ 
+     if (doit[D_KMAC256]) {
+@@ -3193,18 +3193,18 @@ int speed_main(int argc, char **argv)
+                                                       (void *)key32, 32);
+         params[1] = OSSL_PARAM_construct_end();
+ 
+-        if (mac_setup("KMAC-256", &mac, params, loopargs, loopargs_len) < 1)
+-            goto end;
+-        for (testnum = 0; testnum < size_num; testnum++) {
+-            print_message(names[D_KMAC256], lengths[testnum], seconds.sym);
+-            Time_F(START);
+-            count = run_benchmark(async_jobs, KMAC256_loop, loopargs);
+-            d = Time_F(STOP);
+-            print_result(D_KMAC256, testnum, count, d);
+-            if (count < 0)
+-                break;
++        if (mac_setup("KMAC-256", &mac, params, loopargs, loopargs_len) == 1) {
++            for (testnum = 0; testnum < size_num; testnum++) {
++                print_message(names[D_KMAC256], lengths[testnum], seconds.sym);
++                Time_F(START);
++                count = run_benchmark(async_jobs, KMAC256_loop, loopargs);
++                d = Time_F(STOP);
++                print_result(D_KMAC256, testnum, count, d);
++                if (count < 0)
++                    break;
++            }
++            mac_teardown(&mac, loopargs, loopargs_len);
+         }
+-        mac_teardown(&mac, loopargs, loopargs_len);
+     }
+ 
+     for (i = 0; i < loopargs_len; i++)
+-- 
+2.50.0
+

0051-Backport-upstream-27483-for-PKCS11-needs.patch

@@ -0,0 +1,146 @@
+From 5b20574f75a2c525bf30ea304292ecd93eb72091 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <beldmit@gmail.com>
+Date: Mon, 12 May 2025 14:34:39 +0200
+Subject: [PATCH 51/53] Backport upstream #27483 for PKCS11 needs
+
+---
+ .../implementations/skeymgmt/aes_skmgmt.c     |  2 +
+ providers/implementations/skeymgmt/generic.c  | 12 ++++
+ .../implementations/skeymgmt/skeymgmt_lcl.h   |  1 +
+ test/evp_skey_test.c                          | 61 +++++++++++++++++++
+ 4 files changed, 76 insertions(+)
+
+diff --git a/providers/implementations/skeymgmt/aes_skmgmt.c b/providers/implementations/skeymgmt/aes_skmgmt.c
+index 6d3b5f377f..17be480131 100644
+--- a/providers/implementations/skeymgmt/aes_skmgmt.c
++++ b/providers/implementations/skeymgmt/aes_skmgmt.c
+@@ -48,5 +48,7 @@ const OSSL_DISPATCH ossl_aes_skeymgmt_functions[] = {
+     { OSSL_FUNC_SKEYMGMT_FREE, (void (*)(void))generic_free },
+     { OSSL_FUNC_SKEYMGMT_IMPORT, (void (*)(void))aes_import },
+     { OSSL_FUNC_SKEYMGMT_EXPORT, (void (*)(void))aes_export },
++    { OSSL_FUNC_SKEYMGMT_IMP_SETTABLE_PARAMS,
++      (void (*)(void))generic_imp_settable_params },
+     OSSL_DISPATCH_END
+ };
+diff --git a/providers/implementations/skeymgmt/generic.c b/providers/implementations/skeymgmt/generic.c
+index b41bf8e12d..5fb3fad7e3 100644
+--- a/providers/implementations/skeymgmt/generic.c
++++ b/providers/implementations/skeymgmt/generic.c
+@@ -65,6 +65,16 @@ end:
+     return generic;
+ }
+ 
++static const OSSL_PARAM generic_import_params[] = {
++    OSSL_PARAM_octet_string(OSSL_SKEY_PARAM_RAW_BYTES, NULL, 0),
++    OSSL_PARAM_END
++};
++
++const OSSL_PARAM *generic_imp_settable_params(void *provctx)
++{
++    return generic_import_params;
++}
++
+ int generic_export(void *keydata, int selection,
+                    OSSL_CALLBACK *param_callback, void *cbarg)
+ {
+@@ -89,5 +99,7 @@ const OSSL_DISPATCH ossl_generic_skeymgmt_functions[] = {
+     { OSSL_FUNC_SKEYMGMT_FREE, (void (*)(void))generic_free },
+     { OSSL_FUNC_SKEYMGMT_IMPORT, (void (*)(void))generic_import },
+     { OSSL_FUNC_SKEYMGMT_EXPORT, (void (*)(void))generic_export },
++    { OSSL_FUNC_SKEYMGMT_IMP_SETTABLE_PARAMS,
++      (void (*)(void))generic_imp_settable_params },
+     OSSL_DISPATCH_END
+ };
+diff --git a/providers/implementations/skeymgmt/skeymgmt_lcl.h b/providers/implementations/skeymgmt/skeymgmt_lcl.h
+index c180c1d303..a7e7605050 100644
+--- a/providers/implementations/skeymgmt/skeymgmt_lcl.h
++++ b/providers/implementations/skeymgmt/skeymgmt_lcl.h
+@@ -15,5 +15,6 @@
+ OSSL_FUNC_skeymgmt_import_fn generic_import;
+ OSSL_FUNC_skeymgmt_export_fn generic_export;
+ OSSL_FUNC_skeymgmt_free_fn generic_free;
++OSSL_FUNC_skeymgmt_imp_settable_params_fn generic_imp_settable_params;
+ 
+ #endif
+diff --git a/test/evp_skey_test.c b/test/evp_skey_test.c
+index b81df9c8f8..e33bbbe003 100644
+--- a/test/evp_skey_test.c
++++ b/test/evp_skey_test.c
+@@ -92,6 +92,66 @@ end:
+     return ret;
+ }
+ 
++static int test_skey_skeymgmt(void)
++{
++    int ret = 0;
++    EVP_SKEYMGMT *skeymgmt = NULL;
++    EVP_SKEY *key = NULL;
++    const unsigned char import_key[KEY_SIZE] = {
++        0x53, 0x4B, 0x45, 0x59, 0x53, 0x4B, 0x45, 0x59,
++        0x53, 0x4B, 0x45, 0x59, 0x53, 0x4B, 0x45, 0x59,
++    };
++    OSSL_PARAM params[2];
++    const OSSL_PARAM *imp_params;
++    const OSSL_PARAM *p;
++    OSSL_PARAM *exp_params = NULL;
++    const void *export_key = NULL;
++    size_t export_len;
++
++    deflprov = OSSL_PROVIDER_load(libctx, "default");
++    if (!TEST_ptr(deflprov))
++        return 0;
++
++    /* Fetch our SKYMGMT for Generic Secrets */
++    if (!TEST_ptr(skeymgmt = EVP_SKEYMGMT_fetch(libctx, OSSL_SKEY_TYPE_GENERIC,
++                                                NULL)))
++        goto end;
++
++    /* Check the parameter we need is available */
++    if (!TEST_ptr(imp_params = EVP_SKEYMGMT_get0_imp_settable_params(skeymgmt))
++        || !TEST_ptr(p = OSSL_PARAM_locate_const(imp_params,
++                                                 OSSL_SKEY_PARAM_RAW_BYTES)))
++        goto end;
++
++    /* Import EVP_SKEY */
++    params[0] = OSSL_PARAM_construct_octet_string(OSSL_SKEY_PARAM_RAW_BYTES,
++                                                  (void *)import_key, KEY_SIZE);
++    params[1] = OSSL_PARAM_construct_end();
++
++    if (!TEST_ptr(key = EVP_SKEY_import(libctx,
++                                        EVP_SKEYMGMT_get0_name(skeymgmt), NULL,
++                                        OSSL_SKEYMGMT_SELECT_ALL, params)))
++        goto end;
++
++    /* Export EVP_SKEY */
++    if (!TEST_int_gt(EVP_SKEY_export(key, OSSL_SKEYMGMT_SELECT_SECRET_KEY,
++                                     ossl_pkey_todata_cb, &exp_params), 0)
++        || !TEST_ptr(p = OSSL_PARAM_locate_const(exp_params,
++                                                 OSSL_SKEY_PARAM_RAW_BYTES))
++        || !TEST_int_gt(OSSL_PARAM_get_octet_string_ptr(p, &export_key,
++                                                        &export_len), 0)
++        || !TEST_mem_eq(import_key, KEY_SIZE, export_key, export_len))
++        goto end;
++
++    ret = 1;
++end:
++    OSSL_PARAM_free(exp_params);
++    EVP_SKEYMGMT_free(skeymgmt);
++    EVP_SKEY_free(key);
++
++    return ret;
++}
++
+ #define IV_SIZE 16
+ #define DATA_SIZE 32
+ static int test_aes_raw_skey(void)
+@@ -252,6 +312,7 @@ int setup_tests(void)
+         return 0;
+ 
+     ADD_TEST(test_skey_cipher);
++    ADD_TEST(test_skey_skeymgmt);
+ 
+     ADD_TEST(test_aes_raw_skey);
+ #ifndef OPENSSL_NO_DES
+-- 
+2.50.0
+

0052-Red-Hat-9-FIPS-indicator-defines.patch

@@ -0,0 +1,129 @@
+From fcba6e3c26d76ce26ef140f3d07f9cc15e7d98fa Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <beldmit@gmail.com>
+Date: Mon, 12 May 2025 16:21:23 +0200
+Subject: [PATCH 52/53] Red Hat 9 FIPS indicator defines
+
+---
+ include/openssl/evp.h           | 15 +++++++++++++++
+ include/openssl/kdf.h           |  4 ++++
+ util/perl/OpenSSL/paramnames.pm |  7 +++++++
+ 3 files changed, 26 insertions(+)
+
+diff --git a/include/openssl/evp.h b/include/openssl/evp.h
+index e5da1e6415..3849c1779e 100644
+--- a/include/openssl/evp.h
++++ b/include/openssl/evp.h
+@@ -779,6 +779,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags);
+ void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags);
+ int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags);
+ 
++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED     1
++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
++
+ __owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
+                            const unsigned char *key, const unsigned char *iv);
+ __owur int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,
+@@ -850,6 +854,10 @@ __owur int EVP_CipherPipelineFinal(EVP_CIPHER_CTX *ctx,
+ __owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
+                               int *outl);
+ 
++# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED     1
++# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
++
+ __owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
+                          EVP_PKEY *pkey);
+ __owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
+@@ -1249,6 +1257,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx,
+                             void *arg);
+ 
+ /* MAC stuff */
++# define EVP_MAC_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED     1
++# define EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
+ 
+ EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm,
+                        const char *properties);
+@@ -1826,6 +1837,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void);
+ OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx);
+ # endif
+ 
++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED     1
++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
++
+ EVP_KEYMGMT *EVP_KEYMGMT_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
+                                const char *properties);
+ int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt);
+diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
+index 0983230a48..86171635ea 100644
+--- a/include/openssl/kdf.h
++++ b/include/openssl/kdf.h
+@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf,
+ # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY        1
+ # define EVP_KDF_HKDF_MODE_EXPAND_ONLY         2
+ 
++# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED     1
++# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
++
+ #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV     65
+ #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI     66
+ #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
+diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
+index 059b489735..5a1864309d 100644
+--- a/util/perl/OpenSSL/paramnames.pm
++++ b/util/perl/OpenSSL/paramnames.pm
+@@ -143,6 +143,8 @@ my %params = (
+     'CIPHER_PARAM_FIPS_ENCRYPT_CHECK' =>   "encrypt-check", # int
+     'CIPHER_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
+     'CIPHER_PARAM_ALGORITHM_ID' =>         '*ALG_PARAM_ALGORITHM_ID',
++    #Old RedHat FIPS provider compatibility
++    'CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # int
+     # Historically, CIPHER_PARAM_ALGORITHM_ID_PARAMS_OLD was used.  For the
+     # time being, the old libcrypto functions will use both, so old providers
+     # continue to work.
+@@ -190,6 +192,7 @@ my %params = (
+     'MAC_PARAM_SIZE' =>             "size",                     # size_t
+     'MAC_PARAM_BLOCK_SIZE' =>       "block-size",               # size_t
+     'MAC_PARAM_TLS_DATA_SIZE' =>    "tls-data-size",            # size_t
++    'MAC_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",    # size_t
+     'MAC_PARAM_FIPS_NO_SHORT_MAC' =>'*PROV_PARAM_NO_SHORT_MAC',
+     'MAC_PARAM_FIPS_KEY_CHECK' =>   '*PKEY_PARAM_FIPS_KEY_CHECK',
+     'MAC_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
+@@ -234,6 +237,7 @@ my %params = (
+     'KDF_PARAM_X942_SUPP_PUBINFO' =>    "supp-pubinfo",
+     'KDF_PARAM_X942_SUPP_PRIVINFO' =>   "supp-privinfo",
+     'KDF_PARAM_X942_USE_KEYBITS' =>     "use-keybits",
++    'KDF_PARAM_REDHAT_FIPS_INDICATOR' =>     "redhat-fips-indicator",
+     'KDF_PARAM_HMACDRBG_ENTROPY' =>     "entropy",
+     'KDF_PARAM_HMACDRBG_NONCE' =>       "nonce",
+     'KDF_PARAM_THREADS' =>        "threads",                # uint32_t
+@@ -474,6 +478,7 @@ my %params = (
+     'SIGNATURE_PARAM_MGF1_DIGEST' =>          '*PKEY_PARAM_MGF1_DIGEST',
+     'SIGNATURE_PARAM_MGF1_PROPERTIES' =>      '*PKEY_PARAM_MGF1_PROPERTIES',
+     'SIGNATURE_PARAM_DIGEST_SIZE' =>          '*PKEY_PARAM_DIGEST_SIZE',
++    'SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
+     'SIGNATURE_PARAM_NONCE_TYPE' =>           "nonce-type",
+     'SIGNATURE_PARAM_INSTANCE' =>             "instance",
+     'SIGNATURE_PARAM_CONTEXT_STRING' =>       "context-string",
+@@ -508,6 +513,7 @@ my %params = (
+     'ASYM_CIPHER_PARAM_FIPS_RSA_PKCS15_PAD_DISABLED' => '*PROV_PARAM_RSA_PKCS15_PAD_DISABLED',
+     'ASYM_CIPHER_PARAM_FIPS_KEY_CHECK' =>           '*PKEY_PARAM_FIPS_KEY_CHECK',
+     'ASYM_CIPHER_PARAM_FIPS_APPROVED_INDICATOR' =>  '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
++    'ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR' =>    "redhat-fips-indicator",
+ 
+ # Encoder / decoder parameters
+ 
+@@ -541,6 +547,7 @@ my %params = (
+ 
+ # KEM parameters
+     'KEM_PARAM_OPERATION' =>            "operation",
++    'KEM_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
+     'KEM_PARAM_IKME' =>                 "ikme",
+     'KEM_PARAM_FIPS_KEY_CHECK' =>       '*PKEY_PARAM_FIPS_KEY_CHECK',
+     'KEM_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
+-- 
+2.50.0
+

0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch

@@ -0,0 +1,302 @@
+From 75c77ea5f36dbf6d21940ab5bf87dff6acd5b8d6 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <beldmit@gmail.com>
+Date: Fri, 30 May 2025 16:17:37 +0200
+Subject: [PATCH 53/53] Allow hybrid MLKEM in FIPS mode
+
+---
+ crypto/ml_kem/ml_kem.c                        | 11 ++--
+ include/crypto/ml_kem.h                       |  2 +
+ providers/defltprov.c                         |  8 +--
+ providers/implementations/kem/mlx_kem.c       | 33 +++++++++-
+ providers/implementations/keymgmt/mlx_kmgmt.c | 61 ++++++++++++++++++-
+ 5 files changed, 103 insertions(+), 12 deletions(-)
+
+diff --git a/crypto/ml_kem/ml_kem.c b/crypto/ml_kem/ml_kem.c
+index 4474af0f87..6eca7dc29d 100644
+--- a/crypto/ml_kem/ml_kem.c
++++ b/crypto/ml_kem/ml_kem.c
+@@ -1613,6 +1613,7 @@ ML_KEM_KEY *ossl_ml_kem_key_new(OSSL_LIB_CTX *libctx, const char *properties,
+ {
+     const ML_KEM_VINFO *vinfo = ossl_ml_kem_get_vinfo(evp_type);
+     ML_KEM_KEY *key;
++    char *adjusted_propq = NULL;
+ 
+     if (vinfo == NULL) {
+         ERR_raise_data(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT,
+@@ -1623,15 +1624,17 @@ ML_KEM_KEY *ossl_ml_kem_key_new(OSSL_LIB_CTX *libctx, const char *properties,
+     if ((key = OPENSSL_malloc(sizeof(*key))) == NULL)
+         return NULL;
+ 
++    adjusted_propq = get_adjusted_propq(properties);
+     key->vinfo = vinfo;
+     key->libctx = libctx;
+     key->prov_flags = ML_KEM_KEY_PROV_FLAGS_DEFAULT;
+-    key->shake128_md = EVP_MD_fetch(libctx, "SHAKE128", properties);
+-    key->shake256_md = EVP_MD_fetch(libctx, "SHAKE256", properties);
+-    key->sha3_256_md = EVP_MD_fetch(libctx, "SHA3-256", properties);
+-    key->sha3_512_md = EVP_MD_fetch(libctx, "SHA3-512", properties);
++    key->shake128_md = EVP_MD_fetch(libctx, "SHAKE128", adjusted_propq ? adjusted_propq : properties);
++    key->shake256_md = EVP_MD_fetch(libctx, "SHAKE256", adjusted_propq ? adjusted_propq : properties);
++    key->sha3_256_md = EVP_MD_fetch(libctx, "SHA3-256", adjusted_propq ? adjusted_propq : properties);
++    key->sha3_512_md = EVP_MD_fetch(libctx, "SHA3-512", adjusted_propq ? adjusted_propq : properties);
+     key->d = key->z = key->rho = key->pkhash = key->encoded_dk = NULL;
+     key->s = key->m = key->t = NULL;
++    OPENSSL_free(adjusted_propq);
+ 
+     if (key->shake128_md != NULL
+         && key->shake256_md != NULL
+diff --git a/include/crypto/ml_kem.h b/include/crypto/ml_kem.h
+index 67d55697e9..ab1aaae8ac 100644
+--- a/include/crypto/ml_kem.h
++++ b/include/crypto/ml_kem.h
+@@ -278,4 +278,6 @@ int ossl_ml_kem_decap(uint8_t *shared_secret, size_t slen,
+ __owur
+ int ossl_ml_kem_pubkey_cmp(const ML_KEM_KEY *key1, const ML_KEM_KEY *key2);
+ 
++char *get_adjusted_propq(const char *propq);
++
+ #endif  /* OPENSSL_HEADER_ML_KEM_H */
+diff --git a/providers/defltprov.c b/providers/defltprov.c
+index eee2178b41..0dba017f3f 100644
+--- a/providers/defltprov.c
++++ b/providers/defltprov.c
+@@ -517,8 +517,8 @@ static const OSSL_ALGORITHM deflt_asym_kem[] = {
+     { "X448MLKEM1024", "provider=default", ossl_mlx_kem_asym_kem_functions },
+ # endif
+ # if !defined(OPENSSL_NO_EC)
+-    { "SecP256r1MLKEM768", "provider=default", ossl_mlx_kem_asym_kem_functions },
+-    { "SecP384r1MLKEM1024", "provider=default", ossl_mlx_kem_asym_kem_functions },
++    { "SecP256r1MLKEM768", "provider=default,fips=yes", ossl_mlx_kem_asym_kem_functions },
++    { "SecP384r1MLKEM1024", "provider=default,fips=yes", ossl_mlx_kem_asym_kem_functions },
+ # endif
+ #endif
+     { NULL, NULL, NULL }
+@@ -597,9 +597,9 @@ static const OSSL_ALGORITHM deflt_keymgmt[] = {
+       PROV_DESCS_X448MLKEM1024 },
+ # endif
+ # if !defined(OPENSSL_NO_EC)
+-    { PROV_NAMES_SecP256r1MLKEM768, "provider=default", ossl_mlx_p256_kem_kmgmt_functions,
++    { PROV_NAMES_SecP256r1MLKEM768, "provider=default,fips=yes", ossl_mlx_p256_kem_kmgmt_functions,
+       PROV_DESCS_SecP256r1MLKEM768 },
+-    { PROV_NAMES_SecP384r1MLKEM1024, "provider=default", ossl_mlx_p384_kem_kmgmt_functions,
++    { PROV_NAMES_SecP384r1MLKEM1024, "provider=default,fips=yes", ossl_mlx_p384_kem_kmgmt_functions,
+       PROV_DESCS_SecP384r1MLKEM1024 },
+ # endif
+ #endif
+diff --git a/providers/implementations/kem/mlx_kem.c b/providers/implementations/kem/mlx_kem.c
+index 197c345d85..08fbf99a76 100644
+--- a/providers/implementations/kem/mlx_kem.c
++++ b/providers/implementations/kem/mlx_kem.c
+@@ -19,6 +19,7 @@
+ #include "prov/mlx_kem.h"
+ #include "prov/provider_ctx.h"
+ #include "prov/providercommon.h"
++#include <string.h>
+ 
+ static OSSL_FUNC_kem_newctx_fn mlx_kem_newctx;
+ static OSSL_FUNC_kem_freectx_fn mlx_kem_freectx;
+@@ -103,6 +104,28 @@ mlx_kem_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+     return 1;
+ }
+ 
++char *get_adjusted_propq(const char *propq)
++{
++    char *adjusted_propq = NULL;
++    const char *nofips = "-fips";
++    size_t len = propq ? strlen(propq) + 1 + strlen(nofips) + 1 :
++                                             strlen(nofips) + 1;
++    char *ptr = NULL;
++
++    adjusted_propq = OPENSSL_zalloc(len);
++    if (adjusted_propq != NULL) {
++        ptr = adjusted_propq;
++        if (propq && strlen(propq) > 0) {
++            memcpy(ptr, propq, strlen(propq));
++            ptr += strlen(propq);
++            *ptr = ',';
++            ptr++;
++        }
++        memcpy(ptr, nofips, strlen(nofips));
++    }
++    return adjusted_propq;
++}
++
+ static int mlx_kem_encapsulate(void *vctx, unsigned char *ctext, size_t *clen,
+                                unsigned char *shsec, size_t *slen)
+ {
+@@ -115,6 +138,7 @@ static int mlx_kem_encapsulate(void *vctx, unsigned char *ctext, size_t *clen,
+     uint8_t *sbuf;
+     int ml_kem_slot = key->xinfo->ml_kem_slot;
+     int ret = 0;
++    char *adjusted_propq = NULL;
+ 
+     if (!mlx_kem_have_pubkey(key)) {
+         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
+@@ -167,7 +191,8 @@ static int mlx_kem_encapsulate(void *vctx, unsigned char *ctext, size_t *clen,
+     encap_slen = ML_KEM_SHARED_SECRET_BYTES;
+     cbuf = ctext + ml_kem_slot * key->xinfo->pubkey_bytes;
+     sbuf = shsec + ml_kem_slot * key->xinfo->shsec_bytes;
+-    ctx = EVP_PKEY_CTX_new_from_pkey(key->libctx, key->mkey, key->propq);
++    adjusted_propq = get_adjusted_propq(key->propq);
++    ctx = EVP_PKEY_CTX_new_from_pkey(key->libctx, key->mkey, adjusted_propq ? adjusted_propq : key->propq);
+     if (ctx == NULL
+         || EVP_PKEY_encapsulate_init(ctx, NULL) <= 0
+         || EVP_PKEY_encapsulate(ctx, cbuf, &encap_clen, sbuf, &encap_slen) <= 0)
+@@ -237,6 +262,7 @@ static int mlx_kem_encapsulate(void *vctx, unsigned char *ctext, size_t *clen,
+  end:
+     EVP_PKEY_free(xkey);
+     EVP_PKEY_CTX_free(ctx);
++    OPENSSL_free(adjusted_propq);
+     return ret;
+ }
+ 
+@@ -252,6 +278,7 @@ static int mlx_kem_decapsulate(void *vctx, uint8_t *shsec, size_t *slen,
+     size_t decap_clen = key->minfo->ctext_bytes + key->xinfo->pubkey_bytes;
+     int ml_kem_slot = key->xinfo->ml_kem_slot;
+     int ret = 0;
++    char *adjusted_propq = NULL;
+ 
+     if (!mlx_kem_have_prvkey(key)) {
+         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
+@@ -287,7 +314,8 @@ static int mlx_kem_decapsulate(void *vctx, uint8_t *shsec, size_t *slen,
+     decap_slen = ML_KEM_SHARED_SECRET_BYTES;
+     cbuf = ctext + ml_kem_slot * key->xinfo->pubkey_bytes;
+     sbuf = shsec + ml_kem_slot * key->xinfo->shsec_bytes;
+-    ctx = EVP_PKEY_CTX_new_from_pkey(key->libctx, key->mkey, key->propq);
++    adjusted_propq = get_adjusted_propq(key->propq);
++    ctx = EVP_PKEY_CTX_new_from_pkey(key->libctx, key->mkey, adjusted_propq ? adjusted_propq : key->propq);
+     if (ctx == NULL
+         || EVP_PKEY_decapsulate_init(ctx, NULL) <= 0
+         || EVP_PKEY_decapsulate(ctx, sbuf, &decap_slen, cbuf, decap_clen) <= 0)
+@@ -325,6 +353,7 @@ static int mlx_kem_decapsulate(void *vctx, uint8_t *shsec, size_t *slen,
+  end:
+     EVP_PKEY_CTX_free(ctx);
+     EVP_PKEY_free(xkey);
++    OPENSSL_free(adjusted_propq);
+     return ret;
+ }
+ 
+diff --git a/providers/implementations/keymgmt/mlx_kmgmt.c b/providers/implementations/keymgmt/mlx_kmgmt.c
+index bea8783276..aeef0c8f84 100644
+--- a/providers/implementations/keymgmt/mlx_kmgmt.c
++++ b/providers/implementations/keymgmt/mlx_kmgmt.c
+@@ -156,6 +156,52 @@ typedef struct export_cb_arg_st {
+     size_t   prvlen;
+ } EXPORT_CB_ARG;
+ 
++#ifndef FIPS_MODULE
++# include <openssl/bn.h>
++# include <openssl/ec.h>
++static size_t decompress_pub_key(void *pub, size_t compressed_len, size_t decompressed_len)
++{
++    EC_GROUP *group = NULL;
++    EC_POINT *point = NULL;
++    BN_CTX *ctx = NULL;
++    size_t len = compressed_len;
++    int group_nid = NID_undef;
++
++    switch (len) {
++    case 33:
++         group_nid = NID_X9_62_prime256v1;
++       break;
++    case 49:
++         group_nid = NID_secp384r1;
++       break;
++    default:
++       return len;
++       break;
++    }
++
++    ctx = BN_CTX_new();
++    group = EC_GROUP_new_by_curve_name(group_nid);
++    if (ctx == NULL || group == NULL)
++        goto err;
++
++    point = EC_POINT_new(group);
++    if (point == NULL)
++        goto err;
++
++    if (!EC_POINT_oct2point(group, point, pub, len, ctx))
++        goto err;
++
++    len = EC_POINT_point2oct(group, point, POINT_CONVERSION_UNCOMPRESSED, pub, decompressed_len, ctx);
++
++err:
++    EC_POINT_free(point);
++    EC_GROUP_free(group);
++    BN_CTX_free(ctx);
++
++    return len;
++}
++#endif
++
+ /* Copy any exported key material into its storage slot */
+ static int export_sub_cb(const OSSL_PARAM *params, void *varg)
+ {
+@@ -176,6 +222,10 @@ static int export_sub_cb(const OSSL_PARAM *params, void *varg)
+ 
+         if (OSSL_PARAM_get_octet_string(p, &pub, sub_arg->publen, &len) != 1)
+             return 0;
++#ifndef FIPS_MODULE
++        if (len < sub_arg->publen)
++            len = decompress_pub_key(pub, len, sub_arg->publen);
++#endif
+         if (len != sub_arg->publen) {
+             ERR_raise_data(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR,
+                            "Unexpected %s public key length %lu != %lu",
+@@ -344,12 +394,14 @@ load_slot(OSSL_LIB_CTX *libctx, const char *propq, const char *pname,
+     void *val;
+     int ml_kem_slot = key->xinfo->ml_kem_slot;
+     int ret = 0;
++    char *adjusted_propq = NULL;
+ 
+     if (slot == ml_kem_slot) {
+         alg = key->minfo->algorithm_name;
+         ppkey = &key->mkey;
+         off = slot * xbytes;
+         len = mbytes;
++        adjusted_propq = get_adjusted_propq(propq);
+     } else {
+         alg = key->xinfo->algorithm_name;
+         group = (char *) key->xinfo->group_name;
+@@ -359,7 +411,8 @@ load_slot(OSSL_LIB_CTX *libctx, const char *propq, const char *pname,
+     }
+     val = (void *)(in + off);
+ 
+-    if ((ctx = EVP_PKEY_CTX_new_from_name(libctx, alg, propq)) == NULL
++    if ((ctx = EVP_PKEY_CTX_new_from_name(libctx, alg,
++                                          adjusted_propq ? adjusted_propq : propq)) == NULL
+         || EVP_PKEY_fromdata_init(ctx) <= 0)
+         goto err;
+     parr[0] = OSSL_PARAM_construct_octet_string(pname, val, len);
+@@ -370,6 +423,7 @@ load_slot(OSSL_LIB_CTX *libctx, const char *propq, const char *pname,
+         ret = 1;
+ 
+  err:
++    OPENSSL_free(adjusted_propq);
+     EVP_PKEY_CTX_free(ctx);
+     return ret;
+ }
+@@ -688,6 +742,7 @@ static void *mlx_kem_gen(void *vgctx, OSSL_CALLBACK *osslcb, void *cbarg)
+     PROV_ML_KEM_GEN_CTX *gctx = vgctx;
+     MLX_KEY *key;
+     char *propq;
++    char *adjusted_propq = NULL;
+ 
+     if (gctx == NULL
+         || (gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) ==
+@@ -704,8 +759,10 @@ static void *mlx_kem_gen(void *vgctx, OSSL_CALLBACK *osslcb, void *cbarg)
+         return key;
+ 
+     /* For now, using the same "propq" for all components */
+-    key->mkey = EVP_PKEY_Q_keygen(key->libctx, key->propq,
++    adjusted_propq = get_adjusted_propq(propq);
++    key->mkey = EVP_PKEY_Q_keygen(key->libctx, adjusted_propq ? adjusted_propq : key->propq,
+                                   key->minfo->algorithm_name);
++    OPENSSL_free(adjusted_propq);
+     key->xkey = EVP_PKEY_Q_keygen(key->libctx, key->propq,
+                                   key->xinfo->algorithm_name,
+                                   key->xinfo->group_name);
+-- 
+2.50.0
+

0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch

@@ -0,0 +1,64 @@
+From 5389ed0aeb97b290969f923b205e333d4f85fdc3 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Tue, 15 Jul 2025 12:32:14 -0400
+Subject: [PATCH] Temporarily disable SLH-DSA FIPS self-tests
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ providers/fips/self_test_data.inc | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
+index f3059a8446..e924e93018 100644
+--- a/providers/fips/self_test_data.inc
++++ b/providers/fips/self_test_data.inc
+@@ -2862,6 +2862,7 @@ static const ST_KAT_PARAM ml_dsa_sig_init[] = {
+ };
+ #endif /* OPENSSL_NO_ML_DSA */
+ 
++#if 0 /* Temporarily disable SLH-DSA self tests due to performance issues */
+ #ifndef OPENSSL_NO_SLH_DSA
+ /*
+  * Deterministic SLH_DSA key generation supplies the private key elements and
+@@ -2952,6 +2953,7 @@ static const unsigned char slh_dsa_shake_128f_sig_digest[] = {
+     0x89, 0x77, 0x00, 0x72, 0x03, 0x92, 0xd1, 0xa6,
+ };
+ #endif /* OPENSSL_NO_SLH_DSA */
++#endif /* Temporarily disable SLH-DSA self tests due to performance issues */
+ 
+ /* Hash DRBG inputs for signature KATs */
+ static const unsigned char sig_kat_entropyin[] = {
+@@ -3051,6 +3053,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
+         ml_dsa_sig_init
+     },
+ #endif /* OPENSSL_NO_ML_DSA */
++#if 0 /* Temporarily disable SLH-DSA self tests due to performance issues */
+ #ifndef OPENSSL_NO_SLH_DSA
+     /*
+      * FIPS 140-3 IG 10.3.A.16 Note 29 says:
+@@ -3081,6 +3084,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
+         slh_dsa_sig_params, slh_dsa_sig_params
+     },
+ #endif /* OPENSSL_NO_SLH_DSA */
++#endif /* Temporarily disable SLH-DSA self tests due to performance issues */
+ };
+ 
+ #if !defined(OPENSSL_NO_ML_DSA)
+@@ -3485,6 +3489,7 @@ static const ST_KAT_ASYM_KEYGEN st_kat_asym_keygen_tests[] = {
+         ml_dsa_key
+     },
+ # endif
++#if 0 /* Temporarily disable SLH-DSA self tests due to performance issues */
+ # if !defined(OPENSSL_NO_SLH_DSA)
+     {
+         OSSL_SELF_TEST_DESC_KEYGEN_SLH_DSA,
+@@ -3493,5 +3498,6 @@ static const ST_KAT_ASYM_KEYGEN st_kat_asym_keygen_tests[] = {
+         slh_dsa_128f_keygen_expected_params
+     },
+ # endif
++#endif /* Temporarily disable SLH-DSA self tests due to performance issues */
+ };
+ #endif /* !OPENSSL_NO_ML_DSA || !OPENSSL_NO_SLH_DSA */
+-- 
+2.50.1
+

0055-Add-a-define-to-disable-symver-attributes.patch

@@ -0,0 +1,66 @@
+From 5d70f27ffdb520001e560ef0852f29c84e0afa18 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 17 Jul 2025 09:40:34 -0400
+Subject: [PATCH] Add a define to disable symver attributes
+
+Defininig RHEL_NO_SYMVER_ATTRIBUTES for a build now prevents adding
+compatibility symver attributes.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ crypto/evp/digest.c  | 2 +-
+ crypto/evp/evp_enc.c | 2 +-
+ crypto/o_str.c       | 4 ++--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
+index 8ee9db73dd..7ed4933934 100644
+--- a/crypto/evp/digest.c
++++ b/crypto/evp/digest.c
+@@ -573,7 +573,7 @@ int EVP_DigestSqueeze(EVP_MD_CTX *ctx, unsigned char *md, size_t size)
+ }
+ 
+ EVP_MD_CTX
+-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
+ __attribute__ ((symver ("EVP_MD_CTX_dup@@OPENSSL_3.1.0"),
+                     symver ("EVP_MD_CTX_dup@OPENSSL_3.2.0")))
+ #endif
+diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
+index 619cf4f385..9192898d39 100644
+--- a/crypto/evp/evp_enc.c
++++ b/crypto/evp/evp_enc.c
+@@ -1763,7 +1763,7 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
+ }
+ 
+ EVP_CIPHER_CTX
+-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
+ __attribute__ ((symver ("EVP_CIPHER_CTX_dup@@OPENSSL_3.1.0"),
+                     symver ("EVP_CIPHER_CTX_dup@OPENSSL_3.2.0")))
+ #endif
+diff --git a/crypto/o_str.c b/crypto/o_str.c
+index 86442a939e..8c33e4dd63 100644
+--- a/crypto/o_str.c
++++ b/crypto/o_str.c
+@@ -404,7 +404,7 @@ int openssl_strerror_r(int errnum, char *buf, size_t buflen)
+ }
+ 
+ int
+-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
+ __attribute__ ((symver ("OPENSSL_strcasecmp@@OPENSSL_3.0.3"),
+                     symver ("OPENSSL_strcasecmp@OPENSSL_3.0.1")))
+ #endif
+@@ -419,7 +419,7 @@ OPENSSL_strcasecmp(const char *s1, const char *s2)
+ }
+ 
+ int
+-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
+ __attribute__ ((symver ("OPENSSL_strncasecmp@@OPENSSL_3.0.3"),
+                     symver ("OPENSSL_strncasecmp@OPENSSL_3.0.1")))
+ #endif
+-- 
+2.50.1
+

SOURCES/Makefile.certificate

@@ -1,82 +0,0 @@
-UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
-DAYS=365
-KEYLEN=2048
-TYPE=rsa:$(KEYLEN)
-EXTRA_FLAGS=
-ifdef SERIAL
-	EXTRA_FLAGS+=-set_serial $(SERIAL)
-endif
-
-.PHONY: usage
-.SUFFIXES: .key .csr .crt .pem
-.PRECIOUS: %.key %.csr %.crt %.pem
-
-usage:
-	@echo "This makefile allows you to create:"
-	@echo "  o public/private key pairs"
-	@echo "  o SSL certificate signing requests (CSRs)"
-	@echo "  o self-signed SSL test certificates"
-	@echo
-	@echo "To create a key pair, run \"make SOMETHING.key\"."
-	@echo "To create a CSR, run \"make SOMETHING.csr\"."
-	@echo "To create a test certificate, run \"make SOMETHING.crt\"."
-	@echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
-	@echo
-	@echo "To create a key for use with Apache, run \"make genkey\"."
-	@echo "To create a CSR for use with Apache, run \"make certreq\"."
-	@echo "To create a test certificate for use with Apache, run \"make testcert\"."
-	@echo
-	@echo "To create a test certificate with serial number other than random, add SERIAL=num"
-	@echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n"
-	@echo "Any additional options can be passed to openssl req via EXTRA_FLAGS"
-	@echo
-	@echo Examples:
-	@echo "  make server.key"
-	@echo "  make server.csr"
-	@echo "  make server.crt"
-	@echo "  make stunnel.pem"
-	@echo "  make genkey"
-	@echo "  make certreq"
-	@echo "  make testcert"
-	@echo "  make server.crt SERIAL=1"
-	@echo "  make stunnel.pem EXTRA_FLAGS=-sha384"
-	@echo "  make testcert DAYS=600"
-
-%.pem:
-	umask 77 ; \
-	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
-	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
-	/usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 $(EXTRA_FLAGS) ; \
-	cat $$PEM1 >  $@ ; \
-	echo ""    >> $@ ; \
-	cat $$PEM2 >> $@ ; \
-	$(RM) $$PEM1 $$PEM2
-
-%.key:
-	umask 77 ; \
-	/usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@
-
-%.csr: %.key
-	umask 77 ; \
-	/usr/bin/openssl req $(UTF8) -new -key $^ -out $@
-
-%.crt: %.key
-	umask 77 ; \
-	/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ $(EXTRA_FLAGS)
-
-TLSROOT=/etc/pki/tls
-KEY=$(TLSROOT)/private/localhost.key
-CSR=$(TLSROOT)/certs/localhost.csr
-CRT=$(TLSROOT)/certs/localhost.crt
-
-genkey: $(KEY)
-certreq: $(CSR)
-testcert: $(CRT)
-
-$(CSR): $(KEY)
-	umask 77 ; \
-	/usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR)
-
-$(CRT): $(KEY)
-	umask 77 ; \
-	/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) $(EXTRA_FLAGS)

SOURCES/ec_curve.c

@@ -1,582 +0,0 @@
-/*
- * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <string.h>
-#include "ec_local.h"
-#include <openssl/err.h>
-#include <openssl/obj_mac.h>
-#include <openssl/opensslconf.h>
-#include "internal/nelem.h"
-
-typedef struct {
-    int field_type,             /* either NID_X9_62_prime_field or
-                                 * NID_X9_62_characteristic_two_field */
-     seed_len, param_len;
-    unsigned int cofactor;      /* promoted to BN_ULONG */
-} EC_CURVE_DATA;
-
-/* the nist prime curves */
-static const struct {
-    EC_CURVE_DATA h;
-    unsigned char data[20 + 28 * 6];
-} _EC_NIST_PRIME_224 = {
-    {
-        NID_X9_62_prime_field, 20, 28, 1
-    },
-    {
-        /* seed */
-        0xBD, 0x71, 0x34, 0x47, 0x99, 0xD5, 0xC7, 0xFC, 0xDC, 0x45, 0xB5, 0x9F,
-        0xA3, 0xB9, 0xAB, 0x8F, 0x6A, 0x94, 0x8B, 0xC5,
-        /* p */
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0x00, 0x00, 0x00, 0x01,
-        /* a */
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFE,
-        /* b */
-        0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, 0x32, 0x56,
-        0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA, 0x27, 0x0B, 0x39, 0x43,
-        0x23, 0x55, 0xFF, 0xB4,
-        /* x */
-        0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, 0x90, 0xB9,
-        0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xD6,
-        0x11, 0x5C, 0x1D, 0x21,
-        /* y */
-        0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, 0xdf, 0xe6,
-        0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99,
-        0x85, 0x00, 0x7e, 0x34,
-        /* order */
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, 0x13, 0xDD, 0x29, 0x45,
-        0x5C, 0x5C, 0x2A, 0x3D
-    }
-};
-
-static const struct {
-    EC_CURVE_DATA h;
-    unsigned char data[20 + 48 * 6];
-} _EC_NIST_PRIME_384 = {
-    {
-        NID_X9_62_prime_field, 20, 48, 1
-    },
-    {
-        /* seed */
-        0xA3, 0x35, 0x92, 0x6A, 0xA3, 0x19, 0xA2, 0x7A, 0x1D, 0x00, 0x89, 0x6A,
-        0x67, 0x73, 0xA4, 0x82, 0x7A, 0xCD, 0xAC, 0x73,
-        /* p */
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
-        /* a */
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC,
-        /* b */
-        0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B,
-        0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12,
-        0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D,
-        0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF,
-        /* x */
-        0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E,
-        0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98,
-        0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D,
-        0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7,
-        /* y */
-        0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, 0x98, 0xbf,
-        0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c,
-        0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0x0a, 0x60, 0xb1, 0xce,
-        0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f,
-        /* order */
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37, 0x2D, 0xDF, 0x58, 0x1A, 0x0D, 0xB2,
-        0x48, 0xB0, 0xA7, 0x7A, 0xEC, 0xEC, 0x19, 0x6A, 0xCC, 0xC5, 0x29, 0x73
-    }
-};
-
-static const struct {
-    EC_CURVE_DATA h;
-    unsigned char data[20 + 66 * 6];
-} _EC_NIST_PRIME_521 = {
-    {
-        NID_X9_62_prime_field, 20, 66, 1
-    },
-    {
-        /* seed */
-        0xD0, 0x9E, 0x88, 0x00, 0x29, 0x1C, 0xB8, 0x53, 0x96, 0xCC, 0x67, 0x17,
-        0x39, 0x32, 0x84, 0xAA, 0xA0, 0xDA, 0x64, 0xBA,
-        /* p */
-        0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        /* a */
-        0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
-        /* b */
-        0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C, 0x9A, 0x1F, 0x92, 0x9A,
-        0x21, 0xA0, 0xB6, 0x85, 0x40, 0xEE, 0xA2, 0xDA, 0x72, 0x5B, 0x99, 0xB3,
-        0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91, 0x8E, 0xF1, 0x09, 0xE1, 0x56, 0x19,
-        0x39, 0x51, 0xEC, 0x7E, 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1,
-        0xBF, 0x07, 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C, 0x34, 0xF1, 0xEF, 0x45,
-        0x1F, 0xD4, 0x6B, 0x50, 0x3F, 0x00,
-        /* x */
-        0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, 0x9E, 0x3E,
-        0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64, 0x81, 0x39, 0x05, 0x3F,
-        0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B,
-        0x5E, 0x77, 0xEF, 0xE7, 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF,
-        0xA8, 0xDE, 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E,
-        0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66,
-        /* y */
-        0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a,
-        0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b,
-        0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee,
-        0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad,
-        0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe,
-        0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,
-        /* order */
-        0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFA, 0x51, 0x86,
-        0x87, 0x83, 0xBF, 0x2F, 0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09,
-        0xA5, 0xD0, 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C, 0x47, 0xAE, 0xBB, 0x6F,
-        0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09
-    }
-};
-
-static const struct {
-    EC_CURVE_DATA h;
-    unsigned char data[20 + 32 * 6];
-} _EC_X9_62_PRIME_256V1 = {
-    {
-        NID_X9_62_prime_field, 20, 32, 1
-    },
-    {
-        /* seed */
-        0xC4, 0x9D, 0x36, 0x08, 0x86, 0xE7, 0x04, 0x93, 0x6A, 0x66, 0x78, 0xE1,
-        0x13, 0x9D, 0x26, 0xB7, 0x81, 0x9F, 0x7E, 0x90,
-        /* p */
-        0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        /* a */
-        0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
-        /* b */
-        0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55,
-        0x76, 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6,
-        0x3B, 0xCE, 0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B,
-        /* x */
-        0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5,
-        0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0,
-        0xF4, 0xA1, 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96,
-        /* y */
-        0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a,
-        0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce,
-        0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5,
-        /* order */
-        0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84,
-        0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51
-    }
-};
-
-static const struct {
-    EC_CURVE_DATA h;
-    unsigned char data[0 + 32 * 6];
-} _EC_SECG_PRIME_256K1 = {
-    {
-        NID_X9_62_prime_field, 0, 32, 1
-    },
-    {
-        /* no seed */
-        /* p */
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
-        /* a */
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        /* b */
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,
-        /* x */
-        0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95,
-        0xCE, 0x87, 0x0B, 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9,
-        0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, 0x98,
-        /* y */
-        0x48, 0x3a, 0xda, 0x77, 0x26, 0xa3, 0xc4, 0x65, 0x5d, 0xa4, 0xfb, 0xfc,
-        0x0e, 0x11, 0x08, 0xa8, 0xfd, 0x17, 0xb4, 0x48, 0xa6, 0x85, 0x54, 0x19,
-        0x9c, 0x47, 0xd0, 0x8f, 0xfb, 0x10, 0xd4, 0xb8,
-        /* order */
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
-        0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
-    }
-};
-
-typedef struct _ec_list_element_st {
-    int nid;
-    const EC_CURVE_DATA *data;
-    const EC_METHOD *(*meth) (void);
-    const char *comment;
-} ec_list_element;
-
-static const ec_list_element curve_list[] = {
-    /* prime field curves */
-    /* secg curves */
-#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
-    {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
-     "NIST/SECG curve over a 224 bit prime field"},
-#else
-    {NID_secp224r1, &_EC_NIST_PRIME_224.h, 0,
-     "NIST/SECG curve over a 224 bit prime field"},
-#endif
-    {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
-     "SECG curve over a 256 bit prime field"},
-    /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
-    {NID_secp384r1, &_EC_NIST_PRIME_384.h, 0,
-     "NIST/SECG curve over a 384 bit prime field"},
-#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
-    {NID_secp521r1, &_EC_NIST_PRIME_521.h, EC_GFp_nistp521_method,
-     "NIST/SECG curve over a 521 bit prime field"},
-#else
-    {NID_secp521r1, &_EC_NIST_PRIME_521.h, 0,
-     "NIST/SECG curve over a 521 bit prime field"},
-#endif
-    /* X9.62 curves */
-    {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
-#if defined(ECP_NISTZ256_ASM)
-     EC_GFp_nistz256_method,
-#elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
-     EC_GFp_nistp256_method,
-#else
-     0,
-#endif
-     "X9.62/SECG curve over a 256 bit prime field"},
-};
-
-#define curve_list_length OSSL_NELEM(curve_list)
-
-static EC_GROUP *ec_group_new_from_data(const ec_list_element curve)
-{
-    EC_GROUP *group = NULL;
-    EC_POINT *P = NULL;
-    BN_CTX *ctx = NULL;
-    BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL, *order =
-        NULL;
-    int ok = 0;
-    int seed_len, param_len;
-    const EC_METHOD *meth;
-    const EC_CURVE_DATA *data;
-    const unsigned char *params;
-
-    /* If no curve data curve method must handle everything */
-    if (curve.data == NULL)
-        return EC_GROUP_new(curve.meth != NULL ? curve.meth() : NULL);
-
-    if ((ctx = BN_CTX_new()) == NULL) {
-        ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_MALLOC_FAILURE);
-        goto err;
-    }
-
-    data = curve.data;
-    seed_len = data->seed_len;
-    param_len = data->param_len;
-    params = (const unsigned char *)(data + 1); /* skip header */
-    params += seed_len;         /* skip seed */
-
-    if ((p = BN_bin2bn(params + 0 * param_len, param_len, NULL)) == NULL
-        || (a = BN_bin2bn(params + 1 * param_len, param_len, NULL)) == NULL
-        || (b = BN_bin2bn(params + 2 * param_len, param_len, NULL)) == NULL) {
-        ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
-        goto err;
-    }
-
-    if (curve.meth != 0) {
-        meth = curve.meth();
-        if (((group = EC_GROUP_new(meth)) == NULL) ||
-            (!(group->meth->group_set_curve(group, p, a, b, ctx)))) {
-            ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
-            goto err;
-        }
-    } else if (data->field_type == NID_X9_62_prime_field) {
-        if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL) {
-            ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
-            goto err;
-        }
-    }
-#ifndef OPENSSL_NO_EC2M
-    else {                      /* field_type ==
-                                 * NID_X9_62_characteristic_two_field */
-
-        if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL) {
-            ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
-            goto err;
-        }
-    }
-#endif
-
-    EC_GROUP_set_curve_name(group, curve.nid);
-
-    if ((P = EC_POINT_new(group)) == NULL) {
-        ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
-        goto err;
-    }
-
-    if ((x = BN_bin2bn(params + 3 * param_len, param_len, NULL)) == NULL
-        || (y = BN_bin2bn(params + 4 * param_len, param_len, NULL)) == NULL) {
-        ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
-        goto err;
-    }
-    if (!EC_POINT_set_affine_coordinates(group, P, x, y, ctx)) {
-        ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
-        goto err;
-    }
-    if ((order = BN_bin2bn(params + 5 * param_len, param_len, NULL)) == NULL
-        || !BN_set_word(x, (BN_ULONG)data->cofactor)) {
-        ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
-        goto err;
-    }
-    if (!EC_GROUP_set_generator(group, P, order, x)) {
-        ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
-        goto err;
-    }
-    if (seed_len) {
-        if (!EC_GROUP_set_seed(group, params - seed_len, seed_len)) {
-            ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
-            goto err;
-        }
-    }
-    ok = 1;
- err:
-    if (!ok) {
-        EC_GROUP_free(group);
-        group = NULL;
-    }
-    EC_POINT_free(P);
-    BN_CTX_free(ctx);
-    BN_free(p);
-    BN_free(a);
-    BN_free(b);
-    BN_free(order);
-    BN_free(x);
-    BN_free(y);
-    return group;
-}
-
-EC_GROUP *EC_GROUP_new_by_curve_name(int nid)
-{
-    size_t i;
-    EC_GROUP *ret = NULL;
-
-    if (nid <= 0)
-        return NULL;
-
-    for (i = 0; i < curve_list_length; i++)
-        if (curve_list[i].nid == nid) {
-            ret = ec_group_new_from_data(curve_list[i]);
-            break;
-        }
-
-    if (ret == NULL) {
-        ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_UNKNOWN_GROUP);
-        return NULL;
-    }
-
-    return ret;
-}
-
-size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
-{
-    size_t i, min;
-
-    if (r == NULL || nitems == 0)
-        return curve_list_length;
-
-    min = nitems < curve_list_length ? nitems : curve_list_length;
-
-    for (i = 0; i < min; i++) {
-        r[i].nid = curve_list[i].nid;
-        r[i].comment = curve_list[i].comment;
-    }
-
-    return curve_list_length;
-}
-
-/* Functions to translate between common NIST curve names and NIDs */
-
-typedef struct {
-    const char *name;           /* NIST Name of curve */
-    int nid;                    /* Curve NID */
-} EC_NIST_NAME;
-
-static EC_NIST_NAME nist_curves[] = {
-    {"B-163", NID_sect163r2},
-    {"B-233", NID_sect233r1},
-    {"B-283", NID_sect283r1},
-    {"B-409", NID_sect409r1},
-    {"B-571", NID_sect571r1},
-    {"K-163", NID_sect163k1},
-    {"K-233", NID_sect233k1},
-    {"K-283", NID_sect283k1},
-    {"K-409", NID_sect409k1},
-    {"K-571", NID_sect571k1},
-    {"P-192", NID_X9_62_prime192v1},
-    {"P-224", NID_secp224r1},
-    {"P-256", NID_X9_62_prime256v1},
-    {"P-384", NID_secp384r1},
-    {"P-521", NID_secp521r1}
-};
-
-const char *EC_curve_nid2nist(int nid)
-{
-    size_t i;
-    for (i = 0; i < OSSL_NELEM(nist_curves); i++) {
-        if (nist_curves[i].nid == nid)
-            return nist_curves[i].name;
-    }
-    return NULL;
-}
-
-int EC_curve_nist2nid(const char *name)
-{
-    size_t i;
-    for (i = 0; i < OSSL_NELEM(nist_curves); i++) {
-        if (strcmp(nist_curves[i].name, name) == 0)
-            return nist_curves[i].nid;
-    }
-    return NID_undef;
-}
-
-#define NUM_BN_FIELDS 6
-/*
- * Validates EC domain parameter data for known named curves.
- * This can be used when a curve is loaded explicitly (without a curve
- * name) or to validate that domain parameters have not been modified.
- *
- * Returns: The nid associated with the found named curve, or NID_undef
- *          if not found. If there was an error it returns -1.
- */
-int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx)
-{
-    int ret = -1, nid, len, field_type, param_len;
-    size_t i, seed_len;
-    const unsigned char *seed, *params_seed, *params;
-    unsigned char *param_bytes = NULL;
-    const EC_CURVE_DATA *data;
-    const EC_POINT *generator = NULL;
-    const EC_METHOD *meth;
-    const BIGNUM *cofactor = NULL;
-    /* An array of BIGNUMs for (p, a, b, x, y, order) */
-    BIGNUM *bn[NUM_BN_FIELDS] = {NULL, NULL, NULL, NULL, NULL, NULL};
-
-    meth = EC_GROUP_method_of(group);
-    if (meth == NULL)
-        return -1;
-    /* Use the optional named curve nid as a search field */
-    nid = EC_GROUP_get_curve_name(group);
-    field_type = EC_METHOD_get_field_type(meth);
-    seed_len = EC_GROUP_get_seed_len(group);
-    seed = EC_GROUP_get0_seed(group);
-    cofactor = EC_GROUP_get0_cofactor(group);
-
-    BN_CTX_start(ctx);
-
-    /*
-     * The built-in curves contains data fields (p, a, b, x, y, order) that are
-     * all zero-padded to be the same size. The size of the padding is
-     * determined by either the number of bytes in the field modulus (p) or the
-     * EC group order, whichever is larger.
-     */
-    param_len = BN_num_bytes(group->order);
-    len = BN_num_bytes(group->field);
-    if (len > param_len)
-        param_len = len;
-
-    /* Allocate space to store the padded data for (p, a, b, x, y, order)  */
-    param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS);
-    if (param_bytes == NULL)
-        goto end;
-
-    /* Create the bignums */
-    for (i = 0; i < NUM_BN_FIELDS; ++i) {
-        if ((bn[i] = BN_CTX_get(ctx)) == NULL)
-            goto end;
-    }
-    /*
-     * Fill in the bn array with the same values as the internal curves
-     * i.e. the values are p, a, b, x, y, order.
-     */
-    /* Get p, a & b */
-    if (!(EC_GROUP_get_curve(group, bn[0], bn[1], bn[2], ctx)
-        && ((generator = EC_GROUP_get0_generator(group)) != NULL)
-        /* Get x & y */
-        && EC_POINT_get_affine_coordinates(group, generator, bn[3], bn[4], ctx)
-        /* Get order */
-        && EC_GROUP_get_order(group, bn[5], ctx)))
-        goto end;
-
-   /*
-     * Convert the bignum array to bytes that are joined together to form
-     * a single buffer that contains data for all fields.
-     * (p, a, b, x, y, order) are all zero padded to be the same size.
-     */
-    for (i = 0; i < NUM_BN_FIELDS; ++i) {
-        if (BN_bn2binpad(bn[i], &param_bytes[i*param_len], param_len) <= 0)
-            goto end;
-    }
-
-    for (i = 0; i < curve_list_length; i++) {
-        const ec_list_element curve = curve_list[i];
-
-        data = curve.data;
-        /* Get the raw order byte data */
-        params_seed = (const unsigned char *)(data + 1); /* skip header */
-        params = params_seed + data->seed_len;
-
-        /* Look for unique fields in the fixed curve data */
-        if (data->field_type == field_type
-            && param_len == data->param_len
-            && (nid <= 0 || nid == curve.nid)
-            /* check the optional cofactor (ignore if its zero) */
-            && (BN_is_zero(cofactor)
-                || BN_is_word(cofactor, (const BN_ULONG)curve.data->cofactor))
-            /* Check the optional seed (ignore if its not set) */
-            && (data->seed_len == 0 || seed_len == 0
-                || ((size_t)data->seed_len == seed_len
-                     && memcmp(params_seed, seed, seed_len) == 0))
-            /* Check that the groups params match the built-in curve params */
-            && memcmp(param_bytes, params, param_len * NUM_BN_FIELDS)
-                             == 0) {
-            ret = curve.nid;
-            goto end;
-        }
-    }
-    /* Gets here if the group was not found */
-    ret = NID_undef;
-end:
-    OPENSSL_free(param_bytes);
-    BN_CTX_end(ctx);
-    return ret;
-}

SOURCES/hobble-openssl

@@ -1,40 +0,0 @@
-#!/bin/sh
-
-# Quit out if anything fails.
-set -e
-
-# Clean out patent-or-otherwise-encumbered code.
-# MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway
-# IDEA:  5,214,703 07/01/2012 - expired, we do not remove it anymore
-# RC5:   5,724,428 01/11/2015 - expired, we do not remove it anymore
-# EC:    ????????? ??/??/2020
-# SRP:   ????????? ??/??/2017 - expired, we do not remove it anymore
-
-# Remove assembler portions of IDEA, MDC2, and RC5.
-# (find crypto/rc5/asm -type f | xargs -r rm -fv)
-
-for c in `find crypto/bn -name "*gf2m.c"`; do
-	echo Destroying $c
-	> $c
-done
-
-for c in `find crypto/ec -name "ec2*.c" -o -name "ec_curve.c"`; do
-	echo Destroying $c
-	> $c
-done
-
-for c in `find test -name "ectest.c"`; do
-	echo Destroying $c
-	> $c
-done
-
-for h in `find crypto ssl apps test -name "*.h"` ; do
-	echo Removing EC2M references from $h
-	cat $h | \
-	awk    'BEGIN {ech=1;} \
-		/^#[ \t]*ifndef.*NO_EC2M/ {ech--; next;} \
-                /^#[ \t]*if/ {if(ech < 1) ech--;} \
-		{if(ech>0) {;print $0};} \
-		/^#[ \t]*endif/ {if(ech < 1) ech++;}' > $h.hobbled && \
-	mv $h.hobbled $h
-done

SOURCES/openssl-1.1.1-addrconfig.patch

@@ -1,31 +0,0 @@
-From a3f4cd5019b60649f6eb216ebe99caa43cd96f8e Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Mon, 26 Apr 2021 14:40:17 +0200
-Subject: [PATCH] BIO_lookup_ex: use AI_ADDRCONFIG only if explicit host name
- is given
-
-The flag only affects which record types are queried (A or AAAA, or
-both), and when node is NULL, it prevents getaddrinfo returning the
-right address associated with the loopback interface.
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- crypto/bio/b_addr.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/crypto/bio/b_addr.c b/crypto/bio/b_addr.c
-index b023bbda40..ea15601f3d 100644
---- a/crypto/bio/b_addr.c
-+++ b/crypto/bio/b_addr.c
-@@ -689,7 +689,7 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type,
-         hints.ai_protocol = protocol;
- # ifdef AI_ADDRCONFIG
- #  ifdef AF_UNSPEC
--        if (family == AF_UNSPEC)
-+        if (host != NULL && family == AF_UNSPEC)
- #  endif
-             hints.ai_flags |= AI_ADDRCONFIG;
- # endif
--- 
-2.30.2
-

SOURCES/openssl-1.1.1-alpn-cb.patch

@@ -1,27 +0,0 @@
-commit 9e885a707d604e9528b5491b78fb9c00f41193fc
-Author: Tomas Mraz <tmraz@fedoraproject.org>
-Date:   Thu Mar 26 15:59:00 2020 +0100
-
-    s_server: Properly indicate ALPN protocol mismatch
-    
-    Return SSL_TLSEXT_ERR_ALERT_FATAL from alpn_select_cb so that
-    an alert is sent to the client on ALPN protocol mismatch.
-    
-    Fixes: #2708
-    
-    Reviewed-by: Matt Caswell <matt@openssl.org>
-    (Merged from https://github.com/openssl/openssl/pull/11415)
-
-diff --git a/apps/s_server.c b/apps/s_server.c
-index bcc83e562c..591c6c19c5 100644
---- a/apps/s_server.c
-+++ b/apps/s_server.c
-@@ -707,7 +707,7 @@ static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
-     if (SSL_select_next_proto
-         ((unsigned char **)out, outlen, alpn_ctx->data, alpn_ctx->len, in,
-          inlen) != OPENSSL_NPN_NEGOTIATED) {
--        return SSL_TLSEXT_ERR_NOACK;
-+        return SSL_TLSEXT_ERR_ALERT_FATAL;
-     }
- 
-     if (!s_quiet) {

SOURCES/openssl-1.1.1-apps-dgst.patch

@@ -1,12 +0,0 @@
-diff -up openssl-1.1.1b/apps/ca.c.dgst openssl-1.1.1b/apps/ca.c
---- openssl-1.1.1b/apps/ca.c.dgst	2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/apps/ca.c	2019-03-15 15:53:46.622267688 +0100
-@@ -169,7 +169,7 @@ const OPTIONS ca_options[] = {
-     {"enddate", OPT_ENDDATE, 's',
-      "YYMMDDHHMMSSZ cert notAfter (overrides -days)"},
-     {"days", OPT_DAYS, 'p', "Number of days to certify the cert for"},
--    {"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"},
-+    {"md", OPT_MD, 's', "md to use; see openssl help for list"},
-     {"policy", OPT_POLICY, 's', "The CA 'policy' to support"},
-     {"keyfile", OPT_KEYFILE, 's', "Private key"},
-     {"keyform", OPT_KEYFORM, 'f', "Private key file format (PEM or ENGINE)"},

SOURCES/openssl-1.1.1-build.patch

@@ -1,40 +0,0 @@
-diff -up openssl-1.1.1f/Configurations/10-main.conf.build openssl-1.1.1f/Configurations/10-main.conf
---- openssl-1.1.1f/Configurations/10-main.conf.build	2020-03-31 14:17:45.000000000 +0200
-+++ openssl-1.1.1f/Configurations/10-main.conf	2020-04-07 16:42:10.920546387 +0200
-@@ -678,6 +678,7 @@ my %targets = (
-         cxxflags         => add("-m64"),
-         lib_cppflags     => add("-DL_ENDIAN"),
-         perlasm_scheme   => "linux64le",
-+        multilib         => "64",
-     },
- 
-     "linux-armv4" => {
-@@ -718,6 +719,7 @@ my %targets = (
-     "linux-aarch64" => {
-         inherit_from     => [ "linux-generic64", asm("aarch64_asm") ],
-         perlasm_scheme   => "linux64",
-+        multilib         => "64",
-     },
-     "linux-arm64ilp32" => {  # https://wiki.linaro.org/Platform/arm64-ilp32
-         inherit_from     => [ "linux-generic32", asm("aarch64_asm") ],
-diff -up openssl-1.1.1f/Configurations/unix-Makefile.tmpl.build openssl-1.1.1f/Configurations/unix-Makefile.tmpl
---- openssl-1.1.1f/Configurations/unix-Makefile.tmpl.build	2020-04-07 16:42:10.920546387 +0200
-+++ openssl-1.1.1f/Configurations/unix-Makefile.tmpl	2020-04-07 16:44:23.539142108 +0200
-@@ -823,7 +823,7 @@ uninstall_runtime_libs:
- install_man_docs:
- 	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- 	@$(ECHO) "*** Installing manpages"
--	$(PERL) $(SRCDIR)/util/process_docs.pl \
-+	TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
- 		"--destdir=$(DESTDIR)$(MANDIR)" --type=man --suffix=$(MANSUFFIX)
- 
- uninstall_man_docs:
-@@ -835,7 +835,7 @@ uninstall_man_docs:
- install_html_docs:
- 	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- 	@$(ECHO) "*** Installing HTML manpages"
--	$(PERL) $(SRCDIR)/util/process_docs.pl \
-+	TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
- 		"--destdir=$(DESTDIR)$(HTMLDIR)" --type=html
- 
- uninstall_html_docs:

SOURCES/openssl-1.1.1-cleanup-peer-point-reneg.patch

@@ -1,36 +0,0 @@
-diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl/statem/extensions.c
---- openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg	2021-03-25 14:28:38.000000000 +0100
-+++ openssl-1.1.1k/ssl/statem/extensions.c	2021-06-24 16:16:19.526181743 +0200
-@@ -42,6 +42,7 @@ static int tls_parse_certificate_authori
- #ifndef OPENSSL_NO_SRP
- static int init_srp(SSL *s, unsigned int context);
- #endif
-+static int init_ec_point_formats(SSL *s, unsigned int context);
- static int init_etm(SSL *s, unsigned int context);
- static int init_ems(SSL *s, unsigned int context);
- static int final_ems(SSL *s, unsigned int context, int sent);
-@@ -158,7 +159,7 @@ static const EXTENSION_DEFINITION ext_de
-         TLSEXT_TYPE_ec_point_formats,
-         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
-         | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
--        NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
-+        init_ec_point_formats, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
-         tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
-         final_ec_pt_formats
-     },
-@@ -1164,6 +1165,15 @@ static int init_srp(SSL *s, unsigned int
- }
- #endif
- 
-+static int init_ec_point_formats(SSL *s, unsigned int context)
-+{
-+	    OPENSSL_free(s->ext.peer_ecpointformats);
-+	    s->ext.peer_ecpointformats = NULL;
-+	    s->ext.peer_ecpointformats_len = 0;
-+
-+	    return 1;
-+}
-+
- static int init_etm(SSL *s, unsigned int context)
- {
-     s->ext.use_etm = 0;

SOURCES/openssl-1.1.1-conf-paths.patch

@@ -1,56 +0,0 @@
-diff -up openssl-1.1.1-pre8/apps/CA.pl.in.conf-paths openssl-1.1.1-pre8/apps/CA.pl.in
---- openssl-1.1.1-pre8/apps/CA.pl.in.conf-paths	2018-06-20 16:48:09.000000000 +0200
-+++ openssl-1.1.1-pre8/apps/CA.pl.in	2018-07-25 17:26:58.388624296 +0200
-@@ -33,7 +33,7 @@ my $X509 = "$openssl x509";
- my $PKCS12 = "$openssl pkcs12";
- 
- # default openssl.cnf file has setup as per the following
--my $CATOP = "./demoCA";
-+my $CATOP = "/etc/pki/CA";
- my $CAKEY = "cakey.pem";
- my $CAREQ = "careq.pem";
- my $CACERT = "cacert.pem";
-diff -up openssl-1.1.1-pre8/apps/openssl.cnf.conf-paths openssl-1.1.1-pre8/apps/openssl.cnf
---- openssl-1.1.1-pre8/apps/openssl.cnf.conf-paths	2018-07-25 17:26:58.378624057 +0200
-+++ openssl-1.1.1-pre8/apps/openssl.cnf	2018-07-27 13:20:08.198513471 +0200
-@@ -23,6 +23,22 @@ oid_section		= new_oids
- # (Alternatively, use a configuration file that has only
- # X.509v3 extensions in its main [= default] section.)
- 
-+# Load default TLS policy configuration
-+
-+openssl_conf = default_modules
-+
-+[ default_modules ]
-+
-+ssl_conf = ssl_module
-+
-+[ ssl_module ]
-+
-+system_default = crypto_policy
-+
-+[ crypto_policy ]
-+
-+.include /etc/crypto-policies/back-ends/opensslcnf.config
-+
- [ new_oids ]
- 
- # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
-@@ -43,7 +59,7 @@ default_ca	= CA_default		# The default c
- ####################################################################
- [ CA_default ]
- 
--dir		= ./demoCA		# Where everything is kept
-+dir		= /etc/pki/CA		# Where everything is kept
- certs		= $dir/certs		# Where the issued certs are kept
- crl_dir		= $dir/crl		# Where the issued crl are kept
- database	= $dir/index.txt	# database index file.
-@@ -329,7 +345,7 @@ default_tsa = tsa_config1	# the default
- [ tsa_config1 ]
- 
- # These are used by the TSA reply generation only.
--dir		= ./demoCA		# TSA root directory
-+dir		= /etc/pki/CA		# TSA root directory
- serial		= $dir/tsaserial	# The current serial number (mandatory)
- crypto_device	= builtin		# OpenSSL engine to use for signing
- signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate

SOURCES/openssl-1.1.1-cve-2022-0778.patch

@@ -1,179 +0,0 @@
-From 3118eb64934499d93db3230748a452351d1d9a65 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Mon, 28 Feb 2022 18:26:21 +0100
-Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt()
-
-The calculation in some cases does not finish for non-prime p.
-
-This fixes CVE-2022-0778.
-
-Based on patch by David Benjamin <davidben@google.com>.
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
----
- crypto/bn/bn_sqrt.c | 30 ++++++++++++++++++------------
- 1 file changed, 18 insertions(+), 12 deletions(-)
-
-From b5fcb7e133725b8b2eb66f63f5142710ed63a6d1 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Mon, 28 Feb 2022 18:26:30 +0100
-Subject: [PATCH] Add documentation of BN_mod_sqrt()
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
----
- doc/man3/BN_add.pod | 15 +++++++++++++--
- 1 file changed, 13 insertions(+), 2 deletions(-)
-
-From 3ef5c3034e5c545f34d6929568f3f2b10ac4bdf0 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Mon, 28 Feb 2022 18:26:35 +0100
-Subject: [PATCH] Add a negative testcase for BN_mod_sqrt
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
----
- test/bntest.c                          | 11 ++++++++++-
- test/recipes/10-test_bn_data/bnmod.txt | 12 ++++++++++++
- 2 files changed, 22 insertions(+), 1 deletion(-)
-
-diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c
-index 1723d5ded5a8..53b0f559855c 100644
---- a/crypto/bn/bn_sqrt.c
-+++ b/crypto/bn/bn_sqrt.c
-@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
- /*
-  * Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
-  * algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
-- * Theory", algorithm 1.5.1). 'p' must be prime!
-+ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
-+ * an incorrect "result" will be returned.
-  */
- {
-     BIGNUM *ret = in;
-@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
-             goto vrfy;
-         }
- 
--        /* find smallest  i  such that  b^(2^i) = 1 */
--        i = 1;
--        if (!BN_mod_sqr(t, b, p, ctx))
--            goto end;
--        while (!BN_is_one(t)) {
--            i++;
--            if (i == e) {
--                BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
--                goto end;
-+        /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
-+        for (i = 1; i < e; i++) {
-+            if (i == 1) {
-+                if (!BN_mod_sqr(t, b, p, ctx))
-+                    goto end;
-+
-+            } else {
-+                if (!BN_mod_mul(t, t, t, p, ctx))
-+                    goto end;
-             }
--            if (!BN_mod_mul(t, t, t, p, ctx))
--                goto end;
-+            if (BN_is_one(t))
-+                break;
-+        }
-+        /* If not found, a is not a square or p is not prime. */
-+        if (i >= e) {
-+            BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
-+            goto end;
-         }
- 
-         /* t := y^2^(e - i - 1) */
-diff --git a/doc/man3/BN_add.pod b/doc/man3/BN_add.pod
-index dccd4790ede7..1f5e37a4d183 100644
---- a/doc/man3/BN_add.pod
-+++ b/doc/man3/BN_add.pod
-@@ -3,7 +3,7 @@
- =head1 NAME
- 
- BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add,
--BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_exp, BN_mod_exp, BN_gcd -
-+BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_mod_sqrt, BN_exp, BN_mod_exp, BN_gcd -
- arithmetic operations on BIGNUMs
- 
- =head1 SYNOPSIS
-@@ -36,6 +36,8 @@ arithmetic operations on BIGNUMs
- 
-  int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
- 
-+ BIGNUM *BN_mod_sqrt(BIGNUM *in, BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
-+
-  int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
- 
-  int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
-@@ -87,6 +89,12 @@ L<BN_mod_mul_reciprocal(3)>.
- BN_mod_sqr() takes the square of I<a> modulo B<m> and places the
- result in I<r>.
- 
-+BN_mod_sqrt() returns the modular square root of I<a> such that
-+C<in^2 = a (mod p)>. The modulus I<p> must be a
-+prime, otherwise an error or an incorrect "result" will be returned.
-+The result is stored into I<in> which can be NULL. The result will be
-+newly allocated in that case.
-+
- BN_exp() raises I<a> to the I<p>-th power and places the result in I<r>
- (C<r=a^p>). This function is faster than repeated applications of
- BN_mul().
-@@ -108,7 +116,10 @@ the arguments.
- 
- =head1 RETURN VALUES
- 
--For all functions, 1 is returned for success, 0 on error. The return
-+The BN_mod_sqrt() returns the result (possibly incorrect if I<p> is
-+not a prime), or NULL.
-+
-+For all remaining functions, 1 is returned for success, 0 on error. The return
- value should always be checked (e.g., C<if (!BN_add(r,a,b)) goto err;>).
- The error codes can be obtained by L<ERR_get_error(3)>.
- 
-diff --git a/test/bntest.c b/test/bntest.c
-index 390dd800733e..1cab660bcafb 100644
---- a/test/bntest.c
-+++ b/test/bntest.c
-@@ -1729,8 +1729,17 @@ static int file_modsqrt(STANZA *s)
-             || !TEST_ptr(ret2 = BN_new()))
-         goto err;
- 
-+    if (BN_is_negative(mod_sqrt)) {
-+        /* A negative testcase */
-+        if (!TEST_ptr_null(BN_mod_sqrt(ret, a, p, ctx)))
-+            goto err;
-+
-+        st = 1;
-+        goto err;
-+    }
-+
-     /* There are two possible answers. */
--    if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx))
-+    if (!TEST_ptr(BN_mod_sqrt(ret, a, p, ctx))
-             || !TEST_true(BN_sub(ret2, p, ret)))
-         goto err;
- 
-diff --git a/test/recipes/10-test_bn_data/bnmod.txt b/test/recipes/10-test_bn_data/bnmod.txt
-index 5ea4d031f271..e28cc6bfb02e 100644
---- a/test/recipes/10-test_bn_data/bnmod.txt
-+++ b/test/recipes/10-test_bn_data/bnmod.txt
-@@ -2799,3 +2799,15 @@ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
- ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186
- A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81
- P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
-+
-+# Negative testcases for BN_mod_sqrt()
-+
-+# This one triggers an infinite loop with unfixed implementation
-+# It should just fail.
-+ModSqrt = -1
-+A = 20a7ee
-+P = 460201
-+
-+ModSqrt = -1
-+A = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ed
-+P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f

SOURCES/openssl-1.1.1-cve-2022-1292.patch

@@ -1,74 +0,0 @@
-From e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Tue, 26 Apr 2022 12:40:24 +0200
-Subject: [PATCH] c_rehash: Do not use shell to invoke openssl
-
-Except on VMS where it is safe.
-
-This fixes CVE-2022-1292.
-
-Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23]
----
- tools/c_rehash.in | 29 +++++++++++++++++++++++++----
- 1 file changed, 25 insertions(+), 4 deletions(-)
-
-diff --git a/tools/c_rehash.in b/tools/c_rehash.in
-index fa7c6c9fef91..83c1cc80e08a 100644
---- a/tools/c_rehash.in
-+++ b/tools/c_rehash.in
-@@ -152,6 +152,23 @@ sub check_file {
- 	return ($is_cert, $is_crl);
- }
- 
-+sub compute_hash {
-+    my $fh;
-+    if ( $^O eq "VMS" ) {
-+        # VMS uses the open through shell
-+        # The file names are safe there and list form is unsupported
-+        if (!open($fh, "-|", join(' ', @_))) {
-+            print STDERR "Cannot compute hash on '$fname'\n";
-+            return;
-+        }
-+    } else {
-+        if (!open($fh, "-|", @_)) {
-+            print STDERR "Cannot compute hash on '$fname'\n";
-+            return;
-+        }
-+    }
-+    return (<$fh>, <$fh>);
-+}
- 
- # Link a certificate to its subject name hash value, each hash is of
- # the form <hash>.<n> where n is an integer. If the hash value already exists
-@@ -161,10 +178,12 @@ sub check_file {
- 
- sub link_hash_cert {
- 		my $fname = $_[0];
--		$fname =~ s/\"/\\\"/g;
--		my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
-+		my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
-+						   "-fingerprint", "-noout",
-+						   "-in", $fname);
- 		chomp $hash;
- 		chomp $fprint;
-+		return if !$hash;
- 		$fprint =~ s/^.*=//;
- 		$fprint =~ tr/://d;
- 		my $suffix = 0;
-@@ -202,10 +221,12 @@ sub link_hash_cert {
- 
- sub link_hash_crl {
- 		my $fname = $_[0];
--		$fname =~ s/'/'\\''/g;
--		my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
-+		my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
-+						   "-fingerprint", "-noout",
-+						   "-in", $fname);
- 		chomp $hash;
- 		chomp $fprint;
-+		return if !$hash;
- 		$fprint =~ s/^.*=//;
- 		$fprint =~ tr/://d;
- 		my $suffix = 0;

SOURCES/openssl-1.1.1-cve-2022-2068.patch

@@ -1,255 +0,0 @@
-From 9639817dac8bbbaa64d09efad7464ccc405527c7 Mon Sep 17 00:00:00 2001
-From: Daniel Fiala <daniel@openssl.org>
-Date: Sun, 29 May 2022 20:11:24 +0200
-Subject: [PATCH] Fix file operations in c_rehash.
-
-CVE-2022-2068
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-Upstream-Status: Backport [https://github.com/openssl/openssl/commit/9639817dac8bbbaa64d09efad7464ccc405527c7]
----
- tools/c_rehash.in | 216 +++++++++++++++++++++++-----------------------
- 1 file changed, 107 insertions(+), 109 deletions(-)
-
-diff --git a/tools/c_rehash.in b/tools/c_rehash.in
-index cfd18f5da110..9d2a6f6db73b 100644
---- a/tools/c_rehash.in
-+++ b/tools/c_rehash.in
-@@ -104,52 +104,78 @@ foreach (@dirlist) {
- }
- exit($errorcount);
- 
-+sub copy_file {
-+    my ($src_fname, $dst_fname) = @_;
-+
-+    if (open(my $in, "<", $src_fname)) {
-+        if (open(my $out, ">", $dst_fname)) {
-+            print $out $_ while (<$in>);
-+            close $out;
-+        } else {
-+            warn "Cannot open $dst_fname for write, $!";
-+        }
-+        close $in;
-+    } else {
-+        warn "Cannot open $src_fname for read, $!";
-+    }
-+}
-+
- sub hash_dir {
--	my %hashlist;
--	print "Doing $_[0]\n";
--	chdir $_[0];
--	opendir(DIR, ".");
--	my @flist = sort readdir(DIR);
--	closedir DIR;
--	if ( $removelinks ) {
--		# Delete any existing symbolic links
--		foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
--			if (-l $_) {
--				print "unlink $_" if $verbose;
--				unlink $_ || warn "Can't unlink $_, $!\n";
--			}
--		}
--	}
--	FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
--		# Check to see if certificates and/or CRLs present.
--		my ($cert, $crl) = check_file($fname);
--		if (!$cert && !$crl) {
--			print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
--			next;
--		}
--		link_hash_cert($fname) if ($cert);
--		link_hash_crl($fname) if ($crl);
--	}
-+    my $dir = shift;
-+    my %hashlist;
-+
-+    print "Doing $dir\n";
-+
-+    if (!chdir $dir) {
-+        print STDERR "WARNING: Cannot chdir to '$dir', $!\n";
-+        return;
-+    }
-+
-+    opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n";
-+    my @flist = sort readdir(DIR);
-+    closedir DIR;
-+    if ( $removelinks ) {
-+        # Delete any existing symbolic links
-+        foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
-+            if (-l $_) {
-+                print "unlink $_\n" if $verbose;
-+                unlink $_ || warn "Can't unlink $_, $!\n";
-+            }
-+        }
-+    }
-+    FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
-+        # Check to see if certificates and/or CRLs present.
-+        my ($cert, $crl) = check_file($fname);
-+        if (!$cert && !$crl) {
-+            print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
-+            next;
-+        }
-+        link_hash_cert($fname) if ($cert);
-+        link_hash_crl($fname) if ($crl);
-+    }
-+
-+    chdir $pwd;
- }
- 
- sub check_file {
--	my ($is_cert, $is_crl) = (0,0);
--	my $fname = $_[0];
--	open IN, $fname;
--	while(<IN>) {
--		if (/^-----BEGIN (.*)-----/) {
--			my $hdr = $1;
--			if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
--				$is_cert = 1;
--				last if ($is_crl);
--			} elsif ($hdr eq "X509 CRL") {
--				$is_crl = 1;
--				last if ($is_cert);
--			}
--		}
--	}
--	close IN;
--	return ($is_cert, $is_crl);
-+    my ($is_cert, $is_crl) = (0,0);
-+    my $fname = $_[0];
-+
-+    open(my $in, "<", $fname);
-+    while(<$in>) {
-+        if (/^-----BEGIN (.*)-----/) {
-+            my $hdr = $1;
-+            if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
-+                $is_cert = 1;
-+                last if ($is_crl);
-+            } elsif ($hdr eq "X509 CRL") {
-+                $is_crl = 1;
-+                last if ($is_cert);
-+            }
-+        }
-+    }
-+    close $in;
-+    return ($is_cert, $is_crl);
- }
- 
- sub compute_hash {
-@@ -177,76 +203,48 @@ sub compute_hash {
- # certificate fingerprints
- 
- sub link_hash_cert {
--		my $fname = $_[0];
--		my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
--						   "-fingerprint", "-noout",
--						   "-in", $fname);
--		chomp $hash;
--		chomp $fprint;
--		return if !$hash;
--		$fprint =~ s/^.*=//;
--		$fprint =~ tr/://d;
--		my $suffix = 0;
--		# Search for an unused hash filename
--		while(exists $hashlist{"$hash.$suffix"}) {
--			# Hash matches: if fingerprint matches its a duplicate cert
--			if ($hashlist{"$hash.$suffix"} eq $fprint) {
--				print STDERR "WARNING: Skipping duplicate certificate $fname\n";
--				return;
--			}
--			$suffix++;
--		}
--		$hash .= ".$suffix";
--		if ($symlink_exists) {
--			print "link $fname -> $hash\n" if $verbose;
--			symlink $fname, $hash || warn "Can't symlink, $!";
--		} else {
--			print "copy $fname -> $hash\n" if $verbose;
--                        if (open($in, "<", $fname)) {
--                            if (open($out,">", $hash)) {
--                                print $out $_ while (<$in>);
--                                close $out;
--                            } else {
--                                warn "can't open $hash for write, $!";
--                            }
--                            close $in;
--                        } else {
--                            warn "can't open $fname for read, $!";
--                        }
--		}
--		$hashlist{$hash} = $fprint;
-+    link_hash($_[0], 'cert');
- }
- 
- # Same as above except for a CRL. CRL links are of the form <hash>.r<n>
- 
- sub link_hash_crl {
--		my $fname = $_[0];
--		my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
--						   "-fingerprint", "-noout",
--						   "-in", $fname);
--		chomp $hash;
--		chomp $fprint;
--		return if !$hash;
--		$fprint =~ s/^.*=//;
--		$fprint =~ tr/://d;
--		my $suffix = 0;
--		# Search for an unused hash filename
--		while(exists $hashlist{"$hash.r$suffix"}) {
--			# Hash matches: if fingerprint matches its a duplicate cert
--			if ($hashlist{"$hash.r$suffix"} eq $fprint) {
--				print STDERR "WARNING: Skipping duplicate CRL $fname\n";
--				return;
--			}
--			$suffix++;
--		}
--		$hash .= ".r$suffix";
--		if ($symlink_exists) {
--			print "link $fname -> $hash\n" if $verbose;
--			symlink $fname, $hash || warn "Can't symlink, $!";
--		} else {
--			print "cp $fname -> $hash\n" if $verbose;
--			system ("cp", $fname, $hash);
--                        warn "Can't copy, $!" if ($? >> 8) != 0;
--		}
--		$hashlist{$hash} = $fprint;
-+    link_hash($_[0], 'crl');
-+}
-+
-+sub link_hash {
-+    my ($fname, $type) = @_;
-+    my $is_cert = $type eq 'cert';
-+
-+    my ($hash, $fprint) = compute_hash($openssl,
-+                                       $is_cert ? "x509" : "crl",
-+                                       $is_cert ? $x509hash : $crlhash,
-+                                       "-fingerprint", "-noout",
-+                                       "-in", $fname);
-+    chomp $hash;
-+    chomp $fprint;
-+    return if !$hash;
-+    $fprint =~ s/^.*=//;
-+    $fprint =~ tr/://d;
-+    my $suffix = 0;
-+    # Search for an unused hash filename
-+    my $crlmark = $is_cert ? "" : "r";
-+    while(exists $hashlist{"$hash.$crlmark$suffix"}) {
-+        # Hash matches: if fingerprint matches its a duplicate cert
-+        if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) {
-+            my $what = $is_cert ? 'certificate' : 'CRL';
-+            print STDERR "WARNING: Skipping duplicate $what $fname\n";
-+            return;
-+        }
-+        $suffix++;
-+    }
-+    $hash .= ".$crlmark$suffix";
-+    if ($symlink_exists) {
-+        print "link $fname -> $hash\n" if $verbose;
-+        symlink $fname, $hash || warn "Can't symlink, $!";
-+    } else {
-+        print "copy $fname -> $hash\n" if $verbose;
-+        copy_file($fname, $hash);
-+    }
-+    $hashlist{$hash} = $fprint;
- }

SOURCES/openssl-1.1.1-cve-2022-2097.patch

@@ -1,152 +0,0 @@
-From 919925673d6c9cfed3c1085497f5dfbbed5fc431 Mon Sep 17 00:00:00 2001
-From: Alex Chernyakhovsky <achernya@google.com>
-Date: Thu, 16 Jun 2022 12:00:22 +1000
-Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
-that performs operations on 6 16-byte blocks concurrently (the
-"grandloop") and then proceeds to handle the "short" tail (which can
-be anywhere from 0 to 5 blocks) that remain.
-
-As part of initialization, the assembly initializes $len to the true
-length, less 96 bytes and converts it to a pointer so that the $inp
-can be compared to it. Each iteration of "grandloop" checks to see if
-there's a full 96-byte chunk to process, and if so, continues. Once
-this has been exhausted, it falls through to "short", which handles
-the remaining zero to five blocks.
-
-Unfortunately, the jump at the end of "grandloop" had a fencepost
-error, doing a `jb` ("jump below") rather than `jbe` (jump below or
-equal). This should be `jbe`, as $inp is pointing to the *end* of the
-chunk currently being handled. If $inp == $len, that means that
-there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
-then there's 5 or fewer 16-byte blocks left to be handled, and the
-fall-through is intended.
-
-The net effect of `jb` instead of `jbe` is that the last 16-byte block
-of the last 96-byte chunk was completely omitted. The contents of
-`out` in this position were never written to. Additionally, since
-those bytes were never processed, the authentication tag generated is
-also incorrect.
-
-The same fencepost error, and identical logic, exists in both
-aesni_ocb_encrypt and aesni_ocb_decrypt.
-
-This addresses CVE-2022-2097.
-
-Co-authored-by: Alejandro Sedeño <asedeno@google.com>
-Co-authored-by: David Benjamin <davidben@google.com>
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-Upstream-Status: Backport [https://github.com/openssl/openssl/commit/919925673d6c9cfed3c1085497f5dfbbed5fc431]
----
- crypto/aes/asm/aesni-x86.pl | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl
-index fe2b26542ab6..812758e02e04 100644
---- a/crypto/aes/asm/aesni-x86.pl
-+++ b/crypto/aes/asm/aesni-x86.pl
-@@ -2027,7 +2027,7 @@ sub aesni_generate6
- 	&movdqu		(&QWP(-16*2,$out,$inp),$inout4);
- 	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
- 	&cmp		($inp,$len);			# done yet?
--	&jb		(&label("grandloop"));
-+	&jbe		(&label("grandloop"));
- 
- &set_label("short");
- 	&add		($len,16*6);
-@@ -2453,7 +2453,7 @@ sub aesni_generate6
- 	&pxor		($rndkey1,$inout5);
- 	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
- 	&cmp		($inp,$len);			# done yet?
--	&jb		(&label("grandloop"));
-+	&jbe		(&label("grandloop"));
- 
- &set_label("short");
- 	&add		($len,16*6);
-From 9131afdca30b6d1650af9ea6179569a80ab8cb06 Mon Sep 17 00:00:00 2001
-From: Alex Chernyakhovsky <achernya@google.com>
-Date: Thu, 16 Jun 2022 12:02:37 +1000
-Subject: [PATCH] AES OCB test vectors
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Add test vectors for AES OCB for x86 AES-NI multiple of 96 byte issue.
-
-Co-authored-by: Alejandro Sedeño <asedeno@google.com>
-Co-authored-by: David Benjamin <davidben@google.com>
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-Upstream-Status: Backport [https://github.com/openssl/openssl/commit/9131afdca30b6d1650af9ea6179569a80ab8cb06]
----
- test/recipes/30-test_evp_data/evpciph.txt | 50 +++++++++++++++++++++++
- 1 file changed, 50 insertions(+)
-
-diff --git a/test/recipes/30-test_evp_data/evpciph.txt b/test/recipes/30-test_evp_data/evpciph.txt
-index 1c02ea1e9c2d..e12670d9a4b4 100644
---- a/test/recipes/30-test_evp_data/evpciph.txt
-+++ b/test/recipes/30-test_evp_data/evpciph.txt
-@@ -1188,6 +1188,56 @@ Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B21
- Operation = DECRYPT
- Result = CIPHERFINAL_ERROR
- 
-+#Test vectors generated to validate aesni_ocb_encrypt on x86
-+Cipher = aes-128-ocb
-+Key = 000102030405060708090A0B0C0D0E0F
-+IV = 000000000001020304050607
-+Tag = C14DFF7D62A13C4A3422456207453190
-+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
-+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B819333
-+
-+Cipher = aes-128-ocb
-+Key = 000102030405060708090A0B0C0D0E0F
-+IV = 000000000001020304050607
-+Tag = D47D84F6FF912C79B6A4223AB9BE2DB8
-+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F
-+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC204
-+
-+Cipher = aes-128-ocb
-+Key = 000102030405060708090A0B0C0D0E0F
-+IV = 000000000001020304050607
-+Tag = 41970D13737B7BD1B5FBF49ED4412CA5
-+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D
-+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91
-+
-+Cipher = aes-128-ocb
-+Key = 000102030405060708090A0B0C0D0E0F
-+IV = 000000000001020304050607
-+Tag = BE0228651ED4E48A11BDED68D953F3A0
-+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
-+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F
-+
-+Cipher = aes-128-ocb
-+Key = 000102030405060708090A0B0C0D0E0F
-+IV = 000000000001020304050607
-+Tag = 17BC6E10B16E5FDC52836E7D589518C7
-+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D
-+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B
-+
-+Cipher = aes-128-ocb
-+Key = 000102030405060708090A0B0C0D0E0F
-+IV = 000000000001020304050607
-+Tag = E84AAC18666116990A3A37B3A5FC55BD
-+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D
-+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED
-+
-+Cipher = aes-128-ocb
-+Key = 000102030405060708090A0B0C0D0E0F
-+IV = 000000000001020304050607
-+Tag = 3E5EA7EE064FE83B313E28D411E91EAD
-+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D
-+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED48D9E09F452F8E6FBEB76A3DED47611C
-+
- Title = AES XTS test vectors from IEEE Std 1619-2007
- 
- # Using the same key twice for encryption is always banned.

SOURCES/openssl-1.1.1-cve-2022-4304-RSA-oracle.patch

@@ -1,805 +0,0 @@
-From 43d8f88511991533f53680a751e9326999a6a31f Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 20 Jan 2023 15:26:54 +0000
-Subject: [PATCH 1/6] Fix Timing Oracle in RSA decryption
-
-A timing based side channel exists in the OpenSSL RSA Decryption
-implementation which could be sufficient to recover a plaintext across
-a network in a Bleichenbacher style attack. To achieve a successful
-decryption an attacker would have to be able to send a very large number
-of trial messages for decryption. The vulnerability affects all RSA
-padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
-
-Patch written by Dmitry Belyavsky and Hubert Kario
-
-CVE-2022-4304
-
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
----
- crypto/bn/bn_blind.c    |  14 -
- crypto/bn/bn_err.c      |   2 +
- crypto/bn/bn_local.h    |  14 +
- crypto/bn/build.info    |   3 +-
- crypto/bn/rsa_sup_mul.c | 614 ++++++++++++++++++++++++++++++++++++++++
- crypto/err/openssl.txt  |   3 +-
- crypto/rsa/rsa_ossl.c   |  17 +-
- include/crypto/bn.h     |   5 +
- include/openssl/bnerr.h |   1 +
- 9 files changed, 653 insertions(+), 20 deletions(-)
- create mode 100644 crypto/bn/rsa_sup_mul.c
-
-diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c
-index 76fc7ebcff..6e9d239321 100644
---- a/crypto/bn/bn_blind.c
-+++ b/crypto/bn/bn_blind.c
-@@ -13,20 +13,6 @@
- 
- #define BN_BLINDING_COUNTER     32
- 
--struct bn_blinding_st {
--    BIGNUM *A;
--    BIGNUM *Ai;
--    BIGNUM *e;
--    BIGNUM *mod;                /* just a reference */
--    CRYPTO_THREAD_ID tid;
--    int counter;
--    unsigned long flags;
--    BN_MONT_CTX *m_ctx;
--    int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
--                       const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
--    CRYPTO_RWLOCK *lock;
--};
--
- BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
- {
-     BN_BLINDING *ret = NULL;
-diff --git a/crypto/bn/bn_err.c b/crypto/bn/bn_err.c
-index dd87c152cf..3dd8d9a568 100644
---- a/crypto/bn/bn_err.c
-+++ b/crypto/bn/bn_err.c
-@@ -73,6 +73,8 @@ static const ERR_STRING_DATA BN_str_functs[] = {
-     {ERR_PACK(ERR_LIB_BN, BN_F_BN_SET_WORDS, 0), "bn_set_words"},
-     {ERR_PACK(ERR_LIB_BN, BN_F_BN_STACK_PUSH, 0), "BN_STACK_push"},
-     {ERR_PACK(ERR_LIB_BN, BN_F_BN_USUB, 0), "BN_usub"},
-+    {ERR_PACK(ERR_LIB_BN, BN_F_OSSL_BN_RSA_DO_UNBLIND, 0),
-+    "ossl_bn_rsa_do_unblind"},
-     {0, NULL}
- };
- 
-diff --git a/crypto/bn/bn_local.h b/crypto/bn/bn_local.h
-index 62a969b134..4d8cb64675 100644
---- a/crypto/bn/bn_local.h
-+++ b/crypto/bn/bn_local.h
-@@ -283,6 +283,20 @@ struct bn_gencb_st {
-     } cb;
- };
- 
-+struct bn_blinding_st {
-+    BIGNUM *A;
-+    BIGNUM *Ai;
-+    BIGNUM *e;
-+    BIGNUM *mod;                /* just a reference */
-+    CRYPTO_THREAD_ID tid;
-+    int counter;
-+    unsigned long flags;
-+    BN_MONT_CTX *m_ctx;
-+    int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
-+                       const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
-+    CRYPTO_RWLOCK *lock;
-+};
-+
- /*-
-  * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions
-  *
-diff --git a/crypto/bn/build.info b/crypto/bn/build.info
-index b9ed5322fa..c9fe2fdada 100644
---- a/crypto/bn/build.info
-+++ b/crypto/bn/build.info
-@@ -5,7 +5,8 @@ SOURCE[../../libcrypto]=\
-         bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c \
-         {- $target{bn_asm_src} -} \
-         bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \
--        bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c
-+        bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c \
-+        rsa_sup_mul.c
- 
- INCLUDE[bn_exp.o]=..
- 
-diff --git a/crypto/bn/rsa_sup_mul.c b/crypto/bn/rsa_sup_mul.c
-new file mode 100644
-index 0000000000..acafefd5fe
---- /dev/null
-+++ b/crypto/bn/rsa_sup_mul.c
-@@ -0,0 +1,614 @@
-+#include <openssl/e_os2.h>
-+#include <stddef.h>
-+#include <sys/types.h>
-+#include <string.h>
-+#include <openssl/bn.h>
-+#include <openssl/err.h>
-+#include <openssl/rsaerr.h>
-+#include "internal/numbers.h"
-+#include "internal/constant_time.h"
-+#include "bn_local.h"
-+
-+# if BN_BYTES == 8
-+typedef uint64_t limb_t;
-+#  if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16
-+/* nonstandard; implemented by gcc on 64-bit platforms */
-+typedef __uint128_t limb2_t;
-+#   define HAVE_LIMB2_T
-+#  endif
-+#  define LIMB_BIT_SIZE 64
-+#  define LIMB_BYTE_SIZE 8
-+# elif BN_BYTES == 4
-+typedef uint32_t limb_t;
-+typedef uint64_t limb2_t;
-+#  define LIMB_BIT_SIZE 32
-+#  define LIMB_BYTE_SIZE 4
-+#  define HAVE_LIMB2_T
-+# else
-+#  error "Not supported"
-+# endif
-+
-+/*
-+ * For multiplication we're using schoolbook multiplication,
-+ * so if we have two numbers, each with 6 "digits" (words)
-+ * the multiplication is calculated as follows:
-+ *                        A B C D E F
-+ *                     x  I J K L M N
-+ *                     --------------
-+ *                                N*F
-+ *                              N*E
-+ *                            N*D
-+ *                          N*C
-+ *                        N*B
-+ *                      N*A
-+ *                              M*F
-+ *                            M*E
-+ *                          M*D
-+ *                        M*C
-+ *                      M*B
-+ *                    M*A
-+ *                            L*F
-+ *                          L*E
-+ *                        L*D
-+ *                      L*C
-+ *                    L*B
-+ *                  L*A
-+ *                          K*F
-+ *                        K*E
-+ *                      K*D
-+ *                    K*C
-+ *                  K*B
-+ *                K*A
-+ *                        J*F
-+ *                      J*E
-+ *                    J*D
-+ *                  J*C
-+ *                J*B
-+ *              J*A
-+ *                      I*F
-+ *                    I*E
-+ *                  I*D
-+ *                I*C
-+ *              I*B
-+ *         +  I*A
-+ *         ==========================
-+ *                        N*B N*D N*F
-+ *                    + N*A N*C N*E
-+ *                    + M*B M*D M*F
-+ *                  + M*A M*C M*E
-+ *                  + L*B L*D L*F
-+ *                + L*A L*C L*E
-+ *                + K*B K*D K*F
-+ *              + K*A K*C K*E
-+ *              + J*B J*D J*F
-+ *            + J*A J*C J*E
-+ *            + I*B I*D I*F
-+ *          + I*A I*C I*E
-+ *
-+ *                1+1 1+3 1+5
-+ *              1+0 1+2 1+4
-+ *              0+1 0+3 0+5
-+ *            0+0 0+2 0+4
-+ *
-+ *            0 1 2 3 4 5 6
-+ * which requires n^2 multiplications and 2n full length additions
-+ * as we can keep every other result of limb multiplication in two separate
-+ * limbs
-+ */
-+
-+#if defined HAVE_LIMB2_T
-+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
-+{
-+    limb2_t t;
-+    /*
-+     * this is idiomatic code to tell compiler to use the native mul
-+     * those three lines will actually compile to single instruction
-+     */
-+
-+    t = (limb2_t)a * b;
-+    *hi = t >> LIMB_BIT_SIZE;
-+    *lo = (limb_t)t;
-+}
-+#elif (BN_BYTES == 8) && (defined _MSC_VER)
-+/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */
-+#pragma intrinsic(_umul128)
-+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
-+{
-+    *lo = _umul128(a, b, hi);
-+}
-+#else
-+/*
-+ * if the compiler doesn't have either a 128bit data type nor a "return
-+ * high 64 bits of multiplication"
-+ */
-+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
-+{
-+    limb_t a_low = (limb_t)(uint32_t)a;
-+    limb_t a_hi = a >> 32;
-+    limb_t b_low = (limb_t)(uint32_t)b;
-+    limb_t b_hi = b >> 32;
-+
-+    limb_t p0 = a_low * b_low;
-+    limb_t p1 = a_low * b_hi;
-+    limb_t p2 = a_hi * b_low;
-+    limb_t p3 = a_hi * b_hi;
-+
-+    uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32);
-+
-+    *lo = p0 + (p1 << 32) + (p2 << 32);
-+    *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy;
-+}
-+#endif
-+
-+/* add two limbs with carry in, return carry out */
-+static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry)
-+{
-+    limb_t carry1, carry2, t;
-+    /*
-+     * `c = a + b; if (c < a)` is idiomatic code that makes compilers
-+     * use add with carry on assembly level
-+     */
-+
-+    *ret = a + carry;
-+    if (*ret < a)
-+        carry1 = 1;
-+    else
-+        carry1 = 0;
-+
-+    t = *ret;
-+    *ret = t + b;
-+    if (*ret < t)
-+        carry2 = 1;
-+    else
-+        carry2 = 0;
-+
-+    return carry1 + carry2;
-+}
-+
-+/*
-+ * add two numbers of the same size, return overflow
-+ *
-+ * add a to b, place result in ret; all arrays need to be n limbs long
-+ * return overflow from addition (0 or 1)
-+ */
-+static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n)
-+{
-+    limb_t c = 0;
-+    ossl_ssize_t i;
-+
-+    for(i = n - 1; i > -1; i--)
-+        c = _add_limb(&ret[i], a[i], b[i], c);
-+
-+    return c;
-+}
-+
-+/*
-+ * return number of limbs necessary for temporary values
-+ * when multiplying numbers n limbs large
-+ */
-+static ossl_inline size_t mul_limb_numb(size_t n)
-+{
-+    return  2 * n * 2;
-+}
-+
-+/*
-+ * multiply two numbers of the same size
-+ *
-+ * multiply a by b, place result in ret; a and b need to be n limbs long
-+ * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs
-+ * long
-+ */
-+static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp)
-+{
-+    limb_t *r_odd, *r_even;
-+    size_t i, j, k;
-+
-+    r_odd = tmp;
-+    r_even = &tmp[2 * n];
-+
-+    memset(ret, 0, 2 * n * sizeof(limb_t));
-+
-+    for (i = 0; i < n; i++) {
-+        for (k = 0; k < i + n + 1; k++) {
-+            r_even[k] = 0;
-+            r_odd[k] = 0;
-+        }
-+        for (j = 0; j < n; j++) {
-+            /*
-+             * place results from even and odd limbs in separate arrays so that
-+             * we don't have to calculate overflow every time we get individual
-+             * limb multiplication result
-+             */
-+            if (j % 2 == 0)
-+                _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]);
-+            else
-+                _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]);
-+        }
-+        /*
-+         * skip the least significant limbs when adding multiples of
-+         * more significant limbs (they're zero anyway)
-+         */
-+        add(ret, ret, r_even, n + i + 1);
-+        add(ret, ret, r_odd, n + i + 1);
-+    }
-+}
-+
-+/* modifies the value in place by performing a right shift by one bit */
-+static ossl_inline void rshift1(limb_t *val, size_t n)
-+{
-+    limb_t shift_in = 0, shift_out = 0;
-+    size_t i;
-+
-+    for (i = 0; i < n; i++) {
-+        shift_out = val[i] & 1;
-+        val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1);
-+        shift_in = shift_out;
-+    }
-+}
-+
-+/* extend the LSB of flag to all bits of limb */
-+static ossl_inline limb_t mk_mask(limb_t flag)
-+{
-+    flag |= flag << 1;
-+    flag |= flag << 2;
-+    flag |= flag << 4;
-+    flag |= flag << 8;
-+    flag |= flag << 16;
-+#if (LIMB_BYTE_SIZE == 8)
-+    flag |= flag << 32;
-+#endif
-+    return flag;
-+}
-+
-+/*
-+ * copy from either a or b to ret based on flag
-+ * when flag == 0, then copies from b
-+ * when flag == 1, then copies from a
-+ */
-+static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n)
-+{
-+    /*
-+     * would be more efficient with non volatile mask, but then gcc
-+     * generates code with jumps
-+     */
-+    volatile limb_t mask;
-+    size_t i;
-+
-+    mask = mk_mask(flag);
-+    for (i = 0; i < n; i++) {
-+#if (LIMB_BYTE_SIZE == 8)
-+        ret[i] = constant_time_select_64(mask, a[i], b[i]);
-+#else
-+        ret[i] = constant_time_select_32(mask, a[i], b[i]);
-+#endif
-+    }
-+}
-+
-+static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow)
-+{
-+    limb_t borrow1, borrow2, t;
-+    /*
-+     * while it doesn't look constant-time, this is idiomatic code
-+     * to tell compilers to use the carry bit from subtraction
-+     */
-+
-+    *ret = a - borrow;
-+    if (*ret > a)
-+        borrow1 = 1;
-+    else
-+        borrow1 = 0;
-+
-+    t = *ret;
-+    *ret = t - b;
-+    if (*ret > t)
-+        borrow2 = 1;
-+    else
-+        borrow2 = 0;
-+
-+    return borrow1 + borrow2;
-+}
-+
-+/*
-+ * place the result of a - b into ret, return the borrow bit.
-+ * All arrays need to be n limbs long
-+ */
-+static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n)
-+{
-+    limb_t borrow = 0;
-+    ossl_ssize_t i;
-+
-+    for (i = n - 1; i > -1; i--)
-+        borrow = _sub_limb(&ret[i], a[i], b[i], borrow);
-+
-+    return borrow;
-+}
-+
-+/* return the number of limbs necessary to allocate for the mod() tmp operand */
-+static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum)
-+{
-+    return (anum + modnum) * 3;
-+}
-+
-+/*
-+ * calculate a % mod, place the result in ret
-+ * size of a is defined by anum, size of ret and mod is modnum,
-+ * size of tmp is returned by mod_limb_numb()
-+ */
-+static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,
-+               size_t modnum, limb_t *tmp)
-+{
-+    limb_t *atmp, *modtmp, *rettmp;
-+    limb_t res;
-+    size_t i;
-+
-+    memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE);
-+
-+    atmp = tmp;
-+    modtmp = &tmp[anum + modnum];
-+    rettmp = &tmp[(anum + modnum) * 2];
-+
-+    for (i = modnum; i <modnum + anum; i++)
-+        atmp[i] = a[i-modnum];
-+
-+    for (i = 0; i < modnum; i++)
-+        modtmp[i] = mod[i];
-+
-+    for (i = 0; i < anum * LIMB_BIT_SIZE; i++) {
-+        rshift1(modtmp, anum + modnum);
-+        res = sub(rettmp, atmp, modtmp, anum+modnum);
-+        cselect(res, atmp, atmp, rettmp, anum+modnum);
-+    }
-+
-+    memcpy(ret, &atmp[anum], sizeof(limb_t) * modnum);
-+}
-+
-+/* necessary size of tmp for a _mul_add_limb() call with provided anum */
-+static ossl_inline size_t _mul_add_limb_numb(size_t anum)
-+{
-+    return 2 * (anum + 1);
-+}
-+
-+/* multiply a by m, add to ret, return carry */
-+static limb_t _mul_add_limb(limb_t *ret, limb_t *a, size_t anum,
-+                           limb_t m, limb_t *tmp)
-+{
-+    limb_t carry = 0;
-+    limb_t *r_odd, *r_even;
-+    size_t i;
-+
-+    memset(tmp, 0, sizeof(limb_t) * (anum + 1) * 2);
-+
-+    r_odd = tmp;
-+    r_even = &tmp[anum + 1];
-+
-+    for (i = 0; i < anum; i++) {
-+        /*
-+         * place the results from even and odd limbs in separate arrays
-+         * so that we have to worry about carry just once
-+         */
-+        if (i % 2 == 0)
-+            _mul_limb(&r_even[i], &r_even[i + 1], a[i], m);
-+        else
-+            _mul_limb(&r_odd[i], &r_odd[i + 1], a[i], m);
-+    }
-+    /* assert: add() carry here will be equal zero */
-+    add(r_even, r_even, r_odd, anum + 1);
-+    /*
-+     * while here it will not overflow as the max value from multiplication
-+     * is -2 while max overflow from addition is 1, so the max value of
-+     * carry is -1 (i.e. max int)
-+     */
-+    carry = add(ret, ret, &r_even[1], anum) + r_even[0];
-+
-+    return carry;
-+}
-+
-+static ossl_inline size_t mod_montgomery_limb_numb(size_t modnum)
-+{
-+    return modnum * 2 + _mul_add_limb_numb(modnum);
-+}
-+
-+/*
-+ * calculate a % mod, place result in ret
-+ * assumes that a is in Montgomery form with the R (Montgomery modulus) being
-+ * smallest power of two big enough to fit mod and that's also a power
-+ * of the count of number of bits in limb_t (B).
-+ * For calculation, we also need n', such that mod * n' == -1 mod B.
-+ * anum must be <= 2 * modnum
-+ * ret needs to be modnum words long
-+ * tmp needs to be mod_montgomery_limb_numb(modnum) limbs long
-+ */
-+static void mod_montgomery(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,
-+                          size_t modnum, limb_t ni0, limb_t *tmp)
-+{
-+    limb_t carry, v;
-+    limb_t *res, *rp, *tmp2;
-+    ossl_ssize_t i;
-+
-+    res = tmp;
-+    /*
-+     * for intermediate result we need an integer twice as long as modulus
-+     * but keep the input in the least significant limbs
-+     */
-+    memset(res, 0, sizeof(limb_t) * (modnum * 2));
-+    memcpy(&res[modnum * 2 - anum], a, sizeof(limb_t) * anum);
-+    rp = &res[modnum];
-+    tmp2 = &res[modnum * 2];
-+
-+    carry = 0;
-+
-+    /* add multiples of the modulus to the value until R divides it cleanly */
-+    for (i = modnum; i > 0; i--, rp--) {
-+        v = _mul_add_limb(rp, mod, modnum, rp[modnum - 1] * ni0, tmp2);
-+        v = v + carry + rp[-1];
-+        carry |= (v != rp[-1]);
-+        carry &= (v <= rp[-1]);
-+        rp[-1] = v;
-+    }
-+
-+    /* perform the final reduction by mod... */
-+    carry -= sub(ret, rp, mod, modnum);
-+
-+    /* ...conditionally */
-+    cselect(carry, ret, rp, ret, modnum);
-+}
-+
-+/* allocated buffer should be freed afterwards */
-+static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs)
-+{
-+    int i;
-+    int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
-+    limb_t *ptr = buf + (limbs - real_limbs);
-+
-+    for (i = 0; i < real_limbs; i++)
-+         ptr[i] = bn->d[real_limbs - i - 1];
-+}
-+
-+#if LIMB_BYTE_SIZE == 8
-+static ossl_inline uint64_t be64(uint64_t host)
-+{
-+    const union {
-+        long one;
-+        char little;
-+    } is_endian = { 1 };
-+
-+    if (is_endian.little) {
-+        uint64_t big = 0;
-+
-+        big |= (host & 0xff00000000000000) >> 56;
-+        big |= (host & 0x00ff000000000000) >> 40;
-+        big |= (host & 0x0000ff0000000000) >> 24;
-+        big |= (host & 0x000000ff00000000) >>  8;
-+        big |= (host & 0x00000000ff000000) <<  8;
-+        big |= (host & 0x0000000000ff0000) << 24;
-+        big |= (host & 0x000000000000ff00) << 40;
-+        big |= (host & 0x00000000000000ff) << 56;
-+        return big;
-+    } else {
-+        return host;
-+    }
-+}
-+
-+#else
-+/* Not all platforms have htobe32(). */
-+static ossl_inline uint32_t be32(uint32_t host)
-+{
-+    const union {
-+        long one;
-+        char little;
-+    } is_endian = { 1 };
-+
-+    if (is_endian.little) {
-+        uint32_t big = 0;
-+
-+        big |= (host & 0xff000000) >> 24;
-+        big |= (host & 0x00ff0000) >> 8;
-+        big |= (host & 0x0000ff00) << 8;
-+        big |= (host & 0x000000ff) << 24;
-+        return big;
-+    } else {
-+        return host;
-+    }
-+}
-+#endif
-+
-+/*
-+ * We assume that intermediate, possible_arg2, blinding, and ctx are used
-+ * similar to BN_BLINDING_invert_ex() arguments.
-+ * to_mod is RSA modulus.
-+ * buf and num is the serialization buffer and its length.
-+ *
-+ * Here we use classic/Montgomery multiplication and modulo. After the calculation finished
-+ * we serialize the new structure instead of BIGNUMs taking endianness into account.
-+ */
-+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,
-+                           const BN_BLINDING *blinding,
-+                           const BIGNUM *possible_arg2,
-+                           const BIGNUM *to_mod, BN_CTX *ctx,
-+                           unsigned char *buf, int num)
-+{
-+    limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL;
-+    limb_t *l_ret = NULL, *l_tmp = NULL, l_buf;
-+    size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0;
-+    size_t l_tmp_count = 0;
-+    int ret = 0;
-+    size_t i;
-+    unsigned char *tmp;
-+    const BIGNUM *arg1 = intermediate;
-+    const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2;
-+
-+    l_im_count  = (BN_num_bytes(arg1)   + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
-+    l_mul_count = (BN_num_bytes(arg2)   + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
-+    l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
-+
-+    l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count;
-+    l_im  = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);
-+    l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);
-+    l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE);
-+
-+    if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL))
-+        goto err;
-+
-+    BN_to_limb(arg1,   l_im,  l_size);
-+    BN_to_limb(arg2,   l_mul, l_size);
-+    BN_to_limb(to_mod, l_mod, l_mod_count);
-+
-+    l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE);
-+
-+    if (blinding->m_ctx != NULL) {
-+        l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ?
-+                      mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count);
-+        l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);
-+    } else {
-+        l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ?
-+                      mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count);
-+        l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);
-+    }
-+
-+    if ((l_ret == NULL) || (l_tmp == NULL))
-+        goto err;
-+
-+    if (blinding->m_ctx != NULL) {
-+        limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);
-+        mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count,
-+                       blinding->m_ctx->n0[0], l_tmp);
-+    } else {
-+        limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);
-+        mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp);
-+    }
-+
-+    /* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */
-+    if (num < BN_num_bytes(to_mod)) {
-+        BNerr(BN_F_OSSL_BN_RSA_DO_UNBLIND, ERR_R_PASSED_INVALID_ARGUMENT);
-+        goto err;
-+    }
-+
-+    memset(buf, 0, num);
-+    tmp = buf + num - BN_num_bytes(to_mod);
-+    for (i = 0; i < l_mod_count; i++) {
-+#if LIMB_BYTE_SIZE == 8
-+        l_buf = be64(l_ret[i]);
-+#else
-+        l_buf = be32(l_ret[i]);
-+#endif
-+        if (i == 0) {
-+            int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num);
-+
-+            memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta);
-+            tmp += delta;
-+        } else {
-+            memcpy(tmp, &l_buf, LIMB_BYTE_SIZE);
-+            tmp += LIMB_BYTE_SIZE;
-+        }
-+    }
-+    ret = num;
-+
-+ err:
-+    OPENSSL_free(l_im);
-+    OPENSSL_free(l_mul);
-+    OPENSSL_free(l_mod);
-+    OPENSSL_free(l_tmp);
-+    OPENSSL_free(l_ret);
-+
-+    return ret;
-+}
-diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
-index 9f91a4a811..ba3a46d5b9 100644
---- a/crypto/err/openssl.txt
-+++ b/crypto/err/openssl.txt
-@@ -1,4 +1,4 @@
--# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
-+# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
- #
- # Licensed under the OpenSSL license (the "License").  You may not use
- # this file except in compliance with the License.  You can obtain a copy
-@@ -232,6 +232,7 @@ BN_F_BN_RSHIFT:146:BN_rshift
- BN_F_BN_SET_WORDS:144:bn_set_words
- BN_F_BN_STACK_PUSH:148:BN_STACK_push
- BN_F_BN_USUB:115:BN_usub
-+BN_F_OSSL_BN_RSA_DO_UNBLIND:151:ossl_bn_rsa_do_unblind
- BUF_F_BUF_MEM_GROW:100:BUF_MEM_grow
- BUF_F_BUF_MEM_GROW_CLEAN:105:BUF_MEM_grow_clean
- BUF_F_BUF_MEM_NEW:101:BUF_MEM_new
-diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
-index b52a66f6a6..6c3c0cf78d 100644
---- a/crypto/rsa/rsa_ossl.c
-+++ b/crypto/rsa/rsa_ossl.c
-@@ -465,11 +465,20 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
-         BN_free(d);
-     }
- 
--    if (blinding)
--        if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
-+    if (blinding) {
-+        /*
-+         * ossl_bn_rsa_do_unblind() combines blinding inversion and
-+         * 0-padded BN BE serialization
-+         */
-+        j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx,
-+                                   buf, num);
-+        if (j == 0)
-             goto err;
--
--    j = BN_bn2binpad(ret, buf, num);
-+    } else {
-+        j = BN_bn2binpad(ret, buf, num);
-+        if (j < 0)
-+            goto err;
-+    }
- 
-     switch (padding) {
-     case RSA_PKCS1_PADDING:
-diff --git a/include/crypto/bn.h b/include/crypto/bn.h
-index 60afda1dad..b5f36fb25a 100644
---- a/include/crypto/bn.h
-+++ b/include/crypto/bn.h
-@@ -86,5 +86,10 @@ int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
- int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
- int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
-                      const BIGNUM *d, BN_CTX *ctx);
-+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,
-+                           const BN_BLINDING *blinding,
-+                           const BIGNUM *possible_arg2,
-+                           const BIGNUM *to_mod, BN_CTX *ctx,
-+                           unsigned char *buf, int num);
- 
- #endif
-diff --git a/include/openssl/bnerr.h b/include/openssl/bnerr.h
-index 9f3c7cfaab..a0752cea52 100644
---- a/include/openssl/bnerr.h
-+++ b/include/openssl/bnerr.h
-@@ -72,6 +72,7 @@ int ERR_load_BN_strings(void);
- # define BN_F_BN_SET_WORDS                                144
- # define BN_F_BN_STACK_PUSH                               148
- # define BN_F_BN_USUB                                     115
-+# define BN_F_OSSL_BN_RSA_DO_UNBLIND                      151
- 
- /*
-  * BN reason codes.
--- 
-2.39.1
-

SOURCES/openssl-1.1.1-cve-2022-4450-PEM-bio.patch

@@ -1,103 +0,0 @@
-From bbcf509bd046b34cca19c766bbddc31683d0858b Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 13 Dec 2022 14:54:55 +0000
-Subject: [PATCH 2/6] Avoid dangling ptrs in header and data params for
- PEM_read_bio_ex
-
-In the event of a failure in PEM_read_bio_ex() we free the buffers we
-allocated for the header and data buffers. However we were not clearing
-the ptrs stored in *header and *data. Since, on success, the caller is
-responsible for freeing these ptrs this can potentially lead to a double
-free if the caller frees them even on failure.
-
-Thanks to Dawei Wang for reporting this issue.
-
-Based on a proposed patch by Kurt Roeckx.
-
-CVE-2022-4450
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Hugo Landau <hlandau@openssl.org>
----
- crypto/pem/pem_lib.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
-index d416d939ea..328c30cdbb 100644
---- a/crypto/pem/pem_lib.c
-+++ b/crypto/pem/pem_lib.c
-@@ -957,7 +957,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
-     *data = pem_malloc(len, flags);
-     if (*header == NULL || *data == NULL) {
-         pem_free(*header, flags, 0);
-+        *header = NULL;
-         pem_free(*data, flags, 0);
-+        *data = NULL;
-         goto end;
-     }
-     BIO_read(headerB, *header, headerlen);
--- 
-2.39.1
-
-From 2bd611267868a008afa576846ba71566bd0d4d15 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 13 Dec 2022 15:02:26 +0000
-Subject: [PATCH 3/6] Add a test for CVE-2022-4450
-
-Call PEM_read_bio_ex() and expect a failure. There should be no dangling
-ptrs and therefore there should be no double free if we free the ptrs on
-error.
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Hugo Landau <hlandau@openssl.org>
----
- test/pemtest.c | 30 ++++++++++++++++++++++++++++++
- 1 file changed, 30 insertions(+)
-
-diff --git a/test/pemtest.c b/test/pemtest.c
-index 3203d976be..edeb0a1205 100644
---- a/test/pemtest.c
-+++ b/test/pemtest.c
-@@ -83,9 +83,39 @@ static int test_invalid(void)
-     return 1;
- }
- 
-+static int test_empty_payload(void)
-+{
-+    BIO *b;
-+    static char *emptypay =
-+        "-----BEGIN CERTIFICATE-----\n"
-+        "-\n" /* Base64 EOF character */
-+        "-----END CERTIFICATE-----";
-+    char *name = NULL, *header = NULL;
-+    unsigned char *data = NULL;
-+    long len;
-+    int ret = 0;
-+
-+    b = BIO_new_mem_buf(emptypay, strlen(emptypay));
-+    if (!TEST_ptr(b))
-+        return 0;
-+
-+    /* Expected to fail because the payload is empty */
-+    if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0)))
-+        goto err;
-+
-+    ret = 1;
-+ err:
-+    OPENSSL_free(name);
-+    OPENSSL_free(header);
-+    OPENSSL_free(data);
-+    BIO_free(b);
-+    return ret;
-+}
-+
- int setup_tests(void)
- {
-     ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data));
-     ADD_TEST(test_invalid);
-+    ADD_TEST(test_empty_payload);
-     return 1;
- }
--- 
-2.39.1
-

SOURCES/openssl-1.1.1-cve-2023-0215-BIO-UAF.patch

@@ -1,186 +0,0 @@
-From c3829dd8825c654652201e16f8a0a0c46ee3f344 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Wed, 14 Dec 2022 16:18:14 +0000
-Subject: [PATCH 4/6] Fix a UAF resulting from a bug in BIO_new_NDEF
-
-If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
-be part of an invalid BIO chain. This causes a "use after free" when the
-BIO is eventually freed.
-
-Based on an original patch by Viktor Dukhovni and an idea from Theo
-Buehler.
-
-Thanks to Octavio Galland for reporting this issue.
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
----
- crypto/asn1/bio_ndef.c | 39 ++++++++++++++++++++++++++++++++-------
- 1 file changed, 32 insertions(+), 7 deletions(-)
-
-diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c
-index 760e4846a4..f8d4b1b9aa 100644
---- a/crypto/asn1/bio_ndef.c
-+++ b/crypto/asn1/bio_ndef.c
-@@ -49,12 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg);
- static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen,
-                             void *parg);
- 
-+/*
-+ * On success, the returned BIO owns the input BIO as part of its BIO chain.
-+ * On failure, NULL is returned and the input BIO is owned by the caller.
-+ *
-+ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream()
-+ */
- BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
- {
-     NDEF_SUPPORT *ndef_aux = NULL;
-     BIO *asn_bio = NULL;
-     const ASN1_AUX *aux = it->funcs;
-     ASN1_STREAM_ARG sarg;
-+    BIO *pop_bio = NULL;
- 
-     if (!aux || !aux->asn1_cb) {
-         ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED);
-@@ -69,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
-     out = BIO_push(asn_bio, out);
-     if (out == NULL)
-         goto err;
-+    pop_bio = asn_bio;
- 
--    BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free);
--    BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free);
-+    if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0
-+            || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0
-+            || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0)
-+        goto err;
- 
-     /*
--     * Now let callback prepends any digest, cipher etc BIOs ASN1 structure
--     * needs.
-+     * Now let the callback prepend any digest, cipher, etc., that the BIO's
-+     * ASN1 structure needs.
-      */
- 
-     sarg.out = out;
-     sarg.ndef_bio = NULL;
-     sarg.boundary = NULL;
- 
--    if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0)
-+    /*
-+     * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the
-+     * middle of some partially built, but not returned BIO chain.
-+     */
-+    if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) {
-+        /*
-+         * ndef_aux is now owned by asn_bio so we must not free it in the err
-+         * clean up block
-+         */
-+        ndef_aux = NULL;
-         goto err;
-+    }
-+
-+    /*
-+     * We must not fail now because the callback has prepended additional
-+     * BIOs to the chain
-+     */
- 
-     ndef_aux->val = val;
-     ndef_aux->it = it;
-@@ -91,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
-     ndef_aux->boundary = sarg.boundary;
-     ndef_aux->out = out;
- 
--    BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux);
--
-     return sarg.ndef_bio;
- 
-  err:
-+    /* BIO_pop() is NULL safe */
-+    (void)BIO_pop(pop_bio);
-     BIO_free(asn_bio);
-     OPENSSL_free(ndef_aux);
-     return NULL;
--- 
-2.39.1
-
-From f040f2577891d2bdb7610566c172233844cf673a Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Wed, 14 Dec 2022 17:15:18 +0000
-Subject: [PATCH 5/6] Check CMS failure during BIO setup with -stream is
- handled correctly
-
-Test for the issue fixed in the previous commit
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
----
- test/recipes/80-test_cms.t  | 15 +++++++++++++--
- test/smime-certs/badrsa.pem | 18 ++++++++++++++++++
- 2 files changed, 31 insertions(+), 2 deletions(-)
- create mode 100644 test/smime-certs/badrsa.pem
-
-diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
-index 5dc6a3aebe..ec11bfc253 100644
---- a/test/recipes/80-test_cms.t
-+++ b/test/recipes/80-test_cms.t
-@@ -13,7 +13,7 @@ use warnings;
- use POSIX;
- use File::Spec::Functions qw/catfile/;
- use File::Compare qw/compare_text/;
--use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/;
-+use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file with/;
- use OpenSSL::Test::Utils;
- 
- setup("test_cms");
-@@ -27,7 +27,7 @@ my $smcont   = srctop_file("test", "smcont.txt");
- my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
-     = disabled qw/des dh dsa ec ec2m rc2 zlib/;
- 
--plan tests => 6;
-+plan tests => 7;
- 
- my @smime_pkcs7_tests = (
- 
-@@ -584,3 +584,14 @@ sub check_availability {
- 
-     return "";
- }
-+
-+# Check that we get the expected failure return code
-+with({ exit_checker => sub { return shift == 6; } },
-+    sub {
-+        ok(run(app(['openssl', 'cms', '-encrypt',
-+                    '-in', srctop_file("test", "smcont.txt"),
-+                    '-stream', '-recip',
-+                    srctop_file("test/smime-certs", "badrsa.pem"),
-+                   ])),
-+            "Check failure during BIO setup with -stream is handled correctly");
-+    });
-diff --git a/test/smime-certs/badrsa.pem b/test/smime-certs/badrsa.pem
-new file mode 100644
-index 0000000000..f824fc2267
---- /dev/null
-+++ b/test/smime-certs/badrsa.pem
-@@ -0,0 +1,18 @@
-+-----BEGIN CERTIFICATE-----
-+MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0FADAtMSswKQYD
-+VfcDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY
-+DzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN
-+AQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOw
-+I2juwdRrjFBmXkk7pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A
-+/3rBX7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6s
-+yTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0
-+zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSxgCAwEAAaOBlzCB
-+lDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAww
-+CgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm
-+ZnMwHwYDVR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBABbW
-+eonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0iSyFDG1NW14kNbFt
-+5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QECSs08b8zrxIncf+t2DHGuVEy/Qq1d
-+rBz8d4ay8zpqAE1tUyL5Da6ZiKUfWwZQXSI/JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTiv
-+yk4cYwOp/W9UAWymOZXF8WcJYCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/
-+j8BAwrKKaFvdlZS9k1Ypb2+UQY75mKJE9Bg=
-+-----END CERTIFICATE-----
--- 
-2.39.1
-

SOURCES/openssl-1.1.1-cve-2023-0286-X400.patch

@@ -1,63 +0,0 @@
-From 2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9 Mon Sep 17 00:00:00 2001
-From: Hugo Landau <hlandau@openssl.org>
-Date: Tue, 17 Jan 2023 17:45:42 +0000
-Subject: [PATCH 6/6] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address
- (1.1.1)
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
----
- CHANGES                  | 18 +++++++++++++++++-
- crypto/x509v3/v3_genn.c  |  2 +-
- include/openssl/x509v3.h |  2 +-
- test/v3nametest.c        |  8 ++++++++
- 4 files changed, 27 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c
-index 87a5eff47c..e54ddc55c9 100644
---- a/crypto/x509v3/v3_genn.c
-+++ b/crypto/x509v3/v3_genn.c
-@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
-         return -1;
-     switch (a->type) {
-     case GEN_X400:
--        result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
-+        result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
-         break;
- 
-     case GEN_EDIPARTY:
-diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
-index 90fa3592ce..e61c0f29d4 100644
---- a/include/openssl/x509v3.h
-+++ b/include/openssl/x509v3.h
-@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st {
-         OTHERNAME *otherName;   /* otherName */
-         ASN1_IA5STRING *rfc822Name;
-         ASN1_IA5STRING *dNSName;
--        ASN1_TYPE *x400Address;
-+        ASN1_STRING *x400Address;
-         X509_NAME *directoryName;
-         EDIPARTYNAME *ediPartyName;
-         ASN1_IA5STRING *uniformResourceIdentifier;
-diff --git a/test/v3nametest.c b/test/v3nametest.c
-index d1852190b8..37819da8fd 100644
---- a/test/v3nametest.c
-+++ b/test/v3nametest.c
-@@ -646,6 +646,14 @@ static struct gennamedata {
-             0xb7, 0x09, 0x02, 0x02
-         },
-         15
-+    }, {
-+        /*
-+         * Regression test for CVE-2023-0286.
-+         */
-+        {
-+            0xa3, 0x00
-+        },
-+        2
-     }
- };
- 
--- 
-2.39.1
-

SOURCES/openssl-1.1.1-cve-2023-3446.patch

@@ -1,127 +0,0 @@
-From 8780a896543a654e757db1b9396383f9d8095528 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Thu, 6 Jul 2023 16:36:35 +0100
-Subject: [PATCH] Fix DH_check() excessive time with over sized modulus
-
-The DH_check() function checks numerous aspects of the key or parameters
-that have been supplied. Some of those checks use the supplied modulus
-value even if it is excessively large.
-
-There is already a maximum DH modulus size (10,000 bits) over which
-OpenSSL will not generate or derive keys. DH_check() will however still
-perform various tests for validity on such a large modulus. We introduce a
-new maximum (32,768) over which DH_check() will just fail.
-
-An application that calls DH_check() and supplies a key or parameters
-obtained from an untrusted source could be vulnerable to a Denial of
-Service attack.
-
-The function DH_check() is itself called by a number of other OpenSSL
-functions. An application calling any of those other functions may
-similarly be affected. The other functions affected by this are
-DH_check_ex() and EVP_PKEY_param_check().
-
-CVE-2023-3446
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
-Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/21452)
-
-Upstream-Status: Backport [8780a896543a654e757db1b9396383f9d8095528]
----
- crypto/dh/dh_check.c    | 6 ++++++
- crypto/dh/dh_err.c      | 3 ++-
- crypto/err/openssl.txt  | 3 ++-
- include/openssl/dh.h    | 3 +++
- include/openssl/dherr.h | 3 ++-
- 5 files changed, 15 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
-index 4ac169e75c..e5f9dd5030 100644
---- a/crypto/dh/dh_check.c
-+++ b/crypto/dh/dh_check.c
-@@ -101,6 +101,12 @@ int DH_check(const DH *dh, int *ret)
-     BN_CTX *ctx = NULL;
-     BIGNUM *t1 = NULL, *t2 = NULL;
- 
-+    /* Don't do any checks at all with an excessively large modulus */
-+    if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
-+        DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE);
-+        return 0;
-+    }
-+
-     if (!DH_check_params(dh, ret))
-         return 0;
- 
-diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
-index 7285587b4a..92800d3fcc 100644
---- a/crypto/dh/dh_err.c
-+++ b/crypto/dh/dh_err.c
-@@ -1,6 +1,6 @@
- /*
-  * Generated by util/mkerr.pl DO NOT EDIT
-- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
-  *
-  * Licensed under the OpenSSL license (the "License").  You may not use
-  * this file except in compliance with the License.  You can obtain a copy
-@@ -18,6 +18,7 @@ static const ERR_STRING_DATA DH_str_functs[] = {
-     {ERR_PACK(ERR_LIB_DH, DH_F_DHPARAMS_PRINT_FP, 0), "DHparams_print_fp"},
-     {ERR_PACK(ERR_LIB_DH, DH_F_DH_BUILTIN_GENPARAMS, 0),
-      "dh_builtin_genparams"},
-+    {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK, 0), "DH_check"},
-     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"},
-     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"},
-     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"},
-diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
-index 9f91a4a811..c0a3cd720b 100644
---- a/crypto/err/openssl.txt
-+++ b/crypto/err/openssl.txt
-@@ -402,6 +402,7 @@ CT_F_SCT_SET_VERSION:104:SCT_set_version
- DH_F_COMPUTE_KEY:102:compute_key
- DH_F_DHPARAMS_PRINT_FP:101:DHparams_print_fp
- DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin_genparams
-+DH_F_DH_CHECK:126:DH_check
- DH_F_DH_CHECK_EX:121:DH_check_ex
- DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex
- DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex
-diff --git a/include/openssl/dh.h b/include/openssl/dh.h
-index 3527540cdd..892e31559d 100644
---- a/include/openssl/dh.h
-+++ b/include/openssl/dh.h
-@@ -29,6 +29,9 @@ extern "C" {
- # ifndef OPENSSL_DH_MAX_MODULUS_BITS
- #  define OPENSSL_DH_MAX_MODULUS_BITS    10000
- # endif
-+# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
-+#  define OPENSSL_DH_CHECK_MAX_MODULUS_BITS  32768
-+# endif
- 
- # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
- # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048
- 
-diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
-index 916b3bed0b..528c819856 100644
---- a/include/openssl/dherr.h
-+++ b/include/openssl/dherr.h
-@@ -1,6 +1,6 @@
- /*
-  * Generated by util/mkerr.pl DO NOT EDIT
-- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
-  *
-  * Licensed under the OpenSSL license (the "License").  You may not use
-  * this file except in compliance with the License.  You can obtain a copy
-@@ -30,6 +30,7 @@ int ERR_load_DH_strings(void);
- #  define DH_F_COMPUTE_KEY                                 102
- #  define DH_F_DHPARAMS_PRINT_FP                           101
- #  define DH_F_DH_BUILTIN_GENPARAMS                        106
-+#  define DH_F_DH_CHECK                                    126
- #  define DH_F_DH_CHECK_EX                                 121
- #  define DH_F_DH_CHECK_PARAMS_EX                          122
- #  define DH_F_DH_CHECK_PUB_KEY_EX                         123
--- 
-2.41.0
-

SOURCES/openssl-1.1.1-cve-2023-3817.patch

@@ -1,60 +0,0 @@
-From 91ddeba0f2269b017dc06c46c993a788974b1aa5 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Fri, 21 Jul 2023 11:39:41 +0200
-Subject: [PATCH] DH_check(): Do not try checking q properties if it is
- obviously invalid
-
-If  |q| >= |p| then the q value is obviously wrong as q
-is supposed to be a prime divisor of p-1.
-
-We check if p is overly large so this added test implies that
-q is not large either when performing subsequent tests using that
-q value.
-
-Otherwise if it is too large these additional checks of the q value
-such as the primality test can then trigger DoS by doing overly long
-computations.
-
-Fixes CVE-2023-3817
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/21551)
-
-Upstream-Status: Backport [91ddeba0f2269b017dc06c46c993a788974b1aa5]
----
- crypto/dh/dh_check.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
-index 2001d2e7cb..9ae96991eb 100644
---- a/crypto/dh/dh_check.c
-+++ b/crypto/dh/dh_check.c
-@@ -105,7 +105,7 @@ int DH_check_ex(const DH *dh)
- /* Note: according to documentation - this only checks the params */
- int DH_check(const DH *dh, int *ret)
- {
--    int ok = 0, r;
-+    int ok = 0, r, q_good = 0;
-     BN_CTX *ctx = NULL;
-     BIGNUM *t1 = NULL, *t2 = NULL;
- 
-@@ -130,7 +130,14 @@ int DH_check(const DH *dh, int *ret)
-     if (t2 == NULL)
-         goto err;
- 
--    if (dh->q) {
-+    if (dh->q != NULL) {
-+        if (BN_ucmp(dh->p, dh->q) > 0)
-+            q_good = 1;
-+        else
-+            *ret |= DH_CHECK_INVALID_Q_VALUE;
-+    }
-+
-+    if (q_good) {
-         if (BN_cmp(dh->g, BN_value_one()) <= 0)
-             *ret |= DH_NOT_SUITABLE_GENERATOR;
-         else if (BN_cmp(dh->g, dh->p) >= 0)
--- 
-2.41.0
-

SOURCES/openssl-1.1.1-cve-2023-5678.patch

@@ -1,154 +0,0 @@
-From 0814467cc1b6a2839877277d3efa69cdd4582dd7 Mon Sep 17 00:00:00 2001
-From: Richard Levitte <levitte@openssl.org>
-Date: Fri, 20 Oct 2023 09:18:19 +0200
-Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet
-
-We already check for an excessively large P in DH_generate_key(), but not in
-DH_check_pub_key(), and none of them check for an excessively large Q.
-
-This change adds all the missing excessive size checks of P and Q.
-
-It's to be noted that behaviours surrounding excessively sized P and Q
-differ.  DH_check() raises an error on the excessively sized P, but only
-sets a flag for the excessively sized Q.  This behaviour is mimicked in
-DH_check_pub_key().
-
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Hugo Landau <hlandau@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/22518)
-
-(cherry picked from commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)
-Backported-by: Clemens Lang <cllang@redhat.com>
----
- crypto/dh/dh_check.c    | 17 +++++++++++++++++
- crypto/dh/dh_err.c      |  1 +
- crypto/dh/dh_key.c      | 10 ++++++++++
- crypto/err/openssl.txt  |  1 +
- include/openssl/dh.h    |  6 ++++--
- include/openssl/dherr.h |  1 +
- 6 files changed, 34 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
-index ae1b03bc92..424a3bb4cd 100644
---- a/crypto/dh/dh_check.c
-+++ b/crypto/dh/dh_check.c
-@@ -198,10 +198,27 @@ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
-     BN_CTX *ctx = NULL;
- 
-     *ret = 0;
-+
-     ctx = BN_CTX_new();
-     if (ctx == NULL)
-         goto err;
-     BN_CTX_start(ctx);
-+
-+    /* Don't do any checks at all with an excessively large modulus */
-+    if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
-+        DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE);
-+        *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
-+        goto err;
-+    }
-+    if (dh->q != NULL && BN_ucmp(dh->p, dh->q) < 0) {
-+        *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
-+        /* This may look strange here, but returning 1 after setting ret is
-+         * correct. See also the behavior of the pub_key^q == 1 mod p check
-+         * further down, which behaves in the same way. */
-+        ok = 1;
-+        goto err;
-+    }
-+
-     tmp = BN_CTX_get(ctx);
-     if (tmp == NULL || !BN_set_word(tmp, 1))
-         goto err;
-diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
-index 92800d3fcc..b3b1e7a706 100644
---- a/crypto/dh/dh_err.c
-+++ b/crypto/dh/dh_err.c
-@@ -87,6 +87,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
-     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
-     "parameter encoding error"},
-     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
-+    {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
-     {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
-     {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
-     "unable to check generator"},
-diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
-index 117f2fa883..9f5e6f6d4c 100644
---- a/crypto/dh/dh_key.c
-+++ b/crypto/dh/dh_key.c
-@@ -140,6 +140,11 @@ static int generate_key(DH *dh)
-         return 0;
-     }
- 
-+    if (dh->q != NULL && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {
-+        DHerr(DH_F_GENERATE_KEY, DH_R_Q_TOO_LARGE);
-+        return 0;
-+    }
-+
-     ctx = BN_CTX_new();
-     if (ctx == NULL)
-         goto err;
-@@ -250,6 +255,12 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
-         DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE);
-         goto err;
-     }
-+
-+    if (dh->q != NULL && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {
-+        DHerr(DH_F_COMPUTE_KEY, DH_R_Q_TOO_LARGE);
-+        goto err;
-+    }
-+
- #ifdef OPENSSL_FIPS
-     if (FIPS_mode()
-         && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
-diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
-index c0a3cd720b..5e0ff47516 100644
---- a/crypto/err/openssl.txt
-+++ b/crypto/err/openssl.txt
-@@ -2151,6 +2151,7 @@DH_R_NO_PARAMETERS_SET:107:no parameters set
- DH_R_NO_PRIVATE_VALUE:100:no private value
- DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
- DH_R_PEER_KEY_ERROR:111:peer key error
-+DH_R_Q_TOO_LARGE:130:q too large
- DH_R_SHARED_INFO_ERROR:113:shared info error
- DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
- DSA_R_BAD_Q_VALUE:102:bad q value
-diff --git a/include/openssl/dh.h b/include/openssl/dh.h
-index 6c6ff3636a..b7df43b44f 100644
---- a/include/openssl/dh.h
-+++ b/include/openssl/dh.h
-@@ -72,14 +72,16 @@ DECLARE_ASN1_ITEM(DHparams)
- /* #define DH_GENERATOR_3       3 */
- # define DH_GENERATOR_5          5
- 
--/* DH_check error codes */
-+/* DH_check error codes, some of them shared with DH_check_pub_key */
- # define DH_CHECK_P_NOT_PRIME            0x01
- # define DH_CHECK_P_NOT_SAFE_PRIME       0x02
- # define DH_UNABLE_TO_CHECK_GENERATOR    0x04
- # define DH_NOT_SUITABLE_GENERATOR       0x08
- # define DH_CHECK_Q_NOT_PRIME            0x10
--# define DH_CHECK_INVALID_Q_VALUE        0x20
-+# define DH_CHECK_INVALID_Q_VALUE        0x20 /* +DH_check_pub_key */
- # define DH_CHECK_INVALID_J_VALUE        0x40
-+/* DH_MODULUS_TOO_SMALL is 0x80 upstream */
-+# define DH_MODULUS_TOO_LARGE            0x100 /* +DH_check_pub_key */
- 
- /* DH_check_pub_key error codes */
- # define DH_CHECK_PUBKEY_TOO_SMALL       0x01
-diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
-index 528c819856..d66c35aa8e 100644
---- a/include/openssl/dherr.h
-+++ b/include/openssl/dherr.h
-@@ -87,6 +87,7 @@ int ERR_load_DH_strings(void);
- #  define DH_R_NON_FIPS_METHOD                             202
- #  define DH_R_PARAMETER_ENCODING_ERROR                    105
- #  define DH_R_PEER_KEY_ERROR                              111
-+#  define DH_R_Q_TOO_LARGE                                 130
- #  define DH_R_SHARED_INFO_ERROR                           113
- #  define DH_R_UNABLE_TO_CHECK_GENERATOR                   121
- 
--- 
-2.41.0
-

SOURCES/openssl-1.1.1-defaults.patch

@@ -1,51 +0,0 @@
-diff -up openssl-1.1.1a/apps/openssl.cnf.defaults openssl-1.1.1a/apps/openssl.cnf
---- openssl-1.1.1a/apps/openssl.cnf.defaults	2018-11-20 14:35:37.000000000 +0100
-+++ openssl-1.1.1a/apps/openssl.cnf	2019-01-15 13:56:50.841719776 +0100
-@@ -74,7 +74,7 @@ cert_opt 	= ca_default		# Certificate fi
- 
- default_days	= 365			# how long to certify for
- default_crl_days= 30			# how long before next CRL
--default_md	= default		# use public key default MD
-+default_md	= sha256		# use SHA-256 by default
- preserve	= no			# keep passed DN ordering
- 
- # A few difference way of specifying how similar the request should look
-@@ -106,6 +106,7 @@ emailAddress		= optional
- ####################################################################
- [ req ]
- default_bits		= 2048
-+default_md		= sha256
- default_keyfile 	= privkey.pem
- distinguished_name	= req_distinguished_name
- attributes		= req_attributes
-@@ -128,17 +129,18 @@ string_mask = utf8only
- 
- [ req_distinguished_name ]
- countryName			= Country Name (2 letter code)
--countryName_default		= AU
-+countryName_default		= XX
- countryName_min			= 2
- countryName_max			= 2
- 
- stateOrProvinceName		= State or Province Name (full name)
--stateOrProvinceName_default	= Some-State
-+#stateOrProvinceName_default	= Default Province
- 
- localityName			= Locality Name (eg, city)
-+localityName_default		= Default City
- 
- 0.organizationName		= Organization Name (eg, company)
--0.organizationName_default	= Internet Widgits Pty Ltd
-+0.organizationName_default	= Default Company Ltd
- 
- # we can do this but it is not needed normally :-)
- #1.organizationName		= Second Organization Name (eg, company)
-@@ -147,7 +149,7 @@ localityName			= Locality Name (eg, city
- organizationalUnitName		= Organizational Unit Name (eg, section)
- #organizationalUnitName_default	=
- 
--commonName			= Common Name (e.g. server FQDN or YOUR name)
-+commonName			= Common Name (eg, your name or your server\'s hostname)
- commonName_max			= 64
- 
- emailAddress			= Email Address

SOURCES/openssl-1.1.1-detected-addr-ipv6.patch

@@ -1,34 +0,0 @@
-diff -up openssl-1.1.1k/apps/s_socket.c.addr-ipv6 openssl-1.1.1k/apps/s_socket.c
---- openssl-1.1.1k/apps/s_socket.c.addr-ipv6	2021-07-16 15:14:08.491986682 +0200
-+++ openssl-1.1.1k/apps/s_socket.c	2021-07-16 15:23:21.271329197 +0200
-@@ -214,6 +214,8 @@ int do_server(int *accept_sock, const ch
-     const BIO_ADDRINFO *next;
-     int sock_family, sock_type, sock_protocol, sock_port;
-     const BIO_ADDR *sock_address;
-+    int sock_family_fallback = AF_UNSPEC;
-+    const BIO_ADDR *sock_address_fallback = NULL;
-     int sock_options = BIO_SOCK_REUSEADDR;
-     int ret = 0;
- 
-@@ -244,6 +246,10 @@ int do_server(int *accept_sock, const ch
-             && BIO_ADDRINFO_protocol(next) == sock_protocol) {
-         if (sock_family == AF_INET
-                 && BIO_ADDRINFO_family(next) == AF_INET6) {
-+            /* In case AF_INET6 is returned but not supported by the
-+             * kernel, retry with the first detected address family */
-+            sock_family_fallback = sock_family;
-+            sock_address_fallback = sock_address;
-             sock_family = AF_INET6;
-             sock_address = BIO_ADDRINFO_address(next);
-         } else if (sock_family == AF_INET6
-@@ -253,6 +259,10 @@ int do_server(int *accept_sock, const ch
-     }
- 
-     asock = BIO_socket(sock_family, sock_type, sock_protocol, 0);
-+	if (asock == INVALID_SOCKET && sock_family_fallback != AF_UNSPEC) {
-+       asock = BIO_socket(sock_family_fallback, sock_type, sock_protocol, 0);
-+       sock_address = sock_address_fallback;
-+	}
-     if (asock == INVALID_SOCKET
-         || !BIO_listen(asock, sock_address, sock_options)) {
-         BIO_ADDRINFO_free(res);

SOURCES/openssl-1.1.1-ec-curves.patch

@@ -1,266 +0,0 @@
-diff -up openssl-1.1.1h/apps/speed.c.curves openssl-1.1.1h/apps/speed.c
---- openssl-1.1.1h/apps/speed.c.curves	2020-09-22 14:55:07.000000000 +0200
-+++ openssl-1.1.1h/apps/speed.c	2020-11-06 13:27:15.659288431 +0100
-@@ -490,90 +490,30 @@ static double rsa_results[RSA_NUM][2];
- #endif /* OPENSSL_NO_RSA */
- 
- enum {
--    R_EC_P160,
--    R_EC_P192,
-     R_EC_P224,
-     R_EC_P256,
-     R_EC_P384,
-     R_EC_P521,
--#ifndef OPENSSL_NO_EC2M
--    R_EC_K163,
--    R_EC_K233,
--    R_EC_K283,
--    R_EC_K409,
--    R_EC_K571,
--    R_EC_B163,
--    R_EC_B233,
--    R_EC_B283,
--    R_EC_B409,
--    R_EC_B571,
--#endif
--    R_EC_BRP256R1,
--    R_EC_BRP256T1,
--    R_EC_BRP384R1,
--    R_EC_BRP384T1,
--    R_EC_BRP512R1,
--    R_EC_BRP512T1,
-     R_EC_X25519,
-     R_EC_X448
- };
- 
- #ifndef OPENSSL_NO_EC
- static OPT_PAIR ecdsa_choices[] = {
--    {"ecdsap160", R_EC_P160},
--    {"ecdsap192", R_EC_P192},
-     {"ecdsap224", R_EC_P224},
-     {"ecdsap256", R_EC_P256},
-     {"ecdsap384", R_EC_P384},
-     {"ecdsap521", R_EC_P521},
--# ifndef OPENSSL_NO_EC2M
--    {"ecdsak163", R_EC_K163},
--    {"ecdsak233", R_EC_K233},
--    {"ecdsak283", R_EC_K283},
--    {"ecdsak409", R_EC_K409},
--    {"ecdsak571", R_EC_K571},
--    {"ecdsab163", R_EC_B163},
--    {"ecdsab233", R_EC_B233},
--    {"ecdsab283", R_EC_B283},
--    {"ecdsab409", R_EC_B409},
--    {"ecdsab571", R_EC_B571},
--# endif
--    {"ecdsabrp256r1", R_EC_BRP256R1},
--    {"ecdsabrp256t1", R_EC_BRP256T1},
--    {"ecdsabrp384r1", R_EC_BRP384R1},
--    {"ecdsabrp384t1", R_EC_BRP384T1},
--    {"ecdsabrp512r1", R_EC_BRP512R1},
--    {"ecdsabrp512t1", R_EC_BRP512T1}
- };
- # define ECDSA_NUM       OSSL_NELEM(ecdsa_choices)
- 
- static double ecdsa_results[ECDSA_NUM][2];    /* 2 ops: sign then verify */
- 
- static const OPT_PAIR ecdh_choices[] = {
--    {"ecdhp160", R_EC_P160},
--    {"ecdhp192", R_EC_P192},
-     {"ecdhp224", R_EC_P224},
-     {"ecdhp256", R_EC_P256},
-     {"ecdhp384", R_EC_P384},
-     {"ecdhp521", R_EC_P521},
--# ifndef OPENSSL_NO_EC2M
--    {"ecdhk163", R_EC_K163},
--    {"ecdhk233", R_EC_K233},
--    {"ecdhk283", R_EC_K283},
--    {"ecdhk409", R_EC_K409},
--    {"ecdhk571", R_EC_K571},
--    {"ecdhb163", R_EC_B163},
--    {"ecdhb233", R_EC_B233},
--    {"ecdhb283", R_EC_B283},
--    {"ecdhb409", R_EC_B409},
--    {"ecdhb571", R_EC_B571},
--# endif
--    {"ecdhbrp256r1", R_EC_BRP256R1},
--    {"ecdhbrp256t1", R_EC_BRP256T1},
--    {"ecdhbrp384r1", R_EC_BRP384R1},
--    {"ecdhbrp384t1", R_EC_BRP384T1},
--    {"ecdhbrp512r1", R_EC_BRP512R1},
--    {"ecdhbrp512t1", R_EC_BRP512T1},
-     {"ecdhx25519", R_EC_X25519},
-     {"ecdhx448", R_EC_X448}
- };
-@@ -1502,31 +1442,10 @@ int speed_main(int argc, char **argv)
-         unsigned int bits;
-     } test_curves[] = {
-         /* Prime Curves */
--        {"secp160r1", NID_secp160r1, 160},
--        {"nistp192", NID_X9_62_prime192v1, 192},
-         {"nistp224", NID_secp224r1, 224},
-         {"nistp256", NID_X9_62_prime256v1, 256},
-         {"nistp384", NID_secp384r1, 384},
-         {"nistp521", NID_secp521r1, 521},
--# ifndef OPENSSL_NO_EC2M
--        /* Binary Curves */
--        {"nistk163", NID_sect163k1, 163},
--        {"nistk233", NID_sect233k1, 233},
--        {"nistk283", NID_sect283k1, 283},
--        {"nistk409", NID_sect409k1, 409},
--        {"nistk571", NID_sect571k1, 571},
--        {"nistb163", NID_sect163r2, 163},
--        {"nistb233", NID_sect233r1, 233},
--        {"nistb283", NID_sect283r1, 283},
--        {"nistb409", NID_sect409r1, 409},
--        {"nistb571", NID_sect571r1, 571},
--# endif
--        {"brainpoolP256r1", NID_brainpoolP256r1, 256},
--        {"brainpoolP256t1", NID_brainpoolP256t1, 256},
--        {"brainpoolP384r1", NID_brainpoolP384r1, 384},
--        {"brainpoolP384t1", NID_brainpoolP384t1, 384},
--        {"brainpoolP512r1", NID_brainpoolP512r1, 512},
--        {"brainpoolP512t1", NID_brainpoolP512t1, 512},
-         /* Other and ECDH only ones */
-         {"X25519", NID_X25519, 253},
-         {"X448", NID_X448, 448}
-@@ -2026,9 +1945,9 @@ int speed_main(int argc, char **argv)
- #  endif
- 
- #  ifndef OPENSSL_NO_EC
--    ecdsa_c[R_EC_P160][0] = count / 1000;
--    ecdsa_c[R_EC_P160][1] = count / 1000 / 2;
--    for (i = R_EC_P192; i <= R_EC_P521; i++) {
-+    ecdsa_c[R_EC_P224][0] = count / 1000;
-+    ecdsa_c[R_EC_P224][1] = count / 1000 / 2;
-+    for (i = R_EC_P256; i <= R_EC_P521; i++) {
-         ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2;
-         ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2;
-         if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0)
-@@ -2040,7 +1959,7 @@ int speed_main(int argc, char **argv)
-             }
-         }
-     }
--#   ifndef OPENSSL_NO_EC2M
-+#   if 0
-     ecdsa_c[R_EC_K163][0] = count / 1000;
-     ecdsa_c[R_EC_K163][1] = count / 1000 / 2;
-     for (i = R_EC_K233; i <= R_EC_K571; i++) {
-@@ -2071,8 +1990,8 @@ int speed_main(int argc, char **argv)
-     }
- #   endif
- 
--    ecdh_c[R_EC_P160][0] = count / 1000;
--    for (i = R_EC_P192; i <= R_EC_P521; i++) {
-+    ecdh_c[R_EC_P224][0] = count / 1000;
-+    for (i = R_EC_P256; i <= R_EC_P521; i++) {
-         ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
-         if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0)
-             ecdh_doit[i] = 0;
-@@ -2082,7 +2001,7 @@ int speed_main(int argc, char **argv)
-             }
-         }
-     }
--#   ifndef OPENSSL_NO_EC2M
-+#   if 0
-     ecdh_c[R_EC_K163][0] = count / 1000;
-     for (i = R_EC_K233; i <= R_EC_K571; i++) {
-         ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
-diff -up openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves openssl-1.1.1h/crypto/ec/ecp_smpl.c
---- openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves	2020-09-22 14:55:07.000000000 +0200
-+++ openssl-1.1.1h/crypto/ec/ecp_smpl.c	2020-11-06 13:27:15.659288431 +0100
-@@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
-         return 0;
-     }
- 
-+    if (BN_num_bits(p) < 224) {
-+        ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
-+        return 0;
-+    }
-+
-     if (ctx == NULL) {
-         ctx = new_ctx = BN_CTX_new();
-         if (ctx == NULL)
-diff -up openssl-1.1.1h/test/ecdsatest.h.curves openssl-1.1.1h/test/ecdsatest.h
---- openssl-1.1.1h/test/ecdsatest.h.curves	2020-11-06 13:27:15.627288114 +0100
-+++ openssl-1.1.1h/test/ecdsatest.h	2020-11-06 13:27:15.660288441 +0100
-@@ -32,23 +32,6 @@ typedef struct {
- } ecdsa_cavs_kat_t;
- 
- static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = {
--    /* prime KATs from X9.62 */
--    {NID_X9_62_prime192v1, NID_sha1,
--     "616263",                  /* "abc" */
--     "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb",
--     "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e"
--     "5ca5c0d69716dfcb3474373902",
--     "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e",
--     "885052380ff147b734c330c43d39b2c4a89f29b0f749fead",
--     "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"},
--    {NID_X9_62_prime239v1, NID_sha1,
--     "616263",                  /* "abc" */
--     "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d",
--     "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e"
--     "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee",
--     "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af",
--     "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0",
--     "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"},
-     /* prime KATs from NIST CAVP */
-     {NID_secp224r1, NID_sha224,
-      "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
---- openssl-1.1.1h/test/recipes/15-test_genec.t.ec-curves	2020-11-06 13:58:36.402895540 +0100
-+++ openssl-1.1.1h/test/recipes/15-test_genec.t	2020-11-06 13:59:38.508484498 +0100
-@@ -20,45 +20,11 @@ plan skip_all => "This test is unsupport
-     if disabled("ec");
- 
- my @prime_curves = qw(
--    secp112r1
--    secp112r2
--    secp128r1
--    secp128r2
--    secp160k1
--    secp160r1
--    secp160r2
--    secp192k1
--    secp224k1
-     secp224r1
-     secp256k1
-     secp384r1
-     secp521r1
--    prime192v1
--    prime192v2
--    prime192v3
--    prime239v1
--    prime239v2
--    prime239v3
-     prime256v1
--    wap-wsg-idm-ecid-wtls6
--    wap-wsg-idm-ecid-wtls7
--    wap-wsg-idm-ecid-wtls8
--    wap-wsg-idm-ecid-wtls9
--    wap-wsg-idm-ecid-wtls12
--    brainpoolP160r1
--    brainpoolP160t1
--    brainpoolP192r1
--    brainpoolP192t1
--    brainpoolP224r1
--    brainpoolP224t1
--    brainpoolP256r1
--    brainpoolP256t1
--    brainpoolP320r1
--    brainpoolP320t1
--    brainpoolP384r1
--    brainpoolP384t1
--    brainpoolP512r1
--    brainpoolP512t1
- );
- 
- my @binary_curves = qw(
-@@ -115,7 +81,6 @@ push(@other_curves, 'SM2')
-     if !disabled("sm2");
- 
- my @curve_aliases = qw(
--    P-192
-     P-224
-     P-256
-     P-384

SOURCES/openssl-1.1.1-edk2-build.patch

@@ -1,57 +0,0 @@
-diff -up openssl-1.1.1g/crypto/evp/pkey_kdf.c.edk2-build openssl-1.1.1g/crypto/evp/pkey_kdf.c
---- openssl-1.1.1g/crypto/evp/pkey_kdf.c.edk2-build	2020-05-18 12:55:53.299548432 +0200
-+++ openssl-1.1.1g/crypto/evp/pkey_kdf.c	2020-05-18 12:55:53.340548788 +0200
-@@ -12,6 +12,7 @@
- #include <openssl/evp.h>
- #include <openssl/err.h>
- #include <openssl/kdf.h>
-+#include "internal/numbers.h"
- #include "crypto/evp.h"
- 
- static int pkey_kdf_init(EVP_PKEY_CTX *ctx)
-diff -up openssl-1.1.1g/crypto/kdf/hkdf.c.edk2-build openssl-1.1.1g/crypto/kdf/hkdf.c
---- openssl-1.1.1g/crypto/kdf/hkdf.c.edk2-build	2020-05-18 12:55:53.340548788 +0200
-+++ openssl-1.1.1g/crypto/kdf/hkdf.c	2020-05-18 12:57:18.648288904 +0200
-@@ -13,6 +13,7 @@
- #include <openssl/hmac.h>
- #include <openssl/kdf.h>
- #include <openssl/evp.h>
-+#include "internal/numbers.h"
- #include "internal/cryptlib.h"
- #include "crypto/evp.h"
- #include "kdf_local.h"
-diff -up openssl-1.1.1g/crypto/rand/rand_unix.c.edk2-build openssl-1.1.1g/crypto/rand/rand_unix.c
---- openssl-1.1.1g/crypto/rand/rand_unix.c.edk2-build	2020-05-18 12:56:05.646655554 +0200
-+++ openssl-1.1.1g/crypto/rand/rand_unix.c	2020-05-18 12:58:51.088090896 +0200
-@@ -20,7 +20,7 @@
- #include "crypto/fips.h"
- #include <stdio.h>
- #include "internal/dso.h"
--#ifdef __linux
-+#if defined(__linux) && !defined(OPENSSL_SYS_UEFI)
- # include <sys/syscall.h>
- # include <sys/random.h>
- # ifdef DEVRANDOM_WAIT
-diff -up openssl-1.1.1g/include/crypto/fips.h.edk2-build openssl-1.1.1g/include/crypto/fips.h
---- openssl-1.1.1g/include/crypto/fips.h.edk2-build	2020-05-18 12:55:53.296548406 +0200
-+++ openssl-1.1.1g/include/crypto/fips.h	2020-05-18 12:55:53.340548788 +0200
-@@ -50,10 +50,6 @@
- #include <openssl/opensslconf.h>
- #include <openssl/evp.h>
- 
--#ifndef OPENSSL_FIPS
--# error FIPS is disabled.
--#endif
--
- #ifdef OPENSSL_FIPS
- 
- int FIPS_module_mode_set(int onoff);
-@@ -97,4 +93,8 @@ void fips_set_selftest_fail(void);
- 
- void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
- 
-+#else
-+
-+# define fips_in_post() 0
-+
- #endif

SOURCES/openssl-1.1.1-fips-crng-test.patch

@@ -1,408 +0,0 @@
-diff -up openssl-1.1.1g/crypto/rand/build.info.crng-test openssl-1.1.1g/crypto/rand/build.info
---- openssl-1.1.1g/crypto/rand/build.info.crng-test	2020-04-23 13:30:45.863389837 +0200
-+++ openssl-1.1.1g/crypto/rand/build.info	2020-04-23 13:31:55.847069892 +0200
-@@ -1,6 +1,6 @@
- LIBS=../../libcrypto
- SOURCE[../../libcrypto]=\
--        randfile.c rand_lib.c rand_err.c rand_egd.c \
-+        randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
-         rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
- 
- INCLUDE[drbg_ctr.o]=../modes
-diff -up openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1g/crypto/rand/drbg_lib.c
---- openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test	2020-04-23 13:30:45.818390686 +0200
-+++ openssl-1.1.1g/crypto/rand/drbg_lib.c	2020-04-23 13:30:45.864389819 +0200
-@@ -67,7 +67,7 @@ static CRYPTO_THREAD_LOCAL private_drbg;
- 
- 
- /* NIST SP 800-90A DRBG recommends the use of a personalization string. */
--static const char ossl_pers_string[] = "OpenSSL NIST SP 800-90A DRBG";
-+static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING;
- 
- static CRYPTO_ONCE rand_drbg_init = CRYPTO_ONCE_STATIC_INIT;
- 
-@@ -201,8 +201,13 @@ static RAND_DRBG *rand_drbg_new(int secu
-     drbg->parent = parent;
- 
-     if (parent == NULL) {
-+#ifdef OPENSSL_FIPS
-+        drbg->get_entropy = rand_crngt_get_entropy;
-+        drbg->cleanup_entropy = rand_crngt_cleanup_entropy;
-+#else
-         drbg->get_entropy = rand_drbg_get_entropy;
-         drbg->cleanup_entropy = rand_drbg_cleanup_entropy;
-+#endif
- #ifndef RAND_DRBG_GET_RANDOM_NONCE
-         drbg->get_nonce = rand_drbg_get_nonce;
-         drbg->cleanup_nonce = rand_drbg_cleanup_nonce;
-diff -up openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1g/crypto/rand/rand_crng_test.c
---- openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test	2020-04-23 13:30:45.864389819 +0200
-+++ openssl-1.1.1g/crypto/rand/rand_crng_test.c	2020-04-23 13:30:45.864389819 +0200
-@@ -0,0 +1,118 @@
-+/*
-+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright (c) 2019, Oracle and/or its affiliates.  All rights reserved.
-+ *
-+ * Licensed under the Apache License 2.0 (the "License").  You may not use
-+ * this file except in compliance with the License.  You can obtain a copy
-+ * in the file LICENSE in the source distribution or at
-+ * https://www.openssl.org/source/license.html
-+ */
-+
-+/*
-+ * Implementation of the FIPS 140-2 section 4.9.2 Conditional Tests.
-+ */
-+
-+#include <string.h>
-+#include <openssl/evp.h>
-+#include "crypto/rand.h"
-+#include "internal/thread_once.h"
-+#include "rand_local.h"
-+
-+static RAND_POOL *crngt_pool;
-+static unsigned char crngt_prev[EVP_MAX_MD_SIZE];
-+
-+int (*crngt_get_entropy)(unsigned char *, unsigned char *, unsigned int *)
-+    = &rand_crngt_get_entropy_cb;
-+
-+int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md,
-+                              unsigned int *md_size)
-+{
-+    int r;
-+    size_t n;
-+    unsigned char *p;
-+
-+    n = rand_pool_acquire_entropy(crngt_pool);
-+    if (n >= CRNGT_BUFSIZ) {
-+        p = rand_pool_detach(crngt_pool);
-+        r = EVP_Digest(p, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);
-+        if (r != 0)
-+            memcpy(buf, p, CRNGT_BUFSIZ);
-+        rand_pool_reattach(crngt_pool, p);
-+        return r;
-+    }
-+    return 0;
-+}
-+
-+void rand_crngt_cleanup(void)
-+{
-+    rand_pool_free(crngt_pool);
-+    crngt_pool = NULL;
-+}
-+
-+int rand_crngt_init(void)
-+{
-+    unsigned char buf[CRNGT_BUFSIZ];
-+
-+    if ((crngt_pool = rand_pool_new(0, 1, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL)
-+        return 0;
-+    if (crngt_get_entropy(buf, crngt_prev, NULL)) {
-+        OPENSSL_cleanse(buf, sizeof(buf));
-+        return 1;
-+    }
-+    rand_crngt_cleanup();
-+    return 0;
-+}
-+
-+static CRYPTO_ONCE rand_crngt_init_flag = CRYPTO_ONCE_STATIC_INIT;
-+DEFINE_RUN_ONCE_STATIC(do_rand_crngt_init)
-+{
-+    return OPENSSL_init_crypto(0, NULL)
-+        && rand_crngt_init()
-+        && OPENSSL_atexit(&rand_crngt_cleanup);
-+}
-+
-+int rand_crngt_single_init(void)
-+{
-+    return RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init);
-+}
-+
-+size_t rand_crngt_get_entropy(RAND_DRBG *drbg,
-+                              unsigned char **pout,
-+                              int entropy, size_t min_len, size_t max_len,
-+                              int prediction_resistance)
-+{
-+    unsigned char buf[CRNGT_BUFSIZ], md[EVP_MAX_MD_SIZE];
-+    unsigned int sz;
-+    RAND_POOL *pool;
-+    size_t q, r = 0, s, t = 0;
-+    int attempts = 3;
-+
-+    if (!RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init))
-+        return 0;
-+
-+    if ((pool = rand_pool_new(entropy, 1, min_len, max_len)) == NULL)
-+        return 0;
-+
-+    while ((q = rand_pool_bytes_needed(pool, 1)) > 0 && attempts-- > 0) {
-+        s = q > sizeof(buf) ? sizeof(buf) : q;
-+        if (!crngt_get_entropy(buf, md, &sz)
-+            || memcmp(crngt_prev, md, sz) == 0
-+            || !rand_pool_add(pool, buf, s, s * 8))
-+            goto err;
-+        memcpy(crngt_prev, md, sz);
-+        t += s;
-+        attempts++;
-+    }
-+    r = t;
-+    *pout = rand_pool_detach(pool);
-+err:
-+    OPENSSL_cleanse(buf, sizeof(buf));
-+    rand_pool_free(pool);
-+    return r;
-+}
-+
-+void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
-+                                unsigned char *out, size_t outlen)
-+{
-+    OPENSSL_secure_clear_free(out, outlen);
-+}
-diff -up openssl-1.1.1g/crypto/rand/rand_local.h.crng-test openssl-1.1.1g/crypto/rand/rand_local.h
---- openssl-1.1.1g/crypto/rand/rand_local.h.crng-test	2020-04-23 13:30:45.470397250 +0200
-+++ openssl-1.1.1g/crypto/rand/rand_local.h	2020-04-23 13:30:45.864389819 +0200
-@@ -33,7 +33,15 @@
- # define MASTER_RESEED_TIME_INTERVAL             (60*60)   /* 1 hour */
- # define SLAVE_RESEED_TIME_INTERVAL              (7*60)    /* 7 minutes */
- 
--
-+/*
-+ * The number of bytes that constitutes an atomic lump of entropy with respect
-+ * to the FIPS 140-2 section 4.9.2 Conditional Tests.  The size is somewhat
-+ * arbitrary, the smaller the value, the less entropy is consumed on first
-+ * read but the higher the probability of the test failing by accident.
-+ *
-+ * The value is in bytes.
-+ */
-+#define CRNGT_BUFSIZ    16
- 
- /*
-  * Maximum input size for the DRBG (entropy, nonce, personalization string)
-@@ -44,6 +52,8 @@
-  */
- # define DRBG_MAX_LENGTH                         INT32_MAX
- 
-+/* The default nonce */
-+# define DRBG_DEFAULT_PERS_STRING                "OpenSSL NIST SP 800-90A DRBG"
- 
- /*
-  * Maximum allocation size for RANDOM_POOL buffers
-@@ -296,4 +306,22 @@ int rand_drbg_enable_locking(RAND_DRBG *
- /* initializes the AES-CTR DRBG implementation */
- int drbg_ctr_init(RAND_DRBG *drbg);
- 
-+/*
-+ * Entropy call back for the FIPS 140-2 section 4.9.2 Conditional Tests.
-+ * These need to be exposed for the unit tests.
-+ */
-+int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md,
-+                              unsigned int *md_size);
-+extern int (*crngt_get_entropy)(unsigned char *buf, unsigned char *md,
-+                                unsigned int *md_size);
-+int rand_crngt_init(void);
-+void rand_crngt_cleanup(void);
-+
-+/*
-+ * Expose the run once initialisation function for the unit tests because.
-+ * they need to restart from scratch to validate the first block is skipped
-+ * properly.
-+ */
-+int rand_crngt_single_init(void);
-+
- #endif
-diff -up openssl-1.1.1g/include/crypto/rand.h.crng-test openssl-1.1.1g/include/crypto/rand.h
---- openssl-1.1.1g/include/crypto/rand.h.crng-test	2020-04-23 13:30:45.824390573 +0200
-+++ openssl-1.1.1g/include/crypto/rand.h	2020-04-23 13:30:45.864389819 +0200
-@@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN
- 
- void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);
- 
-+/* CRNG test entropy filter callbacks. */
-+size_t rand_crngt_get_entropy(RAND_DRBG *drbg,
-+                              unsigned char **pout,
-+                              int entropy, size_t min_len, size_t max_len,
-+                              int prediction_resistance);
-+void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
-+                                unsigned char *out, size_t outlen);
-+
- /*
-  * RAND_POOL functions
-  */
-diff -up openssl-1.1.1g/test/drbgtest.c.crng-test openssl-1.1.1g/test/drbgtest.c
---- openssl-1.1.1g/test/drbgtest.c.crng-test	2020-04-21 14:22:39.000000000 +0200
-+++ openssl-1.1.1g/test/drbgtest.c	2020-04-23 13:30:45.865389800 +0200
-@@ -150,6 +150,31 @@ static size_t kat_nonce(RAND_DRBG *drbg,
-     return t->noncelen;
- }
- 
-+ /*
-+ * Disable CRNG testing if it is enabled.
-+ * If the DRBG is ready or in an error state, this means an instantiate cycle
-+ * for which the default personalisation string is used.
-+ */
-+static int disable_crngt(RAND_DRBG *drbg)
-+{
-+    static const char pers[] = DRBG_DEFAULT_PERS_STRING;
-+    const int instantiate = drbg->state != DRBG_UNINITIALISED;
-+
-+    if (drbg->get_entropy != rand_crngt_get_entropy)
-+        return 1;
-+
-+     if ((instantiate && !RAND_DRBG_uninstantiate(drbg))
-+        || !TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_drbg_get_entropy,
-+                                              &rand_drbg_cleanup_entropy,
-+                                              &rand_drbg_get_nonce,
-+                                              &rand_drbg_cleanup_nonce))
-+        || (instantiate
-+            && !RAND_DRBG_instantiate(drbg, (const unsigned char *)pers,
-+                                      sizeof(pers) - 1)))
-+        return 0;
-+    return 1;
-+}
-+
- static int uninstantiate(RAND_DRBG *drbg)
- {
-     int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg);
-@@ -175,7 +200,8 @@ static int single_kat(DRBG_SELFTEST_DATA
-     if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL)))
-         return 0;
-     if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
--                                           kat_nonce, NULL))) {
-+                                           kat_nonce, NULL))
-+        || !TEST_true(disable_crngt(drbg))) {
-         failures++;
-         goto err;
-     }
-@@ -293,7 +319,8 @@ static int error_check(DRBG_SELFTEST_DAT
-     unsigned int reseed_counter_tmp;
-     int ret = 0;
- 
--    if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL)))
-+    if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL))
-+	|| !TEST_true(disable_crngt(drbg)))
-         goto err;
- 
-     /*
-@@ -740,6 +767,10 @@ static int test_rand_drbg_reseed(void)
-         || !TEST_ptr_eq(private->parent, master))
-         return 0;
- 
-+    /* Disable CRNG testing for the master DRBG */
-+    if (!TEST_true(disable_crngt(master)))
-+        return 0;
-+
-     /* uninstantiate the three global DRBGs */
-     RAND_DRBG_uninstantiate(private);
-     RAND_DRBG_uninstantiate(public);
-@@ -964,7 +995,8 @@ static int test_rand_seed(void)
-     size_t rand_buflen;
-     size_t required_seed_buflen = 0;
- 
--    if (!TEST_ptr(master = RAND_DRBG_get0_master()))
-+    if (!TEST_ptr(master = RAND_DRBG_get0_master())
-+        || !TEST_true(disable_crngt(master)))
-         return 0;
- 
- #ifdef OPENSSL_RAND_SEED_NONE
-@@ -1013,6 +1045,95 @@ static int test_rand_add(void)
-     return 1;
- }
- 
-+/*
-+ * A list of the FIPS DRGB types.
-+ */
-+static const struct s_drgb_types {
-+    int nid;
-+    int flags;
-+} drgb_types[] = {
-+    { NID_aes_128_ctr,  0                   },
-+    { NID_aes_192_ctr,  0                   },
-+    { NID_aes_256_ctr,  0                   },
-+};
-+
-+/* Six cases for each covers seed sizes up to 32 bytes */
-+static const size_t crngt_num_cases = 6;
-+
-+static size_t crngt_case, crngt_idx;
-+
-+static int crngt_entropy_cb(unsigned char *buf, unsigned char *md,
-+                            unsigned int *md_size)
-+{
-+    size_t i, z;
-+
-+    if (!TEST_int_lt(crngt_idx, crngt_num_cases))
-+        return 0;
-+    /* Generate a block of unique data unless this is the duplication point */
-+    z = crngt_idx++;
-+    if (z > 0 && crngt_case == z)
-+        z--;
-+    for (i = 0; i < CRNGT_BUFSIZ; i++)
-+        buf[i] = (unsigned char)(i + 'A' + z);
-+    return EVP_Digest(buf, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);
-+}
-+
-+static int test_crngt(int n)
-+{
-+    const struct s_drgb_types *dt = drgb_types + n / crngt_num_cases;
-+    RAND_DRBG *drbg = NULL;
-+    unsigned char buff[100];
-+    size_t ent;
-+    int res = 0;
-+    int expect;
-+
-+    if (!TEST_true(rand_crngt_single_init()))
-+        return 0;
-+    rand_crngt_cleanup();
-+
-+    if (!TEST_ptr(drbg = RAND_DRBG_new(dt->nid, dt->flags, NULL)))
-+        return 0;
-+    ent = (drbg->min_entropylen + CRNGT_BUFSIZ - 1) / CRNGT_BUFSIZ;
-+    crngt_case = n % crngt_num_cases;
-+    crngt_idx = 0;
-+    crngt_get_entropy = &crngt_entropy_cb;
-+    if (!TEST_true(rand_crngt_init()))
-+        goto err;
-+#ifndef OPENSSL_FIPS
-+    if (!TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_crngt_get_entropy,
-+                                           &rand_crngt_cleanup_entropy,
-+                                           &rand_drbg_get_nonce,
-+                                           &rand_drbg_cleanup_nonce)))
-+        goto err;
-+#endif
-+    expect = crngt_case == 0 || crngt_case > ent;
-+    if (!TEST_int_eq(RAND_DRBG_instantiate(drbg, NULL, 0), expect))
-+        goto err;
-+    if (!expect)
-+        goto fin;
-+    if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)))
-+        goto err;
-+
-+    expect = crngt_case == 0 || crngt_case > 2 * ent;
-+    if (!TEST_int_eq(RAND_DRBG_reseed(drbg, NULL, 0, 0), expect))
-+        goto err;
-+    if (!expect)
-+        goto fin;
-+    if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)))
-+        goto err;
-+
-+fin:
-+    res = 1;
-+err:
-+    if (!res)
-+        TEST_note("DRBG %zd case %zd block %zd", n / crngt_num_cases,
-+                  crngt_case, crngt_idx);
-+    uninstantiate(drbg);
-+    RAND_DRBG_free(drbg);
-+    crngt_get_entropy = &rand_crngt_get_entropy_cb;
-+    return res;
-+}
-+
- int setup_tests(void)
- {
-     app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
-@@ -1025,5 +1146,6 @@ int setup_tests(void)
- #if defined(OPENSSL_THREADS)
-     ADD_TEST(test_multi_thread);
- #endif
-+    ADD_ALL_TESTS(test_crngt, crngt_num_cases * OSSL_NELEM(drgb_types));
-     return 1;
- }

SOURCES/openssl-1.1.1-fips-curves.patch

@@ -1,200 +0,0 @@
-diff -up openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves openssl-1.1.1g/crypto/ec/ec_curve.c
---- openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves	2020-05-18 12:59:54.839643980 +0200
-+++ openssl-1.1.1g/crypto/ec/ec_curve.c	2020-05-18 12:59:54.852644093 +0200
-@@ -13,6 +13,7 @@
- #include <openssl/err.h>
- #include <openssl/obj_mac.h>
- #include <openssl/opensslconf.h>
-+#include <openssl/crypto.h>
- #include "internal/nelem.h"
- 
- typedef struct {
-@@ -237,6 +238,7 @@ static const struct {
- 
- typedef struct _ec_list_element_st {
-     int nid;
-+    int fips_allowed;
-     const EC_CURVE_DATA *data;
-     const EC_METHOD *(*meth) (void);
-     const char *comment;
-@@ -246,23 +248,23 @@ static const ec_list_element curve_list[
-     /* prime field curves */
-     /* secg curves */
- #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
--    {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
-+    {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
-      "NIST/SECG curve over a 224 bit prime field"},
- #else
--    {NID_secp224r1, &_EC_NIST_PRIME_224.h, 0,
-+    {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, 0,
-      "NIST/SECG curve over a 224 bit prime field"},
- #endif
--    {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
-+    {NID_secp256k1, 0, &_EC_SECG_PRIME_256K1.h, 0,
-      "SECG curve over a 256 bit prime field"},
-     /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
--    {NID_secp384r1, &_EC_NIST_PRIME_384.h,
-+    {NID_secp384r1, 1, &_EC_NIST_PRIME_384.h,
- # if defined(S390X_EC_ASM)
-      EC_GFp_s390x_nistp384_method,
- # else
-      0,
- # endif
-      "NIST/SECG curve over a 384 bit prime field"},
--    {NID_secp521r1, &_EC_NIST_PRIME_521.h,
-+    {NID_secp521r1, 1, &_EC_NIST_PRIME_521.h,
- # if defined(S390X_EC_ASM)
-      EC_GFp_s390x_nistp521_method,
- # elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
-@@ -272,7 +274,7 @@ static const ec_list_element curve_list[
- # endif
-      "NIST/SECG curve over a 521 bit prime field"},
-     /* X9.62 curves */
--    {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
-+    {NID_X9_62_prime256v1, 1, &_EC_X9_62_PRIME_256V1.h,
- #if defined(ECP_NISTZ256_ASM)
-      EC_GFp_nistz256_method,
- # elif defined(S390X_EC_ASM)
-@@ -404,6 +406,10 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
- 
-     for (i = 0; i < curve_list_length; i++)
-         if (curve_list[i].nid == nid) {
-+            if (!curve_list[i].fips_allowed && FIPS_mode()) {
-+                ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_NOT_A_NIST_PRIME);
-+                return NULL;
-+            }
-             ret = ec_group_new_from_data(curve_list[i]);
-             break;
-         }
-@@ -418,19 +424,31 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
- 
- size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
- {
--    size_t i, min;
-+    size_t i, j, num;
-+    int fips_mode = FIPS_mode();
- 
--    if (r == NULL || nitems == 0)
--        return curve_list_length;
-+    num = curve_list_length;
-+    if (fips_mode)
-+        for (i = 0; i < curve_list_length; i++) {
-+            if (!curve_list[i].fips_allowed)
-+                --num;
-+        }
- 
--    min = nitems < curve_list_length ? nitems : curve_list_length;
-+    if (r == NULL || nitems == 0) {
-+        return num;
-+    }
- 
--    for (i = 0; i < min; i++) {
--        r[i].nid = curve_list[i].nid;
--        r[i].comment = curve_list[i].comment;
-+    for (i = 0, j = 0; i < curve_list_length; i++) {
-+        if (j >= nitems)
-+            break;
-+        if (!fips_mode || curve_list[i].fips_allowed) {
-+            r[j].nid = curve_list[i].nid;
-+            r[j].comment = curve_list[i].comment;
-+            ++j;
-+        }
-     }
- 
--    return curve_list_length;
-+    return num;
- }
- 
- /* Functions to translate between common NIST curve names and NIDs */
-diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-curves openssl-1.1.1g/ssl/t1_lib.c
---- openssl-1.1.1g/ssl/t1_lib.c.fips-curves	2020-05-18 12:59:54.797643616 +0200
-+++ openssl-1.1.1g/ssl/t1_lib.c	2020-05-18 13:03:54.748725463 +0200
-@@ -678,6 +678,36 @@ static const uint16_t tls12_sigalgs[] =
- #endif
- };
- 
-+static const uint16_t tls12_fips_sigalgs[] = {
-+#ifndef OPENSSL_NO_EC
-+    TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
-+    TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
-+    TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
-+#endif
-+
-+    TLSEXT_SIGALG_rsa_pss_pss_sha256,
-+    TLSEXT_SIGALG_rsa_pss_pss_sha384,
-+    TLSEXT_SIGALG_rsa_pss_pss_sha512,
-+    TLSEXT_SIGALG_rsa_pss_rsae_sha256,
-+    TLSEXT_SIGALG_rsa_pss_rsae_sha384,
-+    TLSEXT_SIGALG_rsa_pss_rsae_sha512,
-+
-+    TLSEXT_SIGALG_rsa_pkcs1_sha256,
-+    TLSEXT_SIGALG_rsa_pkcs1_sha384,
-+    TLSEXT_SIGALG_rsa_pkcs1_sha512,
-+
-+#ifndef OPENSSL_NO_EC
-+    TLSEXT_SIGALG_ecdsa_sha224,
-+#endif
-+    TLSEXT_SIGALG_rsa_pkcs1_sha224,
-+#ifndef OPENSSL_NO_DSA
-+    TLSEXT_SIGALG_dsa_sha224,
-+    TLSEXT_SIGALG_dsa_sha256,
-+    TLSEXT_SIGALG_dsa_sha384,
-+    TLSEXT_SIGALG_dsa_sha512,
-+#endif
-+};
-+
- #ifndef OPENSSL_NO_EC
- static const uint16_t suiteb_sigalgs[] = {
-     TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
-@@ -894,6 +924,8 @@ static const SIGALG_LOOKUP *tls1_get_leg
-     }
-     if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
-         return NULL;
-+    if (FIPS_mode()) /* We do not allow legacy SHA1 signatures in FIPS mode */
-+        return NULL;
-     if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
-         const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
- 
-@@ -954,6 +986,9 @@ size_t tls12_get_psigalgs(SSL *s, int se
-     } else if (s->cert->conf_sigalgs) {
-         *psigs = s->cert->conf_sigalgs;
-         return s->cert->conf_sigalgslen;
-+    } else if (FIPS_mode()) {
-+        *psigs = tls12_fips_sigalgs;
-+        return OSSL_NELEM(tls12_fips_sigalgs);
-     } else {
-         *psigs = tls12_sigalgs;
-         return OSSL_NELEM(tls12_sigalgs);
-@@ -973,6 +1008,9 @@ int tls_check_sigalg_curve(const SSL *s,
-     if (s->cert->conf_sigalgs) {
-         sigs = s->cert->conf_sigalgs;
-         siglen = s->cert->conf_sigalgslen;
-+    } else if (FIPS_mode()) {
-+        sigs = tls12_fips_sigalgs;
-+        siglen = OSSL_NELEM(tls12_fips_sigalgs);
-     } else {
-         sigs = tls12_sigalgs;
-         siglen = OSSL_NELEM(tls12_sigalgs);
-@@ -1617,6 +1655,8 @@ static int tls12_sigalg_allowed(const SS
-     if (lu->sig == NID_id_GostR3410_2012_256
-             || lu->sig == NID_id_GostR3410_2012_512
-             || lu->sig == NID_id_GostR3410_2001) {
-+        if (FIPS_mode())
-+            return 0;
-         /* We never allow GOST sig algs on the server with TLSv1.3 */
-         if (s->server && SSL_IS_TLS13(s))
-             return 0;
-@@ -2842,6 +2882,13 @@ int tls_choose_sigalg(SSL *s, int fatale
-                 const uint16_t *sent_sigs;
-                 size_t sent_sigslen;
- 
-+                if (fatalerrs && FIPS_mode()) {
-+                    /* There are no suitable legacy algorithms in FIPS mode */
-+                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
-+                             SSL_F_TLS_CHOOSE_SIGALG,
-+                             SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
-+                    return 0;
-+                }
-                 if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
-                     if (!fatalerrs)
-                         return 1;

SOURCES/openssl-1.1.1-fips-drbg-selftest.patch

@@ -1,587 +0,0 @@
-diff -up openssl-1.1.1g/crypto/fips/fips_post.c.drbg-selftest openssl-1.1.1g/crypto/fips/fips_post.c
---- openssl-1.1.1g/crypto/fips/fips_post.c.drbg-selftest	2020-04-23 13:33:12.500624151 +0200
-+++ openssl-1.1.1g/crypto/fips/fips_post.c	2020-04-23 13:33:12.618621925 +0200
-@@ -67,12 +67,18 @@
- 
- # include <openssl/fips.h>
- # include "crypto/fips.h"
-+# include "crypto/rand.h"
- # include "fips_locl.h"
- 
- /* Run all selftests */
- int FIPS_selftest(void)
- {
-     int rv = 1;
-+    if (!rand_drbg_selftest()) {
-+        FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_TEST_FAILURE);
-+        ERR_add_error_data(2, "Type=", "rand_drbg_selftest");
-+        rv = 0;
-+    }
-     if (!FIPS_selftest_drbg())
-         rv = 0;
-     if (!FIPS_selftest_sha1())
-diff -up openssl-1.1.1g/crypto/rand/build.info.drbg-selftest openssl-1.1.1g/crypto/rand/build.info
---- openssl-1.1.1g/crypto/rand/build.info.drbg-selftest	2020-04-23 13:33:12.619621907 +0200
-+++ openssl-1.1.1g/crypto/rand/build.info	2020-04-23 13:34:10.857523497 +0200
-@@ -1,6 +1,6 @@
- LIBS=../../libcrypto
- SOURCE[../../libcrypto]=\
-         randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
--        rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
-+        rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c drbg_selftest.c
- 
- INCLUDE[drbg_ctr.o]=../modes
-diff -up openssl-1.1.1g/crypto/rand/drbg_selftest.c.drbg-selftest openssl-1.1.1g/crypto/rand/drbg_selftest.c
---- openssl-1.1.1g/crypto/rand/drbg_selftest.c.drbg-selftest	2020-04-23 13:33:12.619621907 +0200
-+++ openssl-1.1.1g/crypto/rand/drbg_selftest.c	2020-04-23 13:33:12.619621907 +0200
-@@ -0,0 +1,537 @@
-+/*
-+ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
-+ *
-+ * Licensed under the OpenSSL license (the "License").  You may not use
-+ * this file except in compliance with the License.  You can obtain a copy
-+ * in the file LICENSE in the source distribution or at
-+ * https://www.openssl.org/source/license.html
-+ */
-+
-+#include <string.h>
-+#include <stddef.h>
-+#include "internal/nelem.h"
-+#include <openssl/crypto.h>
-+#include <openssl/err.h>
-+#include <openssl/rand_drbg.h>
-+#include <openssl/obj_mac.h>
-+#include "internal/thread_once.h"
-+#include "crypto/rand.h"
-+
-+typedef struct test_ctx_st {
-+    const unsigned char *entropy;
-+    size_t entropylen;
-+    int entropycnt;
-+    const unsigned char *nonce;
-+    size_t noncelen;
-+    int noncecnt;
-+} TEST_CTX;
-+
-+static int app_data_index = -1;
-+static CRYPTO_ONCE get_index_once = CRYPTO_ONCE_STATIC_INIT;
-+DEFINE_RUN_ONCE_STATIC(drbg_app_data_index_init)
-+{
-+    app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
-+
-+    return 1;
-+}
-+
-+enum drbg_kat_type {
-+    NO_RESEED,
-+    PR_FALSE,
-+    PR_TRUE
-+};
-+
-+enum drbg_df {
-+    USE_DF,
-+    NO_DF,
-+    NA
-+};
-+
-+struct drbg_kat_no_reseed {
-+    size_t count;
-+    const unsigned char *entropyin;
-+    const unsigned char *nonce;
-+    const unsigned char *persstr;
-+    const unsigned char *addin1;
-+    const unsigned char *addin2;
-+    const unsigned char *retbytes;
-+};
-+
-+struct drbg_kat_pr_false {
-+    size_t count;
-+    const unsigned char *entropyin;
-+    const unsigned char *nonce;
-+    const unsigned char *persstr;
-+    const unsigned char *entropyinreseed;
-+    const unsigned char *addinreseed;
-+    const unsigned char *addin1;
-+    const unsigned char *addin2;
-+    const unsigned char *retbytes;
-+};
-+
-+struct drbg_kat_pr_true {
-+    size_t count;
-+    const unsigned char *entropyin;
-+    const unsigned char *nonce;
-+    const unsigned char *persstr;
-+    const unsigned char *entropyinpr1;
-+    const unsigned char *addin1;
-+    const unsigned char *entropyinpr2;
-+    const unsigned char *addin2;
-+    const unsigned char *retbytes;
-+};
-+
-+struct drbg_kat {
-+    enum drbg_kat_type type;
-+    enum drbg_df df;
-+    int nid;
-+
-+    size_t entropyinlen;
-+    size_t noncelen;
-+    size_t persstrlen;
-+    size_t addinlen;
-+    size_t retbyteslen;
-+
-+    const void *t;
-+};
-+
-+/*
-+ * Excerpt from test/drbg_cavs_data.c
-+ * DRBG test vectors from:
-+ * https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/
-+ */
-+
-+static const unsigned char kat1308_entropyin[] = {
-+    0x7c, 0x5d, 0x90, 0x70, 0x3b, 0x8a, 0xc7, 0x0f, 0x23, 0x73, 0x24, 0x9c,
-+    0xa7, 0x15, 0x41, 0x71, 0x7a, 0x31, 0xea, 0x32, 0xfc, 0x28, 0x0d, 0xd7,
-+    0x5b, 0x09, 0x01, 0x98, 0x1b, 0xe2, 0xa5, 0x53, 0xd9, 0x05, 0x32, 0x97,
-+    0xec, 0xbe, 0x86, 0xfd, 0x1c, 0x1c, 0x71, 0x4c, 0x52, 0x29, 0x9e, 0x52,
-+};
-+static const unsigned char kat1308_nonce[] = {0};
-+static const unsigned char kat1308_persstr[] = {
-+    0xdc, 0x07, 0x2f, 0x68, 0xfa, 0x77, 0x03, 0x23, 0x42, 0xb0, 0xf5, 0xa2,
-+    0xd9, 0xad, 0xa1, 0xd0, 0xad, 0xa2, 0x14, 0xb4, 0xd0, 0x8e, 0xfb, 0x39,
-+    0xdd, 0xc2, 0xac, 0xfb, 0x98, 0xdf, 0x7f, 0xce, 0x4c, 0x75, 0x56, 0x45,
-+    0xcd, 0x86, 0x93, 0x74, 0x90, 0x6e, 0xf6, 0x9e, 0x85, 0x7e, 0xfb, 0xc3,
-+};
-+static const unsigned char kat1308_addin0[] = {
-+    0x52, 0x25, 0xc4, 0x2f, 0x03, 0xce, 0x29, 0x71, 0xc5, 0x0b, 0xc3, 0x4e,
-+    0xad, 0x8d, 0x6f, 0x17, 0x82, 0xe1, 0xf3, 0xfd, 0xfd, 0x9b, 0x94, 0x9a,
-+    0x1d, 0xac, 0xd0, 0xd4, 0x3f, 0x2b, 0xe3, 0xab, 0x7c, 0x3d, 0x3e, 0x5a,
-+    0x68, 0xbb, 0xa4, 0x74, 0x68, 0x1a, 0xc6, 0x27, 0xff, 0xe0, 0xc0, 0x6c,
-+};
-+static const unsigned char kat1308_addin1[] = {
-+    0xdc, 0x91, 0xd7, 0xb7, 0xb9, 0x94, 0x79, 0x0f, 0x06, 0xc4, 0x70, 0x19,
-+    0x33, 0x25, 0x7c, 0x96, 0x01, 0xa0, 0x62, 0xb0, 0x50, 0xe6, 0xc0, 0x3a,
-+    0x56, 0x8f, 0xc5, 0x50, 0x48, 0xc6, 0xf4, 0x49, 0xe5, 0x70, 0x16, 0x2e,
-+    0xae, 0xf2, 0x99, 0xb4, 0x2d, 0x70, 0x18, 0x16, 0xcd, 0xe0, 0x24, 0xe4,
-+};
-+static const unsigned char kat1308_retbits[] = {
-+    0xde, 0xf8, 0x91, 0x1b, 0xf1, 0xe1, 0xa9, 0x97, 0xd8, 0x61, 0x84, 0xe2,
-+    0xdb, 0x83, 0x3e, 0x60, 0x45, 0xcd, 0xc8, 0x66, 0x93, 0x28, 0xc8, 0x92,
-+    0xbc, 0x25, 0xae, 0xe8, 0xb0, 0xed, 0xed, 0x16, 0x3d, 0xa5, 0xf9, 0x0f,
-+    0xb3, 0x72, 0x08, 0x84, 0xac, 0x3c, 0x3b, 0xaa, 0x5f, 0xf9, 0x7d, 0x63,
-+    0x3e, 0xde, 0x59, 0x37, 0x0e, 0x40, 0x12, 0x2b, 0xbc, 0x6c, 0x96, 0x53,
-+    0x26, 0x32, 0xd0, 0xb8,
-+};
-+static const struct drbg_kat_no_reseed kat1308_t = {
-+    2, kat1308_entropyin, kat1308_nonce, kat1308_persstr,
-+    kat1308_addin0, kat1308_addin1, kat1308_retbits
-+};
-+static const struct drbg_kat kat1308 = {
-+    NO_RESEED, NO_DF, NID_aes_256_ctr, 48, 0, 48, 48, 64, &kat1308_t
-+};
-+
-+static const unsigned char kat1465_entropyin[] = {
-+    0xc9, 0x96, 0x3a, 0x15, 0x51, 0x76, 0x4f, 0xe0, 0x45, 0x82, 0x8a, 0x64,
-+    0x87, 0xbe, 0xaa, 0xc0,
-+};
-+static const unsigned char kat1465_nonce[] = {
-+    0x08, 0xcd, 0x69, 0x39, 0xf8, 0x58, 0x9a, 0x85,
-+};
-+static const unsigned char kat1465_persstr[] = {0};
-+static const unsigned char kat1465_entropyinreseed[] = {
-+    0x16, 0xcc, 0x35, 0x15, 0xb1, 0x17, 0xf5, 0x33, 0x80, 0x9a, 0x80, 0xc5,
-+    0x1f, 0x4b, 0x7b, 0x51,
-+};
-+static const unsigned char kat1465_addinreseed[] = {
-+    0xf5, 0x3d, 0xf1, 0x2e, 0xdb, 0x28, 0x1c, 0x00, 0x7b, 0xcb, 0xb6, 0x12,
-+    0x61, 0x9f, 0x26, 0x5f,
-+};
-+static const unsigned char kat1465_addin0[] = {
-+    0xe2, 0x67, 0x06, 0x62, 0x09, 0xa7, 0xcf, 0xd6, 0x84, 0x8c, 0x20, 0xf6,
-+    0x10, 0x5a, 0x73, 0x9c,
-+};
-+static const unsigned char kat1465_addin1[] = {
-+    0x26, 0xfa, 0x50, 0xe1, 0xb3, 0xcb, 0x65, 0xed, 0xbc, 0x6d, 0xda, 0x18,
-+    0x47, 0x99, 0x1f, 0xeb,
-+};
-+static const unsigned char kat1465_retbits[] = {
-+    0xf9, 0x47, 0xc6, 0xb0, 0x58, 0xa8, 0x66, 0x8a, 0xf5, 0x2b, 0x2a, 0x6d,
-+    0x4e, 0x24, 0x6f, 0x65, 0xbf, 0x51, 0x22, 0xbf, 0xe8, 0x8d, 0x6c, 0xeb,
-+    0xf9, 0x68, 0x7f, 0xed, 0x3b, 0xdd, 0x6b, 0xd5, 0x28, 0x47, 0x56, 0x52,
-+    0xda, 0x50, 0xf0, 0x90, 0x73, 0x95, 0x06, 0x58, 0xaf, 0x08, 0x98, 0x6e,
-+    0x24, 0x18, 0xfd, 0x2f, 0x48, 0x72, 0x57, 0xd6, 0x59, 0xab, 0xe9, 0x41,
-+    0x58, 0xdb, 0x27, 0xba,
-+};
-+static const struct drbg_kat_pr_false kat1465_t = {
-+    9, kat1465_entropyin, kat1465_nonce, kat1465_persstr,
-+    kat1465_entropyinreseed, kat1465_addinreseed, kat1465_addin0,
-+    kat1465_addin1, kat1465_retbits
-+};
-+static const struct drbg_kat kat1465 = {
-+    PR_FALSE, USE_DF, NID_aes_128_ctr, 16, 8, 0, 16, 64, &kat1465_t
-+};
-+
-+static const unsigned char kat3146_entropyin[] = {
-+    0xd7, 0x08, 0x42, 0x82, 0xc2, 0xd2, 0xd1, 0xde, 0x01, 0xb4, 0x36, 0xb3,
-+    0x7f, 0xbd, 0xd3, 0xdd, 0xb3, 0xc4, 0x31, 0x4f, 0x8f, 0xa7, 0x10, 0xf4,
-+};
-+static const unsigned char kat3146_nonce[] = {
-+    0x7b, 0x9e, 0xcd, 0x49, 0x4f, 0x46, 0xa0, 0x08, 0x32, 0xff, 0x2e, 0xc3,
-+    0x50, 0x86, 0xca, 0xca,
-+};
-+static const unsigned char kat3146_persstr[] = {0};
-+static const unsigned char kat3146_entropyinpr1[] = {
-+    0x68, 0xd0, 0x7b, 0xa4, 0xe7, 0x22, 0x19, 0xe6, 0xb6, 0x46, 0x6a, 0xda,
-+    0x8e, 0x67, 0xea, 0x63, 0x3f, 0xaf, 0x2f, 0x6c, 0x9d, 0x5e, 0x48, 0x15,
-+};
-+static const unsigned char kat3146_addinpr1[] = {
-+    0x70, 0x0f, 0x54, 0xf4, 0x53, 0xde, 0xca, 0x61, 0x5c, 0x49, 0x51, 0xd1,
-+    0x41, 0xc4, 0xf1, 0x2f, 0x65, 0xfb, 0x7e, 0xbc, 0x9b, 0x14, 0xba, 0x90,
-+    0x05, 0x33, 0x7e, 0x64, 0xb7, 0x2b, 0xaf, 0x99,
-+};
-+static const unsigned char kat3146_entropyinpr2[] = {
-+    0xeb, 0x77, 0xb0, 0xe9, 0x2d, 0x31, 0xc8, 0x66, 0xc5, 0xc4, 0xa7, 0xf7,
-+    0x6c, 0xb2, 0x74, 0x36, 0x4b, 0x25, 0x78, 0x04, 0xd8, 0xd7, 0xd2, 0x34,
-+};
-+static const unsigned char kat3146_addinpr2[] = {
-+    0x05, 0xcd, 0x2a, 0x97, 0x5a, 0x5d, 0xfb, 0x98, 0xc1, 0xf1, 0x00, 0x0c,
-+    0xed, 0xe6, 0x2a, 0xba, 0xf0, 0x89, 0x1f, 0x5a, 0x4f, 0xd7, 0x48, 0xb3,
-+    0x24, 0xc0, 0x8a, 0x3d, 0x60, 0x59, 0x5d, 0xb6,
-+};
-+static const unsigned char kat3146_retbits[] = {
-+    0x29, 0x94, 0xa4, 0xa8, 0x17, 0x3e, 0x62, 0x2f, 0x94, 0xdd, 0x40, 0x1f,
-+    0xe3, 0x7e, 0x77, 0xd4, 0x38, 0xbc, 0x0e, 0x49, 0x46, 0xf6, 0x0e, 0x28,
-+    0x91, 0xc6, 0x9c, 0xc4, 0xa6, 0xa1, 0xf8, 0x9a, 0x64, 0x5e, 0x99, 0x76,
-+    0xd0, 0x2d, 0xee, 0xde, 0xe1, 0x2c, 0x93, 0x29, 0x4b, 0x12, 0xcf, 0x87,
-+    0x03, 0x98, 0xb9, 0x74, 0x41, 0xdb, 0x3a, 0x49, 0x9f, 0x92, 0xd0, 0x45,
-+    0xd4, 0x30, 0x73, 0xbb,
-+};
-+static const struct drbg_kat_pr_true kat3146_t = {
-+    10, kat3146_entropyin, kat3146_nonce, kat3146_persstr,
-+    kat3146_entropyinpr1, kat3146_addinpr1, kat3146_entropyinpr2,
-+    kat3146_addinpr2, kat3146_retbits
-+};
-+static const struct drbg_kat kat3146 = {
-+    PR_TRUE, USE_DF, NID_aes_192_ctr, 24, 16, 0, 32, 64, &kat3146_t
-+};
-+
-+static const struct drbg_kat *drbg_test[] = { &kat1308, &kat1465, &kat3146 };
-+
-+static const size_t drbg_test_nelem = OSSL_NELEM(drbg_test);
-+
-+static size_t kat_entropy(RAND_DRBG *drbg, unsigned char **pout,
-+                          int entropy, size_t min_len, size_t max_len,
-+                          int prediction_resistance)
-+{
-+    TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
-+
-+    t->entropycnt++;
-+    *pout = (unsigned char *)t->entropy;
-+    return t->entropylen;
-+}
-+
-+static size_t kat_nonce(RAND_DRBG *drbg, unsigned char **pout,
-+                        int entropy, size_t min_len, size_t max_len)
-+{
-+    TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
-+
-+    t->noncecnt++;
-+    *pout = (unsigned char *)t->nonce;
-+    return t->noncelen;
-+}
-+
-+/*
-+ * Do a single NO_RESEED KAT:
-+ *
-+ * Instantiate
-+ * Generate Random Bits (pr=false)
-+ * Generate Random Bits (pr=false)
-+ * Uninstantiate
-+ *
-+ * Return 0 on failure.
-+ */
-+static int single_kat_no_reseed(const struct drbg_kat *td)
-+{
-+    struct drbg_kat_no_reseed *data = (struct drbg_kat_no_reseed *)td->t;
-+    RAND_DRBG *drbg = NULL;
-+    unsigned char *buff = NULL;
-+    unsigned int flags = 0;
-+    int failures = 0;
-+    TEST_CTX t;
-+
-+    if (td->df != USE_DF)
-+        flags |= RAND_DRBG_FLAG_CTR_NO_DF;
-+
-+    if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
-+        return 0;
-+
-+    if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
-+                                 kat_nonce, NULL)) {
-+        failures++;
-+        goto err;
-+    }
-+    memset(&t, 0, sizeof(t));
-+    t.entropy = data->entropyin;
-+    t.entropylen = td->entropyinlen;
-+    t.nonce = data->nonce;
-+    t.noncelen = td->noncelen;
-+    RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
-+
-+    buff = OPENSSL_malloc(td->retbyteslen);
-+    if (buff == NULL) {
-+        failures++;
-+        goto err;
-+    }
-+
-+    if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen)
-+        || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
-+                               data->addin1, td->addinlen)
-+        || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
-+                               data->addin2, td->addinlen)
-+        || memcmp(data->retbytes, buff,
-+                  td->retbyteslen) != 0)
-+        failures++;
-+
-+err:
-+    OPENSSL_free(buff);
-+    RAND_DRBG_uninstantiate(drbg);
-+    RAND_DRBG_free(drbg);
-+    return failures == 0;
-+}
-+
-+/*-
-+ * Do a single PR_FALSE KAT:
-+ *
-+ * Instantiate
-+ * Reseed
-+ * Generate Random Bits (pr=false)
-+ * Generate Random Bits (pr=false)
-+ * Uninstantiate
-+ *
-+ * Return 0 on failure.
-+ */
-+static int single_kat_pr_false(const struct drbg_kat *td)
-+{
-+    struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t;
-+    RAND_DRBG *drbg = NULL;
-+    unsigned char *buff = NULL;
-+    unsigned int flags = 0;
-+    int failures = 0;
-+    TEST_CTX t;
-+
-+    if (td->df != USE_DF)
-+        flags |= RAND_DRBG_FLAG_CTR_NO_DF;
-+
-+    if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
-+        return 0;
-+
-+    if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
-+                                 kat_nonce, NULL)) {
-+        failures++;
-+        goto err;
-+    }
-+    memset(&t, 0, sizeof(t));
-+    t.entropy = data->entropyin;
-+    t.entropylen = td->entropyinlen;
-+    t.nonce = data->nonce;
-+    t.noncelen = td->noncelen;
-+    RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
-+
-+    buff = OPENSSL_malloc(td->retbyteslen);
-+    if (buff == NULL) {
-+        failures++;
-+        goto err;
-+    }
-+
-+    if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
-+        failures++;
-+
-+    t.entropy = data->entropyinreseed;
-+    t.entropylen = td->entropyinlen;
-+
-+    if (!RAND_DRBG_reseed(drbg, data->addinreseed, td->addinlen, 0)
-+        || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
-+                               data->addin1, td->addinlen)
-+        || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
-+                               data->addin2, td->addinlen)
-+        || memcmp(data->retbytes, buff,
-+                  td->retbyteslen) != 0)
-+        failures++;
-+
-+err:
-+    OPENSSL_free(buff);
-+    RAND_DRBG_uninstantiate(drbg);
-+    RAND_DRBG_free(drbg);
-+    return failures == 0;
-+}
-+
-+/*-
-+ * Do a single PR_TRUE KAT:
-+ *
-+ * Instantiate
-+ * Generate Random Bits (pr=true)
-+ * Generate Random Bits (pr=true)
-+ * Uninstantiate
-+ *
-+ * Return 0 on failure.
-+ */
-+static int single_kat_pr_true(const struct drbg_kat *td)
-+{
-+    struct drbg_kat_pr_true *data = (struct drbg_kat_pr_true *)td->t;
-+    RAND_DRBG *drbg = NULL;
-+    unsigned char *buff = NULL;
-+    unsigned int flags = 0;
-+    int failures = 0;
-+    TEST_CTX t;
-+
-+    if (td->df != USE_DF)
-+        flags |= RAND_DRBG_FLAG_CTR_NO_DF;
-+
-+    if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
-+        return 0;
-+
-+    if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
-+                                 kat_nonce, NULL)) {
-+        failures++;
-+        goto err;
-+    }
-+    memset(&t, 0, sizeof(t));
-+    t.nonce = data->nonce;
-+    t.noncelen = td->noncelen;
-+    t.entropy = data->entropyin;
-+    t.entropylen = td->entropyinlen;
-+    RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
-+
-+    buff = OPENSSL_malloc(td->retbyteslen);
-+    if (buff == NULL) {
-+        failures++;
-+        goto err;
-+    }
-+
-+    if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
-+        failures++;
-+
-+    t.entropy = data->entropyinpr1;
-+    t.entropylen = td->entropyinlen;
-+
-+    if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1,
-+                            data->addin1, td->addinlen))
-+        failures++;
-+
-+    t.entropy = data->entropyinpr2;
-+    t.entropylen = td->entropyinlen;
-+
-+    if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1,
-+                            data->addin2, td->addinlen)
-+        || memcmp(data->retbytes, buff,
-+                  td->retbyteslen) != 0)
-+        failures++;
-+
-+err:
-+    OPENSSL_free(buff);
-+    RAND_DRBG_uninstantiate(drbg);
-+    RAND_DRBG_free(drbg);
-+    return failures == 0;
-+}
-+
-+static int test_kats(int i)
-+{
-+    const struct drbg_kat *td = drbg_test[i];
-+    int rv = 0;
-+
-+    switch (td->type) {
-+    case NO_RESEED:
-+        if (!single_kat_no_reseed(td))
-+            goto err;
-+        break;
-+    case PR_FALSE:
-+        if (!single_kat_pr_false(td))
-+            goto err;
-+        break;
-+    case PR_TRUE:
-+        if (!single_kat_pr_true(td))
-+            goto err;
-+        break;
-+    default:	/* cant happen */
-+        goto err;
-+    }
-+    rv = 1;
-+err:
-+    return rv;
-+}
-+
-+/*-
-+ * Do one expected-error test:
-+ *
-+ * Instantiate with no entropy supplied
-+ *
-+ * Return 0 on failure.
-+ */
-+static int test_drbg_sanity(const struct drbg_kat *td)
-+{
-+    struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t;
-+    RAND_DRBG *drbg = NULL;
-+    unsigned int flags = 0;
-+    int failures = 0;
-+    TEST_CTX t;
-+
-+    if (td->df != USE_DF)
-+        flags |= RAND_DRBG_FLAG_CTR_NO_DF;
-+
-+    if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
-+        return 0;
-+
-+    if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
-+                                 kat_nonce, NULL)) {
-+        failures++;
-+        goto err;
-+    }
-+    memset(&t, 0, sizeof(t));
-+    t.entropy = data->entropyin;
-+    t.entropylen = 0;     /* No entropy */
-+    t.nonce = data->nonce;
-+    t.noncelen = td->noncelen;
-+    RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
-+
-+    ERR_set_mark();
-+    /* This must fail. */
-+    if (RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
-+        failures++;
-+    RAND_DRBG_uninstantiate(drbg);
-+    ERR_pop_to_mark();
-+
-+err:
-+    RAND_DRBG_free(drbg);
-+    return failures == 0;
-+}
-+
-+
-+int rand_drbg_selftest(void)
-+{
-+    int i;
-+
-+    if (!RUN_ONCE(&get_index_once, drbg_app_data_index_init))
-+        return 0;
-+
-+    for (i = 0; i < drbg_test_nelem; i++) {
-+        if (test_kats(i) <= 0)
-+            return 0;
-+    }
-+
-+    if (test_drbg_sanity(&kat1465) <= 0)
-+        return 0;
-+
-+    return 1;
-+}
-diff -up openssl-1.1.1g/include/crypto/rand.h.drbg-selftest openssl-1.1.1g/include/crypto/rand.h
---- openssl-1.1.1g/include/crypto/rand.h.drbg-selftest	2020-04-23 13:33:12.587622510 +0200
-+++ openssl-1.1.1g/include/crypto/rand.h	2020-04-23 13:33:12.619621907 +0200
-@@ -140,4 +140,9 @@ void rand_pool_cleanup(void);
-  */
- void rand_pool_keep_random_devices_open(int keep);
- 
-+/*
-+ * Perform the DRBG KAT selftests
-+ */
-+int rand_drbg_selftest(void);
-+
- #endif

SOURCES/openssl-1.1.1-fips-post-rand.patch

@@ -1,189 +0,0 @@
-diff -up openssl-1.1.1i/crypto/fips/fips.c.fips-post-rand openssl-1.1.1i/crypto/fips/fips.c
---- openssl-1.1.1i/crypto/fips/fips.c.fips-post-rand	2020-12-09 10:26:41.634106328 +0100
-+++ openssl-1.1.1i/crypto/fips/fips.c	2020-12-09 10:26:41.652106475 +0100
-@@ -68,6 +68,7 @@
- 
- # include <openssl/fips.h>
- # include "internal/thread_once.h"
-+# include "crypto/rand.h"
- 
- # ifndef PATH_MAX
- #  define PATH_MAX 1024
-@@ -76,6 +77,7 @@
- static int fips_selftest_fail = 0;
- static int fips_mode = 0;
- static int fips_started = 0;
-+static int fips_post = 0;
- 
- static int fips_is_owning_thread(void);
- static int fips_set_owning_thread(void);
-@@ -158,6 +160,11 @@ void fips_set_selftest_fail(void)
-     fips_selftest_fail = 1;
- }
- 
-+int fips_in_post(void)
-+{
-+    return fips_post;
-+}
-+
- /* we implement what libfipscheck does ourselves */
- 
- static int
-@@ -445,6 +452,8 @@ int FIPS_module_mode_set(int onoff)
-         }
- # endif
- 
-+        fips_post = 1;
-+
-         if (!FIPS_selftest()) {
-             fips_selftest_fail = 1;
-             ret = 0;
-@@ -459,7 +468,12 @@ int FIPS_module_mode_set(int onoff)
-             goto end;
-         }
- 
-+        fips_post = 0;
-+
-         fips_set_mode(onoff);
-+        /* force RNG reseed with entropy from getrandom() on next call */
-+        rand_force_reseed();
-+
-         ret = 1;
-         goto end;
-     }
-diff -up openssl-1.1.1i/crypto/rand/drbg_lib.c.fips-post-rand openssl-1.1.1i/crypto/rand/drbg_lib.c
---- openssl-1.1.1i/crypto/rand/drbg_lib.c.fips-post-rand	2020-12-08 14:20:59.000000000 +0100
-+++ openssl-1.1.1i/crypto/rand/drbg_lib.c	2020-12-09 10:26:41.652106475 +0100
-@@ -1005,6 +1005,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg
-     return min_entropy > min_entropylen ? min_entropy : min_entropylen;
- }
- 
-+void rand_force_reseed(void)
-+{
-+    RAND_DRBG *drbg;
-+
-+    drbg = RAND_DRBG_get0_master();
-+    drbg->fork_id = 0;
-+
-+    drbg = RAND_DRBG_get0_private();
-+    drbg->fork_id = 0;
-+
-+    drbg = RAND_DRBG_get0_public();
-+    drbg->fork_id = 0;
-+}
-+
- /* Implements the default OpenSSL RAND_add() method */
- static int drbg_add(const void *buf, int num, double randomness)
- {
-diff -up openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1i/crypto/rand/rand_unix.c
---- openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand	2020-12-08 14:20:59.000000000 +0100
-+++ openssl-1.1.1i/crypto/rand/rand_unix.c	2020-12-09 10:36:59.531221903 +0100
-@@ -17,10 +17,12 @@
- #include <openssl/crypto.h>
- #include "rand_local.h"
- #include "crypto/rand.h"
-+#include "crypto/fips.h"
- #include <stdio.h>
- #include "internal/dso.h"
- #ifdef __linux
- # include <sys/syscall.h>
-+# include <sys/random.h>
- # ifdef DEVRANDOM_WAIT
- #  include <sys/shm.h>
- #  include <sys/utsname.h>
-@@ -344,7 +346,7 @@ static ssize_t sysctl_random(char *buf,
-  * syscall_random(): Try to get random data using a system call
-  * returns the number of bytes returned in buf, or < 0 on error.
-  */
--static ssize_t syscall_random(void *buf, size_t buflen)
-+static ssize_t syscall_random(void *buf, size_t buflen, int nonblock)
- {
-     /*
-      * Note: 'buflen' equals the size of the buffer which is used by the
-@@ -369,6 +371,7 @@ static ssize_t syscall_random(void *buf,
-      * Note: Sometimes getentropy() can be provided but not implemented
-      * internally. So we need to check errno for ENOSYS
-      */
-+#  if 0
- #  if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
-     extern int getentropy(void *buffer, size_t length) __attribute__((weak));
- 
-@@ -394,10 +397,10 @@ static ssize_t syscall_random(void *buf,
-     if (p_getentropy.p != NULL)
-         return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
- #  endif
--
-+#  endif
-     /* Linux supports this since version 3.17 */
--#  if defined(__linux) && defined(__NR_getrandom)
--    return syscall(__NR_getrandom, buf, buflen, 0);
-+#  if defined(__linux) && defined(SYS_getrandom)
-+    return syscall(SYS_getrandom, buf, buflen, nonblock?GRND_NONBLOCK:0);
- #  elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
-     return sysctl_random(buf, buflen);
- #  else
-@@ -633,6 +636,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
-     size_t entropy_available;
- 
- #   if defined(OPENSSL_RAND_SEED_GETRANDOM)
-+    int in_post;
-+
-+    for (in_post = fips_in_post(); in_post >= 0; --in_post) {
-     {
-         size_t bytes_needed;
-         unsigned char *buffer;
-@@ -643,7 +649,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
-         bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
-         while (bytes_needed != 0 && attempts-- > 0) {
-             buffer = rand_pool_add_begin(pool, bytes_needed);
--            bytes = syscall_random(buffer, bytes_needed);
-+            bytes = syscall_random(buffer, bytes_needed, in_post);
-             if (bytes > 0) {
-                 rand_pool_add_end(pool, bytes, 8 * bytes);
-                 bytes_needed -= bytes;
-@@ -678,8 +684,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
-             int attempts = 3;
-             const int fd = get_random_device(i);
- 
--            if (fd == -1)
-+            if (fd == -1) {
-+                OPENSSL_showfatal("Random device %s cannot be opened.\n", random_device_paths[i]);
-                 continue;
-+            }
- 
-             while (bytes_needed != 0 && attempts-- > 0) {
-                 buffer = rand_pool_add_begin(pool, bytes_needed);
-@@ -742,7 +750,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
-             return entropy_available;
-     }
- #   endif
--
-+#   ifdef OPENSSL_RAND_SEED_GETRANDOM
-+    }
-+#   endif
-     return rand_pool_entropy_available(pool);
- #  endif
- }
-diff -up openssl-1.1.1i/include/crypto/fips.h.fips-post-rand openssl-1.1.1i/include/crypto/fips.h
---- openssl-1.1.1i/include/crypto/fips.h.fips-post-rand	2020-12-09 10:26:41.639106369 +0100
-+++ openssl-1.1.1i/include/crypto/fips.h	2020-12-09 10:26:41.657106516 +0100
-@@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void);
- int FIPS_selftest_drbg(void);
- int FIPS_selftest_cmac(void);
- 
-+int fips_in_post(void);
-+
- int fips_pkey_signature_test(EVP_PKEY *pkey,
-                                  const unsigned char *tbs, int tbslen,
-                                  const unsigned char *kat,
-diff -up openssl-1.1.1i/include/crypto/rand.h.fips-post-rand openssl-1.1.1i/include/crypto/rand.h
---- openssl-1.1.1i/include/crypto/rand.h.fips-post-rand	2020-12-08 14:20:59.000000000 +0100
-+++ openssl-1.1.1i/include/crypto/rand.h	2020-12-09 10:26:41.657106516 +0100
-@@ -24,6 +24,7 @@
- typedef struct rand_pool_st RAND_POOL;
- 
- void rand_cleanup_int(void);
-+void rand_force_reseed(void);
- void rand_drbg_cleanup_int(void);
- void drbg_delete_thread_state(void);
- 

SOURCES/openssl-1.1.1-fix-ssl-select-next-proto.patch

@@ -1,255 +0,0 @@
-From d1d4b56fe0c9a4200276d630f62108e1165e0990 Mon Sep 17 00:00:00 2001
-From: Maurizio Barbaro <mbarbaro@redhat.com>
-Date: Mon, 16 Sep 2024 10:53:53 +0200
-Subject: [PATCH] Backport openssl: SSL_select_next_proto buffer overread from 3.2
-
-Ensure that the provided client list is non-NULL and starts with a valid
-entry. When called from the ALPN callback the client list should already
-have been validated by OpenSSL so this should not cause a problem. When
-called from the NPN callback the client list is locally configured and
-will not have already been validated. Therefore SSL_select_next_proto
-should not assume that it is correctly formatted.
-
-We implement stricter checking of the client protocol list. We also do the
-same for the server list while we are about it.
-
-CVE-2024-5535
-
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 11:14:33 +0100
-Merged from: https://github.com/openssl/openssl/pull/24717.
-
-Backported-by: Maurizio Barbaro <mbarbaro@redhat.com> 
-we did't ported test changes because rely on internal testing framework.
-
----
- doc/man3/SSL_CTX_set_alpn_select_cb.pod | 28 +++++++----
- ssl/ssl_lib.c                           | 64 +++++++++++++++----------
- ssl/statem/extensions_clnt.c            | 30 +++++++++++-
- ssl/statem/extensions_srvr.c            |  3 +-
- 4 files changed, 89 insertions(+), 36 deletions(-)
-
-diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
-index e90caec..a3f8dfd 100644
---- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod
-+++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
-@@ -43,7 +43,7 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
-                            const unsigned char *server,
-                            unsigned int server_len,
-                            const unsigned char *client,
--                           unsigned int client_len)
-+                           unsigned int client_len);
-  void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
-                              unsigned *len);
- 
-@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
- SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to
- set the list of protocols available to be negotiated. The B<protos> must be in
- protocol-list format, described below. The length of B<protos> is specified in
--B<protos_len>.
-+B<protos_len>. Setting B<protos_len> to 0 clears any existing list of ALPN
-+protocols and no ALPN extension will be sent to the server.
- 
- SSL_CTX_set_alpn_select_cb() sets the application callback B<cb> used by a
- server to select which protocol to use for the incoming connection. When B<cb>
-@@ -73,9 +74,16 @@ B<server_len> and B<client>, B<client_len> must be in the protocol-list format
- described below. The first item in the B<server>, B<server_len> list that
- matches an item in the B<client>, B<client_len> list is selected, and returned
- in B<out>, B<outlen>. The B<out> value will point into either B<server> or
--B<client>, so it should be copied immediately. If no match is found, the first
--item in B<client>, B<client_len> is returned in B<out>, B<outlen>. This
--function can also be used in the NPN callback.
-+B<client>, so it should be copied immediately. The client list must include at
-+least one valid (nonempty) protocol entry in the list.
-+
-+The SSL_select_next_proto() helper function can be useful from either the ALPN
-+callback or the NPN callback (described below). If no match is found, the first
-+item in B<client>, B<client_len> is returned in B<out>, B<outlen> and
-+B<OPENSSL_NPN_NO_OVERLAP> is returned. This can be useful when implementating
-+the NPN callback. In the ALPN case, the value returned in B<out> and B<outlen>
-+must be ignored if B<OPENSSL_NPN_NO_OVERLAP> has been returned from
-+SSL_select_next_proto().
- 
- SSL_CTX_set_next_proto_select_cb() sets a callback B<cb> that is called when a
- client needs to select a protocol from the server's provided list, and a
-@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B<in>).
- The length of the protocol name must be written into B<outlen>. The
- server's advertised protocols are provided in B<in> and B<inlen>. The
- callback can assume that B<in> is syntactically valid. The client must
--select a protocol. It is fatal to the connection if this callback returns
--a value other than B<SSL_TLSEXT_ERR_OK>. The B<arg> parameter is the pointer
--set via SSL_CTX_set_next_proto_select_cb().
-+select a protocol (although it may be an empty, zero length protocol). It is
-+fatal to the connection if this callback returns a value other than
-+B<SSL_TLSEXT_ERR_OK> or if the zero length protocol is selected. The B<arg>
-+parameter is the pointer set via SSL_CTX_set_next_proto_select_cb().
- 
- SSL_CTX_set_next_protos_advertised_cb() sets a callback B<cb> that is called
- when a TLS server needs a list of supported protocols for Next Protocol
-@@ -149,7 +158,8 @@ A match was found and is returned in B<out>, B<outlen>.
- =item OPENSSL_NPN_NO_OVERLAP
- 
- No match was found. The first item in B<client>, B<client_len> is returned in
--B<out>, B<outlen>.
-+B<out>, B<outlen> (or B<NULL> and 0 in the case where the first entry in
-+B<client> is invalid).
- 
- =back
- 
-diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index c71c686..21e6c45 100644
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -2739,38 +2739,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
-                           unsigned int server_len,
-                           const unsigned char *client, unsigned int client_len)
- {
--    unsigned int i, j;
--    const unsigned char *result;
--    int status = OPENSSL_NPN_UNSUPPORTED;
-+    PACKET cpkt, csubpkt, spkt, ssubpkt;
-+    if (!PACKET_buf_init(&cpkt, client, client_len)
-+            || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
-+            || PACKET_remaining(&csubpkt) == 0) {
-+        *out = NULL;
-+        *outlen = 0;
-+        return OPENSSL_NPN_NO_OVERLAP;
-+    }
-+
-+    /*
-+     * Set the default opportunistic protocol. Will be overwritten if we find
-+     * a match.
-+     */
-+    *out = (unsigned char *)PACKET_data(&csubpkt);
-+    *outlen = (unsigned char)PACKET_remaining(&csubpkt);
- 
-     /*
-      * For each protocol in server preference order, see if we support it.
-      */
--    for (i = 0; i < server_len;) {
--        for (j = 0; j < client_len;) {
--            if (server[i] == client[j] &&
--                memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
--                /* We found a match */
--                result = &server[i];
--                status = OPENSSL_NPN_NEGOTIATED;
--                goto found;
-+    if (PACKET_buf_init(&spkt, server, server_len)) {
-+       while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
-+            if (PACKET_remaining(&ssubpkt) == 0)
-+                continue; /* Invalid - ignore it */
-+            if (PACKET_buf_init(&cpkt, client, client_len)) {
-+                while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
-+                    if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
-+                                     PACKET_remaining(&ssubpkt))) {
-+                        /* We found a match */
-+                        *out = (unsigned char *)PACKET_data(&ssubpkt);
-+                        *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
-+                        return OPENSSL_NPN_NEGOTIATED;
-+                    }
-+                }
-+                /* Ignore spurious trailing bytes in the client list */
-+            } else {
-+                /* This should never happen */
-+                return OPENSSL_NPN_NO_OVERLAP;
-             }
--            j += client[j];
--            j++;
-         }
--        i += server[i];
--        i++;
-+        /* Ignore spurious trailing bytes in the server list */
-     }
- 
--    /* There's no overlap between our protocols and the server's list. */
--    result = client;
--    status = OPENSSL_NPN_NO_OVERLAP;
--
-- found:
--    *out = (unsigned char *)result + 1;
--    *outlen = result[0];
--    return status;
--}
-+    /*
-+     * There's no overlap between our protocols and the server's list. We use
-+     * the default opportunistic protocol selected earlier
-+     */
-+    return OPENSSL_NPN_NO_OVERLAP;
-+ } 
- 
- #ifndef OPENSSL_NO_NEXTPROTONEG
- /*
-diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
-index ce8a757..cfde733 100644
---- a/ssl/statem/extensions_clnt.c
-+++ b/ssl/statem/extensions_clnt.c
-@@ -1585,8 +1585,8 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
-     if (s->ctx->ext.npn_select_cb(s, &selected, &selected_len,
-                                   PACKET_data(pkt),
-                                   PACKET_remaining(pkt),
--                                  s->ctx->ext.npn_select_cb_arg) !=
--             SSL_TLSEXT_ERR_OK) {
-+                                  s->ctx->ext.npn_select_cb_arg) != SSL_TLSEXT_ERR_OK
-+           || selected_len == 0) {           
-         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_STOC_NPN,
-                  SSL_R_BAD_EXTENSION);
-         return 0;
-@@ -1617,6 +1617,8 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
-                         size_t chainidx)
- {
-     size_t len;
-+    PACKET confpkt, protpkt;
-+    int valid = 0;
- 
-     /* We must have requested it. */
-     if (!s->s3->alpn_sent) {
-@@ -1637,6 +1639,30 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
-                  SSL_R_BAD_EXTENSION);
-         return 0;
-     }
-+
-+    /* It must be a protocol that we sent */
-+    if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {
-+        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, 
-+                 ERR_R_INTERNAL_ERROR);
-+        return 0;
-+    }
-+    while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {
-+        if (PACKET_remaining(&protpkt) != len)
-+            continue;
-+        if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {
-+            /* Valid protocol found */
-+            valid = 1;
-+            break;
-+        }
-+    }
-+
-+    if (!valid) {
-+        /* The protocol sent from the server does not match one we advertised */
-+        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
-+                 SSL_R_BAD_EXTENSION);
-+        return 0;
-+    }
-+
-     OPENSSL_free(s->s3->alpn_selected);
-     s->s3->alpn_selected = OPENSSL_malloc(len);
-     if (s->s3->alpn_selected == NULL) {
-diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
-index 3c7395c..4e3cbf8 100644
---- a/ssl/statem/extensions_srvr.c
-+++ b/ssl/statem/extensions_srvr.c
-@@ -1559,9 +1559,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
-             return EXT_RETURN_FAIL;
-         }
-         s->s3->npn_seen = 1;
-+        return EXT_RETURN_SENT;
-     }
- 
--    return EXT_RETURN_SENT;
-+    return EXT_RETURN_NOT_SENT;
- }
- #endif
- 
--- 
-2.46.0
-

SOURCES/openssl-1.1.1-intel-cet.patch

@@ -1,500 +0,0 @@
-diff -up openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl.intel-cet openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl
---- openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl.intel-cet	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl	2020-03-19 17:07:02.626522694 +0100
-@@ -275,6 +275,7 @@ $code.=<<___;
- .align	16
- ${PREFIX}_encrypt:
- .cfi_startproc
-+	endbranch
- 	movups	($inp),$inout0		# load input
- 	mov	240($key),$rounds	# key->rounds
- ___
-@@ -293,6 +294,7 @@ $code.=<<___;
- .align	16
- ${PREFIX}_decrypt:
- .cfi_startproc
-+	endbranch
- 	movups	($inp),$inout0		# load input
- 	mov	240($key),$rounds	# key->rounds
- ___
-@@ -613,6 +615,7 @@ $code.=<<___;
- .align	16
- aesni_ecb_encrypt:
- .cfi_startproc
-+	endbranch
- ___
- $code.=<<___ if ($win64);
- 	lea	-0x58(%rsp),%rsp
-@@ -985,6 +988,7 @@ $code.=<<___;
- .align	16
- aesni_ccm64_encrypt_blocks:
- .cfi_startproc
-+	endbranch
- ___
- $code.=<<___ if ($win64);
- 	lea	-0x58(%rsp),%rsp
-@@ -1077,6 +1081,7 @@ $code.=<<___;
- .align	16
- aesni_ccm64_decrypt_blocks:
- .cfi_startproc
-+	endbranch
- ___
- $code.=<<___ if ($win64);
- 	lea	-0x58(%rsp),%rsp
-@@ -1203,6 +1208,7 @@ $code.=<<___;
- .align	16
- aesni_ctr32_encrypt_blocks:
- .cfi_startproc
-+	endbranch
- 	cmp	\$1,$len
- 	jne	.Lctr32_bulk
- 
-@@ -1775,6 +1781,7 @@ $code.=<<___;
- .align	16
- aesni_xts_encrypt:
- .cfi_startproc
-+	endbranch
- 	lea	(%rsp),%r11			# frame pointer
- .cfi_def_cfa_register	%r11
- 	push	%rbp
-@@ -2258,6 +2265,7 @@ $code.=<<___;
- .align	16
- aesni_xts_decrypt:
- .cfi_startproc
-+	endbranch
- 	lea	(%rsp),%r11			# frame pointer
- .cfi_def_cfa_register	%r11
- 	push	%rbp
-@@ -2783,6 +2791,7 @@ $code.=<<___;
- .align	32
- aesni_ocb_encrypt:
- .cfi_startproc
-+	endbranch
- 	lea	(%rsp),%rax
- 	push	%rbx
- .cfi_push	%rbx
-@@ -3249,6 +3258,7 @@ __ocb_encrypt1:
- .align	32
- aesni_ocb_decrypt:
- .cfi_startproc
-+	endbranch
- 	lea	(%rsp),%rax
- 	push	%rbx
- .cfi_push	%rbx
-@@ -3737,6 +3747,7 @@ $code.=<<___;
- .align	16
- ${PREFIX}_cbc_encrypt:
- .cfi_startproc
-+	endbranch
- 	test	$len,$len		# check length
- 	jz	.Lcbc_ret
- 
-diff -up openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl.intel-cet openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl
---- openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl.intel-cet	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl	2020-03-19 17:00:15.974621757 +0100
-@@ -696,6 +696,7 @@ _vpaes_schedule_mangle:
- .align	16
- ${PREFIX}_set_encrypt_key:
- .cfi_startproc
-+	endbranch
- ___
- $code.=<<___ if ($win64);
- 	lea	-0xb8(%rsp),%rsp
-@@ -746,6 +747,7 @@ $code.=<<___;
- .align	16
- ${PREFIX}_set_decrypt_key:
- .cfi_startproc
-+	endbranch
- ___
- $code.=<<___ if ($win64);
- 	lea	-0xb8(%rsp),%rsp
-@@ -801,6 +803,7 @@ $code.=<<___;
- .align	16
- ${PREFIX}_encrypt:
- .cfi_startproc
-+	endbranch
- ___
- $code.=<<___ if ($win64);
- 	lea	-0xb8(%rsp),%rsp
-@@ -846,6 +849,7 @@ $code.=<<___;
- .align	16
- ${PREFIX}_decrypt:
- .cfi_startproc
-+	endbranch
- ___
- $code.=<<___ if ($win64);
- 	lea	-0xb8(%rsp),%rsp
-@@ -897,6 +901,7 @@ $code.=<<___;
- .align	16
- ${PREFIX}_cbc_encrypt:
- .cfi_startproc
-+	endbranch
- 	xchg	$key,$len
- ___
- ($len,$key)=($key,$len);
-diff -up openssl-1.1.1e/crypto/async/arch/async_posix.c.intel-cet openssl-1.1.1e/crypto/async/arch/async_posix.c
---- openssl-1.1.1e/crypto/async/arch/async_posix.c.intel-cet	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/async/arch/async_posix.c	2020-03-19 17:00:15.974621757 +0100
-@@ -34,7 +34,9 @@ void async_local_cleanup(void)
- 
- int async_fibre_makecontext(async_fibre *fibre)
- {
-+#ifndef USE_SWAPCONTEXT
-     fibre->env_init = 0;
-+#endif
-     if (getcontext(&fibre->fibre) == 0) {
-         fibre->fibre.uc_stack.ss_sp = OPENSSL_malloc(STACKSIZE);
-         if (fibre->fibre.uc_stack.ss_sp != NULL) {
-diff -up openssl-1.1.1e/crypto/async/arch/async_posix.h.intel-cet openssl-1.1.1e/crypto/async/arch/async_posix.h
---- openssl-1.1.1e/crypto/async/arch/async_posix.h.intel-cet	2020-03-19 17:00:15.435631166 +0100
-+++ openssl-1.1.1e/crypto/async/arch/async_posix.h	2020-03-19 17:00:15.975621739 +0100
-@@ -25,17 +25,33 @@
- #  define ASYNC_POSIX
- #  define ASYNC_ARCH
- 
-+#  ifdef __CET__
-+/*
-+ * When Intel CET is enabled, makecontext will create a different
-+ * shadow stack for each context.  async_fibre_swapcontext cannot
-+ * use _longjmp.  It must call swapcontext to swap shadow stack as
-+ * well as normal stack.
-+ */
-+#   define USE_SWAPCONTEXT
-+#  endif
- #  include <ucontext.h>
--#  include <setjmp.h>
-+#  ifndef USE_SWAPCONTEXT
-+#   include <setjmp.h>
-+#  endif
- 
- typedef struct async_fibre_st {
-     ucontext_t fibre;
-+#  ifndef USE_SWAPCONTEXT
-     jmp_buf env;
-     int env_init;
-+#  endif
- } async_fibre;
- 
- static ossl_inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r)
- {
-+#  ifdef USE_SWAPCONTEXT
-+    swapcontext(&o->fibre, &n->fibre);
-+#  else
-     o->env_init = 1;
- 
-     if (!r || !_setjmp(o->env)) {
-@@ -44,6 +60,7 @@ static ossl_inline int async_fibre_swapc
-         else
-             setcontext(&n->fibre);
-     }
-+#  endif
- 
-     return 1;
- }
-diff -up openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl.intel-cet openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl
---- openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl.intel-cet	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl	2020-03-19 17:00:15.975621739 +0100
-@@ -685,6 +685,7 @@ $code.=<<___;
- .align	16
- Camellia_cbc_encrypt:
- .cfi_startproc
-+	endbranch
- 	cmp	\$0,%rdx
- 	je	.Lcbc_abort
- 	push	%rbx
-diff -up openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl.intel-cet openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl
---- openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl.intel-cet	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl	2020-03-19 17:00:15.975621739 +0100
-@@ -239,6 +239,7 @@ $code=<<___;
- .align	16
- gcm_gmult_4bit:
- .cfi_startproc
-+	endbranch
- 	push	%rbx
- .cfi_push	%rbx
- 	push	%rbp		# %rbp and others are pushed exclusively in
-@@ -286,6 +287,7 @@ $code.=<<___;
- .align	16
- gcm_ghash_4bit:
- .cfi_startproc
-+	endbranch
- 	push	%rbx
- .cfi_push	%rbx
- 	push	%rbp
-@@ -612,6 +614,7 @@ $code.=<<___;
- .align	16
- gcm_gmult_clmul:
- .cfi_startproc
-+	endbranch
- .L_gmult_clmul:
- 	movdqu		($Xip),$Xi
- 	movdqa		.Lbswap_mask(%rip),$T3
-@@ -663,6 +666,7 @@ $code.=<<___;
- .align	32
- gcm_ghash_clmul:
- .cfi_startproc
-+	endbranch
- .L_ghash_clmul:
- ___
- $code.=<<___ if ($win64);
-@@ -1166,6 +1170,7 @@ $code.=<<___;
- .align	32
- gcm_gmult_avx:
- .cfi_startproc
-+	endbranch
- 	jmp	.L_gmult_clmul
- .cfi_endproc
- .size	gcm_gmult_avx,.-gcm_gmult_avx
-@@ -1177,6 +1182,7 @@ $code.=<<___;
- .align	32
- gcm_ghash_avx:
- .cfi_startproc
-+	endbranch
- ___
- if ($avx) {
- my ($Xip,$Htbl,$inp,$len)=@_4args;
-diff -up openssl-1.1.1e/crypto/perlasm/cbc.pl.intel-cet openssl-1.1.1e/crypto/perlasm/cbc.pl
---- openssl-1.1.1e/crypto/perlasm/cbc.pl.intel-cet	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/perlasm/cbc.pl	2020-03-19 17:00:15.976621722 +0100
-@@ -165,21 +165,28 @@ sub cbc
- 	&jmp_ptr($count);
- 
- &set_label("ej7");
-+	&endbranch()
- 	&movb(&HB("edx"),	&BP(6,$in,"",0));
- 	&shl("edx",8);
- &set_label("ej6");
-+	&endbranch()
- 	&movb(&HB("edx"),	&BP(5,$in,"",0));
- &set_label("ej5");
-+	&endbranch()
- 	&movb(&LB("edx"),	&BP(4,$in,"",0));
- &set_label("ej4");
-+	&endbranch()
- 	&mov("ecx",		&DWP(0,$in,"",0));
- 	&jmp(&label("ejend"));
- &set_label("ej3");
-+	&endbranch()
- 	&movb(&HB("ecx"),	&BP(2,$in,"",0));
- 	&shl("ecx",8);
- &set_label("ej2");
-+	&endbranch()
- 	&movb(&HB("ecx"),	&BP(1,$in,"",0));
- &set_label("ej1");
-+	&endbranch()
- 	&movb(&LB("ecx"),	&BP(0,$in,"",0));
- &set_label("ejend");
- 
-diff -up openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl.intel-cet openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl
---- openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl.intel-cet	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl	2020-03-19 17:00:15.984621582 +0100
-@@ -101,6 +101,33 @@ elsif (!$gas)
-     $decor="\$L\$";
- }
- 
-+my $cet_property;
-+if ($flavour =~ /elf/) {
-+	# Always generate .note.gnu.property section for ELF outputs to
-+	# mark Intel CET support since all input files must be marked
-+	# with Intel CET support in order for linker to mark output with
-+	# Intel CET support.
-+	my $p2align=3; $p2align=2 if ($flavour eq "elf32");
-+	$cet_property = <<_____;
-+	.section ".note.gnu.property", "a"
-+	.p2align $p2align
-+	.long 1f - 0f
-+	.long 4f - 1f
-+	.long 5
-+0:
-+	.asciz "GNU"
-+1:
-+	.p2align $p2align
-+	.long 0xc0000002
-+	.long 3f - 2f
-+2:
-+	.long 3
-+3:
-+	.p2align $p2align
-+4:
-+_____
-+}
-+
- my $current_segment;
- my $current_function;
- my %globals;
-@@ -1213,6 +1240,7 @@ while(defined(my $line=<>)) {
-     print $line,"\n";
- }
- 
-+print "$cet_property"			if ($cet_property);
- print "\n$current_segment\tENDS\n"	if ($current_segment && $masm);
- print "END\n"				if ($masm);
- 
-diff -up openssl-1.1.1e/crypto/perlasm/x86gas.pl.intel-cet openssl-1.1.1e/crypto/perlasm/x86gas.pl
---- openssl-1.1.1e/crypto/perlasm/x86gas.pl.intel-cet	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/perlasm/x86gas.pl	2020-03-19 17:00:15.985621565 +0100
-@@ -124,6 +124,7 @@ sub ::function_begin_B
-     push(@out,".align\t$align\n");
-     push(@out,"$func:\n");
-     push(@out,"$begin:\n")		if ($global);
-+    &::endbranch();
-     $::stack=4;
- }
- 
-@@ -172,6 +173,26 @@ sub ::file_end
- 	else		{ push (@out,"$tmp\n"); }
-     }
-     push(@out,$initseg) if ($initseg);
-+    if ($::elf) {
-+	push(@out,"
-+	.section \".note.gnu.property\", \"a\"
-+	.p2align 2
-+	.long 1f - 0f
-+	.long 4f - 1f
-+	.long 5
-+0:
-+	.asciz \"GNU\"
-+1:
-+	.p2align 2
-+	.long 0xc0000002
-+	.long 3f - 2f
-+2:
-+	.long 3
-+3:
-+	.p2align 2
-+4:
-+");
-+    }
- }
- 
- sub ::data_byte	{   push(@out,".byte\t".join(',',@_)."\n");   }
-diff -up openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl.intel-cet openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl
---- openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl.intel-cet	2020-03-19 17:00:38.185234015 +0100
-+++ openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl	2020-03-19 17:05:46.575850341 +0100
-@@ -2806,6 +2806,7 @@ $code.=<<___;
- .align	32
- poly1305_blocks_vpmadd52:
- .cfi_startproc
-+	endbranch
- 	shr	\$4,$len
- 	jz	.Lno_data_vpmadd52		# too short
- 
-@@ -3739,6 +3740,7 @@ $code.=<<___;
- .align	32
- poly1305_emit_base2_44:
- .cfi_startproc
-+	endbranch
- 	mov	0($ctx),%r8	# load hash value
- 	mov	8($ctx),%r9
- 	mov	16($ctx),%r10
-diff -up openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl.intel-cet openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl
---- openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl.intel-cet	2020-03-19 17:00:38.190233928 +0100
-+++ openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl	2020-03-19 17:05:02.598618064 +0100
-@@ -140,6 +140,7 @@ $code=<<___;
- .align	16
- RC4:
- .cfi_startproc
-+	endbranch
- 	or	$len,$len
- 	jne	.Lentry
- 	ret
-@@ -455,6 +456,7 @@ $code.=<<___;
- .align	16
- RC4_set_key:
- .cfi_startproc
-+	endbranch
- 	lea	8($dat),$dat
- 	lea	($inp,$len),$inp
- 	neg	$len
-@@ -529,6 +531,7 @@ RC4_set_key:
- .align	16
- RC4_options:
- .cfi_startproc
-+	endbranch
- 	lea	.Lopts(%rip),%rax
- 	mov	OPENSSL_ia32cap_P(%rip),%edx
- 	bt	\$20,%edx
-diff -up openssl-1.1.1e/crypto/x86_64cpuid.pl.intel-cet openssl-1.1.1e/crypto/x86_64cpuid.pl
---- openssl-1.1.1e/crypto/x86_64cpuid.pl.intel-cet	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/x86_64cpuid.pl	2020-03-19 17:03:58.172742775 +0100
-@@ -40,6 +40,7 @@ print<<___;
- .align	16
- OPENSSL_atomic_add:
- .cfi_startproc
-+	endbranch
- 	movl	($arg1),%eax
- .Lspin:	leaq	($arg2,%rax),%r8
- 	.byte	0xf0		# lock
-@@ -56,6 +57,7 @@ OPENSSL_atomic_add:
- .align	16
- OPENSSL_rdtsc:
- .cfi_startproc
-+	endbranch
- 	rdtsc
- 	shl	\$32,%rdx
- 	or	%rdx,%rax
-@@ -68,6 +70,7 @@ OPENSSL_rdtsc:
- .align	16
- OPENSSL_ia32_cpuid:
- .cfi_startproc
-+	endbranch
- 	mov	%rbx,%r8		# save %rbx
- .cfi_register	%rbx,%r8
- 
-@@ -237,6 +240,7 @@ OPENSSL_ia32_cpuid:
- .align  16
- OPENSSL_cleanse:
- .cfi_startproc
-+	endbranch
- 	xor	%rax,%rax
- 	cmp	\$15,$arg2
- 	jae	.Lot
-@@ -274,6 +278,7 @@ OPENSSL_cleanse:
- .align  16
- CRYPTO_memcmp:
- .cfi_startproc
-+	endbranch
- 	xor	%rax,%rax
- 	xor	%r10,%r10
- 	cmp	\$0,$arg3
-@@ -312,6 +317,7 @@ print<<___ if (!$win64);
- .align	16
- OPENSSL_wipe_cpu:
- .cfi_startproc
-+	endbranch
- 	pxor	%xmm0,%xmm0
- 	pxor	%xmm1,%xmm1
- 	pxor	%xmm2,%xmm2
-@@ -346,6 +352,8 @@ print<<___ if ($win64);
- .type	OPENSSL_wipe_cpu,\@abi-omnipotent
- .align	16
- OPENSSL_wipe_cpu:
-+.cfi_startproc
-+	endbranch
- 	pxor	%xmm0,%xmm0
- 	pxor	%xmm1,%xmm1
- 	pxor	%xmm2,%xmm2
-@@ -376,6 +384,7 @@ print<<___;
- .align	16
- OPENSSL_instrument_bus:
- .cfi_startproc
-+	endbranch
- 	mov	$arg1,$out	# tribute to Win64
- 	mov	$arg2,$cnt
- 	mov	$arg2,$max
-@@ -410,6 +419,7 @@ OPENSSL_instrument_bus:
- .align	16
- OPENSSL_instrument_bus2:
- .cfi_startproc
-+	endbranch
- 	mov	$arg1,$out	# tribute to Win64
- 	mov	$arg2,$cnt
- 	mov	$arg3,$max
-@@ -465,6 +475,7 @@ print<<___;
- .align	16
- OPENSSL_ia32_${rdop}_bytes:
- .cfi_startproc
-+	endbranch
- 	xor	%rax, %rax	# return value
- 	cmp	\$0,$arg2
- 	je	.Ldone_${rdop}_bytes

SOURCES/openssl-1.1.1-kdf-selftest.patch

@@ -1,456 +0,0 @@
-diff -up openssl-1.1.1g/crypto/fips/build.info.kdf-selftest openssl-1.1.1g/crypto/fips/build.info
---- openssl-1.1.1g/crypto/fips/build.info.kdf-selftest	2020-06-03 16:08:36.274849058 +0200
-+++ openssl-1.1.1g/crypto/fips/build.info	2020-06-03 16:11:05.609079372 +0200
-@@ -5,7 +5,7 @@ SOURCE[../../libcrypto]=\
-         fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
-         fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
-         fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \
--        fips_dh_selftest.c fips_ers.c
-+        fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c
- 
- PROGRAMS_NO_INST=\
-           fips_standalone_hmac
-diff -up openssl-1.1.1g/crypto/fips/fips_err.h.kdf-selftest openssl-1.1.1g/crypto/fips/fips_err.h
---- openssl-1.1.1g/crypto/fips/fips_err.h.kdf-selftest	2020-07-14 15:27:51.681785958 +0200
-+++ openssl-1.1.1g/crypto/fips/fips_err.h	2020-10-22 14:07:13.645614388 +0200
-@@ -108,9 +108,16 @@ static ERR_STRING_DATA FIPS_str_functs[]
-     {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DES), "FIPS_selftest_des"},
-     {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DSA), "FIPS_selftest_dsa"},
-     {ERR_FUNC(FIPS_F_FIPS_SELFTEST_ECDSA), "FIPS_selftest_ecdsa"},
-+    {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HKDF), "FIPS_selftest_hkdf"},
-     {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"},
-+    {ERR_FUNC(FIPS_F_FIPS_SELFTEST_KBKDF), "FIPS_selftest_kbkdf"},
-+    {ERR_FUNC(FIPS_F_FIPS_SELFTEST_KRB5KDF), "FIPS_selftest_krb5kdf"},
-+    {ERR_FUNC(FIPS_F_FIPS_SELFTEST_PBKDF2), "FIPS_selftest_pbkdf2"},
-     {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"},
-     {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"},
-+    {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SSHKDF), "FIPS_selftest_sshkdf"},
-+    {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SSKDF), "FIPS_selftest_sskdf"},
-+    {ERR_FUNC(FIPS_F_FIPS_SELFTEST_TLS1_PRF), "FIPS_selftest_tls1_prf"},
-     {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"},
-     {ERR_FUNC(FIPS_F_OSSL_ECDSA_VERIFY_SIG), "ossl_ecdsa_verify_sig"},
-     {ERR_FUNC(FIPS_F_RSA_BUILTIN_KEYGEN), "rsa_builtin_keygen"},
-diff -up openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c
---- openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest	2020-10-22 16:25:33.211248158 +0200
-+++ openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c	2020-10-22 16:56:54.652267521 +0200
-@@ -0,0 +1,377 @@
-+/*
-+ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright (c) 2018-2019, Oracle and/or its affiliates.  All rights reserved.
-+ *
-+ * Licensed under the Apache License 2.0 (the "License").  You may not use
-+ * this file except in compliance with the License.  You can obtain a copy
-+ * in the file LICENSE in the source distribution or at
-+ * https://www.openssl.org/source/license.html
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#include <openssl/fips.h>
-+#include "crypto/fips.h"
-+
-+#include <openssl/evp.h>
-+#include <openssl/kdf.h>
-+
-+#ifdef OPENSSL_FIPS
-+static int FIPS_selftest_tls1_prf(void)
-+{
-+    int ret = 0;
-+    EVP_KDF_CTX *kctx;
-+    unsigned char out[16];
-+
-+    if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_TLS1_PRF)) == NULL) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_TLS_SECRET,
-+                     "secret", (size_t)6) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, "seed", (size_t)4) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
-+        goto err;
-+    }
-+
-+    {
-+        const unsigned char expected[sizeof(out)] = {
-+            0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0,
-+            0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
-+        };
-+        if (memcmp(out, expected, sizeof(expected))) {
-+            goto err;
-+        }
-+    }
-+    ret = 1;
-+
-+err:
-+    if (!ret)
-+        FIPSerr(FIPS_F_FIPS_SELFTEST_TLS1_PRF, FIPS_R_SELFTEST_FAILED);
-+    EVP_KDF_CTX_free(kctx);
-+    return ret;
-+}
-+
-+static int FIPS_selftest_hkdf(void)
-+{
-+    int ret = 0;
-+    EVP_KDF_CTX *kctx;
-+    unsigned char out[10];
-+
-+    if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_HKDF)) == NULL) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", (size_t)6) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_HKDF_INFO,
-+                     "label", (size_t)5) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
-+        goto err;
-+    }
-+
-+    {
-+        const unsigned char expected[sizeof(out)] = {
-+            0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13
-+        };
-+        if (memcmp(out, expected, sizeof(expected))) {
-+            goto err;
-+        }
-+    }
-+    ret = 1;
-+err:
-+    if (!ret)
-+        FIPSerr(FIPS_F_FIPS_SELFTEST_HKDF, FIPS_R_SELFTEST_FAILED);
-+    EVP_KDF_CTX_free(kctx);
-+    return ret;
-+}
-+
-+static int FIPS_selftest_sshkdf(void)
-+{
-+    int ret = 0;
-+    EVP_KDF_CTX *kctx;
-+    unsigned char out[32];
-+    const unsigned char input_key[] = {
-+        0x00, 0x00, 0x00, 0x80, 0x0f, 0xaa, 0x17, 0x2b,
-+        0x8c, 0x28, 0x7e, 0x37, 0x2b, 0xb2, 0x36, 0xad,
-+        0x34, 0xc7, 0x33, 0x69, 0x5c, 0x13, 0xd7, 0x7f,
-+        0x88, 0x2a, 0xdc, 0x0f, 0x47, 0xe5, 0xa7, 0xf6,
-+        0xa3, 0xde, 0x07, 0xef, 0xb1, 0x01, 0x20, 0x7a,
-+        0xa5, 0xd6, 0x65, 0xb6, 0x19, 0x82, 0x6f, 0x75,
-+        0x65, 0x91, 0xf6, 0x53, 0x10, 0xbb, 0xd2, 0xc9,
-+        0x2c, 0x93, 0x84, 0xe6, 0xc6, 0xa6, 0x7b, 0x42,
-+        0xde, 0xc3, 0x82, 0xfd, 0xb2, 0x4c, 0x59, 0x1d,
-+        0x79, 0xff, 0x5e, 0x47, 0x73, 0x7b, 0x0f, 0x5b,
-+        0x84, 0x79, 0x69, 0x4c, 0x3a, 0xdc, 0x19, 0x40,
-+        0x17, 0x04, 0x91, 0x2b, 0xbf, 0xec, 0x27, 0x04,
-+        0xd4, 0xd5, 0xbe, 0xbb, 0xfc, 0x1a, 0x7f, 0xc7,
-+        0x96, 0xe2, 0x77, 0x63, 0x4e, 0x40, 0x85, 0x18,
-+        0x51, 0xa1, 0x87, 0xec, 0x2d, 0x37, 0xed, 0x3f,
-+        0x35, 0x1c, 0x45, 0x96, 0xa5, 0xa0, 0x89, 0x29,
-+        0x16, 0xb4, 0xc5, 0x5f
-+    };
-+    const unsigned char xcghash[] = {
-+        0xa3, 0x47, 0xf5, 0xf1, 0xe1, 0x91, 0xc3, 0x5f,
-+        0x21, 0x2c, 0x93, 0x24, 0xd5, 0x86, 0x7e, 0xfd,
-+        0xf8, 0x30, 0x26, 0xbe, 0x62, 0xc2, 0xb1, 0x6a,
-+        0xe0, 0x06, 0xed, 0xb3, 0x37, 0x8d, 0x40, 0x06
-+    };
-+    const unsigned char session_id[] = {
-+        0x90, 0xbe, 0xfc, 0xef, 0x3f, 0xf8, 0xf9, 0x20,
-+        0x67, 0x4a, 0x9f, 0xab, 0x94, 0x19, 0x8c, 0xf3,
-+        0xfd, 0x9d, 0xca, 0x24, 0xa2, 0x1d, 0x3c, 0x9d,
-+        0xba, 0x39, 0x4d, 0xaa, 0xfb, 0xc6, 0x21, 0xed
-+    };
-+
-+
-+    if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF)) == NULL) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key,
-+                     sizeof(input_key)) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, xcghash,
-+                     sizeof(xcghash)) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, session_id,
-+                     sizeof(session_id)) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, (int)'F') <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
-+        goto err;
-+    }
-+
-+    {
-+        const unsigned char expected[sizeof(out)] = {
-+            0x14, 0x7a, 0x77, 0x14, 0x45, 0x12, 0x3f, 0x84,
-+            0x6d, 0x8a, 0xe5, 0x14, 0xd7, 0xff, 0x9b, 0x3c,
-+            0x93, 0xb2, 0xbc, 0xeb, 0x7c, 0x7c, 0x95, 0x00,
-+            0x94, 0x21, 0x61, 0xb8, 0xe2, 0xd0, 0x11, 0x0f
-+        };
-+        if (memcmp(out, expected, sizeof(expected))) {
-+            goto err;
-+        }
-+    }
-+    ret = 1;
-+
-+err:
-+    if (!ret)
-+        FIPSerr(FIPS_F_FIPS_SELFTEST_SSHKDF, FIPS_R_SELFTEST_FAILED);
-+    EVP_KDF_CTX_free(kctx);
-+    return ret;
-+}
-+
-+static int FIPS_selftest_pbkdf2(void)
-+{
-+    int ret = 0;
-+    EVP_KDF_CTX *kctx;
-+    unsigned char out[32];
-+
-+    if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2)) == NULL) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
-+        goto err;
-+    }
-+
-+    {
-+        const unsigned char expected[sizeof(out)] = {
-+            0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3,
-+            0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0,
-+            0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf,
-+            0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43
-+        };
-+        if (memcmp(out, expected, sizeof(expected))) {
-+            goto err;
-+        }
-+    }
-+    ret = 1;
-+
-+err:
-+    if (!ret)
-+        FIPSerr(FIPS_F_FIPS_SELFTEST_PBKDF2, FIPS_R_SELFTEST_FAILED);
-+    EVP_KDF_CTX_free(kctx);
-+    return ret;
-+}
-+
-+/* Test vector from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos
-+ * 5) appendix A. */
-+static int FIPS_selftest_kbkdf(void)
-+{
-+    int ret = 0;
-+    EVP_KDF_CTX *kctx;
-+    char *label = "prf", *prf_input = "test";
-+    const unsigned char input_key[] = {
-+        0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28,
-+        0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C,
-+    };
-+    const unsigned char output[] = {
-+        0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE,
-+        0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86,
-+        0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B,
-+        0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95,
-+    };
-+    unsigned char result[sizeof(output)] = { 0 };
-+
-+    if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, label, strlen(label)) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, prf_input, strlen(prf_input)) <= 0) {
-+        goto err;
-+    }
-+    ret = EVP_KDF_derive(kctx, result, sizeof(result)) > 0
-+        && memcmp(result, output, sizeof(output)) == 0;
-+err:
-+    if (!ret)
-+        FIPSerr(FIPS_F_FIPS_SELFTEST_KBKDF, FIPS_R_SELFTEST_FAILED);
-+    EVP_KDF_CTX_free(kctx);
-+    return ret;
-+}
-+
-+static int FIPS_selftest_krb5kdf(void)
-+{
-+    int ret = 0;
-+    EVP_KDF_CTX *kctx;
-+    unsigned char out[16];
-+    const unsigned char key[] = {
-+        0x42, 0x26, 0x3C, 0x6E, 0x89, 0xF4, 0xFC, 0x28,
-+        0xB8, 0xDF, 0x68, 0xEE, 0x09, 0x79, 0x9F, 0x15
-+    };
-+    const unsigned char constant[] = {
-+        0x00, 0x00, 0x00, 0x02, 0x99
-+    };
-+    const unsigned char expected[sizeof(out)] = {
-+        0x34, 0x28, 0x0A, 0x38, 0x2B, 0xC9, 0x27, 0x69,
-+        0xB2, 0xDA, 0x2F, 0x9E, 0xF0, 0x66, 0x85, 0x4B
-+    };
-+
-+    if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KRB5KDF)) == NULL) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_aes_128_cbc()) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, key, sizeof(key)) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT, constant, sizeof(constant)) <= 0) {
-+        goto err;
-+    }
-+
-+    ret =
-+        EVP_KDF_derive(kctx, out, sizeof(out)) > 0
-+        && memcmp(out, expected, sizeof(expected)) == 0;
-+
-+err:
-+    if (!ret)
-+        FIPSerr(FIPS_F_FIPS_SELFTEST_KRB5KDF, FIPS_R_SELFTEST_FAILED);
-+    EVP_KDF_CTX_free(kctx);
-+    return ret;
-+}
-+
-+static int FIPS_selftest_sskdf(void)
-+{
-+    int ret = 0;
-+    EVP_KDF_CTX *kctx;
-+    const unsigned char z[] = {
-+        0x6d,0xbd,0xc2,0x3f,0x04,0x54,0x88,0xe4,0x06,0x27,0x57,0xb0,0x6b,0x9e,
-+        0xba,0xe1,0x83,0xfc,0x5a,0x59,0x46,0xd8,0x0d,0xb9,0x3f,0xec,0x6f,0x62,
-+        0xec,0x07,0xe3,0x72,0x7f,0x01,0x26,0xae,0xd1,0x2c,0xe4,0xb2,0x62,0xf4,
-+        0x7d,0x48,0xd5,0x42,0x87,0xf8,0x1d,0x47,0x4c,0x7c,0x3b,0x18,0x50,0xe9
-+    };
-+    const unsigned char other[] = {
-+        0xa1,0xb2,0xc3,0xd4,0xe5,0x43,0x41,0x56,0x53,0x69,0x64,0x3c,0x83,0x2e,
-+        0x98,0x49,0xdc,0xdb,0xa7,0x1e,0x9a,0x31,0x39,0xe6,0x06,0xe0,0x95,0xde,
-+        0x3c,0x26,0x4a,0x66,0xe9,0x8a,0x16,0x58,0x54,0xcd,0x07,0x98,0x9b,0x1e,
-+        0xe0,0xec,0x3f,0x8d,0xbe
-+    };
-+    const unsigned char expected[] = {
-+        0xa4,0x62,0xde,0x16,0xa8,0x9d,0xe8,0x46,0x6e,0xf5,0x46,0x0b,0x47,0xb8
-+    };
-+    unsigned char out[14];
-+
-+    kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS);
-+
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha224()) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z, sizeof(z)) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, other,
-+                     sizeof(other)) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
-+        goto err;
-+    }
-+
-+    if (memcmp(out, expected, sizeof(expected)))
-+        goto err;
-+    ret = 1;
-+
-+err:
-+    if (!ret)
-+        FIPSerr(FIPS_F_FIPS_SELFTEST_SSKDF, FIPS_R_SELFTEST_FAILED);
-+    EVP_KDF_CTX_free(kctx);
-+    return ret;
-+}
-+
-+int FIPS_selftest_kdf(void)
-+{
-+    return FIPS_selftest_tls1_prf()
-+        && FIPS_selftest_hkdf()
-+        && FIPS_selftest_sshkdf()
-+        && FIPS_selftest_pbkdf2()
-+        && FIPS_selftest_kbkdf()
-+        && FIPS_selftest_krb5kdf()
-+        && FIPS_selftest_sskdf();
-+}
-+
-+#endif
-diff -up openssl-1.1.1g/crypto/fips/fips_post.c.kdf-selftest openssl-1.1.1g/crypto/fips/fips_post.c
---- openssl-1.1.1g/crypto/fips/fips_post.c.kdf-selftest	2020-06-03 16:08:36.332849536 +0200
-+++ openssl-1.1.1g/crypto/fips/fips_post.c	2020-06-03 16:08:36.338849585 +0200
-@@ -111,6 +111,8 @@ int FIPS_selftest(void)
-         rv = 0;
-     if (!FIPS_selftest_ecdh())
-         rv = 0;
-+    if (!FIPS_selftest_kdf())
-+        rv = 0;
-     return rv;
- }
- 
-diff -up openssl-1.1.1g/include/crypto/fips.h.kdf-selftest openssl-1.1.1g/include/crypto/fips.h
---- openssl-1.1.1g/include/crypto/fips.h.kdf-selftest	2020-06-03 16:08:36.330849519 +0200
-+++ openssl-1.1.1g/include/crypto/fips.h	2020-06-03 16:08:36.338849585 +0200
-@@ -72,6 +72,7 @@ void FIPS_drbg_stick(int onoff);
- int FIPS_selftest_hmac(void);
- int FIPS_selftest_drbg(void);
- int FIPS_selftest_cmac(void);
-+int FIPS_selftest_kdf(void);
- 
- int fips_in_post(void);
- 
-diff -up openssl-1.1.1g/include/openssl/fips.h.kdf-selftest openssl-1.1.1g/include/openssl/fips.h
---- openssl-1.1.1g/include/openssl/fips.h.kdf-selftest	2020-07-14 15:27:51.685785988 +0200
-+++ openssl-1.1.1g/include/openssl/fips.h	2020-10-22 14:03:28.868575785 +0200
-@@ -122,9 +122,16 @@ extern "C" {
- # define FIPS_F_FIPS_SELFTEST_DES                         111
- # define FIPS_F_FIPS_SELFTEST_DSA                         112
- # define FIPS_F_FIPS_SELFTEST_ECDSA                       133
-+# define FIPS_F_FIPS_SELFTEST_HKDF                        153
- # define FIPS_F_FIPS_SELFTEST_HMAC                        113
-+# define FIPS_F_FIPS_SELFTEST_KBKDF                       151
-+# define FIPS_F_FIPS_SELFTEST_KRB5KDF                     154
-+# define FIPS_F_FIPS_SELFTEST_PBKDF2                      152
- # define FIPS_F_FIPS_SELFTEST_SHA1                        115
- # define FIPS_F_FIPS_SELFTEST_SHA2                        105
-+# define FIPS_F_FIPS_SELFTEST_SSHKDF                      155
-+# define FIPS_F_FIPS_SELFTEST_SSKDF                       156
-+# define FIPS_F_FIPS_SELFTEST_TLS1_PRF                    157
- # define FIPS_F_OSSL_ECDSA_SIGN_SIG                       143
- # define FIPS_F_OSSL_ECDSA_VERIFY_SIG                     148
- # define FIPS_F_RSA_BUILTIN_KEYGEN                        116

SOURCES/openssl-1.1.1-man-rename.patch

@@ -1,19 +0,0 @@
-diff -up openssl-1.1.1-pre9/doc/man1/openssl.pod.man-rename openssl-1.1.1-pre9/doc/man1/openssl.pod
---- openssl-1.1.1-pre9/doc/man1/openssl.pod.man-rename	2018-08-21 14:14:13.000000000 +0200
-+++ openssl-1.1.1-pre9/doc/man1/openssl.pod	2018-08-22 12:13:04.092568064 +0200
-@@ -482,13 +482,13 @@ L<dhparam(1)>, L<dsa(1)>, L<dsaparam(1)>
- L<ec(1)>, L<ecparam(1)>,
- L<enc(1)>, L<engine(1)>, L<errstr(1)>, L<gendsa(1)>, L<genpkey(1)>,
- L<genrsa(1)>, L<nseq(1)>, L<ocsp(1)>,
--L<passwd(1)>,
- L<pkcs12(1)>, L<pkcs7(1)>, L<pkcs8(1)>,
- L<pkey(1)>, L<pkeyparam(1)>, L<pkeyutl(1)>, L<prime(1)>,
--L<rand(1)>, L<rehash(1)>, L<req(1)>, L<rsa(1)>,
-+L<rehash(1)>, L<req(1)>, L<rsa(1)>,
- L<rsautl(1)>, L<s_client(1)>,
- L<s_server(1)>, L<s_time(1)>, L<sess_id(1)>,
- L<smime(1)>, L<speed(1)>, L<spkac(1)>, L<srp(1)>, L<storeutl(1)>,
-+L<sslpasswd(1)>, L<sslrand(1)>,
- L<ts(1)>,
- L<verify(1)>, L<version(1)>, L<x509(1)>,
- L<crypto(7)>, L<ssl(7)>, L<x509v3_config(5)>

SOURCES/openssl-1.1.1-no-brainpool.patch

@@ -1,112 +0,0 @@
-diff -up openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in.no-brainpool openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in
---- openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in.no-brainpool	2019-09-10 15:13:07.000000000 +0200
-+++ openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in	2019-09-13 15:11:07.358687169 +0200
-@@ -147,22 +147,22 @@ our @tests = (
-     {
-         name => "ECDSA with brainpool",
-         server =>  {
--            "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
--            "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
--            "Groups" => "brainpoolP256r1",
-+            "Certificate" => test_pem("server-ecdsa-cert.pem"),
-+            "PrivateKey" => test_pem("server-ecdsa-key.pem"),
-+#            "Groups" => "brainpoolP256r1",
-         },
-         client => {
-             #We don't restrict this to TLSv1.2, although use of brainpool
-             #should force this anyway so that this should succeed
-             "CipherString" => "aECDSA",
-             "RequestCAFile" => test_pem("root-cert.pem"),
--            "Groups" => "brainpoolP256r1",
-+#            "Groups" => "brainpoolP256r1",
-         },
-         test   => {
--            "ExpectedServerCertType" =>, "brainpoolP256r1",
--            "ExpectedServerSignType" =>, "EC",
-+#            "ExpectedServerCertType" =>, "brainpoolP256r1",
-+#            "ExpectedServerSignType" =>, "EC",
-             # Note: certificate_authorities not sent for TLS < 1.3
--            "ExpectedServerCANames" =>, "empty",
-+#            "ExpectedServerCANames" =>, "empty",
-             "ExpectedResult" => "Success"
-         },
-     },
-@@ -853,18 +853,18 @@ my @tests_tls_1_3 = (
-     {
-         name => "TLS 1.3 ECDSA with brainpool",
-         server =>  {
--            "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
--            "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
--            "Groups" => "brainpoolP256r1",
-+            "Certificate" => test_pem("server-ecdsa-cert.pem"),
-+            "PrivateKey" => test_pem("server-ecdsa-key.pem"),
-+#            "Groups" => "brainpoolP256r1",
-         },
-         client => {
-             "RequestCAFile" => test_pem("root-cert.pem"),
--            "Groups" => "brainpoolP256r1",
-+#            "Groups" => "brainpoolP256r1",
-             "MinProtocol" => "TLSv1.3",
-             "MaxProtocol" => "TLSv1.3"
-         },
-         test   => {
--            "ExpectedResult" => "ServerFail"
-+            "ExpectedResult" => "Success"
-         },
-     },
- );
-diff -up openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-1.1.1d/test/ssl-tests/20-cert-select.conf
---- openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.no-brainpool	2019-09-10 15:13:07.000000000 +0200
-+++ openssl-1.1.1d/test/ssl-tests/20-cert-select.conf	2019-09-13 15:12:27.380288469 +0200
-@@ -238,23 +238,18 @@ server = 5-ECDSA with brainpool-server
- client = 5-ECDSA with brainpool-client
- 
- [5-ECDSA with brainpool-server]
--Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
-+Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
- CipherString = DEFAULT
--Groups = brainpoolP256r1
--PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
-+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
- 
- [5-ECDSA with brainpool-client]
- CipherString = aECDSA
--Groups = brainpoolP256r1
- RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
- 
- [test-5]
- ExpectedResult = Success
--ExpectedServerCANames = empty
--ExpectedServerCertType = brainpoolP256r1
--ExpectedServerSignType = EC
- 
- 
- # ===========================================================
-@@ -1713,14 +1708,12 @@ server = 52-TLS 1.3 ECDSA with brainpool
- client = 52-TLS 1.3 ECDSA with brainpool-client
- 
- [52-TLS 1.3 ECDSA with brainpool-server]
--Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
-+Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
- CipherString = DEFAULT
--Groups = brainpoolP256r1
--PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
-+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
- 
- [52-TLS 1.3 ECDSA with brainpool-client]
- CipherString = DEFAULT
--Groups = brainpoolP256r1
- MaxProtocol = TLSv1.3
- MinProtocol = TLSv1.3
- RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
-@@ -1728,7 +1721,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro
- VerifyMode = Peer
- 
- [test-52]
--ExpectedResult = ServerFail
-+ExpectedResult = Success
- 
- 
- # ===========================================================

SOURCES/openssl-1.1.1-no-html.patch

@@ -1,12 +0,0 @@
-diff -up openssl-1.1.1f/Configurations/unix-Makefile.tmpl.no-html openssl-1.1.1f/Configurations/unix-Makefile.tmpl
---- openssl-1.1.1f/Configurations/unix-Makefile.tmpl.no-html	2020-04-07 16:45:21.904083989 +0200
-+++ openssl-1.1.1f/Configurations/unix-Makefile.tmpl	2020-04-07 16:45:56.218461895 +0200
-@@ -544,7 +544,7 @@ install_sw: install_dev install_engines
- 
- uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
- 
--install_docs: install_man_docs install_html_docs
-+install_docs: install_man_docs
- 
- uninstall_docs: uninstall_man_docs uninstall_html_docs
- 	$(RM) -r "$(DESTDIR)$(DOCDIR)"

SOURCES/openssl-1.1.1-no-weak-verify.patch

@@ -1,26 +0,0 @@
-diff -up openssl-1.1.1b/crypto/asn1/a_verify.c.no-weak-verify openssl-1.1.1b/crypto/asn1/a_verify.c
---- openssl-1.1.1b/crypto/asn1/a_verify.c.no-weak-verify	2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/asn1/a_verify.c	2019-02-28 11:25:31.531862873 +0100
-@@ -7,6 +7,9 @@
-  * https://www.openssl.org/source/license.html
-  */
- 
-+/* for secure_getenv */
-+#define _GNU_SOURCE
-+
- #include <stdio.h>
- #include <time.h>
- #include <sys/types.h>
-@@ -130,6 +133,12 @@ int ASN1_item_verify(const ASN1_ITEM *it
-         if (ret != 2)
-             goto err;
-         ret = -1;
-+    } else if ((mdnid == NID_md5
-+               && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) ||
-+               mdnid == NID_md4 || mdnid == NID_md2 || mdnid == NID_sha) {
-+        ASN1err(ASN1_F_ASN1_ITEM_VERIFY,
-+                ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
-+        goto err;
-     } else {
-         const EVP_MD *type = EVP_get_digestbynid(mdnid);
-