Accepting request 1297961 from security:tls

OBS-URL: https://build.opensuse.org/request/show/1297961 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=45
Accepting request 1296523 from security:tls
2025-08-09 17:57:12 +00:00 · 2025-07-31 15:45:52 +00:00 · 2025-07-30 09:28:14 +00:00 · 2025-07-29 08:21:34 +00:00 · 2025-07-09 15:25:32 +00:00 · 2025-07-08 06:49:27 +00:00
78 changed files with 0 additions and 17265 deletions
--- a/openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
+++ b/openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
@@ -1,570 +0,0 @@
 From 5f4f350ce797a7cd2fdca84c474ee196da9d6fae Mon Sep 17 00:00:00 2001
 From: Clemens Lang <cllang@redhat.com>
 Date: Wed, 18 May 2022 17:25:59 +0200
 Subject: [PATCH] Deny SHA-1 signature verification in FIPS provider
 For RHEL, we already disable SHA-1 signatures by default in the default
 provider, so it is unexpected that the FIPS provider would have a more
 lenient configuration in this regard. Additionally, we do not think
 continuing to accept SHA-1 signatures is a good idea due to the
 published chosen-prefix collision attacks.
 As a consequence, disable verification of SHA-1 signatures in the FIPS
 provider.
 This requires adjusting a few tests that would otherwise fail:
 - 30-test_acvp: Remove the test vectors that use SHA-1.
 - 30-test_evp: Mark tests in evppkey_rsa_common.txt and
  evppkey_ecdsa.txt that use SHA-1 digests as "Availablein = default",
  which will not run them when the FIPS provider is enabled.
 - 80-test_cms: Re-create all certificates in test/smime-certificates
  with SHA256 signatures while keeping the same private keys. These
  certificates were signed with SHA-1 and thus fail verification in the
  FIPS provider.
  Fix some other tests by explicitly running them in the default
  provider, where SHA-1 is available.
 - 80-test_ssl_old: Skip tests that rely on SSLv3 and SHA-1 when run with
  the FIPS provider.
 Signed-off-by: Clemens Lang <cllang@redhat.com>
 ---
 providers/implementations/signature/dsa_sig.c |  4 --
 .../implementations/signature/ecdsa_sig.c     |  4 --
 providers/implementations/signature/rsa_sig.c |  8 +--
 test/acvp_test.inc                            | 20 -------
 .../30-test_evp_data/evppkey_ecdsa.txt        |  7 +++
 .../30-test_evp_data/evppkey_rsa_common.txt   | 51 +++++++++++++++-
 test/recipes/80-test_cms.t                    |  4 +-
 test/recipes/80-test_ssl_old.t                |  4 ++
 test/smime-certs/smdh.pem                     | 18 +++---
 test/smime-certs/smdsa1.pem                   | 60 +++++++++----------
 test/smime-certs/smdsa2.pem                   | 60 +++++++++----------
 test/smime-certs/smdsa3.pem                   | 60 +++++++++----------
 test/smime-certs/smec1.pem                    | 30 +++++-----
 test/smime-certs/smec2.pem                    | 30 +++++-----
 test/smime-certs/smec3.pem                    | 30 +++++-----
 test/smime-certs/smroot.pem                   | 38 ++++++------
 test/smime-certs/smrsa1.pem                   | 38 ++++++------
 test/smime-certs/smrsa2.pem                   | 38 ++++++------
 test/smime-certs/smrsa3.pem                   | 38 ++++++------
 19 files changed, 286 insertions(+), 256 deletions(-)
 Index: openssl-3.2.3/providers/implementations/signature/dsa_sig.c
 ===================================================================
 --- openssl-3.2.3.orig/providers/implementations/signature/dsa_sig.c
 +++ openssl-3.2.3/providers/implementations/signature/dsa_sig.c
@@ -129,11 +129,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ct
         EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
         int md_nid;
         size_t mdname_len = strlen(mdname);
 -#ifdef FIPS_MODULE
 -        int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
 -#else
         int sha1_allowed = 0;
 -#endif
         md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
                                                             sha1_allowed);
 Index: openssl-3.2.3/providers/implementations/signature/ecdsa_sig.c
 ===================================================================
 --- openssl-3.2.3.orig/providers/implementations/signature/ecdsa_sig.c
 +++ openssl-3.2.3/providers/implementations/signature/ecdsa_sig.c
@@ -247,11 +247,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX
                        "%s could not be fetched", mdname);
         return 0;
     }
 -#ifdef FIPS_MODULE
 -    sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
 -#else
     sha1_allowed = 0;
 -#endif
     md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
                                                     sha1_allowed);
     if (md_nid < 0) {
 Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c
 ===================================================================
 --- openssl-3.2.3.orig/providers/implementations/signature/rsa_sig.c
 +++ openssl-3.2.3/providers/implementations/signature/rsa_sig.c
@@ -321,11 +321,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ct
         EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
         int md_nid;
         size_t mdname_len = strlen(mdname);
 -#ifdef FIPS_MODULE
 -        int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
 -#else
         int sha1_allowed = 0;
 -#endif
         md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
                                                      sha1_allowed);
@@ -1416,8 +1412,10 @@ static int rsa_set_ctx_params(void *vprs
     if (prsactx->md == NULL && pmdname == NULL
         && pad_mode == RSA_PKCS1_PSS_PADDING) {
 +#ifdef FIPS_MODULE
 +        pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
 +#else
         pmdname = RSA_DEFAULT_DIGEST_NAME;
 -#ifndef FIPS_MODULE
         if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
             pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
         }
 Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
 ===================================================================
 --- openssl-3.2.3.orig/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
 +++ openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
@@ -37,12 +37,14 @@ PrivPubKeyPair = P-256:P-256-PUBLIC
 Title = ECDSA tests
 +Availablein = default
 Verify = P-256
 Ctrl = digest:SHA1
 Input = "0123456789ABCDEF1234"
 Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
 # Digest too long
 +Availablein = default
 Verify = P-256
 Ctrl = digest:SHA1
 Input = "0123456789ABCDEF12345"
@@ -50,6 +52,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a
 Result = VERIFY_ERROR
 # Digest too short
 +Availablein = default
 Verify = P-256
 Ctrl = digest:SHA1
 Input = "0123456789ABCDEF123"
@@ -57,6 +60,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a
 Result = VERIFY_ERROR
 # Digest invalid
 +Availablein = default
 Verify = P-256
 Ctrl = digest:SHA1
 Input = "0123456789ABCDEF1235"
@@ -64,6 +68,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a
 Result = VERIFY_ERROR
 # Invalid signature
 +Availablein = default
 Verify = P-256
 Ctrl = digest:SHA1
 Input = "0123456789ABCDEF1234"
@@ -79,12 +84,14 @@ Output = 3045022100b1d1cb1a577035bccdd5a
 Result = VERIFY_ERROR
 # BER signature
 +Availablein = default
 Verify = P-256
 Ctrl = digest:SHA1
 Input = "0123456789ABCDEF1234"
 Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000
 Result = VERIFY_ERROR
 +Availablein = default
 Verify = P-256-PUBLIC
 Ctrl = digest:SHA1
 Input = "0123456789ABCDEF1234"
 Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
 ===================================================================
 --- openssl-3.2.3.orig/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
 +++ openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
@@ -96,6 +96,7 @@ NDL6WCBbets=
 Title = RSA tests
 +Availablein = default
 Verify = RSA-2048
 Ctrl = digest:SHA1
 Input = "0123456789ABCDEF1234"
@@ -112,24 +113,28 @@ Ctrl = digest:SHA512-224
 Input = "0123456789ABCDEF123456789ABC"
 Output = 5f720e9488139bb21e1c2f027fd5ce5993e6d31c5a8faaee833487b3a944d66891178868ace8070cad3ee2ffbe54aa4885a15fd1a7cc5166970fe1fd8c0423e72bd3e3b56fc4a53ed80aaaeca42497f0ec3c62113edc05cd006608f5eef7ce3ad4cba1069f68731dd28a524a1f93fcdc5547112d48d45586dd943ba0d443be9635720d8a61697c54c96627f0d85c5fbeaa3b4af86a65cf2fc3800dd5de34c046985f25d0efc0bb6edccc1d08b3a4fb9c8faffe181c7e68b31e374ad1440a4a664eec9ca0dc53a9d2f5bc7d9940d866f64201bcbc63612754df45727ea24b531d7de83d1bb707444859fa35521320c33bf6f4dbeb6fb56e653adbf7af15843f17
 +Availablein = default
 VerifyRecover = RSA-2048
 Ctrl = digest:SHA1
 Input = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
 Output = "0123456789ABCDEF1234"
 # Leading zero in the signature
 +Availablein = default
 Verify = RSA-2048
 Ctrl = digest:SHA1
 Input = "0123456789ABCDEF1234"
 Output = 00c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
 Result = VERIFY_ERROR
 +Availablein = default
 VerifyRecover = RSA-2048
 Ctrl = digest:SHA1
 Input = 00c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
 Result = KEYOP_ERROR
 # Mismatched digest
 +Availablein = default
 Verify = RSA-2048
 Ctrl = digest:SHA1
 Input = "0123456789ABCDEF1233"
@@ -137,6 +142,7 @@ Output = c09d402423cbf233d26cae21f954547
 Result = VERIFY_ERROR
 # Corrupted signature
 +Availablein = default
 Verify = RSA-2048
 Ctrl = digest:SHA1
 Input = "0123456789ABCDEF1233"
@@ -144,6 +150,7 @@ Output = c09d402423cbf233d26cae21f954547
 Result = VERIFY_ERROR
 # parameter is not NULLt
 +Availablein = default
 Verify = RSA-2048
 Ctrl = digest:sha1
 Input = "0123456789ABCDEF1234"
@@ -151,42 +158,49 @@ Output = 3ec3fc29eb6e122bd7aa361cd09fe1b
 Result = VERIFY_ERROR
 # embedded digest too long
 +Availablein = default
 Verify = RSA-2048
 Ctrl = digest:sha1
 Input = "0123456789ABCDEF1234"
 Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
 Result = VERIFY_ERROR
 +Availablein = default
 VerifyRecover = RSA-2048
 Ctrl = digest:sha1
 Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
 Result = KEYOP_ERROR
 # embedded digest too short
 +Availablein = default
 Verify = RSA-2048
 Ctrl = digest:sha1
 Input = "0123456789ABCDEF1234"
 Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
 Result = VERIFY_ERROR
 +Availablein = default
 VerifyRecover = RSA-2048
 Ctrl = digest:sha1
 Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
 Result = KEYOP_ERROR
 # Garbage after DigestInfo
 +Availablein = default
 Verify = RSA-2048
 Ctrl = digest:sha1
 Input = "0123456789ABCDEF1234"
 Output = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274
 Result = VERIFY_ERROR
 +Availablein = default
 VerifyRecover = RSA-2048
 Ctrl = digest:sha1
 Input = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274
 Result = KEYOP_ERROR
 # invalid tag for parameter
 +Availablein = default
 Verify = RSA-2048
 Ctrl = digest:sha1
 Input = "0123456789ABCDEF1234"
@@ -195,6 +209,7 @@ Result = VERIFY_ERROR
 # Verify using public key
 +Availablein = default
 Verify = RSA-2048-PUBLIC
 Ctrl = digest:SHA1
 Input = "0123456789ABCDEF1234"
@@ -858,6 +873,8 @@ Input="0123456789ABCDEF0123456789ABCDEF"
 Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DDD0635A96B28F854E50145518482CB49E963054621B53C60C498D07C16E9C2789C893CF38D4D86900DE71BDE463BD2761D1271E358C7480A1AC0BAB930DDF39602AD1BC165B5D7436B516B7A7858E8EB7AB1C420EEB482F4D207F0E462B1724959320A084E13848D11D10FB593E66BF680BF6D3F345FC3E9C3DE60ABBAC37E1C6EC80A268C8D9FC49626C679097AA690BC1AA662B95EB8DB70390861AA0898229F9349B4B5FDD030D4928C47084708A933144BE23BD3C6E661B85B2C0EF9ED36D498D5B7320E8194D363D4AD478C059BAE804181965E0B81B663158A
 # Verify using salt length auto detect
 +# In the FIPS provider on SUSE/openSUSE, the default digest for PSS signatures is SHA-256
 +Availablein = default
 Verify = RSA-2048-PUBLIC
 Ctrl = rsa_padding_mode:pss
 Ctrl = rsa_pss_saltlen:auto
@@ -892,6 +909,10 @@ Output=4DE433D5844043EF08D354DA03CB29068
 Result = VERIFY_ERROR
 # Verify using default parameters, explicitly setting parameters
 +# NOTE: RSA-PSS-DEFAULT contains a restriction to use SHA1 as digest, which
 +# SUSE/openSUSE do not support in FIPS mode; all these tests are thus marked
 +# Availablein = default.
 +Availablein = default
 Verify = RSA-PSS-DEFAULT
 Ctrl = rsa_padding_mode:pss
 Ctrl = rsa_pss_saltlen:20
@@ -900,6 +921,7 @@ Input="0123456789ABCDEF0123"
 Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
 # Verify explicitly setting parameters "digest" salt length
 +Availablein = default
 Verify = RSA-PSS-DEFAULT
 Ctrl = rsa_padding_mode:pss
 Ctrl = rsa_pss_saltlen:digest
@@ -908,18 +930,21 @@ Input="0123456789ABCDEF0123"
 Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
 # Verify using salt length larger than minimum
 +Availablein = default
 Verify = RSA-PSS-DEFAULT
 Ctrl = rsa_pss_saltlen:30
 Input="0123456789ABCDEF0123"
 Output = 6BF7EDC63A0BA184EEEC7F3020FEC8F5EBF38C2B76481881F48BCCE5796E7AB294548BA9AE810457C7723CABD1BDE94CF59CF7C0FC7461B22760C8ED703DD98E97BFDD61FA8D1181C411F6DEE5FF159F4850746D78EDEE385A363DC28E2CB373D5CAD7953F3BD5E639BE345732C03A1BDEA268814DA036EB1891C82D4012F3B903D86636055F87B96FC98806AD1B217685A4D754046A5DE0B0D7870664BE07902153EC85BA457BE7D7F89D7FE0F626D02A9CBBB2BB479DDA1A5CAE75247FB7BF6BFB15C1D3FD9E6B1573CCDBC72011C3B97716058BB11C7EA2E4E56ADAFE1F5DE6A7FD405AC5890100F9C3408EFFB5C73BF73F48177FF743B4B819D0699D507B
 # Verify using maximum salt length
 +Availablein = default
 Verify = RSA-PSS-DEFAULT
 Ctrl = rsa_pss_saltlen:max
 Input="0123456789ABCDEF0123"
 Output = 4470DCFE812DEE2E58E4301D4ED274AB348FE040B724B2CD1D8CD0914BFF375F0B86FCB32BFA8AEA9BD22BD7C4F1ADD4F3D215A5CFCC99055BAFECFC23800E9BECE19A08C66BEBC5802122D13A732E5958FC228DCC0B49B5B4B1154F032D8FA2F3564AA949C1310CC9266B0C47F86D449AC9D2E7678347E7266E2D7C888CCE1ADF44A109A293F8516AE2BD94CE220F26E137DB8E7A66BB9FCE052CDC1D0BE24D8CEBB20D10125F26B069F117044B9E1D16FDDAABCA5340AE1702F37D0E1C08A2E93801C0A41035C6C73DA02A0E32227EAFB0B85E79107B59650D0EE7DC32A6772CCCE90F06369B2880FE87ED76997BA61F5EA818091EE88F8B0D6F24D02A3FC6
 # Attempt to change salt length below minimum
 +Availablein = default
 Verify = RSA-PSS-DEFAULT
 Ctrl = rsa_pss_saltlen:0
 Result = PKEY_CTRL_ERROR
@@ -927,21 +952,25 @@ Result = PKEY_CTRL_ERROR
 # Attempt to change padding mode
 # Note this used to return PKEY_CTRL_INVALID
 # but it is limited because setparams only returns 0 or 1.
 +Availablein = default
 Verify = RSA-PSS-DEFAULT
 Ctrl = rsa_padding_mode:pkcs1
 Result = PKEY_CTRL_ERROR
 # Attempt to change digest
 +Availablein = default
 Verify = RSA-PSS-DEFAULT
 Ctrl = digest:sha256
 Result = PKEY_CTRL_ERROR
 # Invalid key: rejected when we try to init
 +Availablein = default
 Verify = RSA-PSS-BAD
 Result = KEYOP_INIT_ERROR
 Reason = invalid salt length
 # Invalid key: rejected when we try to init
 +Availablein = default
 Verify = RSA-PSS-BAD2
 Result = KEYOP_INIT_ERROR
 Reason = invalid salt length
@@ -960,36 +989,42 @@ CAltWyuLbfXWce9jd8CSHLI8Jwpw4lmOb/idGfEF
 4fINDOjP+yJJvZohNwIDAQAB
 -----END PUBLIC KEY-----
 +Availablein = default
 Verify=RSA-PSS-1
 Ctrl = rsa_padding_mode:pss
 Ctrl = rsa_mgf1_md:sha1
 Input=cd8b6538cb8e8de566b68bd067569dbf1ee2718e
 Output=9074308fb598e9701b2294388e52f971faac2b60a5145af185df5287b5ed2887e57ce7fd44dc8634e407c8e0e4360bc226f3ec227f9d9e54638e8d31f5051215df6ebb9c2f9579aa77598a38f914b5b9c1bd83c4e2f9f382a0d0aa3542ffee65984a601bc69eb28deb27dca12c82c2d4c3f66cd500f1ff2b994d8a4e30cbb33c
 +Availablein = default
 Verify=RSA-PSS-1
 Ctrl = rsa_padding_mode:pss
 Ctrl = rsa_mgf1_md:sha1
 Input=e35befc17a1d160b9ce35fbd8eb16e7ee491d3fd
 Output=3ef7f46e831bf92b32274142a585ffcefbdca7b32ae90d10fb0f0c729984f04ef29a9df0780775ce43739b97838390db0a5505e63de927028d9d29b219ca2c4517832558a55d694a6d25b9dab66003c4cccd907802193be5170d26147d37b93590241be51c25055f47ef62752cfbe21418fafe98c22c4d4d47724fdb5669e843
 +Availablein = default
 Verify=RSA-PSS-1
 Ctrl = rsa_padding_mode:pss
 Ctrl = rsa_mgf1_md:sha1
 Input=0652ec67bcee30f9d2699122b91c19abdba89f91
 Output=666026fba71bd3e7cf13157cc2c51a8e4aa684af9778f91849f34335d141c00154c4197621f9624a675b5abc22ee7d5baaffaae1c9baca2cc373b3f33e78e6143c395a91aa7faca664eb733afd14d8827259d99a7550faca501ef2b04e33c23aa51f4b9e8282efdb728cc0ab09405a91607c6369961bc8270d2d4f39fce612b1
 +Availablein = default
 Verify=RSA-PSS-1
 Ctrl = rsa_padding_mode:pss
 Ctrl = rsa_mgf1_md:sha1
 Input=39c21c4cceda9c1adf839c744e1212a6437575ec
 Output=4609793b23e9d09362dc21bb47da0b4f3a7622649a47d464019b9aeafe53359c178c91cd58ba6bcb78be0346a7bc637f4b873d4bab38ee661f199634c547a1ad8442e03da015b136e543f7ab07c0c13e4225b8de8cce25d4f6eb8400f81f7e1833b7ee6e334d370964ca79fdb872b4d75223b5eeb08101591fb532d155a6de87
 +Availablein = default
 Verify=RSA-PSS-1
 Ctrl = rsa_padding_mode:pss
 Ctrl = rsa_mgf1_md:sha1
 Input=36dae913b77bd17cae6e7b09453d24544cebb33c
 Output=1d2aad221ca4d31ddf13509239019398e3d14b32dc34dc5af4aeaea3c095af73479cf0a45e5629635a53a018377615b16cb9b13b3e09d671eb71e387b8545c5960da5a64776e768e82b2c93583bf104c3fdb23512b7b4e89f633dd0063a530db4524b01c3f384c09310e315a79dcd3d684022a7f31c865a664e316978b759fad
 +Availablein = default
 Verify=RSA-PSS-1
 Ctrl = rsa_padding_mode:pss
 Ctrl = rsa_mgf1_md:sha1
@@ -1005,36 +1040,42 @@ swU7R97S7NSkyu/WFIM9yLtiLzF+0Ha4BX/o3j+E
 0w5GMTmBXG/U/VrFuBcqRSMOy2MYoE8UVdhOWosCAwEAAQ==
 -----END PUBLIC KEY-----
 +Availablein = default
 Verify=RSA-PSS-9
 Ctrl = rsa_padding_mode:pss
 Ctrl = rsa_mgf1_md:sha1
 Input=2715a49b8b0012cd7aee84c116446e6dfe3faec0
 Output=586107226c3ce013a7c8f04d1a6a2959bb4b8e205ba43a27b50f124111bc35ef589b039f5932187cb696d7d9a32c0c38300a5cdda4834b62d2eb240af33f79d13dfbf095bf599e0d9686948c1964747b67e89c9aba5cd85016236f566cc5802cb13ead51bc7ca6bef3b94dcbdbb1d570469771df0e00b1a8a06777472d2316279edae86474668d4e1efff95f1de61c6020da32ae92bbf16520fef3cf4d88f61121f24bbd9fe91b59caf1235b2a93ff81fc403addf4ebdea84934a9cdaf8e1a9e
 +Availablein = default
 Verify=RSA-PSS-9
 Ctrl = rsa_padding_mode:pss
 Ctrl = rsa_mgf1_md:sha1
 Input=2dac956d53964748ac364d06595827c6b4f143cd
 Output=80b6d643255209f0a456763897ac9ed259d459b49c2887e5882ecb4434cfd66dd7e1699375381e51cd7f554f2c271704b399d42b4be2540a0eca61951f55267f7c2878c122842dadb28b01bd5f8c025f7e228418a673c03d6bc0c736d0a29546bd67f786d9d692ccea778d71d98c2063b7a71092187a4d35af108111d83e83eae46c46aa34277e06044589903788f1d5e7cee25fb485e92949118814d6f2c3ee361489016f327fb5bc517eb50470bffa1afa5f4ce9aa0ce5b8ee19bf5501b958
 +Availablein = default
 Verify=RSA-PSS-9
 Ctrl = rsa_padding_mode:pss
 Ctrl = rsa_mgf1_md:sha1
 Input=28d98c46cccafbd3bc04e72f967a54bd3ea12298
 Output=484408f3898cd5f53483f80819efbf2708c34d27a8b2a6fae8b322f9240237f981817aca1846f1084daa6d7c0795f6e5bf1af59c38e1858437ce1f7ec419b98c8736adf6dd9a00b1806d2bd3ad0a73775e05f52dfef3a59ab4b08143f0df05cd1ad9d04bececa6daa4a2129803e200cbc77787caf4c1d0663a6c5987b605952019782caf2ec1426d68fb94ed1d4be816a7ed081b77e6ab330b3ffc073820fecde3727fcbe295ee61a050a343658637c3fd659cfb63736de32d9f90d3c2f63eca
 +Availablein = default
 Verify=RSA-PSS-9
 Ctrl = rsa_padding_mode:pss
 Ctrl = rsa_mgf1_md:sha1
 Input=0866d2ff5a79f25ef668cd6f31b42dee421e4c0e
 Output=84ebeb481be59845b46468bafb471c0112e02b235d84b5d911cbd1926ee5074ae0424495cb20e82308b8ebb65f419a03fb40e72b78981d88aad143053685172c97b29c8b7bf0ae73b5b2263c403da0ed2f80ff7450af7828eb8b86f0028bd2a8b176a4d228cccea18394f238b09ff758cc00bc04301152355742f282b54e663a919e709d8da24ade5500a7b9aa50226e0ca52923e6c2d860ec50ff480fa57477e82b0565f4379f79c772d5c2da80af9fbf325ece6fc20b00961614bee89a183e
 +Availablein = default
 Verify=RSA-PSS-9
 Ctrl = rsa_padding_mode:pss
 Ctrl = rsa_mgf1_md:sha1
 Input=6a5b4be4cd36cc97dfde9995efbf8f097a4a991a
 Output=82102df8cb91e7179919a04d26d335d64fbc2f872c44833943241de8454810274cdf3db5f42d423db152af7135f701420e39b494a67cbfd19f9119da233a23da5c6439b5ba0d2bc373eee3507001378d4a4073856b7fe2aba0b5ee93b27f4afec7d4d120921c83f606765b02c19e4d6a1a3b95fa4c422951be4f52131077ef17179729cddfbdb56950dbaceefe78cb16640a099ea56d24389eef10f8fecb31ba3ea3b227c0a86698bb89e3e9363905bf22777b2a3aa521b65b4cef76d83bde4c
 +Availablein = default
 Verify=RSA-PSS-9
 Ctrl = rsa_padding_mode:pss
 Ctrl = rsa_mgf1_md:sha1
@@ -1052,36 +1093,42 @@ F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5
 BQIDAQAB
 -----END PUBLIC KEY-----
 +Availablein = default
 Verify=RSA-PSS-10
 Ctrl = rsa_padding_mode:pss
 Ctrl = rsa_mgf1_md:sha1
 Input=9596bb630cf6a8d4ea4600422b9eba8b13675dd4
 Output=82c2b160093b8aa3c0f7522b19f87354066c77847abf2a9fce542d0e84e920c5afb49ffdfdace16560ee94a1369601148ebad7a0e151cf16331791a5727d05f21e74e7eb811440206935d744765a15e79f015cb66c532c87a6a05961c8bfad741a9a6657022894393e7223739796c02a77455d0f555b0ec01ddf259b6207fd0fd57614cef1a5573baaff4ec00069951659b85f24300a25160ca8522dc6e6727e57d019d7e63629b8fe5e89e25cc15beb3a647577559299280b9b28f79b0409000be25bbd96408ba3b43cc486184dd1c8e62553fa1af4040f60663de7f5e49c04388e257f1ce89c95dab48a315d9b66b1b7628233876ff2385230d070d07e1666
 +Availablein = default
 Verify=RSA-PSS-10
 Ctrl = rsa_padding_mode:pss
 Ctrl = rsa_mgf1_md:sha1
 Input=b503319399277fd6c1c8f1033cbf04199ea21716
 Output=14ae35d9dd06ba92f7f3b897978aed7cd4bf5ff0b585a40bd46ce1b42cd2703053bb9044d64e813d8f96db2dd7007d10118f6f8f8496097ad75e1ff692341b2892ad55a633a1c55e7f0a0ad59a0e203a5b8278aec54dd8622e2831d87174f8caff43ee6c46445345d84a59659bfb92ecd4c818668695f34706f66828a89959637f2bf3e3251c24bdba4d4b7649da0022218b119c84e79a6527ec5b8a5f861c159952e23ec05e1e717346faefe8b1686825bd2b262fb2531066c0de09acde2e4231690728b5d85e115a2f6b92b79c25abc9bd9399ff8bcf825a52ea1f56ea76dd26f43baafa18bfa92a504cbd35699e26d1dcc5a2887385f3c63232f06f3244c3
 +Availablein = default
 Verify=RSA-PSS-10
 Ctrl = rsa_padding_mode:pss
 Ctrl = rsa_mgf1_md:sha1
 Input=50aaede8536b2c307208b275a67ae2df196c7628
 Output=6e3e4d7b6b15d2fb46013b8900aa5bbb3939cf2c095717987042026ee62c74c54cffd5d7d57efbbf950a0f5c574fa09d3fc1c9f513b05b4ff50dd8df7edfa20102854c35e592180119a70ce5b085182aa02d9ea2aa90d1df03f2daae885ba2f5d05afdac97476f06b93b5bc94a1a80aa9116c4d615f333b098892b25fface266f5db5a5a3bcc10a824ed55aad35b727834fb8c07da28fcf416a5d9b2224f1f8b442b36f91e456fdea2d7cfe3367268de0307a4c74e924159ed33393d5e0655531c77327b89821bdedf880161c78cd4196b5419f7acc3f13e5ebf161b6e7c6724716ca33b85c2e25640192ac2859651d50bde7eb976e51cec828b98b6563b86bb
 +Availablein = default
 Verify=RSA-PSS-10
 Ctrl = rsa_padding_mode:pss
 Ctrl = rsa_mgf1_md:sha1
 Input=aa0b72b8b371ddd10c8ae474425ccccf8842a294
 Output=34047ff96c4dc0dc90b2d4ff59a1a361a4754b255d2ee0af7d8bf87c9bc9e7ddeede33934c63ca1c0e3d262cb145ef932a1f2c0a997aa6a34f8eaee7477d82ccf09095a6b8acad38d4eec9fb7eab7ad02da1d11d8e54c1825e55bf58c2a23234b902be124f9e9038a8f68fa45dab72f66e0945bf1d8bacc9044c6f07098c9fcec58a3aab100c805178155f030a124c450e5acbda47d0e4f10b80a23f803e774d023b0015c20b9f9bbe7c91296338d5ecb471cafb032007b67a60be5f69504a9f01abb3cb467b260e2bce860be8d95bf92c0c8e1496ed1e528593a4abb6df462dde8a0968dffe4683116857a232f5ebf6c85be238745ad0f38f767a5fdbf486fb
 +Availablein = default
 Verify=RSA-PSS-10
 Ctrl = rsa_padding_mode:pss
 Ctrl = rsa_mgf1_md:sha1
 Input=fad3902c9750622a2bc672622c48270cc57d3ea8
 Output=7e0935ea18f4d6c1d17ce82eb2b3836c55b384589ce19dfe743363ac9948d1f346b7bfddfe92efd78adb21faefc89ade42b10f374003fe122e67429a1cb8cbd1f8d9014564c44d120116f4990f1a6e38774c194bd1b8213286b077b0499d2e7b3f434ab12289c556684deed78131934bb3dd6537236f7c6f3dcb09d476be07721e37e1ceed9b2f7b406887bd53157305e1c8b4f84d733bc1e186fe06cc59b6edb8f4bd7ffefdf4f7ba9cfb9d570689b5a1a4109a746a690893db3799255a0cb9215d2d1cd490590e952e8c8786aa0011265252470c041dfbc3eec7c3cbf71c24869d115c0cb4a956f56d530b80ab589acfefc690751ddf36e8d383f83cedd2cc
 +Availablein = default
 Verify=RSA-PSS-10
 Ctrl = rsa_padding_mode:pss
 Ctrl = rsa_mgf1_md:sha1
@@ -1817,11 +1864,13 @@ Title = RSA FIPS tests
 # FIPS tests
 -# Verifying with SHA1 is permitted in fips mode for older applications
 +# Verifying with SHA1 is not permitted on SUSE/openSUSE in FIPS mode
 +Availablein = fips
 DigestVerify = SHA1
 Key = RSA-2048
 Input = "Hello "
 Output = 87ea0e2226ef35e5a2aec9ca1222fcbe39ba723f05b3203564f671dd3601271806ead3240e61d424359ee3b17bd3e32f54b82df83998a8ac4148410710361de0400f9ddf98278618fbc87747a0531972543e6e5f18ab2fdfbfda02952f6ac69690e43864690af271bf43d4be9705b303d4ff994ab3abd4d5851562b73e59be3edc01cec41a4cc13b68206329bad1a46c6608d3609e951faa321d0fdbc765d54e9a7c59248d2f67913c9903e932b769c9c8a45520cabea06e8c0b231dd3bcc7f7ec55b46b0157ccb5fc5011fa57353cd3df32edcbadcb8d168133cbd0acfb64444cb040e1298f621508a38f79e14ae8c2c5c857f90aa9d24ef5fc07d34bf23859
 +Result = DIGESTVERIFYINIT_ERROR
 # Verifying with a 1024 bit key is permitted in fips mode for older applications
 DigestVerify = SHA256
 Index: openssl-3.2.3/test/recipes/80-test_cms.t
 ===================================================================
 --- openssl-3.2.3.orig/test/recipes/80-test_cms.t
 +++ openssl-3.2.3/test/recipes/80-test_cms.t
@@ -163,7 +163,7 @@ my @smime_pkcs7_tests = (
       [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1",
         "-certfile", $smroot,
         "-signer", $smrsa1, "-out", "{output}.cms" ],
 -      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
 +      [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms",
         "-CAfile", $smroot, "-out", "{output}.txt" ],
       \&final_compare
     ],
@@ -171,7 +171,7 @@ my @smime_pkcs7_tests = (
     [ "signed zero-length content S/MIME format, RSA key SHA1",
       [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1",
         "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
 -      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
 +      [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms",
         "-CAfile", $smroot, "-out", "{output}.txt" ],
       \&zero_compare
     ],
 Index: openssl-3.2.3/test/recipes/80-test_ssl_old.t
 ===================================================================
 --- openssl-3.2.3.orig/test/recipes/80-test_ssl_old.t
 +++ openssl-3.2.3/test/recipes/80-test_ssl_old.t
@@ -394,6 +394,9 @@ sub testssl {
                'test sslv2/sslv3 with 1024bit DHE via BIO pair');
           }
 +        SKIP: {
 +          skip "SSLv3 is not supported by the FIPS provider", 4
 +              if $provider eq "fips";
           ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])),
              'test sslv2/sslv3 with server authentication');
           ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])),
@@ -402,6 +405,7 @@ sub testssl {
              'test sslv2/sslv3 with both client and server authentication via BIO pair');
           ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])),
              'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify');
 +         }
         SKIP: {
             skip "No IPv4 available on this machine", 4
 Index: openssl-3.2.3/test/acvp_test.inc
 ===================================================================
 --- openssl-3.2.3.orig/test/acvp_test.inc
 +++ openssl-3.2.3/test/acvp_test.inc
@@ -1844,17 +1844,6 @@ static const struct rsa_sigver_st rsa_si
     {
         "x931",
         3072,
 -        "SHA1",
 -        ITM(rsa_sigverx931_0_msg),
 -        ITM(rsa_sigverx931_0_n),
 -        ITM(rsa_sigverx931_0_e),
 -        ITM(rsa_sigverx931_0_sig),
 -        NO_PSS_SALT_LEN,
 -        PASS
 -    },
 -    {
 -        "x931",
 -        3072,
         "SHA256",
         ITM(rsa_sigverx931_1_msg),
         ITM(rsa_sigverx931_1_n),
--- a/openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch
+++ b/openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch
@@ -1,98 +0,0 @@
 From 589eb3898896c1ac916bc20069ecd5adb8534850 Mon Sep 17 00:00:00 2001
 From: Clemens Lang <cllang@redhat.com>
 Date: Fri, 17 Feb 2023 15:31:08 +0100
 Subject: [PATCH] GCM: Implement explicit FIPS indicator for IV gen
 Implementation Guidance for FIPS 140-3 and the Cryptographic Module
 Verification Program, Section C.H requires guarantees about the
 uniqueness of key/iv pairs, and proposes a few approaches to ensure
 this. Provide an indicator for option 2 "The IV may be generated
 internally at its entirety randomly."
 Resolves: rhbz#2168289
 Signed-off-by: Clemens Lang <cllang@redhat.com>
 ---
 include/openssl/core_names.h                  |  1 +
 include/openssl/evp.h                         |  4 +++
 .../implementations/ciphers/ciphercommon.c    |  4 +++
 .../ciphers/ciphercommon_gcm.c                | 25 +++++++++++++++++++
 4 files changed, 34 insertions(+)
 Index: openssl-3.2.3/include/openssl/evp.h
 ===================================================================
 --- openssl-3.2.3.orig/include/openssl/evp.h
 +++ openssl-3.2.3/include/openssl/evp.h
@@ -753,6 +753,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER
 void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags);
 int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags);
 +# define EVP_CIPHER_SUSE_FIPS_INDICATOR_UNDETERMINED 0
 +# define EVP_CIPHER_SUSE_FIPS_INDICATOR_APPROVED     1
 +# define EVP_CIPHER_SUSE_FIPS_INDICATOR_NOT_APPROVED 2
 +
 __owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
                            const unsigned char *key, const unsigned char *iv);
 __owur int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,
 Index: openssl-3.2.3/providers/implementations/ciphers/ciphercommon.c
 ===================================================================
 --- openssl-3.2.3.orig/providers/implementations/ciphers/ciphercommon.c
 +++ openssl-3.2.3/providers/implementations/ciphers/ciphercommon.c
@@ -152,6 +152,10 @@ static const OSSL_PARAM cipher_aead_know
     OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
     OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL),
     OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, NULL, 0),
 +    /* normally we would hide this under an #ifdef FIPS_MODULE, but that does
 +     * not work in ciphercommon.c because it is compiled only once into
 +     * libcommon.a */
 +    OSSL_PARAM_int(OSSL_CIPHER_PARAM_SUSE_FIPS_INDICATOR, NULL),
     OSSL_PARAM_END
 };
 const OSSL_PARAM *ossl_cipher_aead_gettable_ctx_params(
 Index: openssl-3.2.3/providers/implementations/ciphers/ciphercommon_gcm.c
 ===================================================================
 --- openssl-3.2.3.orig/providers/implementations/ciphers/ciphercommon_gcm.c
 +++ openssl-3.2.3/providers/implementations/ciphers/ciphercommon_gcm.c
@@ -238,6 +238,31 @@ int ossl_gcm_get_ctx_params(void *vctx,
             break;
         }
     }
 +
 +    /* We would usually hide this under #ifdef FIPS_MODULE, but
 +     * ciphercommon_gcm.c is only compiled once into libcommon.a, so ifdefs do
 +     * not work here. */
 +    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_SUSE_FIPS_INDICATOR);
 +    if (p != NULL) {
 +        int fips_indicator = EVP_CIPHER_SUSE_FIPS_INDICATOR_APPROVED;
 +
 +        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
 +         * Verification Program, Section C.H requires guarantees about the
 +         * uniqueness of key/iv pairs, and proposes a few approaches to ensure
 +         * this. This provides an indicator for option 2 "The IV may be
 +         * generated internally at its entirety randomly." Note that one of the
 +         * conditions of this option is that "The IV length shall be at least
 +         * 96 bits (per SP 800-38D)." We do not specically check for this
 +         * condition here, because gcm_iv_generate will fail in this case. */
 +        if (ctx->enc && !ctx->iv_gen_rand)
 +            fips_indicator = EVP_CIPHER_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +
 +        if (!OSSL_PARAM_set_int(p, fips_indicator)) {
 +            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
 +            return 0;
 +        }
 +    }
 +
     return 1;
 }
 Index: openssl-3.2.3/util/perl/OpenSSL/paramnames.pm
 ===================================================================
 --- openssl-3.2.3.orig/util/perl/OpenSSL/paramnames.pm
 +++ openssl-3.2.3/util/perl/OpenSSL/paramnames.pm
@@ -102,6 +102,7 @@ my %params = (
     'CIPHER_PARAM_CTS_MODE' =>             "cts_mode",    # utf8_string
 # For passing the AlgorithmIdentifier parameter in DER form
     'CIPHER_PARAM_ALGORITHM_ID_PARAMS' =>  "alg_id_param",# octet_string
 +    'CIPHER_PARAM_SUSE_FIPS_INDICATOR' =>  "suse-fips-indicator",# int
     'CIPHER_PARAM_XTS_STANDARD' =>         "xts_standard",# utf8_string
     'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT' =>  "tls1multi_maxsndfrag",# uint
--- a/openssl-3-FIPS-PCT_rsa_keygen.patch
+++ b/openssl-3-FIPS-PCT_rsa_keygen.patch
@@ -1,28 +0,0 @@
 Index: openssl-3.1.4/crypto/rsa/rsa_gen.c
 ===================================================================
 --- openssl-3.1.4.orig/crypto/rsa/rsa_gen.c
 +++ openssl-3.1.4/crypto/rsa/rsa_gen.c
@@ -428,7 +428,12 @@ static int rsa_keygen(OSSL_LIB_CTX *libc
 #ifdef FIPS_MODULE
     ok = ossl_rsa_sp800_56b_generate_key(rsa, bits, e_value, cb);
 -    pairwise_test = 1; /* FIPS MODE needs to always run the pairwise test */
 +     /* FIPS MODE needs to always run the pairwise test. But, the
 +      * rsa_keygen_pairwise_test() PCT as self-test requirements will be
 +      * covered by do_rsa_pct() for both RSA-OAEP and RSA signatures and
 +      * this PCT can be skipped here. See bsc#1221760 for more info.
 +      */
 +    pairwise_test = 0;
 #else
     /*
      * Only multi-prime keys or insecure keys with a small key length or a
@@ -463,6 +468,9 @@ static int rsa_keygen(OSSL_LIB_CTX *libc
             rsa->dmp1 = NULL;
             rsa->dmq1 = NULL;
             rsa->iqmp = NULL;
 +#ifdef FIPS_MODULE
 +            abort();
 +#endif /* FIPS_MODULE */
         }
     }
     return ok;
--- a/openssl-3-add-defines-CPACF-funcs.patch
+++ b/openssl-3-add-defines-CPACF-funcs.patch
@@ -1,82 +0,0 @@
 commit 518b53b139d7b4ac082ccedd401d2ee08fc66985
 Author: Ingo Franzki <ifranzki@linux.ibm.com>
 Date:   Wed Jan 31 16:26:52 2024 +0100
    s390x: Add defines for new CPACF functions
    Add defines for new CPACF functions codes, its required MSA levels, and
    document how to disable these functions via the OPENSSL_s390xcap environment
    variable.
    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
    Reviewed-by: Paul Dale <ppzgs1@gmail.com>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/25161)
 diff --git a/crypto/s390x_arch.h b/crypto/s390x_arch.h
 index fdc682af06..88ed866b0d 100644
 --- a/crypto/s390x_arch.h
 +++ b/crypto/s390x_arch.h
@@ -1,5 +1,5 @@
 /*
 - * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 + * Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -115,6 +115,7 @@ extern int OPENSSL_s390xcex;
 # define S390X_MSA5             57      /* message-security-assist-ext. 5 */
 # define S390X_MSA3             76      /* message-security-assist-ext. 3 */
 # define S390X_MSA4             77      /* message-security-assist-ext. 4 */
 +# define S390X_MSA12            86      /* message-security-assist-ext. 12 */
 # define S390X_VX               129     /* vector */
 # define S390X_VXD              134     /* vector packed decimal */
 # define S390X_VXE              135     /* vector enhancements 1 */
@@ -150,6 +151,14 @@ extern int OPENSSL_s390xcex;
 /* km */
 # define S390X_XTS_AES_128      50
 # define S390X_XTS_AES_256      52
 +# define S390X_XTS_AES_128_MSA10 82
 +# define S390X_XTS_AES_256_MSA10 84
 +
 +/* kmac */
 +# define S390X_HMAC_SHA_224     112
 +# define S390X_HMAC_SHA_256     113
 +# define S390X_HMAC_SHA_384     114
 +# define S390X_HMAC_SHA_512     115
 /* prno */
 # define S390X_SHA_512_DRNG     3
 diff --git a/doc/man3/OPENSSL_s390xcap.pod b/doc/man3/OPENSSL_s390xcap.pod
 index d7185530ec..363003d8d3 100644
 --- a/doc/man3/OPENSSL_s390xcap.pod
 +++ b/doc/man3/OPENSSL_s390xcap.pod
@@ -74,6 +74,7 @@ the numbering is continuous across 64-bit mask boundaries.
       :
       # 76    1<<51    message-security assist extension 3
       # 77    1<<50    message-security assist extension 4
 +      # 86    1<<41    message-security-assist extension 12
       :
       #129    1<<62    vector facility
       #134    1<<57    vector packed decimal facility
@@ -110,6 +111,8 @@ the numbering is continuous across 64-bit mask boundaries.
       # 50    1<<13    KM-XTS-AES-128
       # 52    1<<11    KM-XTS-AES-256
       :
 +      # 82    1<<45    KM-XTS-AES-128-MSA10
 +      # 84    1<<43    KM-XTS-AES-256-MSA10
  kmc  :
       # 18    1<<45    KMC-AES-128
@@ -122,6 +125,10 @@ the numbering is continuous across 64-bit mask boundaries.
       # 19    1<<44    KMAC-AES-192
       # 20    1<<43    KMAC-AES-256
       :
 +      # 112   1<<15    KMAC-SHA-224
 +      # 113   1<<14    KMAC-SHA-256
 +      # 114   1<<13    KMAC-SHA-384
 +      # 115   1<<12    KMAC-SHA-512
  kmctr:
       :
--- a/openssl-3-add-hw-acceleration-hmac.patch
+++ b/openssl-3-add-hw-acceleration-hmac.patch
@@ -1,506 +0,0 @@
 commit 0499de5adda26b1ef09660f70c12b4710b5f7c8a
 Author: Ingo Franzki <ifranzki@linux.ibm.com>
 Date:   Thu Feb 1 15:15:27 2024 +0100
    s390x: Add hardware acceleration for HMAC
    The CPACF instruction KMAC provides support for accelerating the HMAC
    algorithm on newer machines for HMAC with SHA-224, SHA-256, SHA-384, and
    SHA-512.
    Preliminary measurements showed performance improvements of up to a factor
    of 2, dependent on the message size, whether chunking is used and the size
    of the chunks.
    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
    Reviewed-by: Paul Dale <ppzgs1@gmail.com>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/25161)
 Index: openssl-3.2.3/crypto/hmac/build.info
 ===================================================================
 --- openssl-3.2.3.orig/crypto/hmac/build.info
 +++ openssl-3.2.3/crypto/hmac/build.info
@@ -2,5 +2,22 @@ LIBS=../../libcrypto
 $COMMON=hmac.c
 -SOURCE[../../libcrypto]=$COMMON
 -SOURCE[../../providers/libfips.a]=$COMMON
 +IF[{- !$disabled{asm} -}]
 +  IF[{- ($target{perlasm_scheme} // '') ne '31' -}]
 +    $HMACASM_s390x=hmac_s390x.c
 +    $HMACDEF_s390x=OPENSSL_HMAC_S390X
 +  ENDIF
 +
 +  # Now that we have defined all the arch specific variables, use the
 +  # appropriate ones, and define the appropriate macros
 +  IF[$HMACASM_{- $target{asm_arch} -}]
 +    $HMACASM=$HMACASM_{- $target{asm_arch} -}
 +    $HMACDEF=$HMACDEF_{- $target{asm_arch} -}
 +  ENDIF
 +ENDIF
 +
 +DEFINE[../../libcrypto]=$HMACDEF
 +DEFINE[../../providers/libfips.a]=$HMACDEF
 +
 +SOURCE[../../libcrypto]=$COMMON $HMACASM
 +SOURCE[../../providers/libfips.a]=$COMMON $HMACASM
 Index: openssl-3.2.3/crypto/hmac/hmac.c
 ===================================================================
 --- openssl-3.2.3.orig/crypto/hmac/hmac.c
 +++ openssl-3.2.3/crypto/hmac/hmac.c
@@ -1,5 +1,5 @@
 /*
 - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
 + * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -49,6 +49,12 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
     if ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0)
         return 0;
 +#ifdef OPENSSL_HMAC_S390X
 +    rv = s390x_HMAC_init(ctx, key, len, impl);
 +    if (rv >= 1)
 +        return rv;
 +#endif
 +
     if (key != NULL) {
         reset = 1;
@@ -111,6 +117,12 @@ int HMAC_Update(HMAC_CTX *ctx, const uns
 {
     if (!ctx->md)
         return 0;
 +
 +#ifdef OPENSSL_HMAC_S390X
 +    if (ctx->plat.s390x.fc)
 +        return s390x_HMAC_update(ctx, data, len);
 +#endif
 +
     return EVP_DigestUpdate(ctx->md_ctx, data, len);
 }
@@ -122,6 +134,11 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned c
     if (!ctx->md)
         goto err;
 +#ifdef OPENSSL_HMAC_S390X
 +    if (ctx->plat.s390x.fc)
 +        return s390x_HMAC_final(ctx, md, len);
 +#endif
 +
     if (!EVP_DigestFinal_ex(ctx->md_ctx, buf, &i))
         goto err;
     if (!EVP_MD_CTX_copy_ex(ctx->md_ctx, ctx->o_ctx))
@@ -161,6 +178,10 @@ static void hmac_ctx_cleanup(HMAC_CTX *c
     EVP_MD_CTX_reset(ctx->o_ctx);
     EVP_MD_CTX_reset(ctx->md_ctx);
     ctx->md = NULL;
 +
 +#ifdef OPENSSL_HMAC_S390X
 +    s390x_HMAC_CTX_cleanup(ctx);
 +#endif
 }
 void HMAC_CTX_free(HMAC_CTX *ctx)
@@ -212,6 +233,12 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_C
     if (!EVP_MD_CTX_copy_ex(dctx->md_ctx, sctx->md_ctx))
         goto err;
     dctx->md = sctx->md;
 +
 +#ifdef OPENSSL_HMAC_S390X
 +    if (s390x_HMAC_CTX_copy(dctx, sctx) == 0)
 +        goto err;
 +#endif
 +
     return 1;
  err:
     hmac_ctx_cleanup(dctx);
 Index: openssl-3.2.3/crypto/hmac/hmac_local.h
 ===================================================================
 --- openssl-3.2.3.orig/crypto/hmac/hmac_local.h
 +++ openssl-3.2.3/crypto/hmac/hmac_local.h
@@ -1,5 +1,5 @@
 /*
 - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
 + * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -10,6 +10,10 @@
 #ifndef OSSL_CRYPTO_HMAC_LOCAL_H
 # define OSSL_CRYPTO_HMAC_LOCAL_H
 +# include "internal/common.h"
 +# include "internal/numbers.h"
 +# include "openssl/sha.h"
 +
 /* The current largest case is for SHA3-224 */
 #define HMAC_MAX_MD_CBLOCK_SIZE     144
@@ -18,6 +22,45 @@ struct hmac_ctx_st {
     EVP_MD_CTX *md_ctx;
     EVP_MD_CTX *i_ctx;
     EVP_MD_CTX *o_ctx;
 +
 +    /* Platform specific data */
 +    union {
 +        int dummy;
 +# ifdef OPENSSL_HMAC_S390X
 +        struct {
 +            unsigned int fc; /* 0 if not supported by kmac instruction */
 +            int blk_size;
 +            int ikp;
 +            int iimp;
 +            unsigned char *buf;
 +            size_t size; /* must be multiple of digest block size */
 +            size_t num;
 +            union {
 +                OSSL_UNION_ALIGN;
 +                struct {
 +                    uint32_t h[8];
 +                    uint64_t imbl;
 +                    unsigned char key[64];
 +                } hmac_224_256;
 +                struct {
 +                    uint64_t h[8];
 +                    uint128_t imbl;
 +                    unsigned char key[128];
 +                } hmac_384_512;
 +            } param;
 +        } s390x;
 +# endif /* OPENSSL_HMAC_S390X */
 +    } plat;
 };
 +# ifdef OPENSSL_HMAC_S390X
 +#  define HMAC_S390X_BUF_NUM_BLOCKS 64
 +
 +int s390x_HMAC_init(HMAC_CTX *ctx, const void *key, int key_len, ENGINE *impl);
 +int s390x_HMAC_update(HMAC_CTX *ctx, const unsigned char *data, size_t len);
 +int s390x_HMAC_final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len);
 +int s390x_HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx);
 +int s390x_HMAC_CTX_cleanup(HMAC_CTX *ctx);
 +# endif /* OPENSSL_HMAC_S390X */
 +
 #endif
 Index: openssl-3.2.3/crypto/hmac/hmac_s390x.c
 ===================================================================
 --- /dev/null
 +++ openssl-3.2.3/crypto/hmac/hmac_s390x.c
@@ -0,0 +1,298 @@
 +/*
 + * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
 + *
 + * Licensed under the Apache License 2.0 (the "License").  You may not use
 + * this file except in compliance with the License.  You can obtain a copy
 + * in the file LICENSE in the source distribution or at
 + * https://www.openssl.org/source/license.html
 + */
 +
 +#include "crypto/s390x_arch.h"
 +#include "hmac_local.h"
 +#include "openssl/obj_mac.h"
 +#include "openssl/evp.h"
 +
 +#ifdef OPENSSL_HMAC_S390X
 +
 +static int s390x_fc_from_md(const EVP_MD *md)
 +{
 +    int fc;
 +
 +    switch (EVP_MD_get_type(md)) {
 +    case NID_sha224:
 +        fc = S390X_HMAC_SHA_224;
 +        break;
 +    case NID_sha256:
 +        fc = S390X_HMAC_SHA_256;
 +        break;
 +    case NID_sha384:
 +        fc = S390X_HMAC_SHA_384;
 +        break;
 +    case NID_sha512:
 +        fc = S390X_HMAC_SHA_512;
 +        break;
 +    default:
 +        return 0;
 +    }
 +
 +    if ((OPENSSL_s390xcap_P.kmac[1] & S390X_CAPBIT(fc)) == 0)
 +        return 0;
 +
 +    return fc;
 +}
 +
 +static void s390x_call_kmac(HMAC_CTX *ctx, const unsigned char *in, size_t len)
 +{
 +    unsigned int fc = ctx->plat.s390x.fc;
 +
 +    if (ctx->plat.s390x.ikp)
 +        fc |= S390X_KMAC_IKP;
 +
 +    if (ctx->plat.s390x.iimp)
 +        fc |= S390X_KMAC_IIMP;
 +
 +    switch (ctx->plat.s390x.fc) {
 +    case S390X_HMAC_SHA_224:
 +    case S390X_HMAC_SHA_256:
 +        ctx->plat.s390x.param.hmac_224_256.imbl += ((uint64_t)len * 8);
 +        break;
 +    case S390X_HMAC_SHA_384:
 +    case S390X_HMAC_SHA_512:
 +        ctx->plat.s390x.param.hmac_384_512.imbl += ((uint128_t)len * 8);
 +        break;
 +    default:
 +        break;
 +    }
 +
 +    s390x_kmac(in, len, fc, &ctx->plat.s390x.param);
 +
 +    ctx->plat.s390x.ikp = 1;
 +}
 +
 +int s390x_HMAC_init(HMAC_CTX *ctx, const void *key, int key_len, ENGINE *impl)
 +{
 +    unsigned char *key_param;
 +    unsigned int key_param_len;
 +
 +    ctx->plat.s390x.fc = s390x_fc_from_md(ctx->md);
 +    if (ctx->plat.s390x.fc == 0)
 +        return -1; /* Not supported by kmac instruction */
 +
 +    ctx->plat.s390x.blk_size = EVP_MD_get_block_size(ctx->md);
 +    if (ctx->plat.s390x.blk_size < 0)
 +        return 0;
 +
 +    if (ctx->plat.s390x.size !=
 +        (size_t)(ctx->plat.s390x.blk_size * HMAC_S390X_BUF_NUM_BLOCKS)) {
 +        OPENSSL_clear_free(ctx->plat.s390x.buf, ctx->plat.s390x.size);
 +        ctx->plat.s390x.size = 0;
 +        ctx->plat.s390x.buf = OPENSSL_zalloc(ctx->plat.s390x.blk_size *
 +                                             HMAC_S390X_BUF_NUM_BLOCKS);
 +        if (ctx->plat.s390x.buf == NULL)
 +            return 0;
 +        ctx->plat.s390x.size = ctx->plat.s390x.blk_size *
 +            HMAC_S390X_BUF_NUM_BLOCKS;
 +    }
 +    ctx->plat.s390x.num = 0;
 +
 +    ctx->plat.s390x.ikp = 0;
 +    ctx->plat.s390x.iimp = 1;
 +
 +    switch (ctx->plat.s390x.fc) {
 +    case S390X_HMAC_SHA_224:
 +    case S390X_HMAC_SHA_256:
 +        ctx->plat.s390x.param.hmac_224_256.imbl = 0;
 +        OPENSSL_cleanse(ctx->plat.s390x.param.hmac_224_256.h,
 +                        sizeof(ctx->plat.s390x.param.hmac_224_256.h));
 +        break;
 +    case S390X_HMAC_SHA_384:
 +    case S390X_HMAC_SHA_512:
 +        ctx->plat.s390x.param.hmac_384_512.imbl = 0;
 +        OPENSSL_cleanse(ctx->plat.s390x.param.hmac_384_512.h,
 +                        sizeof(ctx->plat.s390x.param.hmac_384_512.h));
 +        break;
 +    default:
 +        return 0;
 +    }
 +
 +    if (key != NULL) {
 +        switch (ctx->plat.s390x.fc) {
 +        case S390X_HMAC_SHA_224:
 +        case S390X_HMAC_SHA_256:
 +            OPENSSL_cleanse(&ctx->plat.s390x.param.hmac_224_256.key,
 +                            sizeof(ctx->plat.s390x.param.hmac_224_256.key));
 +            key_param = ctx->plat.s390x.param.hmac_224_256.key;
 +            key_param_len = sizeof(ctx->plat.s390x.param.hmac_224_256.key);
 +            break;
 +        case S390X_HMAC_SHA_384:
 +        case S390X_HMAC_SHA_512:
 +            OPENSSL_cleanse(&ctx->plat.s390x.param.hmac_384_512.key,
 +                            sizeof(ctx->plat.s390x.param.hmac_384_512.key));
 +            key_param = ctx->plat.s390x.param.hmac_384_512.key;
 +            key_param_len = sizeof(ctx->plat.s390x.param.hmac_384_512.key);
 +            break;
 +        default:
 +            return 0;
 +        }
 +
 +        if (!ossl_assert(ctx->plat.s390x.blk_size <= (int)key_param_len))
 +            return 0;
 +
 +        if (key_len > ctx->plat.s390x.blk_size) {
 +            if (!EVP_DigestInit_ex(ctx->md_ctx, ctx->md, impl)
 +                    || !EVP_DigestUpdate(ctx->md_ctx, key, key_len)
 +                    || !EVP_DigestFinal_ex(ctx->md_ctx, key_param,
 +                                           &key_param_len))
 +                return 0;
 +        } else {
 +            if (key_len < 0 || key_len > (int)key_param_len)
 +                return 0;
 +            memcpy(key_param, key, key_len);
 +            /* remaining key bytes already zeroed out above */
 +        }
 +    }
 +
 +    return 1;
 +}
 +
 +int s390x_HMAC_update(HMAC_CTX *ctx, const unsigned char *data, size_t len)
 +{
 +    size_t remain, num;
 +
 +    if (len == 0)
 +        return 1;
 +
 +    /* buffer is full, process it now */
 +    if (ctx->plat.s390x.num == ctx->plat.s390x.size) {
 +        s390x_call_kmac(ctx, ctx->plat.s390x.buf, ctx->plat.s390x.num);
 +
 +        ctx->plat.s390x.num = 0;
 +    }
 +
 +    remain = ctx->plat.s390x.size - ctx->plat.s390x.num;
 +    if (len > remain) {
 +        /* data does not fit into buffer */
 +        if (ctx->plat.s390x.num > 0) {
 +            /* first fill buffer and process it */
 +            memcpy(&ctx->plat.s390x.buf[ctx->plat.s390x.num], data, remain);
 +            ctx->plat.s390x.num += remain;
 +
 +            s390x_call_kmac(ctx, ctx->plat.s390x.buf, ctx->plat.s390x.num);
 +
 +            ctx->plat.s390x.num = 0;
 +
 +            data += remain;
 +            len -= remain;
 +        }
 +
 +        if (!ossl_assert(ctx->plat.s390x.num == 0))
 +            return 0;
 +
 +        if (len > ctx->plat.s390x.size) {
 +            /*
 +             * remaining data is still larger than buffer, process remaining
 +             * full blocks of input directly
 +             */
 +            remain = len % ctx->plat.s390x.blk_size;
 +            num = len - remain;
 +
 +            s390x_call_kmac(ctx, data, num);
 +
 +            data += num;
 +            len -= num;
 +        }
 +    }
 +
 +    /* add remaining input data (which is < buffer size) to buffer */
 +    if (!ossl_assert(len <= ctx->plat.s390x.size))
 +        return 0;
 +
 +    if (len > 0) {
 +        memcpy(&ctx->plat.s390x.buf[ctx->plat.s390x.num], data, len);
 +        ctx->plat.s390x.num += len;
 +    }
 +
 +    return 1;
 +}
 +
 +int s390x_HMAC_final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len)
 +{
 +    void *result;
 +    unsigned int res_len;
 +
 +    ctx->plat.s390x.iimp = 0; /* last block */
 +    s390x_call_kmac(ctx, ctx->plat.s390x.buf, ctx->plat.s390x.num);
 +
 +    ctx->plat.s390x.num = 0;
 +
 +    switch (ctx->plat.s390x.fc) {
 +    case S390X_HMAC_SHA_224:
 +        result = &ctx->plat.s390x.param.hmac_224_256.h[0];
 +        res_len = SHA224_DIGEST_LENGTH;
 +        break;
 +    case S390X_HMAC_SHA_256:
 +        result = &ctx->plat.s390x.param.hmac_224_256.h[0];
 +        res_len = SHA256_DIGEST_LENGTH;
 +        break;
 +    case S390X_HMAC_SHA_384:
 +        result = &ctx->plat.s390x.param.hmac_384_512.h[0];
 +        res_len = SHA384_DIGEST_LENGTH;
 +        break;
 +    case S390X_HMAC_SHA_512:
 +        result = &ctx->plat.s390x.param.hmac_384_512.h[0];
 +        res_len = SHA512_DIGEST_LENGTH;
 +        break;
 +    default:
 +        return 0;
 +    }
 +
 +    memcpy(md, result, res_len);
 +    if (len != NULL)
 +        *len = res_len;
 +
 +    return 1;
 +}
 +
 +int s390x_HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx)
 +{
 +    dctx->plat.s390x.fc = sctx->plat.s390x.fc;
 +    dctx->plat.s390x.blk_size = sctx->plat.s390x.blk_size;
 +    dctx->plat.s390x.ikp = sctx->plat.s390x.ikp;
 +    dctx->plat.s390x.iimp = sctx->plat.s390x.iimp;
 +
 +    memcpy(&dctx->plat.s390x.param, &sctx->plat.s390x.param,
 +           sizeof(dctx->plat.s390x.param));
 +
 +    dctx->plat.s390x.buf = NULL;
 +    if (sctx->plat.s390x.buf != NULL) {
 +        dctx->plat.s390x.buf = OPENSSL_memdup(sctx->plat.s390x.buf,
 +                                              sctx->plat.s390x.size);
 +        if (dctx->plat.s390x.buf == NULL)
 +            return 0;
 +    }
 +
 +    dctx->plat.s390x.size = sctx->plat.s390x.size;
 +    dctx->plat.s390x.num = sctx->plat.s390x.num;
 +
 +    return 1;
 +}
 +
 +int s390x_HMAC_CTX_cleanup(HMAC_CTX *ctx)
 +{
 +    OPENSSL_clear_free(ctx->plat.s390x.buf, ctx->plat.s390x.size);
 +    ctx->plat.s390x.buf = NULL;
 +    ctx->plat.s390x.size = 0;
 +    ctx->plat.s390x.num = 0;
 +
 +    OPENSSL_cleanse(&ctx->plat.s390x.param, sizeof(ctx->plat.s390x.param));
 +
 +    ctx->plat.s390x.blk_size = 0;
 +    ctx->plat.s390x.ikp = 0;
 +    ctx->plat.s390x.iimp = 1;
 +
 +    ctx->plat.s390x.fc = 0;
 +
 +    return 1;
 +}
 +
 +#endif
 Index: openssl-3.2.3/crypto/s390x_arch.h
 ===================================================================
 --- openssl-3.2.3.orig/crypto/s390x_arch.h
 +++ openssl-3.2.3/crypto/s390x_arch.h
@@ -192,5 +192,8 @@ extern int OPENSSL_s390xcex;
 # define S390X_KMA_HS           0x400
 # define S390X_KDSA_D           0x80
 # define S390X_KLMD_PS          0x100
 +# define S390X_KMAC_IKP         0x8000
 +# define S390X_KMAC_IIMP        0x4000
 +# define S390X_KMAC_CCUP        0x2000
 #endif
--- a/openssl-3-add-xof-state-handling-s3_absorb.patch
+++ b/openssl-3-add-xof-state-handling-s3_absorb.patch
@@ -1,32 +0,0 @@
 commit 1337b50936ed190a98af1ee6601d857b42a3d296
 Author: Holger Dengler <dengler@linux.ibm.com>
 Date:   Wed Sep 27 21:54:34 2023 +0200
    Add xof state handing for generic sha3 absorb.
    The digest life-cycle diagram specifies state transitions to `updated`
    (aka XOF_STATE_ABSORB) only from `initialised` and `updated`. Add this
    checking to the generic sha3 absorb implementation.
    Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
    Reviewed-by: Todd Short <todd.short@me.com>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/22221)
 Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
 ===================================================================
 --- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
 +++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
@@ -143,6 +143,10 @@ static size_t generic_sha3_absorb(void *
 {
     KECCAK1600_CTX *ctx = vctx;
 +    if (!(ctx->xof_state == XOF_STATE_INIT ||
 +          ctx->xof_state == XOF_STATE_ABSORB))
 +        return 0;
 +    ctx->xof_state = XOF_STATE_ABSORB;
     return SHA3_absorb(ctx->A, inp, len, ctx->block_size);
 }
--- a/openssl-3-add_EVP_DigestSqueeze_api.patch
+++ b/openssl-3-add_EVP_DigestSqueeze_api.patch
--- a/openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch
+++ b/openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch
@@ -1,90 +0,0 @@
 commit a75d62637aa165a7f37e39a3a36e2a8b089913bc
 Author: Ingo Franzki <ifranzki@linux.ibm.com>
 Date:   Mon Aug 26 11:26:03 2024 +0200
    s390x: Disable HMAC hardware acceleration when an engine is used for the digest
    The TLSProxy uses the 'ossltest' engine to produce known output for digests
    and HMAC calls. However, when running on a s390x system that supports
    hardware acceleration of HMAC, the engine is not used for calculating HMACs,
    but the s390x specific HMAC implementation is used, which does produce correct
    output, but not the known output that the engine would produce. This causes
    some tests (i.e. test_key_share, test_sslextension, test_sslrecords,
    test_sslvertol, and test_tlsextms) to fail.
    Disable the s390x HMAC hardware acceleration if an engine is used for the
    digest of the HMAC calculation. This provides compatibility for engines that
    provide digest implementations, and assume that these implementations are also
    used when calculating an HMAC.
    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
    Reviewed-by: Neil Horman <nhorman@openssl.org>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/25287)
 diff --git a/crypto/hmac/hmac_s390x.c b/crypto/hmac/hmac_s390x.c
 index 5db7e9a221..02e1cd1dd6 100644
 --- a/crypto/hmac/hmac_s390x.c
 +++ b/crypto/hmac/hmac_s390x.c
@@ -7,10 +7,16 @@
  * https://www.openssl.org/source/license.html
  */
 +/* We need to use some engine deprecated APIs */
 +#define OPENSSL_SUPPRESS_DEPRECATED
 +
 #include "crypto/s390x_arch.h"
 #include "hmac_local.h"
 #include "openssl/obj_mac.h"
 #include "openssl/evp.h"
 +#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
 +# include <openssl/engine.h>
 +#endif
 #ifdef OPENSSL_HMAC_S390X
@@ -63,6 +69,31 @@ static void s390x_call_kmac(HMAC_CTX *ctx, const unsigned char *in, size_t len)
     ctx->plat.s390x.ikp = 1;
 }
 +static int s390x_check_engine_used(const EVP_MD *md, ENGINE *impl)
 +{
 +# if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
 +    const EVP_MD *d;
 +
 +    if (impl != NULL) {
 +        if (!ENGINE_init(impl))
 +            return 0;
 +    } else {
 +        impl = ENGINE_get_digest_engine(EVP_MD_get_type(md));
 +    }
 +
 +    if (impl == NULL)
 +        return 0;
 +
 +    d = ENGINE_get_digest(impl, EVP_MD_get_type(md));
 +    ENGINE_finish(impl);
 +
 +    if (d != NULL)
 +        return 1;
 +# endif
 +
 +    return 0;
 +}
 +
 int s390x_HMAC_init(HMAC_CTX *ctx, const void *key, int key_len, ENGINE *impl)
 {
     unsigned char *key_param;
@@ -72,6 +103,11 @@ int s390x_HMAC_init(HMAC_CTX *ctx, const void *key, int key_len, ENGINE *impl)
     if (ctx->plat.s390x.fc == 0)
         return -1; /* Not supported by kmac instruction */
 +    if (s390x_check_engine_used(ctx->md, impl)) {
 +        ctx->plat.s390x.fc = 0;
 +        return -1; /* An engine handles the digest, disable acceleration */
 +    }
 +
     ctx->plat.s390x.blk_size = EVP_MD_get_block_size(ctx->md);
     if (ctx->plat.s390x.blk_size < 0)
         return 0;
--- a/openssl-3-fix-hmac-digest-detection-s390x.patch
+++ b/openssl-3-fix-hmac-digest-detection-s390x.patch
@@ -1,49 +0,0 @@
 commit d5b3c0e24bc56614e92ffafdd705622beaef420a
 Author: Ingo Franzki <ifranzki@linux.ibm.com>
 Date:   Wed Aug 28 14:56:33 2024 +0200
    s390x: Fix HMAC digest detection
    Use EVP_MD_is_a() instead of EVP_MD_get_type() to detect the digest
    type. EVP_MD_get_type() does not always return the expected NID, e.g.
    when running in the FIPS provider, EVP_MD_get_type() returns zero,
    causing to skip the HMAC acceleration path.
    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
    Reviewed-by: Paul Dale <ppzgs1@gmail.com>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/25304)
 diff --git a/crypto/hmac/hmac_s390x.c b/crypto/hmac/hmac_s390x.c
 index 8b0da0d59d..5db7e9a221 100644
 --- a/crypto/hmac/hmac_s390x.c
 +++ b/crypto/hmac/hmac_s390x.c
@@ -18,22 +18,16 @@ static int s390x_fc_from_md(const EVP_MD *md)
 {
     int fc;
 -    switch (EVP_MD_get_type(md)) {
 -    case NID_sha224:
 +    if (EVP_MD_is_a(md, "SHA2-224"))
         fc = S390X_HMAC_SHA_224;
 -        break;
 -    case NID_sha256:
 +    else if (EVP_MD_is_a(md, "SHA2-256"))
         fc = S390X_HMAC_SHA_256;
 -        break;
 -    case NID_sha384:
 +    else if (EVP_MD_is_a(md, "SHA2-384"))
         fc = S390X_HMAC_SHA_384;
 -        break;
 -    case NID_sha512:
 +    else if (EVP_MD_is_a(md, "SHA2-512"))
         fc = S390X_HMAC_SHA_512;
 -        break;
 -    default:
 +    else
         return 0;
 -    }
     if ((OPENSSL_s390xcap_P.kmac[1] & S390X_CAPBIT(fc)) == 0)
         return 0;
--- a/openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch
+++ b/openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch
@@ -1,28 +0,0 @@
 commit 19b87d2d2b022c20dd9043c3b6d021315011b45f
 Author: Ingo Franzki <ifranzki@linux.ibm.com>
 Date:   Tue Aug 20 11:35:20 2024 +0200
    s390x: Fix memory leak in s390x_HMAC_CTX_copy()
    When s390x_HMAC_CTX_copy() is called, but the destination context already
    has a buffer allocated, it is not freed before duplicating the buffer from
    the source context.
    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
    Reviewed-by: Paul Dale <ppzgs1@gmail.com>
    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/25238)
 diff --git a/crypto/hmac/hmac_s390x.c b/crypto/hmac/hmac_s390x.c
 index 1124d9bc5d..8b0da0d59d 100644
 --- a/crypto/hmac/hmac_s390x.c
 +++ b/crypto/hmac/hmac_s390x.c
@@ -263,6 +263,7 @@ int s390x_HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx)
     memcpy(&dctx->plat.s390x.param, &sctx->plat.s390x.param,
            sizeof(dctx->plat.s390x.param));
 +    OPENSSL_clear_free(dctx->plat.s390x.buf, dctx->plat.s390x.size);
     dctx->plat.s390x.buf = NULL;
     if (sctx->plat.s390x.buf != NULL) {
         dctx->plat.s390x.buf = OPENSSL_memdup(sctx->plat.s390x.buf,
--- a/openssl-3-fix-quic_multistream_test.patch
+++ b/openssl-3-fix-quic_multistream_test.patch
@@ -1,25 +0,0 @@
 From b5795e3ed3ec38ef4686a5b7ff03bfd60183cb71 Mon Sep 17 00:00:00 2001
 From: "Randall S. Becker" <randall.becker@nexbridge.ca>
 Date: Mon, 20 May 2024 22:23:04 +0000
 Subject: [PATCH] Added an explicit yield (OP_SLEEP) to QUIC testing for
 cooperative threading.
 Fixes: #24442
 Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>
 ---
 test/quic_multistream_test.c | 1 +
 1 file changed, 1 insertion(+)
 Index: openssl-3.2.3/test/quic_multistream_test.c
 ===================================================================
 --- openssl-3.2.3.orig/test/quic_multistream_test.c
 +++ openssl-3.2.3/test/quic_multistream_test.c
@@ -2397,6 +2397,7 @@ static const struct script_op script_13_
     OP_C_ACCEPT_STREAM_WAIT (a)
     OP_C_READ_EXPECT        (a, "foo", 3)
 +    OP_SLEEP                (10)
     OP_C_EXPECT_FIN         (a)
     OP_C_FREE_STREAM        (a)
--- a/openssl-3-fix-s390x_sha3_absorb.patch
+++ b/openssl-3-fix-s390x_sha3_absorb.patch
@@ -1,50 +0,0 @@
 From 979dc530010e3c0f045edf6e38c7ab894ffba7f2 Mon Sep 17 00:00:00 2001
 From: Ingo Franzki <ifranzki@linux.ibm.com>
 Date: Thu, 5 Sep 2024 08:45:29 +0200
 Subject: [PATCH] s390x: Fix s390x_sha3_absorb() when no data is processed by
 KIMD
 If the data to absorb is less than a block, then the KIMD instruction is
 called with zero bytes. This is superfluous, and causes incorrect hash
 output later on if this is the very first absorb call, i.e. when the
 xof_state is still XOF_STATE_INIT and MSA 12 is available. In this case
 the NIP flag is set in the function code for KIMD, but KIMD ignores the
 NIP flag when it is called with zero bytes to process.
 Skip any KIMD calls for zero length data. Also do not set the xof_state
 to XOF_STATE_ABSORB until the first call to KIMD with data. That way,
 the next KIMD (with non-zero length data) or KLMD call will get the NIP
 flag set and will then honor it to produce correct output.
 Fixes: https://github.com/openssl/openssl/commit/25f5d7b85f6657cd2f9f1ab7ae87f319d9bafe54
 Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
 Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/25388)
 ---
 providers/implementations/digests/sha3_prov.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
 Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
 ===================================================================
 --- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
 +++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
@@ -192,10 +192,12 @@ static size_t s390x_sha3_absorb(void *vc
     if (!(ctx->xof_state == XOF_STATE_INIT ||
           ctx->xof_state == XOF_STATE_ABSORB))
         return 0;
 -    fc = ctx->pad;
 -    fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0;
 -    ctx->xof_state = XOF_STATE_ABSORB;
 -    s390x_kimd(inp, len - rem, fc, ctx->A);
 +    if (len - rem > 0) {
 +        fc = ctx->pad;
 +        fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0;
 +        ctx->xof_state = XOF_STATE_ABSORB;
 +        s390x_kimd(inp, len - rem, fc, ctx->A);
 +    }
     return rem;
 }
--- a/openssl-3-fix-s390x_shake_squeeze.patch
+++ b/openssl-3-fix-s390x_shake_squeeze.patch
@@ -1,98 +0,0 @@
 From dc5afb7e87ee448f4fecad0dc624c643505ba7f1 Mon Sep 17 00:00:00 2001
 From: Ingo Franzki <ifranzki@linux.ibm.com>
 Date: Wed, 4 Sep 2024 13:42:09 +0200
 Subject: [PATCH] s390x: Fix s390x_shake_squeeze() when MSA 12 is available
 On the first squeeze call, when finishing the absorb process, also set
 the NIP flag, if we are still in XOF_STATE_INIT state. When MSA 12 is
 available, the state buffer A has not been zeroed during initialization,
 thus we must also pass the NIP flag here. This situation can happen
 when a squeeze is performed without a preceding absorb (i.e. a SHAKE
 of the empty message).
 Add a test that performs a squeeze without a preceding absorb and check
 if the result is correct.
 Fixes: https://github.com/openssl/openssl/commit/25f5d7b85f6657cd2f9f1ab7ae87f319d9bafe54
 Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
 Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/25388)
 ---
 providers/implementations/digests/sha3_prov.c |  5 +++-
 test/evp_xof_test.c                           | 29 +++++++++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)
 Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
 ===================================================================
 --- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
 +++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
@@ -239,6 +239,7 @@ static int s390x_shake_final(void *vctx,
 static int s390x_shake_squeeze(void *vctx, unsigned char *out, size_t outlen)
 {
     KECCAK1600_CTX *ctx = vctx;
 +    unsigned int fc;
     size_t len;
     if (!ossl_prov_is_running())
@@ -249,8 +250,10 @@ static int s390x_shake_squeeze(void *vct
      * On the first squeeze call, finish the absorb process (incl. padding).
      */
     if (ctx->xof_state != XOF_STATE_SQUEEZE) {
 +        fc = ctx->pad;
 +        fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KLMD_NIP : 0;
         ctx->xof_state = XOF_STATE_SQUEEZE;
 -        s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, ctx->pad, ctx->A);
 +        s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, fc, ctx->A);
         ctx->bufsz = outlen % ctx->block_size;
         /* reuse ctx->bufsz to count bytes squeezed from current sponge */
         return 1;
 Index: openssl-3.2.3/test/evp_xof_test.c
 ===================================================================
 --- openssl-3.2.3.orig/test/evp_xof_test.c
 +++ openssl-3.2.3/test/evp_xof_test.c
@@ -479,6 +479,34 @@ err:
     return ret;
 }
 +/* Test that a squeeze without a preceding absorb works */
 +static int shake_squeeze_no_absorb_test(void)
 +{
 +    int ret = 0;
 +    EVP_MD_CTX *ctx = NULL;
 +    unsigned char out[1000];
 +    unsigned char out2[1000];
 +    const char *alg = "SHAKE128";
 +
 +    if (!TEST_ptr(ctx = shake_setup(alg))
 +        || !TEST_true(EVP_DigestFinalXOF(ctx, out, sizeof(out))))
 +        goto err;
 +
 +    if (!TEST_true(EVP_DigestInit_ex2(ctx, NULL, NULL))
 +        || !TEST_true(EVP_DigestSqueeze(ctx, out2, sizeof(out2) / 2))
 +        || !TEST_true(EVP_DigestSqueeze(ctx, out2 + sizeof(out2) / 2,
 +                                        sizeof(out2) / 2)))
 +        goto err;
 +
 +    if (!TEST_mem_eq(out2, sizeof(out2), out, sizeof(out)))
 +        goto err;
 +    ret = 1;
 +
 +err:
 +    EVP_MD_CTX_free(ctx);
 +    return ret;
 +}
 +
 int setup_tests(void)
 {
     ADD_TEST(shake_kat_test);
@@ -488,5 +516,7 @@ int setup_tests(void)
     ADD_ALL_TESTS(shake_squeeze_kat_test, OSSL_NELEM(stride_tests));
     ADD_ALL_TESTS(shake_squeeze_large_test, OSSL_NELEM(stride_tests));
     ADD_ALL_TESTS(shake_squeeze_dup_test, OSSL_NELEM(dupoffset_tests));
 +    ADD_TEST(shake_squeeze_no_absorb_test);
 +
     return 1;
 }
--- a/openssl-3-fix-sha3-squeeze-ppc64.patch
+++ b/openssl-3-fix-sha3-squeeze-ppc64.patch
@@ -1,31 +0,0 @@
 commit ed5e478261127cafe9c3f86c4992eab1e5c7ebb1
 Author: Rohan McLure <rmclure@linux.ibm.com>
 Date:   Tue Nov 14 14:14:33 2023 +1100
    ppc64: Fix SHA3_squeeze
    Fix the conditional on the 'next' parameter passed into SHA3_squeeze.
    Reported-by: David Benjamin <davidben@davidben.net>
    Signed-off-by: Rohan McLure <rmclure@linux.ibm.com>
    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
    Reviewed-by: Paul Dale <pauli@openssl.org>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/22722)
 diff --git a/crypto/sha/asm/keccak1600-ppc64.pl b/crypto/sha/asm/keccak1600-ppc64.pl
 index 3f8ba817f8..fe7d6db20e 100755
 --- a/crypto/sha/asm/keccak1600-ppc64.pl
 +++ b/crypto/sha/asm/keccak1600-ppc64.pl
@@ -668,8 +668,8 @@ SHA3_squeeze:
 	subi	$out,r4,1		; prepare for stbu
 	mr	$len,r5
 	mr	$bsz,r6
 -	${UCMP}i r7,1                   ; r7 = 'next' argument
 -	blt	.Lnext_block
 +	${UCMP}i r7,0                   ; r7 = 'next' argument
 +	bne	.Lnext_block
 	b	.Loop_squeeze
 .align	4
--- a/openssl-3-fix-state-handling-keccak_final_s390x.patch
+++ b/openssl-3-fix-state-handling-keccak_final_s390x.patch
@@ -1,32 +0,0 @@
 commit 1022131d16e30cfbf896e02419019de48e8e1149
 Author: Holger Dengler <dengler@linux.ibm.com>
 Date:   Wed Sep 27 15:43:18 2023 +0200
    Fix state handling of keccak_final for s390x.
    The digest life-cycle state diagram has been updated for XOF. Fix the
    state handling in s390x_keccac_final() according to the updated state
    diagram.
    Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
    Reviewed-by: Todd Short <todd.short@me.com>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/22221)
 diff --git a/providers/implementations/digests/sha3_prov.c b/providers/implementations/digests/sha3_prov.c
 index 34620cf95a..f691273baf 100644
 --- a/providers/implementations/digests/sha3_prov.c
 +++ b/providers/implementations/digests/sha3_prov.c
@@ -235,6 +235,10 @@ static int s390x_keccakc_final(void *vctx, unsigned char *out, size_t outlen,
     if (!ossl_prov_is_running())
         return 0;
 +    if (!(ctx->xof_state == XOF_STATE_INIT ||
 +          ctx->xof_state == XOF_STATE_ABSORB))
 +        return 0;
 +    ctx->xof_state = XOF_STATE_FINAL;
     if (outlen == 0)
         return 1;
     memset(ctx->buf + num, 0, bsz - num);
--- a/openssl-3-fix-state-handling-sha3_absorb_s390x.patch
+++ b/openssl-3-fix-state-handling-sha3_absorb_s390x.patch
@@ -1,32 +0,0 @@
 commit 7aa45b8bb3269e881d0378aa785ff344efdd2897
 Author: Holger Dengler <dengler@linux.ibm.com>
 Date:   Wed Sep 27 15:36:23 2023 +0200
    Fix state handling of sha3_absorb for s390x.
    The digest life-cycle state diagram has been updated for XOF. Fix the
    state handling in s390x_sha3_aborb() according to the updated state
    diagram.
    Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
    Reviewed-by: Todd Short <todd.short@me.com>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/22221)
 Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
 ===================================================================
 --- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
 +++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
@@ -188,6 +188,10 @@ static size_t s390x_sha3_absorb(void *vc
     KECCAK1600_CTX *ctx = vctx;
     size_t rem = len % ctx->block_size;
 +    if (!(ctx->xof_state == XOF_STATE_INIT ||
 +          ctx->xof_state == XOF_STATE_ABSORB))
 +        return 0;
 +    ctx->xof_state = XOF_STATE_ABSORB;
     s390x_kimd(inp, len - rem, ctx->pad, ctx->A);
     return rem;
 }
--- a/openssl-3-fix-state-handling-sha3_final_s390x.patch
+++ b/openssl-3-fix-state-handling-sha3_final_s390x.patch
@@ -1,32 +0,0 @@
 commit 017acc58f6b67d5b347db411a7a1c4e890434f42
 Author: Holger Dengler <dengler@linux.ibm.com>
 Date:   Wed Sep 27 15:36:59 2023 +0200
    Fix state handling of sha3_final for s390x.
    The digest life-cycle state diagram has been updated for XOF. Fix the
    state handling in s390x_sha3_final() according to the updated state
    diagram.
    Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
    Reviewed-by: Todd Short <todd.short@me.com>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/22221)
 Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
 ===================================================================
 --- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
 +++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
@@ -202,6 +202,10 @@ static int s390x_sha3_final(void *vctx,
     if (!ossl_prov_is_running())
         return 0;
 +    if (!(ctx->xof_state == XOF_STATE_INIT ||
 +          ctx->xof_state == XOF_STATE_ABSORB))
 +        return 0;
 +    ctx->xof_state = XOF_STATE_FINAL;
     s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, ctx->pad, ctx->A);
     memcpy(out, ctx->A, outlen);
     return 1;
--- a/openssl-3-fix-state-handling-shake_final_s390x.patch
+++ b/openssl-3-fix-state-handling-shake_final_s390x.patch
@@ -1,32 +0,0 @@
 commit 288fbb4b71343516cee6f6a44b9ec55d82fb1532
 Author: Holger Dengler <dengler@linux.ibm.com>
 Date:   Wed Sep 27 15:37:29 2023 +0200
    Fix state handling of shake_final for s390x.
    The digest life-cycle state diagram has been updated for XOF. Fix the
    state handling in s390x_shake_final() according to the updated state
    diagram.
    Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
    Reviewed-by: Todd Short <todd.short@me.com>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/22221)
 Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
 ===================================================================
 --- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
 +++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
@@ -217,6 +217,10 @@ static int s390x_shake_final(void *vctx,
     if (!ossl_prov_is_running())
         return 0;
 +    if (!(ctx->xof_state == XOF_STATE_INIT ||
 +          ctx->xof_state == XOF_STATE_ABSORB))
 +        return 0;
 +    ctx->xof_state = XOF_STATE_FINAL;
     s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, ctx->pad, ctx->A);
     return 1;
 }
--- a/openssl-3-hw-acceleration-aes-xts-s390x.patch
+++ b/openssl-3-hw-acceleration-aes-xts-s390x.patch
@@ -1,327 +0,0 @@
 commit 9cd4051e47c8da8398f93f42f0f56750552965f4
 Author: Holger Dengler <dengler@linux.ibm.com>
 Date:   Tue Aug 6 14:00:49 2024 +0200
    s390x: Add hardware acceleration for full AES-XTS
    The CPACF instruction KM provides support for accelerating the full
    AES-XTS algorithm on newer machines for AES_XTS_128 and AES_XTS_256.
    Preliminary measurements showed performance improvements of up to 50%,
    dependent on the message size.
    Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    Reviewed-by: Paul Dale <pauli@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/25414)
 diff --git a/providers/implementations/ciphers/build.info b/providers/implementations/ciphers/build.info
 index 5eb705969f..1837070c21 100644
 --- a/providers/implementations/ciphers/build.info
 +++ b/providers/implementations/ciphers/build.info
@@ -71,6 +71,19 @@ IF[{- !$disabled{asm} -}]
   ENDIF
 ENDIF
 +IF[{- !$disabled{asm} -}]
 +  IF[{- ($target{perlasm_scheme} // '') ne '31' -}]
 +    $AESXTSDEF_s390x=AES_XTS_S390X
 +  ENDIF
 +
 +  # Now that we have defined all the arch specific variables, use the
 +  # appropriate one, and define the appropriate macros
 +
 +  IF[$AESXTSDEF_{- $target{asm_arch} -}]
 +    $AESXTSDEF=$AESXTSDEF_{- $target{asm_arch} -}
 +  ENDIF
 +ENDIF
 +
 # This source is common building blocks for all ciphers in all our providers.
 SOURCE[$COMMON_GOAL]=\
         ciphercommon.c ciphercommon_hw.c ciphercommon_block.c \
@@ -93,6 +106,7 @@ SOURCE[$AES_GOAL]=\
         cipher_aes_cbc_hmac_sha.c \
         cipher_aes_cbc_hmac_sha256_hw.c cipher_aes_cbc_hmac_sha1_hw.c \
         cipher_cts.c
 +DEFINE[$AES_GOAL]=$AESXTSDEF
 # Extra code to satisfy the FIPS and non-FIPS separation.
 # When the AES-xxx-XTS moves to legacy, cipher_aes_xts_fips.c can be removed.
 diff --git a/providers/implementations/ciphers/cipher_aes_xts.c b/providers/implementations/ciphers/cipher_aes_xts.c
 index cce2537ea7..2287834d62 100644
 --- a/providers/implementations/ciphers/cipher_aes_xts.c
 +++ b/providers/implementations/ciphers/cipher_aes_xts.c
@@ -62,6 +62,10 @@ static int aes_xts_check_keys_differ(const unsigned char *key, size_t bytes,
     return 1;
 }
 +#ifdef AES_XTS_S390X
 +# include "cipher_aes_xts_s390x.inc"
 +#endif
 +
 /*-
  * Provider dispatch functions
  */
@@ -98,6 +102,10 @@ static int aes_xts_einit(void *vctx, const unsigned char *key, size_t keylen,
                          const unsigned char *iv, size_t ivlen,
                          const OSSL_PARAM params[])
 {
 +#ifdef AES_XTS_S390X
 +    if (s390x_aes_xts_einit(vctx, key, keylen, iv, ivlen, params) == 1)
 +        return 1;
 +#endif
     return aes_xts_init(vctx, key, keylen, iv, ivlen, params, 1);
 }
@@ -105,6 +113,10 @@ static int aes_xts_dinit(void *vctx, const unsigned char *key, size_t keylen,
                          const unsigned char *iv, size_t ivlen,
                          const OSSL_PARAM params[])
 {
 +#ifdef AES_XTS_S390X
 +    if (s390x_aes_xts_dinit(vctx, key, keylen, iv, ivlen, params) == 1)
 +        return 1;
 +#endif
     return aes_xts_init(vctx, key, keylen, iv, ivlen, params, 0);
 }
@@ -137,6 +149,11 @@ static void *aes_xts_dupctx(void *vctx)
     if (!ossl_prov_is_running())
         return NULL;
 +#ifdef AES_XTS_S390X
 +    if (in->plat.s390x.fc)
 +        return s390x_aes_xts_dupctx(vctx);
 +#endif
 +
     if (in->xts.key1 != NULL) {
         if (in->xts.key1 != &in->ks1)
             return NULL;
@@ -157,6 +174,11 @@ static int aes_xts_cipher(void *vctx, unsigned char *out, size_t *outl,
 {
     PROV_AES_XTS_CTX *ctx = (PROV_AES_XTS_CTX *)vctx;
 +#ifdef AES_XTS_S390X
 +    if (ctx->plat.s390x.fc)
 +        return s390x_aes_xts_cipher(vctx, out, outl, outsize, in, inl);
 +#endif
 +
     if (!ossl_prov_is_running()
             || ctx->xts.key1 == NULL
             || ctx->xts.key2 == NULL
 diff --git a/providers/implementations/ciphers/cipher_aes_xts.h b/providers/implementations/ciphers/cipher_aes_xts.h
 index afc42ef444..56891ca98c 100644
 --- a/providers/implementations/ciphers/cipher_aes_xts.h
 +++ b/providers/implementations/ciphers/cipher_aes_xts.h
@@ -22,6 +22,14 @@ PROV_CIPHER_FUNC(void, xts_stream,
                   const AES_KEY *key1, const AES_KEY *key2,
                   const unsigned char iv[16]));
 +#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
 +typedef struct S390X_km_xts_params_st {
 +    unsigned char key[64];
 +    unsigned char tweak[16];
 +    unsigned char nap[16];
 +} S390X_KM_XTS_PARAMS;
 +#endif
 +
 typedef struct prov_aes_xts_ctx_st {
     PROV_CIPHER_CTX base;      /* Must be first */
     union {
@@ -30,6 +38,23 @@ typedef struct prov_aes_xts_ctx_st {
     } ks1, ks2;                /* AES key schedules to use */
     XTS128_CONTEXT xts;
     OSSL_xts_stream_fn stream;
 +
 +    /* Platform specific data */
 +    union {
 +        int dummy;
 +#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
 +        struct {
 +            union {
 +                OSSL_UNION_ALIGN;
 +                S390X_KM_XTS_PARAMS km;
 +            } param;
 +            size_t offset;
 +            unsigned int fc;
 +            unsigned int iv_set : 1;
 +            unsigned int key_set : 1;
 +        } s390x;
 +#endif
 +    } plat;
 } PROV_AES_XTS_CTX;
 const PROV_CIPHER_HW *ossl_prov_cipher_hw_aes_xts(size_t keybits);
 diff --git a/providers/implementations/ciphers/cipher_aes_xts_s390x.inc b/providers/implementations/ciphers/cipher_aes_xts_s390x.inc
 new file mode 100644
 index 0000000000..77341b3bbd
 --- /dev/null
 +++ b/providers/implementations/ciphers/cipher_aes_xts_s390x.inc
@@ -0,0 +1,167 @@
 +/*
 + * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
 + *
 + * Licensed under the Apache License 2.0 (the "License").  You may not use
 + * this file except in compliance with the License.  You can obtain a copy
 + * in the file LICENSE in the source distribution or at
 + * https://www.openssl.org/source/license.html
 + */
 +
 +#include "crypto/s390x_arch.h"
 +
 +static OSSL_FUNC_cipher_encrypt_init_fn s390x_aes_xts_einit;
 +static OSSL_FUNC_cipher_decrypt_init_fn s390x_aes_xts_dinit;
 +static OSSL_FUNC_cipher_cipher_fn s390x_aes_xts_cipher;
 +static OSSL_FUNC_cipher_dupctx_fn s390x_aes_xts_dupctx;
 +
 +static int s390x_aes_xts_init(void *vctx, const unsigned char *key,
 +                              size_t keylen, const unsigned char *iv,
 +                              size_t ivlen, const OSSL_PARAM params[],
 +                              unsigned int dec)
 +{
 +    PROV_AES_XTS_CTX *xctx = (PROV_AES_XTS_CTX *)vctx;
 +    S390X_KM_XTS_PARAMS *km = &xctx->plat.s390x.param.km;
 +    unsigned int fc, offs;
 +
 +    switch (xctx->base.keylen) {
 +    case 128 / 8 * 2:
 +        fc = S390X_XTS_AES_128_MSA10;
 +        offs = 32;
 +        break;
 +    case 256 / 8 * 2:
 +        fc = S390X_XTS_AES_256_MSA10;
 +        offs = 0;
 +        break;
 +    default:
 +        goto not_supported;
 +    }
 +
 +    if (!(OPENSSL_s390xcap_P.km[1] && S390X_CAPBIT(fc)))
 +        goto not_supported;
 +
 +    if (iv != NULL) {
 +        if (ivlen != xctx->base.ivlen
 +                || ivlen > sizeof(km->tweak)) {
 +            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
 +            return 0;
 +        }
 +        memcpy(km->tweak, iv, ivlen);
 +        xctx->plat.s390x.iv_set = 1;
 +    }
 +
 +    if (key != NULL) {
 +        if (keylen != xctx->base.keylen) {
 +            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
 +            return 0;
 +        }
 +        if (!aes_xts_check_keys_differ(key, keylen / 2, !dec))
 +            return 0;
 +
 +        memcpy(km->key + offs, key, keylen);
 +        xctx->plat.s390x.key_set = 1;
 +    }
 +
 +    xctx->plat.s390x.fc = fc | dec;
 +    xctx->plat.s390x.offset = offs;
 +
 +    memset(km->nap, 0, sizeof(km->nap));
 +    km->nap[0] = 0x1;
 +
 +    return aes_xts_set_ctx_params(xctx, params);
 +
 +not_supported:
 +    xctx->plat.s390x.fc = 0;
 +    xctx->plat.s390x.offset = 0;
 +    return 0;
 +}
 +
 +static int s390x_aes_xts_einit(void *vctx, const unsigned char *key,
 +                               size_t keylen, const unsigned char *iv,
 +                               size_t ivlen, const OSSL_PARAM params[])
 +{
 +    return s390x_aes_xts_init(vctx, key, keylen, iv, ivlen, params, 0);
 +}
 +
 +static int s390x_aes_xts_dinit(void *vctx, const unsigned char *key,
 +                               size_t keylen, const unsigned char *iv,
 +                               size_t ivlen, const OSSL_PARAM params[])
 +{
 +    return s390x_aes_xts_init(vctx, key, keylen, iv, ivlen, params,
 +                              S390X_DECRYPT);
 +}
 +
 +static void *s390x_aes_xts_dupctx(void *vctx)
 +{
 +    PROV_AES_XTS_CTX *in = (PROV_AES_XTS_CTX *)vctx;
 +    PROV_AES_XTS_CTX *ret = OPENSSL_zalloc(sizeof(*in));
 +
 +    if (ret != NULL)
 +        *ret = *in;
 +
 +    return ret;
 +}
 +
 +static int s390x_aes_xts_cipher(void *vctx, unsigned char *out, size_t *outl,
 +                                size_t outsize, const unsigned char *in,
 +                                size_t inl)
 +{
 +    PROV_AES_XTS_CTX *xctx = (PROV_AES_XTS_CTX *)vctx;
 +    S390X_KM_XTS_PARAMS *km = &xctx->plat.s390x.param.km;
 +    unsigned char *param = (unsigned char *)km + xctx->plat.s390x.offset;
 +    unsigned int fc = xctx->plat.s390x.fc;
 +    unsigned char tmp[2][AES_BLOCK_SIZE];
 +    unsigned char nap_n1[AES_BLOCK_SIZE];
 +    unsigned char drop[AES_BLOCK_SIZE];
 +    size_t len_incomplete, len_complete;
 +
 +    if (!ossl_prov_is_running()
 +            || inl < AES_BLOCK_SIZE
 +            || in == NULL
 +            || out == NULL
 +            || !xctx->plat.s390x.iv_set
 +            || !xctx->plat.s390x.key_set)
 +        return 0;
 +
 +    /*
 +     * Impose a limit of 2^20 blocks per data unit as specified by
 +     * IEEE Std 1619-2018.  The earlier and obsolete IEEE Std 1619-2007
 +     * indicated that this was a SHOULD NOT rather than a MUST NOT.
 +     * NIST SP 800-38E mandates the same limit.
 +     */
 +    if (inl > XTS_MAX_BLOCKS_PER_DATA_UNIT * AES_BLOCK_SIZE) {
 +        ERR_raise(ERR_LIB_PROV, PROV_R_XTS_DATA_UNIT_IS_TOO_LARGE);
 +        return 0;
 +    }
 +
 +    len_incomplete = inl % AES_BLOCK_SIZE;
 +    len_complete = (len_incomplete == 0) ? inl :
 +                       (inl / AES_BLOCK_SIZE - 1) * AES_BLOCK_SIZE;
 +
 +    if (len_complete > 0)
 +        s390x_km(in, len_complete, out, fc, param);
 +    if (len_incomplete == 0)
 +       goto out;
 +
 +    memcpy(tmp, in + len_complete, AES_BLOCK_SIZE + len_incomplete);
 +    /* swap NAP for decrypt */
 +    if (fc & S390X_DECRYPT) {
 +        memcpy(nap_n1, km->nap, AES_BLOCK_SIZE);
 +        s390x_km(tmp[0], AES_BLOCK_SIZE, drop, fc, param);
 +    }
 +    s390x_km(tmp[0], AES_BLOCK_SIZE, tmp[0], fc, param);
 +    if (fc & S390X_DECRYPT)
 +        memcpy(km->nap, nap_n1, AES_BLOCK_SIZE);
 +
 +    memcpy(tmp[1] + len_incomplete, tmp[0] + len_incomplete,
 +           AES_BLOCK_SIZE - len_incomplete);
 +    s390x_km(tmp[1], AES_BLOCK_SIZE, out + len_complete, fc, param);
 +    memcpy(out + len_complete + AES_BLOCK_SIZE, tmp[0], len_incomplete);
 +
 +    /* do not expose temporary data */
 +    OPENSSL_cleanse(tmp, sizeof(tmp));
 +out:
 +    memcpy(xctx->base.iv, km->tweak, AES_BLOCK_SIZE);
 +    *outl = inl;
 +
 +    return 1;
 +}
--- a/openssl-3-jitterentropy-3.4.0.patch
+++ b/openssl-3-jitterentropy-3.4.0.patch
@@ -1,364 +0,0 @@
 Index: openssl-3.2.3/Configurations/00-base-templates.conf
 ===================================================================
 --- openssl-3.2.3.orig/Configurations/00-base-templates.conf
 +++ openssl-3.2.3/Configurations/00-base-templates.conf
@@ -88,6 +88,7 @@ my %targets=(
             sub {
                 my @libs = ();
                 push(@libs, "-lz") if !defined($disabled{zlib}) && defined($disabled{"zlib-dynamic"});
 +		push(@libs, "-ljitterentropy") if !defined($disabled{jitterentropy});
                 if (!defined($disabled{brotli}) && defined($disabled{"brotli-dynamic"})) {
                     push(@libs, "-lbrotlienc");
                     push(@libs, "-lbrotlidec");
 Index: openssl-3.2.3/crypto/rand/rand_jitter_entropy.c
 ===================================================================
 --- /dev/null
 +++ openssl-3.2.3/crypto/rand/rand_jitter_entropy.c
@@ -0,0 +1,97 @@
 +# include "jitterentropy.h"
 +# include "prov/jitter_entropy.h"
 +
 +struct rand_data* ec = NULL;
 +CRYPTO_RWLOCK *jent_lock = NULL;
 +int stop = 0;
 +
 +struct rand_data* FIPS_entropy_init(void)
 +{
 +    if (ec != NULL) {
 +        /* Entropy source has been initiated and collector allocated */
 +        return ec;
 +    }
 +    if (stop != 0) {
 +        /* FIPS_entropy_cleanup() already called, don't initialize it again */
 +        return NULL;
 +    }
 +    if (jent_lock == NULL) {
 +        /* Allocates a new lock to serialize access to jent library */
 +        jent_lock = CRYPTO_THREAD_lock_new();
 +        if (jent_lock == NULL) {
 +            return NULL;
 +        }
 +    }
 +    if (CRYPTO_THREAD_write_lock(jent_lock) == 0) {
 +        return NULL;
 +    }
 +    /* If the initialization is successful, the call returns with 0 */
 +    if (jent_entropy_init_ex(1, JENT_FORCE_FIPS) == 0) {
 +        /* Allocate entropy collector */
 +        ec = jent_entropy_collector_alloc(1, JENT_FORCE_FIPS);
 +    } else {
 +        /* abort if jitter rng fails initialization */
 +        abort();
 +    }
 +    if (ec == NULL) {
 +        /* abort if jitter rng fails initialization */
 +        abort();
 +    }
 +    CRYPTO_THREAD_unlock(jent_lock);
 +
 +    return ec;
 +}
 +
 +/*
 + * The following error codes can be returned by jent_read_entropy_safe():
 + *   -1  entropy_collector is NULL
 + *   -2  RCT failed
 + *   -3  APT failed
 + *   -4  The timer cannot be initialized
 + *   -5  LAG failure
 + *   -6  RCT permanent failure
 + *   -7  APT permanent failure
 + *   -8  LAG permanent failure
 + */
 +ssize_t FIPS_jitter_entropy(unsigned char *buf, size_t buflen)
 +{
 +    ssize_t ent_bytes = -1;
 +
 +    /*
 +     * Order is important. We need to call FIPS_entropy_init() before we
 +     * acquire jent_lock, otherwise it can lead to deadlock. Once we have
 +     * jent_lock, we need to ensure that FIPS_entropy_cleanup() was not called
 +     * in the meantime. Then it's safe to read entropy.
 +     */
 +    if (buf != NULL
 +        && buflen != 0
 +        && FIPS_entropy_init()
 +        && CRYPTO_THREAD_write_lock(jent_lock) != 0
 +        && stop == 0) {
 +        /* Get entropy */
 +        ent_bytes = jent_read_entropy_safe(&ec, (char *)buf, buflen);
 +        if (ent_bytes < 0) {
 +            /* abort if jitter rng fails entropy gathering because health tests failed. */
 +            abort();
 +        }
 +        CRYPTO_THREAD_unlock(jent_lock);
 +    }
 +
 +    return ent_bytes;
 +}
 +
 +void FIPS_entropy_cleanup(void)
 +{
 +    if (jent_lock != NULL && stop == 0) {
 +        CRYPTO_THREAD_write_lock(jent_lock);
 +    }
 +    /* Disable re-initialization in FIPS_entropy_init() */
 +    stop = 1;
 +    /* Free entropy collector */
 +    if (ec != NULL) {
 +        jent_entropy_collector_free(ec);
 +        ec = NULL;
 +    }
 +    CRYPTO_THREAD_lock_free(jent_lock);
 +    jent_lock = NULL;
 +}
 Index: openssl-3.2.3/providers/implementations/rands/seeding/rand_unix.c
 ===================================================================
 --- openssl-3.2.3.orig/providers/implementations/rands/seeding/rand_unix.c
 +++ openssl-3.2.3/providers/implementations/rands/seeding/rand_unix.c
@@ -20,6 +20,7 @@
 #include "internal/dso.h"
 #include "internal/nelem.h"
 #include "prov/seeding.h"
 +#include "prov/jitter_entropy.h"
 #ifdef __linux
 # include <sys/syscall.h>
@@ -633,6 +634,31 @@ size_t ossl_pool_acquire_entropy(RAND_PO
     (void)entropy_available;    /* avoid compiler warning */
 +    /* Use jitter entropy in FIPS mode */
 +    if (EVP_default_properties_is_fips_enabled(NULL))
 +    {
 +        size_t bytes_needed;
 +        unsigned char *buffer;
 +        ssize_t bytes;
 +        /* Maximum allowed number of consecutive unsuccessful attempts */
 +        int attempts = 3;
 +
 +        bytes_needed = ossl_rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
 +        while (bytes_needed != 0 && attempts-- > 0) {
 +            buffer = ossl_rand_pool_add_begin(pool, bytes_needed);
 +            bytes = FIPS_jitter_entropy(buffer, bytes_needed);
 +            if (bytes > 0) {
 +                ossl_rand_pool_add_end(pool, bytes, 8 * bytes);
 +                bytes_needed -= bytes;
 +                attempts = 3; /* reset counter after successful attempt */
 +            } else if (bytes < 0) {
 +                break;
 +            }
 +        }
 +        entropy_available = ossl_rand_pool_entropy_available(pool);
 +        return entropy_available;
 +    }
 +
 #   if defined(OPENSSL_RAND_SEED_GETRANDOM)
     {
         size_t bytes_needed;
 Index: openssl-3.2.3/providers/implementations/include/prov/jitter_entropy.h
 ===================================================================
 --- /dev/null
 +++ openssl-3.2.3/providers/implementations/include/prov/jitter_entropy.h
@@ -0,0 +1,17 @@
 +#ifndef OSSL_PROVIDERS_JITTER_ENTROPY_H
 +# define OSSL_PROVIDERS_JITTER_ENTROPY_H
 +
 +# include <openssl/core.h>
 +# include <openssl/types.h>
 +# include <openssl/crypto.h>
 +# include <openssl/fips.h>
 +
 +extern struct rand_data* ec;
 +extern CRYPTO_RWLOCK *jent_lock;
 +extern int stop;
 +
 +struct rand_data* FIPS_entropy_init(void);
 +ssize_t FIPS_jitter_entropy(unsigned char *buf, size_t buflen);
 +void FIPS_entropy_cleanup(void);
 +
 +#endif
 Index: openssl-3.2.3/providers/fips/self_test.c
 ===================================================================
 --- openssl-3.2.3.orig/providers/fips/self_test.c
 +++ openssl-3.2.3/providers/fips/self_test.c
@@ -20,6 +20,7 @@
 #include "internal/tsan_assist.h"
 #include "prov/providercommon.h"
 #include "crypto/rand.h"
 +#include "prov/jitter_entropy.h"
 /*
  * We're cheating here. Normally we don't allow RUN_ONCE usage inside the FIPS
@@ -498,6 +499,11 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
         return 0;
     }
 +    if (!FIPS_entropy_init()) {
 +        ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_ENTROPY_INIT_FAILED);
 +        goto end;
 +    }
 +
     if (st == NULL) {
         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
         goto end;
 Index: openssl-3.2.3/include/openssl/proverr.h
 ===================================================================
 --- openssl-3.2.3.orig/include/openssl/proverr.h
 +++ openssl-3.2.3/include/openssl/proverr.h
@@ -44,6 +44,7 @@
 # define PROV_R_FAILED_TO_GET_PARAMETER                   103
 # define PROV_R_FAILED_TO_SET_PARAMETER                   104
 # define PROV_R_FAILED_TO_SIGN                            175
 +# define PROV_R_FIPS_ENTROPY_INIT_FAILED                  234
 # define PROV_R_FIPS_MODULE_CONDITIONAL_ERROR             227
 # define PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE          224
 # define PROV_R_FIPS_MODULE_IN_ERROR_STATE                225
 Index: openssl-3.2.3/providers/common/provider_err.c
 ===================================================================
 --- openssl-3.2.3.orig/providers/common/provider_err.c
 +++ openssl-3.2.3/providers/common/provider_err.c
@@ -54,6 +54,8 @@ static const ERR_STRING_DATA PROV_str_re
     {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FAILED_TO_SET_PARAMETER),
     "failed to set parameter"},
     {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FAILED_TO_SIGN), "failed to sign"},
 +    {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_ENTROPY_INIT_FAILED),
 +    "fips module jitter entropy init failed"},
     {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_CONDITIONAL_ERROR),
     "fips module conditional error"},
     {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE),
 Index: openssl-3.2.3/crypto/rand/build.info
 ===================================================================
 --- openssl-3.2.3.orig/crypto/rand/build.info
 +++ openssl-3.2.3/crypto/rand/build.info
@@ -1,6 +1,6 @@
 LIBS=../../libcrypto
 -$COMMON=rand_lib.c
 +$COMMON=rand_lib.c rand_jitter_entropy.c
 $CRYPTO=randfile.c rand_err.c rand_deprecated.c prov_seed.c rand_pool.c \
         rand_uniform.c
 Index: openssl-3.2.3/providers/fips/fipsprov.c
 ===================================================================
 --- openssl-3.2.3.orig/providers/fips/fipsprov.c
 +++ openssl-3.2.3/providers/fips/fipsprov.c
@@ -27,6 +27,7 @@
 #include "crypto/context.h"
 #include "internal/core.h"
 #include "indicator.h"
 +#include "prov/jitter_entropy.h"
 static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes";
 static const char FIPS_UNAPPROVED_PROPERTIES[] = "provider=fips,fips=no";
@@ -609,6 +610,7 @@ const OSSL_SUSE_FIPSINDICATOR_ALGORITHM
 static void fips_teardown(void *provctx)
 {
 +    FIPS_entropy_cleanup();
     OSSL_LIB_CTX_free(PROV_LIBCTX_OF(provctx));
     ossl_prov_ctx_free(provctx);
 }
 Index: openssl-3.2.3/util/libcrypto.num
 ===================================================================
 --- openssl-3.2.3.orig/util/libcrypto.num
 +++ openssl-3.2.3/util/libcrypto.num
@@ -5539,3 +5539,5 @@ BIO_ADDR_copy
 ossl_safe_getenv                        ?	3_2_0	EXIST::FUNCTION:
 ossl_ctx_legacy_digest_signatures_allowed ?	3_0_1	EXIST::FUNCTION:
 ossl_ctx_legacy_digest_signatures_allowed_set ?	3_0_1	EXIST::FUNCTION:
 +FIPS_entropy_init                       ?	3_1_4   EXIST::FUNCTION:
 +FIPS_entropy_cleanup                    ?	3_1_4   EXIST::FUNCTION:
 Index: openssl-3.2.3/Configure
 ===================================================================
 --- openssl-3.2.3.orig/Configure
 +++ openssl-3.2.3/Configure
@@ -469,6 +469,7 @@ my @disablables = (
     "gost",
     "http",
     "idea",
 +    "jitterentropy",
     "ktls",
     "legacy",
     "loadereng",
@@ -573,6 +574,7 @@ our %disabled = ( # "what"         => "c
                   "external-tests"      => "default",
                   "fuzz-afl"            => "default",
                   "fuzz-libfuzzer"      => "default",
 +                  "jitterentropy"       => "default",
                   "ktls"                => "default",
                   "md2"                 => "default",
                   "msan"                => "default",
@@ -801,7 +803,7 @@ my %cmdvars = ();               # Stores
 my %unsupported_options = ();
 my %deprecated_options = ();
 # If you change this, update apps/version.c
 -my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom);
 +my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom jitterentropy);
 my @seed_sources = ();
 while (@argvcopy)
         {
@@ -1291,6 +1293,9 @@ if (scalar(@seed_sources) == 0) {
 if (scalar(grep { $_ eq 'egd' } @seed_sources) > 0) {
     delete $disabled{'egd'};
 }
 +if (scalar(grep { $_ eq 'jitterentropy' } @seed_sources) > 0) {
 +    delete $disabled{'jitterentropy'};
 +}
 if (scalar(grep { $_ eq 'none' } @seed_sources) > 0) {
     die "Cannot seed with none and anything else" if scalar(@seed_sources) > 1;
     warn <<_____ if scalar(@seed_sources) == 1;
 Index: openssl-3.2.3/crypto/info.c
 ===================================================================
 --- openssl-3.2.3.orig/crypto/info.c
 +++ openssl-3.2.3/crypto/info.c
@@ -15,6 +15,9 @@
 #include "internal/e_os.h"
 #include "buildinf.h"
 +# include <stdio.h>
 +# include <jitterentropy.h>
 +
 #if defined(__arm__) || defined(__arm) || defined(__aarch64__)
 # include "arm_arch.h"
 # define CPU_INFO_STR_LEN 128
@@ -128,6 +131,14 @@ DEFINE_RUN_ONCE_STATIC(init_info_strings
             OPENSSL_strlcat(seeds, ")", sizeof(seeds));                 \
         } while (0)
 +        /* In FIPS mode, only jitterentropy is used for seeding and
 +         * reseeding the primary DRBG.
 +         */
 +        if (EVP_default_properties_is_fips_enabled(NULL)) {
 +            char jent_version_string[32];
 +            sprintf(jent_version_string, "jitterentropy (%d)", jent_version());
 +            add_seeds_string(jent_version_string);
 +        } else {
 #ifdef OPENSSL_RAND_SEED_NONE
         add_seeds_string("none");
 #endif
@@ -156,6 +167,7 @@ DEFINE_RUN_ONCE_STATIC(init_info_strings
 #ifdef OPENSSL_RAND_SEED_OS
         add_seeds_string("os-specific");
 #endif
 +        }
         seed_sources = seeds;
     }
     return 1;
 Index: openssl-3.2.3/INSTALL.md
 ===================================================================
 --- openssl-3.2.3.orig/INSTALL.md
 +++ openssl-3.2.3/INSTALL.md
@@ -511,6 +511,12 @@ if provided by the CPU.
 Use librandom (not implemented yet).
 This source is ignored by the FIPS provider.
 +### jitterentropy
 +
 +Use [jitterentropy-library](https://github.com/smuellerDD/jitterentropy-library)
 +dynamically linked. In FIPS mode, only the jitter RNG is used to seed and reseed
 +the primary DRBG.
 +
 ### none
 Disable automatic seeding.  This is the default on some operating systems where
--- a/openssl-3-support-CPACF-sha3-shake-perf-improvement.patch
+++ b/openssl-3-support-CPACF-sha3-shake-perf-improvement.patch
@@ -1,196 +0,0 @@
 From 25f5d7b85f6657cd2f9f1ab7ae87f319d9bafe54 Mon Sep 17 00:00:00 2001
 From: Joerg Schmidbauer <jschmidb@de.ibm.com>
 Date: Thu, 29 Feb 2024 12:50:05 +0100
 Subject: [PATCH] s390x: support CPACF sha3/shake performance improvements
 On newer machines the SHA3/SHAKE performance of CPACF instructions KIMD and KLMD
 can be enhanced by using additional modifier bits. This allows the application
 to omit initializing the ICV, but also affects the internal processing of the
 instructions. Performance is mostly gained when processing short messages.
 The new CPACF feature is backwards compatible with older machines, i.e. the new
 modifier bits are ignored on older machines. However, to save the ICV
 initialization, the application must detect the MSA level and omit the ICV
 initialization only if this feature is supported.
 Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
 Reviewed-by: Paul Dale <ppzgs1@gmail.com>
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/25235)
 ---
 crypto/s390x_arch.h                           |  3 ++
 crypto/s390xcpuid.pl                          |  4 +--
 crypto/sha/sha3.c                             |  8 +++++-
 providers/implementations/digests/sha3_prov.c | 28 +++++++++++++++----
 4 files changed, 34 insertions(+), 9 deletions(-)
 Index: openssl-3.2.3/crypto/s390x_arch.h
 ===================================================================
 --- openssl-3.2.3.orig/crypto/s390x_arch.h
 +++ openssl-3.2.3/crypto/s390x_arch.h
@@ -191,6 +191,9 @@ extern int OPENSSL_s390xcex;
 # define S390X_KMA_LAAD         0x200
 # define S390X_KMA_HS           0x400
 # define S390X_KDSA_D           0x80
 +# define S390X_KIMD_NIP         0x8000
 +# define S390X_KLMD_DUFOP       0x4000
 +# define S390X_KLMD_NIP         0x8000
 # define S390X_KLMD_PS          0x100
 # define S390X_KMAC_IKP         0x8000
 # define S390X_KMAC_IIMP        0x4000
 Index: openssl-3.2.3/crypto/s390xcpuid.pl
 ===================================================================
 --- openssl-3.2.3.orig/crypto/s390xcpuid.pl
 +++ openssl-3.2.3/crypto/s390xcpuid.pl
@@ -308,7 +308,7 @@ s390x_kimd:
 	llgfr	%r0,$fc
 	lgr	%r1,$param
 -	.long	0xb93e0002	# kimd %r0,%r2
 +	.long	0xb93e8002	# kimd %r0,%r2[,M3]
 	brc	1,.-4		# pay attention to "partial completion"
 	br	$ra
@@ -329,7 +329,7 @@ s390x_klmd:
 	llgfr	%r0,$fc
 	l${g}	%r1,$stdframe($sp)
 -	.long	0xb93f0042	# klmd %r4,%r2
 +	.long	0xb93f8042	# klmd %r4,%r2[,M3]
 	brc	1,.-4		# pay attention to "partial completion"
 	br	$ra
 Index: openssl-3.2.3/crypto/sha/sha3.c
 ===================================================================
 --- openssl-3.2.3.orig/crypto/sha/sha3.c
 +++ openssl-3.2.3/crypto/sha/sha3.c
@@ -8,13 +8,19 @@
  */
 #include <string.h>
 +#if defined(__s390x__) && defined(OPENSSL_CPUID_OBJ)
 +# include "crypto/s390x_arch.h"
 +#endif
 #include "internal/sha3.h"
 void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r, int next);
 void ossl_sha3_reset(KECCAK1600_CTX *ctx)
 {
 -    memset(ctx->A, 0, sizeof(ctx->A));
 +#if defined(__s390x__) && defined(OPENSSL_CPUID_OBJ)
 +    if (!(OPENSSL_s390xcap_P.stfle[1] & S390X_CAPBIT(S390X_MSA12)))
 +#endif
 +        memset(ctx->A, 0, sizeof(ctx->A));
     ctx->bufsz = 0;
     ctx->xof_state = XOF_STATE_INIT;
 }
 Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
 ===================================================================
 --- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
 +++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
@@ -187,26 +187,32 @@ static size_t s390x_sha3_absorb(void *vc
 {
     KECCAK1600_CTX *ctx = vctx;
     size_t rem = len % ctx->block_size;
 +    unsigned int fc;
     if (!(ctx->xof_state == XOF_STATE_INIT ||
           ctx->xof_state == XOF_STATE_ABSORB))
         return 0;
 +    fc = ctx->pad;
 +    fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0;
     ctx->xof_state = XOF_STATE_ABSORB;
 -    s390x_kimd(inp, len - rem, ctx->pad, ctx->A);
 +    s390x_kimd(inp, len - rem, fc, ctx->A);
     return rem;
 }
 static int s390x_sha3_final(void *vctx, unsigned char *out, size_t outlen)
 {
     KECCAK1600_CTX *ctx = vctx;
 +    unsigned int fc;
     if (!ossl_prov_is_running())
         return 0;
     if (!(ctx->xof_state == XOF_STATE_INIT ||
           ctx->xof_state == XOF_STATE_ABSORB))
         return 0;
 +    fc = ctx->pad | S390X_KLMD_DUFOP;
 +    fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KLMD_NIP : 0;
     ctx->xof_state = XOF_STATE_FINAL;
 -    s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, ctx->pad, ctx->A);
 +    s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, fc, ctx->A);
     memcpy(out, ctx->A, outlen);
     return 1;
 }
@@ -214,14 +220,17 @@ static int s390x_sha3_final(void *vctx,
 static int s390x_shake_final(void *vctx, unsigned char *out, size_t outlen)
 {
     KECCAK1600_CTX *ctx = vctx;
 +    unsigned int fc;
     if (!ossl_prov_is_running())
         return 0;
     if (!(ctx->xof_state == XOF_STATE_INIT ||
           ctx->xof_state == XOF_STATE_ABSORB))
         return 0;
 +    fc = ctx->pad | S390X_KLMD_DUFOP;
 +    fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KLMD_NIP : 0;
     ctx->xof_state = XOF_STATE_FINAL;
 -    s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, ctx->pad, ctx->A);
 +    s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, fc, ctx->A);
     return 1;
 }
@@ -271,24 +280,28 @@ static int s390x_keccakc_final(void *vct
     size_t bsz = ctx->block_size;
     size_t num = ctx->bufsz;
     size_t needed = outlen;
 +    unsigned int fc;
     if (!ossl_prov_is_running())
         return 0;
     if (!(ctx->xof_state == XOF_STATE_INIT ||
           ctx->xof_state == XOF_STATE_ABSORB))
         return 0;
 +    fc = ctx->pad;
 +    fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0;
     ctx->xof_state = XOF_STATE_FINAL;
     if (outlen == 0)
         return 1;
     memset(ctx->buf + num, 0, bsz - num);
     ctx->buf[num] = padding;
     ctx->buf[bsz - 1] |= 0x80;
 -    s390x_kimd(ctx->buf, bsz, ctx->pad, ctx->A);
 +    s390x_kimd(ctx->buf, bsz, fc, ctx->A);
     num = needed > bsz ? bsz : needed;
     memcpy(out, ctx->A, num);
     needed -= num;
     if (needed > 0)
 -        s390x_klmd(NULL, 0, out + bsz, needed, ctx->pad | S390X_KLMD_PS, ctx->A);
 +        s390x_klmd(NULL, 0, out + bsz, needed,
 +                   ctx->pad | S390X_KLMD_PS | S390X_KLMD_DUFOP, ctx->A);
     return 1;
 }
@@ -308,6 +321,7 @@ static int s390x_keccakc_squeeze(void *v
 {
     KECCAK1600_CTX *ctx = vctx;
     size_t len;
 +    unsigned int fc;
     if (!ossl_prov_is_running())
         return 0;
@@ -323,7 +337,9 @@ static int s390x_keccakc_squeeze(void *v
         memset(ctx->buf + ctx->bufsz, 0, len);
         ctx->buf[ctx->bufsz] = padding;
         ctx->buf[ctx->block_size - 1] |= 0x80;
 -        s390x_kimd(ctx->buf, ctx->block_size, ctx->pad, ctx->A);
 +        fc = ctx->pad;
 +        fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0;
 +        s390x_kimd(ctx->buf, ctx->block_size, fc, ctx->A);
         ctx->bufsz = 0;
         /* reuse ctx->bufsz to count bytes squeezed from current sponge */
     }
--- a/openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch
+++ b/openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch
@@ -1,160 +0,0 @@
 commit 94898923538f686b74b6ddef34571f804d9b3811
 Author: Holger Dengler <dengler@linux.ibm.com>
 Date:   Wed Sep 27 15:40:47 2023 +0200
    Support EVP_DigestSqueeze() for in the digest provider for s390x.
    The new EVP_DigestSqueeze() API requires changes to all keccak-based
    digest provider implementations. Update the s390x-part of the SHA3
    digest provider.
    Squeeze for SHA3 is not supported, so add an empty function pointer
    (NULL).
    Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
    Reviewed-by: Todd Short <todd.short@me.com>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/22221)
 diff --git a/providers/implementations/digests/sha3_prov.c b/providers/implementations/digests/sha3_prov.c
 index f691273baf..2fd0f928e7 100644
 --- a/providers/implementations/digests/sha3_prov.c
 +++ b/providers/implementations/digests/sha3_prov.c
@@ -225,6 +225,45 @@ static int s390x_shake_final(void *vctx, unsigned char *out, size_t outlen)
     return 1;
 }
 +static int s390x_shake_squeeze(void *vctx, unsigned char *out, size_t outlen)
 +{
 +    KECCAK1600_CTX *ctx = vctx;
 +    size_t len;
 +
 +    if (!ossl_prov_is_running())
 +        return 0;
 +    if (ctx->xof_state == XOF_STATE_FINAL)
 +        return 0;
 +    /*
 +     * On the first squeeze call, finish the absorb process (incl. padding).
 +     */
 +    if (ctx->xof_state != XOF_STATE_SQUEEZE) {
 +        ctx->xof_state = XOF_STATE_SQUEEZE;
 +        s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, ctx->pad, ctx->A);
 +        ctx->bufsz = outlen % ctx->block_size;
 +        /* reuse ctx->bufsz to count bytes squeezed from current sponge */
 +        return 1;
 +    }
 +    ctx->xof_state = XOF_STATE_SQUEEZE;
 +    if (ctx->bufsz != 0) {
 +        len = ctx->block_size - ctx->bufsz;
 +        if (outlen < len)
 +            len = outlen;
 +        memcpy(out, (char *)ctx->A + ctx->bufsz, len);
 +        out += len;
 +        outlen -= len;
 +        ctx->bufsz += len;
 +        if (ctx->bufsz == ctx->block_size)
 +            ctx->bufsz = 0;
 +    }
 +    if (outlen == 0)
 +        return 1;
 +    s390x_klmd(NULL, 0, out, outlen, ctx->pad | S390X_KLMD_PS, ctx->A);
 +    ctx->bufsz = outlen % ctx->block_size;
 +
 +    return 1;
 +}
 +
 static int s390x_keccakc_final(void *vctx, unsigned char *out, size_t outlen,
                                int padding)
 {
@@ -264,28 +303,86 @@ static int s390x_kmac_final(void *vctx, unsigned char *out, size_t outlen)
     return s390x_keccakc_final(vctx, out, outlen, 0x04);
 }
 +static int s390x_keccakc_squeeze(void *vctx, unsigned char *out, size_t outlen,
 +                                 int padding)
 +{
 +    KECCAK1600_CTX *ctx = vctx;
 +    size_t len;
 +
 +    if (!ossl_prov_is_running())
 +        return 0;
 +    if (ctx->xof_state == XOF_STATE_FINAL)
 +        return 0;
 +    /*
 +     * On the first squeeze call, finish the absorb process
 +     * by adding the trailing padding and then doing
 +     * a final absorb.
 +     */
 +    if (ctx->xof_state != XOF_STATE_SQUEEZE) {
 +        len = ctx->block_size - ctx->bufsz;
 +        memset(ctx->buf + ctx->bufsz, 0, len);
 +        ctx->buf[ctx->bufsz] = padding;
 +        ctx->buf[ctx->block_size - 1] |= 0x80;
 +        s390x_kimd(ctx->buf, ctx->block_size, ctx->pad, ctx->A);
 +        ctx->bufsz = 0;
 +        /* reuse ctx->bufsz to count bytes squeezed from current sponge */
 +    }
 +    if (ctx->bufsz != 0 || ctx->xof_state != XOF_STATE_SQUEEZE) {
 +        len = ctx->block_size - ctx->bufsz;
 +        if (outlen < len)
 +            len = outlen;
 +        memcpy(out, (char *)ctx->A + ctx->bufsz, len);
 +        out += len;
 +        outlen -= len;
 +        ctx->bufsz += len;
 +        if (ctx->bufsz == ctx->block_size)
 +            ctx->bufsz = 0;
 +    }
 +    ctx->xof_state = XOF_STATE_SQUEEZE;
 +    if (outlen == 0)
 +        return 1;
 +    s390x_klmd(NULL, 0, out, outlen, ctx->pad | S390X_KLMD_PS, ctx->A);
 +    ctx->bufsz = outlen % ctx->block_size;
 +
 +    return 1;
 +}
 +
 +static int s390x_keccak_squeeze(void *vctx, unsigned char *out, size_t outlen)
 +{
 +     return s390x_keccakc_squeeze(vctx, out, outlen, 0x01);
 +}
 +
 +static int s390x_kmac_squeeze(void *vctx, unsigned char *out, size_t outlen)
 +{
 +     return s390x_keccakc_squeeze(vctx, out, outlen, 0x04);
 +}
 +
 static PROV_SHA3_METHOD sha3_s390x_md =
 {
     s390x_sha3_absorb,
 -    s390x_sha3_final
 +    s390x_sha3_final,
 +    NULL,
 };
 static PROV_SHA3_METHOD keccak_s390x_md =
 {
     s390x_sha3_absorb,
     s390x_keccak_final,
 +    s390x_keccak_squeeze,
 };
 static PROV_SHA3_METHOD shake_s390x_md =
 {
     s390x_sha3_absorb,
 -    s390x_shake_final
 +    s390x_shake_final,
 +    s390x_shake_squeeze,
 };
 static PROV_SHA3_METHOD kmac_s390x_md =
 {
     s390x_sha3_absorb,
 -    s390x_kmac_final
 +    s390x_kmac_final,
 +    s390x_kmac_squeeze,
 };
 # define SHAKE_SET_MD(uname, typ)                                              \
--- a/openssl-3-support-multiple-sha3_squeeze_s390x.patch
+++ b/openssl-3-support-multiple-sha3_squeeze_s390x.patch
@@ -1,46 +0,0 @@
 commit bff62480333680463c82e88fdc67ed5ec14a0017
 Author: Holger Dengler <dengler@linux.ibm.com>
 Date:   Wed Sep 27 11:18:18 2023 +0200
    Support multiple calls of low level SHA3_squeeze() for s390x.
    The low level SHA3_Squeeze() function needed to change slightly so
    that it can handle multiple squeezes. Support this on s390x
    architecture as well.
    Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
    Reviewed-by: Todd Short <todd.short@me.com>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/22221)
 diff --git a/crypto/sha/asm/keccak1600-s390x.pl b/crypto/sha/asm/keccak1600-s390x.pl
 index 86233c7e38..7d5ebde117 100755
 --- a/crypto/sha/asm/keccak1600-s390x.pl
 +++ b/crypto/sha/asm/keccak1600-s390x.pl
@@ -472,7 +472,7 @@ SHA3_absorb:
 .size	SHA3_absorb,.-SHA3_absorb
 ___
 }
 -{ my ($A_flat,$out,$len,$bsz) = map("%r$_",(2..5));
 +{ my ($A_flat,$out,$len,$bsz,$next) = map("%r$_",(2..6));
 $code.=<<___;
 .globl	SHA3_squeeze
@@ -484,6 +484,7 @@ SHA3_squeeze:
 	lghi	%r14,8
 	st${g}	$bsz,5*$SIZE_T($sp)
 	la	%r1,0($A_flat)
 +	cijne	$next,0,.Lnext_block
 	j	.Loop_squeeze
@@ -501,6 +502,7 @@ SHA3_squeeze:
 	brct	$bsz,.Loop_squeeze	# bsz--
 +.Lnext_block:
 	stm${g}	$out,$len,3*$SIZE_T($sp)
 	bras	%r14,.LKeccakF1600
 	lm${g}	$out,$bsz,3*$SIZE_T($sp)
--- a/openssl-3-use-include-directive.patch
+++ b/openssl-3-use-include-directive.patch
@@ -1,35 +0,0 @@
 ---
 apps/openssl.cnf |   13 +++++++++++++
 1 file changed, 13 insertions(+)
 Index: openssl-3.1.4/apps/openssl.cnf
 ===================================================================
 --- openssl-3.1.4.orig/apps/openssl.cnf
 +++ openssl-3.1.4/apps/openssl.cnf
@@ -19,6 +19,7 @@ openssl_conf = openssl_init
 # Comment out the next line to ignore configuration errors
 config_diagnostics = 1
 +[ oid_section ]
 # Extra OBJECT IDENTIFIER info:
 # oid_file       = $ENV::HOME/.oid
 oid_section = new_oids
@@ -47,6 +48,18 @@ providers = provider_sect
 # Load default TLS policy configuration
 ssl_conf = ssl_module
 +engines = engine_section
 +
 +[ engine_section ]
 +
 +# This include will look through the directory that will contain the
 +# engine declarations for any engines provided by other packages.
 +.include /etc/ssl/engines3.d
 +
 +# This include will look through the directory that will contain the
 +# definitions of the engines declared in the engine section.
 +.include /etc/ssl/engdef3.d
 +
 # Uncomment the sections that start with ## below to enable the legacy provider.
 # Loading the legacy provider enables support for the following algorithms:
 # Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
--- a/openssl-3.1.4.tar.gz
+++ b/openssl-3.1.4.tar.gz
--- a/openssl-3.1.4.tar.gz.asc
+++ b/openssl-3.1.4.tar.gz.asc
@@ -1,16 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCAAdFiEE78CkZ9YTy4PH7W0w2JTizos9efUFAmU3yaoACgkQ2JTizos9
 efXt8BAAqcF9RBzduklMCXSfG4Rzs2KcWmR1+BB0izxG3KwPr+r54qBbSRCCImHA
 U22An//xsDsQZ0K4rrkkkumpJCxLV/4F3TlEBdoCS4wzDXz/LfONzTuZ8Z3QP/Si
 ElHTKdqPo2tp6LrDIUSGa9BmK1AsxkhOoC/uJlGpLP0mLJGI3PGo5ordyERAjL/C
 hTumE16ErrXY3kHVPAeD6tJlxtV3M9UxsZAOK6LVfnhXLzz8hWMu2H5ZigXZWCDx
 NG6ylV4xxfqO9eLxT2wUrJzg24w0VZzmbD+ZeZ24v9aAxGsbl3ZHLgMKkDehNNuP
 0ADh3aGq9FkIg5n53UQu0pbOc6aBPgWwVuaNfxOheG2GqBCoca42ikW20QZyJAec
 h3uLQ76vnWOjUIjeRCjpw0+OCUaWr0wx5WzzfdgYc813VwN6FaC9ZmB46oaLfIeD
 MBAyuUxdTif/7SXmGgUIQDIf4Vxr2H7I0NyyDxD+y+C2gwn+zVvuVcBBc2cNq4QN
 UINxZvm75CwaCsys+MDjSneDhpcSlAPqTJqM3DvKf/r3+27buz+sFw463fTHnv0F
 FpyBPgvvusY4Z4h/jqLcfkl2MBOxlo+lpZJdPpQoEvGz751GsKmmtb0YgZ7BjrYs
 5vFvo0EJ066J9bWLbp6VZd825B9P2Uy7u3sUz+E5nuavT4eHv7o=
 =EH33
 -----END PGP SIGNATURE-----
--- a/openssl-3.1.7.tar.gz
+++ b/openssl-3.1.7.tar.gz
@@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:053a31fa80cf4aebe1068c987d2ef1e44ce418881427c4464751ae800c31d06c
 size 15684836
--- a/openssl-3.1.7.tar.gz.asc
+++ b/openssl-3.1.7.tar.gz.asc
@@ -1,16 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCAAdFiEEulRzorBYewf7J88tIWCU39DLge8FAmbXB9UACgkQIWCU39DL
 ge/wjg/+MwugS9yaSCXXeqfRDYphyyblQ915j30Zo4kOdxr/ZBkrrzExxQaAN9tC
 NR+w33NPmiQQk8MPKKx3dcOZ3giHv7uGlBbo8fHihoUJ5cM9jDLd0UnqSUKU6C7h
 mK0BcGBj+Y5Sj2wH0NLPbFgfqbk2rbFRyDDoszj/ZahdE/dr1m1W8vI+FFqqqLjO
 hc4J26Dn/oTA1FWgXhIAPQDjG/sUy2waF1Q/nelVkeCwrL5modcW8CXGiwZa5Wan
 93cAgk0VUVq20FGQLVVxhGJ9wMGv48nS/hJKugJci1CFqX1eLc5NrbDah3sejGpA
 9ZgNoguolbxVe+pFDF+Qj5tLM34+ONI4m2wqtKNAA9UN/W2NuQxatDlHYU2u718C
 YpiEodIuNz5ktGAtHAe0fI36rvMJGy/6nKuzMXNF+QmbFzWhtnQRXJuC6uY7dIOa
 QHHYmKboVJCb9Ak2gSuTEJvov8HFnlCRzzXBEN2sP6Xd86flERRcMH41VtEu0u2c
 wB54o5+9l/7PQ3TOSdNUD6JakjraE05KMHB0KwEUIvAEMceaIrp1q6BnVrEzRjdV
 WMsagkvHiv4dUP8lT1DpCEhq7jHyzvHtFrrQq+SAHITgnYiENF6K89w2QLkqoK33
 Co/eerwMazO3+qxASYz7pFODPyVAsTIWvuWAJ6CmtubJBinjVnM=
 =Z8CX
 -----END PGP SIGNATURE-----
--- a/openssl-3.2.4.tar.gz
+++ b/openssl-3.2.4.tar.gz
--- a/openssl-3.2.4.tar.gz.asc
+++ b/openssl-3.2.4.tar.gz.asc
@@ -1,16 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCgAdFiEEulRzorBYewf7J88tIWCU39DLge8FAmerYbgACgkQIWCU39DL
 ge+LMhAAmVXO6X5r3P5P8czf4kT8jFp9xRkp+jlzLZ7+Vt0GOc+8JZRJ/Fmi4fsD
 6nMScDzpJAv/KxOsRCC3l+Fz7eIRWvf+qeSTQggCYAlUF+3Y9qXbnOcCj+8/HPYa
 bAXq7S4hFi3T7NXFyOOx38KxUuhNpcC/tUvMEmYoR8HTm0n1Utf/h/IC9IVoc7at
 raUOo2qTZqwMNFue8fXC7lj6wL81MRD3TYOjePNZAKe2tuPCLoyR+sN8twVbNOLH
 9TDwMZLeCRaLebL9x14knhUOT4+/gsTGH84KS56Ry0YYSDGc2u+58HRaGFBbAEId
 hy4DYrYMCRlcSofPYlzMaFAZ3PSar+6ZPvvEl+OrOzY9DPoXzj0gXQ/NCWqJu9lg
 EQvE6/TnuhXEUxO25eWnIXGBWcmJtECut/rY1sV9OZwaOUPxDWZTxkDuv1dNDqug
 EmrfJHM7KdYVwy7JONReF0ODnNIVAa4HoAZ0EF3K3oySA5KmbA3YkkDGo5aqhpAD
 LZu4+fEmemq1fsEjAxdAk2Vmx4YUElcHEoQGQxSdPlIgl/z/KQ6ONuYoGIgXUXH8
 omXxceapMLP3DkHEpFxOYACCderAxDsZAjgFxM2Rlvp8afCq/C2wFYFDERU9XNIS
 SIc4N+NAoDAxSk6ScGSzORO78lFIGzBIX3pLSCCIezGCyfeHtYo=
 =HqP/
 -----END PGP SIGNATURE-----
--- a/openssl-3.5.0.tar.gz
+++ b/openssl-3.5.0.tar.gz
--- a/openssl-3.5.0.tar.gz.asc
+++ b/openssl-3.5.0.tar.gz.asc
@@ -1,16 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCgAdFiEEulRzorBYewf7J88tIWCU39DLge8FAmf1ITQACgkQIWCU39DL
 ge+kyhAAjicxaMPBhcQqgnp3RyZhf4hOwVEzkUu3ouEjdIccz8NMxwV4Kf298ivL
 DHF/0HZQuHzIjcO/vQLLG66XCeiS0bDDIxEj457iYDr/lbWvGOqKgH+e5u7fo4iG
 f3aRZ/ACVuFXQ9LWjtR0M15HGJ/fKCCJQgIFwZ103tz4ptO6PBtUFK3PNGUpVjbV
 00oJ0msl2NDwrKpymVNKp9gXva7RfzIggPDl6MC80m54T7aruXhqur4dxkcyD+pa
 WmYKd4659jhCHRlXGZzz8XcLUsa3gQzP8W2RIqMZY8hdaaGnPEZY942s7KwRsdq0
 Blr54GBTpK8TLAUfBuFkFejS5bSbGsCGgAt9lP8ZkscRiG5tGdBYV/KUcOD7a1Xa
 VnsLlePtWlJGAWZt54JhQz5/dQtI51xJmhzbcHB5mTtDY0SZ7EnHNgTo1UY4cZZd
 sI3QhEgCOEh9UCMBQrxpaR9+chFaTd4hlYfbJAZgfI6XZyx8uSvngl3K/22anJmR
 Js1q8sE0G4hbtaSM5YecdX+RAMAwfujwqDY6BEM032kAO9eGe0PEnCRC8b23bRxF
 Vqmuwv7VpUMxCjo0k5GUC4Bj502r3H9ArPTVTI/E9Elhrc2jGfrU6bPdMmaz3qAi
 nKMjtRtsg81LwSlxg2ypi2L+liv6md2QkaQswMS6k+JGRaR5sVc=
 =pAni
 -----END PGP SIGNATURE-----
--- a/openssl-3.5.1.tar.gz
+++ b/openssl-3.5.1.tar.gz
@@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:529043b15cffa5f36077a4d0af83f3de399807181d607441d734196d889b641f
 size 53158817
--- a/openssl-3.5.1.tar.gz.asc
+++ b/openssl-3.5.1.tar.gz.asc
@@ -1,16 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCgAdFiEEulRzorBYewf7J88tIWCU39DLge8FAmhjzLwACgkQIWCU39DL
 ge9rsA/5AXAEDd+2yayepyZHDamxMh9cMI8DcFnXG1NoxBgCh1P7DmdzGVRTbf8L
 V7dF063z86ebR/eIbT6QzYD+zfBd1pVMVlMe6S2/ZI+dDtJizaDdmExHsJeAJ/p/
 OeJ+ksM44eQcr0N2IUmUScr95/fZR3ED2HpAs224wMcbufe6PJUrbmyBbnPqw/Nf
 SHekc5xWAgoNT3tKKZxkjABmP8uSNtWsdn8QQuZyc7sB9Z/j5UuA/Oay7eVpQ5D8
 EiTQ1P+3u78wV/0Nqb3iDhgqShr7h7b9APgMUxQsNbvKVtoZI/7miskDz/dyNoqv
 FF9+oAhoRyC8XSQF1Td7HLLvsqqF31+iQdou5gmnrsoB6QLWEOBvfI+zOI7BckLj
 dZsa/oW6Rz1m12l5jqzorYrVYtbNfUJ7tunYMZOBnffK/VomE8XqmZuUVP+bQdZh
 zE+tLMBrIHb+h8MP3JnYsRzaYr1sN7lbLx5/7Gh1o1jpvzy57D628vbSWnbLoJuu
 l2ZjDNMAcKvcKba283lrV+Vm5aL4m/x4flsjeNiufTX50Ckzyd6U1L5Xq2wyHLuh
 kHIeO2UW9WeNud8UY5mYOBBbwHyh/9yWXphgEtxS2aSvKEIUkQ1V89e5U0Fu3pjU
 anJLQLYDc66CXfj82PK0Wq765bxIDnsRMggwgGh84U5eCvZWmMk=
 =nHMj
 -----END PGP SIGNATURE-----
--- a/openssl-Add-FIPS-indicator-parameter-to-HKDF.patch
+++ b/openssl-Add-FIPS-indicator-parameter-to-HKDF.patch
@@ -1,911 +0,0 @@
 From 2290280617183863eb15425b8925765966723725 Mon Sep 17 00:00:00 2001
 From: Clemens Lang <cllang@redhat.com>
 Date: Thu, 11 Aug 2022 09:27:12 +0200
 Subject: KDF: Add FIPS indicators
 FIPS requires a number of restrictions on the parameters of the various
 key derivation functions implemented in OpenSSL. The KDFs that use
 digest algorithms usually should not allow SHAKE (due to FIPS 140-3 IG
 C.C). Additionally, some application-specific KDFs have further
 restrictions defined in SP 800-135r1.
 Generally, all KDFs shall use a key-derivation key length of at least
 112 bits due to SP 800-131Ar2 section 8. Additionally any use of a KDF
 to generate and output length of less than 112 bits will also set the
 indicator to unapproved.
 Add explicit indicators to all KDFs usable in FIPS mode except for
 PBKDF2 (which has its specific FIPS limits already implemented). The
 indicator can be queried using EVP_KDF_CTX_get_params() after setting
 the required parameters and keys for the KDF.
 Our FIPS provider implements SHA1, SHA2 (both -256 and -512, and the
 truncated variants -224 and -384) and SHA3 (-256 and -512, and the
 truncated versions -224 and -384), as well as SHAKE-128 and -256.
 The SHAKE functions are generally not allowed in KDFs. For the rest, the
 support matrix is:
 KDF         | SHA-1 | SHA-2 | SHA-2 truncated  | SHA-3 | SHA-3 truncated
 ==========================================================================
 KBKDF        |   x   |   x   |         x        |   x   |     x
 HKDF         |   x   |   x   |         x        |   x   |     x
 TLS1PRF      |       | SHA-{256,384,512} only   |       |
 SSHKDF       |   x   |   x   |         x        |       |
 SSKDF        |   x   |   x   |         x        |   x   |     x
 X9.63KDF     |       |   x   |         x        |   x   |     x
 X9.42-ASN1   |   x   |   x   |         x        |   x   |     x
 TLS1.3PRF    |       | SHA-{256,384} only       |       |
 Signed-off-by: Clemens Lang <cllang@redhat.com>
 Resolves: rhbz#2160733 rhbz#2164763
 Related: rhbz#2114772 rhbz#2141695
 ---
 include/crypto/evp.h                      |   7 ++
 include/openssl/kdf.h                     |   4 +
 providers/implementations/kdfs/hkdf.c     | 100 +++++++++++++++++++++-
 providers/implementations/kdfs/kbkdf.c    |  82 ++++++++++++++++--
 providers/implementations/kdfs/sshkdf.c   |  75 +++++++++++++++-
 providers/implementations/kdfs/sskdf.c    | 100 +++++++++++++++++++++-
 providers/implementations/kdfs/tls1_prf.c |  74 +++++++++++++++-
 providers/implementations/kdfs/x942kdf.c  |  66 +++++++++++++-
 util/perl/OpenSSL/paramnames.pm           |   1 +
 9 files changed, 487 insertions(+), 22 deletions(-)
 diff --git a/include/crypto/evp.h b/include/crypto/evp.h
 index e70d8e9e84..76fb990de4 100644
 --- a/include/crypto/evp.h
 +++ b/include/crypto/evp.h
@@ -219,6 +219,13 @@ struct evp_mac_st {
     OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params;
 };
 +#ifdef FIPS_MODULE
 +/* According to NIST Special Publication 800-131Ar2, Section 8: Deriving
 + * Additional Keys from a Cryptographic Key, "[t]he length of the
 + * key-derivation key [i.e., the input key] shall be at least 112 bits". */
 +# define EVP_KDF_FIPS_MIN_KEY_LEN (112 / 8)
 +#endif
 +
 struct evp_kdf_st {
     OSSL_PROVIDER *prov;
     int name_id;
 diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
 index 0983230a48..86171635ea 100644
 --- a/include/openssl/kdf.h
 +++ b/include/openssl/kdf.h
@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf,
 # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY        1
 # define EVP_KDF_HKDF_MODE_EXPAND_ONLY         2
 +# define EVP_KDF_SUSE_FIPS_INDICATOR_UNDETERMINED 0
 +# define EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED     1
 +# define EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED 2
 +
 #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV     65
 #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI     66
 #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
 diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
 index dfa7786bde..f01e40ff5a 100644
 --- a/providers/implementations/kdfs/hkdf.c
 +++ b/providers/implementations/kdfs/hkdf.c
@@ -42,6 +42,7 @@ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params;
 static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params;
 static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
 static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params;
 +static OSSL_FUNC_kdf_newctx_fn kdf_tls1_3_new;
 static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive;
 static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params;
 static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params;
@@ -85,6 +86,10 @@ typedef struct {
     size_t data_len;
     unsigned char *info;
     size_t info_len;
 +    int is_tls13;
 +#ifdef FIPS_MODULE
 +    int fips_indicator;
 +#endif /* defined(FIPS_MODULE) */
 } KDF_HKDF;
 static void *kdf_hkdf_new(void *provctx)
@@ -170,6 +175,11 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen,
         return 0;
     }
 +#ifdef FIPS_MODULE
 +    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
 +        ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +#endif /* defined(FIPS_MODULE) */
 +
     switch (ctx->mode) {
     case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
     default:
@@ -318,22 +318,85 @@ static int kdf_hkdf_get_ctx_params(void
 {
     KDF_HKDF *ctx = (KDF_HKDF *)vctx;
     OSSL_PARAM *p;
 +    int any_valid = 0; /* set to 1 when at least one parameter was valid */
     if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
         size_t sz = kdf_hkdf_size(ctx);
 +        any_valid = 1;
         if (sz == 0)
             return 0;
         return OSSL_PARAM_set_size_t(p, sz);
     }
     if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) {
 +        any_valid = 1;
         if (ctx->info == NULL || ctx->info_len == 0) {
             p->return_size = 0;
             return 1;
         }
         return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len);
     }
 -    return -2;
 +#ifdef FIPS_MODULE
 +    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR))
 +            != NULL) {
 +        int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
 +        const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
 +
 +        any_valid = 1;
 +
 +        /* According to NIST Special Publication 800-131Ar2, Section 8:
 +         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
 +         * the key-derivation key [i.e., the input key] shall be at least 112
 +         * bits". */
 +        if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
 +            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +
 +        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
 +         * Verification Program, Section D.B and NIST Special Publication
 +         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
 +         * strength < 112 bits is legacy use only, so all derived keys should
 +         * be longer than that. If a derived key has ever been shorter than
 +         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
 +         * should also set the returned FIPS indicator to unapproved. */
 +        if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
 +            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +
 +        if (ctx->is_tls13) {
 +            if (md != NULL
 +                    && !EVP_MD_is_a(md, "SHA2-256")
 +                    && !EVP_MD_is_a(md, "SHA2-384")) {
 +                /* Implementation Guidance for FIPS 140-3 and the Cryptographic
 +                 * Module Validation Program, Section 2.4.B, (5): "The TLS 1.3
 +                 * key derivation function documented in Section 7.1 of RFC
 +                 * 8446. This is considered an approved CVL because the
 +                 * underlying functions performed within the TLS 1.3 KDF map to
 +                 * NIST approved standards, namely: SP 800-133rev2 (Section 6.3
 +                 * Option #3), SP 800-56Crev2, and SP 800-108."
 +                 *
 +                 * RFC 8446 appendix B.4 only lists SHA-256 and SHA-384. */
 +                fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +            }
 +        } else {
 +            if (md != NULL
 +                    && (EVP_MD_is_a(md, "SHAKE-128") ||
 +                        EVP_MD_is_a(md, "SHAKE-256"))) {
 +                /* HKDF is a SP 800-56Cr2 TwoStep KDF, for which all SHA-1,
 +                 * SHA-2 and SHA-3 are approved. SHAKE is not approved, because
 +                 * of FIPS 140-3 IG, section C.C: "The SHAKE128 and SHAKE256
 +                 * extendable-output functions may only be used as the
 +                 * standalone algorithms." */
 +                fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +            }
 +        }
 +        if (!OSSL_PARAM_set_int(p, fips_indicator))
 +            return 0;
 +    }
 +#endif /* defined(FIPS_MODULE) */
 +
 +    if (!any_valid)
 +        return -2;
 +
 +    return 1;
 }
 static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
@@ -348,6 +421,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
     static const OSSL_PARAM known_gettable_ctx_params[] = {
         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
         OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
 +#ifdef FIPS_MODULE
 +        OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, NULL),
 +#endif /* defined(FIPS_MODULE) */
         OSSL_PARAM_END
     };
     return known_gettable_ctx_params;
@@ -677,6 +753,17 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx,
     return ret;
 }
 +static void *kdf_tls1_3_new(void *provctx)
 +{
 +    KDF_HKDF *hkdf = kdf_hkdf_new(provctx);
 +
 +    if (hkdf != NULL)
 +        hkdf->is_tls13 = 1;
 +
 +    return hkdf;
 +}
 +
 +
 static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
                              const OSSL_PARAM params[])
 {
@@ -692,6 +779,11 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
         return 0;
     }
 +#ifdef FIPS_MODULE
 +    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
 +        ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +#endif /* defined(FIPS_MODULE) */
 +
     switch (ctx->mode) {
     default:
         return 0;
@@ -769,7 +861,7 @@ static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx,
 }
 const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = {
 -    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new },
 +    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_3_new },
     { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup },
     { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free },
     { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset },
 diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c
 index a542f84dfa..6b6dfb94ac 100644
 --- a/providers/implementations/kdfs/kbkdf.c
 +++ b/providers/implementations/kdfs/kbkdf.c
@@ -59,6 +59,9 @@ typedef struct {
     kbkdf_mode mode;
     EVP_MAC_CTX *ctx_init;
 +    /* HMAC digest algorithm, if any; used to compute FIPS indicator */
 +    PROV_DIGEST digest;
 +
     /* Names are lowercased versions of those found in SP800-108. */
     int r;
     unsigned char *ki;
@@ -73,6 +76,9 @@ typedef struct {
     int use_l;
     int is_kmac;
     int use_separator;
 +#ifdef FIPS_MODULE
 +    int fips_indicator;
 +#endif /* defined(FIPS_MODULE) */
 } KBKDF;
 /* Definitions needed for typechecking. */
@@ -138,6 +144,7 @@ static void kbkdf_reset(void *vctx)
     void *provctx = ctx->provctx;
     EVP_MAC_CTX_free(ctx->ctx_init);
 +    ossl_prov_digest_reset(&ctx->digest);
     OPENSSL_clear_free(ctx->context, ctx->context_len);
     OPENSSL_clear_free(ctx->label, ctx->label_len);
     OPENSSL_clear_free(ctx->ki, ctx->ki_len);
@@ -240,6 +247,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen,
         goto done;
     }
 +#ifdef FIPS_MODULE
 +    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
 +        ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +#endif /* defined(FIPS_MODULE) */
 +
     h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init);
     if (h == 0)
         goto done;
@@ -297,6 +309,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
         }
     }
 +    if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
 +        return 0;
 +
     p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE);
     if (p != NULL
         && OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) {
@@ -363,20 +378,77 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx,
 static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
 {
     OSSL_PARAM *p;
 +    int any_valid = 0; /* set to 1 when at least one parameter was valid */
     p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE);
 -    if (p == NULL)
 +    if (p != NULL) {
 +        any_valid = 1;
 +
 +        /* KBKDF can produce results as large as you like. */
 +        if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
 +            return 0;
 +    }
 +
 +#ifdef FIPS_MODULE
 +    p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR);
 +    if (p != NULL) {
 +        KBKDF *ctx = (KBKDF *)vctx;
 +        int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
 +
 +        any_valid = 1;
 +
 +        /* According to NIST Special Publication 800-131Ar2, Section 8:
 +         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
 +         * the key-derivation key [i.e., the input key] shall be at least 112
 +         * bits". */
 +        if (ctx->ki_len < EVP_KDF_FIPS_MIN_KEY_LEN)
 +            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +
 +        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
 +         * Verification Program, Section D.B and NIST Special Publication
 +         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
 +         * strength < 112 bits is legacy use only, so all derived keys should
 +         * be longer than that. If a derived key has ever been shorter than
 +         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
 +         * should also set the returned FIPS indicator to unapproved. */
 +        if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
 +            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +
 +        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
 +         * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
 +         * extendable-output functions may only be used as the standalone
 +         * algorithms." Note that the digest is only used when the MAC
 +         * algorithm is HMAC. */
 +        if (ctx->ctx_init != NULL
 +                && EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init), OSSL_MAC_NAME_HMAC)) {
 +            const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
 +            if (md != NULL
 +                    && (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256"))) {
 +                fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +            }
 +        }
 +
 +        if (!OSSL_PARAM_set_int(p, fips_indicator))
 +            return 0;
 +    }
 +#endif
 +
 +    if (!any_valid)
         return -2;
 -    /* KBKDF can produce results as large as you like. */
 -    return OSSL_PARAM_set_size_t(p, SIZE_MAX);
 +    return 1;
 }
 static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *ctx,
                                                    ossl_unused void *provctx)
 {
 -    static const OSSL_PARAM known_gettable_ctx_params[] =
 -        { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_END };
 +    static const OSSL_PARAM known_gettable_ctx_params[] = {
 +        OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
 +#ifdef FIPS_MODULE
 +        OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, NULL),
 +#endif /* defined(FIPS_MODULE) */
 +        OSSL_PARAM_END
 +    };
     return known_gettable_ctx_params;
 }
 diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c
 index c592ba72f1..4a52b38266 100644
 --- a/providers/implementations/kdfs/sshkdf.c
 +++ b/providers/implementations/kdfs/sshkdf.c
@@ -48,6 +48,9 @@ typedef struct {
     char type; /* X */
     unsigned char *session_id;
     size_t session_id_len;
 +#ifdef FIPS_MODULE
 +    int fips_indicator;
 +#endif /* defined(FIPS_MODULE) */
 } KDF_SSHKDF;
 static void *kdf_sshkdf_new(void *provctx)
@@ -126,6 +129,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen,
         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE);
         return 0;
     }
 +
 +#ifdef FIPS_MODULE
 +    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
 +        ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +#endif /* defined(FIPS_MODULE) */
 +
     return SSHKDF(md, ctx->key, ctx->key_len,
                   ctx->xcghash, ctx->xcghash_len,
                   ctx->session_id, ctx->session_id_len,
@@ -194,10 +203,67 @@ static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx,
 static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
 {
     OSSL_PARAM *p;
 +    int any_valid = 0; /* set to 1 when at least one parameter was valid */
 -    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
 -        return OSSL_PARAM_set_size_t(p, SIZE_MAX);
 -    return -2;
 +    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
 +        any_valid = 1;
 +
 +        if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
 +            return 0;
 +    }
 +
 +#ifdef FIPS_MODULE
 +    p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR);
 +    if (p != NULL) {
 +        KDF_SSHKDF *ctx = vctx;
 +        int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
 +
 +        any_valid = 1;
 +
 +        /* According to NIST Special Publication 800-131Ar2, Section 8:
 +         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
 +         * the key-derivation key [i.e., the input key] shall be at least 112
 +         * bits". */
 +        if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
 +            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +
 +        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
 +         * Verification Program, Section D.B and NIST Special Publication
 +         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
 +         * strength < 112 bits is legacy use only, so all derived keys should
 +         * be longer than that. If a derived key has ever been shorter than
 +         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
 +         * should also set the returned FIPS indicator to unapproved. */
 +        if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
 +            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +
 +        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
 +         * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
 +         * extendable-output functions may only be used as the standalone
 +         * algorithms."
 +         *
 +         * Additionally, SP 800-135r1 section 5.2 specifies that the hash
 +         * function used in SSHKDF "is one of the hash functions specified in
 +         * FIPS 180-3.", which rules out SHA-3 and truncated variants of SHA-2.
 +         * */
 +        if (ctx->digest.md != NULL
 +            && !EVP_MD_is_a(ctx->digest.md, "SHA-1")
 +            && !EVP_MD_is_a(ctx->digest.md, "SHA2-224")
 +            && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
 +            && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
 +            && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
 +            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +        }
 +
 +        if (!OSSL_PARAM_set_int(p, fips_indicator))
 +            return 0;
 +    }
 +#endif
 +
 +    if (!any_valid)
 +        return -2;
 +
 +    return 1;
 }
 static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
@@ -205,6 +271,9 @@ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
 {
     static const OSSL_PARAM known_gettable_ctx_params[] = {
         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
 +#ifdef FIPS_MODULE
 +        OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, NULL),
 +#endif /* defined(FIPS_MODULE) */
         OSSL_PARAM_END
     };
     return known_gettable_ctx_params;
 diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c
 index eb54972e1c..23865cd70f 100644
 --- a/providers/implementations/kdfs/sskdf.c
 +++ b/providers/implementations/kdfs/sskdf.c
@@ -64,6 +64,10 @@ typedef struct {
     size_t salt_len;
     size_t out_len; /* optional KMAC parameter */
     int is_kmac;
 +    int is_x963kdf;
 +#ifdef FIPS_MODULE
 +    int fips_indicator;
 +#endif /* defined(FIPS_MODULE) */
 } KDF_SSKDF;
 #define SSKDF_MAX_INLEN (1<<30)
@@ -73,6 +77,7 @@ typedef struct {
 static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 };
 static OSSL_FUNC_kdf_newctx_fn sskdf_new;
 +static OSSL_FUNC_kdf_newctx_fn x963kdf_new;
 static OSSL_FUNC_kdf_dupctx_fn sskdf_dup;
 static OSSL_FUNC_kdf_freectx_fn sskdf_free;
 static OSSL_FUNC_kdf_reset_fn sskdf_reset;
@@ -296,6 +301,16 @@ static void *sskdf_new(void *provctx)
     return ctx;
 }
 +static void *x963kdf_new(void *provctx)
 +{
 +    KDF_SSKDF *ctx = sskdf_new(provctx);
 +
 +    if (ctx)
 +        ctx->is_x963kdf = 1;
 +
 +    return ctx;
 +}
 +
 static void sskdf_reset(void *vctx)
 {
     KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
@@ -361,6 +376,11 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen,
     }
     md = ossl_prov_digest_md(&ctx->digest);
 +#ifdef FIPS_MODULE
 +    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
 +        ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +#endif /* defined(FIPS_MODULE) */
 +
     if (ctx->macctx != NULL) {
         /* H(x) = KMAC or H(x) = HMAC */
         int ret;
@@ -442,6 +462,11 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen,
         return 0;
     }
 +#ifdef FIPS_MODULE
 +    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
 +        ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +#endif /* defined(FIPS_MODULE) */
 +
     return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
                           ctx->info, ctx->info_len, 1, key, keylen);
 }
@@ -514,10 +539,74 @@ static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
 {
     KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
     OSSL_PARAM *p;
 +    int any_valid = 0; /* set to 1 when at least one parameter was valid */
 +
 +    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
 +        any_valid = 1;
 +
 +        if (!OSSL_PARAM_set_size_t(p, sskdf_size(ctx)))
 +            return 0;
 +    }
 -    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
 -        return OSSL_PARAM_set_size_t(p, sskdf_size(ctx));
 -    return -2;
 +#ifdef FIPS_MODULE
 +    p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR);
 +    if (p != NULL) {
 +        int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
 +
 +        any_valid = 1;
 +
 +        /* According to NIST Special Publication 800-131Ar2, Section 8:
 +         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
 +         * the key-derivation key [i.e., the input key] shall be at least 112
 +         * bits". */
 +        if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
 +            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +
 +        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
 +         * Verification Program, Section D.B and NIST Special Publication
 +         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
 +         * strength < 112 bits is legacy use only, so all derived keys should
 +         * be longer than that. If a derived key has ever been shorter than
 +         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
 +         * should also set the returned FIPS indicator to unapproved. */
 +        if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
 +            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +
 +        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
 +         * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
 +         * extendable-output functions may only be used as the standalone
 +         * algorithms." */
 +        if (ctx->macctx == NULL
 +                || (ctx->macctx != NULL &&
 +                    EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), OSSL_MAC_NAME_HMAC))) {
 +            if (ctx->digest.md != NULL
 +                && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
 +                    EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
 +                fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +            }
 +
 +            /* Table H-3 in ANS X9.63-2001 says that 160-bit hash functions
 +             * should only be used for 80-bit key agreement, but FIPS 140-3
 +             * requires a security strength of 112 bits, so SHA-1 cannot be
 +             * used with X9.63. See the discussion in
 +             * https://github.com/usnistgov/ACVP/issues/1403#issuecomment-1435300395.
 +             */
 +            if (ctx->is_x963kdf
 +                    && ctx->digest.md != NULL
 +                    && EVP_MD_is_a(ctx->digest.md, "SHA-1")) {
 +                fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +            }
 +        }
 +
 +        if (!OSSL_PARAM_set_int(p, fips_indicator))
 +            return 0;
 +    }
 +#endif
 +
 +    if (!any_valid)
 +        return -2;
 +
 +    return 1;
 }
 static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
@@ -525,6 +614,9 @@ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
 {
     static const OSSL_PARAM known_gettable_ctx_params[] = {
         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
 +#ifdef FIPS_MODULE
 +        OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, 0),
 +#endif /* defined(FIPS_MODULE) */
         OSSL_PARAM_END
     };
     return known_gettable_ctx_params;
@@ -545,7 +637,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = {
 };
 const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = {
 -    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new },
 +    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))x963kdf_new },
     { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup },
     { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
     { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
 diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
 index a4d64b9352..f6782a6ca2 100644
 --- a/providers/implementations/kdfs/tls1_prf.c
 +++ b/providers/implementations/kdfs/tls1_prf.c
@@ -93,6 +93,13 @@ typedef struct {
     /* Buffer of concatenated seed data */
     unsigned char seed[TLS1_PRF_MAXBUF];
     size_t seedlen;
 +
 +    /* MAC digest algorithm; used to compute FIPS indicator */
 +    PROV_DIGEST digest;
 +
 +#ifdef FIPS_MODULE
 +    int fips_indicator;
 +#endif /* defined(FIPS_MODULE) */
 } TLS1_PRF;
 static void *kdf_tls1_prf_new(void *provctx)
@@ -129,6 +136,7 @@ static void kdf_tls1_prf_reset(void *vctx)
     EVP_MAC_CTX_free(ctx->P_sha1);
     OPENSSL_clear_free(ctx->sec, ctx->seclen);
     OPENSSL_cleanse(ctx->seed, ctx->seedlen);
 +    ossl_prov_digest_reset(&ctx->digest);
     memset(ctx, 0, sizeof(*ctx));
     ctx->provctx = provctx;
 }
@@ -157,6 +165,10 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
         ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
         return 0;
     }
 +#ifdef FIPS_MODULE
 +    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
 +        ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +#endif /* defined(FIPS_MODULE) */
     /*
      * The seed buffer is prepended with a label.
@@ -191,6 +203,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
         }
     }
 +    if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
 +        return 0;
 +
     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) {
         OPENSSL_clear_free(ctx->sec, ctx->seclen);
         ctx->sec = NULL;
@@ -232,10 +247,60 @@ static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params(
 static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[])
 {
     OSSL_PARAM *p;
 +#ifdef FIPS_MODULE
 +    TLS1_PRF *ctx = vctx;
 +#endif /* defined(FIPS_MODULE) */
 +    int any_valid = 0; /* set to 1 when at least one parameter was valid */
 +
 +    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
 +        any_valid = 1;
 +
 +        if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
 +            return 0;
 +    }
 +
 +#ifdef FIPS_MODULE
 +    p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR);
 +    if (p != NULL) {
 +        int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
 +
 +        any_valid = 1;
 +
 +        /* According to NIST Special Publication 800-131Ar2, Section 8:
 +         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
 +         * the key-derivation key [i.e., the input key] shall be at least 112
 +         * bits". */
 +        if (ctx->seclen < EVP_KDF_FIPS_MIN_KEY_LEN)
 +            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +
 +        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
 +         * Verification Program, Section D.B and NIST Special Publication
 +         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
 +         * strength < 112 bits is legacy use only, so all derived keys should
 +         * be longer than that. If a derived key has ever been shorter than
 +         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
 +         * should also set the returned FIPS indicator to unapproved. */
 +        if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
 +            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +
 +        /* SP 800-135r1 section 4.2.2 says TLS 1.2 KDF is approved when "(3)
 +         * P_HASH uses either SHA-256, SHA-384 or SHA-512." */
 +        if (ctx->digest.md != NULL
 +                && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
 +                && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
 +                && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
 +            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +        }
 +
 +        if (!OSSL_PARAM_set_int(p, fips_indicator))
 +            return 0;
 +    }
 +#endif
 -    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
 -        return OSSL_PARAM_set_size_t(p, SIZE_MAX);
 -    return -2;
 +    if (!any_valid)
 +        return -2;
 +
 +    return 1;
 }
 static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
@@ -243,6 +308,9 @@ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
 {
     static const OSSL_PARAM known_gettable_ctx_params[] = {
         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
 +#ifdef FIPS_MODULE
 +        OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, 0),
 +#endif /* defined(FIPS_MODULE) */
         OSSL_PARAM_END
     };
     return known_gettable_ctx_params;
 diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c
 index b1bc6f7e1b..8173fc2cc7 100644
 --- a/providers/implementations/kdfs/x942kdf.c
 +++ b/providers/implementations/kdfs/x942kdf.c
@@ -13,11 +13,13 @@
 #include <openssl/core_dispatch.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
 +#include <openssl/kdf.h>
 #include <openssl/params.h>
 #include <openssl/proverr.h>
 #include "internal/packet.h"
 #include "internal/der.h"
 #include "internal/nelem.h"
 +#include "crypto/evp.h"
 #include "prov/provider_ctx.h"
 #include "prov/providercommon.h"
 #include "prov/implementations.h"
@@ -47,6 +50,9 @@ typedef struct {
     const unsigned char *cek_oid;
     size_t cek_oid_len;
     int use_keybits;
 +#ifdef FIPS_MODULE
 +    int fips_indicator;
 +#endif /* defined(FIPS_MODULE) */
 } KDF_X942;
 /*
@@ -460,6 +466,10 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen,
         ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING);
         return 0;
     }
 +#ifdef FIPS_MODULE
 +    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
 +        ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +#endif /* defined(FIPS_MODULE) */
     ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len,
                            der, der_len, ctr, key, keylen);
     OPENSSL_free(der);
@@ -563,10 +573,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
 {
     KDF_X942 *ctx = (KDF_X942 *)vctx;
     OSSL_PARAM *p;
 +    int any_valid = 0; /* set to 1 when at least one parameter was valid */
 -    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
 -        return OSSL_PARAM_set_size_t(p, x942kdf_size(ctx));
 -    return -2;
 +    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
 +        any_valid = 1;
 +
 +        if (!OSSL_PARAM_set_size_t(p, x942kdf_size(ctx)))
 +            return 0;
 +    }
 +
 +#ifdef FIPS_MODULE
 +    p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR);
 +    if (p != NULL) {
 +        int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
 +
 +        any_valid = 1;
 +
 +        /* According to NIST Special Publication 800-131Ar2, Section 8:
 +         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
 +         * the key-derivation key [i.e., the input key] shall be at least 112
 +         * bits". */
 +        if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
 +            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +
 +        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
 +         * Verification Program, Section D.B and NIST Special Publication
 +         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
 +         * strength < 112 bits is legacy use only, so all derived keys should
 +         * be longer than that. If a derived key has ever been shorter than
 +         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
 +         * should also set the returned FIPS indicator to unapproved. */
 +        if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
 +            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +
 +        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
 +         * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
 +         * extendable-output functions may only be used as the standalone
 +         * algorithms." */
 +        if (ctx->digest.md != NULL
 +                && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
 +                    EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
 +            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +        }
 +
 +        if (!OSSL_PARAM_set_int(p, fips_indicator))
 +            return 0;
 +    }
 +#endif
 +
 +    if (!any_valid)
 +        return -2;
 +
 +    return 1;
 }
 static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
@@ -574,6 +632,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
 {
     static const OSSL_PARAM known_gettable_ctx_params[] = {
         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
 +#ifdef FIPS_MODULE
 +        OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, 0),
 +#endif /* defined(FIPS_MODULE) */
         OSSL_PARAM_END
     };
     return known_gettable_ctx_params;
 diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
 index 70f7c50fe4..6618122417 100644
 --- a/util/perl/OpenSSL/paramnames.pm
 +++ b/util/perl/OpenSSL/paramnames.pm
@@ -183,6 +183,7 @@ my %params = (
     'KDF_PARAM_X942_SUPP_PUBINFO' =>    "supp-pubinfo",
     'KDF_PARAM_X942_SUPP_PRIVINFO' =>   "supp-privinfo",
     'KDF_PARAM_X942_USE_KEYBITS' =>     "use-keybits",
 +    'KDF_PARAM_SUSE_FIPS_INDICATOR' =>     "suse-fips-indicator",
     'KDF_PARAM_HMACDRBG_ENTROPY' =>     "entropy",
     'KDF_PARAM_HMACDRBG_NONCE' =>       "nonce",
     'KDF_PARAM_THREADS' =>        "threads",                # uint32_t
 -- 
 2.39.2
--- a/openssl-Add_support_for_Windows_CA_certificate_store.patch
+++ b/openssl-Add_support_for_Windows_CA_certificate_store.patch
@@ -1,743 +0,0 @@
 From 2a071544f7d2e963a1f68f266f4e375568909d38 Mon Sep 17 00:00:00 2001
 From: Hugo Landau <hlandau@openssl.org>
 Date: Fri, 8 Apr 2022 13:10:52 +0100
 Subject: [PATCH 1/8] Fix URI handling in SSL_CERT_DIR/introduce SSL_CERT_URI
 env
 Fixes #18068.
 ---
 CHANGES.md                                               |   21 
 Configure                                                |    7 
 crypto/x509/by_dir.c                                     |   17 
 crypto/x509/by_store.c                                   |   14 
 crypto/x509/x509_def.c                                   |   15 
 doc/build.info                                           |    6 
 doc/man3/X509_get_default_cert_file.pod                  |  113 +++++
 include/internal/cryptlib.h                              |   11 
 include/internal/e_os.h                                  |    2 
 include/openssl/x509.h.in                                |    3 
 providers/implementations/include/prov/implementations.h |    1 
 providers/implementations/storemgmt/build.info           |    3 
 providers/implementations/storemgmt/winstore_store.c     |  327 +++++++++++++++
 providers/stores.inc                                     |    3 
 util/libcrypto.num                                       |    3 
 util/missingcrypto.txt                                   |    4 
 16 files changed, 536 insertions(+), 14 deletions(-)
 --- a/CHANGES.md
 +++ b/CHANGES.md
@@ -24,6 +24,27 @@ OpenSSL 3.1
 ### Changes between 3.1.0 and 3.1.1 [30 May 2023]
 + * The `SSL_CERT_PATH` and `SSL_CERT_URI` environment variables are introduced.
 +   `SSL_CERT_URI` can be used to specify a URI for a root certificate store. The
 +   `SSL_CERT_PATH` environment variable specifies a delimiter-separated list of
 +   paths which are searched for root certificates.
 +
 +   The existing `SSL_CERT_DIR` environment variable is deprecated.
 +   `SSL_CERT_DIR` was previously used to specify either a delimiter-separated
 +   list of paths or an URI, which is ambiguous. Setting `SSL_CERT_PATH` causes
 +   `SSL_CERT_DIR` to be ignored for the purposes of determining root certificate
 +   directories, and setting `SSL_CERT_URI` causes `SSL_CERT_DIR` to be ignored
 +   for the purposes of determining root certificate stores.
 +
 +   *Hugo Landau*
 +
 + * Support for loading root certificates from the Windows certificate store
 +   has been added. The support is in the form of a store which recognises the
 +   URI string of `org.openssl.winstore://`. This store is enabled by default and
 +   can be disabled using the new compile-time option `no-winstore`.
 +
 +   *Hugo Landau*
 +
  * Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
    OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
 --- a/Configure
 +++ b/Configure
@@ -420,6 +420,7 @@ my @disablables = (
     "cached-fetch",
     "camellia",
     "capieng",
 +    "winstore",
     "cast",
     "chacha",
     "cmac",
@@ -1726,6 +1727,12 @@ unless ($disabled{ktls}) {
     }
 }
 +unless ($disabled{winstore}) {
 +    unless ($target =~ /^(?:Cygwin|mingw|VC-|BC-)/) {
 +        disable('not-windows', 'winstore');
 +    }
 +}
 +
 push @{$config{openssl_other_defines}}, "OPENSSL_NO_KTLS" if ($disabled{ktls});
 # Get the extra flags used when building shared libraries and modules.  We
 --- a/crypto/x509/by_dir.c
 +++ b/crypto/x509/by_dir.c
@@ -88,13 +88,18 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
     switch (cmd) {
     case X509_L_ADD_DIR:
         if (argl == X509_FILETYPE_DEFAULT) {
 -            const char *dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
 +            /* If SSL_CERT_PATH is provided and non-empty, use that. */
 +            const char *dir = ossl_safe_getenv(X509_get_default_cert_path_env());
 -            if (dir)
 -                ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
 -            else
 -                ret = add_cert_dir(ld, X509_get_default_cert_dir(),
 -                                   X509_FILETYPE_PEM);
 +            /* Fallback to SSL_CERT_DIR. */
 +            if (dir == NULL)
 +                dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
 +
 +            /* Fallback to built-in default. */
 +            if (dir == NULL)
 +                dir = X509_get_default_cert_dir();
 +
 +            ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
             if (!ret) {
                 ERR_raise(ERR_LIB_X509, X509_R_LOADING_CERT_DIR);
             }
 --- a/crypto/x509/by_store.c
 +++ b/crypto/x509/by_store.c
@@ -111,11 +111,21 @@ static int by_store_ctrl_ex(X509_LOOKUP
 {
     switch (cmd) {
     case X509_L_ADD_STORE:
 -        /* If no URI is given, use the default cert dir as default URI */
 +        /* First try the newer default cert URI envvar. */
 +        if (argp == NULL)
 +            argp = ossl_safe_getenv(X509_get_default_cert_uri_env());
 +
 +        /* If not set, see if we have a URI in the older cert dir envvar. */
         if (argp == NULL)
             argp = ossl_safe_getenv(X509_get_default_cert_dir_env());
 +
 +        /* Fallback to default store URI. */
         if (argp == NULL)
 -            argp = X509_get_default_cert_dir();
 +            argp = X509_get_default_cert_uri();
 +
 +        /* No point adding an empty URI. */
 +        if (!*argp)
 +            return 1;
         {
             STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
 --- a/crypto/x509/x509_def.c
 +++ b/crypto/x509/x509_def.c
@@ -22,6 +22,11 @@ const char *X509_get_default_cert_area(v
     return X509_CERT_AREA;
 }
 +const char *X509_get_default_cert_uri(void)
 +{
 +    return X509_CERT_URI;
 +}
 +
 const char *X509_get_default_cert_dir(void)
 {
     return X509_CERT_DIR;
@@ -32,6 +37,16 @@ const char *X509_get_default_cert_file(v
     return X509_CERT_FILE;
 }
 +const char *X509_get_default_cert_uri_env(void)
 +{
 +    return X509_CERT_URI_EVP;
 +}
 +
 +const char *X509_get_default_cert_path_env(void)
 +{
 +    return X509_CERT_PATH_EVP;
 +}
 +
 const char *X509_get_default_cert_dir_env(void)
 {
     return X509_CERT_DIR_EVP;
 --- a/doc/build.info
 +++ b/doc/build.info
@@ -2791,6 +2791,10 @@ DEPEND[html/man3/X509_get0_uids.html]=ma
 GENERATE[html/man3/X509_get0_uids.html]=man3/X509_get0_uids.pod
 DEPEND[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod
 GENERATE[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod
 +DEPEND[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod
 +GENERATE[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod
 +DEPEND[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod
 +GENERATE[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod
 DEPEND[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod
 GENERATE[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod
 DEPEND[man/man3/X509_get_extension_flags.3]=man3/X509_get_extension_flags.pod
@@ -3461,6 +3465,7 @@ html/man3/X509_get0_distinguishing_id.ht
 html/man3/X509_get0_notBefore.html \
 html/man3/X509_get0_signature.html \
 html/man3/X509_get0_uids.html \
 +html/man3/X509_get_default_cert_file.html \
 html/man3/X509_get_extension_flags.html \
 html/man3/X509_get_pubkey.html \
 html/man3/X509_get_serialNumber.html \
@@ -4064,6 +4069,7 @@ man/man3/X509_get0_distinguishing_id.3 \
 man/man3/X509_get0_notBefore.3 \
 man/man3/X509_get0_signature.3 \
 man/man3/X509_get0_uids.3 \
 +man/man3/X509_get_default_cert_file.3 \
 man/man3/X509_get_extension_flags.3 \
 man/man3/X509_get_pubkey.3 \
 man/man3/X509_get_serialNumber.3 \
 --- /dev/null
 +++ b/doc/man3/X509_get_default_cert_file.pod
@@ -0,0 +1,113 @@
 +=pod
 +
 +=head1 NAME
 +
 +X509_get_default_cert_file, X509_get_default_cert_file_env,
 +X509_get_default_cert_path_env,
 +X509_get_default_cert_dir, X509_get_default_cert_dir_env,
 +X509_get_default_cert_uri, X509_get_default_cert_uri_env -
 +retrieve default locations for trusted CA certificates
 +
 +=head1 SYNOPSIS
 +
 + #include <openssl/x509.h>
 +
 + const char *X509_get_default_cert_file(void);
 + const char *X509_get_default_cert_dir(void);
 + const char *X509_get_default_cert_uri(void);
 +
 + const char *X509_get_default_cert_file_env(void);
 + const char *X509_get_default_cert_path_env(void);
 + const char *X509_get_default_cert_dir_env(void);
 + const char *X509_get_default_cert_uri_env(void);
 +
 +=head1 DESCRIPTION
 +
 +The X509_get_default_cert_file() function returns the default path
 +to a file containing trusted CA certificates. OpenSSL will use this as
 +the default path when it is asked to load trusted CA certificates
 +from a file and no other path is specified. If the file exists, CA certificates
 +are loaded from the file.
 +
 +The X509_get_default_cert_dir() function returns a default delimeter-separated
 +list of paths to a directories containing trusted CA certificates named in the
 +hashed format. OpenSSL will use this as the default list of paths when it is
 +asked to load trusted CA certificates from a directory and no other path is
 +specified. If a given directory in the list exists, OpenSSL attempts to lookup
 +CA certificates in this directory by calculating a filename based on a hash of
 +the certificate's subject name.
 +
 +The X509_get_default_cert_uri() function returns the default URI for a
 +certificate store accessed programmatically via an OpenSSL provider. If there is
 +no default store applicable to the system for which OpenSSL was compiled, this
 +returns an empty string.
 +
 +X509_get_default_cert_file_env() and X509_get_default_cert_uri_env() return
 +environment variable names which are recommended to specify nondefault values to
 +be used instead of the values returned by X509_get_default_cert_file() and
 +X509_get_default_cert_uri() respectively. The values returned by the latter
 +functions are not affected by these environment variables; you must check for
 +these environment variables yourself, using these functions to retrieve the
 +correct environment variable names. If an environment variable is not set, the
 +value returned by the corresponding function above should be used.
 +
 +X509_get_default_cert_path_env() returns the environment variable name which is
 +recommended to specify a nondefault value to be used instead of the value
 +returned by X509_get_default_cert_dir(). This environment variable supercedes
 +the deprecated environment variable whose name is returned by
 +X509_get_default_cert_dir_env(). This environment variable was deprecated as its
 +contents can be interpreted ambiguously; see NOTES.
 +
 +By default, OpenSSL uses the path list specified in the environment variable
 +whose name is returned by X509_get_default_cert_path_env() if it is set;
 +otherwise, it uses the path list specified in the environment variable whose
 +name is returned by X509_get_default_cert_dir_env() if it is set; otherwise, it
 +uses the value returned by X509_get_default_cert_dir()).
 +
 +=head1 NOTES
 +
 +X509_get_default_cert_uri(), X509_get_default_cert_uri_env() and
 +X509_get_default_cert_path_env() were introduced in OpenSSL 3.1. Prior to this
 +release, store URIs were expressed via the environment variable returned by
 +X509_get_default_cert_dir_env(); this environment variable could be used to
 +specify either a list of directories or a store URI. This creates an ambiguity
 +in which the environment variable returned by X509_get_default_cert_dir_env() is
 +interpreted both as a list of directories and as a store URI.
 +
 +This usage and the environment variable returned by
 +X509_get_default_cert_dir_env() are now deprecated; to specify a store URI, use
 +the environment variable returned by X509_get_default_cert_uri_env(), and to
 +specify a list of directories, use the environment variable returned by
 +X509_get_default_cert_path_env().
 +
 +=head1 RETURN VALUES
 +
 +These functions return pointers to constant strings with static storage
 +duration.
 +
 +=head1 SEE ALSO
 +
 +L<X509_LOOKUP(3)>,
 +L<SSL_CTX_set_default_verify_file(3)>,
 +L<SSL_CTX_set_default_verify_dir(3)>,
 +L<SSL_CTX_set_default_verify_store(3)>,
 +L<SSL_CTX_load_verify_file(3)>,
 +L<SSL_CTX_load_verify_dir(3)>,
 +L<SSL_CTX_load_verify_store(3)>,
 +L<SSL_CTX_load_verify_locations(3)>
 +
 +=head1 HISTORY
 +
 +X509_get_default_cert_uri(), X509_get_default_cert_path_env() and
 +X509_get_default_cert_uri_env() were introduced in OpenSSL 3.1.
 +
 +=head1 COPYRIGHT
 +
 +Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
 +
 +Licensed under the Apache License 2.0 (the "License").  You may not use
 +this file except in compliance with the License.  You can obtain a copy
 +in the file LICENSE in the source distribution or at
 +L<https://www.openssl.org/source/license.html>.
 +
 +=cut
 --- a/include/internal/cryptlib.h
 +++ b/include/internal/cryptlib.h
@@ -13,6 +13,8 @@
 # include <stdlib.h>
 # include <string.h>
 +# include "openssl/configuration.h"
 +# include "internal/e_os.h" /* ossl_inline in many files */
 # ifdef OPENSSL_USE_APPLINK
 #  define BIO_FLAGS_UPLINK_INTERNAL 0x8000
@@ -77,6 +79,14 @@ DEFINE_LHASH_OF_EX(MEM);
 #  define CTLOG_FILE              "OSSL$DATAROOT:[000000]ct_log_list.cnf"
 # endif
 +#ifndef OPENSSL_NO_WINSTORE
 +# define X509_CERT_URI            "org.openssl.winstore://"
 +#else
 +# define X509_CERT_URI            ""
 +#endif
 +
 +# define X509_CERT_URI_EVP        "SSL_CERT_URI"
 +# define X509_CERT_PATH_EVP       "SSL_CERT_PATH"
 # define X509_CERT_DIR_EVP        "SSL_CERT_DIR"
 # define X509_CERT_FILE_EVP       "SSL_CERT_FILE"
 # define CTLOG_FILE_EVP           "CTLOG_FILE"
@@ -240,5 +250,4 @@ static ossl_inline int ossl_is_absolute_
 # endif
     return path[0] == '/';
 }
 -
 #endif
 --- a/include/internal/e_os.h
 +++ b/include/internal/e_os.h
@@ -249,7 +249,7 @@ FILE *__iob_func();
 /***********************************************/
 # if defined(OPENSSL_SYS_WINDOWS)
 -#  if (_MSC_VER >= 1310) && !defined(_WIN32_WCE)
 +#  if defined(_MSC_VER) && (_MSC_VER >= 1310) && !defined(_WIN32_WCE)
 #   define open _open
 #   define fdopen _fdopen
 #   define close _close
 --- a/include/openssl/x509.h.in
 +++ b/include/openssl/x509.h.in
@@ -491,8 +491,11 @@ ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s
 ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj);
 const char *X509_get_default_cert_area(void);
 +const char *X509_get_default_cert_uri(void);
 const char *X509_get_default_cert_dir(void);
 const char *X509_get_default_cert_file(void);
 +const char *X509_get_default_cert_uri_env(void);
 +const char *X509_get_default_cert_path_env(void);
 const char *X509_get_default_cert_dir_env(void);
 const char *X509_get_default_cert_file_env(void);
 const char *X509_get_default_private_dir(void);
 --- a/providers/implementations/include/prov/implementations.h
 +++ b/providers/implementations/include/prov/implementations.h
@@ -517,3 +517,4 @@ extern const OSSL_DISPATCH ossl_SubjectP
 extern const OSSL_DISPATCH ossl_pem_to_der_decoder_functions[];
 extern const OSSL_DISPATCH ossl_file_store_functions[];
 +extern const OSSL_DISPATCH ossl_winstore_store_functions[];
 --- a/providers/implementations/storemgmt/build.info
 +++ b/providers/implementations/storemgmt/build.info
@@ -4,3 +4,6 @@
 $STORE_GOAL=../../libdefault.a
 SOURCE[$STORE_GOAL]=file_store.c file_store_any2obj.c
 +IF[{- !$disabled{winstore} -}]
 +    SOURCE[$STORE_GOAL]=winstore_store.c
 +ENDIF
 --- /dev/null
 +++ b/providers/implementations/storemgmt/winstore_store.c
@@ -0,0 +1,327 @@
 +/*
 + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
 + *
 + * Licensed under the Apache License 2.0 (the "License").  You may not use
 + * this file except in compliance with the License.  You can obtain a copy
 + * in the file LICENSE in the source distribution or at
 + * https://www.openssl.org/source/license.html
 + */
 +#include <openssl/store.h>
 +#include <openssl/core_dispatch.h>
 +#include <openssl/core_names.h>
 +#include <openssl/core_object.h>
 +#include <openssl/bio.h>
 +#include <openssl/err.h>
 +#include <openssl/params.h>
 +#include <openssl/decoder.h>
 +#include <openssl/proverr.h>
 +#include <openssl/store.h>       /* The OSSL_STORE_INFO type numbers */
 +#include "internal/cryptlib.h"
 +#include "internal/o_dir.h"
 +#include "crypto/decoder.h"
 +#include "crypto/ctype.h"        /* ossl_isdigit() */
 +#include "prov/implementations.h"
 +#include "prov/bio.h"
 +#include "file_store_local.h"
 +
 +#include <wincrypt.h>
 +
 +enum {
 +    STATE_IDLE,
 +    STATE_READ,
 +    STATE_EOF,
 +};
 +
 +struct winstore_ctx_st {
 +    void                   *provctx;
 +    char                   *propq;
 +    unsigned char          *subject;
 +    size_t                  subject_len;
 +
 +    HCERTSTORE              win_store;
 +    const CERT_CONTEXT     *win_ctx;
 +    int                     state;
 +
 +    OSSL_DECODER_CTX       *dctx;
 +};
 +
 +static void winstore_win_reset(struct winstore_ctx_st *ctx)
 +{
 +    if (ctx->win_ctx != NULL) {
 +        CertFreeCertificateContext(ctx->win_ctx);
 +        ctx->win_ctx = NULL;
 +    }
 +
 +    ctx->state = STATE_IDLE;
 +}
 +
 +static void winstore_win_advance(struct winstore_ctx_st *ctx)
 +{
 +    CERT_NAME_BLOB name = {0};
 +
 +    if (ctx->state == STATE_EOF)
 +        return;
 +
 +    name.cbData = ctx->subject_len;
 +    name.pbData = ctx->subject;
 +
 +    ctx->win_ctx = (name.cbData == 0 ? NULL :
 +        CertFindCertificateInStore(ctx->win_store,
 +                                   X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
 +                                   0, CERT_FIND_SUBJECT_NAME,
 +                                   &name, ctx->win_ctx));
 +
 +    ctx->state = (ctx->win_ctx == NULL) ? STATE_EOF : STATE_READ;
 +}
 +
 +static void *winstore_open(void *provctx, const char *uri)
 +{
 +    struct winstore_ctx_st *ctx = NULL;
 +
 +    if (!HAS_CASE_PREFIX(uri, "org.openssl.winstore:"))
 +        return NULL;
 +
 +    ctx = OPENSSL_zalloc(sizeof(*ctx));
 +    if (ctx == NULL)
 +        return NULL;
 +
 +    ctx->provctx    = provctx;
 +    ctx->win_store  = CertOpenSystemStoreW(0, L"ROOT");
 +    if (ctx->win_store == NULL) {
 +        OPENSSL_free(ctx);
 +        return NULL;
 +    }
 +
 +    winstore_win_reset(ctx);
 +    return ctx;
 +}
 +
 +static void *winstore_attach(void *provctx, OSSL_CORE_BIO *cin)
 +{
 +    return NULL; /* not supported */
 +}
 +
 +static const OSSL_PARAM *winstore_settable_ctx_params(void *loaderctx, const OSSL_PARAM params[])
 +{
 +    static const OSSL_PARAM known_settable_ctx_params[] = {
 +        OSSL_PARAM_octet_string(OSSL_STORE_PARAM_SUBJECT, NULL, 0),
 +        OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_PROPERTIES, NULL, 0),
 +        OSSL_PARAM_END
 +    };
 +    return known_settable_ctx_params;
 +}
 +
 +static int winstore_set_ctx_params(void *loaderctx, const OSSL_PARAM params[])
 +{
 +    struct winstore_ctx_st *ctx = loaderctx;
 +    const OSSL_PARAM *p;
 +    int do_reset = 0;
 +
 +    if (params == NULL)
 +        return 1;
 +
 +    p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_PROPERTIES);
 +    if (p != NULL) {
 +        do_reset = 1;
 +        OPENSSL_free(ctx->propq);
 +        ctx->propq = NULL;
 +        if (!OSSL_PARAM_get_utf8_string(p, &ctx->propq, 0))
 +            return 0;
 +    }
 +
 +    p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_SUBJECT);
 +    if (p != NULL) {
 +        const unsigned char *der = NULL;
 +        size_t der_len = 0;
 +
 +        if (!OSSL_PARAM_get_octet_string_ptr(p, (const void **)&der, &der_len))
 +            return 0;
 +
 +        do_reset = 1;
 +
 +        OPENSSL_free(ctx->subject);
 +
 +        ctx->subject = OPENSSL_malloc(der_len);
 +        if (ctx->subject == NULL) {
 +            ctx->subject_len = 0;
 +            return 0;
 +        }
 +
 +        ctx->subject_len = der_len;
 +        memcpy(ctx->subject, der, der_len);
 +    }
 +
 +    if (do_reset) {
 +        winstore_win_reset(ctx);
 +        winstore_win_advance(ctx);
 +    }
 +
 +    return 1;
 +}
 +
 +struct load_data_st {
 +    OSSL_CALLBACK  *object_cb;
 +    void           *object_cbarg;
 +};
 +
 +static int load_construct(OSSL_DECODER_INSTANCE *decoder_inst,
 +                           const OSSL_PARAM *params, void *construct_data)
 +{
 +    struct load_data_st *data = construct_data;
 +    return data->object_cb(params, data->object_cbarg);
 +}
 +
 +static void load_cleanup(void *construct_data)
 +{
 +    /* No-op. */
 +}
 +
 +static int setup_decoder(struct winstore_ctx_st *ctx)
 +{
 +    OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(ctx->provctx);
 +    const OSSL_ALGORITHM *to_algo = NULL;
 +
 +    if (ctx->dctx != NULL)
 +        return 1;
 +
 +    ctx->dctx = OSSL_DECODER_CTX_new();
 +    if (ctx->dctx == NULL) {
 +        ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
 +        return 0;
 +    }
 +
 +    if (!OSSL_DECODER_CTX_set_input_type(ctx->dctx, "DER")) {
 +        ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
 +        goto err;
 +    }
 +
 +    if (!OSSL_DECODER_CTX_set_input_structure(ctx->dctx, "Certificate")) {
 +        ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
 +        goto err;
 +    }
 +
 +    for (to_algo = ossl_any_to_obj_algorithm;
 +         to_algo->algorithm_names != NULL;
 +         to_algo++) {
 +        OSSL_DECODER *to_obj = NULL;
 +        OSSL_DECODER_INSTANCE *to_obj_inst = NULL;
 +
 +        /*
 +         * Create the internal last resort decoder implementation
 +         * together with a "decoder instance".
 +         * The decoder doesn't need any identification or to be
 +         * attached to any provider, since it's only used locally.
 +         */
 +        to_obj = ossl_decoder_from_algorithm(0, to_algo, NULL);
 +        if (to_obj != NULL)
 +            to_obj_inst = ossl_decoder_instance_new(to_obj, ctx->provctx);
 +
 +        OSSL_DECODER_free(to_obj);
 +        if (to_obj_inst == NULL)
 +            goto err;
 +
 +        if (!ossl_decoder_ctx_add_decoder_inst(ctx->dctx,
 +                                               to_obj_inst)) {
 +            ossl_decoder_instance_free(to_obj_inst);
 +            ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
 +            goto err;
 +        }
 +    }
 +
 +    if (!OSSL_DECODER_CTX_add_extra(ctx->dctx, libctx, ctx->propq)) {
 +        ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
 +        goto err;
 +    }
 +
 +    if (!OSSL_DECODER_CTX_set_construct(ctx->dctx, load_construct)) {
 +        ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
 +        goto err;
 +    }
 +
 +    if (!OSSL_DECODER_CTX_set_cleanup(ctx->dctx, load_cleanup)) {
 +        ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
 +        goto err;
 +    }
 +
 +    return 1;
 +
 +err:
 +    OSSL_DECODER_CTX_free(ctx->dctx);
 +    ctx->dctx = NULL;
 +    return 0;
 +}
 +
 +static int winstore_load_using(struct winstore_ctx_st *ctx,
 +                               OSSL_CALLBACK *object_cb, void *object_cbarg,
 +                               OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg,
 +                               const void *der, size_t der_len)
 +{
 +    struct load_data_st data;
 +    const unsigned char *der_ = der;
 +    size_t der_len_ = der_len;
 +
 +    if (setup_decoder(ctx) == 0)
 +        return 0;
 +
 +    data.object_cb      = object_cb;
 +    data.object_cbarg   = object_cbarg;
 +
 +    OSSL_DECODER_CTX_set_construct_data(ctx->dctx, &data);
 +    OSSL_DECODER_CTX_set_passphrase_cb(ctx->dctx, pw_cb, pw_cbarg);
 +
 +    if (OSSL_DECODER_from_data(ctx->dctx, &der_, &der_len_) == 0)
 +        return 0;
 +
 +    return 1;
 +}
 +
 +static int winstore_load(void *loaderctx,
 +                         OSSL_CALLBACK *object_cb, void *object_cbarg,
 +                         OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg)
 +{
 +    int ret = 0;
 +    struct winstore_ctx_st *ctx = loaderctx;
 +
 +    if (ctx->state != STATE_READ)
 +        return 0;
 +
 +    ret = winstore_load_using(ctx, object_cb, object_cbarg, pw_cb, pw_cbarg,
 +                              ctx->win_ctx->pbCertEncoded,
 +                              ctx->win_ctx->cbCertEncoded);
 +
 +    if (ret == 1)
 +        winstore_win_advance(ctx);
 +
 +    return ret;
 +}
 +
 +static int winstore_eof(void *loaderctx)
 +{
 +    struct winstore_ctx_st *ctx = loaderctx;
 +
 +    return ctx->state != STATE_READ;
 +}
 +
 +static int winstore_close(void *loaderctx)
 +{
 +    struct winstore_ctx_st *ctx = loaderctx;
 +
 +    winstore_win_reset(ctx);
 +    CertCloseStore(ctx->win_store, 0);
 +    OSSL_DECODER_CTX_free(ctx->dctx);
 +    OPENSSL_free(ctx->propq);
 +    OPENSSL_free(ctx->subject);
 +    OPENSSL_free(ctx);
 +    return 1;
 +}
 +
 +const OSSL_DISPATCH ossl_winstore_store_functions[] = {
 +    { OSSL_FUNC_STORE_OPEN, (void (*)(void))winstore_open },
 +    { OSSL_FUNC_STORE_ATTACH, (void (*)(void))winstore_attach },
 +    { OSSL_FUNC_STORE_SETTABLE_CTX_PARAMS, (void (*)(void))winstore_settable_ctx_params },
 +    { OSSL_FUNC_STORE_SET_CTX_PARAMS, (void (*)(void))winstore_set_ctx_params },
 +    { OSSL_FUNC_STORE_LOAD, (void (*)(void))winstore_load },
 +    { OSSL_FUNC_STORE_EOF, (void (*)(void))winstore_eof },
 +    { OSSL_FUNC_STORE_CLOSE, (void (*)(void))winstore_close },
 +    { 0, NULL },
 +};
 --- a/providers/stores.inc
 +++ b/providers/stores.inc
@@ -12,3 +12,6 @@
 #endif
 STORE("file", "yes", ossl_file_store_functions)
 +#ifndef OPENSSL_NO_WINSTORE
 +STORE("org.openssl.winstore", "yes", ossl_winstore_store_functions)
 +#endif
 --- a/util/libcrypto.num
 +++ b/util/libcrypto.num
@@ -5435,4 +5435,7 @@ EVP_MD_CTX_dup
 EVP_CIPHER_CTX_dup                      5563	3_1_0	EXIST::FUNCTION:
 BN_are_coprime                          5564	3_1_0	EXIST::FUNCTION:
 OSSL_CMP_MSG_update_recipNonce          5565	3_0_9	EXIST::FUNCTION:CMP
 +X509_get_default_cert_uri               ?	3_1_0	EXIST::FUNCTION:
 +X509_get_default_cert_uri_env           ?	3_1_0	EXIST::FUNCTION:
 +X509_get_default_cert_path_env          ?	3_1_0	EXIST::FUNCTION:
 ossl_safe_getenv                        ?	3_0_0	EXIST::FUNCTION:
 --- a/util/missingcrypto.txt
 +++ b/util/missingcrypto.txt
@@ -1273,10 +1273,6 @@ X509_get0_trust_objects(3)
 X509_get1_email(3)
 X509_get1_ocsp(3)
 X509_get_default_cert_area(3)
 -X509_get_default_cert_dir(3)
 -X509_get_default_cert_dir_env(3)
 -X509_get_default_cert_file(3)
 -X509_get_default_cert_file_env(3)
 X509_get_default_private_dir(3)
 X509_get_pubkey_parameters(3)
 X509_get_signature_type(3)
--- a/openssl-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
+++ b/openssl-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
@@ -1,217 +0,0 @@
 From f470b130139919f32926b3f5a75ba4d161cbcf88 Mon Sep 17 00:00:00 2001
 From: Clemens Lang <cllang@redhat.com>
 Date: Tue, 1 Mar 2022 15:44:18 +0100
 Subject: Allow SHA1 in seclevel 1 if rh-allow-sha1-signatures = yes
 NOTE: This patch is ported from CentOS 9 / RHEL 9, where it allows SHA1
 in seclevel 2 if rh-allow-sha1-signatures = yes. This was chosen because
 on CentOS 9 and RHEL 9, the LEGACY crypto policy sets the security level
 to 2.
 On Fedora 35 (with OpenSSL 1.1) the legacy crypto policy uses security
 level 1. Because Fedora 36 supports both OpenSSL 1.1 and OpenSSL 3, and
 we want the legacy crypto policy to allow SHA-1 in TLS, the only option
 to make this happen consistently in both OpenSSL 1.1 and OpenSSL 3 is
 SECLEVEL=1 (which will allow SHA-1 in OpenSSL 1.1) and this change to
 allow SHA-1 in SECLEVEL=1 with rh-allow-sha1-signatures = yes (which
 will allow SHA-1 in OpenSSL 3).
 The change from CentOS 9 / RHEL 9 cannot be applied unmodified, because
 rh-allow-sha1-signatures will default to yes in Fedora (according to our
 current plans including until F38), and the security level in the
 DEFAULT crypto policy is 2, i.e., the unmodified change would weaken the
 default configuration.
 Related: rhbz#2055796
 Related: rhbz#2070977
 ---
 crypto/x509/x509_vfy.c        | 20 ++++++++++-
 doc/man5/config.pod           |  7 ++++
 ssl/t1_lib.c                  | 67 ++++++++++++++++++++++++++++-------
 test/recipes/25-test_verify.t |  4 +--
 4 files changed, 82 insertions(+), 16 deletions(-)
 Index: openssl-3.1.4/crypto/x509/x509_vfy.c
 ===================================================================
 --- openssl-3.1.4.orig/crypto/x509/x509_vfy.c
 +++ openssl-3.1.4/crypto/x509/x509_vfy.c
@@ -25,6 +25,7 @@
 #include <openssl/objects.h>
 #include <openssl/core_names.h>
 #include "internal/dane.h"
 +#include "internal/sslconf.h"
 #include "crypto/x509.h"
 #include "x509_local.h"
@@ -3438,14 +3439,31 @@ static int check_sig_level(X509_STORE_CT
 {
     int secbits = -1;
     int level = ctx->param->auth_level;
 +    int nid;
 +    OSSL_LIB_CTX *libctx = NULL;
     if (level <= 0)
         return 1;
     if (level > NUM_AUTH_LEVELS)
         level = NUM_AUTH_LEVELS;
 -    if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
 +    if (ctx->libctx)
 +        libctx = ctx->libctx;
 +    else if (cert->libctx)
 +        libctx = cert->libctx;
 +    else
 +        libctx = OSSL_LIB_CTX_get0_global_default();
 +
 +    if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL))
         return 0;
 +    if ((nid == NID_sha1 || nid == NID_md5_sha1)
 +            && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
 +            && ctx->param->auth_level < 2)
 +        /* When rh-allow-sha1-signatures = yes and security level <= 1,
 +         * explicitly allow SHA1 for backwards compatibility. Also allow
 +         * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
 +        return 1;
 +
     return secbits >= minbits_table[level - 1];
 }
 Index: openssl-3.1.4/doc/man5/config.pod
 ===================================================================
 --- openssl-3.1.4.orig/doc/man5/config.pod
 +++ openssl-3.1.4/doc/man5/config.pod
@@ -317,6 +317,13 @@ this option is set to B<no>.  Because TL
 pseudorandom function (PRF) to derive key material, disabling
 B<rh-allow-sha1-signatures> requires the use of TLS 1.2 or newer.
 +Note that enabling B<rh-allow-sha1-signatures> will allow TLS signature
 +algorithms that use SHA1 in security level 1, despite the definition of
 +security level 1 of 80 bits of security, which SHA1 and MD5-SHA1 do not meet.
 +This allows using SHA1 and MD5-SHA1 in TLS in the LEGACY crypto-policy on
 +Fedora without requiring to set the security level to 0, which would include
 +further insecure algorithms, and thus restores support for TLS 1.0 and 1.1.
 +
 This is a downstream specific option, and normally it should be set up via crypto-policies.
 =item B<fips_mode> (deprecated)
 Index: openssl-3.1.4/ssl/t1_lib.c
 ===================================================================
 --- openssl-3.1.4.orig/ssl/t1_lib.c
 +++ openssl-3.1.4/ssl/t1_lib.c
@@ -20,6 +20,7 @@
 #include <openssl/bn.h>
 #include <openssl/provider.h>
 #include <openssl/param_build.h>
 +#include "crypto/x509.h"
 #include "internal/sslconf.h"
 #include "internal/nelem.h"
 #include "internal/sizes.h"
@@ -1588,19 +1589,28 @@ int tls12_check_peer_sigalg(SSL *s, uint
         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST);
         return 0;
     }
 -    /*
 -     * Make sure security callback allows algorithm. For historical
 -     * reasons we have to pass the sigalg as a two byte char array.
 -     */
 -    sigalgstr[0] = (sig >> 8) & 0xff;
 -    sigalgstr[1] = sig & 0xff;
 -    secbits = sigalg_security_bits(s->ctx, lu);
 -    if (secbits == 0 ||
 -        !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
 -                      md != NULL ? EVP_MD_get_type(md) : NID_undef,
 -                      (void *)sigalgstr)) {
 -        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
 -        return 0;
 +
 +    if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
 +            && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)
 +            && SSL_get_security_level(s) < 2) {
 +        /* When rh-allow-sha1-signatures = yes and security level <= 1,
 +         * explicitly allow SHA1 for backwards compatibility. Also allow
 +         * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
 +    } else {
 +        /*
 +         * Make sure security callback allows algorithm. For historical
 +         * reasons we have to pass the sigalg as a two byte char array.
 +         */
 +        sigalgstr[0] = (sig >> 8) & 0xff;
 +        sigalgstr[1] = sig & 0xff;
 +        secbits = sigalg_security_bits(s->ctx, lu);
 +        if (secbits == 0 ||
 +            !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
 +                          md != NULL ? EVP_MD_get_type(md) : NID_undef,
 +                          (void *)sigalgstr)) {
 +            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
 +            return 0;
 +        }
     }
     /* Store the sigalg the peer uses */
     s->s3.tmp.peer_sigalg = lu;
@@ -2138,6 +2148,15 @@ static int tls12_sigalg_allowed(const SS
         }
     }
 +    if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
 +            && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)
 +            && SSL_get_security_level(s) < 2) {
 +        /* When rh-allow-sha1-signatures = yes and security level <= 1,
 +         * explicitly allow SHA1 for backwards compatibility. Also allow
 +         * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
 +        return 1;
 +    }
 +
     /* Finally see if security callback allows it */
     secbits = sigalg_security_bits(s->ctx, lu);
     sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
@@ -3007,6 +3026,8 @@ static int ssl_security_cert_sig(SSL *s,
 {
     /* Lookup signature algorithm digest */
     int secbits, nid, pknid;
 +    OSSL_LIB_CTX *libctx = NULL;
 +
     /* Don't check signature if self signed */
     if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
         return 1;
@@ -3015,6 +3036,26 @@ static int ssl_security_cert_sig(SSL *s,
     /* If digest NID not defined use signature NID */
     if (nid == NID_undef)
         nid = pknid;
 +
 +    if (x && x->libctx)
 +        libctx = x->libctx;
 +    else if (ctx && ctx->libctx)
 +        libctx = ctx->libctx;
 +    else if (s && s->ctx && s->ctx->libctx)
 +        libctx = s->ctx->libctx;
 +    else
 +        libctx = OSSL_LIB_CTX_get0_global_default();
 +
 +    if ((nid == NID_sha1 || nid == NID_md5_sha1)
 +            && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
 +            && ((s != NULL && SSL_get_security_level(s) < 2)
 +                || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 2)
 +            ))
 +        /* When rh-allow-sha1-signatures = yes and security level <= 1,
 +         * explicitly allow SHA1 for backwards compatibility. Also allow
 +         * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
 +        return 1;
 +
     if (s)
         return ssl_security(s, op, secbits, nid, x);
     else
 Index: openssl-3.1.4/test/recipes/25-test_verify.t
 ===================================================================
 --- openssl-3.1.4.orig/test/recipes/25-test_verify.t
 +++ openssl-3.1.4/test/recipes/25-test_verify.t
@@ -439,8 +439,8 @@ ok(verify("ee-pss-sha1-cert", "", ["root
 ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ),
     "CA with PSS signature using SHA256");
 -ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
 -    "Reject PSS signature using SHA1 and auth level 1");
 +ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
 +    "Reject PSS signature using SHA1 and auth level 2");
 ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
     "PSS signature using SHA256 and auth level 2");
--- a/openssl-CVE-2023-50782.patch
+++ b/openssl-CVE-2023-50782.patch
--- a/openssl-CVE-2023-5678.patch
+++ b/openssl-CVE-2023-5678.patch
@@ -1,172 +0,0 @@
 From ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6 Mon Sep 17 00:00:00 2001
 From: Richard Levitte <levitte@openssl.org>
 Date: Fri, 20 Oct 2023 09:18:19 +0200
 Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet
 We already check for an excessively large P in DH_generate_key(), but not in
 DH_check_pub_key(), and none of them check for an excessively large Q.
 This change adds all the missing excessive size checks of P and Q.
 It's to be noted that behaviours surrounding excessively sized P and Q
 differ.  DH_check() raises an error on the excessively sized P, but only
 sets a flag for the excessively sized Q.  This behaviour is mimicked in
 DH_check_pub_key().
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 Reviewed-by: Matt Caswell <matt@openssl.org>
 Reviewed-by: Hugo Landau <hlandau@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/22518)
 ---
 crypto/dh/dh_check.c    | 12 ++++++++++++
 crypto/dh/dh_err.c      |  3 ++-
 crypto/dh/dh_key.c      | 12 ++++++++++++
 crypto/err/openssl.txt  |  1 +
 include/crypto/dherr.h  |  2 +-
 include/openssl/dh.h    |  6 +++---
 include/openssl/dherr.h |  3 ++-
 7 files changed, 33 insertions(+), 6 deletions(-)
 diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
 index 7ba2beae7fd6b..e20eb62081c5e 100644
 --- a/crypto/dh/dh_check.c
 +++ b/crypto/dh/dh_check.c
@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key)
  */
 int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
 {
 +    /* Don't do any checks at all with an excessively large modulus */
 +    if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
 +        ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
 +        *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
 +        return 0;
 +    }
 +
 +    if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) {
 +        *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
 +        return 1;
 +    }
 +
     return ossl_ffc_validate_public_key(&dh->params, pub_key, ret);
 }
 diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
 index 4152397426cc9..f76ac0dd1463f 100644
 --- a/crypto/dh/dh_err.c
 +++ b/crypto/dh/dh_err.c
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
 - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
 + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
     "parameter encoding error"},
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
 +    {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
     "unable to check generator"},
 diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
 index d84ea99241b9e..afc49f5cdc87d 100644
 --- a/crypto/dh/dh_key.c
 +++ b/crypto/dh/dh_key.c
@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
         goto err;
     }
 +    if (dh->params.q != NULL
 +        && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
 +        ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
 +        goto err;
 +    }
 +
     if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
         ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
         return 0;
@@ -267,6 +273,12 @@ static int generate_key(DH *dh)
         return 0;
     }
 +    if (dh->params.q != NULL
 +        && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
 +        ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
 +        return 0;
 +    }
 +
     if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
         ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
         return 0;
 diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
 index a1e6bbb617fcb..69e4f61aa1801 100644
 --- a/crypto/err/openssl.txt
 +++ b/crypto/err/openssl.txt
@@ -513,6 +513,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set
 DH_R_NO_PRIVATE_VALUE:100:no private value
 DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
 DH_R_PEER_KEY_ERROR:111:peer key error
 +DH_R_Q_TOO_LARGE:130:q too large
 DH_R_SHARED_INFO_ERROR:113:shared info error
 DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
 DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters
 diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h
 index bb24d131eb887..519327f795742 100644
 --- a/include/crypto/dherr.h
 +++ b/include/crypto/dherr.h
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
 - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
 + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
 diff --git a/include/openssl/dh.h b/include/openssl/dh.h
 index 8bc17448a0817..f1c0ed06b375a 100644
 --- a/include/openssl/dh.h
 +++ b/include/openssl/dh.h
@@ -144,7 +144,7 @@ DECLARE_ASN1_ITEM(DHparams)
 #   define DH_GENERATOR_3          3
 #   define DH_GENERATOR_5          5
 -/* DH_check error codes */
 +/* DH_check error codes, some of them shared with DH_check_pub_key */
 /*
  * NB: These values must align with the equivalently named macros in
  * internal/ffc.h.
@@ -154,10 +154,10 @@ DECLARE_ASN1_ITEM(DHparams)
 #   define DH_UNABLE_TO_CHECK_GENERATOR    0x04
 #   define DH_NOT_SUITABLE_GENERATOR       0x08
 #   define DH_CHECK_Q_NOT_PRIME            0x10
 -#   define DH_CHECK_INVALID_Q_VALUE        0x20
 +#   define DH_CHECK_INVALID_Q_VALUE        0x20 /* +DH_check_pub_key */
 #   define DH_CHECK_INVALID_J_VALUE        0x40
 #   define DH_MODULUS_TOO_SMALL            0x80
 -#   define DH_MODULUS_TOO_LARGE            0x100
 +#   define DH_MODULUS_TOO_LARGE            0x100 /* +DH_check_pub_key */
 /* DH_check_pub_key error codes */
 #   define DH_CHECK_PUBKEY_TOO_SMALL       0x01
 diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
 index 5d2a762a96f8c..074a70145f9f5 100644
 --- a/include/openssl/dherr.h
 +++ b/include/openssl/dherr.h
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
 - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
 + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -50,6 +50,7 @@
 #  define DH_R_NO_PRIVATE_VALUE                            100
 #  define DH_R_PARAMETER_ENCODING_ERROR                    105
 #  define DH_R_PEER_KEY_ERROR                              111
 +#  define DH_R_Q_TOO_LARGE                                 130
 #  define DH_R_SHARED_INFO_ERROR                           113
 #  define DH_R_UNABLE_TO_CHECK_GENERATOR                   121
--- a/openssl-CVE-2023-6129.patch
+++ b/openssl-CVE-2023-6129.patch
@@ -1,109 +0,0 @@
 From 050d26383d4e264966fb83428e72d5d48f402d35 Mon Sep 17 00:00:00 2001
 From: Rohan McLure <rmclure@linux.ibm.com>
 Date: Thu, 4 Jan 2024 10:25:50 +0100
 Subject: [PATCH] poly1305-ppc.pl: Fix vector register clobbering
 Fixes CVE-2023-6129
 The POLY1305 MAC (message authentication code) implementation in OpenSSL for
 PowerPC CPUs saves the the contents of vector registers in different order
 than they are restored. Thus the contents of some of these vector registers
 is corrupted when returning to the caller. The vulnerable code is used only
 on newer PowerPC processors supporting the PowerISA 2.07 instructions.
 Reviewed-by: Matt Caswell <matt@openssl.org>
 Reviewed-by: Richard Levitte <levitte@openssl.org>
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/23200)
 (cherry picked from commit 8d847a3ffd4f0b17ee33962cf69c36224925b34f)
 ---
 crypto/poly1305/asm/poly1305-ppc.pl | 42 ++++++++++++++---------------
 1 file changed, 21 insertions(+), 21 deletions(-)
 diff --git a/crypto/poly1305/asm/poly1305-ppc.pl b/crypto/poly1305/asm/poly1305-ppc.pl
 index 9f86134d923fb..2e601bb9c24be 100755
 --- a/crypto/poly1305/asm/poly1305-ppc.pl
 +++ b/crypto/poly1305/asm/poly1305-ppc.pl
@@ -744,7 +744,7 @@
 my $LOCALS= 6*$SIZE_T;
 my $VSXFRAME = $LOCALS + 6*$SIZE_T;
    $VSXFRAME += 128;	# local variables
 -   $VSXFRAME += 13*16;	# v20-v31 offload
 +   $VSXFRAME += 12*16;	# v20-v31 offload
 my $BIG_ENDIAN = ($flavour !~ /le/) ? 4 : 0;
@@ -919,12 +919,12 @@
 	addi	r11,r11,32
 	stvx	v22,r10,$sp
 	addi	r10,r10,32
 -	stvx	v23,r10,$sp
 -	addi	r10,r10,32
 -	stvx	v24,r11,$sp
 +	stvx	v23,r11,$sp
 	addi	r11,r11,32
 -	stvx	v25,r10,$sp
 +	stvx	v24,r10,$sp
 	addi	r10,r10,32
 +	stvx	v25,r11,$sp
 +	addi	r11,r11,32
 	stvx	v26,r10,$sp
 	addi	r10,r10,32
 	stvx	v27,r11,$sp
@@ -1153,12 +1153,12 @@
 	addi	r11,r11,32
 	stvx	v22,r10,$sp
 	addi	r10,r10,32
 -	stvx	v23,r10,$sp
 -	addi	r10,r10,32
 -	stvx	v24,r11,$sp
 +	stvx	v23,r11,$sp
 	addi	r11,r11,32
 -	stvx	v25,r10,$sp
 +	stvx	v24,r10,$sp
 	addi	r10,r10,32
 +	stvx	v25,r11,$sp
 +	addi	r11,r11,32
 	stvx	v26,r10,$sp
 	addi	r10,r10,32
 	stvx	v27,r11,$sp
@@ -1899,26 +1899,26 @@
 	mtspr	256,r12				# restore vrsave
 	lvx	v20,r10,$sp
 	addi	r10,r10,32
 -	lvx	v21,r10,$sp
 -	addi	r10,r10,32
 -	lvx	v22,r11,$sp
 +	lvx	v21,r11,$sp
 	addi	r11,r11,32
 -	lvx	v23,r10,$sp
 +	lvx	v22,r10,$sp
 	addi	r10,r10,32
 -	lvx	v24,r11,$sp
 +	lvx	v23,r11,$sp
 	addi	r11,r11,32
 -	lvx	v25,r10,$sp
 +	lvx	v24,r10,$sp
 	addi	r10,r10,32
 -	lvx	v26,r11,$sp
 +	lvx	v25,r11,$sp
 	addi	r11,r11,32
 -	lvx	v27,r10,$sp
 +	lvx	v26,r10,$sp
 	addi	r10,r10,32
 -	lvx	v28,r11,$sp
 +	lvx	v27,r11,$sp
 	addi	r11,r11,32
 -	lvx	v29,r10,$sp
 +	lvx	v28,r10,$sp
 	addi	r10,r10,32
 -	lvx	v30,r11,$sp
 -	lvx	v31,r10,$sp
 +	lvx	v29,r11,$sp
 +	addi	r11,r11,32
 +	lvx	v30,r10,$sp
 +	lvx	v31,r11,$sp
 	$POP	r27,`$VSXFRAME-$SIZE_T*5`($sp)
 	$POP	r28,`$VSXFRAME-$SIZE_T*4`($sp)
 	$POP	r29,`$VSXFRAME-$SIZE_T*3`($sp)
--- a/openssl-CVE-2023-6237.patch
+++ b/openssl-CVE-2023-6237.patch
@@ -1,122 +0,0 @@
 From 18c02492138d1eb8b6548cb26e7b625fb2414a2a Mon Sep 17 00:00:00 2001
 From: Tomas Mraz <tomas@openssl.org>
 Date: Fri, 22 Dec 2023 16:25:56 +0100
 Subject: [PATCH] Limit the execution time of RSA public key check
 Fixes CVE-2023-6237
 If a large and incorrect RSA public key is checked with
 EVP_PKEY_public_check() the computation could take very long time
 due to no limit being applied to the RSA public key size and
 unnecessarily high number of Miller-Rabin algorithm rounds
 used for non-primality check of the modulus.
 Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS)
 will fail the check with RSA_R_MODULUS_TOO_LARGE error reason.
 Also the number of Miller-Rabin rounds was set to 5.
 Reviewed-by: Neil Horman <nhorman@openssl.org>
 Reviewed-by: Matt Caswell <matt@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/23243)
 (cherry picked from commit e09fc1d746a4fd15bb5c3d7bbbab950aadd005db)
 ---
 crypto/rsa/rsa_sp800_56b_check.c              |  8 +++-
 test/recipes/91-test_pkey_check.t             |  2 +-
 .../91-test_pkey_check_data/rsapub_17k.pem    | 48 +++++++++++++++++++
 3 files changed, 56 insertions(+), 2 deletions(-)
 create mode 100644 test/recipes/91-test_pkey_check_data/rsapub_17k.pem
 diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c
 index fc8f19b48770b..bcbdd24fb8199 100644
 --- a/crypto/rsa/rsa_sp800_56b_check.c
 +++ b/crypto/rsa/rsa_sp800_56b_check.c
@@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
         return 0;
     nbits = BN_num_bits(rsa->n);
 +    if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) {
 +        ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE);
 +        return 0;
 +    }
 +
 #ifdef FIPS_MODULE
     /*
      * (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1)
@@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
         goto err;
     }
 -    ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, &status);
 +    /* Highest number of MR rounds from FIPS 186-5 Section B.3 Table B.1 */
 +    ret = ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, &status);
 #ifdef FIPS_MODULE
     if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) {
 #else
 diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t
 index dc7cc64533af2..f8088df14d36c 100644
 --- a/test/recipes/91-test_pkey_check.t
 +++ b/test/recipes/91-test_pkey_check.t
@@ -70,7 +70,7 @@ push(@positive_tests, (
     "dhpkey.pem"
     )) unless disabled("dh");
 -my @negative_pubtests = ();
 +my @negative_pubtests = ("rsapub_17k.pem");  # Too big RSA public key
 push(@negative_pubtests, (
     "dsapub_noparam.der"
 diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
 new file mode 100644
 index 0000000000000..9a2eaedaf1b22
 --- /dev/null
 +++ b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
@@ -0,0 +1,48 @@
 +-----BEGIN PUBLIC KEY-----
 +MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR
 +B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph
 +gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2
 +GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/
 +XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj
 +b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2
 +gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq
 +TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1
 +vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0
 +V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j
 +/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH
 +SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa
 +PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y
 +Fmq6ye/r34ekyHPbfn6UuTON7joM6SIXb5bHM64x4iMVWx4hMvDjfy0UqfywAUyu
 +C1o7BExSMxxFG8GJcqR0K8akpPp7EM588PC+YuItoxzXgfUJnP3BQ1Beev2Ve7/J
 +xeGZH0N4ntfr+cuaLAakAER9zDglwChWflw3NNFgIdAgSxXv3XXx5xDXpdP4lxUo
 +F5zAN4Mero3yV90FaJl7Vhq/UFVidbwFc15jUDwaE0mKRcsBeVd3GOhoECAgE0id
 +aIPT20z8oVY0FyTJlRk7QSjo8WjJSrHY/Fn14gctX07ZdfkufyL6w+NijBdYluvB
 +nIrgHEvpkDEWoIa8qcx0EppoIcmqgMV2mTShfFYSybsO33Pm8WXec2FXjwhzs1Pi
 +R/BuIW8rHPI67xqWm0h8dEw11vtfi9a/BBBikFHe59KBjMTG+lW/gADNvRoTzGh7
 +kN4+UVDS3jlSisRZZOn1XoeQtpubNYWgUsecjKy45IwIj8h1SHgn3wkmUesY0woN
 +mOdoNtq+NezN4RFtbCOHhxFVpKKDi/HQP2ro0ykkXMDjwEIVf2Lii1Mg9UP8m+Ux
 +AOqkTrIkdogkRx+70h7/wUOfDIFUq2JbKzqxJYamyEphcdAko7/B8efQKc61Z93O
 +f2SHa4++4WI7wIIx18v5KV4M/cRmrfc8w9WRkQN3gBT5AJMuqwcSHVXBWvNQeGmi
 +ScMh7X6cCZ0daEujqb8svq4WgsJ8UT4GaGBRIYtt7QUKEh+JQwNJzneRYZ3pzpaH
 +UJeeoYobMlkp3rM9cYzdq90nBQiI9Jsbim9m9ggb2dMOS5CsI9S/IuG2O5uTjfxx
 +wkwsd5nLDFtNXHYZ7W6XlVJ1Rc6zShnEmdCn3mmibb6OaMUmun2yl9ryEjVSoXLP
 +fSA8W9K9yNhKTRkzdXJfqlC+s/ovX2xBGxsuOoUDaXhRVz0qmpKIHeSFjIP4iXq4
 +y8gDiwvM3HbZfvVonbg6siPwpn4uvw3hesojk1DKAENS52i6U3uK2fs1ALVxsFNS
 +Yh914rDu0Q3e4RXVhURaYzoEbLCot6WGYeCCfQOK0rkETMv+sTYYscC8/THuW7SL
 +HG5zy9Ed95N1Xmf8J+My7gM7ZFodGdHsWvdzEmqsdOFh6IVx/VfHFX0MDBq0t6lZ
 +eRvVgVCfu3gkYLwPScn/04E02vOom51ISKHsF/I11erC66jjNYV9BSpH8O7sAHxZ
 +EmPT2ZVVRSgivOHdQW/FZ3UZQQhVaVSympo2Eb4yWEMFn84Q8T+9Honj6gnB5PXz
 +chmeCsOMlcg1mwWwhn0k+OAWEZy7VRUk5Ahp0fBAGJgwBdqrZ3kM356DjUkVBiYq
 +4eHyvafNKmjf2mnFsI3g2NKRNyl1Lh63wyCFx60yYvBUfXF/W9PFJbD9CiP83kEW
 +gV36gxTsbOSfhpO1OXR90ODy0kx06XzWmJCUugK8u9bx4F/CjV+LIHExuNJiethC
 +A8sIup/MT0fWp4RO/SsVblGqfoqJTaPnhptQzeH2N07pbWkxeMuL6ppPuwFmfVjK
 +FJndqCVrAukcPEOQ16iVURuloJMudqYRc9QKkJFsnv0W/iMNbqQGmXe8Q/5qFiys
 +26NIQBiE2ad9hNLnoccEnmYSRgnW3ZPSKuq5TDdYyDqTZH2r8cam65pr3beKw2XC
 +xw4cc7VaxiwGC2Mg2wRmwwPaTjrcEt6sMa3RjwFEVBxBFyM26wnTEZsTBquCxV0J
 +pgERaeplkixP2Q0m7XAdlDaob973SM2vOoUgypzDchWmpx7u775bnOfU5CihwXl+
 +k0i09WZuT8bPmhEAiGCw5sNzMkz1BC2cCZFfJIkE2vc/wXYOrGxBTJo0EKaUFswa
 +2dnP/u0bn+VksBUM7ywW9LJSXh4mN+tpzdeJtxEObKwX1I0dQxSPWmjd2++wMr9q
 +Unre5fCrDToy2H7C2VKSpuOCT2/Kv4JDQRWwI4KxQOpn0UknAGNmfBoTtpIZ3LEb
 +77oBUJdMQD7tQBBLL0a6f1TdK0dHVprWWawJ+gGFMiMQXqAqblHcxFKWuHv9bQID
 +AQAB
 +-----END PUBLIC KEY-----
--- a/openssl-CVE-2024-0727.patch
+++ b/openssl-CVE-2024-0727.patch
@@ -1,120 +0,0 @@
 From 09df4395b5071217b76dc7d3d2e630eb8c5a79c2 Mon Sep 17 00:00:00 2001
 From: Matt Caswell <matt@openssl.org>
 Date: Fri, 19 Jan 2024 11:28:58 +0000
 Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL
 PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
 optional and can be NULL even if the "type" is a valid value. OpenSSL
 was not properly accounting for this and a NULL dereference can occur
 causing a crash.
 CVE-2024-0727
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 Reviewed-by: Hugo Landau <hlandau@openssl.org>
 Reviewed-by: Neil Horman <nhorman@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/23362)
 (cherry picked from commit d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)
 ---
 crypto/pkcs12/p12_add.c  | 18 ++++++++++++++++++
 crypto/pkcs12/p12_mutl.c |  5 +++++
 crypto/pkcs12/p12_npas.c |  5 +++--
 crypto/pkcs7/pk7_mime.c  |  7 +++++--
 4 files changed, 31 insertions(+), 4 deletions(-)
 diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c
 index 6fd4184af5a52..80ce31b3bca66 100644
 --- a/crypto/pkcs12/p12_add.c
 +++ b/crypto/pkcs12/p12_add.c
@@ -78,6 +78,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7)
         ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA);
         return NULL;
     }
 +
 +    if (p7->d.data == NULL) {
 +        ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
 +        return NULL;
 +    }
 +
     return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
 }
@@ -150,6 +156,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass,
 {
     if (!PKCS7_type_is_encrypted(p7))
         return NULL;
 +
 +    if (p7->d.encrypted == NULL) {
 +        ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
 +        return NULL;
 +    }
 +
     return PKCS12_item_decrypt_d2i_ex(p7->d.encrypted->enc_data->algorithm,
                                    ASN1_ITEM_rptr(PKCS12_SAFEBAGS),
                                    pass, passlen,
@@ -188,6 +200,12 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12)
         ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA);
         return NULL;
     }
 +
 +    if (p12->authsafes->d.data == NULL) {
 +        ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
 +        return NULL;
 +    }
 +
     p7s = ASN1_item_unpack(p12->authsafes->d.data,
                            ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
     if (p7s != NULL) {
 diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
 index 67a885a45f89e..68ff54d0e90ee 100644
 --- a/crypto/pkcs12/p12_mutl.c
 +++ b/crypto/pkcs12/p12_mutl.c
@@ -98,6 +98,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
         return 0;
     }
 +    if (p12->authsafes->d.data == NULL) {
 +        ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
 +        return 0;
 +    }
 +
     salt = p12->mac->salt->data;
     saltlen = p12->mac->salt->length;
     if (p12->mac->iter == NULL)
 diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c
 index 62230bc6187ff..1e5b5495991a4 100644
 --- a/crypto/pkcs12/p12_npas.c
 +++ b/crypto/pkcs12/p12_npas.c
@@ -77,8 +77,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass)
             bags = PKCS12_unpack_p7data(p7);
         } else if (bagnid == NID_pkcs7_encrypted) {
             bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
 -            if (!alg_get(p7->d.encrypted->enc_data->algorithm,
 -                         &pbe_nid, &pbe_iter, &pbe_saltlen))
 +            if (p7->d.encrypted == NULL
 +                    || !alg_get(p7->d.encrypted->enc_data->algorithm,
 +                                &pbe_nid, &pbe_iter, &pbe_saltlen))
                 goto err;
         } else {
             continue;
 diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c
 index 49a0da5f819c4..8228315eeaa3a 100644
 --- a/crypto/pkcs7/pk7_mime.c
 +++ b/crypto/pkcs7/pk7_mime.c
@@ -33,10 +33,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
     int ctype_nid = OBJ_obj2nid(p7->type);
     const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7);
 -    if (ctype_nid == NID_pkcs7_signed)
 +    if (ctype_nid == NID_pkcs7_signed) {
 +        if (p7->d.sign == NULL)
 +            return 0;
         mdalgs = p7->d.sign->md_algs;
 -    else
 +    } else {
         mdalgs = NULL;
 +    }
     flags ^= SMIME_OLDMIME;
--- a/openssl-CVE-2024-2511.patch
+++ b/openssl-CVE-2024-2511.patch
@@ -1,116 +0,0 @@
 From 7e4d731b1c07201ad9374c1cd9ac5263bdf35bce Mon Sep 17 00:00:00 2001
 From: Matt Caswell <matt@openssl.org>
 Date: Tue, 5 Mar 2024 15:43:53 +0000
 Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3
 In TLSv1.3 we create a new session object for each ticket that we send.
 We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
 use then the new session will be added to the session cache. However, if
 early data is not in use (and therefore anti-replay protection is being
 used), then multiple threads could be resuming from the same session
 simultaneously. If this happens and a problem occurs on one of the threads,
 then the original session object could be marked as not_resumable. When we
 duplicate the session object this not_resumable status gets copied into the
 new session object. The new session object is then added to the session
 cache even though it is not_resumable.
 Subsequently, another bug means that the session_id_length is set to 0 for
 sessions that are marked as not_resumable - even though that session is
 still in the cache. Once this happens the session can never be removed from
 the cache. When that object gets to be the session cache tail object the
 cache never shrinks again and grows indefinitely.
 CVE-2024-2511
 Reviewed-by: Neil Horman <nhorman@openssl.org>
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/24044)
 ---
 ssl/ssl_lib.c            |  5 +++--
 ssl/ssl_sess.c           | 28 ++++++++++++++++++++++------
 ssl/statem/statem_srvr.c |  5 ++---
 3 files changed, 27 insertions(+), 11 deletions(-)
 diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
 index b5cc4af2f0302..e747b7f90aa71 100644
 --- a/ssl/ssl_lib.c
 +++ b/ssl/ssl_lib.c
@@ -3737,9 +3737,10 @@ void ssl_update_cache(SSL *s, int mode)
     /*
      * If the session_id_length is 0, we are not supposed to cache it, and it
 -     * would be rather hard to do anyway :-)
 +     * would be rather hard to do anyway :-). Also if the session has already
 +     * been marked as not_resumable we should not cache it for later reuse.
      */
 -    if (s->session->session_id_length == 0)
 +    if (s->session->session_id_length == 0 || s->session->not_resumable)
         return;
     /*
 diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
 index bf84e792251b8..241cf43c46296 100644
 --- a/ssl/ssl_sess.c
 +++ b/ssl/ssl_sess.c
@@ -154,16 +154,11 @@ SSL_SESSION *SSL_SESSION_new(void)
     return ss;
 }
 -SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
 -{
 -    return ssl_session_dup(src, 1);
 -}
 -
 /*
  * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
  * ticket == 0 then no ticket information is duplicated, otherwise it is.
  */
 -SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
 +static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket)
 {
     SSL_SESSION *dest;
@@ -287,6 +282,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
     return NULL;
 }
 +SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
 +{
 +    return ssl_session_dup_intern(src, 1);
 +}
 +
 +/*
 + * Used internally when duplicating a session which might be already shared.
 + * We will have resumed the original session. Subsequently we might have marked
 + * it as non-resumable (e.g. in another thread) - but this copy should be ok to
 + * resume from.
 + */
 +SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
 +{
 +    SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
 +
 +    if (sess != NULL)
 +        sess->not_resumable = 0;
 +
 +    return sess;
 +}
 +
 const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
 {
     if (len)
 diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
 index 5d59d53563ed8..8e493176f658e 100644
 --- a/ssl/statem/statem_srvr.c
 +++ b/ssl/statem/statem_srvr.c
@@ -2338,9 +2338,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
      * so the following won't overwrite an ID that we're supposed
      * to send back.
      */
 -    if (s->session->not_resumable ||
 -        (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
 -         && !s->hit))
 +    if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
 +            && !s->hit)
         s->session->session_id_length = 0;
     if (usetls13) {
--- a/openssl-CVE-2024-41996.patch
+++ b/openssl-CVE-2024-41996.patch
@@ -1,41 +0,0 @@
 From e70e34d857d4003199bcb5d3b52ca8102ccc1b98 Mon Sep 17 00:00:00 2001
 From: Tomas Mraz <tomas@openssl.org>
 Date: Mon, 5 Aug 2024 17:54:14 +0200
 Subject: [PATCH] dh_kmgmt.c: Avoid expensive public key validation for known
 safe-prime groups
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 The partial validation is fully sufficient to check the key validity.
 Thanks to Szilárd Pfeiffer for reporting the issue.
 Reviewed-by: Neil Horman <nhorman@openssl.org>
 Reviewed-by: Matt Caswell <matt@openssl.org>
 Reviewed-by: Paul Dale <ppzgs1@gmail.com>
 (Merged from https://github.com/openssl/openssl/pull/25088)
 ---
 providers/implementations/keymgmt/dh_kmgmt.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
 diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
 index 82c3093b122c2..ebdce767102ee 100644
 --- a/providers/implementations/keymgmt/dh_kmgmt.c
 +++ b/providers/implementations/keymgmt/dh_kmgmt.c
@@ -388,9 +388,11 @@ static int dh_validate_public(const DH *dh, int checktype)
     if (pub_key == NULL)
         return 0;
 -    /* The partial test is only valid for named group's with q = (p - 1) / 2 */
 -    if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK
 -        && ossl_dh_is_named_safe_prime_group(dh))
 +    /*
 +     * The partial test is only valid for named group's with q = (p - 1) / 2
 +     * but for that case it is also fully sufficient to check the key validity.
 +     */
 +    if (ossl_dh_is_named_safe_prime_group(dh))
         return ossl_dh_check_pub_key_partial(dh, pub_key, &res);
     return DH_check_pub_key_ex(dh, pub_key);
--- a/openssl-CVE-2024-4603.patch
+++ b/openssl-CVE-2024-4603.patch
@@ -1,199 +0,0 @@
 From 9c39b3858091c152f52513c066ff2c5a47969f0d Mon Sep 17 00:00:00 2001
 From: Tomas Mraz <tomas@openssl.org>
 Date: Wed, 8 May 2024 15:23:45 +0200
 Subject: [PATCH] Check DSA parameters for excessive sizes before validating
 This avoids overly long computation of various validation
 checks.
 Fixes CVE-2024-4603
 Reviewed-by: Paul Dale <ppzgs1@gmail.com>
 Reviewed-by: Matt Caswell <matt@openssl.org>
 Reviewed-by: Neil Horman <nhorman@openssl.org>
 Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
 (Merged from https://github.com/openssl/openssl/pull/24346)
 (cherry picked from commit 85ccbab216da245cf9a6503dd327072f21950d9b)
 ---
 CHANGES.md                                    | 17 ++++++
 crypto/dsa/dsa_check.c                        | 44 ++++++++++++--
 .../invalid/p10240_q256_too_big.pem           | 57 +++++++++++++++++++
 3 files changed, 114 insertions(+), 4 deletions(-)
 create mode 100644 test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
 Index: openssl-3.1.4/crypto/dsa/dsa_check.c
 ===================================================================
 --- openssl-3.1.4.orig/crypto/dsa/dsa_check.c
 +++ openssl-3.1.4/crypto/dsa/dsa_check.c
@@ -19,8 +19,34 @@
 #include "dsa_local.h"
 #include "crypto/dsa.h"
 +static int dsa_precheck_params(const DSA *dsa, int *ret)
 +{
 +    if (dsa->params.p == NULL || dsa->params.q == NULL) {
 +        ERR_raise(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS);
 +        *ret = FFC_CHECK_INVALID_PQ;
 +        return 0;
 +    }
 +
 +    if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
 +        ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE);
 +        *ret = FFC_CHECK_INVALID_PQ;
 +        return 0;
 +    }
 +
 +    if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) {
 +        ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE);
 +        *ret = FFC_CHECK_INVALID_PQ;
 +        return 0;
 +    }
 +
 +    return 1;
 +}
 +
 int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
 {
 +    if (!dsa_precheck_params(dsa, ret))
 +        return 0;
 +
     if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK)
         return ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params,
                                                FFC_PARAM_TYPE_DSA, ret);
@@ -39,6 +65,9 @@ int ossl_dsa_check_params(const DSA *dsa
  */
 int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
 {
 +    if (!dsa_precheck_params(dsa, ret))
 +        return 0;
 +
     return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret)
            && *ret == 0;
 }
@@ -50,6 +79,9 @@ int ossl_dsa_check_pub_key(const DSA *ds
  */
 int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret)
 {
 +    if (!dsa_precheck_params(dsa, ret))
 +        return 0;
 +
     return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret)
            && *ret == 0;
 }
@@ -58,8 +90,10 @@ int ossl_dsa_check_priv_key(const DSA *d
 {
     *ret = 0;
 -    return (dsa->params.q != NULL
 -            && ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret));
 +    if (!dsa_precheck_params(dsa, ret))
 +        return 0;
 +
 +    return ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret);
 }
 /*
@@ -72,8 +106,10 @@ int ossl_dsa_check_pairwise(const DSA *d
     BN_CTX *ctx = NULL;
     BIGNUM *pub_key = NULL;
 -    if (dsa->params.p == NULL
 -        || dsa->params.g == NULL
 +    if (!dsa_precheck_params(dsa, &ret))
 +        return 0;
 +
 +    if (dsa->params.g == NULL
         || dsa->priv_key == NULL
         || dsa->pub_key == NULL)
         return 0;
 Index: openssl-3.1.4/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
 ===================================================================
 --- /dev/null
 +++ openssl-3.1.4/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
@@ -0,0 +1,57 @@
 +-----BEGIN DSA PARAMETERS-----
 +MIIKLAKCBQEAym47LzPFZdbz16WvjczLKuzLtsP8yRk/exxL4bBthJhP1qOwctja
 +p1586SF7gDxCMn7yWVEYdfRbFefGoq0gj1XOE917XqlbnkmZhMgxut2KbNJo/xil
 +XNFUjGvKs3F413U9rAodC8f07cWHP1iTcWL+vPe6u2yilKWYYfnLWHQH+Z6aPrrF
 +x/R08LI6DZ6nEsIo+hxaQnEtx+iqNTJC6Q1RIjWDqxQkFVTkJ0Y7miRDXmRdneWk
 +oLrMZRpaXr5l5tSjEghh1pBgJcdyOv0lh4dlDy/alAiqE2Qlb667yHl6A9dDPlpW
 +dAntpffy4LwOxfbuEhISvKjjQoBwIvYE4TBPqL0Q6bC6HgQ4+tqd9b44pQjdIQjb
 +Xcjc6azheITSnPEex3OdKtKoQeRq01qCeLBpMXu1c+CTf4ApKArZvT3vZSg0hM1O
 +pR71bRZrEEegDj0LH2HCgI5W6H3blOS9A0kUTddCoQXr2lsVdiPtRbPKH1gcd9FQ
 +P8cGrvbakpTiC0dCczOMDaCteM1QNILlkM7ZoV6VghsKvDnFPxFsiIr5GgjasXP5
 +hhbn3g7sDoq1LiTEo+IKQY28pBWx7etSOSRuXW/spnvCkivZla7lSEGljoy9QlQ2
 +UZmsEQI9G3YyzgpxHvKZBK1CiZVTywdYKTZ4TYCxvqzhYhjv2bqbpjI12HRFLojB
 +koyEmMSp53lldCzp158PrIanqSp2rksMR8SmmCL3FwfAp2OjqFMEglG9DT8x0WaN
 +TLSkjGC6t2csMte7WyU1ekNoFDKfMjDSAz0+xIx21DEmZtYqFOg1DNPK1xYLS0pl
 +RSMRRkJVN2mk/G7/1oxlB8Wb9wgi3GKUqqCYT11SnBjzq0NdoJ3E4GMedp5Lx3AZ
 +4mFuRPUd4iV86tE0XDSHSFE7Y3ZkrOjD7Q/26/L53L/UH5z4HW6CHP5os7QERJjg
 +c1S3x87wXWo9QXbB9b2xmf+c+aWwAAr1cviw38tru58jF3/IGyduj9H8claKQqBG
 +cIOUF4aNe1hK2K3ArAOApUxr4KE+tCvrltRfiTmVFip0g9Jt1CPY3Zu7Bd4Z2ZkE
 +DtSztpwa49HrWF5E9xpquvBL2U8jQ68E7Xd8Wp4orI/TIChriamBmdkgRz3H2LvN
 +Ozb6+hsnEGrz3sp2RVAToSqA9ysa6nHZdfufPNtMEbQdO/k1ehmGRb0ljBRsO6b2
 +rsG2eYuC8tg8eCrIkua0TGRI7g6a4K32AJdzaX6NsISaaIW+OYJuoDSscvD3oOg8
 +PPEhU+zM7xJskTA+jxvPlikKx8V7MNHOCQECldJlUBwzJvqp40JvwfnDsF+8VYwd
 +UaiieR3pzMzyTjpReXRmZbnRPusRcsVzxb2OhB79wmuy4UPjjQBX+7eD0rs8xxvW
 +5a5q1Cjq4AvbwmmcA/wDrHDOjcbD/zodad2O1QtBWa/R4xyWea4zKsflgACE1zY9
 +wW2br7+YQFekcrXkkkEzgxd6zxv8KVEDpXRZjmAM1cI5LvkoN64To4GedN8Qe/G7
 +R9SZh9gnS17PTP64hK+aYqhFafMdu87q/+qLfxaSux727qE5hiW01u4nnWhACf9s
 +xuOozowKqxZxkolMIyZv6Lddwy1Zv5qjCyd0DvM/1skpXWkb9kfabYC+OhjsjVhs
 +0Ktfs6a5B3eixiw5x94hhIcTEcS4hmvhGUL72FiTca6ZeSERTKmNBy8CIQC9/ZUN
 +uU/V5JTcnYyUGHzm7+XcZBjyGBagBj9rCmW3SQKCBQAJ/k9rb39f1cO+/3XDEMjy
 +9bIEXSuS48g5RAc1UGd5nrrBQwuDxGWFyz0yvAY7LgyidZuJS21+MAp9EY7AOMmx
 +TDttifNaBJYt4GZ8of166PcqTKkHQwq5uBpxeSDv/ZE8YbYfaCtLTcUC8KlO+l36
 +gjJHSkdkflSsGy1yObSNDQDfVAAwQs//TjDMnuEtvlNXZllsTvFFBceXVETn10K2
 +ZMmdSIJNfLnjReUKEN6PfeGqv7F4xoyGwUybEfRE4u5RmXrqCODaIjY3SNMrOq8B
 +R3Ata/cCozsM1jIdIW2z+OybDJH+BYsYm2nkSZQjZS6javTYClLrntEKG/hAQwL8
 +F16YLOQXpHhgiAaWnTZzANtLppB2+5qCVy5ElzKongOwT8JTjTFXOaRnqe/ngm9W
 +SSbrxfDaoWUOyK9XD8Cydzpv3n4Y8nWNGayi7/yAFCU36Ri040ufgv/TZLuKacnl
 ++3ga3ZUpRlSigzx0kb1+KjTSWeQ8vE/psdWjvBukVEbzdUauMLyRLo/6znSVvvPX
 +UGhviThE5uhrsUg+wEPFINriSHfF7JDKVhDcJnLBdaXvfN52pkF/naLBF5Rt3Gvq
 +fjCxjx0Sy9Lag1hDN4dor7dzuO7wmwOS01DJW1PtNLuuH0Bbqh1kYSaQkmyXBZWX
 +qo8K3nkoDM0niOtJJubOhTNrGmSaZpNXkK3Mcy9rBbdvEs5O0Jmqaax/eOdU0Yot
 +B3lX+3ddOseT2ZEFjzObqTtkWuFBeBxuYNcRTsu3qMdIBsEb8URQdsTtjoIja2fK
 +hreVgjK36GW70KXEl8V/vq5qjQulmqkBEjmilcDuiREKqQuyeagUOnhQaBplqVco
 +4xznh5DMBMRbpGb5lHxKv4cPNi+uNAJ5i98zWUM1JRt6aXnRCuWcll1z8fRZ+5kD
 +vK9FaZU3VRMK/eknEG49cGr8OuJ6ZRSaC+tKwV1y+amkSZpKPWnk2bUnQI3ApJv3
 +k1e1EToeECpMUkLMDgNbpKBoz4nqMEvAAlYgw9xKNbLlQlahqTVEAmaJHh4yDMDy
 +i7IZ9Wrn47IGoR7s3cvhDHUpRPeW4nsmgzj+tf5EAxemI61STZJTTWo0iaPGJxct
 +9nhOOhw1I38Mvm4vkAbFH7YJ0B6QrjjYL2MbOTp5JiIh4vdOeWwNo9/y4ffyaN5+
 +ADpxuuIAmcbdr6GPOhkOFFixRJa0B2eP1i032HESlLs8RB9oYtdTXdXQotnIgJGd
 +Y8tSKOa1zjzeLHn3AVpRZTUW++/BxmApV3GKIeG8fsUjg/df0QRrBcdC/1uccdaG
 +KKlAOwlywVn5jUlwHkTmDiTM9w5AqVVGHZ2b+4ZgQW8jnPKN0SrKf6U555D+zp7E
 +x4uXoE8ojN9y8m8UKf0cTLnujH2XgZorjPfuMOt5VZEhQFMS2QaljSeni5CJJ8gk
 +XtztNqfBlAtWR4V5iAHeQOfIB2YaOy8GESda89tyKraKeaez41VblpTVHTeq9IIF
 +YB4cQA2PfuNaGVRGLMAgT3Dvl+mxxxeJyxnGAiUcETU/jJJt9QombiuszBlYGQ5d
 +ELOSm/eQSRARV9zNSt5jaQlMSjMBqenIEM09BzYqa7jDwqoztFxNdO8bcuQPuKwa
 +4z3bBZ1yYm63WFdNbQqqGEwc0OYmqg1raJ0zltgHyjFyw8IGu4g/wETs+nVQcH7D
 +vKuje86bePD6kD/LH3wmkA==
 +-----END DSA PARAMETERS-----
 Index: openssl-3.1.4/CHANGES.md
 ===================================================================
 --- openssl-3.1.4.orig/CHANGES.md
 +++ openssl-3.1.4/CHANGES.md
@@ -22,6 +22,23 @@ OpenSSL Releases
 OpenSSL 3.1
 -----------
 + * Fixed an issue where checking excessively long DSA keys or parameters may
 +   be very slow.
 +
 +   Applications that use the functions EVP_PKEY_param_check() or
 +   EVP_PKEY_public_check() to check a DSA public key or DSA parameters may
 +   experience long delays. Where the key or parameters that are being checked
 +   have been obtained from an untrusted source this may lead to a Denial of
 +   Service.
 +
 +   To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS
 +   will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error
 +   reason.
 +
 +   ([CVE-2024-4603])
 +
 +   *Tomáš Mráz*
 +
 ### Changes between 3.1.3 and 3.1.4 [24 Oct 2023]
  * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(),
--- a/openssl-CVE-2024-4741.patch
+++ b/openssl-CVE-2024-4741.patch
@@ -1,28 +0,0 @@
@@ -, +, @@ 
 ---
 ssl/record/methods/tls_common.c | 8 ++++++++
 1 file changed, 8 insertions(+)
 --- openssl-3.0.8/ssl/record/ssl3_buffer.c	
 +++ openssl-3.0.8/ssl/record/ssl3_buffer.c	
@@ -186,5 +186,7 @@ int ssl3_release_read_buffer(SSL *s)
         OPENSSL_cleanse(b->buf, b->len);
     OPENSSL_free(b->buf);
     b->buf = NULL;
 +    s->rlayer.packet = NULL;
 +    s->rlayer.packet_length = 0;
     return 1;
 }
 --- openssl-3.0.8/ssl/record/rec_layer_s3.c	
 +++ openssl-3.0.8/ssl/record/rec_layer_s3.c	
@@ -238,6 +238,11 @@ int ssl3_read_n(SSL *s, size_t n, size_t
         s->rlayer.packet_length = 0;
         /* ... now we can act as if 'extend' was set */
     }
 +    if (!ossl_assert(s->rlayer.packet != NULL)) {
 +        /* does not happen */
 +        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
 +        return -1;
 +    }
     len = s->rlayer.packet_length;
     pkt = rb->buf + align;
--- a/openssl-CVE-2024-5535.patch
+++ b/openssl-CVE-2024-5535.patch
@@ -1,326 +0,0 @@
 From 4ada436a1946cbb24db5ab4ca082b69c1bc10f37 Mon Sep 17 00:00:00 2001
 From: Matt Caswell <matt@openssl.org>
 Date: Fri, 31 May 2024 11:14:33 +0100
 Subject: [PATCH] Fix SSL_select_next_proto
 Ensure that the provided client list is non-NULL and starts with a valid
 entry. When called from the ALPN callback the client list should already
 have been validated by OpenSSL so this should not cause a problem. When
 called from the NPN callback the client list is locally configured and
 will not have already been validated. Therefore SSL_select_next_proto
 should not assume that it is correctly formatted.
 We implement stricter checking of the client protocol list. We also do the
 same for the server list while we are about it.
 CVE-2024-5535
 Reviewed-by: Neil Horman <nhorman@openssl.org>
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/24718)
 ---
 ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++-------------------
 1 file changed, 40 insertions(+), 23 deletions(-)
 diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
 index 5493d9b9c7..f218dcf1db 100644
 --- a/ssl/ssl_lib.c
 +++ b/ssl/ssl_lib.c
@@ -2953,37 +2953,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
                           unsigned int server_len,
                           const unsigned char *client, unsigned int client_len)
 {
 -    unsigned int i, j;
 -    const unsigned char *result;
 -    int status = OPENSSL_NPN_UNSUPPORTED;
 +    PACKET cpkt, csubpkt, spkt, ssubpkt;
 +
 +    if (!PACKET_buf_init(&cpkt, client, client_len)
 +            || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
 +            || PACKET_remaining(&csubpkt) == 0) {
 +        *out = NULL;
 +        *outlen = 0;
 +        return OPENSSL_NPN_NO_OVERLAP;
 +    }
 +
 +    /*
 +     * Set the default opportunistic protocol. Will be overwritten if we find
 +     * a match.
 +     */
 +    *out = (unsigned char *)PACKET_data(&csubpkt);
 +    *outlen = (unsigned char)PACKET_remaining(&csubpkt);
     /*
      * For each protocol in server preference order, see if we support it.
      */
 -    for (i = 0; i < server_len;) {
 -        for (j = 0; j < client_len;) {
 -            if (server[i] == client[j] &&
 -                memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
 -                /* We found a match */
 -                result = &server[i];
 -                status = OPENSSL_NPN_NEGOTIATED;
 -                goto found;
 +    if (PACKET_buf_init(&spkt, server, server_len)) {
 +        while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
 +            if (PACKET_remaining(&ssubpkt) == 0)
 +                continue; /* Invalid - ignore it */
 +            if (PACKET_buf_init(&cpkt, client, client_len)) {
 +                while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
 +                    if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
 +                                     PACKET_remaining(&ssubpkt))) {
 +                        /* We found a match */
 +                        *out = (unsigned char *)PACKET_data(&ssubpkt);
 +                        *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
 +                        return OPENSSL_NPN_NEGOTIATED;
 +                    }
 +                }
 +                /* Ignore spurious trailing bytes in the client list */
 +            } else {
 +                /* This should never happen */
 +                return OPENSSL_NPN_NO_OVERLAP;
             }
 -            j += client[j];
 -            j++;
         }
 -        i += server[i];
 -        i++;
 +        /* Ignore spurious trailing bytes in the server list */
     }
 -    /* There's no overlap between our protocols and the server's list. */
 -    result = client;
 -    status = OPENSSL_NPN_NO_OVERLAP;
 -
 - found:
 -    *out = (unsigned char *)result + 1;
 -    *outlen = result[0];
 -    return status;
 +    /*
 +     * There's no overlap between our protocols and the server's list. We use
 +     * the default opportunistic protocol selected earlier
 +     */
 +    return OPENSSL_NPN_NO_OVERLAP;
 }
 #ifndef OPENSSL_NO_NEXTPROTONEG
 -- 
 2.45.2
 From 4279c89a726025c758db3dafb263b17e52211304 Mon Sep 17 00:00:00 2001
 From: Matt Caswell <matt@openssl.org>
 Date: Fri, 31 May 2024 11:18:27 +0100
 Subject: [PATCH] More correctly handle a selected_len of 0 when
 processing NPN
 In the case where the NPN callback returns with SSL_TLEXT_ERR_OK, but
 the selected_len is 0 we should fail. Previously this would fail with an
 internal_error alert because calling OPENSSL_malloc(selected_len) will
 return NULL when selected_len is 0. We make this error detection more
 explicit and return a handshake failure alert.
 Follow on from CVE-2024-5535
 Reviewed-by: Neil Horman <nhorman@openssl.org>
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/24718)
 ---
 ssl/statem/extensions_clnt.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
 index 842be0722b..a07dc62e9a 100644
 --- a/ssl/statem/extensions_clnt.c
 +++ b/ssl/statem/extensions_clnt.c
@@ -1536,7 +1536,8 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                                   PACKET_data(pkt),
                                   PACKET_remaining(pkt),
                                   s->ctx->ext.npn_select_cb_arg) !=
 -             SSL_TLSEXT_ERR_OK) {
 +                                  SSL_TLSEXT_ERR_OK
 +            || selected_len == 0) {
         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
         return 0;
     }
 -- 
 2.45.2
 From 889ed19ba25abebd2690997acd6d4791cbe5c493 Mon Sep 17 00:00:00 2001
 From: Matt Caswell <matt@openssl.org>
 Date: Fri, 31 May 2024 11:46:38 +0100
 Subject: [PATCH] Clarify the SSL_select_next_proto() documentation
 We clarify the input preconditions and the expected behaviour in the event
 of no overlap.
 Follow on from CVE-2024-5535
 Reviewed-by: Neil Horman <nhorman@openssl.org>
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/24718)
 ---
 doc/man3/SSL_CTX_set_alpn_select_cb.pod | 26 +++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)
 diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
 index 102e657851..a29557dd91 100644
 --- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod
 +++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
 SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to
 set the list of protocols available to be negotiated. The B<protos> must be in
 protocol-list format, described below. The length of B<protos> is specified in
 -B<protos_len>.
 +B<protos_len>. Setting B<protos_len> to 0 clears any existing list of ALPN
 +protocols and no ALPN extension will be sent to the server.
 SSL_CTX_set_alpn_select_cb() sets the application callback B<cb> used by a
 server to select which protocol to use for the incoming connection. When B<cb>
@@ -73,9 +74,16 @@ B<server_len> and B<client>, B<client_len> must be in the protocol-list format
 described below. The first item in the B<server>, B<server_len> list that
 matches an item in the B<client>, B<client_len> list is selected, and returned
 in B<out>, B<outlen>. The B<out> value will point into either B<server> or
 -B<client>, so it should be copied immediately. If no match is found, the first
 -item in B<client>, B<client_len> is returned in B<out>, B<outlen>. This
 -function can also be used in the NPN callback.
 +B<client>, so it should be copied immediately. The client list must include at
 +least one valid (nonempty) protocol entry in the list.
 +
 +The SSL_select_next_proto() helper function can be useful from either the ALPN
 +callback or the NPN callback (described below). If no match is found, the first
 +item in B<client>, B<client_len> is returned in B<out>, B<outlen> and
 +B<OPENSSL_NPN_NO_OVERLAP> is returned. This can be useful when implementating
 +the NPN callback. In the ALPN case, the value returned in B<out> and B<outlen>
 +must be ignored if B<OPENSSL_NPN_NO_OVERLAP> has been returned from
 +SSL_select_next_proto().
 SSL_CTX_set_next_proto_select_cb() sets a callback B<cb> that is called when a
 client needs to select a protocol from the server's provided list, and a
@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B<in>).
 The length of the protocol name must be written into B<outlen>. The
 server's advertised protocols are provided in B<in> and B<inlen>. The
 callback can assume that B<in> is syntactically valid. The client must
 -select a protocol. It is fatal to the connection if this callback returns
 -a value other than B<SSL_TLSEXT_ERR_OK>. The B<arg> parameter is the pointer
 -set via SSL_CTX_set_next_proto_select_cb().
 +select a protocol (although it may be an empty, zero length protocol). It is
 +fatal to the connection if this callback returns a value other than
 +B<SSL_TLSEXT_ERR_OK> or if the zero length protocol is selected. The B<arg>
 +parameter is the pointer set via SSL_CTX_set_next_proto_select_cb().
 SSL_CTX_set_next_protos_advertised_cb() sets a callback B<cb> that is called
 when a TLS server needs a list of supported protocols for Next Protocol
@@ -149,7 +158,8 @@ A match was found and is returned in B<out>, B<outlen>.
 =item OPENSSL_NPN_NO_OVERLAP
 No match was found. The first item in B<client>, B<client_len> is returned in
 -B<out>, B<outlen>.
 +B<out>, B<outlen> (or B<NULL> and 0 in the case where the first entry in
 +B<client> is invalid).
 =back
 -- 
 2.45.2
 From 087501b4f572825e27ca8cc2c5874fcf6fd47cf7 Mon Sep 17 00:00:00 2001
 From: Matt Caswell <matt@openssl.org>
 Date: Fri, 21 Jun 2024 10:41:55 +0100
 Subject: [PATCH] Correct return values for
 tls_construct_stoc_next_proto_neg
 Return EXT_RETURN_NOT_SENT in the event that we don't send the extension,
 rather than EXT_RETURN_SENT. This actually makes no difference at all to
 the current control flow since this return value is ignored in this case
 anyway. But lets make it correct anyway.
 Follow on from CVE-2024-5535
 Reviewed-by: Neil Horman <nhorman@openssl.org>
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/24718)
 ---
 ssl/statem/extensions_srvr.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
 index 4ea085e1a1..2da880450f 100644
 --- a/ssl/statem/extensions_srvr.c
 +++ b/ssl/statem/extensions_srvr.c
@@ -1476,9 +1476,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
             return EXT_RETURN_FAIL;
         }
         s->s3.npn_seen = 1;
 +        return EXT_RETURN_SENT;
     }
 -    return EXT_RETURN_SENT;
 +    return EXT_RETURN_NOT_SENT;
 }
 #endif
 -- 
 2.45.2
 From 017e54183b95617825fb9316d618c154a34c634e Mon Sep 17 00:00:00 2001
 From: Matt Caswell <matt@openssl.org>
 Date: Fri, 21 Jun 2024 11:51:54 +0100
 Subject: [PATCH] Add ALPN validation in the client
 The ALPN protocol selected by the server must be one that we originally
 advertised. We should verify that it is.
 Follow on from CVE-2024-5535
 Reviewed-by: Neil Horman <nhorman@openssl.org>
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/24718)
 ---
 ssl/statem/extensions_clnt.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
 index a07dc62e9a..b21ccf9273 100644
 --- a/ssl/statem/extensions_clnt.c
 +++ b/ssl/statem/extensions_clnt.c
@@ -1566,6 +1566,8 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                         size_t chainidx)
 {
     size_t len;
 +    PACKET confpkt, protpkt;
 +    int valid = 0;
     /* We must have requested it. */
     if (!s->s3.alpn_sent) {
@@ -1584,6 +1586,28 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
         return 0;
     }
 +
 +    /* It must be a protocol that we sent */
 +    if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {
 +        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
 +        return 0;
 +    }
 +    while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {
 +        if (PACKET_remaining(&protpkt) != len)
 +            continue;
 +        if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {
 +            /* Valid protocol found */
 +            valid = 1;
 +            break;
 +        }
 +    }
 +
 +    if (!valid) {
 +        /* The protocol sent from the server does not match one we advertised */
 +        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
 +        return 0;
 +    }
 +
     OPENSSL_free(s->s3.alpn_selected);
     s->s3.alpn_selected = OPENSSL_malloc(len);
     if (s->s3.alpn_selected == NULL) {
 -- 
 2.45.2
--- a/openssl-CVE-2024-6119.patch
+++ b/openssl-CVE-2024-6119.patch
@@ -1,255 +0,0 @@
 commit 97ebe37033e8884f4cca5544a74376633c665e11
 Author: Viktor Dukhovni <viktor@openssl.org>
 Date:   Wed Jun 19 21:04:11 2024 +1000
    Avoid type errors in EAI-related name check logic.
    The incorrectly typed data is read only, used in a compare operation, so
    neither remote code execution, nor memory content disclosure were possible.
    However, applications performing certificate name checks were vulnerable to
    denial of service.
    The GENERAL_TYPE data type is a union, and we must take care to access the
    correct member, based on `gen->type`, not all the member fields have the same
    structure, and a segfault is possible if the wrong member field is read.
    The code in question was lightly refactored with the intent to make it more
    obviously correct.
    CVE-2024-6119
    (cherry picked from commit 1486960d6cdb052e4fc0109a56a0597b4e902ba1)
 diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
 index 1a18174995..a09414c972 100644
 --- a/crypto/x509/v3_utl.c
 +++ b/crypto/x509/v3_utl.c
@@ -916,36 +916,64 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
             ASN1_STRING *cstr;
             gen = sk_GENERAL_NAME_value(gens, i);
 -            if ((gen->type == GEN_OTHERNAME) && (check_type == GEN_EMAIL)) {
 -                if (OBJ_obj2nid(gen->d.otherName->type_id) ==
 -                    NID_id_on_SmtpUTF8Mailbox) {
 -                    san_present = 1;
 -
 -                    /*
 -                     * If it is not a UTF8String then that is unexpected and we
 -                     * treat it as no match
 -                     */
 -                    if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) {
 -                        cstr = gen->d.otherName->value->value.utf8string;
 -
 -                        /* Positive on success, negative on error! */
 -                        if ((rv = do_check_string(cstr, 0, equal, flags,
 -                                                chk, chklen, peername)) != 0)
 -                            break;
 -                    }
 -                } else
 +            switch (gen->type) {
 +            default:
 +                continue;
 +            case GEN_OTHERNAME:
 +		switch (OBJ_obj2nid(gen->d.otherName->type_id)) {
 +                default:
                     continue;
 -            } else {
 -                if ((gen->type != check_type) && (gen->type != GEN_OTHERNAME))
 +                case NID_id_on_SmtpUTF8Mailbox:
 +                    /*-
 +                     * https://datatracker.ietf.org/doc/html/rfc8398#section-3
 +                     *
 +                     *   Due to name constraint compatibility reasons described
 +                     *   in Section 6, SmtpUTF8Mailbox subjectAltName MUST NOT
 +                     *   be used unless the local-part of the email address
 +                     *   contains non-ASCII characters. When the local-part is
 +                     *   ASCII, rfc822Name subjectAltName MUST be used instead
 +                     *   of SmtpUTF8Mailbox. This is compatible with legacy
 +                     *   software that supports only rfc822Name (and not
 +                     *   SmtpUTF8Mailbox). [...]
 +                     *
 +                     *   SmtpUTF8Mailbox is encoded as UTF8String.
 +                     *
 +                     * If it is not a UTF8String then that is unexpected, and
 +                     * we ignore the invalid SAN (neither set san_present nor
 +                     * consider it a candidate for equality).  This does mean
 +                     * that the subject CN may be considered, as would be the
 +                     * case when the malformed SmtpUtf8Mailbox SAN is instead
 +                     * simply absent.
 +                     *
 +                     * When CN-ID matching is not desirable, applications can
 +                     * choose to turn it off, doing so is at this time a best
 +                     * practice.
 +                     */
 +                    if (check_type != GEN_EMAIL
 +                        || gen->d.otherName->value->type != V_ASN1_UTF8STRING)
 +                        continue;
 +                    alt_type = 0;
 +                    cstr = gen->d.otherName->value->value.utf8string;
 +                    break;
 +                }
 +                break;
 +            case GEN_EMAIL:
 +                if (check_type != GEN_EMAIL)
                     continue;
 -            }
 -            san_present = 1;
 -            if (check_type == GEN_EMAIL)
                 cstr = gen->d.rfc822Name;
 -            else if (check_type == GEN_DNS)
 +                break;
 +            case GEN_DNS:
 +                if (check_type != GEN_DNS)
 +                    continue;
                 cstr = gen->d.dNSName;
 -            else
 +                break;
 +            case GEN_IPADD:
 +                if (check_type != GEN_IPADD)
 +                    continue;
                 cstr = gen->d.iPAddress;
 +                break;
 +            }
 +            san_present = 1;
             /* Positive on success, negative on error! */
             if ((rv = do_check_string(cstr, alt_type, equal, flags,
                                       chk, chklen, peername)) != 0)
 diff --git a/test/recipes/25-test_eai_data.t b/test/recipes/25-test_eai_data.t
 index 522982ddfb..e18735d89a 100644
 --- a/test/recipes/25-test_eai_data.t
 +++ b/test/recipes/25-test_eai_data.t
@@ -21,16 +21,18 @@ setup("test_eai_data");
 #./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/utf8_chain.pem test/recipes/25-test_eai_data/ascii_leaf.pem
 #./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/ascii_chain.pem test/recipes/25-test_eai_data/utf8_leaf.pem
 -plan tests => 12;
 +plan tests => 16;
 require_ok(srctop_file('test','recipes','tconversion.pl'));
 my $folder = "test/recipes/25-test_eai_data";
 my $ascii_pem = srctop_file($folder, "ascii_leaf.pem");
 my $utf8_pem  = srctop_file($folder, "utf8_leaf.pem");
 +my $kdc_pem   = srctop_file($folder, "kdc-cert.pem");
 my $ascii_chain_pem = srctop_file($folder, "ascii_chain.pem");
 my $utf8_chain_pem  = srctop_file($folder, "utf8_chain.pem");
 +my $kdc_chain_pem  = srctop_file($folder, "kdc-root-cert.pem");
 my $out;
 my $outcnt = 0;
@@ -56,10 +58,18 @@ SKIP: {
 ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $ascii_pem])));
 ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $utf8_pem])));
 +ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $kdc_chain_pem, $kdc_pem])));
 ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $utf8_pem])));
 ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem,  $ascii_pem])));
 +# Check an otherName does not get misparsed as an DNS name, (should trigger ASAN errors if violated).
 +ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_hostname", 'mx1.example.com', "-CAfile", $kdc_chain_pem,  $kdc_pem])));
 +# Check an otherName does not get misparsed as an email address, (should trigger ASAN errors if violated).
 +ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'joe@example.com', "-CAfile", $kdc_chain_pem,  $kdc_pem])));
 +# We expect SmtpUTF8Mailbox to be a UTF8 String, not an IA5String.
 +ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'moe@example.com', "-CAfile", $kdc_chain_pem,  $kdc_pem])));
 +
 #Check that we get the expected failure return code
 with({ exit_checker => sub { return shift == 2; } },
      sub {
 diff --git a/test/recipes/25-test_eai_data/kdc-cert.pem b/test/recipes/25-test_eai_data/kdc-cert.pem
 new file mode 100644
 index 0000000000..e8a2c6f55d
 --- /dev/null
 +++ b/test/recipes/25-test_eai_data/kdc-cert.pem
@@ -0,0 +1,21 @@
 +-----BEGIN CERTIFICATE-----
 +MIIDbDCCAlSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290
 +MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAXMRUwEwYDVQQDDAxU
 +RVNULkVYQU1QTEUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6wfP+
 +6go79dkpo/dGLMlPZ7Gw/Q6gUYrCWZWUEgEeRVHCrqOlgUEyA+PcWas/XDPUxXry
 +BQlJHLvlqamAQn8gs4QPBARFYWKNiTVGyaRkgNA1N5gqyZdrP9UE+ZJmdqxRAAe8
 +vvpGZWSgevPhLUiSCFYDiD0Rtji2Hm3rGUrReQFBQDEw2pNGwz9zIaxUs08kQZcx
 +Yzyiplz5Oau+R/6sAgUwDlrD9xOlUxx/tA/MSDIfkK8qioU11uUZtO5VjkNQy/bT
 +7zQMmXxWgm2MIgOs1u4YN7YGOtgqHE9v9iPHHfgrkbQDtVDGQsa8AQEhkUDSCtW9
 +3VFAKx6dGNXYzFwfAgMBAAGjgcgwgcUwHQYDVR0OBBYEFFR5tZycW19DmtbL4Zqj
 +te1c2vZLMAkGA1UdIwQCMAAwCQYDVR0TBAIwADCBjQYDVR0RBIGFMIGCoD8GBisG
 +AQUCAqA1MDOgDhsMVEVTVC5FWEFNUExFoSEwH6ADAgEBoRgwFhsGa3JidGd0GwxU
 +RVNULkVYQU1QTEWgHQYIKwYBBQUHCAmgERYPbW9lQGV4YW1wbGUuY29tgQ9qb2VA
 +ZXhhbXBsZS5jb22CD214MS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA
 +T0xzVtVpRtaOzIhgzw7XQUdzWD5UEGSJJ1cBCOmKUWwDLTAouCYLFB4TbEE7MMUb
 +iuMy60bjmVtvfJIXorGUgSadRe5RWJ5DamJWvPA0Q9x7blnEcXqEF+9Td+ypevgU
 +UYHFmg83OYwxOsFXZ5cRuXMk3WCsDHQIBi6D1L6oDDZ2pfArs5mqm3thQKVlqyl1
 +El3XRYEdqAz/5eCOFNfwxF0ALxjxVr/Z50StUZU8I7Zfev6+kHhyrR7dqzYJImv9
 +0fTCOBEMjIETDsrA70OxAMu4V16nrWZdJdvzblS2qrt97Omkj+2kiPAJFB76RpwI
 +oDQ9fKfUOAmUFth2/R/eGA==
 +-----END CERTIFICATE-----
 diff --git a/test/recipes/25-test_eai_data/kdc-root-cert.pem b/test/recipes/25-test_eai_data/kdc-root-cert.pem
 new file mode 100644
 index 0000000000..a74c96bf31
 --- /dev/null
 +++ b/test/recipes/25-test_eai_data/kdc-root-cert.pem
@@ -0,0 +1,16 @@
 +-----BEGIN CERTIFICATE-----
 +MIICnDCCAYQCCQCBswYcrlZSHjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARS
 +b290MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAPMQ0wCwYDVQQD
 +DARSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqRj8S4kBbIUj
 +61kZfi6nE35Q38U140+qt4uAiwAhKumfVHlBM0zQ98WFt5zMHIBQwIb3yjc2zj+0
 +qzUnQfwm1r/RfcMmBPEti9Ge+aEMSsds2gMXziOFM8wd2aAFPy7UVE0XpEWofsRK
 +MGi61MKVdPSbGIxBwY9VW38/7D/wf1HtJe7y0xpuecR7GB2XAs+qST59NjuF+7wS
 +dLM8Hb3TATgeYbXXWsRJgwz+SPzExg5WmLnU+7y4brZ32dHtdSmkRVSgSlaIf7Xj
 +3Tc6Zi7I+W/JYk7hy1zUexVdWCak4PHcoWrXe0gNNN/t8VfLfMExt5z/HIylXnU7
 +pGUyqZlTGQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAHpLF1UCRy7b6Hk0rLokxI
 +lgwiH9BU9mktigAGASvkbllpt+YbUbWnuYAvpHBGiP1qZtfX2r96UrSJaGO9BEzT
 +Gp9ThnSjoj4Srul0+s/NArU22irFLmDzbalgevAmm9gMGkdqkiIm/mXbwrPj0ncl
 +KGicevXryVpvaP62eZ8cc3C4p97frMmXxRX8sTdQpD/gRI7prdEILRSKveqT+AEW
 +7rFGM5AOevb4U8ddop8A3D/kX0wcCAIBF6jCNk3uEJ57jVcagL04kPnVfdRiedTS
 +vfq1DRNcD29d1H/9u0fHdSn1/+8Ep3X+afQ3C6//5NvOEaXcIGO4QSwkprQydfv8
 +-----END CERTIFICATE-----
 diff --git a/test/recipes/25-test_eai_data/kdc.sh b/test/recipes/25-test_eai_data/kdc.sh
 new file mode 100755
 index 0000000000..7a8dbc719f
 --- /dev/null
 +++ b/test/recipes/25-test_eai_data/kdc.sh
@@ -0,0 +1,41 @@
 +#! /usr/bin/env bash
 +
 +# Create a root CA, signing a leaf cert with a KDC principal otherName SAN, and
 +# also a non-UTF8 smtpUtf8Mailbox SAN followed by an rfc822Name SAN and a DNS
 +# name SAN.  In the vulnerable EAI code, the KDC principal `otherName` should
 +# trigger ASAN errors in DNS name checks, while the non-UTF8 `smtpUtf8Mailbox`
 +# should likewise lead to ASAN issues with email name checks.
 +
 +rm -f root-key.pem root-cert.pem
 +openssl req -nodes -new -newkey rsa:2048 -keyout kdc-root-key.pem \
 +        -x509 -subj /CN=Root -days 36524 -out kdc-root-cert.pem
 +
 +exts=$(
 +    printf "%s\n%s\n%s\n%s = " \
 +        "subjectKeyIdentifier = hash" \
 +        "authorityKeyIdentifier = keyid" \
 +        "basicConstraints = CA:false" \
 +        "subjectAltName"
 +    printf "%s, " "otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name"
 +    printf "%s, " "otherName:1.3.6.1.5.5.7.8.9;IA5:moe@example.com"
 +    printf "%s, " "email:joe@example.com"
 +    printf "%s\n" "DNS:mx1.example.com"
 +    printf "[kdc_princ_name]\n"
 +    printf "realm = EXP:0, GeneralString:TEST.EXAMPLE\n"
 +    printf "principal_name = EXP:1, SEQUENCE:kdc_principal_seq\n"
 +    printf "[kdc_principal_seq]\n"
 +    printf "name_type = EXP:0, INTEGER:1\n"
 +    printf "name_string = EXP:1, SEQUENCE:kdc_principal_components\n"
 +    printf "[kdc_principal_components]\n"
 +    printf "princ1 = GeneralString:krbtgt\n"
 +    printf "princ2 = GeneralString:TEST.EXAMPLE\n"
 +    )
 +
 +printf "%s\n" "$exts"
 +
 +openssl req -nodes -new -newkey rsa:2048 -keyout kdc-key.pem \
 +    -subj "/CN=TEST.EXAMPLE" |
 +    openssl x509 -req -out kdc-cert.pem \
 +        -CA "kdc-root-cert.pem" -CAkey "kdc-root-key.pem" \
 +        -set_serial 2 -days 36524 \
 +        -extfile <(printf "%s\n" "$exts")
--- a/openssl-CVE-2024-9143.patch
+++ b/openssl-CVE-2024-9143.patch
@@ -1,198 +0,0 @@
 From fdf6723362ca51bd883295efe206cb5b1cfa5154 Mon Sep 17 00:00:00 2001
 From: Viktor Dukhovni <viktor@openssl.org>
 Date: Thu, 19 Sep 2024 01:02:40 +1000
 Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse.
 The BN_GF2m_poly2arr() function converts characteristic-2 field
 (GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
 to a compact array with just the exponents of the non-zero terms.
 These polynomials are then used in BN_GF2m_mod_arr() to perform modular
 reduction.  A precondition of calling BN_GF2m_mod_arr() is that the
 polynomial must have a non-zero constant term (i.e. the array has `0` as
 its final element).
 Internally, callers of BN_GF2m_poly2arr() did not verify that
 precondition, and binary EC curve parameters with an invalid polynomial
 could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
 The precondition is always true for polynomials that arise from the
 standard form of EC parameters for characteristic-two fields (X9.62).
 See the "Finite Field Identification" section of:
    https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
 The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
 basis X9.62 forms.
 This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
 the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
 Additionally, the return value is made unambiguous when there is not
 enough space to also pad the array with a final `-1` sentinel value.
 The return value is now always the number of elements (including the
 final `-1`) that would be filled when the output array is sufficiently
 large.  Previously the same count was returned both when the array has
 just enough room for the final `-1` and when it had only enough space
 for non-sentinel values.
 Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
 degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
 CPU exhausition attacks via excessively large inputs.
 The above issues do not arise in processing X.509 certificates.  These
 generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
 disallows explicit EC parameters.  The TLS code in OpenSSL enforces this
 constraint only after the certificate is decoded, but, even if explicit
 parameters are specified, they are in X9.62 form, which cannot represent
 problem values as noted above.
 Initially reported as oss-fuzz issue 71623.
 A closely related issue was earlier reported in
 <https://github.com/openssl/openssl/issues/19826>.
 Severity: Low, CVE-2024-9143
 Reviewed-by: Matt Caswell <matt@openssl.org>
 Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
 Reviewed-by: Paul Dale <ppzgs1@gmail.com>
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/25639)
 (cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
 ---
 crypto/bn/bn_gf2m.c     | 28 +++++++++++++++-------
 test/ec_internal_test.c | 51 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+), 8 deletions(-)
 diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c
 index c811ae82d6b15..bcc66613cc14d 100644
 --- a/crypto/bn/bn_gf2m.c
 +++ b/crypto/bn/bn_gf2m.c
@@ -15,6 +15,7 @@
 #include "bn_local.h"
 #ifndef OPENSSL_NO_EC2M
 +# include <openssl/ec.h>
 /*
  * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
@@ -1140,16 +1141,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 /*
  * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
  * x^i) into an array of integers corresponding to the bits with non-zero
 - * coefficient.  Array is terminated with -1. Up to max elements of the array
 - * will be filled.  Return value is total number of array elements that would
 - * be filled if array was large enough.
 + * coefficient.  The array is intended to be suitable for use with
 + * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
 + * zero.  This translates to a requirement that the input BIGNUM `a` is odd.
 + *
 + * Given sufficient room, the array is terminated with -1.  Up to max elements
 + * of the array will be filled.
 + *
 + * The return value is total number of array elements that would be filled if
 + * array was large enough, including the terminating `-1`.  It is `0` when `a`
 + * is not odd or the constant term is zero contrary to requirement.
 + *
 + * The return value is also `0` when the leading exponent exceeds
 + * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
  */
 int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
 {
     int i, j, k = 0;
     BN_ULONG mask;
 -    if (BN_is_zero(a))
 +    if (!BN_is_odd(a))
         return 0;
     for (i = a->top - 1; i >= 0; i--) {
@@ -1167,12 +1178,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
         }
     }
 -    if (k < max) {
 +    if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
 +        return 0;
 +
 +    if (k < max)
         p[k] = -1;
 -        k++;
 -    }
 -    return k;
 +    return k + 1;
 }
 /*
 diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c
 index 8c2cd05631696..02cfd4e9d8858 100644
 --- a/test/ec_internal_test.c
 +++ b/test/ec_internal_test.c
@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
 }
 #ifndef OPENSSL_NO_EC2M
 +/* Test that decoding of invalid GF2m field parameters fails. */
 +static int ec2m_field_sanity(void)
 +{
 +    int ret = 0;
 +    BN_CTX *ctx = BN_CTX_new();
 +    BIGNUM *p, *a, *b;
 +    EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
 +
 +    TEST_info("Testing GF2m hardening\n");
 +
 +    BN_CTX_start(ctx);
 +    p = BN_CTX_get(ctx);
 +    a = BN_CTX_get(ctx);
 +    if (!TEST_ptr(b = BN_CTX_get(ctx))
 +        || !TEST_true(BN_one(a))
 +        || !TEST_true(BN_one(b)))
 +        goto out;
 +
 +    /* Even pentanomial value should be rejected */
 +    if (!TEST_true(BN_set_word(p, 0xf2)))
 +        goto out;
 +    if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
 +        TEST_error("Zero constant term accepted in GF2m polynomial");
 +
 +    /* Odd hexanomial should also be rejected */
 +    if (!TEST_true(BN_set_word(p, 0xf3)))
 +        goto out;
 +    if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
 +        TEST_error("Hexanomial accepted as GF2m polynomial");
 +
 +    /* Excessive polynomial degree should also be rejected */
 +    if (!TEST_true(BN_set_word(p, 0x71))
 +        || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
 +        goto out;
 +    if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
 +        TEST_error("GF2m polynomial degree > %d accepted",
 +                   OPENSSL_ECC_MAX_FIELD_BITS);
 +
 +    ret = group1 == NULL && group2 == NULL && group3 == NULL;
 +
 + out:
 +    EC_GROUP_free(group1);
 +    EC_GROUP_free(group2);
 +    EC_GROUP_free(group3);
 +    BN_CTX_end(ctx);
 +    BN_CTX_free(ctx);
 +
 +    return ret;
 +}
 +
 /* test EC_GF2m_simple_method directly */
 static int field_tests_ec2_simple(void)
 {
@@ -443,6 +493,7 @@ int setup_tests(void)
     ADD_TEST(field_tests_ecp_simple);
     ADD_TEST(field_tests_ecp_mont);
 #ifndef OPENSSL_NO_EC2M
 +    ADD_TEST(ec2m_field_sanity);
     ADD_TEST(field_tests_ec2_simple);
 #endif
     ADD_ALL_TESTS(field_tests_default, crv_len);
--- a/openssl-CVE-2025-4575.patch
+++ b/openssl-CVE-2025-4575.patch
@@ -1,61 +0,0 @@
 From 0eb9acc24febb1f3f01f0320cfba9654cf66b0ac Mon Sep 17 00:00:00 2001
 From: Tomas Mraz <tomas@openssl.org>
 Date: Tue, 20 May 2025 16:34:10 +0200
 Subject: [PATCH] apps/x509.c: Fix the -addreject option adding trust instead
 of rejection
 Fixes CVE-2025-4575
 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
 Reviewed-by: Paul Dale <ppzgs1@gmail.com>
 (Merged from https://github.com/openssl/openssl/pull/27672)
 Signed-off-by: Lucas Mulling <lucas.mulling@suse.com>
 ---
 apps/x509.c                 |  2 +-
 test/recipes/25-test_x509.t | 12 +++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
 Index: openssl-3.5.0/apps/x509.c
 ===================================================================
 --- openssl-3.5.0.orig/apps/x509.c
 +++ openssl-3.5.0/apps/x509.c
@@ -465,7 +465,7 @@ int x509_main(int argc, char **argv)
                            prog, opt_arg());
                 goto opthelp;
             }
 -            if (!sk_ASN1_OBJECT_push(trust, objtmp))
 +            if (!sk_ASN1_OBJECT_push(reject, objtmp))
                 goto end;
             trustout = 1;
             break;
 Index: openssl-3.5.0/test/recipes/25-test_x509.t
 ===================================================================
 --- openssl-3.5.0.orig/test/recipes/25-test_x509.t
 +++ openssl-3.5.0/test/recipes/25-test_x509.t
@@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_fil
 setup("test_x509");
 -plan tests => 134;
 +plan tests => 138;
 # Prevent MSys2 filename munging for arguments that look like file paths but
 # aren't
@@ -110,6 +110,16 @@ ok(run(app(["openssl", "x509", "-new", "
 && run(app(["openssl", "verify", "-no_check_time",
             "-trusted", $ca, "-partial_chain", $caout])));
 +# test trust decoration
 +ok(run(app(["openssl", "x509", "-in", $ca, "-addtrust", "emailProtection",
 +            "-out", "ca-trusted.pem"])));
 +cert_contains("ca-trusted.pem", "Trusted Uses: E-mail Protection",
 +              1, 'trusted use - E-mail Protection');
 +ok(run(app(["openssl", "x509", "-in", $ca, "-addreject", "emailProtection",
 +            "-out", "ca-rejected.pem"])));
 +cert_contains("ca-rejected.pem", "Rejected Uses: E-mail Protection",
 +              1, 'rejected use - E-mail Protection');
 +
 subtest 'x509 -- x.509 v1 certificate' => sub {
     tconversion( -type => 'x509', -prefix => 'x509v1',
                  -in => srctop_file("test", "testx509.pem") );
--- a/openssl-DEFAULT_SUSE_cipher.patch
+++ b/openssl-DEFAULT_SUSE_cipher.patch
@@ -1,64 +0,0 @@
 Index: openssl-3.0.0-alpha7/ssl/ssl_ciph.c
 ===================================================================
 --- openssl-3.0.0-alpha7.orig/ssl/ssl_ciph.c
 +++ openssl-3.0.0-alpha7/ssl/ssl_ciph.c
@@ -1592,7 +1592,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
      */
     ok = 1;
     rule_p = rule_str;
 -    if (strncmp(rule_str, "DEFAULT", 7) == 0) {
 +    if (strncmp(rule_str,"DEFAULT_SUSE", 12) == 0) {
 +        ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST,
 +                                        &head, &tail, ca_list, c);
 +        rule_p += 12;
 +        if (*rule_p == ':')
 +            rule_p++;
 +    }
 +    else if (strncmp(rule_str, "DEFAULT", 7) == 0) {
         ok = ssl_cipher_process_rulestr(OSSL_default_cipher_list(),
                                         &head, &tail, ca_list, c);
         rule_p += 7;
 Index: openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t
 ===================================================================
 --- /dev/null
 +++ openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t
@@ -0,0 +1,23 @@
 +#! /usr/bin/env perl
 +
 +use strict;
 +use warnings;
 +
 +use OpenSSL::Test qw/:DEFAULT/;
 +use OpenSSL::Test::Utils;
 +
 +setup("test_default_ciphersuites");
 +
 +plan tests => 6;
 +
 +my @cipher_suites = ("DEFAULT_SUSE", "DEFAULT");
 +
 +foreach my $cipherlist (@cipher_suites) {
 +  ok(run(app(["openssl", "ciphers", "-s", $cipherlist])),
 +     "openssl ciphers works with ciphersuite $cipherlist");
 +  ok(!grep(/(MD5|RC4|DES)/, run(app(["openssl", "ciphers", "-s", $cipherlist]), capture => 1)),
 +         "$cipherlist shouldn't contain MD5, DES or RC4\n");
 +  ok(grep(/(TLSv1.3)/, run(app(["openssl", "ciphers", "-tls1_3", "-s", "-v", $cipherlist]), capture => 1)),
 +         "$cipherlist should contain TLSv1.3 ciphers\n");
 +}
 +
 Index: openssl-3.0.0-alpha7/include/openssl/ssl.h.in
 ===================================================================
 --- openssl-3.0.0-alpha7.orig/include/openssl/ssl.h.in
 +++ openssl-3.0.0-alpha7/include/openssl/ssl.h.in
@@ -189,6 +189,11 @@ extern "C" {
  */
 # ifndef OPENSSL_NO_DEPRECATED_3_0
 #  define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
 +#  define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"\
 +    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:"\
 +    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
 +    "DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\
 +    "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
 /*
  * This is the default set of TLSv1.3 ciphersuites
  * DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites()
--- a/openssl-Disable-default-provider-for-test-suite.patch
+++ b/openssl-Disable-default-provider-for-test-suite.patch
@@ -1,19 +0,0 @@
 Index: openssl-3.1.4/apps/openssl.cnf
 ===================================================================
 --- openssl-3.1.4.orig/apps/openssl.cnf
 +++ openssl-3.1.4/apps/openssl.cnf
@@ -70,11 +70,11 @@ engines = engine_section
 # to side-channel attacks and as such have been deprecated.
 [provider_sect]
 -default = default_sect
 +##default = default_sect
 ##legacy = legacy_sect
 -[default_sect]
 -activate = 1
 +##[default_sect]
 +##activate = 1
 ##[legacy_sect]
 ##activate = 1
--- a/openssl-Enable-BTI-feature-for-md5-on-aarch64.patch
+++ b/openssl-Enable-BTI-feature-for-md5-on-aarch64.patch
@@ -1,28 +0,0 @@
 From d2bfec6e464aeb247a2d6853668d4e473f19e15f Mon Sep 17 00:00:00 2001
 From: "fangming.fang" <fangming.fang@arm.com>
 Date: Thu, 7 Dec 2023 06:17:51 +0000
 Subject: [PATCH] Enable BTI feature for md5 on aarch64
 Fixes: #22959
 ---
 crypto/md5/asm/md5-aarch64.pl | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/crypto/md5/asm/md5-aarch64.pl b/crypto/md5/asm/md5-aarch64.pl
 index 3200a0fa9bff0..5a8608069691d 100755
 --- a/crypto/md5/asm/md5-aarch64.pl
 +++ b/crypto/md5/asm/md5-aarch64.pl
@@ -28,10 +28,13 @@
 *STDOUT=*OUT;
 $code .= <<EOF;
 +#include "arm_arch.h"
 +
 .text
 .globl  ossl_md5_block_asm_data_order
 .type   ossl_md5_block_asm_data_order,\@function
 ossl_md5_block_asm_data_order:
 +        AARCH64_VALID_CALL_TARGET
         // Save all callee-saved registers
         stp     x19,x20,[sp,#-80]!
         stp     x21,x22,[sp,#16]
--- a/openssl-FIPS-140-3-DRBG.patch
+++ b/openssl-FIPS-140-3-DRBG.patch
@@ -1,137 +0,0 @@
 Index: openssl-3.2.3/crypto/rand/prov_seed.c
 ===================================================================
 --- openssl-3.2.3.orig/crypto/rand/prov_seed.c
 +++ openssl-3.2.3/crypto/rand/prov_seed.c
@@ -23,7 +23,14 @@ size_t ossl_rand_get_entropy(ossl_unused
     size_t entropy_available;
     RAND_POOL *pool;
 -    pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
 +    /*
 +     * OpenSSL still implements an internal entropy pool of
 +     * some size that is hashed to get seed data.
 +     * Note that this is a conditioning step for which SP800-90C requires
 +     * 64 additional bits from the entropy source to claim the requested
 +     * amount of entropy.
 +     */
 +    pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
     if (pool == NULL) {
         ERR_raise(ERR_LIB_RAND, ERR_R_RAND_LIB);
         return 0;
 Index: openssl-3.2.3/crypto/rand/rand_lib.c
 ===================================================================
 --- openssl-3.2.3.orig/crypto/rand/rand_lib.c
 +++ openssl-3.2.3/crypto/rand/rand_lib.c
@@ -723,15 +723,7 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB
         return ret;
     }
 -#ifndef FIPS_MODULE
 -    if (dgbl->seed == NULL) {
 -        ERR_set_mark();
 -        dgbl->seed = rand_new_seed(ctx);
 -        ERR_pop_to_mark();
 -    }
 -#endif
 -
 -    ret = dgbl->primary = rand_new_drbg(ctx, dgbl->seed,
 +    ret = dgbl->primary = rand_new_drbg(ctx, NULL,
                                         PRIMARY_RESEED_INTERVAL,
                                         PRIMARY_RESEED_TIME_INTERVAL, 1);
     /*
 Index: openssl-3.2.3/providers/implementations/rands/crngt.c
 ===================================================================
 --- openssl-3.2.3.orig/providers/implementations/rands/crngt.c
 +++ openssl-3.2.3/providers/implementations/rands/crngt.c
@@ -133,7 +133,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG
      * to the nearest byte.  If the entropy is of less than full quality,
      * the amount required should be scaled up appropriately here.
      */
 -    bytes_needed = (entropy + 7) / 8;
 +    /*
 +     * FIPS 140-3: the yet draft SP800-90C requires requested entropy
 +     * + 128 bits during initial seeding
 +     */
 +    bytes_needed = (entropy + 128 + 7) / 8;
     if (bytes_needed < min_len)
         bytes_needed = min_len;
     if (bytes_needed > max_len)
 Index: openssl-3.2.3/providers/implementations/rands/drbg.c
 ===================================================================
 --- openssl-3.2.3.orig/providers/implementations/rands/drbg.c
 +++ openssl-3.2.3/providers/implementations/rands/drbg.c
@@ -569,6 +569,9 @@ static int ossl_prov_drbg_reseed_unlocke
 #endif
     }
 +#ifdef FIPS_MODULE
 +    prediction_resistance = 1;
 +#endif
     /* Reseed using our sources in addition */
     entropylen = get_entropy(drbg, &entropy, drbg->strength,
                              drbg->min_entropylen, drbg->max_entropylen,
@@ -690,8 +693,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d
             reseed_required = 1;
     }
     if (drbg->parent != NULL
 -            && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
 +            && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) {
 +#ifdef FIPS_MODULE
 +        /* SUSE patches provide chain reseeding when necessary so just sync counters*/
 +        drbg->parent_reseed_counter = get_parent_reseed_count(drbg);
 +#else
         reseed_required = 1;
 +#endif
 +        }
     if (reseed_required || prediction_resistance) {
         if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL,
 Index: openssl-3.2.3/providers/implementations/rands/drbg_local.h
 ===================================================================
 --- openssl-3.2.3.orig/providers/implementations/rands/drbg_local.h
 +++ openssl-3.2.3/providers/implementations/rands/drbg_local.h
@@ -38,7 +38,7 @@
  *
  * The value is in bytes.
  */
 -#define CRNGT_BUFSIZ    16
 +#define CRNGT_BUFSIZ   32
 /*
  * Maximum input size for the DRBG (entropy, nonce, personalization string)
 Index: openssl-3.2.3/providers/implementations/rands/seed_src.c
 ===================================================================
 --- openssl-3.2.3.orig/providers/implementations/rands/seed_src.c
 +++ openssl-3.2.3/providers/implementations/rands/seed_src.c
@@ -102,7 +102,14 @@ static int seed_src_generate(void *vseed
         return 0;
     }
 -    pool = ossl_rand_pool_new(strength, 1, outlen, outlen);
 +    /*
 +     * OpenSSL still implements an internal entropy pool of
 +     * some size that is hashed to get seed data.
 +     * Note that this is a conditioning step for which SP800-90C requires
 +     * 64 additional bits from the entropy source to claim the requested
 +     * amount of entropy.
 +     */
 +    pool = ossl_rand_pool_new(strength + 64, 1, outlen, outlen);
     if (pool == NULL) {
         ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
         return 0;
@@ -182,7 +189,14 @@ static size_t seed_get_seed(void *vseed,
     size_t i;
     RAND_POOL *pool;
 -    pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
 +    /*
 +     * OpenSSL still implements an internal entropy pool of
 +     * some size that is hashed to get seed data.
 +     * Note that this is a conditioning step for which SP800-90C requires
 +     * 64 additional bits from the entropy source to claim the requested
 +     * amount of entropy.
 +     */
 +    pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
     if (pool == NULL) {
         ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
         return 0;
--- a/openssl-FIPS-140-3-zeroization.patch
+++ b/openssl-FIPS-140-3-zeroization.patch
@@ -1,81 +0,0 @@
 Index: openssl-3.2.3/crypto/ec/ec_lib.c
 ===================================================================
 --- openssl-3.2.3.orig/crypto/ec/ec_lib.c
 +++ openssl-3.2.3/crypto/ec/ec_lib.c
@@ -743,12 +743,16 @@ EC_POINT *EC_POINT_new(const EC_GROUP *g
 void EC_POINT_free(EC_POINT *point)
 {
 +#ifdef FIPS_MODULE
 +    EC_POINT_clear_free(point);
 +#else
     if (point == NULL)
         return;
     if (point->meth->point_finish != 0)
         point->meth->point_finish(point);
     OPENSSL_free(point);
 +#endif
 }
 void EC_POINT_clear_free(EC_POINT *point)
 Index: openssl-3.2.3/crypto/ffc/ffc_params.c
 ===================================================================
 --- openssl-3.2.3.orig/crypto/ffc/ffc_params.c
 +++ openssl-3.2.3/crypto/ffc/ffc_params.c
@@ -27,10 +27,10 @@ void ossl_ffc_params_init(FFC_PARAMS *pa
 void ossl_ffc_params_cleanup(FFC_PARAMS *params)
 {
 -    BN_free(params->p);
 -    BN_free(params->q);
 -    BN_free(params->g);
 -    BN_free(params->j);
 +    BN_clear_free(params->p);
 +    BN_clear_free(params->q);
 +    BN_clear_free(params->g);
 +    BN_clear_free(params->j);
     OPENSSL_free(params->seed);
     ossl_ffc_params_init(params);
 }
 Index: openssl-3.2.3/crypto/rsa/rsa_lib.c
 ===================================================================
 --- openssl-3.2.3.orig/crypto/rsa/rsa_lib.c
 +++ openssl-3.2.3/crypto/rsa/rsa_lib.c
@@ -159,8 +159,8 @@ void RSA_free(RSA *r)
     CRYPTO_THREAD_lock_free(r->lock);
     CRYPTO_FREE_REF(&r->references);
 -    BN_free(r->n);
 -    BN_free(r->e);
 +    BN_clear_free(r->n);
 +    BN_clear_free(r->e);
     BN_clear_free(r->d);
     BN_clear_free(r->p);
     BN_clear_free(r->q);
 Index: openssl-3.2.3/providers/implementations/kdfs/hkdf.c
 ===================================================================
 --- openssl-3.2.3.orig/providers/implementations/kdfs/hkdf.c
 +++ openssl-3.2.3/providers/implementations/kdfs/hkdf.c
@@ -117,7 +117,7 @@ static void kdf_hkdf_reset(void *vctx)
     void *provctx = ctx->provctx;
     ossl_prov_digest_reset(&ctx->digest);
 -    OPENSSL_free(ctx->salt);
 +    OPENSSL_clear_free(ctx->salt, ctx->salt_len);
     OPENSSL_free(ctx->prefix);
     OPENSSL_free(ctx->label);
     OPENSSL_clear_free(ctx->data, ctx->data_len);
 Index: openssl-3.2.3/providers/implementations/kdfs/pbkdf2.c
 ===================================================================
 --- openssl-3.2.3.orig/providers/implementations/kdfs/pbkdf2.c
 +++ openssl-3.2.3/providers/implementations/kdfs/pbkdf2.c
@@ -90,7 +90,7 @@ static void *kdf_pbkdf2_new(void *provct
 static void kdf_pbkdf2_cleanup(KDF_PBKDF2 *ctx)
 {
     ossl_prov_digest_reset(&ctx->digest);
 -    OPENSSL_free(ctx->salt);
 +    OPENSSL_clear_free(ctx->salt, ctx->salt_len);
     OPENSSL_clear_free(ctx->pass, ctx->pass_len);
     memset(ctx, 0, sizeof(*ctx));
 }
--- a/openssl-FIPS-Add-explicit-indicator-for-key-length.patch
+++ b/openssl-FIPS-Add-explicit-indicator-for-key-length.patch
@@ -1,108 +0,0 @@
 From e1eba21921ceeffa45ffd2115868c14e4c7fb8d9 Mon Sep 17 00:00:00 2001
 From: Clemens Lang <cllang@redhat.com>
 Date: Thu, 17 Nov 2022 18:08:24 +0100
 Subject: [PATCH] hmac: Add explicit FIPS indicator for key length
 NIST SP 800-131Ar2, table 9 "Approval Status of MAC Algorithms"
 specifies key lengths < 112 bytes are disallowed for HMAC generation and
 are legacy use for HMAC verification.
 Add an explicit indicator that will mark shorter key lengths as
 unsupported. The indicator can be queries from the EVP_MAC_CTX object
 using EVP_MAC_CTX_get_params() with the
  OSSL_MAC_PARAM_SUSE_FIPS_INDICATOR
 parameter.
 Signed-off-by: Clemens Lang <cllang@redhat.com>
 ---
 include/crypto/evp.h                       |  7 +++++++
 include/openssl/evp.h                      |  3 +++
 providers/implementations/macs/hmac_prov.c | 17 +++++++++++++++++
 4 files changed, 28 insertions(+)
 Index: openssl-3.2.3/include/crypto/evp.h
 ===================================================================
 --- openssl-3.2.3.orig/include/crypto/evp.h
 +++ openssl-3.2.3/include/crypto/evp.h
@@ -206,6 +206,13 @@ const EVP_PKEY_METHOD *ossl_ed448_pkey_m
 const EVP_PKEY_METHOD *ossl_rsa_pkey_method(void);
 const EVP_PKEY_METHOD *ossl_rsa_pss_pkey_method(void);
 +#ifdef FIPS_MODULE
 +/* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms specifies key
 + * lengths < 112 bytes are disallowed for HMAC generation and legacy use for
 + * HMAC verification. */
 +# define EVP_HMAC_GEN_FIPS_MIN_KEY_LEN (112 / 8)
 +#endif
 +
 struct evp_mac_st {
     OSSL_PROVIDER *prov;
     int name_id;
 Index: openssl-3.2.3/include/openssl/evp.h
 ===================================================================
 --- openssl-3.2.3.orig/include/openssl/evp.h
 +++ openssl-3.2.3/include/openssl/evp.h
@@ -1199,6 +1199,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX
                             void *arg);
 /* MAC stuff */
 +# define EVP_MAC_SUSE_FIPS_INDICATOR_UNDETERMINED 0
 +# define EVP_MAC_SUSE_FIPS_INDICATOR_APPROVED     1
 +# define EVP_MAC_SUSE_FIPS_INDICATOR_NOT_APPROVED 2
 EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm,
                        const char *properties);
 Index: openssl-3.2.3/providers/implementations/macs/hmac_prov.c
 ===================================================================
 --- openssl-3.2.3.orig/providers/implementations/macs/hmac_prov.c
 +++ openssl-3.2.3/providers/implementations/macs/hmac_prov.c
@@ -23,6 +23,8 @@
 #include "internal/ssl3_cbc.h"
 +#include "crypto/evp.h"
 +
 #include "prov/implementations.h"
 #include "prov/provider_ctx.h"
 #include "prov/provider_util.h"
@@ -235,6 +237,9 @@ static int hmac_final(void *vmacctx, uns
 static const OSSL_PARAM known_gettable_ctx_params[] = {
     OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL),
     OSSL_PARAM_size_t(OSSL_MAC_PARAM_BLOCK_SIZE, NULL),
 +#ifdef FIPS_MODULE
 +    OSSL_PARAM_int(OSSL_MAC_PARAM_SUSE_FIPS_INDICATOR, NULL),
 +#endif /* defined(FIPS_MODULE) */
     OSSL_PARAM_END
 };
 static const OSSL_PARAM *hmac_gettable_ctx_params(ossl_unused void *ctx,
@@ -256,6 +261,18 @@ static int hmac_get_ctx_params(void *vma
             && !OSSL_PARAM_set_int(p, hmac_block_size(macctx)))
         return 0;
 +#ifdef FIPS_MODULE
 +    if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_SUSE_FIPS_INDICATOR)) != NULL) {
 +        int fips_indicator = EVP_MAC_SUSE_FIPS_INDICATOR_APPROVED;
 +        /* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms
 +         * specifies key lengths < 112 bytes are disallowed for HMAC generation
 +         * and legacy use for HMAC verification. */
 +        if (macctx->keylen < EVP_HMAC_GEN_FIPS_MIN_KEY_LEN)
 +            fips_indicator = EVP_MAC_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +        return OSSL_PARAM_set_int(p, fips_indicator);
 +    }
 +#endif /* defined(FIPS_MODULE) */
 +
     return 1;
 }
 Index: openssl-3.2.3/util/perl/OpenSSL/paramnames.pm
 ===================================================================
 --- openssl-3.2.3.orig/util/perl/OpenSSL/paramnames.pm
 +++ openssl-3.2.3/util/perl/OpenSSL/paramnames.pm
@@ -143,6 +143,7 @@ my %params = (
     'MAC_PARAM_SIZE' =>             "size",                     # size_t
     'MAC_PARAM_BLOCK_SIZE' =>       "block-size",               # size_t
     'MAC_PARAM_TLS_DATA_SIZE' =>    "tls-data-size",            # size_t
 +    'MAC_PARAM_SUSE_FIPS_INDICATOR' => "suse-fips-indicator",   # size_t
 # KDF / PRF parameters
     'KDF_PARAM_SECRET' =>       "secret",                   # octet string
--- a/openssl-FIPS-Mark-SHA1-as-nonapproved.patch
+++ b/openssl-FIPS-Mark-SHA1-as-nonapproved.patch
@@ -1,25 +0,0 @@
 Index: openssl-3.2.4/providers/fips/fipsprov.c
 ===================================================================
 --- openssl-3.2.4.orig/providers/fips/fipsprov.c
 +++ openssl-3.2.4/providers/fips/fipsprov.c
@@ -278,7 +278,7 @@ static int fips_self_test(void *provctx)
  */
 static const OSSL_ALGORITHM fips_digests[] = {
     /* Our primary name:NiST name[:our older names] */
 -    { PROV_NAMES_SHA1, FIPS_DEFAULT_PROPERTIES, ossl_sha1_functions },
 +    { PROV_NAMES_SHA1, FIPS_UNAPPROVED_PROPERTIES, ossl_sha1_functions },
     { PROV_NAMES_SHA2_224, FIPS_DEFAULT_PROPERTIES, ossl_sha224_functions },
     { PROV_NAMES_SHA2_256, FIPS_DEFAULT_PROPERTIES, ossl_sha256_functions },
     { PROV_NAMES_SHA2_384, FIPS_DEFAULT_PROPERTIES, ossl_sha384_functions },
@@ -355,9 +355,9 @@ static const OSSL_ALGORITHM_CAPABLE fips
     ALG(PROV_NAMES_AES_256_WRAP_PAD_INV, ossl_aes256wrappadinv_functions),
     ALG(PROV_NAMES_AES_192_WRAP_PAD_INV, ossl_aes192wrappadinv_functions),
     ALG(PROV_NAMES_AES_128_WRAP_PAD_INV, ossl_aes128wrappadinv_functions),
 -    ALGC(PROV_NAMES_AES_128_CBC_HMAC_SHA1, ossl_aes128cbc_hmac_sha1_functions,
 +    UNAPPROVED_ALGC(PROV_NAMES_AES_128_CBC_HMAC_SHA1, ossl_aes128cbc_hmac_sha1_functions,
          ossl_cipher_capable_aes_cbc_hmac_sha1),
 -    ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA1, ossl_aes256cbc_hmac_sha1_functions,
 +    UNAPPROVED_ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA1, ossl_aes256cbc_hmac_sha1_functions,
          ossl_cipher_capable_aes_cbc_hmac_sha1),
     ALGC(PROV_NAMES_AES_128_CBC_HMAC_SHA256, ossl_aes128cbc_hmac_sha256_functions,
          ossl_cipher_capable_aes_cbc_hmac_sha256),
--- a/openssl-FIPS-Use-FFDHE2048-in-self-test.patch
+++ b/openssl-FIPS-Use-FFDHE2048-in-self-test.patch
@@ -1,378 +0,0 @@
 From e385647549c467fe263b68b72dd21bdfb875ee88 Mon Sep 17 00:00:00 2001
 From: Clemens Lang <cllang@redhat.com>
 Date: Fri, 22 Jul 2022 17:51:16 +0200
 Subject: [PATCH 2/2] FIPS: Use FFDHE2048 in self test
 Signed-off-by: Clemens Lang <cllang@redhat.com>
 ---
 providers/fips/self_test_data.inc | 342 +++++++++++++++---------------
 1 file changed, 172 insertions(+), 170 deletions(-)
 diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
 index a29cc650b5..1b5623833f 100644
 --- a/providers/fips/self_test_data.inc
 +++ b/providers/fips/self_test_data.inc
@@ -821,188 +821,190 @@ static const ST_KAT_DRBG st_kat_drbg_tests[] =
 #ifndef OPENSSL_NO_DH
 /* DH KAT */
 +/* RFC7919 FFDHE2048 p */
 static const unsigned char dh_p[] = {
 -    0xdc, 0xca, 0x15, 0x11, 0xb2, 0x31, 0x32, 0x25,
 -    0xf5, 0x21, 0x16, 0xe1, 0x54, 0x27, 0x89, 0xe0,
 -    0x01, 0xf0, 0x42, 0x5b, 0xcc, 0xc7, 0xf3, 0x66,
 -    0xf7, 0x40, 0x64, 0x07, 0xf1, 0xc9, 0xfa, 0x8b,
 -    0xe6, 0x10, 0xf1, 0x77, 0x8b, 0xb1, 0x70, 0xbe,
 -    0x39, 0xdb, 0xb7, 0x6f, 0x85, 0xbf, 0x24, 0xce,
 -    0x68, 0x80, 0xad, 0xb7, 0x62, 0x9f, 0x7c, 0x6d,
 -    0x01, 0x5e, 0x61, 0xd4, 0x3f, 0xa3, 0xee, 0x4d,
 -    0xe1, 0x85, 0xf2, 0xcf, 0xd0, 0x41, 0xff, 0xde,
 -    0x9d, 0x41, 0x84, 0x07, 0xe1, 0x51, 0x38, 0xbb,
 -    0x02, 0x1d, 0xae, 0xb3, 0x5f, 0x76, 0x2d, 0x17,
 -    0x82, 0xac, 0xc6, 0x58, 0xd3, 0x2b, 0xd4, 0xb0,
 -    0x23, 0x2c, 0x92, 0x7d, 0xd3, 0x8f, 0xa0, 0x97,
 -    0xb3, 0xd1, 0x85, 0x9f, 0xa8, 0xac, 0xaf, 0xb9,
 -    0x8f, 0x06, 0x66, 0x08, 0xfc, 0x64, 0x4e, 0xc7,
 -    0xdd, 0xb6, 0xf0, 0x85, 0x99, 0xf9, 0x2a, 0xc1,
 -    0xb5, 0x98, 0x25, 0xda, 0x84, 0x32, 0x07, 0x7d,
 -    0xef, 0x69, 0x56, 0x46, 0x06, 0x3c, 0x20, 0x82,
 -    0x3c, 0x95, 0x07, 0xab, 0x6f, 0x01, 0x76, 0xd4,
 -    0x73, 0x0d, 0x99, 0x0d, 0xbb, 0xe6, 0x36, 0x1c,
 -    0xd8, 0xb2, 0xb9, 0x4d, 0x3d, 0x2f, 0x32, 0x9b,
 -    0x82, 0x09, 0x9b, 0xd6, 0x61, 0xf4, 0x29, 0x50,
 -    0xf4, 0x03, 0xdf, 0x3e, 0xde, 0x62, 0xa3, 0x31,
 -    0x88, 0xb0, 0x27, 0x98, 0xba, 0x82, 0x3f, 0x44,
 -    0xb9, 0x46, 0xfe, 0x9d, 0xf6, 0x77, 0xa0, 0xc5,
 -    0xa1, 0x23, 0x8e, 0xaa, 0x97, 0xb7, 0x0f, 0x80,
 -    0xda, 0x8c, 0xac, 0x88, 0xe0, 0x92, 0xb1, 0x12,
 -    0x70, 0x60, 0xff, 0xbf, 0x45, 0x57, 0x99, 0x94,
 -    0x01, 0x1d, 0xc2, 0xfa, 0xa5, 0xe7, 0xf6, 0xc7,
 -    0x62, 0x45, 0xe1, 0xcc, 0x31, 0x22, 0x31, 0xc1,
 -    0x7d, 0x1c, 0xa6, 0xb1, 0x90, 0x07, 0xef, 0x0d,
 -    0xb9, 0x9f, 0x9c, 0xb6, 0x0e, 0x1d, 0x5f, 0x69
 -};
 +    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
 +    0xad, 0xf8, 0x54, 0x58, 0xa2, 0xbb, 0x4a, 0x9a,
 +    0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1,
 +    0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95,
 +    0xa9, 0xe1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xfb,
 +    0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9,
 +    0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8,
 +    0xf6, 0x81, 0xb2, 0x02, 0xae, 0xc4, 0x61, 0x7a,
 +    0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61,
 +    0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0,
 +    0x85, 0x63, 0x65, 0x55, 0x3d, 0xed, 0x1a, 0xf3,
 +    0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35,
 +    0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77,
 +    0xe2, 0xa6, 0x89, 0xda, 0xf3, 0xef, 0xe8, 0x72,
 +    0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35,
 +    0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a,
 +    0xbc, 0x0a, 0xb1, 0x82, 0xb3, 0x24, 0xfb, 0x61,
 +    0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb,
 +    0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68,
 +    0x1d, 0x4f, 0x42, 0xa3, 0xde, 0x39, 0x4d, 0xf4,
 +    0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19,
 +    0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70,
 +    0x9e, 0x02, 0xfc, 0xe1, 0xcd, 0xf7, 0xe2, 0xec,
 +    0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61,
 +    0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff,
 +    0x8e, 0x4f, 0x12, 0x32, 0xee, 0xf2, 0x81, 0x83,
 +    0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73,
 +    0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05,
 +    0xc5, 0x8e, 0xf1, 0x83, 0x7d, 0x16, 0x83, 0xb2,
 +    0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa,
 +    0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97,
 +    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
 +};
 +/* RFC7919 FFDHE2048 q */
 static const unsigned char dh_q[] = {
 -    0x89, 0x8b, 0x22, 0x67, 0x17, 0xef, 0x03, 0x9e,
 -    0x60, 0x3e, 0x82, 0xe5, 0xc7, 0xaf, 0xe4, 0x83,
 -    0x74, 0xac, 0x5f, 0x62, 0x5c, 0x54, 0xf1, 0xea,
 -    0x11, 0xac, 0xb5, 0x7d
 -};
 +    0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
 +    0xd6, 0xfc, 0x2a, 0x2c, 0x51, 0x5d, 0xa5, 0x4d,
 +    0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78,
 +    0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a,
 +    0xd4, 0xf0, 0x9b, 0x20, 0x8a, 0x32, 0x19, 0xfd,
 +    0xe6, 0x49, 0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c,
 +    0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec,
 +    0x7b, 0x40, 0xd9, 0x01, 0x57, 0x62, 0x30, 0xbd,
 +    0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0,
 +    0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68,
 +    0x42, 0xb1, 0xb2, 0xaa, 0x9e, 0xf6, 0x8d, 0x79,
 +    0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a,
 +    0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb,
 +    0xf1, 0x53, 0x44, 0xed, 0x79, 0xf7, 0xf4, 0x39,
 +    0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a,
 +    0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd,
 +    0x5e, 0x05, 0x58, 0xc1, 0x59, 0x92, 0x7d, 0xb0,
 +    0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd,
 +    0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34,
 +    0x0e, 0xa7, 0xa1, 0x51, 0xef, 0x1c, 0xa6, 0xfa,
 +    0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c,
 +    0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8,
 +    0x4f, 0x01, 0x7e, 0x70, 0xe6, 0xfb, 0xf1, 0x76,
 +    0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0,
 +    0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff,
 +    0xc7, 0x27, 0x89, 0x19, 0x77, 0x79, 0x40, 0xc1,
 +    0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9,
 +    0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02,
 +    0xe2, 0xc7, 0x78, 0xc1, 0xbe, 0x8b, 0x41, 0xd9,
 +    0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd,
 +    0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b,
 +    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
 +};
 +/* RFC7919 FFDHE2048 g */
 static const unsigned char dh_g[] = {
 -    0x5e, 0xf7, 0xb8, 0x8f, 0x2d, 0xf6, 0x01, 0x39,
 -    0x35, 0x1d, 0xfb, 0xfe, 0x12, 0x66, 0x80, 0x5f,
 -    0xdf, 0x35, 0x6c, 0xdf, 0xd1, 0x3a, 0x4d, 0xa0,
 -    0x05, 0x0c, 0x7e, 0xde, 0x24, 0x6d, 0xf5, 0x9f,
 -    0x6a, 0xbf, 0x96, 0xad, 0xe5, 0xf2, 0xb2, 0x8f,
 -    0xfe, 0x88, 0xd6, 0xbc, 0xe7, 0xf7, 0x89, 0x4a,
 -    0x3d, 0x53, 0x5f, 0xc8, 0x21, 0x26, 0xdd, 0xd4,
 -    0x24, 0x87, 0x2e, 0x16, 0xb8, 0x38, 0xdf, 0x8c,
 -    0x51, 0xe9, 0x01, 0x6f, 0x88, 0x9c, 0x7c, 0x20,
 -    0x3e, 0x98, 0xa8, 0xb6, 0x31, 0xf9, 0xc7, 0x25,
 -    0x63, 0xd3, 0x8a, 0x49, 0x58, 0x9a, 0x07, 0x53,
 -    0xd3, 0x58, 0xe7, 0x83, 0x31, 0x8c, 0xef, 0xd9,
 -    0x67, 0x7c, 0x7b, 0x2d, 0xbb, 0x77, 0xd6, 0xdc,
 -    0xe2, 0xa1, 0x96, 0x37, 0x95, 0xca, 0x64, 0xb9,
 -    0x2d, 0x1c, 0x9a, 0xac, 0x6d, 0x0e, 0x8d, 0x43,
 -    0x1d, 0xe5, 0xe5, 0x00, 0x60, 0xdf, 0xf7, 0x86,
 -    0x89, 0xc9, 0xec, 0xa1, 0xc1, 0x24, 0x8c, 0x16,
 -    0xed, 0x09, 0xc7, 0xad, 0x41, 0x2a, 0x17, 0x40,
 -    0x6d, 0x2b, 0x52, 0x5a, 0xa1, 0xca, 0xbb, 0x23,
 -    0x7b, 0x97, 0x34, 0xec, 0x7b, 0x8c, 0xe3, 0xfa,
 -    0xe0, 0x2f, 0x29, 0xc5, 0xef, 0xed, 0x30, 0xd6,
 -    0x91, 0x87, 0xda, 0x10, 0x9c, 0x2c, 0x9f, 0xe2,
 -    0xaa, 0xdb, 0xb0, 0xc2, 0x2a, 0xf5, 0x4c, 0x61,
 -    0x66, 0x55, 0x00, 0x0c, 0x43, 0x1c, 0x6b, 0x4a,
 -    0x37, 0x97, 0x63, 0xb0, 0xa9, 0x16, 0x58, 0xef,
 -    0xc8, 0x4e, 0x8b, 0x06, 0x35, 0x8c, 0x8b, 0x4f,
 -    0x21, 0x37, 0x10, 0xfd, 0x10, 0x17, 0x2c, 0xf3,
 -    0x9b, 0x83, 0x0c, 0x2d, 0xd8, 0x4a, 0x0c, 0x8a,
 -    0xb8, 0x25, 0x16, 0xec, 0xab, 0x99, 0x5f, 0xa4,
 -    0x21, 0x5e, 0x02, 0x3e, 0x4e, 0xcf, 0x80, 0x74,
 -    0xc3, 0x9d, 0x6c, 0x88, 0xb7, 0x0d, 0x1e, 0xe4,
 -    0xe9, 0x6f, 0xdc, 0x20, 0xea, 0x11, 0x5c, 0x32
 +    0x02
 };
 static const unsigned char dh_priv[] = {
 -    0x14, 0x33, 0xe0, 0xb5, 0xa9, 0x17, 0xb6, 0x0a,
 -    0x30, 0x23, 0xf2, 0xf8, 0xaa, 0x2c, 0x2d, 0x70,
 -    0xd2, 0x96, 0x8a, 0xba, 0x9a, 0xea, 0xc8, 0x15,
 -    0x40, 0xb8, 0xfc, 0xe6
 +    0x01, 0xdc, 0x2a, 0xb9, 0x87, 0x71, 0x57, 0x0f,
 +    0xcd, 0x93, 0x65, 0x4c, 0xa1, 0xd6, 0x56, 0x6d,
 +    0xc5, 0x35, 0xd5, 0xcb, 0x4c, 0xb8, 0xad, 0x8d,
 +    0x6c, 0xdc, 0x5d, 0x6e, 0x94
 };
 static const unsigned char dh_pub[] = {
 -    0x95, 0xdd, 0x33, 0x8d, 0x29, 0xe5, 0x71, 0x04,
 -    0x92, 0xb9, 0x18, 0x31, 0x7b, 0x72, 0xa3, 0x69,
 -    0x36, 0xe1, 0x95, 0x1a, 0x2e, 0xe5, 0xa5, 0x59,
 -    0x16, 0x99, 0xc0, 0x48, 0x6d, 0x0d, 0x4f, 0x9b,
 -    0xdd, 0x6d, 0x5a, 0x3f, 0x6b, 0x98, 0x89, 0x0c,
 -    0x62, 0xb3, 0x76, 0x52, 0xd3, 0x6e, 0x71, 0x21,
 -    0x11, 0xe6, 0x8a, 0x73, 0x55, 0x37, 0x25, 0x06,
 -    0x99, 0xef, 0xe3, 0x30, 0x53, 0x73, 0x91, 0xfb,
 -    0xc2, 0xc5, 0x48, 0xbc, 0x5a, 0xc3, 0xe5, 0xb2,
 -    0x33, 0x86, 0xc3, 0xee, 0xf5, 0xeb, 0x43, 0xc0,
 -    0x99, 0xd7, 0x0a, 0x52, 0x02, 0x68, 0x7e, 0x83,
 -    0x96, 0x42, 0x48, 0xfc, 0xa9, 0x1f, 0x40, 0x90,
 -    0x8e, 0x8f, 0xb3, 0x31, 0x93, 0x15, 0xf6, 0xd2,
 -    0x60, 0x6d, 0x7f, 0x7c, 0xd5, 0x2c, 0xc6, 0xe7,
 -    0xc5, 0x84, 0x3a, 0xfb, 0x22, 0x51, 0x9c, 0xf0,
 -    0xf0, 0xf9, 0xd3, 0xa0, 0xa4, 0xe8, 0xc8, 0x88,
 -    0x99, 0xef, 0xed, 0xe7, 0x36, 0x43, 0x51, 0xfb,
 -    0x6a, 0x36, 0x3e, 0xe7, 0x17, 0xe5, 0x44, 0x5a,
 -    0xda, 0xb4, 0xc9, 0x31, 0xa6, 0x48, 0x39, 0x97,
 -    0xb8, 0x7d, 0xad, 0x83, 0x67, 0x7e, 0x4d, 0x1d,
 -    0x3a, 0x77, 0x75, 0xe0, 0xf6, 0xd0, 0x0f, 0xdf,
 -    0x73, 0xc7, 0xad, 0x80, 0x1e, 0x66, 0x5a, 0x0e,
 -    0x5a, 0x79, 0x6d, 0x0a, 0x03, 0x80, 0xa1, 0x9f,
 -    0xa1, 0x82, 0xef, 0xc8, 0xa0, 0x4f, 0x5e, 0x4d,
 -    0xb9, 0x0d, 0x1a, 0x86, 0x37, 0xf9, 0x5d, 0xb1,
 -    0x64, 0x36, 0xbd, 0xc8, 0xf3, 0xfc, 0x09, 0x6c,
 -    0x4f, 0xf7, 0xf2, 0x34, 0xbe, 0x8f, 0xef, 0x47,
 -    0x9a, 0xc4, 0xb0, 0xdc, 0x4b, 0x77, 0x26, 0x3e,
 -    0x07, 0xd9, 0x95, 0x9d, 0xe0, 0xf1, 0xbf, 0x3f,
 -    0x0a, 0xe3, 0xd9, 0xd5, 0x0e, 0x4b, 0x89, 0xc9,
 -    0x9e, 0x3e, 0xa1, 0x21, 0x73, 0x43, 0xdd, 0x8c,
 -    0x65, 0x81, 0xac, 0xc4, 0x95, 0x9c, 0x91, 0xd3
 +    0x00, 0xc4, 0x82, 0x14, 0x69, 0x16, 0x4c, 0x05,
 +    0x55, 0x2a, 0x7e, 0x55, 0x6d, 0x02, 0xbb, 0x7f,
 +    0xcc, 0x63, 0x74, 0xee, 0xcb, 0xb4, 0x98, 0x43,
 +    0x0e, 0x29, 0x43, 0x0d, 0x44, 0xc7, 0xf1, 0x23,
 +    0x81, 0xca, 0x1c, 0x5c, 0xc3, 0xff, 0x01, 0x4a,
 +    0x1a, 0x03, 0x9e, 0x5f, 0xd1, 0x4e, 0xa0, 0x0b,
 +    0xb9, 0x5c, 0x0d, 0xef, 0x14, 0x01, 0x62, 0x3c,
 +    0x8a, 0x8e, 0x60, 0xbb, 0x39, 0xd6, 0x38, 0x63,
 +    0xb7, 0x65, 0xd0, 0x0b, 0x1a, 0xaf, 0x53, 0x38,
 +    0x10, 0x0f, 0x3e, 0xeb, 0x9d, 0x0c, 0x24, 0xf6,
 +    0xe3, 0x70, 0x08, 0x8a, 0x4d, 0x01, 0xf8, 0x7a,
 +    0x87, 0x49, 0x64, 0x72, 0xb1, 0x75, 0x3b, 0x94,
 +    0xc8, 0x09, 0x2d, 0x6a, 0x63, 0xd8, 0x9a, 0x92,
 +    0xb9, 0x5b, 0x1a, 0xc3, 0x47, 0x0b, 0x63, 0x44,
 +    0x3b, 0xe3, 0xc0, 0x09, 0xc9, 0xf9, 0x02, 0x53,
 +    0xd8, 0xfb, 0x06, 0x44, 0xdb, 0xdf, 0xe8, 0x13,
 +    0x2b, 0x40, 0x6a, 0xd4, 0x13, 0x4e, 0x52, 0x30,
 +    0xd6, 0xc1, 0xd8, 0x59, 0x9d, 0x59, 0xba, 0x1b,
 +    0xbf, 0xaa, 0x6f, 0xe9, 0x3d, 0xfd, 0xff, 0x01,
 +    0x0b, 0x54, 0xe0, 0x6a, 0x4e, 0x27, 0x2b, 0x3d,
 +    0xe8, 0xef, 0xb0, 0xbe, 0x52, 0xc3, 0x52, 0x18,
 +    0x6f, 0xa3, 0x27, 0xab, 0x6c, 0x12, 0xc3, 0x81,
 +    0xcb, 0xae, 0x23, 0x11, 0xa0, 0x5d, 0xc3, 0x6f,
 +    0x23, 0x17, 0x40, 0xb3, 0x05, 0x4f, 0x5d, 0xb7,
 +    0x34, 0xbe, 0x87, 0x2c, 0xa9, 0x9e, 0x98, 0x39,
 +    0xbf, 0x2e, 0x9d, 0xad, 0x4f, 0x70, 0xad, 0xed,
 +    0x1b, 0x5e, 0x47, 0x90, 0x49, 0x2e, 0x61, 0x71,
 +    0x5f, 0x07, 0x0b, 0x35, 0x04, 0xfc, 0x53, 0xce,
 +    0x58, 0x60, 0x6c, 0x5b, 0x8b, 0xfe, 0x70, 0x04,
 +    0x2a, 0x6a, 0x98, 0x0a, 0xd0, 0x80, 0xae, 0x69,
 +    0x95, 0xf9, 0x99, 0x18, 0xfc, 0xe4, 0x8e, 0xed,
 +    0x61, 0xd9, 0x02, 0x9d, 0x4e, 0x05, 0xe9, 0xf2,
 +    0x32
 };
 static const unsigned char dh_peer_pub[] = {
 -    0x1f, 0xc1, 0xda, 0x34, 0x1d, 0x1a, 0x84, 0x6a,
 -    0x96, 0xb7, 0xbe, 0x24, 0x34, 0x0f, 0x87, 0x7d,
 -    0xd0, 0x10, 0xaa, 0x03, 0x56, 0xd5, 0xad, 0x58,
 -    0xaa, 0xe9, 0xc7, 0xb0, 0x8f, 0x74, 0x9a, 0x32,
 -    0x23, 0x51, 0x10, 0xb5, 0xd8, 0x8e, 0xb5, 0xdb,
 -    0xfa, 0x97, 0x8d, 0x27, 0xec, 0xc5, 0x30, 0xf0,
 -    0x2d, 0x31, 0x14, 0x00, 0x5b, 0x64, 0xb1, 0xc0,
 -    0xe0, 0x24, 0xcb, 0x8a, 0xe2, 0x16, 0x98, 0xbc,
 -    0xa9, 0xe6, 0x0d, 0x42, 0x80, 0x86, 0x22, 0xf1,
 -    0x81, 0xc5, 0x6e, 0x1d, 0xe7, 0xa9, 0x6e, 0x6e,
 -    0xfe, 0xe9, 0xd6, 0x65, 0x67, 0xe9, 0x1b, 0x97,
 -    0x70, 0x42, 0xc7, 0xe3, 0xd0, 0x44, 0x8f, 0x05,
 -    0xfb, 0x77, 0xf5, 0x22, 0xb9, 0xbf, 0xc8, 0xd3,
 -    0x3c, 0xc3, 0xc3, 0x1e, 0xd3, 0xb3, 0x1f, 0x0f,
 -    0xec, 0xb6, 0xdb, 0x4f, 0x6e, 0xa3, 0x11, 0xe7,
 -    0x7a, 0xfd, 0xbc, 0xd4, 0x7a, 0xee, 0x1b, 0xb1,
 -    0x50, 0xf2, 0x16, 0x87, 0x35, 0x78, 0xfb, 0x96,
 -    0x46, 0x8e, 0x8f, 0x9f, 0x3d, 0xe8, 0xef, 0xbf,
 -    0xce, 0x75, 0x62, 0x4b, 0x1d, 0xf0, 0x53, 0x22,
 -    0xa3, 0x4f, 0x14, 0x63, 0xe8, 0x39, 0xe8, 0x98,
 -    0x4c, 0x4a, 0xd0, 0xa9, 0x6e, 0x1a, 0xc8, 0x42,
 -    0xe5, 0x31, 0x8c, 0xc2, 0x3c, 0x06, 0x2a, 0x8c,
 -    0xa1, 0x71, 0xb8, 0xd5, 0x75, 0x98, 0x0d, 0xde,
 -    0x7f, 0xc5, 0x6f, 0x15, 0x36, 0x52, 0x38, 0x20,
 -    0xd4, 0x31, 0x92, 0xbf, 0xd5, 0x1e, 0x8e, 0x22,
 -    0x89, 0x78, 0xac, 0xa5, 0xb9, 0x44, 0x72, 0xf3,
 -    0x39, 0xca, 0xeb, 0x99, 0x31, 0xb4, 0x2b, 0xe3,
 -    0x01, 0x26, 0x8b, 0xc9, 0x97, 0x89, 0xc9, 0xb2,
 -    0x55, 0x71, 0xc3, 0xc0, 0xe4, 0xcb, 0x3f, 0x00,
 -    0x7f, 0x1a, 0x51, 0x1c, 0xbb, 0x53, 0xc8, 0x51,
 -    0x9c, 0xdd, 0x13, 0x02, 0xab, 0xca, 0x6c, 0x0f,
 -    0x34, 0xf9, 0x67, 0x39, 0xf1, 0x7f, 0xf4, 0x8b
 +    0x00, 0xef, 0x15, 0x02, 0xf5, 0x56, 0xa3, 0x79,
 +    0x40, 0x58, 0xbc, 0xeb, 0x56, 0xad, 0xcb, 0xda,
 +    0x8c, 0xda, 0xb8, 0xd1, 0xda, 0x6f, 0x25, 0x29,
 +    0x9e, 0x43, 0x76, 0x2d, 0xb2, 0xd8, 0xbc, 0x84,
 +    0xbc, 0x85, 0xd0, 0x94, 0x8d, 0x44, 0x27, 0x57,
 +    0xe4, 0xdf, 0xc1, 0x78, 0x42, 0x8f, 0x08, 0xf5,
 +    0x74, 0xfe, 0x02, 0x56, 0xd2, 0x09, 0xc8, 0x68,
 +    0xef, 0xed, 0x18, 0xc9, 0xfd, 0x2e, 0x95, 0x6c,
 +    0xba, 0x6c, 0x00, 0x0e, 0xf5, 0xd1, 0x1b, 0xf6,
 +    0x15, 0x14, 0x5b, 0x67, 0x22, 0x7c, 0x6a, 0x20,
 +    0x76, 0x43, 0x51, 0xef, 0x5e, 0x1e, 0xf9, 0x2d,
 +    0xd6, 0xb4, 0xc5, 0xc6, 0x18, 0x33, 0xd1, 0xa3,
 +    0x3b, 0xe6, 0xdd, 0x57, 0x9d, 0xad, 0x13, 0x7a,
 +    0x53, 0xde, 0xb3, 0x97, 0xc0, 0x7e, 0xd7, 0x77,
 +    0x6b, 0xf8, 0xbd, 0x13, 0x70, 0x8c, 0xba, 0x73,
 +    0x80, 0xb3, 0x80, 0x6f, 0xfb, 0x1c, 0xda, 0x53,
 +    0x4d, 0x3c, 0x8a, 0x2e, 0xa1, 0x37, 0xce, 0xb1,
 +    0xde, 0x45, 0x97, 0x58, 0x65, 0x4d, 0xcf, 0x05,
 +    0xbb, 0xc3, 0xd7, 0x38, 0x6d, 0x0a, 0x59, 0x7a,
 +    0x99, 0x15, 0xb7, 0x9a, 0x3d, 0xfd, 0x61, 0xe5,
 +    0x1a, 0xa2, 0xcc, 0xf6, 0xfe, 0xb1, 0xee, 0xe9,
 +    0xa9, 0xe2, 0xeb, 0x06, 0xbc, 0x14, 0x6e, 0x91,
 +    0x0d, 0xf1, 0xe3, 0xbb, 0xe0, 0x7e, 0x1d, 0x31,
 +    0x79, 0xf1, 0x6d, 0x5f, 0xcb, 0xaf, 0xb2, 0x4f,
 +    0x22, 0x12, 0xbf, 0x72, 0xbd, 0xd0, 0x30, 0xe4,
 +    0x1c, 0x35, 0x96, 0x61, 0x98, 0x39, 0xfb, 0x7e,
 +    0x6d, 0x66, 0xc4, 0x69, 0x41, 0x0d, 0x0d, 0x59,
 +    0xbb, 0xa7, 0xbf, 0x34, 0xe0, 0x39, 0x36, 0x84,
 +    0x5e, 0x0e, 0x03, 0x2d, 0xcf, 0xaa, 0x02, 0x8a,
 +    0xba, 0x59, 0x88, 0x47, 0xc4, 0x4d, 0xd7, 0xbd,
 +    0x78, 0x76, 0x24, 0xf1, 0x45, 0x56, 0x44, 0xc2,
 +    0x4a, 0xc2, 0xd5, 0x3a, 0x59, 0x40, 0xab, 0x87,
 +    0x64
 };
 static const unsigned char dh_secret_expected[] = {
 -    0x08, 0xff, 0x33, 0xbb, 0x2e, 0xcf, 0xf4, 0x9a,
 -    0x7d, 0x4a, 0x79, 0x12, 0xae, 0xb1, 0xbb, 0x6a,
 -    0xb5, 0x11, 0x64, 0x1b, 0x4a, 0x76, 0x77, 0x0c,
 -    0x8c, 0xc1, 0xbc, 0xc2, 0x33, 0x34, 0x3d, 0xfe,
 -    0x70, 0x0d, 0x11, 0x81, 0x3d, 0x2c, 0x9e, 0xd2,
 -    0x3b, 0x21, 0x1c, 0xa9, 0xe8, 0x78, 0x69, 0x21,
 -    0xed, 0xca, 0x28, 0x3c, 0x68, 0xb1, 0x61, 0x53,
 -    0xfa, 0x01, 0xe9, 0x1a, 0xb8, 0x2c, 0x90, 0xdd,
 -    0xab, 0x4a, 0x95, 0x81, 0x67, 0x70, 0xa9, 0x87,
 -    0x10, 0xe1, 0x4c, 0x92, 0xab, 0x83, 0xb6, 0xe4,
 -    0x6e, 0x1e, 0x42, 0x6e, 0xe8, 0x52, 0x43, 0x0d,
 -    0x61, 0x87, 0xda, 0xa3, 0x72, 0x0a, 0x6b, 0xcd,
 -    0x73, 0x23, 0x5c, 0x6b, 0x0f, 0x94, 0x1f, 0x33,
 -    0x64, 0xf5, 0x04, 0x20, 0x55, 0x1a, 0x4b, 0xfe,
 -    0xaf, 0xe2, 0xbc, 0x43, 0x85, 0x05, 0xa5, 0x9a,
 -    0x4a, 0x40, 0xda, 0xca, 0x7a, 0x89, 0x5a, 0x73,
 -    0xdb, 0x57, 0x5c, 0x74, 0xc1, 0x3a, 0x23, 0xad,
 -    0x88, 0x32, 0x95, 0x7d, 0x58, 0x2d, 0x38, 0xf0,
 -    0xa6, 0x16, 0x5f, 0xb0, 0xd7, 0xe9, 0xb8, 0x79,
 -    0x9e, 0x42, 0xfd, 0x32, 0x20, 0xe3, 0x32, 0xe9,
 -    0x81, 0x85, 0xa0, 0xc9, 0x42, 0x97, 0x57, 0xb2,
 -    0xd0, 0xd0, 0x2c, 0x17, 0xdb, 0xaa, 0x1f, 0xf6,
 -    0xed, 0x93, 0xd7, 0xe7, 0x3e, 0x24, 0x1e, 0xae,
 -    0xd9, 0x0c, 0xaf, 0x39, 0x4d, 0x2b, 0xc6, 0x57,
 -    0x0f, 0x18, 0xc8, 0x1f, 0x2b, 0xe5, 0xd0, 0x1a,
 -    0x2c, 0xa9, 0x9f, 0xf1, 0x42, 0xb5, 0xd9, 0x63,
 -    0xf9, 0xf5, 0x00, 0x32, 0x5e, 0x75, 0x56, 0xf9,
 -    0x58, 0x49, 0xb3, 0xff, 0xc7, 0x47, 0x94, 0x86,
 -    0xbe, 0x1d, 0x45, 0x96, 0xa3, 0x10, 0x6b, 0xd5,
 -    0xcb, 0x4f, 0x61, 0xc5, 0x7e, 0xc5, 0xf1, 0x00,
 -    0xfb, 0x7a, 0x0c, 0x82, 0xa1, 0x0b, 0x82, 0x52,
 -    0x6a, 0x97, 0xd1, 0xd9, 0x7d, 0x98, 0xea, 0xf6
 +    0x56, 0x13, 0xe3, 0x12, 0x6b, 0x5f, 0x67, 0xe5,
 +    0x08, 0xe5, 0x35, 0x0e, 0x11, 0x90, 0x9d, 0xf5,
 +    0x1a, 0x24, 0xfa, 0x42, 0xd1, 0x4a, 0x50, 0x93,
 +    0x5b, 0xf4, 0x11, 0x6f, 0xd0, 0xc3, 0xc5, 0xa5,
 +    0x80, 0xae, 0x01, 0x3d, 0x66, 0x92, 0xc0, 0x3e,
 +    0x5f, 0xe9, 0x75, 0xb6, 0x5b, 0x37, 0x82, 0x39,
 +    0x72, 0x66, 0x0b, 0xa2, 0x73, 0x94, 0xe5, 0x04,
 +    0x7c, 0x0c, 0x19, 0x9a, 0x03, 0x53, 0xc4, 0x9d,
 +    0xc1, 0x0f, 0xc3, 0xec, 0x0e, 0x2e, 0xa3, 0x7c,
 +    0x07, 0x0e, 0xaf, 0x18, 0x1d, 0xc7, 0x8b, 0x47,
 +    0x4b, 0x94, 0x05, 0x6d, 0xec, 0xdd, 0xa1, 0xae,
 +    0x7b, 0x21, 0x86, 0x53, 0xd3, 0x62, 0x38, 0x08,
 +    0xea, 0xda, 0xdc, 0xb2, 0x5a, 0x7c, 0xef, 0x19,
 +    0xf8, 0x29, 0xef, 0xf8, 0xd0, 0xfb, 0xde, 0xe8,
 +    0xb8, 0x2f, 0xb3, 0xa1, 0x16, 0xa2, 0xd0, 0x8f,
 +    0x48, 0xdc, 0x7d, 0xcb, 0xee, 0x5c, 0x06, 0x1e,
 +    0x2a, 0x66, 0xe8, 0x1f, 0xdb, 0x18, 0xe9, 0xd2,
 +    0xfd, 0xa2, 0x4e, 0x39, 0xa3, 0x2e, 0x88, 0x3d,
 +    0x7d, 0xac, 0x15, 0x18, 0x25, 0xe6, 0xba, 0xd4,
 +    0x0e, 0x89, 0x26, 0x60, 0x8f, 0xdc, 0x4a, 0xb4,
 +    0x49, 0x8f, 0x98, 0xe8, 0x62, 0x8c, 0xc6, 0x66,
 +    0x20, 0x4c, 0xe1, 0xed, 0xfc, 0x01, 0x88, 0x46,
 +    0xa7, 0x67, 0x48, 0x39, 0xc5, 0x22, 0x95, 0xa0,
 +    0x23, 0xb9, 0xd1, 0xed, 0x87, 0xcf, 0xa7, 0x70,
 +    0x1c, 0xac, 0xd3, 0xaf, 0x5c, 0x26, 0x50, 0x3c,
 +    0xe4, 0x23, 0xb6, 0xcc, 0xd7, 0xc5, 0xda, 0x2f,
 +    0xf4, 0x45, 0xf1, 0xe4, 0x40, 0xb5, 0x0a, 0x25,
 +    0x86, 0xe6, 0xde, 0x11, 0x3c, 0x46, 0x16, 0xbc,
 +    0x41, 0xc2, 0x28, 0x19, 0x81, 0x5a, 0x46, 0x02,
 +    0x87, 0xd0, 0x15, 0x0c, 0xd2, 0xfe, 0x75, 0x04,
 +    0x82, 0xd2, 0x0a, 0xb7, 0xbc, 0xc5, 0x6c, 0xb1,
 +    0x41, 0xa8, 0x2b, 0x28, 0xbb, 0x86, 0x0c, 0x89
 };
 static const ST_KAT_PARAM dh_group[] = {
 -- 
 2.35.3
--- a/openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
+++ b/openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
@@ -1,312 +0,0 @@
 From dc41625dc4a793f0e21188165711181ca085339b Mon Sep 17 00:00:00 2001
 From: rpm-build <rpm-build>
 Date: Wed, 6 Mar 2024 19:17:16 +0100
 Subject: [PATCH 28/49] 
 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
 Patch-name: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
 Patch-id: 74
 Patch-status: |
    # [PATCH 29/46]
    # 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
 From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
 ---
 crypto/evp/m_sigver.c           | 54 ++++++++++++++++++++++++++++-----
 providers/fips/self_test_kats.c | 43 +++++++++++++++-----------
 2 files changed, 73 insertions(+), 24 deletions(-)
 Index: openssl-3.2.3/crypto/evp/m_sigver.c
 ===================================================================
 --- openssl-3.2.3.orig/crypto/evp/m_sigver.c
 +++ openssl-3.2.3/crypto/evp/m_sigver.c
@@ -86,6 +86,7 @@ static int update(EVP_MD_CTX *ctx, const
     ERR_raise(ERR_LIB_EVP, EVP_R_ONLY_ONESHOT_SUPPORTED);
     return 0;
 }
 +#endif /* !defined(FIPS_MODULE) */
 /*
  * If we get the "NULL" md then the name comes back as "UNDEF". We want to use
@@ -121,8 +122,10 @@ static int do_sigver_init(EVP_MD_CTX *ct
         reinit = 0;
         if (e == NULL)
             ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props);
 +#ifndef FIPS_MODULE
         else
             ctx->pctx = EVP_PKEY_CTX_new(pkey, e);
 +#endif /* !defined(FIPS_MODULE) */
     }
     if (ctx->pctx == NULL)
         return 0;
@@ -132,8 +135,10 @@ static int do_sigver_init(EVP_MD_CTX *ct
     locpctx = ctx->pctx;
     ERR_set_mark();
 +#ifndef FIPS_MODULE
     if (evp_pkey_ctx_is_legacy(locpctx))
         goto legacy;
 +#endif /* !defined(FIPS_MODULE) */
     /* do not reinitialize if pkey is set or operation is different */
     if (reinit
@@ -218,8 +223,10 @@ static int do_sigver_init(EVP_MD_CTX *ct
             signature =
                 evp_signature_fetch_from_prov((OSSL_PROVIDER *)tmp_prov,
                                               supported_sig, locpctx->propquery);
 +#ifndef FIPS_MODULE
             if (signature == NULL)
                 goto legacy;
 +#endif /* !defined(FIPS_MODULE) */
             break;
         }
         if (signature == NULL)
@@ -303,6 +310,7 @@ static int do_sigver_init(EVP_MD_CTX *ct
             ctx->fetched_digest = EVP_MD_fetch(locpctx->libctx, mdname, props);
             if (ctx->fetched_digest != NULL) {
                 ctx->digest = ctx->reqdigest = ctx->fetched_digest;
 +#ifndef FIPS_MODULE
             } else {
                 /* legacy engine support : remove the mark when this is deleted */
                 ctx->reqdigest = ctx->digest = EVP_get_digestbyname(mdname);
@@ -311,11 +319,13 @@ static int do_sigver_init(EVP_MD_CTX *ct
                     ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
                     goto err;
                 }
 +#endif /* !defined(FIPS_MODULE) */
             }
             (void)ERR_pop_to_mark();
         }
     }
 +#ifndef FIPS_MODULE
     if (ctx->reqdigest != NULL
             && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
             && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
@@ -327,6 +337,7 @@ static int do_sigver_init(EVP_MD_CTX *ct
             goto err;
         }
     }
 +#endif /* !defined(FIPS_MODULE) */
     if (ver) {
         if (signature->digest_verify_init == NULL) {
@@ -359,6 +370,7 @@ static int do_sigver_init(EVP_MD_CTX *ct
     EVP_KEYMGMT_free(tmp_keymgmt);
     return 0;
 +#ifndef FIPS_MODULE
  legacy:
     /*
      * If we don't have the full support we need with provided methods,
@@ -430,6 +442,7 @@ static int do_sigver_init(EVP_MD_CTX *ct
         ctx->pctx->flag_call_digest_custom = 1;
     ret = 1;
 +#endif /* !defined(FIPS_MODULE) */
  end:
 #ifndef FIPS_MODULE
@@ -472,7 +485,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx
     return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1,
                           NULL);
 }
 -#endif /* FIPS_MDOE */
 int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
 {
@@ -544,24 +556,30 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *c
     return EVP_DigestUpdate(ctx, data, dsize);
 }
 -#ifndef FIPS_MODULE
 int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
                         size_t *siglen)
 {
 -    int sctx = 0, r = 0;
 -    EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx;
 +    int r = 0;
 +#ifndef FIPS_MODULE
 +    int sctx = 0;
 +    EVP_PKEY_CTX *dctx = NULL;
 +#endif /* !defined(FIPS_MODULE) */
 +    EVP_PKEY_CTX *pctx = ctx->pctx;
     if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) {
         ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
         return 0;
     }
 +#ifndef FIPS_MODULE
     if (pctx == NULL
             || pctx->operation != EVP_PKEY_OP_SIGNCTX
             || pctx->op.sig.algctx == NULL
             || pctx->op.sig.signature == NULL)
         goto legacy;
 +#endif /* !defined(FIPS_MODULE) */
 +#ifndef FIPS_MODULE
     if (sigret != NULL && (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
         /* try dup */
         dctx = EVP_PKEY_CTX_dup(pctx);
@@ -576,7 +594,14 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx,
     else
         EVP_PKEY_CTX_free(dctx);
     return r;
 +#else
 +    r = pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx,
 +                                                  sigret, siglen,
 +                                                  sigret == NULL ? 0 : *siglen);
 +    return r;
 +#endif /* !defined(FIPS_MODULE) */
 +#ifndef FIPS_MODULE
  legacy:
     if (pctx == NULL || pctx->pmeth == NULL) {
         ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
@@ -649,6 +674,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx,
         }
     }
     return 1;
 +#endif /* !defined(FIPS_MODULE) */
 }
 int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
@@ -687,23 +713,29 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsi
 int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
                           size_t siglen)
 {
 -    unsigned char md[EVP_MAX_MD_SIZE];
     int r = 0;
 +#ifndef FIPS_MODULE
 +    unsigned char md[EVP_MAX_MD_SIZE];
     unsigned int mdlen = 0;
     int vctx = 0;
 -    EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx;
 +    EVP_PKEY_CTX *dctx = NULL;
 +#endif /* !defined(FIPS_MODULE) */
 +    EVP_PKEY_CTX *pctx = ctx->pctx;
     if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) {
         ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
         return 0;
     }
 +#ifndef FIPS_MODULE
     if (pctx == NULL
             || pctx->operation != EVP_PKEY_OP_VERIFYCTX
             || pctx->op.sig.algctx == NULL
             || pctx->op.sig.signature == NULL)
         goto legacy;
 +#endif /* !defined(FIPS_MODULE) */
 +#ifndef FIPS_MODULE
     if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
         /* try dup */
         dctx = EVP_PKEY_CTX_dup(pctx);
@@ -717,7 +749,13 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct
     else
         EVP_PKEY_CTX_free(dctx);
     return r;
 +#else
 +    r = pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx,
 +                                                    sig, siglen);
 +    return r;
 +#endif /* !defined(FIPS_MODULE) */
 +#ifndef FIPS_MODULE
  legacy:
     if (pctx == NULL || pctx->pmeth == NULL) {
         ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
@@ -758,6 +796,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct
     if (vctx || !r)
         return r;
     return EVP_PKEY_verify(pctx, sig, siglen, md, mdlen);
 +#endif /* !defined(FIPS_MODULE) */
 }
 int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
@@ -790,4 +829,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, co
         return -1;
     return EVP_DigestVerifyFinal(ctx, sigret, siglen);
 }
 -#endif /* FIPS_MODULE */
 Index: openssl-3.2.3/providers/fips/self_test_kats.c
 ===================================================================
 --- openssl-3.2.3.orig/providers/fips/self_test_kats.c
 +++ openssl-3.2.3/providers/fips/self_test_kats.c
@@ -450,10 +450,13 @@ static int self_test_sign(const ST_KAT_S
     int ret = 0;
     OSSL_PARAM *params = NULL, *params_sig = NULL;
     OSSL_PARAM_BLD *bld = NULL;
 +    EVP_MD *md = NULL;
 +    EVP_MD_CTX *ctx = NULL;
     EVP_PKEY_CTX *sctx = NULL, *kctx = NULL;
     EVP_PKEY *pkey = NULL;
 -    unsigned char sig[256];
     BN_CTX *bnctx = NULL;
 +    const char *msg = "Hello World!";
 +    unsigned char sig[256];
     size_t siglen = sizeof(sig);
     static const unsigned char dgst[] = {
         0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
@@ -487,23 +490,26 @@ static int self_test_sign(const ST_KAT_S
         || EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
         goto err;
 -    /* Create a EVP_PKEY_CTX to use for the signing operation */
 -    sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
 -    if (sctx == NULL
 -        || EVP_PKEY_sign_init(sctx) <= 0)
 -        goto err;
 -
 -    /* set signature parameters */
 -    if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_SIGNATURE_PARAM_DIGEST,
 -                                         t->mdalgorithm,
 -                                         strlen(t->mdalgorithm) + 1))
 -        goto err;
 +    /* Create a EVP_MD_CTX to use for the signature operation, assign signature
 +     * parameters and sign */
     params_sig = OSSL_PARAM_BLD_to_param(bld);
 -    if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
 +    md = EVP_MD_fetch(libctx, "SHA256", NULL);
 +    ctx = EVP_MD_CTX_new();
 +    if (md == NULL || ctx == NULL)
 +        goto err;
 +    EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT);
 +    if (EVP_DigestSignInit(ctx, &sctx, md, NULL, pkey) <= 0
 +        || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0
 +        || EVP_DigestSign(ctx, sig, &siglen, (const unsigned char *)msg, strlen(msg)) <= 0
 +        || EVP_MD_CTX_reset(ctx) <= 0)
         goto err;
 -    if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0
 -        || EVP_PKEY_verify_init(sctx) <= 0
 +    /* sctx is not freed automatically inside the FIPS module */
 +    EVP_PKEY_CTX_free(sctx);
 +    sctx = NULL;
 +
 +    EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT);
 +    if (EVP_DigestVerifyInit(ctx, &sctx, md, NULL, pkey) <= 0
         || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
         goto err;
@@ -513,14 +519,17 @@ static int self_test_sign(const ST_KAT_S
         goto err;
     OSSL_SELF_TEST_oncorrupt_byte(st, sig);
 -    if (EVP_PKEY_verify(sctx, sig, siglen, dgst, sizeof(dgst)) <= 0)
 +    if (EVP_DigestVerify(ctx, sig, siglen, (const unsigned char *)msg, strlen(msg)) <= 0)
         goto err;
     ret = 1;
 err:
     BN_CTX_free(bnctx);
     EVP_PKEY_free(pkey);
 -    EVP_PKEY_CTX_free(kctx);
 +    EVP_MD_free(md);
 +    EVP_MD_CTX_free(ctx);
 +    /* sctx is not freed automatically inside the FIPS module */
     EVP_PKEY_CTX_free(sctx);
 +    EVP_PKEY_CTX_free(kctx);
     OSSL_PARAM_free(params);
     OSSL_PARAM_free(params_sig);
     OSSL_PARAM_BLD_free(bld);
--- a/openssl-FIPS-enforce-security-checks-during-initialization.patch
+++ b/openssl-FIPS-enforce-security-checks-during-initialization.patch
@@ -1,22 +0,0 @@
 Index: openssl-3.1.4/providers/fips/fipsprov.c
 ===================================================================
 --- openssl-3.1.4.orig/providers/fips/fipsprov.c
 +++ openssl-3.1.4/providers/fips/fipsprov.c
@@ -107,7 +107,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_L
         return NULL;
     init_fips_option(&fgbl->fips_security_checks, 1);
     init_fips_option(&fgbl->fips_tls1_prf_ems_check, 1); /* Enabled by default */
 -    init_fips_option(&fgbl->fips_restricted_drgb_digests, 0);
 +    init_fips_option(&fgbl->fips_restricted_drgb_digests, 1); /* Enabled by default */
     return fgbl;
 }
@@ -820,8 +820,6 @@ int OSSL_provider_init_int(const OSSL_CO
     if (fgbl->field.option != NULL) {                                       \
         if (strcmp(fgbl->field.option, "1") == 0)                           \
             fgbl->field.enabled = 1;                                        \
 -        else if (strcmp(fgbl->field.option, "0") == 0)                      \
 -            fgbl->field.enabled = 0;                                        \
         else                                                                \
             goto err;                                                       \
     }
--- a/openssl-FIPS-release_num_in_version_string.patch
+++ b/openssl-FIPS-release_num_in_version_string.patch
@@ -1,27 +0,0 @@
 Index: openssl-3.1.4/providers/fips/fipsprov.c
 ===================================================================
 --- openssl-3.1.4.orig/providers/fips/fipsprov.c
 +++ openssl-3.1.4/providers/fips/fipsprov.c
@@ -194,18 +194,19 @@ static const OSSL_PARAM *fips_gettable_p
 static int fips_get_params(void *provctx, OSSL_PARAM params[])
 {
 +#define SUSE_OPENSSL_VERSION_STR OPENSSL_VERSION_STR " SUSE release " SUSE_OPENSSL_RELEASE
     OSSL_PARAM *p;
     FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(ossl_prov_ctx_get0_libctx(provctx),
                                               OSSL_LIB_CTX_FIPS_PROV_INDEX);
     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
 -    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
 +    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "SUSE Linux Enterprise - OpenSSL FIPS Provider"))
         return 0;
     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
 -    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
 +    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR))
         return 0;
     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
 -    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
 +    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR))
         return 0;
     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
     if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
--- a/openssl-FIPS-services-minimize.patch
+++ b/openssl-FIPS-services-minimize.patch
@@ -1,782 +0,0 @@
 From e25b25227043a2b2cf156527c31d7686a4265bf3 Mon Sep 17 00:00:00 2001
 From: rpm-build <rpm-build>
 Date: Wed, 6 Mar 2024 19:17:15 +0100
 Subject: [PATCH 20/49] 0045-FIPS-services-minimize.patch
 Patch-name: 0045-FIPS-services-minimize.patch
 Patch-id: 45
 Patch-status: |
    # # Minimize fips services
 From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
 ---
 apps/ecparam.c                                |  7 +++
 apps/req.c                                    |  2 +-
 providers/common/capabilities.c               |  2 +-
 providers/fips/fipsprov.c                     | 44 +++++++++++--------
 providers/fips/self_test_data.inc             |  9 +++-
 providers/implementations/signature/rsa_sig.c | 26 +++++++++++
 ssl/ssl_ciph.c                                |  3 ++
 test/acvp_test.c                              |  2 +
 test/endecode_test.c                          |  4 ++
 test/evp_libctx_test.c                        |  9 +++-
 test/recipes/15-test_gendsa.t                 |  2 +-
 test/recipes/20-test_cli_fips.t               |  3 +-
 test/recipes/30-test_evp.t                    | 20 ++++-----
 .../30-test_evp_data/evpmac_common.txt        | 22 ++++++++++
 test/recipes/80-test_cms.t                    | 22 +++++-----
 test/recipes/80-test_ssl_old.t                |  2 +-
 16 files changed, 128 insertions(+), 51 deletions(-)
 Index: openssl-3.2.3/apps/ecparam.c
 ===================================================================
 --- openssl-3.2.3.orig/apps/ecparam.c
 +++ openssl-3.2.3/apps/ecparam.c
@@ -79,6 +79,13 @@ static int list_builtin_curves(BIO *out)
         const char *comment = curves[n].comment;
         const char *sname = OBJ_nid2sn(curves[n].nid);
 +        if (((curves[n].nid == NID_secp256k1) || (curves[n].nid == NID_brainpoolP256r1)
 +            || (curves[n].nid == NID_brainpoolP256t1) || (curves[n].nid == NID_brainpoolP320r1)
 +            || (curves[n].nid == NID_brainpoolP320t1) || (curves[n].nid == NID_brainpoolP384r1)
 +            || (curves[n].nid == NID_brainpoolP384t1) || (curves[n].nid == NID_brainpoolP512r1)
 +            || (curves[n].nid == NID_brainpoolP512t1)) && EVP_default_properties_is_fips_enabled(NULL))
 +            continue;
 +
         if (comment == NULL)
             comment = "CURVE DESCRIPTION NOT AVAILABLE";
         if (sname == NULL)
 Index: openssl-3.2.3/apps/req.c
 ===================================================================
 --- openssl-3.2.3.orig/apps/req.c
 +++ openssl-3.2.3/apps/req.c
@@ -268,7 +268,7 @@ int req_main(int argc, char **argv)
     unsigned long chtype = MBSTRING_ASC, reqflag = 0;
 #ifndef OPENSSL_NO_DES
 -    cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
 +    cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
 #endif
     opt_set_unknown_name("digest");
 Index: openssl-3.2.3/providers/common/capabilities.c
 ===================================================================
 --- openssl-3.2.3.orig/providers/common/capabilities.c
 +++ openssl-3.2.3/providers/common/capabilities.c
@@ -189,9 +189,9 @@ static const OSSL_PARAM param_group_list
     TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25),
     TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26),
     TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27),
 -#  endif
     TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28),
     TLS_GROUP_ENTRY("x448", "X448", "X448", 29),
 +#  endif
 #  ifndef FIPS_MODULE
     TLS_GROUP_ENTRY("brainpoolP256r1tls13", "brainpoolP256r1", "EC", 30),
     TLS_GROUP_ENTRY("brainpoolP384r1tls13", "brainpoolP384r1", "EC", 31),
 Index: openssl-3.2.3/providers/fips/fipsprov.c
 ===================================================================
 --- openssl-3.2.3.orig/providers/fips/fipsprov.c
 +++ openssl-3.2.3/providers/fips/fipsprov.c
@@ -194,18 +194,19 @@ static const OSSL_PARAM *fips_gettable_p
 static int fips_get_params(void *provctx, OSSL_PARAM params[])
 {
 +#define SUSE_OPENSSL_VERSION_STR OPENSSL_VERSION_STR " SUSE release " SUSE_OPENSSL_RELEASE
     OSSL_PARAM *p;
     FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(ossl_prov_ctx_get0_libctx(provctx),
                                               OSSL_LIB_CTX_FIPS_PROV_INDEX);
     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
 -    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
 +    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "SUSE Linux Enterprise - OpenSSL FIPS Provider"))
         return 0;
     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
 -    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
 +    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR))
         return 0;
     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
 -    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
 +    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR))
         return 0;
     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
     if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
@@ -298,10 +299,11 @@ static const OSSL_ALGORITHM fips_digests
      * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
      * KMAC128 and KMAC256.
      */
 -    { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
 +    /* We don't certify KECCAK in our FIPS provider */
 +    /* { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
       ossl_keccak_kmac_128_functions },
     { PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES,
 -      ossl_keccak_kmac_256_functions },
 +      ossl_keccak_kmac_256_functions }, */
     { NULL, NULL, NULL }
 };
@@ -360,8 +362,9 @@ static const OSSL_ALGORITHM_CAPABLE fips
     ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
          ossl_cipher_capable_aes_cbc_hmac_sha256),
 #ifndef OPENSSL_NO_DES
 -    UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
 -    UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
 +    /* We don't certify 3DES in our FIPS provider */
 +    /* UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
 +    UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), */
 #endif  /* OPENSSL_NO_DES */
     { { NULL, NULL, NULL }, NULL }
 };
@@ -373,8 +376,9 @@ static const OSSL_ALGORITHM fips_macs[]
 #endif
     { PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions },
     { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions },
 -    { PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
 -    { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions },
 +    /* We don't certify KMAC in our FIPS provider */
 +    /*{ PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
 +    { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, */
     { NULL, NULL, NULL }
 };
@@ -410,8 +414,9 @@ static const OSSL_ALGORITHM fips_keyexch
 #ifndef OPENSSL_NO_EC
     { PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions },
 # ifndef OPENSSL_NO_ECX
 -    { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
 -    { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },
 +    /* We don't certify Edwards curves in our FIPS provider */
 +    /*{ PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
 +    { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },*/
 # endif
 #endif
     { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
@@ -422,14 +427,16 @@ static const OSSL_ALGORITHM fips_keyexch
 static const OSSL_ALGORITHM fips_signature[] = {
 #ifndef OPENSSL_NO_DSA
 -    { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
 +    /* We don't certify DSA in our FIPS provider */
 +    /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },*/
 #endif
     { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions },
 #ifndef OPENSSL_NO_EC
 # ifndef OPENSSL_NO_ECX
 -    { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
 +    /* We don't certify Edwards curves in our FIPS provider */
 +    /* { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
       ossl_ed25519_signature_functions },
 -    { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },
 +    { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },*/
 # endif
     { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions },
 #endif
@@ -460,8 +467,9 @@ static const OSSL_ALGORITHM fips_keymgmt
       PROV_DESCS_DHX },
 #endif
 #ifndef OPENSSL_NO_DSA
 -    { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
 -      PROV_DESCS_DSA },
 +    /* We don't certify DSA in our FIPS provider */
 +    /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
 +      PROV_DESCS_DSA }, */
 #endif
     { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions,
       PROV_DESCS_RSA },
@@ -471,14 +479,15 @@ static const OSSL_ALGORITHM fips_keymgmt
     { PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions,
       PROV_DESCS_EC },
 # ifndef OPENSSL_NO_ECX
 -    { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
 +    /* We don't certify Edwards curves in our FIPS provider */
 +    /* { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
       PROV_DESCS_X25519 },
     { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions,
       PROV_DESCS_X448 },
     { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_keymgmt_functions,
       PROV_DESCS_ED25519 },
     { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_keymgmt_functions,
 -      PROV_DESCS_ED448 },
 +      PROV_DESCS_ED448 }, */
 # endif
 #endif
     { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions,
 Index: openssl-3.2.3/providers/fips/self_test_data.inc
 ===================================================================
 --- openssl-3.2.3.orig/providers/fips/self_test_data.inc
 +++ openssl-3.2.3/providers/fips/self_test_data.inc
@@ -177,6 +177,7 @@ static const ST_KAT_DIGEST st_kat_digest
 /*- CIPHER TEST DATA */
 /* DES3 test data */
 +#if 0
 static const unsigned char des_ede3_cbc_pt[] = {
     0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
     0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
@@ -197,7 +198,7 @@ static const unsigned char des_ede3_cbc_
     0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F,
     0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7
 };
 -
 +#endif
 /* AES-256 GCM test data */
 static const unsigned char aes_256_gcm_key[] = {
     0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c,
@@ -1454,8 +1455,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[
 # endif /* OPENSSL_NO_EC2M */
 #endif /* OPENSSL_NO_EC */
 -#ifndef OPENSSL_NO_DSA
 /* dsa 2048 */
 +#if 0
 +#ifndef OPENSSL_NO_DSA
 static const unsigned char dsa_p[] = {
     0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23,
     0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e,
@@ -1590,6 +1592,7 @@ static const ST_KAT_PARAM dsa_key[] = {
     ST_KAT_PARAM_END()
 };
 #endif /* OPENSSL_NO_DSA */
 +#endif
 /* Hash DRBG inputs for signature KATs */
 static const unsigned char sig_kat_entropyin[] = {
@@ -1642,6 +1645,7 @@ static const ST_KAT_SIGN st_kat_sign_tes
     },
 # endif
 #endif /* OPENSSL_NO_EC */
 +#if 0
 #ifndef OPENSSL_NO_DSA
     {
         OSSL_SELF_TEST_DESC_SIGN_DSA,
@@ -1654,6 +1658,7 @@ static const ST_KAT_SIGN st_kat_sign_tes
         ITM(dsa_expected_sig)
     },
 #endif /* OPENSSL_NO_DSA */
 +#endif
 };
 static const ST_KAT_ASYM_CIPHER st_kat_asym_cipher_tests[] = {
 Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c
 ===================================================================
 --- openssl-3.2.3.orig/providers/implementations/signature/rsa_sig.c
 +++ openssl-3.2.3/providers/implementations/signature/rsa_sig.c
@@ -702,6 +702,19 @@ static int rsa_verify_recover(void *vprs
 {
     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
     int ret;
 +# ifdef FIPS_MODULE
 +    size_t rsabits = RSA_bits(prsactx->rsa);
 +
 +    if (rsabits < 2048) {
 +        if (rsabits != 1024
 +            && rsabits != 1280
 +            && rsabits != 1536
 +            && rsabits != 1792) {
 +            ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
 +            return 0;
 +        }
 +    }
 +# endif
     if (!ossl_prov_is_running())
         return 0;
@@ -790,6 +803,19 @@ static int rsa_verify(void *vprsactx, co
 {
     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
     size_t rslen;
 +# ifdef FIPS_MODULE
 +    size_t rsabits = RSA_bits(prsactx->rsa);
 +
 +    if (rsabits < 2048) {
 +        if (rsabits != 1024
 +            && rsabits != 1280
 +            && rsabits != 1536
 +            && rsabits != 1792) {
 +            ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
 +            return 0;
 +        }
 +    }
 +# endif
     if (!ossl_prov_is_running())
         return 0;
 Index: openssl-3.2.3/ssl/ssl_ciph.c
 ===================================================================
 --- openssl-3.2.3.orig/ssl/ssl_ciph.c
 +++ openssl-3.2.3/ssl/ssl_ciph.c
@@ -356,6 +356,9 @@ int ssl_load_ciphers(SSL_CTX *ctx)
     ctx->disabled_mkey_mask = 0;
     ctx->disabled_auth_mask = 0;
 +    if (EVP_default_properties_is_fips_enabled(ctx->libctx))
 +        ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK;
 +
     /*
      * We ignore any errors from the fetches below. They are expected to fail
      * if these algorithms are not available.
 Index: openssl-3.2.3/test/acvp_test.c
 ===================================================================
 --- openssl-3.2.3.orig/test/acvp_test.c
 +++ openssl-3.2.3/test/acvp_test.c
@@ -1478,6 +1478,7 @@ int setup_tests(void)
                   OSSL_NELEM(dh_safe_prime_keyver_data));
 #endif /* OPENSSL_NO_DH */
 +#if 0 /* SUSE FIPS provider doesn't have fips=yes property on DSA */
 #ifndef OPENSSL_NO_DSA
     ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data));
     ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data));
@@ -1485,6 +1486,7 @@ int setup_tests(void)
     ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data));
     ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data));
 #endif /* OPENSSL_NO_DSA */
 +#endif
 #ifndef OPENSSL_NO_EC
     ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data));
 Index: openssl-3.2.3/test/endecode_test.c
 ===================================================================
 --- openssl-3.2.3.orig/test/endecode_test.c
 +++ openssl-3.2.3/test/endecode_test.c
@@ -1424,6 +1424,7 @@ int setup_tests(void)
          * so no legacy tests.
          */
 #endif
 +    if (is_fips == 0) {
 #ifndef OPENSSL_NO_DSA
         ADD_TEST_SUITE(DSA);
         ADD_TEST_SUITE_PARAMS(DSA);
@@ -1434,6 +1435,7 @@ int setup_tests(void)
         ADD_TEST_SUITE_PROTECTED_PVK(DSA);
 # endif
 #endif
 +    }
 #ifndef OPENSSL_NO_EC
         ADD_TEST_SUITE(EC);
         ADD_TEST_SUITE_PARAMS(EC);
@@ -1454,10 +1456,12 @@ int setup_tests(void)
             ADD_TEST_SUITE(SM2);
         }
 # endif
 +    if (is_fips == 0) {
         ADD_TEST_SUITE(ED25519);
         ADD_TEST_SUITE(ED448);
         ADD_TEST_SUITE(X25519);
         ADD_TEST_SUITE(X448);
 +    }
         /*
          * ED25519, ED448, X25519 and X448 have no support for
          * PEM_write_bio_PrivateKey_traditional(), so no legacy tests.
 Index: openssl-3.2.3/test/evp_libctx_test.c
 ===================================================================
 --- openssl-3.2.3.orig/test/evp_libctx_test.c
 +++ openssl-3.2.3/test/evp_libctx_test.c
@@ -21,6 +21,7 @@
  */
 #include "internal/deprecated.h"
 #include <assert.h>
 +#include <string.h>
 #include <openssl/evp.h>
 #include <openssl/provider.h>
 #include <openssl/dsa.h>
@@ -726,7 +727,9 @@ int setup_tests(void)
         return 0;
 #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH)
 -    ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
 +    if (strcmp(prov_name, "fips") != 0) {
 +        ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
 +    }
 #endif
 #ifndef OPENSSL_NO_DH
     ADD_ALL_TESTS(test_dh_safeprime_param_keygen, 3 * 3 * 3);
@@ -746,7 +749,9 @@ int setup_tests(void)
     ADD_TEST(kem_invalid_keytype);
 #endif
 #ifndef OPENSSL_NO_DES
 -    ADD_TEST(test_cipher_tdes_randkey);
 +    if (strcmp(prov_name, "fips") != 0) {
 +        ADD_TEST(test_cipher_tdes_randkey);
 +    }
 #endif
     return 1;
 }
 Index: openssl-3.2.3/test/recipes/15-test_gendsa.t
 ===================================================================
 --- openssl-3.2.3.orig/test/recipes/15-test_gendsa.t
 +++ openssl-3.2.3/test/recipes/15-test_gendsa.t
@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
 plan skip_all => "This test is unsupported in a no-dsa build"
     if disabled("dsa");
 -my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
 +my $no_fips = 1;
 plan tests =>
     ($no_fips ? 0 : 2)          # FIPS related tests
 Index: openssl-3.2.3/test/recipes/20-test_cli_fips.t
 ===================================================================
 --- openssl-3.2.3.orig/test/recipes/20-test_cli_fips.t
 +++ openssl-3.2.3/test/recipes/20-test_cli_fips.t
@@ -278,8 +278,7 @@ SKIP: {
 }
 SKIP : {
 -    skip "FIPS DSA tests because of no dsa in this build", 1
 -        if disabled("dsa");
 +    skip "FIPS DSA tests because of no dsa in this build", 1;
     subtest DSA => sub {
         my $testtext_prefix = 'DSA';
 Index: openssl-3.2.3/test/recipes/30-test_evp.t
 ===================================================================
 --- openssl-3.2.3.orig/test/recipes/30-test_evp.t
 +++ openssl-3.2.3/test/recipes/30-test_evp.t
@@ -46,10 +46,8 @@ my @files = qw(
                 evpciph_aes_cts.txt
                 evpciph_aes_wrap.txt
                 evpciph_aes_stitched.txt
 -                evpciph_des3_common.txt
                 evpkdf_hkdf.txt
                 evpkdf_kbkdf_counter.txt
 -                evpkdf_kbkdf_kmac.txt
                 evpkdf_pbkdf1.txt
                 evpkdf_pbkdf2.txt
                 evpkdf_ss.txt
@@ -70,15 +68,6 @@ push @files, qw(
                 evppkey_dh.txt
                ) unless $no_dh;
 push @files, qw(
 -                evpkdf_x942_des.txt
 -                evpmac_cmac_des.txt
 -               ) unless $no_des;
 -push @files, qw(evppkey_dsa.txt) unless $no_dsa;
 -push @files, qw(
 -                evppkey_ecx.txt
 -                evppkey_mismatch_ecx.txt
 -               ) unless $no_ecx;
 -push @files, qw(
                 evppkey_ecc.txt
                 evppkey_ecdh.txt
                 evppkey_ecdsa.txt
@@ -97,6 +86,7 @@ my @defltfiles = qw(
                      evpciph_cast5.txt
                      evpciph_chacha.txt
                      evpciph_des.txt
 +                     evpciph_des3_common.txt
                      evpciph_idea.txt
                      evpciph_rc2.txt
                      evpciph_rc4.txt
@@ -121,13 +111,19 @@ my @defltfiles = qw(
                      evpmd_whirlpool.txt
                      evppbe_scrypt.txt
                      evppbe_pkcs12.txt
 +                     evpkdf_kbkdf_kmac.txt
                      evppkey_kdf_scrypt.txt
                      evppkey_kdf_tls1_prf.txt
                      evppkey_rsa.txt
                     );
 +push @defltfiles, qw(evppkey_dsa.txt) unless $no_dsa;
 +push @defltfiles, qw(evppkey_ecx.txt) unless $no_ec;
 +push @defltfiles, qw(
 +                evpkdf_x942_des.txt
 +                evpmac_cmac_des.txt
 +               ) unless $no_des;
 push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec;
 push @defltfiles, qw(evppkey_ecdsa_rfc6979.txt) unless $no_ec;
 -push @defltfiles, qw(evppkey_dsa_rfc6979.txt) unless $no_dsa;
 push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2;
 push @defltfiles, qw(evpciph_aes_gcm_siv.txt) unless $no_siv;
 push @defltfiles, qw(evpciph_aes_siv.txt) unless $no_siv;
 Index: openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt
 ===================================================================
 --- openssl-3.2.3.orig/test/recipes/30-test_evp_data/evpmac_common.txt
 +++ openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt
@@ -363,6 +363,7 @@ IV = 7AE8E2CA4EC500012E58495C
 Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D0007
 Result = MAC_INIT_ERROR
 +Availablein = default
 Title = KMAC Tests (From NIST)
 MAC = KMAC128
 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
@@ -373,12 +374,14 @@ Ctrl = xof:0
 OutputSize = 32
 BlockSize = 168
 +Availablein = default
 MAC = KMAC128
 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
 Input = 00010203
 Custom = "My Tagged Application"
 Output = 3B1FBA963CD8B0B59E8C1A6D71888B7143651AF8BA0A7070C0979E2811324AA5
 +Availablein = default
 MAC = KMAC128
 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
 Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -386,6 +389,7 @@ Custom = "My Tagged Application"
 Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230
 Ctrl = size:32
 +Availablein = default
 MAC = KMAC256
 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
 Input = 00010203
@@ -394,12 +398,14 @@ Output = 20C570C31346F703C9AC36C61C03CB6
 OutputSize = 64
 BlockSize = 136
 +Availablein = default
 MAC = KMAC256
 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
 Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
 Custom = ""
 Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69
 +Availablein = default
 MAC = KMAC256
 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
 Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -409,12 +415,14 @@ Ctrl = size:64
 Title = KMAC XOF Tests (From NIST)
 +Availablein = default
 MAC = KMAC128
 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
 Input = 00010203
 Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
 XOF = 1
 +Availablein = default
 MAC = KMAC128
 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
 Input = 00010203
@@ -422,6 +430,7 @@ Custom = "My Tagged Application"
 Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
 XOF = 1
 +Availablein = default
 MAC = KMAC128
 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
 Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -430,6 +439,7 @@ Output = 47026C7CD793084AA0283C253EF6584
 XOF = 1
 Ctrl = size:32
 +Availablein = default
 MAC = KMAC256
 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
 Input = 00010203
@@ -437,6 +447,7 @@ Custom = "My Tagged Application"
 Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
 XOF = 1
 +Availablein = default
 MAC = KMAC256
 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
 Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -444,6 +455,7 @@ Custom = ""
 Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
 XOF = 1
 +Availablein = default
 MAC = KMAC256
 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
 Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -454,6 +466,7 @@ XOF = 1
 Title = KMAC long customisation string (from NIST ACVP)
 +Availablein = default
 MAC = KMAC256
 Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
 Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
@@ -464,12 +477,14 @@ XOF = 1
 Title = KMAC XOF Tests via ctrl (From NIST)
 +Availablein = default
 MAC = KMAC128
 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
 Input = 00010203
 Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
 Ctrl = xof:1
 +Availablein = default
 MAC = KMAC128
 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
 Input = 00010203
@@ -477,6 +492,7 @@ Custom = "My Tagged Application"
 Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
 Ctrl = xof:1
 +Availablein = default
 MAC = KMAC128
 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
 Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -485,6 +501,7 @@ Output = 47026C7CD793084AA0283C253EF6584
 Ctrl = xof:1
 Ctrl = size:32
 +Availablein = default
 MAC = KMAC256
 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
 Input = 00010203
@@ -492,6 +509,7 @@ Custom = "My Tagged Application"
 Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
 Ctrl = xof:1
 +Availablein = default
 MAC = KMAC256
 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
 Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -499,6 +517,7 @@ Custom = ""
 Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
 Ctrl = xof:1
 +Availablein = default
 MAC = KMAC256
 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
 Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -509,6 +528,7 @@ Ctrl = xof:1
 Title = KMAC long customisation string via ctrl (from NIST ACVP)
 +Availablein = default
 MAC = KMAC256
 Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
 Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
@@ -519,6 +539,7 @@ Ctrl = xof:1
 Title = KMAC long customisation string negative test
 +Availablein = default
 MAC = KMAC128
 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
 Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
@@ -527,6 +548,7 @@ Result = MAC_INIT_ERROR
 Title = KMAC output is too large
 +Availablein = default
 MAC = KMAC256
 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
 Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
 Index: openssl-3.2.3/test/recipes/80-test_cms.t
 ===================================================================
 --- openssl-3.2.3.orig/test/recipes/80-test_cms.t
 +++ openssl-3.2.3/test/recipes/80-test_cms.t
@@ -96,7 +96,7 @@ my @smime_pkcs7_tests = (
       \&final_compare
     ],
 -    [ "signed content DER format, DSA key",
 +    [ "signed content DER format, DSA key, no SUSE FIPS",
       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
@@ -104,7 +104,7 @@ my @smime_pkcs7_tests = (
       \&final_compare
     ],
 -    [ "signed detached content DER format, DSA key",
 +    [ "signed detached content DER format, DSA key, no SUSE FIPS",
       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
@@ -113,7 +113,7 @@ my @smime_pkcs7_tests = (
       \&final_compare
     ],
 -    [ "signed detached content DER format, add RSA signer (with DSA existing)",
 +    [ "signed detached content DER format, add RSA signer (with DSA existing), no SUSE FIPS",
       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
       [ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER",
@@ -124,7 +124,7 @@ my @smime_pkcs7_tests = (
       \&final_compare
     ],
 -    [ "signed content test streaming BER format, DSA key",
 +    [ "signed content test streaming BER format, DSA key, no SUSE FIPS",
       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
         "-nodetach", "-stream",
         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
@@ -133,7 +133,7 @@ my @smime_pkcs7_tests = (
       \&final_compare
     ],
 -    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys",
 +    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no SUSE FIPS",
       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
         "-nodetach", "-stream",
         "-signer", $smrsa1,
@@ -146,7 +146,7 @@ my @smime_pkcs7_tests = (
       \&final_compare
     ],
 -    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes",
 +    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no SUSE FIPS",
       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
         "-noattr", "-nodetach", "-stream",
         "-signer", $smrsa1,
@@ -176,7 +176,7 @@ my @smime_pkcs7_tests = (
       \&zero_compare
     ],
 -    [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys",
 +    [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys, no SUSE FIPS",
       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
         "-signer", $smrsa1,
         "-signer", catfile($smdir, "smrsa2.pem"),
@@ -188,7 +188,7 @@ my @smime_pkcs7_tests = (
       \&final_compare
     ],
 -    [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys",
 +    [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys, no SUSE FIPS",
       [ "{cmd1}", @prov, "-sign", "-in", $smcont,
         "-signer", $smrsa1,
         "-signer", catfile($smdir, "smrsa2.pem"),
@@ -250,7 +250,7 @@ my @smime_pkcs7_tests = (
 my @smime_cms_tests = (
 -    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid",
 +    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid, no SUSE FIPS",
       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
         "-nodetach", "-keyid",
         "-signer", $smrsa1,
@@ -263,7 +263,7 @@ my @smime_cms_tests = (
       \&final_compare
     ],
 -    [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys",
 +    [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys, no SUSE FIPS",
       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
         "-signer", $smrsa1,
         "-signer", catfile($smdir, "smrsa2.pem"),
@@ -373,7 +373,7 @@ my @smime_cms_tests = (
       \&final_compare
     ],
 -    [ "encrypted content test streaming PEM format, triple DES key",
 +    [ "encrypted content test streaming PEM format, triple DES key, no SUSE FIPS",
       [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
         "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
         "-stream", "-out", "{output}.cms" ],
 Index: openssl-3.2.3/test/recipes/80-test_ssl_old.t
 ===================================================================
 --- openssl-3.2.3.orig/test/recipes/80-test_ssl_old.t
 +++ openssl-3.2.3/test/recipes/80-test_ssl_old.t
@@ -436,7 +436,7 @@ sub testssl {
         my @exkeys = ();
         my $ciphers = '-PSK:-SRP:@SECLEVEL=0';
 -        if (!$no_dsa) {
 +        if (!$no_dsa && $provider ne "fips") {
             push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey;
         }
--- a/openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch
+++ b/openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch
@@ -1,113 +0,0 @@
 From a325a23bc83f4efd60130001c417ca5b96bdbff1 Mon Sep 17 00:00:00 2001
 From: Clemens Lang <cllang@redhat.com>
 Date: Thu, 17 Nov 2022 19:33:02 +0100
 Subject: [PATCH] signature: Add indicator for PSS salt length
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
 5.5 "PKCS #1" says: "For RSASSA-PSS [...] the length (in bytes) of the
 salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
 the hash function output block (in bytes)."
 It is not exactly clear from this text whether hLen refers to the
 message digest or the hash function used for the mask generation
 function MGF1. PKCS#1 v2.1 suggests it is the former:
 | Typical salt lengths in octets are hLen (the length of the output of
 | the hash function Hash) and 0. In both cases the security of
 | RSASSA-PSS can be closely related to the hardness of inverting RSAVP1.
 | Bellare and Rogaway [4] give a tight lower bound for the security of
 | the original RSA-PSS scheme, which corresponds roughly to the former
 | case, while Coron [12] gives a lower bound for the related Full Domain
 | Hashing scheme, which corresponds roughly to the latter case. In [13]
 | Coron provides a general treatment with various salt lengths ranging
 | from 0 to hLen; see [27] for discussion. See also [31], which adapts
 | the security proofs in [4][13] to address the differences between the
 | original and the present version of RSA-PSS as listed in Note 1 above.
 Since OpenSSL defaults to creating signatures with the maximum salt
 length, blocking the use of longer salts would probably lead to
 significant problems in practice. Instead, introduce an explicit
 indicator that can be obtained from the EVP_PKEY_CTX object using
 EVP_PKEY_CTX_get_params() with the
  OSSL_SIGNATURE_PARAM_SUSE_FIPS_INDICATOR
 parameter.
 We also add indicator for RSA_NO_PADDING here to avoid patch-over-patch.
 Dmitry Belyavskiy <dbelyavs@redhat.com>
 Signed-off-by: Clemens Lang <cllang@redhat.com>
 ---
 include/openssl/evp.h                         |  4 ++++
 providers/implementations/signature/rsa_sig.c | 21 +++++++++++++++++
 util/perl/OpenSSL/paramnames.pm               | 23 ++++++++++---------
 3 files changed, 37 insertions(+), 11 deletions(-)
 Index: openssl-3.2.3/include/openssl/evp.h
 ===================================================================
 --- openssl-3.2.3.orig/include/openssl/evp.h
 +++ openssl-3.2.3/include/openssl/evp.h
@@ -804,6 +804,10 @@ __owur int EVP_CipherFinal(EVP_CIPHER_CT
 __owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
                               int *outl);
 +# define EVP_SIGNATURE_SUSE_FIPS_INDICATOR_UNDETERMINED 0
 +# define EVP_SIGNATURE_SUSE_FIPS_INDICATOR_APPROVED     1
 +# define EVP_SIGNATURE_SUSE_FIPS_INDICATOR_NOT_APPROVED 2
 +
 __owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
                          EVP_PKEY *pkey);
 __owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
 Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c
 ===================================================================
 --- openssl-3.2.3.orig/providers/implementations/signature/rsa_sig.c
 +++ openssl-3.2.3/providers/implementations/signature/rsa_sig.c
@@ -1185,6 +1185,24 @@ static int rsa_get_ctx_params(void *vprs
         }
     }
 +#ifdef FIPS_MODULE
 +    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_SUSE_FIPS_INDICATOR);
 +    if (p != NULL) {
 +        int fips_indicator = EVP_SIGNATURE_SUSE_FIPS_INDICATOR_APPROVED;
 +        if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {
 +            if (prsactx->md == NULL) {
 +                fips_indicator = EVP_SIGNATURE_SUSE_FIPS_INDICATOR_UNDETERMINED;
 +            } else if (rsa_pss_compute_saltlen(prsactx) > EVP_MD_get_size(prsactx->md)) {
 +                fips_indicator = EVP_SIGNATURE_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +            }
 +        } else if (prsactx->pad_mode == RSA_NO_PADDING) {
 +            if (prsactx->md == NULL) /* Should always be the case */
 +                fips_indicator = EVP_SIGNATURE_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 +        }
 +        return OSSL_PARAM_set_int(p, fips_indicator);
 +    }
 +#endif
 +
     return 1;
 }
@@ -1194,6 +1212,9 @@ static const OSSL_PARAM known_gettable_c
     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
 +#ifdef FIPS_MODULE
 +    OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_SUSE_FIPS_INDICATOR, NULL),
 +#endif
     OSSL_PARAM_END
 };
 Index: openssl-3.2.3/util/perl/OpenSSL/paramnames.pm
 ===================================================================
 --- openssl-3.2.3.orig/util/perl/OpenSSL/paramnames.pm
 +++ openssl-3.2.3/util/perl/OpenSSL/paramnames.pm
@@ -386,6 +386,7 @@ my %params = (
     'SIGNATURE_PARAM_MGF1_PROPERTIES' =>    '*PKEY_PARAM_MGF1_PROPERTIES',
     'SIGNATURE_PARAM_DIGEST_SIZE' =>        '*PKEY_PARAM_DIGEST_SIZE',
     'SIGNATURE_PARAM_NONCE_TYPE' =>         "nonce-type",
 +    'SIGNATURE_PARAM_SUSE_FIPS_INDICATOR' => "suse-fips-indicator",
     'SIGNATURE_PARAM_INSTANCE' =>           "instance",
     'SIGNATURE_PARAM_CONTEXT_STRING' =>     "context-string",
--- a/openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch
+++ b/openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch
@@ -1,309 +0,0 @@
 From 4580c303fa88f77a98461fee5fe26b5db725967c Mon Sep 17 00:00:00 2001
 From: Todd Short <todd.short@me.com>
 Date: Thu, 1 Feb 2024 23:09:38 -0500
 Subject: [PATCH 1/2] Fix EVP_PKEY_CTX_add1_hkdf_info() behavior
 Fix #23448
 `EVP_PKEY_CTX_add1_hkdf_info()` behaves like a `set1` function.
 Fix the setting of the parameter in the params code.
 Update the TLS_PRF code to also use the params code.
 Add tests.
 Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/23456)
 (cherry picked from commit 6b566687b58fde08b28e3331377f050768fad89b)
 ---
 crypto/evp/pmeth_lib.c                        | 65 ++++++++++++++++++-
 providers/implementations/exchange/kdf_exch.c | 42 ++++++++++++
 providers/implementations/kdfs/hkdf.c         |  8 +++
 test/pkey_meth_kdf_test.c                     | 53 +++++++++++----
 4 files changed, 156 insertions(+), 12 deletions(-)
 diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
 index ba1971c..d0eeaf7 100644
 --- a/crypto/evp/pmeth_lib.c
 +++ b/crypto/evp/pmeth_lib.c
@@ -1028,6 +1028,69 @@ static int evp_pkey_ctx_set1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
     return EVP_PKEY_CTX_set_params(ctx, octet_string_params);
 }
 +static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
 +                                          const char *param, int op, int ctrl,
 +                                          const unsigned char *data,
 +                                          int datalen)
 +{
 +    OSSL_PARAM os_params[2];
 +    unsigned char *info = NULL;
 +    size_t info_len = 0;
 +    size_t info_alloc = 0;
 +    int ret = 0;
 +
 +    if (ctx == NULL || (ctx->operation & op) == 0) {
 +        ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
 +        /* Uses the same return values as EVP_PKEY_CTX_ctrl */
 +        return -2;
 +    }
 +
 +    /* Code below to be removed when legacy support is dropped. */
 +    if (fallback)
 +        return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, datalen, (void *)(data));
 +    /* end of legacy support */
 +
 +    if (datalen < 0) {
 +        ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH);
 +        return 0;
 +    }
 +
 +    /* Get the original value length */
 +    os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0);
 +    os_params[1] = OSSL_PARAM_construct_end();
 +
 +    if (!EVP_PKEY_CTX_get_params(ctx, os_params))
 +        return 0;
 +
 +    /* Older provider that doesn't support getting this parameter */
 +    if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED)
 +        return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen);
 +
 +    info_alloc = os_params[0].return_size + datalen;
 +    if (info_alloc == 0)
 +        return 0;
 +    info = OPENSSL_zalloc(info_alloc);
 +    if (info == NULL)
 +        return 0;
 +    info_len = os_params[0].return_size;
 +
 +    os_params[0] = OSSL_PARAM_construct_octet_string(param, info, info_alloc);
 +
 +    /* if we have data, then go get it */
 +    if (info_len > 0) {
 +        if (!EVP_PKEY_CTX_get_params(ctx, os_params))
 +            goto error;
 +    }
 +
 +    /* Copy the input data */
 +    memcpy(&info[info_len], data, datalen);
 +    ret = EVP_PKEY_CTX_set_params(ctx, os_params);
 +
 + error:
 +    OPENSSL_clear_free(info, info_alloc);
 +    return ret;
 +}
 +
 int EVP_PKEY_CTX_set1_tls1_prf_secret(EVP_PKEY_CTX *ctx,
                                       const unsigned char *sec, int seclen)
 {
@@ -1078,7 +1141,7 @@ int EVP_PKEY_CTX_set1_hkdf_key(EVP_PKEY_CTX *ctx,
 int EVP_PKEY_CTX_add1_hkdf_info(EVP_PKEY_CTX *ctx,
                                       const unsigned char *info, int infolen)
 {
 -    return evp_pkey_ctx_set1_octet_string(ctx, ctx->op.kex.algctx == NULL,
 +    return evp_pkey_ctx_add1_octet_string(ctx, ctx->op.kex.algctx == NULL,
                                           OSSL_KDF_PARAM_INFO,
                                           EVP_PKEY_OP_DERIVE,
                                           EVP_PKEY_CTRL_HKDF_INFO,
 diff --git a/providers/implementations/exchange/kdf_exch.c b/providers/implementations/exchange/kdf_exch.c
 index 527a866..4bc8102 100644
 --- a/providers/implementations/exchange/kdf_exch.c
 +++ b/providers/implementations/exchange/kdf_exch.c
@@ -28,9 +28,13 @@ static OSSL_FUNC_keyexch_derive_fn kdf_derive;
 static OSSL_FUNC_keyexch_freectx_fn kdf_freectx;
 static OSSL_FUNC_keyexch_dupctx_fn kdf_dupctx;
 static OSSL_FUNC_keyexch_set_ctx_params_fn kdf_set_ctx_params;
 +static OSSL_FUNC_keyexch_get_ctx_params_fn kdf_get_ctx_params;
 static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_tls1_prf_settable_ctx_params;
 static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_hkdf_settable_ctx_params;
 static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_scrypt_settable_ctx_params;
 +static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_tls1_prf_gettable_ctx_params;
 +static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
 +static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_scrypt_gettable_ctx_params;
 typedef struct {
     void *provctx;
@@ -169,6 +173,13 @@ static int kdf_set_ctx_params(void *vpkdfctx, const OSSL_PARAM params[])
     return EVP_KDF_CTX_set_params(pkdfctx->kdfctx, params);
 }
 +static int kdf_get_ctx_params(void *vpkdfctx, OSSL_PARAM params[])
 +{
 +    PROV_KDF_CTX *pkdfctx = (PROV_KDF_CTX *)vpkdfctx;
 +
 +    return EVP_KDF_CTX_get_params(pkdfctx->kdfctx, params);
 +}
 +
 static const OSSL_PARAM *kdf_settable_ctx_params(ossl_unused void *vpkdfctx,
                                                  void *provctx,
                                                  const char *kdfname)
@@ -197,6 +208,34 @@ KDF_SETTABLE_CTX_PARAMS(tls1_prf, "TLS1-PRF")
 KDF_SETTABLE_CTX_PARAMS(hkdf, "HKDF")
 KDF_SETTABLE_CTX_PARAMS(scrypt, "SCRYPT")
 +static const OSSL_PARAM *kdf_gettable_ctx_params(ossl_unused void *vpkdfctx,
 +                                                 void *provctx,
 +                                                 const char *kdfname)
 +{
 +    EVP_KDF *kdf = EVP_KDF_fetch(PROV_LIBCTX_OF(provctx), kdfname,
 +                                 NULL);
 +    const OSSL_PARAM *params;
 +
 +    if (kdf == NULL)
 +        return NULL;
 +
 +    params = EVP_KDF_gettable_ctx_params(kdf);
 +    EVP_KDF_free(kdf);
 +
 +    return params;
 +}
 +
 +#define KDF_GETTABLE_CTX_PARAMS(funcname, kdfname) \
 +    static const OSSL_PARAM *kdf_##funcname##_gettable_ctx_params(void *vpkdfctx, \
 +                                                                  void *provctx) \
 +    { \
 +        return kdf_gettable_ctx_params(vpkdfctx, provctx, kdfname); \
 +    }
 +
 +KDF_GETTABLE_CTX_PARAMS(tls1_prf, "TLS1-PRF")
 +KDF_GETTABLE_CTX_PARAMS(hkdf, "HKDF")
 +KDF_GETTABLE_CTX_PARAMS(scrypt, "SCRYPT")
 +
 #define KDF_KEYEXCH_FUNCTIONS(funcname) \
     const OSSL_DISPATCH ossl_kdf_##funcname##_keyexch_functions[] = { \
         { OSSL_FUNC_KEYEXCH_NEWCTX, (void (*)(void))kdf_##funcname##_newctx }, \
@@ -205,8 +244,11 @@ KDF_SETTABLE_CTX_PARAMS(scrypt, "SCRYPT")
         { OSSL_FUNC_KEYEXCH_FREECTX, (void (*)(void))kdf_freectx }, \
         { OSSL_FUNC_KEYEXCH_DUPCTX, (void (*)(void))kdf_dupctx }, \
         { OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS, (void (*)(void))kdf_set_ctx_params }, \
 +        { OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS, (void (*)(void))kdf_get_ctx_params }, \
         { OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS, \
         (void (*)(void))kdf_##funcname##_settable_ctx_params }, \
 +        { OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS, \
 +        (void (*)(void))kdf_##funcname##_gettable_ctx_params }, \
         { 0, NULL } \
     };
 diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
 index daa619b..dd65a2a 100644
 --- a/providers/implementations/kdfs/hkdf.c
 +++ b/providers/implementations/kdfs/hkdf.c
@@ -371,6 +371,13 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
             return 0;
         return OSSL_PARAM_set_size_t(p, sz);
     }
 +    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) {
 +        if (ctx->info == NULL || ctx->info_len == 0) {
 +            p->return_size = 0;
 +            return 1;
 +        }
 +        return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len);
 +    }
     return -2;
 }
@@ -379,6 +386,7 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
 {
     static const OSSL_PARAM known_gettable_ctx_params[] = {
         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
 +        OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
         OSSL_PARAM_END
     };
     return known_gettable_ctx_params;
 diff --git a/test/pkey_meth_kdf_test.c b/test/pkey_meth_kdf_test.c
 index f816d24..c09e2f3 100644
 --- a/test/pkey_meth_kdf_test.c
 +++ b/test/pkey_meth_kdf_test.c
@@ -16,7 +16,7 @@
 #include <openssl/kdf.h>
 #include "testutil.h"
 -static int test_kdf_tls1_prf(void)
 +static int test_kdf_tls1_prf(int index)
 {
     int ret = 0;
     EVP_PKEY_CTX *pctx;
@@ -40,10 +40,23 @@ static int test_kdf_tls1_prf(void)
         TEST_error("EVP_PKEY_CTX_set1_tls1_prf_secret");
         goto err;
     }
 -    if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
 -                                        (unsigned char *)"seed", 4) <= 0) {
 -        TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
 -        goto err;
 +    if (index == 0) {
 +        if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
 +                                            (unsigned char *)"seed", 4) <= 0) {
 +            TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
 +            goto err;
 +        }
 +    } else {
 +        if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
 +                                            (unsigned char *)"se", 2) <= 0) {
 +            TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
 +            goto err;
 +        }
 +        if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
 +                                            (unsigned char *)"ed", 2) <= 0) {
 +            TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
 +            goto err;
 +        }
     }
     if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
         TEST_error("EVP_PKEY_derive");
@@ -65,7 +78,7 @@ err:
     return ret;
 }
 -static int test_kdf_hkdf(void)
 +static int test_kdf_hkdf(int index)
 {
     int ret = 0;
     EVP_PKEY_CTX *pctx;
@@ -94,10 +107,23 @@ static int test_kdf_hkdf(void)
         TEST_error("EVP_PKEY_CTX_set1_hkdf_key");
         goto err;
     }
 -    if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"label", 5)
 +    if (index == 0) {
 +        if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"label", 5)
             <= 0) {
 -        TEST_error("EVP_PKEY_CTX_set1_hkdf_info");
 -        goto err;
 +            TEST_error("EVP_PKEY_CTX_add1_hkdf_info");
 +            goto err;
 +        }
 +    } else {
 +        if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"lab", 3)
 +            <= 0) {
 +            TEST_error("EVP_PKEY_CTX_add1_hkdf_info");
 +            goto err;
 +        }
 +        if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"el", 2)
 +            <= 0) {
 +            TEST_error("EVP_PKEY_CTX_add1_hkdf_info");
 +            goto err;
 +        }
     }
     if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
         TEST_error("EVP_PKEY_derive");
@@ -195,8 +221,13 @@ err:
 int setup_tests(void)
 {
 -    ADD_TEST(test_kdf_tls1_prf);
 -    ADD_TEST(test_kdf_hkdf);
 +    int tests = 1;
 +
 +    if (fips_provider_version_ge(NULL, 3, 3, 1))
 +        tests = 2;
 +
 +    ADD_ALL_TESTS(test_kdf_tls1_prf, tests);
 +    ADD_ALL_TESTS(test_kdf_hkdf, tests);
 #ifndef OPENSSL_NO_SCRYPT
     ADD_TEST(test_kdf_scrypt);
 #endif
 -- 
 2.45.1
--- a/openssl-Fix-P384-on-P8-targets.patch
+++ b/openssl-Fix-P384-on-P8-targets.patch
@@ -1,125 +0,0 @@
 From a72f753cc5a43e58087358317975f6be46c15e01 Mon Sep 17 00:00:00 2001
 From: "A. Wilcox" <AWilcox@Wilcox-Tech.com>
 Date: Thu, 17 Apr 2025 08:51:53 -0500
 Subject: [PATCH] Fix P-384 curve on lower-than-P9 PPC64 targets
 The change adding an asm implementation of p384_felem_reduce incorrectly
 uses the accelerated version on both targets that support the intrinsics
 *and* targets that don't, instead of falling back to the generics on older
 targets.  This results in crashes when trying to use P-384 on < Power9.
 Signed-off-by: Anna Wilcox <AWilcox@Wilcox-Tech.com>
 Closes: #27350
 Fixes: 85cabd94 ("Fix Minerva timing side-channel signal for P-384 curve on PPC")
 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/27429)
 (cherry picked from commit 29864f2b0f1046177e8048a5b17440893d3f9425)
 ---
 crypto/ec/ecp_nistp384.c | 54 ++++++++++++++++++++++++----------------
 1 file changed, 33 insertions(+), 21 deletions(-)
 diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c
 index 2ceb94fe33b7e..9d682f5a02cce 100644
 --- a/crypto/ec/ecp_nistp384.c
 +++ b/crypto/ec/ecp_nistp384.c
@@ -684,6 +684,22 @@ static void felem_reduce_ref(felem out, const widefelem in)
         out[i] = acc[i];
 }
 +static ossl_inline void felem_square_reduce_ref(felem out, const felem in)
 +{
 +    widefelem tmp;
 +
 +    felem_square_ref(tmp, in);
 +    felem_reduce_ref(out, tmp);
 +}
 +
 +static ossl_inline void felem_mul_reduce_ref(felem out, const felem in1, const felem in2)
 +{
 +    widefelem tmp;
 +
 +    felem_mul_ref(tmp, in1, in2);
 +    felem_reduce_ref(out, tmp);
 +}
 +
 #if defined(ECP_NISTP384_ASM)
 static void felem_square_wrapper(widefelem out, const felem in);
 static void felem_mul_wrapper(widefelem out, const felem in1, const felem in2);
@@ -695,10 +711,18 @@ static void (*felem_mul_p)(widefelem out, const felem in1, const felem in2) =
 static void (*felem_reduce_p)(felem out, const widefelem in) = felem_reduce_ref;
 +static void (*felem_square_reduce_p)(felem out, const felem in) =
 +    felem_square_reduce_ref;
 +static void (*felem_mul_reduce_p)(felem out, const felem in1, const felem in2) =
 +    felem_mul_reduce_ref;
 +
 void p384_felem_square(widefelem out, const felem in);
 void p384_felem_mul(widefelem out, const felem in1, const felem in2);
 void p384_felem_reduce(felem out, const widefelem in);
 +void p384_felem_square_reduce(felem out, const felem in);
 +void p384_felem_mul_reduce(felem out, const felem in1, const felem in2);
 +
 # if defined(_ARCH_PPC64)
 #  include "crypto/ppc_arch.h"
 # endif
@@ -710,6 +734,8 @@ static void felem_select(void)
         felem_square_p = p384_felem_square;
         felem_mul_p = p384_felem_mul;
         felem_reduce_p = p384_felem_reduce;
 +        felem_square_reduce_p = p384_felem_square_reduce;
 +        felem_mul_reduce_p = p384_felem_mul_reduce;
         return;
     }
@@ -718,7 +744,9 @@ static void felem_select(void)
     /* Default */
     felem_square_p = felem_square_ref;
     felem_mul_p = felem_mul_ref;
 -    felem_reduce_p = p384_felem_reduce;
 +    felem_reduce_p = felem_reduce_ref;
 +    felem_square_reduce_p = felem_square_reduce_ref;
 +    felem_mul_reduce_p = felem_mul_reduce_ref;
 }
 static void felem_square_wrapper(widefelem out, const felem in)
@@ -737,31 +765,15 @@ static void felem_mul_wrapper(widefelem out, const felem in1, const felem in2)
 # define felem_mul felem_mul_p
 # define felem_reduce felem_reduce_p
 -void p384_felem_square_reduce(felem out, const felem in);
 -void p384_felem_mul_reduce(felem out, const felem in1, const felem in2);
 -
 -# define felem_square_reduce p384_felem_square_reduce
 -# define felem_mul_reduce p384_felem_mul_reduce
 +# define felem_square_reduce felem_square_reduce_p
 +# define felem_mul_reduce felem_mul_reduce_p
 #else
 # define felem_square felem_square_ref
 # define felem_mul felem_mul_ref
 # define felem_reduce felem_reduce_ref
 -static ossl_inline void felem_square_reduce(felem out, const felem in)
 -{
 -    widefelem tmp;
 -
 -    felem_square(tmp, in);
 -    felem_reduce(out, tmp);
 -}
 -
 -static ossl_inline void felem_mul_reduce(felem out, const felem in1, const felem in2)
 -{
 -    widefelem tmp;
 -
 -    felem_mul(tmp, in1, in2);
 -    felem_reduce(out, tmp);
 -}
 +# define felem_square_reduce felem_square_reduce_ref
 +# define felem_mul_reduce felem_mul_reduce_ref
 #endif
 /*-
--- a/openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch
+++ b/openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch
@@ -1,94 +0,0 @@
 From d6a9c21302e01c33a9a919e7ba380ba3b0ed65b0 Mon Sep 17 00:00:00 2001
 From: trinity-1686a <trinity@deuxfleurs.fr>
 Date: Mon, 15 Apr 2024 11:13:14 +0200
 Subject: [PATCH 2/2] Handle empty param in EVP_PKEY_CTX_add1_hkdf_info
 Fixes #24130
 The regression was introduced in PR #23456.
 Reviewed-by: Paul Dale <ppzgs1@gmail.com>
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/24141)
 (cherry picked from commit 299996fb1fcd76eeadfd547958de2a1b822f37f5)
 ---
 crypto/evp/pmeth_lib.c |  2 ++
 test/evp_extra_test.c  | 42 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+)
 diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
 index d0eeaf7..bce1ebc 100644
 --- a/crypto/evp/pmeth_lib.c
 +++ b/crypto/evp/pmeth_lib.c
@@ -1053,6 +1053,8 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
     if (datalen < 0) {
         ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH);
         return 0;
 +    } else if (datalen == 0) {
 +        return 1;
     }
     /* Get the original value length */
 diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
 index 9b3bee7..22121ce 100644
 --- a/test/evp_extra_test.c
 +++ b/test/evp_extra_test.c
@@ -2565,6 +2565,47 @@ static int test_emptyikm_HKDF(void)
     return ret;
 }
 +static int test_empty_salt_info_HKDF(void)
 +{
 +    EVP_PKEY_CTX *pctx;
 +    unsigned char out[20];
 +    size_t outlen;
 +    int ret = 0;
 +    unsigned char salt[] = "";
 +    unsigned char key[] = "012345678901234567890123456789";
 +    unsigned char info[] = "";
 +    const unsigned char expected[] = {
 +	0x67, 0x12, 0xf9, 0x27, 0x8a, 0x8a, 0x3a, 0x8f, 0x7d, 0x2c, 0xa3, 0x6a,
 +	0xaa, 0xe9, 0xb3, 0xb9, 0x52, 0x5f, 0xe0, 0x06,
 +    };
 +    size_t expectedlen = sizeof(expected);
 +
 +    if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, "HKDF", testpropq)))
 +        goto done;
 +
 +    outlen = sizeof(out);
 +    memset(out, 0, outlen);
 +
 +    if (!TEST_int_gt(EVP_PKEY_derive_init(pctx), 0)
 +            || !TEST_int_gt(EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()), 0)
 +            || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt,
 +                                                        sizeof(salt) - 1), 0)
 +            || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_key(pctx, key,
 +                                                       sizeof(key) - 1), 0)
 +            || !TEST_int_gt(EVP_PKEY_CTX_add1_hkdf_info(pctx, info,
 +                                                        sizeof(info) - 1), 0)
 +            || !TEST_int_gt(EVP_PKEY_derive(pctx, out, &outlen), 0)
 +            || !TEST_mem_eq(out, outlen, expected, expectedlen))
 +        goto done;
 +
 +    ret = 1;
 +
 + done:
 +    EVP_PKEY_CTX_free(pctx);
 +
 +    return ret;
 +}
 +
 #ifndef OPENSSL_NO_EC
 static int test_X509_PUBKEY_inplace(void)
 {
@@ -5166,6 +5207,7 @@ int setup_tests(void)
 #endif
     ADD_TEST(test_HKDF);
     ADD_TEST(test_emptyikm_HKDF);
 +    ADD_TEST(test_empty_salt_info_HKDF);
 #ifndef OPENSSL_NO_EC
     ADD_TEST(test_X509_PUBKEY_inplace);
     ADD_TEST(test_X509_PUBKEY_dup);
 -- 
 2.45.1
--- a/openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
+++ b/openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
@@ -1,495 +0,0 @@
 From 3d3a7ecd1ae5ab08d22041f7b3b035c34f12fa02 Mon Sep 17 00:00:00 2001
 From: Danny Tsen <dtsen@linux.ibm.com>
 Date: Tue, 22 Aug 2023 15:58:53 -0400
 Subject: [PATCH] Improve performance for 6x unrolling with vpermxor
 instruction
 Reviewed-by: Paul Dale <pauli@openssl.org>
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/21812)
 ---
 crypto/aes/asm/aesp8-ppc.pl | 145 +++++++++++++++++++++++-------------
 1 file changed, 95 insertions(+), 50 deletions(-)
 diff --git a/crypto/aes/asm/aesp8-ppc.pl b/crypto/aes/asm/aesp8-ppc.pl
 index 60cf86f52aed2..38b9405a283b7 100755
 --- a/crypto/aes/asm/aesp8-ppc.pl
 +++ b/crypto/aes/asm/aesp8-ppc.pl
@@ -99,11 +99,12 @@
 .long	0x1b000000, 0x1b000000, 0x1b000000, 0x1b000000	?rev
 .long	0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c	?rev
 .long	0,0,0,0						?asis
 +.long	0x0f102132, 0x43546576, 0x8798a9ba, 0xcbdcedfe
 Lconsts:
 	mflr	r0
 	bcl	20,31,\$+4
 	mflr	$ptr	 #vvvvv "distance between . and rcon
 -	addi	$ptr,$ptr,-0x48
 +	addi	$ptr,$ptr,-0x58
 	mtlr	r0
 	blr
 	.long	0
@@ -2405,7 +2406,7 @@ ()
 my $key_=$key2;
 my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,3,26..31));
     $x00=0 if ($flavour =~ /osx/);
 -my ($in0,  $in1,  $in2,  $in3,  $in4,  $in5 )=map("v$_",(0..5));
 +my ($in0,  $in1,  $in2,  $in3,  $in4,  $in5)=map("v$_",(0..5));
 my ($out0, $out1, $out2, $out3, $out4, $out5)=map("v$_",(7,12..16));
 my ($twk0, $twk1, $twk2, $twk3, $twk4, $twk5)=map("v$_",(17..22));
 my $rndkey0="v23";	# v24-v25 rotating buffer for first found keys
@@ -2460,6 +2461,18 @@ ()
 	li		$x70,0x70
 	mtspr		256,r0
 +	# Reverse eighty7 to 0x010101..87
 +	xxlor		2, 32+$eighty7, 32+$eighty7
 +	vsldoi		$eighty7,$tmp,$eighty7,1	# 0x010101..87
 +	xxlor		1, 32+$eighty7, 32+$eighty7
 +
 +	# Load XOR contents. 0xf102132435465768798a9bacbdcedfe
 +	mr		$x70, r6
 +	bl		Lconsts
 +	lxvw4x		0, $x40, r6		# load XOR contents
 +	mr		r6, $x70
 +	li		$x70,0x70
 +
 	subi		$rounds,$rounds,3	# -4 in total
 	lvx		$rndkey0,$x00,$key1	# load key schedule
@@ -2502,69 +2515,77 @@ ()
 	?vperm		v31,v31,$twk5,$keyperm
 	lvx		v25,$x10,$key_		# pre-load round[2]
 +	# Switch to use the following codes with 0x010101..87 to generate tweak.
 +	#     eighty7 = 0x010101..87
 +	# vsrab		tmp, tweak, seven	# next tweak value, right shift 7 bits
 +	# vand		tmp, tmp, eighty7	# last byte with carry
 +	# vaddubm	tweak, tweak, tweak	# left shift 1 bit (x2)
 +	# xxlor		vsx, 0, 0
 +	# vpermxor	tweak, tweak, tmp, vsx
 +
 	 vperm		$in0,$inout,$inptail,$inpperm
 	 subi		$inp,$inp,31		# undo "caller"
 	vxor		$twk0,$tweak,$rndkey0
 	vsrab		$tmp,$tweak,$seven	# next tweak value
 	vaddubm		$tweak,$tweak,$tweak
 -	vsldoi		$tmp,$tmp,$tmp,15
 	vand		$tmp,$tmp,$eighty7
 	 vxor		$out0,$in0,$twk0
 -	vxor		$tweak,$tweak,$tmp
 +	xxlor		32+$in1, 0, 0
 +	vpermxor	$tweak, $tweak, $tmp, $in1
 	 lvx_u		$in1,$x10,$inp
 	vxor		$twk1,$tweak,$rndkey0
 	vsrab		$tmp,$tweak,$seven	# next tweak value
 	vaddubm		$tweak,$tweak,$tweak
 -	vsldoi		$tmp,$tmp,$tmp,15
 	 le?vperm	$in1,$in1,$in1,$leperm
 	vand		$tmp,$tmp,$eighty7
 	 vxor		$out1,$in1,$twk1
 -	vxor		$tweak,$tweak,$tmp
 +	xxlor		32+$in2, 0, 0
 +	vpermxor	$tweak, $tweak, $tmp, $in2
 	 lvx_u		$in2,$x20,$inp
 	 andi.		$taillen,$len,15
 	vxor		$twk2,$tweak,$rndkey0
 	vsrab		$tmp,$tweak,$seven	# next tweak value
 	vaddubm		$tweak,$tweak,$tweak
 -	vsldoi		$tmp,$tmp,$tmp,15
 	 le?vperm	$in2,$in2,$in2,$leperm
 	vand		$tmp,$tmp,$eighty7
 	 vxor		$out2,$in2,$twk2
 -	vxor		$tweak,$tweak,$tmp
 +	xxlor		32+$in3, 0, 0
 +	vpermxor	$tweak, $tweak, $tmp, $in3
 	 lvx_u		$in3,$x30,$inp
 	 sub		$len,$len,$taillen
 	vxor		$twk3,$tweak,$rndkey0
 	vsrab		$tmp,$tweak,$seven	# next tweak value
 	vaddubm		$tweak,$tweak,$tweak
 -	vsldoi		$tmp,$tmp,$tmp,15
 	 le?vperm	$in3,$in3,$in3,$leperm
 	vand		$tmp,$tmp,$eighty7
 	 vxor		$out3,$in3,$twk3
 -	vxor		$tweak,$tweak,$tmp
 +	xxlor		32+$in4, 0, 0
 +	vpermxor	$tweak, $tweak, $tmp, $in4
 	 lvx_u		$in4,$x40,$inp
 	 subi		$len,$len,0x60
 	vxor		$twk4,$tweak,$rndkey0
 	vsrab		$tmp,$tweak,$seven	# next tweak value
 	vaddubm		$tweak,$tweak,$tweak
 -	vsldoi		$tmp,$tmp,$tmp,15
 	 le?vperm	$in4,$in4,$in4,$leperm
 	vand		$tmp,$tmp,$eighty7
 	 vxor		$out4,$in4,$twk4
 -	vxor		$tweak,$tweak,$tmp
 +	xxlor		32+$in5, 0, 0
 +	vpermxor	$tweak, $tweak, $tmp, $in5
 	 lvx_u		$in5,$x50,$inp
 	 addi		$inp,$inp,0x60
 	vxor		$twk5,$tweak,$rndkey0
 	vsrab		$tmp,$tweak,$seven	# next tweak value
 	vaddubm		$tweak,$tweak,$tweak
 -	vsldoi		$tmp,$tmp,$tmp,15
 	 le?vperm	$in5,$in5,$in5,$leperm
 	vand		$tmp,$tmp,$eighty7
 	 vxor		$out5,$in5,$twk5
 -	vxor		$tweak,$tweak,$tmp
 +	xxlor		32+$in0, 0, 0
 +	vpermxor	$tweak, $tweak, $tmp, $in0
 	vxor		v31,v31,$rndkey0
 	mtctr		$rounds
@@ -2590,6 +2611,8 @@ ()
 	lvx		v25,$x10,$key_		# round[4]
 	bdnz		Loop_xts_enc6x
 +	xxlor		32+$eighty7, 1, 1		# 0x010101..87
 +
 	subic		$len,$len,96		# $len-=96
 	 vxor		$in0,$twk0,v31		# xor with last round key
 	vcipher		$out0,$out0,v24
@@ -2599,7 +2622,6 @@ ()
 	 vaddubm	$tweak,$tweak,$tweak
 	vcipher		$out2,$out2,v24
 	vcipher		$out3,$out3,v24
 -	 vsldoi		$tmp,$tmp,$tmp,15
 	vcipher		$out4,$out4,v24
 	vcipher		$out5,$out5,v24
@@ -2607,7 +2629,8 @@ ()
 	 vand		$tmp,$tmp,$eighty7
 	vcipher		$out0,$out0,v25
 	vcipher		$out1,$out1,v25
 -	 vxor		$tweak,$tweak,$tmp
 +	 xxlor		32+$in1, 0, 0
 +	 vpermxor	$tweak, $tweak, $tmp, $in1
 	vcipher		$out2,$out2,v25
 	vcipher		$out3,$out3,v25
 	 vxor		$in1,$twk1,v31
@@ -2618,13 +2641,13 @@ ()
 	and		r0,r0,$len
 	 vaddubm	$tweak,$tweak,$tweak
 -	 vsldoi		$tmp,$tmp,$tmp,15
 	vcipher		$out0,$out0,v26
 	vcipher		$out1,$out1,v26
 	 vand		$tmp,$tmp,$eighty7
 	vcipher		$out2,$out2,v26
 	vcipher		$out3,$out3,v26
 -	 vxor		$tweak,$tweak,$tmp
 +	 xxlor		32+$in2, 0, 0
 +	 vpermxor	$tweak, $tweak, $tmp, $in2
 	vcipher		$out4,$out4,v26
 	vcipher		$out5,$out5,v26
@@ -2638,7 +2661,6 @@ ()
 	 vaddubm	$tweak,$tweak,$tweak
 	vcipher		$out0,$out0,v27
 	vcipher		$out1,$out1,v27
 -	 vsldoi		$tmp,$tmp,$tmp,15
 	vcipher		$out2,$out2,v27
 	vcipher		$out3,$out3,v27
 	 vand		$tmp,$tmp,$eighty7
@@ -2646,7 +2668,8 @@ ()
 	vcipher		$out5,$out5,v27
 	addi		$key_,$sp,$FRAME+15	# rewind $key_
 -	 vxor		$tweak,$tweak,$tmp
 +	 xxlor		32+$in3, 0, 0
 +	 vpermxor	$tweak, $tweak, $tmp, $in3
 	vcipher		$out0,$out0,v28
 	vcipher		$out1,$out1,v28
 	 vxor		$in3,$twk3,v31
@@ -2655,7 +2678,6 @@ ()
 	vcipher		$out2,$out2,v28
 	vcipher		$out3,$out3,v28
 	 vaddubm	$tweak,$tweak,$tweak
 -	 vsldoi		$tmp,$tmp,$tmp,15
 	vcipher		$out4,$out4,v28
 	vcipher		$out5,$out5,v28
 	lvx		v24,$x00,$key_		# re-pre-load round[1]
@@ -2663,7 +2685,8 @@ ()
 	vcipher		$out0,$out0,v29
 	vcipher		$out1,$out1,v29
 -	 vxor		$tweak,$tweak,$tmp
 +	 xxlor		32+$in4, 0, 0
 +	 vpermxor	$tweak, $tweak, $tmp, $in4
 	vcipher		$out2,$out2,v29
 	vcipher		$out3,$out3,v29
 	 vxor		$in4,$twk4,v31
@@ -2673,14 +2696,14 @@ ()
 	vcipher		$out5,$out5,v29
 	lvx		v25,$x10,$key_		# re-pre-load round[2]
 	 vaddubm	$tweak,$tweak,$tweak
 -	 vsldoi		$tmp,$tmp,$tmp,15
 	vcipher		$out0,$out0,v30
 	vcipher		$out1,$out1,v30
 	 vand		$tmp,$tmp,$eighty7
 	vcipher		$out2,$out2,v30
 	vcipher		$out3,$out3,v30
 -	 vxor		$tweak,$tweak,$tmp
 +	 xxlor		32+$in5, 0, 0
 +	 vpermxor	$tweak, $tweak, $tmp, $in5
 	vcipher		$out4,$out4,v30
 	vcipher		$out5,$out5,v30
 	 vxor		$in5,$twk5,v31
@@ -2690,7 +2713,6 @@ ()
 	vcipherlast	$out0,$out0,$in0
 	 lvx_u		$in0,$x00,$inp		# load next input block
 	 vaddubm	$tweak,$tweak,$tweak
 -	 vsldoi		$tmp,$tmp,$tmp,15
 	vcipherlast	$out1,$out1,$in1
 	 lvx_u		$in1,$x10,$inp
 	vcipherlast	$out2,$out2,$in2
@@ -2703,7 +2725,10 @@ ()
 	vcipherlast	$out4,$out4,$in4
 	 le?vperm	$in2,$in2,$in2,$leperm
 	 lvx_u		$in4,$x40,$inp
 -	 vxor		$tweak,$tweak,$tmp
 +	 xxlor		10, 32+$in0, 32+$in0
 +	 xxlor		32+$in0, 0, 0
 +	 vpermxor	$tweak, $tweak, $tmp, $in0
 +	 xxlor		32+$in0, 10, 10
 	vcipherlast	$tmp,$out5,$in5		# last block might be needed
 						# in stealing mode
 	 le?vperm	$in3,$in3,$in3,$leperm
@@ -2736,6 +2761,8 @@ ()
 	mtctr		$rounds
 	beq		Loop_xts_enc6x		# did $len-=96 borrow?
 +	xxlor		32+$eighty7, 2, 2		# 0x870101..01
 +
 	addic.		$len,$len,0x60
 	beq		Lxts_enc6x_zero
 	cmpwi		$len,0x20
@@ -3112,6 +3139,18 @@ ()
 	li		$x70,0x70
 	mtspr		256,r0
 +	# Reverse eighty7 to 0x010101..87
 +	xxlor		2, 32+$eighty7, 32+$eighty7
 +	vsldoi		$eighty7,$tmp,$eighty7,1	# 0x010101..87
 +	xxlor		1, 32+$eighty7, 32+$eighty7
 +
 +	# Load XOR contents. 0xf102132435465768798a9bacbdcedfe
 +	mr		$x70, r6
 +	bl		Lconsts
 +	lxvw4x		0, $x40, r6		# load XOR contents
 +	mr		r6, $x70
 +	li		$x70,0x70
 +
 	subi		$rounds,$rounds,3	# -4 in total
 	lvx		$rndkey0,$x00,$key1	# load key schedule
@@ -3159,64 +3198,64 @@ ()
 	vxor		$twk0,$tweak,$rndkey0
 	vsrab		$tmp,$tweak,$seven	# next tweak value
 	vaddubm		$tweak,$tweak,$tweak
 -	vsldoi		$tmp,$tmp,$tmp,15
 	vand		$tmp,$tmp,$eighty7
 	 vxor		$out0,$in0,$twk0
 -	vxor		$tweak,$tweak,$tmp
 +	xxlor		32+$in1, 0, 0
 +	vpermxor	$tweak, $tweak, $tmp, $in1
 	 lvx_u		$in1,$x10,$inp
 	vxor		$twk1,$tweak,$rndkey0
 	vsrab		$tmp,$tweak,$seven	# next tweak value
 	vaddubm		$tweak,$tweak,$tweak
 -	vsldoi		$tmp,$tmp,$tmp,15
 	 le?vperm	$in1,$in1,$in1,$leperm
 	vand		$tmp,$tmp,$eighty7
 	 vxor		$out1,$in1,$twk1
 -	vxor		$tweak,$tweak,$tmp
 +	xxlor		32+$in2, 0, 0
 +	vpermxor	$tweak, $tweak, $tmp, $in2
 	 lvx_u		$in2,$x20,$inp
 	 andi.		$taillen,$len,15
 	vxor		$twk2,$tweak,$rndkey0
 	vsrab		$tmp,$tweak,$seven	# next tweak value
 	vaddubm		$tweak,$tweak,$tweak
 -	vsldoi		$tmp,$tmp,$tmp,15
 	 le?vperm	$in2,$in2,$in2,$leperm
 	vand		$tmp,$tmp,$eighty7
 	 vxor		$out2,$in2,$twk2
 -	vxor		$tweak,$tweak,$tmp
 +	xxlor		32+$in3, 0, 0
 +	vpermxor	$tweak, $tweak, $tmp, $in3
 	 lvx_u		$in3,$x30,$inp
 	 sub		$len,$len,$taillen
 	vxor		$twk3,$tweak,$rndkey0
 	vsrab		$tmp,$tweak,$seven	# next tweak value
 	vaddubm		$tweak,$tweak,$tweak
 -	vsldoi		$tmp,$tmp,$tmp,15
 	 le?vperm	$in3,$in3,$in3,$leperm
 	vand		$tmp,$tmp,$eighty7
 	 vxor		$out3,$in3,$twk3
 -	vxor		$tweak,$tweak,$tmp
 +	xxlor		32+$in4, 0, 0
 +	vpermxor	$tweak, $tweak, $tmp, $in4
 	 lvx_u		$in4,$x40,$inp
 	 subi		$len,$len,0x60
 	vxor		$twk4,$tweak,$rndkey0
 	vsrab		$tmp,$tweak,$seven	# next tweak value
 	vaddubm		$tweak,$tweak,$tweak
 -	vsldoi		$tmp,$tmp,$tmp,15
 	 le?vperm	$in4,$in4,$in4,$leperm
 	vand		$tmp,$tmp,$eighty7
 	 vxor		$out4,$in4,$twk4
 -	vxor		$tweak,$tweak,$tmp
 +	xxlor		32+$in5, 0, 0
 +	vpermxor	$tweak, $tweak, $tmp, $in5
 	 lvx_u		$in5,$x50,$inp
 	 addi		$inp,$inp,0x60
 	vxor		$twk5,$tweak,$rndkey0
 	vsrab		$tmp,$tweak,$seven	# next tweak value
 	vaddubm		$tweak,$tweak,$tweak
 -	vsldoi		$tmp,$tmp,$tmp,15
 	 le?vperm	$in5,$in5,$in5,$leperm
 	vand		$tmp,$tmp,$eighty7
 	 vxor		$out5,$in5,$twk5
 -	vxor		$tweak,$tweak,$tmp
 +	xxlor		32+$in0, 0, 0
 +	vpermxor	$tweak, $tweak, $tmp, $in0
 	vxor		v31,v31,$rndkey0
 	mtctr		$rounds
@@ -3242,6 +3281,8 @@ ()
 	lvx		v25,$x10,$key_		# round[4]
 	bdnz		Loop_xts_dec6x
 +	xxlor		32+$eighty7, 1, 1
 +
 	subic		$len,$len,96		# $len-=96
 	 vxor		$in0,$twk0,v31		# xor with last round key
 	vncipher	$out0,$out0,v24
@@ -3251,7 +3292,6 @@ ()
 	 vaddubm	$tweak,$tweak,$tweak
 	vncipher	$out2,$out2,v24
 	vncipher	$out3,$out3,v24
 -	 vsldoi		$tmp,$tmp,$tmp,15
 	vncipher	$out4,$out4,v24
 	vncipher	$out5,$out5,v24
@@ -3259,7 +3299,8 @@ ()
 	 vand		$tmp,$tmp,$eighty7
 	vncipher	$out0,$out0,v25
 	vncipher	$out1,$out1,v25
 -	 vxor		$tweak,$tweak,$tmp
 +	 xxlor		32+$in1, 0, 0
 +	 vpermxor	$tweak, $tweak, $tmp, $in1
 	vncipher	$out2,$out2,v25
 	vncipher	$out3,$out3,v25
 	 vxor		$in1,$twk1,v31
@@ -3270,13 +3311,13 @@ ()
 	and		r0,r0,$len
 	 vaddubm	$tweak,$tweak,$tweak
 -	 vsldoi		$tmp,$tmp,$tmp,15
 	vncipher	$out0,$out0,v26
 	vncipher	$out1,$out1,v26
 	 vand		$tmp,$tmp,$eighty7
 	vncipher	$out2,$out2,v26
 	vncipher	$out3,$out3,v26
 -	 vxor		$tweak,$tweak,$tmp
 +	 xxlor		32+$in2, 0, 0
 +	 vpermxor	$tweak, $tweak, $tmp, $in2
 	vncipher	$out4,$out4,v26
 	vncipher	$out5,$out5,v26
@@ -3290,7 +3331,6 @@ ()
 	 vaddubm	$tweak,$tweak,$tweak
 	vncipher	$out0,$out0,v27
 	vncipher	$out1,$out1,v27
 -	 vsldoi		$tmp,$tmp,$tmp,15
 	vncipher	$out2,$out2,v27
 	vncipher	$out3,$out3,v27
 	 vand		$tmp,$tmp,$eighty7
@@ -3298,7 +3338,8 @@ ()
 	vncipher	$out5,$out5,v27
 	addi		$key_,$sp,$FRAME+15	# rewind $key_
 -	 vxor		$tweak,$tweak,$tmp
 +	 xxlor		32+$in3, 0, 0
 +	 vpermxor	$tweak, $tweak, $tmp, $in3
 	vncipher	$out0,$out0,v28
 	vncipher	$out1,$out1,v28
 	 vxor		$in3,$twk3,v31
@@ -3307,7 +3348,6 @@ ()
 	vncipher	$out2,$out2,v28
 	vncipher	$out3,$out3,v28
 	 vaddubm	$tweak,$tweak,$tweak
 -	 vsldoi		$tmp,$tmp,$tmp,15
 	vncipher	$out4,$out4,v28
 	vncipher	$out5,$out5,v28
 	lvx		v24,$x00,$key_		# re-pre-load round[1]
@@ -3315,7 +3355,8 @@ ()
 	vncipher	$out0,$out0,v29
 	vncipher	$out1,$out1,v29
 -	 vxor		$tweak,$tweak,$tmp
 +	 xxlor		32+$in4, 0, 0
 +	 vpermxor	$tweak, $tweak, $tmp, $in4
 	vncipher	$out2,$out2,v29
 	vncipher	$out3,$out3,v29
 	 vxor		$in4,$twk4,v31
@@ -3325,14 +3366,14 @@ ()
 	vncipher	$out5,$out5,v29
 	lvx		v25,$x10,$key_		# re-pre-load round[2]
 	 vaddubm	$tweak,$tweak,$tweak
 -	 vsldoi		$tmp,$tmp,$tmp,15
 	vncipher	$out0,$out0,v30
 	vncipher	$out1,$out1,v30
 	 vand		$tmp,$tmp,$eighty7
 	vncipher	$out2,$out2,v30
 	vncipher	$out3,$out3,v30
 -	 vxor		$tweak,$tweak,$tmp
 +	 xxlor		32+$in5, 0, 0
 +	 vpermxor	$tweak, $tweak, $tmp, $in5
 	vncipher	$out4,$out4,v30
 	vncipher	$out5,$out5,v30
 	 vxor		$in5,$twk5,v31
@@ -3342,7 +3383,6 @@ ()
 	vncipherlast	$out0,$out0,$in0
 	 lvx_u		$in0,$x00,$inp		# load next input block
 	 vaddubm	$tweak,$tweak,$tweak
 -	 vsldoi		$tmp,$tmp,$tmp,15
 	vncipherlast	$out1,$out1,$in1
 	 lvx_u		$in1,$x10,$inp
 	vncipherlast	$out2,$out2,$in2
@@ -3355,7 +3395,10 @@ ()
 	vncipherlast	$out4,$out4,$in4
 	 le?vperm	$in2,$in2,$in2,$leperm
 	 lvx_u		$in4,$x40,$inp
 -	 vxor		$tweak,$tweak,$tmp
 +	 xxlor		10, 32+$in0, 32+$in0
 +	 xxlor		32+$in0, 0, 0
 +	 vpermxor	$tweak, $tweak, $tmp, $in0
 +	 xxlor		32+$in0, 10, 10
 	vncipherlast	$out5,$out5,$in5
 	 le?vperm	$in3,$in3,$in3,$leperm
 	 lvx_u		$in5,$x50,$inp
@@ -3386,6 +3429,8 @@ ()
 	mtctr		$rounds
 	beq		Loop_xts_dec6x		# did $len-=96 borrow?
 +	xxlor		32+$eighty7, 2, 2
 +
 	addic.		$len,$len,0x60
 	beq		Lxts_dec6x_zero
 	cmpwi		$len,0x20
--- a/openssl-Remove-EC-curves.patch
+++ b/openssl-Remove-EC-curves.patch
@@ -1,267 +0,0 @@
 From 4a275f852b61238161c053774736dc07b3ade200 Mon Sep 17 00:00:00 2001
 From: Dmitry Belyavskiy <dbelyavs@redhat.com>
 Date: Mon, 21 Aug 2023 11:46:40 +0200
 Subject: [PATCH 11/48] 0011-Remove-EC-curves.patch
 Patch-name: 0011-Remove-EC-curves.patch
 Patch-id: 11
 Patch-status: |
    # remove unsupported EC curves
 ---
 apps/speed.c                 |  8 +---
 crypto/evp/ec_support.c      | 87 ------------------------------------
 test/acvp_test.inc           |  9 ----
 test/ecdsatest.h             | 17 -------
 test/recipes/15-test_genec.t | 27 -----------
 5 files changed, 1 insertion(+), 147 deletions(-)
 Index: openssl-3.2.3/apps/speed.c
 ===================================================================
 --- openssl-3.2.3.orig/apps/speed.c
 +++ openssl-3.2.3/apps/speed.c
@@ -401,7 +401,7 @@ static double ffdh_results[FFDH_NUM][1];
 #endif /* OPENSSL_NO_DH */
 enum ec_curves_t {
 -    R_EC_P160, R_EC_P192, R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521,
 +    R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521,
 #ifndef OPENSSL_NO_EC2M
     R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571,
     R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571,
@@ -411,8 +411,6 @@ enum ec_curves_t {
 };
 /* list of ecdsa curves */
 static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = {
 -    {"ecdsap160", R_EC_P160},
 -    {"ecdsap192", R_EC_P192},
     {"ecdsap224", R_EC_P224},
     {"ecdsap256", R_EC_P256},
     {"ecdsap384", R_EC_P384},
@@ -445,8 +443,6 @@ enum {
 };
 /* list of ecdh curves, extension of |ecdsa_choices| list above */
 static const OPT_PAIR ecdh_choices[EC_NUM] = {
 -    {"ecdhp160", R_EC_P160},
 -    {"ecdhp192", R_EC_P192},
     {"ecdhp224", R_EC_P224},
     {"ecdhp256", R_EC_P256},
     {"ecdhp384", R_EC_P384},
@@ -1781,8 +1777,6 @@ int speed_main(int argc, char **argv)
      */
     static const EC_CURVE ec_curves[EC_NUM] = {
         /* Prime Curves */
 -        {"secp160r1", NID_secp160r1, 160},
 -        {"nistp192", NID_X9_62_prime192v1, 192},
         {"nistp224", NID_secp224r1, 224},
         {"nistp256", NID_X9_62_prime256v1, 256},
         {"nistp384", NID_secp384r1, 384},
 Index: openssl-3.2.3/crypto/evp/ec_support.c
 ===================================================================
 --- openssl-3.2.3.orig/crypto/evp/ec_support.c
 +++ openssl-3.2.3/crypto/evp/ec_support.c
@@ -20,89 +20,15 @@ typedef struct ec_name2nid_st {
 static const EC_NAME2NID curve_list[] = {
     /* prime field curves */
     /* secg curves */
 -    {"secp112r1", NID_secp112r1 },
 -    {"secp112r2", NID_secp112r2 },
 -    {"secp128r1", NID_secp128r1 },
 -    {"secp128r2", NID_secp128r2 },
 -    {"secp160k1", NID_secp160k1 },
 -    {"secp160r1", NID_secp160r1 },
 -    {"secp160r2", NID_secp160r2 },
 -    {"secp192k1", NID_secp192k1 },
 -    {"secp224k1", NID_secp224k1 },
     {"secp224r1", NID_secp224r1 },
     {"secp256k1", NID_secp256k1 },
     {"secp384r1", NID_secp384r1 },
     {"secp521r1", NID_secp521r1 },
     /* X9.62 curves */
 -    {"prime192v1", NID_X9_62_prime192v1 },
 -    {"prime192v2", NID_X9_62_prime192v2 },
 -    {"prime192v3", NID_X9_62_prime192v3 },
 -    {"prime239v1", NID_X9_62_prime239v1 },
 -    {"prime239v2", NID_X9_62_prime239v2 },
 -    {"prime239v3", NID_X9_62_prime239v3 },
     {"prime256v1", NID_X9_62_prime256v1 },
     /* characteristic two field curves */
     /* NIST/SECG curves */
 -    {"sect113r1", NID_sect113r1 },
 -    {"sect113r2", NID_sect113r2 },
 -    {"sect131r1", NID_sect131r1 },
 -    {"sect131r2", NID_sect131r2 },
 -    {"sect163k1", NID_sect163k1 },
 -    {"sect163r1", NID_sect163r1 },
 -    {"sect163r2", NID_sect163r2 },
 -    {"sect193r1", NID_sect193r1 },
 -    {"sect193r2", NID_sect193r2 },
 -    {"sect233k1", NID_sect233k1 },
 -    {"sect233r1", NID_sect233r1 },
 -    {"sect239k1", NID_sect239k1 },
 -    {"sect283k1", NID_sect283k1 },
 -    {"sect283r1", NID_sect283r1 },
 -    {"sect409k1", NID_sect409k1 },
 -    {"sect409r1", NID_sect409r1 },
 -    {"sect571k1", NID_sect571k1 },
 -    {"sect571r1", NID_sect571r1 },
 -    /* X9.62 curves */
 -    {"c2pnb163v1", NID_X9_62_c2pnb163v1 },
 -    {"c2pnb163v2", NID_X9_62_c2pnb163v2 },
 -    {"c2pnb163v3", NID_X9_62_c2pnb163v3 },
 -    {"c2pnb176v1", NID_X9_62_c2pnb176v1 },
 -    {"c2tnb191v1", NID_X9_62_c2tnb191v1 },
 -    {"c2tnb191v2", NID_X9_62_c2tnb191v2 },
 -    {"c2tnb191v3", NID_X9_62_c2tnb191v3 },
 -    {"c2pnb208w1", NID_X9_62_c2pnb208w1 },
 -    {"c2tnb239v1", NID_X9_62_c2tnb239v1 },
 -    {"c2tnb239v2", NID_X9_62_c2tnb239v2 },
 -    {"c2tnb239v3", NID_X9_62_c2tnb239v3 },
 -    {"c2pnb272w1", NID_X9_62_c2pnb272w1 },
 -    {"c2pnb304w1", NID_X9_62_c2pnb304w1 },
 -    {"c2tnb359v1", NID_X9_62_c2tnb359v1 },
 -    {"c2pnb368w1", NID_X9_62_c2pnb368w1 },
 -    {"c2tnb431r1", NID_X9_62_c2tnb431r1 },
 -    /*
 -     * the WAP/WTLS curves [unlike SECG, spec has its own OIDs for curves
 -     * from X9.62]
 -     */
 -    {"wap-wsg-idm-ecid-wtls1", NID_wap_wsg_idm_ecid_wtls1 },
 -    {"wap-wsg-idm-ecid-wtls3", NID_wap_wsg_idm_ecid_wtls3 },
 -    {"wap-wsg-idm-ecid-wtls4", NID_wap_wsg_idm_ecid_wtls4 },
 -    {"wap-wsg-idm-ecid-wtls5", NID_wap_wsg_idm_ecid_wtls5 },
 -    {"wap-wsg-idm-ecid-wtls6", NID_wap_wsg_idm_ecid_wtls6 },
 -    {"wap-wsg-idm-ecid-wtls7", NID_wap_wsg_idm_ecid_wtls7 },
 -    {"wap-wsg-idm-ecid-wtls8", NID_wap_wsg_idm_ecid_wtls8 },
 -    {"wap-wsg-idm-ecid-wtls9", NID_wap_wsg_idm_ecid_wtls9 },
 -    {"wap-wsg-idm-ecid-wtls10", NID_wap_wsg_idm_ecid_wtls10 },
 -    {"wap-wsg-idm-ecid-wtls11", NID_wap_wsg_idm_ecid_wtls11 },
 -    {"wap-wsg-idm-ecid-wtls12", NID_wap_wsg_idm_ecid_wtls12 },
 -    /* IPSec curves */
 -    {"Oakley-EC2N-3", NID_ipsec3 },
 -    {"Oakley-EC2N-4", NID_ipsec4 },
     /* brainpool curves */
 -    {"brainpoolP160r1", NID_brainpoolP160r1 },
 -    {"brainpoolP160t1", NID_brainpoolP160t1 },
 -    {"brainpoolP192r1", NID_brainpoolP192r1 },
 -    {"brainpoolP192t1", NID_brainpoolP192t1 },
 -    {"brainpoolP224r1", NID_brainpoolP224r1 },
 -    {"brainpoolP224t1", NID_brainpoolP224t1 },
     {"brainpoolP256r1", NID_brainpoolP256r1 },
     {"brainpoolP256t1", NID_brainpoolP256t1 },
     {"brainpoolP320r1", NID_brainpoolP320r1 },
@@ -150,17 +76,6 @@ int ossl_ec_curve_name2nid(const char *n
 /* Functions to translate between common NIST curve names and NIDs */
 static const EC_NAME2NID nist_curves[] = {
 -    {"B-163", NID_sect163r2},
 -    {"B-233", NID_sect233r1},
 -    {"B-283", NID_sect283r1},
 -    {"B-409", NID_sect409r1},
 -    {"B-571", NID_sect571r1},
 -    {"K-163", NID_sect163k1},
 -    {"K-233", NID_sect233k1},
 -    {"K-283", NID_sect283k1},
 -    {"K-409", NID_sect409k1},
 -    {"K-571", NID_sect571k1},
 -    {"P-192", NID_X9_62_prime192v1},
     {"P-224", NID_secp224r1},
     {"P-256", NID_X9_62_prime256v1},
     {"P-384", NID_secp384r1},
 Index: openssl-3.2.3/test/acvp_test.inc
 ===================================================================
 --- openssl-3.2.3.orig/test/acvp_test.inc
 +++ openssl-3.2.3/test/acvp_test.inc
@@ -212,15 +212,6 @@ static const unsigned char ecdsa_sigver_
 };
 static const struct ecdsa_sigver_st ecdsa_sigver_data[] = {
     {
 -        "SHA-1",
 -        "P-192",
 -        ITM(ecdsa_sigver_msg0),
 -        ITM(ecdsa_sigver_pub0),
 -        ITM(ecdsa_sigver_r0),
 -        ITM(ecdsa_sigver_s0),
 -        PASS,
 -    },
 -    {
         "SHA2-512",
         "P-521",
         ITM(ecdsa_sigver_msg1),
 Index: openssl-3.2.3/test/ecdsatest.h
 ===================================================================
 --- openssl-3.2.3.orig/test/ecdsatest.h
 +++ openssl-3.2.3/test/ecdsatest.h
@@ -32,23 +32,6 @@ typedef struct {
 } ecdsa_cavs_kat_t;
 static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = {
 -    /* prime KATs from X9.62 */
 -    {NID_X9_62_prime192v1, NID_sha1,
 -     "616263",                  /* "abc" */
 -     "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb",
 -     "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e"
 -     "5ca5c0d69716dfcb3474373902",
 -     "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e",
 -     "885052380ff147b734c330c43d39b2c4a89f29b0f749fead",
 -     "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"},
 -    {NID_X9_62_prime239v1, NID_sha1,
 -     "616263",                  /* "abc" */
 -     "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d",
 -     "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e"
 -     "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee",
 -     "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af",
 -     "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0",
 -     "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"},
     /* prime KATs from NIST CAVP */
     {NID_secp224r1, NID_sha224,
      "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
 Index: openssl-3.2.3/test/recipes/15-test_genec.t
 ===================================================================
 --- openssl-3.2.3.orig/test/recipes/15-test_genec.t
 +++ openssl-3.2.3/test/recipes/15-test_genec.t
@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupport
     if disabled("ec");
 my @prime_curves = qw(
 -    secp112r1
 -    secp112r2
 -    secp128r1
 -    secp128r2
 -    secp160k1
 -    secp160r1
 -    secp160r2
 -    secp192k1
 -    secp224k1
     secp224r1
     secp256k1
     secp384r1
     secp521r1
 -    prime192v1
 -    prime192v2
 -    prime192v3
 -    prime239v1
 -    prime239v2
 -    prime239v3
     prime256v1
 -    wap-wsg-idm-ecid-wtls6
 -    wap-wsg-idm-ecid-wtls7
 -    wap-wsg-idm-ecid-wtls8
 -    wap-wsg-idm-ecid-wtls9
 -    wap-wsg-idm-ecid-wtls12
 -    brainpoolP160r1
 -    brainpoolP160t1
 -    brainpoolP192r1
 -    brainpoolP192t1
 -    brainpoolP224r1
 -    brainpoolP224t1
     brainpoolP256r1
     brainpoolP256t1
     brainpoolP320r1
@@ -136,7 +110,6 @@ push(@other_curves, 'SM2')
     if !disabled("sm2");
 my @curve_aliases = qw(
 -    P-192
     P-224
     P-256
     P-384
--- a/openssl-Revert-Improve-FIPS-RSA-keygen-performance.patch
+++ b/openssl-Revert-Improve-FIPS-RSA-keygen-performance.patch
@@ -1,171 +0,0 @@
 Subject: [PATCH] Revert "Improve FIPS RSA keygen performance."
 This reverts commit 3431dd4b3ee7933822586aab62972de4d8c0e9e5.
 ---
 crypto/bn/bn_prime.c         | 11 --------
 crypto/bn/bn_rsa_fips186_4.c | 49 ++++++------------------------------
 include/crypto/bn.h          |  2 --
 3 files changed, 8 insertions(+), 54 deletions(-)
 diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c
 index 79776f1ce5..ddd31a0252 100644
 --- a/crypto/bn/bn_prime.c
 +++ b/crypto/bn/bn_prime.c
@@ -252,17 +252,6 @@ int ossl_bn_check_prime(const BIGNUM *w, int checks, BN_CTX *ctx,
     return bn_is_prime_int(w, checks, ctx, do_trial_division, cb);
 }
 -/*
 - * Use this only for key generation.
 - * It always uses trial division. The number of checks
 - * (MR rounds) passed in is used without being clamped to a minimum value.
 - */
 -int ossl_bn_check_generated_prime(const BIGNUM *w, int checks, BN_CTX *ctx,
 -                                  BN_GENCB *cb)
 -{
 -    return bn_is_prime_int(w, checks, ctx, 1, cb);
 -}
 -
 int BN_check_prime(const BIGNUM *p, BN_CTX *ctx, BN_GENCB *cb)
 {
     return ossl_bn_check_prime(p, 0, ctx, 1, cb);
 diff --git a/crypto/bn/bn_rsa_fips186_4.c b/crypto/bn/bn_rsa_fips186_4.c
 index e9f0d4038c..8a7b2ecf2f 100644
 --- a/crypto/bn/bn_rsa_fips186_4.c
 +++ b/crypto/bn/bn_rsa_fips186_4.c
@@ -48,34 +48,6 @@ const BIGNUM ossl_bn_inv_sqrt_2 = {
     BN_FLG_STATIC_DATA
 };
 -/*
 - * Refer to FIPS 186-5 Table B.1 for minimum rounds of Miller Rabin
 - * required for generation of RSA aux primes (p1, p2, q1 and q2).
 - */
 -static int bn_rsa_fips186_5_aux_prime_MR_rounds(int nbits)
 -{
 -    if (nbits >= 4096)
 -        return 44;
 -    if (nbits >= 3072)
 -        return 41;
 -    if (nbits >= 2048)
 -        return 38;
 -    return 0; /* Error */
 -}
 -
 -/*
 - * Refer to FIPS 186-5 Table B.1 for minimum rounds of Miller Rabin
 - * required for generation of RSA primes (p and q)
 - */
 -static int bn_rsa_fips186_5_prime_MR_rounds(int nbits)
 -{
 -    if (nbits >= 3072)
 -        return 4;
 -    if (nbits >= 2048)
 -        return 5;
 -    return 0; /* Error */
 -}
 -
 /*
  * FIPS 186-5 Table A.1. "Min length of auxiliary primes p1, p2, q1, q2".
  * (FIPS 186-5 has an entry for >= 4096 bits).
@@ -125,13 +97,11 @@ static int bn_rsa_fips186_5_aux_prime_max_sum_size_for_prob_primes(int nbits)
  *     Xp1 The passed in starting point to find a probably prime.
  *     p1 The returned probable prime (first odd integer >= Xp1)
  *     ctx A BN_CTX object.
 - *     rounds The number of Miller Rabin rounds
  *     cb An optional BIGNUM callback.
  * Returns: 1 on success otherwise it returns 0.
  */
 static int bn_rsa_fips186_4_find_aux_prob_prime(const BIGNUM *Xp1,
                                                 BIGNUM *p1, BN_CTX *ctx,
 -                                                int rounds,
                                                 BN_GENCB *cb)
 {
     int ret = 0;
@@ -147,7 +117,7 @@ static int bn_rsa_fips186_4_find_aux_prob_prime(const BIGNUM *Xp1,
         i++;
         BN_GENCB_call(cb, 0, i);
         /* MR test with trial division */
 -        tmp = ossl_bn_check_generated_prime(p1, rounds, ctx, cb);
 +        tmp = BN_check_prime(p1, ctx, cb);
         if (tmp > 0)
             break;
         if (tmp < 0)
@@ -190,7 +160,7 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout,
 {
     int ret = 0;
     BIGNUM *p1i = NULL, *p2i = NULL, *Xp1i = NULL, *Xp2i = NULL;
 -    int bitlen, rounds;
 +    int bitlen;
     if (p == NULL || Xpout == NULL)
         return 0;
@@ -207,7 +177,6 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout,
     bitlen = bn_rsa_fips186_5_aux_prime_min_size(nlen);
     if (bitlen == 0)
         goto err;
 -    rounds = bn_rsa_fips186_5_aux_prime_MR_rounds(nlen);
     /* (Steps 4.1/5.1): Randomly generate Xp1 if it is not passed in */
     if (Xp1 == NULL) {
@@ -225,8 +194,8 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout,
     }
     /* (Steps 4.2/5.2) - find first auxiliary probable primes */
 -    if (!bn_rsa_fips186_4_find_aux_prob_prime(Xp1i, p1i, ctx, rounds, cb)
 -            || !bn_rsa_fips186_4_find_aux_prob_prime(Xp2i, p2i, ctx, rounds, cb))
 +    if (!bn_rsa_fips186_4_find_aux_prob_prime(Xp1i, p1i, ctx, cb)
 +            || !bn_rsa_fips186_4_find_aux_prob_prime(Xp2i, p2i, ctx, cb))
         goto err;
     /* (Table B.1) auxiliary prime Max length check */
     if ((BN_num_bits(p1i) + BN_num_bits(p2i)) >=
@@ -274,11 +243,11 @@ err:
  */
 int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin,
                                        const BIGNUM *r1, const BIGNUM *r2,
 -                                       int nlen, const BIGNUM *e,
 -                                       BN_CTX *ctx, BN_GENCB *cb)
 +                                       int nlen, const BIGNUM *e, BN_CTX *ctx,
 +                                       BN_GENCB *cb)
 {
     int ret = 0;
 -    int i, imax, rounds;
 +    int i, imax;
     int bits = nlen >> 1;
     BIGNUM *tmp, *R, *r1r2x2, *y1, *r1x2;
     BIGNUM *base, *range;
@@ -348,7 +317,6 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin,
      * The number has been updated to 20 * nlen/2 as used in
      * FIPS186-5 Appendix B.9 Step 9.
      */
 -    rounds = bn_rsa_fips186_5_prime_MR_rounds(nlen);
     imax = 20 * bits; /* max = 20/2 * nbits */
     for (;;) {
         if (Xin == NULL) {
@@ -378,9 +346,8 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin,
             if (BN_copy(y1, Y) == NULL
                     || !BN_sub_word(y1, 1))
                 goto err;
 -
             if (BN_are_coprime(y1, e, ctx)) {
 -                int rv = ossl_bn_check_generated_prime(Y, rounds, ctx, cb);
 +                int rv = BN_check_prime(Y, ctx, cb);
                 if (rv > 0)
                     goto end;
 diff --git a/include/crypto/bn.h b/include/crypto/bn.h
 index 4d11e0e4b1..cf69bea848 100644
 --- a/include/crypto/bn.h
 +++ b/include/crypto/bn.h
@@ -95,8 +95,6 @@ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
 int ossl_bn_miller_rabin_is_prime(const BIGNUM *w, int iterations, BN_CTX *ctx,
                                   BN_GENCB *cb, int enhanced, int *status);
 -int ossl_bn_check_generated_prime(const BIGNUM *w, int checks, BN_CTX *ctx,
 -                                  BN_GENCB *cb);
 const BIGNUM *ossl_bn_get0_small_factors(void);
 -- 
 2.44.0
--- a/openssl-crypto-policies-support.patch
+++ b/openssl-crypto-policies-support.patch
@@ -1,35 +0,0 @@
 Add default section to load crypto-policies configuration for TLS.
 It needs to be reverted before running tests.
 ---
 apps/openssl.cnf | 20 ++++++++++++++++++--
 2 files changed, 19 insertions(+), 3 deletions(-)
 Index: openssl-3.2.0/apps/openssl.cnf
 ===================================================================
 --- openssl-3.2.0.orig/apps/openssl.cnf
 +++ openssl-3.2.0/apps/openssl.cnf
@@ -52,6 +52,8 @@ tsa_policy3 = 1.2.3.4.5.7
 [openssl_init]
 providers = provider_sect
 +# Load default TLS policy configuration
 +ssl_conf = ssl_module
 # List of providers to load
 [provider_sect]
@@ -71,6 +73,13 @@ default = default_sect
 [default_sect]
 # activate = 1
 +[ ssl_module ]
 +
 +system_default = crypto_policy
 +
 +[ crypto_policy ]
 +
 +.include = /etc/crypto-policies/back-ends/opensslcnf.config
 ####################################################################
 [ ca ]
--- a/openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
+++ b/openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
--- a/openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch
+++ b/openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch
@@ -1,65 +0,0 @@
 From 3e47a286dc3274bda72a196c3a4030a1fc8302f1 Mon Sep 17 00:00:00 2001
 From: Rohan McLure <rohanmclure@linux.ibm.com>
 Date: Fri, 23 Jun 2023 16:41:48 +1000
 Subject: [PATCH] ec: Use static linkage on nistp521 felem_{square,mul}
 wrappers
 Runtime selection of implementations for felem_{square,mul} depends on
 felem_{square,mul}_wrapper functions, which overwrite function points in
 a similar design to that of .plt.got sections used by program loaders
 during dynamic linking.
 There's no reason why these functions need to have external linkage.
 Mark static.
 Signed-off-by: Rohan McLure <rohanmclure@linux.ibm.com>
 Reviewed-by: Paul Dale <pauli@openssl.org>
 Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
 Reviewed-by: Todd Short <todd.short@me.com>
 (Merged from https://github.com/openssl/openssl/pull/21471)
 ---
 crypto/ec/ecp_nistp521.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
 diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c
 index 97815cac1f13..32a9268ecf17 100644
 --- a/crypto/ec/ecp_nistp521.c
 +++ b/crypto/ec/ecp_nistp521.c
@@ -676,8 +676,8 @@ static void felem_reduce(felem out, const largefelem in)
 }
 #if defined(ECP_NISTP521_ASM)
 -void felem_square_wrapper(largefelem out, const felem in);
 -void felem_mul_wrapper(largefelem out, const felem in1, const felem in2);
 +static void felem_square_wrapper(largefelem out, const felem in);
 +static void felem_mul_wrapper(largefelem out, const felem in1, const felem in2);
 static void (*felem_square_p)(largefelem out, const felem in) =
     felem_square_wrapper;
@@ -691,7 +691,7 @@ void p521_felem_mul(largefelem out, const felem in1, const felem in2);
 #  include "crypto/ppc_arch.h"
 # endif
 -void felem_select(void)
 +static void felem_select(void)
 {
 # if defined(_ARCH_PPC64)
     if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) {
@@ -707,13 +707,13 @@ void felem_select(void)
     felem_mul_p = felem_mul_ref;
 }
 -void felem_square_wrapper(largefelem out, const felem in)
 +static void felem_square_wrapper(largefelem out, const felem in)
 {
     felem_select();
     felem_square_p(out, in);
 }
 -void felem_mul_wrapper(largefelem out, const felem in1, const felem in2)
 +static void felem_mul_wrapper(largefelem out, const felem in1, const felem in2)
 {
     felem_select();
     felem_mul_p(out, in1, in2);
--- a/openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch
+++ b/openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch
@@ -1,428 +0,0 @@
 From 966047ee13188e8634af25af348940acceb9316d Mon Sep 17 00:00:00 2001
 From: Rohan McLure <rohanmclure@linux.ibm.com>
 Date: Wed, 31 May 2023 14:32:26 +1000
 Subject: [PATCH] ec: powerpc64le: Add asm implementation of felem_{square,mul}
 Add an assembly implementation of felem_{square,mul}, which will be
 implemented whenever Altivec support is present and the core implements
 ISA 3.0 (Power 9) or greater.
 Signed-off-by: Rohan McLure <rohanmclure@linux.ibm.com>
 Reviewed-by: Paul Dale <pauli@openssl.org>
 Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
 Reviewed-by: Todd Short <todd.short@me.com>
 (Merged from https://github.com/openssl/openssl/pull/21471)
 ---
 crypto/ec/asm/ecp_nistp384-ppc64.pl | 355 ++++++++++++++++++++++++++++
 crypto/ec/build.info                |   6 +-
 crypto/ec/ecp_nistp384.c            |   9 +
 3 files changed, 368 insertions(+), 2 deletions(-)
 create mode 100755 crypto/ec/asm/ecp_nistp384-ppc64.pl
 diff --git a/crypto/ec/asm/ecp_nistp384-ppc64.pl b/crypto/ec/asm/ecp_nistp384-ppc64.pl
 new file mode 100755
 index 000000000000..3f86b391af69
 --- /dev/null
 +++ b/crypto/ec/asm/ecp_nistp384-ppc64.pl
@@ -0,0 +1,355 @@
 +#! /usr/bin/env perl
 +# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
 +#
 +# Licensed under the Apache License 2.0 (the "License").  You may not use
 +# this file except in compliance with the License.  You can obtain a copy
 +# in the file LICENSE in the source distribution or at
 +# https://www.openssl.org/source/license.html
 +#
 +# ====================================================================
 +# Written by Rohan McLure <rmclure@linux.ibm.com> for the OpenSSL
 +# project.
 +# ====================================================================
 +#
 +# p384 lower-level primitives for PPC64 using vector instructions.
 +#
 +
 +use strict;
 +use warnings;
 +
 +my $flavour = shift;
 +my $output = "";
 +while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {}
 +if (!$output) {
 +    $output = "-";
 +}
 +
 +my ($xlate, $dir);
 +$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 +( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
 +( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
 +die "can't locate ppc-xlate.pl";
 +
 +open OUT,"| \"$^X\" $xlate $flavour $output";
 +*STDOUT=*OUT;
 +
 +my $code = "";
 +
 +my ($sp, $outp, $savelr, $savesp) = ("r1", "r3", "r10", "r12");
 +
 +my $vzero = "v32";
 +
 +sub startproc($)
 +{
 +    my ($name) = @_;
 +
 +    $code.=<<___;
 +    .globl ${name}
 +    .align 5
 +${name}:
 +
 +___
 +}
 +
 +sub endproc($)
 +{
 +    my ($name) = @_;
 +
 +    $code.=<<___;
 +    blr
 +        .size ${name},.-${name}
 +
 +___
 +}
 +
 +
 +sub push_vrs($$)
 +{
 +    my ($min, $max) = @_;
 +
 +    my $count = $max - $min + 1;
 +
 +    $code.=<<___;
 +    mr      $savesp,$sp
 +    stdu        $sp,-16*`$count+1`($sp)
 +
 +___
 +        for (my $i = $min; $i <= $max; $i++) {
 +            my $mult = $max - $i + 1;
 +            $code.=<<___;
 +    stxv        $i,-16*$mult($savesp)
 +___
 +
 +    }
 +
 +    $code.=<<___;
 +
 +___
 +}
 +
 +sub pop_vrs($$)
 +{
 +    my ($min, $max) = @_;
 +
 +    $code.=<<___;
 +    ld      $savesp,0($sp)
 +___
 +    for (my $i = $min; $i <= $max; $i++) {
 +        my $mult = $max - $i + 1;
 +        $code.=<<___;
 +    lxv     $i,-16*$mult($savesp)
 +___
 +    }
 +
 +    $code.=<<___;
 +    mr      $sp,$savesp
 +
 +___
 +}
 +
 +sub load_vrs($$)
 +{
 +    my ($pointer, $reg_list) = @_;
 +
 +    for (my $i = 0; $i <= 6; $i++) {
 +        my $offset = $i * 8;
 +        $code.=<<___;
 +    lxsd        $reg_list->[$i],$offset($pointer)
 +___
 +    }
 +
 +    $code.=<<___;
 +
 +___
 +}
 +
 +sub store_vrs($$)
 +{
 +    my ($pointer, $reg_list) = @_;
 +
 +    for (my $i = 0; $i <= 12; $i++) {
 +        my $offset = $i * 16;
 +        $code.=<<___;
 +    stxv        $reg_list->[$i],$offset($pointer)
 +___
 +    }
 +
 +    $code.=<<___;
 +
 +___
 +}
 +
 +$code.=<<___;
 +.machine    "any"
 +.text
 +
 +___
 +
 +{
 +    # mul/square common
 +    my ($t1, $t2, $t3, $t4) = ("v33", "v34", "v42", "v43");
 +    my ($zero, $one) = ("r8", "r9");
 +    my $out = "v51";
 +
 +    {
 +        #
 +        # p384_felem_mul
 +        #
 +
 +        my ($in1p, $in2p) = ("r4", "r5");
 +        my @in1 = map("v$_",(44..50));
 +        my @in2 = map("v$_",(35..41));
 +
 +        startproc("p384_felem_mul");
 +
 +        push_vrs(52, 63);
 +
 +        $code.=<<___;
 +    vspltisw    $vzero,0
 +
 +___
 +
 +        load_vrs($in1p, \@in1);
 +        load_vrs($in2p, \@in2);
 +
 +        $code.=<<___;
 +    vmsumudm    $out,$in1[0],$in2[0],$vzero
 +    stxv        $out,0($outp)
 +
 +    xxpermdi    $t1,$in1[0],$in1[1],0b00
 +    xxpermdi    $t2,$in2[1],$in2[0],0b00
 +    vmsumudm    $out,$t1,$t2,$vzero
 +    stxv        $out,16($outp)
 +
 +    xxpermdi    $t2,$in2[2],$in2[1],0b00
 +    vmsumudm    $out,$t1,$t2,$vzero
 +    vmsumudm    $out,$in1[2],$in2[0],$out
 +    stxv        $out,32($outp)
 +
 +    xxpermdi    $t2,$in2[1],$in2[0],0b00
 +    xxpermdi    $t3,$in1[2],$in1[3],0b00
 +    xxpermdi    $t4,$in2[3],$in2[2],0b00
 +    vmsumudm    $out,$t1,$t4,$vzero
 +    vmsumudm    $out,$t3,$t2,$out
 +    stxv        $out,48($outp)
 +
 +    xxpermdi    $t2,$in2[4],$in2[3],0b00
 +    xxpermdi    $t4,$in2[2],$in2[1],0b00
 +    vmsumudm    $out,$t1,$t2,$vzero
 +    vmsumudm    $out,$t3,$t4,$out
 +    vmsumudm    $out,$in1[4],$in2[0],$out
 +    stxv        $out,64($outp)
 +
 +    xxpermdi    $t2,$in2[5],$in2[4],0b00
 +    xxpermdi    $t4,$in2[3],$in2[2],0b00
 +    vmsumudm    $out,$t1,$t2,$vzero
 +    vmsumudm    $out,$t3,$t4,$out
 +    xxpermdi    $t4,$in2[1],$in2[0],0b00
 +    xxpermdi    $t1,$in1[4],$in1[5],0b00
 +    vmsumudm    $out,$t1,$t4,$out
 +    stxv        $out,80($outp)
 +
 +    xxpermdi    $t1,$in1[0],$in1[1],0b00
 +    xxpermdi    $t2,$in2[6],$in2[5],0b00
 +    xxpermdi    $t4,$in2[4],$in2[3],0b00
 +    vmsumudm    $out,$t1,$t2,$vzero
 +    vmsumudm    $out,$t3,$t4,$out
 +    xxpermdi    $t2,$in2[2],$in2[1],0b00
 +    xxpermdi    $t1,$in1[4],$in1[5],0b00
 +    vmsumudm    $out,$t1,$t2,$out
 +    vmsumudm    $out,$in1[6],$in2[0],$out
 +    stxv        $out,96($outp)
 +
 +    xxpermdi    $t1,$in1[1],$in1[2],0b00
 +    xxpermdi    $t2,$in2[6],$in2[5],0b00
 +    xxpermdi    $t3,$in1[3],$in1[4],0b00
 +    vmsumudm    $out,$t1,$t2,$vzero
 +    vmsumudm    $out,$t3,$t4,$out
 +    xxpermdi    $t3,$in2[2],$in2[1],0b00
 +    xxpermdi    $t1,$in1[5],$in1[6],0b00
 +    vmsumudm    $out,$t1,$t3,$out
 +    stxv        $out,112($outp)
 +
 +    xxpermdi    $t1,$in1[2],$in1[3],0b00
 +    xxpermdi    $t3,$in1[4],$in1[5],0b00
 +    vmsumudm    $out,$t1,$t2,$vzero
 +    vmsumudm    $out,$t3,$t4,$out
 +    vmsumudm    $out,$in1[6],$in2[2],$out
 +    stxv        $out,128($outp)
 +
 +    xxpermdi    $t1,$in1[3],$in1[4],0b00
 +    vmsumudm    $out,$t1,$t2,$vzero
 +    xxpermdi    $t1,$in1[5],$in1[6],0b00
 +    vmsumudm    $out,$t1,$t4,$out
 +    stxv        $out,144($outp)
 +
 +    vmsumudm    $out,$t3,$t2,$vzero
 +    vmsumudm    $out,$in1[6],$in2[4],$out
 +    stxv        $out,160($outp)
 +
 +    vmsumudm    $out,$t1,$t2,$vzero
 +    stxv        $out,176($outp)
 +
 +    vmsumudm    $out,$in1[6],$in2[6],$vzero
 +    stxv        $out,192($outp)
 +___
 +
 +        endproc("p384_felem_mul");
 +    }
 +
 +    {
 +        #
 +        # p384_felem_square
 +        #
 +
 +        my ($inp) = ("r4");
 +        my @in = map("v$_",(44..50));
 +        my @inx2 = map("v$_",(35..41));
 +
 +        startproc("p384_felem_square");
 +
 +        push_vrs(52, 63);
 +
 +        $code.=<<___;
 +    vspltisw    $vzero,0
 +
 +___
 +
 +        load_vrs($inp, \@in);
 +
 +        $code.=<<___;
 +    li        $zero,0
 +    li        $one,1
 +    mtvsrdd        $t1,$one,$zero
 +___
 +
 +        for (my $i = 0; $i <= 6; $i++) {
 +            $code.=<<___;
 +    vsld        $inx2[$i],$in[$i],$t1
 +___
 +        }
 +
 +        $code.=<<___;
 +    vmsumudm    $out,$in[0],$in[0],$vzero
 +    stxv        $out,0($outp)
 +
 +    vmsumudm    $out,$in[0],$inx2[1],$vzero
 +    stxv        $out,16($outp)
 +
 +    vmsumudm    $out,$in[0],$inx2[2],$vzero
 +    vmsumudm    $out,$in[1],$in[1],$out
 +    stxv        $out,32($outp)
 +
 +    xxpermdi    $t1,$in[0],$in[1],0b00
 +    xxpermdi    $t2,$inx2[3],$inx2[2],0b00
 +    vmsumudm    $out,$t1,$t2,$vzero
 +    stxv        $out,48($outp)
 +
 +    xxpermdi    $t4,$inx2[4],$inx2[3],0b00
 +    vmsumudm    $out,$t1,$t4,$vzero
 +    vmsumudm    $out,$in[2],$in[2],$out
 +    stxv        $out,64($outp)
 +
 +    xxpermdi    $t2,$inx2[5],$inx2[4],0b00
 +    vmsumudm    $out,$t1,$t2,$vzero
 +    vmsumudm    $out,$in[2],$inx2[3],$out
 +    stxv        $out,80($outp)
 +
 +    xxpermdi    $t2,$inx2[6],$inx2[5],0b00
 +    vmsumudm    $out,$t1,$t2,$vzero
 +    vmsumudm    $out,$in[2],$inx2[4],$out
 +    vmsumudm    $out,$in[3],$in[3],$out
 +    stxv        $out,96($outp)
 +
 +    xxpermdi    $t3,$in[1],$in[2],0b00
 +    vmsumudm    $out,$t3,$t2,$vzero
 +    vmsumudm    $out,$in[3],$inx2[4],$out
 +    stxv        $out,112($outp)
 +
 +    xxpermdi    $t1,$in[2],$in[3],0b00
 +    vmsumudm    $out,$t1,$t2,$vzero
 +    vmsumudm    $out,$in[4],$in[4],$out
 +    stxv        $out,128($outp)
 +
 +    xxpermdi    $t1,$in[3],$in[4],0b00
 +    vmsumudm    $out,$t1,$t2,$vzero
 +    stxv        $out,144($outp)
 +
 +    vmsumudm    $out,$in[4],$inx2[6],$vzero
 +    vmsumudm    $out,$in[5],$in[5],$out
 +    stxv        $out,160($outp)
 +
 +    vmsumudm    $out,$in[5],$inx2[6],$vzero
 +    stxv        $out,176($outp)
 +
 +    vmsumudm    $out,$in[6],$in[6],$vzero
 +    stxv        $out,192($outp)
 +___
 +
 +        endproc("p384_felem_square");
 +    }
 +}
 +
 +$code =~ s/\`([^\`]*)\`/eval $1/gem;
 +print $code;
 +close STDOUT or die "error closing STDOUT: $!";
 diff --git a/crypto/ec/build.info b/crypto/ec/build.info
 index 1fa60a1deddd..4077bead7bdb 100644
 --- a/crypto/ec/build.info
 +++ b/crypto/ec/build.info
@@ -39,8 +39,9 @@ IF[{- !$disabled{asm} -}]
   $ECASM_ppc64=ecp_nistz256.c ecp_ppc.c ecp_nistz256-ppc64.s x25519-ppc64.s
   $ECDEF_ppc64=ECP_NISTZ256_ASM X25519_ASM
   IF[{- !$disabled{'ec_nistp_64_gcc_128'} -}]
 -    $ECASM_ppc64=$ECASM_ppc64 ecp_nistp521-ppc64.s
 -    $ECDEF_ppc64=$ECDEF_ppc64 ECP_NISTP521_ASM
 +    $ECASM_ppc64=$ECASM_ppc64 ecp_nistp384-ppc64.s ecp_nistp521-ppc64.s
 +    $ECDEF_ppc64=$ECDEF_ppc64 ECP_NISTP384_ASM ECP_NISTP521_ASM
 +    INCLUDE[ecp_nistp384.o]=..
     INCLUDE[ecp_nistp521.o]=..
   ENDIF
@@ -119,6 +120,7 @@ GENERATE[ecp_nistz256-armv8.S]=asm/ecp_nistz256-armv8.pl
 INCLUDE[ecp_nistz256-armv8.o]=..
 GENERATE[ecp_nistz256-ppc64.s]=asm/ecp_nistz256-ppc64.pl
 +GENERATE[ecp_nistp384-ppc64.s]=asm/ecp_nistp384-ppc64.pl
 GENERATE[ecp_nistp521-ppc64.s]=asm/ecp_nistp521-ppc64.pl
 GENERATE[x25519-x86_64.s]=asm/x25519-x86_64.pl
 diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c
 index a0559487ed4e..14f9530d07c6 100644
 --- a/crypto/ec/ecp_nistp384.c
 +++ b/crypto/ec/ecp_nistp384.c
@@ -691,6 +691,15 @@ void p384_felem_mul(widefelem out, const felem in1, const felem in2);
 static void felem_select(void)
 {
 +# if defined(_ARCH_PPC64)
 +    if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) {
 +        felem_square_p = p384_felem_square;
 +        felem_mul_p = p384_felem_mul;
 +
 +        return;
 +    }
 +# endif
 +
     /* Default */
     felem_square_p = felem_square_ref;
     felem_mul_p = felem_mul_ref;
--- a/openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch
+++ b/openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch
@@ -1,76 +0,0 @@
 From 670e73d9084465384b11ef24802ca4a313e1d2f4 Mon Sep 17 00:00:00 2001
 From: Rohan McLure <rohanmclure@linux.ibm.com>
 Date: Tue, 15 Aug 2023 15:20:20 +1000
 Subject: [PATCH] ecc: Remove extraneous parentheses in secp384r1
 Substitutions in the felem_reduce() method feature unecessary
 parentheses, remove them.
 Signed-off-by: Rohan McLure <rohan.mclure@linux.ibm.com>
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
 Reviewed-by: Hugo Landau <hlandau@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/21749)
 ---
 crypto/ec/ecp_nistp384.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
 diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c
 index 14f9530d07c6..ff68f9cc7ad0 100644
 --- a/crypto/ec/ecp_nistp384.c
 +++ b/crypto/ec/ecp_nistp384.c
@@ -540,7 +540,7 @@ static void felem_reduce(felem out, const widefelem in)
     acc[7] += in[12] >> 8;
     acc[6] += (in[12] & 0xff) << 48;
     acc[6] -= in[12] >> 16;
 -    acc[5] -= ((in[12] & 0xffff) << 40);
 +    acc[5] -= (in[12] & 0xffff) << 40;
     acc[6] += in[12] >> 48;
     acc[5] += (in[12] & 0xffffffffffff) << 8;
@@ -549,7 +549,7 @@ static void felem_reduce(felem out, const widefelem in)
     acc[6] += in[11] >> 8;
     acc[5] += (in[11] & 0xff) << 48;
     acc[5] -= in[11] >> 16;
 -    acc[4] -= ((in[11] & 0xffff) << 40);
 +    acc[4] -= (in[11] & 0xffff) << 40;
     acc[5] += in[11] >> 48;
     acc[4] += (in[11] & 0xffffffffffff) << 8;
@@ -558,7 +558,7 @@ static void felem_reduce(felem out, const widefelem in)
     acc[5] += in[10] >> 8;
     acc[4] += (in[10] & 0xff) << 48;
     acc[4] -= in[10] >> 16;
 -    acc[3] -= ((in[10] & 0xffff) << 40);
 +    acc[3] -= (in[10] & 0xffff) << 40;
     acc[4] += in[10] >> 48;
     acc[3] += (in[10] & 0xffffffffffff) << 8;
@@ -567,7 +567,7 @@ static void felem_reduce(felem out, const widefelem in)
     acc[4] += in[9] >> 8;
     acc[3] += (in[9] & 0xff) << 48;
     acc[3] -= in[9] >> 16;
 -    acc[2] -= ((in[9] & 0xffff) << 40);
 +    acc[2] -= (in[9] & 0xffff) << 40;
     acc[3] += in[9] >> 48;
     acc[2] += (in[9] & 0xffffffffffff) << 8;
@@ -582,7 +582,7 @@ static void felem_reduce(felem out, const widefelem in)
     acc[3] += acc[8] >> 8;
     acc[2] += (acc[8] & 0xff) << 48;
     acc[2] -= acc[8] >> 16;
 -    acc[1] -= ((acc[8] & 0xffff) << 40);
 +    acc[1] -= (acc[8] & 0xffff) << 40;
     acc[2] += acc[8] >> 48;
     acc[1] += (acc[8] & 0xffffffffffff) << 8;
@@ -591,7 +591,7 @@ static void felem_reduce(felem out, const widefelem in)
     acc[2] += acc[7] >> 8;
     acc[1] += (acc[7] & 0xff) << 48;
     acc[1] -= acc[7] >> 16;
 -    acc[0] -= ((acc[7] & 0xffff) << 40);
 +    acc[0] -= (acc[7] & 0xffff) << 40;
     acc[1] += acc[7] >> 48;
     acc[0] += (acc[7] & 0xffffffffffff) << 8;
--- a/openssl-pbkdf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
+++ b/openssl-pbkdf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
@@ -1,75 +0,0 @@
 From 48c763ed9cc889806bc01222382ce6f918a408a2 Mon Sep 17 00:00:00 2001
 From: Dmitry Belyavskiy <dbelyavs@redhat.com>
 Date: Mon, 21 Aug 2023 16:12:33 +0200
 Subject: [PATCH 46/48] 
 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
 Patch-name: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
 Patch-id: 112
 ---
 providers/implementations/kdfs/pbkdf2.c | 40 +++++++++++++++++++++++--
 1 file changed, 37 insertions(+), 3 deletions(-)
 diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
 index 11820d1e69..bae2238ab5 100644
 --- a/providers/implementations/kdfs/pbkdf2.c
 +++ b/providers/implementations/kdfs/pbkdf2.c
@@ -284,11 +284,42 @@ static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *ctx,
 static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[])
 {
 +#ifdef FIPS_MODULE
 +    KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx;
 +#endif /* defined(FIPS_MODULE) */
     OSSL_PARAM *p;
 +    int any_valid = 0; /* set to 1 when at least one parameter was valid */
 +
 +    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
 +        any_valid = 1;
 +
 +        if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
 +            return 0;
 +    }
 +
 +#ifdef FIPS_MODULE
 +    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR))
 +            != NULL) {
 +        int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
 +
 +        /* The lower_bound_checks parameter enables checks required by FIPS. If
 +         * those checks are disabled, the PBKDF2 implementation will also
 +         * support non-approved parameters (e.g., salt lengths < 16 bytes, see
 +         * NIST SP 800-132 section 5.1). */
 +        if (!ctx->lower_bound_checks)
 +            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
 -    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
 -        return OSSL_PARAM_set_size_t(p, SIZE_MAX);
 -    return -2;
 +        if (!OSSL_PARAM_set_int(p, fips_indicator))
 +            return 0;
 +
 +        any_valid = 1;
 +    }
 +#endif /* defined(FIPS_MODULE) */
 +
 +    if (!any_valid)
 +        return -2;
 +
 +    return 1;
 }
 static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
@@ -296,6 +327,9 @@ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
 {
     static const OSSL_PARAM known_gettable_ctx_params[] = {
         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
 +#ifdef FIPS_MODULE
 +        OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, NULL),
 +#endif /* defined(FIPS_MODULE) */
         OSSL_PARAM_END
     };
     return known_gettable_ctx_params;
 -- 
 2.41.0
--- a/openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
+++ b/openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
@@ -1,96 +0,0 @@
 From 50f8b936b00dc18ce1f622a7a6aa46daf03da48b Mon Sep 17 00:00:00 2001
 From: Rohan McLure <rohanmclure@linux.ibm.com>
 Date: Wed, 16 Aug 2023 16:52:47 +1000
 Subject: [PATCH] powerpc: ecc: Fix stack allocation secp384r1 asm
 Assembly acceleration secp384r1 opts to not use any callee-save VSRs, as
 VSX enabled systems make extensive use of renaming, and so writebacks in
 felem_{mul,square}() can be reordered for best cache effects.
 Remove stack allocations. This in turn fixes unmatched push/pops in
 felem_{mul,square}().
 Signed-off-by: Rohan McLure <rohan.mclure@linux.ibm.com>
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
 Reviewed-by: Hugo Landau <hlandau@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/21749)
 ---
 crypto/ec/asm/ecp_nistp384-ppc64.pl | 49 -----------------------------
 1 file changed, 49 deletions(-)
 diff --git a/crypto/ec/asm/ecp_nistp384-ppc64.pl b/crypto/ec/asm/ecp_nistp384-ppc64.pl
 index 3f86b391af69..28f4168e5218 100755
 --- a/crypto/ec/asm/ecp_nistp384-ppc64.pl
 +++ b/crypto/ec/asm/ecp_nistp384-ppc64.pl
@@ -62,51 +62,6 @@ ($)
 ___
 }
 -
 -sub push_vrs($$)
 -{
 -    my ($min, $max) = @_;
 -
 -    my $count = $max - $min + 1;
 -
 -    $code.=<<___;
 -    mr      $savesp,$sp
 -    stdu        $sp,-16*`$count+1`($sp)
 -
 -___
 -        for (my $i = $min; $i <= $max; $i++) {
 -            my $mult = $max - $i + 1;
 -            $code.=<<___;
 -    stxv        $i,-16*$mult($savesp)
 -___
 -
 -    }
 -
 -    $code.=<<___;
 -
 -___
 -}
 -
 -sub pop_vrs($$)
 -{
 -    my ($min, $max) = @_;
 -
 -    $code.=<<___;
 -    ld      $savesp,0($sp)
 -___
 -    for (my $i = $min; $i <= $max; $i++) {
 -        my $mult = $max - $i + 1;
 -        $code.=<<___;
 -    lxv     $i,-16*$mult($savesp)
 -___
 -    }
 -
 -    $code.=<<___;
 -    mr      $sp,$savesp
 -
 -___
 -}
 -
 sub load_vrs($$)
 {
     my ($pointer, $reg_list) = @_;
@@ -162,8 +117,6 @@ ($$)
         startproc("p384_felem_mul");
 -        push_vrs(52, 63);
 -
         $code.=<<___;
     vspltisw    $vzero,0
@@ -268,8 +221,6 @@ ($$)
         startproc("p384_felem_square");
 -        push_vrs(52, 63);
 -
         $code.=<<___;
     vspltisw    $vzero,0
--- a/openssl-rh-allow-sha1-signatures.patch
+++ b/openssl-rh-allow-sha1-signatures.patch
@@ -1,54 +0,0 @@
 Index: openssl-3.5.0/crypto/evp/evp_cnf.c
 ===================================================================
 --- openssl-3.5.0.orig/crypto/evp/evp_cnf.c
 +++ openssl-3.5.0/crypto/evp/evp_cnf.c
@@ -10,6 +10,7 @@
 #include <stdio.h>
 #include <openssl/crypto.h>
 #include "internal/cryptlib.h"
 +#include "internal/sslconf.h"
 #include <openssl/conf.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
@@ -57,6 +58,15 @@ static int alg_module_init(CONF_IMODULE
                 ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
                 return 0;
             }
 +	} else if (strcmp(oval->name, "rh-allow-sha1-signatures") == 0) {
 +            int m;
 +
 +            /* Detailed error already reported. */
 +            if (!X509V3_get_value_bool(oval, &m))
 +                return 0;
 +
 +            /* NO-OP */
 +
         } else {
             ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
                            "name=%s, value=%s", oval->name, oval->value);
 Index: openssl-3.5.0/doc/man5/config.pod
 ===================================================================
 --- openssl-3.5.0.orig/doc/man5/config.pod
 +++ openssl-3.5.0/doc/man5/config.pod
@@ -315,6 +315,21 @@ Within the algorithm properties section,
 The value may be anything that is acceptable as a property query
 string for EVP_set_default_properties().
 +=item B<rh-allow-sha1-signatures> (NOOP)
 +
 +The value is a boolean that can be B<yes> or B<no>.  If the value is not set,
 +it behaves as if it was set to B<yes>.
 +
 +When set to B<no>, any attempt to create or verify a signature with a SHA1
 +digest will fail.  To test whether your software will work with future versions
 +of OpenSSL, set this option to B<no>.  This setting also affects TLS, where
 +signature algorithms that use SHA1 as digest will no longer be supported if
 +this option is set to B<no>.  Because TLS 1.1 or lower use MD5-SHA1 as
 +pseudorandom function (PRF) to derive key material, disabling
 +B<rh-allow-sha1-signatures> requires the use of TLS 1.2 or newer.
 +
 +This option is not implemented in this build.
 +
 =item B<fips_mode> (deprecated)
 The value is a boolean that can be B<yes> or B<no>.  If the value is
--- a/reproducible.patch
+++ b/reproducible.patch
@@ -1,929 +0,0 @@
 commit 0fbc50ef0cb8894973d4739af62e95be825b7ccf
 Author: trigpolynom <trigpolynom@gmail.com>
 Date:   Tue Oct 17 22:44:45 2023 -0400
    aes-gcm-avx512.pl: fix non-reproducibility issue
    Replace the random suffix with a counter, to make the
    build reproducible.
    Fixes #20954
    Reviewed-by: Richard Levitte <levitte@openssl.org>
    Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
    Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
    Reviewed-by: Hugo Landau <hlandau@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/22415)
 diff --git a/crypto/modes/asm/aes-gcm-avx512.pl b/crypto/modes/asm/aes-gcm-avx512.pl
 index afd2af941a..9f9124373b 100644
 --- a/crypto/modes/asm/aes-gcm-avx512.pl
 +++ b/crypto/modes/asm/aes-gcm-avx512.pl
@@ -155,6 +155,9 @@ my $STACK_LOCAL_OFFSET = ($STACK_HKEYS_OFFSET + $HKEYS_STORAGE);
 # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 my ($arg1, $arg2, $arg3, $arg4, $arg5, $arg6, $arg7, $arg8, $arg9, $arg10, $arg11);
 +# ; Counter used for assembly label generation
 +my $label_count = 0;
 +
 # ; This implementation follows the convention: for non-leaf functions (they
 # ; must call PROLOG) %rbp is used as a frame pointer, and has fixed offset from
 # ; the function entry: $GP_STORAGE + [8 bytes alignment (Windows only)].  This
@@ -200,15 +203,6 @@ my $CTX_OFFSET_HTable    = (16 * 6);          #  ; (Htable) Precomputed table (a
 # ;;; Helper functions
 # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 -# ; Generates "random" local labels
 -sub random_string() {
 -  my @chars  = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '_');
 -  my $length = 15;
 -  my $str;
 -  map { $str .= $chars[rand(33)] } 1 .. $length;
 -  return $str;
 -}
 -
 sub BYTE {
   my ($reg) = @_;
   if ($reg =~ /%r[abcd]x/i) {
@@ -417,7 +411,7 @@ ___
 sub EPILOG {
   my ($hkeys_storage_on_stack, $payload_len) = @_;
 -  my $rndsuffix = &random_string();
 +  my $label_suffix = $label_count++;
   if ($hkeys_storage_on_stack && $CLEAR_HKEYS_STORAGE_ON_EXIT) {
@@ -425,13 +419,13 @@ sub EPILOG {
     # ; were stored in the local frame storage
     $code .= <<___;
         cmpq              \$`16*16`,$payload_len
 -        jbe               .Lskip_hkeys_cleanup_${rndsuffix}
 +        jbe               .Lskip_hkeys_cleanup_${label_suffix}
         vpxor             %xmm0,%xmm0,%xmm0
 ___
     for (my $i = 0; $i < int($HKEYS_STORAGE / 64); $i++) {
       $code .= "vmovdqa64         %zmm0,`$STACK_HKEYS_OFFSET + 64*$i`(%rsp)\n";
     }
 -    $code .= ".Lskip_hkeys_cleanup_${rndsuffix}:\n";
 +    $code .= ".Lskip_hkeys_cleanup_${label_suffix}:\n";
   }
   if ($CLEAR_SCRATCH_REGISTERS) {
@@ -537,11 +531,11 @@ sub precompute_hkeys_on_stack {
     && $HKEYS_RANGE ne "first32"
     && $HKEYS_RANGE ne "last32");
 -  my $rndsuffix = &random_string();
 +  my $label_suffix = $label_count++;
   $code .= <<___;
         test              $HKEYS_READY,$HKEYS_READY
 -        jnz               .L_skip_hkeys_precomputation_${rndsuffix}
 +        jnz               .L_skip_hkeys_precomputation_${label_suffix}
 ___
   if ($HKEYS_RANGE eq "first16" || $HKEYS_RANGE eq "first32" || $HKEYS_RANGE eq "all") {
@@ -615,7 +609,7 @@ ___
     }
   }
 -  $code .= ".L_skip_hkeys_precomputation_${rndsuffix}:\n";
 +  $code .= ".L_skip_hkeys_precomputation_${label_suffix}:\n";
 }
 # ;; =============================================================================
@@ -1418,20 +1412,20 @@ sub CALC_AAD_HASH {
   my $SHFMSK = $ZT13;
 -  my $rndsuffix = &random_string();
 +  my $label_suffix = $label_count++;
   $code .= <<___;
         mov               $A_IN,$T1      # ; T1 = AAD
         mov               $A_LEN,$T2     # ; T2 = aadLen
         or                $T2,$T2
 -        jz                .L_CALC_AAD_done_${rndsuffix}
 +        jz                .L_CALC_AAD_done_${label_suffix}
         xor               $HKEYS_READY,$HKEYS_READY
         vmovdqa64         SHUF_MASK(%rip),$SHFMSK
 -.L_get_AAD_loop48x16_${rndsuffix}:
 +.L_get_AAD_loop48x16_${label_suffix}:
         cmp               \$`(48*16)`,$T2
 -        jl                .L_exit_AAD_loop48x16_${rndsuffix}
 +        jl                .L_exit_AAD_loop48x16_${label_suffix}
 ___
   $code .= <<___;
@@ -1499,15 +1493,15 @@ ___
   $code .= <<___;
         sub               \$`(48*16)`,$T2
 -        je                .L_CALC_AAD_done_${rndsuffix}
 +        je                .L_CALC_AAD_done_${label_suffix}
         add               \$`(48*16)`,$T1
 -        jmp               .L_get_AAD_loop48x16_${rndsuffix}
 +        jmp               .L_get_AAD_loop48x16_${label_suffix}
 -.L_exit_AAD_loop48x16_${rndsuffix}:
 +.L_exit_AAD_loop48x16_${label_suffix}:
         # ; Less than 48x16 bytes remaining
         cmp               \$`(32*16)`,$T2
 -        jl                .L_less_than_32x16_${rndsuffix}
 +        jl                .L_less_than_32x16_${label_suffix}
 ___
   $code .= <<___;
@@ -1556,14 +1550,14 @@ ___
   $code .= <<___;
         sub               \$`(32*16)`,$T2
 -        je                .L_CALC_AAD_done_${rndsuffix}
 +        je                .L_CALC_AAD_done_${label_suffix}
         add               \$`(32*16)`,$T1
 -        jmp               .L_less_than_16x16_${rndsuffix}
 +        jmp               .L_less_than_16x16_${label_suffix}
 -.L_less_than_32x16_${rndsuffix}:
 +.L_less_than_32x16_${label_suffix}:
         cmp               \$`(16*16)`,$T2
 -        jl                .L_less_than_16x16_${rndsuffix}
 +        jl                .L_less_than_16x16_${label_suffix}
         # ; Get next 16 blocks
         vmovdqu64         `64*0`($T1),$ZT1
         vmovdqu64         `64*1`($T1),$ZT2
@@ -1588,11 +1582,11 @@ ___
   $code .= <<___;
         sub               \$`(16*16)`,$T2
 -        je                .L_CALC_AAD_done_${rndsuffix}
 +        je                .L_CALC_AAD_done_${label_suffix}
         add               \$`(16*16)`,$T1
         # ; Less than 16x16 bytes remaining
 -.L_less_than_16x16_${rndsuffix}:
 +.L_less_than_16x16_${label_suffix}:
         # ;; prep mask source address
         lea               byte64_len_to_mask_table(%rip),$T3
         lea               ($T3,$T2,8),$T3
@@ -1601,28 +1595,28 @@ ___
         add               \$15,@{[DWORD($T2)]}
         shr               \$4,@{[DWORD($T2)]}
         cmp               \$2,@{[DWORD($T2)]}
 -        jb                .L_AAD_blocks_1_${rndsuffix}
 -        je                .L_AAD_blocks_2_${rndsuffix}
 +        jb                .L_AAD_blocks_1_${label_suffix}
 +        je                .L_AAD_blocks_2_${label_suffix}
         cmp               \$4,@{[DWORD($T2)]}
 -        jb                .L_AAD_blocks_3_${rndsuffix}
 -        je                .L_AAD_blocks_4_${rndsuffix}
 +        jb                .L_AAD_blocks_3_${label_suffix}
 +        je                .L_AAD_blocks_4_${label_suffix}
         cmp               \$6,@{[DWORD($T2)]}
 -        jb                .L_AAD_blocks_5_${rndsuffix}
 -        je                .L_AAD_blocks_6_${rndsuffix}
 +        jb                .L_AAD_blocks_5_${label_suffix}
 +        je                .L_AAD_blocks_6_${label_suffix}
         cmp               \$8,@{[DWORD($T2)]}
 -        jb                .L_AAD_blocks_7_${rndsuffix}
 -        je                .L_AAD_blocks_8_${rndsuffix}
 +        jb                .L_AAD_blocks_7_${label_suffix}
 +        je                .L_AAD_blocks_8_${label_suffix}
         cmp               \$10,@{[DWORD($T2)]}
 -        jb                .L_AAD_blocks_9_${rndsuffix}
 -        je                .L_AAD_blocks_10_${rndsuffix}
 +        jb                .L_AAD_blocks_9_${label_suffix}
 +        je                .L_AAD_blocks_10_${label_suffix}
         cmp               \$12,@{[DWORD($T2)]}
 -        jb                .L_AAD_blocks_11_${rndsuffix}
 -        je                .L_AAD_blocks_12_${rndsuffix}
 +        jb                .L_AAD_blocks_11_${label_suffix}
 +        je                .L_AAD_blocks_12_${label_suffix}
         cmp               \$14,@{[DWORD($T2)]}
 -        jb                .L_AAD_blocks_13_${rndsuffix}
 -        je                .L_AAD_blocks_14_${rndsuffix}
 +        jb                .L_AAD_blocks_13_${label_suffix}
 +        je                .L_AAD_blocks_14_${label_suffix}
         cmp               \$15,@{[DWORD($T2)]}
 -        je                .L_AAD_blocks_15_${rndsuffix}
 +        je                .L_AAD_blocks_15_${label_suffix}
 ___
   # ;; fall through for 16 blocks
@@ -1635,7 +1629,7 @@ ___
   # ;; - jump to reduction code
   for (my $aad_blocks = 16; $aad_blocks > 0; $aad_blocks--) {
 -    $code .= ".L_AAD_blocks_${aad_blocks}_${rndsuffix}:\n";
 +    $code .= ".L_AAD_blocks_${aad_blocks}_${label_suffix}:\n";
     if ($aad_blocks > 12) {
       $code .= "sub               \$`12*16*8`, $T3\n";
     } elsif ($aad_blocks > 8) {
@@ -1656,11 +1650,11 @@ ___
     if ($aad_blocks > 1) {
       # ;; fall through to CALC_AAD_done in 1 block case
 -      $code .= "jmp           .L_CALC_AAD_done_${rndsuffix}\n";
 +      $code .= "jmp           .L_CALC_AAD_done_${label_suffix}\n";
     }
   }
 -  $code .= ".L_CALC_AAD_done_${rndsuffix}:\n";
 +  $code .= ".L_CALC_AAD_done_${label_suffix}:\n";
   # ;; result in AAD_HASH
 }
@@ -1710,13 +1704,13 @@ sub PARTIAL_BLOCK {
   my $IA1    = $GPTMP2;
   my $IA2    = $GPTMP0;
 -  my $rndsuffix = &random_string();
 +  my $label_suffix = $label_count++;
   $code .= <<___;
         # ;; if no partial block present then LENGTH/DATA_OFFSET will be set to zero
         mov             ($PBLOCK_LEN),$LENGTH
         or              $LENGTH,$LENGTH
 -        je              .L_partial_block_done_${rndsuffix}         #  ;Leave Macro if no partial blocks
 +        je              .L_partial_block_done_${label_suffix}         #  ;Leave Macro if no partial blocks
 ___
   &READ_SMALL_DATA_INPUT($XTMP0, $PLAIN_CIPH_IN, $PLAIN_CIPH_LEN, $IA0, $IA2, $MASKREG);
@@ -1755,9 +1749,9 @@ ___
   }
   $code .= <<___;
         sub               \$16,$IA1
 -        jge               .L_no_extra_mask_${rndsuffix}
 +        jge               .L_no_extra_mask_${label_suffix}
         sub               $IA1,$IA0
 -.L_no_extra_mask_${rndsuffix}:
 +.L_no_extra_mask_${label_suffix}:
         # ;; get the appropriate mask to mask out bottom $LENGTH bytes of $XTMP1
         # ;; - mask out bottom $LENGTH bytes of $XTMP1
         # ;; sizeof(SHIFT_MASK) == 16 bytes
@@ -1781,7 +1775,7 @@ ___
   }
   $code .= <<___;
         cmp               \$0,$IA1
 -        jl                .L_partial_incomplete_${rndsuffix}
 +        jl                .L_partial_incomplete_${label_suffix}
 ___
   # ;; GHASH computation for the last <16 Byte block
@@ -1793,9 +1787,9 @@ ___
         mov               $LENGTH,$IA0
         mov               \$16,$LENGTH
         sub               $IA0,$LENGTH
 -        jmp               .L_enc_dec_done_${rndsuffix}
 +        jmp               .L_enc_dec_done_${label_suffix}
 -.L_partial_incomplete_${rndsuffix}:
 +.L_partial_incomplete_${label_suffix}:
 ___
   if ($win64) {
     $code .= <<___;
@@ -1808,7 +1802,7 @@ ___
   $code .= <<___;
         mov               $PLAIN_CIPH_LEN,$LENGTH
 -.L_enc_dec_done_${rndsuffix}:
 +.L_enc_dec_done_${label_suffix}:
         # ;; output encrypted Bytes
         lea               byte_len_to_mask_table(%rip),$IA0
@@ -1826,7 +1820,7 @@ ___
   $code .= <<___;
         mov               $CIPH_PLAIN_OUT,$IA0
         vmovdqu8          $XTMP1,($IA0){$MASKREG}
 -.L_partial_block_done_${rndsuffix}:
 +.L_partial_block_done_${label_suffix}:
 ___
 }
@@ -2016,7 +2010,7 @@ sub INITIAL_BLOCKS_PARTIAL_GHASH {
   my $GM              = $_[23];    # [in] ZMM with mid prodcut part
   my $GL              = $_[24];    # [in] ZMM with lo product part
 -  my $rndsuffix = &random_string();
 +  my $label_suffix = $label_count++;
   # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
   # ;;; - Hash all but the last partial block of data
@@ -2034,7 +2028,7 @@ sub INITIAL_BLOCKS_PARTIAL_GHASH {
         # ;; NOTE: the 'jl' is always taken for num_initial_blocks = 16.
         # ;;      This is run in the context of GCM_ENC_DEC_SMALL for length < 256.
         cmp               \$16,$LENGTH
 -        jl                .L_small_initial_partial_block_${rndsuffix}
 +        jl                .L_small_initial_partial_block_${label_suffix}
         # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
         # ;;; Handle a full length final block - encrypt and hash all blocks
@@ -2056,11 +2050,11 @@ ___
       &GHASH_1_TO_16($GCM128_CTX, $HASH_IN_OUT, $ZT0, $ZT1, $ZT2, $ZT3, $ZT4,
         $ZT5, $ZT6, $ZT7, $ZT8, &ZWORD($HASH_IN_OUT), $DAT0, $DAT1, $DAT2, $DAT3, $NUM_BLOCKS, $GH, $GM, $GL);
     }
 -    $code .= "jmp           .L_small_initial_compute_done_${rndsuffix}\n";
 +    $code .= "jmp           .L_small_initial_compute_done_${label_suffix}\n";
   }
   $code .= <<___;
 -.L_small_initial_partial_block_${rndsuffix}:
 +.L_small_initial_partial_block_${label_suffix}:
         # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
         # ;;; Handle ghash for a <16B final block
@@ -2125,7 +2119,7 @@ ___
         # ;; a partial block of data, so xor that into the hash.
         vpxorq            $LAST_GHASH_BLK,$HASH_IN_OUT,$HASH_IN_OUT
         # ;; The result is in $HASH_IN_OUT
 -        jmp               .L_after_reduction_${rndsuffix}
 +        jmp               .L_after_reduction_${label_suffix}
 ___
   }
@@ -2133,7 +2127,7 @@ ___
   # ;;; After GHASH reduction
   # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 -  $code .= ".L_small_initial_compute_done_${rndsuffix}:\n";
 +  $code .= ".L_small_initial_compute_done_${label_suffix}:\n";
   # ;; If using init/update/finalize, we need to xor any partial block data
   # ;; into the hash.
@@ -2144,13 +2138,13 @@ ___
       $code .= <<___;
         # ;; NOTE: for $NUM_BLOCKS = 16, $LENGTH, stored in [PBlockLen] is never zero
         or                $LENGTH,$LENGTH
 -        je                .L_after_reduction_${rndsuffix}
 +        je                .L_after_reduction_${label_suffix}
 ___
     }
     $code .= "vpxorq            $LAST_GHASH_BLK,$HASH_IN_OUT,$HASH_IN_OUT\n";
   }
 -  $code .= ".L_after_reduction_${rndsuffix}:\n";
 +  $code .= ".L_after_reduction_${label_suffix}:\n";
   # ;; Final hash is now in HASH_IN_OUT
 }
@@ -2266,7 +2260,7 @@ sub GHASH_16_ENCRYPT_N_GHASH_N {
   die "GHASH_16_ENCRYPT_N_GHASH_N: num_blocks is out of bounds = $NUM_BLOCKS\n"
     if ($NUM_BLOCKS > 16 || $NUM_BLOCKS < 0);
 -  my $rndsuffix = &random_string();
 +  my $label_suffix = $label_count++;
   my $GH1H = $HASH_IN_OUT;
@@ -2326,16 +2320,16 @@ ___
   $code .= <<___;
         cmp               \$`(256 - $NUM_BLOCKS)`,@{[DWORD($CTR_CHECK)]}
 -        jae               .L_16_blocks_overflow_${rndsuffix}
 +        jae               .L_16_blocks_overflow_${label_suffix}
 ___
   &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
     $NUM_BLOCKS, "vpaddd", $B00_03, $B04_07,     $B08_11,    $B12_15,    $CTR_BE,
     $B00_03,     $B04_07,  $B08_11, $ADDBE_1234, $ADDBE_4x4, $ADDBE_4x4, $ADDBE_4x4);
   $code .= <<___;
 -        jmp               .L_16_blocks_ok_${rndsuffix}
 +        jmp               .L_16_blocks_ok_${label_suffix}
 -.L_16_blocks_overflow_${rndsuffix}:
 +.L_16_blocks_overflow_${label_suffix}:
         vpshufb           $SHFMSK,$CTR_BE,$CTR_BE
         vpaddd            ddq_add_1234(%rip),$CTR_BE,$B00_03
 ___
@@ -2355,7 +2349,7 @@ ___
     $NUM_BLOCKS, "vpshufb", $B00_03, $B04_07, $B08_11, $B12_15, $B00_03,
     $B04_07,     $B08_11,   $B12_15, $SHFMSK, $SHFMSK, $SHFMSK, $SHFMSK);
   $code .= <<___;
 -.L_16_blocks_ok_${rndsuffix}:
 +.L_16_blocks_ok_${label_suffix}:
         # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
         # ;; - pre-load constants
@@ -2805,53 +2799,53 @@ sub GCM_ENC_DEC_LAST {
   my $MASKREG            = $_[44];    # [clobbered] mask register
   my $PBLOCK_LEN         = $_[45];    # [in] partial block length
 -  my $rndsuffix = &random_string();
 +  my $label_suffix = $label_count++;
   $code .= <<___;
         mov               @{[DWORD($LENGTH)]},@{[DWORD($IA0)]}
         add               \$15,@{[DWORD($IA0)]}
         shr               \$4,@{[DWORD($IA0)]}
 -        je                .L_last_num_blocks_is_0_${rndsuffix}
 +        je                .L_last_num_blocks_is_0_${label_suffix}
         cmp               \$8,@{[DWORD($IA0)]}
 -        je                .L_last_num_blocks_is_8_${rndsuffix}
 -        jb                .L_last_num_blocks_is_7_1_${rndsuffix}
 +        je                .L_last_num_blocks_is_8_${label_suffix}
 +        jb                .L_last_num_blocks_is_7_1_${label_suffix}
         cmp               \$12,@{[DWORD($IA0)]}
 -        je                .L_last_num_blocks_is_12_${rndsuffix}
 -        jb                .L_last_num_blocks_is_11_9_${rndsuffix}
 +        je                .L_last_num_blocks_is_12_${label_suffix}
 +        jb                .L_last_num_blocks_is_11_9_${label_suffix}
         # ;; 16, 15, 14 or 13
         cmp               \$15,@{[DWORD($IA0)]}
 -        je                .L_last_num_blocks_is_15_${rndsuffix}
 -        ja                .L_last_num_blocks_is_16_${rndsuffix}
 +        je                .L_last_num_blocks_is_15_${label_suffix}
 +        ja                .L_last_num_blocks_is_16_${label_suffix}
         cmp               \$14,@{[DWORD($IA0)]}
 -        je                .L_last_num_blocks_is_14_${rndsuffix}
 -        jmp               .L_last_num_blocks_is_13_${rndsuffix}
 +        je                .L_last_num_blocks_is_14_${label_suffix}
 +        jmp               .L_last_num_blocks_is_13_${label_suffix}
 -.L_last_num_blocks_is_11_9_${rndsuffix}:
 +.L_last_num_blocks_is_11_9_${label_suffix}:
         # ;; 11, 10 or 9
         cmp               \$10,@{[DWORD($IA0)]}
 -        je                .L_last_num_blocks_is_10_${rndsuffix}
 -        ja                .L_last_num_blocks_is_11_${rndsuffix}
 -        jmp               .L_last_num_blocks_is_9_${rndsuffix}
 +        je                .L_last_num_blocks_is_10_${label_suffix}
 +        ja                .L_last_num_blocks_is_11_${label_suffix}
 +        jmp               .L_last_num_blocks_is_9_${label_suffix}
 -.L_last_num_blocks_is_7_1_${rndsuffix}:
 +.L_last_num_blocks_is_7_1_${label_suffix}:
         cmp               \$4,@{[DWORD($IA0)]}
 -        je                .L_last_num_blocks_is_4_${rndsuffix}
 -        jb                .L_last_num_blocks_is_3_1_${rndsuffix}
 +        je                .L_last_num_blocks_is_4_${label_suffix}
 +        jb                .L_last_num_blocks_is_3_1_${label_suffix}
         # ;; 7, 6 or 5
         cmp               \$6,@{[DWORD($IA0)]}
 -        ja                .L_last_num_blocks_is_7_${rndsuffix}
 -        je                .L_last_num_blocks_is_6_${rndsuffix}
 -        jmp               .L_last_num_blocks_is_5_${rndsuffix}
 +        ja                .L_last_num_blocks_is_7_${label_suffix}
 +        je                .L_last_num_blocks_is_6_${label_suffix}
 +        jmp               .L_last_num_blocks_is_5_${label_suffix}
 -.L_last_num_blocks_is_3_1_${rndsuffix}:
 +.L_last_num_blocks_is_3_1_${label_suffix}:
         # ;; 3, 2 or 1
         cmp               \$2,@{[DWORD($IA0)]}
 -        ja                .L_last_num_blocks_is_3_${rndsuffix}
 -        je                .L_last_num_blocks_is_2_${rndsuffix}
 +        ja                .L_last_num_blocks_is_3_${label_suffix}
 +        je                .L_last_num_blocks_is_2_${label_suffix}
 ___
   # ;; fall through for `jmp .L_last_num_blocks_is_1`
@@ -2859,7 +2853,7 @@ ___
   # ;; Use rep to generate different block size variants
   # ;; - one block size has to be the first one
   for my $num_blocks (1 .. 16) {
 -    $code .= ".L_last_num_blocks_is_${num_blocks}_${rndsuffix}:\n";
 +    $code .= ".L_last_num_blocks_is_${num_blocks}_${label_suffix}:\n";
     &GHASH_16_ENCRYPT_N_GHASH_N(
       $AES_KEYS,   $GCM128_CTX,  $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN,  $DATA_OFFSET,
       $LENGTH,     $CTR_BE,      $CTR_CHECK,      $HASHKEY_OFFSET, $GHASHIN_BLK_OFFSET,
@@ -2872,10 +2866,10 @@ ___
       $ENC_DEC,    $HASH_IN_OUT, $IA0,            $IA1,            $MASKREG,
       $num_blocks, $PBLOCK_LEN);
 -    $code .= "jmp           .L_last_blocks_done_${rndsuffix}\n";
 +    $code .= "jmp           .L_last_blocks_done_${label_suffix}\n";
   }
 -  $code .= ".L_last_num_blocks_is_0_${rndsuffix}:\n";
 +  $code .= ".L_last_num_blocks_is_0_${label_suffix}:\n";
   # ;; if there is 0 blocks to cipher then there are only 16 blocks for ghash and reduction
   # ;; - convert mid into end_reduce
@@ -2891,7 +2885,7 @@ ___
     $GHASHIN_BLK_OFFSET, 0, "%rsp", $HASHKEY_OFFSET, 0, $HASH_IN_OUT, $ZT00, $ZT01,
     $ZT02, $ZT03, $ZT04, $ZT05, $ZT06, $ZT07, $ZT08, $ZT09);
 -  $code .= ".L_last_blocks_done_${rndsuffix}:\n";
 +  $code .= ".L_last_blocks_done_${label_suffix}:\n";
 }
 # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -2985,20 +2979,20 @@ sub GHASH_16_ENCRYPT_16_PARALLEL {
   my $GHDAT1 = $ZT21;
   my $GHDAT2 = $ZT22;
 -  my $rndsuffix = &random_string();
 +  my $label_suffix = $label_count++;
   # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
   # ;; prepare counter blocks
   $code .= <<___;
         cmpb              \$`(256 - 16)`,@{[BYTE($CTR_CHECK)]}
 -        jae               .L_16_blocks_overflow_${rndsuffix}
 +        jae               .L_16_blocks_overflow_${label_suffix}
         vpaddd            $ADDBE_1234,$CTR_BE,$B00_03
         vpaddd            $ADDBE_4x4,$B00_03,$B04_07
         vpaddd            $ADDBE_4x4,$B04_07,$B08_11
         vpaddd            $ADDBE_4x4,$B08_11,$B12_15
 -        jmp               .L_16_blocks_ok_${rndsuffix}
 -.L_16_blocks_overflow_${rndsuffix}:
 +        jmp               .L_16_blocks_ok_${label_suffix}
 +.L_16_blocks_overflow_${label_suffix}:
         vpshufb           $SHFMSK,$CTR_BE,$CTR_BE
         vmovdqa64         ddq_add_4444(%rip),$B12_15
         vpaddd            ddq_add_1234(%rip),$CTR_BE,$B00_03
@@ -3009,7 +3003,7 @@ sub GHASH_16_ENCRYPT_16_PARALLEL {
         vpshufb           $SHFMSK,$B04_07,$B04_07
         vpshufb           $SHFMSK,$B08_11,$B08_11
         vpshufb           $SHFMSK,$B12_15,$B12_15
 -.L_16_blocks_ok_${rndsuffix}:
 +.L_16_blocks_ok_${label_suffix}:
 ___
   # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -3338,25 +3332,25 @@ sub ENCRYPT_SINGLE_BLOCK {
   my $XMM0    = $_[1];    # ; [in/out]
   my $GPR1    = $_[2];    # ; [clobbered]
 -  my $rndsuffix = &random_string();
 +  my $label_suffix = $label_count++;
   $code .= <<___;
         # ; load number of rounds from AES_KEY structure (offset in bytes is
         # ; size of the |rd_key| buffer)
         mov             `4*15*4`($AES_KEY),@{[DWORD($GPR1)]}
         cmp             \$9,@{[DWORD($GPR1)]}
 -        je              .Laes_128_${rndsuffix}
 +        je              .Laes_128_${label_suffix}
         cmp             \$11,@{[DWORD($GPR1)]}
 -        je              .Laes_192_${rndsuffix}
 +        je              .Laes_192_${label_suffix}
         cmp             \$13,@{[DWORD($GPR1)]}
 -        je              .Laes_256_${rndsuffix}
 -        jmp             .Lexit_aes_${rndsuffix}
 +        je              .Laes_256_${label_suffix}
 +        jmp             .Lexit_aes_${label_suffix}
 ___
   for my $keylen (sort keys %aes_rounds) {
     my $nr = $aes_rounds{$keylen};
     $code .= <<___;
 .align 32
 -.Laes_${keylen}_${rndsuffix}:
 +.Laes_${keylen}_${label_suffix}:
 ___
     $code .= "vpxorq          `16*0`($AES_KEY),$XMM0, $XMM0\n\n";
     for (my $i = 1; $i <= $nr; $i++) {
@@ -3364,10 +3358,10 @@ ___
     }
     $code .= <<___;
         vaesenclast     `16*($nr+1)`($AES_KEY),$XMM0,$XMM0
 -        jmp .Lexit_aes_${rndsuffix}
 +        jmp .Lexit_aes_${label_suffix}
 ___
   }
 -  $code .= ".Lexit_aes_${rndsuffix}:\n\n";
 +  $code .= ".Lexit_aes_${label_suffix}:\n\n";
 }
 sub CALC_J0 {
@@ -3562,52 +3556,52 @@ sub GCM_ENC_DEC_SMALL {
   my $SHUFMASK       = $_[29];    # [in] ZMM with BE/LE shuffle mask
   my $PBLOCK_LEN     = $_[30];    # [in] partial block length
 -  my $rndsuffix = &random_string();
 +  my $label_suffix = $label_count++;
   $code .= <<___;
         cmp               \$8,$NUM_BLOCKS
 -        je                .L_small_initial_num_blocks_is_8_${rndsuffix}
 -        jl                .L_small_initial_num_blocks_is_7_1_${rndsuffix}
 +        je                .L_small_initial_num_blocks_is_8_${label_suffix}
 +        jl                .L_small_initial_num_blocks_is_7_1_${label_suffix}
         cmp               \$12,$NUM_BLOCKS
 -        je                .L_small_initial_num_blocks_is_12_${rndsuffix}
 -        jl                .L_small_initial_num_blocks_is_11_9_${rndsuffix}
 +        je                .L_small_initial_num_blocks_is_12_${label_suffix}
 +        jl                .L_small_initial_num_blocks_is_11_9_${label_suffix}
         # ;; 16, 15, 14 or 13
         cmp               \$16,$NUM_BLOCKS
 -        je                .L_small_initial_num_blocks_is_16_${rndsuffix}
 +        je                .L_small_initial_num_blocks_is_16_${label_suffix}
         cmp               \$15,$NUM_BLOCKS
 -        je                .L_small_initial_num_blocks_is_15_${rndsuffix}
 +        je                .L_small_initial_num_blocks_is_15_${label_suffix}
         cmp               \$14,$NUM_BLOCKS
 -        je                .L_small_initial_num_blocks_is_14_${rndsuffix}
 -        jmp               .L_small_initial_num_blocks_is_13_${rndsuffix}
 +        je                .L_small_initial_num_blocks_is_14_${label_suffix}
 +        jmp               .L_small_initial_num_blocks_is_13_${label_suffix}
 -.L_small_initial_num_blocks_is_11_9_${rndsuffix}:
 +.L_small_initial_num_blocks_is_11_9_${label_suffix}:
         # ;; 11, 10 or 9
         cmp               \$11,$NUM_BLOCKS
 -        je                .L_small_initial_num_blocks_is_11_${rndsuffix}
 +        je                .L_small_initial_num_blocks_is_11_${label_suffix}
         cmp               \$10,$NUM_BLOCKS
 -        je                .L_small_initial_num_blocks_is_10_${rndsuffix}
 -        jmp               .L_small_initial_num_blocks_is_9_${rndsuffix}
 +        je                .L_small_initial_num_blocks_is_10_${label_suffix}
 +        jmp               .L_small_initial_num_blocks_is_9_${label_suffix}
 -.L_small_initial_num_blocks_is_7_1_${rndsuffix}:
 +.L_small_initial_num_blocks_is_7_1_${label_suffix}:
         cmp               \$4,$NUM_BLOCKS
 -        je                .L_small_initial_num_blocks_is_4_${rndsuffix}
 -        jl                .L_small_initial_num_blocks_is_3_1_${rndsuffix}
 +        je                .L_small_initial_num_blocks_is_4_${label_suffix}
 +        jl                .L_small_initial_num_blocks_is_3_1_${label_suffix}
         # ;; 7, 6 or 5
         cmp               \$7,$NUM_BLOCKS
 -        je                .L_small_initial_num_blocks_is_7_${rndsuffix}
 +        je                .L_small_initial_num_blocks_is_7_${label_suffix}
         cmp               \$6,$NUM_BLOCKS
 -        je                .L_small_initial_num_blocks_is_6_${rndsuffix}
 -        jmp               .L_small_initial_num_blocks_is_5_${rndsuffix}
 +        je                .L_small_initial_num_blocks_is_6_${label_suffix}
 +        jmp               .L_small_initial_num_blocks_is_5_${label_suffix}
 -.L_small_initial_num_blocks_is_3_1_${rndsuffix}:
 +.L_small_initial_num_blocks_is_3_1_${label_suffix}:
         # ;; 3, 2 or 1
         cmp               \$3,$NUM_BLOCKS
 -        je                .L_small_initial_num_blocks_is_3_${rndsuffix}
 +        je                .L_small_initial_num_blocks_is_3_${label_suffix}
         cmp               \$2,$NUM_BLOCKS
 -        je                .L_small_initial_num_blocks_is_2_${rndsuffix}
 +        je                .L_small_initial_num_blocks_is_2_${label_suffix}
         # ;; for $NUM_BLOCKS == 1, just fall through and no 'jmp' needed
@@ -3616,7 +3610,7 @@ sub GCM_ENC_DEC_SMALL {
 ___
   for (my $num_blocks = 1; $num_blocks <= 16; $num_blocks++) {
 -    $code .= ".L_small_initial_num_blocks_is_${num_blocks}_${rndsuffix}:\n";
 +    $code .= ".L_small_initial_num_blocks_is_${num_blocks}_${label_suffix}:\n";
     &INITIAL_BLOCKS_PARTIAL(
       $AES_KEYS,   $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $LENGTH,   $DATA_OFFSET,
       $num_blocks, $CTR,        $HASH_IN_OUT,    $ENC_DEC,       $ZTMP0,    $ZTMP1,
@@ -3625,11 +3619,11 @@ ___
       $ZTMP14,     $IA0,        $IA1,            $MASKREG,       $SHUFMASK, $PBLOCK_LEN);
     if ($num_blocks != 16) {
 -      $code .= "jmp           .L_small_initial_blocks_encrypted_${rndsuffix}\n";
 +      $code .= "jmp           .L_small_initial_blocks_encrypted_${label_suffix}\n";
     }
   }
 -  $code .= ".L_small_initial_blocks_encrypted_${rndsuffix}:\n";
 +  $code .= ".L_small_initial_blocks_encrypted_${label_suffix}:\n";
 }
 # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -3710,7 +3704,7 @@ sub GCM_ENC_DEC {
   my $MASKREG = "%k1";
 -  my $rndsuffix = &random_string();
 +  my $label_suffix = $label_count++;
   # ;; reduction every 48 blocks, depth 32 blocks
   # ;; @note 48 blocks is the maximum capacity of the stack frame
@@ -3751,7 +3745,7 @@ sub GCM_ENC_DEC {
   } else {
     $code .= "or                $PLAIN_CIPH_LEN,$PLAIN_CIPH_LEN\n";
   }
 -  $code .= "je            .L_enc_dec_done_${rndsuffix}\n";
 +  $code .= "je            .L_enc_dec_done_${label_suffix}\n";
   # Length value from context $CTX_OFFSET_InLen`($GCM128_CTX) is updated in
   # 'providers/implementations/ciphers/cipher_aes_gcm_hw_vaes_avx512.inc'
@@ -3778,12 +3772,12 @@ sub GCM_ENC_DEC {
   # ;; There may be no more data if it was consumed in the partial block.
   $code .= <<___;
         sub               $DATA_OFFSET,$LENGTH
 -        je                .L_enc_dec_done_${rndsuffix}
 +        je                .L_enc_dec_done_${label_suffix}
 ___
   $code .= <<___;
         cmp               \$`(16 * 16)`,$LENGTH
 -        jbe              .L_message_below_equal_16_blocks_${rndsuffix}
 +        jbe              .L_message_below_equal_16_blocks_${label_suffix}
         vmovdqa64         SHUF_MASK(%rip),$SHUF_MASK
         vmovdqa64         ddq_addbe_4444(%rip),$ADDBE_4x4
@@ -3815,7 +3809,7 @@ ___
   $code .= <<___;
         cmp               \$`(32 * 16)`,$LENGTH
 -        jb                .L_message_below_32_blocks_${rndsuffix}
 +        jb                .L_message_below_32_blocks_${label_suffix}
 ___
   # ;; ==== AES-CTR - next 16 blocks
@@ -3836,13 +3830,13 @@ ___
         sub               \$`(32 * 16)`,$LENGTH
         cmp               \$`($big_loop_nblocks * 16)`,$LENGTH
 -        jb                .L_no_more_big_nblocks_${rndsuffix}
 +        jb                .L_no_more_big_nblocks_${label_suffix}
 ___
   # ;; ====
   # ;; ==== AES-CTR + GHASH - 48 blocks loop
   # ;; ====
 -  $code .= ".L_encrypt_big_nblocks_${rndsuffix}:\n";
 +  $code .= ".L_encrypt_big_nblocks_${label_suffix}:\n";
   # ;; ==== AES-CTR + GHASH - 16 blocks, start
   $aesout_offset      = ($STACK_LOCAL_OFFSET + (32 * 16));
@@ -3893,15 +3887,15 @@ ___
         add               \$`($big_loop_nblocks * 16)`,$DATA_OFFSET
         sub               \$`($big_loop_nblocks * 16)`,$LENGTH
         cmp               \$`($big_loop_nblocks * 16)`,$LENGTH
 -        jae               .L_encrypt_big_nblocks_${rndsuffix}
 +        jae               .L_encrypt_big_nblocks_${label_suffix}
 -.L_no_more_big_nblocks_${rndsuffix}:
 +.L_no_more_big_nblocks_${label_suffix}:
         cmp               \$`(32 * 16)`,$LENGTH
 -        jae               .L_encrypt_32_blocks_${rndsuffix}
 +        jae               .L_encrypt_32_blocks_${label_suffix}
         cmp               \$`(16 * 16)`,$LENGTH
 -        jae               .L_encrypt_16_blocks_${rndsuffix}
 +        jae               .L_encrypt_16_blocks_${label_suffix}
 ___
   # ;; =====================================================
@@ -3909,7 +3903,7 @@ ___
   # ;; ==== GHASH 1 x 16 blocks
   # ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks
   # ;; ====      then GHASH N blocks
 -  $code .= ".L_encrypt_0_blocks_ghash_32_${rndsuffix}:\n";
 +  $code .= ".L_encrypt_0_blocks_ghash_32_${label_suffix}:\n";
   # ;; calculate offset to the right hash key
   $code .= <<___;
@@ -3937,7 +3931,7 @@ ___
     $IA0,        $IA5,        $MASKREG,        $PBLOCK_LEN);
   $code .= "vpshufb           @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n";
 -  $code .= "jmp           .L_ghash_done_${rndsuffix}\n";
 +  $code .= "jmp           .L_ghash_done_${label_suffix}\n";
   # ;; =====================================================
   # ;; =====================================================
@@ -3946,7 +3940,7 @@ ___
   # ;; ==== GHASH 1 x 16 blocks (reduction)
   # ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks
   # ;; ====      then GHASH N blocks
 -  $code .= ".L_encrypt_32_blocks_${rndsuffix}:\n";
 +  $code .= ".L_encrypt_32_blocks_${label_suffix}:\n";
   # ;; ==== AES-CTR + GHASH - 16 blocks, start
   $aesout_offset  = ($STACK_LOCAL_OFFSET + (32 * 16));
@@ -4007,7 +4001,7 @@ ___
     $IA0,        $IA5,        $MASKREG,        $PBLOCK_LEN);
   $code .= "vpshufb           @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n";
 -  $code .= "jmp           .L_ghash_done_${rndsuffix}\n";
 +  $code .= "jmp           .L_ghash_done_${label_suffix}\n";
   # ;; =====================================================
   # ;; =====================================================
@@ -4015,7 +4009,7 @@ ___
   # ;; ==== GHASH 1 x 16 blocks
   # ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks
   # ;; ====      then GHASH N blocks
 -  $code .= ".L_encrypt_16_blocks_${rndsuffix}:\n";
 +  $code .= ".L_encrypt_16_blocks_${label_suffix}:\n";
   # ;; ==== AES-CTR + GHASH - 16 blocks, start
   $aesout_offset  = ($STACK_LOCAL_OFFSET + (32 * 16));
@@ -4059,9 +4053,9 @@ ___
   $code .= "vpshufb           @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n";
   $code .= <<___;
 -        jmp               .L_ghash_done_${rndsuffix}
 +        jmp               .L_ghash_done_${label_suffix}
 -.L_message_below_32_blocks_${rndsuffix}:
 +.L_message_below_32_blocks_${label_suffix}:
         # ;; 32 > number of blocks > 16
         sub               \$`(16 * 16)`,$LENGTH
@@ -4094,9 +4088,9 @@ ___
   $code .= "vpshufb           @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n";
   $code .= <<___;
 -        jmp           .L_ghash_done_${rndsuffix}
 +        jmp           .L_ghash_done_${label_suffix}
 -.L_message_below_equal_16_blocks_${rndsuffix}:
 +.L_message_below_equal_16_blocks_${label_suffix}:
         # ;; Determine how many blocks to process
         # ;; - process one additional block if there is a partial block
         mov               @{[DWORD($LENGTH)]},@{[DWORD($IA1)]}
@@ -4113,13 +4107,13 @@ ___
   # ;; fall through to exit
 -  $code .= ".L_ghash_done_${rndsuffix}:\n";
 +  $code .= ".L_ghash_done_${label_suffix}:\n";
   # ;; save the last counter block
   $code .= "vmovdqu64         $CTR_BLOCKx,`$CTX_OFFSET_CurCount`($GCM128_CTX)\n";
   $code .= <<___;
         vmovdqu64         $AAD_HASHx,`$CTX_OFFSET_AadHash`($GCM128_CTX)
 -.L_enc_dec_done_${rndsuffix}:
 +.L_enc_dec_done_${label_suffix}:
 ___
 }
@@ -4155,7 +4149,7 @@ sub INITIAL_BLOCKS_16 {
   my $B08_11 = $T7;
   my $B12_15 = $T8;
 -  my $rndsuffix = &random_string();
 +  my $label_suffix = $label_count++;
   my $stack_offset = $BLK_OFFSET;
   $code .= <<___;
@@ -4163,13 +4157,13 @@ sub INITIAL_BLOCKS_16 {
         # ;; prepare counter blocks
         cmpb              \$`(256 - 16)`,@{[BYTE($CTR_CHECK)]}
 -        jae               .L_next_16_overflow_${rndsuffix}
 +        jae               .L_next_16_overflow_${label_suffix}
         vpaddd            $ADDBE_1234,$CTR,$B00_03
         vpaddd            $ADDBE_4x4,$B00_03,$B04_07
         vpaddd            $ADDBE_4x4,$B04_07,$B08_11
         vpaddd            $ADDBE_4x4,$B08_11,$B12_15
 -        jmp               .L_next_16_ok_${rndsuffix}
 -.L_next_16_overflow_${rndsuffix}:
 +        jmp               .L_next_16_ok_${label_suffix}
 +.L_next_16_overflow_${label_suffix}:
         vpshufb           $SHUF_MASK,$CTR,$CTR
         vmovdqa64         ddq_add_4444(%rip),$B12_15
         vpaddd            ddq_add_1234(%rip),$CTR,$B00_03
@@ -4180,7 +4174,7 @@ sub INITIAL_BLOCKS_16 {
         vpshufb           $SHUF_MASK,$B04_07,$B04_07
         vpshufb           $SHUF_MASK,$B08_11,$B08_11
         vpshufb           $SHUF_MASK,$B12_15,$B12_15
 -.L_next_16_ok_${rndsuffix}:
 +.L_next_16_ok_${label_suffix}:
         vshufi64x2        \$0b11111111,$B12_15,$B12_15,$CTR
         addb               \$16,@{[BYTE($CTR_CHECK)]}
         # ;; === load 16 blocks of data
@@ -4264,7 +4258,7 @@ sub GCM_COMPLETE {
   my $GCM128_CTX = $_[0];
   my $PBLOCK_LEN = $_[1];
 -  my $rndsuffix = &random_string();
 +  my $label_suffix = $label_count++;
   $code .= <<___;
         vmovdqu           @{[HashKeyByIdx(1,$GCM128_CTX)]},%xmm2
@@ -4276,14 +4270,14 @@ ___
         # ;; Process the final partial block.
         cmp               \$0,$PBLOCK_LEN
 -        je                .L_partial_done_${rndsuffix}
 +        je                .L_partial_done_${label_suffix}
 ___
   #  ;GHASH computation for the last <16 Byte block
   &GHASH_MUL("%xmm4", "%xmm2", "%xmm0", "%xmm16", "%xmm17");
   $code .= <<___;
 -.L_partial_done_${rndsuffix}:
 +.L_partial_done_${label_suffix}:
         vmovq           `$CTX_OFFSET_InLen`($GCM128_CTX), %xmm5
         vpinsrq         \$1, `$CTX_OFFSET_AadLen`($GCM128_CTX), %xmm5, %xmm5    #  ; xmm5 = len(A)||len(C)
         vpsllq          \$3, %xmm5, %xmm5                                       #  ; convert bytes into bits
@@ -4297,7 +4291,7 @@ ___
         vpshufb         SHUF_MASK(%rip),%xmm4,%xmm4      # ; perform a 16Byte swap
         vpxor           %xmm4,%xmm3,%xmm3
 -.L_return_T_${rndsuffix}:
 +.L_return_T_${label_suffix}:
         vmovdqu           %xmm3,`$CTX_OFFSET_AadHash`($GCM128_CTX)
 ___
 }