- bsc#1243564 CVE-2025-4575: Fix the x509 application adding trusted use instead of rejected use

* Add openssl-CVE-2025-4575.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=143

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -0,0 +1 @@
+.osc

baselibs.conf

@@ -0,0 +1,12 @@
+libopenssl3
+  obsoletes "libopenssl1_1_0-<targettype>"
+  provides "libopenssl3-hmac-<targettype> = <version>-%release"
+  obsoletes "libopenssl3-hmac-<targettype> < <version>-%release"
+libopenssl-3-devel
+  provides "libopenssl-devel-<targettype> = <version>"
+  conflicts "otherproviders(libopenssl-devel-<targettype>)"
+  conflicts "libopenssl-1_1-devel-<targettype>"
+  requires -"openssl-3-<targettype>"
+  requires "libopenssl3-<targettype> = <version>"
+libopenssl-3-fips-provider
+  requires "libopenssl3-<targettype> >= <version>"

openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch

@@ -0,0 +1,570 @@
+From 5f4f350ce797a7cd2fdca84c474ee196da9d6fae Mon Sep 17 00:00:00 2001
+From: Clemens Lang <cllang@redhat.com>
+Date: Wed, 18 May 2022 17:25:59 +0200
+Subject: [PATCH] Deny SHA-1 signature verification in FIPS provider
+
+For RHEL, we already disable SHA-1 signatures by default in the default
+provider, so it is unexpected that the FIPS provider would have a more
+lenient configuration in this regard. Additionally, we do not think
+continuing to accept SHA-1 signatures is a good idea due to the
+published chosen-prefix collision attacks.
+
+As a consequence, disable verification of SHA-1 signatures in the FIPS
+provider.
+
+This requires adjusting a few tests that would otherwise fail:
+- 30-test_acvp: Remove the test vectors that use SHA-1.
+- 30-test_evp: Mark tests in evppkey_rsa_common.txt and
+  evppkey_ecdsa.txt that use SHA-1 digests as "Availablein = default",
+  which will not run them when the FIPS provider is enabled.
+- 80-test_cms: Re-create all certificates in test/smime-certificates
+  with SHA256 signatures while keeping the same private keys. These
+  certificates were signed with SHA-1 and thus fail verification in the
+  FIPS provider.
+  Fix some other tests by explicitly running them in the default
+  provider, where SHA-1 is available.
+- 80-test_ssl_old: Skip tests that rely on SSLv3 and SHA-1 when run with
+  the FIPS provider.
+
+Signed-off-by: Clemens Lang <cllang@redhat.com>
+---
+ providers/implementations/signature/dsa_sig.c |  4 --
+ .../implementations/signature/ecdsa_sig.c     |  4 --
+ providers/implementations/signature/rsa_sig.c |  8 +--
+ test/acvp_test.inc                            | 20 -------
+ .../30-test_evp_data/evppkey_ecdsa.txt        |  7 +++
+ .../30-test_evp_data/evppkey_rsa_common.txt   | 51 +++++++++++++++-
+ test/recipes/80-test_cms.t                    |  4 +-
+ test/recipes/80-test_ssl_old.t                |  4 ++
+ test/smime-certs/smdh.pem                     | 18 +++---
+ test/smime-certs/smdsa1.pem                   | 60 +++++++++----------
+ test/smime-certs/smdsa2.pem                   | 60 +++++++++----------
+ test/smime-certs/smdsa3.pem                   | 60 +++++++++----------
+ test/smime-certs/smec1.pem                    | 30 +++++-----
+ test/smime-certs/smec2.pem                    | 30 +++++-----
+ test/smime-certs/smec3.pem                    | 30 +++++-----
+ test/smime-certs/smroot.pem                   | 38 ++++++------
+ test/smime-certs/smrsa1.pem                   | 38 ++++++------
+ test/smime-certs/smrsa2.pem                   | 38 ++++++------
+ test/smime-certs/smrsa3.pem                   | 38 ++++++------
+ 19 files changed, 286 insertions(+), 256 deletions(-)
+
+Index: openssl-3.2.3/providers/implementations/signature/dsa_sig.c
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/signature/dsa_sig.c
++++ openssl-3.2.3/providers/implementations/signature/dsa_sig.c
+@@ -129,11 +129,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ct
+         EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
+         int md_nid;
+         size_t mdname_len = strlen(mdname);
+-#ifdef FIPS_MODULE
+-        int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
+-#else
+         int sha1_allowed = 0;
+-#endif
+         md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
+                                                             sha1_allowed);
+ 
+Index: openssl-3.2.3/providers/implementations/signature/ecdsa_sig.c
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/signature/ecdsa_sig.c
++++ openssl-3.2.3/providers/implementations/signature/ecdsa_sig.c
+@@ -247,11 +247,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX
+                        "%s could not be fetched", mdname);
+         return 0;
+     }
+-#ifdef FIPS_MODULE
+-    sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
+-#else
+     sha1_allowed = 0;
+-#endif
+     md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
+                                                     sha1_allowed);
+     if (md_nid < 0) {
+Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/signature/rsa_sig.c
++++ openssl-3.2.3/providers/implementations/signature/rsa_sig.c
+@@ -321,11 +321,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ct
+         EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
+         int md_nid;
+         size_t mdname_len = strlen(mdname);
+-#ifdef FIPS_MODULE
+-        int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
+-#else
+         int sha1_allowed = 0;
+-#endif
+         md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
+                                                      sha1_allowed);
+ 
+@@ -1416,8 +1412,10 @@ static int rsa_set_ctx_params(void *vprs
+ 
+     if (prsactx->md == NULL && pmdname == NULL
+         && pad_mode == RSA_PKCS1_PSS_PADDING) {
++#ifdef FIPS_MODULE
++        pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
++#else
+         pmdname = RSA_DEFAULT_DIGEST_NAME;
+-#ifndef FIPS_MODULE
+         if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
+             pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
+         }
+Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+===================================================================
+--- openssl-3.2.3.orig/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
++++ openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+@@ -37,12 +37,14 @@ PrivPubKeyPair = P-256:P-256-PUBLIC
+ 
+ Title = ECDSA tests
+ 
++Availablein = default
+ Verify = P-256
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
+ 
+ # Digest too long
++Availablein = default
+ Verify = P-256
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF12345"
+@@ -50,6 +52,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a
+ Result = VERIFY_ERROR
+ 
+ # Digest too short
++Availablein = default
+ Verify = P-256
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF123"
+@@ -57,6 +60,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a
+ Result = VERIFY_ERROR
+ 
+ # Digest invalid
++Availablein = default
+ Verify = P-256
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1235"
+@@ -64,6 +68,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a
+ Result = VERIFY_ERROR
+ 
+ # Invalid signature
++Availablein = default
+ Verify = P-256
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+@@ -79,12 +84,14 @@ Output = 3045022100b1d1cb1a577035bccdd5a
+ Result = VERIFY_ERROR
+ 
+ # BER signature
++Availablein = default
+ Verify = P-256
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+ Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000
+ Result = VERIFY_ERROR
+ 
++Availablein = default
+ Verify = P-256-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+===================================================================
+--- openssl-3.2.3.orig/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
++++ openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+@@ -96,6 +96,7 @@ NDL6WCBbets=
+ 
+ Title = RSA tests
+ 
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+@@ -112,24 +113,28 @@ Ctrl = digest:SHA512-224
+ Input = "0123456789ABCDEF123456789ABC"
+ Output = 5f720e9488139bb21e1c2f027fd5ce5993e6d31c5a8faaee833487b3a944d66891178868ace8070cad3ee2ffbe54aa4885a15fd1a7cc5166970fe1fd8c0423e72bd3e3b56fc4a53ed80aaaeca42497f0ec3c62113edc05cd006608f5eef7ce3ad4cba1069f68731dd28a524a1f93fcdc5547112d48d45586dd943ba0d443be9635720d8a61697c54c96627f0d85c5fbeaa3b4af86a65cf2fc3800dd5de34c046985f25d0efc0bb6edccc1d08b3a4fb9c8faffe181c7e68b31e374ad1440a4a664eec9ca0dc53a9d2f5bc7d9940d866f64201bcbc63612754df45727ea24b531d7de83d1bb707444859fa35521320c33bf6f4dbeb6fb56e653adbf7af15843f17
+ 
++Availablein = default
+ VerifyRecover = RSA-2048
+ Ctrl = digest:SHA1
+ Input = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
+ Output = "0123456789ABCDEF1234"
+ 
+ # Leading zero in the signature
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+ Output = 00c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
+ Result = VERIFY_ERROR
+ 
++Availablein = default
+ VerifyRecover = RSA-2048
+ Ctrl = digest:SHA1
+ Input = 00c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
+ Result = KEYOP_ERROR
+ 
+ # Mismatched digest
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1233"
+@@ -137,6 +142,7 @@ Output = c09d402423cbf233d26cae21f954547
+ Result = VERIFY_ERROR
+ 
+ # Corrupted signature
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1233"
+@@ -144,6 +150,7 @@ Output = c09d402423cbf233d26cae21f954547
+ Result = VERIFY_ERROR
+ 
+ # parameter is not NULLt
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:sha1
+ Input = "0123456789ABCDEF1234"
+@@ -151,42 +158,49 @@ Output = 3ec3fc29eb6e122bd7aa361cd09fe1b
+ Result = VERIFY_ERROR
+ 
+ # embedded digest too long
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:sha1
+ Input = "0123456789ABCDEF1234"
+ Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
+ Result = VERIFY_ERROR
+ 
++Availablein = default
+ VerifyRecover = RSA-2048
+ Ctrl = digest:sha1
+ Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
+ Result = KEYOP_ERROR
+ 
+ # embedded digest too short
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:sha1
+ Input = "0123456789ABCDEF1234"
+ Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
+ Result = VERIFY_ERROR
+ 
++Availablein = default
+ VerifyRecover = RSA-2048
+ Ctrl = digest:sha1
+ Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
+ Result = KEYOP_ERROR
+ 
+ # Garbage after DigestInfo
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:sha1
+ Input = "0123456789ABCDEF1234"
+ Output = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274
+ Result = VERIFY_ERROR
+ 
++Availablein = default
+ VerifyRecover = RSA-2048
+ Ctrl = digest:sha1
+ Input = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274
+ Result = KEYOP_ERROR
+ 
+ # invalid tag for parameter
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:sha1
+ Input = "0123456789ABCDEF1234"
+@@ -195,6 +209,7 @@ Result = VERIFY_ERROR
+ 
+ # Verify using public key
+ 
++Availablein = default
+ Verify = RSA-2048-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+@@ -858,6 +873,8 @@ Input="0123456789ABCDEF0123456789ABCDEF"
+ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DDD0635A96B28F854E50145518482CB49E963054621B53C60C498D07C16E9C2789C893CF38D4D86900DE71BDE463BD2761D1271E358C7480A1AC0BAB930DDF39602AD1BC165B5D7436B516B7A7858E8EB7AB1C420EEB482F4D207F0E462B1724959320A084E13848D11D10FB593E66BF680BF6D3F345FC3E9C3DE60ABBAC37E1C6EC80A268C8D9FC49626C679097AA690BC1AA662B95EB8DB70390861AA0898229F9349B4B5FDD030D4928C47084708A933144BE23BD3C6E661B85B2C0EF9ED36D498D5B7320E8194D363D4AD478C059BAE804181965E0B81B663158A
+ 
+ # Verify using salt length auto detect
++# In the FIPS provider on SUSE/openSUSE, the default digest for PSS signatures is SHA-256
++Availablein = default
+ Verify = RSA-2048-PUBLIC
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_pss_saltlen:auto
+@@ -892,6 +909,10 @@ Output=4DE433D5844043EF08D354DA03CB29068
+ Result = VERIFY_ERROR
+ 
+ # Verify using default parameters, explicitly setting parameters
++# NOTE: RSA-PSS-DEFAULT contains a restriction to use SHA1 as digest, which
++# SUSE/openSUSE do not support in FIPS mode; all these tests are thus marked
++# Availablein = default.
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_pss_saltlen:20
+@@ -900,6 +921,7 @@ Input="0123456789ABCDEF0123"
+ Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
+ 
+ # Verify explicitly setting parameters "digest" salt length
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_pss_saltlen:digest
+@@ -908,18 +930,21 @@ Input="0123456789ABCDEF0123"
+ Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
+ 
+ # Verify using salt length larger than minimum
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Ctrl = rsa_pss_saltlen:30
+ Input="0123456789ABCDEF0123"
+ Output = 6BF7EDC63A0BA184EEEC7F3020FEC8F5EBF38C2B76481881F48BCCE5796E7AB294548BA9AE810457C7723CABD1BDE94CF59CF7C0FC7461B22760C8ED703DD98E97BFDD61FA8D1181C411F6DEE5FF159F4850746D78EDEE385A363DC28E2CB373D5CAD7953F3BD5E639BE345732C03A1BDEA268814DA036EB1891C82D4012F3B903D86636055F87B96FC98806AD1B217685A4D754046A5DE0B0D7870664BE07902153EC85BA457BE7D7F89D7FE0F626D02A9CBBB2BB479DDA1A5CAE75247FB7BF6BFB15C1D3FD9E6B1573CCDBC72011C3B97716058BB11C7EA2E4E56ADAFE1F5DE6A7FD405AC5890100F9C3408EFFB5C73BF73F48177FF743B4B819D0699D507B
+ 
+ # Verify using maximum salt length
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Ctrl = rsa_pss_saltlen:max
+ Input="0123456789ABCDEF0123"
+ Output = 4470DCFE812DEE2E58E4301D4ED274AB348FE040B724B2CD1D8CD0914BFF375F0B86FCB32BFA8AEA9BD22BD7C4F1ADD4F3D215A5CFCC99055BAFECFC23800E9BECE19A08C66BEBC5802122D13A732E5958FC228DCC0B49B5B4B1154F032D8FA2F3564AA949C1310CC9266B0C47F86D449AC9D2E7678347E7266E2D7C888CCE1ADF44A109A293F8516AE2BD94CE220F26E137DB8E7A66BB9FCE052CDC1D0BE24D8CEBB20D10125F26B069F117044B9E1D16FDDAABCA5340AE1702F37D0E1C08A2E93801C0A41035C6C73DA02A0E32227EAFB0B85E79107B59650D0EE7DC32A6772CCCE90F06369B2880FE87ED76997BA61F5EA818091EE88F8B0D6F24D02A3FC6
+ 
+ # Attempt to change salt length below minimum
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Ctrl = rsa_pss_saltlen:0
+ Result = PKEY_CTRL_ERROR
+@@ -927,21 +952,25 @@ Result = PKEY_CTRL_ERROR
+ # Attempt to change padding mode
+ # Note this used to return PKEY_CTRL_INVALID
+ # but it is limited because setparams only returns 0 or 1.
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Ctrl = rsa_padding_mode:pkcs1
+ Result = PKEY_CTRL_ERROR
+ 
+ # Attempt to change digest
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Ctrl = digest:sha256
+ Result = PKEY_CTRL_ERROR
+ 
+ # Invalid key: rejected when we try to init
++Availablein = default
+ Verify = RSA-PSS-BAD
+ Result = KEYOP_INIT_ERROR
+ Reason = invalid salt length
+ 
+ # Invalid key: rejected when we try to init
++Availablein = default
+ Verify = RSA-PSS-BAD2
+ Result = KEYOP_INIT_ERROR
+ Reason = invalid salt length
+@@ -960,36 +989,42 @@ CAltWyuLbfXWce9jd8CSHLI8Jwpw4lmOb/idGfEF
+ 4fINDOjP+yJJvZohNwIDAQAB
+ -----END PUBLIC KEY-----
+ 
++Availablein = default
+ Verify=RSA-PSS-1
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=cd8b6538cb8e8de566b68bd067569dbf1ee2718e
+ Output=9074308fb598e9701b2294388e52f971faac2b60a5145af185df5287b5ed2887e57ce7fd44dc8634e407c8e0e4360bc226f3ec227f9d9e54638e8d31f5051215df6ebb9c2f9579aa77598a38f914b5b9c1bd83c4e2f9f382a0d0aa3542ffee65984a601bc69eb28deb27dca12c82c2d4c3f66cd500f1ff2b994d8a4e30cbb33c
+ 
++Availablein = default
+ Verify=RSA-PSS-1
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=e35befc17a1d160b9ce35fbd8eb16e7ee491d3fd
+ Output=3ef7f46e831bf92b32274142a585ffcefbdca7b32ae90d10fb0f0c729984f04ef29a9df0780775ce43739b97838390db0a5505e63de927028d9d29b219ca2c4517832558a55d694a6d25b9dab66003c4cccd907802193be5170d26147d37b93590241be51c25055f47ef62752cfbe21418fafe98c22c4d4d47724fdb5669e843
+ 
++Availablein = default
+ Verify=RSA-PSS-1
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0652ec67bcee30f9d2699122b91c19abdba89f91
+ Output=666026fba71bd3e7cf13157cc2c51a8e4aa684af9778f91849f34335d141c00154c4197621f9624a675b5abc22ee7d5baaffaae1c9baca2cc373b3f33e78e6143c395a91aa7faca664eb733afd14d8827259d99a7550faca501ef2b04e33c23aa51f4b9e8282efdb728cc0ab09405a91607c6369961bc8270d2d4f39fce612b1
+ 
++Availablein = default
+ Verify=RSA-PSS-1
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=39c21c4cceda9c1adf839c744e1212a6437575ec
+ Output=4609793b23e9d09362dc21bb47da0b4f3a7622649a47d464019b9aeafe53359c178c91cd58ba6bcb78be0346a7bc637f4b873d4bab38ee661f199634c547a1ad8442e03da015b136e543f7ab07c0c13e4225b8de8cce25d4f6eb8400f81f7e1833b7ee6e334d370964ca79fdb872b4d75223b5eeb08101591fb532d155a6de87
+ 
++Availablein = default
+ Verify=RSA-PSS-1
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=36dae913b77bd17cae6e7b09453d24544cebb33c
+ Output=1d2aad221ca4d31ddf13509239019398e3d14b32dc34dc5af4aeaea3c095af73479cf0a45e5629635a53a018377615b16cb9b13b3e09d671eb71e387b8545c5960da5a64776e768e82b2c93583bf104c3fdb23512b7b4e89f633dd0063a530db4524b01c3f384c09310e315a79dcd3d684022a7f31c865a664e316978b759fad
+ 
++Availablein = default
+ Verify=RSA-PSS-1
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+@@ -1005,36 +1040,42 @@ swU7R97S7NSkyu/WFIM9yLtiLzF+0Ha4BX/o3j+E
+ 0w5GMTmBXG/U/VrFuBcqRSMOy2MYoE8UVdhOWosCAwEAAQ==
+ -----END PUBLIC KEY-----
+ 
++Availablein = default
+ Verify=RSA-PSS-9
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=2715a49b8b0012cd7aee84c116446e6dfe3faec0
+ Output=586107226c3ce013a7c8f04d1a6a2959bb4b8e205ba43a27b50f124111bc35ef589b039f5932187cb696d7d9a32c0c38300a5cdda4834b62d2eb240af33f79d13dfbf095bf599e0d9686948c1964747b67e89c9aba5cd85016236f566cc5802cb13ead51bc7ca6bef3b94dcbdbb1d570469771df0e00b1a8a06777472d2316279edae86474668d4e1efff95f1de61c6020da32ae92bbf16520fef3cf4d88f61121f24bbd9fe91b59caf1235b2a93ff81fc403addf4ebdea84934a9cdaf8e1a9e
+ 
++Availablein = default
+ Verify=RSA-PSS-9
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=2dac956d53964748ac364d06595827c6b4f143cd
+ Output=80b6d643255209f0a456763897ac9ed259d459b49c2887e5882ecb4434cfd66dd7e1699375381e51cd7f554f2c271704b399d42b4be2540a0eca61951f55267f7c2878c122842dadb28b01bd5f8c025f7e228418a673c03d6bc0c736d0a29546bd67f786d9d692ccea778d71d98c2063b7a71092187a4d35af108111d83e83eae46c46aa34277e06044589903788f1d5e7cee25fb485e92949118814d6f2c3ee361489016f327fb5bc517eb50470bffa1afa5f4ce9aa0ce5b8ee19bf5501b958
+ 
++Availablein = default
+ Verify=RSA-PSS-9
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=28d98c46cccafbd3bc04e72f967a54bd3ea12298
+ Output=484408f3898cd5f53483f80819efbf2708c34d27a8b2a6fae8b322f9240237f981817aca1846f1084daa6d7c0795f6e5bf1af59c38e1858437ce1f7ec419b98c8736adf6dd9a00b1806d2bd3ad0a73775e05f52dfef3a59ab4b08143f0df05cd1ad9d04bececa6daa4a2129803e200cbc77787caf4c1d0663a6c5987b605952019782caf2ec1426d68fb94ed1d4be816a7ed081b77e6ab330b3ffc073820fecde3727fcbe295ee61a050a343658637c3fd659cfb63736de32d9f90d3c2f63eca
+ 
++Availablein = default
+ Verify=RSA-PSS-9
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0866d2ff5a79f25ef668cd6f31b42dee421e4c0e
+ Output=84ebeb481be59845b46468bafb471c0112e02b235d84b5d911cbd1926ee5074ae0424495cb20e82308b8ebb65f419a03fb40e72b78981d88aad143053685172c97b29c8b7bf0ae73b5b2263c403da0ed2f80ff7450af7828eb8b86f0028bd2a8b176a4d228cccea18394f238b09ff758cc00bc04301152355742f282b54e663a919e709d8da24ade5500a7b9aa50226e0ca52923e6c2d860ec50ff480fa57477e82b0565f4379f79c772d5c2da80af9fbf325ece6fc20b00961614bee89a183e
+ 
++Availablein = default
+ Verify=RSA-PSS-9
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=6a5b4be4cd36cc97dfde9995efbf8f097a4a991a
+ Output=82102df8cb91e7179919a04d26d335d64fbc2f872c44833943241de8454810274cdf3db5f42d423db152af7135f701420e39b494a67cbfd19f9119da233a23da5c6439b5ba0d2bc373eee3507001378d4a4073856b7fe2aba0b5ee93b27f4afec7d4d120921c83f606765b02c19e4d6a1a3b95fa4c422951be4f52131077ef17179729cddfbdb56950dbaceefe78cb16640a099ea56d24389eef10f8fecb31ba3ea3b227c0a86698bb89e3e9363905bf22777b2a3aa521b65b4cef76d83bde4c
+ 
++Availablein = default
+ Verify=RSA-PSS-9
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+@@ -1052,36 +1093,42 @@ F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5
+ BQIDAQAB
+ -----END PUBLIC KEY-----
+ 
++Availablein = default
+ Verify=RSA-PSS-10
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=9596bb630cf6a8d4ea4600422b9eba8b13675dd4
+ Output=82c2b160093b8aa3c0f7522b19f87354066c77847abf2a9fce542d0e84e920c5afb49ffdfdace16560ee94a1369601148ebad7a0e151cf16331791a5727d05f21e74e7eb811440206935d744765a15e79f015cb66c532c87a6a05961c8bfad741a9a6657022894393e7223739796c02a77455d0f555b0ec01ddf259b6207fd0fd57614cef1a5573baaff4ec00069951659b85f24300a25160ca8522dc6e6727e57d019d7e63629b8fe5e89e25cc15beb3a647577559299280b9b28f79b0409000be25bbd96408ba3b43cc486184dd1c8e62553fa1af4040f60663de7f5e49c04388e257f1ce89c95dab48a315d9b66b1b7628233876ff2385230d070d07e1666
+ 
++Availablein = default
+ Verify=RSA-PSS-10
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=b503319399277fd6c1c8f1033cbf04199ea21716
+ Output=14ae35d9dd06ba92f7f3b897978aed7cd4bf5ff0b585a40bd46ce1b42cd2703053bb9044d64e813d8f96db2dd7007d10118f6f8f8496097ad75e1ff692341b2892ad55a633a1c55e7f0a0ad59a0e203a5b8278aec54dd8622e2831d87174f8caff43ee6c46445345d84a59659bfb92ecd4c818668695f34706f66828a89959637f2bf3e3251c24bdba4d4b7649da0022218b119c84e79a6527ec5b8a5f861c159952e23ec05e1e717346faefe8b1686825bd2b262fb2531066c0de09acde2e4231690728b5d85e115a2f6b92b79c25abc9bd9399ff8bcf825a52ea1f56ea76dd26f43baafa18bfa92a504cbd35699e26d1dcc5a2887385f3c63232f06f3244c3
+ 
++Availablein = default
+ Verify=RSA-PSS-10
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=50aaede8536b2c307208b275a67ae2df196c7628
+ Output=6e3e4d7b6b15d2fb46013b8900aa5bbb3939cf2c095717987042026ee62c74c54cffd5d7d57efbbf950a0f5c574fa09d3fc1c9f513b05b4ff50dd8df7edfa20102854c35e592180119a70ce5b085182aa02d9ea2aa90d1df03f2daae885ba2f5d05afdac97476f06b93b5bc94a1a80aa9116c4d615f333b098892b25fface266f5db5a5a3bcc10a824ed55aad35b727834fb8c07da28fcf416a5d9b2224f1f8b442b36f91e456fdea2d7cfe3367268de0307a4c74e924159ed33393d5e0655531c77327b89821bdedf880161c78cd4196b5419f7acc3f13e5ebf161b6e7c6724716ca33b85c2e25640192ac2859651d50bde7eb976e51cec828b98b6563b86bb
+ 
++Availablein = default
+ Verify=RSA-PSS-10
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=aa0b72b8b371ddd10c8ae474425ccccf8842a294
+ Output=34047ff96c4dc0dc90b2d4ff59a1a361a4754b255d2ee0af7d8bf87c9bc9e7ddeede33934c63ca1c0e3d262cb145ef932a1f2c0a997aa6a34f8eaee7477d82ccf09095a6b8acad38d4eec9fb7eab7ad02da1d11d8e54c1825e55bf58c2a23234b902be124f9e9038a8f68fa45dab72f66e0945bf1d8bacc9044c6f07098c9fcec58a3aab100c805178155f030a124c450e5acbda47d0e4f10b80a23f803e774d023b0015c20b9f9bbe7c91296338d5ecb471cafb032007b67a60be5f69504a9f01abb3cb467b260e2bce860be8d95bf92c0c8e1496ed1e528593a4abb6df462dde8a0968dffe4683116857a232f5ebf6c85be238745ad0f38f767a5fdbf486fb
+ 
++Availablein = default
+ Verify=RSA-PSS-10
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=fad3902c9750622a2bc672622c48270cc57d3ea8
+ Output=7e0935ea18f4d6c1d17ce82eb2b3836c55b384589ce19dfe743363ac9948d1f346b7bfddfe92efd78adb21faefc89ade42b10f374003fe122e67429a1cb8cbd1f8d9014564c44d120116f4990f1a6e38774c194bd1b8213286b077b0499d2e7b3f434ab12289c556684deed78131934bb3dd6537236f7c6f3dcb09d476be07721e37e1ceed9b2f7b406887bd53157305e1c8b4f84d733bc1e186fe06cc59b6edb8f4bd7ffefdf4f7ba9cfb9d570689b5a1a4109a746a690893db3799255a0cb9215d2d1cd490590e952e8c8786aa0011265252470c041dfbc3eec7c3cbf71c24869d115c0cb4a956f56d530b80ab589acfefc690751ddf36e8d383f83cedd2cc
+ 
++Availablein = default
+ Verify=RSA-PSS-10
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+@@ -1817,11 +1864,13 @@ Title = RSA FIPS tests
+ 
+ # FIPS tests
+ 
+-# Verifying with SHA1 is permitted in fips mode for older applications
++# Verifying with SHA1 is not permitted on SUSE/openSUSE in FIPS mode
++Availablein = fips
+ DigestVerify = SHA1
+ Key = RSA-2048
+ Input = "Hello "
+ Output = 87ea0e2226ef35e5a2aec9ca1222fcbe39ba723f05b3203564f671dd3601271806ead3240e61d424359ee3b17bd3e32f54b82df83998a8ac4148410710361de0400f9ddf98278618fbc87747a0531972543e6e5f18ab2fdfbfda02952f6ac69690e43864690af271bf43d4be9705b303d4ff994ab3abd4d5851562b73e59be3edc01cec41a4cc13b68206329bad1a46c6608d3609e951faa321d0fdbc765d54e9a7c59248d2f67913c9903e932b769c9c8a45520cabea06e8c0b231dd3bcc7f7ec55b46b0157ccb5fc5011fa57353cd3df32edcbadcb8d168133cbd0acfb64444cb040e1298f621508a38f79e14ae8c2c5c857f90aa9d24ef5fc07d34bf23859
++Result = DIGESTVERIFYINIT_ERROR
+ 
+ # Verifying with a 1024 bit key is permitted in fips mode for older applications
+ DigestVerify = SHA256
+Index: openssl-3.2.3/test/recipes/80-test_cms.t
+===================================================================
+--- openssl-3.2.3.orig/test/recipes/80-test_cms.t
++++ openssl-3.2.3/test/recipes/80-test_cms.t
+@@ -163,7 +163,7 @@ my @smime_pkcs7_tests = (
+       [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1",
+         "-certfile", $smroot,
+         "-signer", $smrsa1, "-out", "{output}.cms" ],
+-      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
++      [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms",
+         "-CAfile", $smroot, "-out", "{output}.txt" ],
+       \&final_compare
+     ],
+@@ -171,7 +171,7 @@ my @smime_pkcs7_tests = (
+     [ "signed zero-length content S/MIME format, RSA key SHA1",
+       [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1",
+         "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
+-      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
++      [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms",
+         "-CAfile", $smroot, "-out", "{output}.txt" ],
+       \&zero_compare
+     ],
+Index: openssl-3.2.3/test/recipes/80-test_ssl_old.t
+===================================================================
+--- openssl-3.2.3.orig/test/recipes/80-test_ssl_old.t
++++ openssl-3.2.3/test/recipes/80-test_ssl_old.t
+@@ -394,6 +394,9 @@ sub testssl {
+                'test sslv2/sslv3 with 1024bit DHE via BIO pair');
+           }
+ 
++        SKIP: {
++          skip "SSLv3 is not supported by the FIPS provider", 4
++              if $provider eq "fips";
+           ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])),
+              'test sslv2/sslv3 with server authentication');
+           ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])),
+@@ -402,6 +405,7 @@ sub testssl {
+              'test sslv2/sslv3 with both client and server authentication via BIO pair');
+           ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])),
+              'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify');
++         }
+ 
+         SKIP: {
+             skip "No IPv4 available on this machine", 4
+Index: openssl-3.2.3/test/acvp_test.inc
+===================================================================
+--- openssl-3.2.3.orig/test/acvp_test.inc
++++ openssl-3.2.3/test/acvp_test.inc
+@@ -1844,17 +1844,6 @@ static const struct rsa_sigver_st rsa_si
+     {
+         "x931",
+         3072,
+-        "SHA1",
+-        ITM(rsa_sigverx931_0_msg),
+-        ITM(rsa_sigverx931_0_n),
+-        ITM(rsa_sigverx931_0_e),
+-        ITM(rsa_sigverx931_0_sig),
+-        NO_PSS_SALT_LEN,
+-        PASS
+-    },
+-    {
+-        "x931",
+-        3072,
+         "SHA256",
+         ITM(rsa_sigverx931_1_msg),
+         ITM(rsa_sigverx931_1_n),

openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch

@@ -0,0 +1,98 @@
+From 589eb3898896c1ac916bc20069ecd5adb8534850 Mon Sep 17 00:00:00 2001
+From: Clemens Lang <cllang@redhat.com>
+Date: Fri, 17 Feb 2023 15:31:08 +0100
+Subject: [PATCH] GCM: Implement explicit FIPS indicator for IV gen
+
+Implementation Guidance for FIPS 140-3 and the Cryptographic Module
+Verification Program, Section C.H requires guarantees about the
+uniqueness of key/iv pairs, and proposes a few approaches to ensure
+this. Provide an indicator for option 2 "The IV may be generated
+internally at its entirety randomly."
+
+Resolves: rhbz#2168289
+Signed-off-by: Clemens Lang <cllang@redhat.com>
+---
+ include/openssl/core_names.h                  |  1 +
+ include/openssl/evp.h                         |  4 +++
+ .../implementations/ciphers/ciphercommon.c    |  4 +++
+ .../ciphers/ciphercommon_gcm.c                | 25 +++++++++++++++++++
+ 4 files changed, 34 insertions(+)
+
+Index: openssl-3.2.3/include/openssl/evp.h
+===================================================================
+--- openssl-3.2.3.orig/include/openssl/evp.h
++++ openssl-3.2.3/include/openssl/evp.h
+@@ -753,6 +753,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER
+ void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags);
+ int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags);
+ 
++# define EVP_CIPHER_SUSE_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_CIPHER_SUSE_FIPS_INDICATOR_APPROVED     1
++# define EVP_CIPHER_SUSE_FIPS_INDICATOR_NOT_APPROVED 2
++
+ __owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
+                            const unsigned char *key, const unsigned char *iv);
+ __owur int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,
+Index: openssl-3.2.3/providers/implementations/ciphers/ciphercommon.c
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/ciphers/ciphercommon.c
++++ openssl-3.2.3/providers/implementations/ciphers/ciphercommon.c
+@@ -152,6 +152,10 @@ static const OSSL_PARAM cipher_aead_know
+     OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
+     OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL),
+     OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, NULL, 0),
++    /* normally we would hide this under an #ifdef FIPS_MODULE, but that does
++     * not work in ciphercommon.c because it is compiled only once into
++     * libcommon.a */
++    OSSL_PARAM_int(OSSL_CIPHER_PARAM_SUSE_FIPS_INDICATOR, NULL),
+     OSSL_PARAM_END
+ };
+ const OSSL_PARAM *ossl_cipher_aead_gettable_ctx_params(
+Index: openssl-3.2.3/providers/implementations/ciphers/ciphercommon_gcm.c
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/ciphers/ciphercommon_gcm.c
++++ openssl-3.2.3/providers/implementations/ciphers/ciphercommon_gcm.c
+@@ -238,6 +238,31 @@ int ossl_gcm_get_ctx_params(void *vctx,
+             break;
+         }
+     }
++
++    /* We would usually hide this under #ifdef FIPS_MODULE, but
++     * ciphercommon_gcm.c is only compiled once into libcommon.a, so ifdefs do
++     * not work here. */
++    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_SUSE_FIPS_INDICATOR);
++    if (p != NULL) {
++        int fips_indicator = EVP_CIPHER_SUSE_FIPS_INDICATOR_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Verification Program, Section C.H requires guarantees about the
++         * uniqueness of key/iv pairs, and proposes a few approaches to ensure
++         * this. This provides an indicator for option 2 "The IV may be
++         * generated internally at its entirety randomly." Note that one of the
++         * conditions of this option is that "The IV length shall be at least
++         * 96 bits (per SP 800-38D)." We do not specically check for this
++         * condition here, because gcm_iv_generate will fail in this case. */
++        if (ctx->enc && !ctx->iv_gen_rand)
++            fips_indicator = EVP_CIPHER_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++
++        if (!OSSL_PARAM_set_int(p, fips_indicator)) {
++            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
++            return 0;
++        }
++    }
++
+     return 1;
+ }
+ 
+Index: openssl-3.2.3/util/perl/OpenSSL/paramnames.pm
+===================================================================
+--- openssl-3.2.3.orig/util/perl/OpenSSL/paramnames.pm
++++ openssl-3.2.3/util/perl/OpenSSL/paramnames.pm
+@@ -102,6 +102,7 @@ my %params = (
+     'CIPHER_PARAM_CTS_MODE' =>             "cts_mode",    # utf8_string
+ # For passing the AlgorithmIdentifier parameter in DER form
+     'CIPHER_PARAM_ALGORITHM_ID_PARAMS' =>  "alg_id_param",# octet_string
++    'CIPHER_PARAM_SUSE_FIPS_INDICATOR' =>  "suse-fips-indicator",# int
+     'CIPHER_PARAM_XTS_STANDARD' =>         "xts_standard",# utf8_string
+ 
+     'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT' =>  "tls1multi_maxsndfrag",# uint

openssl-3-FIPS-PCT_rsa_keygen.patch

@@ -0,0 +1,28 @@
+Index: openssl-3.1.4/crypto/rsa/rsa_gen.c
+===================================================================
+--- openssl-3.1.4.orig/crypto/rsa/rsa_gen.c
++++ openssl-3.1.4/crypto/rsa/rsa_gen.c
+@@ -428,7 +428,12 @@ static int rsa_keygen(OSSL_LIB_CTX *libc
+ 
+ #ifdef FIPS_MODULE
+     ok = ossl_rsa_sp800_56b_generate_key(rsa, bits, e_value, cb);
+-    pairwise_test = 1; /* FIPS MODE needs to always run the pairwise test */
++     /* FIPS MODE needs to always run the pairwise test. But, the
++      * rsa_keygen_pairwise_test() PCT as self-test requirements will be
++      * covered by do_rsa_pct() for both RSA-OAEP and RSA signatures and
++      * this PCT can be skipped here. See bsc#1221760 for more info.
++      */
++    pairwise_test = 0;
+ #else
+     /*
+      * Only multi-prime keys or insecure keys with a small key length or a
+@@ -463,6 +468,9 @@ static int rsa_keygen(OSSL_LIB_CTX *libc
+             rsa->dmp1 = NULL;
+             rsa->dmq1 = NULL;
+             rsa->iqmp = NULL;
++#ifdef FIPS_MODULE
++            abort();
++#endif /* FIPS_MODULE */
+         }
+     }
+     return ok;

openssl-3-add-defines-CPACF-funcs.patch

@@ -0,0 +1,82 @@
+commit 518b53b139d7b4ac082ccedd401d2ee08fc66985
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
+Date:   Wed Jan 31 16:26:52 2024 +0100
+
+    s390x: Add defines for new CPACF functions
+    
+    Add defines for new CPACF functions codes, its required MSA levels, and
+    document how to disable these functions via the OPENSSL_s390xcap environment
+    variable.
+    
+    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+    
+    Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+    Reviewed-by: Tomas Mraz <tomas@openssl.org>
+    (Merged from https://github.com/openssl/openssl/pull/25161)
+
+diff --git a/crypto/s390x_arch.h b/crypto/s390x_arch.h
+index fdc682af06..88ed866b0d 100644
+--- a/crypto/s390x_arch.h
++++ b/crypto/s390x_arch.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the Apache License 2.0 (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -115,6 +115,7 @@ extern int OPENSSL_s390xcex;
+ # define S390X_MSA5             57      /* message-security-assist-ext. 5 */
+ # define S390X_MSA3             76      /* message-security-assist-ext. 3 */
+ # define S390X_MSA4             77      /* message-security-assist-ext. 4 */
++# define S390X_MSA12            86      /* message-security-assist-ext. 12 */
+ # define S390X_VX               129     /* vector */
+ # define S390X_VXD              134     /* vector packed decimal */
+ # define S390X_VXE              135     /* vector enhancements 1 */
+@@ -150,6 +151,14 @@ extern int OPENSSL_s390xcex;
+ /* km */
+ # define S390X_XTS_AES_128      50
+ # define S390X_XTS_AES_256      52
++# define S390X_XTS_AES_128_MSA10 82
++# define S390X_XTS_AES_256_MSA10 84
++
++/* kmac */
++# define S390X_HMAC_SHA_224     112
++# define S390X_HMAC_SHA_256     113
++# define S390X_HMAC_SHA_384     114
++# define S390X_HMAC_SHA_512     115
+ 
+ /* prno */
+ # define S390X_SHA_512_DRNG     3
+diff --git a/doc/man3/OPENSSL_s390xcap.pod b/doc/man3/OPENSSL_s390xcap.pod
+index d7185530ec..363003d8d3 100644
+--- a/doc/man3/OPENSSL_s390xcap.pod
++++ b/doc/man3/OPENSSL_s390xcap.pod
+@@ -74,6 +74,7 @@ the numbering is continuous across 64-bit mask boundaries.
+       :
+       # 76    1<<51    message-security assist extension 3
+       # 77    1<<50    message-security assist extension 4
++      # 86    1<<41    message-security-assist extension 12
+       :
+       #129    1<<62    vector facility
+       #134    1<<57    vector packed decimal facility
+@@ -110,6 +111,8 @@ the numbering is continuous across 64-bit mask boundaries.
+       # 50    1<<13    KM-XTS-AES-128
+       # 52    1<<11    KM-XTS-AES-256
+       :
++      # 82    1<<45    KM-XTS-AES-128-MSA10
++      # 84    1<<43    KM-XTS-AES-256-MSA10
+ 
+  kmc  :
+       # 18    1<<45    KMC-AES-128
+@@ -122,6 +125,10 @@ the numbering is continuous across 64-bit mask boundaries.
+       # 19    1<<44    KMAC-AES-192
+       # 20    1<<43    KMAC-AES-256
+       :
++      # 112   1<<15    KMAC-SHA-224
++      # 113   1<<14    KMAC-SHA-256
++      # 114   1<<13    KMAC-SHA-384
++      # 115   1<<12    KMAC-SHA-512
+ 
+  kmctr:
+       :

openssl-3-add-hw-acceleration-hmac.patch

@@ -0,0 +1,506 @@
+commit 0499de5adda26b1ef09660f70c12b4710b5f7c8a
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
+Date:   Thu Feb 1 15:15:27 2024 +0100
+
+    s390x: Add hardware acceleration for HMAC
+    
+    The CPACF instruction KMAC provides support for accelerating the HMAC
+    algorithm on newer machines for HMAC with SHA-224, SHA-256, SHA-384, and
+    SHA-512.
+    
+    Preliminary measurements showed performance improvements of up to a factor
+    of 2, dependent on the message size, whether chunking is used and the size
+    of the chunks.
+    
+    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+    
+    Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+    Reviewed-by: Tomas Mraz <tomas@openssl.org>
+    (Merged from https://github.com/openssl/openssl/pull/25161)
+
+Index: openssl-3.2.3/crypto/hmac/build.info
+===================================================================
+--- openssl-3.2.3.orig/crypto/hmac/build.info
++++ openssl-3.2.3/crypto/hmac/build.info
+@@ -2,5 +2,22 @@ LIBS=../../libcrypto
+ 
+ $COMMON=hmac.c
+ 
+-SOURCE[../../libcrypto]=$COMMON
+-SOURCE[../../providers/libfips.a]=$COMMON
++IF[{- !$disabled{asm} -}]
++  IF[{- ($target{perlasm_scheme} // '') ne '31' -}]
++    $HMACASM_s390x=hmac_s390x.c
++    $HMACDEF_s390x=OPENSSL_HMAC_S390X
++  ENDIF
++
++  # Now that we have defined all the arch specific variables, use the
++  # appropriate ones, and define the appropriate macros
++  IF[$HMACASM_{- $target{asm_arch} -}]
++    $HMACASM=$HMACASM_{- $target{asm_arch} -}
++    $HMACDEF=$HMACDEF_{- $target{asm_arch} -}
++  ENDIF
++ENDIF
++
++DEFINE[../../libcrypto]=$HMACDEF
++DEFINE[../../providers/libfips.a]=$HMACDEF
++
++SOURCE[../../libcrypto]=$COMMON $HMACASM
++SOURCE[../../providers/libfips.a]=$COMMON $HMACASM
+Index: openssl-3.2.3/crypto/hmac/hmac.c
+===================================================================
+--- openssl-3.2.3.orig/crypto/hmac/hmac.c
++++ openssl-3.2.3/crypto/hmac/hmac.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the Apache License 2.0 (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -49,6 +49,12 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
+     if ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0)
+         return 0;
+ 
++#ifdef OPENSSL_HMAC_S390X
++    rv = s390x_HMAC_init(ctx, key, len, impl);
++    if (rv >= 1)
++        return rv;
++#endif
++
+     if (key != NULL) {
+         reset = 1;
+ 
+@@ -111,6 +117,12 @@ int HMAC_Update(HMAC_CTX *ctx, const uns
+ {
+     if (!ctx->md)
+         return 0;
++
++#ifdef OPENSSL_HMAC_S390X
++    if (ctx->plat.s390x.fc)
++        return s390x_HMAC_update(ctx, data, len);
++#endif
++
+     return EVP_DigestUpdate(ctx->md_ctx, data, len);
+ }
+ 
+@@ -122,6 +134,11 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned c
+     if (!ctx->md)
+         goto err;
+ 
++#ifdef OPENSSL_HMAC_S390X
++    if (ctx->plat.s390x.fc)
++        return s390x_HMAC_final(ctx, md, len);
++#endif
++
+     if (!EVP_DigestFinal_ex(ctx->md_ctx, buf, &i))
+         goto err;
+     if (!EVP_MD_CTX_copy_ex(ctx->md_ctx, ctx->o_ctx))
+@@ -161,6 +178,10 @@ static void hmac_ctx_cleanup(HMAC_CTX *c
+     EVP_MD_CTX_reset(ctx->o_ctx);
+     EVP_MD_CTX_reset(ctx->md_ctx);
+     ctx->md = NULL;
++
++#ifdef OPENSSL_HMAC_S390X
++    s390x_HMAC_CTX_cleanup(ctx);
++#endif
+ }
+ 
+ void HMAC_CTX_free(HMAC_CTX *ctx)
+@@ -212,6 +233,12 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_C
+     if (!EVP_MD_CTX_copy_ex(dctx->md_ctx, sctx->md_ctx))
+         goto err;
+     dctx->md = sctx->md;
++
++#ifdef OPENSSL_HMAC_S390X
++    if (s390x_HMAC_CTX_copy(dctx, sctx) == 0)
++        goto err;
++#endif
++
+     return 1;
+  err:
+     hmac_ctx_cleanup(dctx);
+Index: openssl-3.2.3/crypto/hmac/hmac_local.h
+===================================================================
+--- openssl-3.2.3.orig/crypto/hmac/hmac_local.h
++++ openssl-3.2.3/crypto/hmac/hmac_local.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the Apache License 2.0 (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -10,6 +10,10 @@
+ #ifndef OSSL_CRYPTO_HMAC_LOCAL_H
+ # define OSSL_CRYPTO_HMAC_LOCAL_H
+ 
++# include "internal/common.h"
++# include "internal/numbers.h"
++# include "openssl/sha.h"
++
+ /* The current largest case is for SHA3-224 */
+ #define HMAC_MAX_MD_CBLOCK_SIZE     144
+ 
+@@ -18,6 +22,45 @@ struct hmac_ctx_st {
+     EVP_MD_CTX *md_ctx;
+     EVP_MD_CTX *i_ctx;
+     EVP_MD_CTX *o_ctx;
++
++    /* Platform specific data */
++    union {
++        int dummy;
++# ifdef OPENSSL_HMAC_S390X
++        struct {
++            unsigned int fc; /* 0 if not supported by kmac instruction */
++            int blk_size;
++            int ikp;
++            int iimp;
++            unsigned char *buf;
++            size_t size; /* must be multiple of digest block size */
++            size_t num;
++            union {
++                OSSL_UNION_ALIGN;
++                struct {
++                    uint32_t h[8];
++                    uint64_t imbl;
++                    unsigned char key[64];
++                } hmac_224_256;
++                struct {
++                    uint64_t h[8];
++                    uint128_t imbl;
++                    unsigned char key[128];
++                } hmac_384_512;
++            } param;
++        } s390x;
++# endif /* OPENSSL_HMAC_S390X */
++    } plat;
+ };
+ 
++# ifdef OPENSSL_HMAC_S390X
++#  define HMAC_S390X_BUF_NUM_BLOCKS 64
++
++int s390x_HMAC_init(HMAC_CTX *ctx, const void *key, int key_len, ENGINE *impl);
++int s390x_HMAC_update(HMAC_CTX *ctx, const unsigned char *data, size_t len);
++int s390x_HMAC_final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len);
++int s390x_HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx);
++int s390x_HMAC_CTX_cleanup(HMAC_CTX *ctx);
++# endif /* OPENSSL_HMAC_S390X */
++
+ #endif
+Index: openssl-3.2.3/crypto/hmac/hmac_s390x.c
+===================================================================
+--- /dev/null
++++ openssl-3.2.3/crypto/hmac/hmac_s390x.c
+@@ -0,0 +1,298 @@
++/*
++ * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the Apache License 2.0 (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#include "crypto/s390x_arch.h"
++#include "hmac_local.h"
++#include "openssl/obj_mac.h"
++#include "openssl/evp.h"
++
++#ifdef OPENSSL_HMAC_S390X
++
++static int s390x_fc_from_md(const EVP_MD *md)
++{
++    int fc;
++
++    switch (EVP_MD_get_type(md)) {
++    case NID_sha224:
++        fc = S390X_HMAC_SHA_224;
++        break;
++    case NID_sha256:
++        fc = S390X_HMAC_SHA_256;
++        break;
++    case NID_sha384:
++        fc = S390X_HMAC_SHA_384;
++        break;
++    case NID_sha512:
++        fc = S390X_HMAC_SHA_512;
++        break;
++    default:
++        return 0;
++    }
++
++    if ((OPENSSL_s390xcap_P.kmac[1] & S390X_CAPBIT(fc)) == 0)
++        return 0;
++
++    return fc;
++}
++
++static void s390x_call_kmac(HMAC_CTX *ctx, const unsigned char *in, size_t len)
++{
++    unsigned int fc = ctx->plat.s390x.fc;
++
++    if (ctx->plat.s390x.ikp)
++        fc |= S390X_KMAC_IKP;
++
++    if (ctx->plat.s390x.iimp)
++        fc |= S390X_KMAC_IIMP;
++
++    switch (ctx->plat.s390x.fc) {
++    case S390X_HMAC_SHA_224:
++    case S390X_HMAC_SHA_256:
++        ctx->plat.s390x.param.hmac_224_256.imbl += ((uint64_t)len * 8);
++        break;
++    case S390X_HMAC_SHA_384:
++    case S390X_HMAC_SHA_512:
++        ctx->plat.s390x.param.hmac_384_512.imbl += ((uint128_t)len * 8);
++        break;
++    default:
++        break;
++    }
++
++    s390x_kmac(in, len, fc, &ctx->plat.s390x.param);
++
++    ctx->plat.s390x.ikp = 1;
++}
++
++int s390x_HMAC_init(HMAC_CTX *ctx, const void *key, int key_len, ENGINE *impl)
++{
++    unsigned char *key_param;
++    unsigned int key_param_len;
++
++    ctx->plat.s390x.fc = s390x_fc_from_md(ctx->md);
++    if (ctx->plat.s390x.fc == 0)
++        return -1; /* Not supported by kmac instruction */
++
++    ctx->plat.s390x.blk_size = EVP_MD_get_block_size(ctx->md);
++    if (ctx->plat.s390x.blk_size < 0)
++        return 0;
++
++    if (ctx->plat.s390x.size !=
++        (size_t)(ctx->plat.s390x.blk_size * HMAC_S390X_BUF_NUM_BLOCKS)) {
++        OPENSSL_clear_free(ctx->plat.s390x.buf, ctx->plat.s390x.size);
++        ctx->plat.s390x.size = 0;
++        ctx->plat.s390x.buf = OPENSSL_zalloc(ctx->plat.s390x.blk_size *
++                                             HMAC_S390X_BUF_NUM_BLOCKS);
++        if (ctx->plat.s390x.buf == NULL)
++            return 0;
++        ctx->plat.s390x.size = ctx->plat.s390x.blk_size *
++            HMAC_S390X_BUF_NUM_BLOCKS;
++    }
++    ctx->plat.s390x.num = 0;
++
++    ctx->plat.s390x.ikp = 0;
++    ctx->plat.s390x.iimp = 1;
++
++    switch (ctx->plat.s390x.fc) {
++    case S390X_HMAC_SHA_224:
++    case S390X_HMAC_SHA_256:
++        ctx->plat.s390x.param.hmac_224_256.imbl = 0;
++        OPENSSL_cleanse(ctx->plat.s390x.param.hmac_224_256.h,
++                        sizeof(ctx->plat.s390x.param.hmac_224_256.h));
++        break;
++    case S390X_HMAC_SHA_384:
++    case S390X_HMAC_SHA_512:
++        ctx->plat.s390x.param.hmac_384_512.imbl = 0;
++        OPENSSL_cleanse(ctx->plat.s390x.param.hmac_384_512.h,
++                        sizeof(ctx->plat.s390x.param.hmac_384_512.h));
++        break;
++    default:
++        return 0;
++    }
++
++    if (key != NULL) {
++        switch (ctx->plat.s390x.fc) {
++        case S390X_HMAC_SHA_224:
++        case S390X_HMAC_SHA_256:
++            OPENSSL_cleanse(&ctx->plat.s390x.param.hmac_224_256.key,
++                            sizeof(ctx->plat.s390x.param.hmac_224_256.key));
++            key_param = ctx->plat.s390x.param.hmac_224_256.key;
++            key_param_len = sizeof(ctx->plat.s390x.param.hmac_224_256.key);
++            break;
++        case S390X_HMAC_SHA_384:
++        case S390X_HMAC_SHA_512:
++            OPENSSL_cleanse(&ctx->plat.s390x.param.hmac_384_512.key,
++                            sizeof(ctx->plat.s390x.param.hmac_384_512.key));
++            key_param = ctx->plat.s390x.param.hmac_384_512.key;
++            key_param_len = sizeof(ctx->plat.s390x.param.hmac_384_512.key);
++            break;
++        default:
++            return 0;
++        }
++
++        if (!ossl_assert(ctx->plat.s390x.blk_size <= (int)key_param_len))
++            return 0;
++
++        if (key_len > ctx->plat.s390x.blk_size) {
++            if (!EVP_DigestInit_ex(ctx->md_ctx, ctx->md, impl)
++                    || !EVP_DigestUpdate(ctx->md_ctx, key, key_len)
++                    || !EVP_DigestFinal_ex(ctx->md_ctx, key_param,
++                                           &key_param_len))
++                return 0;
++        } else {
++            if (key_len < 0 || key_len > (int)key_param_len)
++                return 0;
++            memcpy(key_param, key, key_len);
++            /* remaining key bytes already zeroed out above */
++        }
++    }
++
++    return 1;
++}
++
++int s390x_HMAC_update(HMAC_CTX *ctx, const unsigned char *data, size_t len)
++{
++    size_t remain, num;
++
++    if (len == 0)
++        return 1;
++
++    /* buffer is full, process it now */
++    if (ctx->plat.s390x.num == ctx->plat.s390x.size) {
++        s390x_call_kmac(ctx, ctx->plat.s390x.buf, ctx->plat.s390x.num);
++
++        ctx->plat.s390x.num = 0;
++    }
++
++    remain = ctx->plat.s390x.size - ctx->plat.s390x.num;
++    if (len > remain) {
++        /* data does not fit into buffer */
++        if (ctx->plat.s390x.num > 0) {
++            /* first fill buffer and process it */
++            memcpy(&ctx->plat.s390x.buf[ctx->plat.s390x.num], data, remain);
++            ctx->plat.s390x.num += remain;
++
++            s390x_call_kmac(ctx, ctx->plat.s390x.buf, ctx->plat.s390x.num);
++
++            ctx->plat.s390x.num = 0;
++
++            data += remain;
++            len -= remain;
++        }
++
++        if (!ossl_assert(ctx->plat.s390x.num == 0))
++            return 0;
++
++        if (len > ctx->plat.s390x.size) {
++            /*
++             * remaining data is still larger than buffer, process remaining
++             * full blocks of input directly
++             */
++            remain = len % ctx->plat.s390x.blk_size;
++            num = len - remain;
++
++            s390x_call_kmac(ctx, data, num);
++
++            data += num;
++            len -= num;
++        }
++    }
++
++    /* add remaining input data (which is < buffer size) to buffer */
++    if (!ossl_assert(len <= ctx->plat.s390x.size))
++        return 0;
++
++    if (len > 0) {
++        memcpy(&ctx->plat.s390x.buf[ctx->plat.s390x.num], data, len);
++        ctx->plat.s390x.num += len;
++    }
++
++    return 1;
++}
++
++int s390x_HMAC_final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len)
++{
++    void *result;
++    unsigned int res_len;
++
++    ctx->plat.s390x.iimp = 0; /* last block */
++    s390x_call_kmac(ctx, ctx->plat.s390x.buf, ctx->plat.s390x.num);
++
++    ctx->plat.s390x.num = 0;
++
++    switch (ctx->plat.s390x.fc) {
++    case S390X_HMAC_SHA_224:
++        result = &ctx->plat.s390x.param.hmac_224_256.h[0];
++        res_len = SHA224_DIGEST_LENGTH;
++        break;
++    case S390X_HMAC_SHA_256:
++        result = &ctx->plat.s390x.param.hmac_224_256.h[0];
++        res_len = SHA256_DIGEST_LENGTH;
++        break;
++    case S390X_HMAC_SHA_384:
++        result = &ctx->plat.s390x.param.hmac_384_512.h[0];
++        res_len = SHA384_DIGEST_LENGTH;
++        break;
++    case S390X_HMAC_SHA_512:
++        result = &ctx->plat.s390x.param.hmac_384_512.h[0];
++        res_len = SHA512_DIGEST_LENGTH;
++        break;
++    default:
++        return 0;
++    }
++
++    memcpy(md, result, res_len);
++    if (len != NULL)
++        *len = res_len;
++
++    return 1;
++}
++
++int s390x_HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx)
++{
++    dctx->plat.s390x.fc = sctx->plat.s390x.fc;
++    dctx->plat.s390x.blk_size = sctx->plat.s390x.blk_size;
++    dctx->plat.s390x.ikp = sctx->plat.s390x.ikp;
++    dctx->plat.s390x.iimp = sctx->plat.s390x.iimp;
++
++    memcpy(&dctx->plat.s390x.param, &sctx->plat.s390x.param,
++           sizeof(dctx->plat.s390x.param));
++
++    dctx->plat.s390x.buf = NULL;
++    if (sctx->plat.s390x.buf != NULL) {
++        dctx->plat.s390x.buf = OPENSSL_memdup(sctx->plat.s390x.buf,
++                                              sctx->plat.s390x.size);
++        if (dctx->plat.s390x.buf == NULL)
++            return 0;
++    }
++
++    dctx->plat.s390x.size = sctx->plat.s390x.size;
++    dctx->plat.s390x.num = sctx->plat.s390x.num;
++
++    return 1;
++}
++
++int s390x_HMAC_CTX_cleanup(HMAC_CTX *ctx)
++{
++    OPENSSL_clear_free(ctx->plat.s390x.buf, ctx->plat.s390x.size);
++    ctx->plat.s390x.buf = NULL;
++    ctx->plat.s390x.size = 0;
++    ctx->plat.s390x.num = 0;
++
++    OPENSSL_cleanse(&ctx->plat.s390x.param, sizeof(ctx->plat.s390x.param));
++
++    ctx->plat.s390x.blk_size = 0;
++    ctx->plat.s390x.ikp = 0;
++    ctx->plat.s390x.iimp = 1;
++
++    ctx->plat.s390x.fc = 0;
++
++    return 1;
++}
++
++#endif
+Index: openssl-3.2.3/crypto/s390x_arch.h
+===================================================================
+--- openssl-3.2.3.orig/crypto/s390x_arch.h
++++ openssl-3.2.3/crypto/s390x_arch.h
+@@ -192,5 +192,8 @@ extern int OPENSSL_s390xcex;
+ # define S390X_KMA_HS           0x400
+ # define S390X_KDSA_D           0x80
+ # define S390X_KLMD_PS          0x100
++# define S390X_KMAC_IKP         0x8000
++# define S390X_KMAC_IIMP        0x4000
++# define S390X_KMAC_CCUP        0x2000
+ 
+ #endif

openssl-3-add-xof-state-handling-s3_absorb.patch

@@ -0,0 +1,32 @@
+commit 1337b50936ed190a98af1ee6601d857b42a3d296
+Author: Holger Dengler <dengler@linux.ibm.com>
+Date:   Wed Sep 27 21:54:34 2023 +0200
+
+    Add xof state handing for generic sha3 absorb.
+    
+    The digest life-cycle diagram specifies state transitions to `updated`
+    (aka XOF_STATE_ABSORB) only from `initialised` and `updated`. Add this
+    checking to the generic sha3 absorb implementation.
+    
+    Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
+    
+    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+    Reviewed-by: Todd Short <todd.short@me.com>
+    Reviewed-by: Tomas Mraz <tomas@openssl.org>
+    (Merged from https://github.com/openssl/openssl/pull/22221)
+
+Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
++++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
+@@ -143,6 +143,10 @@ static size_t generic_sha3_absorb(void *
+ {
+     KECCAK1600_CTX *ctx = vctx;
+ 
++    if (!(ctx->xof_state == XOF_STATE_INIT ||
++          ctx->xof_state == XOF_STATE_ABSORB))
++        return 0;
++    ctx->xof_state = XOF_STATE_ABSORB;
+     return SHA3_absorb(ctx->A, inp, len, ctx->block_size);
+ }
+ 

openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch

@@ -0,0 +1,90 @@
+commit a75d62637aa165a7f37e39a3a36e2a8b089913bc
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
+Date:   Mon Aug 26 11:26:03 2024 +0200
+
+    s390x: Disable HMAC hardware acceleration when an engine is used for the digest
+    
+    The TLSProxy uses the 'ossltest' engine to produce known output for digests
+    and HMAC calls. However, when running on a s390x system that supports
+    hardware acceleration of HMAC, the engine is not used for calculating HMACs,
+    but the s390x specific HMAC implementation is used, which does produce correct
+    output, but not the known output that the engine would produce. This causes
+    some tests (i.e. test_key_share, test_sslextension, test_sslrecords,
+    test_sslvertol, and test_tlsextms) to fail.
+    
+    Disable the s390x HMAC hardware acceleration if an engine is used for the
+    digest of the HMAC calculation. This provides compatibility for engines that
+    provide digest implementations, and assume that these implementations are also
+    used when calculating an HMAC.
+    
+    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+    
+    Reviewed-by: Neil Horman <nhorman@openssl.org>
+    Reviewed-by: Tomas Mraz <tomas@openssl.org>
+    (Merged from https://github.com/openssl/openssl/pull/25287)
+
+diff --git a/crypto/hmac/hmac_s390x.c b/crypto/hmac/hmac_s390x.c
+index 5db7e9a221..02e1cd1dd6 100644
+--- a/crypto/hmac/hmac_s390x.c
++++ b/crypto/hmac/hmac_s390x.c
+@@ -7,10 +7,16 @@
+  * https://www.openssl.org/source/license.html
+  */
+ 
++/* We need to use some engine deprecated APIs */
++#define OPENSSL_SUPPRESS_DEPRECATED
++
+ #include "crypto/s390x_arch.h"
+ #include "hmac_local.h"
+ #include "openssl/obj_mac.h"
+ #include "openssl/evp.h"
++#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
++# include <openssl/engine.h>
++#endif
+ 
+ #ifdef OPENSSL_HMAC_S390X
+ 
+@@ -63,6 +69,31 @@ static void s390x_call_kmac(HMAC_CTX *ctx, const unsigned char *in, size_t len)
+     ctx->plat.s390x.ikp = 1;
+ }
+ 
++static int s390x_check_engine_used(const EVP_MD *md, ENGINE *impl)
++{
++# if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
++    const EVP_MD *d;
++
++    if (impl != NULL) {
++        if (!ENGINE_init(impl))
++            return 0;
++    } else {
++        impl = ENGINE_get_digest_engine(EVP_MD_get_type(md));
++    }
++
++    if (impl == NULL)
++        return 0;
++
++    d = ENGINE_get_digest(impl, EVP_MD_get_type(md));
++    ENGINE_finish(impl);
++
++    if (d != NULL)
++        return 1;
++# endif
++
++    return 0;
++}
++
+ int s390x_HMAC_init(HMAC_CTX *ctx, const void *key, int key_len, ENGINE *impl)
+ {
+     unsigned char *key_param;
+@@ -72,6 +103,11 @@ int s390x_HMAC_init(HMAC_CTX *ctx, const void *key, int key_len, ENGINE *impl)
+     if (ctx->plat.s390x.fc == 0)
+         return -1; /* Not supported by kmac instruction */
+ 
++    if (s390x_check_engine_used(ctx->md, impl)) {
++        ctx->plat.s390x.fc = 0;
++        return -1; /* An engine handles the digest, disable acceleration */
++    }
++
+     ctx->plat.s390x.blk_size = EVP_MD_get_block_size(ctx->md);
+     if (ctx->plat.s390x.blk_size < 0)
+         return 0;

openssl-3-fix-hmac-digest-detection-s390x.patch

@@ -0,0 +1,49 @@
+commit d5b3c0e24bc56614e92ffafdd705622beaef420a
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
+Date:   Wed Aug 28 14:56:33 2024 +0200
+
+    s390x: Fix HMAC digest detection
+    
+    Use EVP_MD_is_a() instead of EVP_MD_get_type() to detect the digest
+    type. EVP_MD_get_type() does not always return the expected NID, e.g.
+    when running in the FIPS provider, EVP_MD_get_type() returns zero,
+    causing to skip the HMAC acceleration path.
+    
+    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+    
+    Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+    Reviewed-by: Tomas Mraz <tomas@openssl.org>
+    (Merged from https://github.com/openssl/openssl/pull/25304)
+
+diff --git a/crypto/hmac/hmac_s390x.c b/crypto/hmac/hmac_s390x.c
+index 8b0da0d59d..5db7e9a221 100644
+--- a/crypto/hmac/hmac_s390x.c
++++ b/crypto/hmac/hmac_s390x.c
+@@ -18,22 +18,16 @@ static int s390x_fc_from_md(const EVP_MD *md)
+ {
+     int fc;
+ 
+-    switch (EVP_MD_get_type(md)) {
+-    case NID_sha224:
++    if (EVP_MD_is_a(md, "SHA2-224"))
+         fc = S390X_HMAC_SHA_224;
+-        break;
+-    case NID_sha256:
++    else if (EVP_MD_is_a(md, "SHA2-256"))
+         fc = S390X_HMAC_SHA_256;
+-        break;
+-    case NID_sha384:
++    else if (EVP_MD_is_a(md, "SHA2-384"))
+         fc = S390X_HMAC_SHA_384;
+-        break;
+-    case NID_sha512:
++    else if (EVP_MD_is_a(md, "SHA2-512"))
+         fc = S390X_HMAC_SHA_512;
+-        break;
+-    default:
++    else
+         return 0;
+-    }
+ 
+     if ((OPENSSL_s390xcap_P.kmac[1] & S390X_CAPBIT(fc)) == 0)
+         return 0;

openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch

@@ -0,0 +1,28 @@
+commit 19b87d2d2b022c20dd9043c3b6d021315011b45f
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
+Date:   Tue Aug 20 11:35:20 2024 +0200
+
+    s390x: Fix memory leak in s390x_HMAC_CTX_copy()
+    
+    When s390x_HMAC_CTX_copy() is called, but the destination context already
+    has a buffer allocated, it is not freed before duplicating the buffer from
+    the source context.
+    
+    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+    
+    Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+    (Merged from https://github.com/openssl/openssl/pull/25238)
+
+diff --git a/crypto/hmac/hmac_s390x.c b/crypto/hmac/hmac_s390x.c
+index 1124d9bc5d..8b0da0d59d 100644
+--- a/crypto/hmac/hmac_s390x.c
++++ b/crypto/hmac/hmac_s390x.c
+@@ -263,6 +263,7 @@ int s390x_HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx)
+     memcpy(&dctx->plat.s390x.param, &sctx->plat.s390x.param,
+            sizeof(dctx->plat.s390x.param));
+ 
++    OPENSSL_clear_free(dctx->plat.s390x.buf, dctx->plat.s390x.size);
+     dctx->plat.s390x.buf = NULL;
+     if (sctx->plat.s390x.buf != NULL) {
+         dctx->plat.s390x.buf = OPENSSL_memdup(sctx->plat.s390x.buf,

openssl-3-fix-quic_multistream_test.patch

@@ -0,0 +1,25 @@
+From b5795e3ed3ec38ef4686a5b7ff03bfd60183cb71 Mon Sep 17 00:00:00 2001
+From: "Randall S. Becker" <randall.becker@nexbridge.ca>
+Date: Mon, 20 May 2024 22:23:04 +0000
+Subject: [PATCH] Added an explicit yield (OP_SLEEP) to QUIC testing for
+ cooperative threading.
+
+Fixes: #24442
+
+Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>
+---
+ test/quic_multistream_test.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: openssl-3.2.3/test/quic_multistream_test.c
+===================================================================
+--- openssl-3.2.3.orig/test/quic_multistream_test.c
++++ openssl-3.2.3/test/quic_multistream_test.c
+@@ -2397,6 +2397,7 @@ static const struct script_op script_13_
+ 
+     OP_C_ACCEPT_STREAM_WAIT (a)
+     OP_C_READ_EXPECT        (a, "foo", 3)
++    OP_SLEEP                (10)
+     OP_C_EXPECT_FIN         (a)
+     OP_C_FREE_STREAM        (a)
+ 

openssl-3-fix-s390x_sha3_absorb.patch

@@ -0,0 +1,50 @@
+From 979dc530010e3c0f045edf6e38c7ab894ffba7f2 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Thu, 5 Sep 2024 08:45:29 +0200
+Subject: [PATCH] s390x: Fix s390x_sha3_absorb() when no data is processed by
+ KIMD
+
+If the data to absorb is less than a block, then the KIMD instruction is
+called with zero bytes. This is superfluous, and causes incorrect hash
+output later on if this is the very first absorb call, i.e. when the
+xof_state is still XOF_STATE_INIT and MSA 12 is available. In this case
+the NIP flag is set in the function code for KIMD, but KIMD ignores the
+NIP flag when it is called with zero bytes to process.
+
+Skip any KIMD calls for zero length data. Also do not set the xof_state
+to XOF_STATE_ABSORB until the first call to KIMD with data. That way,
+the next KIMD (with non-zero length data) or KLMD call will get the NIP
+flag set and will then honor it to produce correct output.
+
+Fixes: https://github.com/openssl/openssl/commit/25f5d7b85f6657cd2f9f1ab7ae87f319d9bafe54
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+
+Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/25388)
+---
+ providers/implementations/digests/sha3_prov.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
++++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
+@@ -192,10 +192,12 @@ static size_t s390x_sha3_absorb(void *vc
+     if (!(ctx->xof_state == XOF_STATE_INIT ||
+           ctx->xof_state == XOF_STATE_ABSORB))
+         return 0;
+-    fc = ctx->pad;
+-    fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0;
+-    ctx->xof_state = XOF_STATE_ABSORB;
+-    s390x_kimd(inp, len - rem, fc, ctx->A);
++    if (len - rem > 0) {
++        fc = ctx->pad;
++        fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0;
++        ctx->xof_state = XOF_STATE_ABSORB;
++        s390x_kimd(inp, len - rem, fc, ctx->A);
++    }
+     return rem;
+ }
+ 

openssl-3-fix-s390x_shake_squeeze.patch

@@ -0,0 +1,98 @@
+From dc5afb7e87ee448f4fecad0dc624c643505ba7f1 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Wed, 4 Sep 2024 13:42:09 +0200
+Subject: [PATCH] s390x: Fix s390x_shake_squeeze() when MSA 12 is available
+
+On the first squeeze call, when finishing the absorb process, also set
+the NIP flag, if we are still in XOF_STATE_INIT state. When MSA 12 is
+available, the state buffer A has not been zeroed during initialization,
+thus we must also pass the NIP flag here. This situation can happen
+when a squeeze is performed without a preceding absorb (i.e. a SHAKE
+of the empty message).
+
+Add a test that performs a squeeze without a preceding absorb and check
+if the result is correct.
+
+Fixes: https://github.com/openssl/openssl/commit/25f5d7b85f6657cd2f9f1ab7ae87f319d9bafe54
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+
+Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/25388)
+---
+ providers/implementations/digests/sha3_prov.c |  5 +++-
+ test/evp_xof_test.c                           | 29 +++++++++++++++++++
+ 2 files changed, 33 insertions(+), 1 deletion(-)
+
+Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
++++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
+@@ -239,6 +239,7 @@ static int s390x_shake_final(void *vctx,
+ static int s390x_shake_squeeze(void *vctx, unsigned char *out, size_t outlen)
+ {
+     KECCAK1600_CTX *ctx = vctx;
++    unsigned int fc;
+     size_t len;
+ 
+     if (!ossl_prov_is_running())
+@@ -249,8 +250,10 @@ static int s390x_shake_squeeze(void *vct
+      * On the first squeeze call, finish the absorb process (incl. padding).
+      */
+     if (ctx->xof_state != XOF_STATE_SQUEEZE) {
++        fc = ctx->pad;
++        fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KLMD_NIP : 0;
+         ctx->xof_state = XOF_STATE_SQUEEZE;
+-        s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, ctx->pad, ctx->A);
++        s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, fc, ctx->A);
+         ctx->bufsz = outlen % ctx->block_size;
+         /* reuse ctx->bufsz to count bytes squeezed from current sponge */
+         return 1;
+Index: openssl-3.2.3/test/evp_xof_test.c
+===================================================================
+--- openssl-3.2.3.orig/test/evp_xof_test.c
++++ openssl-3.2.3/test/evp_xof_test.c
+@@ -479,6 +479,34 @@ err:
+     return ret;
+ }
+ 
++/* Test that a squeeze without a preceding absorb works */
++static int shake_squeeze_no_absorb_test(void)
++{
++    int ret = 0;
++    EVP_MD_CTX *ctx = NULL;
++    unsigned char out[1000];
++    unsigned char out2[1000];
++    const char *alg = "SHAKE128";
++
++    if (!TEST_ptr(ctx = shake_setup(alg))
++        || !TEST_true(EVP_DigestFinalXOF(ctx, out, sizeof(out))))
++        goto err;
++
++    if (!TEST_true(EVP_DigestInit_ex2(ctx, NULL, NULL))
++        || !TEST_true(EVP_DigestSqueeze(ctx, out2, sizeof(out2) / 2))
++        || !TEST_true(EVP_DigestSqueeze(ctx, out2 + sizeof(out2) / 2,
++                                        sizeof(out2) / 2)))
++        goto err;
++
++    if (!TEST_mem_eq(out2, sizeof(out2), out, sizeof(out)))
++        goto err;
++    ret = 1;
++
++err:
++    EVP_MD_CTX_free(ctx);
++    return ret;
++}
++
+ int setup_tests(void)
+ {
+     ADD_TEST(shake_kat_test);
+@@ -488,5 +516,7 @@ int setup_tests(void)
+     ADD_ALL_TESTS(shake_squeeze_kat_test, OSSL_NELEM(stride_tests));
+     ADD_ALL_TESTS(shake_squeeze_large_test, OSSL_NELEM(stride_tests));
+     ADD_ALL_TESTS(shake_squeeze_dup_test, OSSL_NELEM(dupoffset_tests));
++    ADD_TEST(shake_squeeze_no_absorb_test);
++
+     return 1;
+ }

openssl-3-fix-sha3-squeeze-ppc64.patch

@@ -0,0 +1,31 @@
+commit ed5e478261127cafe9c3f86c4992eab1e5c7ebb1
+Author: Rohan McLure <rmclure@linux.ibm.com>
+Date:   Tue Nov 14 14:14:33 2023 +1100
+
+    ppc64: Fix SHA3_squeeze
+    
+    Fix the conditional on the 'next' parameter passed into SHA3_squeeze.
+    
+    Reported-by: David Benjamin <davidben@davidben.net>
+    Signed-off-by: Rohan McLure <rmclure@linux.ibm.com>
+    
+    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+    Reviewed-by: Paul Dale <pauli@openssl.org>
+    Reviewed-by: Tomas Mraz <tomas@openssl.org>
+    (Merged from https://github.com/openssl/openssl/pull/22722)
+
+diff --git a/crypto/sha/asm/keccak1600-ppc64.pl b/crypto/sha/asm/keccak1600-ppc64.pl
+index 3f8ba817f8..fe7d6db20e 100755
+--- a/crypto/sha/asm/keccak1600-ppc64.pl
++++ b/crypto/sha/asm/keccak1600-ppc64.pl
+@@ -668,8 +668,8 @@ SHA3_squeeze:
+ 	subi	$out,r4,1		; prepare for stbu
+ 	mr	$len,r5
+ 	mr	$bsz,r6
+-	${UCMP}i r7,1                   ; r7 = 'next' argument
+-	blt	.Lnext_block
++	${UCMP}i r7,0                   ; r7 = 'next' argument
++	bne	.Lnext_block
+ 	b	.Loop_squeeze
+ 
+ .align	4

openssl-3-fix-state-handling-keccak_final_s390x.patch

@@ -0,0 +1,32 @@
+commit 1022131d16e30cfbf896e02419019de48e8e1149
+Author: Holger Dengler <dengler@linux.ibm.com>
+Date:   Wed Sep 27 15:43:18 2023 +0200
+
+    Fix state handling of keccak_final for s390x.
+    
+    The digest life-cycle state diagram has been updated for XOF. Fix the
+    state handling in s390x_keccac_final() according to the updated state
+    diagram.
+    
+    Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
+    
+    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+    Reviewed-by: Todd Short <todd.short@me.com>
+    Reviewed-by: Tomas Mraz <tomas@openssl.org>
+    (Merged from https://github.com/openssl/openssl/pull/22221)
+
+diff --git a/providers/implementations/digests/sha3_prov.c b/providers/implementations/digests/sha3_prov.c
+index 34620cf95a..f691273baf 100644
+--- a/providers/implementations/digests/sha3_prov.c
++++ b/providers/implementations/digests/sha3_prov.c
+@@ -235,6 +235,10 @@ static int s390x_keccakc_final(void *vctx, unsigned char *out, size_t outlen,
+ 
+     if (!ossl_prov_is_running())
+         return 0;
++    if (!(ctx->xof_state == XOF_STATE_INIT ||
++          ctx->xof_state == XOF_STATE_ABSORB))
++        return 0;
++    ctx->xof_state = XOF_STATE_FINAL;
+     if (outlen == 0)
+         return 1;
+     memset(ctx->buf + num, 0, bsz - num);

openssl-3-fix-state-handling-sha3_absorb_s390x.patch

@@ -0,0 +1,32 @@
+commit 7aa45b8bb3269e881d0378aa785ff344efdd2897
+Author: Holger Dengler <dengler@linux.ibm.com>
+Date:   Wed Sep 27 15:36:23 2023 +0200
+
+    Fix state handling of sha3_absorb for s390x.
+    
+    The digest life-cycle state diagram has been updated for XOF. Fix the
+    state handling in s390x_sha3_aborb() according to the updated state
+    diagram.
+    
+    Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
+    
+    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+    Reviewed-by: Todd Short <todd.short@me.com>
+    Reviewed-by: Tomas Mraz <tomas@openssl.org>
+    (Merged from https://github.com/openssl/openssl/pull/22221)
+
+Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
++++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
+@@ -188,6 +188,10 @@ static size_t s390x_sha3_absorb(void *vc
+     KECCAK1600_CTX *ctx = vctx;
+     size_t rem = len % ctx->block_size;
+ 
++    if (!(ctx->xof_state == XOF_STATE_INIT ||
++          ctx->xof_state == XOF_STATE_ABSORB))
++        return 0;
++    ctx->xof_state = XOF_STATE_ABSORB;
+     s390x_kimd(inp, len - rem, ctx->pad, ctx->A);
+     return rem;
+ }

openssl-3-fix-state-handling-sha3_final_s390x.patch

@@ -0,0 +1,32 @@
+commit 017acc58f6b67d5b347db411a7a1c4e890434f42
+Author: Holger Dengler <dengler@linux.ibm.com>
+Date:   Wed Sep 27 15:36:59 2023 +0200
+
+    Fix state handling of sha3_final for s390x.
+    
+    The digest life-cycle state diagram has been updated for XOF. Fix the
+    state handling in s390x_sha3_final() according to the updated state
+    diagram.
+    
+    Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
+    
+    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+    Reviewed-by: Todd Short <todd.short@me.com>
+    Reviewed-by: Tomas Mraz <tomas@openssl.org>
+    (Merged from https://github.com/openssl/openssl/pull/22221)
+
+Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
++++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
+@@ -202,6 +202,10 @@ static int s390x_sha3_final(void *vctx,
+ 
+     if (!ossl_prov_is_running())
+         return 0;
++    if (!(ctx->xof_state == XOF_STATE_INIT ||
++          ctx->xof_state == XOF_STATE_ABSORB))
++        return 0;
++    ctx->xof_state = XOF_STATE_FINAL;
+     s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, ctx->pad, ctx->A);
+     memcpy(out, ctx->A, outlen);
+     return 1;

openssl-3-fix-state-handling-shake_final_s390x.patch

@@ -0,0 +1,32 @@
+commit 288fbb4b71343516cee6f6a44b9ec55d82fb1532
+Author: Holger Dengler <dengler@linux.ibm.com>
+Date:   Wed Sep 27 15:37:29 2023 +0200
+
+    Fix state handling of shake_final for s390x.
+    
+    The digest life-cycle state diagram has been updated for XOF. Fix the
+    state handling in s390x_shake_final() according to the updated state
+    diagram.
+    
+    Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
+    
+    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+    Reviewed-by: Todd Short <todd.short@me.com>
+    Reviewed-by: Tomas Mraz <tomas@openssl.org>
+    (Merged from https://github.com/openssl/openssl/pull/22221)
+
+Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
++++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
+@@ -217,6 +217,10 @@ static int s390x_shake_final(void *vctx,
+ 
+     if (!ossl_prov_is_running())
+         return 0;
++    if (!(ctx->xof_state == XOF_STATE_INIT ||
++          ctx->xof_state == XOF_STATE_ABSORB))
++        return 0;
++    ctx->xof_state = XOF_STATE_FINAL;
+     s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, ctx->pad, ctx->A);
+     return 1;
+ }

openssl-3-hw-acceleration-aes-xts-s390x.patch

@@ -0,0 +1,327 @@
+commit 9cd4051e47c8da8398f93f42f0f56750552965f4
+Author: Holger Dengler <dengler@linux.ibm.com>
+Date:   Tue Aug 6 14:00:49 2024 +0200
+
+    s390x: Add hardware acceleration for full AES-XTS
+    
+    The CPACF instruction KM provides support for accelerating the full
+    AES-XTS algorithm on newer machines for AES_XTS_128 and AES_XTS_256.
+    
+    Preliminary measurements showed performance improvements of up to 50%,
+    dependent on the message size.
+    
+    Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
+    
+    Reviewed-by: Tomas Mraz <tomas@openssl.org>
+    Reviewed-by: Paul Dale <pauli@openssl.org>
+    (Merged from https://github.com/openssl/openssl/pull/25414)
+
+diff --git a/providers/implementations/ciphers/build.info b/providers/implementations/ciphers/build.info
+index 5eb705969f..1837070c21 100644
+--- a/providers/implementations/ciphers/build.info
++++ b/providers/implementations/ciphers/build.info
+@@ -71,6 +71,19 @@ IF[{- !$disabled{asm} -}]
+   ENDIF
+ ENDIF
+ 
++IF[{- !$disabled{asm} -}]
++  IF[{- ($target{perlasm_scheme} // '') ne '31' -}]
++    $AESXTSDEF_s390x=AES_XTS_S390X
++  ENDIF
++
++  # Now that we have defined all the arch specific variables, use the
++  # appropriate one, and define the appropriate macros
++
++  IF[$AESXTSDEF_{- $target{asm_arch} -}]
++    $AESXTSDEF=$AESXTSDEF_{- $target{asm_arch} -}
++  ENDIF
++ENDIF
++
+ # This source is common building blocks for all ciphers in all our providers.
+ SOURCE[$COMMON_GOAL]=\
+         ciphercommon.c ciphercommon_hw.c ciphercommon_block.c \
+@@ -93,6 +106,7 @@ SOURCE[$AES_GOAL]=\
+         cipher_aes_cbc_hmac_sha.c \
+         cipher_aes_cbc_hmac_sha256_hw.c cipher_aes_cbc_hmac_sha1_hw.c \
+         cipher_cts.c
++DEFINE[$AES_GOAL]=$AESXTSDEF
+ 
+ # Extra code to satisfy the FIPS and non-FIPS separation.
+ # When the AES-xxx-XTS moves to legacy, cipher_aes_xts_fips.c can be removed.
+diff --git a/providers/implementations/ciphers/cipher_aes_xts.c b/providers/implementations/ciphers/cipher_aes_xts.c
+index cce2537ea7..2287834d62 100644
+--- a/providers/implementations/ciphers/cipher_aes_xts.c
++++ b/providers/implementations/ciphers/cipher_aes_xts.c
+@@ -62,6 +62,10 @@ static int aes_xts_check_keys_differ(const unsigned char *key, size_t bytes,
+     return 1;
+ }
+ 
++#ifdef AES_XTS_S390X
++# include "cipher_aes_xts_s390x.inc"
++#endif
++
+ /*-
+  * Provider dispatch functions
+  */
+@@ -98,6 +102,10 @@ static int aes_xts_einit(void *vctx, const unsigned char *key, size_t keylen,
+                          const unsigned char *iv, size_t ivlen,
+                          const OSSL_PARAM params[])
+ {
++#ifdef AES_XTS_S390X
++    if (s390x_aes_xts_einit(vctx, key, keylen, iv, ivlen, params) == 1)
++        return 1;
++#endif
+     return aes_xts_init(vctx, key, keylen, iv, ivlen, params, 1);
+ }
+ 
+@@ -105,6 +113,10 @@ static int aes_xts_dinit(void *vctx, const unsigned char *key, size_t keylen,
+                          const unsigned char *iv, size_t ivlen,
+                          const OSSL_PARAM params[])
+ {
++#ifdef AES_XTS_S390X
++    if (s390x_aes_xts_dinit(vctx, key, keylen, iv, ivlen, params) == 1)
++        return 1;
++#endif
+     return aes_xts_init(vctx, key, keylen, iv, ivlen, params, 0);
+ }
+ 
+@@ -137,6 +149,11 @@ static void *aes_xts_dupctx(void *vctx)
+     if (!ossl_prov_is_running())
+         return NULL;
+ 
++#ifdef AES_XTS_S390X
++    if (in->plat.s390x.fc)
++        return s390x_aes_xts_dupctx(vctx);
++#endif
++
+     if (in->xts.key1 != NULL) {
+         if (in->xts.key1 != &in->ks1)
+             return NULL;
+@@ -157,6 +174,11 @@ static int aes_xts_cipher(void *vctx, unsigned char *out, size_t *outl,
+ {
+     PROV_AES_XTS_CTX *ctx = (PROV_AES_XTS_CTX *)vctx;
+ 
++#ifdef AES_XTS_S390X
++    if (ctx->plat.s390x.fc)
++        return s390x_aes_xts_cipher(vctx, out, outl, outsize, in, inl);
++#endif
++
+     if (!ossl_prov_is_running()
+             || ctx->xts.key1 == NULL
+             || ctx->xts.key2 == NULL
+diff --git a/providers/implementations/ciphers/cipher_aes_xts.h b/providers/implementations/ciphers/cipher_aes_xts.h
+index afc42ef444..56891ca98c 100644
+--- a/providers/implementations/ciphers/cipher_aes_xts.h
++++ b/providers/implementations/ciphers/cipher_aes_xts.h
+@@ -22,6 +22,14 @@ PROV_CIPHER_FUNC(void, xts_stream,
+                   const AES_KEY *key1, const AES_KEY *key2,
+                   const unsigned char iv[16]));
+ 
++#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
++typedef struct S390X_km_xts_params_st {
++    unsigned char key[64];
++    unsigned char tweak[16];
++    unsigned char nap[16];
++} S390X_KM_XTS_PARAMS;
++#endif
++
+ typedef struct prov_aes_xts_ctx_st {
+     PROV_CIPHER_CTX base;      /* Must be first */
+     union {
+@@ -30,6 +38,23 @@ typedef struct prov_aes_xts_ctx_st {
+     } ks1, ks2;                /* AES key schedules to use */
+     XTS128_CONTEXT xts;
+     OSSL_xts_stream_fn stream;
++
++    /* Platform specific data */
++    union {
++        int dummy;
++#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
++        struct {
++            union {
++                OSSL_UNION_ALIGN;
++                S390X_KM_XTS_PARAMS km;
++            } param;
++            size_t offset;
++            unsigned int fc;
++            unsigned int iv_set : 1;
++            unsigned int key_set : 1;
++        } s390x;
++#endif
++    } plat;
+ } PROV_AES_XTS_CTX;
+ 
+ const PROV_CIPHER_HW *ossl_prov_cipher_hw_aes_xts(size_t keybits);
+diff --git a/providers/implementations/ciphers/cipher_aes_xts_s390x.inc b/providers/implementations/ciphers/cipher_aes_xts_s390x.inc
+new file mode 100644
+index 0000000000..77341b3bbd
+--- /dev/null
++++ b/providers/implementations/ciphers/cipher_aes_xts_s390x.inc
+@@ -0,0 +1,167 @@
++/*
++ * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the Apache License 2.0 (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#include "crypto/s390x_arch.h"
++
++static OSSL_FUNC_cipher_encrypt_init_fn s390x_aes_xts_einit;
++static OSSL_FUNC_cipher_decrypt_init_fn s390x_aes_xts_dinit;
++static OSSL_FUNC_cipher_cipher_fn s390x_aes_xts_cipher;
++static OSSL_FUNC_cipher_dupctx_fn s390x_aes_xts_dupctx;
++
++static int s390x_aes_xts_init(void *vctx, const unsigned char *key,
++                              size_t keylen, const unsigned char *iv,
++                              size_t ivlen, const OSSL_PARAM params[],
++                              unsigned int dec)
++{
++    PROV_AES_XTS_CTX *xctx = (PROV_AES_XTS_CTX *)vctx;
++    S390X_KM_XTS_PARAMS *km = &xctx->plat.s390x.param.km;
++    unsigned int fc, offs;
++
++    switch (xctx->base.keylen) {
++    case 128 / 8 * 2:
++        fc = S390X_XTS_AES_128_MSA10;
++        offs = 32;
++        break;
++    case 256 / 8 * 2:
++        fc = S390X_XTS_AES_256_MSA10;
++        offs = 0;
++        break;
++    default:
++        goto not_supported;
++    }
++
++    if (!(OPENSSL_s390xcap_P.km[1] && S390X_CAPBIT(fc)))
++        goto not_supported;
++
++    if (iv != NULL) {
++        if (ivlen != xctx->base.ivlen
++                || ivlen > sizeof(km->tweak)) {
++            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
++            return 0;
++        }
++        memcpy(km->tweak, iv, ivlen);
++        xctx->plat.s390x.iv_set = 1;
++    }
++
++    if (key != NULL) {
++        if (keylen != xctx->base.keylen) {
++            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
++            return 0;
++        }
++        if (!aes_xts_check_keys_differ(key, keylen / 2, !dec))
++            return 0;
++
++        memcpy(km->key + offs, key, keylen);
++        xctx->plat.s390x.key_set = 1;
++    }
++
++    xctx->plat.s390x.fc = fc | dec;
++    xctx->plat.s390x.offset = offs;
++
++    memset(km->nap, 0, sizeof(km->nap));
++    km->nap[0] = 0x1;
++
++    return aes_xts_set_ctx_params(xctx, params);
++
++not_supported:
++    xctx->plat.s390x.fc = 0;
++    xctx->plat.s390x.offset = 0;
++    return 0;
++}
++
++static int s390x_aes_xts_einit(void *vctx, const unsigned char *key,
++                               size_t keylen, const unsigned char *iv,
++                               size_t ivlen, const OSSL_PARAM params[])
++{
++    return s390x_aes_xts_init(vctx, key, keylen, iv, ivlen, params, 0);
++}
++
++static int s390x_aes_xts_dinit(void *vctx, const unsigned char *key,
++                               size_t keylen, const unsigned char *iv,
++                               size_t ivlen, const OSSL_PARAM params[])
++{
++    return s390x_aes_xts_init(vctx, key, keylen, iv, ivlen, params,
++                              S390X_DECRYPT);
++}
++
++static void *s390x_aes_xts_dupctx(void *vctx)
++{
++    PROV_AES_XTS_CTX *in = (PROV_AES_XTS_CTX *)vctx;
++    PROV_AES_XTS_CTX *ret = OPENSSL_zalloc(sizeof(*in));
++
++    if (ret != NULL)
++        *ret = *in;
++
++    return ret;
++}
++
++static int s390x_aes_xts_cipher(void *vctx, unsigned char *out, size_t *outl,
++                                size_t outsize, const unsigned char *in,
++                                size_t inl)
++{
++    PROV_AES_XTS_CTX *xctx = (PROV_AES_XTS_CTX *)vctx;
++    S390X_KM_XTS_PARAMS *km = &xctx->plat.s390x.param.km;
++    unsigned char *param = (unsigned char *)km + xctx->plat.s390x.offset;
++    unsigned int fc = xctx->plat.s390x.fc;
++    unsigned char tmp[2][AES_BLOCK_SIZE];
++    unsigned char nap_n1[AES_BLOCK_SIZE];
++    unsigned char drop[AES_BLOCK_SIZE];
++    size_t len_incomplete, len_complete;
++
++    if (!ossl_prov_is_running()
++            || inl < AES_BLOCK_SIZE
++            || in == NULL
++            || out == NULL
++            || !xctx->plat.s390x.iv_set
++            || !xctx->plat.s390x.key_set)
++        return 0;
++
++    /*
++     * Impose a limit of 2^20 blocks per data unit as specified by
++     * IEEE Std 1619-2018.  The earlier and obsolete IEEE Std 1619-2007
++     * indicated that this was a SHOULD NOT rather than a MUST NOT.
++     * NIST SP 800-38E mandates the same limit.
++     */
++    if (inl > XTS_MAX_BLOCKS_PER_DATA_UNIT * AES_BLOCK_SIZE) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_XTS_DATA_UNIT_IS_TOO_LARGE);
++        return 0;
++    }
++
++    len_incomplete = inl % AES_BLOCK_SIZE;
++    len_complete = (len_incomplete == 0) ? inl :
++                       (inl / AES_BLOCK_SIZE - 1) * AES_BLOCK_SIZE;
++
++    if (len_complete > 0)
++        s390x_km(in, len_complete, out, fc, param);
++    if (len_incomplete == 0)
++       goto out;
++
++    memcpy(tmp, in + len_complete, AES_BLOCK_SIZE + len_incomplete);
++    /* swap NAP for decrypt */
++    if (fc & S390X_DECRYPT) {
++        memcpy(nap_n1, km->nap, AES_BLOCK_SIZE);
++        s390x_km(tmp[0], AES_BLOCK_SIZE, drop, fc, param);
++    }
++    s390x_km(tmp[0], AES_BLOCK_SIZE, tmp[0], fc, param);
++    if (fc & S390X_DECRYPT)
++        memcpy(km->nap, nap_n1, AES_BLOCK_SIZE);
++
++    memcpy(tmp[1] + len_incomplete, tmp[0] + len_incomplete,
++           AES_BLOCK_SIZE - len_incomplete);
++    s390x_km(tmp[1], AES_BLOCK_SIZE, out + len_complete, fc, param);
++    memcpy(out + len_complete + AES_BLOCK_SIZE, tmp[0], len_incomplete);
++
++    /* do not expose temporary data */
++    OPENSSL_cleanse(tmp, sizeof(tmp));
++out:
++    memcpy(xctx->base.iv, km->tweak, AES_BLOCK_SIZE);
++    *outl = inl;
++
++    return 1;
++}

openssl-3-jitterentropy-3.4.0.patch

@@ -0,0 +1,364 @@
+Index: openssl-3.2.3/Configurations/00-base-templates.conf
+===================================================================
+--- openssl-3.2.3.orig/Configurations/00-base-templates.conf
++++ openssl-3.2.3/Configurations/00-base-templates.conf
+@@ -88,6 +88,7 @@ my %targets=(
+             sub {
+                 my @libs = ();
+                 push(@libs, "-lz") if !defined($disabled{zlib}) && defined($disabled{"zlib-dynamic"});
++		push(@libs, "-ljitterentropy") if !defined($disabled{jitterentropy});
+                 if (!defined($disabled{brotli}) && defined($disabled{"brotli-dynamic"})) {
+                     push(@libs, "-lbrotlienc");
+                     push(@libs, "-lbrotlidec");
+Index: openssl-3.2.3/crypto/rand/rand_jitter_entropy.c
+===================================================================
+--- /dev/null
++++ openssl-3.2.3/crypto/rand/rand_jitter_entropy.c
+@@ -0,0 +1,97 @@
++# include "jitterentropy.h"
++# include "prov/jitter_entropy.h"
++
++struct rand_data* ec = NULL;
++CRYPTO_RWLOCK *jent_lock = NULL;
++int stop = 0;
++
++struct rand_data* FIPS_entropy_init(void)
++{
++    if (ec != NULL) {
++        /* Entropy source has been initiated and collector allocated */
++        return ec;
++    }
++    if (stop != 0) {
++        /* FIPS_entropy_cleanup() already called, don't initialize it again */
++        return NULL;
++    }
++    if (jent_lock == NULL) {
++        /* Allocates a new lock to serialize access to jent library */
++        jent_lock = CRYPTO_THREAD_lock_new();
++        if (jent_lock == NULL) {
++            return NULL;
++        }
++    }
++    if (CRYPTO_THREAD_write_lock(jent_lock) == 0) {
++        return NULL;
++    }
++    /* If the initialization is successful, the call returns with 0 */
++    if (jent_entropy_init_ex(1, JENT_FORCE_FIPS) == 0) {
++        /* Allocate entropy collector */
++        ec = jent_entropy_collector_alloc(1, JENT_FORCE_FIPS);
++    } else {
++        /* abort if jitter rng fails initialization */
++        abort();
++    }
++    if (ec == NULL) {
++        /* abort if jitter rng fails initialization */
++        abort();
++    }
++    CRYPTO_THREAD_unlock(jent_lock);
++
++    return ec;
++}
++
++/*
++ * The following error codes can be returned by jent_read_entropy_safe():
++ *   -1  entropy_collector is NULL
++ *   -2  RCT failed
++ *   -3  APT failed
++ *   -4  The timer cannot be initialized
++ *   -5  LAG failure
++ *   -6  RCT permanent failure
++ *   -7  APT permanent failure
++ *   -8  LAG permanent failure
++ */
++ssize_t FIPS_jitter_entropy(unsigned char *buf, size_t buflen)
++{
++    ssize_t ent_bytes = -1;
++
++    /*
++     * Order is important. We need to call FIPS_entropy_init() before we
++     * acquire jent_lock, otherwise it can lead to deadlock. Once we have
++     * jent_lock, we need to ensure that FIPS_entropy_cleanup() was not called
++     * in the meantime. Then it's safe to read entropy.
++     */
++    if (buf != NULL
++        && buflen != 0
++        && FIPS_entropy_init()
++        && CRYPTO_THREAD_write_lock(jent_lock) != 0
++        && stop == 0) {
++        /* Get entropy */
++        ent_bytes = jent_read_entropy_safe(&ec, (char *)buf, buflen);
++        if (ent_bytes < 0) {
++            /* abort if jitter rng fails entropy gathering because health tests failed. */
++            abort();
++        }
++        CRYPTO_THREAD_unlock(jent_lock);
++    }
++
++    return ent_bytes;
++}
++
++void FIPS_entropy_cleanup(void)
++{
++    if (jent_lock != NULL && stop == 0) {
++        CRYPTO_THREAD_write_lock(jent_lock);
++    }
++    /* Disable re-initialization in FIPS_entropy_init() */
++    stop = 1;
++    /* Free entropy collector */
++    if (ec != NULL) {
++        jent_entropy_collector_free(ec);
++        ec = NULL;
++    }
++    CRYPTO_THREAD_lock_free(jent_lock);
++    jent_lock = NULL;
++}
+Index: openssl-3.2.3/providers/implementations/rands/seeding/rand_unix.c
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/rands/seeding/rand_unix.c
++++ openssl-3.2.3/providers/implementations/rands/seeding/rand_unix.c
+@@ -20,6 +20,7 @@
+ #include "internal/dso.h"
+ #include "internal/nelem.h"
+ #include "prov/seeding.h"
++#include "prov/jitter_entropy.h"
+ 
+ #ifdef __linux
+ # include <sys/syscall.h>
+@@ -633,6 +634,31 @@ size_t ossl_pool_acquire_entropy(RAND_PO
+ 
+     (void)entropy_available;    /* avoid compiler warning */
+ 
++    /* Use jitter entropy in FIPS mode */
++    if (EVP_default_properties_is_fips_enabled(NULL))
++    {
++        size_t bytes_needed;
++        unsigned char *buffer;
++        ssize_t bytes;
++        /* Maximum allowed number of consecutive unsuccessful attempts */
++        int attempts = 3;
++
++        bytes_needed = ossl_rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
++        while (bytes_needed != 0 && attempts-- > 0) {
++            buffer = ossl_rand_pool_add_begin(pool, bytes_needed);
++            bytes = FIPS_jitter_entropy(buffer, bytes_needed);
++            if (bytes > 0) {
++                ossl_rand_pool_add_end(pool, bytes, 8 * bytes);
++                bytes_needed -= bytes;
++                attempts = 3; /* reset counter after successful attempt */
++            } else if (bytes < 0) {
++                break;
++            }
++        }
++        entropy_available = ossl_rand_pool_entropy_available(pool);
++        return entropy_available;
++    }
++
+ #   if defined(OPENSSL_RAND_SEED_GETRANDOM)
+     {
+         size_t bytes_needed;
+Index: openssl-3.2.3/providers/implementations/include/prov/jitter_entropy.h
+===================================================================
+--- /dev/null
++++ openssl-3.2.3/providers/implementations/include/prov/jitter_entropy.h
+@@ -0,0 +1,17 @@
++#ifndef OSSL_PROVIDERS_JITTER_ENTROPY_H
++# define OSSL_PROVIDERS_JITTER_ENTROPY_H
++
++# include <openssl/core.h>
++# include <openssl/types.h>
++# include <openssl/crypto.h>
++# include <openssl/fips.h>
++
++extern struct rand_data* ec;
++extern CRYPTO_RWLOCK *jent_lock;
++extern int stop;
++
++struct rand_data* FIPS_entropy_init(void);
++ssize_t FIPS_jitter_entropy(unsigned char *buf, size_t buflen);
++void FIPS_entropy_cleanup(void);
++
++#endif
+Index: openssl-3.2.3/providers/fips/self_test.c
+===================================================================
+--- openssl-3.2.3.orig/providers/fips/self_test.c
++++ openssl-3.2.3/providers/fips/self_test.c
+@@ -20,6 +20,7 @@
+ #include "internal/tsan_assist.h"
+ #include "prov/providercommon.h"
+ #include "crypto/rand.h"
++#include "prov/jitter_entropy.h"
+ 
+ /*
+  * We're cheating here. Normally we don't allow RUN_ONCE usage inside the FIPS
+@@ -498,6 +499,11 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
+         return 0;
+     }
+ 
++    if (!FIPS_entropy_init()) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_ENTROPY_INIT_FAILED);
++        goto end;
++    }
++
+     if (st == NULL) {
+         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
+         goto end;
+Index: openssl-3.2.3/include/openssl/proverr.h
+===================================================================
+--- openssl-3.2.3.orig/include/openssl/proverr.h
++++ openssl-3.2.3/include/openssl/proverr.h
+@@ -44,6 +44,7 @@
+ # define PROV_R_FAILED_TO_GET_PARAMETER                   103
+ # define PROV_R_FAILED_TO_SET_PARAMETER                   104
+ # define PROV_R_FAILED_TO_SIGN                            175
++# define PROV_R_FIPS_ENTROPY_INIT_FAILED                  234
+ # define PROV_R_FIPS_MODULE_CONDITIONAL_ERROR             227
+ # define PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE          224
+ # define PROV_R_FIPS_MODULE_IN_ERROR_STATE                225
+Index: openssl-3.2.3/providers/common/provider_err.c
+===================================================================
+--- openssl-3.2.3.orig/providers/common/provider_err.c
++++ openssl-3.2.3/providers/common/provider_err.c
+@@ -54,6 +54,8 @@ static const ERR_STRING_DATA PROV_str_re
+     {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FAILED_TO_SET_PARAMETER),
+     "failed to set parameter"},
+     {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FAILED_TO_SIGN), "failed to sign"},
++    {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_ENTROPY_INIT_FAILED),
++    "fips module jitter entropy init failed"},
+     {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_CONDITIONAL_ERROR),
+     "fips module conditional error"},
+     {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE),
+Index: openssl-3.2.3/crypto/rand/build.info
+===================================================================
+--- openssl-3.2.3.orig/crypto/rand/build.info
++++ openssl-3.2.3/crypto/rand/build.info
+@@ -1,6 +1,6 @@
+ LIBS=../../libcrypto
+ 
+-$COMMON=rand_lib.c
++$COMMON=rand_lib.c rand_jitter_entropy.c
+ $CRYPTO=randfile.c rand_err.c rand_deprecated.c prov_seed.c rand_pool.c \
+         rand_uniform.c
+ 
+Index: openssl-3.2.3/providers/fips/fipsprov.c
+===================================================================
+--- openssl-3.2.3.orig/providers/fips/fipsprov.c
++++ openssl-3.2.3/providers/fips/fipsprov.c
+@@ -27,6 +27,7 @@
+ #include "crypto/context.h"
+ #include "internal/core.h"
+ #include "indicator.h"
++#include "prov/jitter_entropy.h"
+ 
+ static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes";
+ static const char FIPS_UNAPPROVED_PROPERTIES[] = "provider=fips,fips=no";
+@@ -609,6 +610,7 @@ const OSSL_SUSE_FIPSINDICATOR_ALGORITHM
+ 
+ static void fips_teardown(void *provctx)
+ {
++    FIPS_entropy_cleanup();
+     OSSL_LIB_CTX_free(PROV_LIBCTX_OF(provctx));
+     ossl_prov_ctx_free(provctx);
+ }
+Index: openssl-3.2.3/util/libcrypto.num
+===================================================================
+--- openssl-3.2.3.orig/util/libcrypto.num
++++ openssl-3.2.3/util/libcrypto.num
+@@ -5539,3 +5539,5 @@ BIO_ADDR_copy
+ ossl_safe_getenv                        ?	3_2_0	EXIST::FUNCTION:
+ ossl_ctx_legacy_digest_signatures_allowed ?	3_0_1	EXIST::FUNCTION:
+ ossl_ctx_legacy_digest_signatures_allowed_set ?	3_0_1	EXIST::FUNCTION:
++FIPS_entropy_init                       ?	3_1_4   EXIST::FUNCTION:
++FIPS_entropy_cleanup                    ?	3_1_4   EXIST::FUNCTION:
+Index: openssl-3.2.3/Configure
+===================================================================
+--- openssl-3.2.3.orig/Configure
++++ openssl-3.2.3/Configure
+@@ -469,6 +469,7 @@ my @disablables = (
+     "gost",
+     "http",
+     "idea",
++    "jitterentropy",
+     "ktls",
+     "legacy",
+     "loadereng",
+@@ -573,6 +574,7 @@ our %disabled = ( # "what"         => "c
+                   "external-tests"      => "default",
+                   "fuzz-afl"            => "default",
+                   "fuzz-libfuzzer"      => "default",
++                  "jitterentropy"       => "default",
+                   "ktls"                => "default",
+                   "md2"                 => "default",
+                   "msan"                => "default",
+@@ -801,7 +803,7 @@ my %cmdvars = ();               # Stores
+ my %unsupported_options = ();
+ my %deprecated_options = ();
+ # If you change this, update apps/version.c
+-my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom);
++my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom jitterentropy);
+ my @seed_sources = ();
+ while (@argvcopy)
+         {
+@@ -1291,6 +1293,9 @@ if (scalar(@seed_sources) == 0) {
+ if (scalar(grep { $_ eq 'egd' } @seed_sources) > 0) {
+     delete $disabled{'egd'};
+ }
++if (scalar(grep { $_ eq 'jitterentropy' } @seed_sources) > 0) {
++    delete $disabled{'jitterentropy'};
++}
+ if (scalar(grep { $_ eq 'none' } @seed_sources) > 0) {
+     die "Cannot seed with none and anything else" if scalar(@seed_sources) > 1;
+     warn <<_____ if scalar(@seed_sources) == 1;
+Index: openssl-3.2.3/crypto/info.c
+===================================================================
+--- openssl-3.2.3.orig/crypto/info.c
++++ openssl-3.2.3/crypto/info.c
+@@ -15,6 +15,9 @@
+ #include "internal/e_os.h"
+ #include "buildinf.h"
+ 
++# include <stdio.h>
++# include <jitterentropy.h>
++
+ #if defined(__arm__) || defined(__arm) || defined(__aarch64__)
+ # include "arm_arch.h"
+ # define CPU_INFO_STR_LEN 128
+@@ -128,6 +131,14 @@ DEFINE_RUN_ONCE_STATIC(init_info_strings
+             OPENSSL_strlcat(seeds, ")", sizeof(seeds));                 \
+         } while (0)
+ 
++        /* In FIPS mode, only jitterentropy is used for seeding and
++         * reseeding the primary DRBG.
++         */
++        if (EVP_default_properties_is_fips_enabled(NULL)) {
++            char jent_version_string[32];
++            sprintf(jent_version_string, "jitterentropy (%d)", jent_version());
++            add_seeds_string(jent_version_string);
++        } else {
+ #ifdef OPENSSL_RAND_SEED_NONE
+         add_seeds_string("none");
+ #endif
+@@ -156,6 +167,7 @@ DEFINE_RUN_ONCE_STATIC(init_info_strings
+ #ifdef OPENSSL_RAND_SEED_OS
+         add_seeds_string("os-specific");
+ #endif
++        }
+         seed_sources = seeds;
+     }
+     return 1;
+Index: openssl-3.2.3/INSTALL.md
+===================================================================
+--- openssl-3.2.3.orig/INSTALL.md
++++ openssl-3.2.3/INSTALL.md
+@@ -511,6 +511,12 @@ if provided by the CPU.
+ Use librandom (not implemented yet).
+ This source is ignored by the FIPS provider.
+ 
++### jitterentropy
++
++Use [jitterentropy-library](https://github.com/smuellerDD/jitterentropy-library)
++dynamically linked. In FIPS mode, only the jitter RNG is used to seed and reseed
++the primary DRBG.
++
+ ### none
+ 
+ Disable automatic seeding.  This is the default on some operating systems where

openssl-3-support-CPACF-sha3-shake-perf-improvement.patch

@@ -0,0 +1,196 @@
+From 25f5d7b85f6657cd2f9f1ab7ae87f319d9bafe54 Mon Sep 17 00:00:00 2001
+From: Joerg Schmidbauer <jschmidb@de.ibm.com>
+Date: Thu, 29 Feb 2024 12:50:05 +0100
+Subject: [PATCH] s390x: support CPACF sha3/shake performance improvements
+
+On newer machines the SHA3/SHAKE performance of CPACF instructions KIMD and KLMD
+can be enhanced by using additional modifier bits. This allows the application
+to omit initializing the ICV, but also affects the internal processing of the
+instructions. Performance is mostly gained when processing short messages.
+
+The new CPACF feature is backwards compatible with older machines, i.e. the new
+modifier bits are ignored on older machines. However, to save the ICV
+initialization, the application must detect the MSA level and omit the ICV
+initialization only if this feature is supported.
+
+Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
+
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/25235)
+---
+ crypto/s390x_arch.h                           |  3 ++
+ crypto/s390xcpuid.pl                          |  4 +--
+ crypto/sha/sha3.c                             |  8 +++++-
+ providers/implementations/digests/sha3_prov.c | 28 +++++++++++++++----
+ 4 files changed, 34 insertions(+), 9 deletions(-)
+
+Index: openssl-3.2.3/crypto/s390x_arch.h
+===================================================================
+--- openssl-3.2.3.orig/crypto/s390x_arch.h
++++ openssl-3.2.3/crypto/s390x_arch.h
+@@ -191,6 +191,9 @@ extern int OPENSSL_s390xcex;
+ # define S390X_KMA_LAAD         0x200
+ # define S390X_KMA_HS           0x400
+ # define S390X_KDSA_D           0x80
++# define S390X_KIMD_NIP         0x8000
++# define S390X_KLMD_DUFOP       0x4000
++# define S390X_KLMD_NIP         0x8000
+ # define S390X_KLMD_PS          0x100
+ # define S390X_KMAC_IKP         0x8000
+ # define S390X_KMAC_IIMP        0x4000
+Index: openssl-3.2.3/crypto/s390xcpuid.pl
+===================================================================
+--- openssl-3.2.3.orig/crypto/s390xcpuid.pl
++++ openssl-3.2.3/crypto/s390xcpuid.pl
+@@ -308,7 +308,7 @@ s390x_kimd:
+ 	llgfr	%r0,$fc
+ 	lgr	%r1,$param
+ 
+-	.long	0xb93e0002	# kimd %r0,%r2
++	.long	0xb93e8002	# kimd %r0,%r2[,M3]
+ 	brc	1,.-4		# pay attention to "partial completion"
+ 
+ 	br	$ra
+@@ -329,7 +329,7 @@ s390x_klmd:
+ 	llgfr	%r0,$fc
+ 	l${g}	%r1,$stdframe($sp)
+ 
+-	.long	0xb93f0042	# klmd %r4,%r2
++	.long	0xb93f8042	# klmd %r4,%r2[,M3]
+ 	brc	1,.-4		# pay attention to "partial completion"
+ 
+ 	br	$ra
+Index: openssl-3.2.3/crypto/sha/sha3.c
+===================================================================
+--- openssl-3.2.3.orig/crypto/sha/sha3.c
++++ openssl-3.2.3/crypto/sha/sha3.c
+@@ -8,13 +8,19 @@
+  */
+ 
+ #include <string.h>
++#if defined(__s390x__) && defined(OPENSSL_CPUID_OBJ)
++# include "crypto/s390x_arch.h"
++#endif
+ #include "internal/sha3.h"
+ 
+ void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r, int next);
+ 
+ void ossl_sha3_reset(KECCAK1600_CTX *ctx)
+ {
+-    memset(ctx->A, 0, sizeof(ctx->A));
++#if defined(__s390x__) && defined(OPENSSL_CPUID_OBJ)
++    if (!(OPENSSL_s390xcap_P.stfle[1] & S390X_CAPBIT(S390X_MSA12)))
++#endif
++        memset(ctx->A, 0, sizeof(ctx->A));
+     ctx->bufsz = 0;
+     ctx->xof_state = XOF_STATE_INIT;
+ }
+Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
++++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
+@@ -187,26 +187,32 @@ static size_t s390x_sha3_absorb(void *vc
+ {
+     KECCAK1600_CTX *ctx = vctx;
+     size_t rem = len % ctx->block_size;
++    unsigned int fc;
+ 
+     if (!(ctx->xof_state == XOF_STATE_INIT ||
+           ctx->xof_state == XOF_STATE_ABSORB))
+         return 0;
++    fc = ctx->pad;
++    fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0;
+     ctx->xof_state = XOF_STATE_ABSORB;
+-    s390x_kimd(inp, len - rem, ctx->pad, ctx->A);
++    s390x_kimd(inp, len - rem, fc, ctx->A);
+     return rem;
+ }
+ 
+ static int s390x_sha3_final(void *vctx, unsigned char *out, size_t outlen)
+ {
+     KECCAK1600_CTX *ctx = vctx;
++    unsigned int fc;
+ 
+     if (!ossl_prov_is_running())
+         return 0;
+     if (!(ctx->xof_state == XOF_STATE_INIT ||
+           ctx->xof_state == XOF_STATE_ABSORB))
+         return 0;
++    fc = ctx->pad | S390X_KLMD_DUFOP;
++    fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KLMD_NIP : 0;
+     ctx->xof_state = XOF_STATE_FINAL;
+-    s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, ctx->pad, ctx->A);
++    s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, fc, ctx->A);
+     memcpy(out, ctx->A, outlen);
+     return 1;
+ }
+@@ -214,14 +220,17 @@ static int s390x_sha3_final(void *vctx,
+ static int s390x_shake_final(void *vctx, unsigned char *out, size_t outlen)
+ {
+     KECCAK1600_CTX *ctx = vctx;
++    unsigned int fc;
+ 
+     if (!ossl_prov_is_running())
+         return 0;
+     if (!(ctx->xof_state == XOF_STATE_INIT ||
+           ctx->xof_state == XOF_STATE_ABSORB))
+         return 0;
++    fc = ctx->pad | S390X_KLMD_DUFOP;
++    fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KLMD_NIP : 0;
+     ctx->xof_state = XOF_STATE_FINAL;
+-    s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, ctx->pad, ctx->A);
++    s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, fc, ctx->A);
+     return 1;
+ }
+ 
+@@ -271,24 +280,28 @@ static int s390x_keccakc_final(void *vct
+     size_t bsz = ctx->block_size;
+     size_t num = ctx->bufsz;
+     size_t needed = outlen;
++    unsigned int fc;
+ 
+     if (!ossl_prov_is_running())
+         return 0;
+     if (!(ctx->xof_state == XOF_STATE_INIT ||
+           ctx->xof_state == XOF_STATE_ABSORB))
+         return 0;
++    fc = ctx->pad;
++    fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0;
+     ctx->xof_state = XOF_STATE_FINAL;
+     if (outlen == 0)
+         return 1;
+     memset(ctx->buf + num, 0, bsz - num);
+     ctx->buf[num] = padding;
+     ctx->buf[bsz - 1] |= 0x80;
+-    s390x_kimd(ctx->buf, bsz, ctx->pad, ctx->A);
++    s390x_kimd(ctx->buf, bsz, fc, ctx->A);
+     num = needed > bsz ? bsz : needed;
+     memcpy(out, ctx->A, num);
+     needed -= num;
+     if (needed > 0)
+-        s390x_klmd(NULL, 0, out + bsz, needed, ctx->pad | S390X_KLMD_PS, ctx->A);
++        s390x_klmd(NULL, 0, out + bsz, needed,
++                   ctx->pad | S390X_KLMD_PS | S390X_KLMD_DUFOP, ctx->A);
+ 
+     return 1;
+ }
+@@ -308,6 +321,7 @@ static int s390x_keccakc_squeeze(void *v
+ {
+     KECCAK1600_CTX *ctx = vctx;
+     size_t len;
++    unsigned int fc;
+ 
+     if (!ossl_prov_is_running())
+         return 0;
+@@ -323,7 +337,9 @@ static int s390x_keccakc_squeeze(void *v
+         memset(ctx->buf + ctx->bufsz, 0, len);
+         ctx->buf[ctx->bufsz] = padding;
+         ctx->buf[ctx->block_size - 1] |= 0x80;
+-        s390x_kimd(ctx->buf, ctx->block_size, ctx->pad, ctx->A);
++        fc = ctx->pad;
++        fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0;
++        s390x_kimd(ctx->buf, ctx->block_size, fc, ctx->A);
+         ctx->bufsz = 0;
+         /* reuse ctx->bufsz to count bytes squeezed from current sponge */
+     }

openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch

@@ -0,0 +1,160 @@
+commit 94898923538f686b74b6ddef34571f804d9b3811
+Author: Holger Dengler <dengler@linux.ibm.com>
+Date:   Wed Sep 27 15:40:47 2023 +0200
+
+    Support EVP_DigestSqueeze() for in the digest provider for s390x.
+    
+    The new EVP_DigestSqueeze() API requires changes to all keccak-based
+    digest provider implementations. Update the s390x-part of the SHA3
+    digest provider.
+    
+    Squeeze for SHA3 is not supported, so add an empty function pointer
+    (NULL).
+    
+    Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
+    
+    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+    Reviewed-by: Todd Short <todd.short@me.com>
+    Reviewed-by: Tomas Mraz <tomas@openssl.org>
+    (Merged from https://github.com/openssl/openssl/pull/22221)
+
+diff --git a/providers/implementations/digests/sha3_prov.c b/providers/implementations/digests/sha3_prov.c
+index f691273baf..2fd0f928e7 100644
+--- a/providers/implementations/digests/sha3_prov.c
++++ b/providers/implementations/digests/sha3_prov.c
+@@ -225,6 +225,45 @@ static int s390x_shake_final(void *vctx, unsigned char *out, size_t outlen)
+     return 1;
+ }
+ 
++static int s390x_shake_squeeze(void *vctx, unsigned char *out, size_t outlen)
++{
++    KECCAK1600_CTX *ctx = vctx;
++    size_t len;
++
++    if (!ossl_prov_is_running())
++        return 0;
++    if (ctx->xof_state == XOF_STATE_FINAL)
++        return 0;
++    /*
++     * On the first squeeze call, finish the absorb process (incl. padding).
++     */
++    if (ctx->xof_state != XOF_STATE_SQUEEZE) {
++        ctx->xof_state = XOF_STATE_SQUEEZE;
++        s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, ctx->pad, ctx->A);
++        ctx->bufsz = outlen % ctx->block_size;
++        /* reuse ctx->bufsz to count bytes squeezed from current sponge */
++        return 1;
++    }
++    ctx->xof_state = XOF_STATE_SQUEEZE;
++    if (ctx->bufsz != 0) {
++        len = ctx->block_size - ctx->bufsz;
++        if (outlen < len)
++            len = outlen;
++        memcpy(out, (char *)ctx->A + ctx->bufsz, len);
++        out += len;
++        outlen -= len;
++        ctx->bufsz += len;
++        if (ctx->bufsz == ctx->block_size)
++            ctx->bufsz = 0;
++    }
++    if (outlen == 0)
++        return 1;
++    s390x_klmd(NULL, 0, out, outlen, ctx->pad | S390X_KLMD_PS, ctx->A);
++    ctx->bufsz = outlen % ctx->block_size;
++
++    return 1;
++}
++
+ static int s390x_keccakc_final(void *vctx, unsigned char *out, size_t outlen,
+                                int padding)
+ {
+@@ -264,28 +303,86 @@ static int s390x_kmac_final(void *vctx, unsigned char *out, size_t outlen)
+     return s390x_keccakc_final(vctx, out, outlen, 0x04);
+ }
+ 
++static int s390x_keccakc_squeeze(void *vctx, unsigned char *out, size_t outlen,
++                                 int padding)
++{
++    KECCAK1600_CTX *ctx = vctx;
++    size_t len;
++
++    if (!ossl_prov_is_running())
++        return 0;
++    if (ctx->xof_state == XOF_STATE_FINAL)
++        return 0;
++    /*
++     * On the first squeeze call, finish the absorb process
++     * by adding the trailing padding and then doing
++     * a final absorb.
++     */
++    if (ctx->xof_state != XOF_STATE_SQUEEZE) {
++        len = ctx->block_size - ctx->bufsz;
++        memset(ctx->buf + ctx->bufsz, 0, len);
++        ctx->buf[ctx->bufsz] = padding;
++        ctx->buf[ctx->block_size - 1] |= 0x80;
++        s390x_kimd(ctx->buf, ctx->block_size, ctx->pad, ctx->A);
++        ctx->bufsz = 0;
++        /* reuse ctx->bufsz to count bytes squeezed from current sponge */
++    }
++    if (ctx->bufsz != 0 || ctx->xof_state != XOF_STATE_SQUEEZE) {
++        len = ctx->block_size - ctx->bufsz;
++        if (outlen < len)
++            len = outlen;
++        memcpy(out, (char *)ctx->A + ctx->bufsz, len);
++        out += len;
++        outlen -= len;
++        ctx->bufsz += len;
++        if (ctx->bufsz == ctx->block_size)
++            ctx->bufsz = 0;
++    }
++    ctx->xof_state = XOF_STATE_SQUEEZE;
++    if (outlen == 0)
++        return 1;
++    s390x_klmd(NULL, 0, out, outlen, ctx->pad | S390X_KLMD_PS, ctx->A);
++    ctx->bufsz = outlen % ctx->block_size;
++
++    return 1;
++}
++
++static int s390x_keccak_squeeze(void *vctx, unsigned char *out, size_t outlen)
++{
++     return s390x_keccakc_squeeze(vctx, out, outlen, 0x01);
++}
++
++static int s390x_kmac_squeeze(void *vctx, unsigned char *out, size_t outlen)
++{
++     return s390x_keccakc_squeeze(vctx, out, outlen, 0x04);
++}
++
+ static PROV_SHA3_METHOD sha3_s390x_md =
+ {
+     s390x_sha3_absorb,
+-    s390x_sha3_final
++    s390x_sha3_final,
++    NULL,
+ };
+ 
+ static PROV_SHA3_METHOD keccak_s390x_md =
+ {
+     s390x_sha3_absorb,
+     s390x_keccak_final,
++    s390x_keccak_squeeze,
+ };
+ 
+ static PROV_SHA3_METHOD shake_s390x_md =
+ {
+     s390x_sha3_absorb,
+-    s390x_shake_final
++    s390x_shake_final,
++    s390x_shake_squeeze,
+ };
+ 
+ static PROV_SHA3_METHOD kmac_s390x_md =
+ {
+     s390x_sha3_absorb,
+-    s390x_kmac_final
++    s390x_kmac_final,
++    s390x_kmac_squeeze,
+ };
+ 
+ # define SHAKE_SET_MD(uname, typ)                                              \

openssl-3-support-multiple-sha3_squeeze_s390x.patch

@@ -0,0 +1,46 @@
+commit bff62480333680463c82e88fdc67ed5ec14a0017
+Author: Holger Dengler <dengler@linux.ibm.com>
+Date:   Wed Sep 27 11:18:18 2023 +0200
+
+    Support multiple calls of low level SHA3_squeeze() for s390x.
+    
+    The low level SHA3_Squeeze() function needed to change slightly so
+    that it can handle multiple squeezes. Support this on s390x
+    architecture as well.
+    
+    Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
+    
+    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+    Reviewed-by: Todd Short <todd.short@me.com>
+    Reviewed-by: Tomas Mraz <tomas@openssl.org>
+    (Merged from https://github.com/openssl/openssl/pull/22221)
+
+diff --git a/crypto/sha/asm/keccak1600-s390x.pl b/crypto/sha/asm/keccak1600-s390x.pl
+index 86233c7e38..7d5ebde117 100755
+--- a/crypto/sha/asm/keccak1600-s390x.pl
++++ b/crypto/sha/asm/keccak1600-s390x.pl
+@@ -472,7 +472,7 @@ SHA3_absorb:
+ .size	SHA3_absorb,.-SHA3_absorb
+ ___
+ }
+-{ my ($A_flat,$out,$len,$bsz) = map("%r$_",(2..5));
++{ my ($A_flat,$out,$len,$bsz,$next) = map("%r$_",(2..6));
+ 
+ $code.=<<___;
+ .globl	SHA3_squeeze
+@@ -484,6 +484,7 @@ SHA3_squeeze:
+ 	lghi	%r14,8
+ 	st${g}	$bsz,5*$SIZE_T($sp)
+ 	la	%r1,0($A_flat)
++	cijne	$next,0,.Lnext_block
+ 
+ 	j	.Loop_squeeze
+ 
+@@ -501,6 +502,7 @@ SHA3_squeeze:
+ 
+ 	brct	$bsz,.Loop_squeeze	# bsz--
+ 
++.Lnext_block:
+ 	stm${g}	$out,$len,3*$SIZE_T($sp)
+ 	bras	%r14,.LKeccakF1600
+ 	lm${g}	$out,$bsz,3*$SIZE_T($sp)

openssl-3-use-include-directive.patch

@@ -0,0 +1,35 @@
+---
+ apps/openssl.cnf |   13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+Index: openssl-3.1.4/apps/openssl.cnf
+===================================================================
+--- openssl-3.1.4.orig/apps/openssl.cnf
++++ openssl-3.1.4/apps/openssl.cnf
+@@ -19,6 +19,7 @@ openssl_conf = openssl_init
+ # Comment out the next line to ignore configuration errors
+ config_diagnostics = 1
+ 
++[ oid_section ]
+ # Extra OBJECT IDENTIFIER info:
+ # oid_file       = $ENV::HOME/.oid
+ oid_section = new_oids
+@@ -47,6 +48,18 @@ providers = provider_sect
+ # Load default TLS policy configuration
+ ssl_conf = ssl_module
+ 
++engines = engine_section
++
++[ engine_section ]
++
++# This include will look through the directory that will contain the
++# engine declarations for any engines provided by other packages.
++.include /etc/ssl/engines3.d
++
++# This include will look through the directory that will contain the
++# definitions of the engines declared in the engine section.
++.include /etc/ssl/engdef3.d
++
+ # Uncomment the sections that start with ## below to enable the legacy provider.
+ # Loading the legacy provider enables support for the following algorithms:
+ # Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160

openssl-3.1.4.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEE78CkZ9YTy4PH7W0w2JTizos9efUFAmU3yaoACgkQ2JTizos9
+efXt8BAAqcF9RBzduklMCXSfG4Rzs2KcWmR1+BB0izxG3KwPr+r54qBbSRCCImHA
+U22An//xsDsQZ0K4rrkkkumpJCxLV/4F3TlEBdoCS4wzDXz/LfONzTuZ8Z3QP/Si
+ElHTKdqPo2tp6LrDIUSGa9BmK1AsxkhOoC/uJlGpLP0mLJGI3PGo5ordyERAjL/C
+hTumE16ErrXY3kHVPAeD6tJlxtV3M9UxsZAOK6LVfnhXLzz8hWMu2H5ZigXZWCDx
+NG6ylV4xxfqO9eLxT2wUrJzg24w0VZzmbD+ZeZ24v9aAxGsbl3ZHLgMKkDehNNuP
+0ADh3aGq9FkIg5n53UQu0pbOc6aBPgWwVuaNfxOheG2GqBCoca42ikW20QZyJAec
+h3uLQ76vnWOjUIjeRCjpw0+OCUaWr0wx5WzzfdgYc813VwN6FaC9ZmB46oaLfIeD
+MBAyuUxdTif/7SXmGgUIQDIf4Vxr2H7I0NyyDxD+y+C2gwn+zVvuVcBBc2cNq4QN
+UINxZvm75CwaCsys+MDjSneDhpcSlAPqTJqM3DvKf/r3+27buz+sFw463fTHnv0F
+FpyBPgvvusY4Z4h/jqLcfkl2MBOxlo+lpZJdPpQoEvGz751GsKmmtb0YgZ7BjrYs
+5vFvo0EJ066J9bWLbp6VZd825B9P2Uy7u3sUz+E5nuavT4eHv7o=
+=EH33
+-----END PGP SIGNATURE-----

openssl-3.1.7.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:053a31fa80cf4aebe1068c987d2ef1e44ce418881427c4464751ae800c31d06c
+size 15684836

openssl-3.1.7.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEulRzorBYewf7J88tIWCU39DLge8FAmbXB9UACgkQIWCU39DL
+ge/wjg/+MwugS9yaSCXXeqfRDYphyyblQ915j30Zo4kOdxr/ZBkrrzExxQaAN9tC
+NR+w33NPmiQQk8MPKKx3dcOZ3giHv7uGlBbo8fHihoUJ5cM9jDLd0UnqSUKU6C7h
+mK0BcGBj+Y5Sj2wH0NLPbFgfqbk2rbFRyDDoszj/ZahdE/dr1m1W8vI+FFqqqLjO
+hc4J26Dn/oTA1FWgXhIAPQDjG/sUy2waF1Q/nelVkeCwrL5modcW8CXGiwZa5Wan
+93cAgk0VUVq20FGQLVVxhGJ9wMGv48nS/hJKugJci1CFqX1eLc5NrbDah3sejGpA
+9ZgNoguolbxVe+pFDF+Qj5tLM34+ONI4m2wqtKNAA9UN/W2NuQxatDlHYU2u718C
+YpiEodIuNz5ktGAtHAe0fI36rvMJGy/6nKuzMXNF+QmbFzWhtnQRXJuC6uY7dIOa
+QHHYmKboVJCb9Ak2gSuTEJvov8HFnlCRzzXBEN2sP6Xd86flERRcMH41VtEu0u2c
+wB54o5+9l/7PQ3TOSdNUD6JakjraE05KMHB0KwEUIvAEMceaIrp1q6BnVrEzRjdV
+WMsagkvHiv4dUP8lT1DpCEhq7jHyzvHtFrrQq+SAHITgnYiENF6K89w2QLkqoK33
+Co/eerwMazO3+qxASYz7pFODPyVAsTIWvuWAJ6CmtubJBinjVnM=
+=Z8CX
+-----END PGP SIGNATURE-----

openssl-3.2.4.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEulRzorBYewf7J88tIWCU39DLge8FAmerYbgACgkQIWCU39DL
+ge+LMhAAmVXO6X5r3P5P8czf4kT8jFp9xRkp+jlzLZ7+Vt0GOc+8JZRJ/Fmi4fsD
+6nMScDzpJAv/KxOsRCC3l+Fz7eIRWvf+qeSTQggCYAlUF+3Y9qXbnOcCj+8/HPYa
+bAXq7S4hFi3T7NXFyOOx38KxUuhNpcC/tUvMEmYoR8HTm0n1Utf/h/IC9IVoc7at
+raUOo2qTZqwMNFue8fXC7lj6wL81MRD3TYOjePNZAKe2tuPCLoyR+sN8twVbNOLH
+9TDwMZLeCRaLebL9x14knhUOT4+/gsTGH84KS56Ry0YYSDGc2u+58HRaGFBbAEId
+hy4DYrYMCRlcSofPYlzMaFAZ3PSar+6ZPvvEl+OrOzY9DPoXzj0gXQ/NCWqJu9lg
+EQvE6/TnuhXEUxO25eWnIXGBWcmJtECut/rY1sV9OZwaOUPxDWZTxkDuv1dNDqug
+EmrfJHM7KdYVwy7JONReF0ODnNIVAa4HoAZ0EF3K3oySA5KmbA3YkkDGo5aqhpAD
+LZu4+fEmemq1fsEjAxdAk2Vmx4YUElcHEoQGQxSdPlIgl/z/KQ6ONuYoGIgXUXH8
+omXxceapMLP3DkHEpFxOYACCderAxDsZAjgFxM2Rlvp8afCq/C2wFYFDERU9XNIS
+SIc4N+NAoDAxSk6ScGSzORO78lFIGzBIX3pLSCCIezGCyfeHtYo=
+=HqP/
+-----END PGP SIGNATURE-----

openssl-3.5.0.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEulRzorBYewf7J88tIWCU39DLge8FAmf1ITQACgkQIWCU39DL
+ge+kyhAAjicxaMPBhcQqgnp3RyZhf4hOwVEzkUu3ouEjdIccz8NMxwV4Kf298ivL
+DHF/0HZQuHzIjcO/vQLLG66XCeiS0bDDIxEj457iYDr/lbWvGOqKgH+e5u7fo4iG
+f3aRZ/ACVuFXQ9LWjtR0M15HGJ/fKCCJQgIFwZ103tz4ptO6PBtUFK3PNGUpVjbV
+00oJ0msl2NDwrKpymVNKp9gXva7RfzIggPDl6MC80m54T7aruXhqur4dxkcyD+pa
+WmYKd4659jhCHRlXGZzz8XcLUsa3gQzP8W2RIqMZY8hdaaGnPEZY942s7KwRsdq0
+Blr54GBTpK8TLAUfBuFkFejS5bSbGsCGgAt9lP8ZkscRiG5tGdBYV/KUcOD7a1Xa
+VnsLlePtWlJGAWZt54JhQz5/dQtI51xJmhzbcHB5mTtDY0SZ7EnHNgTo1UY4cZZd
+sI3QhEgCOEh9UCMBQrxpaR9+chFaTd4hlYfbJAZgfI6XZyx8uSvngl3K/22anJmR
+Js1q8sE0G4hbtaSM5YecdX+RAMAwfujwqDY6BEM032kAO9eGe0PEnCRC8b23bRxF
+Vqmuwv7VpUMxCjo0k5GUC4Bj502r3H9ArPTVTI/E9Elhrc2jGfrU6bPdMmaz3qAi
+nKMjtRtsg81LwSlxg2ypi2L+liv6md2QkaQswMS6k+JGRaR5sVc=
+=pAni
+-----END PGP SIGNATURE-----

openssl-3.spec

@@ -0,0 +1,432 @@
+#
+# spec file for package openssl-3
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define ssletcdir %{_sysconfdir}/ssl
+%define sover 3
+%define _rname openssl
+%define man_suffix 3ssl
+
+%bcond_without lto
+%if %{without lto}
+%define _lto_cflags %{nil}
+%endif
+
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+%global sle_needs_crypto_policies 1
+%endif
+
+%if 0%{?suse_version} > 1600
+%global openssl_test_flags HARNESS_JOBS=${RPM_BUILD_NCPUS}
+%endif
+
+# Enable userspace livepatching.
+%define livepatchable 1
+
+Name:           openssl-3
+Version:        3.5.0
+Release:        0
+Summary:        Secure Sockets and Transport Layer Security
+License:        Apache-2.0
+URL:            https://www.openssl.org/
+Source:         https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz
+Source1:        https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz.asc
+# https://keys.openpgp.org/search?q=openssl@openssl.org
+# BA54 73A2 B058 7B07 FB27 CF2D 2160 94DF D0CB 81EF
+Source2:        %{_rname}.keyring
+# to get mtime of file:
+Source3:        %{name}.changes
+Source4:        baselibs.conf
+Source5:        showciphers.c
+Source6:        openssl-TESTS-Disable-default-provider-crypto-policies.patch
+# PATCH-FIX-OPENSUSE: Do not install html docs as it takes ages
+Patch1:         openssl-no-html-docs.patch
+Patch2:         openssl-truststore.patch
+Patch3:         openssl-pkgconfig.patch
+Patch4:         openssl-ppc64-config.patch
+Patch5:         openssl-no-date.patch
+# PATCH-FIX-FEDORA Add crypto-policies support
+Patch6:         openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+# PATCH-FIX-FEDORA Add FIPS_mode compatibility macro and flag support
+Patch7:         openssl-Add-FIPS_mode-compatibility-macro.patch
+Patch8:         openssl-Add-Kernel-FIPS-mode-flag-support.patch
+# PATCH-FIX-FEDORA Load FIPS the provider and set FIPS properties implicitly
+Patch9:         openssl-Force-FIPS.patch
+# PATCH-FIX-FEDORA Disable the fipsinstall command-line utility
+Patch10:        openssl-disable-fipsinstall.patch
+# PATCH-FIX-FEDORA Instructions to load legacy provider in openssl.cnf
+Patch11:        openssl-load-legacy-provider.patch
+# PATCH-FIX-FEDORA Embed the FIPS hmac
+Patch12:        openssl-FIPS-embed-hmac.patch
+# PATCH-FIX-FEDORA bsc#1221786 FIPS: Use of non-Approved Elliptic Curves
+Patch13:        openssl-Add-changes-to-ectest-and-eccurve.patch
+Patch14:        openssl-Disable-explicit-ec.patch
+Patch15:        openssl-skipped-tests-EC-curves.patch
+# PATCH-FIX-FEDORA bsc#1221753 bsc#1221760 bsc#1221822 FIPS: Extra public/private key checks required by FIPS-140-3
+Patch16:        openssl-FIPS-140-3-keychecks.patch
+# PATCH-FIX-FEDORA bsc#1221760 FIPS: Execute KATS before HMAC verification
+Patch17:        openssl-FIPS-early-KATS.patch
+# PATCH-FIX-FEDORA bsc#1221365 bsc#1221824 FIPS: Service Level Indicator is needed
+Patch19:        openssl-FIPS-limit-rsa-encrypt.patch
+Patch20:        openssl-FIPS-Expose-a-FIPS-indicator.patch
+# PATCH-FIX-FEDORA bsc#1221760 FIPS: Execute KATS before HMAC verification
+Patch21:        openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
+Patch22:        openssl-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
+# PATCH-FIX-FEDORA bsc#1221365 bsc#1221365 FIPS: Service Level Indicator is needed
+Patch23:        openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch
+# PATCH-FIX-FEDORA bsc#1221827 FIPS: Recommendation for Password-Based Key Derivation
+Patch24:        openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
+# PATCH-FIX-FEDORA bsc#1221365 FIPS: Service Level Indicator is needed
+Patch25:        openssl-FIPS-RSA-disable-shake.patch
+# PATCH-FIX-FEDORA bsc#1221824 FIPS: NIST SP 800-56Brev2 Section 6.4.1.2.1
+Patch26:        openssl-FIPS-RSA-encapsulate.patch
+# PATCH-FIX-FEDORA bsc#1221821 FIPS: Disable FIPS 186-4 Domain Parameters
+Patch27:        openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
+# PATCH-FIX-SUSE bsc#1221824 FIPS: Add check for SP 800-56Brev2 Section 6.4.1.2.1
+Patch28:        openssl-FIPS-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch
+# PATCH-FIX-SUSE bsc#1221753 FIPS: Enforce error state
+Patch29:        openssl-FIPS-Enforce-error-state.patch
+# PATCH-FIX-FEDORA Adapt pairwise tests
+Patch30:        openssl-skip-quic-pairwise.patch
+# PATCH-FIX-FEDORA Fix broken selftests in fips provider init
+Patch31:        openssl-FIPS-Fix-encoder-decoder-negative-test.patch
+Patch32:        openssl-FIPS-SUSE-FIPS-module-version.patch
+Patch33:        openssl-FIPS-EC-disable-weak-curves.patch
+Patch34:        openssl-FIPS-NO-DSA-Support.patch
+Patch35:        openssl-FIPS-NO-DES-support.patch
+Patch36:        openssl-FIPS-NO-Kmac.patch
+Patch37:        openssl-FIPS-NO-PQ-ML-SLH-DSA.patch
+# PATCH-FIX-SUSE Use the shared jitterentropy library instead of static
+Patch38:        openssl-shared-jitterentropy.patch
+# PATCH-FIX-SUSE Disable dubious broken test
+Patch39:        openssl-disable-75-test_quicapi-test.patch
+# PATCH-FIX-FEDORA bsc#1221365 FIPS: Service Level Indicator is needed
+Patch40:        openssl-FIPS-enforce-EMS-support.patch
+# PATCH-FIX-FEDORA bsc#1221787 FIPS: Selectively disallow SHA1 signatures
+Patch41:        openssl-Allow-disabling-of-SHA1-signatures.patch
+# PATCH-FIX-FEDORA bsc#1221365 FIPS: Deny SHA-1 signature verification in FIPS provider
+Patch42:        openssl-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
+# PATCH-FIX-FEDORA FIPS: Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
+Patch43:        openssl-FIPS-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
+# PATCH-FIX-FEDORA FIPS: Fix the speed command in FIPS mode for KMAC
+Patch44:        openssl-FIPS-Fix-openssl-speed-KMAC.patch
+# PATCH-FIX-UPSTREAM: The x509 application adds trusted use instead of rejected use [bsc#1243564, CVE-2025-4575]
+Patch45:        openssl-CVE-2025-4575.patch
+
+# ulp-macros is available according to SUSE version.
+%ifarch x86_64
+%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1540
+BuildRequires:  ulp-macros
+%endif
+%endif
+BuildRequires:  pkgconfig
+BuildRequires:  pkgconfig(zlib)
+Requires:       libopenssl3 = %{version}-%{release}
+Requires:       openssl
+Provides:       ssl
+# Needed for clean upgrade path, boo#1070003
+Obsoletes:      openssl-1_0_0
+# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
+Obsoletes:      openssl-1_1_0
+%{?suse_build_hwcaps_libs}
+%if 0%{?sle_needs_crypto_policies}
+Requires:       crypto-policies
+%endif
+BuildRequires:  jitterentropy-devel >= 3.4.0
+
+%description
+OpenSSL is a software library to be used in applications that need to
+secure communications over computer networks against eavesdropping or
+need to ascertain the identity of the party at the other end.
+OpenSSL contains an implementation of the SSL and TLS protocols.
+
+%package -n libopenssl3
+Summary:        Secure Sockets and Transport Layer Security
+Recommends:     ca-certificates-mozilla
+Conflicts:      %{name} < %{version}-%{release}
+# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
+Obsoletes:      libopenssl1_1_0
+%if 0%{?sle_needs_crypto_policies}
+Requires:       crypto-policies
+%endif
+# Merge back the hmac files bsc#1185116
+Provides:       libopenssl3-hmac = %{version}-%{release}
+Obsoletes:      libopenssl3-hmac < %{version}-%{release}
+# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
+Obsoletes:      libopenssl1_1_0-hmac
+# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
+Obsoletes:      libopenssl-1_0_0-hmac
+
+%description -n libopenssl3
+OpenSSL is a software library to be used in applications that need to
+secure communications over computer networks against eavesdropping or
+need to ascertain the identity of the party at the other end.
+OpenSSL contains an implementation of the SSL and TLS protocols.
+
+%package -n libopenssl-3-devel
+Summary:        Development files for OpenSSL
+Requires:       jitterentropy-devel >= 3.4.0
+Requires:       libopenssl3 = %{version}
+Requires:       pkgconfig(zlib)
+Recommends:     %{name} = %{version}
+Provides:       ssl-devel
+Conflicts:      ssl-devel
+# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
+Obsoletes:      libopenssl-1_1_0-devel
+# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
+Obsoletes:      libopenssl-1_0_0-devel
+
+%description -n libopenssl-3-devel
+This subpackage contains header files for developing applications
+that want to make use of the OpenSSL C API.
+
+%package -n libopenssl-3-fips-provider
+Summary:        OpenSSL FIPS provider
+Requires:       libjitterentropy3 >= 3.4.0
+Requires:       libopenssl3 >= %{version}
+BuildRequires:  fipscheck
+BuildRequires:  jitterentropy-devel >= 3.4.0
+
+%description -n libopenssl-3-fips-provider
+This package contains the OpenSSL FIPS provider.
+
+%package doc
+Summary:        Manpages and additional documentation for openssl
+Conflicts:      libopenssl-3-devel < %{version}-%{release}
+Conflicts:      openssl-doc
+Provides:       openssl-doc = %{version}
+Obsoletes:      openssl-doc < %{version}
+BuildArch:      noarch
+
+%description doc
+This package contains optional documentation provided in addition to
+this package's base documentation.
+
+%prep
+%autosetup -p1 -n %{_rname}-%{version}
+
+%build
+%ifarch armv5el armv5tel
+export MACHINE=armv5el
+%endif
+%ifarch armv6l armv6hl
+export MACHINE=armv6l
+%endif
+
+./Configure \
+    enable-camellia \
+%ifarch x86_64 aarch64 ppc64le
+    enable-ec_nistp_64_gcc_128 \
+%endif
+    enable-fips \
+    enable-fips-jitter \
+    enable-jitter \
+    enable-ktls \
+    enable-pie \
+    enable-rfc3779 \
+    enable-seed \
+    no-afalgeng \
+    no-atexit \
+    no-ec2m \
+    no-mdc2 \
+    zlib \
+    --prefix=%{_prefix} \
+    --libdir=%{_lib} \
+    --openssldir=%{ssletcdir} \
+    %{optflags} \
+    %{?cflags_livepatching} \
+    -Wa,--noexecstack \
+    -Wl,-z,relro,-z,now \
+    -fno-common \
+    -DTERMIO \
+    -DPURIFY \
+    -D_GNU_SOURCE \
+    -DOPENSSL_PEDANTIC_ZEROIZATION \
+    '-DSUSE_OPENSSL_RELEASE="\"%{release}\""' \
+    -DOPENSSL_NO_BUF_FREELISTS \
+    $(getconf LFS_CFLAGS) \
+    -Wall \
+    --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config
+
+# Show build configuration
+perl configdata.pm --dump
+
+# Do not run this in a production package the FIPS symbols must be patched-in
+# util/mkdef.pl crypto update
+
+%make_build depend
+%make_build all
+
+%check
+# Relax the crypto-policies requirements and disable the default
+# provider for the test suite regression tests
+patch -p1 < %{SOURCE6}
+export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+# export HARNESS_VERBOSE=yes
+# Embed HMAC into fips provider for test run
+OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac
+objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
+mv providers/fips.so.mac providers/fips.so
+
+# Run the tests in non FIPS mode
+LD_LIBRARY_PATH="$PWD" make test %{?_smp_mflags} %{?openssl_test_flags}
+
+# Run the tests also in FIPS mode
+# OPENSSL_FORCE_FIPS_MODE=1 LD_LIBRARY_PATH="$PWD" make TESTS='-test_evp_fetch_prov -test_tsa' test -j16 || :
+
+# Add generation of HMAC checksum of the final stripped library
+# We manually copy standard definition of __spec_install_post
+# and add hmac calculation/embedding to fips.so
+%define __spec_install_post \
+    %{?__debug_package:%{__debug_install_post}} \
+    %{__arch_install_post} \
+    %{__os_install_post} \
+    OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < %{buildroot}%{_libdir}/ossl-modules/fips.so > %{buildroot}%{_libdir}/ossl-modules/fips.so.hmac \
+    objcopy --update-section .rodata1=%{buildroot}%{_libdir}/ossl-modules/fips.so.hmac %{buildroot}%{_libdir}/ossl-modules/fips.so %{buildroot}%{_libdir}/ossl-modules/fips.so.mac \
+    mv %{buildroot}%{_libdir}/ossl-modules/fips.so.mac %{buildroot}%{_libdir}/ossl-modules/fips.so \
+    rm %{buildroot}%{_libdir}/ossl-modules/fips.so.hmac \
+%{nil}
+
+# show ciphers
+gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto
+LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers
+
+%install
+%{?pack_ipa_dumps}
+%make_install %{?_smp_mflags} MANSUFFIX=%{man_suffix}
+
+rename so.%{sover} so.%{version} %{buildroot}%{_libdir}/*.so.%{sover}
+for lib in %{buildroot}%{_libdir}/*.so.%{version} ; do
+    chmod 755 ${lib}
+    ln -sf $(basename ${lib}) %{buildroot}%{_libdir}/$(basename ${lib} .%{version})
+    ln -sf $(basename ${lib}) %{buildroot}%{_libdir}/$(basename ${lib} .%{version}).%{sover}
+done
+
+# Remove static libraries
+rm -f %{buildroot}%{_libdir}/*.a
+
+# Remove the cnf.dist
+rm -f %{buildroot}%{ssletcdir}/openssl.cnf.dist
+rm -f %{buildroot}%{ssletcdir}/ct_log_list.cnf.dist
+
+# Make a copy of the default openssl.cnf file
+cp %{buildroot}%{ssletcdir}/openssl.cnf %{buildroot}%{ssletcdir}/openssl-orig.cnf
+
+# Create openssl ca-certificates dir required by nodejs regression tests [bsc#1207484]
+mkdir -p %{buildroot}%{_localstatedir}/lib/ca-certificates/openssl
+install -d -m 555 %{buildroot}%{_localstatedir}/lib/ca-certificates/openssl
+
+# Remove the fipsmodule.cnf because FIPS module is loaded automatically in FIPS mode
+rm -f %{buildroot}%{ssletcdir}/fipsmodule.cnf
+
+ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl
+mkdir %{buildroot}/%{_datadir}/ssl
+mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/
+
+# Add the FIPS module configuration from crypto-policies since SP6
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150600
+ln -s %{_sysconfdir}/crypto-policies/back-ends/openssl_fips.config %{buildroot}%{ssletcdir}/fips_local.cnf
+%endif
+
+# Avoid file conflicts with man pages from other packages
+pushd %{buildroot}/%{_mandir}
+find . -type f -exec chmod 644 {} +
+mv man5/config.5%{man_suffix} man5/openssl.cnf.5
+popd
+
+# Do not install demo scripts executable under /usr/share/doc
+find demos -type f -perm /111 -exec chmod 644 {} +
+
+# Place showciphers.c for %%doc macro
+cp %{SOURCE5} .
+
+# Compute the FIPS hmac using the brp-50-generate-fips-hmac script
+export BRP_FIPSHMAC_FILES="%{buildroot}%{_libdir}/libssl.so.%{sover} %{buildroot}%{_libdir}/libcrypto.so.%{sover}"
+
+%post -p "/bin/bash"
+if [ "$1" -gt 1 ] ; then
+    # Check if the packaged default config file for openssl-3, called openssl.cnf,
+    # is the original or if it has been modified and alert the user in that case
+    # that a copy of the original file openssl-orig.cnf can be used if needed.
+    cmp --silent %{ssletcdir}/openssl.cnf %{ssletcdir}/openssl-orig.cnf 2>/dev/null
+    if [ "$?" -eq 1 ] ; then
+        echo -e " The openssl-3 default config file openssl.cnf is different from" ;
+        echo -e " the original one shipped by the package. A copy of the original" ;
+        echo -e " file is packaged and named as openssl-orig.cnf if needed."
+    fi
+fi
+
+%pre
+
+%post -n libopenssl3 -p /sbin/ldconfig
+%postun -n libopenssl3 -p /sbin/ldconfig
+
+%files -n libopenssl3
+%license LICENSE.txt
+%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
+%{_libdir}/libssl.so.%{sover}
+%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
+%{_libdir}/libcrypto.so.%{sover}
+%{_libdir}/engines-%{sover}
+%dir %{_libdir}/ossl-modules
+%{_libdir}/ossl-modules/legacy.so
+%{_libdir}/.libssl.so.%{sover}.hmac
+%{_libdir}/.libcrypto.so.%{sover}.hmac
+
+%files -n libopenssl-3-fips-provider
+%{_libdir}/ossl-modules/fips.so
+
+%files -n libopenssl-3-devel
+%doc NOTES*.md CONTRIBUTING.md HACKING.md AUTHORS.md ACKNOWLEDGEMENTS.md
+%{_includedir}/%{_rname}/
+%{_includedir}/ssl
+%{_libdir}/*.so
+%{_libdir}/pkgconfig/*.pc
+%dir %{_libdir}/cmake
+%{_libdir}/cmake/OpenSSL
+%{_libdir}/cmake/OpenSSL/*.cmake
+
+%files doc
+%doc README.md
+%doc doc/html/* doc/HOWTO/* demos
+%doc showciphers.c
+%{_mandir}/man3/*
+
+%files
+%license LICENSE.txt
+%doc CHANGES.md NEWS.md README.md
+%dir %{ssletcdir}
+%config %{ssletcdir}/openssl-orig.cnf
+%config (noreplace) %{ssletcdir}/openssl.cnf
+%config (noreplace) %{ssletcdir}/ct_log_list.cnf
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150600
+%config %{ssletcdir}/fips_local.cnf
+%endif
+%attr(700,root,root) %{ssletcdir}/private
+%dir %{_datadir}/ssl
+%{_datadir}/ssl/misc
+%dir %{_localstatedir}/lib/ca-certificates/
+%dir %{_localstatedir}/lib/ca-certificates/openssl
+%{_bindir}/%{_rname}
+%{_bindir}/c_rehash
+%{_mandir}/man1/*
+%{_mandir}/man5/*
+%{_mandir}/man7/*
+
+%changelog

openssl-Add-FIPS-indicator-parameter-to-HKDF.patch

@@ -0,0 +1,911 @@
+From 2290280617183863eb15425b8925765966723725 Mon Sep 17 00:00:00 2001
+From: Clemens Lang <cllang@redhat.com>
+Date: Thu, 11 Aug 2022 09:27:12 +0200
+Subject: KDF: Add FIPS indicators
+
+FIPS requires a number of restrictions on the parameters of the various
+key derivation functions implemented in OpenSSL. The KDFs that use
+digest algorithms usually should not allow SHAKE (due to FIPS 140-3 IG
+C.C). Additionally, some application-specific KDFs have further
+restrictions defined in SP 800-135r1.
+
+Generally, all KDFs shall use a key-derivation key length of at least
+112 bits due to SP 800-131Ar2 section 8. Additionally any use of a KDF
+to generate and output length of less than 112 bits will also set the
+indicator to unapproved.
+
+Add explicit indicators to all KDFs usable in FIPS mode except for
+PBKDF2 (which has its specific FIPS limits already implemented). The
+indicator can be queried using EVP_KDF_CTX_get_params() after setting
+the required parameters and keys for the KDF.
+
+Our FIPS provider implements SHA1, SHA2 (both -256 and -512, and the
+truncated variants -224 and -384) and SHA3 (-256 and -512, and the
+truncated versions -224 and -384), as well as SHAKE-128 and -256.
+
+The SHAKE functions are generally not allowed in KDFs. For the rest, the
+support matrix is:
+
+ KDF         | SHA-1 | SHA-2 | SHA-2 truncated  | SHA-3 | SHA-3 truncated
+==========================================================================
+KBKDF        |   x   |   x   |         x        |   x   |     x
+HKDF         |   x   |   x   |         x        |   x   |     x
+TLS1PRF      |       | SHA-{256,384,512} only   |       |
+SSHKDF       |   x   |   x   |         x        |       |
+SSKDF        |   x   |   x   |         x        |   x   |     x
+X9.63KDF     |       |   x   |         x        |   x   |     x
+X9.42-ASN1   |   x   |   x   |         x        |   x   |     x
+TLS1.3PRF    |       | SHA-{256,384} only       |       |
+
+Signed-off-by: Clemens Lang <cllang@redhat.com>
+Resolves: rhbz#2160733 rhbz#2164763
+Related: rhbz#2114772 rhbz#2141695
+---
+ include/crypto/evp.h                      |   7 ++
+ include/openssl/kdf.h                     |   4 +
+ providers/implementations/kdfs/hkdf.c     | 100 +++++++++++++++++++++-
+ providers/implementations/kdfs/kbkdf.c    |  82 ++++++++++++++++--
+ providers/implementations/kdfs/sshkdf.c   |  75 +++++++++++++++-
+ providers/implementations/kdfs/sskdf.c    | 100 +++++++++++++++++++++-
+ providers/implementations/kdfs/tls1_prf.c |  74 +++++++++++++++-
+ providers/implementations/kdfs/x942kdf.c  |  66 +++++++++++++-
+ util/perl/OpenSSL/paramnames.pm           |   1 +
+ 9 files changed, 487 insertions(+), 22 deletions(-)
+
+diff --git a/include/crypto/evp.h b/include/crypto/evp.h
+index e70d8e9e84..76fb990de4 100644
+--- a/include/crypto/evp.h
++++ b/include/crypto/evp.h
+@@ -219,6 +219,13 @@ struct evp_mac_st {
+     OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params;
+ };
+ 
++#ifdef FIPS_MODULE
++/* According to NIST Special Publication 800-131Ar2, Section 8: Deriving
++ * Additional Keys from a Cryptographic Key, "[t]he length of the
++ * key-derivation key [i.e., the input key] shall be at least 112 bits". */
++# define EVP_KDF_FIPS_MIN_KEY_LEN (112 / 8)
++#endif
++
+ struct evp_kdf_st {
+     OSSL_PROVIDER *prov;
+     int name_id;
+diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
+index 0983230a48..86171635ea 100644
+--- a/include/openssl/kdf.h
++++ b/include/openssl/kdf.h
+@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf,
+ # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY        1
+ # define EVP_KDF_HKDF_MODE_EXPAND_ONLY         2
+ 
++# define EVP_KDF_SUSE_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED     1
++# define EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED 2
++
+ #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV     65
+ #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI     66
+ #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
+diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
+index dfa7786bde..f01e40ff5a 100644
+--- a/providers/implementations/kdfs/hkdf.c
++++ b/providers/implementations/kdfs/hkdf.c
+@@ -42,6 +42,7 @@ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params;
+ static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params;
+ static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
+ static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params;
++static OSSL_FUNC_kdf_newctx_fn kdf_tls1_3_new;
+ static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive;
+ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params;
+ static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params;
+@@ -85,6 +86,10 @@ typedef struct {
+     size_t data_len;
+     unsigned char *info;
+     size_t info_len;
++    int is_tls13;
++#ifdef FIPS_MODULE
++    int fips_indicator;
++#endif /* defined(FIPS_MODULE) */
+ } KDF_HKDF;
+ 
+ static void *kdf_hkdf_new(void *provctx)
+@@ -170,6 +175,11 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen,
+         return 0;
+     }
+ 
++#ifdef FIPS_MODULE
++    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++        ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
++
+     switch (ctx->mode) {
+     case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
+     default:
+@@ -318,22 +318,85 @@ static int kdf_hkdf_get_ctx_params(void
+ {
+     KDF_HKDF *ctx = (KDF_HKDF *)vctx;
+     OSSL_PARAM *p;
++    int any_valid = 0; /* set to 1 when at least one parameter was valid */
+ 
+     if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
+         size_t sz = kdf_hkdf_size(ctx);
+ 
++        any_valid = 1;
+         if (sz == 0)
+             return 0;
+         return OSSL_PARAM_set_size_t(p, sz);
+     }
+     if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) {
++        any_valid = 1;
+         if (ctx->info == NULL || ctx->info_len == 0) {
+             p->return_size = 0;
+             return 1;
+         }
+         return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len);
+     }
+-    return -2;
++#ifdef FIPS_MODULE
++    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR))
++            != NULL) {
++        int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
++        const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
++
++        any_valid = 1;
++
++        /* According to NIST Special Publication 800-131Ar2, Section 8:
++         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
++         * the key-derivation key [i.e., the input key] shall be at least 112
++         * bits". */
++        if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
++            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Verification Program, Section D.B and NIST Special Publication
++         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
++         * strength < 112 bits is legacy use only, so all derived keys should
++         * be longer than that. If a derived key has ever been shorter than
++         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
++         * should also set the returned FIPS indicator to unapproved. */
++        if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
++            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++
++        if (ctx->is_tls13) {
++            if (md != NULL
++                    && !EVP_MD_is_a(md, "SHA2-256")
++                    && !EVP_MD_is_a(md, "SHA2-384")) {
++                /* Implementation Guidance for FIPS 140-3 and the Cryptographic
++                 * Module Validation Program, Section 2.4.B, (5): "The TLS 1.3
++                 * key derivation function documented in Section 7.1 of RFC
++                 * 8446. This is considered an approved CVL because the
++                 * underlying functions performed within the TLS 1.3 KDF map to
++                 * NIST approved standards, namely: SP 800-133rev2 (Section 6.3
++                 * Option #3), SP 800-56Crev2, and SP 800-108."
++                 *
++                 * RFC 8446 appendix B.4 only lists SHA-256 and SHA-384. */
++                fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++            }
++        } else {
++            if (md != NULL
++                    && (EVP_MD_is_a(md, "SHAKE-128") ||
++                        EVP_MD_is_a(md, "SHAKE-256"))) {
++                /* HKDF is a SP 800-56Cr2 TwoStep KDF, for which all SHA-1,
++                 * SHA-2 and SHA-3 are approved. SHAKE is not approved, because
++                 * of FIPS 140-3 IG, section C.C: "The SHAKE128 and SHAKE256
++                 * extendable-output functions may only be used as the
++                 * standalone algorithms." */
++                fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++            }
++        }
++        if (!OSSL_PARAM_set_int(p, fips_indicator))
++            return 0;
++    }
++#endif /* defined(FIPS_MODULE) */
++
++    if (!any_valid)
++        return -2;
++
++    return 1;
+ }
+ 
+ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
+@@ -348,6 +421,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
+     static const OSSL_PARAM known_gettable_ctx_params[] = {
+         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+         OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
++#ifdef FIPS_MODULE
++        OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, NULL),
++#endif /* defined(FIPS_MODULE) */
+         OSSL_PARAM_END
+     };
+     return known_gettable_ctx_params;
+@@ -677,6 +753,17 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx,
+     return ret;
+ }
+ 
++static void *kdf_tls1_3_new(void *provctx)
++{
++    KDF_HKDF *hkdf = kdf_hkdf_new(provctx);
++
++    if (hkdf != NULL)
++        hkdf->is_tls13 = 1;
++
++    return hkdf;
++}
++
++
+ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
+                              const OSSL_PARAM params[])
+ {
+@@ -692,6 +779,11 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
+         return 0;
+     }
+ 
++#ifdef FIPS_MODULE
++    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++        ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
++
+     switch (ctx->mode) {
+     default:
+         return 0;
+@@ -769,7 +861,7 @@ static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx,
+ }
+ 
+ const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = {
+-    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new },
++    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_3_new },
+     { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup },
+     { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free },
+     { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset },
+diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c
+index a542f84dfa..6b6dfb94ac 100644
+--- a/providers/implementations/kdfs/kbkdf.c
++++ b/providers/implementations/kdfs/kbkdf.c
+@@ -59,6 +59,9 @@ typedef struct {
+     kbkdf_mode mode;
+     EVP_MAC_CTX *ctx_init;
+ 
++    /* HMAC digest algorithm, if any; used to compute FIPS indicator */
++    PROV_DIGEST digest;
++
+     /* Names are lowercased versions of those found in SP800-108. */
+     int r;
+     unsigned char *ki;
+@@ -73,6 +76,9 @@ typedef struct {
+     int use_l;
+     int is_kmac;
+     int use_separator;
++#ifdef FIPS_MODULE
++    int fips_indicator;
++#endif /* defined(FIPS_MODULE) */
+ } KBKDF;
+ 
+ /* Definitions needed for typechecking. */
+@@ -138,6 +144,7 @@ static void kbkdf_reset(void *vctx)
+     void *provctx = ctx->provctx;
+ 
+     EVP_MAC_CTX_free(ctx->ctx_init);
++    ossl_prov_digest_reset(&ctx->digest);
+     OPENSSL_clear_free(ctx->context, ctx->context_len);
+     OPENSSL_clear_free(ctx->label, ctx->label_len);
+     OPENSSL_clear_free(ctx->ki, ctx->ki_len);
+@@ -240,6 +247,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen,
+         goto done;
+     }
+ 
++#ifdef FIPS_MODULE
++    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++        ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
++
+     h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init);
+     if (h == 0)
+         goto done;
+@@ -297,6 +309,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+         }
+     }
+ 
++    if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
++        return 0;
++
+     p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE);
+     if (p != NULL
+         && OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) {
+@@ -363,20 +378,77 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx,
+ static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
+     OSSL_PARAM *p;
++    int any_valid = 0; /* set to 1 when at least one parameter was valid */
+ 
+     p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE);
+-    if (p == NULL)
++    if (p != NULL) {
++        any_valid = 1;
++
++        /* KBKDF can produce results as large as you like. */
++        if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
++            return 0;
++    }
++
++#ifdef FIPS_MODULE
++    p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR);
++    if (p != NULL) {
++        KBKDF *ctx = (KBKDF *)vctx;
++        int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
++
++        any_valid = 1;
++
++        /* According to NIST Special Publication 800-131Ar2, Section 8:
++         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
++         * the key-derivation key [i.e., the input key] shall be at least 112
++         * bits". */
++        if (ctx->ki_len < EVP_KDF_FIPS_MIN_KEY_LEN)
++            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Verification Program, Section D.B and NIST Special Publication
++         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
++         * strength < 112 bits is legacy use only, so all derived keys should
++         * be longer than that. If a derived key has ever been shorter than
++         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
++         * should also set the returned FIPS indicator to unapproved. */
++        if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
++            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
++         * extendable-output functions may only be used as the standalone
++         * algorithms." Note that the digest is only used when the MAC
++         * algorithm is HMAC. */
++        if (ctx->ctx_init != NULL
++                && EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init), OSSL_MAC_NAME_HMAC)) {
++            const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
++            if (md != NULL
++                    && (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256"))) {
++                fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++            }
++        }
++
++        if (!OSSL_PARAM_set_int(p, fips_indicator))
++            return 0;
++    }
++#endif
++
++    if (!any_valid)
+         return -2;
+ 
+-    /* KBKDF can produce results as large as you like. */
+-    return OSSL_PARAM_set_size_t(p, SIZE_MAX);
++    return 1;
+ }
+ 
+ static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *ctx,
+                                                    ossl_unused void *provctx)
+ {
+-    static const OSSL_PARAM known_gettable_ctx_params[] =
+-        { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_END };
++    static const OSSL_PARAM known_gettable_ctx_params[] = {
++        OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++        OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, NULL),
++#endif /* defined(FIPS_MODULE) */
++        OSSL_PARAM_END
++    };
+     return known_gettable_ctx_params;
+ }
+ 
+diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c
+index c592ba72f1..4a52b38266 100644
+--- a/providers/implementations/kdfs/sshkdf.c
++++ b/providers/implementations/kdfs/sshkdf.c
+@@ -48,6 +48,9 @@ typedef struct {
+     char type; /* X */
+     unsigned char *session_id;
+     size_t session_id_len;
++#ifdef FIPS_MODULE
++    int fips_indicator;
++#endif /* defined(FIPS_MODULE) */
+ } KDF_SSHKDF;
+ 
+ static void *kdf_sshkdf_new(void *provctx)
+@@ -126,6 +129,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen,
+         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE);
+         return 0;
+     }
++
++#ifdef FIPS_MODULE
++    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++        ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
++
+     return SSHKDF(md, ctx->key, ctx->key_len,
+                   ctx->xcghash, ctx->xcghash_len,
+                   ctx->session_id, ctx->session_id_len,
+@@ -194,10 +203,67 @@ static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx,
+ static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
+     OSSL_PARAM *p;
++    int any_valid = 0; /* set to 1 when at least one parameter was valid */
+ 
+-    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+-        return OSSL_PARAM_set_size_t(p, SIZE_MAX);
+-    return -2;
++    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
++        any_valid = 1;
++
++        if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
++            return 0;
++    }
++
++#ifdef FIPS_MODULE
++    p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR);
++    if (p != NULL) {
++        KDF_SSHKDF *ctx = vctx;
++        int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
++
++        any_valid = 1;
++
++        /* According to NIST Special Publication 800-131Ar2, Section 8:
++         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
++         * the key-derivation key [i.e., the input key] shall be at least 112
++         * bits". */
++        if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
++            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Verification Program, Section D.B and NIST Special Publication
++         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
++         * strength < 112 bits is legacy use only, so all derived keys should
++         * be longer than that. If a derived key has ever been shorter than
++         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
++         * should also set the returned FIPS indicator to unapproved. */
++        if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
++            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
++         * extendable-output functions may only be used as the standalone
++         * algorithms."
++         *
++         * Additionally, SP 800-135r1 section 5.2 specifies that the hash
++         * function used in SSHKDF "is one of the hash functions specified in
++         * FIPS 180-3.", which rules out SHA-3 and truncated variants of SHA-2.
++         * */
++        if (ctx->digest.md != NULL
++            && !EVP_MD_is_a(ctx->digest.md, "SHA-1")
++            && !EVP_MD_is_a(ctx->digest.md, "SHA2-224")
++            && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
++            && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
++            && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
++            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++        }
++
++        if (!OSSL_PARAM_set_int(p, fips_indicator))
++            return 0;
++    }
++#endif
++
++    if (!any_valid)
++        return -2;
++
++    return 1;
+ }
+ 
+ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
+@@ -205,6 +271,9 @@ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
+ {
+     static const OSSL_PARAM known_gettable_ctx_params[] = {
+         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++        OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, NULL),
++#endif /* defined(FIPS_MODULE) */
+         OSSL_PARAM_END
+     };
+     return known_gettable_ctx_params;
+diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c
+index eb54972e1c..23865cd70f 100644
+--- a/providers/implementations/kdfs/sskdf.c
++++ b/providers/implementations/kdfs/sskdf.c
+@@ -64,6 +64,10 @@ typedef struct {
+     size_t salt_len;
+     size_t out_len; /* optional KMAC parameter */
+     int is_kmac;
++    int is_x963kdf;
++#ifdef FIPS_MODULE
++    int fips_indicator;
++#endif /* defined(FIPS_MODULE) */
+ } KDF_SSKDF;
+ 
+ #define SSKDF_MAX_INLEN (1<<30)
+@@ -73,6 +77,7 @@ typedef struct {
+ static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 };
+ 
+ static OSSL_FUNC_kdf_newctx_fn sskdf_new;
++static OSSL_FUNC_kdf_newctx_fn x963kdf_new;
+ static OSSL_FUNC_kdf_dupctx_fn sskdf_dup;
+ static OSSL_FUNC_kdf_freectx_fn sskdf_free;
+ static OSSL_FUNC_kdf_reset_fn sskdf_reset;
+@@ -296,6 +301,16 @@ static void *sskdf_new(void *provctx)
+     return ctx;
+ }
+ 
++static void *x963kdf_new(void *provctx)
++{
++    KDF_SSKDF *ctx = sskdf_new(provctx);
++
++    if (ctx)
++        ctx->is_x963kdf = 1;
++
++    return ctx;
++}
++
+ static void sskdf_reset(void *vctx)
+ {
+     KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
+@@ -361,6 +376,11 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen,
+     }
+     md = ossl_prov_digest_md(&ctx->digest);
+ 
++#ifdef FIPS_MODULE
++    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++        ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
++
+     if (ctx->macctx != NULL) {
+         /* H(x) = KMAC or H(x) = HMAC */
+         int ret;
+@@ -442,6 +462,11 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen,
+         return 0;
+     }
+ 
++#ifdef FIPS_MODULE
++    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++        ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
++
+     return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
+                           ctx->info, ctx->info_len, 1, key, keylen);
+ }
+@@ -514,10 +539,74 @@ static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
+     KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
+     OSSL_PARAM *p;
++    int any_valid = 0; /* set to 1 when at least one parameter was valid */
++
++    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
++        any_valid = 1;
++
++        if (!OSSL_PARAM_set_size_t(p, sskdf_size(ctx)))
++            return 0;
++    }
+ 
+-    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+-        return OSSL_PARAM_set_size_t(p, sskdf_size(ctx));
+-    return -2;
++#ifdef FIPS_MODULE
++    p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR);
++    if (p != NULL) {
++        int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
++
++        any_valid = 1;
++
++        /* According to NIST Special Publication 800-131Ar2, Section 8:
++         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
++         * the key-derivation key [i.e., the input key] shall be at least 112
++         * bits". */
++        if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
++            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Verification Program, Section D.B and NIST Special Publication
++         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
++         * strength < 112 bits is legacy use only, so all derived keys should
++         * be longer than that. If a derived key has ever been shorter than
++         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
++         * should also set the returned FIPS indicator to unapproved. */
++        if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
++            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
++         * extendable-output functions may only be used as the standalone
++         * algorithms." */
++        if (ctx->macctx == NULL
++                || (ctx->macctx != NULL &&
++                    EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), OSSL_MAC_NAME_HMAC))) {
++            if (ctx->digest.md != NULL
++                && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
++                    EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
++                fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++            }
++
++            /* Table H-3 in ANS X9.63-2001 says that 160-bit hash functions
++             * should only be used for 80-bit key agreement, but FIPS 140-3
++             * requires a security strength of 112 bits, so SHA-1 cannot be
++             * used with X9.63. See the discussion in
++             * https://github.com/usnistgov/ACVP/issues/1403#issuecomment-1435300395.
++             */
++            if (ctx->is_x963kdf
++                    && ctx->digest.md != NULL
++                    && EVP_MD_is_a(ctx->digest.md, "SHA-1")) {
++                fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++            }
++        }
++
++        if (!OSSL_PARAM_set_int(p, fips_indicator))
++            return 0;
++    }
++#endif
++
++    if (!any_valid)
++        return -2;
++
++    return 1;
+ }
+ 
+ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
+@@ -525,6 +614,9 @@ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
+ {
+     static const OSSL_PARAM known_gettable_ctx_params[] = {
+         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++        OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, 0),
++#endif /* defined(FIPS_MODULE) */
+         OSSL_PARAM_END
+     };
+     return known_gettable_ctx_params;
+@@ -545,7 +637,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = {
+ };
+ 
+ const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = {
+-    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new },
++    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))x963kdf_new },
+     { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup },
+     { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
+     { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
+diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
+index a4d64b9352..f6782a6ca2 100644
+--- a/providers/implementations/kdfs/tls1_prf.c
++++ b/providers/implementations/kdfs/tls1_prf.c
+@@ -93,6 +93,13 @@ typedef struct {
+     /* Buffer of concatenated seed data */
+     unsigned char seed[TLS1_PRF_MAXBUF];
+     size_t seedlen;
++
++    /* MAC digest algorithm; used to compute FIPS indicator */
++    PROV_DIGEST digest;
++
++#ifdef FIPS_MODULE
++    int fips_indicator;
++#endif /* defined(FIPS_MODULE) */
+ } TLS1_PRF;
+ 
+ static void *kdf_tls1_prf_new(void *provctx)
+@@ -129,6 +136,7 @@ static void kdf_tls1_prf_reset(void *vctx)
+     EVP_MAC_CTX_free(ctx->P_sha1);
+     OPENSSL_clear_free(ctx->sec, ctx->seclen);
+     OPENSSL_cleanse(ctx->seed, ctx->seedlen);
++    ossl_prov_digest_reset(&ctx->digest);
+     memset(ctx, 0, sizeof(*ctx));
+     ctx->provctx = provctx;
+ }
+@@ -157,6 +165,10 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
+         ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
+         return 0;
+     }
++#ifdef FIPS_MODULE
++    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++        ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
+ 
+     /*
+      * The seed buffer is prepended with a label.
+@@ -191,6 +203,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+         }
+     }
+ 
++    if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
++        return 0;
++
+     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) {
+         OPENSSL_clear_free(ctx->sec, ctx->seclen);
+         ctx->sec = NULL;
+@@ -232,10 +247,60 @@ static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params(
+ static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
+     OSSL_PARAM *p;
++#ifdef FIPS_MODULE
++    TLS1_PRF *ctx = vctx;
++#endif /* defined(FIPS_MODULE) */
++    int any_valid = 0; /* set to 1 when at least one parameter was valid */
++
++    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
++        any_valid = 1;
++
++        if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
++            return 0;
++    }
++
++#ifdef FIPS_MODULE
++    p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR);
++    if (p != NULL) {
++        int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
++
++        any_valid = 1;
++
++        /* According to NIST Special Publication 800-131Ar2, Section 8:
++         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
++         * the key-derivation key [i.e., the input key] shall be at least 112
++         * bits". */
++        if (ctx->seclen < EVP_KDF_FIPS_MIN_KEY_LEN)
++            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Verification Program, Section D.B and NIST Special Publication
++         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
++         * strength < 112 bits is legacy use only, so all derived keys should
++         * be longer than that. If a derived key has ever been shorter than
++         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
++         * should also set the returned FIPS indicator to unapproved. */
++        if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
++            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* SP 800-135r1 section 4.2.2 says TLS 1.2 KDF is approved when "(3)
++         * P_HASH uses either SHA-256, SHA-384 or SHA-512." */
++        if (ctx->digest.md != NULL
++                && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
++                && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
++                && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
++            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++        }
++
++        if (!OSSL_PARAM_set_int(p, fips_indicator))
++            return 0;
++    }
++#endif
+ 
+-    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+-        return OSSL_PARAM_set_size_t(p, SIZE_MAX);
+-    return -2;
++    if (!any_valid)
++        return -2;
++
++    return 1;
+ }
+ 
+ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
+@@ -243,6 +308,9 @@ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
+ {
+     static const OSSL_PARAM known_gettable_ctx_params[] = {
+         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++        OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, 0),
++#endif /* defined(FIPS_MODULE) */
+         OSSL_PARAM_END
+     };
+     return known_gettable_ctx_params;
+diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c
+index b1bc6f7e1b..8173fc2cc7 100644
+--- a/providers/implementations/kdfs/x942kdf.c
++++ b/providers/implementations/kdfs/x942kdf.c
+@@ -13,11 +13,13 @@
+ #include <openssl/core_dispatch.h>
+ #include <openssl/err.h>
+ #include <openssl/evp.h>
++#include <openssl/kdf.h>
+ #include <openssl/params.h>
+ #include <openssl/proverr.h>
+ #include "internal/packet.h"
+ #include "internal/der.h"
+ #include "internal/nelem.h"
++#include "crypto/evp.h"
+ #include "prov/provider_ctx.h"
+ #include "prov/providercommon.h"
+ #include "prov/implementations.h"
+@@ -47,6 +50,9 @@ typedef struct {
+     const unsigned char *cek_oid;
+     size_t cek_oid_len;
+     int use_keybits;
++#ifdef FIPS_MODULE
++    int fips_indicator;
++#endif /* defined(FIPS_MODULE) */
+ } KDF_X942;
+ 
+ /*
+@@ -460,6 +466,10 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen,
+         ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING);
+         return 0;
+     }
++#ifdef FIPS_MODULE
++    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++        ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
+     ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len,
+                            der, der_len, ctr, key, keylen);
+     OPENSSL_free(der);
+@@ -563,10 +573,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
+     KDF_X942 *ctx = (KDF_X942 *)vctx;
+     OSSL_PARAM *p;
++    int any_valid = 0; /* set to 1 when at least one parameter was valid */
+ 
+-    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+-        return OSSL_PARAM_set_size_t(p, x942kdf_size(ctx));
+-    return -2;
++    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
++        any_valid = 1;
++
++        if (!OSSL_PARAM_set_size_t(p, x942kdf_size(ctx)))
++            return 0;
++    }
++
++#ifdef FIPS_MODULE
++    p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR);
++    if (p != NULL) {
++        int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
++
++        any_valid = 1;
++
++        /* According to NIST Special Publication 800-131Ar2, Section 8:
++         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
++         * the key-derivation key [i.e., the input key] shall be at least 112
++         * bits". */
++        if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
++            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Verification Program, Section D.B and NIST Special Publication
++         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
++         * strength < 112 bits is legacy use only, so all derived keys should
++         * be longer than that. If a derived key has ever been shorter than
++         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
++         * should also set the returned FIPS indicator to unapproved. */
++        if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
++            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
++         * extendable-output functions may only be used as the standalone
++         * algorithms." */
++        if (ctx->digest.md != NULL
++                && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
++                    EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
++            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++        }
++
++        if (!OSSL_PARAM_set_int(p, fips_indicator))
++            return 0;
++    }
++#endif
++
++    if (!any_valid)
++        return -2;
++
++    return 1;
+ }
+ 
+ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
+@@ -574,6 +632,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
+ {
+     static const OSSL_PARAM known_gettable_ctx_params[] = {
+         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++        OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, 0),
++#endif /* defined(FIPS_MODULE) */
+         OSSL_PARAM_END
+     };
+     return known_gettable_ctx_params;
+diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
+index 70f7c50fe4..6618122417 100644
+--- a/util/perl/OpenSSL/paramnames.pm
++++ b/util/perl/OpenSSL/paramnames.pm
+@@ -183,6 +183,7 @@ my %params = (
+     'KDF_PARAM_X942_SUPP_PUBINFO' =>    "supp-pubinfo",
+     'KDF_PARAM_X942_SUPP_PRIVINFO' =>   "supp-privinfo",
+     'KDF_PARAM_X942_USE_KEYBITS' =>     "use-keybits",
++    'KDF_PARAM_SUSE_FIPS_INDICATOR' =>     "suse-fips-indicator",
+     'KDF_PARAM_HMACDRBG_ENTROPY' =>     "entropy",
+     'KDF_PARAM_HMACDRBG_NONCE' =>       "nonce",
+     'KDF_PARAM_THREADS' =>        "threads",                # uint32_t
+-- 
+2.39.2
+

openssl-Add-FIPS_mode-compatibility-macro.patch

@@ -0,0 +1,83 @@
+From 8e29a10b39a649d751870eb1fd1b8c388e66acc3 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Mon, 31 Jul 2023 09:41:27 +0200
+Subject: [PATCH 08/35] 0008-Add-FIPS_mode-compatibility-macro.patch
+
+Patch-name: 0008-Add-FIPS_mode-compatibility-macro.patch
+Patch-id: 8
+Patch-status: |
+    # Add FIPS_mode() compatibility macro
+From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
+---
+ include/openssl/fips.h | 26 ++++++++++++++++++++++++++
+ test/property_test.c   | 14 ++++++++++++++
+ 2 files changed, 40 insertions(+)
+ create mode 100644 include/openssl/fips.h
+
+diff --git a/include/openssl/fips.h b/include/openssl/fips.h
+new file mode 100644
+index 0000000000..4162cbf88e
+--- /dev/null
++++ b/include/openssl/fips.h
+@@ -0,0 +1,26 @@
++/*
++ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the Apache License 2.0 (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#ifndef OPENSSL_FIPS_H
++# define OPENSSL_FIPS_H
++# pragma once
++
++# include <openssl/evp.h>
++# include <openssl/macros.h>
++
++# ifdef __cplusplus
++extern "C" {
++# endif
++
++# define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL)
++
++# ifdef __cplusplus
++}
++# endif
++#endif
+diff --git a/test/property_test.c b/test/property_test.c
+index 45b1db3e85..8894c1c1cb 100644
+--- a/test/property_test.c
++++ b/test/property_test.c
+@@ -677,6 +677,19 @@ static int test_property_list_to_string(int i)
+     return ret;
+ }
+ 
++#include <openssl/fips.h>
++static int test_downstream_FIPS_mode(void)
++{
++    int ret = 0;
++
++    ret = TEST_true(EVP_set_default_properties(NULL, "fips=yes"))
++          && TEST_true(FIPS_mode())
++          && TEST_true(EVP_set_default_properties(NULL, "fips=no"))
++          && TEST_false(FIPS_mode());
++
++    return ret;
++}
++
+ int setup_tests(void)
+ {
+     ADD_TEST(test_property_string);
+@@ -690,6 +703,7 @@ int setup_tests(void)
+     ADD_TEST(test_property);
+     ADD_TEST(test_query_cache_stochastic);
+     ADD_TEST(test_fips_mode);
++    ADD_TEST(test_downstream_FIPS_mode);
+     ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests));
+     return 1;
+ }
+-- 
+2.41.0
+

openssl-Add-Kernel-FIPS-mode-flag-support.patch

@@ -0,0 +1,92 @@
+From 0e3f6972299bc243023c6ce38663948317bd6794 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:15 +0100
+Subject: [PATCH 10/53] RH: Add Kernel FIPS mode flag support - FIXSTYLE
+
+Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch
+Patch-id: 9
+Patch-status: |
+    # # Add check to see if fips flag is enabled in kernel
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ crypto/context.c            | 35 +++++++++++++++++++++++++++++++++++
+ include/internal/provider.h |  3 +++
+ 2 files changed, 38 insertions(+)
+
+diff --git a/crypto/context.c b/crypto/context.c
+index f15bc3d755..614c8a2c88 100644
+--- a/crypto/context.c
++++ b/crypto/context.c
+@@ -7,6 +7,7 @@
+  * https://www.openssl.org/source/license.html
+  */
+ 
++#define _GNU_SOURCE /* needed for secure_getenv */
+ #include "crypto/cryptlib.h"
+ #include <openssl/conf.h>
+ #include <openssl/trace.h>
+@@ -19,6 +20,38 @@
+ #include "crypto/decoder.h"
+ #include "crypto/context.h"
+ 
++# include <sys/types.h>
++# include <sys/stat.h>
++# include <fcntl.h>
++# include <unistd.h>
++# include <openssl/evp.h>
++
++# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
++
++static int kernel_fips_flag;
++
++static void read_kernel_fips_flag(void)
++{
++    char buf[2] = "0";
++    int fd;
++
++    if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
++        buf[0] = '1';
++    } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
++        while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
++        close(fd);
++    }
++
++    if (buf[0] == '1') {
++        kernel_fips_flag = 1;
++    }
++}
++
++int ossl_get_kernel_fips_flag()
++{
++    return kernel_fips_flag;
++}
++
+ struct ossl_lib_ctx_st {
+     CRYPTO_RWLOCK *lock;
+     OSSL_EX_DATA_GLOBAL global;
+@@ -393,6 +426,8 @@ static int default_context_inited = 0;
+ 
+ DEFINE_RUN_ONCE_STATIC(default_context_do_init)
+ {
++    read_kernel_fips_flag();
++
+     if (!CRYPTO_THREAD_init_local(&default_context_thread_local, NULL))
+         goto err;
+ 
+diff --git a/include/internal/provider.h b/include/internal/provider.h
+index 6909a1919c..9d2e355251 100644
+--- a/include/internal/provider.h
++++ b/include/internal/provider.h
+@@ -111,6 +111,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx,
+                                 const OSSL_DISPATCH *in);
+ void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx);
+ 
++/* FIPS flag access */
++int ossl_get_kernel_fips_flag(void);
++
+ # ifdef __cplusplus
+ }
+ # endif
+-- 
+2.49.0
+

openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch

@@ -0,0 +1,352 @@
+From 736d709ec194b3a763e004696df22792c62a11fc Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Thu, 24 Sep 2020 10:16:46 +0200
+Subject: Add support for PROFILE=SYSTEM system default cipherlist
+
+(was openssl-1.1.1-system-cipherlist.patch)
+---
+ Configurations/unix-Makefile.tmpl |    5 ++
+ Configure                         |   11 ++++
+ doc/man1/openssl-ciphers.pod.in   |    9 +++
+ include/openssl/ssl.h.in          |    5 ++
+ ssl/ssl_ciph.c                    |   87 +++++++++++++++++++++++++++++++++-----
+ ssl/ssl_lib.c                     |    4 -
+ test/cipherlist_test.c            |    2 
+ util/libcrypto.num                |    1 
+ 8 files changed, 110 insertions(+), 14 deletions(-)
+
+Index: openssl-3.5.0-beta1/Configurations/unix-Makefile.tmpl
+===================================================================
+--- openssl-3.5.0-beta1.orig/Configurations/unix-Makefile.tmpl
++++ openssl-3.5.0-beta1/Configurations/unix-Makefile.tmpl
+@@ -344,6 +344,10 @@ MANDIR=$(INSTALLTOP)/share/man
+ DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
+ HTMLDIR=$(DOCDIR)/html
+ 
++{- output_off() if $config{system_ciphers_file} eq ""; "" -}
++SYSTEM_CIPHERS_FILE_DEFINE=-DSYSTEM_CIPHERS_FILE="\"{- $config{system_ciphers_file} -}\""
++{- output_on() if $config{system_ciphers_file} eq ""; "" -}
++
+ # MANSUFFIX is for the benefit of anyone who may want to have a suffix
+ # appended after the manpage file section number.  "ssl" is popular,
+ # resulting in files such as config.5ssl rather than config.5.
+@@ -367,6 +371,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
+ CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -}
+ CPPFLAGS={- our $cppflags1 = join(" ",
+                                   (map { "-D".$_} @{$config{CPPDEFINES}}),
++                                  "\$(SYSTEM_CIPHERS_FILE_DEFINE)",
+                                   (map { "-I".$_} @{$config{CPPINCLUDES}}),
+                                   @{$config{CPPFLAGS}}) -}
+ CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
+Index: openssl-3.5.0-beta1/Configure
+===================================================================
+--- openssl-3.5.0-beta1.orig/Configure
++++ openssl-3.5.0-beta1/Configure
+@@ -27,7 +27,7 @@ use OpenSSL::config;
+ my $orig_death_handler = $SIG{__DIE__};
+ $SIG{__DIE__} = \&death_handler;
+ 
+-my $usage="Usage: Configure [no-<feature> ...] [enable-<feature> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]thread-pool] [[no-]default-thread-pool] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
++my $usage="Usage: Configure [no-<feature> ...] [enable-<feature> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]thread-pool] [[no-]default-thread-pool] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE]  [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
+ 
+ my $banner = <<"EOF";
+ 
+@@ -61,6 +61,10 @@ EOF
+ #               given with --prefix.
+ #               This becomes the value of OPENSSLDIR in Makefile and in C.
+ #               (Default: PREFIX/ssl)
++#
++# --system-ciphers-file  A file to read cipher string from when the PROFILE=SYSTEM
++#		cipher is specified (default).
++#
+ # --banner=".." Output specified text instead of default completion banner
+ #
+ # -w            Don't wait after showing a Configure warning
+@@ -408,6 +412,7 @@ $config{prefix}="";
+ $config{openssldir}="";
+ $config{processor}="";
+ $config{libdir}="";
++$config{system_ciphers_file}="";
+ my $auto_threads=1;    # enable threads automatically? true by default
+ my $default_ranlib;
+ 
+@@ -1104,6 +1109,10 @@ while (@argvcopy)
+                         die "FIPS key too long (64 bytes max)\n"
+                            if length $1 > 64;
+                         }
++                elsif (/^--system-ciphers-file=(.*)$/)
++                        {
++                        $config{system_ciphers_file}=$1;
++                        }
+                 elsif (/^--banner=(.*)$/)
+                         {
+                         $banner = $1 . "\n";
+Index: openssl-3.5.0-beta1/doc/man1/openssl-ciphers.pod.in
+===================================================================
+--- openssl-3.5.0-beta1.orig/doc/man1/openssl-ciphers.pod.in
++++ openssl-3.5.0-beta1/doc/man1/openssl-ciphers.pod.in
+@@ -190,6 +190,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
+ 
+ The cipher suites not enabled by B<ALL>, currently B<eNULL>.
+ 
++=item B<PROFILE=SYSTEM>
++
++The list of enabled cipher suites will be loaded from the system crypto policy
++configuration file B</etc/crypto-policies/back-ends/openssl.config>.
++See also L<update-crypto-policies(8)>.
++This is the default behavior unless an application explicitly sets a cipher
++list. If used in a cipher list configuration value this string must be at the
++beginning of the cipher list, otherwise it will not be recognized.
++
+ =item B<HIGH>
+ 
+ "High" encryption cipher suites. This currently means those with key lengths
+Index: openssl-3.5.0-beta1/include/openssl/ssl.h.in
+===================================================================
+--- openssl-3.5.0-beta1.orig/include/openssl/ssl.h.in
++++ openssl-3.5.0-beta1/include/openssl/ssl.h.in
+@@ -209,6 +209,11 @@ extern "C" {
+  * throwing out anonymous and unencrypted ciphersuites! (The latter are not
+  * actually enabled by ALL, but "ALL:RSA" would enable some of them.)
+  */
++# ifdef SYSTEM_CIPHERS_FILE
++#  define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM"
++# else
++#  define SSL_SYSTEM_DEFAULT_CIPHER_LIST OSSL_default_cipher_list()
++# endif
+ 
+ /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
+ # define SSL_SENT_SHUTDOWN       1
+Index: openssl-3.5.0-beta1/ssl/ssl_ciph.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/ssl/ssl_ciph.c
++++ openssl-3.5.0-beta1/ssl/ssl_ciph.c
+@@ -1421,6 +1421,53 @@ int SSL_set_ciphersuites(SSL *s, const c
+     return ret;
+ }
+ 
++#ifdef SYSTEM_CIPHERS_FILE
++static char *load_system_str(const char *suffix)
++{
++    FILE *fp;
++    char buf[1024];
++    char *new_rules;
++    const char *ciphers_path;
++    unsigned len, slen;
++
++    if ((ciphers_path = ossl_safe_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL)
++        ciphers_path = SYSTEM_CIPHERS_FILE;
++    fp = fopen(ciphers_path, "r");
++    if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
++        /* cannot open or file is empty */
++        snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
++    }
++
++    if (fp)
++        fclose(fp);
++
++    slen = strlen(suffix);
++    len = strlen(buf);
++
++    if (buf[len - 1] == '\n') {
++        len--;
++        buf[len] = 0;
++    }
++    if (buf[len - 1] == '\r') {
++        len--;
++        buf[len] = 0;
++    }
++
++    new_rules = OPENSSL_malloc(len + slen + 1);
++    if (new_rules == 0)
++        return NULL;
++
++    memcpy(new_rules, buf, len);
++    if (slen > 0) {
++        memcpy(&new_rules[len], suffix, slen);
++        len += slen;
++    }
++    new_rules[len] = 0;
++
++    return new_rules;
++}
++#endif
++
+ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
+                                              STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
+                                              STACK_OF(SSL_CIPHER) **cipher_list,
+@@ -1435,15 +1482,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+     CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
+     const SSL_CIPHER **ca_list = NULL;
+     const SSL_METHOD *ssl_method = ctx->method;
++#ifdef SYSTEM_CIPHERS_FILE
++    char *new_rules = NULL;
++
++    if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {
++        char *p = rule_str + 14;
++
++        new_rules = load_system_str(p);
++        rule_str = new_rules;
++    }
++#endif
+ 
+     /*
+      * Return with error if nothing to do.
+      */
+     if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
+-        return NULL;
++        goto err;
+ 
+     if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
+-        return NULL;
++        goto err;
+ 
+     /*
+      * To reduce the work to do we only want to process the compiled
+@@ -1465,7 +1522,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+     if (num_of_ciphers > 0) {
+         co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
+         if (co_list == NULL)
+-            return NULL;          /* Failure */
++            goto err;
+     }
+ 
+     ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
+@@ -1531,8 +1588,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+      * in force within each class
+      */
+     if (!ssl_cipher_strength_sort(&head, &tail)) {
+-        OPENSSL_free(co_list);
+-        return NULL;
++        goto err;
+     }
+ 
+     /*
+@@ -1576,8 +1632,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+     num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
+     ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
+     if (ca_list == NULL) {
+-        OPENSSL_free(co_list);
+-        return NULL;          /* Failure */
++        goto err;
+     }
+     ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
+                                disabled_mkey, disabled_auth, disabled_enc,
+@@ -1603,8 +1658,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+     OPENSSL_free(ca_list);      /* Not needed anymore */
+ 
+     if (!ok) {                  /* Rule processing failure */
+-        OPENSSL_free(co_list);
+-        return NULL;
++        goto err;
+     }
+ 
+     /*
+@@ -1612,10 +1666,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+      * if we cannot get one.
+      */
+     if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
+-        OPENSSL_free(co_list);
+-        return NULL;
++        goto err;
+     }
+ 
++#ifdef SYSTEM_CIPHERS_FILE
++    OPENSSL_free(new_rules);    /* Not needed anymore */
++#endif
++
+     /* Add TLSv1.3 ciphers first - we always prefer those if possible */
+     for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
+         const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
+@@ -1667,6 +1724,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+     *cipher_list = cipherstack;
+ 
+     return cipherstack;
++
++err:
++    OPENSSL_free(co_list);
++#ifdef SYSTEM_CIPHERS_FILE
++    OPENSSL_free(new_rules);
++#endif
++    return NULL;
++
+ }
+ 
+ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
+Index: openssl-3.5.0-beta1/ssl/ssl_lib.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/ssl/ssl_lib.c
++++ openssl-3.5.0-beta1/ssl/ssl_lib.c
+@@ -679,7 +679,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
+                                 ctx->tls13_ciphersuites,
+                                 &(ctx->cipher_list),
+                                 &(ctx->cipher_list_by_id),
+-                                OSSL_default_cipher_list(), ctx->cert);
++                                SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert);
+     if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
+         ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
+         return 0;
+@@ -4099,7 +4099,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li
+     if (!ssl_create_cipher_list(ret,
+                                 ret->tls13_ciphersuites,
+                                 &ret->cipher_list, &ret->cipher_list_by_id,
+-                                OSSL_default_cipher_list(), ret->cert)
++                                SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert)
+         || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
+         ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
+         goto err;
+Index: openssl-3.5.0-beta1/test/cipherlist_test.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/test/cipherlist_test.c
++++ openssl-3.5.0-beta1/test/cipherlist_test.c
+@@ -261,7 +261,9 @@ end:
+ 
+ int setup_tests(void)
+ {
++#ifndef SYSTEM_CIPHERS_FILE
+     ADD_TEST(test_default_cipherlist_implicit);
++#endif
+     ADD_TEST(test_default_cipherlist_explicit);
+     ADD_TEST(test_default_cipherlist_clear);
+     ADD_TEST(test_stdname_cipherlist);
+Index: openssl-3.5.0-beta1/util/libcrypto.num
+===================================================================
+--- openssl-3.5.0-beta1.orig/util/libcrypto.num
++++ openssl-3.5.0-beta1/util/libcrypto.num
+@@ -5536,6 +5536,7 @@ X509_STORE_CTX_set_get_crl
+ X509_STORE_CTX_set_current_reasons      5664	3_2_0	EXIST::FUNCTION:
+ OSSL_STORE_delete                       5665	3_2_0	EXIST::FUNCTION:
+ BIO_ADDR_copy                           5666	3_2_0	EXIST::FUNCTION:SOCK
++ossl_safe_getenv                           ?	3_2_0	EXIST::FUNCTION:
+ OSSL_CMP_CTX_get0_geninfo_ITAVs         5667	3_3_0	EXIST::FUNCTION:CMP
+ OSSL_CMP_HDR_get0_geninfo_ITAVs         5668	3_3_0	EXIST::FUNCTION:CMP
+ OSSL_CMP_ITAV_new0_certProfile          5669	3_3_0	EXIST::FUNCTION:CMP
+Index: openssl-3.5.0-beta1/apps/openssl.cnf
+===================================================================
+--- openssl-3.5.0-beta1.orig/apps/openssl.cnf
++++ openssl-3.5.0-beta1/apps/openssl.cnf
+@@ -52,6 +52,12 @@ tsa_policy3 = 1.2.3.4.5.7
+ 
+ [openssl_init]
+ providers = provider_sect
++# Load default TLS policy configuration
++ssl_conf = ssl_module
++alg_section = evp_properties
++
++[ evp_properties ]
++# This section is intentionally added empty here to be tuned on particular systems
+ 
+ # List of providers to load
+ [provider_sect]
+@@ -71,6 +77,11 @@ default = default_sect
+ [default_sect]
+ # activate = 1
+ 
++[ ssl_module ]
++system_default = crypto_policy
++
++[ crypto_policy ]
++.include = /etc/crypto-policies/back-ends/opensslcnf.config
+ 
+ ####################################################################
+ [ ca ]

openssl-Add_support_for_Windows_CA_certificate_store.patch

@@ -0,0 +1,743 @@
+From 2a071544f7d2e963a1f68f266f4e375568909d38 Mon Sep 17 00:00:00 2001
+From: Hugo Landau <hlandau@openssl.org>
+Date: Fri, 8 Apr 2022 13:10:52 +0100
+Subject: [PATCH 1/8] Fix URI handling in SSL_CERT_DIR/introduce SSL_CERT_URI
+ env
+
+Fixes #18068.
+---
+ CHANGES.md                                               |   21 
+ Configure                                                |    7 
+ crypto/x509/by_dir.c                                     |   17 
+ crypto/x509/by_store.c                                   |   14 
+ crypto/x509/x509_def.c                                   |   15 
+ doc/build.info                                           |    6 
+ doc/man3/X509_get_default_cert_file.pod                  |  113 +++++
+ include/internal/cryptlib.h                              |   11 
+ include/internal/e_os.h                                  |    2 
+ include/openssl/x509.h.in                                |    3 
+ providers/implementations/include/prov/implementations.h |    1 
+ providers/implementations/storemgmt/build.info           |    3 
+ providers/implementations/storemgmt/winstore_store.c     |  327 +++++++++++++++
+ providers/stores.inc                                     |    3 
+ util/libcrypto.num                                       |    3 
+ util/missingcrypto.txt                                   |    4 
+ 16 files changed, 536 insertions(+), 14 deletions(-)
+
+--- a/CHANGES.md
++++ b/CHANGES.md
+@@ -24,6 +24,27 @@ OpenSSL 3.1
+ 
+ ### Changes between 3.1.0 and 3.1.1 [30 May 2023]
+ 
++ * The `SSL_CERT_PATH` and `SSL_CERT_URI` environment variables are introduced.
++   `SSL_CERT_URI` can be used to specify a URI for a root certificate store. The
++   `SSL_CERT_PATH` environment variable specifies a delimiter-separated list of
++   paths which are searched for root certificates.
++
++   The existing `SSL_CERT_DIR` environment variable is deprecated.
++   `SSL_CERT_DIR` was previously used to specify either a delimiter-separated
++   list of paths or an URI, which is ambiguous. Setting `SSL_CERT_PATH` causes
++   `SSL_CERT_DIR` to be ignored for the purposes of determining root certificate
++   directories, and setting `SSL_CERT_URI` causes `SSL_CERT_DIR` to be ignored
++   for the purposes of determining root certificate stores.
++
++   *Hugo Landau*
++
++ * Support for loading root certificates from the Windows certificate store
++   has been added. The support is in the form of a store which recognises the
++   URI string of `org.openssl.winstore://`. This store is enabled by default and
++   can be disabled using the new compile-time option `no-winstore`.
++
++   *Hugo Landau*
++
+  * Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
+    OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
+ 
+--- a/Configure
++++ b/Configure
+@@ -420,6 +420,7 @@ my @disablables = (
+     "cached-fetch",
+     "camellia",
+     "capieng",
++    "winstore",
+     "cast",
+     "chacha",
+     "cmac",
+@@ -1726,6 +1727,12 @@ unless ($disabled{ktls}) {
+     }
+ }
+ 
++unless ($disabled{winstore}) {
++    unless ($target =~ /^(?:Cygwin|mingw|VC-|BC-)/) {
++        disable('not-windows', 'winstore');
++    }
++}
++
+ push @{$config{openssl_other_defines}}, "OPENSSL_NO_KTLS" if ($disabled{ktls});
+ 
+ # Get the extra flags used when building shared libraries and modules.  We
+--- a/crypto/x509/by_dir.c
++++ b/crypto/x509/by_dir.c
+@@ -88,13 +88,18 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
+     switch (cmd) {
+     case X509_L_ADD_DIR:
+         if (argl == X509_FILETYPE_DEFAULT) {
+-            const char *dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
++            /* If SSL_CERT_PATH is provided and non-empty, use that. */
++            const char *dir = ossl_safe_getenv(X509_get_default_cert_path_env());
+ 
+-            if (dir)
+-                ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
+-            else
+-                ret = add_cert_dir(ld, X509_get_default_cert_dir(),
+-                                   X509_FILETYPE_PEM);
++            /* Fallback to SSL_CERT_DIR. */
++            if (dir == NULL)
++                dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
++
++            /* Fallback to built-in default. */
++            if (dir == NULL)
++                dir = X509_get_default_cert_dir();
++
++            ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
+             if (!ret) {
+                 ERR_raise(ERR_LIB_X509, X509_R_LOADING_CERT_DIR);
+             }
+--- a/crypto/x509/by_store.c
++++ b/crypto/x509/by_store.c
+@@ -111,11 +111,21 @@ static int by_store_ctrl_ex(X509_LOOKUP
+ {
+     switch (cmd) {
+     case X509_L_ADD_STORE:
+-        /* If no URI is given, use the default cert dir as default URI */
++        /* First try the newer default cert URI envvar. */
++        if (argp == NULL)
++            argp = ossl_safe_getenv(X509_get_default_cert_uri_env());
++
++        /* If not set, see if we have a URI in the older cert dir envvar. */
+         if (argp == NULL)
+             argp = ossl_safe_getenv(X509_get_default_cert_dir_env());
++
++        /* Fallback to default store URI. */
+         if (argp == NULL)
+-            argp = X509_get_default_cert_dir();
++            argp = X509_get_default_cert_uri();
++
++        /* No point adding an empty URI. */
++        if (!*argp)
++            return 1;
+ 
+         {
+             STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
+--- a/crypto/x509/x509_def.c
++++ b/crypto/x509/x509_def.c
+@@ -22,6 +22,11 @@ const char *X509_get_default_cert_area(v
+     return X509_CERT_AREA;
+ }
+ 
++const char *X509_get_default_cert_uri(void)
++{
++    return X509_CERT_URI;
++}
++
+ const char *X509_get_default_cert_dir(void)
+ {
+     return X509_CERT_DIR;
+@@ -32,6 +37,16 @@ const char *X509_get_default_cert_file(v
+     return X509_CERT_FILE;
+ }
+ 
++const char *X509_get_default_cert_uri_env(void)
++{
++    return X509_CERT_URI_EVP;
++}
++
++const char *X509_get_default_cert_path_env(void)
++{
++    return X509_CERT_PATH_EVP;
++}
++
+ const char *X509_get_default_cert_dir_env(void)
+ {
+     return X509_CERT_DIR_EVP;
+--- a/doc/build.info
++++ b/doc/build.info
+@@ -2791,6 +2791,10 @@ DEPEND[html/man3/X509_get0_uids.html]=ma
+ GENERATE[html/man3/X509_get0_uids.html]=man3/X509_get0_uids.pod
+ DEPEND[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod
+ GENERATE[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod
++DEPEND[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod
++GENERATE[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod
++DEPEND[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod
++GENERATE[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod
+ DEPEND[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod
+ GENERATE[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod
+ DEPEND[man/man3/X509_get_extension_flags.3]=man3/X509_get_extension_flags.pod
+@@ -3461,6 +3465,7 @@ html/man3/X509_get0_distinguishing_id.ht
+ html/man3/X509_get0_notBefore.html \
+ html/man3/X509_get0_signature.html \
+ html/man3/X509_get0_uids.html \
++html/man3/X509_get_default_cert_file.html \
+ html/man3/X509_get_extension_flags.html \
+ html/man3/X509_get_pubkey.html \
+ html/man3/X509_get_serialNumber.html \
+@@ -4064,6 +4069,7 @@ man/man3/X509_get0_distinguishing_id.3 \
+ man/man3/X509_get0_notBefore.3 \
+ man/man3/X509_get0_signature.3 \
+ man/man3/X509_get0_uids.3 \
++man/man3/X509_get_default_cert_file.3 \
+ man/man3/X509_get_extension_flags.3 \
+ man/man3/X509_get_pubkey.3 \
+ man/man3/X509_get_serialNumber.3 \
+--- /dev/null
++++ b/doc/man3/X509_get_default_cert_file.pod
+@@ -0,0 +1,113 @@
++=pod
++
++=head1 NAME
++
++X509_get_default_cert_file, X509_get_default_cert_file_env,
++X509_get_default_cert_path_env,
++X509_get_default_cert_dir, X509_get_default_cert_dir_env,
++X509_get_default_cert_uri, X509_get_default_cert_uri_env -
++retrieve default locations for trusted CA certificates
++
++=head1 SYNOPSIS
++
++ #include <openssl/x509.h>
++
++ const char *X509_get_default_cert_file(void);
++ const char *X509_get_default_cert_dir(void);
++ const char *X509_get_default_cert_uri(void);
++
++ const char *X509_get_default_cert_file_env(void);
++ const char *X509_get_default_cert_path_env(void);
++ const char *X509_get_default_cert_dir_env(void);
++ const char *X509_get_default_cert_uri_env(void);
++
++=head1 DESCRIPTION
++
++The X509_get_default_cert_file() function returns the default path
++to a file containing trusted CA certificates. OpenSSL will use this as
++the default path when it is asked to load trusted CA certificates
++from a file and no other path is specified. If the file exists, CA certificates
++are loaded from the file.
++
++The X509_get_default_cert_dir() function returns a default delimeter-separated
++list of paths to a directories containing trusted CA certificates named in the
++hashed format. OpenSSL will use this as the default list of paths when it is
++asked to load trusted CA certificates from a directory and no other path is
++specified. If a given directory in the list exists, OpenSSL attempts to lookup
++CA certificates in this directory by calculating a filename based on a hash of
++the certificate's subject name.
++
++The X509_get_default_cert_uri() function returns the default URI for a
++certificate store accessed programmatically via an OpenSSL provider. If there is
++no default store applicable to the system for which OpenSSL was compiled, this
++returns an empty string.
++
++X509_get_default_cert_file_env() and X509_get_default_cert_uri_env() return
++environment variable names which are recommended to specify nondefault values to
++be used instead of the values returned by X509_get_default_cert_file() and
++X509_get_default_cert_uri() respectively. The values returned by the latter
++functions are not affected by these environment variables; you must check for
++these environment variables yourself, using these functions to retrieve the
++correct environment variable names. If an environment variable is not set, the
++value returned by the corresponding function above should be used.
++
++X509_get_default_cert_path_env() returns the environment variable name which is
++recommended to specify a nondefault value to be used instead of the value
++returned by X509_get_default_cert_dir(). This environment variable supercedes
++the deprecated environment variable whose name is returned by
++X509_get_default_cert_dir_env(). This environment variable was deprecated as its
++contents can be interpreted ambiguously; see NOTES.
++
++By default, OpenSSL uses the path list specified in the environment variable
++whose name is returned by X509_get_default_cert_path_env() if it is set;
++otherwise, it uses the path list specified in the environment variable whose
++name is returned by X509_get_default_cert_dir_env() if it is set; otherwise, it
++uses the value returned by X509_get_default_cert_dir()).
++
++=head1 NOTES
++
++X509_get_default_cert_uri(), X509_get_default_cert_uri_env() and
++X509_get_default_cert_path_env() were introduced in OpenSSL 3.1. Prior to this
++release, store URIs were expressed via the environment variable returned by
++X509_get_default_cert_dir_env(); this environment variable could be used to
++specify either a list of directories or a store URI. This creates an ambiguity
++in which the environment variable returned by X509_get_default_cert_dir_env() is
++interpreted both as a list of directories and as a store URI.
++
++This usage and the environment variable returned by
++X509_get_default_cert_dir_env() are now deprecated; to specify a store URI, use
++the environment variable returned by X509_get_default_cert_uri_env(), and to
++specify a list of directories, use the environment variable returned by
++X509_get_default_cert_path_env().
++
++=head1 RETURN VALUES
++
++These functions return pointers to constant strings with static storage
++duration.
++
++=head1 SEE ALSO
++
++L<X509_LOOKUP(3)>,
++L<SSL_CTX_set_default_verify_file(3)>,
++L<SSL_CTX_set_default_verify_dir(3)>,
++L<SSL_CTX_set_default_verify_store(3)>,
++L<SSL_CTX_load_verify_file(3)>,
++L<SSL_CTX_load_verify_dir(3)>,
++L<SSL_CTX_load_verify_store(3)>,
++L<SSL_CTX_load_verify_locations(3)>
++
++=head1 HISTORY
++
++X509_get_default_cert_uri(), X509_get_default_cert_path_env() and
++X509_get_default_cert_uri_env() were introduced in OpenSSL 3.1.
++
++=head1 COPYRIGHT
++
++Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
++
++Licensed under the Apache License 2.0 (the "License").  You may not use
++this file except in compliance with the License.  You can obtain a copy
++in the file LICENSE in the source distribution or at
++L<https://www.openssl.org/source/license.html>.
++
++=cut
+--- a/include/internal/cryptlib.h
++++ b/include/internal/cryptlib.h
+@@ -13,6 +13,8 @@
+ 
+ # include <stdlib.h>
+ # include <string.h>
++# include "openssl/configuration.h"
++# include "internal/e_os.h" /* ossl_inline in many files */
+ 
+ # ifdef OPENSSL_USE_APPLINK
+ #  define BIO_FLAGS_UPLINK_INTERNAL 0x8000
+@@ -77,6 +79,14 @@ DEFINE_LHASH_OF_EX(MEM);
+ #  define CTLOG_FILE              "OSSL$DATAROOT:[000000]ct_log_list.cnf"
+ # endif
+ 
++#ifndef OPENSSL_NO_WINSTORE
++# define X509_CERT_URI            "org.openssl.winstore://"
++#else
++# define X509_CERT_URI            ""
++#endif
++
++# define X509_CERT_URI_EVP        "SSL_CERT_URI"
++# define X509_CERT_PATH_EVP       "SSL_CERT_PATH"
+ # define X509_CERT_DIR_EVP        "SSL_CERT_DIR"
+ # define X509_CERT_FILE_EVP       "SSL_CERT_FILE"
+ # define CTLOG_FILE_EVP           "CTLOG_FILE"
+@@ -240,5 +250,4 @@ static ossl_inline int ossl_is_absolute_
+ # endif
+     return path[0] == '/';
+ }
+-
+ #endif
+--- a/include/internal/e_os.h
++++ b/include/internal/e_os.h
+@@ -249,7 +249,7 @@ FILE *__iob_func();
+ /***********************************************/
+ 
+ # if defined(OPENSSL_SYS_WINDOWS)
+-#  if (_MSC_VER >= 1310) && !defined(_WIN32_WCE)
++#  if defined(_MSC_VER) && (_MSC_VER >= 1310) && !defined(_WIN32_WCE)
+ #   define open _open
+ #   define fdopen _fdopen
+ #   define close _close
+--- a/include/openssl/x509.h.in
++++ b/include/openssl/x509.h.in
+@@ -491,8 +491,11 @@ ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s
+ ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj);
+ 
+ const char *X509_get_default_cert_area(void);
++const char *X509_get_default_cert_uri(void);
+ const char *X509_get_default_cert_dir(void);
+ const char *X509_get_default_cert_file(void);
++const char *X509_get_default_cert_uri_env(void);
++const char *X509_get_default_cert_path_env(void);
+ const char *X509_get_default_cert_dir_env(void);
+ const char *X509_get_default_cert_file_env(void);
+ const char *X509_get_default_private_dir(void);
+--- a/providers/implementations/include/prov/implementations.h
++++ b/providers/implementations/include/prov/implementations.h
+@@ -517,3 +517,4 @@ extern const OSSL_DISPATCH ossl_SubjectP
+ extern const OSSL_DISPATCH ossl_pem_to_der_decoder_functions[];
+ 
+ extern const OSSL_DISPATCH ossl_file_store_functions[];
++extern const OSSL_DISPATCH ossl_winstore_store_functions[];
+--- a/providers/implementations/storemgmt/build.info
++++ b/providers/implementations/storemgmt/build.info
+@@ -4,3 +4,6 @@
+ $STORE_GOAL=../../libdefault.a
+ 
+ SOURCE[$STORE_GOAL]=file_store.c file_store_any2obj.c
++IF[{- !$disabled{winstore} -}]
++    SOURCE[$STORE_GOAL]=winstore_store.c
++ENDIF
+--- /dev/null
++++ b/providers/implementations/storemgmt/winstore_store.c
+@@ -0,0 +1,327 @@
++/*
++ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the Apache License 2.0 (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++#include <openssl/store.h>
++#include <openssl/core_dispatch.h>
++#include <openssl/core_names.h>
++#include <openssl/core_object.h>
++#include <openssl/bio.h>
++#include <openssl/err.h>
++#include <openssl/params.h>
++#include <openssl/decoder.h>
++#include <openssl/proverr.h>
++#include <openssl/store.h>       /* The OSSL_STORE_INFO type numbers */
++#include "internal/cryptlib.h"
++#include "internal/o_dir.h"
++#include "crypto/decoder.h"
++#include "crypto/ctype.h"        /* ossl_isdigit() */
++#include "prov/implementations.h"
++#include "prov/bio.h"
++#include "file_store_local.h"
++
++#include <wincrypt.h>
++
++enum {
++    STATE_IDLE,
++    STATE_READ,
++    STATE_EOF,
++};
++
++struct winstore_ctx_st {
++    void                   *provctx;
++    char                   *propq;
++    unsigned char          *subject;
++    size_t                  subject_len;
++
++    HCERTSTORE              win_store;
++    const CERT_CONTEXT     *win_ctx;
++    int                     state;
++
++    OSSL_DECODER_CTX       *dctx;
++};
++
++static void winstore_win_reset(struct winstore_ctx_st *ctx)
++{
++    if (ctx->win_ctx != NULL) {
++        CertFreeCertificateContext(ctx->win_ctx);
++        ctx->win_ctx = NULL;
++    }
++
++    ctx->state = STATE_IDLE;
++}
++
++static void winstore_win_advance(struct winstore_ctx_st *ctx)
++{
++    CERT_NAME_BLOB name = {0};
++
++    if (ctx->state == STATE_EOF)
++        return;
++
++    name.cbData = ctx->subject_len;
++    name.pbData = ctx->subject;
++
++    ctx->win_ctx = (name.cbData == 0 ? NULL :
++        CertFindCertificateInStore(ctx->win_store,
++                                   X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
++                                   0, CERT_FIND_SUBJECT_NAME,
++                                   &name, ctx->win_ctx));
++
++    ctx->state = (ctx->win_ctx == NULL) ? STATE_EOF : STATE_READ;
++}
++
++static void *winstore_open(void *provctx, const char *uri)
++{
++    struct winstore_ctx_st *ctx = NULL;
++
++    if (!HAS_CASE_PREFIX(uri, "org.openssl.winstore:"))
++        return NULL;
++
++    ctx = OPENSSL_zalloc(sizeof(*ctx));
++    if (ctx == NULL)
++        return NULL;
++
++    ctx->provctx    = provctx;
++    ctx->win_store  = CertOpenSystemStoreW(0, L"ROOT");
++    if (ctx->win_store == NULL) {
++        OPENSSL_free(ctx);
++        return NULL;
++    }
++
++    winstore_win_reset(ctx);
++    return ctx;
++}
++
++static void *winstore_attach(void *provctx, OSSL_CORE_BIO *cin)
++{
++    return NULL; /* not supported */
++}
++
++static const OSSL_PARAM *winstore_settable_ctx_params(void *loaderctx, const OSSL_PARAM params[])
++{
++    static const OSSL_PARAM known_settable_ctx_params[] = {
++        OSSL_PARAM_octet_string(OSSL_STORE_PARAM_SUBJECT, NULL, 0),
++        OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_PROPERTIES, NULL, 0),
++        OSSL_PARAM_END
++    };
++    return known_settable_ctx_params;
++}
++
++static int winstore_set_ctx_params(void *loaderctx, const OSSL_PARAM params[])
++{
++    struct winstore_ctx_st *ctx = loaderctx;
++    const OSSL_PARAM *p;
++    int do_reset = 0;
++
++    if (params == NULL)
++        return 1;
++
++    p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_PROPERTIES);
++    if (p != NULL) {
++        do_reset = 1;
++        OPENSSL_free(ctx->propq);
++        ctx->propq = NULL;
++        if (!OSSL_PARAM_get_utf8_string(p, &ctx->propq, 0))
++            return 0;
++    }
++
++    p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_SUBJECT);
++    if (p != NULL) {
++        const unsigned char *der = NULL;
++        size_t der_len = 0;
++
++        if (!OSSL_PARAM_get_octet_string_ptr(p, (const void **)&der, &der_len))
++            return 0;
++
++        do_reset = 1;
++
++        OPENSSL_free(ctx->subject);
++
++        ctx->subject = OPENSSL_malloc(der_len);
++        if (ctx->subject == NULL) {
++            ctx->subject_len = 0;
++            return 0;
++        }
++
++        ctx->subject_len = der_len;
++        memcpy(ctx->subject, der, der_len);
++    }
++
++    if (do_reset) {
++        winstore_win_reset(ctx);
++        winstore_win_advance(ctx);
++    }
++
++    return 1;
++}
++
++struct load_data_st {
++    OSSL_CALLBACK  *object_cb;
++    void           *object_cbarg;
++};
++
++static int load_construct(OSSL_DECODER_INSTANCE *decoder_inst,
++                           const OSSL_PARAM *params, void *construct_data)
++{
++    struct load_data_st *data = construct_data;
++    return data->object_cb(params, data->object_cbarg);
++}
++
++static void load_cleanup(void *construct_data)
++{
++    /* No-op. */
++}
++
++static int setup_decoder(struct winstore_ctx_st *ctx)
++{
++    OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(ctx->provctx);
++    const OSSL_ALGORITHM *to_algo = NULL;
++
++    if (ctx->dctx != NULL)
++        return 1;
++
++    ctx->dctx = OSSL_DECODER_CTX_new();
++    if (ctx->dctx == NULL) {
++        ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
++        return 0;
++    }
++
++    if (!OSSL_DECODER_CTX_set_input_type(ctx->dctx, "DER")) {
++        ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
++        goto err;
++    }
++
++    if (!OSSL_DECODER_CTX_set_input_structure(ctx->dctx, "Certificate")) {
++        ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
++        goto err;
++    }
++
++    for (to_algo = ossl_any_to_obj_algorithm;
++         to_algo->algorithm_names != NULL;
++         to_algo++) {
++        OSSL_DECODER *to_obj = NULL;
++        OSSL_DECODER_INSTANCE *to_obj_inst = NULL;
++
++        /*
++         * Create the internal last resort decoder implementation
++         * together with a "decoder instance".
++         * The decoder doesn't need any identification or to be
++         * attached to any provider, since it's only used locally.
++         */
++        to_obj = ossl_decoder_from_algorithm(0, to_algo, NULL);
++        if (to_obj != NULL)
++            to_obj_inst = ossl_decoder_instance_new(to_obj, ctx->provctx);
++
++        OSSL_DECODER_free(to_obj);
++        if (to_obj_inst == NULL)
++            goto err;
++
++        if (!ossl_decoder_ctx_add_decoder_inst(ctx->dctx,
++                                               to_obj_inst)) {
++            ossl_decoder_instance_free(to_obj_inst);
++            ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
++            goto err;
++        }
++    }
++
++    if (!OSSL_DECODER_CTX_add_extra(ctx->dctx, libctx, ctx->propq)) {
++        ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
++        goto err;
++    }
++
++    if (!OSSL_DECODER_CTX_set_construct(ctx->dctx, load_construct)) {
++        ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
++        goto err;
++    }
++
++    if (!OSSL_DECODER_CTX_set_cleanup(ctx->dctx, load_cleanup)) {
++        ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
++        goto err;
++    }
++
++    return 1;
++
++err:
++    OSSL_DECODER_CTX_free(ctx->dctx);
++    ctx->dctx = NULL;
++    return 0;
++}
++
++static int winstore_load_using(struct winstore_ctx_st *ctx,
++                               OSSL_CALLBACK *object_cb, void *object_cbarg,
++                               OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg,
++                               const void *der, size_t der_len)
++{
++    struct load_data_st data;
++    const unsigned char *der_ = der;
++    size_t der_len_ = der_len;
++
++    if (setup_decoder(ctx) == 0)
++        return 0;
++
++    data.object_cb      = object_cb;
++    data.object_cbarg   = object_cbarg;
++
++    OSSL_DECODER_CTX_set_construct_data(ctx->dctx, &data);
++    OSSL_DECODER_CTX_set_passphrase_cb(ctx->dctx, pw_cb, pw_cbarg);
++
++    if (OSSL_DECODER_from_data(ctx->dctx, &der_, &der_len_) == 0)
++        return 0;
++
++    return 1;
++}
++
++static int winstore_load(void *loaderctx,
++                         OSSL_CALLBACK *object_cb, void *object_cbarg,
++                         OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg)
++{
++    int ret = 0;
++    struct winstore_ctx_st *ctx = loaderctx;
++
++    if (ctx->state != STATE_READ)
++        return 0;
++
++    ret = winstore_load_using(ctx, object_cb, object_cbarg, pw_cb, pw_cbarg,
++                              ctx->win_ctx->pbCertEncoded,
++                              ctx->win_ctx->cbCertEncoded);
++
++    if (ret == 1)
++        winstore_win_advance(ctx);
++
++    return ret;
++}
++
++static int winstore_eof(void *loaderctx)
++{
++    struct winstore_ctx_st *ctx = loaderctx;
++
++    return ctx->state != STATE_READ;
++}
++
++static int winstore_close(void *loaderctx)
++{
++    struct winstore_ctx_st *ctx = loaderctx;
++
++    winstore_win_reset(ctx);
++    CertCloseStore(ctx->win_store, 0);
++    OSSL_DECODER_CTX_free(ctx->dctx);
++    OPENSSL_free(ctx->propq);
++    OPENSSL_free(ctx->subject);
++    OPENSSL_free(ctx);
++    return 1;
++}
++
++const OSSL_DISPATCH ossl_winstore_store_functions[] = {
++    { OSSL_FUNC_STORE_OPEN, (void (*)(void))winstore_open },
++    { OSSL_FUNC_STORE_ATTACH, (void (*)(void))winstore_attach },
++    { OSSL_FUNC_STORE_SETTABLE_CTX_PARAMS, (void (*)(void))winstore_settable_ctx_params },
++    { OSSL_FUNC_STORE_SET_CTX_PARAMS, (void (*)(void))winstore_set_ctx_params },
++    { OSSL_FUNC_STORE_LOAD, (void (*)(void))winstore_load },
++    { OSSL_FUNC_STORE_EOF, (void (*)(void))winstore_eof },
++    { OSSL_FUNC_STORE_CLOSE, (void (*)(void))winstore_close },
++    { 0, NULL },
++};
+--- a/providers/stores.inc
++++ b/providers/stores.inc
+@@ -12,3 +12,6 @@
+ #endif
+ 
+ STORE("file", "yes", ossl_file_store_functions)
++#ifndef OPENSSL_NO_WINSTORE
++STORE("org.openssl.winstore", "yes", ossl_winstore_store_functions)
++#endif
+--- a/util/libcrypto.num
++++ b/util/libcrypto.num
+@@ -5435,4 +5435,7 @@ EVP_MD_CTX_dup
+ EVP_CIPHER_CTX_dup                      5563	3_1_0	EXIST::FUNCTION:
+ BN_are_coprime                          5564	3_1_0	EXIST::FUNCTION:
+ OSSL_CMP_MSG_update_recipNonce          5565	3_0_9	EXIST::FUNCTION:CMP
++X509_get_default_cert_uri               ?	3_1_0	EXIST::FUNCTION:
++X509_get_default_cert_uri_env           ?	3_1_0	EXIST::FUNCTION:
++X509_get_default_cert_path_env          ?	3_1_0	EXIST::FUNCTION:
+ ossl_safe_getenv                        ?	3_0_0	EXIST::FUNCTION:
+--- a/util/missingcrypto.txt
++++ b/util/missingcrypto.txt
+@@ -1273,10 +1273,6 @@ X509_get0_trust_objects(3)
+ X509_get1_email(3)
+ X509_get1_ocsp(3)
+ X509_get_default_cert_area(3)
+-X509_get_default_cert_dir(3)
+-X509_get_default_cert_dir_env(3)
+-X509_get_default_cert_file(3)
+-X509_get_default_cert_file_env(3)
+ X509_get_default_private_dir(3)
+ X509_get_pubkey_parameters(3)
+ X509_get_signature_type(3)

openssl-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch

@@ -0,0 +1,217 @@
+From f470b130139919f32926b3f5a75ba4d161cbcf88 Mon Sep 17 00:00:00 2001
+From: Clemens Lang <cllang@redhat.com>
+Date: Tue, 1 Mar 2022 15:44:18 +0100
+Subject: Allow SHA1 in seclevel 1 if rh-allow-sha1-signatures = yes
+
+NOTE: This patch is ported from CentOS 9 / RHEL 9, where it allows SHA1
+in seclevel 2 if rh-allow-sha1-signatures = yes. This was chosen because
+on CentOS 9 and RHEL 9, the LEGACY crypto policy sets the security level
+to 2.
+
+On Fedora 35 (with OpenSSL 1.1) the legacy crypto policy uses security
+level 1. Because Fedora 36 supports both OpenSSL 1.1 and OpenSSL 3, and
+we want the legacy crypto policy to allow SHA-1 in TLS, the only option
+to make this happen consistently in both OpenSSL 1.1 and OpenSSL 3 is
+SECLEVEL=1 (which will allow SHA-1 in OpenSSL 1.1) and this change to
+allow SHA-1 in SECLEVEL=1 with rh-allow-sha1-signatures = yes (which
+will allow SHA-1 in OpenSSL 3).
+
+The change from CentOS 9 / RHEL 9 cannot be applied unmodified, because
+rh-allow-sha1-signatures will default to yes in Fedora (according to our
+current plans including until F38), and the security level in the
+DEFAULT crypto policy is 2, i.e., the unmodified change would weaken the
+default configuration.
+
+Related: rhbz#2055796
+Related: rhbz#2070977
+---
+ crypto/x509/x509_vfy.c        | 20 ++++++++++-
+ doc/man5/config.pod           |  7 ++++
+ ssl/t1_lib.c                  | 67 ++++++++++++++++++++++++++++-------
+ test/recipes/25-test_verify.t |  4 +--
+ 4 files changed, 82 insertions(+), 16 deletions(-)
+
+Index: openssl-3.1.4/crypto/x509/x509_vfy.c
+===================================================================
+--- openssl-3.1.4.orig/crypto/x509/x509_vfy.c
++++ openssl-3.1.4/crypto/x509/x509_vfy.c
+@@ -25,6 +25,7 @@
+ #include <openssl/objects.h>
+ #include <openssl/core_names.h>
+ #include "internal/dane.h"
++#include "internal/sslconf.h"
+ #include "crypto/x509.h"
+ #include "x509_local.h"
+ 
+@@ -3438,14 +3439,31 @@ static int check_sig_level(X509_STORE_CT
+ {
+     int secbits = -1;
+     int level = ctx->param->auth_level;
++    int nid;
++    OSSL_LIB_CTX *libctx = NULL;
+ 
+     if (level <= 0)
+         return 1;
+     if (level > NUM_AUTH_LEVELS)
+         level = NUM_AUTH_LEVELS;
+ 
+-    if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
++    if (ctx->libctx)
++        libctx = ctx->libctx;
++    else if (cert->libctx)
++        libctx = cert->libctx;
++    else
++        libctx = OSSL_LIB_CTX_get0_global_default();
++
++    if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL))
+         return 0;
+ 
++    if ((nid == NID_sha1 || nid == NID_md5_sha1)
++            && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
++            && ctx->param->auth_level < 2)
++        /* When rh-allow-sha1-signatures = yes and security level <= 1,
++         * explicitly allow SHA1 for backwards compatibility. Also allow
++         * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
++        return 1;
++
+     return secbits >= minbits_table[level - 1];
+ }
+Index: openssl-3.1.4/doc/man5/config.pod
+===================================================================
+--- openssl-3.1.4.orig/doc/man5/config.pod
++++ openssl-3.1.4/doc/man5/config.pod
+@@ -317,6 +317,13 @@ this option is set to B<no>.  Because TL
+ pseudorandom function (PRF) to derive key material, disabling
+ B<rh-allow-sha1-signatures> requires the use of TLS 1.2 or newer.
+ 
++Note that enabling B<rh-allow-sha1-signatures> will allow TLS signature
++algorithms that use SHA1 in security level 1, despite the definition of
++security level 1 of 80 bits of security, which SHA1 and MD5-SHA1 do not meet.
++This allows using SHA1 and MD5-SHA1 in TLS in the LEGACY crypto-policy on
++Fedora without requiring to set the security level to 0, which would include
++further insecure algorithms, and thus restores support for TLS 1.0 and 1.1.
++
+ This is a downstream specific option, and normally it should be set up via crypto-policies.
+ 
+ =item B<fips_mode> (deprecated)
+Index: openssl-3.1.4/ssl/t1_lib.c
+===================================================================
+--- openssl-3.1.4.orig/ssl/t1_lib.c
++++ openssl-3.1.4/ssl/t1_lib.c
+@@ -20,6 +20,7 @@
+ #include <openssl/bn.h>
+ #include <openssl/provider.h>
+ #include <openssl/param_build.h>
++#include "crypto/x509.h"
+ #include "internal/sslconf.h"
+ #include "internal/nelem.h"
+ #include "internal/sizes.h"
+@@ -1588,19 +1589,28 @@ int tls12_check_peer_sigalg(SSL *s, uint
+         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST);
+         return 0;
+     }
+-    /*
+-     * Make sure security callback allows algorithm. For historical
+-     * reasons we have to pass the sigalg as a two byte char array.
+-     */
+-    sigalgstr[0] = (sig >> 8) & 0xff;
+-    sigalgstr[1] = sig & 0xff;
+-    secbits = sigalg_security_bits(s->ctx, lu);
+-    if (secbits == 0 ||
+-        !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
+-                      md != NULL ? EVP_MD_get_type(md) : NID_undef,
+-                      (void *)sigalgstr)) {
+-        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
+-        return 0;
++
++    if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
++            && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)
++            && SSL_get_security_level(s) < 2) {
++        /* When rh-allow-sha1-signatures = yes and security level <= 1,
++         * explicitly allow SHA1 for backwards compatibility. Also allow
++         * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
++    } else {
++        /*
++         * Make sure security callback allows algorithm. For historical
++         * reasons we have to pass the sigalg as a two byte char array.
++         */
++        sigalgstr[0] = (sig >> 8) & 0xff;
++        sigalgstr[1] = sig & 0xff;
++        secbits = sigalg_security_bits(s->ctx, lu);
++        if (secbits == 0 ||
++            !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
++                          md != NULL ? EVP_MD_get_type(md) : NID_undef,
++                          (void *)sigalgstr)) {
++            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
++            return 0;
++        }
+     }
+     /* Store the sigalg the peer uses */
+     s->s3.tmp.peer_sigalg = lu;
+@@ -2138,6 +2148,15 @@ static int tls12_sigalg_allowed(const SS
+         }
+     }
+ 
++    if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
++            && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)
++            && SSL_get_security_level(s) < 2) {
++        /* When rh-allow-sha1-signatures = yes and security level <= 1,
++         * explicitly allow SHA1 for backwards compatibility. Also allow
++         * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
++        return 1;
++    }
++
+     /* Finally see if security callback allows it */
+     secbits = sigalg_security_bits(s->ctx, lu);
+     sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
+@@ -3007,6 +3026,8 @@ static int ssl_security_cert_sig(SSL *s,
+ {
+     /* Lookup signature algorithm digest */
+     int secbits, nid, pknid;
++    OSSL_LIB_CTX *libctx = NULL;
++
+     /* Don't check signature if self signed */
+     if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
+         return 1;
+@@ -3015,6 +3036,26 @@ static int ssl_security_cert_sig(SSL *s,
+     /* If digest NID not defined use signature NID */
+     if (nid == NID_undef)
+         nid = pknid;
++
++    if (x && x->libctx)
++        libctx = x->libctx;
++    else if (ctx && ctx->libctx)
++        libctx = ctx->libctx;
++    else if (s && s->ctx && s->ctx->libctx)
++        libctx = s->ctx->libctx;
++    else
++        libctx = OSSL_LIB_CTX_get0_global_default();
++
++    if ((nid == NID_sha1 || nid == NID_md5_sha1)
++            && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
++            && ((s != NULL && SSL_get_security_level(s) < 2)
++                || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 2)
++            ))
++        /* When rh-allow-sha1-signatures = yes and security level <= 1,
++         * explicitly allow SHA1 for backwards compatibility. Also allow
++         * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
++        return 1;
++
+     if (s)
+         return ssl_security(s, op, secbits, nid, x);
+     else
+Index: openssl-3.1.4/test/recipes/25-test_verify.t
+===================================================================
+--- openssl-3.1.4.orig/test/recipes/25-test_verify.t
++++ openssl-3.1.4/test/recipes/25-test_verify.t
+@@ -439,8 +439,8 @@ ok(verify("ee-pss-sha1-cert", "", ["root
+ ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ),
+     "CA with PSS signature using SHA256");
+ 
+-ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
+-    "Reject PSS signature using SHA1 and auth level 1");
++ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
++    "Reject PSS signature using SHA1 and auth level 2");
+ 
+ ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
+     "PSS signature using SHA256 and auth level 2");

openssl-Allow-disabling-of-SHA1-signatures.patch

@@ -0,0 +1,471 @@
+Index: openssl-3.5.0/crypto/context.c
+===================================================================
+--- openssl-3.5.0.orig/crypto/context.c
++++ openssl-3.5.0/crypto/context.c
+@@ -85,6 +85,8 @@ struct ossl_lib_ctx_st {
+ #endif
+     STACK_OF(SSL_COMP) *comp_methods;
+ 
++    void *legacy_digest_signatures;
++
+     int ischild;
+     int conf_diagnostics;
+ };
+@@ -119,6 +121,23 @@ int ossl_lib_ctx_is_child(OSSL_LIB_CTX *
+     return ctx->ischild;
+ }
+ 
++static void ossl_ctx_legacy_digest_signatures_free(void *vldsigs)
++{
++    OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs;
++
++    if (ldsigs != NULL) {
++        OPENSSL_free(ldsigs);
++    }
++}
++
++static void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx)
++{
++    OSSL_LEGACY_DIGEST_SIGNATURES* ldsigs = OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES));
++    /* Default to allow SHA-1 and support disabling it via config. */
++    ldsigs->allowed = 1;
++    return ldsigs;
++}
++
+ static void context_deinit_objs(OSSL_LIB_CTX *ctx);
+ 
+ static int context_init(OSSL_LIB_CTX *ctx)
+@@ -235,6 +256,10 @@ static int context_init(OSSL_LIB_CTX *ct
+         goto err;
+ #endif
+ 
++    ctx->legacy_digest_signatures = ossl_ctx_legacy_digest_signatures_new(ctx);
++    if (ctx->legacy_digest_signatures == NULL)
++        goto err;
++
+     /* Low priority. */
+ #ifndef FIPS_MODULE
+     ctx->child_provider = ossl_child_prov_ctx_new(ctx);
+@@ -382,6 +407,11 @@ static void context_deinit_objs(OSSL_LIB
+     }
+ #endif
+ 
++    if (ctx->legacy_digest_signatures != NULL) {
++        ossl_ctx_legacy_digest_signatures_free(ctx->legacy_digest_signatures);
++        ctx->legacy_digest_signatures = NULL;
++    }
++
+     /* Low priority. */
+ #ifndef FIPS_MODULE
+     if (ctx->child_provider != NULL) {
+@@ -660,6 +690,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX
+     case OSSL_LIB_CTX_COMP_METHODS:
+         return (void *)&ctx->comp_methods;
+ 
++    case OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX:
++        return ctx->legacy_digest_signatures;
++
+     default:
+         return NULL;
+     }
+@@ -714,3 +747,44 @@ void OSSL_LIB_CTX_set_conf_diagnostics(O
+         return;
+     libctx->conf_diagnostics = value;
+ }
++
++static OSSL_LEGACY_DIGEST_SIGNATURES *ossl_ctx_legacy_digest_signatures(
++        OSSL_LIB_CTX *libctx, int loadconfig)
++{
++#ifndef FIPS_MODULE
++    if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL))
++        return NULL;
++#endif
++
++    return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX);
++}
++
++int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig)
++{
++    OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs
++        = ossl_ctx_legacy_digest_signatures(libctx, loadconfig);
++
++ #ifndef FIPS_MODULE
++    if (ossl_safe_getenv("OPENSSL_ENABLE_SHA1_SIGNATURES") != NULL)
++        /* This is to be used in tests if SHA-1 is disabled. */
++        return 1;
++ #endif
++
++    /* Default to allow SHA-1 and support disabling it via config. */
++    return ldsigs != NULL ? ldsigs->allowed : 1;
++}
++
++int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
++                                                  int loadconfig)
++{
++    OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs
++        = ossl_ctx_legacy_digest_signatures(libctx, loadconfig);
++
++    if (ldsigs == NULL) {
++        ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);
++        return 0;
++    }
++
++    ldsigs->allowed = allow;
++    return 1;
++}
+Index: openssl-3.5.0/crypto/evp/evp_cnf.c
+===================================================================
+--- openssl-3.5.0.orig/crypto/evp/evp_cnf.c
++++ openssl-3.5.0/crypto/evp/evp_cnf.c
+@@ -10,6 +10,7 @@
+ #include <stdio.h>
+ #include <openssl/crypto.h>
+ #include "internal/cryptlib.h"
++#include "internal/sslconf.h"
+ #include <openssl/conf.h>
+ #include <openssl/x509.h>
+ #include <openssl/x509v3.h>
+@@ -57,6 +58,18 @@ static int alg_module_init(CONF_IMODULE
+                 ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
+                 return 0;
+             }
++        } else if (strcmp(oval->name, "rh-allow-sha1-signatures") == 0) {
++            int m;
++
++            /* Detailed error already reported. */
++            if (!X509V3_get_value_bool(oval, &m))
++                return 0;
++
++            if (!ossl_ctx_legacy_digest_signatures_allowed_set(
++                    NCONF_get0_libctx((CONF *)cnf), m > 0, 0)) {
++                ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
++                return 0;
++            }
+         } else {
+             ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
+                            "name=%s, value=%s", oval->name, oval->value);
+Index: openssl-3.5.0/crypto/evp/m_sigver.c
+===================================================================
+--- openssl-3.5.0.orig/crypto/evp/m_sigver.c
++++ openssl-3.5.0/crypto/evp/m_sigver.c
+@@ -15,6 +15,7 @@
+ #include "internal/provider.h"
+ #include "internal/numbers.h"   /* includes SIZE_MAX */
+ #include "evp_local.h"
++#include "internal/sslconf.h"
+ 
+ static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
+ {
+@@ -251,6 +252,18 @@ static int do_sigver_init(EVP_MD_CTX *ct
+         }
+     }
+ 
++    if (ctx->reqdigest != NULL
++            && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
++            && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
++            && !EVP_PKEY_is_a(locpctx->pkey, SN_hkdf)) {
++        int mdnid = EVP_MD_nid(ctx->reqdigest);
++        if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0)
++                && (mdnid == NID_sha1 || mdnid == NID_md5_sha1)) {
++            ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
++            goto err;
++        }
++    }
++
+     if (ver) {
+         if (signature->digest_verify_init == NULL) {
+             ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
+Index: openssl-3.5.0/crypto/evp/pmeth_lib.c
+===================================================================
+--- openssl-3.5.0.orig/crypto/evp/pmeth_lib.c
++++ openssl-3.5.0/crypto/evp/pmeth_lib.c
+@@ -33,6 +33,7 @@
+ #include "internal/ffc.h"
+ #include "internal/numbers.h"
+ #include "internal/provider.h"
++#include "internal/sslconf.h"
+ #include "evp_local.h"
+ 
+ #ifndef FIPS_MODULE
+@@ -954,6 +955,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_
+         return -2;
+     }
+ 
++    if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)
++            && md != NULL
++            && ctx->pkey != NULL
++            && !EVP_PKEY_is_a(ctx->pkey, SN_hmac)
++            && !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf)
++            && !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) {
++        int mdnid = EVP_MD_nid(md);
++        if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
++                && !ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) {
++            ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
++            return -1;
++        }
++    }
++
+     if (fallback)
+         return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md));
+ 
+Index: openssl-3.5.0/doc/man5/config.pod
+===================================================================
+--- openssl-3.5.0.orig/doc/man5/config.pod
++++ openssl-3.5.0/doc/man5/config.pod
+@@ -315,6 +315,21 @@ Within the algorithm properties section,
+ The value may be anything that is acceptable as a property query
+ string for EVP_set_default_properties().
+ 
++=item B<rh-allow-sha1-signatures>
++
++The value is a boolean that can be B<yes> or B<no>.  If the value is not set,
++it behaves as if it was set to B<yes>.
++
++When set to B<no>, any attempt to create or verify a signature with a SHA1
++digest will fail.  To test whether your software will work with future versions
++of OpenSSL, set this option to B<no>.  This setting also affects TLS, where
++signature algorithms that use SHA1 as digest will no longer be supported if
++this option is set to B<no>.  Because TLS 1.1 or lower use MD5-SHA1 as
++pseudorandom function (PRF) to derive key material, disabling
++B<rh-allow-sha1-signatures> requires the use of TLS 1.2 or newer.
++
++This is a downstream specific option, and normally it should be set up via crypto-policies.
++
+ =item B<fips_mode> (deprecated)
+ 
+ The value is a boolean that can be B<yes> or B<no>.  If the value is
+Index: openssl-3.5.0/include/crypto/context.h
+===================================================================
+--- openssl-3.5.0.orig/include/crypto/context.h
++++ openssl-3.5.0/include/crypto/context.h
+@@ -48,3 +48,11 @@ void ossl_release_default_drbg_ctx(void)
+ #if defined(OPENSSL_THREADS)
+ void ossl_threads_ctx_free(void *);
+ #endif
++
++#ifndef OSSL_LEGACY_DIGEST_SIGNATURES_STRUCT
++#define OSSL_LEGACY_DIGEST_SIGNATURES_STRUCT
++typedef struct ossl_legacy_digest_signatures_st {
++    int allowed;
++} OSSL_LEGACY_DIGEST_SIGNATURES;
++#endif
++
+Index: openssl-3.5.0/include/internal/cryptlib.h
+===================================================================
+--- openssl-3.5.0.orig/include/internal/cryptlib.h
++++ openssl-3.5.0/include/internal/cryptlib.h
+@@ -120,7 +120,8 @@ typedef struct ossl_ex_data_global_st {
+ # define OSSL_LIB_CTX_DECODER_CACHE_INDEX           20
+ # define OSSL_LIB_CTX_COMP_METHODS                  21
+ # define OSSL_LIB_CTX_INDICATOR_CB_INDEX            22
+-# define OSSL_LIB_CTX_MAX_INDEXES                   22
++# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 23
++# define OSSL_LIB_CTX_MAX_INDEXES                   23
+ 
+ OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx);
+ int ossl_lib_ctx_is_default(OSSL_LIB_CTX *ctx);
+Index: openssl-3.5.0/include/internal/sslconf.h
+===================================================================
+--- openssl-3.5.0.orig/include/internal/sslconf.h
++++ openssl-3.5.0/include/internal/sslconf.h
+@@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name,
+ void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr,
+                       char **arg);
+ 
++/* Methods to support disabling all signatures with legacy digests */
++int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig);
++int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
++                                                  int loadconfig);
+ #endif
+Index: openssl-3.5.0/providers/common/include/prov/securitycheck.h
+===================================================================
+--- openssl-3.5.0.orig/providers/common/include/prov/securitycheck.h
++++ openssl-3.5.0/providers/common/include/prov/securitycheck.h
+@@ -37,3 +37,5 @@ int ossl_digest_get_approved_nid(const E
+ /* Functions that have different implementations for the FIPS_MODULE */
+ int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md);
+ int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx);
++
++int rh_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int mdnid);
+Index: openssl-3.5.0/providers/common/securitycheck.c
+===================================================================
+--- openssl-3.5.0.orig/providers/common/securitycheck.c
++++ openssl-3.5.0/providers/common/securitycheck.c
+@@ -19,6 +19,7 @@
+ #include <openssl/core_names.h>
+ #include <openssl/obj_mac.h>
+ #include "prov/securitycheck.h"
++#include "internal/sslconf.h"
+ 
+ #define OSSL_FIPS_MIN_SECURITY_STRENGTH_BITS 112
+ 
+@@ -220,3 +221,16 @@ int ossl_dh_check_key(const DH *dh)
+     return (L == 2048 && (N == 224 || N == 256));
+ }
+ #endif /* OPENSSL_NO_DH */
++
++int rh_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int mdnid)
++{
++#ifndef FIPS_MODULE
++    if (!ossl_ctx_legacy_digest_signatures_allowed(libctx, 0))
++        /* SHA1 is globally disabled, check whether we want to locally allow
++         * it. */
++#endif
++        if (mdnid == NID_sha1)
++            mdnid = -1;
++
++     return mdnid;
++}
+Index: openssl-3.5.0/providers/common/securitycheck_default.c
+===================================================================
+--- openssl-3.5.0.orig/providers/common/securitycheck_default.c
++++ openssl-3.5.0/providers/common/securitycheck_default.c
+@@ -15,6 +15,7 @@
+ #include <openssl/obj_mac.h>
+ #include "prov/securitycheck.h"
+ #include "internal/nelem.h"
++#include "internal/sslconf.h"
+ 
+ /* Disable the security checks in the default provider */
+ int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx)
+Index: openssl-3.5.0/providers/implementations/signature/dsa_sig.c
+===================================================================
+--- openssl-3.5.0.orig/providers/implementations/signature/dsa_sig.c
++++ openssl-3.5.0/providers/implementations/signature/dsa_sig.c
+@@ -163,6 +163,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ct
+ 
+         md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
+         md_nid = ossl_digest_get_approved_nid(md);
++        md_nid = rh_digest_signatures_allowed(ctx->libctx, md_nid);
+ 
+         if (md == NULL) {
+             ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
+Index: openssl-3.5.0/providers/implementations/signature/ecdsa_sig.c
+===================================================================
+--- openssl-3.5.0.orig/providers/implementations/signature/ecdsa_sig.c
++++ openssl-3.5.0/providers/implementations/signature/ecdsa_sig.c
+@@ -197,13 +197,16 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX
+         goto err;
+     }
+     md_nid = ossl_digest_get_approved_nid(md);
++
+ #ifdef FIPS_MODULE
+-    if (md_nid == NID_undef) {
++    md_nid = rh_digest_signatures_allowed(ctx->libctx, md_nid);
++    if (md_nid <= 0) {
+         ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
+                        "digest=%s", mdname);
+         goto err;
+     }
+ #endif
++
+     /* XOF digests don't work */
+     if (EVP_MD_xof(md)) {
+         ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
+Index: openssl-3.5.0/providers/implementations/signature/rsa_sig.c
+===================================================================
+--- openssl-3.5.0.orig/providers/implementations/signature/rsa_sig.c
++++ openssl-3.5.0/providers/implementations/signature/rsa_sig.c
+@@ -26,6 +26,7 @@
+ #include "internal/cryptlib.h"
+ #include "internal/nelem.h"
+ #include "internal/sizes.h"
++#include "internal/sslconf.h"
+ #include "crypto/rsa.h"
+ #include "prov/providercommon.h"
+ #include "prov/implementations.h"
+@@ -34,6 +35,7 @@
+ #include "prov/securitycheck.h"
+ 
+ #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
++#define RSA_DEFAULT_DIGEST_NAME_NONLEGACY OSSL_DIGEST_NAME_SHA2_256
+ 
+ OSSL_FUNC_signature_newctx_fn rsa_newctx;
+ static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
+@@ -387,7 +389,8 @@ static int rsa_setup_md(PROV_RSA_CTX *ct
+             goto err;
+         }
+         md_nid = ossl_digest_rsa_sign_get_md_nid(md);
+-        if (md_nid == NID_undef) {
++        md_nid = rh_digest_signatures_allowed(ctx->libctx, md_nid);
++        if (md_nid <= 0) {
+             ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
+                            "digest=%s", mdname);
+             goto err;
+@@ -475,8 +478,9 @@ static int rsa_setup_mgf1_md(PROV_RSA_CT
+                        "%s could not be fetched", mdname);
+         return 0;
+     }
+-    /* The default for mgf1 is SHA1 - so allow SHA1 */
++    /* The default for mgf1 is SHA1 - so check if we allow SHA1 */
+     if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md)) <= 0
++        || (mdnid = rh_digest_signatures_allowed(ctx->libctx, mdnid)) <= 0
+         || !rsa_check_padding(ctx, NULL, mdname, mdnid)) {
+         if (mdnid <= 0)
+             ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
+@@ -1765,8 +1769,13 @@ static int rsa_set_ctx_params(void *vprs
+     prsactx->pad_mode = pad_mode;
+ 
+     if (prsactx->md == NULL && pmdname == NULL
+-        && pad_mode == RSA_PKCS1_PSS_PADDING)
+-        pmdname = RSA_DEFAULT_DIGEST_NAME;
++        && pad_mode == RSA_PKCS1_PSS_PADDING) {
++        if (ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
++            pmdname = RSA_DEFAULT_DIGEST_NAME;
++        } else {
++            pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
++        }
++    }
+ 
+     if (pmgf1mdname != NULL
+         && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
+Index: openssl-3.5.0/ssl/t1_lib.c
+===================================================================
+--- openssl-3.5.0.orig/ssl/t1_lib.c
++++ openssl-3.5.0/ssl/t1_lib.c
+@@ -21,6 +21,7 @@
+ #include <openssl/bn.h>
+ #include <openssl/provider.h>
+ #include <openssl/param_build.h>
++#include "internal/sslconf.h"
+ #include "internal/nelem.h"
+ #include "internal/sizes.h"
+ #include "internal/tlsgroups.h"
+@@ -2176,6 +2177,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
+     EVP_PKEY *tmpkey = EVP_PKEY_new();
+     int istls;
+     int ret = 0;
++    int ldsigs_allowed;
+ 
+     if (ctx == NULL)
+         goto err;
+@@ -2193,6 +2195,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
+         goto err;
+ 
+     ERR_set_mark();
++    ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0);
+     /* First fill cache and tls12_sigalgs list from legacy algorithm list */
+     for (i = 0, lu = sigalg_lookup_tbl;
+          i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
+@@ -2213,6 +2216,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
+             cache[i].available = 0;
+             continue;
+         }
++        if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
++                && !ldsigs_allowed) {
++            cache[i].available = 0;
++            continue;
++        }
+ 
+         if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {
+             cache[i].available = 0;
+Index: openssl-3.5.0/util/libcrypto.num
+===================================================================
+--- openssl-3.5.0.orig/util/libcrypto.num
++++ openssl-3.5.0/util/libcrypto.num
+@@ -5925,3 +5925,5 @@ OSSL_AA_DIST_POINT_free
+ OSSL_AA_DIST_POINT_new                  6052	3_5_0	EXIST::FUNCTION:
+ OSSL_AA_DIST_POINT_it                   6053	3_5_0	EXIST::FUNCTION:
+ PEM_ASN1_write_bio_ctx                  6054	3_5_0	EXIST::FUNCTION:
++ossl_ctx_legacy_digest_signatures_allowed ?	3_0_1	EXIST::FUNCTION:
++ossl_ctx_legacy_digest_signatures_allowed_set ?	3_0_1	EXIST::FUNCTION:

openssl-CVE-2023-5678.patch

@@ -0,0 +1,172 @@
+From ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6 Mon Sep 17 00:00:00 2001
+From: Richard Levitte <levitte@openssl.org>
+Date: Fri, 20 Oct 2023 09:18:19 +0200
+Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet
+
+We already check for an excessively large P in DH_generate_key(), but not in
+DH_check_pub_key(), and none of them check for an excessively large Q.
+
+This change adds all the missing excessive size checks of P and Q.
+
+It's to be noted that behaviours surrounding excessively sized P and Q
+differ.  DH_check() raises an error on the excessively sized P, but only
+sets a flag for the excessively sized Q.  This behaviour is mimicked in
+DH_check_pub_key().
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Hugo Landau <hlandau@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/22518)
+---
+ crypto/dh/dh_check.c    | 12 ++++++++++++
+ crypto/dh/dh_err.c      |  3 ++-
+ crypto/dh/dh_key.c      | 12 ++++++++++++
+ crypto/err/openssl.txt  |  1 +
+ include/crypto/dherr.h  |  2 +-
+ include/openssl/dh.h    |  6 +++---
+ include/openssl/dherr.h |  3 ++-
+ 7 files changed, 33 insertions(+), 6 deletions(-)
+
+diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
+index 7ba2beae7fd6b..e20eb62081c5e 100644
+--- a/crypto/dh/dh_check.c
++++ b/crypto/dh/dh_check.c
+@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key)
+  */
+ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
+ {
++    /* Don't do any checks at all with an excessively large modulus */
++    if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
++        ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
++        *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
++        return 0;
++    }
++
++    if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) {
++        *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
++        return 1;
++    }
++
+     return ossl_ffc_validate_public_key(&dh->params, pub_key, ret);
+ }
+ 
+diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
+index 4152397426cc9..f76ac0dd1463f 100644
+--- a/crypto/dh/dh_err.c
++++ b/crypto/dh/dh_err.c
+@@ -1,6 +1,6 @@
+ /*
+  * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the Apache License 2.0 (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
+     "parameter encoding error"},
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
++    {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
+     "unable to check generator"},
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
+index d84ea99241b9e..afc49f5cdc87d 100644
+--- a/crypto/dh/dh_key.c
++++ b/crypto/dh/dh_key.c
+@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
+         goto err;
+     }
+ 
++    if (dh->params.q != NULL
++        && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
++        ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
++        goto err;
++    }
++
+     if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
+         ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
+         return 0;
+@@ -267,6 +273,12 @@ static int generate_key(DH *dh)
+         return 0;
+     }
+ 
++    if (dh->params.q != NULL
++        && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
++        ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
++        return 0;
++    }
++
+     if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
+         ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
+         return 0;
+diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
+index a1e6bbb617fcb..69e4f61aa1801 100644
+--- a/crypto/err/openssl.txt
++++ b/crypto/err/openssl.txt
+@@ -513,6 +513,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set
+ DH_R_NO_PRIVATE_VALUE:100:no private value
+ DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
+ DH_R_PEER_KEY_ERROR:111:peer key error
++DH_R_Q_TOO_LARGE:130:q too large
+ DH_R_SHARED_INFO_ERROR:113:shared info error
+ DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
+ DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters
+diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h
+index bb24d131eb887..519327f795742 100644
+--- a/include/crypto/dherr.h
++++ b/include/crypto/dherr.h
+@@ -1,6 +1,6 @@
+ /*
+  * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the Apache License 2.0 (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+diff --git a/include/openssl/dh.h b/include/openssl/dh.h
+index 8bc17448a0817..f1c0ed06b375a 100644
+--- a/include/openssl/dh.h
++++ b/include/openssl/dh.h
+@@ -144,7 +144,7 @@ DECLARE_ASN1_ITEM(DHparams)
+ #   define DH_GENERATOR_3          3
+ #   define DH_GENERATOR_5          5
+ 
+-/* DH_check error codes */
++/* DH_check error codes, some of them shared with DH_check_pub_key */
+ /*
+  * NB: These values must align with the equivalently named macros in
+  * internal/ffc.h.
+@@ -154,10 +154,10 @@ DECLARE_ASN1_ITEM(DHparams)
+ #   define DH_UNABLE_TO_CHECK_GENERATOR    0x04
+ #   define DH_NOT_SUITABLE_GENERATOR       0x08
+ #   define DH_CHECK_Q_NOT_PRIME            0x10
+-#   define DH_CHECK_INVALID_Q_VALUE        0x20
++#   define DH_CHECK_INVALID_Q_VALUE        0x20 /* +DH_check_pub_key */
+ #   define DH_CHECK_INVALID_J_VALUE        0x40
+ #   define DH_MODULUS_TOO_SMALL            0x80
+-#   define DH_MODULUS_TOO_LARGE            0x100
++#   define DH_MODULUS_TOO_LARGE            0x100 /* +DH_check_pub_key */
+ 
+ /* DH_check_pub_key error codes */
+ #   define DH_CHECK_PUBKEY_TOO_SMALL       0x01
+diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
+index 5d2a762a96f8c..074a70145f9f5 100644
+--- a/include/openssl/dherr.h
++++ b/include/openssl/dherr.h
+@@ -1,6 +1,6 @@
+ /*
+  * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the Apache License 2.0 (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -50,6 +50,7 @@
+ #  define DH_R_NO_PRIVATE_VALUE                            100
+ #  define DH_R_PARAMETER_ENCODING_ERROR                    105
+ #  define DH_R_PEER_KEY_ERROR                              111
++#  define DH_R_Q_TOO_LARGE                                 130
+ #  define DH_R_SHARED_INFO_ERROR                           113
+ #  define DH_R_UNABLE_TO_CHECK_GENERATOR                   121
+ 

openssl-CVE-2023-6129.patch

@@ -0,0 +1,109 @@
+From 050d26383d4e264966fb83428e72d5d48f402d35 Mon Sep 17 00:00:00 2001
+From: Rohan McLure <rmclure@linux.ibm.com>
+Date: Thu, 4 Jan 2024 10:25:50 +0100
+Subject: [PATCH] poly1305-ppc.pl: Fix vector register clobbering
+
+Fixes CVE-2023-6129
+
+The POLY1305 MAC (message authentication code) implementation in OpenSSL for
+PowerPC CPUs saves the the contents of vector registers in different order
+than they are restored. Thus the contents of some of these vector registers
+is corrupted when returning to the caller. The vulnerable code is used only
+on newer PowerPC processors supporting the PowerISA 2.07 instructions.
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/23200)
+
+(cherry picked from commit 8d847a3ffd4f0b17ee33962cf69c36224925b34f)
+---
+ crypto/poly1305/asm/poly1305-ppc.pl | 42 ++++++++++++++---------------
+ 1 file changed, 21 insertions(+), 21 deletions(-)
+
+diff --git a/crypto/poly1305/asm/poly1305-ppc.pl b/crypto/poly1305/asm/poly1305-ppc.pl
+index 9f86134d923fb..2e601bb9c24be 100755
+--- a/crypto/poly1305/asm/poly1305-ppc.pl
++++ b/crypto/poly1305/asm/poly1305-ppc.pl
+@@ -744,7 +744,7 @@
+ my $LOCALS= 6*$SIZE_T;
+ my $VSXFRAME = $LOCALS + 6*$SIZE_T;
+    $VSXFRAME += 128;	# local variables
+-   $VSXFRAME += 13*16;	# v20-v31 offload
++   $VSXFRAME += 12*16;	# v20-v31 offload
+ 
+ my $BIG_ENDIAN = ($flavour !~ /le/) ? 4 : 0;
+ 
+@@ -919,12 +919,12 @@
+ 	addi	r11,r11,32
+ 	stvx	v22,r10,$sp
+ 	addi	r10,r10,32
+-	stvx	v23,r10,$sp
+-	addi	r10,r10,32
+-	stvx	v24,r11,$sp
++	stvx	v23,r11,$sp
+ 	addi	r11,r11,32
+-	stvx	v25,r10,$sp
++	stvx	v24,r10,$sp
+ 	addi	r10,r10,32
++	stvx	v25,r11,$sp
++	addi	r11,r11,32
+ 	stvx	v26,r10,$sp
+ 	addi	r10,r10,32
+ 	stvx	v27,r11,$sp
+@@ -1153,12 +1153,12 @@
+ 	addi	r11,r11,32
+ 	stvx	v22,r10,$sp
+ 	addi	r10,r10,32
+-	stvx	v23,r10,$sp
+-	addi	r10,r10,32
+-	stvx	v24,r11,$sp
++	stvx	v23,r11,$sp
+ 	addi	r11,r11,32
+-	stvx	v25,r10,$sp
++	stvx	v24,r10,$sp
+ 	addi	r10,r10,32
++	stvx	v25,r11,$sp
++	addi	r11,r11,32
+ 	stvx	v26,r10,$sp
+ 	addi	r10,r10,32
+ 	stvx	v27,r11,$sp
+@@ -1899,26 +1899,26 @@
+ 	mtspr	256,r12				# restore vrsave
+ 	lvx	v20,r10,$sp
+ 	addi	r10,r10,32
+-	lvx	v21,r10,$sp
+-	addi	r10,r10,32
+-	lvx	v22,r11,$sp
++	lvx	v21,r11,$sp
+ 	addi	r11,r11,32
+-	lvx	v23,r10,$sp
++	lvx	v22,r10,$sp
+ 	addi	r10,r10,32
+-	lvx	v24,r11,$sp
++	lvx	v23,r11,$sp
+ 	addi	r11,r11,32
+-	lvx	v25,r10,$sp
++	lvx	v24,r10,$sp
+ 	addi	r10,r10,32
+-	lvx	v26,r11,$sp
++	lvx	v25,r11,$sp
+ 	addi	r11,r11,32
+-	lvx	v27,r10,$sp
++	lvx	v26,r10,$sp
+ 	addi	r10,r10,32
+-	lvx	v28,r11,$sp
++	lvx	v27,r11,$sp
+ 	addi	r11,r11,32
+-	lvx	v29,r10,$sp
++	lvx	v28,r10,$sp
+ 	addi	r10,r10,32
+-	lvx	v30,r11,$sp
+-	lvx	v31,r10,$sp
++	lvx	v29,r11,$sp
++	addi	r11,r11,32
++	lvx	v30,r10,$sp
++	lvx	v31,r11,$sp
+ 	$POP	r27,`$VSXFRAME-$SIZE_T*5`($sp)
+ 	$POP	r28,`$VSXFRAME-$SIZE_T*4`($sp)
+ 	$POP	r29,`$VSXFRAME-$SIZE_T*3`($sp)

openssl-CVE-2023-6237.patch

@@ -0,0 +1,122 @@
+From 18c02492138d1eb8b6548cb26e7b625fb2414a2a Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Fri, 22 Dec 2023 16:25:56 +0100
+Subject: [PATCH] Limit the execution time of RSA public key check
+
+Fixes CVE-2023-6237
+
+If a large and incorrect RSA public key is checked with
+EVP_PKEY_public_check() the computation could take very long time
+due to no limit being applied to the RSA public key size and
+unnecessarily high number of Miller-Rabin algorithm rounds
+used for non-primality check of the modulus.
+
+Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS)
+will fail the check with RSA_R_MODULUS_TOO_LARGE error reason.
+Also the number of Miller-Rabin rounds was set to 5.
+
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/23243)
+
+(cherry picked from commit e09fc1d746a4fd15bb5c3d7bbbab950aadd005db)
+---
+ crypto/rsa/rsa_sp800_56b_check.c              |  8 +++-
+ test/recipes/91-test_pkey_check.t             |  2 +-
+ .../91-test_pkey_check_data/rsapub_17k.pem    | 48 +++++++++++++++++++
+ 3 files changed, 56 insertions(+), 2 deletions(-)
+ create mode 100644 test/recipes/91-test_pkey_check_data/rsapub_17k.pem
+
+diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c
+index fc8f19b48770b..bcbdd24fb8199 100644
+--- a/crypto/rsa/rsa_sp800_56b_check.c
++++ b/crypto/rsa/rsa_sp800_56b_check.c
+@@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
+         return 0;
+ 
+     nbits = BN_num_bits(rsa->n);
++    if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) {
++        ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE);
++        return 0;
++    }
++
+ #ifdef FIPS_MODULE
+     /*
+      * (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1)
+@@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
+         goto err;
+     }
+ 
+-    ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, &status);
++    /* Highest number of MR rounds from FIPS 186-5 Section B.3 Table B.1 */
++    ret = ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, &status);
+ #ifdef FIPS_MODULE
+     if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) {
+ #else
+diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t
+index dc7cc64533af2..f8088df14d36c 100644
+--- a/test/recipes/91-test_pkey_check.t
++++ b/test/recipes/91-test_pkey_check.t
+@@ -70,7 +70,7 @@ push(@positive_tests, (
+     "dhpkey.pem"
+     )) unless disabled("dh");
+ 
+-my @negative_pubtests = ();
++my @negative_pubtests = ("rsapub_17k.pem");  # Too big RSA public key
+ 
+ push(@negative_pubtests, (
+     "dsapub_noparam.der"
+diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
+new file mode 100644
+index 0000000000000..9a2eaedaf1b22
+--- /dev/null
++++ b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
+@@ -0,0 +1,48 @@
++-----BEGIN PUBLIC KEY-----
++MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR
++B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph
++gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2
++GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/
++XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj
++b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2
++gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq
++TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1
++vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0
++V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j
++/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH
++SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa
++PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y
++Fmq6ye/r34ekyHPbfn6UuTON7joM6SIXb5bHM64x4iMVWx4hMvDjfy0UqfywAUyu
++C1o7BExSMxxFG8GJcqR0K8akpPp7EM588PC+YuItoxzXgfUJnP3BQ1Beev2Ve7/J
++xeGZH0N4ntfr+cuaLAakAER9zDglwChWflw3NNFgIdAgSxXv3XXx5xDXpdP4lxUo
++F5zAN4Mero3yV90FaJl7Vhq/UFVidbwFc15jUDwaE0mKRcsBeVd3GOhoECAgE0id
++aIPT20z8oVY0FyTJlRk7QSjo8WjJSrHY/Fn14gctX07ZdfkufyL6w+NijBdYluvB
++nIrgHEvpkDEWoIa8qcx0EppoIcmqgMV2mTShfFYSybsO33Pm8WXec2FXjwhzs1Pi
++R/BuIW8rHPI67xqWm0h8dEw11vtfi9a/BBBikFHe59KBjMTG+lW/gADNvRoTzGh7
++kN4+UVDS3jlSisRZZOn1XoeQtpubNYWgUsecjKy45IwIj8h1SHgn3wkmUesY0woN
++mOdoNtq+NezN4RFtbCOHhxFVpKKDi/HQP2ro0ykkXMDjwEIVf2Lii1Mg9UP8m+Ux
++AOqkTrIkdogkRx+70h7/wUOfDIFUq2JbKzqxJYamyEphcdAko7/B8efQKc61Z93O
++f2SHa4++4WI7wIIx18v5KV4M/cRmrfc8w9WRkQN3gBT5AJMuqwcSHVXBWvNQeGmi
++ScMh7X6cCZ0daEujqb8svq4WgsJ8UT4GaGBRIYtt7QUKEh+JQwNJzneRYZ3pzpaH
++UJeeoYobMlkp3rM9cYzdq90nBQiI9Jsbim9m9ggb2dMOS5CsI9S/IuG2O5uTjfxx
++wkwsd5nLDFtNXHYZ7W6XlVJ1Rc6zShnEmdCn3mmibb6OaMUmun2yl9ryEjVSoXLP
++fSA8W9K9yNhKTRkzdXJfqlC+s/ovX2xBGxsuOoUDaXhRVz0qmpKIHeSFjIP4iXq4
++y8gDiwvM3HbZfvVonbg6siPwpn4uvw3hesojk1DKAENS52i6U3uK2fs1ALVxsFNS
++Yh914rDu0Q3e4RXVhURaYzoEbLCot6WGYeCCfQOK0rkETMv+sTYYscC8/THuW7SL
++HG5zy9Ed95N1Xmf8J+My7gM7ZFodGdHsWvdzEmqsdOFh6IVx/VfHFX0MDBq0t6lZ
++eRvVgVCfu3gkYLwPScn/04E02vOom51ISKHsF/I11erC66jjNYV9BSpH8O7sAHxZ
++EmPT2ZVVRSgivOHdQW/FZ3UZQQhVaVSympo2Eb4yWEMFn84Q8T+9Honj6gnB5PXz
++chmeCsOMlcg1mwWwhn0k+OAWEZy7VRUk5Ahp0fBAGJgwBdqrZ3kM356DjUkVBiYq
++4eHyvafNKmjf2mnFsI3g2NKRNyl1Lh63wyCFx60yYvBUfXF/W9PFJbD9CiP83kEW
++gV36gxTsbOSfhpO1OXR90ODy0kx06XzWmJCUugK8u9bx4F/CjV+LIHExuNJiethC
++A8sIup/MT0fWp4RO/SsVblGqfoqJTaPnhptQzeH2N07pbWkxeMuL6ppPuwFmfVjK
++FJndqCVrAukcPEOQ16iVURuloJMudqYRc9QKkJFsnv0W/iMNbqQGmXe8Q/5qFiys
++26NIQBiE2ad9hNLnoccEnmYSRgnW3ZPSKuq5TDdYyDqTZH2r8cam65pr3beKw2XC
++xw4cc7VaxiwGC2Mg2wRmwwPaTjrcEt6sMa3RjwFEVBxBFyM26wnTEZsTBquCxV0J
++pgERaeplkixP2Q0m7XAdlDaob973SM2vOoUgypzDchWmpx7u775bnOfU5CihwXl+
++k0i09WZuT8bPmhEAiGCw5sNzMkz1BC2cCZFfJIkE2vc/wXYOrGxBTJo0EKaUFswa
++2dnP/u0bn+VksBUM7ywW9LJSXh4mN+tpzdeJtxEObKwX1I0dQxSPWmjd2++wMr9q
++Unre5fCrDToy2H7C2VKSpuOCT2/Kv4JDQRWwI4KxQOpn0UknAGNmfBoTtpIZ3LEb
++77oBUJdMQD7tQBBLL0a6f1TdK0dHVprWWawJ+gGFMiMQXqAqblHcxFKWuHv9bQID
++AQAB
++-----END PUBLIC KEY-----

openssl-CVE-2024-0727.patch

@@ -0,0 +1,120 @@
+From 09df4395b5071217b76dc7d3d2e630eb8c5a79c2 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 19 Jan 2024 11:28:58 +0000
+Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL
+
+PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
+optional and can be NULL even if the "type" is a valid value. OpenSSL
+was not properly accounting for this and a NULL dereference can occur
+causing a crash.
+
+CVE-2024-0727
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Hugo Landau <hlandau@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/23362)
+
+(cherry picked from commit d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)
+---
+ crypto/pkcs12/p12_add.c  | 18 ++++++++++++++++++
+ crypto/pkcs12/p12_mutl.c |  5 +++++
+ crypto/pkcs12/p12_npas.c |  5 +++--
+ crypto/pkcs7/pk7_mime.c  |  7 +++++--
+ 4 files changed, 31 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c
+index 6fd4184af5a52..80ce31b3bca66 100644
+--- a/crypto/pkcs12/p12_add.c
++++ b/crypto/pkcs12/p12_add.c
+@@ -78,6 +78,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7)
+         ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA);
+         return NULL;
+     }
++
++    if (p7->d.data == NULL) {
++        ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
++        return NULL;
++    }
++
+     return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
+ }
+ 
+@@ -150,6 +156,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass,
+ {
+     if (!PKCS7_type_is_encrypted(p7))
+         return NULL;
++
++    if (p7->d.encrypted == NULL) {
++        ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
++        return NULL;
++    }
++
+     return PKCS12_item_decrypt_d2i_ex(p7->d.encrypted->enc_data->algorithm,
+                                    ASN1_ITEM_rptr(PKCS12_SAFEBAGS),
+                                    pass, passlen,
+@@ -188,6 +200,12 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12)
+         ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA);
+         return NULL;
+     }
++
++    if (p12->authsafes->d.data == NULL) {
++        ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
++        return NULL;
++    }
++
+     p7s = ASN1_item_unpack(p12->authsafes->d.data,
+                            ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
+     if (p7s != NULL) {
+diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
+index 67a885a45f89e..68ff54d0e90ee 100644
+--- a/crypto/pkcs12/p12_mutl.c
++++ b/crypto/pkcs12/p12_mutl.c
+@@ -98,6 +98,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
+         return 0;
+     }
+ 
++    if (p12->authsafes->d.data == NULL) {
++        ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
++        return 0;
++    }
++
+     salt = p12->mac->salt->data;
+     saltlen = p12->mac->salt->length;
+     if (p12->mac->iter == NULL)
+diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c
+index 62230bc6187ff..1e5b5495991a4 100644
+--- a/crypto/pkcs12/p12_npas.c
++++ b/crypto/pkcs12/p12_npas.c
+@@ -77,8 +77,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass)
+             bags = PKCS12_unpack_p7data(p7);
+         } else if (bagnid == NID_pkcs7_encrypted) {
+             bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
+-            if (!alg_get(p7->d.encrypted->enc_data->algorithm,
+-                         &pbe_nid, &pbe_iter, &pbe_saltlen))
++            if (p7->d.encrypted == NULL
++                    || !alg_get(p7->d.encrypted->enc_data->algorithm,
++                                &pbe_nid, &pbe_iter, &pbe_saltlen))
+                 goto err;
+         } else {
+             continue;
+diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c
+index 49a0da5f819c4..8228315eeaa3a 100644
+--- a/crypto/pkcs7/pk7_mime.c
++++ b/crypto/pkcs7/pk7_mime.c
+@@ -33,10 +33,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
+     int ctype_nid = OBJ_obj2nid(p7->type);
+     const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7);
+ 
+-    if (ctype_nid == NID_pkcs7_signed)
++    if (ctype_nid == NID_pkcs7_signed) {
++        if (p7->d.sign == NULL)
++            return 0;
+         mdalgs = p7->d.sign->md_algs;
+-    else
++    } else {
+         mdalgs = NULL;
++    }
+ 
+     flags ^= SMIME_OLDMIME;
+ 

openssl-CVE-2024-2511.patch

@@ -0,0 +1,116 @@
+From 7e4d731b1c07201ad9374c1cd9ac5263bdf35bce Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 5 Mar 2024 15:43:53 +0000
+Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3
+
+In TLSv1.3 we create a new session object for each ticket that we send.
+We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
+use then the new session will be added to the session cache. However, if
+early data is not in use (and therefore anti-replay protection is being
+used), then multiple threads could be resuming from the same session
+simultaneously. If this happens and a problem occurs on one of the threads,
+then the original session object could be marked as not_resumable. When we
+duplicate the session object this not_resumable status gets copied into the
+new session object. The new session object is then added to the session
+cache even though it is not_resumable.
+
+Subsequently, another bug means that the session_id_length is set to 0 for
+sessions that are marked as not_resumable - even though that session is
+still in the cache. Once this happens the session can never be removed from
+the cache. When that object gets to be the session cache tail object the
+cache never shrinks again and grows indefinitely.
+
+CVE-2024-2511
+
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24044)
+---
+ ssl/ssl_lib.c            |  5 +++--
+ ssl/ssl_sess.c           | 28 ++++++++++++++++++++++------
+ ssl/statem/statem_srvr.c |  5 ++---
+ 3 files changed, 27 insertions(+), 11 deletions(-)
+
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index b5cc4af2f0302..e747b7f90aa71 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -3737,9 +3737,10 @@ void ssl_update_cache(SSL *s, int mode)
+ 
+     /*
+      * If the session_id_length is 0, we are not supposed to cache it, and it
+-     * would be rather hard to do anyway :-)
++     * would be rather hard to do anyway :-). Also if the session has already
++     * been marked as not_resumable we should not cache it for later reuse.
+      */
+-    if (s->session->session_id_length == 0)
++    if (s->session->session_id_length == 0 || s->session->not_resumable)
+         return;
+ 
+     /*
+diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
+index bf84e792251b8..241cf43c46296 100644
+--- a/ssl/ssl_sess.c
++++ b/ssl/ssl_sess.c
+@@ -154,16 +154,11 @@ SSL_SESSION *SSL_SESSION_new(void)
+     return ss;
+ }
+ 
+-SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
+-{
+-    return ssl_session_dup(src, 1);
+-}
+-
+ /*
+  * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
+  * ticket == 0 then no ticket information is duplicated, otherwise it is.
+  */
+-SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
++static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket)
+ {
+     SSL_SESSION *dest;
+ 
+@@ -287,6 +282,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
+     return NULL;
+ }
+ 
++SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
++{
++    return ssl_session_dup_intern(src, 1);
++}
++
++/*
++ * Used internally when duplicating a session which might be already shared.
++ * We will have resumed the original session. Subsequently we might have marked
++ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
++ * resume from.
++ */
++SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
++{
++    SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
++
++    if (sess != NULL)
++        sess->not_resumable = 0;
++
++    return sess;
++}
++
+ const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
+ {
+     if (len)
+diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
+index 5d59d53563ed8..8e493176f658e 100644
+--- a/ssl/statem/statem_srvr.c
++++ b/ssl/statem/statem_srvr.c
+@@ -2338,9 +2338,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
+      * so the following won't overwrite an ID that we're supposed
+      * to send back.
+      */
+-    if (s->session->not_resumable ||
+-        (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
+-         && !s->hit))
++    if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
++            && !s->hit)
+         s->session->session_id_length = 0;
+ 
+     if (usetls13) {

openssl-CVE-2024-41996.patch

@@ -0,0 +1,41 @@
+From e70e34d857d4003199bcb5d3b52ca8102ccc1b98 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Mon, 5 Aug 2024 17:54:14 +0200
+Subject: [PATCH] dh_kmgmt.c: Avoid expensive public key validation for known
+ safe-prime groups
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The partial validation is fully sufficient to check the key validity.
+
+Thanks to Szilárd Pfeiffer for reporting the issue.
+
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+(Merged from https://github.com/openssl/openssl/pull/25088)
+---
+ providers/implementations/keymgmt/dh_kmgmt.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
+index 82c3093b122c2..ebdce767102ee 100644
+--- a/providers/implementations/keymgmt/dh_kmgmt.c
++++ b/providers/implementations/keymgmt/dh_kmgmt.c
+@@ -388,9 +388,11 @@ static int dh_validate_public(const DH *dh, int checktype)
+     if (pub_key == NULL)
+         return 0;
+ 
+-    /* The partial test is only valid for named group's with q = (p - 1) / 2 */
+-    if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK
+-        && ossl_dh_is_named_safe_prime_group(dh))
++    /*
++     * The partial test is only valid for named group's with q = (p - 1) / 2
++     * but for that case it is also fully sufficient to check the key validity.
++     */
++    if (ossl_dh_is_named_safe_prime_group(dh))
+         return ossl_dh_check_pub_key_partial(dh, pub_key, &res);
+ 
+     return DH_check_pub_key_ex(dh, pub_key);
+

openssl-CVE-2024-4603.patch

@@ -0,0 +1,199 @@
+From 9c39b3858091c152f52513c066ff2c5a47969f0d Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Wed, 8 May 2024 15:23:45 +0200
+Subject: [PATCH] Check DSA parameters for excessive sizes before validating
+
+This avoids overly long computation of various validation
+checks.
+
+Fixes CVE-2024-4603
+
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+(Merged from https://github.com/openssl/openssl/pull/24346)
+
+(cherry picked from commit 85ccbab216da245cf9a6503dd327072f21950d9b)
+---
+ CHANGES.md                                    | 17 ++++++
+ crypto/dsa/dsa_check.c                        | 44 ++++++++++++--
+ .../invalid/p10240_q256_too_big.pem           | 57 +++++++++++++++++++
+ 3 files changed, 114 insertions(+), 4 deletions(-)
+ create mode 100644 test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
+
+Index: openssl-3.1.4/crypto/dsa/dsa_check.c
+===================================================================
+--- openssl-3.1.4.orig/crypto/dsa/dsa_check.c
++++ openssl-3.1.4/crypto/dsa/dsa_check.c
+@@ -19,8 +19,34 @@
+ #include "dsa_local.h"
+ #include "crypto/dsa.h"
+ 
++static int dsa_precheck_params(const DSA *dsa, int *ret)
++{
++    if (dsa->params.p == NULL || dsa->params.q == NULL) {
++        ERR_raise(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS);
++        *ret = FFC_CHECK_INVALID_PQ;
++        return 0;
++    }
++
++    if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
++        ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE);
++        *ret = FFC_CHECK_INVALID_PQ;
++        return 0;
++    }
++
++    if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) {
++        ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE);
++        *ret = FFC_CHECK_INVALID_PQ;
++        return 0;
++    }
++
++    return 1;
++}
++
+ int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
+ {
++    if (!dsa_precheck_params(dsa, ret))
++        return 0;
++
+     if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK)
+         return ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params,
+                                                FFC_PARAM_TYPE_DSA, ret);
+@@ -39,6 +65,9 @@ int ossl_dsa_check_params(const DSA *dsa
+  */
+ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
+ {
++    if (!dsa_precheck_params(dsa, ret))
++        return 0;
++
+     return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret)
+            && *ret == 0;
+ }
+@@ -50,6 +79,9 @@ int ossl_dsa_check_pub_key(const DSA *ds
+  */
+ int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret)
+ {
++    if (!dsa_precheck_params(dsa, ret))
++        return 0;
++
+     return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret)
+            && *ret == 0;
+ }
+@@ -58,8 +90,10 @@ int ossl_dsa_check_priv_key(const DSA *d
+ {
+     *ret = 0;
+ 
+-    return (dsa->params.q != NULL
+-            && ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret));
++    if (!dsa_precheck_params(dsa, ret))
++        return 0;
++
++    return ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret);
+ }
+ 
+ /*
+@@ -72,8 +106,10 @@ int ossl_dsa_check_pairwise(const DSA *d
+     BN_CTX *ctx = NULL;
+     BIGNUM *pub_key = NULL;
+ 
+-    if (dsa->params.p == NULL
+-        || dsa->params.g == NULL
++    if (!dsa_precheck_params(dsa, &ret))
++        return 0;
++
++    if (dsa->params.g == NULL
+         || dsa->priv_key == NULL
+         || dsa->pub_key == NULL)
+         return 0;
+Index: openssl-3.1.4/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
+===================================================================
+--- /dev/null
++++ openssl-3.1.4/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
+@@ -0,0 +1,57 @@
++-----BEGIN DSA PARAMETERS-----
++MIIKLAKCBQEAym47LzPFZdbz16WvjczLKuzLtsP8yRk/exxL4bBthJhP1qOwctja
++p1586SF7gDxCMn7yWVEYdfRbFefGoq0gj1XOE917XqlbnkmZhMgxut2KbNJo/xil
++XNFUjGvKs3F413U9rAodC8f07cWHP1iTcWL+vPe6u2yilKWYYfnLWHQH+Z6aPrrF
++x/R08LI6DZ6nEsIo+hxaQnEtx+iqNTJC6Q1RIjWDqxQkFVTkJ0Y7miRDXmRdneWk
++oLrMZRpaXr5l5tSjEghh1pBgJcdyOv0lh4dlDy/alAiqE2Qlb667yHl6A9dDPlpW
++dAntpffy4LwOxfbuEhISvKjjQoBwIvYE4TBPqL0Q6bC6HgQ4+tqd9b44pQjdIQjb
++Xcjc6azheITSnPEex3OdKtKoQeRq01qCeLBpMXu1c+CTf4ApKArZvT3vZSg0hM1O
++pR71bRZrEEegDj0LH2HCgI5W6H3blOS9A0kUTddCoQXr2lsVdiPtRbPKH1gcd9FQ
++P8cGrvbakpTiC0dCczOMDaCteM1QNILlkM7ZoV6VghsKvDnFPxFsiIr5GgjasXP5
++hhbn3g7sDoq1LiTEo+IKQY28pBWx7etSOSRuXW/spnvCkivZla7lSEGljoy9QlQ2
++UZmsEQI9G3YyzgpxHvKZBK1CiZVTywdYKTZ4TYCxvqzhYhjv2bqbpjI12HRFLojB
++koyEmMSp53lldCzp158PrIanqSp2rksMR8SmmCL3FwfAp2OjqFMEglG9DT8x0WaN
++TLSkjGC6t2csMte7WyU1ekNoFDKfMjDSAz0+xIx21DEmZtYqFOg1DNPK1xYLS0pl
++RSMRRkJVN2mk/G7/1oxlB8Wb9wgi3GKUqqCYT11SnBjzq0NdoJ3E4GMedp5Lx3AZ
++4mFuRPUd4iV86tE0XDSHSFE7Y3ZkrOjD7Q/26/L53L/UH5z4HW6CHP5os7QERJjg
++c1S3x87wXWo9QXbB9b2xmf+c+aWwAAr1cviw38tru58jF3/IGyduj9H8claKQqBG
++cIOUF4aNe1hK2K3ArAOApUxr4KE+tCvrltRfiTmVFip0g9Jt1CPY3Zu7Bd4Z2ZkE
++DtSztpwa49HrWF5E9xpquvBL2U8jQ68E7Xd8Wp4orI/TIChriamBmdkgRz3H2LvN
++Ozb6+hsnEGrz3sp2RVAToSqA9ysa6nHZdfufPNtMEbQdO/k1ehmGRb0ljBRsO6b2
++rsG2eYuC8tg8eCrIkua0TGRI7g6a4K32AJdzaX6NsISaaIW+OYJuoDSscvD3oOg8
++PPEhU+zM7xJskTA+jxvPlikKx8V7MNHOCQECldJlUBwzJvqp40JvwfnDsF+8VYwd
++UaiieR3pzMzyTjpReXRmZbnRPusRcsVzxb2OhB79wmuy4UPjjQBX+7eD0rs8xxvW
++5a5q1Cjq4AvbwmmcA/wDrHDOjcbD/zodad2O1QtBWa/R4xyWea4zKsflgACE1zY9
++wW2br7+YQFekcrXkkkEzgxd6zxv8KVEDpXRZjmAM1cI5LvkoN64To4GedN8Qe/G7
++R9SZh9gnS17PTP64hK+aYqhFafMdu87q/+qLfxaSux727qE5hiW01u4nnWhACf9s
++xuOozowKqxZxkolMIyZv6Lddwy1Zv5qjCyd0DvM/1skpXWkb9kfabYC+OhjsjVhs
++0Ktfs6a5B3eixiw5x94hhIcTEcS4hmvhGUL72FiTca6ZeSERTKmNBy8CIQC9/ZUN
++uU/V5JTcnYyUGHzm7+XcZBjyGBagBj9rCmW3SQKCBQAJ/k9rb39f1cO+/3XDEMjy
++9bIEXSuS48g5RAc1UGd5nrrBQwuDxGWFyz0yvAY7LgyidZuJS21+MAp9EY7AOMmx
++TDttifNaBJYt4GZ8of166PcqTKkHQwq5uBpxeSDv/ZE8YbYfaCtLTcUC8KlO+l36
++gjJHSkdkflSsGy1yObSNDQDfVAAwQs//TjDMnuEtvlNXZllsTvFFBceXVETn10K2
++ZMmdSIJNfLnjReUKEN6PfeGqv7F4xoyGwUybEfRE4u5RmXrqCODaIjY3SNMrOq8B
++R3Ata/cCozsM1jIdIW2z+OybDJH+BYsYm2nkSZQjZS6javTYClLrntEKG/hAQwL8
++F16YLOQXpHhgiAaWnTZzANtLppB2+5qCVy5ElzKongOwT8JTjTFXOaRnqe/ngm9W
++SSbrxfDaoWUOyK9XD8Cydzpv3n4Y8nWNGayi7/yAFCU36Ri040ufgv/TZLuKacnl
+++3ga3ZUpRlSigzx0kb1+KjTSWeQ8vE/psdWjvBukVEbzdUauMLyRLo/6znSVvvPX
++UGhviThE5uhrsUg+wEPFINriSHfF7JDKVhDcJnLBdaXvfN52pkF/naLBF5Rt3Gvq
++fjCxjx0Sy9Lag1hDN4dor7dzuO7wmwOS01DJW1PtNLuuH0Bbqh1kYSaQkmyXBZWX
++qo8K3nkoDM0niOtJJubOhTNrGmSaZpNXkK3Mcy9rBbdvEs5O0Jmqaax/eOdU0Yot
++B3lX+3ddOseT2ZEFjzObqTtkWuFBeBxuYNcRTsu3qMdIBsEb8URQdsTtjoIja2fK
++hreVgjK36GW70KXEl8V/vq5qjQulmqkBEjmilcDuiREKqQuyeagUOnhQaBplqVco
++4xznh5DMBMRbpGb5lHxKv4cPNi+uNAJ5i98zWUM1JRt6aXnRCuWcll1z8fRZ+5kD
++vK9FaZU3VRMK/eknEG49cGr8OuJ6ZRSaC+tKwV1y+amkSZpKPWnk2bUnQI3ApJv3
++k1e1EToeECpMUkLMDgNbpKBoz4nqMEvAAlYgw9xKNbLlQlahqTVEAmaJHh4yDMDy
++i7IZ9Wrn47IGoR7s3cvhDHUpRPeW4nsmgzj+tf5EAxemI61STZJTTWo0iaPGJxct
++9nhOOhw1I38Mvm4vkAbFH7YJ0B6QrjjYL2MbOTp5JiIh4vdOeWwNo9/y4ffyaN5+
++ADpxuuIAmcbdr6GPOhkOFFixRJa0B2eP1i032HESlLs8RB9oYtdTXdXQotnIgJGd
++Y8tSKOa1zjzeLHn3AVpRZTUW++/BxmApV3GKIeG8fsUjg/df0QRrBcdC/1uccdaG
++KKlAOwlywVn5jUlwHkTmDiTM9w5AqVVGHZ2b+4ZgQW8jnPKN0SrKf6U555D+zp7E
++x4uXoE8ojN9y8m8UKf0cTLnujH2XgZorjPfuMOt5VZEhQFMS2QaljSeni5CJJ8gk
++XtztNqfBlAtWR4V5iAHeQOfIB2YaOy8GESda89tyKraKeaez41VblpTVHTeq9IIF
++YB4cQA2PfuNaGVRGLMAgT3Dvl+mxxxeJyxnGAiUcETU/jJJt9QombiuszBlYGQ5d
++ELOSm/eQSRARV9zNSt5jaQlMSjMBqenIEM09BzYqa7jDwqoztFxNdO8bcuQPuKwa
++4z3bBZ1yYm63WFdNbQqqGEwc0OYmqg1raJ0zltgHyjFyw8IGu4g/wETs+nVQcH7D
++vKuje86bePD6kD/LH3wmkA==
++-----END DSA PARAMETERS-----
+Index: openssl-3.1.4/CHANGES.md
+===================================================================
+--- openssl-3.1.4.orig/CHANGES.md
++++ openssl-3.1.4/CHANGES.md
+@@ -22,6 +22,23 @@ OpenSSL Releases
+ OpenSSL 3.1
+ -----------
+ 
++ * Fixed an issue where checking excessively long DSA keys or parameters may
++   be very slow.
++
++   Applications that use the functions EVP_PKEY_param_check() or
++   EVP_PKEY_public_check() to check a DSA public key or DSA parameters may
++   experience long delays. Where the key or parameters that are being checked
++   have been obtained from an untrusted source this may lead to a Denial of
++   Service.
++
++   To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS
++   will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error
++   reason.
++
++   ([CVE-2024-4603])
++
++   *Tomáš Mráz*
++
+ ### Changes between 3.1.3 and 3.1.4 [24 Oct 2023]
+ 
+  * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(),

openssl-CVE-2024-4741.patch

@@ -0,0 +1,28 @@
+@@ -, +, @@ 
+---
+ ssl/record/methods/tls_common.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+--- openssl-3.0.8/ssl/record/ssl3_buffer.c	
++++ openssl-3.0.8/ssl/record/ssl3_buffer.c	
+@@ -186,5 +186,7 @@ int ssl3_release_read_buffer(SSL *s)
+         OPENSSL_cleanse(b->buf, b->len);
+     OPENSSL_free(b->buf);
+     b->buf = NULL;
++    s->rlayer.packet = NULL;
++    s->rlayer.packet_length = 0;
+     return 1;
+ }
+--- openssl-3.0.8/ssl/record/rec_layer_s3.c	
++++ openssl-3.0.8/ssl/record/rec_layer_s3.c	
+@@ -238,6 +238,11 @@ int ssl3_read_n(SSL *s, size_t n, size_t
+         s->rlayer.packet_length = 0;
+         /* ... now we can act as if 'extend' was set */
+     }
++    if (!ossl_assert(s->rlayer.packet != NULL)) {
++        /* does not happen */
++        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++        return -1;
++    }
+ 
+     len = s->rlayer.packet_length;
+     pkt = rb->buf + align;

openssl-CVE-2024-5535.patch

@@ -0,0 +1,326 @@
+From 4ada436a1946cbb24db5ab4ca082b69c1bc10f37 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 31 May 2024 11:14:33 +0100
+Subject: [PATCH] Fix SSL_select_next_proto
+
+Ensure that the provided client list is non-NULL and starts with a valid
+entry. When called from the ALPN callback the client list should already
+have been validated by OpenSSL so this should not cause a problem. When
+called from the NPN callback the client list is locally configured and
+will not have already been validated. Therefore SSL_select_next_proto
+should not assume that it is correctly formatted.
+
+We implement stricter checking of the client protocol list. We also do the
+same for the server list while we are about it.
+
+CVE-2024-5535
+
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24718)
+---
+ ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 40 insertions(+), 23 deletions(-)
+
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 5493d9b9c7..f218dcf1db 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -2953,37 +2953,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
+                           unsigned int server_len,
+                           const unsigned char *client, unsigned int client_len)
+ {
+-    unsigned int i, j;
+-    const unsigned char *result;
+-    int status = OPENSSL_NPN_UNSUPPORTED;
++    PACKET cpkt, csubpkt, spkt, ssubpkt;
++
++    if (!PACKET_buf_init(&cpkt, client, client_len)
++            || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
++            || PACKET_remaining(&csubpkt) == 0) {
++        *out = NULL;
++        *outlen = 0;
++        return OPENSSL_NPN_NO_OVERLAP;
++    }
++
++    /*
++     * Set the default opportunistic protocol. Will be overwritten if we find
++     * a match.
++     */
++    *out = (unsigned char *)PACKET_data(&csubpkt);
++    *outlen = (unsigned char)PACKET_remaining(&csubpkt);
+ 
+     /*
+      * For each protocol in server preference order, see if we support it.
+      */
+-    for (i = 0; i < server_len;) {
+-        for (j = 0; j < client_len;) {
+-            if (server[i] == client[j] &&
+-                memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
+-                /* We found a match */
+-                result = &server[i];
+-                status = OPENSSL_NPN_NEGOTIATED;
+-                goto found;
++    if (PACKET_buf_init(&spkt, server, server_len)) {
++        while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
++            if (PACKET_remaining(&ssubpkt) == 0)
++                continue; /* Invalid - ignore it */
++            if (PACKET_buf_init(&cpkt, client, client_len)) {
++                while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
++                    if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
++                                     PACKET_remaining(&ssubpkt))) {
++                        /* We found a match */
++                        *out = (unsigned char *)PACKET_data(&ssubpkt);
++                        *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
++                        return OPENSSL_NPN_NEGOTIATED;
++                    }
++                }
++                /* Ignore spurious trailing bytes in the client list */
++            } else {
++                /* This should never happen */
++                return OPENSSL_NPN_NO_OVERLAP;
+             }
+-            j += client[j];
+-            j++;
+         }
+-        i += server[i];
+-        i++;
++        /* Ignore spurious trailing bytes in the server list */
+     }
+ 
+-    /* There's no overlap between our protocols and the server's list. */
+-    result = client;
+-    status = OPENSSL_NPN_NO_OVERLAP;
+-
+- found:
+-    *out = (unsigned char *)result + 1;
+-    *outlen = result[0];
+-    return status;
++    /*
++     * There's no overlap between our protocols and the server's list. We use
++     * the default opportunistic protocol selected earlier
++     */
++    return OPENSSL_NPN_NO_OVERLAP;
+ }
+ 
+ #ifndef OPENSSL_NO_NEXTPROTONEG
+-- 
+2.45.2
+
+From 4279c89a726025c758db3dafb263b17e52211304 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 31 May 2024 11:18:27 +0100
+Subject: [PATCH] More correctly handle a selected_len of 0 when
+ processing NPN
+
+In the case where the NPN callback returns with SSL_TLEXT_ERR_OK, but
+the selected_len is 0 we should fail. Previously this would fail with an
+internal_error alert because calling OPENSSL_malloc(selected_len) will
+return NULL when selected_len is 0. We make this error detection more
+explicit and return a handshake failure alert.
+
+Follow on from CVE-2024-5535
+
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24718)
+---
+ ssl/statem/extensions_clnt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
+index 842be0722b..a07dc62e9a 100644
+--- a/ssl/statem/extensions_clnt.c
++++ b/ssl/statem/extensions_clnt.c
+@@ -1536,7 +1536,8 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+                                   PACKET_data(pkt),
+                                   PACKET_remaining(pkt),
+                                   s->ctx->ext.npn_select_cb_arg) !=
+-             SSL_TLSEXT_ERR_OK) {
++                                  SSL_TLSEXT_ERR_OK
++            || selected_len == 0) {
+         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
+         return 0;
+     }
+-- 
+2.45.2
+
+From 889ed19ba25abebd2690997acd6d4791cbe5c493 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 31 May 2024 11:46:38 +0100
+Subject: [PATCH] Clarify the SSL_select_next_proto() documentation
+
+We clarify the input preconditions and the expected behaviour in the event
+of no overlap.
+
+Follow on from CVE-2024-5535
+
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24718)
+---
+ doc/man3/SSL_CTX_set_alpn_select_cb.pod | 26 +++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
+index 102e657851..a29557dd91 100644
+--- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod
++++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
+@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
+ SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to
+ set the list of protocols available to be negotiated. The B<protos> must be in
+ protocol-list format, described below. The length of B<protos> is specified in
+-B<protos_len>.
++B<protos_len>. Setting B<protos_len> to 0 clears any existing list of ALPN
++protocols and no ALPN extension will be sent to the server.
+ 
+ SSL_CTX_set_alpn_select_cb() sets the application callback B<cb> used by a
+ server to select which protocol to use for the incoming connection. When B<cb>
+@@ -73,9 +74,16 @@ B<server_len> and B<client>, B<client_len> must be in the protocol-list format
+ described below. The first item in the B<server>, B<server_len> list that
+ matches an item in the B<client>, B<client_len> list is selected, and returned
+ in B<out>, B<outlen>. The B<out> value will point into either B<server> or
+-B<client>, so it should be copied immediately. If no match is found, the first
+-item in B<client>, B<client_len> is returned in B<out>, B<outlen>. This
+-function can also be used in the NPN callback.
++B<client>, so it should be copied immediately. The client list must include at
++least one valid (nonempty) protocol entry in the list.
++
++The SSL_select_next_proto() helper function can be useful from either the ALPN
++callback or the NPN callback (described below). If no match is found, the first
++item in B<client>, B<client_len> is returned in B<out>, B<outlen> and
++B<OPENSSL_NPN_NO_OVERLAP> is returned. This can be useful when implementating
++the NPN callback. In the ALPN case, the value returned in B<out> and B<outlen>
++must be ignored if B<OPENSSL_NPN_NO_OVERLAP> has been returned from
++SSL_select_next_proto().
+ 
+ SSL_CTX_set_next_proto_select_cb() sets a callback B<cb> that is called when a
+ client needs to select a protocol from the server's provided list, and a
+@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B<in>).
+ The length of the protocol name must be written into B<outlen>. The
+ server's advertised protocols are provided in B<in> and B<inlen>. The
+ callback can assume that B<in> is syntactically valid. The client must
+-select a protocol. It is fatal to the connection if this callback returns
+-a value other than B<SSL_TLSEXT_ERR_OK>. The B<arg> parameter is the pointer
+-set via SSL_CTX_set_next_proto_select_cb().
++select a protocol (although it may be an empty, zero length protocol). It is
++fatal to the connection if this callback returns a value other than
++B<SSL_TLSEXT_ERR_OK> or if the zero length protocol is selected. The B<arg>
++parameter is the pointer set via SSL_CTX_set_next_proto_select_cb().
+ 
+ SSL_CTX_set_next_protos_advertised_cb() sets a callback B<cb> that is called
+ when a TLS server needs a list of supported protocols for Next Protocol
+@@ -149,7 +158,8 @@ A match was found and is returned in B<out>, B<outlen>.
+ =item OPENSSL_NPN_NO_OVERLAP
+ 
+ No match was found. The first item in B<client>, B<client_len> is returned in
+-B<out>, B<outlen>.
++B<out>, B<outlen> (or B<NULL> and 0 in the case where the first entry in
++B<client> is invalid).
+ 
+ =back
+ 
+-- 
+2.45.2
+
+From 087501b4f572825e27ca8cc2c5874fcf6fd47cf7 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 21 Jun 2024 10:41:55 +0100
+Subject: [PATCH] Correct return values for
+ tls_construct_stoc_next_proto_neg
+
+Return EXT_RETURN_NOT_SENT in the event that we don't send the extension,
+rather than EXT_RETURN_SENT. This actually makes no difference at all to
+the current control flow since this return value is ignored in this case
+anyway. But lets make it correct anyway.
+
+Follow on from CVE-2024-5535
+
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24718)
+---
+ ssl/statem/extensions_srvr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
+index 4ea085e1a1..2da880450f 100644
+--- a/ssl/statem/extensions_srvr.c
++++ b/ssl/statem/extensions_srvr.c
+@@ -1476,9 +1476,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
+             return EXT_RETURN_FAIL;
+         }
+         s->s3.npn_seen = 1;
++        return EXT_RETURN_SENT;
+     }
+ 
+-    return EXT_RETURN_SENT;
++    return EXT_RETURN_NOT_SENT;
+ }
+ #endif
+ 
+-- 
+2.45.2
+
+From 017e54183b95617825fb9316d618c154a34c634e Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 21 Jun 2024 11:51:54 +0100
+Subject: [PATCH] Add ALPN validation in the client
+
+The ALPN protocol selected by the server must be one that we originally
+advertised. We should verify that it is.
+
+Follow on from CVE-2024-5535
+
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24718)
+---
+ ssl/statem/extensions_clnt.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
+index a07dc62e9a..b21ccf9273 100644
+--- a/ssl/statem/extensions_clnt.c
++++ b/ssl/statem/extensions_clnt.c
+@@ -1566,6 +1566,8 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+                         size_t chainidx)
+ {
+     size_t len;
++    PACKET confpkt, protpkt;
++    int valid = 0;
+ 
+     /* We must have requested it. */
+     if (!s->s3.alpn_sent) {
+@@ -1584,6 +1586,28 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
+         return 0;
+     }
++
++    /* It must be a protocol that we sent */
++    if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {
++        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++        return 0;
++    }
++    while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {
++        if (PACKET_remaining(&protpkt) != len)
++            continue;
++        if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {
++            /* Valid protocol found */
++            valid = 1;
++            break;
++        }
++    }
++
++    if (!valid) {
++        /* The protocol sent from the server does not match one we advertised */
++        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
++        return 0;
++    }
++
+     OPENSSL_free(s->s3.alpn_selected);
+     s->s3.alpn_selected = OPENSSL_malloc(len);
+     if (s->s3.alpn_selected == NULL) {
+-- 
+2.45.2
+

openssl-CVE-2024-6119.patch

@@ -0,0 +1,255 @@
+commit 97ebe37033e8884f4cca5544a74376633c665e11
+Author: Viktor Dukhovni <viktor@openssl.org>
+Date:   Wed Jun 19 21:04:11 2024 +1000
+
+    Avoid type errors in EAI-related name check logic.
+    
+    The incorrectly typed data is read only, used in a compare operation, so
+    neither remote code execution, nor memory content disclosure were possible.
+    However, applications performing certificate name checks were vulnerable to
+    denial of service.
+    
+    The GENERAL_TYPE data type is a union, and we must take care to access the
+    correct member, based on `gen->type`, not all the member fields have the same
+    structure, and a segfault is possible if the wrong member field is read.
+    
+    The code in question was lightly refactored with the intent to make it more
+    obviously correct.
+    
+    CVE-2024-6119
+    
+    (cherry picked from commit 1486960d6cdb052e4fc0109a56a0597b4e902ba1)
+
+diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
+index 1a18174995..a09414c972 100644
+--- a/crypto/x509/v3_utl.c
++++ b/crypto/x509/v3_utl.c
+@@ -916,36 +916,64 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
+             ASN1_STRING *cstr;
+ 
+             gen = sk_GENERAL_NAME_value(gens, i);
+-            if ((gen->type == GEN_OTHERNAME) && (check_type == GEN_EMAIL)) {
+-                if (OBJ_obj2nid(gen->d.otherName->type_id) ==
+-                    NID_id_on_SmtpUTF8Mailbox) {
+-                    san_present = 1;
+-
+-                    /*
+-                     * If it is not a UTF8String then that is unexpected and we
+-                     * treat it as no match
+-                     */
+-                    if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) {
+-                        cstr = gen->d.otherName->value->value.utf8string;
+-
+-                        /* Positive on success, negative on error! */
+-                        if ((rv = do_check_string(cstr, 0, equal, flags,
+-                                                chk, chklen, peername)) != 0)
+-                            break;
+-                    }
+-                } else
++            switch (gen->type) {
++            default:
++                continue;
++            case GEN_OTHERNAME:
++		switch (OBJ_obj2nid(gen->d.otherName->type_id)) {
++                default:
+                     continue;
+-            } else {
+-                if ((gen->type != check_type) && (gen->type != GEN_OTHERNAME))
++                case NID_id_on_SmtpUTF8Mailbox:
++                    /*-
++                     * https://datatracker.ietf.org/doc/html/rfc8398#section-3
++                     *
++                     *   Due to name constraint compatibility reasons described
++                     *   in Section 6, SmtpUTF8Mailbox subjectAltName MUST NOT
++                     *   be used unless the local-part of the email address
++                     *   contains non-ASCII characters. When the local-part is
++                     *   ASCII, rfc822Name subjectAltName MUST be used instead
++                     *   of SmtpUTF8Mailbox. This is compatible with legacy
++                     *   software that supports only rfc822Name (and not
++                     *   SmtpUTF8Mailbox). [...]
++                     *
++                     *   SmtpUTF8Mailbox is encoded as UTF8String.
++                     *
++                     * If it is not a UTF8String then that is unexpected, and
++                     * we ignore the invalid SAN (neither set san_present nor
++                     * consider it a candidate for equality).  This does mean
++                     * that the subject CN may be considered, as would be the
++                     * case when the malformed SmtpUtf8Mailbox SAN is instead
++                     * simply absent.
++                     *
++                     * When CN-ID matching is not desirable, applications can
++                     * choose to turn it off, doing so is at this time a best
++                     * practice.
++                     */
++                    if (check_type != GEN_EMAIL
++                        || gen->d.otherName->value->type != V_ASN1_UTF8STRING)
++                        continue;
++                    alt_type = 0;
++                    cstr = gen->d.otherName->value->value.utf8string;
++                    break;
++                }
++                break;
++            case GEN_EMAIL:
++                if (check_type != GEN_EMAIL)
+                     continue;
+-            }
+-            san_present = 1;
+-            if (check_type == GEN_EMAIL)
+                 cstr = gen->d.rfc822Name;
+-            else if (check_type == GEN_DNS)
++                break;
++            case GEN_DNS:
++                if (check_type != GEN_DNS)
++                    continue;
+                 cstr = gen->d.dNSName;
+-            else
++                break;
++            case GEN_IPADD:
++                if (check_type != GEN_IPADD)
++                    continue;
+                 cstr = gen->d.iPAddress;
++                break;
++            }
++            san_present = 1;
+             /* Positive on success, negative on error! */
+             if ((rv = do_check_string(cstr, alt_type, equal, flags,
+                                       chk, chklen, peername)) != 0)
+diff --git a/test/recipes/25-test_eai_data.t b/test/recipes/25-test_eai_data.t
+index 522982ddfb..e18735d89a 100644
+--- a/test/recipes/25-test_eai_data.t
++++ b/test/recipes/25-test_eai_data.t
+@@ -21,16 +21,18 @@ setup("test_eai_data");
+ #./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/utf8_chain.pem test/recipes/25-test_eai_data/ascii_leaf.pem
+ #./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/ascii_chain.pem test/recipes/25-test_eai_data/utf8_leaf.pem
+ 
+-plan tests => 12;
++plan tests => 16;
+ 
+ require_ok(srctop_file('test','recipes','tconversion.pl'));
+ my $folder = "test/recipes/25-test_eai_data";
+ 
+ my $ascii_pem = srctop_file($folder, "ascii_leaf.pem");
+ my $utf8_pem  = srctop_file($folder, "utf8_leaf.pem");
++my $kdc_pem   = srctop_file($folder, "kdc-cert.pem");
+ 
+ my $ascii_chain_pem = srctop_file($folder, "ascii_chain.pem");
+ my $utf8_chain_pem  = srctop_file($folder, "utf8_chain.pem");
++my $kdc_chain_pem  = srctop_file($folder, "kdc-root-cert.pem");
+ 
+ my $out;
+ my $outcnt = 0;
+@@ -56,10 +58,18 @@ SKIP: {
+ 
+ ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $ascii_pem])));
+ ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $utf8_pem])));
++ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $kdc_chain_pem, $kdc_pem])));
+ 
+ ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $utf8_pem])));
+ ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem,  $ascii_pem])));
+ 
++# Check an otherName does not get misparsed as an DNS name, (should trigger ASAN errors if violated).
++ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_hostname", 'mx1.example.com', "-CAfile", $kdc_chain_pem,  $kdc_pem])));
++# Check an otherName does not get misparsed as an email address, (should trigger ASAN errors if violated).
++ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'joe@example.com', "-CAfile", $kdc_chain_pem,  $kdc_pem])));
++# We expect SmtpUTF8Mailbox to be a UTF8 String, not an IA5String.
++ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'moe@example.com', "-CAfile", $kdc_chain_pem,  $kdc_pem])));
++
+ #Check that we get the expected failure return code
+ with({ exit_checker => sub { return shift == 2; } },
+      sub {
+diff --git a/test/recipes/25-test_eai_data/kdc-cert.pem b/test/recipes/25-test_eai_data/kdc-cert.pem
+new file mode 100644
+index 0000000000..e8a2c6f55d
+--- /dev/null
++++ b/test/recipes/25-test_eai_data/kdc-cert.pem
+@@ -0,0 +1,21 @@
++-----BEGIN CERTIFICATE-----
++MIIDbDCCAlSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290
++MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAXMRUwEwYDVQQDDAxU
++RVNULkVYQU1QTEUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6wfP+
++6go79dkpo/dGLMlPZ7Gw/Q6gUYrCWZWUEgEeRVHCrqOlgUEyA+PcWas/XDPUxXry
++BQlJHLvlqamAQn8gs4QPBARFYWKNiTVGyaRkgNA1N5gqyZdrP9UE+ZJmdqxRAAe8
++vvpGZWSgevPhLUiSCFYDiD0Rtji2Hm3rGUrReQFBQDEw2pNGwz9zIaxUs08kQZcx
++Yzyiplz5Oau+R/6sAgUwDlrD9xOlUxx/tA/MSDIfkK8qioU11uUZtO5VjkNQy/bT
++7zQMmXxWgm2MIgOs1u4YN7YGOtgqHE9v9iPHHfgrkbQDtVDGQsa8AQEhkUDSCtW9
++3VFAKx6dGNXYzFwfAgMBAAGjgcgwgcUwHQYDVR0OBBYEFFR5tZycW19DmtbL4Zqj
++te1c2vZLMAkGA1UdIwQCMAAwCQYDVR0TBAIwADCBjQYDVR0RBIGFMIGCoD8GBisG
++AQUCAqA1MDOgDhsMVEVTVC5FWEFNUExFoSEwH6ADAgEBoRgwFhsGa3JidGd0GwxU
++RVNULkVYQU1QTEWgHQYIKwYBBQUHCAmgERYPbW9lQGV4YW1wbGUuY29tgQ9qb2VA
++ZXhhbXBsZS5jb22CD214MS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA
++T0xzVtVpRtaOzIhgzw7XQUdzWD5UEGSJJ1cBCOmKUWwDLTAouCYLFB4TbEE7MMUb
++iuMy60bjmVtvfJIXorGUgSadRe5RWJ5DamJWvPA0Q9x7blnEcXqEF+9Td+ypevgU
++UYHFmg83OYwxOsFXZ5cRuXMk3WCsDHQIBi6D1L6oDDZ2pfArs5mqm3thQKVlqyl1
++El3XRYEdqAz/5eCOFNfwxF0ALxjxVr/Z50StUZU8I7Zfev6+kHhyrR7dqzYJImv9
++0fTCOBEMjIETDsrA70OxAMu4V16nrWZdJdvzblS2qrt97Omkj+2kiPAJFB76RpwI
++oDQ9fKfUOAmUFth2/R/eGA==
++-----END CERTIFICATE-----
+diff --git a/test/recipes/25-test_eai_data/kdc-root-cert.pem b/test/recipes/25-test_eai_data/kdc-root-cert.pem
+new file mode 100644
+index 0000000000..a74c96bf31
+--- /dev/null
++++ b/test/recipes/25-test_eai_data/kdc-root-cert.pem
+@@ -0,0 +1,16 @@
++-----BEGIN CERTIFICATE-----
++MIICnDCCAYQCCQCBswYcrlZSHjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARS
++b290MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAPMQ0wCwYDVQQD
++DARSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqRj8S4kBbIUj
++61kZfi6nE35Q38U140+qt4uAiwAhKumfVHlBM0zQ98WFt5zMHIBQwIb3yjc2zj+0
++qzUnQfwm1r/RfcMmBPEti9Ge+aEMSsds2gMXziOFM8wd2aAFPy7UVE0XpEWofsRK
++MGi61MKVdPSbGIxBwY9VW38/7D/wf1HtJe7y0xpuecR7GB2XAs+qST59NjuF+7wS
++dLM8Hb3TATgeYbXXWsRJgwz+SPzExg5WmLnU+7y4brZ32dHtdSmkRVSgSlaIf7Xj
++3Tc6Zi7I+W/JYk7hy1zUexVdWCak4PHcoWrXe0gNNN/t8VfLfMExt5z/HIylXnU7
++pGUyqZlTGQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAHpLF1UCRy7b6Hk0rLokxI
++lgwiH9BU9mktigAGASvkbllpt+YbUbWnuYAvpHBGiP1qZtfX2r96UrSJaGO9BEzT
++Gp9ThnSjoj4Srul0+s/NArU22irFLmDzbalgevAmm9gMGkdqkiIm/mXbwrPj0ncl
++KGicevXryVpvaP62eZ8cc3C4p97frMmXxRX8sTdQpD/gRI7prdEILRSKveqT+AEW
++7rFGM5AOevb4U8ddop8A3D/kX0wcCAIBF6jCNk3uEJ57jVcagL04kPnVfdRiedTS
++vfq1DRNcD29d1H/9u0fHdSn1/+8Ep3X+afQ3C6//5NvOEaXcIGO4QSwkprQydfv8
++-----END CERTIFICATE-----
+diff --git a/test/recipes/25-test_eai_data/kdc.sh b/test/recipes/25-test_eai_data/kdc.sh
+new file mode 100755
+index 0000000000..7a8dbc719f
+--- /dev/null
++++ b/test/recipes/25-test_eai_data/kdc.sh
+@@ -0,0 +1,41 @@
++#! /usr/bin/env bash
++
++# Create a root CA, signing a leaf cert with a KDC principal otherName SAN, and
++# also a non-UTF8 smtpUtf8Mailbox SAN followed by an rfc822Name SAN and a DNS
++# name SAN.  In the vulnerable EAI code, the KDC principal `otherName` should
++# trigger ASAN errors in DNS name checks, while the non-UTF8 `smtpUtf8Mailbox`
++# should likewise lead to ASAN issues with email name checks.
++
++rm -f root-key.pem root-cert.pem
++openssl req -nodes -new -newkey rsa:2048 -keyout kdc-root-key.pem \
++        -x509 -subj /CN=Root -days 36524 -out kdc-root-cert.pem
++
++exts=$(
++    printf "%s\n%s\n%s\n%s = " \
++        "subjectKeyIdentifier = hash" \
++        "authorityKeyIdentifier = keyid" \
++        "basicConstraints = CA:false" \
++        "subjectAltName"
++    printf "%s, " "otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name"
++    printf "%s, " "otherName:1.3.6.1.5.5.7.8.9;IA5:moe@example.com"
++    printf "%s, " "email:joe@example.com"
++    printf "%s\n" "DNS:mx1.example.com"
++    printf "[kdc_princ_name]\n"
++    printf "realm = EXP:0, GeneralString:TEST.EXAMPLE\n"
++    printf "principal_name = EXP:1, SEQUENCE:kdc_principal_seq\n"
++    printf "[kdc_principal_seq]\n"
++    printf "name_type = EXP:0, INTEGER:1\n"
++    printf "name_string = EXP:1, SEQUENCE:kdc_principal_components\n"
++    printf "[kdc_principal_components]\n"
++    printf "princ1 = GeneralString:krbtgt\n"
++    printf "princ2 = GeneralString:TEST.EXAMPLE\n"
++    )
++
++printf "%s\n" "$exts"
++
++openssl req -nodes -new -newkey rsa:2048 -keyout kdc-key.pem \
++    -subj "/CN=TEST.EXAMPLE" |
++    openssl x509 -req -out kdc-cert.pem \
++        -CA "kdc-root-cert.pem" -CAkey "kdc-root-key.pem" \
++        -set_serial 2 -days 36524 \
++        -extfile <(printf "%s\n" "$exts")

openssl-CVE-2024-9143.patch

@@ -0,0 +1,198 @@
+From fdf6723362ca51bd883295efe206cb5b1cfa5154 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <viktor@openssl.org>
+Date: Thu, 19 Sep 2024 01:02:40 +1000
+Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse.
+
+The BN_GF2m_poly2arr() function converts characteristic-2 field
+(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
+to a compact array with just the exponents of the non-zero terms.
+
+These polynomials are then used in BN_GF2m_mod_arr() to perform modular
+reduction.  A precondition of calling BN_GF2m_mod_arr() is that the
+polynomial must have a non-zero constant term (i.e. the array has `0` as
+its final element).
+
+Internally, callers of BN_GF2m_poly2arr() did not verify that
+precondition, and binary EC curve parameters with an invalid polynomial
+could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
+
+The precondition is always true for polynomials that arise from the
+standard form of EC parameters for characteristic-two fields (X9.62).
+See the "Finite Field Identification" section of:
+
+    https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
+
+The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
+basis X9.62 forms.
+
+This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
+the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
+
+Additionally, the return value is made unambiguous when there is not
+enough space to also pad the array with a final `-1` sentinel value.
+The return value is now always the number of elements (including the
+final `-1`) that would be filled when the output array is sufficiently
+large.  Previously the same count was returned both when the array has
+just enough room for the final `-1` and when it had only enough space
+for non-sentinel values.
+
+Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
+degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
+CPU exhausition attacks via excessively large inputs.
+
+The above issues do not arise in processing X.509 certificates.  These
+generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
+disallows explicit EC parameters.  The TLS code in OpenSSL enforces this
+constraint only after the certificate is decoded, but, even if explicit
+parameters are specified, they are in X9.62 form, which cannot represent
+problem values as noted above.
+
+Initially reported as oss-fuzz issue 71623.
+
+A closely related issue was earlier reported in
+<https://github.com/openssl/openssl/issues/19826>.
+
+Severity: Low, CVE-2024-9143
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/25639)
+
+(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
+---
+ crypto/bn/bn_gf2m.c     | 28 +++++++++++++++-------
+ test/ec_internal_test.c | 51 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 71 insertions(+), 8 deletions(-)
+
+diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c
+index c811ae82d6b15..bcc66613cc14d 100644
+--- a/crypto/bn/bn_gf2m.c
++++ b/crypto/bn/bn_gf2m.c
+@@ -15,6 +15,7 @@
+ #include "bn_local.h"
+ 
+ #ifndef OPENSSL_NO_EC2M
++# include <openssl/ec.h>
+ 
+ /*
+  * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
+@@ -1140,16 +1141,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ /*
+  * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
+  * x^i) into an array of integers corresponding to the bits with non-zero
+- * coefficient.  Array is terminated with -1. Up to max elements of the array
+- * will be filled.  Return value is total number of array elements that would
+- * be filled if array was large enough.
++ * coefficient.  The array is intended to be suitable for use with
++ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
++ * zero.  This translates to a requirement that the input BIGNUM `a` is odd.
++ *
++ * Given sufficient room, the array is terminated with -1.  Up to max elements
++ * of the array will be filled.
++ *
++ * The return value is total number of array elements that would be filled if
++ * array was large enough, including the terminating `-1`.  It is `0` when `a`
++ * is not odd or the constant term is zero contrary to requirement.
++ *
++ * The return value is also `0` when the leading exponent exceeds
++ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
+  */
+ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+ {
+     int i, j, k = 0;
+     BN_ULONG mask;
+ 
+-    if (BN_is_zero(a))
++    if (!BN_is_odd(a))
+         return 0;
+ 
+     for (i = a->top - 1; i >= 0; i--) {
+@@ -1167,12 +1178,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+         }
+     }
+ 
+-    if (k < max) {
++    if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
++        return 0;
++
++    if (k < max)
+         p[k] = -1;
+-        k++;
+-    }
+ 
+-    return k;
++    return k + 1;
+ }
+ 
+ /*
+diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c
+index 8c2cd05631696..02cfd4e9d8858 100644
+--- a/test/ec_internal_test.c
++++ b/test/ec_internal_test.c
+@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
+ }
+ 
+ #ifndef OPENSSL_NO_EC2M
++/* Test that decoding of invalid GF2m field parameters fails. */
++static int ec2m_field_sanity(void)
++{
++    int ret = 0;
++    BN_CTX *ctx = BN_CTX_new();
++    BIGNUM *p, *a, *b;
++    EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
++
++    TEST_info("Testing GF2m hardening\n");
++
++    BN_CTX_start(ctx);
++    p = BN_CTX_get(ctx);
++    a = BN_CTX_get(ctx);
++    if (!TEST_ptr(b = BN_CTX_get(ctx))
++        || !TEST_true(BN_one(a))
++        || !TEST_true(BN_one(b)))
++        goto out;
++
++    /* Even pentanomial value should be rejected */
++    if (!TEST_true(BN_set_word(p, 0xf2)))
++        goto out;
++    if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("Zero constant term accepted in GF2m polynomial");
++
++    /* Odd hexanomial should also be rejected */
++    if (!TEST_true(BN_set_word(p, 0xf3)))
++        goto out;
++    if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("Hexanomial accepted as GF2m polynomial");
++
++    /* Excessive polynomial degree should also be rejected */
++    if (!TEST_true(BN_set_word(p, 0x71))
++        || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
++        goto out;
++    if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("GF2m polynomial degree > %d accepted",
++                   OPENSSL_ECC_MAX_FIELD_BITS);
++
++    ret = group1 == NULL && group2 == NULL && group3 == NULL;
++
++ out:
++    EC_GROUP_free(group1);
++    EC_GROUP_free(group2);
++    EC_GROUP_free(group3);
++    BN_CTX_end(ctx);
++    BN_CTX_free(ctx);
++
++    return ret;
++}
++
+ /* test EC_GF2m_simple_method directly */
+ static int field_tests_ec2_simple(void)
+ {
+@@ -443,6 +493,7 @@ int setup_tests(void)
+     ADD_TEST(field_tests_ecp_simple);
+     ADD_TEST(field_tests_ecp_mont);
+ #ifndef OPENSSL_NO_EC2M
++    ADD_TEST(ec2m_field_sanity);
+     ADD_TEST(field_tests_ec2_simple);
+ #endif
+     ADD_ALL_TESTS(field_tests_default, crv_len);

openssl-CVE-2025-4575.patch

@@ -0,0 +1,61 @@
+From 0eb9acc24febb1f3f01f0320cfba9654cf66b0ac Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Tue, 20 May 2025 16:34:10 +0200
+Subject: [PATCH] apps/x509.c: Fix the -addreject option adding trust instead
+ of rejection
+
+Fixes CVE-2025-4575
+
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+(Merged from https://github.com/openssl/openssl/pull/27672)
+
+Signed-off-by: Lucas Mulling <lucas.mulling@suse.com>
+---
+ apps/x509.c                 |  2 +-
+ test/recipes/25-test_x509.t | 12 +++++++++++-
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+Index: openssl-3.5.0/apps/x509.c
+===================================================================
+--- openssl-3.5.0.orig/apps/x509.c
++++ openssl-3.5.0/apps/x509.c
+@@ -465,7 +465,7 @@ int x509_main(int argc, char **argv)
+                            prog, opt_arg());
+                 goto opthelp;
+             }
+-            if (!sk_ASN1_OBJECT_push(trust, objtmp))
++            if (!sk_ASN1_OBJECT_push(reject, objtmp))
+                 goto end;
+             trustout = 1;
+             break;
+Index: openssl-3.5.0/test/recipes/25-test_x509.t
+===================================================================
+--- openssl-3.5.0.orig/test/recipes/25-test_x509.t
++++ openssl-3.5.0/test/recipes/25-test_x509.t
+@@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_fil
+ 
+ setup("test_x509");
+ 
+-plan tests => 134;
++plan tests => 138;
+ 
+ # Prevent MSys2 filename munging for arguments that look like file paths but
+ # aren't
+@@ -110,6 +110,16 @@ ok(run(app(["openssl", "x509", "-new", "
+ && run(app(["openssl", "verify", "-no_check_time",
+             "-trusted", $ca, "-partial_chain", $caout])));
+ 
++# test trust decoration
++ok(run(app(["openssl", "x509", "-in", $ca, "-addtrust", "emailProtection",
++            "-out", "ca-trusted.pem"])));
++cert_contains("ca-trusted.pem", "Trusted Uses: E-mail Protection",
++              1, 'trusted use - E-mail Protection');
++ok(run(app(["openssl", "x509", "-in", $ca, "-addreject", "emailProtection",
++            "-out", "ca-rejected.pem"])));
++cert_contains("ca-rejected.pem", "Rejected Uses: E-mail Protection",
++              1, 'rejected use - E-mail Protection');
++
+ subtest 'x509 -- x.509 v1 certificate' => sub {
+     tconversion( -type => 'x509', -prefix => 'x509v1',
+                  -in => srctop_file("test", "testx509.pem") );

openssl-DEFAULT_SUSE_cipher.patch

@@ -0,0 +1,64 @@
+Index: openssl-3.0.0-alpha7/ssl/ssl_ciph.c
+===================================================================
+--- openssl-3.0.0-alpha7.orig/ssl/ssl_ciph.c
++++ openssl-3.0.0-alpha7/ssl/ssl_ciph.c
+@@ -1592,7 +1592,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+      */
+     ok = 1;
+     rule_p = rule_str;
+-    if (strncmp(rule_str, "DEFAULT", 7) == 0) {
++    if (strncmp(rule_str,"DEFAULT_SUSE", 12) == 0) {
++        ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST,
++                                        &head, &tail, ca_list, c);
++        rule_p += 12;
++        if (*rule_p == ':')
++            rule_p++;
++    }
++    else if (strncmp(rule_str, "DEFAULT", 7) == 0) {
+         ok = ssl_cipher_process_rulestr(OSSL_default_cipher_list(),
+                                         &head, &tail, ca_list, c);
+         rule_p += 7;
+Index: openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t
+===================================================================
+--- /dev/null
++++ openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t
+@@ -0,0 +1,23 @@
++#! /usr/bin/env perl
++
++use strict;
++use warnings;
++
++use OpenSSL::Test qw/:DEFAULT/;
++use OpenSSL::Test::Utils;
++
++setup("test_default_ciphersuites");
++
++plan tests => 6;
++
++my @cipher_suites = ("DEFAULT_SUSE", "DEFAULT");
++
++foreach my $cipherlist (@cipher_suites) {
++  ok(run(app(["openssl", "ciphers", "-s", $cipherlist])),
++     "openssl ciphers works with ciphersuite $cipherlist");
++  ok(!grep(/(MD5|RC4|DES)/, run(app(["openssl", "ciphers", "-s", $cipherlist]), capture => 1)),
++         "$cipherlist shouldn't contain MD5, DES or RC4\n");
++  ok(grep(/(TLSv1.3)/, run(app(["openssl", "ciphers", "-tls1_3", "-s", "-v", $cipherlist]), capture => 1)),
++         "$cipherlist should contain TLSv1.3 ciphers\n");
++}
++
+Index: openssl-3.0.0-alpha7/include/openssl/ssl.h.in
+===================================================================
+--- openssl-3.0.0-alpha7.orig/include/openssl/ssl.h.in
++++ openssl-3.0.0-alpha7/include/openssl/ssl.h.in
+@@ -189,6 +189,11 @@ extern "C" {
+  */
+ # ifndef OPENSSL_NO_DEPRECATED_3_0
+ #  define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
++#  define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"\
++    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:"\
++    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
++    "DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\
++    "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
+ /*
+  * This is the default set of TLSv1.3 ciphersuites
+  * DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites()

openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch

@@ -0,0 +1,327 @@
+From 89dbaf8a756111a530f6422679b59bf134acfd66 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:17 +0100
+Subject: [PATCH 39/53] FIPS: DH: Disable FIPS 186-4 type parameters
+
+For DH parameter and key pair generation/verification, the DSA
+procedures specified in FIPS 186-4 are used. With the release of FIPS
+186-5 and the removal of DSA, the approved status of these groups is in
+peril. Once the transition for DSA ends (this transition will be 1 year
+long and start once CMVP has published the guidance), no more
+submissions claiming DSA will be allowed. Hence, FIPS 186-type
+parameters will also be automatically non-approved.
+
+In the FIPS provider, disable validation of any DH parameters that are
+not well-known groups, and remove DH parameter generation completely.
+
+Adjust tests to use well-known groups or larger DH groups where this
+change would now cause failures, and skip tests that are expected to
+fail due to this change.
+
+Related: rhbz#2169757, rhbz#2169757
+Signed-off-by: Clemens Lang <cllang@redhat.com>
+
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+
+NOTE: Dropped changes in test/recipes/80-test_cms.t
+---
+ crypto/dh/dh_backend.c                       | 10 ++++
+ crypto/dh/dh_check.c                         | 12 ++--
+ crypto/dh/dh_gen.c                           | 12 +++-
+ crypto/dh/dh_key.c                           | 13 ++--
+ crypto/dh/dh_pmeth.c                         | 10 +++-
+ providers/implementations/keymgmt/dh_kmgmt.c |  5 ++
+ test/endecode_test.c                         |  4 +-
+ test/evp_libctx_test.c                       |  2 +-
+ test/helpers/predefined_dhparams.c           | 62 ++++++++++++++++++++
+ test/helpers/predefined_dhparams.h           |  1 +
+ test/recipes/80-test_ssl_old.t               |  3 +
+ 11 files changed, 116 insertions(+), 18 deletions(-)
+
+Index: openssl-3.5.0-beta1/crypto/dh/dh_backend.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/crypto/dh/dh_backend.c
++++ openssl-3.5.0-beta1/crypto/dh/dh_backend.c
+@@ -47,6 +47,16 @@ int ossl_dh_params_fromdata(DH *dh, cons
+     if (!dh_ffc_params_fromdata(dh, params))
+         return 0;
+ 
++#ifdef FIPS_MODULE
++    if (!ossl_dh_is_named_safe_prime_group(dh)) {
++        ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
++                       "FIPS 186-4 type domain parameters no longer allowed in"
++                       " FIPS mode, since the required validation routines"
++                       " were removed from FIPS 186-5");
++        return 0;
++    }
++#endif
++
+     param_priv_len =
+         OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_PRIV_LEN);
+     if (param_priv_len != NULL
+Index: openssl-3.5.0-beta1/crypto/dh/dh_check.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/crypto/dh/dh_check.c
++++ openssl-3.5.0-beta1/crypto/dh/dh_check.c
+@@ -57,13 +57,15 @@ int DH_check_params(const DH *dh, int *r
+     nid = DH_get_nid((DH *)dh);
+     if (nid != NID_undef)
+         return 1;
++
+     /*
+-     * OR
+-     * (2b) FFC domain params conform to FIPS-186-4 explicit domain param
+-     * validity tests.
++     * FIPS 186-4 explicit domain parameters are no longer supported in FIPS mode.
+      */
+-    return ossl_ffc_params_FIPS186_4_validate(dh->libctx, &dh->params,
+-                                              FFC_PARAM_TYPE_DH, ret, NULL);
++    ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
++                   "FIPS 186-4 type domain parameters no longer allowed in"
++                   " FIPS mode, since the required validation routines were"
++                   " removed from FIPS 186-5");
++    return 0;
+ }
+ #else
+ int DH_check_params(const DH *dh, int *ret)
+Index: openssl-3.5.0-beta1/crypto/dh/dh_gen.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/crypto/dh/dh_gen.c
++++ openssl-3.5.0-beta1/crypto/dh/dh_gen.c
+@@ -39,18 +39,26 @@ static int dh_builtin_genparams(DH *ret,
+ int ossl_dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits,
+                                     BN_GENCB *cb)
+ {
+-    int ret, res;
++    int ret = 0;
+ 
+ #ifndef FIPS_MODULE
++    int res;
++
+     if (type == DH_PARAMGEN_TYPE_FIPS_186_2)
+         ret = ossl_ffc_params_FIPS186_2_generate(dh->libctx, &dh->params,
+                                                  FFC_PARAM_TYPE_DH,
+                                                  pbits, qbits, &res, cb);
+     else
+-#endif
+         ret = ossl_ffc_params_FIPS186_4_generate(dh->libctx, &dh->params,
+                                                  FFC_PARAM_TYPE_DH,
+                                                  pbits, qbits, &res, cb);
++#else
++    /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */
++    ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
++                   "FIPS 186-4 type domain parameters no longer allowed in"
++                   " FIPS mode, since the required generation routines were"
++                   " removed from FIPS 186-5");
++#endif
+     if (ret > 0)
+         dh->dirty_cnt++;
+     return ret;
+Index: openssl-3.5.0-beta1/crypto/dh/dh_key.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/crypto/dh/dh_key.c
++++ openssl-3.5.0-beta1/crypto/dh/dh_key.c
+@@ -336,8 +336,12 @@ static int generate_key(DH *dh)
+                 goto err;
+         } else {
+ #ifdef FIPS_MODULE
+-            if (dh->params.q == NULL)
+-                goto err;
++            ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
++                           "FIPS 186-4 type domain parameters no longer"
++                           " allowed in FIPS mode, since the required"
++                           " generation routines were removed from FIPS"
++                           " 186-5");
++            goto err;
+ #else
+             if (dh->params.q == NULL) {
+                 /* secret exponent length, must satisfy 2^(l-1) <= p */
+@@ -358,9 +362,7 @@ static int generate_key(DH *dh)
+                     if (!BN_clear_bit(priv_key, 0))
+                         goto err;
+                 }
+-            } else
+-#endif
+-            {
++            } else {
+                 /* Do a partial check for invalid p, q, g */
+                 if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params,
+                                                      FFC_PARAM_TYPE_DH, NULL))
+@@ -376,6 +378,7 @@ static int generate_key(DH *dh)
+                                                    priv_key))
+                     goto err;
+             }
++#endif
+         }
+     }
+ 
+Index: openssl-3.5.0-beta1/crypto/dh/dh_pmeth.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/crypto/dh/dh_pmeth.c
++++ openssl-3.5.0-beta1/crypto/dh/dh_pmeth.c
+@@ -303,13 +303,17 @@ static DH *ffc_params_generate(OSSL_LIB_
+                                                 prime_len, subprime_len, &res,
+                                                 pcb);
+     else
+-# endif
+-    /* For FIPS we always use the DH_PARAMGEN_TYPE_FIPS_186_4 generator */
+-    if (dctx->paramgen_type >= DH_PARAMGEN_TYPE_FIPS_186_2)
+         rv = ossl_ffc_params_FIPS186_4_generate(libctx, &ret->params,
+                                                 FFC_PARAM_TYPE_DH,
+                                                 prime_len, subprime_len, &res,
+                                                 pcb);
++# else
++    /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */
++    ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
++                   "FIPS 186-4 type domain parameters no longer allowed in"
++                   " FIPS mode, since the required generation routines were"
++                   " removed from FIPS 186-5");
++# endif
+     if (rv <= 0) {
+         DH_free(ret);
+         return NULL;
+Index: openssl-3.5.0-beta1/providers/implementations/keymgmt/dh_kmgmt.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/providers/implementations/keymgmt/dh_kmgmt.c
++++ openssl-3.5.0-beta1/providers/implementations/keymgmt/dh_kmgmt.c
+@@ -420,6 +420,11 @@ static int dh_validate(const void *keyda
+     if ((selection & DH_POSSIBLE_SELECTIONS) == 0)
+         return 1; /* nothing to validate */
+ 
++#ifdef FIPS_MODULE
++    /* In FIPS provider, always check the domain parameters to disallow
++     * operations on keys with FIPS 186-4 params. */
++    selection |= OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS;
++#endif
+     if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) {
+         /*
+          * Both of these functions check parameters. DH_check_params_ex()
+Index: openssl-3.5.0-beta1/test/endecode_test.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/test/endecode_test.c
++++ openssl-3.5.0-beta1/test/endecode_test.c
+@@ -85,10 +85,10 @@ static EVP_PKEY *make_template(const cha
+      * for testing only. Use a minimum key size of 2048 for security purposes.
+      */
+     if (strcmp(type, "DH") == 0)
+-        return get_dh512(keyctx);
++        return get_dh2048(keyctx);
+ 
+     if (strcmp(type, "X9.42 DH") == 0)
+-        return get_dhx512(keyctx);
++        return get_dhx_ffdhe2048(keyctx);
+ # endif
+ 
+     /*
+Index: openssl-3.5.0-beta1/test/evp_libctx_test.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/test/evp_libctx_test.c
++++ openssl-3.5.0-beta1/test/evp_libctx_test.c
+@@ -222,7 +222,7 @@ static int do_dh_param_keygen(int tstid,
+ 
+     if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL))
+         || !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0)
+-        || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey), expected))
++        || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey) == 1, expected))
+         goto err;
+ 
+     if (expected) {
+Index: openssl-3.5.0-beta1/test/helpers/predefined_dhparams.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/test/helpers/predefined_dhparams.c
++++ openssl-3.5.0-beta1/test/helpers/predefined_dhparams.c
+@@ -116,6 +116,68 @@ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libct
+                           dhx512_q, sizeof(dhx512_q));
+ }
+ 
++EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx)
++{
++    /* This is RFC 7919 ffdhe2048, since SUSE/openSUSE removes support for
++     * non-well-known groups in FIPS mode. */
++    static unsigned char dhx_p[] = {
++        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xad, 0xf8, 0x54, 0x58,
++        0xa2, 0xbb, 0x4a, 0x9a, 0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1,
++        0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95, 0xa9, 0xe1, 0x36, 0x41,
++        0x14, 0x64, 0x33, 0xfb, 0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9,
++        0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8, 0xf6, 0x81, 0xb2, 0x02,
++        0xae, 0xc4, 0x61, 0x7a, 0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61,
++        0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0, 0x85, 0x63, 0x65, 0x55,
++        0x3d, 0xed, 0x1a, 0xf3, 0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35,
++        0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77, 0xe2, 0xa6, 0x89, 0xda,
++        0xf3, 0xef, 0xe8, 0x72, 0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35,
++        0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a, 0xbc, 0x0a, 0xb1, 0x82,
++        0xb3, 0x24, 0xfb, 0x61, 0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb,
++        0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68, 0x1d, 0x4f, 0x42, 0xa3,
++        0xde, 0x39, 0x4d, 0xf4, 0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19,
++        0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70, 0x9e, 0x02, 0xfc, 0xe1,
++        0xcd, 0xf7, 0xe2, 0xec, 0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61,
++        0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff, 0x8e, 0x4f, 0x12, 0x32,
++        0xee, 0xf2, 0x81, 0x83, 0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73,
++        0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05, 0xc5, 0x8e, 0xf1, 0x83,
++        0x7d, 0x16, 0x83, 0xb2, 0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa,
++        0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97, 0xff, 0xff, 0xff, 0xff,
++        0xff, 0xff, 0xff, 0xff
++    };
++    static unsigned char dhx_g[] = {
++        0x02
++    };
++    static unsigned char dhx_q[] = {
++        0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xd6, 0xfc, 0x2a, 0x2c,
++        0x51, 0x5d, 0xa5, 0x4d, 0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78,
++        0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a, 0xd4, 0xf0, 0x9b, 0x20,
++        0x8a, 0x32, 0x19, 0xfd, 0xe6, 0x49, 0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c,
++        0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec, 0x7b, 0x40, 0xd9, 0x01,
++        0x57, 0x62, 0x30, 0xbd, 0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0,
++        0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68, 0x42, 0xb1, 0xb2, 0xaa,
++        0x9e, 0xf6, 0x8d, 0x79, 0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a,
++        0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb, 0xf1, 0x53, 0x44, 0xed,
++        0x79, 0xf7, 0xf4, 0x39, 0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a,
++        0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd, 0x5e, 0x05, 0x58, 0xc1,
++        0x59, 0x92, 0x7d, 0xb0, 0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd,
++        0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34, 0x0e, 0xa7, 0xa1, 0x51,
++        0xef, 0x1c, 0xa6, 0xfa, 0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c,
++        0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8, 0x4f, 0x01, 0x7e, 0x70,
++        0xe6, 0xfb, 0xf1, 0x76, 0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0,
++        0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff, 0xc7, 0x27, 0x89, 0x19,
++        0x77, 0x79, 0x40, 0xc1, 0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9,
++        0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02, 0xe2, 0xc7, 0x78, 0xc1,
++        0xbe, 0x8b, 0x41, 0xd9, 0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd,
++        0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b, 0xff, 0xff, 0xff, 0xff,
++        0xff, 0xff, 0xff, 0xff
++    };
++
++    return get_dh_from_pg(libctx, "X9.42 DH",
++                          dhx_p, sizeof(dhx_p),
++                          dhx_g, sizeof(dhx_g),
++                          dhx_q, sizeof(dhx_q));
++}
++
+ EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libctx)
+ {
+     static unsigned char dh1024_p[] = {
+Index: openssl-3.5.0-beta1/test/helpers/predefined_dhparams.h
+===================================================================
+--- openssl-3.5.0-beta1.orig/test/helpers/predefined_dhparams.h
++++ openssl-3.5.0-beta1/test/helpers/predefined_dhparams.h
+@@ -12,6 +12,7 @@
+ #ifndef OPENSSL_NO_DH
+ EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx);
+ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx);
++EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx);
+ EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libct);
+ EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx);
+ EVP_PKEY *get_dh4096(OSSL_LIB_CTX *libctx);
+Index: openssl-3.5.0-beta1/test/recipes/80-test_ssl_old.t
+===================================================================
+--- openssl-3.5.0-beta1.orig/test/recipes/80-test_ssl_old.t
++++ openssl-3.5.0-beta1/test/recipes/80-test_ssl_old.t
+@@ -458,6 +458,9 @@ sub testssl {
+             skip "skipping dhe1024dsa test", 1
+                 if ($no_dh);
+ 
++            skip "FIPS 186-4 type DH groups are no longer supported by the FIPS provider", 1
++                if $provider eq "fips";
++
+             ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])),
+                'test sslv2/sslv3 with 1024bit DHE via BIO pair');
+           }

openssl-Disable-default-provider-for-test-suite.patch

@@ -0,0 +1,19 @@
+Index: openssl-3.1.4/apps/openssl.cnf
+===================================================================
+--- openssl-3.1.4.orig/apps/openssl.cnf
++++ openssl-3.1.4/apps/openssl.cnf
+@@ -70,11 +70,11 @@ engines = engine_section
+ # to side-channel attacks and as such have been deprecated.
+ 
+ [provider_sect]
+-default = default_sect
++##default = default_sect
+ ##legacy = legacy_sect
+ 
+-[default_sect]
+-activate = 1
++##[default_sect]
++##activate = 1
+ 
+ ##[legacy_sect]
+ ##activate = 1

openssl-Disable-explicit-ec.patch

@@ -0,0 +1,235 @@
+From 9cc542ae6077ca689f7fe2f7e64edb4bb9d72f7f Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:15 +0100
+Subject: [PATCH 12/53] RH: Disable explicit ec curves
+
+Patch-name: 0012-Disable-explicit-ec.patch
+Patch-id: 12
+Patch-status: |
+    # # Disable explicit EC curves
+    # # https://bugzilla.redhat.com/show_bug.cgi?id=2066412
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ crypto/ec/ec_asn1.c                           | 11 ++++++++++
+ crypto/ec/ec_lib.c                            |  6 +++++
+ test/ectest.c                                 | 22 ++++++++++---------
+ test/endecode_test.c                          | 20 ++++++++---------
+ .../30-test_evp_data/evppkey_ecdsa.txt        | 12 ----------
+ 5 files changed, 39 insertions(+), 32 deletions(-)
+
+diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
+index 643d2d8d7b..5895606176 100644
+--- a/crypto/ec/ec_asn1.c
++++ b/crypto/ec/ec_asn1.c
+@@ -901,6 +901,12 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len)
+     if (params->type == ECPKPARAMETERS_TYPE_EXPLICIT)
+         group->decoded_from_explicit_params = 1;
+ 
++    if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) {
++        EC_GROUP_free(group);
++        ECPKPARAMETERS_free(params);
++        return NULL;
++    }
++
+     if (a) {
+         EC_GROUP_free(*a);
+         *a = group;
+@@ -960,6 +966,11 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
+         goto err;
+     }
+ 
++    if (EC_GROUP_check_named_curve(ret->group, 0, NULL) == NID_undef) {
++        ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP);
++        goto err;
++    }
++
+     ret->version = priv_key->version;
+ 
+     if (priv_key->privateKey) {
+diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
+index b55677fb1f..dcfdef408e 100644
+--- a/crypto/ec/ec_lib.c
++++ b/crypto/ec/ec_lib.c
+@@ -1728,6 +1728,11 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
+         goto err;
+     }
+     if (named_group == group) {
++        if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) {
++            ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP);
++            goto err;
++        }
++#if 0
+         /*
+          * If we did not find a named group then the encoding should be explicit
+          * if it was specified
+@@ -1743,6 +1748,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
+             goto err;
+         }
+         EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);
++#endif
+     } else {
+         EC_GROUP_free(group);
+         group = named_group;
+diff --git a/test/ectest.c b/test/ectest.c
+index 0ddbba3b98..f736d13feb 100644
+--- a/test/ectest.c
++++ b/test/ectest.c
+@@ -2413,10 +2413,11 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
+     if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
+         || !TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL))
+         || !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0)
+-        || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkeyparam,
++        || !TEST_int_le(EVP_PKEY_fromdata(pctx, &pkeyparam,
+                                           EVP_PKEY_KEY_PARAMETERS, params), 0))
+         goto err;
+-
++/* As creating the key should fail, the rest of the test is pointless */
++# if 0
+     /*- Check that all the set values are retrievable -*/
+ 
+     /* There should be no match to a group name since the generator changed */
+@@ -2545,6 +2546,7 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
+ #endif
+         )
+         goto err;
++#endif
+     ret = 1;
+ err:
+     BN_free(order_out);
+@@ -2826,21 +2828,21 @@ static int custom_params_test(int id)
+ 
+     /* Compute keyexchange in both directions */
+     if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL))
+-            || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1)
+-            || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
++            || !TEST_int_le(EVP_PKEY_derive_init(pctx1), 0)
++/*          || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
+             || !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &sslen), 1)
+             || !TEST_int_gt(bsize, sslen)
+-            || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1))
++            || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1)*/)
+         goto err;
+     if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new(pkey2, NULL))
+-            || !TEST_int_eq(EVP_PKEY_derive_init(pctx2), 1)
+-            || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)
++            || !TEST_int_le(EVP_PKEY_derive_init(pctx2), 1)
++/*          || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)
+             || !TEST_int_eq(EVP_PKEY_derive(pctx2, NULL, &t), 1)
+             || !TEST_int_gt(bsize, t)
+             || !TEST_int_le(sslen, t)
+-            || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1))
++            || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1) */)
+         goto err;
+-
++#if 0
+     /* Both sides should expect the same shared secret */
+     if (!TEST_mem_eq(buf1, sslen, buf2, t))
+         goto err;
+@@ -2892,7 +2894,7 @@ static int custom_params_test(int id)
+             /* compare with previous result */
+             || !TEST_mem_eq(buf1, t, buf2, sslen))
+         goto err;
+-
++#endif
+     ret = 1;
+ 
+  err:
+diff --git a/test/endecode_test.c b/test/endecode_test.c
+index 028deb4ed1..85c84f6592 100644
+--- a/test/endecode_test.c
++++ b/test/endecode_test.c
+@@ -63,7 +63,7 @@ static BN_CTX *bnctx = NULL;
+ static OSSL_PARAM_BLD *bld_prime_nc = NULL;
+ static OSSL_PARAM_BLD *bld_prime = NULL;
+ static OSSL_PARAM *ec_explicit_prime_params_nc = NULL;
+-static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL;
++/*static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL;*/
+ 
+ # ifndef OPENSSL_NO_EC2M
+ static OSSL_PARAM_BLD *bld_tri_nc = NULL;
+@@ -1027,9 +1027,9 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC")
+ DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
+ IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC", 1)
+ IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve, "EC")
+-DOMAIN_KEYS(ECExplicitPrime2G);
+-IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)
+-IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")
++/*DOMAIN_KEYS(ECExplicitPrime2G);*/
++/*IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)*/
++/*IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")*/
+ # ifndef OPENSSL_NO_EC2M
+ DOMAIN_KEYS(ECExplicitTriNamedCurve);
+ IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC", 1)
+@@ -1445,7 +1445,7 @@ int setup_tests(void)
+         || !create_ec_explicit_prime_params_namedcurve(bld_prime_nc)
+         || !create_ec_explicit_prime_params(bld_prime)
+         || !TEST_ptr(ec_explicit_prime_params_nc = OSSL_PARAM_BLD_to_param(bld_prime_nc))
+-        || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))
++/*        || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))*/
+ # ifndef OPENSSL_NO_EC2M
+         || !TEST_ptr(bld_tri_nc = OSSL_PARAM_BLD_new())
+         || !TEST_ptr(bld_tri = OSSL_PARAM_BLD_new())
+@@ -1473,7 +1473,7 @@ int setup_tests(void)
+     TEST_info("Generating EC keys...");
+     MAKE_DOMAIN_KEYS(EC, "EC", EC_params);
+     MAKE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve, "EC", ec_explicit_prime_params_nc);
+-    MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);
++/*    MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);*/
+ # ifndef OPENSSL_NO_EC2M
+     MAKE_DOMAIN_KEYS(ECExplicitTriNamedCurve, "EC", ec_explicit_tri_params_nc);
+     MAKE_DOMAIN_KEYS(ECExplicitTri2G, "EC", ec_explicit_tri_params_explicit);
+@@ -1553,8 +1553,8 @@ int setup_tests(void)
+         ADD_TEST_SUITE_LEGACY(EC);
+         ADD_TEST_SUITE(ECExplicitPrimeNamedCurve);
+         ADD_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve);
+-        ADD_TEST_SUITE(ECExplicitPrime2G);
+-        ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);
++/*        ADD_TEST_SUITE(ECExplicitPrime2G);*/
++/*        ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);*/
+ # ifndef OPENSSL_NO_EC2M
+         ADD_TEST_SUITE(ECExplicitTriNamedCurve);
+         ADD_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve);
+@@ -1631,7 +1631,7 @@ void cleanup_tests(void)
+ {
+ #ifndef OPENSSL_NO_EC
+     OSSL_PARAM_free(ec_explicit_prime_params_nc);
+-    OSSL_PARAM_free(ec_explicit_prime_params_explicit);
++/*    OSSL_PARAM_free(ec_explicit_prime_params_explicit);*/
+     OSSL_PARAM_BLD_free(bld_prime_nc);
+     OSSL_PARAM_BLD_free(bld_prime);
+ # ifndef OPENSSL_NO_EC2M
+@@ -1653,7 +1653,7 @@ void cleanup_tests(void)
+ #ifndef OPENSSL_NO_EC
+     FREE_DOMAIN_KEYS(EC);
+     FREE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
+-    FREE_DOMAIN_KEYS(ECExplicitPrime2G);
++/*    FREE_DOMAIN_KEYS(ECExplicitPrime2G);*/
+ # ifndef OPENSSL_NO_EC2M
+     FREE_DOMAIN_KEYS(ECExplicitTriNamedCurve);
+     FREE_DOMAIN_KEYS(ECExplicitTri2G);
+diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+index 54b143bead..06ec905be0 100644
+--- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
++++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+@@ -133,18 +133,6 @@ AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgiUTxtr5vLVjj
+ 3ev1gTwRBduzqqlwd54AUSgI+pjttW8zrWNitO8H1sf59MPWOESKxNtZ1+Nl
+ -----END PRIVATE KEY-----
+ 
+-PrivateKey = EC_EXPLICIT
+------BEGIN PRIVATE KEY-----
+-MIIBeQIBADCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAAB
+-AAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA
+-///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMV
+-AMSdNgiG5wSTamZ44ROdJreBn36QBEEE5JcIvn36opqjEm/k59Al40rBAxWM2TPG
+-l0L13Je51zHpfXQ9Z2o7IQicMXP4wSfJ0qCgg2bgydqoxlYrlLGuVQIhAP////8A
+-AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgec92jwduadCk
+-OjoNRI+YT5Be5TkzZXzYCyTLkMOikDmhRANCAATtECEhQbLEaiUj/Wu0qjcr81lL
+-46dx5zYgArz/iaSNJ3W80oO+F7v04jlQ7wxQzg96R0bwKiMeq5CcW9ZFt6xg
+------END PRIVATE KEY-----
+-
+ PrivateKey = B-163
+ -----BEGIN PRIVATE KEY-----
+ MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K
+-- 
+2.49.0
+

openssl-Enable-BTI-feature-for-md5-on-aarch64.patch

@@ -0,0 +1,28 @@
+From d2bfec6e464aeb247a2d6853668d4e473f19e15f Mon Sep 17 00:00:00 2001
+From: "fangming.fang" <fangming.fang@arm.com>
+Date: Thu, 7 Dec 2023 06:17:51 +0000
+Subject: [PATCH] Enable BTI feature for md5 on aarch64
+
+Fixes: #22959
+---
+ crypto/md5/asm/md5-aarch64.pl | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/crypto/md5/asm/md5-aarch64.pl b/crypto/md5/asm/md5-aarch64.pl
+index 3200a0fa9bff0..5a8608069691d 100755
+--- a/crypto/md5/asm/md5-aarch64.pl
++++ b/crypto/md5/asm/md5-aarch64.pl
+@@ -28,10 +28,13 @@
+ *STDOUT=*OUT;
+ 
+ $code .= <<EOF;
++#include "arm_arch.h"
++
+ .text
+ .globl  ossl_md5_block_asm_data_order
+ .type   ossl_md5_block_asm_data_order,\@function
+ ossl_md5_block_asm_data_order:
++        AARCH64_VALID_CALL_TARGET
+         // Save all callee-saved registers
+         stp     x19,x20,[sp,#-80]!
+         stp     x21,x22,[sp,#16]

openssl-FIPS-140-3-DRBG.patch

@@ -0,0 +1,137 @@
+Index: openssl-3.2.3/crypto/rand/prov_seed.c
+===================================================================
+--- openssl-3.2.3.orig/crypto/rand/prov_seed.c
++++ openssl-3.2.3/crypto/rand/prov_seed.c
+@@ -23,7 +23,14 @@ size_t ossl_rand_get_entropy(ossl_unused
+     size_t entropy_available;
+     RAND_POOL *pool;
+ 
+-    pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
++    /*
++     * OpenSSL still implements an internal entropy pool of
++     * some size that is hashed to get seed data.
++     * Note that this is a conditioning step for which SP800-90C requires
++     * 64 additional bits from the entropy source to claim the requested
++     * amount of entropy.
++     */
++    pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
+     if (pool == NULL) {
+         ERR_raise(ERR_LIB_RAND, ERR_R_RAND_LIB);
+         return 0;
+Index: openssl-3.2.3/crypto/rand/rand_lib.c
+===================================================================
+--- openssl-3.2.3.orig/crypto/rand/rand_lib.c
++++ openssl-3.2.3/crypto/rand/rand_lib.c
+@@ -723,15 +723,7 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB
+         return ret;
+     }
+ 
+-#ifndef FIPS_MODULE
+-    if (dgbl->seed == NULL) {
+-        ERR_set_mark();
+-        dgbl->seed = rand_new_seed(ctx);
+-        ERR_pop_to_mark();
+-    }
+-#endif
+-
+-    ret = dgbl->primary = rand_new_drbg(ctx, dgbl->seed,
++    ret = dgbl->primary = rand_new_drbg(ctx, NULL,
+                                         PRIMARY_RESEED_INTERVAL,
+                                         PRIMARY_RESEED_TIME_INTERVAL, 1);
+     /*
+Index: openssl-3.2.3/providers/implementations/rands/crngt.c
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/rands/crngt.c
++++ openssl-3.2.3/providers/implementations/rands/crngt.c
+@@ -133,7 +133,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG
+      * to the nearest byte.  If the entropy is of less than full quality,
+      * the amount required should be scaled up appropriately here.
+      */
+-    bytes_needed = (entropy + 7) / 8;
++    /*
++     * FIPS 140-3: the yet draft SP800-90C requires requested entropy
++     * + 128 bits during initial seeding
++     */
++    bytes_needed = (entropy + 128 + 7) / 8;
+     if (bytes_needed < min_len)
+         bytes_needed = min_len;
+     if (bytes_needed > max_len)
+Index: openssl-3.2.3/providers/implementations/rands/drbg.c
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/rands/drbg.c
++++ openssl-3.2.3/providers/implementations/rands/drbg.c
+@@ -569,6 +569,9 @@ static int ossl_prov_drbg_reseed_unlocke
+ #endif
+     }
+ 
++#ifdef FIPS_MODULE
++    prediction_resistance = 1;
++#endif
+     /* Reseed using our sources in addition */
+     entropylen = get_entropy(drbg, &entropy, drbg->strength,
+                              drbg->min_entropylen, drbg->max_entropylen,
+@@ -690,8 +693,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d
+             reseed_required = 1;
+     }
+     if (drbg->parent != NULL
+-            && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
++            && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) {
++#ifdef FIPS_MODULE
++        /* SUSE patches provide chain reseeding when necessary so just sync counters*/
++        drbg->parent_reseed_counter = get_parent_reseed_count(drbg);
++#else
+         reseed_required = 1;
++#endif
++        }
+ 
+     if (reseed_required || prediction_resistance) {
+         if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL,
+Index: openssl-3.2.3/providers/implementations/rands/drbg_local.h
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/rands/drbg_local.h
++++ openssl-3.2.3/providers/implementations/rands/drbg_local.h
+@@ -38,7 +38,7 @@
+  *
+  * The value is in bytes.
+  */
+-#define CRNGT_BUFSIZ    16
++#define CRNGT_BUFSIZ   32
+ 
+ /*
+  * Maximum input size for the DRBG (entropy, nonce, personalization string)
+Index: openssl-3.2.3/providers/implementations/rands/seed_src.c
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/rands/seed_src.c
++++ openssl-3.2.3/providers/implementations/rands/seed_src.c
+@@ -102,7 +102,14 @@ static int seed_src_generate(void *vseed
+         return 0;
+     }
+ 
+-    pool = ossl_rand_pool_new(strength, 1, outlen, outlen);
++    /*
++     * OpenSSL still implements an internal entropy pool of
++     * some size that is hashed to get seed data.
++     * Note that this is a conditioning step for which SP800-90C requires
++     * 64 additional bits from the entropy source to claim the requested
++     * amount of entropy.
++     */
++    pool = ossl_rand_pool_new(strength + 64, 1, outlen, outlen);
+     if (pool == NULL) {
+         ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
+         return 0;
+@@ -182,7 +189,14 @@ static size_t seed_get_seed(void *vseed,
+     size_t i;
+     RAND_POOL *pool;
+ 
+-    pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
++    /*
++     * OpenSSL still implements an internal entropy pool of
++     * some size that is hashed to get seed data.
++     * Note that this is a conditioning step for which SP800-90C requires
++     * 64 additional bits from the entropy source to claim the requested
++     * amount of entropy.
++     */
++    pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
+     if (pool == NULL) {
+         ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
+         return 0;

openssl-FIPS-140-3-keychecks.patch

@@ -0,0 +1,379 @@
+From 36d037a91a3ad76988c4495547c2bca33b525811 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Mon, 24 Mar 2025 10:50:37 -0400
+Subject: [PATCH 27/53] FIPS: RSA: PCTs
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ providers/implementations/keymgmt/rsa_kmgmt.c | 18 +++++++
+ providers/implementations/signature/rsa_sig.c | 47 +++++++++++++++++--
+ 2 files changed, 61 insertions(+), 4 deletions(-)
+
+Index: openssl-3.5.0-beta1/providers/implementations/keymgmt/rsa_kmgmt.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/providers/implementations/keymgmt/rsa_kmgmt.c
++++ openssl-3.5.0-beta1/providers/implementations/keymgmt/rsa_kmgmt.c
+@@ -433,6 +433,7 @@ struct rsa_gen_ctx {
+ #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
+     /* ACVP test parameters */
+     OSSL_PARAM *acvp_test_params;
++    void *prov_rsa_ctx;
+ #endif
+ };
+ 
+@@ -446,6 +447,12 @@ static int rsa_gencb(int p, int n, BN_GE
+     return gctx->cb(params, gctx->cbarg);
+ }
+ 
++#ifdef FIPS_MODULE
++void *rsa_newctx(void *provctx, const char *propq);
++void rsa_freectx(void *vctx);
++int do_rsa_pct(void *, const char *, void *);
++#endif
++
+ static void *gen_init(void *provctx, int selection, int rsa_type,
+                       const OSSL_PARAM params[])
+ {
+@@ -473,6 +480,10 @@ static void *gen_init(void *provctx, int
+ 
+     if (!rsa_gen_set_params(gctx, params))
+         goto err;
++#ifdef FIPS_MODULE
++    if (gctx != NULL)
++        gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL);
++#endif
+     return gctx;
+ 
+ err:
+@@ -629,6 +640,11 @@ static void *rsa_gen(void *genctx, OSSL_
+ 
+     rsa = rsa_tmp;
+     rsa_tmp = NULL;
++#ifdef FIPS_MODULE
++    /* Pairwise consistency test */
++    if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1)
++        abort();
++#endif
+  err:
+     BN_GENCB_free(gencb);
+     RSA_free(rsa_tmp);
+@@ -644,6 +660,8 @@ static void rsa_gen_cleanup(void *genctx
+ #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
+     ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params);
+     gctx->acvp_test_params = NULL;
++    rsa_freectx(gctx->prov_rsa_ctx);
++    gctx->prov_rsa_ctx = NULL;
+ #endif
+     BN_clear_free(gctx->pub_exp);
+     OPENSSL_free(gctx);
+Index: openssl-3.5.0-beta1/providers/implementations/signature/rsa_sig.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/providers/implementations/signature/rsa_sig.c
++++ openssl-3.5.0-beta1/providers/implementations/signature/rsa_sig.c
+@@ -35,7 +35,7 @@
+ 
+ #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
+ 
+-static OSSL_FUNC_signature_newctx_fn rsa_newctx;
++OSSL_FUNC_signature_newctx_fn rsa_newctx;
+ static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
+ static OSSL_FUNC_signature_verify_init_fn rsa_verify_init;
+ static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init;
+@@ -52,7 +52,7 @@ static OSSL_FUNC_signature_digest_sign_f
+ static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init;
+ static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_verify_update;
+ static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final;
+-static OSSL_FUNC_signature_freectx_fn rsa_freectx;
++OSSL_FUNC_signature_freectx_fn rsa_freectx;
+ static OSSL_FUNC_signature_dupctx_fn rsa_dupctx;
+ static OSSL_FUNC_signature_query_key_types_fn rsa_sigalg_query_key_types;
+ static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params;
+@@ -224,7 +224,7 @@ static int rsa_check_parameters(PROV_RSA
+     return 1;
+ }
+ 
+-static void *rsa_newctx(void *provctx, const char *propq)
++void *rsa_newctx(void *provctx, const char *propq)
+ {
+     PROV_RSA_CTX *prsactx = NULL;
+     char *propq_copy = NULL;
+@@ -1313,7 +1313,7 @@ int rsa_digest_verify_final(void *vprsac
+     return ok;
+ }
+ 
+-static void rsa_freectx(void *vprsactx)
++void rsa_freectx(void *vprsactx)
+ {
+     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
+ 
+@@ -1858,6 +1858,45 @@ static const OSSL_PARAM *rsa_settable_ct
+     return EVP_MD_settable_ctx_params(prsactx->md);
+ }
+ 
++#ifdef FIPS_MODULE
++int do_rsa_pct(void *vctx, const char *mdname, void *rsa)
++{
++    static const unsigned char data[32];
++    unsigned char *sigbuf = NULL;
++    size_t siglen = 0;
++    int ret = 0;
++
++    if (rsa_digest_sign_init(vctx, mdname, rsa, NULL) <= 0)
++        return 0;
++
++    if (rsa_digest_sign_update(vctx, data, sizeof(data)) <= 0)
++        return 0;
++
++    if (rsa_digest_sign_final(vctx, NULL, &siglen, 0) <= 0)
++        return 0;
++
++    if ((sigbuf = OPENSSL_malloc(siglen)) == NULL)
++        return 0;
++
++    if (rsa_digest_sign_final(vctx, sigbuf, &siglen, siglen) <= 0)
++        goto err;
++
++    if (rsa_digest_verify_init(vctx, mdname, rsa, NULL) <= 0)
++        goto err;
++
++    if (rsa_digest_verify_update(vctx, data, sizeof(data)) <= 0)
++        goto err;
++
++    if (rsa_digest_verify_final(vctx, sigbuf, siglen) <= 0)
++        goto err;
++    ret = 1;
++
++ err:
++    OPENSSL_free(sigbuf);
++    return ret;
++}
++#endif
++
+ const OSSL_DISPATCH ossl_rsa_signature_functions[] = {
+     { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
+     { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
+Index: openssl-3.5.0-beta1/crypto/dh/dh_key.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/crypto/dh/dh_key.c
++++ openssl-3.5.0-beta1/crypto/dh/dh_key.c
+@@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *k
+     BN_MONT_CTX *mont = NULL;
+     BIGNUM *z = NULL, *pminus1;
+     int ret = -1;
++#ifdef FIPS_MODULE
++    int validate = 0;
++#endif
+ 
+     if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
+         ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
+@@ -60,6 +63,13 @@ int ossl_dh_compute_key(unsigned char *k
+         return 0;
+     }
+ 
++#ifdef FIPS_MODULE
++    if (DH_check_pub_key(dh, pub_key, &validate) <= 0) {
++        ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID);
++        return 0;
++    }
++#endif
++
+     ctx = BN_CTX_new_ex(dh->libctx);
+     if (ctx == NULL)
+         goto err;
+@@ -271,6 +281,9 @@ static int generate_key(DH *dh)
+ #endif
+     BN_CTX *ctx = NULL;
+     BIGNUM *pub_key = NULL, *priv_key = NULL;
++#ifdef FIPS_MODULE
++    int validate = 0;
++#endif
+ 
+     if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
+         ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
+@@ -369,8 +382,21 @@ static int generate_key(DH *dh)
+     if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key))
+         goto err;
+ 
++#ifdef FIPS_MODULE
++    if (DH_check_pub_key(dh, pub_key, &validate) <= 0) {
++        ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID);
++        goto err;
++    }
++#endif
++
+     dh->pub_key = pub_key;
+     dh->priv_key = priv_key;
++#ifdef FIPS_MODULE
++    if (ossl_dh_check_pairwise(dh) <= 0) {
++        abort();
++    }
++#endif
++
+     dh->dirty_cnt++;
+     ok = 1;
+  err:
+Index: openssl-3.5.0-beta1/providers/implementations/exchange/ecdh_exch.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/providers/implementations/exchange/ecdh_exch.c
++++ openssl-3.5.0-beta1/providers/implementations/exchange/ecdh_exch.c
+@@ -560,6 +560,25 @@ int ecdh_plain_derive(void *vpecdhctx, u
+ #endif
+ 
+     ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk);
++#ifdef FIPS_MODULE
++    {
++        BN_CTX *bn_ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(privk));
++        int check = 0;
++
++        if (bn_ctx == NULL) {
++            ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
++            goto end;
++        }
++
++        check = ossl_ec_key_public_check(pecdhctx->peerk, bn_ctx);
++        BN_CTX_free(bn_ctx);
++
++        if (check <= 0) {
++            ERR_raise(ERR_LIB_PROV, EC_R_INVALID_PEER_KEY);
++            goto end;
++        }
++    }
++#endif
+ 
+     retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL);
+ 
+Index: openssl-3.5.0-beta1/providers/implementations/keymgmt/ec_kmgmt.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/providers/implementations/keymgmt/ec_kmgmt.c
++++ openssl-3.5.0-beta1/providers/implementations/keymgmt/ec_kmgmt.c
+@@ -993,9 +993,18 @@ struct ec_gen_ctx {
+     EC_GROUP *gen_group;
+     unsigned char *dhkem_ikm;
+     size_t dhkem_ikmlen;
++#ifdef FIPS_MODULE
++    void *ecdsa_sig_ctx;
++#endif
+     OSSL_FIPS_IND_DECLARE
+ };
+ 
++#ifdef FIPS_MODULE
++void *ecdsa_newctx(void *provctx, const char *propq);
++void ecdsa_freectx(void *vctx);
++int do_ec_pct(void *, const char *, void *);
++#endif
++
+ static void *ec_gen_init(void *provctx, int selection,
+                          const OSSL_PARAM params[])
+ {
+@@ -1015,6 +1024,10 @@ static void *ec_gen_init(void *provctx,
+             gctx = NULL;
+         }
+     }
++#ifdef FIPS_MODULE
++    if (gctx != NULL)
++        gctx->ecdsa_sig_ctx = ecdsa_newctx(provctx, NULL);
++#endif
+     return gctx;
+ }
+ 
+@@ -1326,6 +1339,12 @@ static void *ec_gen(void *genctx, OSSL_C
+ 
+     if (gctx->ecdh_mode != -1)
+         ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode);
++#ifdef FIPS_MODULE
++    /* Pairwise consistency test */
++    if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0
++        && do_ec_pct(gctx->ecdsa_sig_ctx, "sha256", ec) != 1)
++        abort();
++#endif
+ 
+     if (gctx->group_check != NULL)
+         ret = ret && ossl_ec_set_check_group_type_from_name(ec,
+@@ -1396,7 +1415,10 @@ static void ec_gen_cleanup(void *genctx)
+ 
+     if (gctx == NULL)
+         return;
+-
++#ifdef FIPS_MODULE
++    ecdsa_freectx(gctx->ecdsa_sig_ctx);
++    gctx->ecdsa_sig_ctx = NULL;
++#endif
+     OPENSSL_clear_free(gctx->dhkem_ikm, gctx->dhkem_ikmlen);
+     EC_GROUP_free(gctx->gen_group);
+     BN_free(gctx->p);
+Index: openssl-3.5.0-beta1/providers/implementations/signature/ecdsa_sig.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/providers/implementations/signature/ecdsa_sig.c
++++ openssl-3.5.0-beta1/providers/implementations/signature/ecdsa_sig.c
+@@ -33,7 +33,7 @@
+ #include "prov/der_ec.h"
+ #include "crypto/ec.h"
+ 
+-static OSSL_FUNC_signature_newctx_fn ecdsa_newctx;
++OSSL_FUNC_signature_newctx_fn ecdsa_newctx;
+ static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init;
+ static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init;
+ static OSSL_FUNC_signature_sign_fn ecdsa_sign;
+@@ -48,7 +48,7 @@ static OSSL_FUNC_signature_digest_sign_f
+ static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init;
+ static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update;
+ static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final;
+-static OSSL_FUNC_signature_freectx_fn ecdsa_freectx;
++OSSL_FUNC_signature_freectx_fn ecdsa_freectx;
+ static OSSL_FUNC_signature_dupctx_fn ecdsa_dupctx;
+ static OSSL_FUNC_signature_query_key_types_fn ecdsa_sigalg_query_key_types;
+ static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params;
+@@ -139,7 +139,7 @@ typedef struct {
+     OSSL_FIPS_IND_DECLARE
+ } PROV_ECDSA_CTX;
+ 
+-static void *ecdsa_newctx(void *provctx, const char *propq)
++void *ecdsa_newctx(void *provctx, const char *propq)
+ {
+     PROV_ECDSA_CTX *ctx;
+ 
+@@ -604,7 +604,7 @@ int ecdsa_digest_verify_final(void *vctx
+     return ok;
+ }
+ 
+-static void ecdsa_freectx(void *vctx)
++void ecdsa_freectx(void *vctx)
+ {
+     PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
+ 
+@@ -853,6 +853,35 @@ static const OSSL_PARAM *ecdsa_settable_
+     return EVP_MD_settable_ctx_params(ctx->md);
+ }
+ 
++#ifdef FIPS_MODULE
++int do_ec_pct(void *vctx, const char *mdname, void *ec)
++{
++    static const unsigned char data[32];
++    unsigned char sigbuf[256];
++    size_t siglen = sizeof(sigbuf);
++
++    if (ecdsa_digest_sign_init(vctx, mdname, ec, NULL) <= 0)
++        return 0;
++
++    if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
++        return 0;
++
++    if (ecdsa_digest_sign_final(vctx, sigbuf, &siglen, sizeof(sigbuf)) <= 0)
++        return 0;
++
++    if (ecdsa_digest_verify_init(vctx, mdname, ec, NULL) <= 0)
++        return 0;
++
++    if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
++        return 0;
++
++    if (ecdsa_digest_verify_final(vctx, sigbuf, siglen) <= 0)
++        return 0;
++
++    return 1;
++}
++#endif
++
+ const OSSL_DISPATCH ossl_ecdsa_signature_functions[] = {
+     { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx },
+     { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init },

openssl-FIPS-140-3-zeroization.patch

@@ -0,0 +1,81 @@
+Index: openssl-3.2.3/crypto/ec/ec_lib.c
+===================================================================
+--- openssl-3.2.3.orig/crypto/ec/ec_lib.c
++++ openssl-3.2.3/crypto/ec/ec_lib.c
+@@ -743,12 +743,16 @@ EC_POINT *EC_POINT_new(const EC_GROUP *g
+ 
+ void EC_POINT_free(EC_POINT *point)
+ {
++#ifdef FIPS_MODULE
++    EC_POINT_clear_free(point);
++#else
+     if (point == NULL)
+         return;
+ 
+     if (point->meth->point_finish != 0)
+         point->meth->point_finish(point);
+     OPENSSL_free(point);
++#endif
+ }
+ 
+ void EC_POINT_clear_free(EC_POINT *point)
+Index: openssl-3.2.3/crypto/ffc/ffc_params.c
+===================================================================
+--- openssl-3.2.3.orig/crypto/ffc/ffc_params.c
++++ openssl-3.2.3/crypto/ffc/ffc_params.c
+@@ -27,10 +27,10 @@ void ossl_ffc_params_init(FFC_PARAMS *pa
+ 
+ void ossl_ffc_params_cleanup(FFC_PARAMS *params)
+ {
+-    BN_free(params->p);
+-    BN_free(params->q);
+-    BN_free(params->g);
+-    BN_free(params->j);
++    BN_clear_free(params->p);
++    BN_clear_free(params->q);
++    BN_clear_free(params->g);
++    BN_clear_free(params->j);
+     OPENSSL_free(params->seed);
+     ossl_ffc_params_init(params);
+ }
+Index: openssl-3.2.3/crypto/rsa/rsa_lib.c
+===================================================================
+--- openssl-3.2.3.orig/crypto/rsa/rsa_lib.c
++++ openssl-3.2.3/crypto/rsa/rsa_lib.c
+@@ -159,8 +159,8 @@ void RSA_free(RSA *r)
+     CRYPTO_THREAD_lock_free(r->lock);
+     CRYPTO_FREE_REF(&r->references);
+ 
+-    BN_free(r->n);
+-    BN_free(r->e);
++    BN_clear_free(r->n);
++    BN_clear_free(r->e);
+     BN_clear_free(r->d);
+     BN_clear_free(r->p);
+     BN_clear_free(r->q);
+Index: openssl-3.2.3/providers/implementations/kdfs/hkdf.c
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/kdfs/hkdf.c
++++ openssl-3.2.3/providers/implementations/kdfs/hkdf.c
+@@ -117,7 +117,7 @@ static void kdf_hkdf_reset(void *vctx)
+     void *provctx = ctx->provctx;
+ 
+     ossl_prov_digest_reset(&ctx->digest);
+-    OPENSSL_free(ctx->salt);
++    OPENSSL_clear_free(ctx->salt, ctx->salt_len);
+     OPENSSL_free(ctx->prefix);
+     OPENSSL_free(ctx->label);
+     OPENSSL_clear_free(ctx->data, ctx->data_len);
+Index: openssl-3.2.3/providers/implementations/kdfs/pbkdf2.c
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/kdfs/pbkdf2.c
++++ openssl-3.2.3/providers/implementations/kdfs/pbkdf2.c
+@@ -90,7 +90,7 @@ static void *kdf_pbkdf2_new(void *provct
+ static void kdf_pbkdf2_cleanup(KDF_PBKDF2 *ctx)
+ {
+     ossl_prov_digest_reset(&ctx->digest);
+-    OPENSSL_free(ctx->salt);
++    OPENSSL_clear_free(ctx->salt, ctx->salt_len);
+     OPENSSL_clear_free(ctx->pass, ctx->pass_len);
+     memset(ctx, 0, sizeof(*ctx));
+ }

openssl-FIPS-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch

@@ -0,0 +1,16 @@
+Index: openssl-3.1.4/crypto/rsa/rsa_sp800_56b_check.c
+===================================================================
+--- openssl-3.1.4.orig/crypto/rsa/rsa_sp800_56b_check.c
++++ openssl-3.1.4/crypto/rsa/rsa_sp800_56b_check.c
+@@ -405,7 +405,10 @@ int ossl_rsa_sp800_56b_check_keypair(con
+         return 0;
+     }
+     /* (Step 3.b): check the modulus */
+-    if (nbits != BN_num_bits(rsa->n)) {
++    /* If nBits is not a positive even integer, output an indication of an
++     * invalid key pair, and exit without further processing.
++     */
++    if (nbits <= 0 || nbits % 2 || nbits != BN_num_bits(rsa->n)) {
+         ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR);
+         return 0;
+     }

openssl-FIPS-Add-explicit-indicator-for-key-length.patch

@@ -0,0 +1,108 @@
+From e1eba21921ceeffa45ffd2115868c14e4c7fb8d9 Mon Sep 17 00:00:00 2001
+From: Clemens Lang <cllang@redhat.com>
+Date: Thu, 17 Nov 2022 18:08:24 +0100
+Subject: [PATCH] hmac: Add explicit FIPS indicator for key length
+
+NIST SP 800-131Ar2, table 9 "Approval Status of MAC Algorithms"
+specifies key lengths < 112 bytes are disallowed for HMAC generation and
+are legacy use for HMAC verification.
+
+Add an explicit indicator that will mark shorter key lengths as
+unsupported. The indicator can be queries from the EVP_MAC_CTX object
+using EVP_MAC_CTX_get_params() with the
+  OSSL_MAC_PARAM_SUSE_FIPS_INDICATOR
+parameter.
+
+Signed-off-by: Clemens Lang <cllang@redhat.com>
+---
+ include/crypto/evp.h                       |  7 +++++++
+ include/openssl/evp.h                      |  3 +++
+ providers/implementations/macs/hmac_prov.c | 17 +++++++++++++++++
+ 4 files changed, 28 insertions(+)
+
+Index: openssl-3.2.3/include/crypto/evp.h
+===================================================================
+--- openssl-3.2.3.orig/include/crypto/evp.h
++++ openssl-3.2.3/include/crypto/evp.h
+@@ -206,6 +206,13 @@ const EVP_PKEY_METHOD *ossl_ed448_pkey_m
+ const EVP_PKEY_METHOD *ossl_rsa_pkey_method(void);
+ const EVP_PKEY_METHOD *ossl_rsa_pss_pkey_method(void);
+ 
++#ifdef FIPS_MODULE
++/* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms specifies key
++ * lengths < 112 bytes are disallowed for HMAC generation and legacy use for
++ * HMAC verification. */
++# define EVP_HMAC_GEN_FIPS_MIN_KEY_LEN (112 / 8)
++#endif
++
+ struct evp_mac_st {
+     OSSL_PROVIDER *prov;
+     int name_id;
+Index: openssl-3.2.3/include/openssl/evp.h
+===================================================================
+--- openssl-3.2.3.orig/include/openssl/evp.h
++++ openssl-3.2.3/include/openssl/evp.h
+@@ -1199,6 +1199,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX
+                             void *arg);
+ 
+ /* MAC stuff */
++# define EVP_MAC_SUSE_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_MAC_SUSE_FIPS_INDICATOR_APPROVED     1
++# define EVP_MAC_SUSE_FIPS_INDICATOR_NOT_APPROVED 2
+ 
+ EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm,
+                        const char *properties);
+Index: openssl-3.2.3/providers/implementations/macs/hmac_prov.c
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/macs/hmac_prov.c
++++ openssl-3.2.3/providers/implementations/macs/hmac_prov.c
+@@ -23,6 +23,8 @@
+ 
+ #include "internal/ssl3_cbc.h"
+ 
++#include "crypto/evp.h"
++
+ #include "prov/implementations.h"
+ #include "prov/provider_ctx.h"
+ #include "prov/provider_util.h"
+@@ -235,6 +237,9 @@ static int hmac_final(void *vmacctx, uns
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
+     OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL),
+     OSSL_PARAM_size_t(OSSL_MAC_PARAM_BLOCK_SIZE, NULL),
++#ifdef FIPS_MODULE
++    OSSL_PARAM_int(OSSL_MAC_PARAM_SUSE_FIPS_INDICATOR, NULL),
++#endif /* defined(FIPS_MODULE) */
+     OSSL_PARAM_END
+ };
+ static const OSSL_PARAM *hmac_gettable_ctx_params(ossl_unused void *ctx,
+@@ -256,6 +261,18 @@ static int hmac_get_ctx_params(void *vma
+             && !OSSL_PARAM_set_int(p, hmac_block_size(macctx)))
+         return 0;
+ 
++#ifdef FIPS_MODULE
++    if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_SUSE_FIPS_INDICATOR)) != NULL) {
++        int fips_indicator = EVP_MAC_SUSE_FIPS_INDICATOR_APPROVED;
++        /* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms
++         * specifies key lengths < 112 bytes are disallowed for HMAC generation
++         * and legacy use for HMAC verification. */
++        if (macctx->keylen < EVP_HMAC_GEN_FIPS_MIN_KEY_LEN)
++            fips_indicator = EVP_MAC_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++        return OSSL_PARAM_set_int(p, fips_indicator);
++    }
++#endif /* defined(FIPS_MODULE) */
++
+     return 1;
+ }
+ 
+Index: openssl-3.2.3/util/perl/OpenSSL/paramnames.pm
+===================================================================
+--- openssl-3.2.3.orig/util/perl/OpenSSL/paramnames.pm
++++ openssl-3.2.3/util/perl/OpenSSL/paramnames.pm
+@@ -143,6 +143,7 @@ my %params = (
+     'MAC_PARAM_SIZE' =>             "size",                     # size_t
+     'MAC_PARAM_BLOCK_SIZE' =>       "block-size",               # size_t
+     'MAC_PARAM_TLS_DATA_SIZE' =>    "tls-data-size",            # size_t
++    'MAC_PARAM_SUSE_FIPS_INDICATOR' => "suse-fips-indicator",   # size_t
+ 
+ # KDF / PRF parameters
+     'KDF_PARAM_SECRET' =>       "secret",                   # octet string

openssl-FIPS-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch

@@ -0,0 +1,184 @@
+From c63599ee9708d543205a9173207ee7167315c624 Mon Sep 17 00:00:00 2001
+From: Clemens Lang <cllang@redhat.com>
+Date: Tue, 1 Mar 2022 15:44:18 +0100
+Subject: [PATCH] Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
+
+---
+ crypto/x509/x509_vfy.c        | 19 ++++++++++-
+ doc/man5/config.pod           |  7 +++-
+ ssl/t1_lib.c                  | 64 ++++++++++++++++++++++++++++-------
+ test/recipes/25-test_verify.t |  7 ++--
+ 4 files changed, 79 insertions(+), 18 deletions(-)
+
+Index: openssl-3.5.0/crypto/x509/x509_vfy.c
+===================================================================
+--- openssl-3.5.0.orig/crypto/x509/x509_vfy.c
++++ openssl-3.5.0/crypto/x509/x509_vfy.c
+@@ -25,6 +25,7 @@
+ #include <openssl/objects.h>
+ #include <openssl/core_names.h>
+ #include "internal/dane.h"
++#include "internal/sslconf.h"
+ #include "crypto/x509.h"
+ #include "x509_local.h"
+ 
+@@ -3745,14 +3746,30 @@ static int check_sig_level(X509_STORE_CT
+ {
+     int secbits = -1;
+     int level = ctx->param->auth_level;
++    int nid;
++    OSSL_LIB_CTX *libctx = NULL;
+ 
+     if (level <= 0)
+         return 1;
+     if (level > NUM_AUTH_LEVELS)
+         level = NUM_AUTH_LEVELS;
+ 
+-    if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
++    if (ctx->libctx)
++        libctx = ctx->libctx;
++    else if (cert->libctx)
++        libctx = cert->libctx;
++    else
++        libctx = OSSL_LIB_CTX_get0_global_default();
++
++    if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL))
+         return 0;
+ 
++    if (nid == NID_sha1
++            && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
++            && ctx->param->auth_level < 3)
++        /* When rh-allow-sha1-signatures = yes and security level <= 2,
++         * explicitly allow SHA1 for backwards compatibility. */
++        return 1;
++
+     return secbits >= minbits_table[level - 1];
+ }
+Index: openssl-3.5.0/ssl/t1_lib.c
+===================================================================
+--- openssl-3.5.0.orig/ssl/t1_lib.c
++++ openssl-3.5.0/ssl/t1_lib.c
+@@ -21,6 +21,7 @@
+ #include <openssl/bn.h>
+ #include <openssl/provider.h>
+ #include <openssl/param_build.h>
++#include "crypto/x509.h"
+ #include "internal/sslconf.h"
+ #include "internal/nelem.h"
+ #include "internal/sizes.h"
+@@ -2807,19 +2808,27 @@ int tls12_check_peer_sigalg(SSL_CONNECTI
+         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST);
+         return 0;
+     }
+-    /*
+-     * Make sure security callback allows algorithm. For historical
+-     * reasons we have to pass the sigalg as a two byte char array.
+-     */
+-    sigalgstr[0] = (sig >> 8) & 0xff;
+-    sigalgstr[1] = sig & 0xff;
+-    secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu);
+-    if (secbits == 0 ||
+-        !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
+-                      md != NULL ? EVP_MD_get_type(md) : NID_undef,
+-                      (void *)sigalgstr)) {
+-        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
+-        return 0;
++
++    if (lu->hash == NID_sha1
++            && ossl_ctx_legacy_digest_signatures_allowed(s->session_ctx->libctx, 0)
++            && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3) {
++        /* when rh-allow-sha1-signatures = yes and security level <= 2,
++         * explicitly allow SHA1 for backwards compatibility */
++    } else {
++        /*
++         * Make sure security callback allows algorithm. For historical
++         * reasons we have to pass the sigalg as a two byte char array.
++         */
++        sigalgstr[0] = (sig >> 8) & 0xff;
++        sigalgstr[1] = sig & 0xff;
++        secbits = sigalg_security_bits(s->session_ctx, lu);
++        if (secbits == 0 ||
++            !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
++                          md != NULL ? EVP_MD_get_type(md) : NID_undef,
++                          (void *)sigalgstr)) {
++            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
++            return 0;
++        }
+     }
+     /* Store the sigalg the peer uses */
+     s->s3.tmp.peer_sigalg = lu;
+@@ -3391,6 +3400,14 @@ static int tls12_sigalg_allowed(const SS
+         }
+     }
+ 
++    if (lu->hash == NID_sha1
++            && ossl_ctx_legacy_digest_signatures_allowed(s->session_ctx->libctx, 0)
++            && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3) {
++        /* when rh-allow-sha1-signatures = yes and security level <= 2,
++         * explicitly allow SHA1 for backwards compatibility */
++        return 1;
++    }
++
+     /* Finally see if security callback allows it */
+     secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu);
+     sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
+@@ -4381,6 +4398,8 @@ static int ssl_security_cert_sig(SSL_CON
+ {
+     /* Lookup signature algorithm digest */
+     int secbits, nid, pknid;
++    OSSL_LIB_CTX *libctx = NULL;
++
+ 
+     /* Don't check signature if self signed */
+     if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
+@@ -4390,6 +4409,25 @@ static int ssl_security_cert_sig(SSL_CON
+     /* If digest NID not defined use signature NID */
+     if (nid == NID_undef)
+         nid = pknid;
++
++    if (x && x->libctx)
++        libctx = x->libctx;
++    else if (ctx && ctx->libctx)
++        libctx = ctx->libctx;
++    else if (s && s->session_ctx && s->session_ctx->libctx)
++        libctx = s->session_ctx->libctx;
++    else
++        libctx = OSSL_LIB_CTX_get0_global_default();
++
++    if (nid == NID_sha1
++            && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
++            && ((s != NULL && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3)
++                || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 3)
++            ))
++        /* When rh-allow-sha1-signatures = yes and security level <= 2,
++         * explicitly allow SHA1 for backwards compatibility. */
++        return 1;
++
+     if (s != NULL)
+         return ssl_security(s, op, secbits, nid, x);
+     else
+Index: openssl-3.5.0/test/recipes/25-test_verify.t
+===================================================================
+--- openssl-3.5.0.orig/test/recipes/25-test_verify.t
++++ openssl-3.5.0/test/recipes/25-test_verify.t
+@@ -29,7 +29,7 @@ sub verify {
+     run(app([@args]));
+ }
+ 
+-plan tests => 194;
++plan tests => 193;
+ 
+ # Canonical success
+ ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
+@@ -484,8 +484,9 @@ ok(verify("ee-pss-sha1-cert", "", ["root
+ ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ),
+     "CA with PSS signature using SHA256");
+ 
+-ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
+-    "Reject PSS signature using SHA1 and auth level 1");
++## rh-allow-sha1-signatures=yes allows this to pass despite -auth_level 1
++#ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
++#    "Reject PSS signature using SHA1 and auth level 1");
+ 
+ ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
+     "PSS signature using SHA256 and auth level 2");

openssl-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch

@@ -0,0 +1,992 @@
+Index: openssl-3.5.0/providers/implementations/signature/dsa_sig.c
+===================================================================
+--- openssl-3.5.0.orig/providers/implementations/signature/dsa_sig.c
++++ openssl-3.5.0/providers/implementations/signature/dsa_sig.c
+@@ -187,9 +187,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ct
+         }
+ #ifdef FIPS_MODULE
+         {
+-            int sha1_allowed
+-                = ((ctx->operation
+-                    & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0);
++            int sha1_allowed = 0;
+ 
+             if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
+                                                  OSSL_FIPS_IND_SETTABLE1,
+Index: openssl-3.5.0/providers/implementations/signature/ecdsa_sig.c
+===================================================================
+--- openssl-3.5.0.orig/providers/implementations/signature/ecdsa_sig.c
++++ openssl-3.5.0/providers/implementations/signature/ecdsa_sig.c
+@@ -215,9 +215,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX
+ 
+ #ifdef FIPS_MODULE
+     {
+-        int sha1_allowed
+-            = ((ctx->operation
+-                & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0);
++        int sha1_allowed = 0;
+ 
+         if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
+                                              OSSL_FIPS_IND_SETTABLE1,
+Index: openssl-3.5.0/providers/implementations/signature/rsa_sig.c
+===================================================================
+--- openssl-3.5.0.orig/providers/implementations/signature/rsa_sig.c
++++ openssl-3.5.0/providers/implementations/signature/rsa_sig.c
+@@ -407,9 +407,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ct
+         }
+ #ifdef FIPS_MODULE
+         {
+-            int sha1_allowed
+-                = ((ctx->operation
+-                    & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0);
++            int sha1_allowed = 0;
+ 
+             if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
+                                                  OSSL_FIPS_IND_SETTABLE1,
+@@ -1770,11 +1768,15 @@ static int rsa_set_ctx_params(void *vprs
+ 
+     if (prsactx->md == NULL && pmdname == NULL
+         && pad_mode == RSA_PKCS1_PSS_PADDING) {
++#ifdef FIPS_MODULE
++        pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
++#else
+         if (ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
+             pmdname = RSA_DEFAULT_DIGEST_NAME;
+         } else {
+             pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
+         }
++#endif
+     }
+ 
+     if (pmgf1mdname != NULL
+Index: openssl-3.5.0/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+===================================================================
+--- openssl-3.5.0.orig/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
++++ openssl-3.5.0/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+@@ -37,12 +37,14 @@ PrivPubKeyPair = P-256:P-256-PUBLIC
+ 
+ Title = ECDSA tests
+ 
++Availablein = default
+ Verify = P-256-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
+ 
+ # Digest too long
++Availablein = default
+ Verify = P-256-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF12345"
+@@ -50,6 +52,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a
+ Result = VERIFY_ERROR
+ 
+ # Digest too short
++Availablein = default
+ Verify = P-256-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF123"
+@@ -57,6 +60,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a
+ Result = VERIFY_ERROR
+ 
+ # Digest invalid
++Availablein = default
+ Verify = P-256-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1235"
+@@ -64,6 +68,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a
+ Result = VERIFY_ERROR
+ 
+ # Invalid signature
++Availablein = default
+ Verify = P-256-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+@@ -79,12 +84,14 @@ Output = 3045022100b1d1cb1a577035bccdd5a
+ Result = VERIFY_ERROR
+ 
+ # BER signature
++Availablein = default
+ Verify = P-256-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+ Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000
+ Result = VERIFY_ERROR
+ 
++Availablein = default
+ Verify = P-256-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+@@ -237,7 +244,7 @@ Unapproved = 1
+ CtrlInit = digest-check:0
+ Key = P-256
+ Input = "Hello World"
+-Result = SIGNATURE_MISMATCH
++Result = DIGESTSIGNINIT_ERROR
+ 
+ # Test that SHA1 is not allowed in fips mode for signing
+ FIPSversion = >=3.4.0
+@@ -247,7 +254,7 @@ Unapproved = 1
+ CtrlInit = digest-check:0
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+-Result = KEYOP_MISMATCH
++Result = PKEY_CTRL_ERROR
+ 
+ Title = XOF disallowed
+ 
+Index: openssl-3.5.0/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt
+===================================================================
+--- openssl-3.5.0.orig/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt
++++ openssl-3.5.0/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt
+@@ -37,34 +37,34 @@ PrivPubKeyPair = P-256:P-256-PUBLIC
+ 
+ Title = ECDSA tests
+ 
+-FIPSversion = >=3.4.0
++Availablein = default
+ Verify = ECDSA-SHA1:P-256-PUBLIC
+ Input = "0123456789ABCDEF1234"
+ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
+ 
+ # Digest too long
+-FIPSversion = >=3.4.0
++Availablein = default
+ Verify = ECDSA-SHA1:P-256-PUBLIC
+ Input = "0123456789ABCDEF12345"
+ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
+ Result = VERIFY_ERROR
+ 
+ # Digest too short
+-FIPSversion = >=3.4.0
++Availablein = default
+ Verify = ECDSA-SHA1:P-256-PUBLIC
+ Input = "0123456789ABCDEF123"
+ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
+ Result = VERIFY_ERROR
+ 
+ # Digest invalid
+-FIPSversion = >=3.4.0
++Availablein = default
+ Verify = ECDSA-SHA1:P-256-PUBLIC
+ Input = "0123456789ABCDEF1235"
+ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
+ Result = VERIFY_ERROR
+ 
+ # Invalid signature
+-FIPSversion = >=3.4.0
++Availablein = default
+ Verify = ECDSA-SHA1:P-256-PUBLIC
+ Input = "0123456789ABCDEF1234"
+ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec7
+@@ -78,16 +78,64 @@ Output = 3045022100b1d1cb1a577035bccdd5a
+ Result = VERIFY_ERROR
+ 
+ # BER signature
+-FIPSversion = >=3.4.0
++Availablein = default
+ Verify = ECDSA-SHA1:P-256-PUBLIC
+ Input = "0123456789ABCDEF1234"
+ Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000
+ Result = VERIFY_ERROR
+ 
++Availablein = fips
++Verify = ECDSA-SHA1:P-256-PUBLIC
++Input = "0123456789ABCDEF1234"
++Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
++Result = KEYOP_INIT_ERROR
++
++# Digest too long
++Availablein = fips
++FIPSversion = >=3.4.0
++Verify = ECDSA-SHA1:P-256-PUBLIC
++Input = "0123456789ABCDEF12345"
++Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
++Result = KEYOP_INIT_ERROR
++
++# Digest too short
++Availablein = fips
++FIPSversion = >=3.4.0
++Verify = ECDSA-SHA1:P-256-PUBLIC
++Input = "0123456789ABCDEF123"
++Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
++Result = KEYOP_INIT_ERROR
++
++# Digest invalid
++Availablein = fips
++FIPSversion = >=3.4.0
++Verify = ECDSA-SHA1:P-256-PUBLIC
++Input = "0123456789ABCDEF1235"
++Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
++Result = KEYOP_INIT_ERROR
++
++# Invalid signature
++Availablein = fips
++FIPSversion = >=3.4.0
++Verify = ECDSA-SHA1:P-256-PUBLIC
++Input = "0123456789ABCDEF1234"
++Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec7
++Result = KEYOP_INIT_ERROR
++
++# BER signature
++Availablein = fips
++FIPSversion = >=3.4.0
++Verify = ECDSA-SHA1:P-256-PUBLIC
++Input = "0123456789ABCDEF1234"
++Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000
++Result = KEYOP_INIT_ERROR
++
++Availablein = fips
+ FIPSversion = >=3.4.0
+ Verify = ECDSA-SHA1:P-256-PUBLIC
+ Input = "0123456789ABCDEF1234"
+ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
++Result = KEYOP_INIT_ERROR
+ 
+ Title = Sign-Message and Verify-Message
+ 
+@@ -236,7 +284,7 @@ Securitycheck = 1
+ Unapproved = 1
+ CtrlInit = digest-check:0
+ Input = "Hello World"
+-Result = KEYOP_MISMATCH
++Result = KEYOP_INIT_ERROR
+ 
+ # Test that SHA1 is not allowed in fips mode for signing
+ Availablein = fips
+@@ -246,4 +294,4 @@ Securitycheck = 1
+ Unapproved = 1
+ CtrlInit = digest-check:0
+ Input = "0123456789ABCDEF1234"
+-Result = KEYOP_MISMATCH
++Result = KEYOP_INIT_ERROR
+Index: openssl-3.5.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+===================================================================
+--- openssl-3.5.0.orig/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
++++ openssl-3.5.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+@@ -96,6 +96,7 @@ NDL6WCBbets=
+ 
+ Title = RSA tests
+ 
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+@@ -112,24 +113,28 @@ Ctrl = digest:SHA512-224
+ Input = "0123456789ABCDEF123456789ABC"
+ Output = 5f720e9488139bb21e1c2f027fd5ce5993e6d31c5a8faaee833487b3a944d66891178868ace8070cad3ee2ffbe54aa4885a15fd1a7cc5166970fe1fd8c0423e72bd3e3b56fc4a53ed80aaaeca42497f0ec3c62113edc05cd006608f5eef7ce3ad4cba1069f68731dd28a524a1f93fcdc5547112d48d45586dd943ba0d443be9635720d8a61697c54c96627f0d85c5fbeaa3b4af86a65cf2fc3800dd5de34c046985f25d0efc0bb6edccc1d08b3a4fb9c8faffe181c7e68b31e374ad1440a4a664eec9ca0dc53a9d2f5bc7d9940d866f64201bcbc63612754df45727ea24b531d7de83d1bb707444859fa35521320c33bf6f4dbeb6fb56e653adbf7af15843f17
+ 
++Availablein = default
+ VerifyRecover = RSA-2048
+ Ctrl = digest:SHA1
+ Input = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
+ Output = "0123456789ABCDEF1234"
+ 
+ # Leading zero in the signature
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+ Output = 00c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
+ Result = VERIFY_ERROR
+ 
++Availablein = default
+ VerifyRecover = RSA-2048
+ Ctrl = digest:SHA1
+ Input = 00c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
+ Result = KEYOP_ERROR
+ 
+ # Mismatched digest
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1233"
+@@ -137,6 +142,7 @@ Output = c09d402423cbf233d26cae21f954547
+ Result = VERIFY_ERROR
+ 
+ # Corrupted signature
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1233"
+@@ -144,6 +150,7 @@ Output = c09d402423cbf233d26cae21f954547
+ Result = VERIFY_ERROR
+ 
+ # parameter is not NULLt
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:sha1
+ Input = "0123456789ABCDEF1234"
+@@ -151,42 +158,49 @@ Output = 3ec3fc29eb6e122bd7aa361cd09fe1b
+ Result = VERIFY_ERROR
+ 
+ # embedded digest too long
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:sha1
+ Input = "0123456789ABCDEF1234"
+ Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
+ Result = VERIFY_ERROR
+ 
++Availablein = default
+ VerifyRecover = RSA-2048
+ Ctrl = digest:sha1
+ Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
+ Result = KEYOP_ERROR
+ 
+ # embedded digest too short
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:sha1
+ Input = "0123456789ABCDEF1234"
+ Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
+ Result = VERIFY_ERROR
+ 
++Availablein = default
+ VerifyRecover = RSA-2048
+ Ctrl = digest:sha1
+ Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
+ Result = KEYOP_ERROR
+ 
+ # Garbage after DigestInfo
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:sha1
+ Input = "0123456789ABCDEF1234"
+ Output = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274
+ Result = VERIFY_ERROR
+ 
++Availablein = default
+ VerifyRecover = RSA-2048
+ Ctrl = digest:sha1
+ Input = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274
+ Result = KEYOP_ERROR
+ 
+ # invalid tag for parameter
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:sha1
+ Input = "0123456789ABCDEF1234"
+@@ -195,6 +209,7 @@ Result = VERIFY_ERROR
+ 
+ # Verify using public key
+ 
++Availablein = default
+ Verify = RSA-2048-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+@@ -939,7 +954,8 @@ Input="0123456789ABCDEF0123456789ABCDEF"
+ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DDD0635A96B28F854E50145518482CB49E963054621B53C60C498D07C16E9C2789C893CF38D4D86900DE71BDE463BD2761D1271E358C7480A1AC0BAB930DDF39602AD1BC165B5D7436B516B7A7858E8EB7AB1C420EEB482F4D207F0E462B1724959320A084E13848D11D10FB593E66BF680BF6D3F345FC3E9C3DE60ABBAC37E1C6EC80A268C8D9FC49626C679097AA690BC1AA662B95EB8DB70390861AA0898229F9349B4B5FDD030D4928C47084708A933144BE23BD3C6E661B85B2C0EF9ED36D498D5B7320E8194D363D4AD478C059BAE804181965E0B81B663158A
+ 
+ # Verify using salt length auto detect
+-FIPSversion = <3.4.0
++# In the FIPS provider on SUSE/openSUSE, the default digest for PSS signatures is SHA-256
++Availablein = default
+ Verify = RSA-2048-PUBLIC
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_pss_saltlen:auto
+@@ -974,6 +990,10 @@ Output=4DE433D5844043EF08D354DA03CB29068
+ Result = VERIFY_ERROR
+ 
+ # Verify using default parameters, explicitly setting parameters
++# NOTE: RSA-PSS-DEFAULT contains a restriction to use SHA1 as digest, which
++# SUSE/openSUSE do not support in FIPS mode; all these tests are thus marked
++# Availablein = default.
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_pss_saltlen:20
+@@ -982,6 +1002,7 @@ Input="0123456789ABCDEF0123"
+ Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
+ 
+ # Verify explicitly setting parameters "digest" salt length
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_pss_saltlen:digest
+@@ -990,20 +1011,21 @@ Input="0123456789ABCDEF0123"
+ Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
+ 
+ # Verify using salt length larger than minimum
+-FIPSversion = <3.4.0
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Ctrl = rsa_pss_saltlen:30
+ Input="0123456789ABCDEF0123"
+ Output = 6BF7EDC63A0BA184EEEC7F3020FEC8F5EBF38C2B76481881F48BCCE5796E7AB294548BA9AE810457C7723CABD1BDE94CF59CF7C0FC7461B22760C8ED703DD98E97BFDD61FA8D1181C411F6DEE5FF159F4850746D78EDEE385A363DC28E2CB373D5CAD7953F3BD5E639BE345732C03A1BDEA268814DA036EB1891C82D4012F3B903D86636055F87B96FC98806AD1B217685A4D754046A5DE0B0D7870664BE07902153EC85BA457BE7D7F89D7FE0F626D02A9CBBB2BB479DDA1A5CAE75247FB7BF6BFB15C1D3FD9E6B1573CCDBC72011C3B97716058BB11C7EA2E4E56ADAFE1F5DE6A7FD405AC5890100F9C3408EFFB5C73BF73F48177FF743B4B819D0699D507B
+ 
+ # Verify using maximum salt length
+-FIPSversion = <3.4.0
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Ctrl = rsa_pss_saltlen:max
+ Input="0123456789ABCDEF0123"
+ Output = 4470DCFE812DEE2E58E4301D4ED274AB348FE040B724B2CD1D8CD0914BFF375F0B86FCB32BFA8AEA9BD22BD7C4F1ADD4F3D215A5CFCC99055BAFECFC23800E9BECE19A08C66BEBC5802122D13A732E5958FC228DCC0B49B5B4B1154F032D8FA2F3564AA949C1310CC9266B0C47F86D449AC9D2E7678347E7266E2D7C888CCE1ADF44A109A293F8516AE2BD94CE220F26E137DB8E7A66BB9FCE052CDC1D0BE24D8CEBB20D10125F26B069F117044B9E1D16FDDAABCA5340AE1702F37D0E1C08A2E93801C0A41035C6C73DA02A0E32227EAFB0B85E79107B59650D0EE7DC32A6772CCCE90F06369B2880FE87ED76997BA61F5EA818091EE88F8B0D6F24D02A3FC6
+ 
+ # Attempt to change salt length below minimum
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Ctrl = rsa_pss_saltlen:0
+ Result = PKEY_CTRL_ERROR
+@@ -1011,21 +1033,25 @@ Result = PKEY_CTRL_ERROR
+ # Attempt to change padding mode
+ # Note this used to return PKEY_CTRL_INVALID
+ # but it is limited because setparams only returns 0 or 1.
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Ctrl = rsa_padding_mode:pkcs1
+ Result = PKEY_CTRL_ERROR
+ 
+ # Attempt to change digest
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Ctrl = digest:sha256
+ Result = PKEY_CTRL_ERROR
+ 
+ # Invalid key: rejected when we try to init
++Availablein = default
+ Verify = RSA-PSS-BAD
+ Result = KEYOP_INIT_ERROR
+ Reason = invalid salt length
+ 
+ # Invalid key: rejected when we try to init
++Availablein = default
+ Verify = RSA-PSS-BAD2
+ Result = KEYOP_INIT_ERROR
+ Reason = invalid salt length
+@@ -1081,36 +1107,42 @@ CAltWyuLbfXWce9jd8CSHLI8Jwpw4lmOb/idGfEF
+ 4fINDOjP+yJJvZohNwIDAQAB
+ -----END PUBLIC KEY-----
+ 
++Availablein = default
+ Verify=RSA-PSS-1
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=cd8b6538cb8e8de566b68bd067569dbf1ee2718e
+ Output=9074308fb598e9701b2294388e52f971faac2b60a5145af185df5287b5ed2887e57ce7fd44dc8634e407c8e0e4360bc226f3ec227f9d9e54638e8d31f5051215df6ebb9c2f9579aa77598a38f914b5b9c1bd83c4e2f9f382a0d0aa3542ffee65984a601bc69eb28deb27dca12c82c2d4c3f66cd500f1ff2b994d8a4e30cbb33c
+ 
++Availablein = default
+ Verify=RSA-PSS-1
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=e35befc17a1d160b9ce35fbd8eb16e7ee491d3fd
+ Output=3ef7f46e831bf92b32274142a585ffcefbdca7b32ae90d10fb0f0c729984f04ef29a9df0780775ce43739b97838390db0a5505e63de927028d9d29b219ca2c4517832558a55d694a6d25b9dab66003c4cccd907802193be5170d26147d37b93590241be51c25055f47ef62752cfbe21418fafe98c22c4d4d47724fdb5669e843
+ 
++Availablein = default
+ Verify=RSA-PSS-1
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0652ec67bcee30f9d2699122b91c19abdba89f91
+ Output=666026fba71bd3e7cf13157cc2c51a8e4aa684af9778f91849f34335d141c00154c4197621f9624a675b5abc22ee7d5baaffaae1c9baca2cc373b3f33e78e6143c395a91aa7faca664eb733afd14d8827259d99a7550faca501ef2b04e33c23aa51f4b9e8282efdb728cc0ab09405a91607c6369961bc8270d2d4f39fce612b1
+ 
++Availablein = default
+ Verify=RSA-PSS-1
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=39c21c4cceda9c1adf839c744e1212a6437575ec
+ Output=4609793b23e9d09362dc21bb47da0b4f3a7622649a47d464019b9aeafe53359c178c91cd58ba6bcb78be0346a7bc637f4b873d4bab38ee661f199634c547a1ad8442e03da015b136e543f7ab07c0c13e4225b8de8cce25d4f6eb8400f81f7e1833b7ee6e334d370964ca79fdb872b4d75223b5eeb08101591fb532d155a6de87
+ 
++Availablein = default
+ Verify=RSA-PSS-1
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=36dae913b77bd17cae6e7b09453d24544cebb33c
+ Output=1d2aad221ca4d31ddf13509239019398e3d14b32dc34dc5af4aeaea3c095af73479cf0a45e5629635a53a018377615b16cb9b13b3e09d671eb71e387b8545c5960da5a64776e768e82b2c93583bf104c3fdb23512b7b4e89f633dd0063a530db4524b01c3f384c09310e315a79dcd3d684022a7f31c865a664e316978b759fad
+ 
++Availablein = default
+ Verify=RSA-PSS-1
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+@@ -1126,36 +1158,42 @@ swU7R97S7NSkyu/WFIM9yLtiLzF+0Ha4BX/o3j+E
+ 0w5GMTmBXG/U/VrFuBcqRSMOy2MYoE8UVdhOWosCAwEAAQ==
+ -----END PUBLIC KEY-----
+ 
++Availablein = default
+ Verify=RSA-PSS-9
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=2715a49b8b0012cd7aee84c116446e6dfe3faec0
+ Output=586107226c3ce013a7c8f04d1a6a2959bb4b8e205ba43a27b50f124111bc35ef589b039f5932187cb696d7d9a32c0c38300a5cdda4834b62d2eb240af33f79d13dfbf095bf599e0d9686948c1964747b67e89c9aba5cd85016236f566cc5802cb13ead51bc7ca6bef3b94dcbdbb1d570469771df0e00b1a8a06777472d2316279edae86474668d4e1efff95f1de61c6020da32ae92bbf16520fef3cf4d88f61121f24bbd9fe91b59caf1235b2a93ff81fc403addf4ebdea84934a9cdaf8e1a9e
+ 
++Availablein = default
+ Verify=RSA-PSS-9
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=2dac956d53964748ac364d06595827c6b4f143cd
+ Output=80b6d643255209f0a456763897ac9ed259d459b49c2887e5882ecb4434cfd66dd7e1699375381e51cd7f554f2c271704b399d42b4be2540a0eca61951f55267f7c2878c122842dadb28b01bd5f8c025f7e228418a673c03d6bc0c736d0a29546bd67f786d9d692ccea778d71d98c2063b7a71092187a4d35af108111d83e83eae46c46aa34277e06044589903788f1d5e7cee25fb485e92949118814d6f2c3ee361489016f327fb5bc517eb50470bffa1afa5f4ce9aa0ce5b8ee19bf5501b958
+ 
++Availablein = default
+ Verify=RSA-PSS-9
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=28d98c46cccafbd3bc04e72f967a54bd3ea12298
+ Output=484408f3898cd5f53483f80819efbf2708c34d27a8b2a6fae8b322f9240237f981817aca1846f1084daa6d7c0795f6e5bf1af59c38e1858437ce1f7ec419b98c8736adf6dd9a00b1806d2bd3ad0a73775e05f52dfef3a59ab4b08143f0df05cd1ad9d04bececa6daa4a2129803e200cbc77787caf4c1d0663a6c5987b605952019782caf2ec1426d68fb94ed1d4be816a7ed081b77e6ab330b3ffc073820fecde3727fcbe295ee61a050a343658637c3fd659cfb63736de32d9f90d3c2f63eca
+ 
++Availablein = default
+ Verify=RSA-PSS-9
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0866d2ff5a79f25ef668cd6f31b42dee421e4c0e
+ Output=84ebeb481be59845b46468bafb471c0112e02b235d84b5d911cbd1926ee5074ae0424495cb20e82308b8ebb65f419a03fb40e72b78981d88aad143053685172c97b29c8b7bf0ae73b5b2263c403da0ed2f80ff7450af7828eb8b86f0028bd2a8b176a4d228cccea18394f238b09ff758cc00bc04301152355742f282b54e663a919e709d8da24ade5500a7b9aa50226e0ca52923e6c2d860ec50ff480fa57477e82b0565f4379f79c772d5c2da80af9fbf325ece6fc20b00961614bee89a183e
+ 
++Availablein = default
+ Verify=RSA-PSS-9
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=6a5b4be4cd36cc97dfde9995efbf8f097a4a991a
+ Output=82102df8cb91e7179919a04d26d335d64fbc2f872c44833943241de8454810274cdf3db5f42d423db152af7135f701420e39b494a67cbfd19f9119da233a23da5c6439b5ba0d2bc373eee3507001378d4a4073856b7fe2aba0b5ee93b27f4afec7d4d120921c83f606765b02c19e4d6a1a3b95fa4c422951be4f52131077ef17179729cddfbdb56950dbaceefe78cb16640a099ea56d24389eef10f8fecb31ba3ea3b227c0a86698bb89e3e9363905bf22777b2a3aa521b65b4cef76d83bde4c
+ 
++Availablein = default
+ Verify=RSA-PSS-9
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+@@ -1173,36 +1211,42 @@ F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5
+ BQIDAQAB
+ -----END PUBLIC KEY-----
+ 
++Availablein = default
+ Verify=RSA-PSS-10
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=9596bb630cf6a8d4ea4600422b9eba8b13675dd4
+ Output=82c2b160093b8aa3c0f7522b19f87354066c77847abf2a9fce542d0e84e920c5afb49ffdfdace16560ee94a1369601148ebad7a0e151cf16331791a5727d05f21e74e7eb811440206935d744765a15e79f015cb66c532c87a6a05961c8bfad741a9a6657022894393e7223739796c02a77455d0f555b0ec01ddf259b6207fd0fd57614cef1a5573baaff4ec00069951659b85f24300a25160ca8522dc6e6727e57d019d7e63629b8fe5e89e25cc15beb3a647577559299280b9b28f79b0409000be25bbd96408ba3b43cc486184dd1c8e62553fa1af4040f60663de7f5e49c04388e257f1ce89c95dab48a315d9b66b1b7628233876ff2385230d070d07e1666
+ 
++Availablein = default
+ Verify=RSA-PSS-10
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=b503319399277fd6c1c8f1033cbf04199ea21716
+ Output=14ae35d9dd06ba92f7f3b897978aed7cd4bf5ff0b585a40bd46ce1b42cd2703053bb9044d64e813d8f96db2dd7007d10118f6f8f8496097ad75e1ff692341b2892ad55a633a1c55e7f0a0ad59a0e203a5b8278aec54dd8622e2831d87174f8caff43ee6c46445345d84a59659bfb92ecd4c818668695f34706f66828a89959637f2bf3e3251c24bdba4d4b7649da0022218b119c84e79a6527ec5b8a5f861c159952e23ec05e1e717346faefe8b1686825bd2b262fb2531066c0de09acde2e4231690728b5d85e115a2f6b92b79c25abc9bd9399ff8bcf825a52ea1f56ea76dd26f43baafa18bfa92a504cbd35699e26d1dcc5a2887385f3c63232f06f3244c3
+ 
++Availablein = default
+ Verify=RSA-PSS-10
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=50aaede8536b2c307208b275a67ae2df196c7628
+ Output=6e3e4d7b6b15d2fb46013b8900aa5bbb3939cf2c095717987042026ee62c74c54cffd5d7d57efbbf950a0f5c574fa09d3fc1c9f513b05b4ff50dd8df7edfa20102854c35e592180119a70ce5b085182aa02d9ea2aa90d1df03f2daae885ba2f5d05afdac97476f06b93b5bc94a1a80aa9116c4d615f333b098892b25fface266f5db5a5a3bcc10a824ed55aad35b727834fb8c07da28fcf416a5d9b2224f1f8b442b36f91e456fdea2d7cfe3367268de0307a4c74e924159ed33393d5e0655531c77327b89821bdedf880161c78cd4196b5419f7acc3f13e5ebf161b6e7c6724716ca33b85c2e25640192ac2859651d50bde7eb976e51cec828b98b6563b86bb
+ 
++Availablein = default
+ Verify=RSA-PSS-10
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=aa0b72b8b371ddd10c8ae474425ccccf8842a294
+ Output=34047ff96c4dc0dc90b2d4ff59a1a361a4754b255d2ee0af7d8bf87c9bc9e7ddeede33934c63ca1c0e3d262cb145ef932a1f2c0a997aa6a34f8eaee7477d82ccf09095a6b8acad38d4eec9fb7eab7ad02da1d11d8e54c1825e55bf58c2a23234b902be124f9e9038a8f68fa45dab72f66e0945bf1d8bacc9044c6f07098c9fcec58a3aab100c805178155f030a124c450e5acbda47d0e4f10b80a23f803e774d023b0015c20b9f9bbe7c91296338d5ecb471cafb032007b67a60be5f69504a9f01abb3cb467b260e2bce860be8d95bf92c0c8e1496ed1e528593a4abb6df462dde8a0968dffe4683116857a232f5ebf6c85be238745ad0f38f767a5fdbf486fb
+ 
++Availablein = default
+ Verify=RSA-PSS-10
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=fad3902c9750622a2bc672622c48270cc57d3ea8
+ Output=7e0935ea18f4d6c1d17ce82eb2b3836c55b384589ce19dfe743363ac9948d1f346b7bfddfe92efd78adb21faefc89ade42b10f374003fe122e67429a1cb8cbd1f8d9014564c44d120116f4990f1a6e38774c194bd1b8213286b077b0499d2e7b3f434ab12289c556684deed78131934bb3dd6537236f7c6f3dcb09d476be07721e37e1ceed9b2f7b406887bd53157305e1c8b4f84d733bc1e186fe06cc59b6edb8f4bd7ffefdf4f7ba9cfb9d570689b5a1a4109a746a690893db3799255a0cb9215d2d1cd490590e952e8c8786aa0011265252470c041dfbc3eec7c3cbf71c24869d115c0cb4a956f56d530b80ab589acfefc690751ddf36e8d383f83cedd2cc
+ 
++Availablein = default
+ Verify=RSA-PSS-10
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+@@ -1999,11 +2043,13 @@ Securitycheck = 1
+ Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78
+ Result = KEYOP_INIT_ERROR
+ 
+-# Verifying with SHA1 is permitted in fips mode for older applications
++# Verifying with SHA1 is not permitted on SUSE/openSUSE in FIPS mode
++Availablein = fips
+ DigestVerify = SHA1
+ Key = RSA-2048
+ Input = "Hello "
+ Output = 87ea0e2226ef35e5a2aec9ca1222fcbe39ba723f05b3203564f671dd3601271806ead3240e61d424359ee3b17bd3e32f54b82df83998a8ac4148410710361de0400f9ddf98278618fbc87747a0531972543e6e5f18ab2fdfbfda02952f6ac69690e43864690af271bf43d4be9705b303d4ff994ab3abd4d5851562b73e59be3edc01cec41a4cc13b68206329bad1a46c6608d3609e951faa321d0fdbc765d54e9a7c59248d2f67913c9903e932b769c9c8a45520cabea06e8c0b231dd3bcc7f7ec55b46b0157ccb5fc5011fa57353cd3df32edcbadcb8d168133cbd0acfb64444cb040e1298f621508a38f79e14ae8c2c5c857f90aa9d24ef5fc07d34bf23859
++Result = DIGESTVERIFYINIT_ERROR
+ 
+ # Verifying with a 1024 bit key is permitted in fips mode for older applications
+ DigestVerify = SHA256
+@@ -2019,7 +2065,7 @@ Securitycheck = 1
+ Key = RSA-2048
+ Input = "Hello"
+ Result = DIGESTSIGNINIT_ERROR
+-Reason = invalid digest
++Reason = digest not allowed
+ 
+ # Signing with a 1024 bit key is not allowed in fips mode
+ Availablein = fips
+@@ -2085,7 +2131,7 @@ Unapproved = 1
+ CtrlInit = digest-check:0
+ Key = RSA-2048
+ Input = "Hello"
+-Result = SIGNATURE_MISMATCH
++Result = DIGESTSIGNINIT_ERROR
+ 
+ Availablein = fips
+ FIPSversion = >=3.4.0
+Index: openssl-3.5.0/test/recipes/30-test_evp_data/evppkey_rsa.txt
+===================================================================
+--- openssl-3.5.0.orig/test/recipes/30-test_evp_data/evppkey_rsa.txt
++++ openssl-3.5.0/test/recipes/30-test_evp_data/evppkey_rsa.txt
+@@ -268,8 +268,8 @@ TwIDAQAB
+ 
+ PrivPubKeyPair = RSA-PSS:RSA-PSS-DEFAULT
+ 
+-
+ # Wrong MGF1 digest
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_pss_saltlen:0
+@@ -280,6 +280,7 @@ Output=4DE433D5844043EF08D354DA03CB29068
+ Result = VERIFY_ERROR
+ 
+ # Verify using default parameters
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Input="0123456789ABCDEF0123"
+ Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
+@@ -303,36 +304,42 @@ fc6CnohE9iWxFeXpxKWc+PgRO2g0M2ov0mibRyy7
+ PRdqAX7cYf0ybEszyQIDAQAB
+ -----END PUBLIC KEY-----
+ 
++Availablein = default
+ Verify=RSA-PSS-2
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=5c81a3e2a658246628cd0ee8b00bb4c012bc9739
+ Output=014c5ba5338328ccc6e7a90bf1c0ab3fd606ff4796d3c12e4b639ed9136a5fec6c16d8884bdd99cfdc521456b0742b736868cf90de099adb8d5ffd1deff39ba4007ab746cefdb22d7df0e225f54627dc65466131721b90af445363a8358b9f607642f78fab0ab0f43b7168d64bae70d8827848d8ef1e421c5754ddf42c2589b5b3
+ 
++Availablein = default
+ Verify=RSA-PSS-2
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=27f71611446aa6eabf037f7dedeede3203244991
+ Output=010991656cca182b7f29d2dbc007e7ae0fec158eb6759cb9c45c5ff87c7635dd46d150882f4de1e9ae65e7f7d9018f6836954a47c0a81a8a6b6f83f2944d6081b1aa7c759b254b2c34b691da67cc0226e20b2f18b42212761dcd4b908a62b371b5918c5742af4b537e296917674fb914194761621cc19a41f6fb953fbcbb649dea
+ 
++Availablein = default
+ Verify=RSA-PSS-2
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=03ecc2c33e93f05fc7224fcc0d461356cb897217
+ Output=007f0030018f53cdc71f23d03659fde54d4241f758a750b42f185f87578520c30742afd84359b6e6e8d3ed959dc6fe486bedc8e2cf001f63a7abe16256a1b84df0d249fc05d3194ce5f0912742dbbf80dd174f6c51f6bad7f16cf3364eba095a06267dc3793803ac7526aebe0a475d38b8c2247ab51c4898df7047dc6adf52c6c4
+ 
++Availablein = default
+ Verify=RSA-PSS-2
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=246c727b4b9494849dddb068d582e179ac20999c
+ Output=009cd2f4edbe23e12346ae8c76dd9ad3230a62076141f16c152ba18513a48ef6f010e0e37fd3df10a1ec629a0cb5a3b5d2893007298c30936a95903b6ba85555d9ec3673a06108fd62a2fda56d1ce2e85c4db6b24a81ca3b496c36d4fd06eb7c9166d8e94877c42bea622b3bfe9251fdc21d8d5371badad78a488214796335b40b
+ 
++Availablein = default
+ Verify=RSA-PSS-2
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=e8617ca3ea66ce6a58ede2d11af8c3ba8a6ba912
+ Output=00ec430824931ebd3baa43034dae98ba646b8c36013d1671c3cf1cf8260c374b19f8e1cc8d965012405e7e9bf7378612dfcc85fce12cda11f950bd0ba8876740436c1d2595a64a1b32efcfb74a21c873b3cc33aaf4e3dc3953de67f0674c0453b4fd9f604406d441b816098cb106fe3472bc251f815f59db2e4378a3addc181ecf
+ 
++Availablein = default
+ Verify=RSA-PSS-2
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+@@ -348,36 +355,42 @@ nQ6tsIdYbKSJM9o8yVPZW9DtUN4Q3ctnNhB9bIMc
+ 6OWncxclZbkUpHGkQwIDAQAB
+ -----END PUBLIC KEY-----
+ 
++Availablein = default
+ Verify=RSA-PSS-3
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=3552be69dd74bdc56d2cf8c38ef7bafe269040fe
+ Output=0088b135fb1794b6b96c4a3e678197f8cac52b64b2fe907d6f27de761124964a99a01a882740ecfaed6c01a47464bb05182313c01338a8cd097214cd68ca103bd57d3bc9e816213e61d784f182467abf8a01cf253e99a156eaa8e3e1f90e3c6e4e3aa2d83ed0345b89fafc9c26077c14b6ac51454fa26e446e3a2f153b2b16797f
+ 
++Availablein = default
+ Verify=RSA-PSS-3
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=609143ff7240e55c062aba8b9e4426a781919bc9
+ Output=02a5f0a858a0864a4f65017a7d69454f3f973a2999839b7bbc48bf78641169179556f595fa41f6ff18e286c2783079bc0910ee9cc34f49ba681124f923dfa88f426141a368a5f5a930c628c2c3c200e18a7644721a0cbec6dd3f6279bde3e8f2be5e2d4ee56f97e7ceaf33054be7042bd91a63bb09f897bd41e81197dee99b11af
+ 
++Availablein = default
+ Verify=RSA-PSS-3
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0afd22f879a9cda7c584f4135f8f1c961db114c0
+ Output=0244bcd1c8c16955736c803be401272e18cb990811b14f72db964124d5fa760649cbb57afb8755dbb62bf51f466cf23a0a1607576e983d778fceffa92df7548aea8ea4ecad2c29dd9f95bc07fe91ecf8bee255bfe8762fd7690aa9bfa4fa0849ef728c2c42c4532364522df2ab7f9f8a03b63f7a499175828668f5ef5a29e3802c
+ 
++Availablein = default
+ Verify=RSA-PSS-3
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=405dd56d395ef0f01b555c48f748cc32b210650b
+ Output=0196f12a005b98129c8df13c4cb16f8aa887d3c40d96df3a88e7532ef39cd992f273abc370bc1be6f097cfebbf0118fd9ef4b927155f3df22b904d90702d1f7ba7a52bed8b8942f412cd7bd676c9d18e170391dcd345c06a730964b3f30bcce0bb20ba106f9ab0eeb39cf8a6607f75c0347f0af79f16afa081d2c92d1ee6f836b8
+ 
++Availablein = default
+ Verify=RSA-PSS-3
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=a2c313b0440c8a0c47233b87f0a160c61af3eae7
+ Output=021eca3ab4892264ec22411a752d92221076d4e01c0e6f0dde9afd26ba5acf6d739ef987545d16683e5674c9e70f1de649d7e61d48d0caeb4fb4d8b24fba84a6e3108fee7d0705973266ac524b4ad280f7ae17dc59d96d3351586b5a3bdb895d1e1f7820ac6135d8753480998382ba32b7349559608c38745290a85ef4e9f9bd83
+ 
++Availablein = default
+ Verify=RSA-PSS-3
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+@@ -393,36 +406,42 @@ MAz5u2xTrR3IoXi4FdtCNamp2gwG3k5hXqEnfOVZ
+ iEjIuVlAdAvnv3w3BQIDAQAB
+ -----END PUBLIC KEY-----
+ 
++Availablein = default
+ Verify=RSA-PSS-4
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=f8b0abf70fec0bca74f0accbc24f75e6e90d3bfd
+ Output=0323d5b7bf20ba4539289ae452ae4297080feff4518423ff4811a817837e7d82f1836cdfab54514ff0887bddeebf40bf99b047abc3ecfa6a37a3ef00f4a0c4a88aae0904b745c846c4107e8797723e8ac810d9e3d95dfa30ff4966f4d75d13768d20857f2b1406f264cfe75e27d7652f4b5ed3575f28a702f8c4ed9cf9b2d44948
+ 
++Availablein = default
+ Verify=RSA-PSS-4
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=04a10944bfe11ab801e77889f3fd3d7f4ff0b629
+ Output=049d0185845a264d28feb1e69edaec090609e8e46d93abb38371ce51f4aa65a599bdaaa81d24fba66a08a116cb644f3f1e653d95c89db8bbd5daac2709c8984000178410a7c6aa8667ddc38c741f710ec8665aa9052be929d4e3b16782c1662114c5414bb0353455c392fc28f3db59054b5f365c49e1d156f876ee10cb4fd70598
+ 
++Availablein = default
+ Verify=RSA-PSS-4
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=ba01243db223eb97fb86d746c3148adaaa0ca344
+ Output=03fbc410a2ced59500fb99f9e2af2781ada74e13145624602782e2994813eefca0519ecd253b855fb626a90d771eae028b0c47a199cbd9f8e3269734af4163599090713a3fa910fa0960652721432b971036a7181a2bc0cab43b0b598bc6217461d7db305ff7e954c5b5bb231c39e791af6bcfa76b147b081321f72641482a2aad
+ 
++Availablein = default
+ Verify=RSA-PSS-4
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=934bb0d38d6836daec9de82a9648d4593da67cd2
+ Output=0486644bc66bf75d28335a6179b10851f43f09bded9fac1af33252bb9953ba4298cd6466b27539a70adaa3f89b3db3c74ab635d122f4ee7ce557a61e59b82ffb786630e5f9db53c77d9a0c12fab5958d4c2ce7daa807cd89ba2cc7fcd02ff470ca67b229fcce814c852c73cc93bea35be68459ce478e9d4655d121c8472f371d4f
+ 
++Availablein = default
+ Verify=RSA-PSS-4
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=ec35d81abd1cceac425a935758b683465c8bd879
+ Output=022a80045353904cb30cbb542d7d4990421a6eec16a8029a8422adfd22d6aff8c4cc0294af110a0c067ec86a7d364134459bb1ae8ff836d5a8a2579840996b320b19f13a13fad378d931a65625dae2739f0c53670b35d9d3cbac08e733e4ec2b83af4b9196d63e7c4ff1ddeae2a122791a125bfea8deb0de8ccf1f4ffaf6e6fb0a
+ 
++Availablein = default
+ Verify=RSA-PSS-4
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+@@ -438,18 +457,21 @@ pLDMjaMl7YqmdrDQ9ibgp38HaSFwrKyAgvQvqn3H
+ 3Sst3vXgU5L8ITvFBwIDAQAB
+ -----END PUBLIC KEY-----
+ 
++Availablein = default
+ Verify=RSA-PSS-5
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=d98b7061943510bc3dd9162f7169aabdbdcd0222
+ Output=0ba373f76e0921b70a8fbfe622f0bf77b28a3db98e361051c3d7cb92ad0452915a4de9c01722f6823eeb6adf7e0ca8290f5de3e549890ac2a3c5950ab217ba58590894952de96f8df111b2575215da6c161590c745be612476ee578ed384ab33e3ece97481a252f5c79a98b5532ae00cdd62f2ecc0cd1baefe80d80b962193ec1d
+ 
++Availablein = default
+ Verify=RSA-PSS-5
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=7ae8e699f754988f4fd645e463302e49a2552072
+ Output=08180de825e4b8b014a32da8ba761555921204f2f90d5f24b712908ff84f3e220ad17997c0dd6e706630ba3e84add4d5e7ab004e58074b549709565d43ad9e97b5a7a1a29e85b9f90f4aafcdf58321de8c5974ef9abf2d526f33c0f2f82e95d158ea6b81f1736db8d1af3d6ac6a83b32d18bae0ff1b2fe27de4c76ed8c7980a34e
+ 
++Availablein = default
+ Verify=RSA-PSS-5
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+@@ -463,12 +485,14 @@ Ctrl = rsa_mgf1_md:sha1
+ Input=ee3de96783fd0a157c8b20bf5566124124dcfe65
+ Output=0bc989853bc2ea86873271ce183a923ab65e8a53100e6df5d87a24c4194eb797813ee2a187c097dd872d591da60c568605dd7e742d5af4e33b11678ccb63903204a3d080b0902c89aba8868f009c0f1c0cb85810bbdd29121abb8471ff2d39e49fd92d56c655c8e037ad18fafbdc92c95863f7f61ea9efa28fea401369d19daea1
+ 
++Availablein = default
+ Verify=RSA-PSS-5
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=1204df0b03c2724e2709c23fc71789a21b00ae4c
+ Output=0aefa943b698b9609edf898ad22744ac28dc239497cea369cbbd84f65c95c0ad776b594740164b59a739c6ff7c2f07c7c077a86d95238fe51e1fcf33574a4ae0684b42a3f6bf677d91820ca89874467b2c23add77969c80717430d0efc1d3695892ce855cb7f7011630f4df26def8ddf36fc23905f57fa6243a485c770d5681fcd
+ 
++Availablein = default
+ Verify=RSA-PSS-5
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+@@ -484,36 +508,42 @@ Kl8QsJwxGvjA/7W3opfy78Y7jWsFEJMfC5jki/X8
+ nJnpaUMfYcuMTcaY0QIDAQAB
+ -----END PUBLIC KEY-----
+ 
++Availablein = default
+ Verify=RSA-PSS-6
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=ab464e8cb65ae5fdea47a53fa84b234d6bfd52f6
+ Output=04c0cfacec04e5badbece159a5a1103f69b3f32ba593cb4cc4b1b7ab455916a96a27cd2678ea0f46ba37f7fc9c86325f29733b389f1d97f43e7201c0f348fc45fe42892335362eee018b5b161f2f9393031225c713012a576bc88e23052489868d9010cbf033ecc568e8bc152bdc59d560e41291915d28565208e22aeec9ef85d1
+ 
++Availablein = default
+ Verify=RSA-PSS-6
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=92d0bcae82b641f578f040f5151be8eda6d42299
+ Output=0a2314250cf52b6e4e908de5b35646bcaa24361da8160fb0f9257590ab3ace42b0dc3e77ad2db7c203a20bd952fbb56b1567046ecfaa933d7b1000c3de9ff05b7d989ba46fd43bc4c2d0a3986b7ffa13471d37eb5b47d64707bd290cfd6a9f393ad08ec1e3bd71bb5792615035cdaf2d8929aed3be098379377e777ce79aaa4773
+ 
++Availablein = default
+ Verify=RSA-PSS-6
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=3569bd8fd2e28f2443375efa94f186f6911ffc2b
+ Output=086df6b500098c120f24ff8423f727d9c61a5c9007d3b6a31ce7cf8f3cbec1a26bb20e2bd4a046793299e03e37a21b40194fb045f90b18bf20a47992ccd799cf9c059c299c0526854954aade8a6ad9d97ec91a1145383f42468b231f4d72f23706d9853c3fa43ce8ace8bfe7484987a1ec6a16c8daf81f7c8bf42774707a9df456
+ 
++Availablein = default
+ Verify=RSA-PSS-6
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=7abbb7b42de335730a0b641f1e314b6950b84f98
+ Output=0b5b11ad549863ffa9c51a14a1106c2a72cc8b646e5c7262509786105a984776534ca9b54c1cc64bf2d5a44fd7e8a69db699d5ea52087a4748fd2abc1afed1e5d6f7c89025530bdaa2213d7e030fa55df6f34bcf1ce46d2edf4e3ae4f3b01891a068c9e3a44bbc43133edad6ecb9f35400c4252a5762d65744b99cb9f4c559329f
+ 
++Availablein = default
+ Verify=RSA-PSS-6
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=55b7eb27be7a787a59eb7e5fac468db8917a7725
+ Output=02d71fa9b53e4654fefb7f08385cf6b0ae3a817942ebf66c35ac67f0b069952a3ce9c7e1f1b02e480a9500836de5d64cdb7ecde04542f7a79988787e24c2ba05f5fd482c023ed5c30e04839dc44bed2a3a3a4fee01113c891a47d32eb8025c28cb050b5cdb576c70fe76ef523405c08417faf350b037a43c379339fcb18d3a356b
+ 
++Availablein = default
+ Verify=RSA-PSS-6
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+@@ -529,36 +559,42 @@ MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgTfJ
+ 2LXF01SAItcGTqKaswIDAQAB
+ -----END PUBLIC KEY-----
+ 
++Availablein = default
+ Verify=RSA-PSS-7
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=8be4afbdd76bd8d142c5f4f46dba771ee5d6d29d
+ Output=187f390723c8902591f0154bae6d4ecbffe067f0e8b795476ea4f4d51ccc810520bb3ca9bca7d0b1f2ea8a17d873fa27570acd642e3808561cb9e975ccfd80b23dc5771cdb3306a5f23159dacbd3aa2db93d46d766e09ed15d900ad897a8d274dc26b47e994a27e97e2268a766533ae4b5e42a2fcaf755c1c4794b294c60555823
+ 
++Availablein = default
+ Verify=RSA-PSS-7
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=402140dc605b2f5c5ec0d15bce9f9ba8857fe117
+ Output=10fd89768a60a67788abb5856a787c8561f3edcf9a83e898f7dc87ab8cce79429b43e56906941a886194f137e591fe7c339555361fbbe1f24feb2d4bcdb80601f3096bc9132deea60ae13082f44f9ad41cd628936a4d51176e42fc59cb76db815ce5ab4db99a104aafea68f5d330329ebf258d4ede16064bd1d00393d5e1570eb8
+ 
++Availablein = default
+ Verify=RSA-PSS-7
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=3e885205892ff2b6b37c2c4eb486c4bf2f9e7f20
+ Output=2b31fde99859b977aa09586d8e274662b25a2a640640b457f594051cb1e7f7a911865455242926cf88fe80dfa3a75ba9689844a11e634a82b075afbd69c12a0df9d25f84ad4945df3dc8fe90c3cefdf26e95f0534304b5bdba20d3e5640a2ebfb898aac35ae40f26fce5563c2f9f24f3042af76f3c7072d687bbfb959a88460af1
+ 
++Availablein = default
+ Verify=RSA-PSS-7
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=1fc2201d0c442a4736cd8b2cd00c959c47a3bf42
+ Output=32c7ca38ff26949a15000c4ba04b2b13b35a3810e568184d7ecabaa166b7ffabddf2b6cf4ba07124923790f2e5b1a5be040aea36fe132ec130e1f10567982d17ac3e89b8d26c3094034e762d2e031264f01170beecb3d1439e05846f25458367a7d9c02060444672671e64e877864559ca19b2074d588a281b5804d23772fbbe19
+ 
++Availablein = default
+ Verify=RSA-PSS-7
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=e4351b66819e5a31501f89acc7faf57030e9aac5
+ Output=07eb651d75f1b52bc263b2e198336e99fbebc4f332049a922a10815607ee2d989db3a4495b7dccd38f58a211fb7e193171a3d891132437ebca44f318b280509e52b5fa98fcce8205d9697c8ee4b7ff59d4c59c79038a1970bd2a0d451ecdc5ef11d9979c9d35f8c70a6163717607890d586a7c6dc01c79f86a8f28e85235f8c2f1
+ 
++Availablein = default
+ Verify=RSA-PSS-7
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+@@ -574,36 +610,42 @@ R1PbPO4O4Gx9+uix1TtZUyGPnM7qaVsIZo7eqtzt
+ +rBWGwgQNEc5raBzPwIDAQAB
+ -----END PUBLIC KEY-----
+ 
++Availablein = default
+ Verify=RSA-PSS-8
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=a1dd230d8ead860199b6277c2ecfe3d95f6d9160
+ Output=0262ac254bfa77f3c1aca22c5179f8f040422b3c5bafd40a8f21cf0fa5a667ccd5993d42dbafb409c520e25fce2b1ee1e716577f1efa17f3da28052f40f0419b23106d7845aaf01125b698e7a4dfe92d3967bb00c4d0d35ba3552ab9a8b3eef07c7fecdbc5424ac4db1e20cb37d0b2744769940ea907e17fbbca673b20522380c5
+ 
++Availablein = default
+ Verify=RSA-PSS-8
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=f6e68e53c602c5c65fa67b5aa6d786e5524b12ab
+ Output=2707b9ad5115c58c94e932e8ec0a280f56339e44a1b58d4ddcff2f312e5f34dcfe39e89c6a94dcee86dbbdae5b79ba4e0819a9e7bfd9d982e7ee6c86ee68396e8b3a14c9c8f34b178eb741f9d3f121109bf5c8172fada2e768f9ea1433032c004a8aa07eb990000a48dc94c8bac8aabe2b09b1aa46c0a2aa0e12f63fbba775ba7e
+ 
++Availablein = default
+ Verify=RSA-PSS-8
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=d6f9fcd3ae27f32bb2c7c93536782eba52af1f76
+ Output=2ad20509d78cf26d1b6c406146086e4b0c91a91c2bd164c87b966b8faa42aa0ca446022323ba4b1a1b89706d7f4c3be57d7b69702d168ab5955ee290356b8c4a29ed467d547ec23cbadf286ccb5863c6679da467fc9324a151c7ec55aac6db4084f82726825cfe1aa421bc64049fb42f23148f9c25b2dc300437c38d428aa75f96
+ 
++Availablein = default
+ Verify=RSA-PSS-8
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=7ff2a53ce2e2d900d468e498f230a5f5dd0020de
+ Output=1e24e6e58628e5175044a9eb6d837d48af1260b0520e87327de7897ee4d5b9f0df0be3e09ed4dea8c1454ff3423bb08e1793245a9df8bf6ab3968c8eddc3b5328571c77f091cc578576912dfebd164b9de5454fe0be1c1f6385b328360ce67ec7a05f6e30eb45c17c48ac70041d2cab67f0a2ae7aafdcc8d245ea3442a6300ccc7
+ 
++Availablein = default
+ Verify=RSA-PSS-8
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=4eb309f7022ba0b03bb78601b12931ec7c1be8d3
+ Output=33341ba3576a130a50e2a5cf8679224388d5693f5accc235ac95add68e5eb1eec31666d0ca7a1cda6f70a1aa762c05752a51950cdb8af3c5379f18cfe6b5bc55a4648226a15e912ef19ad77adeea911d67cfefd69ba43fa4119135ff642117ba985a7e0100325e9519f1ca6a9216bda055b5785015291125e90dcd07a2ca9673ee
+ 
++Availablein = default
+ Verify=RSA-PSS-8
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+Index: openssl-3.5.0/test/recipes/80-test_cms.t
+===================================================================
+--- openssl-3.5.0.orig/test/recipes/80-test_cms.t
++++ openssl-3.5.0/test/recipes/80-test_cms.t
+@@ -174,7 +174,7 @@ my @smime_pkcs7_tests = (
+       [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1",
+         "-certfile", $smroot,
+         "-signer", $smrsa1, "-out", "{output}.cms" ],
+-      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
++      [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms",
+         "-CAfile", $smroot, "-out", "{output}.txt" ],
+       \&final_compare
+     ],
+@@ -182,7 +182,7 @@ my @smime_pkcs7_tests = (
+     [ "signed zero-length content S/MIME format, RSA key SHA1",
+       [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1",
+         "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
+-      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
++      [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms",
+         "-CAfile", $smroot, "-out", "{output}.txt" ],
+       \&zero_compare
+     ],
+Index: openssl-3.5.0/test/recipes/80-test_ssl_old.t
+===================================================================
+--- openssl-3.5.0.orig/test/recipes/80-test_ssl_old.t
++++ openssl-3.5.0/test/recipes/80-test_ssl_old.t
+@@ -465,6 +465,9 @@ sub testssl {
+                'test sslv2/sslv3 with 1024bit DHE via BIO pair');
+           }
+ 
++        SKIP: {
++          skip "SSLv3 is not supported by the FIPS provider", 4
++              if $provider eq "fips";
+           ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])),
+              'test sslv2/sslv3 with server authentication');
+           ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])),
+@@ -473,6 +476,7 @@ sub testssl {
+              'test sslv2/sslv3 with both client and server authentication via BIO pair');
+           ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])),
+              'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify');
++         }
+ 
+         SKIP: {
+             skip "No IPv4 available on this machine", 4
+Index: openssl-3.5.0/apps/openssl.cnf
+===================================================================
+--- openssl-3.5.0.orig/apps/openssl.cnf
++++ openssl-3.5.0/apps/openssl.cnf
+@@ -119,7 +119,7 @@ cert_opt 	= ca_default		# Certificate fi
+ 
+ default_days	= 365			# how long to certify for
+ default_crl_days= 30			# how long before next CRL
+-default_md	= default		# use public key default MD
++default_md	= sha256		# use public key default MD
+ preserve	= no			# keep passed DN ordering
+ 
+ # A few difference way of specifying how similar the request should look

openssl-FIPS-EC-disable-weak-curves.patch

@@ -0,0 +1,31 @@
+From 8a8265970a7497010b9b39182315f20521e7e15b Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Fri, 7 Mar 2025 18:06:36 -0500
+Subject: [PATCH 45/53] FIPS: EC: disable weak curves
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ apps/ecparam.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/apps/ecparam.c b/apps/ecparam.c
+index f0879dfb11..a6042e7d2a 100644
+--- a/apps/ecparam.c
++++ b/apps/ecparam.c
+@@ -77,6 +77,13 @@ static int list_builtin_curves(BIO *out)
+         const char *comment = curves[n].comment;
+         const char *sname = OBJ_nid2sn(curves[n].nid);
+ 
++        if (((curves[n].nid == NID_secp256k1) || (curves[n].nid == NID_brainpoolP256r1)
++            || (curves[n].nid == NID_brainpoolP256t1) || (curves[n].nid == NID_brainpoolP320r1)
++            || (curves[n].nid == NID_brainpoolP320t1) || (curves[n].nid == NID_brainpoolP384r1)
++            || (curves[n].nid == NID_brainpoolP384t1) || (curves[n].nid == NID_brainpoolP512r1)
++            || (curves[n].nid == NID_brainpoolP512t1)) && EVP_default_properties_is_fips_enabled(NULL))
++            continue;
++
+         if (comment == NULL)
+             comment = "CURVE DESCRIPTION NOT AVAILABLE";
+         if (sname == NULL)
+-- 
+2.49.0
+

openssl-FIPS-Enforce-error-state.patch

@@ -0,0 +1,20 @@
+Index: openssl-3.5.0-beta1/providers/fips/fipsprov.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/providers/fips/fipsprov.c
++++ openssl-3.5.0-beta1/providers/fips/fipsprov.c
+@@ -988,6 +988,7 @@ int OSSL_provider_init_int(const OSSL_CO
+         /* Error already raised */
+         goto err;
+     }
++#if 0 /* Don't allow to skip the error state */
+     /*
+      * Disable the conditional error check if it's disabled in the fips config
+      * file.
+@@ -995,6 +996,7 @@ int OSSL_provider_init_int(const OSSL_CO
+     if (fgbl->selftest_params.conditional_error_check != NULL
+         && strcmp(fgbl->selftest_params.conditional_error_check, "0") == 0)
+         SELF_TEST_disable_conditional_error_state();
++#endif
+ 
+     /* Enable or disable FIPS provider options */
+ #define OSSL_FIPS_PARAM(structname, paramname, unused)                         \

openssl-FIPS-Expose-a-FIPS-indicator.patch

@@ -0,0 +1,462 @@
+From e3d6fca1af033d00c47bcd8f9ba28fcf1aa476aa Mon Sep 17 00:00:00 2001
+From: Clemens Lang <cllang@redhat.com>
+Date: Tue, 7 Jun 2022 12:02:49 +0200
+Subject: [PATCH] fips: Expose a FIPS indicator
+
+FIPS 140-3 requires us to indicate whether an operation was using
+approved services or not. The FIPS 140-3 implementation guidelines
+provide two basic approaches to doing this: implicit indicators, and
+explicit indicators.
+
+Implicit indicators are basically the concept of "if the operation
+passes, it was approved". We were originally aiming for implicit
+indicators in our copy of OpenSSL. However, this proved to be a problem,
+because we wanted to certify a signature service, and FIPS 140-3
+requires that a signature service computes the digest to be signed
+within the boundaries of the FIPS module. Since we were planning to
+certify fips.so only, this means that EVP_PKEY_sign/EVP_PKEY_verify
+would have to be blocked. Unfortunately, EVP_SignFinal uses
+EVP_PKEY_sign internally, but outside of fips.so and thus outside of the
+FIPS module boundary. This means that using implicit indicators in
+combination with certifying only fips.so would require us to block both
+EVP_PKEY_sign and EVP_SignFinal, which are the two APIs currently used
+by most users of OpenSSL for signatures.
+
+EVP_DigestSign would be acceptable, but has only been added in 3.0 and
+is thus not yet widely used.
+
+As a consequence, we've decided to introduce explicit indicators so that
+EVP_PKEY_sign and EVP_SignFinal can continue to work for now, but
+FIPS-aware applications can query the explicit indicator to check
+whether the operation was approved.
+
+To avoid affecting the ABI and public API too much, this is implemented
+as an exported symbol in fips.so and a private header, so applications
+that wish to use this will have to dlopen(3) fips.so, locate the
+function using dlsym(3), and then call it. These applications will have
+to build against the private header in order to use the returned
+pointer.
+
+Modify util/mkdef.pl to support exposing a symbol only for a specific
+provider identified by its name and path.
+
+Signed-off-by: Clemens Lang <cllang@redhat.com>
+---
+ doc/build.info                      |   6 ++
+ doc/man7/fips_module_indicators.pod | 154 ++++++++++++++++++++++++++++
+ providers/fips/fipsprov.c           |  71 +++++++++++++
+ providers/fips/indicator.h          |  66 ++++++++++++
+ util/mkdef.pl                       |  25 ++++-
+ util/providers.num                  |   1 +
+ 6 files changed, 322 insertions(+), 1 deletion(-)
+ create mode 100644 doc/man7/fips_module_indicators.pod
+ create mode 100644 providers/fips/indicator.h
+
+Index: openssl-3.5.0-beta1/doc/build.info
+===================================================================
+--- openssl-3.5.0-beta1.orig/doc/build.info
++++ openssl-3.5.0-beta1/doc/build.info
+@@ -4939,6 +4939,10 @@ DEPEND[html/man7/fips_module.html]=man7/
+ GENERATE[html/man7/fips_module.html]=man7/fips_module.pod
+ DEPEND[man/man7/fips_module.7]=man7/fips_module.pod
+ GENERATE[man/man7/fips_module.7]=man7/fips_module.pod
++DEPEND[html/man7/fips_module_indicators.html]=man7/fips_module_indicators.pod
++GENERATE[html/man7/fips_module_indicators.html]=man7/fips_module_indicators.pod
++DEPEND[man/man7/fips_module_indicators.7]=man7/fips_module_indicators.pod
++GENERATE[man/man7/fips_module_indicators.7]=man7/fips_module_indicators.pod
+ DEPEND[html/man7/life_cycle-cipher.html]=man7/life_cycle-cipher.pod
+ GENERATE[html/man7/life_cycle-cipher.html]=man7/life_cycle-cipher.pod
+ DEPEND[man/man7/life_cycle-cipher.7]=man7/life_cycle-cipher.pod
+@@ -5266,6 +5270,7 @@ html/man7/ct.html \
+ html/man7/des_modes.html \
+ html/man7/evp.html \
+ html/man7/fips_module.html \
++html/man7/fips_module_indicators.html \
+ html/man7/life_cycle-cipher.html \
+ html/man7/life_cycle-digest.html \
+ html/man7/life_cycle-kdf.html \
+@@ -5423,6 +5428,7 @@ man/man7/ct.7 \
+ man/man7/des_modes.7 \
+ man/man7/evp.7 \
+ man/man7/fips_module.7 \
++man/man7/fips_module_indicators.7 \
+ man/man7/life_cycle-cipher.7 \
+ man/man7/life_cycle-digest.7 \
+ man/man7/life_cycle-kdf.7 \
+Index: openssl-3.5.0-beta1/doc/man7/fips_module_indicators.pod
+===================================================================
+--- /dev/null
++++ openssl-3.5.0-beta1/doc/man7/fips_module_indicators.pod
+@@ -0,0 +1,155 @@
++=pod
++
++=head1 NAME
++
++fips_module_indicators - SUSE OpenSSL FIPS module indicators guide
++
++=head1 DESCRIPTION
++
++This guide documents how the SUSE Linux Enterprise OpenSSL FIPS provider
++implements Approved Security Service Indicators according to the FIPS 140-3
++Implementation Guidelines, section 2.4.C. See
++L<https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf>
++for the FIPS 140-3 Implementation Guidelines.
++
++For all approved services except signatures, the SUSE OpenSSL FIPS provider
++uses the return code as the indicator as understood by FIPS 140-3. That means
++that every operation that succeeds denotes use of an approved security service.
++Operations that do not succeed may not have been approved security services, or
++may have been used incorrectly.
++
++For signatures, an explicit indicator API is available to determine whether
++a selected operation is an approved security service, in combination with the
++return code of the operation. For a signature operation to be approved, the
++explicit indicator must claim it as approved, and it must succeed.
++
++=head2 Querying the explicit indicator
++
++The SUSE OpenSSL FIPS provider exports a symbol named
++I<suse_ossl_query_fipsindicator> that provides information on which signature
++operations are approved security functions. To use this function, either link
++against I<fips.so> directly, or load it at runtime using dlopen(3) and
++dlsym(3).
++
++    #include <openssl/core_dispatch.h>
++    #include "providers/fips/indicator.h"
++
++    void *provider = dlopen("/usr/lib64/ossl-modules/fips.so", RTLD_LAZY);
++    if (provider == NULL) {
++        fprintf(stderr, "%s\n", dlerror());
++        // handle error
++    }
++
++    const OSSL_SUSE_FIPSINDICATOR_ALGORITHM *(*suse_ossl_query_fipsindicator)(int) \
++        = dlsym(provider, "suse_ossl_query_fipsindicator");
++    if (suse_ossl_query_fipsindicator == NULL) {
++        fprintf(stderr, "%s\n", dlerror());
++        fprintf(stderr, "Does your copy of fips.so have the required SUSE"
++                        " patches?\n");
++        // handle error
++    }
++
++Note that this uses the I<providers/fips/indicator.h> header, which is not
++public. Install the I<openssl-3-debugsource> package from the I<Debuginfo-Pool>
++repository using I<zypper install openssl-3-debugsource> and include
++I</usr/src/debug/openssl-3.*/> in the compiler's include path.
++
++I<suse_ossl_query_fipsindicator> expects an operation ID as its only
++argument. Currently, the only supported operation ID is I<OSSL_OP_SIGNATURE> to
++obtain the indicators for signature operations. On success, the return value is
++a pointer to an array of I<OSSL_SUSE_FIPSINDICATOR_STRUCT>s. On failure, NULL is
++returned. The last entry in the array is indicated by I<algorithm_names> being
++NULL.
++
++    typedef struct ossl_suse_fipsindicator_algorithm_st {
++        const char *algorithm_names;     /* key */
++        const char *property_definition; /* key */
++        const OSSL_SUSE_FIPSINDICATOR_DISPATCH *indicators;
++    } OSSL_SUSE_FIPSINDICATOR_ALGORITHM;
++
++    typedef struct ossl_suse_fipsindicator_dispatch_st {
++        int function_id;
++        int approved;
++    } OSSL_SUSE_FIPSINDICATOR_DISPATCH;
++
++The I<algorithm_names> field is a colon-separated list of algorithm names from
++one of the I<PROV_NAMES_...> constants, e.g., I<PROV_NAMES_RSA>. strtok(3) can
++be used to locate the appropriate entry. See the example below, where
++I<algorithm> contains the algorithm name to search for:
++
++    const OSSL_SUSE_FIPSINDICATOR_DISPATCH *indicator_dispatch = NULL;
++    const OSSL_SUSE_FIPSINDICATOR_ALGORITHM *indicator =
++        suse_ossl_query_fipsindicator(operation_id);
++    if (indicator == NULL) {
++        fprintf(stderr, "No indicator for operation, probably using implicit"
++                        " indicators.\n");
++        // handle error
++    }
++
++    for (; indicator->algorithm_names != NULL; ++indicator) {
++        char *algorithm_names = strdup(indicator->algorithm_names);
++        if (algorithm_names == NULL) {
++            perror("strdup(3)");
++            // handle error
++        }
++
++        const char *algorithm_name = strtok(algorithm_names, ":");
++        for (; algorithm_name != NULL; algorithm_name = strtok(NULL, ":")) {
++            if (strcasecmp(algorithm_name, algorithm) == 0) {
++                indicator_dispatch = indicator->indicators;
++                free(algorithm_names);
++                algorithm_names = NULL;
++                break;
++            }
++        }
++        free(algorithm_names);
++    }
++    if (indicator_dispatch == NULL) {
++        fprintf(stderr, "No indicator for algorithm %s.\n", algorithm);
++        // handle error
++    }
++
++If an appropriate I<OSSL_SUSE_FIPSINDICATOR_DISPATCH> array is available for the
++given algorithm name, it maps function IDs to their approval status. The last
++entry is indicated by a zero I<function_id>. I<approved> is
++I<OSSL_SUSE_FIPSINDICATOR_APPROVED> if the operation is an approved security
++service, or part of an approved security service, or
++I<OSSL_SUSE_FIPSINDICATOR_UNAPPROVED> otherwise. Any other value is invalid.
++Function IDs are I<OSSL_FUNC_*> constants from I<openssl/core_dispatch.h>,
++e.g., I<OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE> or I<OSSL_FUNC_SIGNATURE_SIGN>.
++
++Assuming I<function_id> is the function in question, the following code can be
++used to query the approval status:
++
++    for (; indicator_dispatch->function_id != 0; ++indicator_dispatch) {
++        if (indicator_dispatch->function_id == function_id) {
++            switch (indicator_dispatch->approved) {
++                case OSSL_SUSE_FIPSINDICATOR_APPROVED:
++                    // approved security service
++                    break;
++                case OSSL_SUSE_FIPSINDICATOR_UNAPPROVED:
++                    // unapproved security service
++                    break;
++                default:
++                    // invalid result
++                    break;
++            }
++            break;
++        }
++    }
++
++=head1 SEE ALSO
++
++L<fips_module(7)>, L<provider(7)>
++
++=head1 COPYRIGHT
++
++Copyright 2022 Red Hat, Inc. All Rights Reserved.
++Copyright 2024 SUSE LLC. All Rights Reserved.
++
++Licensed under the Apache License 2.0 (the "License").  You may not use
++this file except in compliance with the License.  You can obtain a copy
++in the file LICENSE in the source distribution or at
++L<https://www.openssl.org/source/license.html>.
++
++=cut
+Index: openssl-3.5.0-beta1/providers/fips/fipsprov.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/providers/fips/fipsprov.c
++++ openssl-3.5.0-beta1/providers/fips/fipsprov.c
+@@ -28,6 +28,7 @@
+ #include "crypto/context.h"
+ #include "fipscommon.h"
+ #include "internal/core.h"
++#include "indicator.h"
+ 
+ static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes";
+ static const char FIPS_UNAPPROVED_PROPERTIES[] = "provider=fips,fips=no";
+@@ -542,6 +543,68 @@ static const OSSL_ALGORITHM fips_signatu
+     { NULL, NULL, NULL }
+ };
+ 
++static const OSSL_SUSE_FIPSINDICATOR_DISPATCH suse_rsa_signature_indicators[] = {
++    { OSSL_FUNC_SIGNATURE_NEWCTX, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_SIGN_INIT, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED },
++    { OSSL_FUNC_SIGNATURE_SIGN, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED },
++    { OSSL_FUNC_SIGNATURE_VERIFY_INIT, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED },
++    { OSSL_FUNC_SIGNATURE_VERIFY, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED },
++    { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED },
++    { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED },
++    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_FREECTX, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_DUPCTX, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { 0, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED }
++};
++
++static const OSSL_SUSE_FIPSINDICATOR_DISPATCH suse_ecdsa_signature_indicators[] = {
++    { OSSL_FUNC_SIGNATURE_NEWCTX, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_SIGN_INIT, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED },
++    { OSSL_FUNC_SIGNATURE_SIGN, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED },
++    { OSSL_FUNC_SIGNATURE_VERIFY_INIT, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED },
++    { OSSL_FUNC_SIGNATURE_VERIFY, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED },
++    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_FREECTX, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_DUPCTX, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED },
++    { 0, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED }
++};
++
++static const OSSL_SUSE_FIPSINDICATOR_ALGORITHM suse_indicator_fips_signature[] = {
++    { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES,
++        suse_rsa_signature_indicators },
++#ifndef OPENSSL_NO_EC
++    { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES,
++        suse_ecdsa_signature_indicators },
++#endif
++    { NULL, NULL, NULL }
++};
++
+ static const OSSL_ALGORITHM fips_asym_cipher[] = {
+     { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_asym_cipher_functions },
+     { NULL, NULL, NULL }
+@@ -696,6 +759,14 @@ static const OSSL_ALGORITHM *fips_query(
+     }
+     return NULL;
+ }
++
++const OSSL_SUSE_FIPSINDICATOR_ALGORITHM *suse_ossl_query_fipsindicator(int operation_id) {
++    switch (operation_id) {
++    case OSSL_OP_SIGNATURE:
++        return suse_indicator_fips_signature;
++    }
++    return NULL;
++}
+ 
+ static const OSSL_ALGORITHM *fips_query_internal(void *provctx, int operation_id,
+                                                  int *no_cache)
+Index: openssl-3.5.0-beta1/providers/fips/indicator.h
+===================================================================
+--- /dev/null
++++ openssl-3.5.0-beta1/providers/fips/indicator.h
+@@ -0,0 +1,66 @@
++/*
++ * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the Apache License 2.0 (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#ifndef OPENSSL_FIPS_INDICATOR_H
++# define OPENSSL_FIPS_INDICATOR_H
++# pragma once
++
++# ifdef __cplusplus
++extern "C" {
++# endif
++
++# define OSSL_SUSE_FIPSINDICATOR_UNAPPROVED (0)
++# define OSSL_SUSE_FIPSINDICATOR_APPROVED (1)
++
++/*
++ * FIPS indicator dispatch table element.  function_id numbers and the
++ * functions are defined in core_dispatch.h, see macros with
++ * 'OSSL_CORE_MAKE_FUNC' in their names.
++ *
++ * An array of these is always terminated by function_id == 0
++ */
++typedef struct ossl_suse_fipsindicator_dispatch_st {
++    int function_id;
++    int approved;
++} OSSL_SUSE_FIPSINDICATOR_DISPATCH;
++
++/*
++ * Type to tie together algorithm names, property definition string and the
++ * algorithm implementation's FIPS indicator status in the form of a FIPS
++ * indicator dispatch table.
++ *
++ * An array of these is always terminated by algorithm_names == NULL
++ */
++typedef struct ossl_suse_fipsindicator_algorithm_st {
++    const char *algorithm_names;     /* key */
++    const char *property_definition; /* key */
++    const OSSL_SUSE_FIPSINDICATOR_DISPATCH *indicators;
++} OSSL_SUSE_FIPSINDICATOR_ALGORITHM;
++
++/**
++ * Query FIPS indicator status for the given operation.  Possible values for
++ * 'operation_id' are currently only OSSL_OP_SIGNATURE, as all other algorithms
++ * use implicit indicators.  The return value is an array of
++ * OSSL_SUSE_FIPSINDICATOR_ALGORITHMs, terminated by an entry with
++ * algorithm_names == NULL.  'algorithm_names' is a colon-separated list of
++ * algorithm names, 'property_definition' a comma-separated list of properties,
++ * and 'indicators' is a list of OSSL_SUSE_FIPSINDICATOR_DISPATCH structs.  This
++ * list is terminated by function_id == 0.  'function_id' is one of the
++ * OSSL_FUNC_* constants, e.g., OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL.
++ *
++ * If there is no entry in the returned struct for the given operation_id,
++ * algorithm name, or function_id, the algorithm is unapproved.
++ */
++const OSSL_SUSE_FIPSINDICATOR_ALGORITHM *suse_ossl_query_fipsindicator(int operation_id);
++
++# ifdef __cplusplus
++}
++# endif
++
++#endif
+Index: openssl-3.5.0-beta1/util/mkdef.pl
+===================================================================
+--- openssl-3.5.0-beta1.orig/util/mkdef.pl
++++ openssl-3.5.0-beta1/util/mkdef.pl
+@@ -154,7 +154,8 @@ $ordinal_opts{filter} =
+         return
+             $item->exists()
+             && platform_filter($item)
+-            && feature_filter($item);
++            && feature_filter($item)
++            && fips_filter($item, $name);
+     };
+ my $ordinals = OpenSSL::Ordinals->new(from => $ordinals_file);
+ 
+@@ -210,6 +211,28 @@ sub feature_filter {
+     return $verdict;
+ }
+ 
++sub fips_filter {
++    my $item = shift;
++    my $name = uc(shift);
++    my @features = ( $item->features() );
++
++    # True if no features are defined
++    return 1 if scalar @features == 0;
++
++    my @matches = grep(/^ONLY_.*$/, @features);
++    if (@matches) {
++        # There is at least one only_* flag on this symbol, check if any of
++        # them match the name
++        for (@matches) {
++            if ($_ eq "ONLY_${name}") {
++                return 1;
++            }
++        }
++        return 0;
++    }
++    return 1;
++}
++
+ sub sorter_unix {
+     my $by_name = OpenSSL::Ordinals::by_name();
+     my %weight = (
+Index: openssl-3.5.0-beta1/util/providers.num
+===================================================================
+--- openssl-3.5.0-beta1.orig/util/providers.num
++++ openssl-3.5.0-beta1/util/providers.num
+@@ -1 +1,2 @@
+ OSSL_provider_init                     1	*	EXIST::FUNCTION:
++suse_ossl_query_fipsindicator          1	*	EXIST::FUNCTION:ONLY_PROVIDERS/FIPS

openssl-FIPS-Fix-encoder-decoder-negative-test.patch

@@ -0,0 +1,35 @@
+From fee4537648b335f708e78d15a4c3b6018169b5cd Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Wed, 5 Mar 2025 13:22:03 -0500
+Subject: [PATCH 43/53] FIPS: Fix encoder/decoder negative test
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ test/recipes/04-test_encoder_decoder.t | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+ mode change 100644 => 100755 test/recipes/04-test_encoder_decoder.t
+
+diff --git a/test/recipes/04-test_encoder_decoder.t b/test/recipes/04-test_encoder_decoder.t
+old mode 100644
+new mode 100755
+index 2acc980e90..660d4e1115
+--- a/test/recipes/04-test_encoder_decoder.t
++++ b/test/recipes/04-test_encoder_decoder.t
+@@ -75,10 +75,10 @@ SKIP: {
+ }
+     my $no_des = disabled("des");
+ SKIP: {
+-    skip "MD5 disabled", 2 if disabled("md5");
+-    ok(run(app([ 'openssl', 'genrsa', '-aes128', '-out', 'epki.pem',
+-                 '-traditional', '-passout', 'pass:pass' ])),
+-       "rsa encrypted using a non fips algorithm MD5 in pbe");
++    skip "DES disabled", 2 if disabled("des3");
++    ok(run(app([ 'openssl', 'genrsa', '-des3', '-out', 'epki.pem',
++                 '-traditional', '-passout', 'pass:pass'])),
++       "rsa encrypted using a non fips algorithm DES3 in pbe");
+ 
+     my $conf2 = srctop_file("test", "default-and-fips.cnf");
+     ok(run(test(['decoder_propq_test', '-config', $conf2,
+-- 
+2.49.0
+

openssl-FIPS-Fix-openssl-speed-KMAC.patch

@@ -0,0 +1,73 @@
+From e128762a1b1f047633e76022a6a8097cb88b49a6 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <beldmit@gmail.com>
+Date: Fri, 9 May 2025 15:09:46 +0200
+Subject: [PATCH 51/54] Make `openssl speed` run in FIPS mode
+
+---
+ apps/speed.c | 44 ++++++++++++++++++++++----------------------
+ 1 file changed, 22 insertions(+), 22 deletions(-)
+
+Index: openssl-3.5.0/apps/speed.c
+===================================================================
+--- openssl-3.5.0.orig/apps/speed.c
++++ openssl-3.5.0/apps/speed.c
+@@ -3172,18 +3172,18 @@ int speed_main(int argc, char **argv)
+                                                       (void *)key32, 16);
+         params[1] = OSSL_PARAM_construct_end();
+ 
+-        if (mac_setup("KMAC-128", &mac, params, loopargs, loopargs_len) < 1)
+-            goto end;
+-        for (testnum = 0; testnum < size_num; testnum++) {
+-            print_message(names[D_KMAC128], lengths[testnum], seconds.sym);
+-            Time_F(START);
+-            count = run_benchmark(async_jobs, KMAC128_loop, loopargs);
+-            d = Time_F(STOP);
+-            print_result(D_KMAC128, testnum, count, d);
+-            if (count < 0)
+-                break;
++        if (mac_setup("KMAC-128", &mac, params, loopargs, loopargs_len) == 1) {
++            for (testnum = 0; testnum < size_num; testnum++) {
++                print_message(names[D_KMAC128], lengths[testnum], seconds.sym);
++                Time_F(START);
++                count = run_benchmark(async_jobs, KMAC128_loop, loopargs);
++                d = Time_F(STOP);
++                print_result(D_KMAC128, testnum, count, d);
++                if (count < 0)
++                    break;
++            }
++            mac_teardown(&mac, loopargs, loopargs_len);
+         }
+-        mac_teardown(&mac, loopargs, loopargs_len);
+     }
+ 
+     if (doit[D_KMAC256]) {
+@@ -3193,18 +3193,18 @@ int speed_main(int argc, char **argv)
+                                                       (void *)key32, 32);
+         params[1] = OSSL_PARAM_construct_end();
+ 
+-        if (mac_setup("KMAC-256", &mac, params, loopargs, loopargs_len) < 1)
+-            goto end;
+-        for (testnum = 0; testnum < size_num; testnum++) {
+-            print_message(names[D_KMAC256], lengths[testnum], seconds.sym);
+-            Time_F(START);
+-            count = run_benchmark(async_jobs, KMAC256_loop, loopargs);
+-            d = Time_F(STOP);
+-            print_result(D_KMAC256, testnum, count, d);
+-            if (count < 0)
+-                break;
++        if (mac_setup("KMAC-256", &mac, params, loopargs, loopargs_len) == 1) {
++            for (testnum = 0; testnum < size_num; testnum++) {
++                print_message(names[D_KMAC256], lengths[testnum], seconds.sym);
++                Time_F(START);
++                count = run_benchmark(async_jobs, KMAC256_loop, loopargs);
++                d = Time_F(STOP);
++                print_result(D_KMAC256, testnum, count, d);
++                if (count < 0)
++                    break;
++            }
++            mac_teardown(&mac, loopargs, loopargs_len);
+         }
+-        mac_teardown(&mac, loopargs, loopargs_len);
+     }
+ 
+     for (i = 0; i < loopargs_len; i++)

openssl-FIPS-Mark-SHA1-as-nonapproved.patch

@@ -0,0 +1,25 @@
+Index: openssl-3.2.4/providers/fips/fipsprov.c
+===================================================================
+--- openssl-3.2.4.orig/providers/fips/fipsprov.c
++++ openssl-3.2.4/providers/fips/fipsprov.c
+@@ -278,7 +278,7 @@ static int fips_self_test(void *provctx)
+  */
+ static const OSSL_ALGORITHM fips_digests[] = {
+     /* Our primary name:NiST name[:our older names] */
+-    { PROV_NAMES_SHA1, FIPS_DEFAULT_PROPERTIES, ossl_sha1_functions },
++    { PROV_NAMES_SHA1, FIPS_UNAPPROVED_PROPERTIES, ossl_sha1_functions },
+     { PROV_NAMES_SHA2_224, FIPS_DEFAULT_PROPERTIES, ossl_sha224_functions },
+     { PROV_NAMES_SHA2_256, FIPS_DEFAULT_PROPERTIES, ossl_sha256_functions },
+     { PROV_NAMES_SHA2_384, FIPS_DEFAULT_PROPERTIES, ossl_sha384_functions },
+@@ -355,9 +355,9 @@ static const OSSL_ALGORITHM_CAPABLE fips
+     ALG(PROV_NAMES_AES_256_WRAP_PAD_INV, ossl_aes256wrappadinv_functions),
+     ALG(PROV_NAMES_AES_192_WRAP_PAD_INV, ossl_aes192wrappadinv_functions),
+     ALG(PROV_NAMES_AES_128_WRAP_PAD_INV, ossl_aes128wrappadinv_functions),
+-    ALGC(PROV_NAMES_AES_128_CBC_HMAC_SHA1, ossl_aes128cbc_hmac_sha1_functions,
++    UNAPPROVED_ALGC(PROV_NAMES_AES_128_CBC_HMAC_SHA1, ossl_aes128cbc_hmac_sha1_functions,
+          ossl_cipher_capable_aes_cbc_hmac_sha1),
+-    ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA1, ossl_aes256cbc_hmac_sha1_functions,
++    UNAPPROVED_ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA1, ossl_aes256cbc_hmac_sha1_functions,
+          ossl_cipher_capable_aes_cbc_hmac_sha1),
+     ALGC(PROV_NAMES_AES_128_CBC_HMAC_SHA256, ossl_aes128cbc_hmac_sha256_functions,
+          ossl_cipher_capable_aes_cbc_hmac_sha256),

openssl-FIPS-NO-DES-support.patch

@@ -0,0 +1,152 @@
+From 3a1abccdfc3bb78dd472bbb7ff36313959ef0cdf Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Fri, 7 Mar 2025 18:15:13 -0500
+Subject: [PATCH 47/53] FIPS: NO DES support
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ providers/fips/fipsprov.c                           |  3 ++-
+ providers/fips/self_test_data.inc                   |  5 ++++-
+ test/evp_libctx_test.c                              |  4 +++-
+ .../30-test_evp_data/evpciph_des3_common.txt        | 13 ++++---------
+ test/recipes/80-test_cms.t                          |  2 +-
+ 5 files changed, 14 insertions(+), 13 deletions(-)
+
+Index: openssl-3.5.0-beta1/providers/fips/fipsprov.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/providers/fips/fipsprov.c
++++ openssl-3.5.0-beta1/providers/fips/fipsprov.c
+@@ -358,7 +358,8 @@ static const OSSL_ALGORITHM_CAPABLE fips
+          ossl_cipher_capable_aes_cbc_hmac_sha256),
+     ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
+          ossl_cipher_capable_aes_cbc_hmac_sha256),
+-#ifndef OPENSSL_NO_DES
++/* We don't certify 3DES in our FIPS provider */
++#if 0 /* ifndef OPENSSL_NO_DES */
+     ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
+     ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
+ #endif  /* OPENSSL_NO_DES */
+Index: openssl-3.5.0-beta1/providers/fips/self_test_data.inc
+===================================================================
+--- openssl-3.5.0-beta1.orig/providers/fips/self_test_data.inc
++++ openssl-3.5.0-beta1/providers/fips/self_test_data.inc
+@@ -209,6 +209,7 @@ static const ST_KAT_DIGEST st_kat_digest
+ /*- CIPHER TEST DATA */
+ 
+ /* DES3 test data */
++#if 0
+ static const unsigned char des_ede3_cbc_pt[] = {
+     0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
+     0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
+@@ -229,7 +230,7 @@ static const unsigned char des_ede3_cbc_
+     0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F,
+     0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7
+ };
+-
++#endif
+ /* AES-256 GCM test data */
+ static const unsigned char aes_256_gcm_key[] = {
+     0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c,
+@@ -315,6 +316,7 @@ static const ST_KAT_CIPHER st_kat_cipher
+         CIPHER_MODE_DECRYPT,
+         ITM(aes_128_ecb_key)
+     },
++#if 0
+ #ifndef OPENSSL_NO_DES
+     {
+         {
+@@ -327,6 +329,7 @@ static const ST_KAT_CIPHER st_kat_cipher
+         ITM(tdes_key)
+     }
+ #endif
++#endif
+ };
+ 
+ static const char hkdf_digest[] = "SHA256";
+Index: openssl-3.5.0-beta1/test/evp_libctx_test.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/test/evp_libctx_test.c
++++ openssl-3.5.0-beta1/test/evp_libctx_test.c
+@@ -831,7 +831,9 @@ int setup_tests(void)
+     ADD_TEST(kem_invalid_keytype);
+ #endif
+ #ifndef OPENSSL_NO_DES
+-    ADD_TEST(test_cipher_tdes_randkey);
++    if (strcmp(prov_name, "fips") != 0) {
++        ADD_TEST(test_cipher_tdes_randkey);
++    }
+ #endif
+     return 1;
+ }
+Index: openssl-3.5.0-beta1/test/recipes/30-test_evp_data/evpciph_des3_common.txt
+===================================================================
+--- openssl-3.5.0-beta1.orig/test/recipes/30-test_evp_data/evpciph_des3_common.txt
++++ openssl-3.5.0-beta1/test/recipes/30-test_evp_data/evpciph_des3_common.txt
+@@ -14,7 +14,7 @@
+ Title = DES3 Tests
+ 
+ # DES EDE3 CBC tests (from destest)
+-FIPSversion = <3.4.0
++Availablein = default
+ Cipher = DES-EDE3-CBC
+ Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
+ IV = fedcba9876543210
+@@ -24,8 +24,7 @@ NextIV = 1c673812cfde9675
+ 
+ # DES EDE3 ECB test
+ # FIPS(3.0.0): has a bug in the IV length #17591
+-FIPSversion = >3.0.0
+-FIPSversion = <3.4.0
++Availablein = default
+ Cipher = DES-EDE3-ECB
+ Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
+ Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000
+@@ -42,7 +41,6 @@ Ciphertext = 4d1332e49f380e23d80a0d8b2ba
+ 
+ # Test that DES3 CBC mode encryption fails because it is not FIPS approved
+ Availablein = fips
+-FIPSversion = >=3.4.0
+ Cipher = DES-EDE3-CBC
+ Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
+ IV = fedcba9876543210
+@@ -52,7 +50,6 @@ Result = CIPHERINIT_ERROR
+ 
+ # Test that DES3 EBC mode encryption fails because it is not FIPS approved
+ Availablein = fips
+-FIPSversion = >=3.4.0
+ Cipher = DES-EDE3-ECB
+ Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
+ Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000
+@@ -62,8 +59,7 @@ Result = CIPHERINIT_ERROR
+ Title = DES3 FIPS Indicator Tests
+ 
+ # Test that DES3 CBC mode encryption is not FIPS approved
+-Availablein = fips
+-FIPSversion = >=3.4.0
++Availablein = none
+ Cipher = DES-EDE3-CBC
+ Unapproved = 1
+ CtrlInit = encrypt-check:0
+@@ -74,8 +70,7 @@ Plaintext = 37363534333231204E6F77206973
+ Ciphertext = 3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675
+ 
+ # Test that DES3 ECB mode encryption is not FIPS approved
+-Availablein = fipss
+-FIPSversion = >=3.4.0
++Availablein = none
+ Cipher = DES-EDE3-ECB
+ Operation = ENCRYPT
+ Unapproved = 1
+Index: openssl-3.5.0-beta1/test/recipes/80-test_cms.t
+===================================================================
+--- openssl-3.5.0-beta1.orig/test/recipes/80-test_cms.t
++++ openssl-3.5.0-beta1/test/recipes/80-test_cms.t
+@@ -398,7 +398,7 @@ my @smime_cms_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "encrypted content test streaming PEM format, triple DES key",
++    [ "encrypted content test streaming PEM format, triple DES key, no SUSE FIPS",
+       [ "{cmd1}", @defaultprov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
+         "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
+         "-stream", "-out", "{output}.cms" ],

openssl-FIPS-NO-DSA-Support.patch

@@ -0,0 +1,377 @@
+From f5c420d8e5eed82bf4a6712085a18746d2bc7aff Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Fri, 7 Mar 2025 18:10:52 -0500
+Subject: [PATCH 46/53] FIPS: NO DSA Support
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ providers/fips/fipsprov.c                     |  8 +++++---
+ providers/fips/self_test_data.inc             |  6 +++++-
+ test/acvp_test.c                              |  2 ++
+ test/endecode_test.c                          |  2 ++
+ test/recipes/15-test_gendsa.t                 |  2 +-
+ test/recipes/20-test_cli_fips.t               |  3 +--
+ test/recipes/30-test_evp.t                    |  1 -
+ test/recipes/30-test_evp_data/evppkey_dsa.txt | 18 ++++++++++++++++-
+ test/recipes/80-test_cms.t                    | 20 +++++++++----------
+ 9 files changed, 43 insertions(+), 19 deletions(-)
+
+Index: openssl-3.5.0-beta1/providers/fips/fipsprov.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/providers/fips/fipsprov.c
++++ openssl-3.5.0-beta1/providers/fips/fipsprov.c
+@@ -434,7 +434,8 @@ static const OSSL_ALGORITHM fips_keyexch
+ };
+ 
+ static const OSSL_ALGORITHM fips_signature[] = {
+-#ifndef OPENSSL_NO_DSA
++/* We don't certify DSA in our FIPS provider */
++#if 0 /* #ifndef OPENSSL_NO_DSA */
+     { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
+     { PROV_NAMES_DSA_SHA1, FIPS_DEFAULT_PROPERTIES, ossl_dsa_sha1_signature_functions },
+     { PROV_NAMES_DSA_SHA224, FIPS_DEFAULT_PROPERTIES, ossl_dsa_sha224_signature_functions },
+@@ -626,8 +627,9 @@ static const OSSL_ALGORITHM fips_keymgmt
+       PROV_DESCS_DHX },
+ #endif
+ #ifndef OPENSSL_NO_DSA
+-    { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
+-      PROV_DESCS_DSA },
++    /* We don't certify DSA in our FIPS provider */
++    /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
++      PROV_DESCS_DSA }, */
+ #endif
+     { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions,
+       PROV_DESCS_RSA },
+Index: openssl-3.5.0-beta1/providers/fips/self_test_data.inc
+===================================================================
+--- openssl-3.5.0-beta1.orig/providers/fips/self_test_data.inc
++++ openssl-3.5.0-beta1/providers/fips/self_test_data.inc
+@@ -1522,8 +1522,9 @@ static const unsigned char ed448_expecte
+ # endif /* OPENSSL_NO_ECX */
+ #endif /* OPENSSL_NO_EC */
+ 
+-#ifndef OPENSSL_NO_DSA
+ /* dsa 2048 */
++#if 0
++#ifndef OPENSSL_NO_DSA
+ static const unsigned char dsa_p[] = {
+     0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23,
+     0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e,
+@@ -1651,6 +1652,7 @@ static const ST_KAT_PARAM dsa_key[] = {
+     ST_KAT_PARAM_END()
+ };
+ #endif /* OPENSSL_NO_DSA */
++#endif
+ 
+ #ifndef OPENSSL_NO_ML_DSA
+ static const unsigned char ml_dsa_65_pub_key[] = {
+@@ -3013,6 +3015,7 @@ static const ST_KAT_SIGN st_kat_sign_tes
+     },
+ # endif /* OPENSSL_NO_ECX */
+ #endif /* OPENSSL_NO_EC */
++#if 0
+ #ifndef OPENSSL_NO_DSA
+     {
+         OSSL_SELF_TEST_DESC_SIGN_DSA,
+@@ -3025,6 +3028,7 @@ static const ST_KAT_SIGN st_kat_sign_tes
+         ITM(dsa_expected_sig)
+     },
+ #endif /* OPENSSL_NO_DSA */
++#endif
+ 
+ #ifndef OPENSSL_NO_ML_DSA
+     {
+Index: openssl-3.5.0-beta1/test/acvp_test.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/test/acvp_test.c
++++ openssl-3.5.0-beta1/test/acvp_test.c
+@@ -1735,6 +1735,7 @@ int setup_tests(void)
+                   OSSL_NELEM(dh_safe_prime_keyver_data));
+ #endif /* OPENSSL_NO_DH */
+ 
++#if 0 /* SUSE/openSUSE FIPS provider doesn't have fips=yes property on DSA */
+ #ifndef OPENSSL_NO_DSA
+     dsasign_allowed = fips_provider_version_lt(libctx, 3, 4, 0);
+     ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data));
+@@ -1743,6 +1744,7 @@ int setup_tests(void)
+     ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data));
+     ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data));
+ #endif /* OPENSSL_NO_DSA */
++#endif
+ 
+ #ifndef OPENSSL_NO_EC
+     ec_cofactors = fips_provider_version_ge(libctx, 3, 4, 0);
+Index: openssl-3.5.0-beta1/test/endecode_test.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/test/endecode_test.c
++++ openssl-3.5.0-beta1/test/endecode_test.c
+@@ -1536,6 +1536,7 @@ int setup_tests(void)
+          * so no legacy tests.
+          */
+ #endif
++    if (is_fips == 0) {
+ #ifndef OPENSSL_NO_DSA
+         ADD_TEST_SUITE(DSA);
+         ADD_TEST_SUITE_PARAMS(DSA);
+@@ -1546,6 +1547,7 @@ int setup_tests(void)
+         ADD_TEST_SUITE_PROTECTED_PVK(DSA);
+ # endif
+ #endif
++    }
+ #ifndef OPENSSL_NO_EC
+         ADD_TEST(ec_encode_to_data_multi);
+         ADD_TEST_SUITE(EC);
+Index: openssl-3.5.0-beta1/test/recipes/15-test_gendsa.t
+===================================================================
+--- openssl-3.5.0-beta1.orig/test/recipes/15-test_gendsa.t
++++ openssl-3.5.0-beta1/test/recipes/15-test_gendsa.t
+@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
+ plan skip_all => "This test is unsupported in a no-dsa build"
+     if disabled("dsa");
+ 
+-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
++my $no_fips = 1;
+ 
+ plan tests =>
+     ($no_fips ? 0 : 2)          # FIPS related tests
+Index: openssl-3.5.0-beta1/test/recipes/20-test_cli_fips.t
+===================================================================
+--- openssl-3.5.0-beta1.orig/test/recipes/20-test_cli_fips.t
++++ openssl-3.5.0-beta1/test/recipes/20-test_cli_fips.t
+@@ -283,8 +283,7 @@ SKIP: {
+ }
+ 
+ SKIP : {
+-    skip "FIPS DSA tests because of no dsa in this build", 1
+-        if disabled("dsa") || $dsasignpass == '0';
++    skip "FIPS DSA tests because of no dsa in this build", 1;
+ 
+     subtest DSA => sub {
+         my $testtext_prefix = 'DSA';
+Index: openssl-3.5.0-beta1/test/recipes/30-test_evp.t
+===================================================================
+--- openssl-3.5.0-beta1.orig/test/recipes/30-test_evp.t
++++ openssl-3.5.0-beta1/test/recipes/30-test_evp.t
+@@ -166,7 +166,6 @@ my @defltfiles = qw(
+ push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec;
+ push @defltfiles, qw(evppkey_ecdsa_rfc6979.txt) unless $no_ec;
+ push @defltfiles, qw(evppkey_ecx_kem.txt) unless $no_ecx;
+-push @defltfiles, qw(evppkey_dsa_rfc6979.txt) unless $no_dsa;
+ push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2;
+ push @defltfiles, qw(evpciph_aes_gcm_siv.txt) unless $no_siv;
+ push @defltfiles, qw(evpciph_aes_siv.txt) unless $no_siv;
+Index: openssl-3.5.0-beta1/test/recipes/30-test_evp_data/evppkey_dsa.txt
+===================================================================
+--- openssl-3.5.0-beta1.orig/test/recipes/30-test_evp_data/evppkey_dsa.txt
++++ openssl-3.5.0-beta1/test/recipes/30-test_evp_data/evppkey_dsa.txt
+@@ -44,17 +44,22 @@ PrivPubKeyPair = DSA-1024:DSA-1024-PUBLI
+ 
+ Title = DSA tests
+ 
++## SUSE all SHA1 tests are unavailable
++
++Availablein = none
+ Verify = DSA-1024
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+ Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f2397f63c9fc8790e1a6cde5d87
+ 
++Availablein = none
+ Verify = DSA-1024-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+ Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f2397f63c9fc8790e1a6cde5d87
+ 
+ # Modified signature
++Availablein = none
+ Verify = DSA-1024-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+@@ -62,6 +67,7 @@ Output = 302d021500942b8c5850e05b59e2449
+ Result = VERIFY_ERROR
+ 
+ # Digest too short
++Availablein = none
+ Verify = DSA-1024-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF123"
+@@ -69,6 +75,7 @@ Output = 302d021500942b8c5850e05b59e2449
+ Result = VERIFY_ERROR
+ 
+ # Digest too long
++Availablein = none
+ Verify = DSA-1024-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF12345"
+@@ -76,12 +83,14 @@ Output = 302d021500942b8c5850e05b59e2449
+ Result = VERIFY_ERROR
+ 
+ # Garbage after signature
++Availablein = none
+ Verify = DSA-1024-PUBLIC
+ Input = "0123456789ABCDEF1234"
+ Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f2397f63c9fc8790e1a6cde5d8700
+ Result = VERIFY_ERROR
+ 
+ # Invalid tag
++Availablein = none
+ Verify = DSA-1024-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+@@ -89,6 +98,7 @@ Output = 312d021500942b8c5850e05b59e2449
+ Result = VERIFY_ERROR
+ 
+ # BER signature
++Availablein = none
+ Verify = DSA-1024-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+@@ -277,6 +287,7 @@ Output = 00
+ Result = DIGESTSIGNINIT_ERROR
+ 
+ # Test sign with a 2048 bit key with N == 224 is allowed in fips mode
++Availablein = none
+ FIPSversion = <3.4.0
+ DigestSign = SHA256
+ Key = DSA-2048-224
+@@ -285,6 +296,7 @@ Output = 00
+ Result = SIGNATURE_MISMATCH
+ 
+ # Test sign with a 2048 bit key with N == 256 is allowed in fips mode
++Availablein = none
+ FIPSversion = <3.4.0
+ DigestSign = SHA256
+ Key = DSA-2048-256
+@@ -292,6 +304,7 @@ Input = "Hello"
+ Result = SIGNATURE_MISMATCH
+ 
+ # Test sign with a 3072 bit key with N == 256 is allowed in fips mode
++Availablein = none
+ FIPSversion = <3.4.0
+ DigestSign = SHA256
+ Key = DSA-3072-256
+@@ -299,6 +312,7 @@ Input = "Hello"
+ Result = SIGNATURE_MISMATCH
+ 
+ # Test sign with a 2048 bit SHA3 is allowed in fips mode
++Availablein = none
+ FIPSversion = <3.4.0
+ DigestSign = SHA3-224
+ Key = DSA-2048-256
+@@ -306,19 +320,21 @@ Input = "Hello"
+ Result = SIGNATURE_MISMATCH
+ 
+ # Test verify with a 1024 bit key is allowed in fips mode
++Availablein = default
+ DigestVerify = SHA256
+ Key = DSA-1024
+ Input = "Hello "
+ Output = 302c02142e32c8a5b0bd19b2ba33fd9c78aad3729dcb1b9e02142c006f7726a9d6833d414865b95167ea5f4f7713
+ 
+ # Test verify with SHA1 is allowed in fips mode
++Availablein = none
+ DigestVerify = SHA1
+ Key = DSA-1024
+ Input = "Hello "
+ Output = 302c0214602d21ed37e46051bb3d06cc002adddeb4cdb3bd02144f39f75587b286588862d06366b2f29bddaf8cf6
+ 
+ # Test verify with a 2048/160 bit key is allowed in fips mode
+-FIPSversion = >3.1.1
++Availablein = default
+ DigestVerify = SHA256
+ Key = DSA-2048-160
+ Input = "Hello"
+Index: openssl-3.5.0-beta1/test/recipes/80-test_cms.t
+===================================================================
+--- openssl-3.5.0-beta1.orig/test/recipes/80-test_cms.t
++++ openssl-3.5.0-beta1/test/recipes/80-test_cms.t
+@@ -107,7 +107,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed content DER format, DSA key",
++    [ "signed content DER format, DSA key, no SUSE FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
+         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
+       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
+@@ -115,7 +115,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed detached content DER format, DSA key",
++    [ "signed detached content DER format, DSA key, no SUSE FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
+         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
+       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
+@@ -124,7 +124,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed detached content DER format, add RSA signer (with DSA existing)",
++    [ "signed detached content DER format, add RSA signer (with DSA existing), no SUSE FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
+         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
+       [ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER",
+@@ -135,7 +135,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed content test streaming BER format, DSA key",
++    [ "signed content test streaming BER format, DSA key, no SUSE FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
+         "-nodetach", "-stream",
+         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
+@@ -144,7 +144,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys",
++    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no SUSE FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
+         "-nodetach", "-stream",
+         "-signer", $smrsa1,
+@@ -157,7 +157,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes",
++    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no SUSE FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
+         "-noattr", "-nodetach", "-stream",
+         "-signer", $smrsa1,
+@@ -187,7 +187,7 @@ my @smime_pkcs7_tests = (
+       \&zero_compare
+     ],
+ 
+-    [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys",
++    [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys, no SUSE FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
+         "-signer", $smrsa1,
+         "-signer", catfile($smdir, "smrsa2.pem"),
+@@ -199,7 +199,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys",
++    [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys, no SUSE FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont,
+         "-signer", $smrsa1,
+         "-signer", catfile($smdir, "smrsa2.pem"),
+@@ -265,7 +265,7 @@ if ($no_fips || $old_fips) {
+ 
+ my @smime_cms_tests = (
+ 
+-    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid",
++    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid, no SUSE FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
+         "-nodetach", "-keyid",
+         "-signer", $smrsa1,
+@@ -278,7 +278,7 @@ my @smime_cms_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys",
++    [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys, no SUSE FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
+         "-signer", $smrsa1,
+         "-signer", catfile($smdir, "smrsa2.pem"),

openssl-FIPS-NO-Kmac.patch

@@ -0,0 +1,277 @@
+From cc0b5ccd6ee404b4faa969d19440078bc8b49f35 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Fri, 7 Mar 2025 18:22:07 -0500
+Subject: [PATCH 48/53] FIPS: NO Kmac
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ providers/fips/fipsprov.c                     | 10 +++++----
+ providers/fips/self_test_data.inc             |  4 ++++
+ test/recipes/30-test_evp_data/evpkdf_ss.txt   |  2 ++
+ .../30-test_evp_data/evpmac_common.txt        | 22 +++++++++++++++++++
+ 4 files changed, 34 insertions(+), 4 deletions(-)
+
+diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
+index 30f0c8ca14..00b7d1e2aa 100644
+--- a/providers/fips/fipsprov.c
++++ b/providers/fips/fipsprov.c
+@@ -293,10 +293,11 @@ static const OSSL_ALGORITHM fips_digests[] = {
+      * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
+      * KMAC128 and KMAC256.
+      */
+-    { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
++    /* We don't certify KECCAK in our FIPS provider */
++    /* { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
+       ossl_keccak_kmac_128_functions },
+     { PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES,
+-      ossl_keccak_kmac_256_functions },
++      ossl_keccak_kmac_256_functions }, */
+     { NULL, NULL, NULL }
+ };
+ 
+@@ -369,8 +370,9 @@ static const OSSL_ALGORITHM fips_macs[] = {
+ #endif
+     { PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions },
+     { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions },
+-    { PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
+-    { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions },
++    /* We don't certify KMAC in our FIPS provider */
++    /*{ PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
++    { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, */
+     { NULL, NULL, NULL }
+ };
+ 
+diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
+index 6a69e1687b..f3059a8446 100644
+--- a/providers/fips/self_test_data.inc
++++ b/providers/fips/self_test_data.inc
+@@ -544,6 +544,7 @@ static const ST_KAT_PARAM kbkdf_params[] = {
+     ST_KAT_PARAM_END()
+ };
+ 
++#if 0
+ static const char kbkdf_kmac_mac[] = "KMAC128";
+ static unsigned char kbkdf_kmac_label[] = {
+     0xB5, 0xB5, 0xF3, 0x71, 0x9F, 0xBE, 0x5B, 0x3D,
+@@ -570,6 +571,7 @@ static const ST_KAT_PARAM kbkdf_kmac_params[] = {
+     ST_KAT_PARAM_OCTET(OSSL_KDF_PARAM_INFO, kbkdf_kmac_context),
+     ST_KAT_PARAM_END()
+ };
++#endif
+ 
+ static const char tls13_kdf_digest[] = "SHA256";
+ static int tls13_kdf_extract_mode = EVP_KDF_HKDF_MODE_EXTRACT_ONLY;
+@@ -660,12 +662,14 @@ static const ST_KAT_KDF st_kat_kdf_tests[] =
+         kbkdf_params,
+         ITM(kbkdf_expected)
+     },
++#if 0
+     {
+         OSSL_SELF_TEST_DESC_KDF_KBKDF_KMAC,
+         OSSL_KDF_NAME_KBKDF,
+         kbkdf_kmac_params,
+         ITM(kbkdf_kmac_expected)
+     },
++#endif
+     {
+         OSSL_SELF_TEST_DESC_KDF_HKDF,
+         OSSL_KDF_NAME_HKDF,
+diff --git a/test/recipes/30-test_evp_data/evpkdf_ss.txt b/test/recipes/30-test_evp_data/evpkdf_ss.txt
+index 07691ccf57..ce315ecf76 100644
+--- a/test/recipes/30-test_evp_data/evpkdf_ss.txt
++++ b/test/recipes/30-test_evp_data/evpkdf_ss.txt
+@@ -1171,6 +1171,7 @@ Ctrl.hexsecret = hexsecret:40B6E03711EBEBA14011ACE96CB056DEBAEB6E5E706F99435257C
+ Ctrl.hexinfo = hexinfo:5D437C2F1035A4F1F751E59CF10650171EF5769FCFBE438DFBC5BD8EA724100076447AB804F91DFA680E592FE2621A45DAB4C6A77B678059FC29E572DE4424EB5459F53523002ED38AAB1D9DD96C3523D1907C5EFBAE93DFFE680F716498720110D2A3B9CE9B66DB2884C83E9BEB546754874C0CA1967AF000000400
+ Output = 428979EA52175DC833C04215AC6B4BA89BA4FCAA0E0FA3B4E2C0E264C5746F0A5C788F2907A2C2B90719E396B35A14C4B583C51B9911125D34100FADDC4D94C0D936263CC1EF0B0D526E3891FE1F67BCB94DEA2525B84A8E7949A4CA34F36AEEC55099BF0EC5DE24B86428F4E6E6E23FE9AA443E2BDCF25A77ECD22BF758D554
+ 
++Availablein = default
+ KDF = SSKDF
+ Ctrl.mac = mac:KMAC-128
+ Ctrl.hexsecret = hexsecret:EAD54AE33FFAFFE7875610390ADBA9DFB291EE8C1920CB13452FDF851E0A6DBBB862FD8811F8CB29CDEC13591D8C047065FCD2
+@@ -1257,6 +1258,7 @@ Ctrl.hexsalt = hexsalt:00
+ Ctrl.hexinfo = hexinfo:861aa2886798231259bd0314
+ Output = 02cfca07797566285b38982b86762abd
+ 
++Availablein = default
+ KDF = SSKDF
+ Ctrl.mac = mac:KMAC-128
+ Ctrl.hexsalt = hexsalt:00000000
+diff --git a/test/recipes/30-test_evp_data/evpmac_common.txt b/test/recipes/30-test_evp_data/evpmac_common.txt
+index 831eecbac9..f18b558796 100644
+--- a/test/recipes/30-test_evp_data/evpmac_common.txt
++++ b/test/recipes/30-test_evp_data/evpmac_common.txt
+@@ -399,6 +399,7 @@ Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C
+ Result = MAC_INIT_ERROR
+ Reason = invalid mode
+ 
++Availablein = default
+ Title = KMAC Tests (From NIST)
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+@@ -409,12 +410,14 @@ Ctrl = xof:0
+ OutputSize = 32
+ BlockSize = 168
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+ Custom = "My Tagged Application"
+ Output = 3B1FBA963CD8B0B59E8C1A6D71888B7143651AF8BA0A7070C0979E2811324AA5
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -422,6 +425,7 @@ Custom = "My Tagged Application"
+ Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230
+ Ctrl = size:32
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+@@ -430,12 +434,14 @@ Output = 20C570C31346F703C9AC36C61C03CB64C3970D0CFC787E9B79599D273A68D2F7F69D4CC
+ OutputSize = 64
+ BlockSize = 136
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+ Custom = ""
+ Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -445,12 +451,14 @@ Ctrl = size:64
+ 
+ Title = KMAC XOF Tests (From NIST)
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+ Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
+ XOF = 1
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+@@ -458,6 +466,7 @@ Custom = "My Tagged Application"
+ Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
+ XOF = 1
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -466,6 +475,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F
+ XOF = 1
+ Ctrl = size:32
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+@@ -473,6 +483,7 @@ Custom = "My Tagged Application"
+ Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
+ XOF = 1
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -480,6 +491,7 @@ Custom = ""
+ Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
+ XOF = 1
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -490,6 +502,7 @@ XOF = 1
+ 
+ Title = KMAC long customisation string (from NIST ACVP)
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
+ Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
+@@ -500,12 +513,14 @@ XOF = 1
+ 
+ Title = KMAC XOF Tests via ctrl (From NIST)
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+ Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
+ Ctrl = xof:1
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+@@ -513,6 +528,7 @@ Custom = "My Tagged Application"
+ Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
+ Ctrl = xof:1
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -521,6 +537,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F
+ Ctrl = xof:1
+ Ctrl = size:32
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+@@ -528,6 +545,7 @@ Custom = "My Tagged Application"
+ Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
+ Ctrl = xof:1
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -535,6 +553,7 @@ Custom = ""
+ Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
+ Ctrl = xof:1
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -545,6 +564,7 @@ Ctrl = xof:1
+ 
+ Title = KMAC long customisation string via ctrl (from NIST ACVP)
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
+ Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
+@@ -555,6 +575,7 @@ Ctrl = xof:1
+ 
+ Title = KMAC long customisation string negative test
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -564,6 +585,7 @@ Reason = invalid custom length
+ 
+ Title = KMAC output is too large
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+-- 
+2.49.0
+

openssl-FIPS-NO-PQ-ML-SLH-DSA.patch

@@ -0,0 +1,33 @@
+From 181aed0bb72694e08a87584add058db1dd562576 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Fri, 7 Mar 2025 18:24:36 -0500
+Subject: [PATCH 50/53] FIPS: NO PQ (ML/SLH-DSA)
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ providers/fips/self_test_data.inc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
+index cdba162674..136a580f25 100644
+--- a/providers/fips/self_test_data.inc
++++ b/providers/fips/self_test_data.inc
+@@ -3039,6 +3039,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
+ #endif /* OPENSSL_NO_DSA */
+ #endif
+ 
++#if 0
+ #ifndef OPENSSL_NO_ML_DSA
+     {
+         OSSL_SELF_TEST_DESC_SIGN_ML_DSA,
+@@ -3083,6 +3084,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
+         slh_dsa_sig_params, slh_dsa_sig_params
+     },
+ #endif /* OPENSSL_NO_SLH_DSA */
++#endif
+ };
+ 
+ #if !defined(OPENSSL_NO_ML_DSA)
+-- 
+2.49.0
+

openssl-FIPS-RSA-disable-shake.patch

@@ -0,0 +1,97 @@
+From 63e39e25829ae04c804f1353a1774b27db2b2051 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:17 +0100
+Subject: [PATCH 29/53] FIPS: RSA: Disallow SHAKE in OAEP and PSS
+
+According to FIPS 140-3 IG, section C.C, the SHAKE digest algorithms
+must not be used in higher-level algorithms (such as RSA-OAEP and
+RSASSA-PSS):
+
+"To be used in an approved mode of operation, the SHA-3 hash functions
+may be implemented either as part of an approved higher-level algorithm,
+for example, a digital signature algorithm, or as the standalone
+functions. The SHAKE128 and SHAKE256 extendable-output functions may
+only be used as the standalone algorithms."
+
+Add a check to prevent their use as message digest in PSS signatures and
+as MGF1 hash function in both OAEP and PSS.
+
+Signed-off-by: Clemens Lang <cllang@redhat.com>
+
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ crypto/rsa/rsa_oaep.c | 16 ++++++++++++++++
+ crypto/rsa/rsa_pss.c  | 16 ++++++++++++++++
+ 2 files changed, 32 insertions(+)
+
+diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
+index 5a1c080fcd..11cd78618b 100644
+--- a/crypto/rsa/rsa_oaep.c
++++ b/crypto/rsa/rsa_oaep.c
+@@ -76,6 +76,14 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
+     if (mgf1md == NULL)
+         mgf1md = md;
+ 
++#ifdef FIPS_MODULE
++    if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256") ||
++        EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) {
++        ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
++        return 0;
++    }
++#endif
++
+ #ifdef FIPS_MODULE
+     /* XOF are approved as standalone; Shake256 in Ed448; MGF */
+     if (EVP_MD_xof(md)) {
+@@ -194,6 +202,14 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
+     if (mgf1md == NULL)
+         mgf1md = md;
+ 
++#ifdef FIPS_MODULE
++    if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256") ||
++        EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) {
++        ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
++        return -1;
++    }
++#endif
++
+ #ifdef FIPS_MODULE
+     /* XOF are approved as standalone; Shake256 in Ed448; MGF */
+     if (EVP_MD_xof(md)) {
+diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
+index a2bc198a89..2833ca50f3 100644
+--- a/crypto/rsa/rsa_pss.c
++++ b/crypto/rsa/rsa_pss.c
+@@ -61,6 +61,14 @@ int ossl_rsa_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
+     if (mgf1Hash == NULL)
+         mgf1Hash = Hash;
+ 
++#ifdef FIPS_MODULE
++    if (EVP_MD_is_a(Hash, "SHAKE-128") || EVP_MD_is_a(Hash, "SHAKE-256"))
++        goto err;
++
++    if (EVP_MD_is_a(mgf1Hash, "SHAKE-128") || EVP_MD_is_a(mgf1Hash, "SHAKE-256"))
++        goto err;
++#endif
++
+     hLen = EVP_MD_get_size(Hash);
+     if (hLen <= 0)
+         goto err;
+@@ -186,6 +194,14 @@ int ossl_rsa_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
+     if (mgf1Hash == NULL)
+         mgf1Hash = Hash;
+ 
++#ifdef FIPS_MODULE
++    if (EVP_MD_is_a(Hash, "SHAKE-128") || EVP_MD_is_a(Hash, "SHAKE-256"))
++        goto err;
++
++    if (EVP_MD_is_a(mgf1Hash, "SHAKE-128") || EVP_MD_is_a(mgf1Hash, "SHAKE-256"))
++        goto err;
++#endif
++
+     hLen = EVP_MD_get_size(Hash);
+     if (hLen <= 0)
+         goto err;
+-- 
+2.49.0
+

openssl-FIPS-RSA-encapsulate.patch

@@ -0,0 +1,43 @@
+From afab56d09edb525dd794fcb2ae2295ab7f39400a Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 16:01:48 +0200
+Subject: [PATCH 42/48] 0091-FIPS-RSA-encapsulate.patch
+
+Patch-name: 0091-FIPS-RSA-encapsulate.patch
+Patch-id: 91
+---
+ providers/implementations/kem/rsa_kem.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+Index: openssl-3.2.4/providers/implementations/kem/rsa_kem.c
+===================================================================
+--- openssl-3.2.4.orig/providers/implementations/kem/rsa_kem.c
++++ openssl-3.2.4/providers/implementations/kem/rsa_kem.c
+@@ -276,6 +276,13 @@ static int rsasve_generate(PROV_RSA_CTX
+         return 0;
+     }
+ 
++#ifdef FIPS_MODULE
++    if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
++        return 0;
++    }
++#endif
++
+     /*
+      * Step (2): Generate a random byte string z of nlen bytes where
+      *            1 < z < n - 1
+@@ -337,6 +344,13 @@ static int rsasve_recover(PROV_RSA_CTX *
+         return 1;
+     }
+ 
++#ifdef FIPS_MODULE
++    if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
++        return 0;
++    }
++#endif
++
+     /*
+      * Step (2): check the input ciphertext 'inlen' matches the nlen
+      * and that outlen is at least nlen bytes

openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch

@@ -0,0 +1,282 @@
+From 0010acdf5d7c1a1285189c36fa2fc46bea93cee8 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:16 +0100
+Subject: [PATCH 32/53] FIPS: RSA: Remove X9.31 padding signatures tests
+
+The current draft of FIPS 186-5 [1] no longer contains specifications
+for X9.31 signature padding. Instead, it contains the following
+information in Appendix E:
+
+> ANSI X9.31 was withdrawn, so X9.31 RSA signatures were removed from
+> this standard.
+
+Since this situation is unlikely to change in future revisions of the
+draft, and future FIPS 140-3 validations of the provider will require
+X9.31 to be disabled or marked as not approved with an explicit
+indicator, disallow this padding mode now.
+
+Remove the X9.31 tests from the acvp test, since they will always fail
+now.
+
+ [1]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5-draft.pdf
+
+Signed-off-by: Clemens Lang <cllang@redhat.com>
+
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ test/acvp_test.inc | 225 ---------------------------------------------
+ 1 file changed, 225 deletions(-)
+
+diff --git a/test/acvp_test.inc b/test/acvp_test.inc
+index 97ec1ff3e5..31fa0eafc6 100644
+--- a/test/acvp_test.inc
++++ b/test/acvp_test.inc
+@@ -1354,13 +1354,6 @@ static const struct rsa_siggen_st rsa_siggen_data[] = {
+         ITM(rsa_siggen0_msg),
+         NO_PSS_SALT_LEN,
+     },
+-    {
+-        "x931",
+-        2048,
+-        "SHA384",
+-        ITM(rsa_siggen0_msg),
+-        NO_PSS_SALT_LEN,
+-    },
+     {
+         "pss",
+         2048,
+@@ -1772,202 +1765,6 @@ static const unsigned char rsa_sigverpss_1_sig[] = {
+     0xe9, 0x97, 0x20, 0x35, 0xf8, 0xf1, 0x78, 0xe1
+ };
+ 
+-static const unsigned char rsa_sigverx931_0_n[] = {
+-    0xa0, 0x16, 0x14, 0x80, 0x8b, 0x17, 0x2b, 0xad,
+-    0xd7, 0x07, 0x31, 0x6d, 0xfc, 0xba, 0x25, 0x83,
+-    0x09, 0xa0, 0xf7, 0x71, 0xc6, 0x06, 0x22, 0x87,
+-    0xd6, 0xbd, 0x13, 0xd9, 0xfe, 0x7c, 0xf7, 0xe6,
+-    0x48, 0xdb, 0x27, 0xd8, 0xa5, 0x49, 0x8e, 0x8c,
+-    0xea, 0xbe, 0xe0, 0x04, 0x6f, 0x3d, 0x3b, 0x73,
+-    0xdc, 0xc5, 0xd4, 0xdc, 0x85, 0xef, 0xea, 0x10,
+-    0x46, 0xf3, 0x88, 0xb9, 0x93, 0xbc, 0xa0, 0xb6,
+-    0x06, 0x02, 0x82, 0xb4, 0x2d, 0x54, 0xec, 0x79,
+-    0x50, 0x8a, 0xfc, 0xfa, 0x62, 0x45, 0xbb, 0xd7,
+-    0x26, 0xcd, 0x88, 0xfa, 0xe8, 0x0f, 0x26, 0x5b,
+-    0x1f, 0x21, 0x3f, 0x3b, 0x5d, 0x98, 0x3f, 0x02,
+-    0x8c, 0xa1, 0xbf, 0xc0, 0x70, 0x4d, 0xd1, 0x41,
+-    0xfd, 0xb9, 0x55, 0x12, 0x90, 0xc8, 0x6e, 0x0f,
+-    0x19, 0xa8, 0x5c, 0x31, 0xd6, 0x16, 0x0e, 0xdf,
+-    0x08, 0x84, 0xcd, 0x4b, 0xfd, 0x28, 0x8d, 0x7d,
+-    0x6e, 0xea, 0xc7, 0x95, 0x4a, 0xc3, 0x84, 0x54,
+-    0x7f, 0xb0, 0x20, 0x29, 0x96, 0x39, 0x4c, 0x3e,
+-    0x85, 0xec, 0x22, 0xdd, 0xb9, 0x14, 0xbb, 0x04,
+-    0x2f, 0x4c, 0x0c, 0xe3, 0xfa, 0xae, 0x47, 0x79,
+-    0x59, 0x8e, 0x4e, 0x7d, 0x4a, 0x17, 0xae, 0x16,
+-    0x38, 0x66, 0x4e, 0xff, 0x45, 0x7f, 0xac, 0x5e,
+-    0x75, 0x9f, 0x51, 0x18, 0xe6, 0xad, 0x6b, 0x8b,
+-    0x3d, 0x08, 0x4d, 0x9a, 0xd2, 0x11, 0xba, 0xa8,
+-    0xc3, 0xb5, 0x17, 0xb5, 0xdf, 0xe7, 0x39, 0x89,
+-    0x27, 0x7b, 0xeb, 0xf4, 0xe5, 0x7e, 0xa9, 0x7b,
+-    0x39, 0x40, 0x6f, 0xe4, 0x82, 0x14, 0x3d, 0x62,
+-    0xb6, 0xd4, 0x43, 0xd0, 0x0a, 0x2f, 0xc1, 0x73,
+-    0x3d, 0x99, 0x37, 0xbe, 0x62, 0x13, 0x6a, 0x8b,
+-    0xeb, 0xc5, 0x64, 0xd5, 0x2a, 0x8b, 0x4f, 0x7f,
+-    0x82, 0x48, 0x69, 0x3e, 0x08, 0x1b, 0xb5, 0x77,
+-    0xd3, 0xdc, 0x1b, 0x2c, 0xe5, 0x59, 0xf6, 0x33,
+-    0x47, 0xa0, 0x0f, 0xff, 0x8a, 0x6a, 0x1d, 0x66,
+-    0x24, 0x67, 0x36, 0x7d, 0x21, 0xda, 0xc1, 0xd4,
+-    0x11, 0x6c, 0xe8, 0x5f, 0xd7, 0x8a, 0x53, 0x5c,
+-    0xb2, 0xe2, 0xf9, 0x14, 0x29, 0x0f, 0xcf, 0x28,
+-    0x32, 0x4f, 0xc6, 0x17, 0xf6, 0xbc, 0x0e, 0xb8,
+-    0x99, 0x7c, 0x14, 0xa3, 0x40, 0x3f, 0xf3, 0xe4,
+-    0x31, 0xbe, 0x54, 0x64, 0x5a, 0xad, 0x1d, 0xb0,
+-    0x37, 0xcc, 0xd9, 0x0b, 0xa4, 0xbc, 0xe0, 0x07,
+-    0x37, 0xd1, 0xe1, 0x65, 0xc6, 0x53, 0xfe, 0x60,
+-    0x6a, 0x64, 0xa4, 0x01, 0x00, 0xf3, 0x5b, 0x9a,
+-    0x28, 0x61, 0xde, 0x7a, 0xd7, 0x0d, 0x56, 0x1e,
+-    0x4d, 0xa8, 0x6a, 0xb5, 0xf2, 0x86, 0x2a, 0x4e,
+-    0xaa, 0x37, 0x23, 0x5a, 0x3b, 0x69, 0x66, 0x81,
+-    0xc8, 0x8e, 0x1b, 0x31, 0x0f, 0x28, 0x31, 0x9a,
+-    0x2d, 0xe5, 0x79, 0xcc, 0xa4, 0xca, 0x60, 0x45,
+-    0xf7, 0x83, 0x73, 0x5a, 0x01, 0x29, 0xda, 0xf7,
+-
+-};
+-static const unsigned char rsa_sigverx931_0_e[] = {
+-    0x01, 0x00, 0x01,
+-};
+-static const unsigned char rsa_sigverx931_0_msg[] = {
+-    0x82, 0x2e, 0x41, 0x70, 0x9d, 0x1f, 0xe9, 0x47,
+-    0xec, 0xf1, 0x79, 0xcc, 0x05, 0xef, 0xdb, 0xcd,
+-    0xca, 0x8b, 0x8e, 0x61, 0x45, 0xad, 0xa6, 0xd9,
+-    0xd7, 0x4b, 0x15, 0xf4, 0x92, 0x3a, 0x2a, 0x52,
+-    0xe3, 0x44, 0x57, 0x2b, 0x74, 0x7a, 0x37, 0x41,
+-    0x50, 0xcb, 0xcf, 0x13, 0x49, 0xd6, 0x15, 0x54,
+-    0x97, 0xfd, 0xae, 0x9b, 0xc1, 0xbb, 0xfc, 0x5c,
+-    0xc1, 0x37, 0x58, 0x17, 0x63, 0x19, 0x9c, 0xcf,
+-    0xee, 0x9c, 0xe5, 0xbe, 0x06, 0xe4, 0x97, 0x47,
+-    0xd1, 0x93, 0xa1, 0x2c, 0x59, 0x97, 0x02, 0x01,
+-    0x31, 0x45, 0x8c, 0xe1, 0x5c, 0xac, 0xe7, 0x5f,
+-    0x6a, 0x23, 0xda, 0xbf, 0xe4, 0x25, 0xc6, 0x67,
+-    0xea, 0x5f, 0x73, 0x90, 0x1b, 0x06, 0x0f, 0x41,
+-    0xb5, 0x6e, 0x74, 0x7e, 0xfd, 0xd9, 0xaa, 0xbd,
+-    0xe2, 0x8d, 0xad, 0x99, 0xdd, 0x29, 0x70, 0xca,
+-    0x1b, 0x38, 0x21, 0x55, 0xde, 0x07, 0xaf, 0x00,
+-
+-};
+-static const unsigned char rsa_sigverx931_0_sig[] = {
+-    0x29, 0xa9, 0x3a, 0x8e, 0x9e, 0x90, 0x1b, 0xdb,
+-    0xaf, 0x0b, 0x47, 0x5b, 0xb5, 0xc3, 0x8c, 0xc3,
+-    0x70, 0xbe, 0x73, 0xf9, 0x65, 0x8e, 0xc6, 0x1e,
+-    0x95, 0x0b, 0xdb, 0x24, 0x76, 0x79, 0xf1, 0x00,
+-    0x71, 0xcd, 0xc5, 0x6a, 0x7b, 0xd2, 0x8b, 0x18,
+-    0xc4, 0xdd, 0xf1, 0x2a, 0x31, 0x04, 0x3f, 0xfc,
+-    0x36, 0x06, 0x20, 0x71, 0x3d, 0x62, 0xf2, 0xb5,
+-    0x79, 0x0a, 0xd5, 0xd2, 0x81, 0xf1, 0xb1, 0x4f,
+-    0x9a, 0x17, 0xe8, 0x67, 0x64, 0x48, 0x09, 0x75,
+-    0xff, 0x2d, 0xee, 0x36, 0xca, 0xca, 0x1d, 0x74,
+-    0x99, 0xbe, 0x5c, 0x94, 0x31, 0xcc, 0x12, 0xf4,
+-    0x59, 0x7e, 0x17, 0x00, 0x4f, 0x7b, 0xa4, 0xb1,
+-    0xda, 0xdb, 0x3e, 0xa4, 0x34, 0x10, 0x4a, 0x19,
+-    0x0a, 0xd2, 0xa7, 0xa0, 0xc5, 0xe6, 0xef, 0x82,
+-    0xd4, 0x2e, 0x21, 0xbe, 0x15, 0x73, 0xac, 0xef,
+-    0x05, 0xdb, 0x6a, 0x8a, 0x1a, 0xcb, 0x8e, 0xa5,
+-    0xee, 0xfb, 0x28, 0xbf, 0x96, 0xa4, 0x2b, 0xd2,
+-    0x85, 0x2b, 0x20, 0xc3, 0xaf, 0x9a, 0x32, 0x04,
+-    0xa0, 0x49, 0x24, 0x47, 0xd0, 0x09, 0xf7, 0xcf,
+-    0x73, 0xb6, 0xf6, 0x70, 0xda, 0x3b, 0xf8, 0x5a,
+-    0x28, 0x2e, 0x14, 0x6c, 0x52, 0xbd, 0x2a, 0x7c,
+-    0x8e, 0xc1, 0xa8, 0x0e, 0xb1, 0x1e, 0x6b, 0x8d,
+-    0x76, 0xea, 0x70, 0x81, 0xa0, 0x02, 0x63, 0x74,
+-    0xbc, 0x7e, 0xb9, 0xac, 0x0e, 0x7b, 0x1b, 0x75,
+-    0x82, 0xe2, 0x98, 0x4e, 0x24, 0x55, 0xd4, 0xbd,
+-    0x14, 0xde, 0x58, 0x56, 0x3a, 0x5d, 0x4e, 0x57,
+-    0x0d, 0x54, 0x74, 0xe8, 0x86, 0x8c, 0xcb, 0x07,
+-    0x9f, 0x0b, 0xfb, 0xc2, 0x08, 0x5c, 0xd7, 0x05,
+-    0x3b, 0xc8, 0xd2, 0x15, 0x68, 0x8f, 0x3d, 0x3c,
+-    0x4e, 0x85, 0xa9, 0x25, 0x6f, 0xf5, 0x2e, 0xca,
+-    0xca, 0xa8, 0x27, 0x89, 0x61, 0x4e, 0x1f, 0x57,
+-    0x2d, 0x99, 0x10, 0x3f, 0xbc, 0x9e, 0x96, 0x5e,
+-    0x2f, 0x0a, 0x25, 0xa7, 0x5c, 0xea, 0x65, 0x2a,
+-    0x22, 0x35, 0xa3, 0xf9, 0x13, 0x89, 0x05, 0x2e,
+-    0x19, 0x73, 0x1d, 0x70, 0x74, 0x98, 0x15, 0x4b,
+-    0xab, 0x56, 0x52, 0xe0, 0x01, 0x42, 0x95, 0x6a,
+-    0x46, 0x2c, 0x78, 0xff, 0x26, 0xbc, 0x48, 0x10,
+-    0x38, 0x25, 0xab, 0x32, 0x7c, 0x79, 0x7c, 0x5d,
+-    0x6f, 0x45, 0x54, 0x74, 0x2d, 0x93, 0x56, 0x52,
+-    0x11, 0x34, 0x1e, 0xe3, 0x4b, 0x6a, 0x17, 0x4f,
+-    0x37, 0x14, 0x75, 0xac, 0xa3, 0xa1, 0xca, 0xda,
+-    0x38, 0x06, 0xa9, 0x78, 0xb9, 0x5d, 0xd0, 0x59,
+-    0x1b, 0x5d, 0x1e, 0xc2, 0x0b, 0xfb, 0x39, 0x37,
+-    0x44, 0x85, 0xb6, 0x36, 0x06, 0x95, 0xbc, 0x15,
+-    0x35, 0xb9, 0xe6, 0x27, 0x42, 0xe3, 0xc8, 0xec,
+-    0x30, 0x37, 0x20, 0x26, 0x9a, 0x11, 0x61, 0xc0,
+-    0xdb, 0xb2, 0x5a, 0x26, 0x78, 0x27, 0xb9, 0x13,
+-    0xc9, 0x1a, 0xa7, 0x67, 0x93, 0xe8, 0xbe, 0xcb,
+-};
+-
+-#define rsa_sigverx931_1_n rsa_sigverx931_0_n
+-#define rsa_sigverx931_1_e rsa_sigverx931_0_e
+-static const unsigned char rsa_sigverx931_1_msg[] = {
+-    0x79, 0x02, 0xb9, 0xd2, 0x3e, 0x84, 0x02, 0xc8,
+-    0x2a, 0x94, 0x92, 0x14, 0x8d, 0xd5, 0xd3, 0x8d,
+-    0xb2, 0xf6, 0x00, 0x8b, 0x61, 0x2c, 0xd2, 0xf9,
+-    0xa8, 0xe0, 0x5d, 0xac, 0xdc, 0xa5, 0x34, 0xf3,
+-    0xda, 0x6c, 0xd4, 0x70, 0x92, 0xfb, 0x40, 0x26,
+-    0xc7, 0x9b, 0xe8, 0xd2, 0x10, 0x11, 0xcf, 0x7f,
+-    0x23, 0xd0, 0xed, 0x55, 0x52, 0x6d, 0xd3, 0xb2,
+-    0x56, 0x53, 0x8d, 0x7c, 0x4c, 0xb8, 0xcc, 0xb5,
+-    0xfd, 0xd0, 0x45, 0x4f, 0x62, 0x40, 0x54, 0x42,
+-    0x68, 0xd5, 0xe5, 0xdd, 0xf0, 0x76, 0x94, 0x59,
+-    0x1a, 0x57, 0x13, 0xb4, 0xc3, 0x70, 0xcc, 0xbd,
+-    0x4c, 0x2e, 0xc8, 0x6b, 0x9d, 0x68, 0xd0, 0x72,
+-    0x6a, 0x94, 0xd2, 0x18, 0xb5, 0x3b, 0x86, 0x45,
+-    0x95, 0xaa, 0x50, 0xda, 0x35, 0xeb, 0x69, 0x44,
+-    0x1f, 0xf3, 0x3a, 0x51, 0xbb, 0x1d, 0x08, 0x42,
+-    0x12, 0xd7, 0xd6, 0x21, 0xd8, 0x9b, 0x87, 0x55,
+-};
+-
+-static const unsigned char rsa_sigverx931_1_sig[] = {
+-    0x3b, 0xba, 0xb3, 0xb1, 0xb2, 0x6a, 0x29, 0xb5,
+-    0xf9, 0x94, 0xf1, 0x00, 0x5c, 0x16, 0x67, 0x67,
+-    0x73, 0xd3, 0xde, 0x7e, 0x07, 0xfa, 0xaa, 0x95,
+-    0xeb, 0x5a, 0x55, 0xdc, 0xb2, 0xa9, 0x70, 0x5a,
+-    0xee, 0x8f, 0x8d, 0x69, 0x85, 0x2b, 0x00, 0xe3,
+-    0xdc, 0xe2, 0x73, 0x9b, 0x68, 0xeb, 0x93, 0x69,
+-    0x08, 0x03, 0x17, 0xd6, 0x50, 0x21, 0x14, 0x23,
+-    0x8c, 0xe6, 0x54, 0x3a, 0xd9, 0xfc, 0x8b, 0x14,
+-    0x81, 0xb1, 0x8b, 0x9d, 0xd2, 0xbe, 0x58, 0x75,
+-    0x94, 0x74, 0x93, 0xc9, 0xbb, 0x4e, 0xf6, 0x1f,
+-    0x73, 0x7d, 0x1a, 0x5f, 0xbd, 0xbf, 0x59, 0x37,
+-    0x5b, 0x98, 0x54, 0xad, 0x3a, 0xef, 0xa0, 0xef,
+-    0xcb, 0xc3, 0xe8, 0x84, 0xd8, 0x3d, 0xf5, 0x60,
+-    0xb8, 0xc3, 0x8d, 0x1e, 0x78, 0xa0, 0x91, 0x94,
+-    0xb7, 0xd7, 0xb1, 0xd4, 0xe2, 0xee, 0x81, 0x93,
+-    0xfc, 0x41, 0xf0, 0x31, 0xbb, 0x03, 0x52, 0xde,
+-    0x80, 0x20, 0x3a, 0x68, 0xe6, 0xc5, 0x50, 0x1b,
+-    0x08, 0x3f, 0x40, 0xde, 0xb3, 0xe5, 0x81, 0x99,
+-    0x7f, 0xdb, 0xb6, 0x5d, 0x61, 0x27, 0xd4, 0xfb,
+-    0xcd, 0xc5, 0x7a, 0xea, 0xde, 0x7a, 0x66, 0xef,
+-    0x55, 0x3f, 0x85, 0xea, 0x84, 0xc5, 0x0a, 0xf6,
+-    0x3c, 0x40, 0x38, 0xf7, 0x6c, 0x66, 0xe5, 0xbe,
+-    0x61, 0x41, 0xd3, 0xb1, 0x08, 0xe1, 0xb4, 0xf9,
+-    0x6e, 0xf6, 0x0e, 0x4a, 0x72, 0x6c, 0x61, 0x63,
+-    0x3e, 0x41, 0x33, 0x94, 0xd6, 0x27, 0xa4, 0xd9,
+-    0x3a, 0x20, 0x2b, 0x39, 0xea, 0xe5, 0x82, 0x48,
+-    0xd6, 0x5b, 0x58, 0x85, 0x44, 0xb0, 0xd2, 0xfd,
+-    0xfb, 0x3e, 0xeb, 0x78, 0xac, 0xbc, 0xba, 0x16,
+-    0x92, 0x0e, 0x20, 0xc1, 0xb2, 0xd1, 0x92, 0xa8,
+-    0x00, 0x88, 0xc0, 0x41, 0x46, 0x38, 0xb6, 0x54,
+-    0x70, 0x0c, 0x00, 0x62, 0x97, 0x6a, 0x8e, 0x66,
+-    0x5a, 0xa1, 0x6c, 0xf7, 0x6d, 0xc2, 0x27, 0x56,
+-    0x60, 0x5b, 0x0c, 0x52, 0xac, 0x5c, 0xae, 0x99,
+-    0x55, 0x11, 0x62, 0x52, 0x09, 0x48, 0x53, 0x90,
+-    0x3c, 0x0b, 0xd4, 0xdc, 0x7b, 0xe3, 0x4c, 0xe3,
+-    0xa8, 0x6d, 0xc5, 0xdf, 0xc1, 0x5c, 0x59, 0x25,
+-    0x99, 0x30, 0xde, 0x57, 0x6a, 0x84, 0x25, 0x34,
+-    0x3e, 0x64, 0x11, 0xdb, 0x7a, 0x82, 0x8e, 0x70,
+-    0xd2, 0x5c, 0x0e, 0x81, 0xa0, 0x24, 0x53, 0x75,
+-    0x98, 0xd6, 0x10, 0x01, 0x6a, 0x14, 0xed, 0xc3,
+-    0x6f, 0xc4, 0x18, 0xb8, 0xd2, 0x9f, 0x59, 0x53,
+-    0x81, 0x3a, 0x86, 0x31, 0xfc, 0x9e, 0xbf, 0x6c,
+-    0x52, 0x93, 0x86, 0x9c, 0xaa, 0x6c, 0x6f, 0x07,
+-    0x8a, 0x40, 0x33, 0x64, 0xb2, 0x70, 0x48, 0x85,
+-    0x05, 0x59, 0x65, 0x2d, 0x6b, 0x9a, 0xad, 0xab,
+-    0x20, 0x7e, 0x02, 0x6d, 0xde, 0xcf, 0x22, 0x0b,
+-    0xea, 0x6e, 0xbd, 0x1c, 0x39, 0x3a, 0xfd, 0xa4,
+-    0xde, 0x54, 0xae, 0xde, 0x5e, 0xf7, 0xb0, 0x6d,
+-};
+-
+ static const struct rsa_sigver_st rsa_sigver_data[] = {
+     {
+         "pkcs1", /* pkcs1v1.5 */
+@@ -1991,28 +1788,6 @@ static const struct rsa_sigver_st rsa_sigver_data[] = {
+         NO_PSS_SALT_LEN,
+         FAIL
+     },
+-    {
+-        "x931",
+-        3072,
+-        "SHA1",
+-        ITM(rsa_sigverx931_0_msg),
+-        ITM(rsa_sigverx931_0_n),
+-        ITM(rsa_sigverx931_0_e),
+-        ITM(rsa_sigverx931_0_sig),
+-        NO_PSS_SALT_LEN,
+-        PASS
+-    },
+-    {
+-        "x931",
+-        3072,
+-        "SHA256",
+-        ITM(rsa_sigverx931_1_msg),
+-        ITM(rsa_sigverx931_1_n),
+-        ITM(rsa_sigverx931_1_e),
+-        ITM(rsa_sigverx931_1_sig),
+-        NO_PSS_SALT_LEN,
+-        FAIL
+-    },
+     {
+         "pss",
+         4096,
+-- 
+2.49.0
+

openssl-FIPS-SUSE-FIPS-module-version.patch

@@ -0,0 +1,29 @@
+Index: openssl-3.5.0-beta1/providers/fips/fipsprov.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/providers/fips/fipsprov.c
++++ openssl-3.5.0-beta1/providers/fips/fipsprov.c
+@@ -195,18 +195,21 @@ static const OSSL_PARAM *fips_gettable_p
+ 
+ static int fips_get_params(void *provctx, OSSL_PARAM params[])
+ {
++    #define SUSE_FIPS_VENDOR "SUSE Linux Enterprise - OpenSSL FIPS Provider"
++    #define SUSE_FIPS_VERSION "SUSE Release"
++
+     OSSL_PARAM *p;
+     FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(ossl_prov_ctx_get0_libctx(provctx),
+                                               OSSL_LIB_CTX_FIPS_PROV_INDEX);
+ 
+     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
+-    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, FIPS_VENDOR))
++    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_FIPS_VENDOR))
+         return 0;
+     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
+-    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
++    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_FIPS_VERSION))
+         return 0;
+     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
+-    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
++    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_FIPS_VERSION))
+         return 0;
+     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
+     if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))

openssl-FIPS-Use-FFDHE2048-in-self-test.patch

@@ -0,0 +1,378 @@
+From e385647549c467fe263b68b72dd21bdfb875ee88 Mon Sep 17 00:00:00 2001
+From: Clemens Lang <cllang@redhat.com>
+Date: Fri, 22 Jul 2022 17:51:16 +0200
+Subject: [PATCH 2/2] FIPS: Use FFDHE2048 in self test
+
+Signed-off-by: Clemens Lang <cllang@redhat.com>
+---
+ providers/fips/self_test_data.inc | 342 +++++++++++++++---------------
+ 1 file changed, 172 insertions(+), 170 deletions(-)
+
+diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
+index a29cc650b5..1b5623833f 100644
+--- a/providers/fips/self_test_data.inc
++++ b/providers/fips/self_test_data.inc
+@@ -821,188 +821,190 @@ static const ST_KAT_DRBG st_kat_drbg_tests[] =
+ 
+ #ifndef OPENSSL_NO_DH
+ /* DH KAT */
++/* RFC7919 FFDHE2048 p */
+ static const unsigned char dh_p[] = {
+-    0xdc, 0xca, 0x15, 0x11, 0xb2, 0x31, 0x32, 0x25,
+-    0xf5, 0x21, 0x16, 0xe1, 0x54, 0x27, 0x89, 0xe0,
+-    0x01, 0xf0, 0x42, 0x5b, 0xcc, 0xc7, 0xf3, 0x66,
+-    0xf7, 0x40, 0x64, 0x07, 0xf1, 0xc9, 0xfa, 0x8b,
+-    0xe6, 0x10, 0xf1, 0x77, 0x8b, 0xb1, 0x70, 0xbe,
+-    0x39, 0xdb, 0xb7, 0x6f, 0x85, 0xbf, 0x24, 0xce,
+-    0x68, 0x80, 0xad, 0xb7, 0x62, 0x9f, 0x7c, 0x6d,
+-    0x01, 0x5e, 0x61, 0xd4, 0x3f, 0xa3, 0xee, 0x4d,
+-    0xe1, 0x85, 0xf2, 0xcf, 0xd0, 0x41, 0xff, 0xde,
+-    0x9d, 0x41, 0x84, 0x07, 0xe1, 0x51, 0x38, 0xbb,
+-    0x02, 0x1d, 0xae, 0xb3, 0x5f, 0x76, 0x2d, 0x17,
+-    0x82, 0xac, 0xc6, 0x58, 0xd3, 0x2b, 0xd4, 0xb0,
+-    0x23, 0x2c, 0x92, 0x7d, 0xd3, 0x8f, 0xa0, 0x97,
+-    0xb3, 0xd1, 0x85, 0x9f, 0xa8, 0xac, 0xaf, 0xb9,
+-    0x8f, 0x06, 0x66, 0x08, 0xfc, 0x64, 0x4e, 0xc7,
+-    0xdd, 0xb6, 0xf0, 0x85, 0x99, 0xf9, 0x2a, 0xc1,
+-    0xb5, 0x98, 0x25, 0xda, 0x84, 0x32, 0x07, 0x7d,
+-    0xef, 0x69, 0x56, 0x46, 0x06, 0x3c, 0x20, 0x82,
+-    0x3c, 0x95, 0x07, 0xab, 0x6f, 0x01, 0x76, 0xd4,
+-    0x73, 0x0d, 0x99, 0x0d, 0xbb, 0xe6, 0x36, 0x1c,
+-    0xd8, 0xb2, 0xb9, 0x4d, 0x3d, 0x2f, 0x32, 0x9b,
+-    0x82, 0x09, 0x9b, 0xd6, 0x61, 0xf4, 0x29, 0x50,
+-    0xf4, 0x03, 0xdf, 0x3e, 0xde, 0x62, 0xa3, 0x31,
+-    0x88, 0xb0, 0x27, 0x98, 0xba, 0x82, 0x3f, 0x44,
+-    0xb9, 0x46, 0xfe, 0x9d, 0xf6, 0x77, 0xa0, 0xc5,
+-    0xa1, 0x23, 0x8e, 0xaa, 0x97, 0xb7, 0x0f, 0x80,
+-    0xda, 0x8c, 0xac, 0x88, 0xe0, 0x92, 0xb1, 0x12,
+-    0x70, 0x60, 0xff, 0xbf, 0x45, 0x57, 0x99, 0x94,
+-    0x01, 0x1d, 0xc2, 0xfa, 0xa5, 0xe7, 0xf6, 0xc7,
+-    0x62, 0x45, 0xe1, 0xcc, 0x31, 0x22, 0x31, 0xc1,
+-    0x7d, 0x1c, 0xa6, 0xb1, 0x90, 0x07, 0xef, 0x0d,
+-    0xb9, 0x9f, 0x9c, 0xb6, 0x0e, 0x1d, 0x5f, 0x69
+-};
++    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++    0xad, 0xf8, 0x54, 0x58, 0xa2, 0xbb, 0x4a, 0x9a,
++    0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1,
++    0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95,
++    0xa9, 0xe1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xfb,
++    0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9,
++    0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8,
++    0xf6, 0x81, 0xb2, 0x02, 0xae, 0xc4, 0x61, 0x7a,
++    0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61,
++    0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0,
++    0x85, 0x63, 0x65, 0x55, 0x3d, 0xed, 0x1a, 0xf3,
++    0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35,
++    0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77,
++    0xe2, 0xa6, 0x89, 0xda, 0xf3, 0xef, 0xe8, 0x72,
++    0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35,
++    0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a,
++    0xbc, 0x0a, 0xb1, 0x82, 0xb3, 0x24, 0xfb, 0x61,
++    0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb,
++    0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68,
++    0x1d, 0x4f, 0x42, 0xa3, 0xde, 0x39, 0x4d, 0xf4,
++    0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19,
++    0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70,
++    0x9e, 0x02, 0xfc, 0xe1, 0xcd, 0xf7, 0xe2, 0xec,
++    0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61,
++    0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff,
++    0x8e, 0x4f, 0x12, 0x32, 0xee, 0xf2, 0x81, 0x83,
++    0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73,
++    0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05,
++    0xc5, 0x8e, 0xf1, 0x83, 0x7d, 0x16, 0x83, 0xb2,
++    0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa,
++    0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97,
++    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
++};
++/* RFC7919 FFDHE2048 q */
+ static const unsigned char dh_q[] = {
+-    0x89, 0x8b, 0x22, 0x67, 0x17, 0xef, 0x03, 0x9e,
+-    0x60, 0x3e, 0x82, 0xe5, 0xc7, 0xaf, 0xe4, 0x83,
+-    0x74, 0xac, 0x5f, 0x62, 0x5c, 0x54, 0xf1, 0xea,
+-    0x11, 0xac, 0xb5, 0x7d
+-};
++    0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++    0xd6, 0xfc, 0x2a, 0x2c, 0x51, 0x5d, 0xa5, 0x4d,
++    0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78,
++    0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a,
++    0xd4, 0xf0, 0x9b, 0x20, 0x8a, 0x32, 0x19, 0xfd,
++    0xe6, 0x49, 0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c,
++    0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec,
++    0x7b, 0x40, 0xd9, 0x01, 0x57, 0x62, 0x30, 0xbd,
++    0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0,
++    0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68,
++    0x42, 0xb1, 0xb2, 0xaa, 0x9e, 0xf6, 0x8d, 0x79,
++    0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a,
++    0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb,
++    0xf1, 0x53, 0x44, 0xed, 0x79, 0xf7, 0xf4, 0x39,
++    0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a,
++    0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd,
++    0x5e, 0x05, 0x58, 0xc1, 0x59, 0x92, 0x7d, 0xb0,
++    0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd,
++    0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34,
++    0x0e, 0xa7, 0xa1, 0x51, 0xef, 0x1c, 0xa6, 0xfa,
++    0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c,
++    0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8,
++    0x4f, 0x01, 0x7e, 0x70, 0xe6, 0xfb, 0xf1, 0x76,
++    0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0,
++    0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff,
++    0xc7, 0x27, 0x89, 0x19, 0x77, 0x79, 0x40, 0xc1,
++    0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9,
++    0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02,
++    0xe2, 0xc7, 0x78, 0xc1, 0xbe, 0x8b, 0x41, 0xd9,
++    0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd,
++    0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b,
++    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
++};
++/* RFC7919 FFDHE2048 g */
+ static const unsigned char dh_g[] = {
+-    0x5e, 0xf7, 0xb8, 0x8f, 0x2d, 0xf6, 0x01, 0x39,
+-    0x35, 0x1d, 0xfb, 0xfe, 0x12, 0x66, 0x80, 0x5f,
+-    0xdf, 0x35, 0x6c, 0xdf, 0xd1, 0x3a, 0x4d, 0xa0,
+-    0x05, 0x0c, 0x7e, 0xde, 0x24, 0x6d, 0xf5, 0x9f,
+-    0x6a, 0xbf, 0x96, 0xad, 0xe5, 0xf2, 0xb2, 0x8f,
+-    0xfe, 0x88, 0xd6, 0xbc, 0xe7, 0xf7, 0x89, 0x4a,
+-    0x3d, 0x53, 0x5f, 0xc8, 0x21, 0x26, 0xdd, 0xd4,
+-    0x24, 0x87, 0x2e, 0x16, 0xb8, 0x38, 0xdf, 0x8c,
+-    0x51, 0xe9, 0x01, 0x6f, 0x88, 0x9c, 0x7c, 0x20,
+-    0x3e, 0x98, 0xa8, 0xb6, 0x31, 0xf9, 0xc7, 0x25,
+-    0x63, 0xd3, 0x8a, 0x49, 0x58, 0x9a, 0x07, 0x53,
+-    0xd3, 0x58, 0xe7, 0x83, 0x31, 0x8c, 0xef, 0xd9,
+-    0x67, 0x7c, 0x7b, 0x2d, 0xbb, 0x77, 0xd6, 0xdc,
+-    0xe2, 0xa1, 0x96, 0x37, 0x95, 0xca, 0x64, 0xb9,
+-    0x2d, 0x1c, 0x9a, 0xac, 0x6d, 0x0e, 0x8d, 0x43,
+-    0x1d, 0xe5, 0xe5, 0x00, 0x60, 0xdf, 0xf7, 0x86,
+-    0x89, 0xc9, 0xec, 0xa1, 0xc1, 0x24, 0x8c, 0x16,
+-    0xed, 0x09, 0xc7, 0xad, 0x41, 0x2a, 0x17, 0x40,
+-    0x6d, 0x2b, 0x52, 0x5a, 0xa1, 0xca, 0xbb, 0x23,
+-    0x7b, 0x97, 0x34, 0xec, 0x7b, 0x8c, 0xe3, 0xfa,
+-    0xe0, 0x2f, 0x29, 0xc5, 0xef, 0xed, 0x30, 0xd6,
+-    0x91, 0x87, 0xda, 0x10, 0x9c, 0x2c, 0x9f, 0xe2,
+-    0xaa, 0xdb, 0xb0, 0xc2, 0x2a, 0xf5, 0x4c, 0x61,
+-    0x66, 0x55, 0x00, 0x0c, 0x43, 0x1c, 0x6b, 0x4a,
+-    0x37, 0x97, 0x63, 0xb0, 0xa9, 0x16, 0x58, 0xef,
+-    0xc8, 0x4e, 0x8b, 0x06, 0x35, 0x8c, 0x8b, 0x4f,
+-    0x21, 0x37, 0x10, 0xfd, 0x10, 0x17, 0x2c, 0xf3,
+-    0x9b, 0x83, 0x0c, 0x2d, 0xd8, 0x4a, 0x0c, 0x8a,
+-    0xb8, 0x25, 0x16, 0xec, 0xab, 0x99, 0x5f, 0xa4,
+-    0x21, 0x5e, 0x02, 0x3e, 0x4e, 0xcf, 0x80, 0x74,
+-    0xc3, 0x9d, 0x6c, 0x88, 0xb7, 0x0d, 0x1e, 0xe4,
+-    0xe9, 0x6f, 0xdc, 0x20, 0xea, 0x11, 0x5c, 0x32
++    0x02
+ };
+ static const unsigned char dh_priv[] = {
+-    0x14, 0x33, 0xe0, 0xb5, 0xa9, 0x17, 0xb6, 0x0a,
+-    0x30, 0x23, 0xf2, 0xf8, 0xaa, 0x2c, 0x2d, 0x70,
+-    0xd2, 0x96, 0x8a, 0xba, 0x9a, 0xea, 0xc8, 0x15,
+-    0x40, 0xb8, 0xfc, 0xe6
++    0x01, 0xdc, 0x2a, 0xb9, 0x87, 0x71, 0x57, 0x0f,
++    0xcd, 0x93, 0x65, 0x4c, 0xa1, 0xd6, 0x56, 0x6d,
++    0xc5, 0x35, 0xd5, 0xcb, 0x4c, 0xb8, 0xad, 0x8d,
++    0x6c, 0xdc, 0x5d, 0x6e, 0x94
+ };
+ static const unsigned char dh_pub[] = {
+-    0x95, 0xdd, 0x33, 0x8d, 0x29, 0xe5, 0x71, 0x04,
+-    0x92, 0xb9, 0x18, 0x31, 0x7b, 0x72, 0xa3, 0x69,
+-    0x36, 0xe1, 0x95, 0x1a, 0x2e, 0xe5, 0xa5, 0x59,
+-    0x16, 0x99, 0xc0, 0x48, 0x6d, 0x0d, 0x4f, 0x9b,
+-    0xdd, 0x6d, 0x5a, 0x3f, 0x6b, 0x98, 0x89, 0x0c,
+-    0x62, 0xb3, 0x76, 0x52, 0xd3, 0x6e, 0x71, 0x21,
+-    0x11, 0xe6, 0x8a, 0x73, 0x55, 0x37, 0x25, 0x06,
+-    0x99, 0xef, 0xe3, 0x30, 0x53, 0x73, 0x91, 0xfb,
+-    0xc2, 0xc5, 0x48, 0xbc, 0x5a, 0xc3, 0xe5, 0xb2,
+-    0x33, 0x86, 0xc3, 0xee, 0xf5, 0xeb, 0x43, 0xc0,
+-    0x99, 0xd7, 0x0a, 0x52, 0x02, 0x68, 0x7e, 0x83,
+-    0x96, 0x42, 0x48, 0xfc, 0xa9, 0x1f, 0x40, 0x90,
+-    0x8e, 0x8f, 0xb3, 0x31, 0x93, 0x15, 0xf6, 0xd2,
+-    0x60, 0x6d, 0x7f, 0x7c, 0xd5, 0x2c, 0xc6, 0xe7,
+-    0xc5, 0x84, 0x3a, 0xfb, 0x22, 0x51, 0x9c, 0xf0,
+-    0xf0, 0xf9, 0xd3, 0xa0, 0xa4, 0xe8, 0xc8, 0x88,
+-    0x99, 0xef, 0xed, 0xe7, 0x36, 0x43, 0x51, 0xfb,
+-    0x6a, 0x36, 0x3e, 0xe7, 0x17, 0xe5, 0x44, 0x5a,
+-    0xda, 0xb4, 0xc9, 0x31, 0xa6, 0x48, 0x39, 0x97,
+-    0xb8, 0x7d, 0xad, 0x83, 0x67, 0x7e, 0x4d, 0x1d,
+-    0x3a, 0x77, 0x75, 0xe0, 0xf6, 0xd0, 0x0f, 0xdf,
+-    0x73, 0xc7, 0xad, 0x80, 0x1e, 0x66, 0x5a, 0x0e,
+-    0x5a, 0x79, 0x6d, 0x0a, 0x03, 0x80, 0xa1, 0x9f,
+-    0xa1, 0x82, 0xef, 0xc8, 0xa0, 0x4f, 0x5e, 0x4d,
+-    0xb9, 0x0d, 0x1a, 0x86, 0x37, 0xf9, 0x5d, 0xb1,
+-    0x64, 0x36, 0xbd, 0xc8, 0xf3, 0xfc, 0x09, 0x6c,
+-    0x4f, 0xf7, 0xf2, 0x34, 0xbe, 0x8f, 0xef, 0x47,
+-    0x9a, 0xc4, 0xb0, 0xdc, 0x4b, 0x77, 0x26, 0x3e,
+-    0x07, 0xd9, 0x95, 0x9d, 0xe0, 0xf1, 0xbf, 0x3f,
+-    0x0a, 0xe3, 0xd9, 0xd5, 0x0e, 0x4b, 0x89, 0xc9,
+-    0x9e, 0x3e, 0xa1, 0x21, 0x73, 0x43, 0xdd, 0x8c,
+-    0x65, 0x81, 0xac, 0xc4, 0x95, 0x9c, 0x91, 0xd3
++    0x00, 0xc4, 0x82, 0x14, 0x69, 0x16, 0x4c, 0x05,
++    0x55, 0x2a, 0x7e, 0x55, 0x6d, 0x02, 0xbb, 0x7f,
++    0xcc, 0x63, 0x74, 0xee, 0xcb, 0xb4, 0x98, 0x43,
++    0x0e, 0x29, 0x43, 0x0d, 0x44, 0xc7, 0xf1, 0x23,
++    0x81, 0xca, 0x1c, 0x5c, 0xc3, 0xff, 0x01, 0x4a,
++    0x1a, 0x03, 0x9e, 0x5f, 0xd1, 0x4e, 0xa0, 0x0b,
++    0xb9, 0x5c, 0x0d, 0xef, 0x14, 0x01, 0x62, 0x3c,
++    0x8a, 0x8e, 0x60, 0xbb, 0x39, 0xd6, 0x38, 0x63,
++    0xb7, 0x65, 0xd0, 0x0b, 0x1a, 0xaf, 0x53, 0x38,
++    0x10, 0x0f, 0x3e, 0xeb, 0x9d, 0x0c, 0x24, 0xf6,
++    0xe3, 0x70, 0x08, 0x8a, 0x4d, 0x01, 0xf8, 0x7a,
++    0x87, 0x49, 0x64, 0x72, 0xb1, 0x75, 0x3b, 0x94,
++    0xc8, 0x09, 0x2d, 0x6a, 0x63, 0xd8, 0x9a, 0x92,
++    0xb9, 0x5b, 0x1a, 0xc3, 0x47, 0x0b, 0x63, 0x44,
++    0x3b, 0xe3, 0xc0, 0x09, 0xc9, 0xf9, 0x02, 0x53,
++    0xd8, 0xfb, 0x06, 0x44, 0xdb, 0xdf, 0xe8, 0x13,
++    0x2b, 0x40, 0x6a, 0xd4, 0x13, 0x4e, 0x52, 0x30,
++    0xd6, 0xc1, 0xd8, 0x59, 0x9d, 0x59, 0xba, 0x1b,
++    0xbf, 0xaa, 0x6f, 0xe9, 0x3d, 0xfd, 0xff, 0x01,
++    0x0b, 0x54, 0xe0, 0x6a, 0x4e, 0x27, 0x2b, 0x3d,
++    0xe8, 0xef, 0xb0, 0xbe, 0x52, 0xc3, 0x52, 0x18,
++    0x6f, 0xa3, 0x27, 0xab, 0x6c, 0x12, 0xc3, 0x81,
++    0xcb, 0xae, 0x23, 0x11, 0xa0, 0x5d, 0xc3, 0x6f,
++    0x23, 0x17, 0x40, 0xb3, 0x05, 0x4f, 0x5d, 0xb7,
++    0x34, 0xbe, 0x87, 0x2c, 0xa9, 0x9e, 0x98, 0x39,
++    0xbf, 0x2e, 0x9d, 0xad, 0x4f, 0x70, 0xad, 0xed,
++    0x1b, 0x5e, 0x47, 0x90, 0x49, 0x2e, 0x61, 0x71,
++    0x5f, 0x07, 0x0b, 0x35, 0x04, 0xfc, 0x53, 0xce,
++    0x58, 0x60, 0x6c, 0x5b, 0x8b, 0xfe, 0x70, 0x04,
++    0x2a, 0x6a, 0x98, 0x0a, 0xd0, 0x80, 0xae, 0x69,
++    0x95, 0xf9, 0x99, 0x18, 0xfc, 0xe4, 0x8e, 0xed,
++    0x61, 0xd9, 0x02, 0x9d, 0x4e, 0x05, 0xe9, 0xf2,
++    0x32
+ };
+ static const unsigned char dh_peer_pub[] = {
+-    0x1f, 0xc1, 0xda, 0x34, 0x1d, 0x1a, 0x84, 0x6a,
+-    0x96, 0xb7, 0xbe, 0x24, 0x34, 0x0f, 0x87, 0x7d,
+-    0xd0, 0x10, 0xaa, 0x03, 0x56, 0xd5, 0xad, 0x58,
+-    0xaa, 0xe9, 0xc7, 0xb0, 0x8f, 0x74, 0x9a, 0x32,
+-    0x23, 0x51, 0x10, 0xb5, 0xd8, 0x8e, 0xb5, 0xdb,
+-    0xfa, 0x97, 0x8d, 0x27, 0xec, 0xc5, 0x30, 0xf0,
+-    0x2d, 0x31, 0x14, 0x00, 0x5b, 0x64, 0xb1, 0xc0,
+-    0xe0, 0x24, 0xcb, 0x8a, 0xe2, 0x16, 0x98, 0xbc,
+-    0xa9, 0xe6, 0x0d, 0x42, 0x80, 0x86, 0x22, 0xf1,
+-    0x81, 0xc5, 0x6e, 0x1d, 0xe7, 0xa9, 0x6e, 0x6e,
+-    0xfe, 0xe9, 0xd6, 0x65, 0x67, 0xe9, 0x1b, 0x97,
+-    0x70, 0x42, 0xc7, 0xe3, 0xd0, 0x44, 0x8f, 0x05,
+-    0xfb, 0x77, 0xf5, 0x22, 0xb9, 0xbf, 0xc8, 0xd3,
+-    0x3c, 0xc3, 0xc3, 0x1e, 0xd3, 0xb3, 0x1f, 0x0f,
+-    0xec, 0xb6, 0xdb, 0x4f, 0x6e, 0xa3, 0x11, 0xe7,
+-    0x7a, 0xfd, 0xbc, 0xd4, 0x7a, 0xee, 0x1b, 0xb1,
+-    0x50, 0xf2, 0x16, 0x87, 0x35, 0x78, 0xfb, 0x96,
+-    0x46, 0x8e, 0x8f, 0x9f, 0x3d, 0xe8, 0xef, 0xbf,
+-    0xce, 0x75, 0x62, 0x4b, 0x1d, 0xf0, 0x53, 0x22,
+-    0xa3, 0x4f, 0x14, 0x63, 0xe8, 0x39, 0xe8, 0x98,
+-    0x4c, 0x4a, 0xd0, 0xa9, 0x6e, 0x1a, 0xc8, 0x42,
+-    0xe5, 0x31, 0x8c, 0xc2, 0x3c, 0x06, 0x2a, 0x8c,
+-    0xa1, 0x71, 0xb8, 0xd5, 0x75, 0x98, 0x0d, 0xde,
+-    0x7f, 0xc5, 0x6f, 0x15, 0x36, 0x52, 0x38, 0x20,
+-    0xd4, 0x31, 0x92, 0xbf, 0xd5, 0x1e, 0x8e, 0x22,
+-    0x89, 0x78, 0xac, 0xa5, 0xb9, 0x44, 0x72, 0xf3,
+-    0x39, 0xca, 0xeb, 0x99, 0x31, 0xb4, 0x2b, 0xe3,
+-    0x01, 0x26, 0x8b, 0xc9, 0x97, 0x89, 0xc9, 0xb2,
+-    0x55, 0x71, 0xc3, 0xc0, 0xe4, 0xcb, 0x3f, 0x00,
+-    0x7f, 0x1a, 0x51, 0x1c, 0xbb, 0x53, 0xc8, 0x51,
+-    0x9c, 0xdd, 0x13, 0x02, 0xab, 0xca, 0x6c, 0x0f,
+-    0x34, 0xf9, 0x67, 0x39, 0xf1, 0x7f, 0xf4, 0x8b
++    0x00, 0xef, 0x15, 0x02, 0xf5, 0x56, 0xa3, 0x79,
++    0x40, 0x58, 0xbc, 0xeb, 0x56, 0xad, 0xcb, 0xda,
++    0x8c, 0xda, 0xb8, 0xd1, 0xda, 0x6f, 0x25, 0x29,
++    0x9e, 0x43, 0x76, 0x2d, 0xb2, 0xd8, 0xbc, 0x84,
++    0xbc, 0x85, 0xd0, 0x94, 0x8d, 0x44, 0x27, 0x57,
++    0xe4, 0xdf, 0xc1, 0x78, 0x42, 0x8f, 0x08, 0xf5,
++    0x74, 0xfe, 0x02, 0x56, 0xd2, 0x09, 0xc8, 0x68,
++    0xef, 0xed, 0x18, 0xc9, 0xfd, 0x2e, 0x95, 0x6c,
++    0xba, 0x6c, 0x00, 0x0e, 0xf5, 0xd1, 0x1b, 0xf6,
++    0x15, 0x14, 0x5b, 0x67, 0x22, 0x7c, 0x6a, 0x20,
++    0x76, 0x43, 0x51, 0xef, 0x5e, 0x1e, 0xf9, 0x2d,
++    0xd6, 0xb4, 0xc5, 0xc6, 0x18, 0x33, 0xd1, 0xa3,
++    0x3b, 0xe6, 0xdd, 0x57, 0x9d, 0xad, 0x13, 0x7a,
++    0x53, 0xde, 0xb3, 0x97, 0xc0, 0x7e, 0xd7, 0x77,
++    0x6b, 0xf8, 0xbd, 0x13, 0x70, 0x8c, 0xba, 0x73,
++    0x80, 0xb3, 0x80, 0x6f, 0xfb, 0x1c, 0xda, 0x53,
++    0x4d, 0x3c, 0x8a, 0x2e, 0xa1, 0x37, 0xce, 0xb1,
++    0xde, 0x45, 0x97, 0x58, 0x65, 0x4d, 0xcf, 0x05,
++    0xbb, 0xc3, 0xd7, 0x38, 0x6d, 0x0a, 0x59, 0x7a,
++    0x99, 0x15, 0xb7, 0x9a, 0x3d, 0xfd, 0x61, 0xe5,
++    0x1a, 0xa2, 0xcc, 0xf6, 0xfe, 0xb1, 0xee, 0xe9,
++    0xa9, 0xe2, 0xeb, 0x06, 0xbc, 0x14, 0x6e, 0x91,
++    0x0d, 0xf1, 0xe3, 0xbb, 0xe0, 0x7e, 0x1d, 0x31,
++    0x79, 0xf1, 0x6d, 0x5f, 0xcb, 0xaf, 0xb2, 0x4f,
++    0x22, 0x12, 0xbf, 0x72, 0xbd, 0xd0, 0x30, 0xe4,
++    0x1c, 0x35, 0x96, 0x61, 0x98, 0x39, 0xfb, 0x7e,
++    0x6d, 0x66, 0xc4, 0x69, 0x41, 0x0d, 0x0d, 0x59,
++    0xbb, 0xa7, 0xbf, 0x34, 0xe0, 0x39, 0x36, 0x84,
++    0x5e, 0x0e, 0x03, 0x2d, 0xcf, 0xaa, 0x02, 0x8a,
++    0xba, 0x59, 0x88, 0x47, 0xc4, 0x4d, 0xd7, 0xbd,
++    0x78, 0x76, 0x24, 0xf1, 0x45, 0x56, 0x44, 0xc2,
++    0x4a, 0xc2, 0xd5, 0x3a, 0x59, 0x40, 0xab, 0x87,
++    0x64
+ };
+ 
+ static const unsigned char dh_secret_expected[] = {
+-    0x08, 0xff, 0x33, 0xbb, 0x2e, 0xcf, 0xf4, 0x9a,
+-    0x7d, 0x4a, 0x79, 0x12, 0xae, 0xb1, 0xbb, 0x6a,
+-    0xb5, 0x11, 0x64, 0x1b, 0x4a, 0x76, 0x77, 0x0c,
+-    0x8c, 0xc1, 0xbc, 0xc2, 0x33, 0x34, 0x3d, 0xfe,
+-    0x70, 0x0d, 0x11, 0x81, 0x3d, 0x2c, 0x9e, 0xd2,
+-    0x3b, 0x21, 0x1c, 0xa9, 0xe8, 0x78, 0x69, 0x21,
+-    0xed, 0xca, 0x28, 0x3c, 0x68, 0xb1, 0x61, 0x53,
+-    0xfa, 0x01, 0xe9, 0x1a, 0xb8, 0x2c, 0x90, 0xdd,
+-    0xab, 0x4a, 0x95, 0x81, 0x67, 0x70, 0xa9, 0x87,
+-    0x10, 0xe1, 0x4c, 0x92, 0xab, 0x83, 0xb6, 0xe4,
+-    0x6e, 0x1e, 0x42, 0x6e, 0xe8, 0x52, 0x43, 0x0d,
+-    0x61, 0x87, 0xda, 0xa3, 0x72, 0x0a, 0x6b, 0xcd,
+-    0x73, 0x23, 0x5c, 0x6b, 0x0f, 0x94, 0x1f, 0x33,
+-    0x64, 0xf5, 0x04, 0x20, 0x55, 0x1a, 0x4b, 0xfe,
+-    0xaf, 0xe2, 0xbc, 0x43, 0x85, 0x05, 0xa5, 0x9a,
+-    0x4a, 0x40, 0xda, 0xca, 0x7a, 0x89, 0x5a, 0x73,
+-    0xdb, 0x57, 0x5c, 0x74, 0xc1, 0x3a, 0x23, 0xad,
+-    0x88, 0x32, 0x95, 0x7d, 0x58, 0x2d, 0x38, 0xf0,
+-    0xa6, 0x16, 0x5f, 0xb0, 0xd7, 0xe9, 0xb8, 0x79,
+-    0x9e, 0x42, 0xfd, 0x32, 0x20, 0xe3, 0x32, 0xe9,
+-    0x81, 0x85, 0xa0, 0xc9, 0x42, 0x97, 0x57, 0xb2,
+-    0xd0, 0xd0, 0x2c, 0x17, 0xdb, 0xaa, 0x1f, 0xf6,
+-    0xed, 0x93, 0xd7, 0xe7, 0x3e, 0x24, 0x1e, 0xae,
+-    0xd9, 0x0c, 0xaf, 0x39, 0x4d, 0x2b, 0xc6, 0x57,
+-    0x0f, 0x18, 0xc8, 0x1f, 0x2b, 0xe5, 0xd0, 0x1a,
+-    0x2c, 0xa9, 0x9f, 0xf1, 0x42, 0xb5, 0xd9, 0x63,
+-    0xf9, 0xf5, 0x00, 0x32, 0x5e, 0x75, 0x56, 0xf9,
+-    0x58, 0x49, 0xb3, 0xff, 0xc7, 0x47, 0x94, 0x86,
+-    0xbe, 0x1d, 0x45, 0x96, 0xa3, 0x10, 0x6b, 0xd5,
+-    0xcb, 0x4f, 0x61, 0xc5, 0x7e, 0xc5, 0xf1, 0x00,
+-    0xfb, 0x7a, 0x0c, 0x82, 0xa1, 0x0b, 0x82, 0x52,
+-    0x6a, 0x97, 0xd1, 0xd9, 0x7d, 0x98, 0xea, 0xf6
++    0x56, 0x13, 0xe3, 0x12, 0x6b, 0x5f, 0x67, 0xe5,
++    0x08, 0xe5, 0x35, 0x0e, 0x11, 0x90, 0x9d, 0xf5,
++    0x1a, 0x24, 0xfa, 0x42, 0xd1, 0x4a, 0x50, 0x93,
++    0x5b, 0xf4, 0x11, 0x6f, 0xd0, 0xc3, 0xc5, 0xa5,
++    0x80, 0xae, 0x01, 0x3d, 0x66, 0x92, 0xc0, 0x3e,
++    0x5f, 0xe9, 0x75, 0xb6, 0x5b, 0x37, 0x82, 0x39,
++    0x72, 0x66, 0x0b, 0xa2, 0x73, 0x94, 0xe5, 0x04,
++    0x7c, 0x0c, 0x19, 0x9a, 0x03, 0x53, 0xc4, 0x9d,
++    0xc1, 0x0f, 0xc3, 0xec, 0x0e, 0x2e, 0xa3, 0x7c,
++    0x07, 0x0e, 0xaf, 0x18, 0x1d, 0xc7, 0x8b, 0x47,
++    0x4b, 0x94, 0x05, 0x6d, 0xec, 0xdd, 0xa1, 0xae,
++    0x7b, 0x21, 0x86, 0x53, 0xd3, 0x62, 0x38, 0x08,
++    0xea, 0xda, 0xdc, 0xb2, 0x5a, 0x7c, 0xef, 0x19,
++    0xf8, 0x29, 0xef, 0xf8, 0xd0, 0xfb, 0xde, 0xe8,
++    0xb8, 0x2f, 0xb3, 0xa1, 0x16, 0xa2, 0xd0, 0x8f,
++    0x48, 0xdc, 0x7d, 0xcb, 0xee, 0x5c, 0x06, 0x1e,
++    0x2a, 0x66, 0xe8, 0x1f, 0xdb, 0x18, 0xe9, 0xd2,
++    0xfd, 0xa2, 0x4e, 0x39, 0xa3, 0x2e, 0x88, 0x3d,
++    0x7d, 0xac, 0x15, 0x18, 0x25, 0xe6, 0xba, 0xd4,
++    0x0e, 0x89, 0x26, 0x60, 0x8f, 0xdc, 0x4a, 0xb4,
++    0x49, 0x8f, 0x98, 0xe8, 0x62, 0x8c, 0xc6, 0x66,
++    0x20, 0x4c, 0xe1, 0xed, 0xfc, 0x01, 0x88, 0x46,
++    0xa7, 0x67, 0x48, 0x39, 0xc5, 0x22, 0x95, 0xa0,
++    0x23, 0xb9, 0xd1, 0xed, 0x87, 0xcf, 0xa7, 0x70,
++    0x1c, 0xac, 0xd3, 0xaf, 0x5c, 0x26, 0x50, 0x3c,
++    0xe4, 0x23, 0xb6, 0xcc, 0xd7, 0xc5, 0xda, 0x2f,
++    0xf4, 0x45, 0xf1, 0xe4, 0x40, 0xb5, 0x0a, 0x25,
++    0x86, 0xe6, 0xde, 0x11, 0x3c, 0x46, 0x16, 0xbc,
++    0x41, 0xc2, 0x28, 0x19, 0x81, 0x5a, 0x46, 0x02,
++    0x87, 0xd0, 0x15, 0x0c, 0xd2, 0xfe, 0x75, 0x04,
++    0x82, 0xd2, 0x0a, 0xb7, 0xbc, 0xc5, 0x6c, 0xb1,
++    0x41, 0xa8, 0x2b, 0x28, 0xbb, 0x86, 0x0c, 0x89
+ };
+ 
+ static const ST_KAT_PARAM dh_group[] = {
+-- 
+2.35.3
+

openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch

@@ -0,0 +1,387 @@
+From 4b5430728a7a3f7b4d60a15c5ee1ce6632fa6fb3 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Wed, 12 Feb 2025 17:12:02 -0500
+Subject: [PATCH 33/53] FIPS: RSA: NEEDS-REWORK:
+ FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ ...EP-in-KATs-support-fixed-OAEP-seed.p.patch | 348 ++++++++++++++++++
+ REBASE.txt                                    |  10 +
+ 2 files changed, 358 insertions(+)
+ create mode 100644 Originally-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch
+ create mode 100644 REBASE.txt
+
+diff --git a/Originally-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch b/Originally-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch
+new file mode 100644
+index 0000000000..793b8a4dac
+--- /dev/null
++++ b/Originally-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch
+@@ -0,0 +1,348 @@
++From a0e92712c141cda0b8321feb492982506b18c612 Mon Sep 17 00:00:00 2001
++From: rpm-build <rpm-build>
++Date: Wed, 6 Mar 2024 19:17:15 +0100
++Subject: [PATCH 28/55] 
++ 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
++
++Patch-name: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
++Patch-id: 73
++Patch-status: |
++    # # https://bugzilla.redhat.com/show_bug.cgi?id=2102535
++From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
++---
++ crypto/rsa/rsa_local.h                        |  8 ++
++ crypto/rsa/rsa_oaep.c                         | 34 ++++++--
++ providers/fips/self_test_data.inc             | 79 ++++++++++---------
++ providers/fips/self_test_kats.c               |  7 ++
++ .../implementations/asymciphers/rsa_enc.c     | 41 +++++++++-
++ util/perl/OpenSSL/paramnames.pm               |  1 +
++ 6 files changed, 126 insertions(+), 44 deletions(-)
++
++diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h
++index ea70da05ad..dde57a1a0e 100644
++--- a/crypto/rsa/rsa_local.h
+++++ b/crypto/rsa/rsa_local.h
++@@ -193,4 +193,12 @@ int ossl_rsa_padding_add_PKCS1_type_2_ex(OSSL_LIB_CTX *libctx, unsigned char *to
++                                          int tlen, const unsigned char *from,
++                                          int flen);
++ 
+++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx,
+++                                             unsigned char *to, int tlen,
+++                                             const unsigned char *from, int flen,
+++                                             const unsigned char *param,
+++                                             int plen, const EVP_MD *md,
+++                                             const EVP_MD *mgf1md,
+++                                             const char *redhat_st_seed);
+++
++ #endif /* OSSL_CRYPTO_RSA_LOCAL_H */
++diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
++index b9030440c4..3d665c3860 100644
++--- a/crypto/rsa/rsa_oaep.c
+++++ b/crypto/rsa/rsa_oaep.c
++@@ -44,6 +44,10 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
++                                                    param, plen, NULL, NULL);
++ }
++ 
+++#ifdef FIPS_MODULE
+++extern int REDHAT_FIPS_asym_cipher_st;
+++#endif /* FIPS_MODULE */
+++
++ /*
++  * Perform the padding as per NIST 800-56B 7.2.2.3
++  *      from (K) is the key material.
++@@ -51,12 +55,13 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
++  * Step numbers are included here but not in the constant time inverse below
++  * to avoid complicating an already difficult enough function.
++  */
++-int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
++-                                            unsigned char *to, int tlen,
++-                                            const unsigned char *from, int flen,
++-                                            const unsigned char *param,
++-                                            int plen, const EVP_MD *md,
++-                                            const EVP_MD *mgf1md)
+++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx,
+++                                             unsigned char *to, int tlen,
+++                                             const unsigned char *from, int flen,
+++                                             const unsigned char *param,
+++                                             int plen, const EVP_MD *md,
+++                                             const EVP_MD *mgf1md,
+++                                             const char *redhat_st_seed)
++ {
++     int rv = 0;
++     int i, emlen = tlen - 1;
++@@ -107,6 +112,11 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
++     db[emlen - flen - mdlen - 1] = 0x01;
++     memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen);
++     /* step 3d: generate random byte string */
+++#ifdef FIPS_MODULE
+++    if (redhat_st_seed != NULL && REDHAT_FIPS_asym_cipher_st) {
+++        memcpy(seed, redhat_st_seed, mdlen);
+++    } else
+++#endif
++     if (RAND_bytes_ex(libctx, seed, mdlen, 0) <= 0)
++         goto err;
++ 
++@@ -136,6 +146,18 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
++     return rv;
++ }
++ 
+++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
+++                                            unsigned char *to, int tlen,
+++                                            const unsigned char *from, int flen,
+++                                            const unsigned char *param,
+++                                            int plen, const EVP_MD *md,
+++                                            const EVP_MD *mgf1md)
+++{
+++    return ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(libctx, to, tlen, from,
+++                                                    flen, param, plen, md,
+++                                                    mgf1md, NULL);
+++}
+++
++ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
++                                     const unsigned char *from, int flen,
++                                     const unsigned char *param, int plen,
++diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
++index 4b80bb70b9..c33ecd0791 100644
++--- a/providers/fips/self_test_data.inc
+++++ b/providers/fips/self_test_data.inc
++@@ -1296,14 +1296,21 @@ static const ST_KAT_PARAM rsa_priv_key[] = {
++ };
++ 
++ /*-
++- * Using OSSL_PKEY_RSA_PAD_MODE_NONE directly in the expansion of the
+++ * Using OSSL_PKEY_RSA_PAD_MODE_OAEP directly in the expansion of the
++  * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient
++  * HP/UX PA-RISC compilers.
++  */
++-static const char pad_mode_none[] = OSSL_PKEY_RSA_PAD_MODE_NONE;
+++static const char pad_mode_oaep[] = OSSL_PKEY_RSA_PAD_MODE_OAEP;
+++static const char oaep_fixed_seed[] = {
+++    0xf6, 0x10, 0xef, 0x0a, 0x97, 0xbf, 0x91, 0x25,
+++    0x97, 0xcf, 0x8e, 0x0a, 0x75, 0x51, 0x2f, 0xab,
+++    0x2e, 0x4b, 0x2c, 0xe6
+++};
++ 
++ static const ST_KAT_PARAM rsa_enc_params[] = {
++-    ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_none),
+++    ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_oaep),
+++    ST_KAT_PARAM_OCTET(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED,
+++                       oaep_fixed_seed),
++     ST_KAT_PARAM_END()
++ };
++ 
++@@ -1342,43 +1349,43 @@ static const unsigned char rsa_expected_sig[256] = {
++     0x2c, 0x68, 0xf0, 0x37, 0xa9, 0xd2, 0x56, 0xd6
++ };
++ 
++-static const unsigned char rsa_asym_plaintext_encrypt[256] = {
+++static const unsigned char rsa_asym_plaintext_encrypt[208] = {
++    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
++    0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
++ };
++ static const unsigned char rsa_asym_expected_encrypt[256] = {
++-    0x54, 0xac, 0x23, 0x96, 0x1d, 0x82, 0x5d, 0x8b,
++-    0x8f, 0x36, 0x33, 0xd0, 0xf4, 0x02, 0xa2, 0x61,
++-    0xb1, 0x13, 0xd4, 0x4a, 0x46, 0x06, 0x37, 0x3c,
++-    0xbf, 0x40, 0x05, 0x3c, 0xc6, 0x3b, 0x64, 0xdc,
++-    0x22, 0x22, 0xaf, 0x36, 0x79, 0x62, 0x45, 0xf0,
++-    0x97, 0x82, 0x22, 0x44, 0x86, 0x4a, 0x7c, 0xfa,
++-    0xac, 0x03, 0x21, 0x84, 0x3f, 0x31, 0xad, 0x2a,
++-    0xa4, 0x6e, 0x7a, 0xc5, 0x93, 0xf3, 0x0f, 0xfc,
++-    0xf1, 0x62, 0xce, 0x82, 0x12, 0x45, 0xc9, 0x35,
++-    0xb0, 0x7a, 0xcd, 0x99, 0x8c, 0x91, 0x6b, 0x5a,
++-    0xd3, 0x46, 0xdb, 0xf9, 0x9e, 0x52, 0x49, 0xbd,
++-    0x1e, 0xe8, 0xda, 0xac, 0x61, 0x47, 0xc2, 0xda,
++-    0xfc, 0x1e, 0xfb, 0x74, 0xd7, 0xd6, 0xc1, 0x18,
++-    0x86, 0x3e, 0x20, 0x9c, 0x7a, 0xe1, 0x04, 0xb7,
++-    0x38, 0x43, 0xb1, 0x4e, 0xa0, 0xd8, 0xc1, 0x39,
++-    0x4d, 0xe1, 0xd3, 0xb0, 0xb3, 0xf1, 0x82, 0x87,
++-    0x1f, 0x74, 0xb5, 0x69, 0xfd, 0x33, 0xd6, 0x21,
++-    0x7c, 0x61, 0x60, 0x28, 0xca, 0x70, 0xdb, 0xa0,
++-    0xbb, 0xc8, 0x73, 0xa9, 0x82, 0xf8, 0x6b, 0xd8,
++-    0xf0, 0xc9, 0x7b, 0x20, 0xdf, 0x9d, 0xfb, 0x8c,
++-    0xd4, 0xa2, 0x89, 0xe1, 0x9b, 0x04, 0xad, 0xaa,
++-    0x11, 0x6c, 0x8f, 0xce, 0x83, 0x29, 0x56, 0x69,
++-    0xbb, 0x00, 0x3b, 0xef, 0xca, 0x2d, 0xcd, 0x52,
++-    0xc8, 0xf1, 0xb3, 0x9b, 0xb4, 0x4f, 0x6d, 0x9c,
++-    0x3d, 0x69, 0xcc, 0x6d, 0x1f, 0x38, 0x4d, 0xe6,
++-    0xbb, 0x0c, 0x87, 0xdc, 0x5f, 0xa9, 0x24, 0x93,
++-    0x03, 0x46, 0xa2, 0x33, 0x6c, 0xf4, 0xd8, 0x5d,
++-    0x68, 0xf3, 0xd3, 0xe0, 0xf2, 0x30, 0xdb, 0xf5,
++-    0x4f, 0x0f, 0xad, 0xc7, 0xd0, 0xaa, 0x47, 0xd9,
++-    0x9f, 0x85, 0x1b, 0x2e, 0x6c, 0x3c, 0x57, 0x04,
++-    0x29, 0xf4, 0xf5, 0x66, 0x7d, 0x93, 0x4a, 0xaa,
++-    0x05, 0x52, 0x55, 0xc1, 0xc6, 0x06, 0x90, 0xab,
+++    0x6c, 0x21, 0xc1, 0x9e, 0x94, 0xee, 0xdf, 0x74,
+++    0x3a, 0x3c, 0x7c, 0x04, 0x1a, 0x53, 0x9e, 0x7c,
+++    0x42, 0xac, 0x7e, 0x28, 0x9a, 0xb7, 0xe2, 0x4e,
+++    0x87, 0xd4, 0x00, 0x69, 0x71, 0xf0, 0x3e, 0x0b,
+++    0xc1, 0xda, 0xd6, 0xbd, 0x21, 0x39, 0x4f, 0x25,
+++    0x22, 0x1f, 0x76, 0x0d, 0x62, 0x1f, 0xa2, 0x89,
+++    0xdb, 0x38, 0x32, 0x88, 0x21, 0x1d, 0x89, 0xf1,
+++    0xe0, 0x14, 0xd4, 0xb7, 0x90, 0xfc, 0xbc, 0x50,
+++    0xb0, 0x8d, 0x5c, 0x2f, 0x49, 0x9e, 0x90, 0x17,
+++    0x9e, 0x60, 0x9f, 0xe1, 0x77, 0x4f, 0x11, 0xa2,
+++    0xcf, 0x16, 0x65, 0x2d, 0x4a, 0x2c, 0x12, 0xcb,
+++    0x1e, 0x3c, 0x29, 0x8b, 0xdc, 0x27, 0x06, 0x9d,
+++    0xf4, 0x0d, 0xe1, 0xc9, 0xeb, 0x14, 0x6a, 0x7e,
+++    0xfd, 0xa7, 0xa8, 0xa7, 0x51, 0x82, 0x62, 0x0f,
+++    0x29, 0x8d, 0x8c, 0x5e, 0xf2, 0xb8, 0xcd, 0xd3,
+++    0x51, 0x92, 0xa7, 0x25, 0x39, 0x9d, 0xdd, 0x06,
+++    0xff, 0xb1, 0xb0, 0xd5, 0x61, 0x03, 0x8f, 0x25,
+++    0x5c, 0x49, 0x12, 0xc1, 0x50, 0x67, 0x61, 0x78,
+++    0xb3, 0xe3, 0xc4, 0xf6, 0x36, 0x16, 0xa9, 0x04,
+++    0x91, 0x0a, 0x4b, 0x27, 0x28, 0x97, 0x50, 0x7c,
+++    0x65, 0x2d, 0xd0, 0x08, 0x71, 0x84, 0xe7, 0x47,
+++    0x79, 0x83, 0x91, 0x46, 0xd9, 0x8f, 0x79, 0xce,
+++    0x49, 0xcb, 0xcd, 0x8b, 0x34, 0xac, 0x61, 0xe0,
+++    0xe6, 0x55, 0xbf, 0x10, 0xe4, 0xac, 0x9a, 0xd6,
+++    0xed, 0xc1, 0xc2, 0xb6, 0xb6, 0xf7, 0x41, 0x99,
+++    0xde, 0xfa, 0xde, 0x11, 0x16, 0xa2, 0x18, 0x30,
+++    0x30, 0xdc, 0x95, 0x76, 0x2f, 0x46, 0x43, 0x20,
+++    0xc4, 0xe7, 0x50, 0xb9, 0x1e, 0xcd, 0x69, 0xbb,
+++    0x29, 0x94, 0x27, 0x9c, 0xc9, 0xab, 0xb4, 0x27,
+++    0x8b, 0x4d, 0xe1, 0xcb, 0xc1, 0x04, 0x2c, 0x66,
+++    0x41, 0x3a, 0x4d, 0xeb, 0x61, 0x4c, 0x77, 0x5a,
+++    0xee, 0xb0, 0xca, 0x99, 0x0e, 0x7f, 0xbe, 0x06
++ };
++ 
++ #ifndef OPENSSL_NO_EC
++diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
++index f13c41abd6..4ea10670c0 100644
++--- a/providers/fips/self_test_kats.c
+++++ b/providers/fips/self_test_kats.c
++@@ -642,14 +642,21 @@ static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
++     return ret;
++ }
++ 
+++int REDHAT_FIPS_asym_cipher_st = 0;
+++
++ static int self_test_asym_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
++ {
++     int i, ret = 1;
++ 
+++    REDHAT_FIPS_asym_cipher_st = 1;
+++
++     for (i = 0; i < (int)OSSL_NELEM(st_kat_asym_cipher_tests); ++i) {
++         if (!self_test_asym_cipher(&st_kat_asym_cipher_tests[i], st, libctx))
++             ret = 0;
++     }
+++
+++    REDHAT_FIPS_asym_cipher_st = 0;
+++
++     return ret;
++ }
++ 
++diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
++index d548560f1f..f3443b0c66 100644
++--- a/providers/implementations/asymciphers/rsa_enc.c
+++++ b/providers/implementations/asymciphers/rsa_enc.c
++@@ -30,6 +30,9 @@
++ #include "prov/implementations.h"
++ #include "prov/providercommon.h"
++ #include "prov/securitycheck.h"
+++#ifdef FIPS_MODULE
+++# include "crypto/rsa/rsa_local.h"
+++#endif
++ 
++ #include <stdlib.h>
++ 
++@@ -75,6 +78,9 @@ typedef struct {
++     /* TLS padding */
++     unsigned int client_version;
++     unsigned int alt_version;
+++#ifdef FIPS_MODULE
+++    char *redhat_st_oaep_seed;
+++#endif /* FIPS_MODULE */
++     /* PKCS#1 v1.5 decryption mode */
++     unsigned int implicit_rejection;
++ } PROV_RSA_CTX;
++@@ -193,12 +199,21 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
++             }
++         }
++         ret =
++-            ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(prsactx->libctx, tbuf,
+++#ifdef FIPS_MODULE
+++            ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(
+++#else
+++            ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(
+++#endif
+++                                                    prsactx->libctx, tbuf,
++                                                     rsasize, in, inlen,
++                                                     prsactx->oaep_label,
++                                                     prsactx->oaep_labellen,
++                                                     prsactx->oaep_md,
++-                                                    prsactx->mgf1_md);
+++                                                    prsactx->mgf1_md
+++#ifdef FIPS_MODULE
+++                                                    , prsactx->redhat_st_oaep_seed
+++#endif
+++                                                    );
++ 
++         if (!ret) {
++             OPENSSL_free(tbuf);
++@@ -332,6 +347,9 @@ static void rsa_freectx(void *vprsactx)
++     EVP_MD_free(prsactx->oaep_md);
++     EVP_MD_free(prsactx->mgf1_md);
++     OPENSSL_free(prsactx->oaep_label);
+++#ifdef FIPS_MODULE
+++    OPENSSL_free(prsactx->redhat_st_oaep_seed);
+++#endif /* FIPS_MODULE */
++ 
++     OPENSSL_free(prsactx);
++ }
++@@ -455,6 +473,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
++                     NULL, 0),
++     OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),
++     OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
+++#ifdef FIPS_MODULE
+++    OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0),
+++#endif /* FIPS_MODULE */
++     OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
++     OSSL_PARAM_END
++ };
++@@ -465,6 +486,10 @@ static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx,
++     return known_gettable_ctx_params;
++ }
++ 
+++#ifdef FIPS_MODULE
+++extern int REDHAT_FIPS_asym_cipher_st;
+++#endif /* FIPS_MODULE */
+++
++ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
++ {
++     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
++@@ -576,6 +601,18 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
++         prsactx->oaep_labellen = tmp_labellen;
++     }
++ 
+++#ifdef FIPS_MODULE
+++    p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED);
+++    if (p != NULL && REDHAT_FIPS_asym_cipher_st) {
+++        void *tmp_oaep_seed = NULL;
+++
+++        if (!OSSL_PARAM_get_octet_string(p, &tmp_oaep_seed, 0, NULL))
+++            return 0;
+++        OPENSSL_free(prsactx->redhat_st_oaep_seed);
+++        prsactx->redhat_st_oaep_seed = (char *)tmp_oaep_seed;
+++    }
+++#endif /* FIPS_MODULE */
+++
++     p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION);
++     if (p != NULL) {
++         unsigned int client_version;
++diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
++index c37ed7815f..70f7c50fe4 100644
++--- a/util/perl/OpenSSL/paramnames.pm
+++++ b/util/perl/OpenSSL/paramnames.pm
++@@ -401,6 +401,7 @@ my %params = (
++     'ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION' =>       "tls-client-version",
++     'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' =>   "tls-negotiated-version",
++     'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' =>       "implicit-rejection",
+++    'ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED' =>     "redhat-kat-oaep-seed",
++ 
++ # Encoder / decoder parameters
++ 
++-- 
++2.48.1
++
+diff --git a/REBASE.txt b/REBASE.txt
+new file mode 100644
+index 0000000000..2833a383c1
+--- /dev/null
++++ b/REBASE.txt
+@@ -0,0 +1,10 @@
++0028-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch
++
++Some asym testing has been dropped upstream, unclear if this needs to survive,
++if so we may need to resurrect deleted code in upstream patch:
++
++    commit 635bf4946a7e948f26a348ddc3b5a8d282354f64
++
++    fips: remove redundant RSA encrypt/decrypt KAT
++--
++
+-- 
+2.49.0
+

openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch

@@ -0,0 +1,312 @@
+From dc41625dc4a793f0e21188165711181ca085339b Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:16 +0100
+Subject: [PATCH 28/49] 
+ 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
+
+Patch-name: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
+Patch-id: 74
+Patch-status: |
+    # [PATCH 29/46]
+    # 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ crypto/evp/m_sigver.c           | 54 ++++++++++++++++++++++++++++-----
+ providers/fips/self_test_kats.c | 43 +++++++++++++++-----------
+ 2 files changed, 73 insertions(+), 24 deletions(-)
+
+Index: openssl-3.2.3/crypto/evp/m_sigver.c
+===================================================================
+--- openssl-3.2.3.orig/crypto/evp/m_sigver.c
++++ openssl-3.2.3/crypto/evp/m_sigver.c
+@@ -86,6 +86,7 @@ static int update(EVP_MD_CTX *ctx, const
+     ERR_raise(ERR_LIB_EVP, EVP_R_ONLY_ONESHOT_SUPPORTED);
+     return 0;
+ }
++#endif /* !defined(FIPS_MODULE) */
+ 
+ /*
+  * If we get the "NULL" md then the name comes back as "UNDEF". We want to use
+@@ -121,8 +122,10 @@ static int do_sigver_init(EVP_MD_CTX *ct
+         reinit = 0;
+         if (e == NULL)
+             ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props);
++#ifndef FIPS_MODULE
+         else
+             ctx->pctx = EVP_PKEY_CTX_new(pkey, e);
++#endif /* !defined(FIPS_MODULE) */
+     }
+     if (ctx->pctx == NULL)
+         return 0;
+@@ -132,8 +135,10 @@ static int do_sigver_init(EVP_MD_CTX *ct
+     locpctx = ctx->pctx;
+     ERR_set_mark();
+ 
++#ifndef FIPS_MODULE
+     if (evp_pkey_ctx_is_legacy(locpctx))
+         goto legacy;
++#endif /* !defined(FIPS_MODULE) */
+ 
+     /* do not reinitialize if pkey is set or operation is different */
+     if (reinit
+@@ -218,8 +223,10 @@ static int do_sigver_init(EVP_MD_CTX *ct
+             signature =
+                 evp_signature_fetch_from_prov((OSSL_PROVIDER *)tmp_prov,
+                                               supported_sig, locpctx->propquery);
++#ifndef FIPS_MODULE
+             if (signature == NULL)
+                 goto legacy;
++#endif /* !defined(FIPS_MODULE) */
+             break;
+         }
+         if (signature == NULL)
+@@ -303,6 +310,7 @@ static int do_sigver_init(EVP_MD_CTX *ct
+             ctx->fetched_digest = EVP_MD_fetch(locpctx->libctx, mdname, props);
+             if (ctx->fetched_digest != NULL) {
+                 ctx->digest = ctx->reqdigest = ctx->fetched_digest;
++#ifndef FIPS_MODULE
+             } else {
+                 /* legacy engine support : remove the mark when this is deleted */
+                 ctx->reqdigest = ctx->digest = EVP_get_digestbyname(mdname);
+@@ -311,11 +319,13 @@ static int do_sigver_init(EVP_MD_CTX *ct
+                     ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
+                     goto err;
+                 }
++#endif /* !defined(FIPS_MODULE) */
+             }
+             (void)ERR_pop_to_mark();
+         }
+     }
+ 
++#ifndef FIPS_MODULE
+     if (ctx->reqdigest != NULL
+             && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
+             && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
+@@ -327,6 +337,7 @@ static int do_sigver_init(EVP_MD_CTX *ct
+             goto err;
+         }
+     }
++#endif /* !defined(FIPS_MODULE) */
+ 
+     if (ver) {
+         if (signature->digest_verify_init == NULL) {
+@@ -359,6 +370,7 @@ static int do_sigver_init(EVP_MD_CTX *ct
+     EVP_KEYMGMT_free(tmp_keymgmt);
+     return 0;
+ 
++#ifndef FIPS_MODULE
+  legacy:
+     /*
+      * If we don't have the full support we need with provided methods,
+@@ -430,6 +442,7 @@ static int do_sigver_init(EVP_MD_CTX *ct
+         ctx->pctx->flag_call_digest_custom = 1;
+ 
+     ret = 1;
++#endif /* !defined(FIPS_MODULE) */
+ 
+  end:
+ #ifndef FIPS_MODULE
+@@ -472,7 +485,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx
+     return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1,
+                           NULL);
+ }
+-#endif /* FIPS_MDOE */
+ 
+ int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
+ {
+@@ -544,24 +556,30 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *c
+     return EVP_DigestUpdate(ctx, data, dsize);
+ }
+ 
+-#ifndef FIPS_MODULE
+ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
+                         size_t *siglen)
+ {
+-    int sctx = 0, r = 0;
+-    EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx;
++    int r = 0;
++#ifndef FIPS_MODULE
++    int sctx = 0;
++    EVP_PKEY_CTX *dctx = NULL;
++#endif /* !defined(FIPS_MODULE) */
++    EVP_PKEY_CTX *pctx = ctx->pctx;
+ 
+     if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) {
+         ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
+         return 0;
+     }
+ 
++#ifndef FIPS_MODULE
+     if (pctx == NULL
+             || pctx->operation != EVP_PKEY_OP_SIGNCTX
+             || pctx->op.sig.algctx == NULL
+             || pctx->op.sig.signature == NULL)
+         goto legacy;
++#endif /* !defined(FIPS_MODULE) */
+ 
++#ifndef FIPS_MODULE
+     if (sigret != NULL && (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
+         /* try dup */
+         dctx = EVP_PKEY_CTX_dup(pctx);
+@@ -576,7 +594,14 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx,
+     else
+         EVP_PKEY_CTX_free(dctx);
+     return r;
++#else
++    r = pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx,
++                                                  sigret, siglen,
++                                                  sigret == NULL ? 0 : *siglen);
++    return r;
++#endif /* !defined(FIPS_MODULE) */
+ 
++#ifndef FIPS_MODULE
+  legacy:
+     if (pctx == NULL || pctx->pmeth == NULL) {
+         ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
+@@ -649,6 +674,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx,
+         }
+     }
+     return 1;
++#endif /* !defined(FIPS_MODULE) */
+ }
+ 
+ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
+@@ -687,23 +713,29 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsi
+ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
+                           size_t siglen)
+ {
+-    unsigned char md[EVP_MAX_MD_SIZE];
+     int r = 0;
++#ifndef FIPS_MODULE
++    unsigned char md[EVP_MAX_MD_SIZE];
+     unsigned int mdlen = 0;
+     int vctx = 0;
+-    EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx;
++    EVP_PKEY_CTX *dctx = NULL;
++#endif /* !defined(FIPS_MODULE) */
++    EVP_PKEY_CTX *pctx = ctx->pctx;
+ 
+     if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) {
+         ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
+         return 0;
+     }
+ 
++#ifndef FIPS_MODULE
+     if (pctx == NULL
+             || pctx->operation != EVP_PKEY_OP_VERIFYCTX
+             || pctx->op.sig.algctx == NULL
+             || pctx->op.sig.signature == NULL)
+         goto legacy;
++#endif /* !defined(FIPS_MODULE) */
+ 
++#ifndef FIPS_MODULE
+     if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
+         /* try dup */
+         dctx = EVP_PKEY_CTX_dup(pctx);
+@@ -717,7 +749,13 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct
+     else
+         EVP_PKEY_CTX_free(dctx);
+     return r;
++#else
++    r = pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx,
++                                                    sig, siglen);
++    return r;
++#endif /* !defined(FIPS_MODULE) */
+ 
++#ifndef FIPS_MODULE
+  legacy:
+     if (pctx == NULL || pctx->pmeth == NULL) {
+         ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
+@@ -758,6 +796,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct
+     if (vctx || !r)
+         return r;
+     return EVP_PKEY_verify(pctx, sig, siglen, md, mdlen);
++#endif /* !defined(FIPS_MODULE) */
+ }
+ 
+ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
+@@ -790,4 +829,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, co
+         return -1;
+     return EVP_DigestVerifyFinal(ctx, sigret, siglen);
+ }
+-#endif /* FIPS_MODULE */
+Index: openssl-3.2.3/providers/fips/self_test_kats.c
+===================================================================
+--- openssl-3.2.3.orig/providers/fips/self_test_kats.c
++++ openssl-3.2.3/providers/fips/self_test_kats.c
+@@ -450,10 +450,13 @@ static int self_test_sign(const ST_KAT_S
+     int ret = 0;
+     OSSL_PARAM *params = NULL, *params_sig = NULL;
+     OSSL_PARAM_BLD *bld = NULL;
++    EVP_MD *md = NULL;
++    EVP_MD_CTX *ctx = NULL;
+     EVP_PKEY_CTX *sctx = NULL, *kctx = NULL;
+     EVP_PKEY *pkey = NULL;
+-    unsigned char sig[256];
+     BN_CTX *bnctx = NULL;
++    const char *msg = "Hello World!";
++    unsigned char sig[256];
+     size_t siglen = sizeof(sig);
+     static const unsigned char dgst[] = {
+         0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
+@@ -487,23 +490,26 @@ static int self_test_sign(const ST_KAT_S
+         || EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
+         goto err;
+ 
+-    /* Create a EVP_PKEY_CTX to use for the signing operation */
+-    sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
+-    if (sctx == NULL
+-        || EVP_PKEY_sign_init(sctx) <= 0)
+-        goto err;
+-
+-    /* set signature parameters */
+-    if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_SIGNATURE_PARAM_DIGEST,
+-                                         t->mdalgorithm,
+-                                         strlen(t->mdalgorithm) + 1))
+-        goto err;
++    /* Create a EVP_MD_CTX to use for the signature operation, assign signature
++     * parameters and sign */
+     params_sig = OSSL_PARAM_BLD_to_param(bld);
+-    if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
++    md = EVP_MD_fetch(libctx, "SHA256", NULL);
++    ctx = EVP_MD_CTX_new();
++    if (md == NULL || ctx == NULL)
++        goto err;
++    EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT);
++    if (EVP_DigestSignInit(ctx, &sctx, md, NULL, pkey) <= 0
++        || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0
++        || EVP_DigestSign(ctx, sig, &siglen, (const unsigned char *)msg, strlen(msg)) <= 0
++        || EVP_MD_CTX_reset(ctx) <= 0)
+         goto err;
+ 
+-    if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0
+-        || EVP_PKEY_verify_init(sctx) <= 0
++    /* sctx is not freed automatically inside the FIPS module */
++    EVP_PKEY_CTX_free(sctx);
++    sctx = NULL;
++
++    EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT);
++    if (EVP_DigestVerifyInit(ctx, &sctx, md, NULL, pkey) <= 0
+         || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
+         goto err;
+ 
+@@ -513,14 +519,17 @@ static int self_test_sign(const ST_KAT_S
+         goto err;
+ 
+     OSSL_SELF_TEST_oncorrupt_byte(st, sig);
+-    if (EVP_PKEY_verify(sctx, sig, siglen, dgst, sizeof(dgst)) <= 0)
++    if (EVP_DigestVerify(ctx, sig, siglen, (const unsigned char *)msg, strlen(msg)) <= 0)
+         goto err;
+     ret = 1;
+ err:
+     BN_CTX_free(bnctx);
+     EVP_PKEY_free(pkey);
+-    EVP_PKEY_CTX_free(kctx);
++    EVP_MD_free(md);
++    EVP_MD_CTX_free(ctx);
++    /* sctx is not freed automatically inside the FIPS module */
+     EVP_PKEY_CTX_free(sctx);
++    EVP_PKEY_CTX_free(kctx);
+     OSSL_PARAM_free(params);
+     OSSL_PARAM_free(params_sig);
+     OSSL_PARAM_BLD_free(bld);

openssl-FIPS-early-KATS.patch

@@ -0,0 +1,45 @@
+From ba6e65e2f7e7fe8d9cd62e1e7e345bc41dda424f Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Thu, 19 Oct 2023 13:12:40 +0200
+Subject: [PATCH 21/46] 0047-FIPS-early-KATS.patch
+
+Patch-name: 0047-FIPS-early-KATS.patch
+Patch-id: 47
+Patch-status: |
+    # # Execute KATS before HMAC verification
+From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911
+---
+ providers/fips/self_test.c | 22 ++++++++++------------
+ 1 file changed, 10 insertions(+), 12 deletions(-)
+
+Index: openssl-3.5.0-beta1/providers/fips/self_test.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/providers/fips/self_test.c
++++ openssl-3.5.0-beta1/providers/fips/self_test.c
+@@ -524,6 +524,14 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
+     if (ev == NULL)
+         goto end;
+ 
++    /*
++     * Run the KAT's before HMAC verification according to FIPS-140-3 requirements
++     */
++    if (!SELF_TEST_kats(ev, st->libctx)) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
++        goto end;
++    }
++
+    if (st->module_checksum_data == NULL) {
+         module_checksum = fips_hmac_container;
+         checksum_len = sizeof(fips_hmac_container);
+@@ -562,11 +570,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
+         }
+     }
+ 
+-    if (!SELF_TEST_kats(ev, st->libctx)) {
+-        ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
+-        goto end;
+-    }
+-
+     /* Verify that the RNG has been restored properly */
+     rng = ossl_rand_get0_private_noncreating(st->libctx);
+     if (rng != NULL)

openssl-FIPS-embed-hmac.patch

@@ -0,0 +1,404 @@
+From 831d0025257fd3746ab3fe30c05dbbfc0043f78e Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:15 +0100
+Subject: [PATCH 16/49] 0033-FIPS-embed-hmac.patch
+
+Patch-name: 0033-FIPS-embed-hmac.patch
+Patch-id: 33
+Patch-status: |
+    # # Embed HMAC into the fips.so
+    # Modify fips self test as per
+    # https://github.com/simo5/openssl/commit/9b95ef8bd2f5ac862e5eee74c724b535f1a8578a
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ providers/fips/self_test.c            | 204 ++++++++++++++++++++++++--
+ test/fipsmodule.cnf                   |   2 +
+ test/recipes/00-prep_fipsmodule_cnf.t |   2 +-
+ test/recipes/01-test_fipsmodule_cnf.t |   2 +-
+ test/recipes/03-test_fipsinstall.t    |   2 +-
+ test/recipes/30-test_defltfips.t      |   2 +-
+ test/recipes/80-test_ssl_new.t        |   2 +-
+ test/recipes/90-test_sslapi.t         |   2 +-
+ 8 files changed, 200 insertions(+), 18 deletions(-)
+ create mode 100644 test/fipsmodule.cnf
+
+Index: openssl-3.5.0-beta1/providers/fips/self_test.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/providers/fips/self_test.c
++++ openssl-3.5.0-beta1/providers/fips/self_test.c
+@@ -235,11 +235,133 @@ err:
+     return ok;
+ }
+ 
++#define HMAC_LEN 32
++/*
++ * The __attribute__ ensures we've created the .rodata1 section
++ * static ensures it's zero filled
++*/
++static const unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0};
++
+ /*
+  * Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify
+  * the result matches the expected value.
+  * Return 1 if verified, or 0 if it fails.
+  */
++
++#ifndef __USE_GNU
++#define __USE_GNU
++#include <dlfcn.h>
++#undef __USE_GNU
++#else
++#include <dlfcn.h>
++#endif
++#include <link.h>
++
++static int verify_integrity_rodata(OSSL_CORE_BIO *bio,
++                                   OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
++                                   unsigned char *expected, size_t expected_len,
++                                   OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
++                                   const char *event_type)
++{
++    int ret = 0, status;
++    unsigned char out[MAX_MD_SIZE];
++    unsigned char buf[INTEGRITY_BUF_SIZE];
++    size_t bytes_read = 0, out_len = 0;
++    EVP_MAC *mac = NULL;
++    EVP_MAC_CTX *ctx = NULL;
++    OSSL_PARAM params[2], *p = params;
++    Dl_info info;
++    void *extra_info = NULL;
++    struct link_map *lm = NULL;
++    unsigned long paddr;
++    unsigned long off = 0;
++
++    if (expected_len != HMAC_LEN)
++        goto err;
++
++    if (!integrity_self_test(ev, libctx))
++        goto err;
++
++    OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
++
++    if (!dladdr1 ((const void *)fips_hmac_container,
++                &info, &extra_info, RTLD_DL_LINKMAP))
++        goto err;
++    lm = extra_info;
++    paddr = (unsigned long)fips_hmac_container - lm->l_addr;
++
++    mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
++    if (mac == NULL)
++        goto err;
++    ctx = EVP_MAC_CTX_new(mac);
++    if (ctx == NULL)
++        goto err;
++
++    *p++ = OSSL_PARAM_construct_utf8_string("digest", DIGEST_NAME, 0);
++    *p = OSSL_PARAM_construct_end();
++
++    if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
++        goto err;
++
++    while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
++        status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
++        if (status != 1)
++            break;
++        if (!EVP_MAC_update(ctx, buf, bytes_read))
++            goto err;
++        off += bytes_read;
++    }
++
++    if (off < paddr) {
++        int delta = paddr - off;
++        status = read_ex_cb(bio, buf, delta, &bytes_read);
++        if (status != 1)
++            goto err;
++        if (!EVP_MAC_update(ctx, buf, bytes_read))
++            goto err;
++        off += bytes_read;
++    }
++
++    /* read away the buffer */
++    status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
++    if (status != 1)
++        goto err;
++
++    /* check that it is the expect bytes, no point in continuing otherwise */
++    if (memcmp(expected, buf, HMAC_LEN) != 0)
++        goto err;
++
++    /* replace in-file HMAC buffer with the original zeros */
++    memset(buf, 0, HMAC_LEN);
++    if (!EVP_MAC_update(ctx, buf, HMAC_LEN))
++        goto err;
++    off += HMAC_LEN;
++
++    while (bytes_read > 0) {
++        status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
++        if (status != 1)
++            break;
++        if (!EVP_MAC_update(ctx, buf, bytes_read))
++            goto err;
++        off += bytes_read;
++    }
++
++    if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
++        goto err;
++
++    OSSL_SELF_TEST_oncorrupt_byte(ev, out);
++    if (expected_len != out_len
++            || memcmp(expected, out, out_len) != 0)
++        goto err;
++    ret = 1;
++err:
++    OPENSSL_cleanse(out, MAX_MD_SIZE);
++    OSSL_SELF_TEST_onend(ev, ret);
++    EVP_MAC_CTX_free(ctx);
++    EVP_MAC_free(mac);
++    return ret;
++}
++
+ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
+                             unsigned char *expected, size_t expected_len,
+                             OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
+@@ -252,12 +374,23 @@ static int verify_integrity(OSSL_CORE_BI
+     EVP_MAC *mac = NULL;
+     EVP_MAC_CTX *ctx = NULL;
+     OSSL_PARAM params[2], *p = params;
++    Dl_info info;
++    void *extra_info = NULL;
++    struct link_map *lm = NULL;
++    unsigned long paddr;
++    unsigned long off = 0;
+ 
+     if (!integrity_self_test(ev, libctx))
+         goto err;
+ 
+     OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
+ 
++    if (!dladdr1 ((const void *)fips_hmac_container,
++                &info, &extra_info, RTLD_DL_LINKMAP))
++        goto err;
++    lm = extra_info;
++    paddr = (unsigned long)fips_hmac_container - lm->l_addr;
++
+     mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
+     if (mac == NULL)
+         goto err;
+@@ -271,13 +404,42 @@ static int verify_integrity(OSSL_CORE_BI
+     if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
+         goto err;
+ 
+-    while (1) {
+-        status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
++    while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
++        status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
++        if (status != 1)
++            break;
++        if (!EVP_MAC_update(ctx, buf, bytes_read))
++            goto err;
++        off += bytes_read;
++    }
++
++    if (off + INTEGRITY_BUF_SIZE > paddr) {
++        int delta = paddr - off;
++        status = read_ex_cb(bio, buf, delta, &bytes_read);
++        if (status != 1)
++            goto err;
++        if (!EVP_MAC_update(ctx, buf, bytes_read))
++            goto err;
++        off += bytes_read;
++
++        status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
++        memset(buf, 0, HMAC_LEN);
++        if (status != 1)
++            goto err;
++        if (!EVP_MAC_update(ctx, buf, bytes_read))
++            goto err;
++        off += bytes_read;
++    }
++
++    while (bytes_read > 0) {
++        status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
+         if (status != 1)
+             break;
+         if (!EVP_MAC_update(ctx, buf, bytes_read))
+             goto err;
++        off += bytes_read;
+     }
++
+     if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
+         goto err;
+ 
+@@ -287,6 +449,7 @@ static int verify_integrity(OSSL_CORE_BI
+         goto err;
+     ret = 1;
+ err:
++    OPENSSL_cleanse(out, sizeof(out));
+     OSSL_SELF_TEST_onend(ev, ret);
+     EVP_MAC_CTX_free(ctx);
+     EVP_MAC_free(mac);
+@@ -320,6 +483,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
+     OSSL_SELF_TEST *ev = NULL;
+     EVP_RAND *testrand = NULL;
+     EVP_RAND_CTX *rng;
++    unsigned char *alloc_checksum = NULL;
+ #endif
+ 
+     if (!RUN_ONCE(&fips_self_test_init, do_fips_self_test_init))
+@@ -352,8 +516,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
+         return 0;
+     }
+ 
+-    if (st == NULL
+-            || st->module_checksum_data == NULL) {
++    if (st == NULL) {
+         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
+         goto end;
+     }
+@@ -362,8 +525,15 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
+     if (ev == NULL)
+         goto end;
+ 
+-    module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
+-                                         &checksum_len);
++   if (st->module_checksum_data == NULL) {
++        module_checksum = fips_hmac_container;
++        checksum_len = sizeof(fips_hmac_container);
++    } else {
++        alloc_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
++                                             &checksum_len);
++        module_checksum = alloc_checksum;
++    }
++
+     if (module_checksum == NULL) {
+         ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
+         goto end;
+@@ -371,14 +541,29 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
+     bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb");
+ 
+     /* Always check the integrity of the fips module */
+-    if (bio_module == NULL
+-            || !verify_integrity(bio_module, st->bio_read_ex_cb,
+-                                 module_checksum, checksum_len, st->libctx,
+-                                 ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
++    if (bio_module == NULL) {
+         ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
+         goto end;
+     }
+ 
++    if (st->module_checksum_data == NULL) {
++        if (!verify_integrity_rodata(bio_module, st->bio_read_ex_cb,
++                                     module_checksum, checksum_len,
++                                     st->libctx, ev,
++                                     OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
++            ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
++            goto end;
++        }
++    } else {
++        if (!verify_integrity(bio_module, st->bio_read_ex_cb,
++                              module_checksum, checksum_len,
++                              st->libctx, ev,
++                              OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
++            ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
++            goto end;
++        }
++    }
++
+     if (!SELF_TEST_kats(ev, st->libctx)) {
+         ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
+         goto end;
+@@ -398,7 +583,8 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
+ end:
+     EVP_RAND_free(testrand);
+     OSSL_SELF_TEST_free(ev);
+-    OPENSSL_free(module_checksum);
++    if (alloc_checksum != NULL)
++        OPENSSL_free(alloc_checksum);
+ 
+     if (st != NULL)
+         (*st->bio_free_cb)(bio_module);
+Index: openssl-3.5.0-beta1/test/fipsmodule.cnf
+===================================================================
+--- /dev/null
++++ openssl-3.5.0-beta1/test/fipsmodule.cnf
+@@ -0,0 +1,2 @@
++[fips_sect]
++activate = 1
+Index: openssl-3.5.0-beta1/test/recipes/00-prep_fipsmodule_cnf.t
+===================================================================
+--- openssl-3.5.0-beta1.orig/test/recipes/00-prep_fipsmodule_cnf.t
++++ openssl-3.5.0-beta1/test/recipes/00-prep_fipsmodule_cnf.t
+@@ -20,7 +20,7 @@ use lib srctop_dir('Configurations');
+ use lib bldtop_dir('.');
+ use platform;
+ 
+-my $no_check = disabled("fips");
++my $no_check = 1;
+ plan skip_all => "FIPS module config file only supported in a fips build"
+     if $no_check;
+ 
+Index: openssl-3.5.0-beta1/test/recipes/01-test_fipsmodule_cnf.t
+===================================================================
+--- openssl-3.5.0-beta1.orig/test/recipes/01-test_fipsmodule_cnf.t
++++ openssl-3.5.0-beta1/test/recipes/01-test_fipsmodule_cnf.t
+@@ -23,7 +23,7 @@ use lib srctop_dir('Configurations');
+ use lib bldtop_dir('.');
+ use platform;
+ 
+-my $no_check = disabled("fips");
++my $no_check = 1;
+ plan skip_all => "Test only supported in a fips build"
+     if $no_check;
+ plan tests => 1;
+Index: openssl-3.5.0-beta1/test/recipes/03-test_fipsinstall.t
+===================================================================
+--- openssl-3.5.0-beta1.orig/test/recipes/03-test_fipsinstall.t
++++ openssl-3.5.0-beta1/test/recipes/03-test_fipsinstall.t
+@@ -24,7 +24,7 @@ use platform;
+ 
+ plan skip_all => "Fipsinstall not available in SUSE/openSUSE FIPS build";
+ 
+-plan skip_all => "Test only supported in a fips build" if disabled("fips");
++plan skip_all => "Test only supported in a fips build" if 1;
+ 
+ # Compatible options for pedantic FIPS compliance
+ my @pedantic_okay =
+Index: openssl-3.5.0-beta1/test/recipes/80-test_ssl_new.t
+===================================================================
+--- openssl-3.5.0-beta1.orig/test/recipes/80-test_ssl_new.t
++++ openssl-3.5.0-beta1/test/recipes/80-test_ssl_new.t
+@@ -27,7 +27,7 @@ setup("test_ssl_new");
+ use lib srctop_dir('Configurations');
+ use lib bldtop_dir('.');
+ 
+-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
++my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
+ 
+ $ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
+ 
+Index: openssl-3.5.0-beta1/test/recipes/90-test_sslapi.t
+===================================================================
+--- openssl-3.5.0-beta1.orig/test/recipes/90-test_sslapi.t
++++ openssl-3.5.0-beta1/test/recipes/90-test_sslapi.t
+@@ -14,7 +14,7 @@ BEGIN {
+ setup("test_sslapi");
+ }
+ 
+-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
++my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
+ my $fipsmodcfg_filename = "fipsmodule.cnf";
+ my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename);
+ 
+Index: openssl-3.5.0-beta1/test/recipes/30-test_defltfips.t
+===================================================================
+--- openssl-3.5.0-beta1.orig/test/recipes/30-test_defltfips.t
++++ openssl-3.5.0-beta1/test/recipes/30-test_defltfips.t
+@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
+ plan skip_all => "Configuration loading is turned off"
+     if disabled("autoload-config");
+ 
+-my $no_fips = disabled('fips') || disabled('fips-post') || ($ENV{NO_FIPS} // 0);
++my $no_fips = 1; #disabled('fips') || disabled('fips-post') || ($ENV{NO_FIPS} // 0);
+ 
+ plan tests =>
+     ($no_fips ? 1 : 5);

openssl-FIPS-enforce-EMS-support.patch

@@ -0,0 +1,187 @@
+From f95df45ab70817723efc449552c0a5f5c3779280 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:17 +0100
+Subject: [PATCH 40/53] FIPS: TLS: Enforce EMS in TLS 1.2
+
+NOTE: Enforcement of EMS in non-FIPS mode has been dropped due to code
+change the option to enforce it seem to be available only in FIPS build
+
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ doc/man3/SSL_CONF_cmd.pod                          |  3 +++
+ doc/man5/fips_config.pod                           | 13 +++++++++++++
+ include/openssl/ssl.h.in                           |  1 +
+ providers/fips/include/fips_indicator_params.inc   |  2 +-
+ ssl/ssl_conf.c                                     |  1 +
+ ssl/statem/extensions_srvr.c                       |  8 +++++++-
+ ssl/t1_enc.c                                       | 11 +++++++++--
+ test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt | 10 ++++++++++
+ test/sslapitest.c                                  |  2 +-
+ 9 files changed, 46 insertions(+), 5 deletions(-)
+
+diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
+index e2c1e69847..009b683b27 100644
+--- a/doc/man3/SSL_CONF_cmd.pod
++++ b/doc/man3/SSL_CONF_cmd.pod
+@@ -621,6 +621,9 @@ B<ExtendedMasterSecret>: use extended master secret extension, enabled by
+ default. Inverse of B<SSL_OP_NO_EXTENDED_MASTER_SECRET>: that is,
+ B<-ExtendedMasterSecret> is the same as setting B<SSL_OP_NO_EXTENDED_MASTER_SECRET>.
+ 
++B<RHNoEnforceEMSinFIPS>: allow establishing connections without EMS in FIPS mode.
++This is a downstream specific option, and normally it should be set up via crypto policies.
++
+ B<CANames>: use CA names extension, enabled by
+ default. Inverse of B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>: that is,
+ B<-CANames> is the same as setting B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>.
+diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod
+index 15748c5756..34cbfbb2ad 100644
+--- a/doc/man5/fips_config.pod
++++ b/doc/man5/fips_config.pod
+@@ -11,6 +11,19 @@ automatically loaded when the system is booted in FIPS mode, or when the
+ environment variable B<OPENSSL_FORCE_FIPS_MODE> is set. See the documentation
+ for more information.
+ 
++SUSE Enterprise Linux uses a supplementary config for FIPS module located in
++OpenSSL configuration directory and managed by crypto policies. If present, it
++should have format
++
++ [fips_sect]
++ tls1-prf-ems-check = 0
++ activate = 1
++
++The B<tls1-prf-ems-check> option specifies whether FIPS module will require the
++presence of extended master secret or not.
++
++The B<activate> option enforces FIPS provider activation.
++
+ =head1 COPYRIGHT
+ 
+ Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
+diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
+index 0b2232b01c..99b2ad4eb3 100644
+--- a/include/openssl/ssl.h.in
++++ b/include/openssl/ssl.h.in
+@@ -417,6 +417,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
+      * interoperability with CryptoPro CSP 3.x
+      */
+ # define SSL_OP_CRYPTOPRO_TLSEXT_BUG                     SSL_OP_BIT(31)
++# define SSL_OP_RH_PERMIT_NOEMS_FIPS                     SSL_OP_BIT(48)
+ /*
+  * Disable RFC8879 certificate compression
+  * SSL_OP_NO_TX_CERTIFICATE_COMPRESSION: don't send compressed certificates,
+diff --git a/providers/fips/include/fips_indicator_params.inc b/providers/fips/include/fips_indicator_params.inc
+index c1b029de86..47d1cf2d01 100644
+--- a/providers/fips/include/fips_indicator_params.inc
++++ b/providers/fips/include/fips_indicator_params.inc
+@@ -1,5 +1,5 @@
+ OSSL_FIPS_PARAM(security_checks, SECURITY_CHECKS, 1)
+-OSSL_FIPS_PARAM(tls1_prf_ems_check, TLS1_PRF_EMS_CHECK, 0)
++OSSL_FIPS_PARAM(tls1_prf_ems_check, TLS1_PRF_EMS_CHECK, 1)
+ OSSL_FIPS_PARAM(no_short_mac, NO_SHORT_MAC, 1)
+ OSSL_FIPS_PARAM(hmac_key_check, HMAC_KEY_CHECK, 0)
+ OSSL_FIPS_PARAM(kmac_key_check, KMAC_KEY_CHECK, 0)
+diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
+index 946d20be52..b52c1675fd 100644
+--- a/ssl/ssl_conf.c
++++ b/ssl/ssl_conf.c
+@@ -394,6 +394,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
+         SSL_FLAG_TBL("ClientRenegotiation",
+                      SSL_OP_ALLOW_CLIENT_RENEGOTIATION),
+         SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),
++        SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", SSL_OP_RH_PERMIT_NOEMS_FIPS),
+         SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION),
+         SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
+         SSL_FLAG_TBL("PreferNoDHEKEX", SSL_OP_PREFER_NO_DHE_KEX),
+diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
+index dd771207f6..48db802b1f 100644
+--- a/ssl/statem/extensions_srvr.c
++++ b/ssl/statem/extensions_srvr.c
+@@ -12,6 +12,7 @@
+ #include "statem_local.h"
+ #include "internal/cryptlib.h"
+ #include "internal/ssl_unwrap.h"
++#include <openssl/fips.h>
+ 
+ #define COOKIE_STATE_FORMAT_VERSION     1
+ 
+@@ -1874,8 +1875,13 @@ EXT_RETURN tls_construct_stoc_ems(SSL_CONNECTION *s, WPACKET *pkt,
+                                   unsigned int context,
+                                   X509 *x, size_t chainidx)
+ {
+-    if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
++    if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) {
++        if (FIPS_mode() && !(SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_RH_PERMIT_NOEMS_FIPS) ) {
++            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
++            return EXT_RETURN_FAIL;
++        }
+         return EXT_RETURN_NOT_SENT;
++    }
+ 
+     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
+             || !WPACKET_put_bytes_u16(pkt, 0)) {
+diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
+index 474ea7bf5b..e0e595e989 100644
+--- a/ssl/t1_enc.c
++++ b/ssl/t1_enc.c
+@@ -21,6 +21,7 @@
+ #include <openssl/obj_mac.h>
+ #include <openssl/core_names.h>
+ #include <openssl/trace.h>
++#include <openssl/fips.h>
+ 
+ /* seed1 through seed5 are concatenated */
+ static int tls1_PRF(SSL_CONNECTION *s,
+@@ -78,8 +79,14 @@ static int tls1_PRF(SSL_CONNECTION *s,
+     }
+ 
+  err:
+-    if (fatal)
+-        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++    if (fatal) {
++        /* The calls to this function are local so it's safe to implement the check */
++        if (FIPS_mode() && seed1_len >= TLS_MD_MASTER_SECRET_CONST_SIZE
++            && memcmp(seed1, TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
++            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
++	else
++            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++    }
+     else
+         ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
+     EVP_KDF_CTX_free(kctx);
+diff --git a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
+index 50944328cb..edb2e81273 100644
+--- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
++++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
+@@ -22,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587c
+ Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
+ Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
+ 
++Availablein = fips
++KDF = TLS1-PRF
++Ctrl.digest = digest:SHA256
++Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc
++Ctrl.label = seed:master secret
++Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c
++Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
++Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
++Result = KDF_DERIVE_ERROR
++
+ FIPSversion = <=3.1.0
+ KDF = TLS1-PRF
+ Ctrl.digest = digest:SHA256
+diff --git a/test/sslapitest.c b/test/sslapitest.c
+index 16155afccb..93766fae23 100644
+--- a/test/sslapitest.c
++++ b/test/sslapitest.c
+@@ -575,7 +575,7 @@ static int test_client_cert_verify_cb(void)
+     STACK_OF(X509) *server_chain;
+     SSL_CTX *cctx = NULL, *sctx = NULL;
+     SSL *clientssl = NULL, *serverssl = NULL;
+-    int testresult = 0;
++    int testresult = 0, status;
+ 
+     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+                                        TLS_client_method(), TLS1_VERSION, 0,
+-- 
+2.49.0
+

openssl-FIPS-enforce-security-checks-during-initialization.patch

@@ -0,0 +1,22 @@
+Index: openssl-3.1.4/providers/fips/fipsprov.c
+===================================================================
+--- openssl-3.1.4.orig/providers/fips/fipsprov.c
++++ openssl-3.1.4/providers/fips/fipsprov.c
+@@ -107,7 +107,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_L
+         return NULL;
+     init_fips_option(&fgbl->fips_security_checks, 1);
+     init_fips_option(&fgbl->fips_tls1_prf_ems_check, 1); /* Enabled by default */
+-    init_fips_option(&fgbl->fips_restricted_drgb_digests, 0);
++    init_fips_option(&fgbl->fips_restricted_drgb_digests, 1); /* Enabled by default */
+     return fgbl;
+ }
+ 
+@@ -820,8 +820,6 @@ int OSSL_provider_init_int(const OSSL_CO
+     if (fgbl->field.option != NULL) {                                       \
+         if (strcmp(fgbl->field.option, "1") == 0)                           \
+             fgbl->field.enabled = 1;                                        \
+-        else if (strcmp(fgbl->field.option, "0") == 0)                      \
+-            fgbl->field.enabled = 0;                                        \
+         else                                                                \
+             goto err;                                                       \
+     }

openssl-FIPS-limit-rsa-encrypt.patch

@@ -0,0 +1,980 @@
+From 3b0b89e7b30425add1889c0ed6c6b45e8d0ea744 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:15 +0100
+Subject: [PATCH 26/53] FIPS: RSA: encrypt limits - REVIEW
+
+Patch-name: 0058-FIPS-limit-rsa-encrypt.patch
+Patch-id: 58
+Patch-status: |
+    # # https://bugzilla.redhat.com/show_bug.cgi?id=2053289
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ providers/common/securitycheck.c              |   1 +
+ .../fips/include/fips_indicator_params.inc    |   2 +-
+ .../implementations/asymciphers/rsa_enc.c     |  26 ++++
+ .../30-test_evp_data/evppkey_rsa_common.txt   | 146 +++++++++++++-----
+ test/recipes/80-test_cms.t                    |   5 +-
+ test/recipes/80-test_ssl_old.t                |  27 +++-
+ 6 files changed, 164 insertions(+), 43 deletions(-)
+ mode change 100644 => 100755 test/recipes/80-test_ssl_old.t
+
+Index: openssl-3.5.0-beta1/providers/common/securitycheck.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/providers/common/securitycheck.c
++++ openssl-3.5.0-beta1/providers/common/securitycheck.c
+@@ -64,6 +64,7 @@ int ossl_rsa_key_op_get_protect(const RS
+  * Set protect = 1 for encryption or signing operations, or 0 otherwise. See
+  * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.
+  */
++/* openSUSE/SUSE build implements some extra limitations in providers/implementations/asymciphers/rsa_enc.c */
+ int ossl_rsa_check_key_size(const RSA *rsa, int protect)
+ {
+     int sz = RSA_bits(rsa);
+Index: openssl-3.5.0-beta1/providers/fips/include/fips_indicator_params.inc
+===================================================================
+--- openssl-3.5.0-beta1.orig/providers/fips/include/fips_indicator_params.inc
++++ openssl-3.5.0-beta1/providers/fips/include/fips_indicator_params.inc
+@@ -13,7 +13,7 @@ OSSL_FIPS_PARAM(sskdf_digest_check, SSKD
+ OSSL_FIPS_PARAM(x963kdf_digest_check, X963KDF_DIGEST_CHECK, 0)
+ OSSL_FIPS_PARAM(dsa_sign_disallowed, DSA_SIGN_DISABLED, 0)
+ OSSL_FIPS_PARAM(tdes_encrypt_disallowed, TDES_ENCRYPT_DISABLED, 0)
+-OSSL_FIPS_PARAM(rsa_pkcs15_padding_disabled, RSA_PKCS15_PAD_DISABLED, 0)
++OSSL_FIPS_PARAM(rsa_pkcs15_padding_disabled, RSA_PKCS15_PAD_DISABLED, 1)
+ OSSL_FIPS_PARAM(rsa_pss_saltlen_check, RSA_PSS_SALTLEN_CHECK, 0)
+ OSSL_FIPS_PARAM(rsa_sign_x931_disallowed, RSA_SIGN_X931_PAD_DISABLED, 0)
+ OSSL_FIPS_PARAM(hkdf_key_check, HKDF_KEY_CHECK, 0)
+Index: openssl-3.5.0-beta1/providers/implementations/asymciphers/rsa_enc.c
+===================================================================
+--- openssl-3.5.0-beta1.orig/providers/implementations/asymciphers/rsa_enc.c
++++ openssl-3.5.0-beta1/providers/implementations/asymciphers/rsa_enc.c
+@@ -168,6 +168,18 @@ static int rsa_encrypt(void *vprsactx, u
+     }
+ #endif
+ 
++# ifdef FIPS_MODULE
++    if (prsactx->pad_mode == RSA_NO_PADDING) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE);
++        return 0;
++    }
++
++    if (RSA_bits(prsactx->rsa) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
++        return 0;
++    }
++# endif
++
+     if (out == NULL) {
+         size_t len = RSA_size(prsactx->rsa);
+ 
+@@ -230,6 +242,20 @@ static int rsa_decrypt(void *vprsactx, u
+     if (!ossl_prov_is_running())
+         return 0;
+ 
++# ifdef FIPS_MODULE
++    if ((prsactx->pad_mode == RSA_PKCS1_PADDING
++         || prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING
++         || prsactx->pad_mode == RSA_NO_PADDING)) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_PADDING_MODE);
++        return 0;
++    }
++
++    if (RSA_bits(prsactx->rsa) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
++        return 0;
++    }
++# endif
++
+     if (prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING) {
+         if (out == NULL) {
+             *outlen = SSL_MAX_MASTER_KEY_LENGTH;
+Index: openssl-3.5.0-beta1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+===================================================================
+--- openssl-3.5.0-beta1.orig/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
++++ openssl-3.5.0-beta1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+@@ -248,13 +248,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974
+ Output = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+ 
+ # RSA decrypt
+-
++Availablein = default
+ Decrypt = RSA-2048
+ Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78
+ Output = "Hello World"
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # Note: disable the Bleichenbacher workaround to see if it passes
+ Decrypt = RSA-2048
+ Ctrl = rsa_pkcs1_implicit_rejection:0
+@@ -262,7 +262,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235
+ Output = "Hello World"
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # Corrupted ciphertext
+ # Note: output is generated synthethically by the Bleichenbacher workaround
+ Decrypt = RSA-2048
+@@ -270,7 +270,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235
+ Output = 4cbb988d6a46228379132b0b5f8c249b3860043848c93632fb982c807c7c82fffc7a9ef83f4908f890373ac181ffea6381e103bcaa27e65638b6ecebef38b59ed4226a9d12af675cfcb634d8c40e7a7aff
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # Corrupted ciphertext
+ # Note: disable the Bleichenbacher workaround to see if it fails
+ Decrypt = RSA-2048
+@@ -296,13 +296,14 @@ Input = 00000000000000000000000000000000
+ Result = KEYOP_ERROR
+ 
+ # RSADP Ciphertext = 2 should pass
++Availablein = default
+ Decrypt = RSA-2048
+ Ctrl = rsa_padding_mode:none
+ Input = 0000000000000000000000000000000000000002
+ Output = 93d0bae8ad0d94de400eb078dd10edd7418ef1bf11b8e8b5d2b86b142e77d603e108fbcca2b976aa7b5326e5369db3bb73bf74f8d47c36a6318e913888c873502a561fc69329e7c24a0a016d81310449a52b29e49a6a41bdfe6c10a8d90072d64b4486756fd007c0071da2a8c7107a904621c11f0d81aa80b655a713c28170594ece28133dfbfddd61d4e4dad0d6781f6145a351a994054993fd57cd1330966ce97d7ac259b15616fd7235e2cac29fdc1c05f1612c61785614b80e7b650c03ef77d64163d75fa637cc2a9a7e570b3176fdcfb6ad6d25e8515f6ced02cfb3a441c87220044110fd27dcb53888f0377e1797bf297b7da27d3f033cd8b5d60ececc
+ 
+ # RSADP Ciphertext = n-2 should pass
+-Availablein = fips
++Availablein = none
+ Decrypt = RSA-2048
+ Ctrl = rsa_padding_mode:none
+ Input = cd0081ea7b2ae1ea06d59f7c73d9ffb94a09615c2e4ba7c636cef08dd3533ec3185525b015c769b99a77d6725bf9c3532a9b6e5f6627d5fb85160768d3dda9cbd35974511717dc3d309d2fc47ee41f97e32adb7f9dd864a1c4767a666ecd71bc1aacf5e7517f4b38594fea9b05e42d5ada9912008013e45316a4d9bb8ed086b88d28758bacaf922d46a868b485d239c9baeb0e2b64592710f42b2d1ea0a4b4802c0becab328f8a68b0073bdb546feea9809d2849912b390c1532bc7e29c7658f8175fae46f34332ff87bcab3e40649b98577869da0ea718353f0722754886913648760d122be676e0fc483dd20ffc31bda96a31966c9aa2e75ad03de47e1c44d
+@@ -317,6 +318,7 @@ Input = cd0081ea7b2ae1ea06d59f7c73d9ffb9
+ Result = KEYOP_ERROR
+ 
+ # RSADP Ciphertext = n should fail
++Availablein = default
+ Decrypt = RSA-2048
+ Ctrl = rsa_padding_mode:none
+ Input = cd0081ea7b2ae1ea06d59f7c73d9ffb94a09615c2e4ba7c636cef08dd3533ec3185525b015c769b99a77d6725bf9c3532a9b6e5f6627d5fb85160768d3dda9cbd35974511717dc3d309d2fc47ee41f97e32adb7f9dd864a1c4767a666ecd71bc1aacf5e7517f4b38594fea9b05e42d5ada9912008013e45316a4d9bb8ed086b88d28758bacaf922d46a868b485d239c9baeb0e2b64592710f42b2d1ea0a4b4802c0becab328f8a68b0073bdb546feea9809d2849912b390c1532bc7e29c7658f8175fae46f34332ff87bcab3e40649b98577869da0ea718353f0722754886913648760d122be676e0fc483dd20ffc31bda96a31966c9aa2e75ad03de47e1c44f
+@@ -406,82 +408,90 @@ PrivPubKeyPair = RSA-2048-2:RSA-2048-2-P
+ # RSA decrypt
+ 
+ # a random positive test case
++Availablein = default
+ Decrypt = RSA-2048-2
+ Input = 8bfe264e85d3bdeaa6b8851b8e3b956ee3d226fd3f69063a86880173a273d9f283b2eebdd1ed35f7e02d91c571981b6737d5320bd8396b0f3ad5b019daec1b0aab3cbbc026395f4fd14f13673f2dfc81f9b660ec26ac381e6db3299b4e460b43fab9955df2b3cfaa20e900e19c856238fd371899c2bf2ce8c868b76754e5db3b036533fd603746be13c10d4e3e6022ebc905d20c2a7f32b215a4cd53b3f44ca1c327d2c2b651145821c08396c89071f665349c25e44d2733cd9305985ceef6430c3cf57af5fa224089221218fa34737c79c446d28a94c41c96e4e92ac53fbcf384dea8419ea089f8784445a492c812eb0d409467f75afd7d4d1078886205a066
+ Output = "lorem ipsum dolor sit amet"
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # a random negative test case decrypting to empty
+ Decrypt = RSA-2048-2
+ Input = 20aaa8adbbc593a924ba1c5c7990b5c2242ae4b99d0fe636a19a4cf754edbcee774e472fe028160ed42634f8864900cb514006da642cae6ae8c7d087caebcfa6dad1551301e130344989a1d462d4164505f6393933450c67bc6d39d8f5160907cabc251b737925a1cf21e5c6aa5781b7769f6a2a583d97cce008c0f8b6add5f0b2bd80bee60237aa39bb20719fe75749f4bc4e42466ef5a861ae3a92395c7d858d430bfe38040f445ea93fa2958b503539800ffa5ce5f8cf51fa8171a91f36cb4f4575e8de6b4d3f096ee140b938fd2f50ee13f0d050222e2a72b0a3069ff3a6738e82c87090caa5aed4fcbe882c49646aa250b98f12f83c8d528113614a29e7
+ Output =
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # invalid decrypting to max length message
+ Decrypt = RSA-2048-2
+ Input = 48cceab10f39a4db32f60074feea473cbcdb7accf92e150417f76b44756b190e843e79ec12aa85083a21f5437e7bad0a60482e601198f9d86923239c8786ee728285afd0937f7dde12717f28389843d7375912b07b991f4fdb0190fced8ba665314367e8c5f9d2981d0f5128feeb46cb50fc237e64438a86df198dd0209364ae3a842d77532b66b7ef263b83b1541ed671b120dfd660462e2107a4ee7b964e734a7bd68d90dda61770658a3c242948532da32648687e0318286473f675b412d6468f013f14d760a358dfcad3cda2afeec5e268a37d250c37f722f468a70dfd92d7294c3c1ee1e7f8843b7d16f9f37ef35748c3ae93aa155cdcdfeb4e78567303
+ Output = 22d850137b9eebe092b24f602dc5bb7918c16bd89ddbf20467b119d205f9c2e4bd7d2592cf1e532106e0f33557565923c73a02d4f09c0c22bea89148183e60317f7028b3aa1f261f91c979393101d7e15f4067e63979b32751658ef769610fe97cf9cef3278b3117d384051c3b1d82c251c2305418c8f6840530e631aad63e70e20e025bcd8efb54c92ec6d3b106a2f8e64eeff7d38495b0fc50c97138af4b1c0a67a1c4e27b077b8439332edfa8608dfeae653cd6a628ac550395f7e74390e42c11682234870925eeaa1fa71b76cf1f2ee3bda69f6717033ff8b7c95c9799e7a3bea5e7e4a1c359772fb6b1c6e6c516661dfe30c3
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
+ # invalid decrypting to message with length specified by second to last value from PRF
++Availablein = default
+ Decrypt = RSA-2048-2
+ Input = 1439e08c3f84c1a7fec74ce07614b20e01f6fa4e8c2a6cffdc3520d8889e5d9a950c6425798f85d4be38d300ea5695f13ecd4cb389d1ff5b82484b494d6280ab7fa78e645933981cb934cce8bfcd114cc0e6811eefa47aae20af638a1cd163d2d3366186d0a07df0c81f6c9f3171cf3561472e98a6006bf75ddb457bed036dcce199369de7d94ef2c68e8467ee0604eea2b3009479162a7891ba5c40cab17f49e1c438cb6eaea4f76ce23cce0e483ff0e96fa790ea15be67671814342d0a23f4a20262b6182e72f3a67cd289711503c85516a9ed225422f98b116f1ab080a80abd6f0216df88d8cfd67c139243be8dd78502a7aaf6bc99d7da71bcdf627e7354
+ Output = 0f9b
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # invalid decrypting to message with length specified by third to last value from PRF
+ Decrypt = RSA-2048-2
+ Input = 1690ebcceece2ce024f382e467cf8510e74514120937978576caf684d4a02ad569e8d76cbe365a060e00779de2f0865ccf0d923de3b4783a4e2c74f422e2f326086c390b658ba47f31ab013aa80f468c71256e5fa5679b24e83cd82c3d1e05e398208155de2212993cd2b8bab6987cf4cc1293f19909219439d74127545e9ed8a706961b8ee2119f6bfacafbef91b75a789ba65b8b833bc6149cf49b5c4d2c6359f62808659ba6541e1cd24bf7f7410486b5103f6c0ea29334ea6f4975b17387474fe920710ea61568d7b7c0a7916acf21665ad5a31c4eabcde44f8fb6120d8457afa1f3c85d517cda364af620113ae5a3c52a048821731922737307f77a1081
+ Output = 4f02
+ 
+ # positive test with 11 byte long value
++Availablein = default
+ Decrypt = RSA-2048-2
+ Input = 6213634593332c485cef783ea2846e3d6e8b0e005cd8293eaebbaa5079712fd681579bdfbbda138ae4d9d952917a03c92398ec0cb2bb0c6b5a8d55061fed0d0d8d72473563152648cfe640b335dc95331c21cb133a91790fa93ae44497c128708970d2beeb77e8721b061b1c44034143734a77be8220877415a6dba073c3871605380542a9f25252a4babe8331cdd53cf828423f3cc70b560624d0581fb126b2ed4f4ed358f0eb8065cf176399ac1a846a31055f9ae8c9c24a1ba050bc20842125bc1753158f8065f3adb9cc16bfdf83816bdf38b624f12022c5a6fbfe29bc91542be8c0208a770bcd677dc597f5557dc2ce28a11bf3e3857f158717a33f6592
+ Output = "lorem ipsum"
+ 
+ # positive test with 11 byte long value and zero padded ciphertext
++Availablein = default
+ Decrypt = RSA-2048-2
+ Input = 00a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b
+ Output = "lorem ipsum"
+ 
+ # positive test with 11 byte long value and zero truncated ciphertext
++Availablein = default
+ Decrypt = RSA-2048-2
+ Input = a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b
+ Output = "lorem ipsum"
+ 
+ # positive test with 11 byte long value and double zero padded ciphertext
++Availablein = default
+ Decrypt = RSA-2048-2
+ Input = 00001f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc
+ Output = "lorem ipsum"
+ 
+ # positive test with 11 byte long value and double zero truncated ciphertext
++Availablein = default
+ Decrypt = RSA-2048-2
+ Input = 1f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc
+ Output = "lorem ipsum"
+ 
+ # positive that generates a 0 byte long synthetic message internally
++Availablein = default
+ Decrypt = RSA-2048-2
+ Input = b5e49308f6e9590014ffaffc5b8560755739dd501f1d4e9227a7d291408cf4b753f292322ff8bead613bf2caa181b221bc38caf6392deafb28eb21ad60930841ed02fd6225cc9c463409adbe7d8f32440212fbe3881c51375bb09565efb22e62b071472fb38676e5b4e23a0617db5d14d93519ac0007a30a9c822eb31c38b57fcb1be29608fcf1ca2abdcaf5d5752bbc2b5ac7dba5afcff4a5641da360dd01f7112539b1ed46cdb550a3b1006559b9fe1891030ec80f0727c42401ddd6cbb5e3c80f312df6ec89394c5a7118f573105e7ab00fe57833c126141b50a935224842addfb479f75160659ba28877b512bb9a93084ad8bec540f92640f63a11a010e0
+ Output = "lorem ipsum"
+ 
+ # positive that generates a 245 byte long synthetic message internally
++Availablein = default
+ Decrypt = RSA-2048-2
+ Input = 1ea0b50ca65203d0a09280d39704b24fe6e47800189db5033f202761a78bafb270c5e25abd1f7ecc6e7abc4f26d1b0cd9b8c648d529416ee64ccbdd7aa72a771d0353262b543f0e436076f40a1095f5c7dfd10dcf0059ccb30e92dfa5e0156618215f1c3ff3aa997a9d999e506924f5289e3ac72e5e2086cc7b499d71583ed561028671155db4005bee01800a7cdbdae781dd32199b8914b5d4011dd6ff11cd26d46aad54934d293b0bc403dd211bf13b5a5c6836a5e769930f437ffd8634fb7371776f4bc88fa6c271d8aa6013df89ae6470154497c4ac861be2a1c65ebffec139bf7aaba3a81c7c5cdd84da9af5d3edfb957848074686b5837ecbcb6a41c50
+ Output = "lorem ipsum"
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # a random negative test that generates an 11 byte long message
+ Decrypt = RSA-2048-2
+ Input = 5f02f4b1f46935c742ebe62b6f05aa0a3286aab91a49b34780adde6410ab46f7386e05748331864ac98e1da63686e4babe3a19ed40a7f5ceefb89179596aab07ab1015e03b8f825084dab028b6731288f2e511a4b314b6ea3997d2e8fe2825cef8897cbbdfb6c939d441d6e04948414bb69e682927ef8576c9a7090d4aad0e74c520d6d5ce63a154720f00b76de8cc550b1aa14f016d63a7b6d6eaa1f7dbe9e50200d3159b3d099c900116bf4eba3b94204f18b1317b07529751abf64a26b0a0bf1c8ce757333b3d673211b67cc0653f2fe2620d57c8b6ee574a0323a167eab1106d9bc7fd90d415be5f1e9891a0e6c709f4fc0404e8226f8477b4e939b36eb2
+ Output = af9ac70191c92413cb9f2d
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # an otherwise correct plaintext, but with wrong first byte
+ # (0x01 instead of 0x00), generates a random 11 byte long plaintext
+ Decrypt = RSA-2048-2
+@@ -489,7 +499,7 @@ Input = 9b2ec9c0c917c98f1ad3d0119aec6be5
+ Output = a1f8c9255c35cfba403ccc
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # an otherwise correct plaintext, but with wrong second byte
+ # (0x01 instead of 0x02), generates a random 11 byte long plaintext
+ Decrypt = RSA-2048-2
+@@ -497,7 +507,7 @@ Input = 782c2b59a21a511243820acedd567c13
+ Output = e6d700309ca0ed62452254
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # an invalid ciphertext, with a zero byte in first byte of
+ # ciphertext, decrypts to a random 11 byte long synthetic
+ # plaintext
+@@ -506,7 +516,7 @@ Input = 0096136621faf36d5290b16bd26295de
+ Output = ba27b1842e7c21c0e7ef6a
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # an invalid ciphertext, with a zero byte removed from first byte of
+ # ciphertext, decrypts to a random 11 byte long synthetic
+ # plaintext
+@@ -515,7 +525,7 @@ Input = 96136621faf36d5290b16bd26295de27
+ Output = ba27b1842e7c21c0e7ef6a
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # an invalid ciphertext, with two zero bytes in first bytes of
+ # ciphertext, decrypts to a random 11 byte long synthetic
+ # plaintext
+@@ -524,7 +534,7 @@ Input = 0000587cccc6b264bdfe0dc2149a9880
+ Output = d5cf555b1d6151029a429a
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # an invalid ciphertext, with two zero bytes removed from first bytes of
+ # ciphertext, decrypts to a random 11 byte long synthetic
+ # plaintext
+@@ -533,7 +543,7 @@ Input = 587cccc6b264bdfe0dc2149a988047fa
+ Output = d5cf555b1d6151029a429a
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # and invalid ciphertext, otherwise valid but starting with 000002, decrypts
+ # to random 11 byte long synthetic plaintext
+ Decrypt = RSA-2048-2
+@@ -541,7 +551,7 @@ Input = 1786550ce8d8433052e01ecba8b76d30
+ Output = 3d4a054d9358209e9cbbb9
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # negative test with otherwise valid padding but a zero byte in first byte
+ # of padding
+ Decrypt = RSA-2048-2
+@@ -549,7 +559,7 @@ Input = 179598823812d2c58a7eb50521150a48
+ Output = 1f037dd717b07d3e7f7359
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # negative test with otherwise valid padding but a zero byte at the eighth
+ # byte of padding
+ Decrypt = RSA-2048-2
+@@ -557,7 +567,7 @@ Input = a7a340675a82c30e22219a55bc07cdf3
+ Output = 63cb0bf65fc8255dd29e17
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # negative test with an otherwise valid plaintext but with missing separator
+ # byte
+ Decrypt = RSA-2048-2
+@@ -612,53 +622,58 @@ PrivPubKeyPair = RSA-2049:RSA-2049-PUBLI
+ # RSA decrypt
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # malformed that generates length specified by 3rd last value from PRF
+ Decrypt = RSA-2049
+ Input = 00b26f6404b82649629f2704494282443776929122e279a9cf30b0c6fe8122a0a9042870d97cc8ef65490fe58f031eb2442352191f5fbc311026b5147d32df914599f38b825ebb824af0d63f2d541a245c5775d1c4b78630e4996cc5fe413d38455a776cf4edcc0aa7fccb31c584d60502ed2b77398f536e137ff7ba6430e9258e21c2db5b82f5380f566876110ac4c759178900fbad7ab70ea07b1daf7a1639cbb4196543a6cbe8271f35dddb8120304f6eef83059e1c5c5678710f904a6d760c4d1d8ad076be17904b9e69910040b47914a0176fb7eea0c06444a6c4b86d674d19a556a1de5490373cb01ce31bbd15a5633362d3d2cd7d4af1b4c5121288b894
+ Output = 42
+ 
+ # simple positive test case
++Availablein = default
+ Decrypt = RSA-2049
+ Input = 013300edbf0bb3571e59889f7ed76970bf6d57e1c89bbb6d1c3991d9df8e65ed54b556d928da7d768facb395bbcc81e9f8573b45cf8195dbd85d83a59281cddf4163aec11b53b4140053e3bd109f787a7c3cec31d535af1f50e0598d85d96d91ea01913d07097d25af99c67464ebf2bb396fb28a9233e56f31f7e105d71a23e9ef3b736d1e80e713d1691713df97334779552fc94b40dd733c7251bc522b673d3ec9354af3dd4ad44fa71c0662213a57ada1d75149697d0eb55c053aaed5ffd0b815832f454179519d3736fb4faf808416071db0d0f801aca8548311ee708c131f4be658b15f6b54256872c2903ac708bd43b017b073b5707bc84c2cd9da70e967
+ Output = "lorem ipsum"
+ 
+ # positive test case with null padded ciphertext
++Availablein = default
+ Decrypt = RSA-2049
+ Input = 0002aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162
+ Output = "lorem ipsum"
+ 
+ # positive test case with null truncated ciphertext
++Availablein = default
+ Decrypt = RSA-2049
+ Input = 02aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162
+ Output = "lorem ipsum"
+ 
+ # positive test case with double null padded ciphertext
++Availablein = default
+ Decrypt = RSA-2049
+ Input = 0000f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052
+ Output = "lorem ipsum"
+ 
+ # positive test case with double null truncated ciphertext
++Availablein = default
+ Decrypt = RSA-2049
+ Input = f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052
+ Output = "lorem ipsum"
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # a random negative test case that generates an 11 byte long message
+ Decrypt = RSA-2049
+ Input = 00f910200830fc8fff478e99e145f1474b312e2512d0f90b8cef77f8001d09861688c156d1cbaf8a8957f7ebf35f724466952d0524cad48aad4fba1e45ce8ea27e8f3ba44131b7831b62d60c0762661f4c1d1a88cd06263a259abf1ba9e6b0b172069afb86a7e88387726f8ab3adb30bfd6b3f6be6d85d5dfd044e7ef052395474a9cbb1c3667a92780b43a22693015af6c513041bdaf87d43b24ddd244e791eeaea1066e1f4917117b3a468e22e0f7358852bb981248de4d720add2d15dccba6280355935b67c96f9dcb6c419cc38ab9f6fba2d649ef2066e0c34c9f788ae49babd9025fa85b21113e56ce4f43aa134c512b030dd7ac7ce82e76f0be9ce09ebca
+ Output = 1189b6f5498fd6df532b00
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # otherwise correct plaintext, but with wrong first byte (0x01 instead of 0x00)
+ Decrypt = RSA-2049
+ Input = 002c9ddc36ba4cf0038692b2d3a1c61a4bb3786a97ce2e46a3ba74d03158aeef456ce0f4db04dda3fe062268a1711250a18c69778a6280d88e133a16254e1f0e30ce8dac9b57d2e39a2f7d7be3ee4e08aec2fdbe8dadad7fdbf442a29a8fb40857407bf6be35596b8eefb5c2b3f58b894452c2dc54a6123a1a38d642e23751746597e08d71ac92704adc17803b19e131b4d1927881f43b0200e6f95658f559f912c889b4cd51862784364896cd6e8618f485a992f82997ad6a0917e32ae5872eaf850092b2d6c782ad35f487b79682333c1750c685d7d32ab3e1538f31dcaa5e7d5d2825875242c83947308dcf63ba4bfff20334c9c140c837dbdbae7a8dee72ff
+ Output = f6d0f5b78082fe61c04674
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # otherwise correct plaintext, but with wrong second byte (0x01 instead of 0x02)
+ Decrypt = RSA-2049
+ Input = 00c5d77826c1ab7a34d6390f9d342d5dbe848942e2618287952ba0350d7de6726112e9cebc391a0fae1839e2bf168229e3e0d71d4161801509f1f28f6e1487ca52df05c466b6b0a6fbbe57a3268a970610ec0beac39ec0fa67babce1ef2a86bf77466dc127d7d0d2962c20e66593126f276863cd38dc6351428f884c1384f67cad0a0ffdbc2af16711fb68dc559b96b37b4f04cd133ffc7d79c43c42ca4948fa895b9daeb853150c8a5169849b730cc77d68b0217d6c0e3dbf38d751a1998186633418367e7576530566c23d6d4e0da9b038d0bb5169ce40133ea076472d055001f0135645940fd08ea44269af2604c8b1ba225053d6db9ab43577689401bdc0f3
+@@ -722,14 +737,14 @@ ooCElYcob01/JWzoXl61Z5sdrMH5CVZJty5foHKu
+ PrivPubKeyPair = RSA-3072:RSA-3072-PUBLIC
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # a random invalid ciphertext that generates an empty synthetic one
+ Decrypt = RSA-3072
+ Input = 5e956cd9652f4a2ece902931013e09662b6a9257ad1e987fb75f73a0606df2a4b04789770820c2e02322c4e826f767bd895734a01e20609c3be4517a7a2a589ea1cdc137beb73eb38dac781b52e863de9620f79f9b90fd5b953651fcbfef4a9f1cc07421d511a87dd6942caab6a5a0f4df473e62defb529a7de1509ab99c596e1dff1320402298d8be73a896cc86c38ae3f2f576e9ea70cc28ad575cb0f854f0be43186baa9c18e29c47c6ca77135db79c811231b7c1730955887d321fdc06568382b86643cf089b10e35ab23e827d2e5aa7b4e99ff2e914f302351819eb4d1693243b35f8bf1d42d08f8ec4acafa35f747a4a975a28643ec630d8e4fa5be59d81995660a14bb64c1fea5146d6b11f92da6a3956dd5cb5e0d747cf2ea23f81617769185336263d46ef4c144b754de62a6337342d6c85a95f19f015724546ee3fc4823eca603dbc1dc01c2d5ed50bd72d8e96df2dc048edde0081284068283fc5e73a6139851abf2f29977d0b3d160c883a42a37efba1be05c1a0b1741d7ddf59
+ Output =
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # a random invalid that has PRF output with a length one byte too long
+ # in the last value
+ Decrypt = RSA-3072
+@@ -737,46 +752,51 @@ Input = 7db0390d75fcf9d4c59cf27b264190d8
+ Output = 56a3bea054e01338be9b7d7957539c
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # a random invalid that generates a synthetic of maximum size
+ Decrypt = RSA-3072
+ Input = 1715065322522dff85049800f6a29ab5f98c465020467414b2a44127fe9446da47fa18047900f99afe67c2df6f50160bb8e90bff296610fde632b3859d4d0d2e644f23835028c46cca01b84b88231d7e03154edec6627bcba23de76740d839851fa12d74c8f92e540c73fe837b91b7d699b311997d5f0f7864c486d499c3a79c111faaacbe4799597a25066c6200215c3d158f3817c1aa57f18bdaad0be1658da9da93f5cc6c3c4dd72788af57adbb6a0c26f42d32d95b8a4f95e8c6feb2f8a5d53b19a50a0b7cbc25e055ad03e5ace8f3f7db13e57759f67b65d143f08cca15992c6b2aae643390483de111c2988d4e76b42596266005103c8de6044fb7398eb3c28a864fa672de5fd8774510ff45e05969a11a4c7d3f343e331190d2dcf24fb9154ba904dc94af98afc5774a9617d0418fe6d13f8245c7d7626c176138dd698a23547c25f27c2b98ea4d8a45c7842b81888e4cc14e5b72e9cf91f56956c93dbf2e5f44a8282a7813157fc481ff1371a0f66b31797e81ebdb09a673d4db96d6
+ Output = 7b036fcd6243900e4236c894e2462c17738acc87e01a76f4d95cb9a328d9acde81650283b8e8f60a217e3bdee835c7b222ad4c85d0acdb9a309bd2a754609a65dec50f3aa04c6d5891034566b9563d42668ede1f8992b17753a2132e28970584e255efc8b45a41c5dbd7567f014acec5fe6fdb6d484790360a913ebb9defcd74ff377f2a8ba46d2ed85f733c9a3da08eb57ecedfafda806778f03c66b2c5d2874cec1c291b2d49eb194c7b5d0dd2908ae90f4843268a2c45563092ade08acb6ab481a08176102fc803fbb2f8ad11b0e1531bd37df543498daf180b12017f4d4d426ca29b4161075534bfb914968088a9d13785d0adc0e2580d3548494b2a9e91605f2b27e6cc701c796f0de7c6f471f6ab6cb9272a1ed637ca32a60d117505d82af3c1336104afb537d01a8f70b510e1eebf4869cb976c419473795a66c7f5e6e20a8094b1bb603a74330c537c5c0698c31538bd2e138c1275a1bdf24c5fa8ab3b7b526324e7918a382d1363b3d463764222150e04
+ 
+ # a positive test case that decrypts to 9 byte long value
++Availablein = default
+ Decrypt = RSA-3072
+ Input = 6c60845a854b4571f678941ae35a2ac03f67c21e21146f9db1f2306be9f136453b86ad55647d4f7b5c9e62197aaff0c0e40a3b54c4cde14e774b1c5959b6c2a2302896ffae1f73b00b862a20ff4304fe06cea7ff30ecb3773ca9af27a0b54547350d7c07dfb0a39629c7e71e83fc5af9b2adbaf898e037f1de696a3f328cf45af7ec9aff7173854087fb8fbf34be981efbd8493f9438d1b2ba2a86af082662aa46ae9adfbec51e5f3d9550a4dd1dcb7c8969c9587a6edc82a8cabbc785c40d9fbd12064559fb769450ac3e47e87bc046148130d7eaa843e4b3ccef3675d0630500803cb7ffee3882378c1a404e850c3e20707bb745e42b13c18786c4976076ed9fa8fd0ff15e571bef02cbbe2f90c908ac3734a433b73e778d4d17fcc28f49185ebc6e8536a06d293202d94496453bfdf1c2c7833a3f99fa38ca8a81f42eaa529d603b890308a319c0ab63a35ff8ebac965f6278f5a7e5d622be5d5fe55f0ca3ec993d55430d2bf59c5d3e860e90c16d91a04596f6fdf60d89ed95d88c036dde
+ Output = "forty two"
+ 
+ # a positive test case with null padded ciphertext
++Availablein = default
+ Decrypt = RSA-3072
+ Input = 00f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727
+ Output = "forty two"
+ 
+ # a positive test case with null truncated ciphertext
++Availablein = default
+ Decrypt = RSA-3072
+ Input = f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727
+ Output = "forty two"
+ 
+ # a positive test case with double null padded ciphertext
++Availablein = default
+ Decrypt = RSA-3072
+ Input = 00001ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0
+ Output = "forty two"
+ 
+ # a positive test case with double null truncated ciphertext
++Availablein = default
+ Decrypt = RSA-3072
+ Input = 1ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0
+ Output = "forty two"
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # a random negative test case that generates a 9 byte long message
+ Decrypt = RSA-3072
+ Input = 5c8555f5cef627c15d37f85c7f5fd6e499264ea4b8e3f9112023aeb722eb38d8eac2be3751fd5a3785ab7f2d59fa3728e5be8c3de78a67464e30b21ee23b5484bb3cd06d0e1c6ad25649c8518165653eb80488bfb491b20c04897a6772f69292222fc5ef50b5cf9efc6d60426a449b6c489569d48c83488df629d695653d409ce49a795447fcec2c58a1a672e4a391401d428baaf781516e11e323d302fcf20f6eab2b2dbe53a48c987e407c4d7e1cb41131329138313d330204173a4f3ff06c6fadf970f0ed1005d0b27e35c3d11693e0429e272d583e57b2c58d24315c397856b34485dcb077665592b747f889d34febf2be8fce66c265fd9fc3575a6286a5ce88b4b413a08efc57a07a8f57a999605a837b0542695c0d189e678b53662ecf7c3d37d9dbeea585eebfaf79141118e06762c2381fe27ca6288edddc19fd67cd64f16b46e06d8a59ac530f22cd83cc0bc4e37feb52015cbb2283043ccf5e78a4eb7146827d7a466b66c8a4a4826c1bad68123a7f2d00fc1736525ff90c058f56
+ Output = 257906ca6de8307728
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # a random negative test case that generates a 9 byte long message based on
+ # second to last value from PRF
+ Decrypt = RSA-3072
+@@ -784,7 +804,7 @@ Input = 758c215aa6acd61248062b88284bf43c
+ Output = 043383c929060374ed
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # a random negative test that generates message based on 3rd last value from
+ # PRF
+ Decrypt = RSA-3072
+@@ -792,35 +812,35 @@ Input = 7b22d5e62d287968c6622171a1f75db4
+ Output = 70263fa6050534b9e0
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # an otherwise valid plaintext, but with wrong first byte (0x01 instead of 0x00)
+ Decrypt = RSA-3072
+ Input = 6db80adb5ff0a768caf1378ecc382a694e7d1bde2eff4ba12c48aaf794ded7a994a5b2b57acec20dbec4ae385c9dd531945c0f197a5496908725fc99d88601a17d3bb0b2d38d2c1c3100f39955a4cb3dbed5a38bf900f23d91e173640e4ec655c84fdfe71fcdb12a386108fcf718c9b7af37d39703e882436224c877a2235e8344fba6c951eb7e2a4d1d1de81fb463ac1b880f6cc0e59ade05c8ce35179ecd09546731fc07b141d3d6b342a97ae747e61a9130f72d37ac5a2c30215b6cbd66c7db893810df58b4c457b4b54f34428247d584e0fa71062446210db08254fb9ead1ba1a393c724bd291f0cf1a7143f32df849051dc896d7d176fef3b57ab6dffd626d0c3044e9edb2e3d012ace202d2581df01bec7e9aa0727a6650dd373d374f0bc0f4a611f8139dfe97d63e70c6188f4df5b672e47c51d8aa567097293fbff127c75ec690b43407578b73c85451710a0cece58fd497d7f7bd36a8a92783ef7dc6265dff52aac8b70340b996508d39217f2783ce6fc91a1cc94bb2ac487b84f62
+ Output = 6d8d3a094ff3afff4c
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # an otherwise valid plaintext, but with wrong second byte (0x01 instead of 0x02)
+ Decrypt = RSA-3072
+ Input = 417328c034458563079a4024817d0150340c34e25ae16dcad690623f702e5c748a6ebb3419ff48f486f83ba9df35c05efbd7f40613f0fc996c53706c30df6bba6dcd4a40825f96133f3c21638a342bd4663dffbd0073980dac47f8c1dd8e97ce1412e4f91f2a8adb1ac2b1071066efe8d718bbb88ca4a59bd61500e826f2365255a409bece0f972df97c3a55e09289ef5fa815a2353ef393fd1aecfc888d611c16aec532e5148be15ef1bf2834b8f75bb26db08b66d2baad6464f8439d1986b533813321dbb180080910f233bcc4dd784fb21871aef41be08b7bfad4ecc3b68f228cb5317ac6ec1227bc7d0e452037ba918ee1da9fdb8393ae93b1e937a8d4691a17871d5092d2384b6190a53df888f65b951b05ed4ad57fe4b0c6a47b5b22f32a7f23c1a234c9feb5d8713d949686760680da4db454f4acad972470033472b9864d63e8d23eefc87ebcf464ecf33f67fbcdd48eab38c5292586b36aef5981ed2fa07b2f9e23fc57d9eb71bfff4111c857e9fff23ceb31e72592e70c874b4936
+ Output = c6ae80ffa80bc184b0
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # an otherwise valid plaintext, but with zero byte in first byte of padding
+ Decrypt = RSA-3072
+ Input = 8542c626fe533467acffcd4e617692244c9b5a3bf0a215c5d64891ced4bf4f9591b4b2aedff9843057986d81631b0acb3704ec2180e5696e8bd15b217a0ec36d2061b0e2182faa3d1c59bd3f9086a10077a3337a3f5da503ec3753535ffd25b837a12f2541afefd0cffb0224b8f874e4bed13949e105c075ed44e287c5ae03b155e06b90ed247d2c07f1ef3323e3508cce4e4074606c54172ad74d12f8c3a47f654ad671104bf7681e5b061862747d9afd37e07d8e0e2291e01f14a95a1bb4cbb47c304ef067595a3947ee2d722067e38a0f046f43ec29cac6a8801c6e3e9a2331b1d45a7aa2c6af3205be382dd026e389614ee095665a611ab2e8dced2ee1c9d08ac9de11aef5b3803fc9a9ce8231ec87b5fed386fb92ee3db995a89307bcba844bd0a691c29ae51216e949dfc813133cb06a07265fd807bcb3377f6adb0a481d9b7f442003115895939773e6b95371c4febef29edae946fa245e7c50729e2e558cfaad773d1fd5f67b457a6d9d17a847c6fcbdb103a86f35f228cefc06cea0
+ Output = a8a9301daa01bb25c7
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # an otherwise valid plaintext, but with zero byte in eight byte of padding
+ Decrypt = RSA-3072
+ Input = 449dfa237a70a99cb0351793ec8677882021c2aa743580bf6a0ea672055cffe8303ac42855b1d1f3373aae6af09cb9074180fc963e9d1478a4f98b3b4861d3e7f0aa8560cf603711f139db77667ca14ba3a1acdedfca9ef4603d6d7eb0645bfc805304f9ad9d77d34762ce5cd84bd3ec9d35c30e3be72a1e8d355d5674a141b5530659ad64ebb6082e6f73a80832ab6388912538914654d34602f4b3b1c78589b4a5d964b2efcca1dc7004c41f6cafcb5a7159a7fc7c0398604d0edbd4c8f4f04067da6a153a05e7cbeea13b5ee412400ef7d4f3106f4798da707ec37a11286df2b7a204856d5ff773613fd1e453a7114b78e347d3e8078e1cb3276b3562486ba630bf719697e0073a123c3e60ebb5c7a1ccff4279faffa2402bc1109f8d559d6766e73591943dfcf25ba10c3762f02af85187799b8b4b135c3990793a6fd32642f1557405ba55cc7cf7336a0e967073c5fa50743f9cc5e3017c172d9898d2af83345e71b3e0c22ab791eacb6484a32ec60ebc226ec9deaee91b1a0560c2b571
+ Output = 6c716fe01d44398018
+ 
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # an otherwise valid plaintext, but with null separator missing
+ Decrypt = RSA-3072
+ Input = a7a5c99e50da48769ecb779d9abe86ef9ec8c38c6f43f17c7f2d7af608a4a1bd6cf695b47e97c191c61fb5a27318d02f495a176b9fae5a55b5d3fabd1d8aae4957e3879cb0c60f037724e11be5f30f08fc51c033731f14b44b414d11278cd3dba7e1c8bfe208d2b2bb7ec36366dacb6c88b24cd79ab394adf19dbbc21dfa5788bacbadc6a62f79cf54fd8cf585c615b5c0eb94c35aa9de25321c8ffefb8916bbaa2697cb2dd82ee98939df9b6704cee77793edd2b4947d82e00e5749664970736c59a84197bd72b5c71e36aae29cd39af6ac73a368edbc1ca792e1309f442aafcd77c992c88f8e4863149f221695cb7b0236e75b2339a02c4ea114854372c306b9412d8eedb600a31532002f2cea07b4df963a093185e4607732e46d753b540974fb5a5c3f9432df22e85bb17611370966c5522fd23f2ad3484341ba7fd8885fc8e6d379a611d13a2aca784fba2073208faad2137bf1979a0fa146c1880d4337db3274269493bab44a1bcd0681f7227ffdf589c2e925ed9d36302509d1109ba4
+@@ -912,9 +932,9 @@ Output=4DE433D5844043EF08D354DA03CB29068
+ 
+ # Verify of above signature
+ Verify = RSA-2048-PUBLIC
++Ctrl = digest:sha256
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_pss_saltlen:0
+-Ctrl = digest:sha256
+ Input="0123456789ABCDEF0123456789ABCDEF"
+ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DDD0635A96B28F854E50145518482CB49E963054621B53C60C498D07C16E9C2789C893CF38D4D86900DE71BDE463BD2761D1271E358C7480A1AC0BAB930DDF39602AD1BC165B5D7436B516B7A7858E8EB7AB1C420EEB482F4D207F0E462B1724959320A084E13848D11D10FB593E66BF680BF6D3F345FC3E9C3DE60ABBAC37E1C6EC80A268C8D9FC49626C679097AA690BC1AA662B95EB8DB70390861AA0898229F9349B4B5FDD030D4928C47084708A933144BE23BD3C6E661B85B2C0EF9ED36D498D5B7320E8194D363D4AD478C059BAE804181965E0B81B663158A
+ 
+@@ -1207,36 +1227,42 @@ vcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mN
+ h90qjKHS9PvY4Q==
+ -----END PRIVATE KEY-----
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-1
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=354fe67b4a126d5d35fe36c777791a3f7ba13def484e2d3908aff722fad468fb21696de95d0be911c2d3174f8afcc201035f7b6d8e69402de5451618c21a535fa9d7bfc5b8dd9fc243f8cf927db31322d6e881eaa91a996170e657a05a266426d98c88003f8477c1227094a0d9fa1e8c4024309ce1ecccb5210035d47ac72e8a
+ Output=6628194e12073db03ba94cda9ef9532397d50dba79b987004afefe34
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-1
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=640db1acc58e0568fe5407e5f9b701dff8c3c91e716c536fc7fcec6cb5b71c1165988d4a279e1577d730fc7a29932e3f00c81515236d8d8e31017a7a09df4352d904cdeb79aa583adcc31ea698a4c05283daba9089be5491f67c1a4ee48dc74bbbe6643aef846679b4cb395a352d5ed115912df696ffe0702932946d71492b44
+ Output=750c4047f547e8e41411856523298ac9bae245efaf1397fbe56f9dd5
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-1
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=423736ed035f6026af276c35c0b3741b365e5f76ca091b4e8c29e2f0befee603595aa8322d602d2e625e95eb81b2f1c9724e822eca76db8618cf09c5343503a4360835b5903bc637e3879fb05e0ef32685d5aec5067cd7cc96fe4b2670b6eac3066b1fcf5686b68589aafb7d629b02d8f8625ca3833624d4800fb081b1cf94eb
+ Output=d94ae0832e6445ce42331cb06d531a82b1db4baad30f746dc916df24d4e3c2451fff59a6423eb0e1d02d4fe646cf699dfd818c6e97b051
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-1
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=45ead4ca551e662c9800f1aca8283b0525e6abae30be4b4aba762fa40fd3d38e22abefc69794f6ebbbc05ddbb11216247d2f412fd0fba87c6e3acd888813646fd0e48e785204f9c3f73d6d8239562722dddd8771fec48b83a31ee6f592c4cfd4bc88174f3b13a112aae3b9f7b80e0fc6f7255ba880dc7d8021e22ad6a85f0755
+ Output=52e650d98e7f2a048b4f86852153b97e01dd316f346a19f67a85
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-1
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=36f6e34d94a8d34daacba33a2139d00ad85a9345a86051e73071620056b920e219005855a213a0f23897cdcd731b45257c777fe908202befdd0b58386b1244ea0cf539a05d5d10329da44e13030fd760dcd644cfef2094d1910d3f433e1c7c6dd18bc1f2df7f643d662fb9dd37ead9059190f4fa66ca39e869c4eb449cbdc439
+ Output=8da89fd9e5f974a29feffb462b49180f6cf9e802
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-1
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+@@ -1261,36 +1287,42 @@ SwGNdhGLJDiac1Dsg2sAY6IXISNv2O222JtR5+64
+ eG2e4XlBcKjI6A==
+ -----END PRIVATE KEY-----
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-2
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0181af8922b9fcb4d79d92ebe19815992fc0c1439d8bcd491398a0f4ad3a329a5bd9385560db532683c8b7da04e4b12aed6aacdf471c34c9cda891addcc2df3456653aa6382e9ae59b54455257eb099d562bbe10453f2b6d13c59c02e10f1f8abb5da0d0570932dacf2d0901db729d0fefcc054e70968ea540c81b04bcaefe720e
+ Output=8ff00caa605c702830634d9a6c3d42c652b58cf1d92fec570beee7
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-2
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=018759ff1df63b2792410562314416a8aeaf2ac634b46f940ab82d64dbf165eee33011da749d4bab6e2fcd18129c9e49277d8453112b429a222a8471b070993998e758861c4d3f6d749d91c4290d332c7a4ab3f7ea35ff3a07d497c955ff0ffc95006b62c6d296810d9bfab024196c7934012c2df978ef299aba239940cba10245
+ Output=2d
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-2
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=018802bab04c60325e81c4962311f2be7c2adce93041a00719c88f957575f2c79f1b7bc8ced115c706b311c08a2d986ca3b6a9336b147c29c6f229409ddec651bd1fdd5a0b7f610c9937fdb4a3a762364b8b3206b4ea485fd098d08f63d4aa8bb2697d027b750c32d7f74eaf5180d2e9b66b17cb2fa55523bc280da10d14be2053
+ Output=74fc88c51bc90f77af9d5e9a4a70133d4b4e0b34da3c37c7ef8e
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-2
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=00a4578cbc176318a638fba7d01df15746af44d4f6cd96d7e7c495cbf425b09c649d32bf886da48fbaf989a2117187cafb1fb580317690e3ccd446920b7af82b31db5804d87d01514acbfa9156e782f867f6bed9449e0e9a2c09bcecc6aa087636965e34b3ec766f2fe2e43018a2fddeb140616a0e9d82e5331024ee0652fc7641
+ Output=a7eb2a5036931d27d4e891326d99692ffadda9bf7efd3e34e622c4adc085f721dfe885072c78a203b151739be540fa8c153a10f00a
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-2
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=00ebc5f5fda77cfdad3c83641a9025e77d72d8a6fb33a810f5950f8d74c73e8d931e8634d86ab1246256ae07b6005b71b7f2fb98351218331ce69b8ffbdc9da08bbc9c704f876deb9df9fc2ec065cad87f9090b07acc17aa7f997b27aca48806e897f771d95141fe4526d8a5301b678627efab707fd40fbebd6e792a25613e7aec
+ Output=2ef2b066f854c33f3bdcbb5994a435e73d6c6c
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-2
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+@@ -1315,36 +1347,42 @@ iUGx07dw5a0x7jc7KKzaaf+bb0D+V4ufGvuFg2+W
+ Ya4qnqZe1onjY5o=
+ -----END PRIVATE KEY-----
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-3
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=026a0485d96aebd96b4382085099b962e6a2bdec3d90c8db625e14372de85e2d5b7baab65c8faf91bb5504fb495afce5c988b3f6a52e20e1d6cbd3566c5cd1f2b8318bb542cc0ea25c4aab9932afa20760eaddec784396a07ea0ef24d4e6f4d37e5052a7a31e146aa480a111bbe926401307e00f410033842b6d82fe5ce4dfae80
+ Output=087820b569e8fa8d
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-3
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=024db89c7802989be0783847863084941bf209d761987e38f97cb5f6f1bc88da72a50b73ebaf11c879c4f95df37b850b8f65d7622e25b1b889e80fe80baca2069d6e0e1d829953fc459069de98ea9798b451e557e99abf8fe3d9ccf9096ebbf3e5255d3b4e1c6d2ecadf067a359eea86405acd47d5e165517ccafd47d6dbee4bf5
+ Output=4653acaf171960b01f52a7be63a3ab21dc368ec43b50d82ec3781e04
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-3
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0239bce681032441528877d6d1c8bb28aa3bc97f1df584563618995797683844ca86664732f4bed7a0aab083aaabfb7238f582e30958c2024e44e57043b97950fd543da977c90cdde5337d618442f99e60d7783ab59ce6dd9d69c47ad1e962bec22d05895cff8d3f64ed5261d92b2678510393484990ba3f7f06818ae6ffce8a3a
+ Output=d94cd0e08fa404ed89
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-3
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=02994c62afd76f498ba1fd2cf642857fca81f4373cb08f1cbaee6f025c3b512b42c3e8779113476648039dbe0493f9246292fac28950600e7c0f32edf9c81b9dec45c3bde0cc8d8847590169907b7dc5991ceb29bb0714d613d96df0f12ec5d8d3507c8ee7ae78dd83f216fa61de100363aca48a7e914ae9f42ddfbe943b09d9a0
+ Output=6cc641b6b61e6f963974dad23a9013284ef1
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-3
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0162042ff6969592a6167031811a239834ce638abf54fec8b99478122afe2ee67f8c5b18b0339805bfdbc5a4e6720b37c59cfba942464c597ff532a119821545fd2e59b114e61daf71820529f5029cf524954327c34ec5e6f5ba7efcc4de943ab8ad4ed787b1454329f70db798a3a8f4d92f8274e2b2948ade627ce8ee33e43c60
+ Output=df5151832b61f4f25891fb4172f328d2eddf8371ffcfdbe997939295f30eca6918017cfda1153bf7a6af87593223
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-3
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+@@ -1369,36 +1407,42 @@ s/XkIiO6MDAcQabYfLtw4wy308Z9JUc9sfbL8D4/
+ aD0x7TDrmEvkEro=
+ -----END PRIVATE KEY-----
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-4
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=04cce19614845e094152a3fe18e54e3330c44e5efbc64ae16886cb1869014cc5781b1f8f9e045384d0112a135ca0d12e9c88a8e4063416deaae3844f60d6e96fe155145f4525b9a34431ca3766180f70e15a5e5d8e8b1a516ff870609f13f896935ced188279a58ed13d07114277d75c6568607e0ab092fd803a223e4a8ee0b1a8
+ Output=4a86609534ee434a6cbca3f7e962e76d455e3264c19f605f6e5ff6137c65c56d7fb344cd52bc93374f3d166c9f0c6f9c506bad19330972d2
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-4
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0097b698c6165645b303486fbf5a2a4479c0ee85889b541a6f0b858d6b6597b13b854eb4f839af03399a80d79bda6578c841f90d645715b280d37143992dd186c80b949b775cae97370e4ec97443136c6da484e970ffdb1323a20847821d3b18381de13bb49aaea66530c4a4b8271f3eae172cd366e07e6636f1019d2a28aed15e
+ Output=b0adc4f3fe11da59ce992773d9059943c03046497ee9d9f9a06df1166db46d98f58d27ec074c02eee6cbe2449c8b9fc5080c5c3f4433092512ec46aa793743c8
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-4
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0301f935e9c47abcb48acbbe09895d9f5971af14839da4ff95417ee453d1fd77319072bb7297e1b55d7561cd9d1bb24c1a9a37c619864308242804879d86ebd001dce5183975e1506989b70e5a83434154d5cbfd6a24787e60eb0c658d2ac193302d1192c6e622d4a12ad4b53923bca246df31c6395e37702c6a78ae081fb9d065
+ Output=bf6d42e701707b1d0206b0c8b45a1c72641ff12889219a82bdea965b5e79a96b0d0163ed9d578ec9ada20f2fbcf1ea3c4089d83419ba81b0c60f3606da99
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-4
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=02d110ad30afb727beb691dd0cf17d0af1a1e7fa0cc040ec1a4ba26a42c59d0a796a2e22c8f357ccc98b6519aceb682e945e62cb734614a529407cd452bee3e44fece8423cc19e55548b8b994b849c7ecde4933e76037e1d0ce44275b08710c68e430130b929730ed77e09b015642c5593f04e4ffb9410798102a8e96ffdfe11e4
+ Output=fb2ef112f5e766eb94019297934794f7be2f6fc1c58e
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-4
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=00dbb8a7439d90efd919a377c54fae8fe11ec58c3b858362e23ad1b8a44310799066b99347aa525691d2adc58d9b06e34f288c170390c5f0e11c0aa3645959f18ee79e8f2be8d7ac5c23d061f18dd74b8c5f2a58fcb5eb0c54f99f01a83247568292536583340948d7a8c97c4acd1e98d1e29dc320e97a260532a8aa7a758a1ec2
+ Output=28ccd447bb9e85166dabb9e5b7d1adadc4b9d39f204e96d5e440ce9ad928bc1c2284
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-4
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+@@ -1423,36 +1467,42 @@ OPlAQGLrhaQpJFILOPW7iGoBlvSLuNzqYP2SzAJ/
+ MSwGUGLx60i3nRyDyw==
+ -----END PRIVATE KEY-----
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-5
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=036046a4a47d9ed3ba9a89139c105038eb7492b05a5d68bfd53accff4597f7a68651b47b4a4627d927e485eed7b4566420e8b409879e5d606eae251d22a5df799f7920bfc117b992572a53b1263146bcea03385cc5e853c9a101c8c3e1bda31a519807496c6cb5e5efb408823a352b8fa0661fb664efadd593deb99fff5ed000e5
+ Output=af71a901e3a61d3132f0fc1fdb474f9ea6579257ffc24d164170145b3dbde8
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-5
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=03d6eb654edce615bc59f455265ed4e5a18223cbb9be4e4069b473804d5de96f54dcaaa603d049c5d94aa1470dfcd2254066b7c7b61ff1f6f6770e3215c51399fd4e34ec5082bc48f089840ad04354ae66dc0f1bd18e461a33cc1258b443a2837a6df26759aa2302334986f87380c9cc9d53be9f99605d2c9a97da7b0915a4a7ad
+ Output=a3b844a08239a8ac41605af17a6cfda4d350136585903a417a79268760519a4b4ac3303ec73f0f87cfb32399
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-5
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0770952181649f9f9f07ff626ff3a22c35c462443d905d456a9fd0bff43cac2ca7a9f554e9478b9acc3ac838b02040ffd3e1847de2e4253929f9dd9ee4044325a9b05cabb808b2ee840d34e15d105a3f1f7b27695a1a07a2d73fe08ecaaa3c9c9d4d5a89ff890d54727d7ae40c0ec1a8dd86165d8ee2c6368141016a48b55b6967
+ Output=308b0ecbd2c76cb77fc6f70c5edd233fd2f20929d629f026953bb62a8f4a3a314bde195de85b5f816da2aab074d26cb6acddf323ae3b9c678ac3cf12fbdde7
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-5
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0812b76768ebcb642d040258e5f4441a018521bd96687e6c5e899fcd6c17588ff59a82cc8ae03a4b45b31299af1788c329f7dcd285f8cf4ced82606b97612671a45bedca133442144d1617d114f802857f0f9d739751c57a3f9ee400912c61e2e6992be031a43dd48fa6ba14eef7c422b5edc4e7afa04fdd38f402d1c8bb719abf
+ Output=15c5b9ee1185
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-5
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=07b60e14ec954bfd29e60d0047e789f51d57186c63589903306793ced3f68241c743529aba6a6374f92e19e0163efa33697e196f7661dfaaa47aac6bde5e51deb507c72c589a2ca1693d96b1460381249b2cdb9eac44769f2489c5d3d2f99f0ee3c7ee5bf64a5ac79c42bd433f149be8cb59548361640595513c97af7bc2509723
+ Output=21026e6800c7fa728fcaaba0d196ae28d7a2ac4ffd8abce794f0985f60c8a6737277365d3fea11db8923a2029a
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-5
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+@@ -1477,36 +1527,42 @@ xT1F29tenZbQ/s9Cdd8JdLxKBza0p0wyaQU++2hq
+ Yejn5Ly8mU2q+jBcRQ==
+ -----END PRIVATE KEY-----
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-6
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0630eebcd2856c24f798806e41f9e67345eda9ceda386acc9facaea1eeed06ace583709718d9d169fadf414d5c76f92996833ef305b75b1e4b95f662a20faedc3bae0c4827a8bf8a88edbd57ec203a27a841f02e43a615bab1a8cac0701de34debdef62a088089b55ec36ea7522fd3ec8d06b6a073e6df833153bc0aefd93bd1a3
+ Output=4046ca8baa3347ca27f49e0d81f9cc1d71be9ba517d4
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-6
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0ebc37376173a4fd2f89cc55c2ca62b26b11d51c3c7ce49e8845f74e7607317c436bc8d23b9667dfeb9d087234b47bc6837175ae5c0559f6b81d7d22416d3e50f4ac533d8f0812f2db9e791fe9c775ac8b6ad0f535ad9ceb23a4a02014c58ab3f8d3161499a260f39348e714ae2a1d3443208fd8b722ccfdfb393e98011f99e63f
+ Output=5cc72c60231df03b3d40f9b57931bc31109f972527f28b19e7480c7288cb3c92b22512214e4be6c914792ddabdf57faa8aa7
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-6
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0a98bf1093619394436cf68d8f38e2f158fde8ea54f3435f239b8d06b8321844202476aeed96009492480ce3a8d705498c4c8c68f01501dc81db608f60087350c8c3b0bd2e9ef6a81458b7c801b89f2e4fe99d4900ba6a4b5e5a96d865dc676c7755928794130d6280a8160a190f2df3ea7cf9aa0271d88e9e6905ecf1c5152d65
+ Output=b20e651303092f4bccb43070c0f86d23049362ed96642fc5632c27db4a52e3d831f2ab068b23b149879c002f6bf3feee97591112562c
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-6
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=008e7a67cacfb5c4e24bec7dee149117f19598ce8c45808fef88c608ff9cd6e695263b9a3c0ad4b8ba4c95238e96a8422b8535629c8d5382374479ad13fa39974b242f9a759eeaf9c83ad5a8ca18940a0162ba755876df263f4bd50c6525c56090267c1f0e09ce0899a0cf359e88120abd9bf893445b3cae77d3607359ae9a52f8
+ Output=684e3038c5c041f7
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-6
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=00003474416c7b68bdf961c385737944d7f1f40cb395343c693cc0b4fe63b31fedf1eaeeac9ccc0678b31dc32e0977489514c4f09085f6298a9653f01aea4045ff582ee887be26ae575b73eef7f3774921e375a3d19adda0ca31aa1849887c1f42cac9677f7a2f4e923f6e5a868b38c084ef187594dc9f7f048fea2e02955384ab
+ Output=32488cb262d041d6e4dd35f987bf3ca696db1f06ac29a44693
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-6
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+@@ -1531,36 +1587,42 @@ tu4XIedy0DiaVZw9PN+VUNRXxGsDe3RkGx1SFmr4
+ FMlxv0gq65dqc3DC
+ -----END PRIVATE KEY-----
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-7
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=1688e4ce7794bba6cb7014169ecd559cede2a30b56a52b68d9fe18cf1973ef97b2a03153951c755f6294aa49adbdb55845ab6875fb3986c93ecf927962840d282f9e54ce8b690f7c0cb8bbd73440d9571d1b16cd9260f9eab4783cc482e5223dc60973871783ec27b0ae0fd47732cbc286a173fc92b00fb4ba6824647cd93c85c1
+ Output=47aae909
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-7
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=1052ed397b2e01e1d0ee1c50bf24363f95e504f4a03434a08fd822574ed6b9736edbb5f390db10321479a8a139350e2bd4977c3778ef331f3e78ae118b268451f20a2f01d471f5d53c566937171b2dbc2d4bde459a5799f0372d6574239b2323d245d0bb81c286b63c89a361017337e4902f88a467f4c7f244bfd5ab46437ff3b6
+ Output=1d9b2e2223d9bc13bfb9f162ce735db48ba7c68f6822a0a1a7b6ae165834e7
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-7
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=2155cd843ff24a4ee8badb7694260028a490813ba8b369a4cbf106ec148e5298707f5965be7d101c1049ea8584c24cd63455ad9c104d686282d3fb803a4c11c1c2e9b91c7178801d1b6640f003f5728df007b8a4ccc92bce05e41a27278d7c85018c52414313a5077789001d4f01910b72aad05d220aa14a58733a7489bc54556b
+ Output=d976fc
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-7
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0ab14c373aeb7d4328d0aaad8c094d88b9eb098b95f21054a29082522be7c27a312878b637917e3d819e6c3c568db5d843802b06d51d9e98a2be0bf40c031423b00edfbff8320efb9171bd2044653a4cb9c5122f6c65e83cda2ec3c126027a9c1a56ba874d0fea23f380b82cf240b8cf540004758c4c77d934157a74f3fc12bfac
+ Output=d4738623df223aa43843df8467534c41d013e0c803c624e263666b239bde40a5f29aeb8de79e3daa61dd0370f49bd4b013834b98212aef6b1c5ee373b3cb
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-7
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=028387a318277434798b4d97f460068df5298faba5041ba11761a1cb7316b24184114ec500257e2589ed3b607a1ebbe97a6cc2e02bf1b681f42312a33b7a77d8e7855c4a6de03e3c04643f786b91a264a0d6805e2cea91e68177eb7a64d9255e4f27e713b7ccec00dc200ebd21c2ea2bb890feae4942df941dc3f97890ed347478
+ Output=bb47231ca5ea1d3ad46c99345d9a8a61
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-7
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+@@ -1585,36 +1647,42 @@ njraT2MgdSwJ2AX/fR8a4NAXru7pzvoNfdf/d15E
+ 2MiPa249Z+lh3Luj0A==
+ -----END PRIVATE KEY-----
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-8
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=09b3683d8a2eb0fb295b62ed1fb9290b714457b7825319f4647872af889b30409472020ad12912bf19b11d4819f49614824ffd84d09c0a17e7d17309d12919790410aa2995699f6a86dbe3242b5acc23af45691080d6b1ae810fb3e3057087f0970092ce00be9562ff4053b6262ce0caa93e13723d2e3a5ba075d45f0d61b54b61
+ Output=050b755e5e6880f7b9e9d692a74c37aae449b31bfea6deff83747a897f6c2c825bb1adbf850a3c96994b5de5b33cbc7d4a17913a7967
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-8
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=2ecf15c97c5a15b1476ae986b371b57a24284f4a162a8d0c8182e7905e792256f1812ba5f83f1f7a130e42dcc02232844edc14a31a68ee97ae564a383a3411656424c5f62ddb646093c367be1fcda426cf00a06d8acb7e57776fbbd855ac3df506fc16b1d7c3f2110f3d8068e91e186363831c8409680d8da9ecd8cf1fa20ee39d
+ Output=4eb68dcd93ca9b19df111bd43608f557026fe4aa1d5cfac227a3eb5ab9548c18a06dded23f81825986b2fcd71109ecef7eff88873f075c2aa0c469f69c92bc
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-8
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=4bc89130a5b2dabb7c2fcf90eb5d0eaf9e681b7146a38f3173a3d9cfec52ea9e0a41932e648a9d69344c50da763f51a03c95762131e8052254dcd2248cba40fd31667786ce05a2b7b531ac9dac9ed584a59b677c1a8aed8c5d15d68c05569e2be780bf7db638fd2bfd2a85ab276860f3777338fca989ffd743d13ee08e0ca9893f
+ Output=8604ac56328c1ab5ad917861
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-8
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=2e456847d8fc36ff0147d6993594b9397227d577752c79d0f904fcb039d4d812fea605a7b574dd82ca786f93752348438ee9f5b5454985d5f0e1699e3e7ad175a32e15f03deb042ab9fe1dd9db1bb86f8c089ccb45e7ef0c5ee7ca9b7290ca6b15bed47039788a8a93ff83e0e8d6244c71006362deef69b6f416fb3c684383fbd0
+ Output=fdda5fbf6ec361a9d9a4ac68af216a0686f438b1e0e5c36b955f74e107f39c0dddcc
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-8
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=1fb9356fd5c4b1796db2ebf7d0d393cc810adf6145defc2fce714f79d93800d5e2ac211ea8bbecca4b654b94c3b18b30dd576ce34dc95436ef57a09415645923359a5d7b4171ef22c24670f1b229d3603e91f76671b7df97e7317c97734476d5f3d17d21cf82b5ba9f83df2e588d36984fd1b584468bd23b2e875f32f68953f7b2
+ Output=4a5f4914bee25de3c69341de07
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-8
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+@@ -1645,36 +1713,42 @@ Z7CDuaemy2HkLbNiuMmJbbcGTgKtWuYVh9oVtGSc
+ tKo5Eb69iFQvBb4=
+ -----END PRIVATE KEY-----
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-9
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=267bcd118acab1fc8ba81c85d73003cb8610fa55c1d97da8d48a7c7f06896a4db751aa284255b9d36ad65f37653d829f1b37f97b8001942545b2fc2c55a7376ca7a1be4b1760c8e05a33e5aa2526b8d98e317088e7834c755b2a59b12631a182c05d5d43ab1779264f8456f515ce57dfdf512d5493dab7b7338dc4b7d78db9c091ac3baf537a69fc7f549d979f0eff9a94fda4169bd4d1d19a69c99e33c3b55490d501b39b1edae118ff6793a153261584d3a5f39f6e682e3d17c8cd1261fa72
+ Output=f735fd55ba92592c3b52b8f9c4f69aaa1cbef8fe88add095595412467f9cf4ec0b896c59eda16210e7549c8abb10cdbc21a12ec9b6b5b8fd2f10399eb6
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-9
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=93ac9f0671ec29acbb444effc1a5741351d60fdb0e393fbf754acf0de49761a14841df7772e9bc82773966a1584c4d72baea00118f83f35cca6e537cbd4d811f5583b29783d8a6d94cd31be70d6f526c10ff09c6fa7ce069795a3fcd0511fd5fcb564bcc80ea9c78f38b80012539d8a4ddf6fe81e9cddb7f50dbbbbcc7e5d86097ccf4ec49189fb8bf318be6d5a0715d516b49af191258cd32dc833ce6eb4673c03a19bbace88cc54895f636cc0c1ec89096d11ce235a265ca1764232a689ae8
+ Output=81b906605015a63aabe42ddf11e1978912f5404c7474b26dce3ed482bf961ecc818bf420c54659
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-9
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=81ebdd95054b0c822ef9ad7693f5a87adfb4b4c4ce70df2df84ed49c04da58ba5fc20a19e1a6e8b7a3900b22796dc4e869ee6b42792d15a8eceb56c09c69914e813cea8f6931e4b8ed6f421af298d595c97f4789c7caa612c7ef360984c21b93edc5401068b5af4c78a8771b984d53b8ea8adf2f6a7d4a0ba76c75e1dd9f658f20ded4a46071d46d7791b56803d8fea7f0b0f8e41ae3f09383a6f9585fe7753eaaffd2bf94563108beecc207bbb535f5fcc705f0dde9f708c62f49a9c90371d3
+ Output=fd326429df9b890e09b54b18b8f34f1e24
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-9
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=bcc35f94cde66cb1136625d625b94432a35b22f3d2fa11a613ff0fca5bd57f87b902ccdc1cd0aebcb0715ee869d1d1fe395f6793003f5eca465059c88660d446ff5f0818552022557e38c08a67ead991262254f10682975ec56397768537f4977af6d5f6aaceb7fb25dec5937230231fd8978af49119a29f29e424ab8272b47562792d5c94f774b8829d0b0d9f1a8c9eddf37574d5fa248eefa9c5271fc5ec2579c81bdd61b410fa61fe36e424221c113addb275664c801d34ca8c6351e4a858
+ Output=f1459b5f0c92f01a0f723a2e5662484d8f8c0a20fc29dad6acd43bb5f3effdf4e1b63e07fdfe6628d0d74ca19bf2d69e4a0abf86d293925a796772f8088e
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-9
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=232afbc927fa08c2f6a27b87d4a5cb09c07dc26fae73d73a90558839f4fd66d281b87ec734bce237ba166698ed829106a7de6942cd6cdce78fed8d2e4d81428e66490d036264cef92af941d3e35055fe3981e14d29cbb9a4f67473063baec79a1179f5a17c9c1832f2838fd7d5e59bb9659d56dce8a019edef1bb3accc697cc6cc7a778f60a064c7f6f5d529c6210262e003de583e81e3167b89971fb8c0e15d44fffef89b53d8d64dd797d159b56d2b08ea5307ea12c241bd58d4ee278a1f2e
+ Output=53e6e8c729d6f9c319dd317e74b0db8e4ccca25f3c8305746e137ac63a63ef3739e7b595abb96e8d55e54f7bd41ab433378ffb911d
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-9
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+Index: openssl-3.5.0-beta1/test/recipes/80-test_cms.t
+===================================================================
+--- openssl-3.5.0-beta1.orig/test/recipes/80-test_cms.t
++++ openssl-3.5.0-beta1/test/recipes/80-test_cms.t
+@@ -250,7 +250,7 @@ my @smime_pkcs7_tests = (
+ 
+ if ($no_fips || $old_fips) {
+     push(@smime_pkcs7_tests,
+-         [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients",
++         [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients, no SUSE FIPS",
+            [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
+              "-aes256", "-stream", "-out", "{output}.cms",
+              $smrsa1,
+@@ -1267,6 +1267,9 @@ sub check_availability {
+     return "$tnam: skipped, DSA disabled\n"
+         if ($no_dsa && $tnam =~ / DSA/);
+ 
++    return "$tnam: skipped, SUSE/openSUSE FIPS\n"
++        if ($tnam =~ /no SUSE FIPS/);
++
+     return "";
+ }
+ 
+Index: openssl-3.5.0-beta1/test/recipes/80-test_ssl_old.t
+===================================================================
+--- openssl-3.5.0-beta1.orig/test/recipes/80-test_ssl_old.t
++++ openssl-3.5.0-beta1/test/recipes/80-test_ssl_old.t
+@@ -561,6 +561,18 @@ sub testssl {
+             # the default choice if TLSv1.3 enabled
+             my $flag = $protocol eq "-tls1_3" ? "" : $protocol;
+             my $ciphersuites = "";
++            my %redhat_skip_cipher = map {$_ => 1} qw(
++AES256-GCM-SHA384:@SECLEVEL=0
++AES256-CCM8:@SECLEVEL=0
++AES256-CCM:@SECLEVEL=0
++AES128-GCM-SHA256:@SECLEVEL=0
++AES128-CCM8:@SECLEVEL=0
++AES128-CCM:@SECLEVEL=0
++AES256-SHA256:@SECLEVEL=0
++AES128-SHA256:@SECLEVEL=0
++AES256-SHA:@SECLEVEL=0
++AES128-SHA:@SECLEVEL=0
++	    );
+             foreach my $cipher (@{$ciphersuites{$protocol}}) {
+                 if ($dsaallow == '0' && index($cipher, "DSS") != -1) {
+                     # DSA is not allowed in FIPS 140-3
+@@ -576,11 +588,16 @@ sub testssl {
+                     } else {
+                         $cipher = $cipher.':@SECLEVEL=0';
+                     }
+-                    ok(run(test([@ssltest, @exkeys, "-cipher",
+-                                 $cipher,
+-                                 "-ciphersuites", $ciphersuites,
+-                                 $flag || ()])),
+-                       "Testing $cipher");
++                    if ($provider eq "fips" && exists $redhat_skip_cipher{$cipher}) {
++                        note "*****SKIPPING $cipher in SUSE/openSUSE FIPS mode";
++                        ok(1);
++                    } else {
++                        ok(run(test([@ssltest, @exkeys, "-cipher",
++                                     $cipher,
++                                     "-ciphersuites", $ciphersuites,
++                                     $flag || ()])),
++                           "Testing $cipher");
++                    }
+                 }
+             }
+             next if $protocol eq "-tls1_3";

openssl-FIPS-release_num_in_version_string.patch

@@ -0,0 +1,27 @@
+Index: openssl-3.1.4/providers/fips/fipsprov.c
+===================================================================
+--- openssl-3.1.4.orig/providers/fips/fipsprov.c
++++ openssl-3.1.4/providers/fips/fipsprov.c
+@@ -194,18 +194,19 @@ static const OSSL_PARAM *fips_gettable_p
+ 
+ static int fips_get_params(void *provctx, OSSL_PARAM params[])
+ {
++#define SUSE_OPENSSL_VERSION_STR OPENSSL_VERSION_STR " SUSE release " SUSE_OPENSSL_RELEASE
+     OSSL_PARAM *p;
+     FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(ossl_prov_ctx_get0_libctx(provctx),
+                                               OSSL_LIB_CTX_FIPS_PROV_INDEX);
+ 
+     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
+-    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
++    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "SUSE Linux Enterprise - OpenSSL FIPS Provider"))
+         return 0;
+     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
+-    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
++    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR))
+         return 0;
+     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
+-    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
++    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR))
+         return 0;
+     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
+     if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))

openssl-FIPS-services-minimize.patch

@@ -0,0 +1,782 @@
+From e25b25227043a2b2cf156527c31d7686a4265bf3 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:15 +0100
+Subject: [PATCH 20/49] 0045-FIPS-services-minimize.patch
+
+Patch-name: 0045-FIPS-services-minimize.patch
+Patch-id: 45
+Patch-status: |
+    # # Minimize fips services
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ apps/ecparam.c                                |  7 +++
+ apps/req.c                                    |  2 +-
+ providers/common/capabilities.c               |  2 +-
+ providers/fips/fipsprov.c                     | 44 +++++++++++--------
+ providers/fips/self_test_data.inc             |  9 +++-
+ providers/implementations/signature/rsa_sig.c | 26 +++++++++++
+ ssl/ssl_ciph.c                                |  3 ++
+ test/acvp_test.c                              |  2 +
+ test/endecode_test.c                          |  4 ++
+ test/evp_libctx_test.c                        |  9 +++-
+ test/recipes/15-test_gendsa.t                 |  2 +-
+ test/recipes/20-test_cli_fips.t               |  3 +-
+ test/recipes/30-test_evp.t                    | 20 ++++-----
+ .../30-test_evp_data/evpmac_common.txt        | 22 ++++++++++
+ test/recipes/80-test_cms.t                    | 22 +++++-----
+ test/recipes/80-test_ssl_old.t                |  2 +-
+ 16 files changed, 128 insertions(+), 51 deletions(-)
+
+Index: openssl-3.2.3/apps/ecparam.c
+===================================================================
+--- openssl-3.2.3.orig/apps/ecparam.c
++++ openssl-3.2.3/apps/ecparam.c
+@@ -79,6 +79,13 @@ static int list_builtin_curves(BIO *out)
+         const char *comment = curves[n].comment;
+         const char *sname = OBJ_nid2sn(curves[n].nid);
+ 
++        if (((curves[n].nid == NID_secp256k1) || (curves[n].nid == NID_brainpoolP256r1)
++            || (curves[n].nid == NID_brainpoolP256t1) || (curves[n].nid == NID_brainpoolP320r1)
++            || (curves[n].nid == NID_brainpoolP320t1) || (curves[n].nid == NID_brainpoolP384r1)
++            || (curves[n].nid == NID_brainpoolP384t1) || (curves[n].nid == NID_brainpoolP512r1)
++            || (curves[n].nid == NID_brainpoolP512t1)) && EVP_default_properties_is_fips_enabled(NULL))
++            continue;
++
+         if (comment == NULL)
+             comment = "CURVE DESCRIPTION NOT AVAILABLE";
+         if (sname == NULL)
+Index: openssl-3.2.3/apps/req.c
+===================================================================
+--- openssl-3.2.3.orig/apps/req.c
++++ openssl-3.2.3/apps/req.c
+@@ -268,7 +268,7 @@ int req_main(int argc, char **argv)
+     unsigned long chtype = MBSTRING_ASC, reqflag = 0;
+ 
+ #ifndef OPENSSL_NO_DES
+-    cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
++    cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
+ #endif
+ 
+     opt_set_unknown_name("digest");
+Index: openssl-3.2.3/providers/common/capabilities.c
+===================================================================
+--- openssl-3.2.3.orig/providers/common/capabilities.c
++++ openssl-3.2.3/providers/common/capabilities.c
+@@ -189,9 +189,9 @@ static const OSSL_PARAM param_group_list
+     TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25),
+     TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26),
+     TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27),
+-#  endif
+     TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28),
+     TLS_GROUP_ENTRY("x448", "X448", "X448", 29),
++#  endif
+ #  ifndef FIPS_MODULE
+     TLS_GROUP_ENTRY("brainpoolP256r1tls13", "brainpoolP256r1", "EC", 30),
+     TLS_GROUP_ENTRY("brainpoolP384r1tls13", "brainpoolP384r1", "EC", 31),
+Index: openssl-3.2.3/providers/fips/fipsprov.c
+===================================================================
+--- openssl-3.2.3.orig/providers/fips/fipsprov.c
++++ openssl-3.2.3/providers/fips/fipsprov.c
+@@ -194,18 +194,19 @@ static const OSSL_PARAM *fips_gettable_p
+ 
+ static int fips_get_params(void *provctx, OSSL_PARAM params[])
+ {
++#define SUSE_OPENSSL_VERSION_STR OPENSSL_VERSION_STR " SUSE release " SUSE_OPENSSL_RELEASE
+     OSSL_PARAM *p;
+     FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(ossl_prov_ctx_get0_libctx(provctx),
+                                               OSSL_LIB_CTX_FIPS_PROV_INDEX);
+ 
+     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
+-    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
++    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "SUSE Linux Enterprise - OpenSSL FIPS Provider"))
+         return 0;
+     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
+-    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
++    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR))
+         return 0;
+     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
+-    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
++    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR))
+         return 0;
+     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
+     if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
+@@ -298,10 +299,11 @@ static const OSSL_ALGORITHM fips_digests
+      * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
+      * KMAC128 and KMAC256.
+      */
+-    { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
++    /* We don't certify KECCAK in our FIPS provider */
++    /* { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
+       ossl_keccak_kmac_128_functions },
+     { PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES,
+-      ossl_keccak_kmac_256_functions },
++      ossl_keccak_kmac_256_functions }, */
+     { NULL, NULL, NULL }
+ };
+ 
+@@ -360,8 +362,9 @@ static const OSSL_ALGORITHM_CAPABLE fips
+     ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
+          ossl_cipher_capable_aes_cbc_hmac_sha256),
+ #ifndef OPENSSL_NO_DES
+-    UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
+-    UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
++    /* We don't certify 3DES in our FIPS provider */
++    /* UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
++    UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), */
+ #endif  /* OPENSSL_NO_DES */
+     { { NULL, NULL, NULL }, NULL }
+ };
+@@ -373,8 +376,9 @@ static const OSSL_ALGORITHM fips_macs[]
+ #endif
+     { PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions },
+     { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions },
+-    { PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
+-    { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions },
++    /* We don't certify KMAC in our FIPS provider */
++    /*{ PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
++    { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, */
+     { NULL, NULL, NULL }
+ };
+ 
+@@ -410,8 +414,9 @@ static const OSSL_ALGORITHM fips_keyexch
+ #ifndef OPENSSL_NO_EC
+     { PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions },
+ # ifndef OPENSSL_NO_ECX
+-    { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
+-    { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },
++    /* We don't certify Edwards curves in our FIPS provider */
++    /*{ PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
++    { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },*/
+ # endif
+ #endif
+     { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
+@@ -422,14 +427,16 @@ static const OSSL_ALGORITHM fips_keyexch
+ 
+ static const OSSL_ALGORITHM fips_signature[] = {
+ #ifndef OPENSSL_NO_DSA
+-    { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
++    /* We don't certify DSA in our FIPS provider */
++    /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },*/
+ #endif
+     { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions },
+ #ifndef OPENSSL_NO_EC
+ # ifndef OPENSSL_NO_ECX
+-    { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
++    /* We don't certify Edwards curves in our FIPS provider */
++    /* { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
+       ossl_ed25519_signature_functions },
+-    { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },
++    { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },*/
+ # endif
+     { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions },
+ #endif
+@@ -460,8 +467,9 @@ static const OSSL_ALGORITHM fips_keymgmt
+       PROV_DESCS_DHX },
+ #endif
+ #ifndef OPENSSL_NO_DSA
+-    { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
+-      PROV_DESCS_DSA },
++    /* We don't certify DSA in our FIPS provider */
++    /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
++      PROV_DESCS_DSA }, */
+ #endif
+     { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions,
+       PROV_DESCS_RSA },
+@@ -471,14 +479,15 @@ static const OSSL_ALGORITHM fips_keymgmt
+     { PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions,
+       PROV_DESCS_EC },
+ # ifndef OPENSSL_NO_ECX
+-    { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
++    /* We don't certify Edwards curves in our FIPS provider */
++    /* { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
+       PROV_DESCS_X25519 },
+     { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions,
+       PROV_DESCS_X448 },
+     { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_keymgmt_functions,
+       PROV_DESCS_ED25519 },
+     { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_keymgmt_functions,
+-      PROV_DESCS_ED448 },
++      PROV_DESCS_ED448 }, */
+ # endif
+ #endif
+     { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions,
+Index: openssl-3.2.3/providers/fips/self_test_data.inc
+===================================================================
+--- openssl-3.2.3.orig/providers/fips/self_test_data.inc
++++ openssl-3.2.3/providers/fips/self_test_data.inc
+@@ -177,6 +177,7 @@ static const ST_KAT_DIGEST st_kat_digest
+ /*- CIPHER TEST DATA */
+ 
+ /* DES3 test data */
++#if 0
+ static const unsigned char des_ede3_cbc_pt[] = {
+     0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
+     0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
+@@ -197,7 +198,7 @@ static const unsigned char des_ede3_cbc_
+     0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F,
+     0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7
+ };
+-
++#endif
+ /* AES-256 GCM test data */
+ static const unsigned char aes_256_gcm_key[] = {
+     0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c,
+@@ -1454,8 +1455,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[
+ # endif /* OPENSSL_NO_EC2M */
+ #endif /* OPENSSL_NO_EC */
+ 
+-#ifndef OPENSSL_NO_DSA
+ /* dsa 2048 */
++#if 0
++#ifndef OPENSSL_NO_DSA
+ static const unsigned char dsa_p[] = {
+     0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23,
+     0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e,
+@@ -1590,6 +1592,7 @@ static const ST_KAT_PARAM dsa_key[] = {
+     ST_KAT_PARAM_END()
+ };
+ #endif /* OPENSSL_NO_DSA */
++#endif
+ 
+ /* Hash DRBG inputs for signature KATs */
+ static const unsigned char sig_kat_entropyin[] = {
+@@ -1642,6 +1645,7 @@ static const ST_KAT_SIGN st_kat_sign_tes
+     },
+ # endif
+ #endif /* OPENSSL_NO_EC */
++#if 0
+ #ifndef OPENSSL_NO_DSA
+     {
+         OSSL_SELF_TEST_DESC_SIGN_DSA,
+@@ -1654,6 +1658,7 @@ static const ST_KAT_SIGN st_kat_sign_tes
+         ITM(dsa_expected_sig)
+     },
+ #endif /* OPENSSL_NO_DSA */
++#endif
+ };
+ 
+ static const ST_KAT_ASYM_CIPHER st_kat_asym_cipher_tests[] = {
+Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/signature/rsa_sig.c
++++ openssl-3.2.3/providers/implementations/signature/rsa_sig.c
+@@ -702,6 +702,19 @@ static int rsa_verify_recover(void *vprs
+ {
+     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
+     int ret;
++# ifdef FIPS_MODULE
++    size_t rsabits = RSA_bits(prsactx->rsa);
++
++    if (rsabits < 2048) {
++        if (rsabits != 1024
++            && rsabits != 1280
++            && rsabits != 1536
++            && rsabits != 1792) {
++            ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
++            return 0;
++        }
++    }
++# endif
+ 
+     if (!ossl_prov_is_running())
+         return 0;
+@@ -790,6 +803,19 @@ static int rsa_verify(void *vprsactx, co
+ {
+     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
+     size_t rslen;
++# ifdef FIPS_MODULE
++    size_t rsabits = RSA_bits(prsactx->rsa);
++
++    if (rsabits < 2048) {
++        if (rsabits != 1024
++            && rsabits != 1280
++            && rsabits != 1536
++            && rsabits != 1792) {
++            ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
++            return 0;
++        }
++    }
++# endif
+ 
+     if (!ossl_prov_is_running())
+         return 0;
+Index: openssl-3.2.3/ssl/ssl_ciph.c
+===================================================================
+--- openssl-3.2.3.orig/ssl/ssl_ciph.c
++++ openssl-3.2.3/ssl/ssl_ciph.c
+@@ -356,6 +356,9 @@ int ssl_load_ciphers(SSL_CTX *ctx)
+     ctx->disabled_mkey_mask = 0;
+     ctx->disabled_auth_mask = 0;
+ 
++    if (EVP_default_properties_is_fips_enabled(ctx->libctx))
++        ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK;
++
+     /*
+      * We ignore any errors from the fetches below. They are expected to fail
+      * if these algorithms are not available.
+Index: openssl-3.2.3/test/acvp_test.c
+===================================================================
+--- openssl-3.2.3.orig/test/acvp_test.c
++++ openssl-3.2.3/test/acvp_test.c
+@@ -1478,6 +1478,7 @@ int setup_tests(void)
+                   OSSL_NELEM(dh_safe_prime_keyver_data));
+ #endif /* OPENSSL_NO_DH */
+ 
++#if 0 /* SUSE FIPS provider doesn't have fips=yes property on DSA */
+ #ifndef OPENSSL_NO_DSA
+     ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data));
+     ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data));
+@@ -1485,6 +1486,7 @@ int setup_tests(void)
+     ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data));
+     ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data));
+ #endif /* OPENSSL_NO_DSA */
++#endif
+ 
+ #ifndef OPENSSL_NO_EC
+     ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data));
+Index: openssl-3.2.3/test/endecode_test.c
+===================================================================
+--- openssl-3.2.3.orig/test/endecode_test.c
++++ openssl-3.2.3/test/endecode_test.c
+@@ -1424,6 +1424,7 @@ int setup_tests(void)
+          * so no legacy tests.
+          */
+ #endif
++    if (is_fips == 0) {
+ #ifndef OPENSSL_NO_DSA
+         ADD_TEST_SUITE(DSA);
+         ADD_TEST_SUITE_PARAMS(DSA);
+@@ -1434,6 +1435,7 @@ int setup_tests(void)
+         ADD_TEST_SUITE_PROTECTED_PVK(DSA);
+ # endif
+ #endif
++    }
+ #ifndef OPENSSL_NO_EC
+         ADD_TEST_SUITE(EC);
+         ADD_TEST_SUITE_PARAMS(EC);
+@@ -1454,10 +1456,12 @@ int setup_tests(void)
+             ADD_TEST_SUITE(SM2);
+         }
+ # endif
++    if (is_fips == 0) {
+         ADD_TEST_SUITE(ED25519);
+         ADD_TEST_SUITE(ED448);
+         ADD_TEST_SUITE(X25519);
+         ADD_TEST_SUITE(X448);
++    }
+         /*
+          * ED25519, ED448, X25519 and X448 have no support for
+          * PEM_write_bio_PrivateKey_traditional(), so no legacy tests.
+Index: openssl-3.2.3/test/evp_libctx_test.c
+===================================================================
+--- openssl-3.2.3.orig/test/evp_libctx_test.c
++++ openssl-3.2.3/test/evp_libctx_test.c
+@@ -21,6 +21,7 @@
+  */
+ #include "internal/deprecated.h"
+ #include <assert.h>
++#include <string.h>
+ #include <openssl/evp.h>
+ #include <openssl/provider.h>
+ #include <openssl/dsa.h>
+@@ -726,7 +727,9 @@ int setup_tests(void)
+         return 0;
+ 
+ #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH)
+-    ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
++    if (strcmp(prov_name, "fips") != 0) {
++        ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
++    }
+ #endif
+ #ifndef OPENSSL_NO_DH
+     ADD_ALL_TESTS(test_dh_safeprime_param_keygen, 3 * 3 * 3);
+@@ -746,7 +749,9 @@ int setup_tests(void)
+     ADD_TEST(kem_invalid_keytype);
+ #endif
+ #ifndef OPENSSL_NO_DES
+-    ADD_TEST(test_cipher_tdes_randkey);
++    if (strcmp(prov_name, "fips") != 0) {
++        ADD_TEST(test_cipher_tdes_randkey);
++    }
+ #endif
+     return 1;
+ }
+Index: openssl-3.2.3/test/recipes/15-test_gendsa.t
+===================================================================
+--- openssl-3.2.3.orig/test/recipes/15-test_gendsa.t
++++ openssl-3.2.3/test/recipes/15-test_gendsa.t
+@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
+ plan skip_all => "This test is unsupported in a no-dsa build"
+     if disabled("dsa");
+ 
+-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
++my $no_fips = 1;
+ 
+ plan tests =>
+     ($no_fips ? 0 : 2)          # FIPS related tests
+Index: openssl-3.2.3/test/recipes/20-test_cli_fips.t
+===================================================================
+--- openssl-3.2.3.orig/test/recipes/20-test_cli_fips.t
++++ openssl-3.2.3/test/recipes/20-test_cli_fips.t
+@@ -278,8 +278,7 @@ SKIP: {
+ }
+ 
+ SKIP : {
+-    skip "FIPS DSA tests because of no dsa in this build", 1
+-        if disabled("dsa");
++    skip "FIPS DSA tests because of no dsa in this build", 1;
+ 
+     subtest DSA => sub {
+         my $testtext_prefix = 'DSA';
+Index: openssl-3.2.3/test/recipes/30-test_evp.t
+===================================================================
+--- openssl-3.2.3.orig/test/recipes/30-test_evp.t
++++ openssl-3.2.3/test/recipes/30-test_evp.t
+@@ -46,10 +46,8 @@ my @files = qw(
+                 evpciph_aes_cts.txt
+                 evpciph_aes_wrap.txt
+                 evpciph_aes_stitched.txt
+-                evpciph_des3_common.txt
+                 evpkdf_hkdf.txt
+                 evpkdf_kbkdf_counter.txt
+-                evpkdf_kbkdf_kmac.txt
+                 evpkdf_pbkdf1.txt
+                 evpkdf_pbkdf2.txt
+                 evpkdf_ss.txt
+@@ -70,15 +68,6 @@ push @files, qw(
+                 evppkey_dh.txt
+                ) unless $no_dh;
+ push @files, qw(
+-                evpkdf_x942_des.txt
+-                evpmac_cmac_des.txt
+-               ) unless $no_des;
+-push @files, qw(evppkey_dsa.txt) unless $no_dsa;
+-push @files, qw(
+-                evppkey_ecx.txt
+-                evppkey_mismatch_ecx.txt
+-               ) unless $no_ecx;
+-push @files, qw(
+                 evppkey_ecc.txt
+                 evppkey_ecdh.txt
+                 evppkey_ecdsa.txt
+@@ -97,6 +86,7 @@ my @defltfiles = qw(
+                      evpciph_cast5.txt
+                      evpciph_chacha.txt
+                      evpciph_des.txt
++                     evpciph_des3_common.txt
+                      evpciph_idea.txt
+                      evpciph_rc2.txt
+                      evpciph_rc4.txt
+@@ -121,13 +111,19 @@ my @defltfiles = qw(
+                      evpmd_whirlpool.txt
+                      evppbe_scrypt.txt
+                      evppbe_pkcs12.txt
++                     evpkdf_kbkdf_kmac.txt
+                      evppkey_kdf_scrypt.txt
+                      evppkey_kdf_tls1_prf.txt
+                      evppkey_rsa.txt
+                     );
++push @defltfiles, qw(evppkey_dsa.txt) unless $no_dsa;
++push @defltfiles, qw(evppkey_ecx.txt) unless $no_ec;
++push @defltfiles, qw(
++                evpkdf_x942_des.txt
++                evpmac_cmac_des.txt
++               ) unless $no_des;
+ push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec;
+ push @defltfiles, qw(evppkey_ecdsa_rfc6979.txt) unless $no_ec;
+-push @defltfiles, qw(evppkey_dsa_rfc6979.txt) unless $no_dsa;
+ push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2;
+ push @defltfiles, qw(evpciph_aes_gcm_siv.txt) unless $no_siv;
+ push @defltfiles, qw(evpciph_aes_siv.txt) unless $no_siv;
+Index: openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt
+===================================================================
+--- openssl-3.2.3.orig/test/recipes/30-test_evp_data/evpmac_common.txt
++++ openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt
+@@ -363,6 +363,7 @@ IV = 7AE8E2CA4EC500012E58495C
+ Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D0007
+ Result = MAC_INIT_ERROR
+ 
++Availablein = default
+ Title = KMAC Tests (From NIST)
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+@@ -373,12 +374,14 @@ Ctrl = xof:0
+ OutputSize = 32
+ BlockSize = 168
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+ Custom = "My Tagged Application"
+ Output = 3B1FBA963CD8B0B59E8C1A6D71888B7143651AF8BA0A7070C0979E2811324AA5
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -386,6 +389,7 @@ Custom = "My Tagged Application"
+ Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230
+ Ctrl = size:32
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+@@ -394,12 +398,14 @@ Output = 20C570C31346F703C9AC36C61C03CB6
+ OutputSize = 64
+ BlockSize = 136
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+ Custom = ""
+ Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -409,12 +415,14 @@ Ctrl = size:64
+ 
+ Title = KMAC XOF Tests (From NIST)
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+ Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
+ XOF = 1
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+@@ -422,6 +430,7 @@ Custom = "My Tagged Application"
+ Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
+ XOF = 1
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -430,6 +439,7 @@ Output = 47026C7CD793084AA0283C253EF6584
+ XOF = 1
+ Ctrl = size:32
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+@@ -437,6 +447,7 @@ Custom = "My Tagged Application"
+ Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
+ XOF = 1
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -444,6 +455,7 @@ Custom = ""
+ Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
+ XOF = 1
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -454,6 +466,7 @@ XOF = 1
+ 
+ Title = KMAC long customisation string (from NIST ACVP)
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
+ Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
+@@ -464,12 +477,14 @@ XOF = 1
+ 
+ Title = KMAC XOF Tests via ctrl (From NIST)
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+ Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
+ Ctrl = xof:1
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+@@ -477,6 +492,7 @@ Custom = "My Tagged Application"
+ Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
+ Ctrl = xof:1
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -485,6 +501,7 @@ Output = 47026C7CD793084AA0283C253EF6584
+ Ctrl = xof:1
+ Ctrl = size:32
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+@@ -492,6 +509,7 @@ Custom = "My Tagged Application"
+ Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
+ Ctrl = xof:1
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -499,6 +517,7 @@ Custom = ""
+ Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
+ Ctrl = xof:1
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -509,6 +528,7 @@ Ctrl = xof:1
+ 
+ Title = KMAC long customisation string via ctrl (from NIST ACVP)
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
+ Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
+@@ -519,6 +539,7 @@ Ctrl = xof:1
+ 
+ Title = KMAC long customisation string negative test
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -527,6 +548,7 @@ Result = MAC_INIT_ERROR
+ 
+ Title = KMAC output is too large
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+Index: openssl-3.2.3/test/recipes/80-test_cms.t
+===================================================================
+--- openssl-3.2.3.orig/test/recipes/80-test_cms.t
++++ openssl-3.2.3/test/recipes/80-test_cms.t
+@@ -96,7 +96,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed content DER format, DSA key",
++    [ "signed content DER format, DSA key, no SUSE FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
+         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
+       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
+@@ -104,7 +104,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed detached content DER format, DSA key",
++    [ "signed detached content DER format, DSA key, no SUSE FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
+         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
+       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
+@@ -113,7 +113,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed detached content DER format, add RSA signer (with DSA existing)",
++    [ "signed detached content DER format, add RSA signer (with DSA existing), no SUSE FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
+         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
+       [ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER",
+@@ -124,7 +124,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed content test streaming BER format, DSA key",
++    [ "signed content test streaming BER format, DSA key, no SUSE FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
+         "-nodetach", "-stream",
+         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
+@@ -133,7 +133,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys",
++    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no SUSE FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
+         "-nodetach", "-stream",
+         "-signer", $smrsa1,
+@@ -146,7 +146,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes",
++    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no SUSE FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
+         "-noattr", "-nodetach", "-stream",
+         "-signer", $smrsa1,
+@@ -176,7 +176,7 @@ my @smime_pkcs7_tests = (
+       \&zero_compare
+     ],
+ 
+-    [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys",
++    [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys, no SUSE FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
+         "-signer", $smrsa1,
+         "-signer", catfile($smdir, "smrsa2.pem"),
+@@ -188,7 +188,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys",
++    [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys, no SUSE FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont,
+         "-signer", $smrsa1,
+         "-signer", catfile($smdir, "smrsa2.pem"),
+@@ -250,7 +250,7 @@ my @smime_pkcs7_tests = (
+ 
+ my @smime_cms_tests = (
+ 
+-    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid",
++    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid, no SUSE FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
+         "-nodetach", "-keyid",
+         "-signer", $smrsa1,
+@@ -263,7 +263,7 @@ my @smime_cms_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys",
++    [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys, no SUSE FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
+         "-signer", $smrsa1,
+         "-signer", catfile($smdir, "smrsa2.pem"),
+@@ -373,7 +373,7 @@ my @smime_cms_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "encrypted content test streaming PEM format, triple DES key",
++    [ "encrypted content test streaming PEM format, triple DES key, no SUSE FIPS",
+       [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
+         "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
+         "-stream", "-out", "{output}.cms" ],
+Index: openssl-3.2.3/test/recipes/80-test_ssl_old.t
+===================================================================
+--- openssl-3.2.3.orig/test/recipes/80-test_ssl_old.t
++++ openssl-3.2.3/test/recipes/80-test_ssl_old.t
+@@ -436,7 +436,7 @@ sub testssl {
+         my @exkeys = ();
+         my $ciphers = '-PSK:-SRP:@SECLEVEL=0';
+ 
+-        if (!$no_dsa) {
++        if (!$no_dsa && $provider ne "fips") {
+             push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey;
+         }
+ 

openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch

@@ -0,0 +1,113 @@
+From a325a23bc83f4efd60130001c417ca5b96bdbff1 Mon Sep 17 00:00:00 2001
+From: Clemens Lang <cllang@redhat.com>
+Date: Thu, 17 Nov 2022 19:33:02 +0100
+Subject: [PATCH] signature: Add indicator for PSS salt length
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
+5.5 "PKCS #1" says: "For RSASSA-PSS [...] the length (in bytes) of the
+salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
+the hash function output block (in bytes)."
+
+It is not exactly clear from this text whether hLen refers to the
+message digest or the hash function used for the mask generation
+function MGF1. PKCS#1 v2.1 suggests it is the former:
+
+| Typical salt lengths in octets are hLen (the length of the output of
+| the hash function Hash) and 0. In both cases the security of
+| RSASSA-PSS can be closely related to the hardness of inverting RSAVP1.
+| Bellare and Rogaway [4] give a tight lower bound for the security of
+| the original RSA-PSS scheme, which corresponds roughly to the former
+| case, while Coron [12] gives a lower bound for the related Full Domain
+| Hashing scheme, which corresponds roughly to the latter case. In [13]
+| Coron provides a general treatment with various salt lengths ranging
+| from 0 to hLen; see [27] for discussion. See also [31], which adapts
+| the security proofs in [4][13] to address the differences between the
+| original and the present version of RSA-PSS as listed in Note 1 above.
+
+Since OpenSSL defaults to creating signatures with the maximum salt
+length, blocking the use of longer salts would probably lead to
+significant problems in practice. Instead, introduce an explicit
+indicator that can be obtained from the EVP_PKEY_CTX object using
+EVP_PKEY_CTX_get_params() with the
+  OSSL_SIGNATURE_PARAM_SUSE_FIPS_INDICATOR
+parameter.
+
+We also add indicator for RSA_NO_PADDING here to avoid patch-over-patch.
+Dmitry Belyavskiy <dbelyavs@redhat.com>
+
+Signed-off-by: Clemens Lang <cllang@redhat.com>
+---
+ include/openssl/evp.h                         |  4 ++++
+ providers/implementations/signature/rsa_sig.c | 21 +++++++++++++++++
+ util/perl/OpenSSL/paramnames.pm               | 23 ++++++++++---------
+ 3 files changed, 37 insertions(+), 11 deletions(-)
+
+Index: openssl-3.2.3/include/openssl/evp.h
+===================================================================
+--- openssl-3.2.3.orig/include/openssl/evp.h
++++ openssl-3.2.3/include/openssl/evp.h
+@@ -804,6 +804,10 @@ __owur int EVP_CipherFinal(EVP_CIPHER_CT
+ __owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
+                               int *outl);
+ 
++# define EVP_SIGNATURE_SUSE_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_SIGNATURE_SUSE_FIPS_INDICATOR_APPROVED     1
++# define EVP_SIGNATURE_SUSE_FIPS_INDICATOR_NOT_APPROVED 2
++
+ __owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
+                          EVP_PKEY *pkey);
+ __owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
+Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c
+===================================================================
+--- openssl-3.2.3.orig/providers/implementations/signature/rsa_sig.c
++++ openssl-3.2.3/providers/implementations/signature/rsa_sig.c
+@@ -1185,6 +1185,24 @@ static int rsa_get_ctx_params(void *vprs
+         }
+     }
+ 
++#ifdef FIPS_MODULE
++    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_SUSE_FIPS_INDICATOR);
++    if (p != NULL) {
++        int fips_indicator = EVP_SIGNATURE_SUSE_FIPS_INDICATOR_APPROVED;
++        if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {
++            if (prsactx->md == NULL) {
++                fips_indicator = EVP_SIGNATURE_SUSE_FIPS_INDICATOR_UNDETERMINED;
++            } else if (rsa_pss_compute_saltlen(prsactx) > EVP_MD_get_size(prsactx->md)) {
++                fips_indicator = EVP_SIGNATURE_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++            }
++        } else if (prsactx->pad_mode == RSA_NO_PADDING) {
++            if (prsactx->md == NULL) /* Should always be the case */
++                fips_indicator = EVP_SIGNATURE_SUSE_FIPS_INDICATOR_NOT_APPROVED;
++        }
++        return OSSL_PARAM_set_int(p, fips_indicator);
++    }
++#endif
++
+     return 1;
+ }
+ 
+@@ -1194,6 +1212,9 @@ static const OSSL_PARAM known_gettable_c
+     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
+     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
+     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
++#ifdef FIPS_MODULE
++    OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_SUSE_FIPS_INDICATOR, NULL),
++#endif
+     OSSL_PARAM_END
+ };
+ 
+Index: openssl-3.2.3/util/perl/OpenSSL/paramnames.pm
+===================================================================
+--- openssl-3.2.3.orig/util/perl/OpenSSL/paramnames.pm
++++ openssl-3.2.3/util/perl/OpenSSL/paramnames.pm
+@@ -386,6 +386,7 @@ my %params = (
+     'SIGNATURE_PARAM_MGF1_PROPERTIES' =>    '*PKEY_PARAM_MGF1_PROPERTIES',
+     'SIGNATURE_PARAM_DIGEST_SIZE' =>        '*PKEY_PARAM_DIGEST_SIZE',
+     'SIGNATURE_PARAM_NONCE_TYPE' =>         "nonce-type",
++    'SIGNATURE_PARAM_SUSE_FIPS_INDICATOR' => "suse-fips-indicator",
+     'SIGNATURE_PARAM_INSTANCE' =>           "instance",
+     'SIGNATURE_PARAM_CONTEXT_STRING' =>     "context-string",
+ 

openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch

@@ -0,0 +1,309 @@
+From 4580c303fa88f77a98461fee5fe26b5db725967c Mon Sep 17 00:00:00 2001
+From: Todd Short <todd.short@me.com>
+Date: Thu, 1 Feb 2024 23:09:38 -0500
+Subject: [PATCH 1/2] Fix EVP_PKEY_CTX_add1_hkdf_info() behavior
+
+Fix #23448
+
+`EVP_PKEY_CTX_add1_hkdf_info()` behaves like a `set1` function.
+
+Fix the setting of the parameter in the params code.
+Update the TLS_PRF code to also use the params code.
+Add tests.
+
+Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/23456)
+
+(cherry picked from commit 6b566687b58fde08b28e3331377f050768fad89b)
+---
+ crypto/evp/pmeth_lib.c                        | 65 ++++++++++++++++++-
+ providers/implementations/exchange/kdf_exch.c | 42 ++++++++++++
+ providers/implementations/kdfs/hkdf.c         |  8 +++
+ test/pkey_meth_kdf_test.c                     | 53 +++++++++++----
+ 4 files changed, 156 insertions(+), 12 deletions(-)
+
+diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
+index ba1971c..d0eeaf7 100644
+--- a/crypto/evp/pmeth_lib.c
++++ b/crypto/evp/pmeth_lib.c
+@@ -1028,6 +1028,69 @@ static int evp_pkey_ctx_set1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
+     return EVP_PKEY_CTX_set_params(ctx, octet_string_params);
+ }
+ 
++static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
++                                          const char *param, int op, int ctrl,
++                                          const unsigned char *data,
++                                          int datalen)
++{
++    OSSL_PARAM os_params[2];
++    unsigned char *info = NULL;
++    size_t info_len = 0;
++    size_t info_alloc = 0;
++    int ret = 0;
++
++    if (ctx == NULL || (ctx->operation & op) == 0) {
++        ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
++        /* Uses the same return values as EVP_PKEY_CTX_ctrl */
++        return -2;
++    }
++
++    /* Code below to be removed when legacy support is dropped. */
++    if (fallback)
++        return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, datalen, (void *)(data));
++    /* end of legacy support */
++
++    if (datalen < 0) {
++        ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH);
++        return 0;
++    }
++
++    /* Get the original value length */
++    os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0);
++    os_params[1] = OSSL_PARAM_construct_end();
++
++    if (!EVP_PKEY_CTX_get_params(ctx, os_params))
++        return 0;
++
++    /* Older provider that doesn't support getting this parameter */
++    if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED)
++        return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen);
++
++    info_alloc = os_params[0].return_size + datalen;
++    if (info_alloc == 0)
++        return 0;
++    info = OPENSSL_zalloc(info_alloc);
++    if (info == NULL)
++        return 0;
++    info_len = os_params[0].return_size;
++
++    os_params[0] = OSSL_PARAM_construct_octet_string(param, info, info_alloc);
++
++    /* if we have data, then go get it */
++    if (info_len > 0) {
++        if (!EVP_PKEY_CTX_get_params(ctx, os_params))
++            goto error;
++    }
++
++    /* Copy the input data */
++    memcpy(&info[info_len], data, datalen);
++    ret = EVP_PKEY_CTX_set_params(ctx, os_params);
++
++ error:
++    OPENSSL_clear_free(info, info_alloc);
++    return ret;
++}
++
+ int EVP_PKEY_CTX_set1_tls1_prf_secret(EVP_PKEY_CTX *ctx,
+                                       const unsigned char *sec, int seclen)
+ {
+@@ -1078,7 +1141,7 @@ int EVP_PKEY_CTX_set1_hkdf_key(EVP_PKEY_CTX *ctx,
+ int EVP_PKEY_CTX_add1_hkdf_info(EVP_PKEY_CTX *ctx,
+                                       const unsigned char *info, int infolen)
+ {
+-    return evp_pkey_ctx_set1_octet_string(ctx, ctx->op.kex.algctx == NULL,
++    return evp_pkey_ctx_add1_octet_string(ctx, ctx->op.kex.algctx == NULL,
+                                           OSSL_KDF_PARAM_INFO,
+                                           EVP_PKEY_OP_DERIVE,
+                                           EVP_PKEY_CTRL_HKDF_INFO,
+diff --git a/providers/implementations/exchange/kdf_exch.c b/providers/implementations/exchange/kdf_exch.c
+index 527a866..4bc8102 100644
+--- a/providers/implementations/exchange/kdf_exch.c
++++ b/providers/implementations/exchange/kdf_exch.c
+@@ -28,9 +28,13 @@ static OSSL_FUNC_keyexch_derive_fn kdf_derive;
+ static OSSL_FUNC_keyexch_freectx_fn kdf_freectx;
+ static OSSL_FUNC_keyexch_dupctx_fn kdf_dupctx;
+ static OSSL_FUNC_keyexch_set_ctx_params_fn kdf_set_ctx_params;
++static OSSL_FUNC_keyexch_get_ctx_params_fn kdf_get_ctx_params;
+ static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_tls1_prf_settable_ctx_params;
+ static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_hkdf_settable_ctx_params;
+ static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_scrypt_settable_ctx_params;
++static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_tls1_prf_gettable_ctx_params;
++static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
++static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_scrypt_gettable_ctx_params;
+ 
+ typedef struct {
+     void *provctx;
+@@ -169,6 +173,13 @@ static int kdf_set_ctx_params(void *vpkdfctx, const OSSL_PARAM params[])
+     return EVP_KDF_CTX_set_params(pkdfctx->kdfctx, params);
+ }
+ 
++static int kdf_get_ctx_params(void *vpkdfctx, OSSL_PARAM params[])
++{
++    PROV_KDF_CTX *pkdfctx = (PROV_KDF_CTX *)vpkdfctx;
++
++    return EVP_KDF_CTX_get_params(pkdfctx->kdfctx, params);
++}
++
+ static const OSSL_PARAM *kdf_settable_ctx_params(ossl_unused void *vpkdfctx,
+                                                  void *provctx,
+                                                  const char *kdfname)
+@@ -197,6 +208,34 @@ KDF_SETTABLE_CTX_PARAMS(tls1_prf, "TLS1-PRF")
+ KDF_SETTABLE_CTX_PARAMS(hkdf, "HKDF")
+ KDF_SETTABLE_CTX_PARAMS(scrypt, "SCRYPT")
+ 
++static const OSSL_PARAM *kdf_gettable_ctx_params(ossl_unused void *vpkdfctx,
++                                                 void *provctx,
++                                                 const char *kdfname)
++{
++    EVP_KDF *kdf = EVP_KDF_fetch(PROV_LIBCTX_OF(provctx), kdfname,
++                                 NULL);
++    const OSSL_PARAM *params;
++
++    if (kdf == NULL)
++        return NULL;
++
++    params = EVP_KDF_gettable_ctx_params(kdf);
++    EVP_KDF_free(kdf);
++
++    return params;
++}
++
++#define KDF_GETTABLE_CTX_PARAMS(funcname, kdfname) \
++    static const OSSL_PARAM *kdf_##funcname##_gettable_ctx_params(void *vpkdfctx, \
++                                                                  void *provctx) \
++    { \
++        return kdf_gettable_ctx_params(vpkdfctx, provctx, kdfname); \
++    }
++
++KDF_GETTABLE_CTX_PARAMS(tls1_prf, "TLS1-PRF")
++KDF_GETTABLE_CTX_PARAMS(hkdf, "HKDF")
++KDF_GETTABLE_CTX_PARAMS(scrypt, "SCRYPT")
++
+ #define KDF_KEYEXCH_FUNCTIONS(funcname) \
+     const OSSL_DISPATCH ossl_kdf_##funcname##_keyexch_functions[] = { \
+         { OSSL_FUNC_KEYEXCH_NEWCTX, (void (*)(void))kdf_##funcname##_newctx }, \
+@@ -205,8 +244,11 @@ KDF_SETTABLE_CTX_PARAMS(scrypt, "SCRYPT")
+         { OSSL_FUNC_KEYEXCH_FREECTX, (void (*)(void))kdf_freectx }, \
+         { OSSL_FUNC_KEYEXCH_DUPCTX, (void (*)(void))kdf_dupctx }, \
+         { OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS, (void (*)(void))kdf_set_ctx_params }, \
++        { OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS, (void (*)(void))kdf_get_ctx_params }, \
+         { OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS, \
+         (void (*)(void))kdf_##funcname##_settable_ctx_params }, \
++        { OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS, \
++        (void (*)(void))kdf_##funcname##_gettable_ctx_params }, \
+         { 0, NULL } \
+     };
+ 
+diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
+index daa619b..dd65a2a 100644
+--- a/providers/implementations/kdfs/hkdf.c
++++ b/providers/implementations/kdfs/hkdf.c
+@@ -371,6 +371,13 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+             return 0;
+         return OSSL_PARAM_set_size_t(p, sz);
+     }
++    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) {
++        if (ctx->info == NULL || ctx->info_len == 0) {
++            p->return_size = 0;
++            return 1;
++        }
++        return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len);
++    }
+     return -2;
+ }
+ 
+@@ -379,6 +386,7 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
+ {
+     static const OSSL_PARAM known_gettable_ctx_params[] = {
+         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++        OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
+         OSSL_PARAM_END
+     };
+     return known_gettable_ctx_params;
+diff --git a/test/pkey_meth_kdf_test.c b/test/pkey_meth_kdf_test.c
+index f816d24..c09e2f3 100644
+--- a/test/pkey_meth_kdf_test.c
++++ b/test/pkey_meth_kdf_test.c
+@@ -16,7 +16,7 @@
+ #include <openssl/kdf.h>
+ #include "testutil.h"
+ 
+-static int test_kdf_tls1_prf(void)
++static int test_kdf_tls1_prf(int index)
+ {
+     int ret = 0;
+     EVP_PKEY_CTX *pctx;
+@@ -40,10 +40,23 @@ static int test_kdf_tls1_prf(void)
+         TEST_error("EVP_PKEY_CTX_set1_tls1_prf_secret");
+         goto err;
+     }
+-    if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
+-                                        (unsigned char *)"seed", 4) <= 0) {
+-        TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
+-        goto err;
++    if (index == 0) {
++        if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
++                                            (unsigned char *)"seed", 4) <= 0) {
++            TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
++            goto err;
++        }
++    } else {
++        if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
++                                            (unsigned char *)"se", 2) <= 0) {
++            TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
++            goto err;
++        }
++        if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
++                                            (unsigned char *)"ed", 2) <= 0) {
++            TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
++            goto err;
++        }
+     }
+     if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
+         TEST_error("EVP_PKEY_derive");
+@@ -65,7 +78,7 @@ err:
+     return ret;
+ }
+ 
+-static int test_kdf_hkdf(void)
++static int test_kdf_hkdf(int index)
+ {
+     int ret = 0;
+     EVP_PKEY_CTX *pctx;
+@@ -94,10 +107,23 @@ static int test_kdf_hkdf(void)
+         TEST_error("EVP_PKEY_CTX_set1_hkdf_key");
+         goto err;
+     }
+-    if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"label", 5)
++    if (index == 0) {
++        if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"label", 5)
+             <= 0) {
+-        TEST_error("EVP_PKEY_CTX_set1_hkdf_info");
+-        goto err;
++            TEST_error("EVP_PKEY_CTX_add1_hkdf_info");
++            goto err;
++        }
++    } else {
++        if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"lab", 3)
++            <= 0) {
++            TEST_error("EVP_PKEY_CTX_add1_hkdf_info");
++            goto err;
++        }
++        if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"el", 2)
++            <= 0) {
++            TEST_error("EVP_PKEY_CTX_add1_hkdf_info");
++            goto err;
++        }
+     }
+     if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
+         TEST_error("EVP_PKEY_derive");
+@@ -195,8 +221,13 @@ err:
+ 
+ int setup_tests(void)
+ {
+-    ADD_TEST(test_kdf_tls1_prf);
+-    ADD_TEST(test_kdf_hkdf);
++    int tests = 1;
++
++    if (fips_provider_version_ge(NULL, 3, 3, 1))
++        tests = 2;
++
++    ADD_ALL_TESTS(test_kdf_tls1_prf, tests);
++    ADD_ALL_TESTS(test_kdf_hkdf, tests);
+ #ifndef OPENSSL_NO_SCRYPT
+     ADD_TEST(test_kdf_scrypt);
+ #endif
+-- 
+2.45.1
+

openssl-Force-FIPS.patch

@@ -0,0 +1,79 @@
+From 22c5e2dc99406629b2c37c1ddf1151d6fb8ad7d1 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 6 Mar 2024 19:17:15 +0100
+Subject: [PATCH 22/53] FIPS: Force fips provider on
+
+Patch-name: 0032-Force-fips.patch
+Patch-id: 32
+Patch-status: |
+    # # We load FIPS provider and set FIPS properties implicitly
+From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
+---
+ crypto/provider_conf.c | 30 +++++++++++++++++++++++++++++-
+ 1 file changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c
+index 5ec50f97e4..a2a9786e1c 100644
+--- a/crypto/provider_conf.c
++++ b/crypto/provider_conf.c
+@@ -10,6 +10,8 @@
+ #include <string.h>
+ #include <openssl/trace.h>
+ #include <openssl/err.h>
++#include <openssl/evp.h>
++#include <unistd.h>
+ #include <openssl/conf.h>
+ #include <openssl/safestack.h>
+ #include <openssl/provider.h>
+@@ -237,7 +239,7 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name,
+         if (path != NULL)
+             ossl_provider_set_module_path(prov, path);
+ 
+-        ok = provider_conf_params(prov, NULL, NULL, value, cnf);
++        ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;
+ 
+         if (ok == 1) {
+             if (!ossl_provider_activate(prov, 1, 0)) {
+@@ -266,6 +268,8 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name,
+ 
+         if (ok <= 0)
+             ossl_provider_free(prov);
++    } else {
++        ok = 1;
+     }
+     CRYPTO_THREAD_unlock(pcgbl->lock);
+ 
+@@ -420,6 +424,30 @@ static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf)
+             return 0;
+     }
+ 
++    if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */
++        OSSL_LIB_CTX *libctx = NCONF_get0_libctx((CONF *)cnf);
++#  define FIPS_LOCAL_CONF           OPENSSLDIR "/fips_local.cnf"
++
++        if (access(FIPS_LOCAL_CONF, R_OK) == 0) {
++            CONF *fips_conf = NCONF_new_ex(libctx, NCONF_default());
++            if (NCONF_load(fips_conf, FIPS_LOCAL_CONF, NULL) <= 0)
++                return 0;
++
++            if (provider_conf_load(libctx, "fips", "fips_sect", fips_conf) != 1) {
++                NCONF_free(fips_conf);
++                return 0;
++            }
++            NCONF_free(fips_conf);
++        } else {
++            if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)
++                return 0;
++        }
++        if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)
++            return 0;
++        if (EVP_default_properties_enable_fips(libctx, 1) != 1)
++            return 0;
++    }
++
+     return 1;
+ }
+ 
+-- 
+2.49.0
+

openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch

@@ -0,0 +1,94 @@
+From d6a9c21302e01c33a9a919e7ba380ba3b0ed65b0 Mon Sep 17 00:00:00 2001
+From: trinity-1686a <trinity@deuxfleurs.fr>
+Date: Mon, 15 Apr 2024 11:13:14 +0200
+Subject: [PATCH 2/2] Handle empty param in EVP_PKEY_CTX_add1_hkdf_info
+
+Fixes #24130
+The regression was introduced in PR #23456.
+
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24141)
+
+(cherry picked from commit 299996fb1fcd76eeadfd547958de2a1b822f37f5)
+---
+ crypto/evp/pmeth_lib.c |  2 ++
+ test/evp_extra_test.c  | 42 ++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 44 insertions(+)
+
+diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
+index d0eeaf7..bce1ebc 100644
+--- a/crypto/evp/pmeth_lib.c
++++ b/crypto/evp/pmeth_lib.c
+@@ -1053,6 +1053,8 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
+     if (datalen < 0) {
+         ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH);
+         return 0;
++    } else if (datalen == 0) {
++        return 1;
+     }
+ 
+     /* Get the original value length */
+diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
+index 9b3bee7..22121ce 100644
+--- a/test/evp_extra_test.c
++++ b/test/evp_extra_test.c
+@@ -2565,6 +2565,47 @@ static int test_emptyikm_HKDF(void)
+     return ret;
+ }
+ 
++static int test_empty_salt_info_HKDF(void)
++{
++    EVP_PKEY_CTX *pctx;
++    unsigned char out[20];
++    size_t outlen;
++    int ret = 0;
++    unsigned char salt[] = "";
++    unsigned char key[] = "012345678901234567890123456789";
++    unsigned char info[] = "";
++    const unsigned char expected[] = {
++	0x67, 0x12, 0xf9, 0x27, 0x8a, 0x8a, 0x3a, 0x8f, 0x7d, 0x2c, 0xa3, 0x6a,
++	0xaa, 0xe9, 0xb3, 0xb9, 0x52, 0x5f, 0xe0, 0x06,
++    };
++    size_t expectedlen = sizeof(expected);
++
++    if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, "HKDF", testpropq)))
++        goto done;
++
++    outlen = sizeof(out);
++    memset(out, 0, outlen);
++
++    if (!TEST_int_gt(EVP_PKEY_derive_init(pctx), 0)
++            || !TEST_int_gt(EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()), 0)
++            || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt,
++                                                        sizeof(salt) - 1), 0)
++            || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_key(pctx, key,
++                                                       sizeof(key) - 1), 0)
++            || !TEST_int_gt(EVP_PKEY_CTX_add1_hkdf_info(pctx, info,
++                                                        sizeof(info) - 1), 0)
++            || !TEST_int_gt(EVP_PKEY_derive(pctx, out, &outlen), 0)
++            || !TEST_mem_eq(out, outlen, expected, expectedlen))
++        goto done;
++
++    ret = 1;
++
++ done:
++    EVP_PKEY_CTX_free(pctx);
++
++    return ret;
++}
++
+ #ifndef OPENSSL_NO_EC
+ static int test_X509_PUBKEY_inplace(void)
+ {
+@@ -5166,6 +5207,7 @@ int setup_tests(void)
+ #endif
+     ADD_TEST(test_HKDF);
+     ADD_TEST(test_emptyikm_HKDF);
++    ADD_TEST(test_empty_salt_info_HKDF);
+ #ifndef OPENSSL_NO_EC
+     ADD_TEST(test_X509_PUBKEY_inplace);
+     ADD_TEST(test_X509_PUBKEY_dup);
+-- 
+2.45.1
+

openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch

@@ -0,0 +1,495 @@
+From 3d3a7ecd1ae5ab08d22041f7b3b035c34f12fa02 Mon Sep 17 00:00:00 2001
+From: Danny Tsen <dtsen@linux.ibm.com>
+Date: Tue, 22 Aug 2023 15:58:53 -0400
+Subject: [PATCH] Improve performance for 6x unrolling with vpermxor
+ instruction
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/21812)
+---
+ crypto/aes/asm/aesp8-ppc.pl | 145 +++++++++++++++++++++++-------------
+ 1 file changed, 95 insertions(+), 50 deletions(-)
+
+diff --git a/crypto/aes/asm/aesp8-ppc.pl b/crypto/aes/asm/aesp8-ppc.pl
+index 60cf86f52aed2..38b9405a283b7 100755
+--- a/crypto/aes/asm/aesp8-ppc.pl
++++ b/crypto/aes/asm/aesp8-ppc.pl
+@@ -99,11 +99,12 @@
+ .long	0x1b000000, 0x1b000000, 0x1b000000, 0x1b000000	?rev
+ .long	0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c	?rev
+ .long	0,0,0,0						?asis
++.long	0x0f102132, 0x43546576, 0x8798a9ba, 0xcbdcedfe
+ Lconsts:
+ 	mflr	r0
+ 	bcl	20,31,\$+4
+ 	mflr	$ptr	 #vvvvv "distance between . and rcon
+-	addi	$ptr,$ptr,-0x48
++	addi	$ptr,$ptr,-0x58
+ 	mtlr	r0
+ 	blr
+ 	.long	0
+@@ -2405,7 +2406,7 @@ ()
+ my $key_=$key2;
+ my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,3,26..31));
+     $x00=0 if ($flavour =~ /osx/);
+-my ($in0,  $in1,  $in2,  $in3,  $in4,  $in5 )=map("v$_",(0..5));
++my ($in0,  $in1,  $in2,  $in3,  $in4,  $in5)=map("v$_",(0..5));
+ my ($out0, $out1, $out2, $out3, $out4, $out5)=map("v$_",(7,12..16));
+ my ($twk0, $twk1, $twk2, $twk3, $twk4, $twk5)=map("v$_",(17..22));
+ my $rndkey0="v23";	# v24-v25 rotating buffer for first found keys
+@@ -2460,6 +2461,18 @@ ()
+ 	li		$x70,0x70
+ 	mtspr		256,r0
+ 
++	# Reverse eighty7 to 0x010101..87
++	xxlor		2, 32+$eighty7, 32+$eighty7
++	vsldoi		$eighty7,$tmp,$eighty7,1	# 0x010101..87
++	xxlor		1, 32+$eighty7, 32+$eighty7
++
++	# Load XOR contents. 0xf102132435465768798a9bacbdcedfe
++	mr		$x70, r6
++	bl		Lconsts
++	lxvw4x		0, $x40, r6		# load XOR contents
++	mr		r6, $x70
++	li		$x70,0x70
++
+ 	subi		$rounds,$rounds,3	# -4 in total
+ 
+ 	lvx		$rndkey0,$x00,$key1	# load key schedule
+@@ -2502,69 +2515,77 @@ ()
+ 	?vperm		v31,v31,$twk5,$keyperm
+ 	lvx		v25,$x10,$key_		# pre-load round[2]
+ 
++	# Switch to use the following codes with 0x010101..87 to generate tweak.
++	#     eighty7 = 0x010101..87
++	# vsrab		tmp, tweak, seven	# next tweak value, right shift 7 bits
++	# vand		tmp, tmp, eighty7	# last byte with carry
++	# vaddubm	tweak, tweak, tweak	# left shift 1 bit (x2)
++	# xxlor		vsx, 0, 0
++	# vpermxor	tweak, tweak, tmp, vsx
++
+ 	 vperm		$in0,$inout,$inptail,$inpperm
+ 	 subi		$inp,$inp,31		# undo "caller"
+ 	vxor		$twk0,$tweak,$rndkey0
+ 	vsrab		$tmp,$tweak,$seven	# next tweak value
+ 	vaddubm		$tweak,$tweak,$tweak
+-	vsldoi		$tmp,$tmp,$tmp,15
+ 	vand		$tmp,$tmp,$eighty7
+ 	 vxor		$out0,$in0,$twk0
+-	vxor		$tweak,$tweak,$tmp
++	xxlor		32+$in1, 0, 0
++	vpermxor	$tweak, $tweak, $tmp, $in1
+ 
+ 	 lvx_u		$in1,$x10,$inp
+ 	vxor		$twk1,$tweak,$rndkey0
+ 	vsrab		$tmp,$tweak,$seven	# next tweak value
+ 	vaddubm		$tweak,$tweak,$tweak
+-	vsldoi		$tmp,$tmp,$tmp,15
+ 	 le?vperm	$in1,$in1,$in1,$leperm
+ 	vand		$tmp,$tmp,$eighty7
+ 	 vxor		$out1,$in1,$twk1
+-	vxor		$tweak,$tweak,$tmp
++	xxlor		32+$in2, 0, 0
++	vpermxor	$tweak, $tweak, $tmp, $in2
+ 
+ 	 lvx_u		$in2,$x20,$inp
+ 	 andi.		$taillen,$len,15
+ 	vxor		$twk2,$tweak,$rndkey0
+ 	vsrab		$tmp,$tweak,$seven	# next tweak value
+ 	vaddubm		$tweak,$tweak,$tweak
+-	vsldoi		$tmp,$tmp,$tmp,15
+ 	 le?vperm	$in2,$in2,$in2,$leperm
+ 	vand		$tmp,$tmp,$eighty7
+ 	 vxor		$out2,$in2,$twk2
+-	vxor		$tweak,$tweak,$tmp
++	xxlor		32+$in3, 0, 0
++	vpermxor	$tweak, $tweak, $tmp, $in3
+ 
+ 	 lvx_u		$in3,$x30,$inp
+ 	 sub		$len,$len,$taillen
+ 	vxor		$twk3,$tweak,$rndkey0
+ 	vsrab		$tmp,$tweak,$seven	# next tweak value
+ 	vaddubm		$tweak,$tweak,$tweak
+-	vsldoi		$tmp,$tmp,$tmp,15
+ 	 le?vperm	$in3,$in3,$in3,$leperm
+ 	vand		$tmp,$tmp,$eighty7
+ 	 vxor		$out3,$in3,$twk3
+-	vxor		$tweak,$tweak,$tmp
++	xxlor		32+$in4, 0, 0
++	vpermxor	$tweak, $tweak, $tmp, $in4
+ 
+ 	 lvx_u		$in4,$x40,$inp
+ 	 subi		$len,$len,0x60
+ 	vxor		$twk4,$tweak,$rndkey0
+ 	vsrab		$tmp,$tweak,$seven	# next tweak value
+ 	vaddubm		$tweak,$tweak,$tweak
+-	vsldoi		$tmp,$tmp,$tmp,15
+ 	 le?vperm	$in4,$in4,$in4,$leperm
+ 	vand		$tmp,$tmp,$eighty7
+ 	 vxor		$out4,$in4,$twk4
+-	vxor		$tweak,$tweak,$tmp
++	xxlor		32+$in5, 0, 0
++	vpermxor	$tweak, $tweak, $tmp, $in5
+ 
+ 	 lvx_u		$in5,$x50,$inp
+ 	 addi		$inp,$inp,0x60
+ 	vxor		$twk5,$tweak,$rndkey0
+ 	vsrab		$tmp,$tweak,$seven	# next tweak value
+ 	vaddubm		$tweak,$tweak,$tweak
+-	vsldoi		$tmp,$tmp,$tmp,15
+ 	 le?vperm	$in5,$in5,$in5,$leperm
+ 	vand		$tmp,$tmp,$eighty7
+ 	 vxor		$out5,$in5,$twk5
+-	vxor		$tweak,$tweak,$tmp
++	xxlor		32+$in0, 0, 0
++	vpermxor	$tweak, $tweak, $tmp, $in0
+ 
+ 	vxor		v31,v31,$rndkey0
+ 	mtctr		$rounds
+@@ -2590,6 +2611,8 @@ ()
+ 	lvx		v25,$x10,$key_		# round[4]
+ 	bdnz		Loop_xts_enc6x
+ 
++	xxlor		32+$eighty7, 1, 1		# 0x010101..87
++
+ 	subic		$len,$len,96		# $len-=96
+ 	 vxor		$in0,$twk0,v31		# xor with last round key
+ 	vcipher		$out0,$out0,v24
+@@ -2599,7 +2622,6 @@ ()
+ 	 vaddubm	$tweak,$tweak,$tweak
+ 	vcipher		$out2,$out2,v24
+ 	vcipher		$out3,$out3,v24
+-	 vsldoi		$tmp,$tmp,$tmp,15
+ 	vcipher		$out4,$out4,v24
+ 	vcipher		$out5,$out5,v24
+ 
+@@ -2607,7 +2629,8 @@ ()
+ 	 vand		$tmp,$tmp,$eighty7
+ 	vcipher		$out0,$out0,v25
+ 	vcipher		$out1,$out1,v25
+-	 vxor		$tweak,$tweak,$tmp
++	 xxlor		32+$in1, 0, 0
++	 vpermxor	$tweak, $tweak, $tmp, $in1
+ 	vcipher		$out2,$out2,v25
+ 	vcipher		$out3,$out3,v25
+ 	 vxor		$in1,$twk1,v31
+@@ -2618,13 +2641,13 @@ ()
+ 
+ 	and		r0,r0,$len
+ 	 vaddubm	$tweak,$tweak,$tweak
+-	 vsldoi		$tmp,$tmp,$tmp,15
+ 	vcipher		$out0,$out0,v26
+ 	vcipher		$out1,$out1,v26
+ 	 vand		$tmp,$tmp,$eighty7
+ 	vcipher		$out2,$out2,v26
+ 	vcipher		$out3,$out3,v26
+-	 vxor		$tweak,$tweak,$tmp
++	 xxlor		32+$in2, 0, 0
++	 vpermxor	$tweak, $tweak, $tmp, $in2
+ 	vcipher		$out4,$out4,v26
+ 	vcipher		$out5,$out5,v26
+ 
+@@ -2638,7 +2661,6 @@ ()
+ 	 vaddubm	$tweak,$tweak,$tweak
+ 	vcipher		$out0,$out0,v27
+ 	vcipher		$out1,$out1,v27
+-	 vsldoi		$tmp,$tmp,$tmp,15
+ 	vcipher		$out2,$out2,v27
+ 	vcipher		$out3,$out3,v27
+ 	 vand		$tmp,$tmp,$eighty7
+@@ -2646,7 +2668,8 @@ ()
+ 	vcipher		$out5,$out5,v27
+ 
+ 	addi		$key_,$sp,$FRAME+15	# rewind $key_
+-	 vxor		$tweak,$tweak,$tmp
++	 xxlor		32+$in3, 0, 0
++	 vpermxor	$tweak, $tweak, $tmp, $in3
+ 	vcipher		$out0,$out0,v28
+ 	vcipher		$out1,$out1,v28
+ 	 vxor		$in3,$twk3,v31
+@@ -2655,7 +2678,6 @@ ()
+ 	vcipher		$out2,$out2,v28
+ 	vcipher		$out3,$out3,v28
+ 	 vaddubm	$tweak,$tweak,$tweak
+-	 vsldoi		$tmp,$tmp,$tmp,15
+ 	vcipher		$out4,$out4,v28
+ 	vcipher		$out5,$out5,v28
+ 	lvx		v24,$x00,$key_		# re-pre-load round[1]
+@@ -2663,7 +2685,8 @@ ()
+ 
+ 	vcipher		$out0,$out0,v29
+ 	vcipher		$out1,$out1,v29
+-	 vxor		$tweak,$tweak,$tmp
++	 xxlor		32+$in4, 0, 0
++	 vpermxor	$tweak, $tweak, $tmp, $in4
+ 	vcipher		$out2,$out2,v29
+ 	vcipher		$out3,$out3,v29
+ 	 vxor		$in4,$twk4,v31
+@@ -2673,14 +2696,14 @@ ()
+ 	vcipher		$out5,$out5,v29
+ 	lvx		v25,$x10,$key_		# re-pre-load round[2]
+ 	 vaddubm	$tweak,$tweak,$tweak
+-	 vsldoi		$tmp,$tmp,$tmp,15
+ 
+ 	vcipher		$out0,$out0,v30
+ 	vcipher		$out1,$out1,v30
+ 	 vand		$tmp,$tmp,$eighty7
+ 	vcipher		$out2,$out2,v30
+ 	vcipher		$out3,$out3,v30
+-	 vxor		$tweak,$tweak,$tmp
++	 xxlor		32+$in5, 0, 0
++	 vpermxor	$tweak, $tweak, $tmp, $in5
+ 	vcipher		$out4,$out4,v30
+ 	vcipher		$out5,$out5,v30
+ 	 vxor		$in5,$twk5,v31
+@@ -2690,7 +2713,6 @@ ()
+ 	vcipherlast	$out0,$out0,$in0
+ 	 lvx_u		$in0,$x00,$inp		# load next input block
+ 	 vaddubm	$tweak,$tweak,$tweak
+-	 vsldoi		$tmp,$tmp,$tmp,15
+ 	vcipherlast	$out1,$out1,$in1
+ 	 lvx_u		$in1,$x10,$inp
+ 	vcipherlast	$out2,$out2,$in2
+@@ -2703,7 +2725,10 @@ ()
+ 	vcipherlast	$out4,$out4,$in4
+ 	 le?vperm	$in2,$in2,$in2,$leperm
+ 	 lvx_u		$in4,$x40,$inp
+-	 vxor		$tweak,$tweak,$tmp
++	 xxlor		10, 32+$in0, 32+$in0
++	 xxlor		32+$in0, 0, 0
++	 vpermxor	$tweak, $tweak, $tmp, $in0
++	 xxlor		32+$in0, 10, 10
+ 	vcipherlast	$tmp,$out5,$in5		# last block might be needed
+ 						# in stealing mode
+ 	 le?vperm	$in3,$in3,$in3,$leperm
+@@ -2736,6 +2761,8 @@ ()
+ 	mtctr		$rounds
+ 	beq		Loop_xts_enc6x		# did $len-=96 borrow?
+ 
++	xxlor		32+$eighty7, 2, 2		# 0x870101..01
++
+ 	addic.		$len,$len,0x60
+ 	beq		Lxts_enc6x_zero
+ 	cmpwi		$len,0x20
+@@ -3112,6 +3139,18 @@ ()
+ 	li		$x70,0x70
+ 	mtspr		256,r0
+ 
++	# Reverse eighty7 to 0x010101..87
++	xxlor		2, 32+$eighty7, 32+$eighty7
++	vsldoi		$eighty7,$tmp,$eighty7,1	# 0x010101..87
++	xxlor		1, 32+$eighty7, 32+$eighty7
++
++	# Load XOR contents. 0xf102132435465768798a9bacbdcedfe
++	mr		$x70, r6
++	bl		Lconsts
++	lxvw4x		0, $x40, r6		# load XOR contents
++	mr		r6, $x70
++	li		$x70,0x70
++
+ 	subi		$rounds,$rounds,3	# -4 in total
+ 
+ 	lvx		$rndkey0,$x00,$key1	# load key schedule
+@@ -3159,64 +3198,64 @@ ()
+ 	vxor		$twk0,$tweak,$rndkey0
+ 	vsrab		$tmp,$tweak,$seven	# next tweak value
+ 	vaddubm		$tweak,$tweak,$tweak
+-	vsldoi		$tmp,$tmp,$tmp,15
+ 	vand		$tmp,$tmp,$eighty7
+ 	 vxor		$out0,$in0,$twk0
+-	vxor		$tweak,$tweak,$tmp
++	xxlor		32+$in1, 0, 0
++	vpermxor	$tweak, $tweak, $tmp, $in1
+ 
+ 	 lvx_u		$in1,$x10,$inp
+ 	vxor		$twk1,$tweak,$rndkey0
+ 	vsrab		$tmp,$tweak,$seven	# next tweak value
+ 	vaddubm		$tweak,$tweak,$tweak
+-	vsldoi		$tmp,$tmp,$tmp,15
+ 	 le?vperm	$in1,$in1,$in1,$leperm
+ 	vand		$tmp,$tmp,$eighty7
+ 	 vxor		$out1,$in1,$twk1
+-	vxor		$tweak,$tweak,$tmp
++	xxlor		32+$in2, 0, 0
++	vpermxor	$tweak, $tweak, $tmp, $in2
+ 
+ 	 lvx_u		$in2,$x20,$inp
+ 	 andi.		$taillen,$len,15
+ 	vxor		$twk2,$tweak,$rndkey0
+ 	vsrab		$tmp,$tweak,$seven	# next tweak value
+ 	vaddubm		$tweak,$tweak,$tweak
+-	vsldoi		$tmp,$tmp,$tmp,15
+ 	 le?vperm	$in2,$in2,$in2,$leperm
+ 	vand		$tmp,$tmp,$eighty7
+ 	 vxor		$out2,$in2,$twk2
+-	vxor		$tweak,$tweak,$tmp
++	xxlor		32+$in3, 0, 0
++	vpermxor	$tweak, $tweak, $tmp, $in3
+ 
+ 	 lvx_u		$in3,$x30,$inp
+ 	 sub		$len,$len,$taillen
+ 	vxor		$twk3,$tweak,$rndkey0
+ 	vsrab		$tmp,$tweak,$seven	# next tweak value
+ 	vaddubm		$tweak,$tweak,$tweak
+-	vsldoi		$tmp,$tmp,$tmp,15
+ 	 le?vperm	$in3,$in3,$in3,$leperm
+ 	vand		$tmp,$tmp,$eighty7
+ 	 vxor		$out3,$in3,$twk3
+-	vxor		$tweak,$tweak,$tmp
++	xxlor		32+$in4, 0, 0
++	vpermxor	$tweak, $tweak, $tmp, $in4
+ 
+ 	 lvx_u		$in4,$x40,$inp
+ 	 subi		$len,$len,0x60
+ 	vxor		$twk4,$tweak,$rndkey0
+ 	vsrab		$tmp,$tweak,$seven	# next tweak value
+ 	vaddubm		$tweak,$tweak,$tweak
+-	vsldoi		$tmp,$tmp,$tmp,15
+ 	 le?vperm	$in4,$in4,$in4,$leperm
+ 	vand		$tmp,$tmp,$eighty7
+ 	 vxor		$out4,$in4,$twk4
+-	vxor		$tweak,$tweak,$tmp
++	xxlor		32+$in5, 0, 0
++	vpermxor	$tweak, $tweak, $tmp, $in5
+ 
+ 	 lvx_u		$in5,$x50,$inp
+ 	 addi		$inp,$inp,0x60
+ 	vxor		$twk5,$tweak,$rndkey0
+ 	vsrab		$tmp,$tweak,$seven	# next tweak value
+ 	vaddubm		$tweak,$tweak,$tweak
+-	vsldoi		$tmp,$tmp,$tmp,15
+ 	 le?vperm	$in5,$in5,$in5,$leperm
+ 	vand		$tmp,$tmp,$eighty7
+ 	 vxor		$out5,$in5,$twk5
+-	vxor		$tweak,$tweak,$tmp
++	xxlor		32+$in0, 0, 0
++	vpermxor	$tweak, $tweak, $tmp, $in0
+ 
+ 	vxor		v31,v31,$rndkey0
+ 	mtctr		$rounds
+@@ -3242,6 +3281,8 @@ ()
+ 	lvx		v25,$x10,$key_		# round[4]
+ 	bdnz		Loop_xts_dec6x
+ 
++	xxlor		32+$eighty7, 1, 1
++
+ 	subic		$len,$len,96		# $len-=96
+ 	 vxor		$in0,$twk0,v31		# xor with last round key
+ 	vncipher	$out0,$out0,v24
+@@ -3251,7 +3292,6 @@ ()
+ 	 vaddubm	$tweak,$tweak,$tweak
+ 	vncipher	$out2,$out2,v24
+ 	vncipher	$out3,$out3,v24
+-	 vsldoi		$tmp,$tmp,$tmp,15
+ 	vncipher	$out4,$out4,v24
+ 	vncipher	$out5,$out5,v24
+ 
+@@ -3259,7 +3299,8 @@ ()
+ 	 vand		$tmp,$tmp,$eighty7
+ 	vncipher	$out0,$out0,v25
+ 	vncipher	$out1,$out1,v25
+-	 vxor		$tweak,$tweak,$tmp
++	 xxlor		32+$in1, 0, 0
++	 vpermxor	$tweak, $tweak, $tmp, $in1
+ 	vncipher	$out2,$out2,v25
+ 	vncipher	$out3,$out3,v25
+ 	 vxor		$in1,$twk1,v31
+@@ -3270,13 +3311,13 @@ ()
+ 
+ 	and		r0,r0,$len
+ 	 vaddubm	$tweak,$tweak,$tweak
+-	 vsldoi		$tmp,$tmp,$tmp,15
+ 	vncipher	$out0,$out0,v26
+ 	vncipher	$out1,$out1,v26
+ 	 vand		$tmp,$tmp,$eighty7
+ 	vncipher	$out2,$out2,v26
+ 	vncipher	$out3,$out3,v26
+-	 vxor		$tweak,$tweak,$tmp
++	 xxlor		32+$in2, 0, 0
++	 vpermxor	$tweak, $tweak, $tmp, $in2
+ 	vncipher	$out4,$out4,v26
+ 	vncipher	$out5,$out5,v26
+ 
+@@ -3290,7 +3331,6 @@ ()
+ 	 vaddubm	$tweak,$tweak,$tweak
+ 	vncipher	$out0,$out0,v27
+ 	vncipher	$out1,$out1,v27
+-	 vsldoi		$tmp,$tmp,$tmp,15
+ 	vncipher	$out2,$out2,v27
+ 	vncipher	$out3,$out3,v27
+ 	 vand		$tmp,$tmp,$eighty7
+@@ -3298,7 +3338,8 @@ ()
+ 	vncipher	$out5,$out5,v27
+ 
+ 	addi		$key_,$sp,$FRAME+15	# rewind $key_
+-	 vxor		$tweak,$tweak,$tmp
++	 xxlor		32+$in3, 0, 0
++	 vpermxor	$tweak, $tweak, $tmp, $in3
+ 	vncipher	$out0,$out0,v28
+ 	vncipher	$out1,$out1,v28
+ 	 vxor		$in3,$twk3,v31
+@@ -3307,7 +3348,6 @@ ()
+ 	vncipher	$out2,$out2,v28
+ 	vncipher	$out3,$out3,v28
+ 	 vaddubm	$tweak,$tweak,$tweak
+-	 vsldoi		$tmp,$tmp,$tmp,15
+ 	vncipher	$out4,$out4,v28
+ 	vncipher	$out5,$out5,v28
+ 	lvx		v24,$x00,$key_		# re-pre-load round[1]
+@@ -3315,7 +3355,8 @@ ()
+ 
+ 	vncipher	$out0,$out0,v29
+ 	vncipher	$out1,$out1,v29
+-	 vxor		$tweak,$tweak,$tmp
++	 xxlor		32+$in4, 0, 0
++	 vpermxor	$tweak, $tweak, $tmp, $in4
+ 	vncipher	$out2,$out2,v29
+ 	vncipher	$out3,$out3,v29
+ 	 vxor		$in4,$twk4,v31
+@@ -3325,14 +3366,14 @@ ()
+ 	vncipher	$out5,$out5,v29
+ 	lvx		v25,$x10,$key_		# re-pre-load round[2]
+ 	 vaddubm	$tweak,$tweak,$tweak
+-	 vsldoi		$tmp,$tmp,$tmp,15
+ 
+ 	vncipher	$out0,$out0,v30
+ 	vncipher	$out1,$out1,v30
+ 	 vand		$tmp,$tmp,$eighty7
+ 	vncipher	$out2,$out2,v30
+ 	vncipher	$out3,$out3,v30
+-	 vxor		$tweak,$tweak,$tmp
++	 xxlor		32+$in5, 0, 0
++	 vpermxor	$tweak, $tweak, $tmp, $in5
+ 	vncipher	$out4,$out4,v30
+ 	vncipher	$out5,$out5,v30
+ 	 vxor		$in5,$twk5,v31
+@@ -3342,7 +3383,6 @@ ()
+ 	vncipherlast	$out0,$out0,$in0
+ 	 lvx_u		$in0,$x00,$inp		# load next input block
+ 	 vaddubm	$tweak,$tweak,$tweak
+-	 vsldoi		$tmp,$tmp,$tmp,15
+ 	vncipherlast	$out1,$out1,$in1
+ 	 lvx_u		$in1,$x10,$inp
+ 	vncipherlast	$out2,$out2,$in2
+@@ -3355,7 +3395,10 @@ ()
+ 	vncipherlast	$out4,$out4,$in4
+ 	 le?vperm	$in2,$in2,$in2,$leperm
+ 	 lvx_u		$in4,$x40,$inp
+-	 vxor		$tweak,$tweak,$tmp
++	 xxlor		10, 32+$in0, 32+$in0
++	 xxlor		32+$in0, 0, 0
++	 vpermxor	$tweak, $tweak, $tmp, $in0
++	 xxlor		32+$in0, 10, 10
+ 	vncipherlast	$out5,$out5,$in5
+ 	 le?vperm	$in3,$in3,$in3,$leperm
+ 	 lvx_u		$in5,$x50,$inp
+@@ -3386,6 +3429,8 @@ ()
+ 	mtctr		$rounds
+ 	beq		Loop_xts_dec6x		# did $len-=96 borrow?
+ 
++	xxlor		32+$eighty7, 2, 2
++
+ 	addic.		$len,$len,0x60
+ 	beq		Lxts_dec6x_zero
+ 	cmpwi		$len,0x20

openssl-Remove-EC-curves.patch

@@ -0,0 +1,267 @@
+From 4a275f852b61238161c053774736dc07b3ade200 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 11:46:40 +0200
+Subject: [PATCH 11/48] 0011-Remove-EC-curves.patch
+
+Patch-name: 0011-Remove-EC-curves.patch
+Patch-id: 11
+Patch-status: |
+    # remove unsupported EC curves
+---
+ apps/speed.c                 |  8 +---
+ crypto/evp/ec_support.c      | 87 ------------------------------------
+ test/acvp_test.inc           |  9 ----
+ test/ecdsatest.h             | 17 -------
+ test/recipes/15-test_genec.t | 27 -----------
+ 5 files changed, 1 insertion(+), 147 deletions(-)
+
+Index: openssl-3.2.3/apps/speed.c
+===================================================================
+--- openssl-3.2.3.orig/apps/speed.c
++++ openssl-3.2.3/apps/speed.c
+@@ -401,7 +401,7 @@ static double ffdh_results[FFDH_NUM][1];
+ #endif /* OPENSSL_NO_DH */
+ 
+ enum ec_curves_t {
+-    R_EC_P160, R_EC_P192, R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521,
++    R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521,
+ #ifndef OPENSSL_NO_EC2M
+     R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571,
+     R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571,
+@@ -411,8 +411,6 @@ enum ec_curves_t {
+ };
+ /* list of ecdsa curves */
+ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = {
+-    {"ecdsap160", R_EC_P160},
+-    {"ecdsap192", R_EC_P192},
+     {"ecdsap224", R_EC_P224},
+     {"ecdsap256", R_EC_P256},
+     {"ecdsap384", R_EC_P384},
+@@ -445,8 +443,6 @@ enum {
+ };
+ /* list of ecdh curves, extension of |ecdsa_choices| list above */
+ static const OPT_PAIR ecdh_choices[EC_NUM] = {
+-    {"ecdhp160", R_EC_P160},
+-    {"ecdhp192", R_EC_P192},
+     {"ecdhp224", R_EC_P224},
+     {"ecdhp256", R_EC_P256},
+     {"ecdhp384", R_EC_P384},
+@@ -1781,8 +1777,6 @@ int speed_main(int argc, char **argv)
+      */
+     static const EC_CURVE ec_curves[EC_NUM] = {
+         /* Prime Curves */
+-        {"secp160r1", NID_secp160r1, 160},
+-        {"nistp192", NID_X9_62_prime192v1, 192},
+         {"nistp224", NID_secp224r1, 224},
+         {"nistp256", NID_X9_62_prime256v1, 256},
+         {"nistp384", NID_secp384r1, 384},
+Index: openssl-3.2.3/crypto/evp/ec_support.c
+===================================================================
+--- openssl-3.2.3.orig/crypto/evp/ec_support.c
++++ openssl-3.2.3/crypto/evp/ec_support.c
+@@ -20,89 +20,15 @@ typedef struct ec_name2nid_st {
+ static const EC_NAME2NID curve_list[] = {
+     /* prime field curves */
+     /* secg curves */
+-    {"secp112r1", NID_secp112r1 },
+-    {"secp112r2", NID_secp112r2 },
+-    {"secp128r1", NID_secp128r1 },
+-    {"secp128r2", NID_secp128r2 },
+-    {"secp160k1", NID_secp160k1 },
+-    {"secp160r1", NID_secp160r1 },
+-    {"secp160r2", NID_secp160r2 },
+-    {"secp192k1", NID_secp192k1 },
+-    {"secp224k1", NID_secp224k1 },
+     {"secp224r1", NID_secp224r1 },
+     {"secp256k1", NID_secp256k1 },
+     {"secp384r1", NID_secp384r1 },
+     {"secp521r1", NID_secp521r1 },
+     /* X9.62 curves */
+-    {"prime192v1", NID_X9_62_prime192v1 },
+-    {"prime192v2", NID_X9_62_prime192v2 },
+-    {"prime192v3", NID_X9_62_prime192v3 },
+-    {"prime239v1", NID_X9_62_prime239v1 },
+-    {"prime239v2", NID_X9_62_prime239v2 },
+-    {"prime239v3", NID_X9_62_prime239v3 },
+     {"prime256v1", NID_X9_62_prime256v1 },
+     /* characteristic two field curves */
+     /* NIST/SECG curves */
+-    {"sect113r1", NID_sect113r1 },
+-    {"sect113r2", NID_sect113r2 },
+-    {"sect131r1", NID_sect131r1 },
+-    {"sect131r2", NID_sect131r2 },
+-    {"sect163k1", NID_sect163k1 },
+-    {"sect163r1", NID_sect163r1 },
+-    {"sect163r2", NID_sect163r2 },
+-    {"sect193r1", NID_sect193r1 },
+-    {"sect193r2", NID_sect193r2 },
+-    {"sect233k1", NID_sect233k1 },
+-    {"sect233r1", NID_sect233r1 },
+-    {"sect239k1", NID_sect239k1 },
+-    {"sect283k1", NID_sect283k1 },
+-    {"sect283r1", NID_sect283r1 },
+-    {"sect409k1", NID_sect409k1 },
+-    {"sect409r1", NID_sect409r1 },
+-    {"sect571k1", NID_sect571k1 },
+-    {"sect571r1", NID_sect571r1 },
+-    /* X9.62 curves */
+-    {"c2pnb163v1", NID_X9_62_c2pnb163v1 },
+-    {"c2pnb163v2", NID_X9_62_c2pnb163v2 },
+-    {"c2pnb163v3", NID_X9_62_c2pnb163v3 },
+-    {"c2pnb176v1", NID_X9_62_c2pnb176v1 },
+-    {"c2tnb191v1", NID_X9_62_c2tnb191v1 },
+-    {"c2tnb191v2", NID_X9_62_c2tnb191v2 },
+-    {"c2tnb191v3", NID_X9_62_c2tnb191v3 },
+-    {"c2pnb208w1", NID_X9_62_c2pnb208w1 },
+-    {"c2tnb239v1", NID_X9_62_c2tnb239v1 },
+-    {"c2tnb239v2", NID_X9_62_c2tnb239v2 },
+-    {"c2tnb239v3", NID_X9_62_c2tnb239v3 },
+-    {"c2pnb272w1", NID_X9_62_c2pnb272w1 },
+-    {"c2pnb304w1", NID_X9_62_c2pnb304w1 },
+-    {"c2tnb359v1", NID_X9_62_c2tnb359v1 },
+-    {"c2pnb368w1", NID_X9_62_c2pnb368w1 },
+-    {"c2tnb431r1", NID_X9_62_c2tnb431r1 },
+-    /*
+-     * the WAP/WTLS curves [unlike SECG, spec has its own OIDs for curves
+-     * from X9.62]
+-     */
+-    {"wap-wsg-idm-ecid-wtls1", NID_wap_wsg_idm_ecid_wtls1 },
+-    {"wap-wsg-idm-ecid-wtls3", NID_wap_wsg_idm_ecid_wtls3 },
+-    {"wap-wsg-idm-ecid-wtls4", NID_wap_wsg_idm_ecid_wtls4 },
+-    {"wap-wsg-idm-ecid-wtls5", NID_wap_wsg_idm_ecid_wtls5 },
+-    {"wap-wsg-idm-ecid-wtls6", NID_wap_wsg_idm_ecid_wtls6 },
+-    {"wap-wsg-idm-ecid-wtls7", NID_wap_wsg_idm_ecid_wtls7 },
+-    {"wap-wsg-idm-ecid-wtls8", NID_wap_wsg_idm_ecid_wtls8 },
+-    {"wap-wsg-idm-ecid-wtls9", NID_wap_wsg_idm_ecid_wtls9 },
+-    {"wap-wsg-idm-ecid-wtls10", NID_wap_wsg_idm_ecid_wtls10 },
+-    {"wap-wsg-idm-ecid-wtls11", NID_wap_wsg_idm_ecid_wtls11 },
+-    {"wap-wsg-idm-ecid-wtls12", NID_wap_wsg_idm_ecid_wtls12 },
+-    /* IPSec curves */
+-    {"Oakley-EC2N-3", NID_ipsec3 },
+-    {"Oakley-EC2N-4", NID_ipsec4 },
+     /* brainpool curves */
+-    {"brainpoolP160r1", NID_brainpoolP160r1 },
+-    {"brainpoolP160t1", NID_brainpoolP160t1 },
+-    {"brainpoolP192r1", NID_brainpoolP192r1 },
+-    {"brainpoolP192t1", NID_brainpoolP192t1 },
+-    {"brainpoolP224r1", NID_brainpoolP224r1 },
+-    {"brainpoolP224t1", NID_brainpoolP224t1 },
+     {"brainpoolP256r1", NID_brainpoolP256r1 },
+     {"brainpoolP256t1", NID_brainpoolP256t1 },
+     {"brainpoolP320r1", NID_brainpoolP320r1 },
+@@ -150,17 +76,6 @@ int ossl_ec_curve_name2nid(const char *n
+ /* Functions to translate between common NIST curve names and NIDs */
+ 
+ static const EC_NAME2NID nist_curves[] = {
+-    {"B-163", NID_sect163r2},
+-    {"B-233", NID_sect233r1},
+-    {"B-283", NID_sect283r1},
+-    {"B-409", NID_sect409r1},
+-    {"B-571", NID_sect571r1},
+-    {"K-163", NID_sect163k1},
+-    {"K-233", NID_sect233k1},
+-    {"K-283", NID_sect283k1},
+-    {"K-409", NID_sect409k1},
+-    {"K-571", NID_sect571k1},
+-    {"P-192", NID_X9_62_prime192v1},
+     {"P-224", NID_secp224r1},
+     {"P-256", NID_X9_62_prime256v1},
+     {"P-384", NID_secp384r1},
+Index: openssl-3.2.3/test/acvp_test.inc
+===================================================================
+--- openssl-3.2.3.orig/test/acvp_test.inc
++++ openssl-3.2.3/test/acvp_test.inc
+@@ -212,15 +212,6 @@ static const unsigned char ecdsa_sigver_
+ };
+ static const struct ecdsa_sigver_st ecdsa_sigver_data[] = {
+     {
+-        "SHA-1",
+-        "P-192",
+-        ITM(ecdsa_sigver_msg0),
+-        ITM(ecdsa_sigver_pub0),
+-        ITM(ecdsa_sigver_r0),
+-        ITM(ecdsa_sigver_s0),
+-        PASS,
+-    },
+-    {
+         "SHA2-512",
+         "P-521",
+         ITM(ecdsa_sigver_msg1),
+Index: openssl-3.2.3/test/ecdsatest.h
+===================================================================
+--- openssl-3.2.3.orig/test/ecdsatest.h
++++ openssl-3.2.3/test/ecdsatest.h
+@@ -32,23 +32,6 @@ typedef struct {
+ } ecdsa_cavs_kat_t;
+ 
+ static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = {
+-    /* prime KATs from X9.62 */
+-    {NID_X9_62_prime192v1, NID_sha1,
+-     "616263",                  /* "abc" */
+-     "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb",
+-     "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e"
+-     "5ca5c0d69716dfcb3474373902",
+-     "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e",
+-     "885052380ff147b734c330c43d39b2c4a89f29b0f749fead",
+-     "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"},
+-    {NID_X9_62_prime239v1, NID_sha1,
+-     "616263",                  /* "abc" */
+-     "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d",
+-     "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e"
+-     "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee",
+-     "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af",
+-     "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0",
+-     "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"},
+     /* prime KATs from NIST CAVP */
+     {NID_secp224r1, NID_sha224,
+      "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
+Index: openssl-3.2.3/test/recipes/15-test_genec.t
+===================================================================
+--- openssl-3.2.3.orig/test/recipes/15-test_genec.t
++++ openssl-3.2.3/test/recipes/15-test_genec.t
+@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupport
+     if disabled("ec");
+ 
+ my @prime_curves = qw(
+-    secp112r1
+-    secp112r2
+-    secp128r1
+-    secp128r2
+-    secp160k1
+-    secp160r1
+-    secp160r2
+-    secp192k1
+-    secp224k1
+     secp224r1
+     secp256k1
+     secp384r1
+     secp521r1
+-    prime192v1
+-    prime192v2
+-    prime192v3
+-    prime239v1
+-    prime239v2
+-    prime239v3
+     prime256v1
+-    wap-wsg-idm-ecid-wtls6
+-    wap-wsg-idm-ecid-wtls7
+-    wap-wsg-idm-ecid-wtls8
+-    wap-wsg-idm-ecid-wtls9
+-    wap-wsg-idm-ecid-wtls12
+-    brainpoolP160r1
+-    brainpoolP160t1
+-    brainpoolP192r1
+-    brainpoolP192t1
+-    brainpoolP224r1
+-    brainpoolP224t1
+     brainpoolP256r1
+     brainpoolP256t1
+     brainpoolP320r1
+@@ -136,7 +110,6 @@ push(@other_curves, 'SM2')
+     if !disabled("sm2");
+ 
+ my @curve_aliases = qw(
+-    P-192
+     P-224
+     P-256
+     P-384