Accepting request 1297961 from security:tls

OBS-URL: https://build.opensuse.org/request/show/1297961
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=45

openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch

@@ -1,570 +0,0 @@
-From 5f4f350ce797a7cd2fdca84c474ee196da9d6fae Mon Sep 17 00:00:00 2001
-From: Clemens Lang <cllang@redhat.com>
-Date: Wed, 18 May 2022 17:25:59 +0200
-Subject: [PATCH] Deny SHA-1 signature verification in FIPS provider
-
-For RHEL, we already disable SHA-1 signatures by default in the default
-provider, so it is unexpected that the FIPS provider would have a more
-lenient configuration in this regard. Additionally, we do not think
-continuing to accept SHA-1 signatures is a good idea due to the
-published chosen-prefix collision attacks.
-
-As a consequence, disable verification of SHA-1 signatures in the FIPS
-provider.
-
-This requires adjusting a few tests that would otherwise fail:
-- 30-test_acvp: Remove the test vectors that use SHA-1.
-- 30-test_evp: Mark tests in evppkey_rsa_common.txt and
-  evppkey_ecdsa.txt that use SHA-1 digests as "Availablein = default",
-  which will not run them when the FIPS provider is enabled.
-- 80-test_cms: Re-create all certificates in test/smime-certificates
-  with SHA256 signatures while keeping the same private keys. These
-  certificates were signed with SHA-1 and thus fail verification in the
-  FIPS provider.
-  Fix some other tests by explicitly running them in the default
-  provider, where SHA-1 is available.
-- 80-test_ssl_old: Skip tests that rely on SSLv3 and SHA-1 when run with
-  the FIPS provider.
-
-Signed-off-by: Clemens Lang <cllang@redhat.com>
----
- providers/implementations/signature/dsa_sig.c |  4 --
- .../implementations/signature/ecdsa_sig.c     |  4 --
- providers/implementations/signature/rsa_sig.c |  8 +--
- test/acvp_test.inc                            | 20 -------
- .../30-test_evp_data/evppkey_ecdsa.txt        |  7 +++
- .../30-test_evp_data/evppkey_rsa_common.txt   | 51 +++++++++++++++-
- test/recipes/80-test_cms.t                    |  4 +-
- test/recipes/80-test_ssl_old.t                |  4 ++
- test/smime-certs/smdh.pem                     | 18 +++---
- test/smime-certs/smdsa1.pem                   | 60 +++++++++----------
- test/smime-certs/smdsa2.pem                   | 60 +++++++++----------
- test/smime-certs/smdsa3.pem                   | 60 +++++++++----------
- test/smime-certs/smec1.pem                    | 30 +++++-----
- test/smime-certs/smec2.pem                    | 30 +++++-----
- test/smime-certs/smec3.pem                    | 30 +++++-----
- test/smime-certs/smroot.pem                   | 38 ++++++------
- test/smime-certs/smrsa1.pem                   | 38 ++++++------
- test/smime-certs/smrsa2.pem                   | 38 ++++++------
- test/smime-certs/smrsa3.pem                   | 38 ++++++------
- 19 files changed, 286 insertions(+), 256 deletions(-)
-
-Index: openssl-3.2.3/providers/implementations/signature/dsa_sig.c
-===================================================================
---- openssl-3.2.3.orig/providers/implementations/signature/dsa_sig.c
-+++ openssl-3.2.3/providers/implementations/signature/dsa_sig.c
-@@ -129,11 +129,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ct
-         EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
-         int md_nid;
-         size_t mdname_len = strlen(mdname);
--#ifdef FIPS_MODULE
--        int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
--#else
-         int sha1_allowed = 0;
--#endif
-         md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
-                                                             sha1_allowed);
- 
-Index: openssl-3.2.3/providers/implementations/signature/ecdsa_sig.c
-===================================================================
---- openssl-3.2.3.orig/providers/implementations/signature/ecdsa_sig.c
-+++ openssl-3.2.3/providers/implementations/signature/ecdsa_sig.c
-@@ -247,11 +247,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX
-                        "%s could not be fetched", mdname);
-         return 0;
-     }
--#ifdef FIPS_MODULE
--    sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
--#else
-     sha1_allowed = 0;
--#endif
-     md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
-                                                     sha1_allowed);
-     if (md_nid < 0) {
-Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c
-===================================================================
---- openssl-3.2.3.orig/providers/implementations/signature/rsa_sig.c
-+++ openssl-3.2.3/providers/implementations/signature/rsa_sig.c
-@@ -321,11 +321,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ct
-         EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
-         int md_nid;
-         size_t mdname_len = strlen(mdname);
--#ifdef FIPS_MODULE
--        int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
--#else
-         int sha1_allowed = 0;
--#endif
-         md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
-                                                      sha1_allowed);
- 
-@@ -1416,8 +1412,10 @@ static int rsa_set_ctx_params(void *vprs
- 
-     if (prsactx->md == NULL && pmdname == NULL
-         && pad_mode == RSA_PKCS1_PSS_PADDING) {
-+#ifdef FIPS_MODULE
-+        pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
-+#else
-         pmdname = RSA_DEFAULT_DIGEST_NAME;
--#ifndef FIPS_MODULE
-         if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
-             pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
-         }
-Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
-===================================================================
---- openssl-3.2.3.orig/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
-+++ openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
-@@ -37,12 +37,14 @@ PrivPubKeyPair = P-256:P-256-PUBLIC
- 
- Title = ECDSA tests
- 
-+Availablein = default
- Verify = P-256
- Ctrl = digest:SHA1
- Input = "0123456789ABCDEF1234"
- Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
- 
- # Digest too long
-+Availablein = default
- Verify = P-256
- Ctrl = digest:SHA1
- Input = "0123456789ABCDEF12345"
-@@ -50,6 +52,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a
- Result = VERIFY_ERROR
- 
- # Digest too short
-+Availablein = default
- Verify = P-256
- Ctrl = digest:SHA1
- Input = "0123456789ABCDEF123"
-@@ -57,6 +60,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a
- Result = VERIFY_ERROR
- 
- # Digest invalid
-+Availablein = default
- Verify = P-256
- Ctrl = digest:SHA1
- Input = "0123456789ABCDEF1235"
-@@ -64,6 +68,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a
- Result = VERIFY_ERROR
- 
- # Invalid signature
-+Availablein = default
- Verify = P-256
- Ctrl = digest:SHA1
- Input = "0123456789ABCDEF1234"
-@@ -79,12 +84,14 @@ Output = 3045022100b1d1cb1a577035bccdd5a
- Result = VERIFY_ERROR
- 
- # BER signature
-+Availablein = default
- Verify = P-256
- Ctrl = digest:SHA1
- Input = "0123456789ABCDEF1234"
- Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000
- Result = VERIFY_ERROR
- 
-+Availablein = default
- Verify = P-256-PUBLIC
- Ctrl = digest:SHA1
- Input = "0123456789ABCDEF1234"
-Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
-===================================================================
---- openssl-3.2.3.orig/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
-+++ openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
-@@ -96,6 +96,7 @@ NDL6WCBbets=
- 
- Title = RSA tests
- 
-+Availablein = default
- Verify = RSA-2048
- Ctrl = digest:SHA1
- Input = "0123456789ABCDEF1234"
-@@ -112,24 +113,28 @@ Ctrl = digest:SHA512-224
- Input = "0123456789ABCDEF123456789ABC"
- Output = 5f720e9488139bb21e1c2f027fd5ce5993e6d31c5a8faaee833487b3a944d66891178868ace8070cad3ee2ffbe54aa4885a15fd1a7cc5166970fe1fd8c0423e72bd3e3b56fc4a53ed80aaaeca42497f0ec3c62113edc05cd006608f5eef7ce3ad4cba1069f68731dd28a524a1f93fcdc5547112d48d45586dd943ba0d443be9635720d8a61697c54c96627f0d85c5fbeaa3b4af86a65cf2fc3800dd5de34c046985f25d0efc0bb6edccc1d08b3a4fb9c8faffe181c7e68b31e374ad1440a4a664eec9ca0dc53a9d2f5bc7d9940d866f64201bcbc63612754df45727ea24b531d7de83d1bb707444859fa35521320c33bf6f4dbeb6fb56e653adbf7af15843f17
- 
-+Availablein = default
- VerifyRecover = RSA-2048
- Ctrl = digest:SHA1
- Input = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
- Output = "0123456789ABCDEF1234"
- 
- # Leading zero in the signature
-+Availablein = default
- Verify = RSA-2048
- Ctrl = digest:SHA1
- Input = "0123456789ABCDEF1234"
- Output = 00c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
- Result = VERIFY_ERROR
- 
-+Availablein = default
- VerifyRecover = RSA-2048
- Ctrl = digest:SHA1
- Input = 00c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
- Result = KEYOP_ERROR
- 
- # Mismatched digest
-+Availablein = default
- Verify = RSA-2048
- Ctrl = digest:SHA1
- Input = "0123456789ABCDEF1233"
-@@ -137,6 +142,7 @@ Output = c09d402423cbf233d26cae21f954547
- Result = VERIFY_ERROR
- 
- # Corrupted signature
-+Availablein = default
- Verify = RSA-2048
- Ctrl = digest:SHA1
- Input = "0123456789ABCDEF1233"
-@@ -144,6 +150,7 @@ Output = c09d402423cbf233d26cae21f954547
- Result = VERIFY_ERROR
- 
- # parameter is not NULLt
-+Availablein = default
- Verify = RSA-2048
- Ctrl = digest:sha1
- Input = "0123456789ABCDEF1234"
-@@ -151,42 +158,49 @@ Output = 3ec3fc29eb6e122bd7aa361cd09fe1b
- Result = VERIFY_ERROR
- 
- # embedded digest too long
-+Availablein = default
- Verify = RSA-2048
- Ctrl = digest:sha1
- Input = "0123456789ABCDEF1234"
- Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
- Result = VERIFY_ERROR
- 
-+Availablein = default
- VerifyRecover = RSA-2048
- Ctrl = digest:sha1
- Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
- Result = KEYOP_ERROR
- 
- # embedded digest too short
-+Availablein = default
- Verify = RSA-2048
- Ctrl = digest:sha1
- Input = "0123456789ABCDEF1234"
- Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
- Result = VERIFY_ERROR
- 
-+Availablein = default
- VerifyRecover = RSA-2048
- Ctrl = digest:sha1
- Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
- Result = KEYOP_ERROR
- 
- # Garbage after DigestInfo
-+Availablein = default
- Verify = RSA-2048
- Ctrl = digest:sha1
- Input = "0123456789ABCDEF1234"
- Output = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274
- Result = VERIFY_ERROR
- 
-+Availablein = default
- VerifyRecover = RSA-2048
- Ctrl = digest:sha1
- Input = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274
- Result = KEYOP_ERROR
- 
- # invalid tag for parameter
-+Availablein = default
- Verify = RSA-2048
- Ctrl = digest:sha1
- Input = "0123456789ABCDEF1234"
-@@ -195,6 +209,7 @@ Result = VERIFY_ERROR
- 
- # Verify using public key
- 
-+Availablein = default
- Verify = RSA-2048-PUBLIC
- Ctrl = digest:SHA1
- Input = "0123456789ABCDEF1234"
-@@ -858,6 +873,8 @@ Input="0123456789ABCDEF0123456789ABCDEF"
- Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DDD0635A96B28F854E50145518482CB49E963054621B53C60C498D07C16E9C2789C893CF38D4D86900DE71BDE463BD2761D1271E358C7480A1AC0BAB930DDF39602AD1BC165B5D7436B516B7A7858E8EB7AB1C420EEB482F4D207F0E462B1724959320A084E13848D11D10FB593E66BF680BF6D3F345FC3E9C3DE60ABBAC37E1C6EC80A268C8D9FC49626C679097AA690BC1AA662B95EB8DB70390861AA0898229F9349B4B5FDD030D4928C47084708A933144BE23BD3C6E661B85B2C0EF9ED36D498D5B7320E8194D363D4AD478C059BAE804181965E0B81B663158A
- 
- # Verify using salt length auto detect
-+# In the FIPS provider on SUSE/openSUSE, the default digest for PSS signatures is SHA-256
-+Availablein = default
- Verify = RSA-2048-PUBLIC
- Ctrl = rsa_padding_mode:pss
- Ctrl = rsa_pss_saltlen:auto
-@@ -892,6 +909,10 @@ Output=4DE433D5844043EF08D354DA03CB29068
- Result = VERIFY_ERROR
- 
- # Verify using default parameters, explicitly setting parameters
-+# NOTE: RSA-PSS-DEFAULT contains a restriction to use SHA1 as digest, which
-+# SUSE/openSUSE do not support in FIPS mode; all these tests are thus marked
-+# Availablein = default.
-+Availablein = default
- Verify = RSA-PSS-DEFAULT
- Ctrl = rsa_padding_mode:pss
- Ctrl = rsa_pss_saltlen:20
-@@ -900,6 +921,7 @@ Input="0123456789ABCDEF0123"
- Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
- 
- # Verify explicitly setting parameters "digest" salt length
-+Availablein = default
- Verify = RSA-PSS-DEFAULT
- Ctrl = rsa_padding_mode:pss
- Ctrl = rsa_pss_saltlen:digest
-@@ -908,18 +930,21 @@ Input="0123456789ABCDEF0123"
- Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
- 
- # Verify using salt length larger than minimum
-+Availablein = default
- Verify = RSA-PSS-DEFAULT
- Ctrl = rsa_pss_saltlen:30
- Input="0123456789ABCDEF0123"
- Output = 6BF7EDC63A0BA184EEEC7F3020FEC8F5EBF38C2B76481881F48BCCE5796E7AB294548BA9AE810457C7723CABD1BDE94CF59CF7C0FC7461B22760C8ED703DD98E97BFDD61FA8D1181C411F6DEE5FF159F4850746D78EDEE385A363DC28E2CB373D5CAD7953F3BD5E639BE345732C03A1BDEA268814DA036EB1891C82D4012F3B903D86636055F87B96FC98806AD1B217685A4D754046A5DE0B0D7870664BE07902153EC85BA457BE7D7F89D7FE0F626D02A9CBBB2BB479DDA1A5CAE75247FB7BF6BFB15C1D3FD9E6B1573CCDBC72011C3B97716058BB11C7EA2E4E56ADAFE1F5DE6A7FD405AC5890100F9C3408EFFB5C73BF73F48177FF743B4B819D0699D507B
- 
- # Verify using maximum salt length
-+Availablein = default
- Verify = RSA-PSS-DEFAULT
- Ctrl = rsa_pss_saltlen:max
- Input="0123456789ABCDEF0123"
- Output = 4470DCFE812DEE2E58E4301D4ED274AB348FE040B724B2CD1D8CD0914BFF375F0B86FCB32BFA8AEA9BD22BD7C4F1ADD4F3D215A5CFCC99055BAFECFC23800E9BECE19A08C66BEBC5802122D13A732E5958FC228DCC0B49B5B4B1154F032D8FA2F3564AA949C1310CC9266B0C47F86D449AC9D2E7678347E7266E2D7C888CCE1ADF44A109A293F8516AE2BD94CE220F26E137DB8E7A66BB9FCE052CDC1D0BE24D8CEBB20D10125F26B069F117044B9E1D16FDDAABCA5340AE1702F37D0E1C08A2E93801C0A41035C6C73DA02A0E32227EAFB0B85E79107B59650D0EE7DC32A6772CCCE90F06369B2880FE87ED76997BA61F5EA818091EE88F8B0D6F24D02A3FC6
- 
- # Attempt to change salt length below minimum
-+Availablein = default
- Verify = RSA-PSS-DEFAULT
- Ctrl = rsa_pss_saltlen:0
- Result = PKEY_CTRL_ERROR
-@@ -927,21 +952,25 @@ Result = PKEY_CTRL_ERROR
- # Attempt to change padding mode
- # Note this used to return PKEY_CTRL_INVALID
- # but it is limited because setparams only returns 0 or 1.
-+Availablein = default
- Verify = RSA-PSS-DEFAULT
- Ctrl = rsa_padding_mode:pkcs1
- Result = PKEY_CTRL_ERROR
- 
- # Attempt to change digest
-+Availablein = default
- Verify = RSA-PSS-DEFAULT
- Ctrl = digest:sha256
- Result = PKEY_CTRL_ERROR
- 
- # Invalid key: rejected when we try to init
-+Availablein = default
- Verify = RSA-PSS-BAD
- Result = KEYOP_INIT_ERROR
- Reason = invalid salt length
- 
- # Invalid key: rejected when we try to init
-+Availablein = default
- Verify = RSA-PSS-BAD2
- Result = KEYOP_INIT_ERROR
- Reason = invalid salt length
-@@ -960,36 +989,42 @@ CAltWyuLbfXWce9jd8CSHLI8Jwpw4lmOb/idGfEF
- 4fINDOjP+yJJvZohNwIDAQAB
- -----END PUBLIC KEY-----
- 
-+Availablein = default
- Verify=RSA-PSS-1
- Ctrl = rsa_padding_mode:pss
- Ctrl = rsa_mgf1_md:sha1
- Input=cd8b6538cb8e8de566b68bd067569dbf1ee2718e
- Output=9074308fb598e9701b2294388e52f971faac2b60a5145af185df5287b5ed2887e57ce7fd44dc8634e407c8e0e4360bc226f3ec227f9d9e54638e8d31f5051215df6ebb9c2f9579aa77598a38f914b5b9c1bd83c4e2f9f382a0d0aa3542ffee65984a601bc69eb28deb27dca12c82c2d4c3f66cd500f1ff2b994d8a4e30cbb33c
- 
-+Availablein = default
- Verify=RSA-PSS-1
- Ctrl = rsa_padding_mode:pss
- Ctrl = rsa_mgf1_md:sha1
- Input=e35befc17a1d160b9ce35fbd8eb16e7ee491d3fd
- Output=3ef7f46e831bf92b32274142a585ffcefbdca7b32ae90d10fb0f0c729984f04ef29a9df0780775ce43739b97838390db0a5505e63de927028d9d29b219ca2c4517832558a55d694a6d25b9dab66003c4cccd907802193be5170d26147d37b93590241be51c25055f47ef62752cfbe21418fafe98c22c4d4d47724fdb5669e843
- 
-+Availablein = default
- Verify=RSA-PSS-1
- Ctrl = rsa_padding_mode:pss
- Ctrl = rsa_mgf1_md:sha1
- Input=0652ec67bcee30f9d2699122b91c19abdba89f91
- Output=666026fba71bd3e7cf13157cc2c51a8e4aa684af9778f91849f34335d141c00154c4197621f9624a675b5abc22ee7d5baaffaae1c9baca2cc373b3f33e78e6143c395a91aa7faca664eb733afd14d8827259d99a7550faca501ef2b04e33c23aa51f4b9e8282efdb728cc0ab09405a91607c6369961bc8270d2d4f39fce612b1
- 
-+Availablein = default
- Verify=RSA-PSS-1
- Ctrl = rsa_padding_mode:pss
- Ctrl = rsa_mgf1_md:sha1
- Input=39c21c4cceda9c1adf839c744e1212a6437575ec
- Output=4609793b23e9d09362dc21bb47da0b4f3a7622649a47d464019b9aeafe53359c178c91cd58ba6bcb78be0346a7bc637f4b873d4bab38ee661f199634c547a1ad8442e03da015b136e543f7ab07c0c13e4225b8de8cce25d4f6eb8400f81f7e1833b7ee6e334d370964ca79fdb872b4d75223b5eeb08101591fb532d155a6de87
- 
-+Availablein = default
- Verify=RSA-PSS-1
- Ctrl = rsa_padding_mode:pss
- Ctrl = rsa_mgf1_md:sha1
- Input=36dae913b77bd17cae6e7b09453d24544cebb33c
- Output=1d2aad221ca4d31ddf13509239019398e3d14b32dc34dc5af4aeaea3c095af73479cf0a45e5629635a53a018377615b16cb9b13b3e09d671eb71e387b8545c5960da5a64776e768e82b2c93583bf104c3fdb23512b7b4e89f633dd0063a530db4524b01c3f384c09310e315a79dcd3d684022a7f31c865a664e316978b759fad
- 
-+Availablein = default
- Verify=RSA-PSS-1
- Ctrl = rsa_padding_mode:pss
- Ctrl = rsa_mgf1_md:sha1
-@@ -1005,36 +1040,42 @@ swU7R97S7NSkyu/WFIM9yLtiLzF+0Ha4BX/o3j+E
- 0w5GMTmBXG/U/VrFuBcqRSMOy2MYoE8UVdhOWosCAwEAAQ==
- -----END PUBLIC KEY-----
- 
-+Availablein = default
- Verify=RSA-PSS-9
- Ctrl = rsa_padding_mode:pss
- Ctrl = rsa_mgf1_md:sha1
- Input=2715a49b8b0012cd7aee84c116446e6dfe3faec0
- Output=586107226c3ce013a7c8f04d1a6a2959bb4b8e205ba43a27b50f124111bc35ef589b039f5932187cb696d7d9a32c0c38300a5cdda4834b62d2eb240af33f79d13dfbf095bf599e0d9686948c1964747b67e89c9aba5cd85016236f566cc5802cb13ead51bc7ca6bef3b94dcbdbb1d570469771df0e00b1a8a06777472d2316279edae86474668d4e1efff95f1de61c6020da32ae92bbf16520fef3cf4d88f61121f24bbd9fe91b59caf1235b2a93ff81fc403addf4ebdea84934a9cdaf8e1a9e
- 
-+Availablein = default
- Verify=RSA-PSS-9
- Ctrl = rsa_padding_mode:pss
- Ctrl = rsa_mgf1_md:sha1
- Input=2dac956d53964748ac364d06595827c6b4f143cd
- Output=80b6d643255209f0a456763897ac9ed259d459b49c2887e5882ecb4434cfd66dd7e1699375381e51cd7f554f2c271704b399d42b4be2540a0eca61951f55267f7c2878c122842dadb28b01bd5f8c025f7e228418a673c03d6bc0c736d0a29546bd67f786d9d692ccea778d71d98c2063b7a71092187a4d35af108111d83e83eae46c46aa34277e06044589903788f1d5e7cee25fb485e92949118814d6f2c3ee361489016f327fb5bc517eb50470bffa1afa5f4ce9aa0ce5b8ee19bf5501b958
- 
-+Availablein = default
- Verify=RSA-PSS-9
- Ctrl = rsa_padding_mode:pss
- Ctrl = rsa_mgf1_md:sha1
- Input=28d98c46cccafbd3bc04e72f967a54bd3ea12298
- Output=484408f3898cd5f53483f80819efbf2708c34d27a8b2a6fae8b322f9240237f981817aca1846f1084daa6d7c0795f6e5bf1af59c38e1858437ce1f7ec419b98c8736adf6dd9a00b1806d2bd3ad0a73775e05f52dfef3a59ab4b08143f0df05cd1ad9d04bececa6daa4a2129803e200cbc77787caf4c1d0663a6c5987b605952019782caf2ec1426d68fb94ed1d4be816a7ed081b77e6ab330b3ffc073820fecde3727fcbe295ee61a050a343658637c3fd659cfb63736de32d9f90d3c2f63eca
- 
-+Availablein = default
- Verify=RSA-PSS-9
- Ctrl = rsa_padding_mode:pss
- Ctrl = rsa_mgf1_md:sha1
- Input=0866d2ff5a79f25ef668cd6f31b42dee421e4c0e
- Output=84ebeb481be59845b46468bafb471c0112e02b235d84b5d911cbd1926ee5074ae0424495cb20e82308b8ebb65f419a03fb40e72b78981d88aad143053685172c97b29c8b7bf0ae73b5b2263c403da0ed2f80ff7450af7828eb8b86f0028bd2a8b176a4d228cccea18394f238b09ff758cc00bc04301152355742f282b54e663a919e709d8da24ade5500a7b9aa50226e0ca52923e6c2d860ec50ff480fa57477e82b0565f4379f79c772d5c2da80af9fbf325ece6fc20b00961614bee89a183e
- 
-+Availablein = default
- Verify=RSA-PSS-9
- Ctrl = rsa_padding_mode:pss
- Ctrl = rsa_mgf1_md:sha1
- Input=6a5b4be4cd36cc97dfde9995efbf8f097a4a991a
- Output=82102df8cb91e7179919a04d26d335d64fbc2f872c44833943241de8454810274cdf3db5f42d423db152af7135f701420e39b494a67cbfd19f9119da233a23da5c6439b5ba0d2bc373eee3507001378d4a4073856b7fe2aba0b5ee93b27f4afec7d4d120921c83f606765b02c19e4d6a1a3b95fa4c422951be4f52131077ef17179729cddfbdb56950dbaceefe78cb16640a099ea56d24389eef10f8fecb31ba3ea3b227c0a86698bb89e3e9363905bf22777b2a3aa521b65b4cef76d83bde4c
- 
-+Availablein = default
- Verify=RSA-PSS-9
- Ctrl = rsa_padding_mode:pss
- Ctrl = rsa_mgf1_md:sha1
-@@ -1052,36 +1093,42 @@ F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5
- BQIDAQAB
- -----END PUBLIC KEY-----
- 
-+Availablein = default
- Verify=RSA-PSS-10
- Ctrl = rsa_padding_mode:pss
- Ctrl = rsa_mgf1_md:sha1
- Input=9596bb630cf6a8d4ea4600422b9eba8b13675dd4
- Output=82c2b160093b8aa3c0f7522b19f87354066c77847abf2a9fce542d0e84e920c5afb49ffdfdace16560ee94a1369601148ebad7a0e151cf16331791a5727d05f21e74e7eb811440206935d744765a15e79f015cb66c532c87a6a05961c8bfad741a9a6657022894393e7223739796c02a77455d0f555b0ec01ddf259b6207fd0fd57614cef1a5573baaff4ec00069951659b85f24300a25160ca8522dc6e6727e57d019d7e63629b8fe5e89e25cc15beb3a647577559299280b9b28f79b0409000be25bbd96408ba3b43cc486184dd1c8e62553fa1af4040f60663de7f5e49c04388e257f1ce89c95dab48a315d9b66b1b7628233876ff2385230d070d07e1666
- 
-+Availablein = default
- Verify=RSA-PSS-10
- Ctrl = rsa_padding_mode:pss
- Ctrl = rsa_mgf1_md:sha1
- Input=b503319399277fd6c1c8f1033cbf04199ea21716
- Output=14ae35d9dd06ba92f7f3b897978aed7cd4bf5ff0b585a40bd46ce1b42cd2703053bb9044d64e813d8f96db2dd7007d10118f6f8f8496097ad75e1ff692341b2892ad55a633a1c55e7f0a0ad59a0e203a5b8278aec54dd8622e2831d87174f8caff43ee6c46445345d84a59659bfb92ecd4c818668695f34706f66828a89959637f2bf3e3251c24bdba4d4b7649da0022218b119c84e79a6527ec5b8a5f861c159952e23ec05e1e717346faefe8b1686825bd2b262fb2531066c0de09acde2e4231690728b5d85e115a2f6b92b79c25abc9bd9399ff8bcf825a52ea1f56ea76dd26f43baafa18bfa92a504cbd35699e26d1dcc5a2887385f3c63232f06f3244c3
- 
-+Availablein = default
- Verify=RSA-PSS-10
- Ctrl = rsa_padding_mode:pss
- Ctrl = rsa_mgf1_md:sha1
- Input=50aaede8536b2c307208b275a67ae2df196c7628
- Output=6e3e4d7b6b15d2fb46013b8900aa5bbb3939cf2c095717987042026ee62c74c54cffd5d7d57efbbf950a0f5c574fa09d3fc1c9f513b05b4ff50dd8df7edfa20102854c35e592180119a70ce5b085182aa02d9ea2aa90d1df03f2daae885ba2f5d05afdac97476f06b93b5bc94a1a80aa9116c4d615f333b098892b25fface266f5db5a5a3bcc10a824ed55aad35b727834fb8c07da28fcf416a5d9b2224f1f8b442b36f91e456fdea2d7cfe3367268de0307a4c74e924159ed33393d5e0655531c77327b89821bdedf880161c78cd4196b5419f7acc3f13e5ebf161b6e7c6724716ca33b85c2e25640192ac2859651d50bde7eb976e51cec828b98b6563b86bb
- 
-+Availablein = default
- Verify=RSA-PSS-10
- Ctrl = rsa_padding_mode:pss
- Ctrl = rsa_mgf1_md:sha1
- Input=aa0b72b8b371ddd10c8ae474425ccccf8842a294
- Output=34047ff96c4dc0dc90b2d4ff59a1a361a4754b255d2ee0af7d8bf87c9bc9e7ddeede33934c63ca1c0e3d262cb145ef932a1f2c0a997aa6a34f8eaee7477d82ccf09095a6b8acad38d4eec9fb7eab7ad02da1d11d8e54c1825e55bf58c2a23234b902be124f9e9038a8f68fa45dab72f66e0945bf1d8bacc9044c6f07098c9fcec58a3aab100c805178155f030a124c450e5acbda47d0e4f10b80a23f803e774d023b0015c20b9f9bbe7c91296338d5ecb471cafb032007b67a60be5f69504a9f01abb3cb467b260e2bce860be8d95bf92c0c8e1496ed1e528593a4abb6df462dde8a0968dffe4683116857a232f5ebf6c85be238745ad0f38f767a5fdbf486fb
- 
-+Availablein = default
- Verify=RSA-PSS-10
- Ctrl = rsa_padding_mode:pss
- Ctrl = rsa_mgf1_md:sha1
- Input=fad3902c9750622a2bc672622c48270cc57d3ea8
- Output=7e0935ea18f4d6c1d17ce82eb2b3836c55b384589ce19dfe743363ac9948d1f346b7bfddfe92efd78adb21faefc89ade42b10f374003fe122e67429a1cb8cbd1f8d9014564c44d120116f4990f1a6e38774c194bd1b8213286b077b0499d2e7b3f434ab12289c556684deed78131934bb3dd6537236f7c6f3dcb09d476be07721e37e1ceed9b2f7b406887bd53157305e1c8b4f84d733bc1e186fe06cc59b6edb8f4bd7ffefdf4f7ba9cfb9d570689b5a1a4109a746a690893db3799255a0cb9215d2d1cd490590e952e8c8786aa0011265252470c041dfbc3eec7c3cbf71c24869d115c0cb4a956f56d530b80ab589acfefc690751ddf36e8d383f83cedd2cc
- 
-+Availablein = default
- Verify=RSA-PSS-10
- Ctrl = rsa_padding_mode:pss
- Ctrl = rsa_mgf1_md:sha1
-@@ -1817,11 +1864,13 @@ Title = RSA FIPS tests
- 
- # FIPS tests
- 
--# Verifying with SHA1 is permitted in fips mode for older applications
-+# Verifying with SHA1 is not permitted on SUSE/openSUSE in FIPS mode
-+Availablein = fips
- DigestVerify = SHA1
- Key = RSA-2048
- Input = "Hello "
- Output = 87ea0e2226ef35e5a2aec9ca1222fcbe39ba723f05b3203564f671dd3601271806ead3240e61d424359ee3b17bd3e32f54b82df83998a8ac4148410710361de0400f9ddf98278618fbc87747a0531972543e6e5f18ab2fdfbfda02952f6ac69690e43864690af271bf43d4be9705b303d4ff994ab3abd4d5851562b73e59be3edc01cec41a4cc13b68206329bad1a46c6608d3609e951faa321d0fdbc765d54e9a7c59248d2f67913c9903e932b769c9c8a45520cabea06e8c0b231dd3bcc7f7ec55b46b0157ccb5fc5011fa57353cd3df32edcbadcb8d168133cbd0acfb64444cb040e1298f621508a38f79e14ae8c2c5c857f90aa9d24ef5fc07d34bf23859
-+Result = DIGESTVERIFYINIT_ERROR
- 
- # Verifying with a 1024 bit key is permitted in fips mode for older applications
- DigestVerify = SHA256
-Index: openssl-3.2.3/test/recipes/80-test_cms.t
-===================================================================
---- openssl-3.2.3.orig/test/recipes/80-test_cms.t
-+++ openssl-3.2.3/test/recipes/80-test_cms.t
-@@ -163,7 +163,7 @@ my @smime_pkcs7_tests = (
-       [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1",
-         "-certfile", $smroot,
-         "-signer", $smrsa1, "-out", "{output}.cms" ],
--      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
-+      [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms",
-         "-CAfile", $smroot, "-out", "{output}.txt" ],
-       \&final_compare
-     ],
-@@ -171,7 +171,7 @@ my @smime_pkcs7_tests = (
-     [ "signed zero-length content S/MIME format, RSA key SHA1",
-       [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1",
-         "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
--      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
-+      [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms",
-         "-CAfile", $smroot, "-out", "{output}.txt" ],
-       \&zero_compare
-     ],
-Index: openssl-3.2.3/test/recipes/80-test_ssl_old.t
-===================================================================
---- openssl-3.2.3.orig/test/recipes/80-test_ssl_old.t
-+++ openssl-3.2.3/test/recipes/80-test_ssl_old.t
-@@ -394,6 +394,9 @@ sub testssl {
-                'test sslv2/sslv3 with 1024bit DHE via BIO pair');
-           }
- 
-+        SKIP: {
-+          skip "SSLv3 is not supported by the FIPS provider", 4
-+              if $provider eq "fips";
-           ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])),
-              'test sslv2/sslv3 with server authentication');
-           ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])),
-@@ -402,6 +405,7 @@ sub testssl {
-              'test sslv2/sslv3 with both client and server authentication via BIO pair');
-           ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])),
-              'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify');
-+         }
- 
-         SKIP: {
-             skip "No IPv4 available on this machine", 4
-Index: openssl-3.2.3/test/acvp_test.inc
-===================================================================
---- openssl-3.2.3.orig/test/acvp_test.inc
-+++ openssl-3.2.3/test/acvp_test.inc
-@@ -1844,17 +1844,6 @@ static const struct rsa_sigver_st rsa_si
-     {
-         "x931",
-         3072,
--        "SHA1",
--        ITM(rsa_sigverx931_0_msg),
--        ITM(rsa_sigverx931_0_n),
--        ITM(rsa_sigverx931_0_e),
--        ITM(rsa_sigverx931_0_sig),
--        NO_PSS_SALT_LEN,
--        PASS
--    },
--    {
--        "x931",
--        3072,
-         "SHA256",
-         ITM(rsa_sigverx931_1_msg),
-         ITM(rsa_sigverx931_1_n),

openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch

@@ -1,98 +0,0 @@
-From 589eb3898896c1ac916bc20069ecd5adb8534850 Mon Sep 17 00:00:00 2001
-From: Clemens Lang <cllang@redhat.com>
-Date: Fri, 17 Feb 2023 15:31:08 +0100
-Subject: [PATCH] GCM: Implement explicit FIPS indicator for IV gen
-
-Implementation Guidance for FIPS 140-3 and the Cryptographic Module
-Verification Program, Section C.H requires guarantees about the
-uniqueness of key/iv pairs, and proposes a few approaches to ensure
-this. Provide an indicator for option 2 "The IV may be generated
-internally at its entirety randomly."
-
-Resolves: rhbz#2168289
-Signed-off-by: Clemens Lang <cllang@redhat.com>
----
- include/openssl/core_names.h                  |  1 +
- include/openssl/evp.h                         |  4 +++
- .../implementations/ciphers/ciphercommon.c    |  4 +++
- .../ciphers/ciphercommon_gcm.c                | 25 +++++++++++++++++++
- 4 files changed, 34 insertions(+)
-
-Index: openssl-3.2.3/include/openssl/evp.h
-===================================================================
---- openssl-3.2.3.orig/include/openssl/evp.h
-+++ openssl-3.2.3/include/openssl/evp.h
-@@ -753,6 +753,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER
- void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags);
- int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags);
- 
-+# define EVP_CIPHER_SUSE_FIPS_INDICATOR_UNDETERMINED 0
-+# define EVP_CIPHER_SUSE_FIPS_INDICATOR_APPROVED     1
-+# define EVP_CIPHER_SUSE_FIPS_INDICATOR_NOT_APPROVED 2
-+
- __owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
-                            const unsigned char *key, const unsigned char *iv);
- __owur int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,
-Index: openssl-3.2.3/providers/implementations/ciphers/ciphercommon.c
-===================================================================
---- openssl-3.2.3.orig/providers/implementations/ciphers/ciphercommon.c
-+++ openssl-3.2.3/providers/implementations/ciphers/ciphercommon.c
-@@ -152,6 +152,10 @@ static const OSSL_PARAM cipher_aead_know
-     OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
-     OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL),
-     OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, NULL, 0),
-+    /* normally we would hide this under an #ifdef FIPS_MODULE, but that does
-+     * not work in ciphercommon.c because it is compiled only once into
-+     * libcommon.a */
-+    OSSL_PARAM_int(OSSL_CIPHER_PARAM_SUSE_FIPS_INDICATOR, NULL),
-     OSSL_PARAM_END
- };
- const OSSL_PARAM *ossl_cipher_aead_gettable_ctx_params(
-Index: openssl-3.2.3/providers/implementations/ciphers/ciphercommon_gcm.c
-===================================================================
---- openssl-3.2.3.orig/providers/implementations/ciphers/ciphercommon_gcm.c
-+++ openssl-3.2.3/providers/implementations/ciphers/ciphercommon_gcm.c
-@@ -238,6 +238,31 @@ int ossl_gcm_get_ctx_params(void *vctx,
-             break;
-         }
-     }
-+
-+    /* We would usually hide this under #ifdef FIPS_MODULE, but
-+     * ciphercommon_gcm.c is only compiled once into libcommon.a, so ifdefs do
-+     * not work here. */
-+    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_SUSE_FIPS_INDICATOR);
-+    if (p != NULL) {
-+        int fips_indicator = EVP_CIPHER_SUSE_FIPS_INDICATOR_APPROVED;
-+
-+        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
-+         * Verification Program, Section C.H requires guarantees about the
-+         * uniqueness of key/iv pairs, and proposes a few approaches to ensure
-+         * this. This provides an indicator for option 2 "The IV may be
-+         * generated internally at its entirety randomly." Note that one of the
-+         * conditions of this option is that "The IV length shall be at least
-+         * 96 bits (per SP 800-38D)." We do not specically check for this
-+         * condition here, because gcm_iv_generate will fail in this case. */
-+        if (ctx->enc && !ctx->iv_gen_rand)
-+            fips_indicator = EVP_CIPHER_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+
-+        if (!OSSL_PARAM_set_int(p, fips_indicator)) {
-+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
-+            return 0;
-+        }
-+    }
-+
-     return 1;
- }
- 
-Index: openssl-3.2.3/util/perl/OpenSSL/paramnames.pm
-===================================================================
---- openssl-3.2.3.orig/util/perl/OpenSSL/paramnames.pm
-+++ openssl-3.2.3/util/perl/OpenSSL/paramnames.pm
-@@ -102,6 +102,7 @@ my %params = (
-     'CIPHER_PARAM_CTS_MODE' =>             "cts_mode",    # utf8_string
- # For passing the AlgorithmIdentifier parameter in DER form
-     'CIPHER_PARAM_ALGORITHM_ID_PARAMS' =>  "alg_id_param",# octet_string
-+    'CIPHER_PARAM_SUSE_FIPS_INDICATOR' =>  "suse-fips-indicator",# int
-     'CIPHER_PARAM_XTS_STANDARD' =>         "xts_standard",# utf8_string
- 
-     'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT' =>  "tls1multi_maxsndfrag",# uint

openssl-3-FIPS-PCT_rsa_keygen.patch

@@ -1,28 +0,0 @@
-Index: openssl-3.1.4/crypto/rsa/rsa_gen.c
-===================================================================
---- openssl-3.1.4.orig/crypto/rsa/rsa_gen.c
-+++ openssl-3.1.4/crypto/rsa/rsa_gen.c
-@@ -428,7 +428,12 @@ static int rsa_keygen(OSSL_LIB_CTX *libc
- 
- #ifdef FIPS_MODULE
-     ok = ossl_rsa_sp800_56b_generate_key(rsa, bits, e_value, cb);
--    pairwise_test = 1; /* FIPS MODE needs to always run the pairwise test */
-+     /* FIPS MODE needs to always run the pairwise test. But, the
-+      * rsa_keygen_pairwise_test() PCT as self-test requirements will be
-+      * covered by do_rsa_pct() for both RSA-OAEP and RSA signatures and
-+      * this PCT can be skipped here. See bsc#1221760 for more info.
-+      */
-+    pairwise_test = 0;
- #else
-     /*
-      * Only multi-prime keys or insecure keys with a small key length or a
-@@ -463,6 +468,9 @@ static int rsa_keygen(OSSL_LIB_CTX *libc
-             rsa->dmp1 = NULL;
-             rsa->dmq1 = NULL;
-             rsa->iqmp = NULL;
-+#ifdef FIPS_MODULE
-+            abort();
-+#endif /* FIPS_MODULE */
-         }
-     }
-     return ok;

openssl-3-add-defines-CPACF-funcs.patch

@@ -1,82 +0,0 @@
-commit 518b53b139d7b4ac082ccedd401d2ee08fc66985
-Author: Ingo Franzki <ifranzki@linux.ibm.com>
-Date:   Wed Jan 31 16:26:52 2024 +0100
-
-    s390x: Add defines for new CPACF functions
-    
-    Add defines for new CPACF functions codes, its required MSA levels, and
-    document how to disable these functions via the OPENSSL_s390xcap environment
-    variable.
-    
-    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
-    
-    Reviewed-by: Paul Dale <ppzgs1@gmail.com>
-    Reviewed-by: Tomas Mraz <tomas@openssl.org>
-    (Merged from https://github.com/openssl/openssl/pull/25161)
-
-diff --git a/crypto/s390x_arch.h b/crypto/s390x_arch.h
-index fdc682af06..88ed866b0d 100644
---- a/crypto/s390x_arch.h
-+++ b/crypto/s390x_arch.h
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved.
-  *
-  * Licensed under the Apache License 2.0 (the "License").  You may not use
-  * this file except in compliance with the License.  You can obtain a copy
-@@ -115,6 +115,7 @@ extern int OPENSSL_s390xcex;
- # define S390X_MSA5             57      /* message-security-assist-ext. 5 */
- # define S390X_MSA3             76      /* message-security-assist-ext. 3 */
- # define S390X_MSA4             77      /* message-security-assist-ext. 4 */
-+# define S390X_MSA12            86      /* message-security-assist-ext. 12 */
- # define S390X_VX               129     /* vector */
- # define S390X_VXD              134     /* vector packed decimal */
- # define S390X_VXE              135     /* vector enhancements 1 */
-@@ -150,6 +151,14 @@ extern int OPENSSL_s390xcex;
- /* km */
- # define S390X_XTS_AES_128      50
- # define S390X_XTS_AES_256      52
-+# define S390X_XTS_AES_128_MSA10 82
-+# define S390X_XTS_AES_256_MSA10 84
-+
-+/* kmac */
-+# define S390X_HMAC_SHA_224     112
-+# define S390X_HMAC_SHA_256     113
-+# define S390X_HMAC_SHA_384     114
-+# define S390X_HMAC_SHA_512     115
- 
- /* prno */
- # define S390X_SHA_512_DRNG     3
-diff --git a/doc/man3/OPENSSL_s390xcap.pod b/doc/man3/OPENSSL_s390xcap.pod
-index d7185530ec..363003d8d3 100644
---- a/doc/man3/OPENSSL_s390xcap.pod
-+++ b/doc/man3/OPENSSL_s390xcap.pod
-@@ -74,6 +74,7 @@ the numbering is continuous across 64-bit mask boundaries.
-       :
-       # 76    1<<51    message-security assist extension 3
-       # 77    1<<50    message-security assist extension 4
-+      # 86    1<<41    message-security-assist extension 12
-       :
-       #129    1<<62    vector facility
-       #134    1<<57    vector packed decimal facility
-@@ -110,6 +111,8 @@ the numbering is continuous across 64-bit mask boundaries.
-       # 50    1<<13    KM-XTS-AES-128
-       # 52    1<<11    KM-XTS-AES-256
-       :
-+      # 82    1<<45    KM-XTS-AES-128-MSA10
-+      # 84    1<<43    KM-XTS-AES-256-MSA10
- 
-  kmc  :
-       # 18    1<<45    KMC-AES-128
-@@ -122,6 +125,10 @@ the numbering is continuous across 64-bit mask boundaries.
-       # 19    1<<44    KMAC-AES-192
-       # 20    1<<43    KMAC-AES-256
-       :
-+      # 112   1<<15    KMAC-SHA-224
-+      # 113   1<<14    KMAC-SHA-256
-+      # 114   1<<13    KMAC-SHA-384
-+      # 115   1<<12    KMAC-SHA-512
- 
-  kmctr:
-       :

openssl-3-add-hw-acceleration-hmac.patch

@@ -1,506 +0,0 @@
-commit 0499de5adda26b1ef09660f70c12b4710b5f7c8a
-Author: Ingo Franzki <ifranzki@linux.ibm.com>
-Date:   Thu Feb 1 15:15:27 2024 +0100
-
-    s390x: Add hardware acceleration for HMAC
-    
-    The CPACF instruction KMAC provides support for accelerating the HMAC
-    algorithm on newer machines for HMAC with SHA-224, SHA-256, SHA-384, and
-    SHA-512.
-    
-    Preliminary measurements showed performance improvements of up to a factor
-    of 2, dependent on the message size, whether chunking is used and the size
-    of the chunks.
-    
-    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
-    
-    Reviewed-by: Paul Dale <ppzgs1@gmail.com>
-    Reviewed-by: Tomas Mraz <tomas@openssl.org>
-    (Merged from https://github.com/openssl/openssl/pull/25161)
-
-Index: openssl-3.2.3/crypto/hmac/build.info
-===================================================================
---- openssl-3.2.3.orig/crypto/hmac/build.info
-+++ openssl-3.2.3/crypto/hmac/build.info
-@@ -2,5 +2,22 @@ LIBS=../../libcrypto
- 
- $COMMON=hmac.c
- 
--SOURCE[../../libcrypto]=$COMMON
--SOURCE[../../providers/libfips.a]=$COMMON
-+IF[{- !$disabled{asm} -}]
-+  IF[{- ($target{perlasm_scheme} // '') ne '31' -}]
-+    $HMACASM_s390x=hmac_s390x.c
-+    $HMACDEF_s390x=OPENSSL_HMAC_S390X
-+  ENDIF
-+
-+  # Now that we have defined all the arch specific variables, use the
-+  # appropriate ones, and define the appropriate macros
-+  IF[$HMACASM_{- $target{asm_arch} -}]
-+    $HMACASM=$HMACASM_{- $target{asm_arch} -}
-+    $HMACDEF=$HMACDEF_{- $target{asm_arch} -}
-+  ENDIF
-+ENDIF
-+
-+DEFINE[../../libcrypto]=$HMACDEF
-+DEFINE[../../providers/libfips.a]=$HMACDEF
-+
-+SOURCE[../../libcrypto]=$COMMON $HMACASM
-+SOURCE[../../providers/libfips.a]=$COMMON $HMACASM
-Index: openssl-3.2.3/crypto/hmac/hmac.c
-===================================================================
---- openssl-3.2.3.orig/crypto/hmac/hmac.c
-+++ openssl-3.2.3/crypto/hmac/hmac.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
-  *
-  * Licensed under the Apache License 2.0 (the "License").  You may not use
-  * this file except in compliance with the License.  You can obtain a copy
-@@ -49,6 +49,12 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
-     if ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0)
-         return 0;
- 
-+#ifdef OPENSSL_HMAC_S390X
-+    rv = s390x_HMAC_init(ctx, key, len, impl);
-+    if (rv >= 1)
-+        return rv;
-+#endif
-+
-     if (key != NULL) {
-         reset = 1;
- 
-@@ -111,6 +117,12 @@ int HMAC_Update(HMAC_CTX *ctx, const uns
- {
-     if (!ctx->md)
-         return 0;
-+
-+#ifdef OPENSSL_HMAC_S390X
-+    if (ctx->plat.s390x.fc)
-+        return s390x_HMAC_update(ctx, data, len);
-+#endif
-+
-     return EVP_DigestUpdate(ctx->md_ctx, data, len);
- }
- 
-@@ -122,6 +134,11 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned c
-     if (!ctx->md)
-         goto err;
- 
-+#ifdef OPENSSL_HMAC_S390X
-+    if (ctx->plat.s390x.fc)
-+        return s390x_HMAC_final(ctx, md, len);
-+#endif
-+
-     if (!EVP_DigestFinal_ex(ctx->md_ctx, buf, &i))
-         goto err;
-     if (!EVP_MD_CTX_copy_ex(ctx->md_ctx, ctx->o_ctx))
-@@ -161,6 +178,10 @@ static void hmac_ctx_cleanup(HMAC_CTX *c
-     EVP_MD_CTX_reset(ctx->o_ctx);
-     EVP_MD_CTX_reset(ctx->md_ctx);
-     ctx->md = NULL;
-+
-+#ifdef OPENSSL_HMAC_S390X
-+    s390x_HMAC_CTX_cleanup(ctx);
-+#endif
- }
- 
- void HMAC_CTX_free(HMAC_CTX *ctx)
-@@ -212,6 +233,12 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_C
-     if (!EVP_MD_CTX_copy_ex(dctx->md_ctx, sctx->md_ctx))
-         goto err;
-     dctx->md = sctx->md;
-+
-+#ifdef OPENSSL_HMAC_S390X
-+    if (s390x_HMAC_CTX_copy(dctx, sctx) == 0)
-+        goto err;
-+#endif
-+
-     return 1;
-  err:
-     hmac_ctx_cleanup(dctx);
-Index: openssl-3.2.3/crypto/hmac/hmac_local.h
-===================================================================
---- openssl-3.2.3.orig/crypto/hmac/hmac_local.h
-+++ openssl-3.2.3/crypto/hmac/hmac_local.h
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
-  *
-  * Licensed under the Apache License 2.0 (the "License").  You may not use
-  * this file except in compliance with the License.  You can obtain a copy
-@@ -10,6 +10,10 @@
- #ifndef OSSL_CRYPTO_HMAC_LOCAL_H
- # define OSSL_CRYPTO_HMAC_LOCAL_H
- 
-+# include "internal/common.h"
-+# include "internal/numbers.h"
-+# include "openssl/sha.h"
-+
- /* The current largest case is for SHA3-224 */
- #define HMAC_MAX_MD_CBLOCK_SIZE     144
- 
-@@ -18,6 +22,45 @@ struct hmac_ctx_st {
-     EVP_MD_CTX *md_ctx;
-     EVP_MD_CTX *i_ctx;
-     EVP_MD_CTX *o_ctx;
-+
-+    /* Platform specific data */
-+    union {
-+        int dummy;
-+# ifdef OPENSSL_HMAC_S390X
-+        struct {
-+            unsigned int fc; /* 0 if not supported by kmac instruction */
-+            int blk_size;
-+            int ikp;
-+            int iimp;
-+            unsigned char *buf;
-+            size_t size; /* must be multiple of digest block size */
-+            size_t num;
-+            union {
-+                OSSL_UNION_ALIGN;
-+                struct {
-+                    uint32_t h[8];
-+                    uint64_t imbl;
-+                    unsigned char key[64];
-+                } hmac_224_256;
-+                struct {
-+                    uint64_t h[8];
-+                    uint128_t imbl;
-+                    unsigned char key[128];
-+                } hmac_384_512;
-+            } param;
-+        } s390x;
-+# endif /* OPENSSL_HMAC_S390X */
-+    } plat;
- };
- 
-+# ifdef OPENSSL_HMAC_S390X
-+#  define HMAC_S390X_BUF_NUM_BLOCKS 64
-+
-+int s390x_HMAC_init(HMAC_CTX *ctx, const void *key, int key_len, ENGINE *impl);
-+int s390x_HMAC_update(HMAC_CTX *ctx, const unsigned char *data, size_t len);
-+int s390x_HMAC_final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len);
-+int s390x_HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx);
-+int s390x_HMAC_CTX_cleanup(HMAC_CTX *ctx);
-+# endif /* OPENSSL_HMAC_S390X */
-+
- #endif
-Index: openssl-3.2.3/crypto/hmac/hmac_s390x.c
-===================================================================
---- /dev/null
-+++ openssl-3.2.3/crypto/hmac/hmac_s390x.c
-@@ -0,0 +1,298 @@
-+/*
-+ * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
-+ *
-+ * Licensed under the Apache License 2.0 (the "License").  You may not use
-+ * this file except in compliance with the License.  You can obtain a copy
-+ * in the file LICENSE in the source distribution or at
-+ * https://www.openssl.org/source/license.html
-+ */
-+
-+#include "crypto/s390x_arch.h"
-+#include "hmac_local.h"
-+#include "openssl/obj_mac.h"
-+#include "openssl/evp.h"
-+
-+#ifdef OPENSSL_HMAC_S390X
-+
-+static int s390x_fc_from_md(const EVP_MD *md)
-+{
-+    int fc;
-+
-+    switch (EVP_MD_get_type(md)) {
-+    case NID_sha224:
-+        fc = S390X_HMAC_SHA_224;
-+        break;
-+    case NID_sha256:
-+        fc = S390X_HMAC_SHA_256;
-+        break;
-+    case NID_sha384:
-+        fc = S390X_HMAC_SHA_384;
-+        break;
-+    case NID_sha512:
-+        fc = S390X_HMAC_SHA_512;
-+        break;
-+    default:
-+        return 0;
-+    }
-+
-+    if ((OPENSSL_s390xcap_P.kmac[1] & S390X_CAPBIT(fc)) == 0)
-+        return 0;
-+
-+    return fc;
-+}
-+
-+static void s390x_call_kmac(HMAC_CTX *ctx, const unsigned char *in, size_t len)
-+{
-+    unsigned int fc = ctx->plat.s390x.fc;
-+
-+    if (ctx->plat.s390x.ikp)
-+        fc |= S390X_KMAC_IKP;
-+
-+    if (ctx->plat.s390x.iimp)
-+        fc |= S390X_KMAC_IIMP;
-+
-+    switch (ctx->plat.s390x.fc) {
-+    case S390X_HMAC_SHA_224:
-+    case S390X_HMAC_SHA_256:
-+        ctx->plat.s390x.param.hmac_224_256.imbl += ((uint64_t)len * 8);
-+        break;
-+    case S390X_HMAC_SHA_384:
-+    case S390X_HMAC_SHA_512:
-+        ctx->plat.s390x.param.hmac_384_512.imbl += ((uint128_t)len * 8);
-+        break;
-+    default:
-+        break;
-+    }
-+
-+    s390x_kmac(in, len, fc, &ctx->plat.s390x.param);
-+
-+    ctx->plat.s390x.ikp = 1;
-+}
-+
-+int s390x_HMAC_init(HMAC_CTX *ctx, const void *key, int key_len, ENGINE *impl)
-+{
-+    unsigned char *key_param;
-+    unsigned int key_param_len;
-+
-+    ctx->plat.s390x.fc = s390x_fc_from_md(ctx->md);
-+    if (ctx->plat.s390x.fc == 0)
-+        return -1; /* Not supported by kmac instruction */
-+
-+    ctx->plat.s390x.blk_size = EVP_MD_get_block_size(ctx->md);
-+    if (ctx->plat.s390x.blk_size < 0)
-+        return 0;
-+
-+    if (ctx->plat.s390x.size !=
-+        (size_t)(ctx->plat.s390x.blk_size * HMAC_S390X_BUF_NUM_BLOCKS)) {
-+        OPENSSL_clear_free(ctx->plat.s390x.buf, ctx->plat.s390x.size);
-+        ctx->plat.s390x.size = 0;
-+        ctx->plat.s390x.buf = OPENSSL_zalloc(ctx->plat.s390x.blk_size *
-+                                             HMAC_S390X_BUF_NUM_BLOCKS);
-+        if (ctx->plat.s390x.buf == NULL)
-+            return 0;
-+        ctx->plat.s390x.size = ctx->plat.s390x.blk_size *
-+            HMAC_S390X_BUF_NUM_BLOCKS;
-+    }
-+    ctx->plat.s390x.num = 0;
-+
-+    ctx->plat.s390x.ikp = 0;
-+    ctx->plat.s390x.iimp = 1;
-+
-+    switch (ctx->plat.s390x.fc) {
-+    case S390X_HMAC_SHA_224:
-+    case S390X_HMAC_SHA_256:
-+        ctx->plat.s390x.param.hmac_224_256.imbl = 0;
-+        OPENSSL_cleanse(ctx->plat.s390x.param.hmac_224_256.h,
-+                        sizeof(ctx->plat.s390x.param.hmac_224_256.h));
-+        break;
-+    case S390X_HMAC_SHA_384:
-+    case S390X_HMAC_SHA_512:
-+        ctx->plat.s390x.param.hmac_384_512.imbl = 0;
-+        OPENSSL_cleanse(ctx->plat.s390x.param.hmac_384_512.h,
-+                        sizeof(ctx->plat.s390x.param.hmac_384_512.h));
-+        break;
-+    default:
-+        return 0;
-+    }
-+
-+    if (key != NULL) {
-+        switch (ctx->plat.s390x.fc) {
-+        case S390X_HMAC_SHA_224:
-+        case S390X_HMAC_SHA_256:
-+            OPENSSL_cleanse(&ctx->plat.s390x.param.hmac_224_256.key,
-+                            sizeof(ctx->plat.s390x.param.hmac_224_256.key));
-+            key_param = ctx->plat.s390x.param.hmac_224_256.key;
-+            key_param_len = sizeof(ctx->plat.s390x.param.hmac_224_256.key);
-+            break;
-+        case S390X_HMAC_SHA_384:
-+        case S390X_HMAC_SHA_512:
-+            OPENSSL_cleanse(&ctx->plat.s390x.param.hmac_384_512.key,
-+                            sizeof(ctx->plat.s390x.param.hmac_384_512.key));
-+            key_param = ctx->plat.s390x.param.hmac_384_512.key;
-+            key_param_len = sizeof(ctx->plat.s390x.param.hmac_384_512.key);
-+            break;
-+        default:
-+            return 0;
-+        }
-+
-+        if (!ossl_assert(ctx->plat.s390x.blk_size <= (int)key_param_len))
-+            return 0;
-+
-+        if (key_len > ctx->plat.s390x.blk_size) {
-+            if (!EVP_DigestInit_ex(ctx->md_ctx, ctx->md, impl)
-+                    || !EVP_DigestUpdate(ctx->md_ctx, key, key_len)
-+                    || !EVP_DigestFinal_ex(ctx->md_ctx, key_param,
-+                                           &key_param_len))
-+                return 0;
-+        } else {
-+            if (key_len < 0 || key_len > (int)key_param_len)
-+                return 0;
-+            memcpy(key_param, key, key_len);
-+            /* remaining key bytes already zeroed out above */
-+        }
-+    }
-+
-+    return 1;
-+}
-+
-+int s390x_HMAC_update(HMAC_CTX *ctx, const unsigned char *data, size_t len)
-+{
-+    size_t remain, num;
-+
-+    if (len == 0)
-+        return 1;
-+
-+    /* buffer is full, process it now */
-+    if (ctx->plat.s390x.num == ctx->plat.s390x.size) {
-+        s390x_call_kmac(ctx, ctx->plat.s390x.buf, ctx->plat.s390x.num);
-+
-+        ctx->plat.s390x.num = 0;
-+    }
-+
-+    remain = ctx->plat.s390x.size - ctx->plat.s390x.num;
-+    if (len > remain) {
-+        /* data does not fit into buffer */
-+        if (ctx->plat.s390x.num > 0) {
-+            /* first fill buffer and process it */
-+            memcpy(&ctx->plat.s390x.buf[ctx->plat.s390x.num], data, remain);
-+            ctx->plat.s390x.num += remain;
-+
-+            s390x_call_kmac(ctx, ctx->plat.s390x.buf, ctx->plat.s390x.num);
-+
-+            ctx->plat.s390x.num = 0;
-+
-+            data += remain;
-+            len -= remain;
-+        }
-+
-+        if (!ossl_assert(ctx->plat.s390x.num == 0))
-+            return 0;
-+
-+        if (len > ctx->plat.s390x.size) {
-+            /*
-+             * remaining data is still larger than buffer, process remaining
-+             * full blocks of input directly
-+             */
-+            remain = len % ctx->plat.s390x.blk_size;
-+            num = len - remain;
-+
-+            s390x_call_kmac(ctx, data, num);
-+
-+            data += num;
-+            len -= num;
-+        }
-+    }
-+
-+    /* add remaining input data (which is < buffer size) to buffer */
-+    if (!ossl_assert(len <= ctx->plat.s390x.size))
-+        return 0;
-+
-+    if (len > 0) {
-+        memcpy(&ctx->plat.s390x.buf[ctx->plat.s390x.num], data, len);
-+        ctx->plat.s390x.num += len;
-+    }
-+
-+    return 1;
-+}
-+
-+int s390x_HMAC_final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len)
-+{
-+    void *result;
-+    unsigned int res_len;
-+
-+    ctx->plat.s390x.iimp = 0; /* last block */
-+    s390x_call_kmac(ctx, ctx->plat.s390x.buf, ctx->plat.s390x.num);
-+
-+    ctx->plat.s390x.num = 0;
-+
-+    switch (ctx->plat.s390x.fc) {
-+    case S390X_HMAC_SHA_224:
-+        result = &ctx->plat.s390x.param.hmac_224_256.h[0];
-+        res_len = SHA224_DIGEST_LENGTH;
-+        break;
-+    case S390X_HMAC_SHA_256:
-+        result = &ctx->plat.s390x.param.hmac_224_256.h[0];
-+        res_len = SHA256_DIGEST_LENGTH;
-+        break;
-+    case S390X_HMAC_SHA_384:
-+        result = &ctx->plat.s390x.param.hmac_384_512.h[0];
-+        res_len = SHA384_DIGEST_LENGTH;
-+        break;
-+    case S390X_HMAC_SHA_512:
-+        result = &ctx->plat.s390x.param.hmac_384_512.h[0];
-+        res_len = SHA512_DIGEST_LENGTH;
-+        break;
-+    default:
-+        return 0;
-+    }
-+
-+    memcpy(md, result, res_len);
-+    if (len != NULL)
-+        *len = res_len;
-+
-+    return 1;
-+}
-+
-+int s390x_HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx)
-+{
-+    dctx->plat.s390x.fc = sctx->plat.s390x.fc;
-+    dctx->plat.s390x.blk_size = sctx->plat.s390x.blk_size;
-+    dctx->plat.s390x.ikp = sctx->plat.s390x.ikp;
-+    dctx->plat.s390x.iimp = sctx->plat.s390x.iimp;
-+
-+    memcpy(&dctx->plat.s390x.param, &sctx->plat.s390x.param,
-+           sizeof(dctx->plat.s390x.param));
-+
-+    dctx->plat.s390x.buf = NULL;
-+    if (sctx->plat.s390x.buf != NULL) {
-+        dctx->plat.s390x.buf = OPENSSL_memdup(sctx->plat.s390x.buf,
-+                                              sctx->plat.s390x.size);
-+        if (dctx->plat.s390x.buf == NULL)
-+            return 0;
-+    }
-+
-+    dctx->plat.s390x.size = sctx->plat.s390x.size;
-+    dctx->plat.s390x.num = sctx->plat.s390x.num;
-+
-+    return 1;
-+}
-+
-+int s390x_HMAC_CTX_cleanup(HMAC_CTX *ctx)
-+{
-+    OPENSSL_clear_free(ctx->plat.s390x.buf, ctx->plat.s390x.size);
-+    ctx->plat.s390x.buf = NULL;
-+    ctx->plat.s390x.size = 0;
-+    ctx->plat.s390x.num = 0;
-+
-+    OPENSSL_cleanse(&ctx->plat.s390x.param, sizeof(ctx->plat.s390x.param));
-+
-+    ctx->plat.s390x.blk_size = 0;
-+    ctx->plat.s390x.ikp = 0;
-+    ctx->plat.s390x.iimp = 1;
-+
-+    ctx->plat.s390x.fc = 0;
-+
-+    return 1;
-+}
-+
-+#endif
-Index: openssl-3.2.3/crypto/s390x_arch.h
-===================================================================
---- openssl-3.2.3.orig/crypto/s390x_arch.h
-+++ openssl-3.2.3/crypto/s390x_arch.h
-@@ -192,5 +192,8 @@ extern int OPENSSL_s390xcex;
- # define S390X_KMA_HS           0x400
- # define S390X_KDSA_D           0x80
- # define S390X_KLMD_PS          0x100
-+# define S390X_KMAC_IKP         0x8000
-+# define S390X_KMAC_IIMP        0x4000
-+# define S390X_KMAC_CCUP        0x2000
- 
- #endif

openssl-3-add-xof-state-handling-s3_absorb.patch

@@ -1,32 +0,0 @@
-commit 1337b50936ed190a98af1ee6601d857b42a3d296
-Author: Holger Dengler <dengler@linux.ibm.com>
-Date:   Wed Sep 27 21:54:34 2023 +0200
-
-    Add xof state handing for generic sha3 absorb.
-    
-    The digest life-cycle diagram specifies state transitions to `updated`
-    (aka XOF_STATE_ABSORB) only from `initialised` and `updated`. Add this
-    checking to the generic sha3 absorb implementation.
-    
-    Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
-    
-    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
-    Reviewed-by: Todd Short <todd.short@me.com>
-    Reviewed-by: Tomas Mraz <tomas@openssl.org>
-    (Merged from https://github.com/openssl/openssl/pull/22221)
-
-Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
-===================================================================
---- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
-+++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
-@@ -143,6 +143,10 @@ static size_t generic_sha3_absorb(void *
- {
-     KECCAK1600_CTX *ctx = vctx;
- 
-+    if (!(ctx->xof_state == XOF_STATE_INIT ||
-+          ctx->xof_state == XOF_STATE_ABSORB))
-+        return 0;
-+    ctx->xof_state = XOF_STATE_ABSORB;
-     return SHA3_absorb(ctx->A, inp, len, ctx->block_size);
- }
- 

openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch

@@ -1,90 +0,0 @@
-commit a75d62637aa165a7f37e39a3a36e2a8b089913bc
-Author: Ingo Franzki <ifranzki@linux.ibm.com>
-Date:   Mon Aug 26 11:26:03 2024 +0200
-
-    s390x: Disable HMAC hardware acceleration when an engine is used for the digest
-    
-    The TLSProxy uses the 'ossltest' engine to produce known output for digests
-    and HMAC calls. However, when running on a s390x system that supports
-    hardware acceleration of HMAC, the engine is not used for calculating HMACs,
-    but the s390x specific HMAC implementation is used, which does produce correct
-    output, but not the known output that the engine would produce. This causes
-    some tests (i.e. test_key_share, test_sslextension, test_sslrecords,
-    test_sslvertol, and test_tlsextms) to fail.
-    
-    Disable the s390x HMAC hardware acceleration if an engine is used for the
-    digest of the HMAC calculation. This provides compatibility for engines that
-    provide digest implementations, and assume that these implementations are also
-    used when calculating an HMAC.
-    
-    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
-    
-    Reviewed-by: Neil Horman <nhorman@openssl.org>
-    Reviewed-by: Tomas Mraz <tomas@openssl.org>
-    (Merged from https://github.com/openssl/openssl/pull/25287)
-
-diff --git a/crypto/hmac/hmac_s390x.c b/crypto/hmac/hmac_s390x.c
-index 5db7e9a221..02e1cd1dd6 100644
---- a/crypto/hmac/hmac_s390x.c
-+++ b/crypto/hmac/hmac_s390x.c
-@@ -7,10 +7,16 @@
-  * https://www.openssl.org/source/license.html
-  */
- 
-+/* We need to use some engine deprecated APIs */
-+#define OPENSSL_SUPPRESS_DEPRECATED
-+
- #include "crypto/s390x_arch.h"
- #include "hmac_local.h"
- #include "openssl/obj_mac.h"
- #include "openssl/evp.h"
-+#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
-+# include <openssl/engine.h>
-+#endif
- 
- #ifdef OPENSSL_HMAC_S390X
- 
-@@ -63,6 +69,31 @@ static void s390x_call_kmac(HMAC_CTX *ctx, const unsigned char *in, size_t len)
-     ctx->plat.s390x.ikp = 1;
- }
- 
-+static int s390x_check_engine_used(const EVP_MD *md, ENGINE *impl)
-+{
-+# if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
-+    const EVP_MD *d;
-+
-+    if (impl != NULL) {
-+        if (!ENGINE_init(impl))
-+            return 0;
-+    } else {
-+        impl = ENGINE_get_digest_engine(EVP_MD_get_type(md));
-+    }
-+
-+    if (impl == NULL)
-+        return 0;
-+
-+    d = ENGINE_get_digest(impl, EVP_MD_get_type(md));
-+    ENGINE_finish(impl);
-+
-+    if (d != NULL)
-+        return 1;
-+# endif
-+
-+    return 0;
-+}
-+
- int s390x_HMAC_init(HMAC_CTX *ctx, const void *key, int key_len, ENGINE *impl)
- {
-     unsigned char *key_param;
-@@ -72,6 +103,11 @@ int s390x_HMAC_init(HMAC_CTX *ctx, const void *key, int key_len, ENGINE *impl)
-     if (ctx->plat.s390x.fc == 0)
-         return -1; /* Not supported by kmac instruction */
- 
-+    if (s390x_check_engine_used(ctx->md, impl)) {
-+        ctx->plat.s390x.fc = 0;
-+        return -1; /* An engine handles the digest, disable acceleration */
-+    }
-+
-     ctx->plat.s390x.blk_size = EVP_MD_get_block_size(ctx->md);
-     if (ctx->plat.s390x.blk_size < 0)
-         return 0;

openssl-3-fix-hmac-digest-detection-s390x.patch

@@ -1,49 +0,0 @@
-commit d5b3c0e24bc56614e92ffafdd705622beaef420a
-Author: Ingo Franzki <ifranzki@linux.ibm.com>
-Date:   Wed Aug 28 14:56:33 2024 +0200
-
-    s390x: Fix HMAC digest detection
-    
-    Use EVP_MD_is_a() instead of EVP_MD_get_type() to detect the digest
-    type. EVP_MD_get_type() does not always return the expected NID, e.g.
-    when running in the FIPS provider, EVP_MD_get_type() returns zero,
-    causing to skip the HMAC acceleration path.
-    
-    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
-    
-    Reviewed-by: Paul Dale <ppzgs1@gmail.com>
-    Reviewed-by: Tomas Mraz <tomas@openssl.org>
-    (Merged from https://github.com/openssl/openssl/pull/25304)
-
-diff --git a/crypto/hmac/hmac_s390x.c b/crypto/hmac/hmac_s390x.c
-index 8b0da0d59d..5db7e9a221 100644
---- a/crypto/hmac/hmac_s390x.c
-+++ b/crypto/hmac/hmac_s390x.c
-@@ -18,22 +18,16 @@ static int s390x_fc_from_md(const EVP_MD *md)
- {
-     int fc;
- 
--    switch (EVP_MD_get_type(md)) {
--    case NID_sha224:
-+    if (EVP_MD_is_a(md, "SHA2-224"))
-         fc = S390X_HMAC_SHA_224;
--        break;
--    case NID_sha256:
-+    else if (EVP_MD_is_a(md, "SHA2-256"))
-         fc = S390X_HMAC_SHA_256;
--        break;
--    case NID_sha384:
-+    else if (EVP_MD_is_a(md, "SHA2-384"))
-         fc = S390X_HMAC_SHA_384;
--        break;
--    case NID_sha512:
-+    else if (EVP_MD_is_a(md, "SHA2-512"))
-         fc = S390X_HMAC_SHA_512;
--        break;
--    default:
-+    else
-         return 0;
--    }
- 
-     if ((OPENSSL_s390xcap_P.kmac[1] & S390X_CAPBIT(fc)) == 0)
-         return 0;

openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch

@@ -1,28 +0,0 @@
-commit 19b87d2d2b022c20dd9043c3b6d021315011b45f
-Author: Ingo Franzki <ifranzki@linux.ibm.com>
-Date:   Tue Aug 20 11:35:20 2024 +0200
-
-    s390x: Fix memory leak in s390x_HMAC_CTX_copy()
-    
-    When s390x_HMAC_CTX_copy() is called, but the destination context already
-    has a buffer allocated, it is not freed before duplicating the buffer from
-    the source context.
-    
-    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
-    
-    Reviewed-by: Paul Dale <ppzgs1@gmail.com>
-    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
-    (Merged from https://github.com/openssl/openssl/pull/25238)
-
-diff --git a/crypto/hmac/hmac_s390x.c b/crypto/hmac/hmac_s390x.c
-index 1124d9bc5d..8b0da0d59d 100644
---- a/crypto/hmac/hmac_s390x.c
-+++ b/crypto/hmac/hmac_s390x.c
-@@ -263,6 +263,7 @@ int s390x_HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx)
-     memcpy(&dctx->plat.s390x.param, &sctx->plat.s390x.param,
-            sizeof(dctx->plat.s390x.param));
- 
-+    OPENSSL_clear_free(dctx->plat.s390x.buf, dctx->plat.s390x.size);
-     dctx->plat.s390x.buf = NULL;
-     if (sctx->plat.s390x.buf != NULL) {
-         dctx->plat.s390x.buf = OPENSSL_memdup(sctx->plat.s390x.buf,

openssl-3-fix-quic_multistream_test.patch

@@ -1,25 +0,0 @@
-From b5795e3ed3ec38ef4686a5b7ff03bfd60183cb71 Mon Sep 17 00:00:00 2001
-From: "Randall S. Becker" <randall.becker@nexbridge.ca>
-Date: Mon, 20 May 2024 22:23:04 +0000
-Subject: [PATCH] Added an explicit yield (OP_SLEEP) to QUIC testing for
- cooperative threading.
-
-Fixes: #24442
-
-Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>
----
- test/quic_multistream_test.c | 1 +
- 1 file changed, 1 insertion(+)
-
-Index: openssl-3.2.3/test/quic_multistream_test.c
-===================================================================
---- openssl-3.2.3.orig/test/quic_multistream_test.c
-+++ openssl-3.2.3/test/quic_multistream_test.c
-@@ -2397,6 +2397,7 @@ static const struct script_op script_13_
- 
-     OP_C_ACCEPT_STREAM_WAIT (a)
-     OP_C_READ_EXPECT        (a, "foo", 3)
-+    OP_SLEEP                (10)
-     OP_C_EXPECT_FIN         (a)
-     OP_C_FREE_STREAM        (a)
- 

openssl-3-fix-s390x_sha3_absorb.patch

@@ -1,50 +0,0 @@
-From 979dc530010e3c0f045edf6e38c7ab894ffba7f2 Mon Sep 17 00:00:00 2001
-From: Ingo Franzki <ifranzki@linux.ibm.com>
-Date: Thu, 5 Sep 2024 08:45:29 +0200
-Subject: [PATCH] s390x: Fix s390x_sha3_absorb() when no data is processed by
- KIMD
-
-If the data to absorb is less than a block, then the KIMD instruction is
-called with zero bytes. This is superfluous, and causes incorrect hash
-output later on if this is the very first absorb call, i.e. when the
-xof_state is still XOF_STATE_INIT and MSA 12 is available. In this case
-the NIP flag is set in the function code for KIMD, but KIMD ignores the
-NIP flag when it is called with zero bytes to process.
-
-Skip any KIMD calls for zero length data. Also do not set the xof_state
-to XOF_STATE_ABSORB until the first call to KIMD with data. That way,
-the next KIMD (with non-zero length data) or KLMD call will get the NIP
-flag set and will then honor it to produce correct output.
-
-Fixes: https://github.com/openssl/openssl/commit/25f5d7b85f6657cd2f9f1ab7ae87f319d9bafe54
-
-Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
-
-Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/25388)
----
- providers/implementations/digests/sha3_prov.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
-===================================================================
---- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
-+++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
-@@ -192,10 +192,12 @@ static size_t s390x_sha3_absorb(void *vc
-     if (!(ctx->xof_state == XOF_STATE_INIT ||
-           ctx->xof_state == XOF_STATE_ABSORB))
-         return 0;
--    fc = ctx->pad;
--    fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0;
--    ctx->xof_state = XOF_STATE_ABSORB;
--    s390x_kimd(inp, len - rem, fc, ctx->A);
-+    if (len - rem > 0) {
-+        fc = ctx->pad;
-+        fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0;
-+        ctx->xof_state = XOF_STATE_ABSORB;
-+        s390x_kimd(inp, len - rem, fc, ctx->A);
-+    }
-     return rem;
- }
- 

openssl-3-fix-s390x_shake_squeeze.patch

@@ -1,98 +0,0 @@
-From dc5afb7e87ee448f4fecad0dc624c643505ba7f1 Mon Sep 17 00:00:00 2001
-From: Ingo Franzki <ifranzki@linux.ibm.com>
-Date: Wed, 4 Sep 2024 13:42:09 +0200
-Subject: [PATCH] s390x: Fix s390x_shake_squeeze() when MSA 12 is available
-
-On the first squeeze call, when finishing the absorb process, also set
-the NIP flag, if we are still in XOF_STATE_INIT state. When MSA 12 is
-available, the state buffer A has not been zeroed during initialization,
-thus we must also pass the NIP flag here. This situation can happen
-when a squeeze is performed without a preceding absorb (i.e. a SHAKE
-of the empty message).
-
-Add a test that performs a squeeze without a preceding absorb and check
-if the result is correct.
-
-Fixes: https://github.com/openssl/openssl/commit/25f5d7b85f6657cd2f9f1ab7ae87f319d9bafe54
-
-Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
-
-Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/25388)
----
- providers/implementations/digests/sha3_prov.c |  5 +++-
- test/evp_xof_test.c                           | 29 +++++++++++++++++++
- 2 files changed, 33 insertions(+), 1 deletion(-)
-
-Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
-===================================================================
---- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
-+++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
-@@ -239,6 +239,7 @@ static int s390x_shake_final(void *vctx,
- static int s390x_shake_squeeze(void *vctx, unsigned char *out, size_t outlen)
- {
-     KECCAK1600_CTX *ctx = vctx;
-+    unsigned int fc;
-     size_t len;
- 
-     if (!ossl_prov_is_running())
-@@ -249,8 +250,10 @@ static int s390x_shake_squeeze(void *vct
-      * On the first squeeze call, finish the absorb process (incl. padding).
-      */
-     if (ctx->xof_state != XOF_STATE_SQUEEZE) {
-+        fc = ctx->pad;
-+        fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KLMD_NIP : 0;
-         ctx->xof_state = XOF_STATE_SQUEEZE;
--        s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, ctx->pad, ctx->A);
-+        s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, fc, ctx->A);
-         ctx->bufsz = outlen % ctx->block_size;
-         /* reuse ctx->bufsz to count bytes squeezed from current sponge */
-         return 1;
-Index: openssl-3.2.3/test/evp_xof_test.c
-===================================================================
---- openssl-3.2.3.orig/test/evp_xof_test.c
-+++ openssl-3.2.3/test/evp_xof_test.c
-@@ -479,6 +479,34 @@ err:
-     return ret;
- }
- 
-+/* Test that a squeeze without a preceding absorb works */
-+static int shake_squeeze_no_absorb_test(void)
-+{
-+    int ret = 0;
-+    EVP_MD_CTX *ctx = NULL;
-+    unsigned char out[1000];
-+    unsigned char out2[1000];
-+    const char *alg = "SHAKE128";
-+
-+    if (!TEST_ptr(ctx = shake_setup(alg))
-+        || !TEST_true(EVP_DigestFinalXOF(ctx, out, sizeof(out))))
-+        goto err;
-+
-+    if (!TEST_true(EVP_DigestInit_ex2(ctx, NULL, NULL))
-+        || !TEST_true(EVP_DigestSqueeze(ctx, out2, sizeof(out2) / 2))
-+        || !TEST_true(EVP_DigestSqueeze(ctx, out2 + sizeof(out2) / 2,
-+                                        sizeof(out2) / 2)))
-+        goto err;
-+
-+    if (!TEST_mem_eq(out2, sizeof(out2), out, sizeof(out)))
-+        goto err;
-+    ret = 1;
-+
-+err:
-+    EVP_MD_CTX_free(ctx);
-+    return ret;
-+}
-+
- int setup_tests(void)
- {
-     ADD_TEST(shake_kat_test);
-@@ -488,5 +516,7 @@ int setup_tests(void)
-     ADD_ALL_TESTS(shake_squeeze_kat_test, OSSL_NELEM(stride_tests));
-     ADD_ALL_TESTS(shake_squeeze_large_test, OSSL_NELEM(stride_tests));
-     ADD_ALL_TESTS(shake_squeeze_dup_test, OSSL_NELEM(dupoffset_tests));
-+    ADD_TEST(shake_squeeze_no_absorb_test);
-+
-     return 1;
- }

openssl-3-fix-sha3-squeeze-ppc64.patch

@@ -1,31 +0,0 @@
-commit ed5e478261127cafe9c3f86c4992eab1e5c7ebb1
-Author: Rohan McLure <rmclure@linux.ibm.com>
-Date:   Tue Nov 14 14:14:33 2023 +1100
-
-    ppc64: Fix SHA3_squeeze
-    
-    Fix the conditional on the 'next' parameter passed into SHA3_squeeze.
-    
-    Reported-by: David Benjamin <davidben@davidben.net>
-    Signed-off-by: Rohan McLure <rmclure@linux.ibm.com>
-    
-    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
-    Reviewed-by: Paul Dale <pauli@openssl.org>
-    Reviewed-by: Tomas Mraz <tomas@openssl.org>
-    (Merged from https://github.com/openssl/openssl/pull/22722)
-
-diff --git a/crypto/sha/asm/keccak1600-ppc64.pl b/crypto/sha/asm/keccak1600-ppc64.pl
-index 3f8ba817f8..fe7d6db20e 100755
---- a/crypto/sha/asm/keccak1600-ppc64.pl
-+++ b/crypto/sha/asm/keccak1600-ppc64.pl
-@@ -668,8 +668,8 @@ SHA3_squeeze:
- 	subi	$out,r4,1		; prepare for stbu
- 	mr	$len,r5
- 	mr	$bsz,r6
--	${UCMP}i r7,1                   ; r7 = 'next' argument
--	blt	.Lnext_block
-+	${UCMP}i r7,0                   ; r7 = 'next' argument
-+	bne	.Lnext_block
- 	b	.Loop_squeeze
- 
- .align	4

openssl-3-fix-state-handling-keccak_final_s390x.patch

@@ -1,32 +0,0 @@
-commit 1022131d16e30cfbf896e02419019de48e8e1149
-Author: Holger Dengler <dengler@linux.ibm.com>
-Date:   Wed Sep 27 15:43:18 2023 +0200
-
-    Fix state handling of keccak_final for s390x.
-    
-    The digest life-cycle state diagram has been updated for XOF. Fix the
-    state handling in s390x_keccac_final() according to the updated state
-    diagram.
-    
-    Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
-    
-    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
-    Reviewed-by: Todd Short <todd.short@me.com>
-    Reviewed-by: Tomas Mraz <tomas@openssl.org>
-    (Merged from https://github.com/openssl/openssl/pull/22221)
-
-diff --git a/providers/implementations/digests/sha3_prov.c b/providers/implementations/digests/sha3_prov.c
-index 34620cf95a..f691273baf 100644
---- a/providers/implementations/digests/sha3_prov.c
-+++ b/providers/implementations/digests/sha3_prov.c
-@@ -235,6 +235,10 @@ static int s390x_keccakc_final(void *vctx, unsigned char *out, size_t outlen,
- 
-     if (!ossl_prov_is_running())
-         return 0;
-+    if (!(ctx->xof_state == XOF_STATE_INIT ||
-+          ctx->xof_state == XOF_STATE_ABSORB))
-+        return 0;
-+    ctx->xof_state = XOF_STATE_FINAL;
-     if (outlen == 0)
-         return 1;
-     memset(ctx->buf + num, 0, bsz - num);

openssl-3-fix-state-handling-sha3_absorb_s390x.patch

@@ -1,32 +0,0 @@
-commit 7aa45b8bb3269e881d0378aa785ff344efdd2897
-Author: Holger Dengler <dengler@linux.ibm.com>
-Date:   Wed Sep 27 15:36:23 2023 +0200
-
-    Fix state handling of sha3_absorb for s390x.
-    
-    The digest life-cycle state diagram has been updated for XOF. Fix the
-    state handling in s390x_sha3_aborb() according to the updated state
-    diagram.
-    
-    Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
-    
-    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
-    Reviewed-by: Todd Short <todd.short@me.com>
-    Reviewed-by: Tomas Mraz <tomas@openssl.org>
-    (Merged from https://github.com/openssl/openssl/pull/22221)
-
-Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
-===================================================================
---- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
-+++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
-@@ -188,6 +188,10 @@ static size_t s390x_sha3_absorb(void *vc
-     KECCAK1600_CTX *ctx = vctx;
-     size_t rem = len % ctx->block_size;
- 
-+    if (!(ctx->xof_state == XOF_STATE_INIT ||
-+          ctx->xof_state == XOF_STATE_ABSORB))
-+        return 0;
-+    ctx->xof_state = XOF_STATE_ABSORB;
-     s390x_kimd(inp, len - rem, ctx->pad, ctx->A);
-     return rem;
- }

openssl-3-fix-state-handling-sha3_final_s390x.patch

@@ -1,32 +0,0 @@
-commit 017acc58f6b67d5b347db411a7a1c4e890434f42
-Author: Holger Dengler <dengler@linux.ibm.com>
-Date:   Wed Sep 27 15:36:59 2023 +0200
-
-    Fix state handling of sha3_final for s390x.
-    
-    The digest life-cycle state diagram has been updated for XOF. Fix the
-    state handling in s390x_sha3_final() according to the updated state
-    diagram.
-    
-    Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
-    
-    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
-    Reviewed-by: Todd Short <todd.short@me.com>
-    Reviewed-by: Tomas Mraz <tomas@openssl.org>
-    (Merged from https://github.com/openssl/openssl/pull/22221)
-
-Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
-===================================================================
---- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
-+++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
-@@ -202,6 +202,10 @@ static int s390x_sha3_final(void *vctx,
- 
-     if (!ossl_prov_is_running())
-         return 0;
-+    if (!(ctx->xof_state == XOF_STATE_INIT ||
-+          ctx->xof_state == XOF_STATE_ABSORB))
-+        return 0;
-+    ctx->xof_state = XOF_STATE_FINAL;
-     s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, ctx->pad, ctx->A);
-     memcpy(out, ctx->A, outlen);
-     return 1;

openssl-3-fix-state-handling-shake_final_s390x.patch

@@ -1,32 +0,0 @@
-commit 288fbb4b71343516cee6f6a44b9ec55d82fb1532
-Author: Holger Dengler <dengler@linux.ibm.com>
-Date:   Wed Sep 27 15:37:29 2023 +0200
-
-    Fix state handling of shake_final for s390x.
-    
-    The digest life-cycle state diagram has been updated for XOF. Fix the
-    state handling in s390x_shake_final() according to the updated state
-    diagram.
-    
-    Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
-    
-    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
-    Reviewed-by: Todd Short <todd.short@me.com>
-    Reviewed-by: Tomas Mraz <tomas@openssl.org>
-    (Merged from https://github.com/openssl/openssl/pull/22221)
-
-Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
-===================================================================
---- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
-+++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
-@@ -217,6 +217,10 @@ static int s390x_shake_final(void *vctx,
- 
-     if (!ossl_prov_is_running())
-         return 0;
-+    if (!(ctx->xof_state == XOF_STATE_INIT ||
-+          ctx->xof_state == XOF_STATE_ABSORB))
-+        return 0;
-+    ctx->xof_state = XOF_STATE_FINAL;
-     s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, ctx->pad, ctx->A);
-     return 1;
- }

openssl-3-hw-acceleration-aes-xts-s390x.patch

@@ -1,327 +0,0 @@
-commit 9cd4051e47c8da8398f93f42f0f56750552965f4
-Author: Holger Dengler <dengler@linux.ibm.com>
-Date:   Tue Aug 6 14:00:49 2024 +0200
-
-    s390x: Add hardware acceleration for full AES-XTS
-    
-    The CPACF instruction KM provides support for accelerating the full
-    AES-XTS algorithm on newer machines for AES_XTS_128 and AES_XTS_256.
-    
-    Preliminary measurements showed performance improvements of up to 50%,
-    dependent on the message size.
-    
-    Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
-    
-    Reviewed-by: Tomas Mraz <tomas@openssl.org>
-    Reviewed-by: Paul Dale <pauli@openssl.org>
-    (Merged from https://github.com/openssl/openssl/pull/25414)
-
-diff --git a/providers/implementations/ciphers/build.info b/providers/implementations/ciphers/build.info
-index 5eb705969f..1837070c21 100644
---- a/providers/implementations/ciphers/build.info
-+++ b/providers/implementations/ciphers/build.info
-@@ -71,6 +71,19 @@ IF[{- !$disabled{asm} -}]
-   ENDIF
- ENDIF
- 
-+IF[{- !$disabled{asm} -}]
-+  IF[{- ($target{perlasm_scheme} // '') ne '31' -}]
-+    $AESXTSDEF_s390x=AES_XTS_S390X
-+  ENDIF
-+
-+  # Now that we have defined all the arch specific variables, use the
-+  # appropriate one, and define the appropriate macros
-+
-+  IF[$AESXTSDEF_{- $target{asm_arch} -}]
-+    $AESXTSDEF=$AESXTSDEF_{- $target{asm_arch} -}
-+  ENDIF
-+ENDIF
-+
- # This source is common building blocks for all ciphers in all our providers.
- SOURCE[$COMMON_GOAL]=\
-         ciphercommon.c ciphercommon_hw.c ciphercommon_block.c \
-@@ -93,6 +106,7 @@ SOURCE[$AES_GOAL]=\
-         cipher_aes_cbc_hmac_sha.c \
-         cipher_aes_cbc_hmac_sha256_hw.c cipher_aes_cbc_hmac_sha1_hw.c \
-         cipher_cts.c
-+DEFINE[$AES_GOAL]=$AESXTSDEF
- 
- # Extra code to satisfy the FIPS and non-FIPS separation.
- # When the AES-xxx-XTS moves to legacy, cipher_aes_xts_fips.c can be removed.
-diff --git a/providers/implementations/ciphers/cipher_aes_xts.c b/providers/implementations/ciphers/cipher_aes_xts.c
-index cce2537ea7..2287834d62 100644
---- a/providers/implementations/ciphers/cipher_aes_xts.c
-+++ b/providers/implementations/ciphers/cipher_aes_xts.c
-@@ -62,6 +62,10 @@ static int aes_xts_check_keys_differ(const unsigned char *key, size_t bytes,
-     return 1;
- }
- 
-+#ifdef AES_XTS_S390X
-+# include "cipher_aes_xts_s390x.inc"
-+#endif
-+
- /*-
-  * Provider dispatch functions
-  */
-@@ -98,6 +102,10 @@ static int aes_xts_einit(void *vctx, const unsigned char *key, size_t keylen,
-                          const unsigned char *iv, size_t ivlen,
-                          const OSSL_PARAM params[])
- {
-+#ifdef AES_XTS_S390X
-+    if (s390x_aes_xts_einit(vctx, key, keylen, iv, ivlen, params) == 1)
-+        return 1;
-+#endif
-     return aes_xts_init(vctx, key, keylen, iv, ivlen, params, 1);
- }
- 
-@@ -105,6 +113,10 @@ static int aes_xts_dinit(void *vctx, const unsigned char *key, size_t keylen,
-                          const unsigned char *iv, size_t ivlen,
-                          const OSSL_PARAM params[])
- {
-+#ifdef AES_XTS_S390X
-+    if (s390x_aes_xts_dinit(vctx, key, keylen, iv, ivlen, params) == 1)
-+        return 1;
-+#endif
-     return aes_xts_init(vctx, key, keylen, iv, ivlen, params, 0);
- }
- 
-@@ -137,6 +149,11 @@ static void *aes_xts_dupctx(void *vctx)
-     if (!ossl_prov_is_running())
-         return NULL;
- 
-+#ifdef AES_XTS_S390X
-+    if (in->plat.s390x.fc)
-+        return s390x_aes_xts_dupctx(vctx);
-+#endif
-+
-     if (in->xts.key1 != NULL) {
-         if (in->xts.key1 != &in->ks1)
-             return NULL;
-@@ -157,6 +174,11 @@ static int aes_xts_cipher(void *vctx, unsigned char *out, size_t *outl,
- {
-     PROV_AES_XTS_CTX *ctx = (PROV_AES_XTS_CTX *)vctx;
- 
-+#ifdef AES_XTS_S390X
-+    if (ctx->plat.s390x.fc)
-+        return s390x_aes_xts_cipher(vctx, out, outl, outsize, in, inl);
-+#endif
-+
-     if (!ossl_prov_is_running()
-             || ctx->xts.key1 == NULL
-             || ctx->xts.key2 == NULL
-diff --git a/providers/implementations/ciphers/cipher_aes_xts.h b/providers/implementations/ciphers/cipher_aes_xts.h
-index afc42ef444..56891ca98c 100644
---- a/providers/implementations/ciphers/cipher_aes_xts.h
-+++ b/providers/implementations/ciphers/cipher_aes_xts.h
-@@ -22,6 +22,14 @@ PROV_CIPHER_FUNC(void, xts_stream,
-                   const AES_KEY *key1, const AES_KEY *key2,
-                   const unsigned char iv[16]));
- 
-+#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
-+typedef struct S390X_km_xts_params_st {
-+    unsigned char key[64];
-+    unsigned char tweak[16];
-+    unsigned char nap[16];
-+} S390X_KM_XTS_PARAMS;
-+#endif
-+
- typedef struct prov_aes_xts_ctx_st {
-     PROV_CIPHER_CTX base;      /* Must be first */
-     union {
-@@ -30,6 +38,23 @@ typedef struct prov_aes_xts_ctx_st {
-     } ks1, ks2;                /* AES key schedules to use */
-     XTS128_CONTEXT xts;
-     OSSL_xts_stream_fn stream;
-+
-+    /* Platform specific data */
-+    union {
-+        int dummy;
-+#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
-+        struct {
-+            union {
-+                OSSL_UNION_ALIGN;
-+                S390X_KM_XTS_PARAMS km;
-+            } param;
-+            size_t offset;
-+            unsigned int fc;
-+            unsigned int iv_set : 1;
-+            unsigned int key_set : 1;
-+        } s390x;
-+#endif
-+    } plat;
- } PROV_AES_XTS_CTX;
- 
- const PROV_CIPHER_HW *ossl_prov_cipher_hw_aes_xts(size_t keybits);
-diff --git a/providers/implementations/ciphers/cipher_aes_xts_s390x.inc b/providers/implementations/ciphers/cipher_aes_xts_s390x.inc
-new file mode 100644
-index 0000000000..77341b3bbd
---- /dev/null
-+++ b/providers/implementations/ciphers/cipher_aes_xts_s390x.inc
-@@ -0,0 +1,167 @@
-+/*
-+ * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
-+ *
-+ * Licensed under the Apache License 2.0 (the "License").  You may not use
-+ * this file except in compliance with the License.  You can obtain a copy
-+ * in the file LICENSE in the source distribution or at
-+ * https://www.openssl.org/source/license.html
-+ */
-+
-+#include "crypto/s390x_arch.h"
-+
-+static OSSL_FUNC_cipher_encrypt_init_fn s390x_aes_xts_einit;
-+static OSSL_FUNC_cipher_decrypt_init_fn s390x_aes_xts_dinit;
-+static OSSL_FUNC_cipher_cipher_fn s390x_aes_xts_cipher;
-+static OSSL_FUNC_cipher_dupctx_fn s390x_aes_xts_dupctx;
-+
-+static int s390x_aes_xts_init(void *vctx, const unsigned char *key,
-+                              size_t keylen, const unsigned char *iv,
-+                              size_t ivlen, const OSSL_PARAM params[],
-+                              unsigned int dec)
-+{
-+    PROV_AES_XTS_CTX *xctx = (PROV_AES_XTS_CTX *)vctx;
-+    S390X_KM_XTS_PARAMS *km = &xctx->plat.s390x.param.km;
-+    unsigned int fc, offs;
-+
-+    switch (xctx->base.keylen) {
-+    case 128 / 8 * 2:
-+        fc = S390X_XTS_AES_128_MSA10;
-+        offs = 32;
-+        break;
-+    case 256 / 8 * 2:
-+        fc = S390X_XTS_AES_256_MSA10;
-+        offs = 0;
-+        break;
-+    default:
-+        goto not_supported;
-+    }
-+
-+    if (!(OPENSSL_s390xcap_P.km[1] && S390X_CAPBIT(fc)))
-+        goto not_supported;
-+
-+    if (iv != NULL) {
-+        if (ivlen != xctx->base.ivlen
-+                || ivlen > sizeof(km->tweak)) {
-+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
-+            return 0;
-+        }
-+        memcpy(km->tweak, iv, ivlen);
-+        xctx->plat.s390x.iv_set = 1;
-+    }
-+
-+    if (key != NULL) {
-+        if (keylen != xctx->base.keylen) {
-+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
-+            return 0;
-+        }
-+        if (!aes_xts_check_keys_differ(key, keylen / 2, !dec))
-+            return 0;
-+
-+        memcpy(km->key + offs, key, keylen);
-+        xctx->plat.s390x.key_set = 1;
-+    }
-+
-+    xctx->plat.s390x.fc = fc | dec;
-+    xctx->plat.s390x.offset = offs;
-+
-+    memset(km->nap, 0, sizeof(km->nap));
-+    km->nap[0] = 0x1;
-+
-+    return aes_xts_set_ctx_params(xctx, params);
-+
-+not_supported:
-+    xctx->plat.s390x.fc = 0;
-+    xctx->plat.s390x.offset = 0;
-+    return 0;
-+}
-+
-+static int s390x_aes_xts_einit(void *vctx, const unsigned char *key,
-+                               size_t keylen, const unsigned char *iv,
-+                               size_t ivlen, const OSSL_PARAM params[])
-+{
-+    return s390x_aes_xts_init(vctx, key, keylen, iv, ivlen, params, 0);
-+}
-+
-+static int s390x_aes_xts_dinit(void *vctx, const unsigned char *key,
-+                               size_t keylen, const unsigned char *iv,
-+                               size_t ivlen, const OSSL_PARAM params[])
-+{
-+    return s390x_aes_xts_init(vctx, key, keylen, iv, ivlen, params,
-+                              S390X_DECRYPT);
-+}
-+
-+static void *s390x_aes_xts_dupctx(void *vctx)
-+{
-+    PROV_AES_XTS_CTX *in = (PROV_AES_XTS_CTX *)vctx;
-+    PROV_AES_XTS_CTX *ret = OPENSSL_zalloc(sizeof(*in));
-+
-+    if (ret != NULL)
-+        *ret = *in;
-+
-+    return ret;
-+}
-+
-+static int s390x_aes_xts_cipher(void *vctx, unsigned char *out, size_t *outl,
-+                                size_t outsize, const unsigned char *in,
-+                                size_t inl)
-+{
-+    PROV_AES_XTS_CTX *xctx = (PROV_AES_XTS_CTX *)vctx;
-+    S390X_KM_XTS_PARAMS *km = &xctx->plat.s390x.param.km;
-+    unsigned char *param = (unsigned char *)km + xctx->plat.s390x.offset;
-+    unsigned int fc = xctx->plat.s390x.fc;
-+    unsigned char tmp[2][AES_BLOCK_SIZE];
-+    unsigned char nap_n1[AES_BLOCK_SIZE];
-+    unsigned char drop[AES_BLOCK_SIZE];
-+    size_t len_incomplete, len_complete;
-+
-+    if (!ossl_prov_is_running()
-+            || inl < AES_BLOCK_SIZE
-+            || in == NULL
-+            || out == NULL
-+            || !xctx->plat.s390x.iv_set
-+            || !xctx->plat.s390x.key_set)
-+        return 0;
-+
-+    /*
-+     * Impose a limit of 2^20 blocks per data unit as specified by
-+     * IEEE Std 1619-2018.  The earlier and obsolete IEEE Std 1619-2007
-+     * indicated that this was a SHOULD NOT rather than a MUST NOT.
-+     * NIST SP 800-38E mandates the same limit.
-+     */
-+    if (inl > XTS_MAX_BLOCKS_PER_DATA_UNIT * AES_BLOCK_SIZE) {
-+        ERR_raise(ERR_LIB_PROV, PROV_R_XTS_DATA_UNIT_IS_TOO_LARGE);
-+        return 0;
-+    }
-+
-+    len_incomplete = inl % AES_BLOCK_SIZE;
-+    len_complete = (len_incomplete == 0) ? inl :
-+                       (inl / AES_BLOCK_SIZE - 1) * AES_BLOCK_SIZE;
-+
-+    if (len_complete > 0)
-+        s390x_km(in, len_complete, out, fc, param);
-+    if (len_incomplete == 0)
-+       goto out;
-+
-+    memcpy(tmp, in + len_complete, AES_BLOCK_SIZE + len_incomplete);
-+    /* swap NAP for decrypt */
-+    if (fc & S390X_DECRYPT) {
-+        memcpy(nap_n1, km->nap, AES_BLOCK_SIZE);
-+        s390x_km(tmp[0], AES_BLOCK_SIZE, drop, fc, param);
-+    }
-+    s390x_km(tmp[0], AES_BLOCK_SIZE, tmp[0], fc, param);
-+    if (fc & S390X_DECRYPT)
-+        memcpy(km->nap, nap_n1, AES_BLOCK_SIZE);
-+
-+    memcpy(tmp[1] + len_incomplete, tmp[0] + len_incomplete,
-+           AES_BLOCK_SIZE - len_incomplete);
-+    s390x_km(tmp[1], AES_BLOCK_SIZE, out + len_complete, fc, param);
-+    memcpy(out + len_complete + AES_BLOCK_SIZE, tmp[0], len_incomplete);
-+
-+    /* do not expose temporary data */
-+    OPENSSL_cleanse(tmp, sizeof(tmp));
-+out:
-+    memcpy(xctx->base.iv, km->tweak, AES_BLOCK_SIZE);
-+    *outl = inl;
-+
-+    return 1;
-+}

openssl-3-jitterentropy-3.4.0.patch

@@ -1,364 +0,0 @@
-Index: openssl-3.2.3/Configurations/00-base-templates.conf
-===================================================================
---- openssl-3.2.3.orig/Configurations/00-base-templates.conf
-+++ openssl-3.2.3/Configurations/00-base-templates.conf
-@@ -88,6 +88,7 @@ my %targets=(
-             sub {
-                 my @libs = ();
-                 push(@libs, "-lz") if !defined($disabled{zlib}) && defined($disabled{"zlib-dynamic"});
-+		push(@libs, "-ljitterentropy") if !defined($disabled{jitterentropy});
-                 if (!defined($disabled{brotli}) && defined($disabled{"brotli-dynamic"})) {
-                     push(@libs, "-lbrotlienc");
-                     push(@libs, "-lbrotlidec");
-Index: openssl-3.2.3/crypto/rand/rand_jitter_entropy.c
-===================================================================
---- /dev/null
-+++ openssl-3.2.3/crypto/rand/rand_jitter_entropy.c
-@@ -0,0 +1,97 @@
-+# include "jitterentropy.h"
-+# include "prov/jitter_entropy.h"
-+
-+struct rand_data* ec = NULL;
-+CRYPTO_RWLOCK *jent_lock = NULL;
-+int stop = 0;
-+
-+struct rand_data* FIPS_entropy_init(void)
-+{
-+    if (ec != NULL) {
-+        /* Entropy source has been initiated and collector allocated */
-+        return ec;
-+    }
-+    if (stop != 0) {
-+        /* FIPS_entropy_cleanup() already called, don't initialize it again */
-+        return NULL;
-+    }
-+    if (jent_lock == NULL) {
-+        /* Allocates a new lock to serialize access to jent library */
-+        jent_lock = CRYPTO_THREAD_lock_new();
-+        if (jent_lock == NULL) {
-+            return NULL;
-+        }
-+    }
-+    if (CRYPTO_THREAD_write_lock(jent_lock) == 0) {
-+        return NULL;
-+    }
-+    /* If the initialization is successful, the call returns with 0 */
-+    if (jent_entropy_init_ex(1, JENT_FORCE_FIPS) == 0) {
-+        /* Allocate entropy collector */
-+        ec = jent_entropy_collector_alloc(1, JENT_FORCE_FIPS);
-+    } else {
-+        /* abort if jitter rng fails initialization */
-+        abort();
-+    }
-+    if (ec == NULL) {
-+        /* abort if jitter rng fails initialization */
-+        abort();
-+    }
-+    CRYPTO_THREAD_unlock(jent_lock);
-+
-+    return ec;
-+}
-+
-+/*
-+ * The following error codes can be returned by jent_read_entropy_safe():
-+ *   -1  entropy_collector is NULL
-+ *   -2  RCT failed
-+ *   -3  APT failed
-+ *   -4  The timer cannot be initialized
-+ *   -5  LAG failure
-+ *   -6  RCT permanent failure
-+ *   -7  APT permanent failure
-+ *   -8  LAG permanent failure
-+ */
-+ssize_t FIPS_jitter_entropy(unsigned char *buf, size_t buflen)
-+{
-+    ssize_t ent_bytes = -1;
-+
-+    /*
-+     * Order is important. We need to call FIPS_entropy_init() before we
-+     * acquire jent_lock, otherwise it can lead to deadlock. Once we have
-+     * jent_lock, we need to ensure that FIPS_entropy_cleanup() was not called
-+     * in the meantime. Then it's safe to read entropy.
-+     */
-+    if (buf != NULL
-+        && buflen != 0
-+        && FIPS_entropy_init()
-+        && CRYPTO_THREAD_write_lock(jent_lock) != 0
-+        && stop == 0) {
-+        /* Get entropy */
-+        ent_bytes = jent_read_entropy_safe(&ec, (char *)buf, buflen);
-+        if (ent_bytes < 0) {
-+            /* abort if jitter rng fails entropy gathering because health tests failed. */
-+            abort();
-+        }
-+        CRYPTO_THREAD_unlock(jent_lock);
-+    }
-+
-+    return ent_bytes;
-+}
-+
-+void FIPS_entropy_cleanup(void)
-+{
-+    if (jent_lock != NULL && stop == 0) {
-+        CRYPTO_THREAD_write_lock(jent_lock);
-+    }
-+    /* Disable re-initialization in FIPS_entropy_init() */
-+    stop = 1;
-+    /* Free entropy collector */
-+    if (ec != NULL) {
-+        jent_entropy_collector_free(ec);
-+        ec = NULL;
-+    }
-+    CRYPTO_THREAD_lock_free(jent_lock);
-+    jent_lock = NULL;
-+}
-Index: openssl-3.2.3/providers/implementations/rands/seeding/rand_unix.c
-===================================================================
---- openssl-3.2.3.orig/providers/implementations/rands/seeding/rand_unix.c
-+++ openssl-3.2.3/providers/implementations/rands/seeding/rand_unix.c
-@@ -20,6 +20,7 @@
- #include "internal/dso.h"
- #include "internal/nelem.h"
- #include "prov/seeding.h"
-+#include "prov/jitter_entropy.h"
- 
- #ifdef __linux
- # include <sys/syscall.h>
-@@ -633,6 +634,31 @@ size_t ossl_pool_acquire_entropy(RAND_PO
- 
-     (void)entropy_available;    /* avoid compiler warning */
- 
-+    /* Use jitter entropy in FIPS mode */
-+    if (EVP_default_properties_is_fips_enabled(NULL))
-+    {
-+        size_t bytes_needed;
-+        unsigned char *buffer;
-+        ssize_t bytes;
-+        /* Maximum allowed number of consecutive unsuccessful attempts */
-+        int attempts = 3;
-+
-+        bytes_needed = ossl_rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
-+        while (bytes_needed != 0 && attempts-- > 0) {
-+            buffer = ossl_rand_pool_add_begin(pool, bytes_needed);
-+            bytes = FIPS_jitter_entropy(buffer, bytes_needed);
-+            if (bytes > 0) {
-+                ossl_rand_pool_add_end(pool, bytes, 8 * bytes);
-+                bytes_needed -= bytes;
-+                attempts = 3; /* reset counter after successful attempt */
-+            } else if (bytes < 0) {
-+                break;
-+            }
-+        }
-+        entropy_available = ossl_rand_pool_entropy_available(pool);
-+        return entropy_available;
-+    }
-+
- #   if defined(OPENSSL_RAND_SEED_GETRANDOM)
-     {
-         size_t bytes_needed;
-Index: openssl-3.2.3/providers/implementations/include/prov/jitter_entropy.h
-===================================================================
---- /dev/null
-+++ openssl-3.2.3/providers/implementations/include/prov/jitter_entropy.h
-@@ -0,0 +1,17 @@
-+#ifndef OSSL_PROVIDERS_JITTER_ENTROPY_H
-+# define OSSL_PROVIDERS_JITTER_ENTROPY_H
-+
-+# include <openssl/core.h>
-+# include <openssl/types.h>
-+# include <openssl/crypto.h>
-+# include <openssl/fips.h>
-+
-+extern struct rand_data* ec;
-+extern CRYPTO_RWLOCK *jent_lock;
-+extern int stop;
-+
-+struct rand_data* FIPS_entropy_init(void);
-+ssize_t FIPS_jitter_entropy(unsigned char *buf, size_t buflen);
-+void FIPS_entropy_cleanup(void);
-+
-+#endif
-Index: openssl-3.2.3/providers/fips/self_test.c
-===================================================================
---- openssl-3.2.3.orig/providers/fips/self_test.c
-+++ openssl-3.2.3/providers/fips/self_test.c
-@@ -20,6 +20,7 @@
- #include "internal/tsan_assist.h"
- #include "prov/providercommon.h"
- #include "crypto/rand.h"
-+#include "prov/jitter_entropy.h"
- 
- /*
-  * We're cheating here. Normally we don't allow RUN_ONCE usage inside the FIPS
-@@ -498,6 +499,11 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
-         return 0;
-     }
- 
-+    if (!FIPS_entropy_init()) {
-+        ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_ENTROPY_INIT_FAILED);
-+        goto end;
-+    }
-+
-     if (st == NULL) {
-         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
-         goto end;
-Index: openssl-3.2.3/include/openssl/proverr.h
-===================================================================
---- openssl-3.2.3.orig/include/openssl/proverr.h
-+++ openssl-3.2.3/include/openssl/proverr.h
-@@ -44,6 +44,7 @@
- # define PROV_R_FAILED_TO_GET_PARAMETER                   103
- # define PROV_R_FAILED_TO_SET_PARAMETER                   104
- # define PROV_R_FAILED_TO_SIGN                            175
-+# define PROV_R_FIPS_ENTROPY_INIT_FAILED                  234
- # define PROV_R_FIPS_MODULE_CONDITIONAL_ERROR             227
- # define PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE          224
- # define PROV_R_FIPS_MODULE_IN_ERROR_STATE                225
-Index: openssl-3.2.3/providers/common/provider_err.c
-===================================================================
---- openssl-3.2.3.orig/providers/common/provider_err.c
-+++ openssl-3.2.3/providers/common/provider_err.c
-@@ -54,6 +54,8 @@ static const ERR_STRING_DATA PROV_str_re
-     {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FAILED_TO_SET_PARAMETER),
-     "failed to set parameter"},
-     {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FAILED_TO_SIGN), "failed to sign"},
-+    {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_ENTROPY_INIT_FAILED),
-+    "fips module jitter entropy init failed"},
-     {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_CONDITIONAL_ERROR),
-     "fips module conditional error"},
-     {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE),
-Index: openssl-3.2.3/crypto/rand/build.info
-===================================================================
---- openssl-3.2.3.orig/crypto/rand/build.info
-+++ openssl-3.2.3/crypto/rand/build.info
-@@ -1,6 +1,6 @@
- LIBS=../../libcrypto
- 
--$COMMON=rand_lib.c
-+$COMMON=rand_lib.c rand_jitter_entropy.c
- $CRYPTO=randfile.c rand_err.c rand_deprecated.c prov_seed.c rand_pool.c \
-         rand_uniform.c
- 
-Index: openssl-3.2.3/providers/fips/fipsprov.c
-===================================================================
---- openssl-3.2.3.orig/providers/fips/fipsprov.c
-+++ openssl-3.2.3/providers/fips/fipsprov.c
-@@ -27,6 +27,7 @@
- #include "crypto/context.h"
- #include "internal/core.h"
- #include "indicator.h"
-+#include "prov/jitter_entropy.h"
- 
- static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes";
- static const char FIPS_UNAPPROVED_PROPERTIES[] = "provider=fips,fips=no";
-@@ -609,6 +610,7 @@ const OSSL_SUSE_FIPSINDICATOR_ALGORITHM
- 
- static void fips_teardown(void *provctx)
- {
-+    FIPS_entropy_cleanup();
-     OSSL_LIB_CTX_free(PROV_LIBCTX_OF(provctx));
-     ossl_prov_ctx_free(provctx);
- }
-Index: openssl-3.2.3/util/libcrypto.num
-===================================================================
---- openssl-3.2.3.orig/util/libcrypto.num
-+++ openssl-3.2.3/util/libcrypto.num
-@@ -5539,3 +5539,5 @@ BIO_ADDR_copy
- ossl_safe_getenv                        ?	3_2_0	EXIST::FUNCTION:
- ossl_ctx_legacy_digest_signatures_allowed ?	3_0_1	EXIST::FUNCTION:
- ossl_ctx_legacy_digest_signatures_allowed_set ?	3_0_1	EXIST::FUNCTION:
-+FIPS_entropy_init                       ?	3_1_4   EXIST::FUNCTION:
-+FIPS_entropy_cleanup                    ?	3_1_4   EXIST::FUNCTION:
-Index: openssl-3.2.3/Configure
-===================================================================
---- openssl-3.2.3.orig/Configure
-+++ openssl-3.2.3/Configure
-@@ -469,6 +469,7 @@ my @disablables = (
-     "gost",
-     "http",
-     "idea",
-+    "jitterentropy",
-     "ktls",
-     "legacy",
-     "loadereng",
-@@ -573,6 +574,7 @@ our %disabled = ( # "what"         => "c
-                   "external-tests"      => "default",
-                   "fuzz-afl"            => "default",
-                   "fuzz-libfuzzer"      => "default",
-+                  "jitterentropy"       => "default",
-                   "ktls"                => "default",
-                   "md2"                 => "default",
-                   "msan"                => "default",
-@@ -801,7 +803,7 @@ my %cmdvars = ();               # Stores
- my %unsupported_options = ();
- my %deprecated_options = ();
- # If you change this, update apps/version.c
--my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom);
-+my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom jitterentropy);
- my @seed_sources = ();
- while (@argvcopy)
-         {
-@@ -1291,6 +1293,9 @@ if (scalar(@seed_sources) == 0) {
- if (scalar(grep { $_ eq 'egd' } @seed_sources) > 0) {
-     delete $disabled{'egd'};
- }
-+if (scalar(grep { $_ eq 'jitterentropy' } @seed_sources) > 0) {
-+    delete $disabled{'jitterentropy'};
-+}
- if (scalar(grep { $_ eq 'none' } @seed_sources) > 0) {
-     die "Cannot seed with none and anything else" if scalar(@seed_sources) > 1;
-     warn <<_____ if scalar(@seed_sources) == 1;
-Index: openssl-3.2.3/crypto/info.c
-===================================================================
---- openssl-3.2.3.orig/crypto/info.c
-+++ openssl-3.2.3/crypto/info.c
-@@ -15,6 +15,9 @@
- #include "internal/e_os.h"
- #include "buildinf.h"
- 
-+# include <stdio.h>
-+# include <jitterentropy.h>
-+
- #if defined(__arm__) || defined(__arm) || defined(__aarch64__)
- # include "arm_arch.h"
- # define CPU_INFO_STR_LEN 128
-@@ -128,6 +131,14 @@ DEFINE_RUN_ONCE_STATIC(init_info_strings
-             OPENSSL_strlcat(seeds, ")", sizeof(seeds));                 \
-         } while (0)
- 
-+        /* In FIPS mode, only jitterentropy is used for seeding and
-+         * reseeding the primary DRBG.
-+         */
-+        if (EVP_default_properties_is_fips_enabled(NULL)) {
-+            char jent_version_string[32];
-+            sprintf(jent_version_string, "jitterentropy (%d)", jent_version());
-+            add_seeds_string(jent_version_string);
-+        } else {
- #ifdef OPENSSL_RAND_SEED_NONE
-         add_seeds_string("none");
- #endif
-@@ -156,6 +167,7 @@ DEFINE_RUN_ONCE_STATIC(init_info_strings
- #ifdef OPENSSL_RAND_SEED_OS
-         add_seeds_string("os-specific");
- #endif
-+        }
-         seed_sources = seeds;
-     }
-     return 1;
-Index: openssl-3.2.3/INSTALL.md
-===================================================================
---- openssl-3.2.3.orig/INSTALL.md
-+++ openssl-3.2.3/INSTALL.md
-@@ -511,6 +511,12 @@ if provided by the CPU.
- Use librandom (not implemented yet).
- This source is ignored by the FIPS provider.
- 
-+### jitterentropy
-+
-+Use [jitterentropy-library](https://github.com/smuellerDD/jitterentropy-library)
-+dynamically linked. In FIPS mode, only the jitter RNG is used to seed and reseed
-+the primary DRBG.
-+
- ### none
- 
- Disable automatic seeding.  This is the default on some operating systems where

openssl-3-support-CPACF-sha3-shake-perf-improvement.patch

@@ -1,196 +0,0 @@
-From 25f5d7b85f6657cd2f9f1ab7ae87f319d9bafe54 Mon Sep 17 00:00:00 2001
-From: Joerg Schmidbauer <jschmidb@de.ibm.com>
-Date: Thu, 29 Feb 2024 12:50:05 +0100
-Subject: [PATCH] s390x: support CPACF sha3/shake performance improvements
-
-On newer machines the SHA3/SHAKE performance of CPACF instructions KIMD and KLMD
-can be enhanced by using additional modifier bits. This allows the application
-to omit initializing the ICV, but also affects the internal processing of the
-instructions. Performance is mostly gained when processing short messages.
-
-The new CPACF feature is backwards compatible with older machines, i.e. the new
-modifier bits are ignored on older machines. However, to save the ICV
-initialization, the application must detect the MSA level and omit the ICV
-initialization only if this feature is supported.
-
-Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
-
-Reviewed-by: Paul Dale <ppzgs1@gmail.com>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/25235)
----
- crypto/s390x_arch.h                           |  3 ++
- crypto/s390xcpuid.pl                          |  4 +--
- crypto/sha/sha3.c                             |  8 +++++-
- providers/implementations/digests/sha3_prov.c | 28 +++++++++++++++----
- 4 files changed, 34 insertions(+), 9 deletions(-)
-
-Index: openssl-3.2.3/crypto/s390x_arch.h
-===================================================================
---- openssl-3.2.3.orig/crypto/s390x_arch.h
-+++ openssl-3.2.3/crypto/s390x_arch.h
-@@ -191,6 +191,9 @@ extern int OPENSSL_s390xcex;
- # define S390X_KMA_LAAD         0x200
- # define S390X_KMA_HS           0x400
- # define S390X_KDSA_D           0x80
-+# define S390X_KIMD_NIP         0x8000
-+# define S390X_KLMD_DUFOP       0x4000
-+# define S390X_KLMD_NIP         0x8000
- # define S390X_KLMD_PS          0x100
- # define S390X_KMAC_IKP         0x8000
- # define S390X_KMAC_IIMP        0x4000
-Index: openssl-3.2.3/crypto/s390xcpuid.pl
-===================================================================
---- openssl-3.2.3.orig/crypto/s390xcpuid.pl
-+++ openssl-3.2.3/crypto/s390xcpuid.pl
-@@ -308,7 +308,7 @@ s390x_kimd:
- 	llgfr	%r0,$fc
- 	lgr	%r1,$param
- 
--	.long	0xb93e0002	# kimd %r0,%r2
-+	.long	0xb93e8002	# kimd %r0,%r2[,M3]
- 	brc	1,.-4		# pay attention to "partial completion"
- 
- 	br	$ra
-@@ -329,7 +329,7 @@ s390x_klmd:
- 	llgfr	%r0,$fc
- 	l${g}	%r1,$stdframe($sp)
- 
--	.long	0xb93f0042	# klmd %r4,%r2
-+	.long	0xb93f8042	# klmd %r4,%r2[,M3]
- 	brc	1,.-4		# pay attention to "partial completion"
- 
- 	br	$ra
-Index: openssl-3.2.3/crypto/sha/sha3.c
-===================================================================
---- openssl-3.2.3.orig/crypto/sha/sha3.c
-+++ openssl-3.2.3/crypto/sha/sha3.c
-@@ -8,13 +8,19 @@
-  */
- 
- #include <string.h>
-+#if defined(__s390x__) && defined(OPENSSL_CPUID_OBJ)
-+# include "crypto/s390x_arch.h"
-+#endif
- #include "internal/sha3.h"
- 
- void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r, int next);
- 
- void ossl_sha3_reset(KECCAK1600_CTX *ctx)
- {
--    memset(ctx->A, 0, sizeof(ctx->A));
-+#if defined(__s390x__) && defined(OPENSSL_CPUID_OBJ)
-+    if (!(OPENSSL_s390xcap_P.stfle[1] & S390X_CAPBIT(S390X_MSA12)))
-+#endif
-+        memset(ctx->A, 0, sizeof(ctx->A));
-     ctx->bufsz = 0;
-     ctx->xof_state = XOF_STATE_INIT;
- }
-Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
-===================================================================
---- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
-+++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
-@@ -187,26 +187,32 @@ static size_t s390x_sha3_absorb(void *vc
- {
-     KECCAK1600_CTX *ctx = vctx;
-     size_t rem = len % ctx->block_size;
-+    unsigned int fc;
- 
-     if (!(ctx->xof_state == XOF_STATE_INIT ||
-           ctx->xof_state == XOF_STATE_ABSORB))
-         return 0;
-+    fc = ctx->pad;
-+    fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0;
-     ctx->xof_state = XOF_STATE_ABSORB;
--    s390x_kimd(inp, len - rem, ctx->pad, ctx->A);
-+    s390x_kimd(inp, len - rem, fc, ctx->A);
-     return rem;
- }
- 
- static int s390x_sha3_final(void *vctx, unsigned char *out, size_t outlen)
- {
-     KECCAK1600_CTX *ctx = vctx;
-+    unsigned int fc;
- 
-     if (!ossl_prov_is_running())
-         return 0;
-     if (!(ctx->xof_state == XOF_STATE_INIT ||
-           ctx->xof_state == XOF_STATE_ABSORB))
-         return 0;
-+    fc = ctx->pad | S390X_KLMD_DUFOP;
-+    fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KLMD_NIP : 0;
-     ctx->xof_state = XOF_STATE_FINAL;
--    s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, ctx->pad, ctx->A);
-+    s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, fc, ctx->A);
-     memcpy(out, ctx->A, outlen);
-     return 1;
- }
-@@ -214,14 +220,17 @@ static int s390x_sha3_final(void *vctx,
- static int s390x_shake_final(void *vctx, unsigned char *out, size_t outlen)
- {
-     KECCAK1600_CTX *ctx = vctx;
-+    unsigned int fc;
- 
-     if (!ossl_prov_is_running())
-         return 0;
-     if (!(ctx->xof_state == XOF_STATE_INIT ||
-           ctx->xof_state == XOF_STATE_ABSORB))
-         return 0;
-+    fc = ctx->pad | S390X_KLMD_DUFOP;
-+    fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KLMD_NIP : 0;
-     ctx->xof_state = XOF_STATE_FINAL;
--    s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, ctx->pad, ctx->A);
-+    s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, fc, ctx->A);
-     return 1;
- }
- 
-@@ -271,24 +280,28 @@ static int s390x_keccakc_final(void *vct
-     size_t bsz = ctx->block_size;
-     size_t num = ctx->bufsz;
-     size_t needed = outlen;
-+    unsigned int fc;
- 
-     if (!ossl_prov_is_running())
-         return 0;
-     if (!(ctx->xof_state == XOF_STATE_INIT ||
-           ctx->xof_state == XOF_STATE_ABSORB))
-         return 0;
-+    fc = ctx->pad;
-+    fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0;
-     ctx->xof_state = XOF_STATE_FINAL;
-     if (outlen == 0)
-         return 1;
-     memset(ctx->buf + num, 0, bsz - num);
-     ctx->buf[num] = padding;
-     ctx->buf[bsz - 1] |= 0x80;
--    s390x_kimd(ctx->buf, bsz, ctx->pad, ctx->A);
-+    s390x_kimd(ctx->buf, bsz, fc, ctx->A);
-     num = needed > bsz ? bsz : needed;
-     memcpy(out, ctx->A, num);
-     needed -= num;
-     if (needed > 0)
--        s390x_klmd(NULL, 0, out + bsz, needed, ctx->pad | S390X_KLMD_PS, ctx->A);
-+        s390x_klmd(NULL, 0, out + bsz, needed,
-+                   ctx->pad | S390X_KLMD_PS | S390X_KLMD_DUFOP, ctx->A);
- 
-     return 1;
- }
-@@ -308,6 +321,7 @@ static int s390x_keccakc_squeeze(void *v
- {
-     KECCAK1600_CTX *ctx = vctx;
-     size_t len;
-+    unsigned int fc;
- 
-     if (!ossl_prov_is_running())
-         return 0;
-@@ -323,7 +337,9 @@ static int s390x_keccakc_squeeze(void *v
-         memset(ctx->buf + ctx->bufsz, 0, len);
-         ctx->buf[ctx->bufsz] = padding;
-         ctx->buf[ctx->block_size - 1] |= 0x80;
--        s390x_kimd(ctx->buf, ctx->block_size, ctx->pad, ctx->A);
-+        fc = ctx->pad;
-+        fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0;
-+        s390x_kimd(ctx->buf, ctx->block_size, fc, ctx->A);
-         ctx->bufsz = 0;
-         /* reuse ctx->bufsz to count bytes squeezed from current sponge */
-     }

openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch

@@ -1,160 +0,0 @@
-commit 94898923538f686b74b6ddef34571f804d9b3811
-Author: Holger Dengler <dengler@linux.ibm.com>
-Date:   Wed Sep 27 15:40:47 2023 +0200
-
-    Support EVP_DigestSqueeze() for in the digest provider for s390x.
-    
-    The new EVP_DigestSqueeze() API requires changes to all keccak-based
-    digest provider implementations. Update the s390x-part of the SHA3
-    digest provider.
-    
-    Squeeze for SHA3 is not supported, so add an empty function pointer
-    (NULL).
-    
-    Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
-    
-    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
-    Reviewed-by: Todd Short <todd.short@me.com>
-    Reviewed-by: Tomas Mraz <tomas@openssl.org>
-    (Merged from https://github.com/openssl/openssl/pull/22221)
-
-diff --git a/providers/implementations/digests/sha3_prov.c b/providers/implementations/digests/sha3_prov.c
-index f691273baf..2fd0f928e7 100644
---- a/providers/implementations/digests/sha3_prov.c
-+++ b/providers/implementations/digests/sha3_prov.c
-@@ -225,6 +225,45 @@ static int s390x_shake_final(void *vctx, unsigned char *out, size_t outlen)
-     return 1;
- }
- 
-+static int s390x_shake_squeeze(void *vctx, unsigned char *out, size_t outlen)
-+{
-+    KECCAK1600_CTX *ctx = vctx;
-+    size_t len;
-+
-+    if (!ossl_prov_is_running())
-+        return 0;
-+    if (ctx->xof_state == XOF_STATE_FINAL)
-+        return 0;
-+    /*
-+     * On the first squeeze call, finish the absorb process (incl. padding).
-+     */
-+    if (ctx->xof_state != XOF_STATE_SQUEEZE) {
-+        ctx->xof_state = XOF_STATE_SQUEEZE;
-+        s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, ctx->pad, ctx->A);
-+        ctx->bufsz = outlen % ctx->block_size;
-+        /* reuse ctx->bufsz to count bytes squeezed from current sponge */
-+        return 1;
-+    }
-+    ctx->xof_state = XOF_STATE_SQUEEZE;
-+    if (ctx->bufsz != 0) {
-+        len = ctx->block_size - ctx->bufsz;
-+        if (outlen < len)
-+            len = outlen;
-+        memcpy(out, (char *)ctx->A + ctx->bufsz, len);
-+        out += len;
-+        outlen -= len;
-+        ctx->bufsz += len;
-+        if (ctx->bufsz == ctx->block_size)
-+            ctx->bufsz = 0;
-+    }
-+    if (outlen == 0)
-+        return 1;
-+    s390x_klmd(NULL, 0, out, outlen, ctx->pad | S390X_KLMD_PS, ctx->A);
-+    ctx->bufsz = outlen % ctx->block_size;
-+
-+    return 1;
-+}
-+
- static int s390x_keccakc_final(void *vctx, unsigned char *out, size_t outlen,
-                                int padding)
- {
-@@ -264,28 +303,86 @@ static int s390x_kmac_final(void *vctx, unsigned char *out, size_t outlen)
-     return s390x_keccakc_final(vctx, out, outlen, 0x04);
- }
- 
-+static int s390x_keccakc_squeeze(void *vctx, unsigned char *out, size_t outlen,
-+                                 int padding)
-+{
-+    KECCAK1600_CTX *ctx = vctx;
-+    size_t len;
-+
-+    if (!ossl_prov_is_running())
-+        return 0;
-+    if (ctx->xof_state == XOF_STATE_FINAL)
-+        return 0;
-+    /*
-+     * On the first squeeze call, finish the absorb process
-+     * by adding the trailing padding and then doing
-+     * a final absorb.
-+     */
-+    if (ctx->xof_state != XOF_STATE_SQUEEZE) {
-+        len = ctx->block_size - ctx->bufsz;
-+        memset(ctx->buf + ctx->bufsz, 0, len);
-+        ctx->buf[ctx->bufsz] = padding;
-+        ctx->buf[ctx->block_size - 1] |= 0x80;
-+        s390x_kimd(ctx->buf, ctx->block_size, ctx->pad, ctx->A);
-+        ctx->bufsz = 0;
-+        /* reuse ctx->bufsz to count bytes squeezed from current sponge */
-+    }
-+    if (ctx->bufsz != 0 || ctx->xof_state != XOF_STATE_SQUEEZE) {
-+        len = ctx->block_size - ctx->bufsz;
-+        if (outlen < len)
-+            len = outlen;
-+        memcpy(out, (char *)ctx->A + ctx->bufsz, len);
-+        out += len;
-+        outlen -= len;
-+        ctx->bufsz += len;
-+        if (ctx->bufsz == ctx->block_size)
-+            ctx->bufsz = 0;
-+    }
-+    ctx->xof_state = XOF_STATE_SQUEEZE;
-+    if (outlen == 0)
-+        return 1;
-+    s390x_klmd(NULL, 0, out, outlen, ctx->pad | S390X_KLMD_PS, ctx->A);
-+    ctx->bufsz = outlen % ctx->block_size;
-+
-+    return 1;
-+}
-+
-+static int s390x_keccak_squeeze(void *vctx, unsigned char *out, size_t outlen)
-+{
-+     return s390x_keccakc_squeeze(vctx, out, outlen, 0x01);
-+}
-+
-+static int s390x_kmac_squeeze(void *vctx, unsigned char *out, size_t outlen)
-+{
-+     return s390x_keccakc_squeeze(vctx, out, outlen, 0x04);
-+}
-+
- static PROV_SHA3_METHOD sha3_s390x_md =
- {
-     s390x_sha3_absorb,
--    s390x_sha3_final
-+    s390x_sha3_final,
-+    NULL,
- };
- 
- static PROV_SHA3_METHOD keccak_s390x_md =
- {
-     s390x_sha3_absorb,
-     s390x_keccak_final,
-+    s390x_keccak_squeeze,
- };
- 
- static PROV_SHA3_METHOD shake_s390x_md =
- {
-     s390x_sha3_absorb,
--    s390x_shake_final
-+    s390x_shake_final,
-+    s390x_shake_squeeze,
- };
- 
- static PROV_SHA3_METHOD kmac_s390x_md =
- {
-     s390x_sha3_absorb,
--    s390x_kmac_final
-+    s390x_kmac_final,
-+    s390x_kmac_squeeze,
- };
- 
- # define SHAKE_SET_MD(uname, typ)                                              \

openssl-3-support-multiple-sha3_squeeze_s390x.patch

@@ -1,46 +0,0 @@
-commit bff62480333680463c82e88fdc67ed5ec14a0017
-Author: Holger Dengler <dengler@linux.ibm.com>
-Date:   Wed Sep 27 11:18:18 2023 +0200
-
-    Support multiple calls of low level SHA3_squeeze() for s390x.
-    
-    The low level SHA3_Squeeze() function needed to change slightly so
-    that it can handle multiple squeezes. Support this on s390x
-    architecture as well.
-    
-    Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
-    
-    Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
-    Reviewed-by: Todd Short <todd.short@me.com>
-    Reviewed-by: Tomas Mraz <tomas@openssl.org>
-    (Merged from https://github.com/openssl/openssl/pull/22221)
-
-diff --git a/crypto/sha/asm/keccak1600-s390x.pl b/crypto/sha/asm/keccak1600-s390x.pl
-index 86233c7e38..7d5ebde117 100755
---- a/crypto/sha/asm/keccak1600-s390x.pl
-+++ b/crypto/sha/asm/keccak1600-s390x.pl
-@@ -472,7 +472,7 @@ SHA3_absorb:
- .size	SHA3_absorb,.-SHA3_absorb
- ___
- }
--{ my ($A_flat,$out,$len,$bsz) = map("%r$_",(2..5));
-+{ my ($A_flat,$out,$len,$bsz,$next) = map("%r$_",(2..6));
- 
- $code.=<<___;
- .globl	SHA3_squeeze
-@@ -484,6 +484,7 @@ SHA3_squeeze:
- 	lghi	%r14,8
- 	st${g}	$bsz,5*$SIZE_T($sp)
- 	la	%r1,0($A_flat)
-+	cijne	$next,0,.Lnext_block
- 
- 	j	.Loop_squeeze
- 
-@@ -501,6 +502,7 @@ SHA3_squeeze:
- 
- 	brct	$bsz,.Loop_squeeze	# bsz--
- 
-+.Lnext_block:
- 	stm${g}	$out,$len,3*$SIZE_T($sp)
- 	bras	%r14,.LKeccakF1600
- 	lm${g}	$out,$bsz,3*$SIZE_T($sp)

openssl-3-use-include-directive.patch

@@ -1,35 +0,0 @@
----
- apps/openssl.cnf |   13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-Index: openssl-3.1.4/apps/openssl.cnf
-===================================================================
---- openssl-3.1.4.orig/apps/openssl.cnf
-+++ openssl-3.1.4/apps/openssl.cnf
-@@ -19,6 +19,7 @@ openssl_conf = openssl_init
- # Comment out the next line to ignore configuration errors
- config_diagnostics = 1
- 
-+[ oid_section ]
- # Extra OBJECT IDENTIFIER info:
- # oid_file       = $ENV::HOME/.oid
- oid_section = new_oids
-@@ -47,6 +48,18 @@ providers = provider_sect
- # Load default TLS policy configuration
- ssl_conf = ssl_module
- 
-+engines = engine_section
-+
-+[ engine_section ]
-+
-+# This include will look through the directory that will contain the
-+# engine declarations for any engines provided by other packages.
-+.include /etc/ssl/engines3.d
-+
-+# This include will look through the directory that will contain the
-+# definitions of the engines declared in the engine section.
-+.include /etc/ssl/engdef3.d
-+
- # Uncomment the sections that start with ## below to enable the legacy provider.
- # Loading the legacy provider enables support for the following algorithms:
- # Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160

openssl-3.1.4.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE78CkZ9YTy4PH7W0w2JTizos9efUFAmU3yaoACgkQ2JTizos9
-efXt8BAAqcF9RBzduklMCXSfG4Rzs2KcWmR1+BB0izxG3KwPr+r54qBbSRCCImHA
-U22An//xsDsQZ0K4rrkkkumpJCxLV/4F3TlEBdoCS4wzDXz/LfONzTuZ8Z3QP/Si
-ElHTKdqPo2tp6LrDIUSGa9BmK1AsxkhOoC/uJlGpLP0mLJGI3PGo5ordyERAjL/C
-hTumE16ErrXY3kHVPAeD6tJlxtV3M9UxsZAOK6LVfnhXLzz8hWMu2H5ZigXZWCDx
-NG6ylV4xxfqO9eLxT2wUrJzg24w0VZzmbD+ZeZ24v9aAxGsbl3ZHLgMKkDehNNuP
-0ADh3aGq9FkIg5n53UQu0pbOc6aBPgWwVuaNfxOheG2GqBCoca42ikW20QZyJAec
-h3uLQ76vnWOjUIjeRCjpw0+OCUaWr0wx5WzzfdgYc813VwN6FaC9ZmB46oaLfIeD
-MBAyuUxdTif/7SXmGgUIQDIf4Vxr2H7I0NyyDxD+y+C2gwn+zVvuVcBBc2cNq4QN
-UINxZvm75CwaCsys+MDjSneDhpcSlAPqTJqM3DvKf/r3+27buz+sFw463fTHnv0F
-FpyBPgvvusY4Z4h/jqLcfkl2MBOxlo+lpZJdPpQoEvGz751GsKmmtb0YgZ7BjrYs
-5vFvo0EJ066J9bWLbp6VZd825B9P2Uy7u3sUz+E5nuavT4eHv7o=
-=EH33
------END PGP SIGNATURE-----

openssl-3.1.7.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:053a31fa80cf4aebe1068c987d2ef1e44ce418881427c4464751ae800c31d06c
-size 15684836

openssl-3.1.7.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEulRzorBYewf7J88tIWCU39DLge8FAmbXB9UACgkQIWCU39DL
-ge/wjg/+MwugS9yaSCXXeqfRDYphyyblQ915j30Zo4kOdxr/ZBkrrzExxQaAN9tC
-NR+w33NPmiQQk8MPKKx3dcOZ3giHv7uGlBbo8fHihoUJ5cM9jDLd0UnqSUKU6C7h
-mK0BcGBj+Y5Sj2wH0NLPbFgfqbk2rbFRyDDoszj/ZahdE/dr1m1W8vI+FFqqqLjO
-hc4J26Dn/oTA1FWgXhIAPQDjG/sUy2waF1Q/nelVkeCwrL5modcW8CXGiwZa5Wan
-93cAgk0VUVq20FGQLVVxhGJ9wMGv48nS/hJKugJci1CFqX1eLc5NrbDah3sejGpA
-9ZgNoguolbxVe+pFDF+Qj5tLM34+ONI4m2wqtKNAA9UN/W2NuQxatDlHYU2u718C
-YpiEodIuNz5ktGAtHAe0fI36rvMJGy/6nKuzMXNF+QmbFzWhtnQRXJuC6uY7dIOa
-QHHYmKboVJCb9Ak2gSuTEJvov8HFnlCRzzXBEN2sP6Xd86flERRcMH41VtEu0u2c
-wB54o5+9l/7PQ3TOSdNUD6JakjraE05KMHB0KwEUIvAEMceaIrp1q6BnVrEzRjdV
-WMsagkvHiv4dUP8lT1DpCEhq7jHyzvHtFrrQq+SAHITgnYiENF6K89w2QLkqoK33
-Co/eerwMazO3+qxASYz7pFODPyVAsTIWvuWAJ6CmtubJBinjVnM=
-=Z8CX
------END PGP SIGNATURE-----

openssl-3.2.4.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEulRzorBYewf7J88tIWCU39DLge8FAmerYbgACgkQIWCU39DL
-ge+LMhAAmVXO6X5r3P5P8czf4kT8jFp9xRkp+jlzLZ7+Vt0GOc+8JZRJ/Fmi4fsD
-6nMScDzpJAv/KxOsRCC3l+Fz7eIRWvf+qeSTQggCYAlUF+3Y9qXbnOcCj+8/HPYa
-bAXq7S4hFi3T7NXFyOOx38KxUuhNpcC/tUvMEmYoR8HTm0n1Utf/h/IC9IVoc7at
-raUOo2qTZqwMNFue8fXC7lj6wL81MRD3TYOjePNZAKe2tuPCLoyR+sN8twVbNOLH
-9TDwMZLeCRaLebL9x14knhUOT4+/gsTGH84KS56Ry0YYSDGc2u+58HRaGFBbAEId
-hy4DYrYMCRlcSofPYlzMaFAZ3PSar+6ZPvvEl+OrOzY9DPoXzj0gXQ/NCWqJu9lg
-EQvE6/TnuhXEUxO25eWnIXGBWcmJtECut/rY1sV9OZwaOUPxDWZTxkDuv1dNDqug
-EmrfJHM7KdYVwy7JONReF0ODnNIVAa4HoAZ0EF3K3oySA5KmbA3YkkDGo5aqhpAD
-LZu4+fEmemq1fsEjAxdAk2Vmx4YUElcHEoQGQxSdPlIgl/z/KQ6ONuYoGIgXUXH8
-omXxceapMLP3DkHEpFxOYACCderAxDsZAjgFxM2Rlvp8afCq/C2wFYFDERU9XNIS
-SIc4N+NAoDAxSk6ScGSzORO78lFIGzBIX3pLSCCIezGCyfeHtYo=
-=HqP/
------END PGP SIGNATURE-----

openssl-3.5.0.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEulRzorBYewf7J88tIWCU39DLge8FAmf1ITQACgkQIWCU39DL
-ge+kyhAAjicxaMPBhcQqgnp3RyZhf4hOwVEzkUu3ouEjdIccz8NMxwV4Kf298ivL
-DHF/0HZQuHzIjcO/vQLLG66XCeiS0bDDIxEj457iYDr/lbWvGOqKgH+e5u7fo4iG
-f3aRZ/ACVuFXQ9LWjtR0M15HGJ/fKCCJQgIFwZ103tz4ptO6PBtUFK3PNGUpVjbV
-00oJ0msl2NDwrKpymVNKp9gXva7RfzIggPDl6MC80m54T7aruXhqur4dxkcyD+pa
-WmYKd4659jhCHRlXGZzz8XcLUsa3gQzP8W2RIqMZY8hdaaGnPEZY942s7KwRsdq0
-Blr54GBTpK8TLAUfBuFkFejS5bSbGsCGgAt9lP8ZkscRiG5tGdBYV/KUcOD7a1Xa
-VnsLlePtWlJGAWZt54JhQz5/dQtI51xJmhzbcHB5mTtDY0SZ7EnHNgTo1UY4cZZd
-sI3QhEgCOEh9UCMBQrxpaR9+chFaTd4hlYfbJAZgfI6XZyx8uSvngl3K/22anJmR
-Js1q8sE0G4hbtaSM5YecdX+RAMAwfujwqDY6BEM032kAO9eGe0PEnCRC8b23bRxF
-Vqmuwv7VpUMxCjo0k5GUC4Bj502r3H9ArPTVTI/E9Elhrc2jGfrU6bPdMmaz3qAi
-nKMjtRtsg81LwSlxg2ypi2L+liv6md2QkaQswMS6k+JGRaR5sVc=
-=pAni
------END PGP SIGNATURE-----

openssl-3.5.1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:529043b15cffa5f36077a4d0af83f3de399807181d607441d734196d889b641f
-size 53158817

openssl-3.5.1.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEulRzorBYewf7J88tIWCU39DLge8FAmhjzLwACgkQIWCU39DL
-ge9rsA/5AXAEDd+2yayepyZHDamxMh9cMI8DcFnXG1NoxBgCh1P7DmdzGVRTbf8L
-V7dF063z86ebR/eIbT6QzYD+zfBd1pVMVlMe6S2/ZI+dDtJizaDdmExHsJeAJ/p/
-OeJ+ksM44eQcr0N2IUmUScr95/fZR3ED2HpAs224wMcbufe6PJUrbmyBbnPqw/Nf
-SHekc5xWAgoNT3tKKZxkjABmP8uSNtWsdn8QQuZyc7sB9Z/j5UuA/Oay7eVpQ5D8
-EiTQ1P+3u78wV/0Nqb3iDhgqShr7h7b9APgMUxQsNbvKVtoZI/7miskDz/dyNoqv
-FF9+oAhoRyC8XSQF1Td7HLLvsqqF31+iQdou5gmnrsoB6QLWEOBvfI+zOI7BckLj
-dZsa/oW6Rz1m12l5jqzorYrVYtbNfUJ7tunYMZOBnffK/VomE8XqmZuUVP+bQdZh
-zE+tLMBrIHb+h8MP3JnYsRzaYr1sN7lbLx5/7Gh1o1jpvzy57D628vbSWnbLoJuu
-l2ZjDNMAcKvcKba283lrV+Vm5aL4m/x4flsjeNiufTX50Ckzyd6U1L5Xq2wyHLuh
-kHIeO2UW9WeNud8UY5mYOBBbwHyh/9yWXphgEtxS2aSvKEIUkQ1V89e5U0Fu3pjU
-anJLQLYDc66CXfj82PK0Wq765bxIDnsRMggwgGh84U5eCvZWmMk=
-=nHMj
------END PGP SIGNATURE-----

openssl-Add-FIPS-indicator-parameter-to-HKDF.patch

@@ -1,911 +0,0 @@
-From 2290280617183863eb15425b8925765966723725 Mon Sep 17 00:00:00 2001
-From: Clemens Lang <cllang@redhat.com>
-Date: Thu, 11 Aug 2022 09:27:12 +0200
-Subject: KDF: Add FIPS indicators
-
-FIPS requires a number of restrictions on the parameters of the various
-key derivation functions implemented in OpenSSL. The KDFs that use
-digest algorithms usually should not allow SHAKE (due to FIPS 140-3 IG
-C.C). Additionally, some application-specific KDFs have further
-restrictions defined in SP 800-135r1.
-
-Generally, all KDFs shall use a key-derivation key length of at least
-112 bits due to SP 800-131Ar2 section 8. Additionally any use of a KDF
-to generate and output length of less than 112 bits will also set the
-indicator to unapproved.
-
-Add explicit indicators to all KDFs usable in FIPS mode except for
-PBKDF2 (which has its specific FIPS limits already implemented). The
-indicator can be queried using EVP_KDF_CTX_get_params() after setting
-the required parameters and keys for the KDF.
-
-Our FIPS provider implements SHA1, SHA2 (both -256 and -512, and the
-truncated variants -224 and -384) and SHA3 (-256 and -512, and the
-truncated versions -224 and -384), as well as SHAKE-128 and -256.
-
-The SHAKE functions are generally not allowed in KDFs. For the rest, the
-support matrix is:
-
- KDF         | SHA-1 | SHA-2 | SHA-2 truncated  | SHA-3 | SHA-3 truncated
-==========================================================================
-KBKDF        |   x   |   x   |         x        |   x   |     x
-HKDF         |   x   |   x   |         x        |   x   |     x
-TLS1PRF      |       | SHA-{256,384,512} only   |       |
-SSHKDF       |   x   |   x   |         x        |       |
-SSKDF        |   x   |   x   |         x        |   x   |     x
-X9.63KDF     |       |   x   |         x        |   x   |     x
-X9.42-ASN1   |   x   |   x   |         x        |   x   |     x
-TLS1.3PRF    |       | SHA-{256,384} only       |       |
-
-Signed-off-by: Clemens Lang <cllang@redhat.com>
-Resolves: rhbz#2160733 rhbz#2164763
-Related: rhbz#2114772 rhbz#2141695
----
- include/crypto/evp.h                      |   7 ++
- include/openssl/kdf.h                     |   4 +
- providers/implementations/kdfs/hkdf.c     | 100 +++++++++++++++++++++-
- providers/implementations/kdfs/kbkdf.c    |  82 ++++++++++++++++--
- providers/implementations/kdfs/sshkdf.c   |  75 +++++++++++++++-
- providers/implementations/kdfs/sskdf.c    | 100 +++++++++++++++++++++-
- providers/implementations/kdfs/tls1_prf.c |  74 +++++++++++++++-
- providers/implementations/kdfs/x942kdf.c  |  66 +++++++++++++-
- util/perl/OpenSSL/paramnames.pm           |   1 +
- 9 files changed, 487 insertions(+), 22 deletions(-)
-
-diff --git a/include/crypto/evp.h b/include/crypto/evp.h
-index e70d8e9e84..76fb990de4 100644
---- a/include/crypto/evp.h
-+++ b/include/crypto/evp.h
-@@ -219,6 +219,13 @@ struct evp_mac_st {
-     OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params;
- };
- 
-+#ifdef FIPS_MODULE
-+/* According to NIST Special Publication 800-131Ar2, Section 8: Deriving
-+ * Additional Keys from a Cryptographic Key, "[t]he length of the
-+ * key-derivation key [i.e., the input key] shall be at least 112 bits". */
-+# define EVP_KDF_FIPS_MIN_KEY_LEN (112 / 8)
-+#endif
-+
- struct evp_kdf_st {
-     OSSL_PROVIDER *prov;
-     int name_id;
-diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
-index 0983230a48..86171635ea 100644
---- a/include/openssl/kdf.h
-+++ b/include/openssl/kdf.h
-@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf,
- # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY        1
- # define EVP_KDF_HKDF_MODE_EXPAND_ONLY         2
- 
-+# define EVP_KDF_SUSE_FIPS_INDICATOR_UNDETERMINED 0
-+# define EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED     1
-+# define EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED 2
-+
- #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV     65
- #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI     66
- #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
-diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
-index dfa7786bde..f01e40ff5a 100644
---- a/providers/implementations/kdfs/hkdf.c
-+++ b/providers/implementations/kdfs/hkdf.c
-@@ -42,6 +42,7 @@ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params;
- static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params;
- static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
- static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params;
-+static OSSL_FUNC_kdf_newctx_fn kdf_tls1_3_new;
- static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive;
- static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params;
- static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params;
-@@ -85,6 +86,10 @@ typedef struct {
-     size_t data_len;
-     unsigned char *info;
-     size_t info_len;
-+    int is_tls13;
-+#ifdef FIPS_MODULE
-+    int fips_indicator;
-+#endif /* defined(FIPS_MODULE) */
- } KDF_HKDF;
- 
- static void *kdf_hkdf_new(void *provctx)
-@@ -170,6 +175,11 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen,
-         return 0;
-     }
- 
-+#ifdef FIPS_MODULE
-+    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
-+        ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+#endif /* defined(FIPS_MODULE) */
-+
-     switch (ctx->mode) {
-     case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
-     default:
-@@ -318,22 +318,85 @@ static int kdf_hkdf_get_ctx_params(void
- {
-     KDF_HKDF *ctx = (KDF_HKDF *)vctx;
-     OSSL_PARAM *p;
-+    int any_valid = 0; /* set to 1 when at least one parameter was valid */
- 
-     if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
-         size_t sz = kdf_hkdf_size(ctx);
- 
-+        any_valid = 1;
-         if (sz == 0)
-             return 0;
-         return OSSL_PARAM_set_size_t(p, sz);
-     }
-     if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) {
-+        any_valid = 1;
-         if (ctx->info == NULL || ctx->info_len == 0) {
-             p->return_size = 0;
-             return 1;
-         }
-         return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len);
-     }
--    return -2;
-+#ifdef FIPS_MODULE
-+    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR))
-+            != NULL) {
-+        int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
-+        const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
-+
-+        any_valid = 1;
-+
-+        /* According to NIST Special Publication 800-131Ar2, Section 8:
-+         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
-+         * the key-derivation key [i.e., the input key] shall be at least 112
-+         * bits". */
-+        if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
-+            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+
-+        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
-+         * Verification Program, Section D.B and NIST Special Publication
-+         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
-+         * strength < 112 bits is legacy use only, so all derived keys should
-+         * be longer than that. If a derived key has ever been shorter than
-+         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
-+         * should also set the returned FIPS indicator to unapproved. */
-+        if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
-+            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+
-+        if (ctx->is_tls13) {
-+            if (md != NULL
-+                    && !EVP_MD_is_a(md, "SHA2-256")
-+                    && !EVP_MD_is_a(md, "SHA2-384")) {
-+                /* Implementation Guidance for FIPS 140-3 and the Cryptographic
-+                 * Module Validation Program, Section 2.4.B, (5): "The TLS 1.3
-+                 * key derivation function documented in Section 7.1 of RFC
-+                 * 8446. This is considered an approved CVL because the
-+                 * underlying functions performed within the TLS 1.3 KDF map to
-+                 * NIST approved standards, namely: SP 800-133rev2 (Section 6.3
-+                 * Option #3), SP 800-56Crev2, and SP 800-108."
-+                 *
-+                 * RFC 8446 appendix B.4 only lists SHA-256 and SHA-384. */
-+                fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+            }
-+        } else {
-+            if (md != NULL
-+                    && (EVP_MD_is_a(md, "SHAKE-128") ||
-+                        EVP_MD_is_a(md, "SHAKE-256"))) {
-+                /* HKDF is a SP 800-56Cr2 TwoStep KDF, for which all SHA-1,
-+                 * SHA-2 and SHA-3 are approved. SHAKE is not approved, because
-+                 * of FIPS 140-3 IG, section C.C: "The SHAKE128 and SHAKE256
-+                 * extendable-output functions may only be used as the
-+                 * standalone algorithms." */
-+                fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+            }
-+        }
-+        if (!OSSL_PARAM_set_int(p, fips_indicator))
-+            return 0;
-+    }
-+#endif /* defined(FIPS_MODULE) */
-+
-+    if (!any_valid)
-+        return -2;
-+
-+    return 1;
- }
- 
- static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
-@@ -348,6 +421,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
-     static const OSSL_PARAM known_gettable_ctx_params[] = {
-         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
-         OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
-+#ifdef FIPS_MODULE
-+        OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, NULL),
-+#endif /* defined(FIPS_MODULE) */
-         OSSL_PARAM_END
-     };
-     return known_gettable_ctx_params;
-@@ -677,6 +753,17 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx,
-     return ret;
- }
- 
-+static void *kdf_tls1_3_new(void *provctx)
-+{
-+    KDF_HKDF *hkdf = kdf_hkdf_new(provctx);
-+
-+    if (hkdf != NULL)
-+        hkdf->is_tls13 = 1;
-+
-+    return hkdf;
-+}
-+
-+
- static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
-                              const OSSL_PARAM params[])
- {
-@@ -692,6 +779,11 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
-         return 0;
-     }
- 
-+#ifdef FIPS_MODULE
-+    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
-+        ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+#endif /* defined(FIPS_MODULE) */
-+
-     switch (ctx->mode) {
-     default:
-         return 0;
-@@ -769,7 +861,7 @@ static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx,
- }
- 
- const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = {
--    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new },
-+    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_3_new },
-     { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup },
-     { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free },
-     { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset },
-diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c
-index a542f84dfa..6b6dfb94ac 100644
---- a/providers/implementations/kdfs/kbkdf.c
-+++ b/providers/implementations/kdfs/kbkdf.c
-@@ -59,6 +59,9 @@ typedef struct {
-     kbkdf_mode mode;
-     EVP_MAC_CTX *ctx_init;
- 
-+    /* HMAC digest algorithm, if any; used to compute FIPS indicator */
-+    PROV_DIGEST digest;
-+
-     /* Names are lowercased versions of those found in SP800-108. */
-     int r;
-     unsigned char *ki;
-@@ -73,6 +76,9 @@ typedef struct {
-     int use_l;
-     int is_kmac;
-     int use_separator;
-+#ifdef FIPS_MODULE
-+    int fips_indicator;
-+#endif /* defined(FIPS_MODULE) */
- } KBKDF;
- 
- /* Definitions needed for typechecking. */
-@@ -138,6 +144,7 @@ static void kbkdf_reset(void *vctx)
-     void *provctx = ctx->provctx;
- 
-     EVP_MAC_CTX_free(ctx->ctx_init);
-+    ossl_prov_digest_reset(&ctx->digest);
-     OPENSSL_clear_free(ctx->context, ctx->context_len);
-     OPENSSL_clear_free(ctx->label, ctx->label_len);
-     OPENSSL_clear_free(ctx->ki, ctx->ki_len);
-@@ -240,6 +247,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen,
-         goto done;
-     }
- 
-+#ifdef FIPS_MODULE
-+    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
-+        ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+#endif /* defined(FIPS_MODULE) */
-+
-     h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init);
-     if (h == 0)
-         goto done;
-@@ -297,6 +309,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
-         }
-     }
- 
-+    if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
-+        return 0;
-+
-     p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE);
-     if (p != NULL
-         && OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) {
-@@ -363,20 +378,77 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx,
- static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
- {
-     OSSL_PARAM *p;
-+    int any_valid = 0; /* set to 1 when at least one parameter was valid */
- 
-     p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE);
--    if (p == NULL)
-+    if (p != NULL) {
-+        any_valid = 1;
-+
-+        /* KBKDF can produce results as large as you like. */
-+        if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
-+            return 0;
-+    }
-+
-+#ifdef FIPS_MODULE
-+    p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR);
-+    if (p != NULL) {
-+        KBKDF *ctx = (KBKDF *)vctx;
-+        int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
-+
-+        any_valid = 1;
-+
-+        /* According to NIST Special Publication 800-131Ar2, Section 8:
-+         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
-+         * the key-derivation key [i.e., the input key] shall be at least 112
-+         * bits". */
-+        if (ctx->ki_len < EVP_KDF_FIPS_MIN_KEY_LEN)
-+            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+
-+        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
-+         * Verification Program, Section D.B and NIST Special Publication
-+         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
-+         * strength < 112 bits is legacy use only, so all derived keys should
-+         * be longer than that. If a derived key has ever been shorter than
-+         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
-+         * should also set the returned FIPS indicator to unapproved. */
-+        if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
-+            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+
-+        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
-+         * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
-+         * extendable-output functions may only be used as the standalone
-+         * algorithms." Note that the digest is only used when the MAC
-+         * algorithm is HMAC. */
-+        if (ctx->ctx_init != NULL
-+                && EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init), OSSL_MAC_NAME_HMAC)) {
-+            const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
-+            if (md != NULL
-+                    && (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256"))) {
-+                fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+            }
-+        }
-+
-+        if (!OSSL_PARAM_set_int(p, fips_indicator))
-+            return 0;
-+    }
-+#endif
-+
-+    if (!any_valid)
-         return -2;
- 
--    /* KBKDF can produce results as large as you like. */
--    return OSSL_PARAM_set_size_t(p, SIZE_MAX);
-+    return 1;
- }
- 
- static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *ctx,
-                                                    ossl_unused void *provctx)
- {
--    static const OSSL_PARAM known_gettable_ctx_params[] =
--        { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_END };
-+    static const OSSL_PARAM known_gettable_ctx_params[] = {
-+        OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
-+#ifdef FIPS_MODULE
-+        OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, NULL),
-+#endif /* defined(FIPS_MODULE) */
-+        OSSL_PARAM_END
-+    };
-     return known_gettable_ctx_params;
- }
- 
-diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c
-index c592ba72f1..4a52b38266 100644
---- a/providers/implementations/kdfs/sshkdf.c
-+++ b/providers/implementations/kdfs/sshkdf.c
-@@ -48,6 +48,9 @@ typedef struct {
-     char type; /* X */
-     unsigned char *session_id;
-     size_t session_id_len;
-+#ifdef FIPS_MODULE
-+    int fips_indicator;
-+#endif /* defined(FIPS_MODULE) */
- } KDF_SSHKDF;
- 
- static void *kdf_sshkdf_new(void *provctx)
-@@ -126,6 +129,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen,
-         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE);
-         return 0;
-     }
-+
-+#ifdef FIPS_MODULE
-+    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
-+        ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+#endif /* defined(FIPS_MODULE) */
-+
-     return SSHKDF(md, ctx->key, ctx->key_len,
-                   ctx->xcghash, ctx->xcghash_len,
-                   ctx->session_id, ctx->session_id_len,
-@@ -194,10 +203,67 @@ static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx,
- static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
- {
-     OSSL_PARAM *p;
-+    int any_valid = 0; /* set to 1 when at least one parameter was valid */
- 
--    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
--        return OSSL_PARAM_set_size_t(p, SIZE_MAX);
--    return -2;
-+    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
-+        any_valid = 1;
-+
-+        if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
-+            return 0;
-+    }
-+
-+#ifdef FIPS_MODULE
-+    p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR);
-+    if (p != NULL) {
-+        KDF_SSHKDF *ctx = vctx;
-+        int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
-+
-+        any_valid = 1;
-+
-+        /* According to NIST Special Publication 800-131Ar2, Section 8:
-+         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
-+         * the key-derivation key [i.e., the input key] shall be at least 112
-+         * bits". */
-+        if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
-+            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+
-+        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
-+         * Verification Program, Section D.B and NIST Special Publication
-+         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
-+         * strength < 112 bits is legacy use only, so all derived keys should
-+         * be longer than that. If a derived key has ever been shorter than
-+         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
-+         * should also set the returned FIPS indicator to unapproved. */
-+        if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
-+            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+
-+        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
-+         * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
-+         * extendable-output functions may only be used as the standalone
-+         * algorithms."
-+         *
-+         * Additionally, SP 800-135r1 section 5.2 specifies that the hash
-+         * function used in SSHKDF "is one of the hash functions specified in
-+         * FIPS 180-3.", which rules out SHA-3 and truncated variants of SHA-2.
-+         * */
-+        if (ctx->digest.md != NULL
-+            && !EVP_MD_is_a(ctx->digest.md, "SHA-1")
-+            && !EVP_MD_is_a(ctx->digest.md, "SHA2-224")
-+            && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
-+            && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
-+            && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
-+            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+        }
-+
-+        if (!OSSL_PARAM_set_int(p, fips_indicator))
-+            return 0;
-+    }
-+#endif
-+
-+    if (!any_valid)
-+        return -2;
-+
-+    return 1;
- }
- 
- static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
-@@ -205,6 +271,9 @@ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
- {
-     static const OSSL_PARAM known_gettable_ctx_params[] = {
-         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
-+#ifdef FIPS_MODULE
-+        OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, NULL),
-+#endif /* defined(FIPS_MODULE) */
-         OSSL_PARAM_END
-     };
-     return known_gettable_ctx_params;
-diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c
-index eb54972e1c..23865cd70f 100644
---- a/providers/implementations/kdfs/sskdf.c
-+++ b/providers/implementations/kdfs/sskdf.c
-@@ -64,6 +64,10 @@ typedef struct {
-     size_t salt_len;
-     size_t out_len; /* optional KMAC parameter */
-     int is_kmac;
-+    int is_x963kdf;
-+#ifdef FIPS_MODULE
-+    int fips_indicator;
-+#endif /* defined(FIPS_MODULE) */
- } KDF_SSKDF;
- 
- #define SSKDF_MAX_INLEN (1<<30)
-@@ -73,6 +77,7 @@ typedef struct {
- static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 };
- 
- static OSSL_FUNC_kdf_newctx_fn sskdf_new;
-+static OSSL_FUNC_kdf_newctx_fn x963kdf_new;
- static OSSL_FUNC_kdf_dupctx_fn sskdf_dup;
- static OSSL_FUNC_kdf_freectx_fn sskdf_free;
- static OSSL_FUNC_kdf_reset_fn sskdf_reset;
-@@ -296,6 +301,16 @@ static void *sskdf_new(void *provctx)
-     return ctx;
- }
- 
-+static void *x963kdf_new(void *provctx)
-+{
-+    KDF_SSKDF *ctx = sskdf_new(provctx);
-+
-+    if (ctx)
-+        ctx->is_x963kdf = 1;
-+
-+    return ctx;
-+}
-+
- static void sskdf_reset(void *vctx)
- {
-     KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
-@@ -361,6 +376,11 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen,
-     }
-     md = ossl_prov_digest_md(&ctx->digest);
- 
-+#ifdef FIPS_MODULE
-+    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
-+        ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+#endif /* defined(FIPS_MODULE) */
-+
-     if (ctx->macctx != NULL) {
-         /* H(x) = KMAC or H(x) = HMAC */
-         int ret;
-@@ -442,6 +462,11 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen,
-         return 0;
-     }
- 
-+#ifdef FIPS_MODULE
-+    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
-+        ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+#endif /* defined(FIPS_MODULE) */
-+
-     return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
-                           ctx->info, ctx->info_len, 1, key, keylen);
- }
-@@ -514,10 +539,74 @@ static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
- {
-     KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
-     OSSL_PARAM *p;
-+    int any_valid = 0; /* set to 1 when at least one parameter was valid */
-+
-+    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
-+        any_valid = 1;
-+
-+        if (!OSSL_PARAM_set_size_t(p, sskdf_size(ctx)))
-+            return 0;
-+    }
- 
--    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
--        return OSSL_PARAM_set_size_t(p, sskdf_size(ctx));
--    return -2;
-+#ifdef FIPS_MODULE
-+    p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR);
-+    if (p != NULL) {
-+        int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
-+
-+        any_valid = 1;
-+
-+        /* According to NIST Special Publication 800-131Ar2, Section 8:
-+         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
-+         * the key-derivation key [i.e., the input key] shall be at least 112
-+         * bits". */
-+        if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
-+            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+
-+        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
-+         * Verification Program, Section D.B and NIST Special Publication
-+         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
-+         * strength < 112 bits is legacy use only, so all derived keys should
-+         * be longer than that. If a derived key has ever been shorter than
-+         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
-+         * should also set the returned FIPS indicator to unapproved. */
-+        if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
-+            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+
-+        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
-+         * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
-+         * extendable-output functions may only be used as the standalone
-+         * algorithms." */
-+        if (ctx->macctx == NULL
-+                || (ctx->macctx != NULL &&
-+                    EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), OSSL_MAC_NAME_HMAC))) {
-+            if (ctx->digest.md != NULL
-+                && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
-+                    EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
-+                fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+            }
-+
-+            /* Table H-3 in ANS X9.63-2001 says that 160-bit hash functions
-+             * should only be used for 80-bit key agreement, but FIPS 140-3
-+             * requires a security strength of 112 bits, so SHA-1 cannot be
-+             * used with X9.63. See the discussion in
-+             * https://github.com/usnistgov/ACVP/issues/1403#issuecomment-1435300395.
-+             */
-+            if (ctx->is_x963kdf
-+                    && ctx->digest.md != NULL
-+                    && EVP_MD_is_a(ctx->digest.md, "SHA-1")) {
-+                fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+            }
-+        }
-+
-+        if (!OSSL_PARAM_set_int(p, fips_indicator))
-+            return 0;
-+    }
-+#endif
-+
-+    if (!any_valid)
-+        return -2;
-+
-+    return 1;
- }
- 
- static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
-@@ -525,6 +614,9 @@ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
- {
-     static const OSSL_PARAM known_gettable_ctx_params[] = {
-         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
-+#ifdef FIPS_MODULE
-+        OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, 0),
-+#endif /* defined(FIPS_MODULE) */
-         OSSL_PARAM_END
-     };
-     return known_gettable_ctx_params;
-@@ -545,7 +637,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = {
- };
- 
- const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = {
--    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new },
-+    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))x963kdf_new },
-     { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup },
-     { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
-     { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
-diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
-index a4d64b9352..f6782a6ca2 100644
---- a/providers/implementations/kdfs/tls1_prf.c
-+++ b/providers/implementations/kdfs/tls1_prf.c
-@@ -93,6 +93,13 @@ typedef struct {
-     /* Buffer of concatenated seed data */
-     unsigned char seed[TLS1_PRF_MAXBUF];
-     size_t seedlen;
-+
-+    /* MAC digest algorithm; used to compute FIPS indicator */
-+    PROV_DIGEST digest;
-+
-+#ifdef FIPS_MODULE
-+    int fips_indicator;
-+#endif /* defined(FIPS_MODULE) */
- } TLS1_PRF;
- 
- static void *kdf_tls1_prf_new(void *provctx)
-@@ -129,6 +136,7 @@ static void kdf_tls1_prf_reset(void *vctx)
-     EVP_MAC_CTX_free(ctx->P_sha1);
-     OPENSSL_clear_free(ctx->sec, ctx->seclen);
-     OPENSSL_cleanse(ctx->seed, ctx->seedlen);
-+    ossl_prov_digest_reset(&ctx->digest);
-     memset(ctx, 0, sizeof(*ctx));
-     ctx->provctx = provctx;
- }
-@@ -157,6 +165,10 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
-         ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
-         return 0;
-     }
-+#ifdef FIPS_MODULE
-+    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
-+        ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+#endif /* defined(FIPS_MODULE) */
- 
-     /*
-      * The seed buffer is prepended with a label.
-@@ -191,6 +203,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
-         }
-     }
- 
-+    if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
-+        return 0;
-+
-     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) {
-         OPENSSL_clear_free(ctx->sec, ctx->seclen);
-         ctx->sec = NULL;
-@@ -232,10 +247,60 @@ static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params(
- static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[])
- {
-     OSSL_PARAM *p;
-+#ifdef FIPS_MODULE
-+    TLS1_PRF *ctx = vctx;
-+#endif /* defined(FIPS_MODULE) */
-+    int any_valid = 0; /* set to 1 when at least one parameter was valid */
-+
-+    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
-+        any_valid = 1;
-+
-+        if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
-+            return 0;
-+    }
-+
-+#ifdef FIPS_MODULE
-+    p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR);
-+    if (p != NULL) {
-+        int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
-+
-+        any_valid = 1;
-+
-+        /* According to NIST Special Publication 800-131Ar2, Section 8:
-+         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
-+         * the key-derivation key [i.e., the input key] shall be at least 112
-+         * bits". */
-+        if (ctx->seclen < EVP_KDF_FIPS_MIN_KEY_LEN)
-+            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+
-+        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
-+         * Verification Program, Section D.B and NIST Special Publication
-+         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
-+         * strength < 112 bits is legacy use only, so all derived keys should
-+         * be longer than that. If a derived key has ever been shorter than
-+         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
-+         * should also set the returned FIPS indicator to unapproved. */
-+        if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
-+            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+
-+        /* SP 800-135r1 section 4.2.2 says TLS 1.2 KDF is approved when "(3)
-+         * P_HASH uses either SHA-256, SHA-384 or SHA-512." */
-+        if (ctx->digest.md != NULL
-+                && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
-+                && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
-+                && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
-+            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+        }
-+
-+        if (!OSSL_PARAM_set_int(p, fips_indicator))
-+            return 0;
-+    }
-+#endif
- 
--    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
--        return OSSL_PARAM_set_size_t(p, SIZE_MAX);
--    return -2;
-+    if (!any_valid)
-+        return -2;
-+
-+    return 1;
- }
- 
- static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
-@@ -243,6 +308,9 @@ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
- {
-     static const OSSL_PARAM known_gettable_ctx_params[] = {
-         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
-+#ifdef FIPS_MODULE
-+        OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, 0),
-+#endif /* defined(FIPS_MODULE) */
-         OSSL_PARAM_END
-     };
-     return known_gettable_ctx_params;
-diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c
-index b1bc6f7e1b..8173fc2cc7 100644
---- a/providers/implementations/kdfs/x942kdf.c
-+++ b/providers/implementations/kdfs/x942kdf.c
-@@ -13,11 +13,13 @@
- #include <openssl/core_dispatch.h>
- #include <openssl/err.h>
- #include <openssl/evp.h>
-+#include <openssl/kdf.h>
- #include <openssl/params.h>
- #include <openssl/proverr.h>
- #include "internal/packet.h"
- #include "internal/der.h"
- #include "internal/nelem.h"
-+#include "crypto/evp.h"
- #include "prov/provider_ctx.h"
- #include "prov/providercommon.h"
- #include "prov/implementations.h"
-@@ -47,6 +50,9 @@ typedef struct {
-     const unsigned char *cek_oid;
-     size_t cek_oid_len;
-     int use_keybits;
-+#ifdef FIPS_MODULE
-+    int fips_indicator;
-+#endif /* defined(FIPS_MODULE) */
- } KDF_X942;
- 
- /*
-@@ -460,6 +466,10 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen,
-         ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING);
-         return 0;
-     }
-+#ifdef FIPS_MODULE
-+    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
-+        ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+#endif /* defined(FIPS_MODULE) */
-     ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len,
-                            der, der_len, ctr, key, keylen);
-     OPENSSL_free(der);
-@@ -563,10 +573,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
- {
-     KDF_X942 *ctx = (KDF_X942 *)vctx;
-     OSSL_PARAM *p;
-+    int any_valid = 0; /* set to 1 when at least one parameter was valid */
- 
--    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
--        return OSSL_PARAM_set_size_t(p, x942kdf_size(ctx));
--    return -2;
-+    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
-+        any_valid = 1;
-+
-+        if (!OSSL_PARAM_set_size_t(p, x942kdf_size(ctx)))
-+            return 0;
-+    }
-+
-+#ifdef FIPS_MODULE
-+    p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR);
-+    if (p != NULL) {
-+        int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
-+
-+        any_valid = 1;
-+
-+        /* According to NIST Special Publication 800-131Ar2, Section 8:
-+         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
-+         * the key-derivation key [i.e., the input key] shall be at least 112
-+         * bits". */
-+        if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
-+            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+
-+        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
-+         * Verification Program, Section D.B and NIST Special Publication
-+         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
-+         * strength < 112 bits is legacy use only, so all derived keys should
-+         * be longer than that. If a derived key has ever been shorter than
-+         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
-+         * should also set the returned FIPS indicator to unapproved. */
-+        if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED)
-+            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+
-+        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
-+         * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
-+         * extendable-output functions may only be used as the standalone
-+         * algorithms." */
-+        if (ctx->digest.md != NULL
-+                && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
-+                    EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
-+            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+        }
-+
-+        if (!OSSL_PARAM_set_int(p, fips_indicator))
-+            return 0;
-+    }
-+#endif
-+
-+    if (!any_valid)
-+        return -2;
-+
-+    return 1;
- }
- 
- static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
-@@ -574,6 +632,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
- {
-     static const OSSL_PARAM known_gettable_ctx_params[] = {
-         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
-+#ifdef FIPS_MODULE
-+        OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, 0),
-+#endif /* defined(FIPS_MODULE) */
-         OSSL_PARAM_END
-     };
-     return known_gettable_ctx_params;
-diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
-index 70f7c50fe4..6618122417 100644
---- a/util/perl/OpenSSL/paramnames.pm
-+++ b/util/perl/OpenSSL/paramnames.pm
-@@ -183,6 +183,7 @@ my %params = (
-     'KDF_PARAM_X942_SUPP_PUBINFO' =>    "supp-pubinfo",
-     'KDF_PARAM_X942_SUPP_PRIVINFO' =>   "supp-privinfo",
-     'KDF_PARAM_X942_USE_KEYBITS' =>     "use-keybits",
-+    'KDF_PARAM_SUSE_FIPS_INDICATOR' =>     "suse-fips-indicator",
-     'KDF_PARAM_HMACDRBG_ENTROPY' =>     "entropy",
-     'KDF_PARAM_HMACDRBG_NONCE' =>       "nonce",
-     'KDF_PARAM_THREADS' =>        "threads",                # uint32_t
--- 
-2.39.2
-

openssl-Add_support_for_Windows_CA_certificate_store.patch

@@ -1,743 +0,0 @@
-From 2a071544f7d2e963a1f68f266f4e375568909d38 Mon Sep 17 00:00:00 2001
-From: Hugo Landau <hlandau@openssl.org>
-Date: Fri, 8 Apr 2022 13:10:52 +0100
-Subject: [PATCH 1/8] Fix URI handling in SSL_CERT_DIR/introduce SSL_CERT_URI
- env
-
-Fixes #18068.
----
- CHANGES.md                                               |   21 
- Configure                                                |    7 
- crypto/x509/by_dir.c                                     |   17 
- crypto/x509/by_store.c                                   |   14 
- crypto/x509/x509_def.c                                   |   15 
- doc/build.info                                           |    6 
- doc/man3/X509_get_default_cert_file.pod                  |  113 +++++
- include/internal/cryptlib.h                              |   11 
- include/internal/e_os.h                                  |    2 
- include/openssl/x509.h.in                                |    3 
- providers/implementations/include/prov/implementations.h |    1 
- providers/implementations/storemgmt/build.info           |    3 
- providers/implementations/storemgmt/winstore_store.c     |  327 +++++++++++++++
- providers/stores.inc                                     |    3 
- util/libcrypto.num                                       |    3 
- util/missingcrypto.txt                                   |    4 
- 16 files changed, 536 insertions(+), 14 deletions(-)
-
---- a/CHANGES.md
-+++ b/CHANGES.md
-@@ -24,6 +24,27 @@ OpenSSL 3.1
- 
- ### Changes between 3.1.0 and 3.1.1 [30 May 2023]
- 
-+ * The `SSL_CERT_PATH` and `SSL_CERT_URI` environment variables are introduced.
-+   `SSL_CERT_URI` can be used to specify a URI for a root certificate store. The
-+   `SSL_CERT_PATH` environment variable specifies a delimiter-separated list of
-+   paths which are searched for root certificates.
-+
-+   The existing `SSL_CERT_DIR` environment variable is deprecated.
-+   `SSL_CERT_DIR` was previously used to specify either a delimiter-separated
-+   list of paths or an URI, which is ambiguous. Setting `SSL_CERT_PATH` causes
-+   `SSL_CERT_DIR` to be ignored for the purposes of determining root certificate
-+   directories, and setting `SSL_CERT_URI` causes `SSL_CERT_DIR` to be ignored
-+   for the purposes of determining root certificate stores.
-+
-+   *Hugo Landau*
-+
-+ * Support for loading root certificates from the Windows certificate store
-+   has been added. The support is in the form of a store which recognises the
-+   URI string of `org.openssl.winstore://`. This store is enabled by default and
-+   can be disabled using the new compile-time option `no-winstore`.
-+
-+   *Hugo Landau*
-+
-  * Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
-    OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
- 
---- a/Configure
-+++ b/Configure
-@@ -420,6 +420,7 @@ my @disablables = (
-     "cached-fetch",
-     "camellia",
-     "capieng",
-+    "winstore",
-     "cast",
-     "chacha",
-     "cmac",
-@@ -1726,6 +1727,12 @@ unless ($disabled{ktls}) {
-     }
- }
- 
-+unless ($disabled{winstore}) {
-+    unless ($target =~ /^(?:Cygwin|mingw|VC-|BC-)/) {
-+        disable('not-windows', 'winstore');
-+    }
-+}
-+
- push @{$config{openssl_other_defines}}, "OPENSSL_NO_KTLS" if ($disabled{ktls});
- 
- # Get the extra flags used when building shared libraries and modules.  We
---- a/crypto/x509/by_dir.c
-+++ b/crypto/x509/by_dir.c
-@@ -88,13 +88,18 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
-     switch (cmd) {
-     case X509_L_ADD_DIR:
-         if (argl == X509_FILETYPE_DEFAULT) {
--            const char *dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
-+            /* If SSL_CERT_PATH is provided and non-empty, use that. */
-+            const char *dir = ossl_safe_getenv(X509_get_default_cert_path_env());
- 
--            if (dir)
--                ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
--            else
--                ret = add_cert_dir(ld, X509_get_default_cert_dir(),
--                                   X509_FILETYPE_PEM);
-+            /* Fallback to SSL_CERT_DIR. */
-+            if (dir == NULL)
-+                dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
-+
-+            /* Fallback to built-in default. */
-+            if (dir == NULL)
-+                dir = X509_get_default_cert_dir();
-+
-+            ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
-             if (!ret) {
-                 ERR_raise(ERR_LIB_X509, X509_R_LOADING_CERT_DIR);
-             }
---- a/crypto/x509/by_store.c
-+++ b/crypto/x509/by_store.c
-@@ -111,11 +111,21 @@ static int by_store_ctrl_ex(X509_LOOKUP
- {
-     switch (cmd) {
-     case X509_L_ADD_STORE:
--        /* If no URI is given, use the default cert dir as default URI */
-+        /* First try the newer default cert URI envvar. */
-+        if (argp == NULL)
-+            argp = ossl_safe_getenv(X509_get_default_cert_uri_env());
-+
-+        /* If not set, see if we have a URI in the older cert dir envvar. */
-         if (argp == NULL)
-             argp = ossl_safe_getenv(X509_get_default_cert_dir_env());
-+
-+        /* Fallback to default store URI. */
-         if (argp == NULL)
--            argp = X509_get_default_cert_dir();
-+            argp = X509_get_default_cert_uri();
-+
-+        /* No point adding an empty URI. */
-+        if (!*argp)
-+            return 1;
- 
-         {
-             STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
---- a/crypto/x509/x509_def.c
-+++ b/crypto/x509/x509_def.c
-@@ -22,6 +22,11 @@ const char *X509_get_default_cert_area(v
-     return X509_CERT_AREA;
- }
- 
-+const char *X509_get_default_cert_uri(void)
-+{
-+    return X509_CERT_URI;
-+}
-+
- const char *X509_get_default_cert_dir(void)
- {
-     return X509_CERT_DIR;
-@@ -32,6 +37,16 @@ const char *X509_get_default_cert_file(v
-     return X509_CERT_FILE;
- }
- 
-+const char *X509_get_default_cert_uri_env(void)
-+{
-+    return X509_CERT_URI_EVP;
-+}
-+
-+const char *X509_get_default_cert_path_env(void)
-+{
-+    return X509_CERT_PATH_EVP;
-+}
-+
- const char *X509_get_default_cert_dir_env(void)
- {
-     return X509_CERT_DIR_EVP;
---- a/doc/build.info
-+++ b/doc/build.info
-@@ -2791,6 +2791,10 @@ DEPEND[html/man3/X509_get0_uids.html]=ma
- GENERATE[html/man3/X509_get0_uids.html]=man3/X509_get0_uids.pod
- DEPEND[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod
- GENERATE[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod
-+DEPEND[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod
-+GENERATE[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod
-+DEPEND[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod
-+GENERATE[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod
- DEPEND[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod
- GENERATE[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod
- DEPEND[man/man3/X509_get_extension_flags.3]=man3/X509_get_extension_flags.pod
-@@ -3461,6 +3465,7 @@ html/man3/X509_get0_distinguishing_id.ht
- html/man3/X509_get0_notBefore.html \
- html/man3/X509_get0_signature.html \
- html/man3/X509_get0_uids.html \
-+html/man3/X509_get_default_cert_file.html \
- html/man3/X509_get_extension_flags.html \
- html/man3/X509_get_pubkey.html \
- html/man3/X509_get_serialNumber.html \
-@@ -4064,6 +4069,7 @@ man/man3/X509_get0_distinguishing_id.3 \
- man/man3/X509_get0_notBefore.3 \
- man/man3/X509_get0_signature.3 \
- man/man3/X509_get0_uids.3 \
-+man/man3/X509_get_default_cert_file.3 \
- man/man3/X509_get_extension_flags.3 \
- man/man3/X509_get_pubkey.3 \
- man/man3/X509_get_serialNumber.3 \
---- /dev/null
-+++ b/doc/man3/X509_get_default_cert_file.pod
-@@ -0,0 +1,113 @@
-+=pod
-+
-+=head1 NAME
-+
-+X509_get_default_cert_file, X509_get_default_cert_file_env,
-+X509_get_default_cert_path_env,
-+X509_get_default_cert_dir, X509_get_default_cert_dir_env,
-+X509_get_default_cert_uri, X509_get_default_cert_uri_env -
-+retrieve default locations for trusted CA certificates
-+
-+=head1 SYNOPSIS
-+
-+ #include <openssl/x509.h>
-+
-+ const char *X509_get_default_cert_file(void);
-+ const char *X509_get_default_cert_dir(void);
-+ const char *X509_get_default_cert_uri(void);
-+
-+ const char *X509_get_default_cert_file_env(void);
-+ const char *X509_get_default_cert_path_env(void);
-+ const char *X509_get_default_cert_dir_env(void);
-+ const char *X509_get_default_cert_uri_env(void);
-+
-+=head1 DESCRIPTION
-+
-+The X509_get_default_cert_file() function returns the default path
-+to a file containing trusted CA certificates. OpenSSL will use this as
-+the default path when it is asked to load trusted CA certificates
-+from a file and no other path is specified. If the file exists, CA certificates
-+are loaded from the file.
-+
-+The X509_get_default_cert_dir() function returns a default delimeter-separated
-+list of paths to a directories containing trusted CA certificates named in the
-+hashed format. OpenSSL will use this as the default list of paths when it is
-+asked to load trusted CA certificates from a directory and no other path is
-+specified. If a given directory in the list exists, OpenSSL attempts to lookup
-+CA certificates in this directory by calculating a filename based on a hash of
-+the certificate's subject name.
-+
-+The X509_get_default_cert_uri() function returns the default URI for a
-+certificate store accessed programmatically via an OpenSSL provider. If there is
-+no default store applicable to the system for which OpenSSL was compiled, this
-+returns an empty string.
-+
-+X509_get_default_cert_file_env() and X509_get_default_cert_uri_env() return
-+environment variable names which are recommended to specify nondefault values to
-+be used instead of the values returned by X509_get_default_cert_file() and
-+X509_get_default_cert_uri() respectively. The values returned by the latter
-+functions are not affected by these environment variables; you must check for
-+these environment variables yourself, using these functions to retrieve the
-+correct environment variable names. If an environment variable is not set, the
-+value returned by the corresponding function above should be used.
-+
-+X509_get_default_cert_path_env() returns the environment variable name which is
-+recommended to specify a nondefault value to be used instead of the value
-+returned by X509_get_default_cert_dir(). This environment variable supercedes
-+the deprecated environment variable whose name is returned by
-+X509_get_default_cert_dir_env(). This environment variable was deprecated as its
-+contents can be interpreted ambiguously; see NOTES.
-+
-+By default, OpenSSL uses the path list specified in the environment variable
-+whose name is returned by X509_get_default_cert_path_env() if it is set;
-+otherwise, it uses the path list specified in the environment variable whose
-+name is returned by X509_get_default_cert_dir_env() if it is set; otherwise, it
-+uses the value returned by X509_get_default_cert_dir()).
-+
-+=head1 NOTES
-+
-+X509_get_default_cert_uri(), X509_get_default_cert_uri_env() and
-+X509_get_default_cert_path_env() were introduced in OpenSSL 3.1. Prior to this
-+release, store URIs were expressed via the environment variable returned by
-+X509_get_default_cert_dir_env(); this environment variable could be used to
-+specify either a list of directories or a store URI. This creates an ambiguity
-+in which the environment variable returned by X509_get_default_cert_dir_env() is
-+interpreted both as a list of directories and as a store URI.
-+
-+This usage and the environment variable returned by
-+X509_get_default_cert_dir_env() are now deprecated; to specify a store URI, use
-+the environment variable returned by X509_get_default_cert_uri_env(), and to
-+specify a list of directories, use the environment variable returned by
-+X509_get_default_cert_path_env().
-+
-+=head1 RETURN VALUES
-+
-+These functions return pointers to constant strings with static storage
-+duration.
-+
-+=head1 SEE ALSO
-+
-+L<X509_LOOKUP(3)>,
-+L<SSL_CTX_set_default_verify_file(3)>,
-+L<SSL_CTX_set_default_verify_dir(3)>,
-+L<SSL_CTX_set_default_verify_store(3)>,
-+L<SSL_CTX_load_verify_file(3)>,
-+L<SSL_CTX_load_verify_dir(3)>,
-+L<SSL_CTX_load_verify_store(3)>,
-+L<SSL_CTX_load_verify_locations(3)>
-+
-+=head1 HISTORY
-+
-+X509_get_default_cert_uri(), X509_get_default_cert_path_env() and
-+X509_get_default_cert_uri_env() were introduced in OpenSSL 3.1.
-+
-+=head1 COPYRIGHT
-+
-+Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
-+
-+Licensed under the Apache License 2.0 (the "License").  You may not use
-+this file except in compliance with the License.  You can obtain a copy
-+in the file LICENSE in the source distribution or at
-+L<https://www.openssl.org/source/license.html>.
-+
-+=cut
---- a/include/internal/cryptlib.h
-+++ b/include/internal/cryptlib.h
-@@ -13,6 +13,8 @@
- 
- # include <stdlib.h>
- # include <string.h>
-+# include "openssl/configuration.h"
-+# include "internal/e_os.h" /* ossl_inline in many files */
- 
- # ifdef OPENSSL_USE_APPLINK
- #  define BIO_FLAGS_UPLINK_INTERNAL 0x8000
-@@ -77,6 +79,14 @@ DEFINE_LHASH_OF_EX(MEM);
- #  define CTLOG_FILE              "OSSL$DATAROOT:[000000]ct_log_list.cnf"
- # endif
- 
-+#ifndef OPENSSL_NO_WINSTORE
-+# define X509_CERT_URI            "org.openssl.winstore://"
-+#else
-+# define X509_CERT_URI            ""
-+#endif
-+
-+# define X509_CERT_URI_EVP        "SSL_CERT_URI"
-+# define X509_CERT_PATH_EVP       "SSL_CERT_PATH"
- # define X509_CERT_DIR_EVP        "SSL_CERT_DIR"
- # define X509_CERT_FILE_EVP       "SSL_CERT_FILE"
- # define CTLOG_FILE_EVP           "CTLOG_FILE"
-@@ -240,5 +250,4 @@ static ossl_inline int ossl_is_absolute_
- # endif
-     return path[0] == '/';
- }
--
- #endif
---- a/include/internal/e_os.h
-+++ b/include/internal/e_os.h
-@@ -249,7 +249,7 @@ FILE *__iob_func();
- /***********************************************/
- 
- # if defined(OPENSSL_SYS_WINDOWS)
--#  if (_MSC_VER >= 1310) && !defined(_WIN32_WCE)
-+#  if defined(_MSC_VER) && (_MSC_VER >= 1310) && !defined(_WIN32_WCE)
- #   define open _open
- #   define fdopen _fdopen
- #   define close _close
---- a/include/openssl/x509.h.in
-+++ b/include/openssl/x509.h.in
-@@ -491,8 +491,11 @@ ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s
- ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj);
- 
- const char *X509_get_default_cert_area(void);
-+const char *X509_get_default_cert_uri(void);
- const char *X509_get_default_cert_dir(void);
- const char *X509_get_default_cert_file(void);
-+const char *X509_get_default_cert_uri_env(void);
-+const char *X509_get_default_cert_path_env(void);
- const char *X509_get_default_cert_dir_env(void);
- const char *X509_get_default_cert_file_env(void);
- const char *X509_get_default_private_dir(void);
---- a/providers/implementations/include/prov/implementations.h
-+++ b/providers/implementations/include/prov/implementations.h
-@@ -517,3 +517,4 @@ extern const OSSL_DISPATCH ossl_SubjectP
- extern const OSSL_DISPATCH ossl_pem_to_der_decoder_functions[];
- 
- extern const OSSL_DISPATCH ossl_file_store_functions[];
-+extern const OSSL_DISPATCH ossl_winstore_store_functions[];
---- a/providers/implementations/storemgmt/build.info
-+++ b/providers/implementations/storemgmt/build.info
-@@ -4,3 +4,6 @@
- $STORE_GOAL=../../libdefault.a
- 
- SOURCE[$STORE_GOAL]=file_store.c file_store_any2obj.c
-+IF[{- !$disabled{winstore} -}]
-+    SOURCE[$STORE_GOAL]=winstore_store.c
-+ENDIF
---- /dev/null
-+++ b/providers/implementations/storemgmt/winstore_store.c
-@@ -0,0 +1,327 @@
-+/*
-+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
-+ *
-+ * Licensed under the Apache License 2.0 (the "License").  You may not use
-+ * this file except in compliance with the License.  You can obtain a copy
-+ * in the file LICENSE in the source distribution or at
-+ * https://www.openssl.org/source/license.html
-+ */
-+#include <openssl/store.h>
-+#include <openssl/core_dispatch.h>
-+#include <openssl/core_names.h>
-+#include <openssl/core_object.h>
-+#include <openssl/bio.h>
-+#include <openssl/err.h>
-+#include <openssl/params.h>
-+#include <openssl/decoder.h>
-+#include <openssl/proverr.h>
-+#include <openssl/store.h>       /* The OSSL_STORE_INFO type numbers */
-+#include "internal/cryptlib.h"
-+#include "internal/o_dir.h"
-+#include "crypto/decoder.h"
-+#include "crypto/ctype.h"        /* ossl_isdigit() */
-+#include "prov/implementations.h"
-+#include "prov/bio.h"
-+#include "file_store_local.h"
-+
-+#include <wincrypt.h>
-+
-+enum {
-+    STATE_IDLE,
-+    STATE_READ,
-+    STATE_EOF,
-+};
-+
-+struct winstore_ctx_st {
-+    void                   *provctx;
-+    char                   *propq;
-+    unsigned char          *subject;
-+    size_t                  subject_len;
-+
-+    HCERTSTORE              win_store;
-+    const CERT_CONTEXT     *win_ctx;
-+    int                     state;
-+
-+    OSSL_DECODER_CTX       *dctx;
-+};
-+
-+static void winstore_win_reset(struct winstore_ctx_st *ctx)
-+{
-+    if (ctx->win_ctx != NULL) {
-+        CertFreeCertificateContext(ctx->win_ctx);
-+        ctx->win_ctx = NULL;
-+    }
-+
-+    ctx->state = STATE_IDLE;
-+}
-+
-+static void winstore_win_advance(struct winstore_ctx_st *ctx)
-+{
-+    CERT_NAME_BLOB name = {0};
-+
-+    if (ctx->state == STATE_EOF)
-+        return;
-+
-+    name.cbData = ctx->subject_len;
-+    name.pbData = ctx->subject;
-+
-+    ctx->win_ctx = (name.cbData == 0 ? NULL :
-+        CertFindCertificateInStore(ctx->win_store,
-+                                   X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
-+                                   0, CERT_FIND_SUBJECT_NAME,
-+                                   &name, ctx->win_ctx));
-+
-+    ctx->state = (ctx->win_ctx == NULL) ? STATE_EOF : STATE_READ;
-+}
-+
-+static void *winstore_open(void *provctx, const char *uri)
-+{
-+    struct winstore_ctx_st *ctx = NULL;
-+
-+    if (!HAS_CASE_PREFIX(uri, "org.openssl.winstore:"))
-+        return NULL;
-+
-+    ctx = OPENSSL_zalloc(sizeof(*ctx));
-+    if (ctx == NULL)
-+        return NULL;
-+
-+    ctx->provctx    = provctx;
-+    ctx->win_store  = CertOpenSystemStoreW(0, L"ROOT");
-+    if (ctx->win_store == NULL) {
-+        OPENSSL_free(ctx);
-+        return NULL;
-+    }
-+
-+    winstore_win_reset(ctx);
-+    return ctx;
-+}
-+
-+static void *winstore_attach(void *provctx, OSSL_CORE_BIO *cin)
-+{
-+    return NULL; /* not supported */
-+}
-+
-+static const OSSL_PARAM *winstore_settable_ctx_params(void *loaderctx, const OSSL_PARAM params[])
-+{
-+    static const OSSL_PARAM known_settable_ctx_params[] = {
-+        OSSL_PARAM_octet_string(OSSL_STORE_PARAM_SUBJECT, NULL, 0),
-+        OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_PROPERTIES, NULL, 0),
-+        OSSL_PARAM_END
-+    };
-+    return known_settable_ctx_params;
-+}
-+
-+static int winstore_set_ctx_params(void *loaderctx, const OSSL_PARAM params[])
-+{
-+    struct winstore_ctx_st *ctx = loaderctx;
-+    const OSSL_PARAM *p;
-+    int do_reset = 0;
-+
-+    if (params == NULL)
-+        return 1;
-+
-+    p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_PROPERTIES);
-+    if (p != NULL) {
-+        do_reset = 1;
-+        OPENSSL_free(ctx->propq);
-+        ctx->propq = NULL;
-+        if (!OSSL_PARAM_get_utf8_string(p, &ctx->propq, 0))
-+            return 0;
-+    }
-+
-+    p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_SUBJECT);
-+    if (p != NULL) {
-+        const unsigned char *der = NULL;
-+        size_t der_len = 0;
-+
-+        if (!OSSL_PARAM_get_octet_string_ptr(p, (const void **)&der, &der_len))
-+            return 0;
-+
-+        do_reset = 1;
-+
-+        OPENSSL_free(ctx->subject);
-+
-+        ctx->subject = OPENSSL_malloc(der_len);
-+        if (ctx->subject == NULL) {
-+            ctx->subject_len = 0;
-+            return 0;
-+        }
-+
-+        ctx->subject_len = der_len;
-+        memcpy(ctx->subject, der, der_len);
-+    }
-+
-+    if (do_reset) {
-+        winstore_win_reset(ctx);
-+        winstore_win_advance(ctx);
-+    }
-+
-+    return 1;
-+}
-+
-+struct load_data_st {
-+    OSSL_CALLBACK  *object_cb;
-+    void           *object_cbarg;
-+};
-+
-+static int load_construct(OSSL_DECODER_INSTANCE *decoder_inst,
-+                           const OSSL_PARAM *params, void *construct_data)
-+{
-+    struct load_data_st *data = construct_data;
-+    return data->object_cb(params, data->object_cbarg);
-+}
-+
-+static void load_cleanup(void *construct_data)
-+{
-+    /* No-op. */
-+}
-+
-+static int setup_decoder(struct winstore_ctx_st *ctx)
-+{
-+    OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(ctx->provctx);
-+    const OSSL_ALGORITHM *to_algo = NULL;
-+
-+    if (ctx->dctx != NULL)
-+        return 1;
-+
-+    ctx->dctx = OSSL_DECODER_CTX_new();
-+    if (ctx->dctx == NULL) {
-+        ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
-+        return 0;
-+    }
-+
-+    if (!OSSL_DECODER_CTX_set_input_type(ctx->dctx, "DER")) {
-+        ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
-+        goto err;
-+    }
-+
-+    if (!OSSL_DECODER_CTX_set_input_structure(ctx->dctx, "Certificate")) {
-+        ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
-+        goto err;
-+    }
-+
-+    for (to_algo = ossl_any_to_obj_algorithm;
-+         to_algo->algorithm_names != NULL;
-+         to_algo++) {
-+        OSSL_DECODER *to_obj = NULL;
-+        OSSL_DECODER_INSTANCE *to_obj_inst = NULL;
-+
-+        /*
-+         * Create the internal last resort decoder implementation
-+         * together with a "decoder instance".
-+         * The decoder doesn't need any identification or to be
-+         * attached to any provider, since it's only used locally.
-+         */
-+        to_obj = ossl_decoder_from_algorithm(0, to_algo, NULL);
-+        if (to_obj != NULL)
-+            to_obj_inst = ossl_decoder_instance_new(to_obj, ctx->provctx);
-+
-+        OSSL_DECODER_free(to_obj);
-+        if (to_obj_inst == NULL)
-+            goto err;
-+
-+        if (!ossl_decoder_ctx_add_decoder_inst(ctx->dctx,
-+                                               to_obj_inst)) {
-+            ossl_decoder_instance_free(to_obj_inst);
-+            ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
-+            goto err;
-+        }
-+    }
-+
-+    if (!OSSL_DECODER_CTX_add_extra(ctx->dctx, libctx, ctx->propq)) {
-+        ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
-+        goto err;
-+    }
-+
-+    if (!OSSL_DECODER_CTX_set_construct(ctx->dctx, load_construct)) {
-+        ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
-+        goto err;
-+    }
-+
-+    if (!OSSL_DECODER_CTX_set_cleanup(ctx->dctx, load_cleanup)) {
-+        ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
-+        goto err;
-+    }
-+
-+    return 1;
-+
-+err:
-+    OSSL_DECODER_CTX_free(ctx->dctx);
-+    ctx->dctx = NULL;
-+    return 0;
-+}
-+
-+static int winstore_load_using(struct winstore_ctx_st *ctx,
-+                               OSSL_CALLBACK *object_cb, void *object_cbarg,
-+                               OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg,
-+                               const void *der, size_t der_len)
-+{
-+    struct load_data_st data;
-+    const unsigned char *der_ = der;
-+    size_t der_len_ = der_len;
-+
-+    if (setup_decoder(ctx) == 0)
-+        return 0;
-+
-+    data.object_cb      = object_cb;
-+    data.object_cbarg   = object_cbarg;
-+
-+    OSSL_DECODER_CTX_set_construct_data(ctx->dctx, &data);
-+    OSSL_DECODER_CTX_set_passphrase_cb(ctx->dctx, pw_cb, pw_cbarg);
-+
-+    if (OSSL_DECODER_from_data(ctx->dctx, &der_, &der_len_) == 0)
-+        return 0;
-+
-+    return 1;
-+}
-+
-+static int winstore_load(void *loaderctx,
-+                         OSSL_CALLBACK *object_cb, void *object_cbarg,
-+                         OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg)
-+{
-+    int ret = 0;
-+    struct winstore_ctx_st *ctx = loaderctx;
-+
-+    if (ctx->state != STATE_READ)
-+        return 0;
-+
-+    ret = winstore_load_using(ctx, object_cb, object_cbarg, pw_cb, pw_cbarg,
-+                              ctx->win_ctx->pbCertEncoded,
-+                              ctx->win_ctx->cbCertEncoded);
-+
-+    if (ret == 1)
-+        winstore_win_advance(ctx);
-+
-+    return ret;
-+}
-+
-+static int winstore_eof(void *loaderctx)
-+{
-+    struct winstore_ctx_st *ctx = loaderctx;
-+
-+    return ctx->state != STATE_READ;
-+}
-+
-+static int winstore_close(void *loaderctx)
-+{
-+    struct winstore_ctx_st *ctx = loaderctx;
-+
-+    winstore_win_reset(ctx);
-+    CertCloseStore(ctx->win_store, 0);
-+    OSSL_DECODER_CTX_free(ctx->dctx);
-+    OPENSSL_free(ctx->propq);
-+    OPENSSL_free(ctx->subject);
-+    OPENSSL_free(ctx);
-+    return 1;
-+}
-+
-+const OSSL_DISPATCH ossl_winstore_store_functions[] = {
-+    { OSSL_FUNC_STORE_OPEN, (void (*)(void))winstore_open },
-+    { OSSL_FUNC_STORE_ATTACH, (void (*)(void))winstore_attach },
-+    { OSSL_FUNC_STORE_SETTABLE_CTX_PARAMS, (void (*)(void))winstore_settable_ctx_params },
-+    { OSSL_FUNC_STORE_SET_CTX_PARAMS, (void (*)(void))winstore_set_ctx_params },
-+    { OSSL_FUNC_STORE_LOAD, (void (*)(void))winstore_load },
-+    { OSSL_FUNC_STORE_EOF, (void (*)(void))winstore_eof },
-+    { OSSL_FUNC_STORE_CLOSE, (void (*)(void))winstore_close },
-+    { 0, NULL },
-+};
---- a/providers/stores.inc
-+++ b/providers/stores.inc
-@@ -12,3 +12,6 @@
- #endif
- 
- STORE("file", "yes", ossl_file_store_functions)
-+#ifndef OPENSSL_NO_WINSTORE
-+STORE("org.openssl.winstore", "yes", ossl_winstore_store_functions)
-+#endif
---- a/util/libcrypto.num
-+++ b/util/libcrypto.num
-@@ -5435,4 +5435,7 @@ EVP_MD_CTX_dup
- EVP_CIPHER_CTX_dup                      5563	3_1_0	EXIST::FUNCTION:
- BN_are_coprime                          5564	3_1_0	EXIST::FUNCTION:
- OSSL_CMP_MSG_update_recipNonce          5565	3_0_9	EXIST::FUNCTION:CMP
-+X509_get_default_cert_uri               ?	3_1_0	EXIST::FUNCTION:
-+X509_get_default_cert_uri_env           ?	3_1_0	EXIST::FUNCTION:
-+X509_get_default_cert_path_env          ?	3_1_0	EXIST::FUNCTION:
- ossl_safe_getenv                        ?	3_0_0	EXIST::FUNCTION:
---- a/util/missingcrypto.txt
-+++ b/util/missingcrypto.txt
-@@ -1273,10 +1273,6 @@ X509_get0_trust_objects(3)
- X509_get1_email(3)
- X509_get1_ocsp(3)
- X509_get_default_cert_area(3)
--X509_get_default_cert_dir(3)
--X509_get_default_cert_dir_env(3)
--X509_get_default_cert_file(3)
--X509_get_default_cert_file_env(3)
- X509_get_default_private_dir(3)
- X509_get_pubkey_parameters(3)
- X509_get_signature_type(3)

openssl-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch

@@ -1,217 +0,0 @@
-From f470b130139919f32926b3f5a75ba4d161cbcf88 Mon Sep 17 00:00:00 2001
-From: Clemens Lang <cllang@redhat.com>
-Date: Tue, 1 Mar 2022 15:44:18 +0100
-Subject: Allow SHA1 in seclevel 1 if rh-allow-sha1-signatures = yes
-
-NOTE: This patch is ported from CentOS 9 / RHEL 9, where it allows SHA1
-in seclevel 2 if rh-allow-sha1-signatures = yes. This was chosen because
-on CentOS 9 and RHEL 9, the LEGACY crypto policy sets the security level
-to 2.
-
-On Fedora 35 (with OpenSSL 1.1) the legacy crypto policy uses security
-level 1. Because Fedora 36 supports both OpenSSL 1.1 and OpenSSL 3, and
-we want the legacy crypto policy to allow SHA-1 in TLS, the only option
-to make this happen consistently in both OpenSSL 1.1 and OpenSSL 3 is
-SECLEVEL=1 (which will allow SHA-1 in OpenSSL 1.1) and this change to
-allow SHA-1 in SECLEVEL=1 with rh-allow-sha1-signatures = yes (which
-will allow SHA-1 in OpenSSL 3).
-
-The change from CentOS 9 / RHEL 9 cannot be applied unmodified, because
-rh-allow-sha1-signatures will default to yes in Fedora (according to our
-current plans including until F38), and the security level in the
-DEFAULT crypto policy is 2, i.e., the unmodified change would weaken the
-default configuration.
-
-Related: rhbz#2055796
-Related: rhbz#2070977
----
- crypto/x509/x509_vfy.c        | 20 ++++++++++-
- doc/man5/config.pod           |  7 ++++
- ssl/t1_lib.c                  | 67 ++++++++++++++++++++++++++++-------
- test/recipes/25-test_verify.t |  4 +--
- 4 files changed, 82 insertions(+), 16 deletions(-)
-
-Index: openssl-3.1.4/crypto/x509/x509_vfy.c
-===================================================================
---- openssl-3.1.4.orig/crypto/x509/x509_vfy.c
-+++ openssl-3.1.4/crypto/x509/x509_vfy.c
-@@ -25,6 +25,7 @@
- #include <openssl/objects.h>
- #include <openssl/core_names.h>
- #include "internal/dane.h"
-+#include "internal/sslconf.h"
- #include "crypto/x509.h"
- #include "x509_local.h"
- 
-@@ -3438,14 +3439,31 @@ static int check_sig_level(X509_STORE_CT
- {
-     int secbits = -1;
-     int level = ctx->param->auth_level;
-+    int nid;
-+    OSSL_LIB_CTX *libctx = NULL;
- 
-     if (level <= 0)
-         return 1;
-     if (level > NUM_AUTH_LEVELS)
-         level = NUM_AUTH_LEVELS;
- 
--    if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
-+    if (ctx->libctx)
-+        libctx = ctx->libctx;
-+    else if (cert->libctx)
-+        libctx = cert->libctx;
-+    else
-+        libctx = OSSL_LIB_CTX_get0_global_default();
-+
-+    if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL))
-         return 0;
- 
-+    if ((nid == NID_sha1 || nid == NID_md5_sha1)
-+            && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
-+            && ctx->param->auth_level < 2)
-+        /* When rh-allow-sha1-signatures = yes and security level <= 1,
-+         * explicitly allow SHA1 for backwards compatibility. Also allow
-+         * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
-+        return 1;
-+
-     return secbits >= minbits_table[level - 1];
- }
-Index: openssl-3.1.4/doc/man5/config.pod
-===================================================================
---- openssl-3.1.4.orig/doc/man5/config.pod
-+++ openssl-3.1.4/doc/man5/config.pod
-@@ -317,6 +317,13 @@ this option is set to B<no>.  Because TL
- pseudorandom function (PRF) to derive key material, disabling
- B<rh-allow-sha1-signatures> requires the use of TLS 1.2 or newer.
- 
-+Note that enabling B<rh-allow-sha1-signatures> will allow TLS signature
-+algorithms that use SHA1 in security level 1, despite the definition of
-+security level 1 of 80 bits of security, which SHA1 and MD5-SHA1 do not meet.
-+This allows using SHA1 and MD5-SHA1 in TLS in the LEGACY crypto-policy on
-+Fedora without requiring to set the security level to 0, which would include
-+further insecure algorithms, and thus restores support for TLS 1.0 and 1.1.
-+
- This is a downstream specific option, and normally it should be set up via crypto-policies.
- 
- =item B<fips_mode> (deprecated)
-Index: openssl-3.1.4/ssl/t1_lib.c
-===================================================================
---- openssl-3.1.4.orig/ssl/t1_lib.c
-+++ openssl-3.1.4/ssl/t1_lib.c
-@@ -20,6 +20,7 @@
- #include <openssl/bn.h>
- #include <openssl/provider.h>
- #include <openssl/param_build.h>
-+#include "crypto/x509.h"
- #include "internal/sslconf.h"
- #include "internal/nelem.h"
- #include "internal/sizes.h"
-@@ -1588,19 +1589,28 @@ int tls12_check_peer_sigalg(SSL *s, uint
-         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST);
-         return 0;
-     }
--    /*
--     * Make sure security callback allows algorithm. For historical
--     * reasons we have to pass the sigalg as a two byte char array.
--     */
--    sigalgstr[0] = (sig >> 8) & 0xff;
--    sigalgstr[1] = sig & 0xff;
--    secbits = sigalg_security_bits(s->ctx, lu);
--    if (secbits == 0 ||
--        !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
--                      md != NULL ? EVP_MD_get_type(md) : NID_undef,
--                      (void *)sigalgstr)) {
--        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
--        return 0;
-+
-+    if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
-+            && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)
-+            && SSL_get_security_level(s) < 2) {
-+        /* When rh-allow-sha1-signatures = yes and security level <= 1,
-+         * explicitly allow SHA1 for backwards compatibility. Also allow
-+         * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
-+    } else {
-+        /*
-+         * Make sure security callback allows algorithm. For historical
-+         * reasons we have to pass the sigalg as a two byte char array.
-+         */
-+        sigalgstr[0] = (sig >> 8) & 0xff;
-+        sigalgstr[1] = sig & 0xff;
-+        secbits = sigalg_security_bits(s->ctx, lu);
-+        if (secbits == 0 ||
-+            !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
-+                          md != NULL ? EVP_MD_get_type(md) : NID_undef,
-+                          (void *)sigalgstr)) {
-+            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
-+            return 0;
-+        }
-     }
-     /* Store the sigalg the peer uses */
-     s->s3.tmp.peer_sigalg = lu;
-@@ -2138,6 +2148,15 @@ static int tls12_sigalg_allowed(const SS
-         }
-     }
- 
-+    if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
-+            && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)
-+            && SSL_get_security_level(s) < 2) {
-+        /* When rh-allow-sha1-signatures = yes and security level <= 1,
-+         * explicitly allow SHA1 for backwards compatibility. Also allow
-+         * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
-+        return 1;
-+    }
-+
-     /* Finally see if security callback allows it */
-     secbits = sigalg_security_bits(s->ctx, lu);
-     sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
-@@ -3007,6 +3026,8 @@ static int ssl_security_cert_sig(SSL *s,
- {
-     /* Lookup signature algorithm digest */
-     int secbits, nid, pknid;
-+    OSSL_LIB_CTX *libctx = NULL;
-+
-     /* Don't check signature if self signed */
-     if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
-         return 1;
-@@ -3015,6 +3036,26 @@ static int ssl_security_cert_sig(SSL *s,
-     /* If digest NID not defined use signature NID */
-     if (nid == NID_undef)
-         nid = pknid;
-+
-+    if (x && x->libctx)
-+        libctx = x->libctx;
-+    else if (ctx && ctx->libctx)
-+        libctx = ctx->libctx;
-+    else if (s && s->ctx && s->ctx->libctx)
-+        libctx = s->ctx->libctx;
-+    else
-+        libctx = OSSL_LIB_CTX_get0_global_default();
-+
-+    if ((nid == NID_sha1 || nid == NID_md5_sha1)
-+            && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
-+            && ((s != NULL && SSL_get_security_level(s) < 2)
-+                || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 2)
-+            ))
-+        /* When rh-allow-sha1-signatures = yes and security level <= 1,
-+         * explicitly allow SHA1 for backwards compatibility. Also allow
-+         * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
-+        return 1;
-+
-     if (s)
-         return ssl_security(s, op, secbits, nid, x);
-     else
-Index: openssl-3.1.4/test/recipes/25-test_verify.t
-===================================================================
---- openssl-3.1.4.orig/test/recipes/25-test_verify.t
-+++ openssl-3.1.4/test/recipes/25-test_verify.t
-@@ -439,8 +439,8 @@ ok(verify("ee-pss-sha1-cert", "", ["root
- ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ),
-     "CA with PSS signature using SHA256");
- 
--ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
--    "Reject PSS signature using SHA1 and auth level 1");
-+ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
-+    "Reject PSS signature using SHA1 and auth level 2");
- 
- ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
-     "PSS signature using SHA256 and auth level 2");

openssl-CVE-2023-5678.patch

@@ -1,172 +0,0 @@
-From ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6 Mon Sep 17 00:00:00 2001
-From: Richard Levitte <levitte@openssl.org>
-Date: Fri, 20 Oct 2023 09:18:19 +0200
-Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet
-
-We already check for an excessively large P in DH_generate_key(), but not in
-DH_check_pub_key(), and none of them check for an excessively large Q.
-
-This change adds all the missing excessive size checks of P and Q.
-
-It's to be noted that behaviours surrounding excessively sized P and Q
-differ.  DH_check() raises an error on the excessively sized P, but only
-sets a flag for the excessively sized Q.  This behaviour is mimicked in
-DH_check_pub_key().
-
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Hugo Landau <hlandau@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/22518)
----
- crypto/dh/dh_check.c    | 12 ++++++++++++
- crypto/dh/dh_err.c      |  3 ++-
- crypto/dh/dh_key.c      | 12 ++++++++++++
- crypto/err/openssl.txt  |  1 +
- include/crypto/dherr.h  |  2 +-
- include/openssl/dh.h    |  6 +++---
- include/openssl/dherr.h |  3 ++-
- 7 files changed, 33 insertions(+), 6 deletions(-)
-
-diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
-index 7ba2beae7fd6b..e20eb62081c5e 100644
---- a/crypto/dh/dh_check.c
-+++ b/crypto/dh/dh_check.c
-@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key)
-  */
- int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
- {
-+    /* Don't do any checks at all with an excessively large modulus */
-+    if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
-+        ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
-+        *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
-+        return 0;
-+    }
-+
-+    if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) {
-+        *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
-+        return 1;
-+    }
-+
-     return ossl_ffc_validate_public_key(&dh->params, pub_key, ret);
- }
- 
-diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
-index 4152397426cc9..f76ac0dd1463f 100644
---- a/crypto/dh/dh_err.c
-+++ b/crypto/dh/dh_err.c
-@@ -1,6 +1,6 @@
- /*
-  * Generated by util/mkerr.pl DO NOT EDIT
-- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
-  *
-  * Licensed under the Apache License 2.0 (the "License").  You may not use
-  * this file except in compliance with the License.  You can obtain a copy
-@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
-     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
-     "parameter encoding error"},
-     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
-+    {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
-     {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
-     {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
-     "unable to check generator"},
-diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
-index d84ea99241b9e..afc49f5cdc87d 100644
---- a/crypto/dh/dh_key.c
-+++ b/crypto/dh/dh_key.c
-@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
-         goto err;
-     }
- 
-+    if (dh->params.q != NULL
-+        && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
-+        ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
-+        goto err;
-+    }
-+
-     if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
-         ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
-         return 0;
-@@ -267,6 +273,12 @@ static int generate_key(DH *dh)
-         return 0;
-     }
- 
-+    if (dh->params.q != NULL
-+        && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
-+        ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
-+        return 0;
-+    }
-+
-     if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
-         ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
-         return 0;
-diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
-index a1e6bbb617fcb..69e4f61aa1801 100644
---- a/crypto/err/openssl.txt
-+++ b/crypto/err/openssl.txt
-@@ -513,6 +513,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set
- DH_R_NO_PRIVATE_VALUE:100:no private value
- DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
- DH_R_PEER_KEY_ERROR:111:peer key error
-+DH_R_Q_TOO_LARGE:130:q too large
- DH_R_SHARED_INFO_ERROR:113:shared info error
- DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
- DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters
-diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h
-index bb24d131eb887..519327f795742 100644
---- a/include/crypto/dherr.h
-+++ b/include/crypto/dherr.h
-@@ -1,6 +1,6 @@
- /*
-  * Generated by util/mkerr.pl DO NOT EDIT
-- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
-  *
-  * Licensed under the Apache License 2.0 (the "License").  You may not use
-  * this file except in compliance with the License.  You can obtain a copy
-diff --git a/include/openssl/dh.h b/include/openssl/dh.h
-index 8bc17448a0817..f1c0ed06b375a 100644
---- a/include/openssl/dh.h
-+++ b/include/openssl/dh.h
-@@ -144,7 +144,7 @@ DECLARE_ASN1_ITEM(DHparams)
- #   define DH_GENERATOR_3          3
- #   define DH_GENERATOR_5          5
- 
--/* DH_check error codes */
-+/* DH_check error codes, some of them shared with DH_check_pub_key */
- /*
-  * NB: These values must align with the equivalently named macros in
-  * internal/ffc.h.
-@@ -154,10 +154,10 @@ DECLARE_ASN1_ITEM(DHparams)
- #   define DH_UNABLE_TO_CHECK_GENERATOR    0x04
- #   define DH_NOT_SUITABLE_GENERATOR       0x08
- #   define DH_CHECK_Q_NOT_PRIME            0x10
--#   define DH_CHECK_INVALID_Q_VALUE        0x20
-+#   define DH_CHECK_INVALID_Q_VALUE        0x20 /* +DH_check_pub_key */
- #   define DH_CHECK_INVALID_J_VALUE        0x40
- #   define DH_MODULUS_TOO_SMALL            0x80
--#   define DH_MODULUS_TOO_LARGE            0x100
-+#   define DH_MODULUS_TOO_LARGE            0x100 /* +DH_check_pub_key */
- 
- /* DH_check_pub_key error codes */
- #   define DH_CHECK_PUBKEY_TOO_SMALL       0x01
-diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
-index 5d2a762a96f8c..074a70145f9f5 100644
---- a/include/openssl/dherr.h
-+++ b/include/openssl/dherr.h
-@@ -1,6 +1,6 @@
- /*
-  * Generated by util/mkerr.pl DO NOT EDIT
-- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
-  *
-  * Licensed under the Apache License 2.0 (the "License").  You may not use
-  * this file except in compliance with the License.  You can obtain a copy
-@@ -50,6 +50,7 @@
- #  define DH_R_NO_PRIVATE_VALUE                            100
- #  define DH_R_PARAMETER_ENCODING_ERROR                    105
- #  define DH_R_PEER_KEY_ERROR                              111
-+#  define DH_R_Q_TOO_LARGE                                 130
- #  define DH_R_SHARED_INFO_ERROR                           113
- #  define DH_R_UNABLE_TO_CHECK_GENERATOR                   121
- 

openssl-CVE-2023-6129.patch

@@ -1,109 +0,0 @@
-From 050d26383d4e264966fb83428e72d5d48f402d35 Mon Sep 17 00:00:00 2001
-From: Rohan McLure <rmclure@linux.ibm.com>
-Date: Thu, 4 Jan 2024 10:25:50 +0100
-Subject: [PATCH] poly1305-ppc.pl: Fix vector register clobbering
-
-Fixes CVE-2023-6129
-
-The POLY1305 MAC (message authentication code) implementation in OpenSSL for
-PowerPC CPUs saves the the contents of vector registers in different order
-than they are restored. Thus the contents of some of these vector registers
-is corrupted when returning to the caller. The vulnerable code is used only
-on newer PowerPC processors supporting the PowerISA 2.07 instructions.
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/23200)
-
-(cherry picked from commit 8d847a3ffd4f0b17ee33962cf69c36224925b34f)
----
- crypto/poly1305/asm/poly1305-ppc.pl | 42 ++++++++++++++---------------
- 1 file changed, 21 insertions(+), 21 deletions(-)
-
-diff --git a/crypto/poly1305/asm/poly1305-ppc.pl b/crypto/poly1305/asm/poly1305-ppc.pl
-index 9f86134d923fb..2e601bb9c24be 100755
---- a/crypto/poly1305/asm/poly1305-ppc.pl
-+++ b/crypto/poly1305/asm/poly1305-ppc.pl
-@@ -744,7 +744,7 @@
- my $LOCALS= 6*$SIZE_T;
- my $VSXFRAME = $LOCALS + 6*$SIZE_T;
-    $VSXFRAME += 128;	# local variables
--   $VSXFRAME += 13*16;	# v20-v31 offload
-+   $VSXFRAME += 12*16;	# v20-v31 offload
- 
- my $BIG_ENDIAN = ($flavour !~ /le/) ? 4 : 0;
- 
-@@ -919,12 +919,12 @@
- 	addi	r11,r11,32
- 	stvx	v22,r10,$sp
- 	addi	r10,r10,32
--	stvx	v23,r10,$sp
--	addi	r10,r10,32
--	stvx	v24,r11,$sp
-+	stvx	v23,r11,$sp
- 	addi	r11,r11,32
--	stvx	v25,r10,$sp
-+	stvx	v24,r10,$sp
- 	addi	r10,r10,32
-+	stvx	v25,r11,$sp
-+	addi	r11,r11,32
- 	stvx	v26,r10,$sp
- 	addi	r10,r10,32
- 	stvx	v27,r11,$sp
-@@ -1153,12 +1153,12 @@
- 	addi	r11,r11,32
- 	stvx	v22,r10,$sp
- 	addi	r10,r10,32
--	stvx	v23,r10,$sp
--	addi	r10,r10,32
--	stvx	v24,r11,$sp
-+	stvx	v23,r11,$sp
- 	addi	r11,r11,32
--	stvx	v25,r10,$sp
-+	stvx	v24,r10,$sp
- 	addi	r10,r10,32
-+	stvx	v25,r11,$sp
-+	addi	r11,r11,32
- 	stvx	v26,r10,$sp
- 	addi	r10,r10,32
- 	stvx	v27,r11,$sp
-@@ -1899,26 +1899,26 @@
- 	mtspr	256,r12				# restore vrsave
- 	lvx	v20,r10,$sp
- 	addi	r10,r10,32
--	lvx	v21,r10,$sp
--	addi	r10,r10,32
--	lvx	v22,r11,$sp
-+	lvx	v21,r11,$sp
- 	addi	r11,r11,32
--	lvx	v23,r10,$sp
-+	lvx	v22,r10,$sp
- 	addi	r10,r10,32
--	lvx	v24,r11,$sp
-+	lvx	v23,r11,$sp
- 	addi	r11,r11,32
--	lvx	v25,r10,$sp
-+	lvx	v24,r10,$sp
- 	addi	r10,r10,32
--	lvx	v26,r11,$sp
-+	lvx	v25,r11,$sp
- 	addi	r11,r11,32
--	lvx	v27,r10,$sp
-+	lvx	v26,r10,$sp
- 	addi	r10,r10,32
--	lvx	v28,r11,$sp
-+	lvx	v27,r11,$sp
- 	addi	r11,r11,32
--	lvx	v29,r10,$sp
-+	lvx	v28,r10,$sp
- 	addi	r10,r10,32
--	lvx	v30,r11,$sp
--	lvx	v31,r10,$sp
-+	lvx	v29,r11,$sp
-+	addi	r11,r11,32
-+	lvx	v30,r10,$sp
-+	lvx	v31,r11,$sp
- 	$POP	r27,`$VSXFRAME-$SIZE_T*5`($sp)
- 	$POP	r28,`$VSXFRAME-$SIZE_T*4`($sp)
- 	$POP	r29,`$VSXFRAME-$SIZE_T*3`($sp)

openssl-CVE-2023-6237.patch

@@ -1,122 +0,0 @@
-From 18c02492138d1eb8b6548cb26e7b625fb2414a2a Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Fri, 22 Dec 2023 16:25:56 +0100
-Subject: [PATCH] Limit the execution time of RSA public key check
-
-Fixes CVE-2023-6237
-
-If a large and incorrect RSA public key is checked with
-EVP_PKEY_public_check() the computation could take very long time
-due to no limit being applied to the RSA public key size and
-unnecessarily high number of Miller-Rabin algorithm rounds
-used for non-primality check of the modulus.
-
-Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS)
-will fail the check with RSA_R_MODULUS_TOO_LARGE error reason.
-Also the number of Miller-Rabin rounds was set to 5.
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/23243)
-
-(cherry picked from commit e09fc1d746a4fd15bb5c3d7bbbab950aadd005db)
----
- crypto/rsa/rsa_sp800_56b_check.c              |  8 +++-
- test/recipes/91-test_pkey_check.t             |  2 +-
- .../91-test_pkey_check_data/rsapub_17k.pem    | 48 +++++++++++++++++++
- 3 files changed, 56 insertions(+), 2 deletions(-)
- create mode 100644 test/recipes/91-test_pkey_check_data/rsapub_17k.pem
-
-diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c
-index fc8f19b48770b..bcbdd24fb8199 100644
---- a/crypto/rsa/rsa_sp800_56b_check.c
-+++ b/crypto/rsa/rsa_sp800_56b_check.c
-@@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
-         return 0;
- 
-     nbits = BN_num_bits(rsa->n);
-+    if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) {
-+        ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE);
-+        return 0;
-+    }
-+
- #ifdef FIPS_MODULE
-     /*
-      * (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1)
-@@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
-         goto err;
-     }
- 
--    ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, &status);
-+    /* Highest number of MR rounds from FIPS 186-5 Section B.3 Table B.1 */
-+    ret = ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, &status);
- #ifdef FIPS_MODULE
-     if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) {
- #else
-diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t
-index dc7cc64533af2..f8088df14d36c 100644
---- a/test/recipes/91-test_pkey_check.t
-+++ b/test/recipes/91-test_pkey_check.t
-@@ -70,7 +70,7 @@ push(@positive_tests, (
-     "dhpkey.pem"
-     )) unless disabled("dh");
- 
--my @negative_pubtests = ();
-+my @negative_pubtests = ("rsapub_17k.pem");  # Too big RSA public key
- 
- push(@negative_pubtests, (
-     "dsapub_noparam.der"
-diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
-new file mode 100644
-index 0000000000000..9a2eaedaf1b22
---- /dev/null
-+++ b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
-@@ -0,0 +1,48 @@
-+-----BEGIN PUBLIC KEY-----
-+MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR
-+B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph
-+gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2
-+GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/
-+XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj
-+b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2
-+gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq
-+TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1
-+vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0
-+V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j
-+/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH
-+SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa
-+PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y
-+Fmq6ye/r34ekyHPbfn6UuTON7joM6SIXb5bHM64x4iMVWx4hMvDjfy0UqfywAUyu
-+C1o7BExSMxxFG8GJcqR0K8akpPp7EM588PC+YuItoxzXgfUJnP3BQ1Beev2Ve7/J
-+xeGZH0N4ntfr+cuaLAakAER9zDglwChWflw3NNFgIdAgSxXv3XXx5xDXpdP4lxUo
-+F5zAN4Mero3yV90FaJl7Vhq/UFVidbwFc15jUDwaE0mKRcsBeVd3GOhoECAgE0id
-+aIPT20z8oVY0FyTJlRk7QSjo8WjJSrHY/Fn14gctX07ZdfkufyL6w+NijBdYluvB
-+nIrgHEvpkDEWoIa8qcx0EppoIcmqgMV2mTShfFYSybsO33Pm8WXec2FXjwhzs1Pi
-+R/BuIW8rHPI67xqWm0h8dEw11vtfi9a/BBBikFHe59KBjMTG+lW/gADNvRoTzGh7
-+kN4+UVDS3jlSisRZZOn1XoeQtpubNYWgUsecjKy45IwIj8h1SHgn3wkmUesY0woN
-+mOdoNtq+NezN4RFtbCOHhxFVpKKDi/HQP2ro0ykkXMDjwEIVf2Lii1Mg9UP8m+Ux
-+AOqkTrIkdogkRx+70h7/wUOfDIFUq2JbKzqxJYamyEphcdAko7/B8efQKc61Z93O
-+f2SHa4++4WI7wIIx18v5KV4M/cRmrfc8w9WRkQN3gBT5AJMuqwcSHVXBWvNQeGmi
-+ScMh7X6cCZ0daEujqb8svq4WgsJ8UT4GaGBRIYtt7QUKEh+JQwNJzneRYZ3pzpaH
-+UJeeoYobMlkp3rM9cYzdq90nBQiI9Jsbim9m9ggb2dMOS5CsI9S/IuG2O5uTjfxx
-+wkwsd5nLDFtNXHYZ7W6XlVJ1Rc6zShnEmdCn3mmibb6OaMUmun2yl9ryEjVSoXLP
-+fSA8W9K9yNhKTRkzdXJfqlC+s/ovX2xBGxsuOoUDaXhRVz0qmpKIHeSFjIP4iXq4
-+y8gDiwvM3HbZfvVonbg6siPwpn4uvw3hesojk1DKAENS52i6U3uK2fs1ALVxsFNS
-+Yh914rDu0Q3e4RXVhURaYzoEbLCot6WGYeCCfQOK0rkETMv+sTYYscC8/THuW7SL
-+HG5zy9Ed95N1Xmf8J+My7gM7ZFodGdHsWvdzEmqsdOFh6IVx/VfHFX0MDBq0t6lZ
-+eRvVgVCfu3gkYLwPScn/04E02vOom51ISKHsF/I11erC66jjNYV9BSpH8O7sAHxZ
-+EmPT2ZVVRSgivOHdQW/FZ3UZQQhVaVSympo2Eb4yWEMFn84Q8T+9Honj6gnB5PXz
-+chmeCsOMlcg1mwWwhn0k+OAWEZy7VRUk5Ahp0fBAGJgwBdqrZ3kM356DjUkVBiYq
-+4eHyvafNKmjf2mnFsI3g2NKRNyl1Lh63wyCFx60yYvBUfXF/W9PFJbD9CiP83kEW
-+gV36gxTsbOSfhpO1OXR90ODy0kx06XzWmJCUugK8u9bx4F/CjV+LIHExuNJiethC
-+A8sIup/MT0fWp4RO/SsVblGqfoqJTaPnhptQzeH2N07pbWkxeMuL6ppPuwFmfVjK
-+FJndqCVrAukcPEOQ16iVURuloJMudqYRc9QKkJFsnv0W/iMNbqQGmXe8Q/5qFiys
-+26NIQBiE2ad9hNLnoccEnmYSRgnW3ZPSKuq5TDdYyDqTZH2r8cam65pr3beKw2XC
-+xw4cc7VaxiwGC2Mg2wRmwwPaTjrcEt6sMa3RjwFEVBxBFyM26wnTEZsTBquCxV0J
-+pgERaeplkixP2Q0m7XAdlDaob973SM2vOoUgypzDchWmpx7u775bnOfU5CihwXl+
-+k0i09WZuT8bPmhEAiGCw5sNzMkz1BC2cCZFfJIkE2vc/wXYOrGxBTJo0EKaUFswa
-+2dnP/u0bn+VksBUM7ywW9LJSXh4mN+tpzdeJtxEObKwX1I0dQxSPWmjd2++wMr9q
-+Unre5fCrDToy2H7C2VKSpuOCT2/Kv4JDQRWwI4KxQOpn0UknAGNmfBoTtpIZ3LEb
-+77oBUJdMQD7tQBBLL0a6f1TdK0dHVprWWawJ+gGFMiMQXqAqblHcxFKWuHv9bQID
-+AQAB
-+-----END PUBLIC KEY-----

openssl-CVE-2024-0727.patch

@@ -1,120 +0,0 @@
-From 09df4395b5071217b76dc7d3d2e630eb8c5a79c2 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 19 Jan 2024 11:28:58 +0000
-Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL
-
-PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
-optional and can be NULL even if the "type" is a valid value. OpenSSL
-was not properly accounting for this and a NULL dereference can occur
-causing a crash.
-
-CVE-2024-0727
-
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-Reviewed-by: Hugo Landau <hlandau@openssl.org>
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/23362)
-
-(cherry picked from commit d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)
----
- crypto/pkcs12/p12_add.c  | 18 ++++++++++++++++++
- crypto/pkcs12/p12_mutl.c |  5 +++++
- crypto/pkcs12/p12_npas.c |  5 +++--
- crypto/pkcs7/pk7_mime.c  |  7 +++++--
- 4 files changed, 31 insertions(+), 4 deletions(-)
-
-diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c
-index 6fd4184af5a52..80ce31b3bca66 100644
---- a/crypto/pkcs12/p12_add.c
-+++ b/crypto/pkcs12/p12_add.c
-@@ -78,6 +78,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7)
-         ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA);
-         return NULL;
-     }
-+
-+    if (p7->d.data == NULL) {
-+        ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
-+        return NULL;
-+    }
-+
-     return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
- }
- 
-@@ -150,6 +156,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass,
- {
-     if (!PKCS7_type_is_encrypted(p7))
-         return NULL;
-+
-+    if (p7->d.encrypted == NULL) {
-+        ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
-+        return NULL;
-+    }
-+
-     return PKCS12_item_decrypt_d2i_ex(p7->d.encrypted->enc_data->algorithm,
-                                    ASN1_ITEM_rptr(PKCS12_SAFEBAGS),
-                                    pass, passlen,
-@@ -188,6 +200,12 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12)
-         ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA);
-         return NULL;
-     }
-+
-+    if (p12->authsafes->d.data == NULL) {
-+        ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
-+        return NULL;
-+    }
-+
-     p7s = ASN1_item_unpack(p12->authsafes->d.data,
-                            ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
-     if (p7s != NULL) {
-diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
-index 67a885a45f89e..68ff54d0e90ee 100644
---- a/crypto/pkcs12/p12_mutl.c
-+++ b/crypto/pkcs12/p12_mutl.c
-@@ -98,6 +98,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
-         return 0;
-     }
- 
-+    if (p12->authsafes->d.data == NULL) {
-+        ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
-+        return 0;
-+    }
-+
-     salt = p12->mac->salt->data;
-     saltlen = p12->mac->salt->length;
-     if (p12->mac->iter == NULL)
-diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c
-index 62230bc6187ff..1e5b5495991a4 100644
---- a/crypto/pkcs12/p12_npas.c
-+++ b/crypto/pkcs12/p12_npas.c
-@@ -77,8 +77,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass)
-             bags = PKCS12_unpack_p7data(p7);
-         } else if (bagnid == NID_pkcs7_encrypted) {
-             bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
--            if (!alg_get(p7->d.encrypted->enc_data->algorithm,
--                         &pbe_nid, &pbe_iter, &pbe_saltlen))
-+            if (p7->d.encrypted == NULL
-+                    || !alg_get(p7->d.encrypted->enc_data->algorithm,
-+                                &pbe_nid, &pbe_iter, &pbe_saltlen))
-                 goto err;
-         } else {
-             continue;
-diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c
-index 49a0da5f819c4..8228315eeaa3a 100644
---- a/crypto/pkcs7/pk7_mime.c
-+++ b/crypto/pkcs7/pk7_mime.c
-@@ -33,10 +33,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
-     int ctype_nid = OBJ_obj2nid(p7->type);
-     const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7);
- 
--    if (ctype_nid == NID_pkcs7_signed)
-+    if (ctype_nid == NID_pkcs7_signed) {
-+        if (p7->d.sign == NULL)
-+            return 0;
-         mdalgs = p7->d.sign->md_algs;
--    else
-+    } else {
-         mdalgs = NULL;
-+    }
- 
-     flags ^= SMIME_OLDMIME;
- 

openssl-CVE-2024-2511.patch

@@ -1,116 +0,0 @@
-From 7e4d731b1c07201ad9374c1cd9ac5263bdf35bce Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 5 Mar 2024 15:43:53 +0000
-Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3
-
-In TLSv1.3 we create a new session object for each ticket that we send.
-We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
-use then the new session will be added to the session cache. However, if
-early data is not in use (and therefore anti-replay protection is being
-used), then multiple threads could be resuming from the same session
-simultaneously. If this happens and a problem occurs on one of the threads,
-then the original session object could be marked as not_resumable. When we
-duplicate the session object this not_resumable status gets copied into the
-new session object. The new session object is then added to the session
-cache even though it is not_resumable.
-
-Subsequently, another bug means that the session_id_length is set to 0 for
-sessions that are marked as not_resumable - even though that session is
-still in the cache. Once this happens the session can never be removed from
-the cache. When that object gets to be the session cache tail object the
-cache never shrinks again and grows indefinitely.
-
-CVE-2024-2511
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24044)
----
- ssl/ssl_lib.c            |  5 +++--
- ssl/ssl_sess.c           | 28 ++++++++++++++++++++++------
- ssl/statem/statem_srvr.c |  5 ++---
- 3 files changed, 27 insertions(+), 11 deletions(-)
-
-diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index b5cc4af2f0302..e747b7f90aa71 100644
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -3737,9 +3737,10 @@ void ssl_update_cache(SSL *s, int mode)
- 
-     /*
-      * If the session_id_length is 0, we are not supposed to cache it, and it
--     * would be rather hard to do anyway :-)
-+     * would be rather hard to do anyway :-). Also if the session has already
-+     * been marked as not_resumable we should not cache it for later reuse.
-      */
--    if (s->session->session_id_length == 0)
-+    if (s->session->session_id_length == 0 || s->session->not_resumable)
-         return;
- 
-     /*
-diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
-index bf84e792251b8..241cf43c46296 100644
---- a/ssl/ssl_sess.c
-+++ b/ssl/ssl_sess.c
-@@ -154,16 +154,11 @@ SSL_SESSION *SSL_SESSION_new(void)
-     return ss;
- }
- 
--SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
--{
--    return ssl_session_dup(src, 1);
--}
--
- /*
-  * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
-  * ticket == 0 then no ticket information is duplicated, otherwise it is.
-  */
--SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
-+static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket)
- {
-     SSL_SESSION *dest;
- 
-@@ -287,6 +282,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
-     return NULL;
- }
- 
-+SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
-+{
-+    return ssl_session_dup_intern(src, 1);
-+}
-+
-+/*
-+ * Used internally when duplicating a session which might be already shared.
-+ * We will have resumed the original session. Subsequently we might have marked
-+ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
-+ * resume from.
-+ */
-+SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
-+{
-+    SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
-+
-+    if (sess != NULL)
-+        sess->not_resumable = 0;
-+
-+    return sess;
-+}
-+
- const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
- {
-     if (len)
-diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
-index 5d59d53563ed8..8e493176f658e 100644
---- a/ssl/statem/statem_srvr.c
-+++ b/ssl/statem/statem_srvr.c
-@@ -2338,9 +2338,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
-      * so the following won't overwrite an ID that we're supposed
-      * to send back.
-      */
--    if (s->session->not_resumable ||
--        (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
--         && !s->hit))
-+    if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
-+            && !s->hit)
-         s->session->session_id_length = 0;
- 
-     if (usetls13) {

openssl-CVE-2024-41996.patch

@@ -1,41 +0,0 @@
-From e70e34d857d4003199bcb5d3b52ca8102ccc1b98 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Mon, 5 Aug 2024 17:54:14 +0200
-Subject: [PATCH] dh_kmgmt.c: Avoid expensive public key validation for known
- safe-prime groups
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The partial validation is fully sufficient to check the key validity.
-
-Thanks to Szilárd Pfeiffer for reporting the issue.
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Paul Dale <ppzgs1@gmail.com>
-(Merged from https://github.com/openssl/openssl/pull/25088)
----
- providers/implementations/keymgmt/dh_kmgmt.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
-index 82c3093b122c2..ebdce767102ee 100644
---- a/providers/implementations/keymgmt/dh_kmgmt.c
-+++ b/providers/implementations/keymgmt/dh_kmgmt.c
-@@ -388,9 +388,11 @@ static int dh_validate_public(const DH *dh, int checktype)
-     if (pub_key == NULL)
-         return 0;
- 
--    /* The partial test is only valid for named group's with q = (p - 1) / 2 */
--    if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK
--        && ossl_dh_is_named_safe_prime_group(dh))
-+    /*
-+     * The partial test is only valid for named group's with q = (p - 1) / 2
-+     * but for that case it is also fully sufficient to check the key validity.
-+     */
-+    if (ossl_dh_is_named_safe_prime_group(dh))
-         return ossl_dh_check_pub_key_partial(dh, pub_key, &res);
- 
-     return DH_check_pub_key_ex(dh, pub_key);
-

openssl-CVE-2024-4603.patch

@@ -1,199 +0,0 @@
-From 9c39b3858091c152f52513c066ff2c5a47969f0d Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Wed, 8 May 2024 15:23:45 +0200
-Subject: [PATCH] Check DSA parameters for excessive sizes before validating
-
-This avoids overly long computation of various validation
-checks.
-
-Fixes CVE-2024-4603
-
-Reviewed-by: Paul Dale <ppzgs1@gmail.com>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
-(Merged from https://github.com/openssl/openssl/pull/24346)
-
-(cherry picked from commit 85ccbab216da245cf9a6503dd327072f21950d9b)
----
- CHANGES.md                                    | 17 ++++++
- crypto/dsa/dsa_check.c                        | 44 ++++++++++++--
- .../invalid/p10240_q256_too_big.pem           | 57 +++++++++++++++++++
- 3 files changed, 114 insertions(+), 4 deletions(-)
- create mode 100644 test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
-
-Index: openssl-3.1.4/crypto/dsa/dsa_check.c
-===================================================================
---- openssl-3.1.4.orig/crypto/dsa/dsa_check.c
-+++ openssl-3.1.4/crypto/dsa/dsa_check.c
-@@ -19,8 +19,34 @@
- #include "dsa_local.h"
- #include "crypto/dsa.h"
- 
-+static int dsa_precheck_params(const DSA *dsa, int *ret)
-+{
-+    if (dsa->params.p == NULL || dsa->params.q == NULL) {
-+        ERR_raise(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS);
-+        *ret = FFC_CHECK_INVALID_PQ;
-+        return 0;
-+    }
-+
-+    if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
-+        ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE);
-+        *ret = FFC_CHECK_INVALID_PQ;
-+        return 0;
-+    }
-+
-+    if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) {
-+        ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE);
-+        *ret = FFC_CHECK_INVALID_PQ;
-+        return 0;
-+    }
-+
-+    return 1;
-+}
-+
- int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
- {
-+    if (!dsa_precheck_params(dsa, ret))
-+        return 0;
-+
-     if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK)
-         return ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params,
-                                                FFC_PARAM_TYPE_DSA, ret);
-@@ -39,6 +65,9 @@ int ossl_dsa_check_params(const DSA *dsa
-  */
- int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
- {
-+    if (!dsa_precheck_params(dsa, ret))
-+        return 0;
-+
-     return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret)
-            && *ret == 0;
- }
-@@ -50,6 +79,9 @@ int ossl_dsa_check_pub_key(const DSA *ds
-  */
- int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret)
- {
-+    if (!dsa_precheck_params(dsa, ret))
-+        return 0;
-+
-     return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret)
-            && *ret == 0;
- }
-@@ -58,8 +90,10 @@ int ossl_dsa_check_priv_key(const DSA *d
- {
-     *ret = 0;
- 
--    return (dsa->params.q != NULL
--            && ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret));
-+    if (!dsa_precheck_params(dsa, ret))
-+        return 0;
-+
-+    return ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret);
- }
- 
- /*
-@@ -72,8 +106,10 @@ int ossl_dsa_check_pairwise(const DSA *d
-     BN_CTX *ctx = NULL;
-     BIGNUM *pub_key = NULL;
- 
--    if (dsa->params.p == NULL
--        || dsa->params.g == NULL
-+    if (!dsa_precheck_params(dsa, &ret))
-+        return 0;
-+
-+    if (dsa->params.g == NULL
-         || dsa->priv_key == NULL
-         || dsa->pub_key == NULL)
-         return 0;
-Index: openssl-3.1.4/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
-===================================================================
---- /dev/null
-+++ openssl-3.1.4/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
-@@ -0,0 +1,57 @@
-+-----BEGIN DSA PARAMETERS-----
-+MIIKLAKCBQEAym47LzPFZdbz16WvjczLKuzLtsP8yRk/exxL4bBthJhP1qOwctja
-+p1586SF7gDxCMn7yWVEYdfRbFefGoq0gj1XOE917XqlbnkmZhMgxut2KbNJo/xil
-+XNFUjGvKs3F413U9rAodC8f07cWHP1iTcWL+vPe6u2yilKWYYfnLWHQH+Z6aPrrF
-+x/R08LI6DZ6nEsIo+hxaQnEtx+iqNTJC6Q1RIjWDqxQkFVTkJ0Y7miRDXmRdneWk
-+oLrMZRpaXr5l5tSjEghh1pBgJcdyOv0lh4dlDy/alAiqE2Qlb667yHl6A9dDPlpW
-+dAntpffy4LwOxfbuEhISvKjjQoBwIvYE4TBPqL0Q6bC6HgQ4+tqd9b44pQjdIQjb
-+Xcjc6azheITSnPEex3OdKtKoQeRq01qCeLBpMXu1c+CTf4ApKArZvT3vZSg0hM1O
-+pR71bRZrEEegDj0LH2HCgI5W6H3blOS9A0kUTddCoQXr2lsVdiPtRbPKH1gcd9FQ
-+P8cGrvbakpTiC0dCczOMDaCteM1QNILlkM7ZoV6VghsKvDnFPxFsiIr5GgjasXP5
-+hhbn3g7sDoq1LiTEo+IKQY28pBWx7etSOSRuXW/spnvCkivZla7lSEGljoy9QlQ2
-+UZmsEQI9G3YyzgpxHvKZBK1CiZVTywdYKTZ4TYCxvqzhYhjv2bqbpjI12HRFLojB
-+koyEmMSp53lldCzp158PrIanqSp2rksMR8SmmCL3FwfAp2OjqFMEglG9DT8x0WaN
-+TLSkjGC6t2csMte7WyU1ekNoFDKfMjDSAz0+xIx21DEmZtYqFOg1DNPK1xYLS0pl
-+RSMRRkJVN2mk/G7/1oxlB8Wb9wgi3GKUqqCYT11SnBjzq0NdoJ3E4GMedp5Lx3AZ
-+4mFuRPUd4iV86tE0XDSHSFE7Y3ZkrOjD7Q/26/L53L/UH5z4HW6CHP5os7QERJjg
-+c1S3x87wXWo9QXbB9b2xmf+c+aWwAAr1cviw38tru58jF3/IGyduj9H8claKQqBG
-+cIOUF4aNe1hK2K3ArAOApUxr4KE+tCvrltRfiTmVFip0g9Jt1CPY3Zu7Bd4Z2ZkE
-+DtSztpwa49HrWF5E9xpquvBL2U8jQ68E7Xd8Wp4orI/TIChriamBmdkgRz3H2LvN
-+Ozb6+hsnEGrz3sp2RVAToSqA9ysa6nHZdfufPNtMEbQdO/k1ehmGRb0ljBRsO6b2
-+rsG2eYuC8tg8eCrIkua0TGRI7g6a4K32AJdzaX6NsISaaIW+OYJuoDSscvD3oOg8
-+PPEhU+zM7xJskTA+jxvPlikKx8V7MNHOCQECldJlUBwzJvqp40JvwfnDsF+8VYwd
-+UaiieR3pzMzyTjpReXRmZbnRPusRcsVzxb2OhB79wmuy4UPjjQBX+7eD0rs8xxvW
-+5a5q1Cjq4AvbwmmcA/wDrHDOjcbD/zodad2O1QtBWa/R4xyWea4zKsflgACE1zY9
-+wW2br7+YQFekcrXkkkEzgxd6zxv8KVEDpXRZjmAM1cI5LvkoN64To4GedN8Qe/G7
-+R9SZh9gnS17PTP64hK+aYqhFafMdu87q/+qLfxaSux727qE5hiW01u4nnWhACf9s
-+xuOozowKqxZxkolMIyZv6Lddwy1Zv5qjCyd0DvM/1skpXWkb9kfabYC+OhjsjVhs
-+0Ktfs6a5B3eixiw5x94hhIcTEcS4hmvhGUL72FiTca6ZeSERTKmNBy8CIQC9/ZUN
-+uU/V5JTcnYyUGHzm7+XcZBjyGBagBj9rCmW3SQKCBQAJ/k9rb39f1cO+/3XDEMjy
-+9bIEXSuS48g5RAc1UGd5nrrBQwuDxGWFyz0yvAY7LgyidZuJS21+MAp9EY7AOMmx
-+TDttifNaBJYt4GZ8of166PcqTKkHQwq5uBpxeSDv/ZE8YbYfaCtLTcUC8KlO+l36
-+gjJHSkdkflSsGy1yObSNDQDfVAAwQs//TjDMnuEtvlNXZllsTvFFBceXVETn10K2
-+ZMmdSIJNfLnjReUKEN6PfeGqv7F4xoyGwUybEfRE4u5RmXrqCODaIjY3SNMrOq8B
-+R3Ata/cCozsM1jIdIW2z+OybDJH+BYsYm2nkSZQjZS6javTYClLrntEKG/hAQwL8
-+F16YLOQXpHhgiAaWnTZzANtLppB2+5qCVy5ElzKongOwT8JTjTFXOaRnqe/ngm9W
-+SSbrxfDaoWUOyK9XD8Cydzpv3n4Y8nWNGayi7/yAFCU36Ri040ufgv/TZLuKacnl
-++3ga3ZUpRlSigzx0kb1+KjTSWeQ8vE/psdWjvBukVEbzdUauMLyRLo/6znSVvvPX
-+UGhviThE5uhrsUg+wEPFINriSHfF7JDKVhDcJnLBdaXvfN52pkF/naLBF5Rt3Gvq
-+fjCxjx0Sy9Lag1hDN4dor7dzuO7wmwOS01DJW1PtNLuuH0Bbqh1kYSaQkmyXBZWX
-+qo8K3nkoDM0niOtJJubOhTNrGmSaZpNXkK3Mcy9rBbdvEs5O0Jmqaax/eOdU0Yot
-+B3lX+3ddOseT2ZEFjzObqTtkWuFBeBxuYNcRTsu3qMdIBsEb8URQdsTtjoIja2fK
-+hreVgjK36GW70KXEl8V/vq5qjQulmqkBEjmilcDuiREKqQuyeagUOnhQaBplqVco
-+4xznh5DMBMRbpGb5lHxKv4cPNi+uNAJ5i98zWUM1JRt6aXnRCuWcll1z8fRZ+5kD
-+vK9FaZU3VRMK/eknEG49cGr8OuJ6ZRSaC+tKwV1y+amkSZpKPWnk2bUnQI3ApJv3
-+k1e1EToeECpMUkLMDgNbpKBoz4nqMEvAAlYgw9xKNbLlQlahqTVEAmaJHh4yDMDy
-+i7IZ9Wrn47IGoR7s3cvhDHUpRPeW4nsmgzj+tf5EAxemI61STZJTTWo0iaPGJxct
-+9nhOOhw1I38Mvm4vkAbFH7YJ0B6QrjjYL2MbOTp5JiIh4vdOeWwNo9/y4ffyaN5+
-+ADpxuuIAmcbdr6GPOhkOFFixRJa0B2eP1i032HESlLs8RB9oYtdTXdXQotnIgJGd
-+Y8tSKOa1zjzeLHn3AVpRZTUW++/BxmApV3GKIeG8fsUjg/df0QRrBcdC/1uccdaG
-+KKlAOwlywVn5jUlwHkTmDiTM9w5AqVVGHZ2b+4ZgQW8jnPKN0SrKf6U555D+zp7E
-+x4uXoE8ojN9y8m8UKf0cTLnujH2XgZorjPfuMOt5VZEhQFMS2QaljSeni5CJJ8gk
-+XtztNqfBlAtWR4V5iAHeQOfIB2YaOy8GESda89tyKraKeaez41VblpTVHTeq9IIF
-+YB4cQA2PfuNaGVRGLMAgT3Dvl+mxxxeJyxnGAiUcETU/jJJt9QombiuszBlYGQ5d
-+ELOSm/eQSRARV9zNSt5jaQlMSjMBqenIEM09BzYqa7jDwqoztFxNdO8bcuQPuKwa
-+4z3bBZ1yYm63WFdNbQqqGEwc0OYmqg1raJ0zltgHyjFyw8IGu4g/wETs+nVQcH7D
-+vKuje86bePD6kD/LH3wmkA==
-+-----END DSA PARAMETERS-----
-Index: openssl-3.1.4/CHANGES.md
-===================================================================
---- openssl-3.1.4.orig/CHANGES.md
-+++ openssl-3.1.4/CHANGES.md
-@@ -22,6 +22,23 @@ OpenSSL Releases
- OpenSSL 3.1
- -----------
- 
-+ * Fixed an issue where checking excessively long DSA keys or parameters may
-+   be very slow.
-+
-+   Applications that use the functions EVP_PKEY_param_check() or
-+   EVP_PKEY_public_check() to check a DSA public key or DSA parameters may
-+   experience long delays. Where the key or parameters that are being checked
-+   have been obtained from an untrusted source this may lead to a Denial of
-+   Service.
-+
-+   To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS
-+   will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error
-+   reason.
-+
-+   ([CVE-2024-4603])
-+
-+   *Tomáš Mráz*
-+
- ### Changes between 3.1.3 and 3.1.4 [24 Oct 2023]
- 
-  * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(),

openssl-CVE-2024-4741.patch

@@ -1,28 +0,0 @@
-@@ -, +, @@ 
----
- ssl/record/methods/tls_common.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
---- openssl-3.0.8/ssl/record/ssl3_buffer.c	
-+++ openssl-3.0.8/ssl/record/ssl3_buffer.c	
-@@ -186,5 +186,7 @@ int ssl3_release_read_buffer(SSL *s)
-         OPENSSL_cleanse(b->buf, b->len);
-     OPENSSL_free(b->buf);
-     b->buf = NULL;
-+    s->rlayer.packet = NULL;
-+    s->rlayer.packet_length = 0;
-     return 1;
- }
---- openssl-3.0.8/ssl/record/rec_layer_s3.c	
-+++ openssl-3.0.8/ssl/record/rec_layer_s3.c	
-@@ -238,6 +238,11 @@ int ssl3_read_n(SSL *s, size_t n, size_t
-         s->rlayer.packet_length = 0;
-         /* ... now we can act as if 'extend' was set */
-     }
-+    if (!ossl_assert(s->rlayer.packet != NULL)) {
-+        /* does not happen */
-+        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
-+        return -1;
-+    }
- 
-     len = s->rlayer.packet_length;
-     pkt = rb->buf + align;

openssl-CVE-2024-5535.patch

@@ -1,326 +0,0 @@
-From 4ada436a1946cbb24db5ab4ca082b69c1bc10f37 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 11:14:33 +0100
-Subject: [PATCH] Fix SSL_select_next_proto
-
-Ensure that the provided client list is non-NULL and starts with a valid
-entry. When called from the ALPN callback the client list should already
-have been validated by OpenSSL so this should not cause a problem. When
-called from the NPN callback the client list is locally configured and
-will not have already been validated. Therefore SSL_select_next_proto
-should not assume that it is correctly formatted.
-
-We implement stricter checking of the client protocol list. We also do the
-same for the server list while we are about it.
-
-CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24718)
----
- ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++-------------------
- 1 file changed, 40 insertions(+), 23 deletions(-)
-
-diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index 5493d9b9c7..f218dcf1db 100644
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -2953,37 +2953,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
-                           unsigned int server_len,
-                           const unsigned char *client, unsigned int client_len)
- {
--    unsigned int i, j;
--    const unsigned char *result;
--    int status = OPENSSL_NPN_UNSUPPORTED;
-+    PACKET cpkt, csubpkt, spkt, ssubpkt;
-+
-+    if (!PACKET_buf_init(&cpkt, client, client_len)
-+            || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
-+            || PACKET_remaining(&csubpkt) == 0) {
-+        *out = NULL;
-+        *outlen = 0;
-+        return OPENSSL_NPN_NO_OVERLAP;
-+    }
-+
-+    /*
-+     * Set the default opportunistic protocol. Will be overwritten if we find
-+     * a match.
-+     */
-+    *out = (unsigned char *)PACKET_data(&csubpkt);
-+    *outlen = (unsigned char)PACKET_remaining(&csubpkt);
- 
-     /*
-      * For each protocol in server preference order, see if we support it.
-      */
--    for (i = 0; i < server_len;) {
--        for (j = 0; j < client_len;) {
--            if (server[i] == client[j] &&
--                memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
--                /* We found a match */
--                result = &server[i];
--                status = OPENSSL_NPN_NEGOTIATED;
--                goto found;
-+    if (PACKET_buf_init(&spkt, server, server_len)) {
-+        while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
-+            if (PACKET_remaining(&ssubpkt) == 0)
-+                continue; /* Invalid - ignore it */
-+            if (PACKET_buf_init(&cpkt, client, client_len)) {
-+                while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
-+                    if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
-+                                     PACKET_remaining(&ssubpkt))) {
-+                        /* We found a match */
-+                        *out = (unsigned char *)PACKET_data(&ssubpkt);
-+                        *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
-+                        return OPENSSL_NPN_NEGOTIATED;
-+                    }
-+                }
-+                /* Ignore spurious trailing bytes in the client list */
-+            } else {
-+                /* This should never happen */
-+                return OPENSSL_NPN_NO_OVERLAP;
-             }
--            j += client[j];
--            j++;
-         }
--        i += server[i];
--        i++;
-+        /* Ignore spurious trailing bytes in the server list */
-     }
- 
--    /* There's no overlap between our protocols and the server's list. */
--    result = client;
--    status = OPENSSL_NPN_NO_OVERLAP;
--
-- found:
--    *out = (unsigned char *)result + 1;
--    *outlen = result[0];
--    return status;
-+    /*
-+     * There's no overlap between our protocols and the server's list. We use
-+     * the default opportunistic protocol selected earlier
-+     */
-+    return OPENSSL_NPN_NO_OVERLAP;
- }
- 
- #ifndef OPENSSL_NO_NEXTPROTONEG
--- 
-2.45.2
-
-From 4279c89a726025c758db3dafb263b17e52211304 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 11:18:27 +0100
-Subject: [PATCH] More correctly handle a selected_len of 0 when
- processing NPN
-
-In the case where the NPN callback returns with SSL_TLEXT_ERR_OK, but
-the selected_len is 0 we should fail. Previously this would fail with an
-internal_error alert because calling OPENSSL_malloc(selected_len) will
-return NULL when selected_len is 0. We make this error detection more
-explicit and return a handshake failure alert.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24718)
----
- ssl/statem/extensions_clnt.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
-index 842be0722b..a07dc62e9a 100644
---- a/ssl/statem/extensions_clnt.c
-+++ b/ssl/statem/extensions_clnt.c
-@@ -1536,7 +1536,8 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
-                                   PACKET_data(pkt),
-                                   PACKET_remaining(pkt),
-                                   s->ctx->ext.npn_select_cb_arg) !=
--             SSL_TLSEXT_ERR_OK) {
-+                                  SSL_TLSEXT_ERR_OK
-+            || selected_len == 0) {
-         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
-         return 0;
-     }
--- 
-2.45.2
-
-From 889ed19ba25abebd2690997acd6d4791cbe5c493 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 11:46:38 +0100
-Subject: [PATCH] Clarify the SSL_select_next_proto() documentation
-
-We clarify the input preconditions and the expected behaviour in the event
-of no overlap.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24718)
----
- doc/man3/SSL_CTX_set_alpn_select_cb.pod | 26 +++++++++++++++++--------
- 1 file changed, 18 insertions(+), 8 deletions(-)
-
-diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
-index 102e657851..a29557dd91 100644
---- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod
-+++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
-@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
- SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to
- set the list of protocols available to be negotiated. The B<protos> must be in
- protocol-list format, described below. The length of B<protos> is specified in
--B<protos_len>.
-+B<protos_len>. Setting B<protos_len> to 0 clears any existing list of ALPN
-+protocols and no ALPN extension will be sent to the server.
- 
- SSL_CTX_set_alpn_select_cb() sets the application callback B<cb> used by a
- server to select which protocol to use for the incoming connection. When B<cb>
-@@ -73,9 +74,16 @@ B<server_len> and B<client>, B<client_len> must be in the protocol-list format
- described below. The first item in the B<server>, B<server_len> list that
- matches an item in the B<client>, B<client_len> list is selected, and returned
- in B<out>, B<outlen>. The B<out> value will point into either B<server> or
--B<client>, so it should be copied immediately. If no match is found, the first
--item in B<client>, B<client_len> is returned in B<out>, B<outlen>. This
--function can also be used in the NPN callback.
-+B<client>, so it should be copied immediately. The client list must include at
-+least one valid (nonempty) protocol entry in the list.
-+
-+The SSL_select_next_proto() helper function can be useful from either the ALPN
-+callback or the NPN callback (described below). If no match is found, the first
-+item in B<client>, B<client_len> is returned in B<out>, B<outlen> and
-+B<OPENSSL_NPN_NO_OVERLAP> is returned. This can be useful when implementating
-+the NPN callback. In the ALPN case, the value returned in B<out> and B<outlen>
-+must be ignored if B<OPENSSL_NPN_NO_OVERLAP> has been returned from
-+SSL_select_next_proto().
- 
- SSL_CTX_set_next_proto_select_cb() sets a callback B<cb> that is called when a
- client needs to select a protocol from the server's provided list, and a
-@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B<in>).
- The length of the protocol name must be written into B<outlen>. The
- server's advertised protocols are provided in B<in> and B<inlen>. The
- callback can assume that B<in> is syntactically valid. The client must
--select a protocol. It is fatal to the connection if this callback returns
--a value other than B<SSL_TLSEXT_ERR_OK>. The B<arg> parameter is the pointer
--set via SSL_CTX_set_next_proto_select_cb().
-+select a protocol (although it may be an empty, zero length protocol). It is
-+fatal to the connection if this callback returns a value other than
-+B<SSL_TLSEXT_ERR_OK> or if the zero length protocol is selected. The B<arg>
-+parameter is the pointer set via SSL_CTX_set_next_proto_select_cb().
- 
- SSL_CTX_set_next_protos_advertised_cb() sets a callback B<cb> that is called
- when a TLS server needs a list of supported protocols for Next Protocol
-@@ -149,7 +158,8 @@ A match was found and is returned in B<out>, B<outlen>.
- =item OPENSSL_NPN_NO_OVERLAP
- 
- No match was found. The first item in B<client>, B<client_len> is returned in
--B<out>, B<outlen>.
-+B<out>, B<outlen> (or B<NULL> and 0 in the case where the first entry in
-+B<client> is invalid).
- 
- =back
- 
--- 
-2.45.2
-
-From 087501b4f572825e27ca8cc2c5874fcf6fd47cf7 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 21 Jun 2024 10:41:55 +0100
-Subject: [PATCH] Correct return values for
- tls_construct_stoc_next_proto_neg
-
-Return EXT_RETURN_NOT_SENT in the event that we don't send the extension,
-rather than EXT_RETURN_SENT. This actually makes no difference at all to
-the current control flow since this return value is ignored in this case
-anyway. But lets make it correct anyway.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24718)
----
- ssl/statem/extensions_srvr.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
-index 4ea085e1a1..2da880450f 100644
---- a/ssl/statem/extensions_srvr.c
-+++ b/ssl/statem/extensions_srvr.c
-@@ -1476,9 +1476,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
-             return EXT_RETURN_FAIL;
-         }
-         s->s3.npn_seen = 1;
-+        return EXT_RETURN_SENT;
-     }
- 
--    return EXT_RETURN_SENT;
-+    return EXT_RETURN_NOT_SENT;
- }
- #endif
- 
--- 
-2.45.2
-
-From 017e54183b95617825fb9316d618c154a34c634e Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 21 Jun 2024 11:51:54 +0100
-Subject: [PATCH] Add ALPN validation in the client
-
-The ALPN protocol selected by the server must be one that we originally
-advertised. We should verify that it is.
-
-Follow on from CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24718)
----
- ssl/statem/extensions_clnt.c | 24 ++++++++++++++++++++++++
- 1 file changed, 24 insertions(+)
-
-diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
-index a07dc62e9a..b21ccf9273 100644
---- a/ssl/statem/extensions_clnt.c
-+++ b/ssl/statem/extensions_clnt.c
-@@ -1566,6 +1566,8 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
-                         size_t chainidx)
- {
-     size_t len;
-+    PACKET confpkt, protpkt;
-+    int valid = 0;
- 
-     /* We must have requested it. */
-     if (!s->s3.alpn_sent) {
-@@ -1584,6 +1586,28 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
-         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
-         return 0;
-     }
-+
-+    /* It must be a protocol that we sent */
-+    if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {
-+        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
-+        return 0;
-+    }
-+    while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {
-+        if (PACKET_remaining(&protpkt) != len)
-+            continue;
-+        if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {
-+            /* Valid protocol found */
-+            valid = 1;
-+            break;
-+        }
-+    }
-+
-+    if (!valid) {
-+        /* The protocol sent from the server does not match one we advertised */
-+        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
-+        return 0;
-+    }
-+
-     OPENSSL_free(s->s3.alpn_selected);
-     s->s3.alpn_selected = OPENSSL_malloc(len);
-     if (s->s3.alpn_selected == NULL) {
--- 
-2.45.2
-

openssl-CVE-2024-6119.patch

@@ -1,255 +0,0 @@
-commit 97ebe37033e8884f4cca5544a74376633c665e11
-Author: Viktor Dukhovni <viktor@openssl.org>
-Date:   Wed Jun 19 21:04:11 2024 +1000
-
-    Avoid type errors in EAI-related name check logic.
-    
-    The incorrectly typed data is read only, used in a compare operation, so
-    neither remote code execution, nor memory content disclosure were possible.
-    However, applications performing certificate name checks were vulnerable to
-    denial of service.
-    
-    The GENERAL_TYPE data type is a union, and we must take care to access the
-    correct member, based on `gen->type`, not all the member fields have the same
-    structure, and a segfault is possible if the wrong member field is read.
-    
-    The code in question was lightly refactored with the intent to make it more
-    obviously correct.
-    
-    CVE-2024-6119
-    
-    (cherry picked from commit 1486960d6cdb052e4fc0109a56a0597b4e902ba1)
-
-diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
-index 1a18174995..a09414c972 100644
---- a/crypto/x509/v3_utl.c
-+++ b/crypto/x509/v3_utl.c
-@@ -916,36 +916,64 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
-             ASN1_STRING *cstr;
- 
-             gen = sk_GENERAL_NAME_value(gens, i);
--            if ((gen->type == GEN_OTHERNAME) && (check_type == GEN_EMAIL)) {
--                if (OBJ_obj2nid(gen->d.otherName->type_id) ==
--                    NID_id_on_SmtpUTF8Mailbox) {
--                    san_present = 1;
--
--                    /*
--                     * If it is not a UTF8String then that is unexpected and we
--                     * treat it as no match
--                     */
--                    if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) {
--                        cstr = gen->d.otherName->value->value.utf8string;
--
--                        /* Positive on success, negative on error! */
--                        if ((rv = do_check_string(cstr, 0, equal, flags,
--                                                chk, chklen, peername)) != 0)
--                            break;
--                    }
--                } else
-+            switch (gen->type) {
-+            default:
-+                continue;
-+            case GEN_OTHERNAME:
-+		switch (OBJ_obj2nid(gen->d.otherName->type_id)) {
-+                default:
-                     continue;
--            } else {
--                if ((gen->type != check_type) && (gen->type != GEN_OTHERNAME))
-+                case NID_id_on_SmtpUTF8Mailbox:
-+                    /*-
-+                     * https://datatracker.ietf.org/doc/html/rfc8398#section-3
-+                     *
-+                     *   Due to name constraint compatibility reasons described
-+                     *   in Section 6, SmtpUTF8Mailbox subjectAltName MUST NOT
-+                     *   be used unless the local-part of the email address
-+                     *   contains non-ASCII characters. When the local-part is
-+                     *   ASCII, rfc822Name subjectAltName MUST be used instead
-+                     *   of SmtpUTF8Mailbox. This is compatible with legacy
-+                     *   software that supports only rfc822Name (and not
-+                     *   SmtpUTF8Mailbox). [...]
-+                     *
-+                     *   SmtpUTF8Mailbox is encoded as UTF8String.
-+                     *
-+                     * If it is not a UTF8String then that is unexpected, and
-+                     * we ignore the invalid SAN (neither set san_present nor
-+                     * consider it a candidate for equality).  This does mean
-+                     * that the subject CN may be considered, as would be the
-+                     * case when the malformed SmtpUtf8Mailbox SAN is instead
-+                     * simply absent.
-+                     *
-+                     * When CN-ID matching is not desirable, applications can
-+                     * choose to turn it off, doing so is at this time a best
-+                     * practice.
-+                     */
-+                    if (check_type != GEN_EMAIL
-+                        || gen->d.otherName->value->type != V_ASN1_UTF8STRING)
-+                        continue;
-+                    alt_type = 0;
-+                    cstr = gen->d.otherName->value->value.utf8string;
-+                    break;
-+                }
-+                break;
-+            case GEN_EMAIL:
-+                if (check_type != GEN_EMAIL)
-                     continue;
--            }
--            san_present = 1;
--            if (check_type == GEN_EMAIL)
-                 cstr = gen->d.rfc822Name;
--            else if (check_type == GEN_DNS)
-+                break;
-+            case GEN_DNS:
-+                if (check_type != GEN_DNS)
-+                    continue;
-                 cstr = gen->d.dNSName;
--            else
-+                break;
-+            case GEN_IPADD:
-+                if (check_type != GEN_IPADD)
-+                    continue;
-                 cstr = gen->d.iPAddress;
-+                break;
-+            }
-+            san_present = 1;
-             /* Positive on success, negative on error! */
-             if ((rv = do_check_string(cstr, alt_type, equal, flags,
-                                       chk, chklen, peername)) != 0)
-diff --git a/test/recipes/25-test_eai_data.t b/test/recipes/25-test_eai_data.t
-index 522982ddfb..e18735d89a 100644
---- a/test/recipes/25-test_eai_data.t
-+++ b/test/recipes/25-test_eai_data.t
-@@ -21,16 +21,18 @@ setup("test_eai_data");
- #./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/utf8_chain.pem test/recipes/25-test_eai_data/ascii_leaf.pem
- #./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/ascii_chain.pem test/recipes/25-test_eai_data/utf8_leaf.pem
- 
--plan tests => 12;
-+plan tests => 16;
- 
- require_ok(srctop_file('test','recipes','tconversion.pl'));
- my $folder = "test/recipes/25-test_eai_data";
- 
- my $ascii_pem = srctop_file($folder, "ascii_leaf.pem");
- my $utf8_pem  = srctop_file($folder, "utf8_leaf.pem");
-+my $kdc_pem   = srctop_file($folder, "kdc-cert.pem");
- 
- my $ascii_chain_pem = srctop_file($folder, "ascii_chain.pem");
- my $utf8_chain_pem  = srctop_file($folder, "utf8_chain.pem");
-+my $kdc_chain_pem  = srctop_file($folder, "kdc-root-cert.pem");
- 
- my $out;
- my $outcnt = 0;
-@@ -56,10 +58,18 @@ SKIP: {
- 
- ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $ascii_pem])));
- ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $utf8_pem])));
-+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $kdc_chain_pem, $kdc_pem])));
- 
- ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $utf8_pem])));
- ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem,  $ascii_pem])));
- 
-+# Check an otherName does not get misparsed as an DNS name, (should trigger ASAN errors if violated).
-+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_hostname", 'mx1.example.com', "-CAfile", $kdc_chain_pem,  $kdc_pem])));
-+# Check an otherName does not get misparsed as an email address, (should trigger ASAN errors if violated).
-+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'joe@example.com', "-CAfile", $kdc_chain_pem,  $kdc_pem])));
-+# We expect SmtpUTF8Mailbox to be a UTF8 String, not an IA5String.
-+ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'moe@example.com', "-CAfile", $kdc_chain_pem,  $kdc_pem])));
-+
- #Check that we get the expected failure return code
- with({ exit_checker => sub { return shift == 2; } },
-      sub {
-diff --git a/test/recipes/25-test_eai_data/kdc-cert.pem b/test/recipes/25-test_eai_data/kdc-cert.pem
-new file mode 100644
-index 0000000000..e8a2c6f55d
---- /dev/null
-+++ b/test/recipes/25-test_eai_data/kdc-cert.pem
-@@ -0,0 +1,21 @@
-+-----BEGIN CERTIFICATE-----
-+MIIDbDCCAlSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290
-+MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAXMRUwEwYDVQQDDAxU
-+RVNULkVYQU1QTEUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6wfP+
-+6go79dkpo/dGLMlPZ7Gw/Q6gUYrCWZWUEgEeRVHCrqOlgUEyA+PcWas/XDPUxXry
-+BQlJHLvlqamAQn8gs4QPBARFYWKNiTVGyaRkgNA1N5gqyZdrP9UE+ZJmdqxRAAe8
-+vvpGZWSgevPhLUiSCFYDiD0Rtji2Hm3rGUrReQFBQDEw2pNGwz9zIaxUs08kQZcx
-+Yzyiplz5Oau+R/6sAgUwDlrD9xOlUxx/tA/MSDIfkK8qioU11uUZtO5VjkNQy/bT
-+7zQMmXxWgm2MIgOs1u4YN7YGOtgqHE9v9iPHHfgrkbQDtVDGQsa8AQEhkUDSCtW9
-+3VFAKx6dGNXYzFwfAgMBAAGjgcgwgcUwHQYDVR0OBBYEFFR5tZycW19DmtbL4Zqj
-+te1c2vZLMAkGA1UdIwQCMAAwCQYDVR0TBAIwADCBjQYDVR0RBIGFMIGCoD8GBisG
-+AQUCAqA1MDOgDhsMVEVTVC5FWEFNUExFoSEwH6ADAgEBoRgwFhsGa3JidGd0GwxU
-+RVNULkVYQU1QTEWgHQYIKwYBBQUHCAmgERYPbW9lQGV4YW1wbGUuY29tgQ9qb2VA
-+ZXhhbXBsZS5jb22CD214MS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA
-+T0xzVtVpRtaOzIhgzw7XQUdzWD5UEGSJJ1cBCOmKUWwDLTAouCYLFB4TbEE7MMUb
-+iuMy60bjmVtvfJIXorGUgSadRe5RWJ5DamJWvPA0Q9x7blnEcXqEF+9Td+ypevgU
-+UYHFmg83OYwxOsFXZ5cRuXMk3WCsDHQIBi6D1L6oDDZ2pfArs5mqm3thQKVlqyl1
-+El3XRYEdqAz/5eCOFNfwxF0ALxjxVr/Z50StUZU8I7Zfev6+kHhyrR7dqzYJImv9
-+0fTCOBEMjIETDsrA70OxAMu4V16nrWZdJdvzblS2qrt97Omkj+2kiPAJFB76RpwI
-+oDQ9fKfUOAmUFth2/R/eGA==
-+-----END CERTIFICATE-----
-diff --git a/test/recipes/25-test_eai_data/kdc-root-cert.pem b/test/recipes/25-test_eai_data/kdc-root-cert.pem
-new file mode 100644
-index 0000000000..a74c96bf31
---- /dev/null
-+++ b/test/recipes/25-test_eai_data/kdc-root-cert.pem
-@@ -0,0 +1,16 @@
-+-----BEGIN CERTIFICATE-----
-+MIICnDCCAYQCCQCBswYcrlZSHjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARS
-+b290MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAPMQ0wCwYDVQQD
-+DARSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqRj8S4kBbIUj
-+61kZfi6nE35Q38U140+qt4uAiwAhKumfVHlBM0zQ98WFt5zMHIBQwIb3yjc2zj+0
-+qzUnQfwm1r/RfcMmBPEti9Ge+aEMSsds2gMXziOFM8wd2aAFPy7UVE0XpEWofsRK
-+MGi61MKVdPSbGIxBwY9VW38/7D/wf1HtJe7y0xpuecR7GB2XAs+qST59NjuF+7wS
-+dLM8Hb3TATgeYbXXWsRJgwz+SPzExg5WmLnU+7y4brZ32dHtdSmkRVSgSlaIf7Xj
-+3Tc6Zi7I+W/JYk7hy1zUexVdWCak4PHcoWrXe0gNNN/t8VfLfMExt5z/HIylXnU7
-+pGUyqZlTGQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAHpLF1UCRy7b6Hk0rLokxI
-+lgwiH9BU9mktigAGASvkbllpt+YbUbWnuYAvpHBGiP1qZtfX2r96UrSJaGO9BEzT
-+Gp9ThnSjoj4Srul0+s/NArU22irFLmDzbalgevAmm9gMGkdqkiIm/mXbwrPj0ncl
-+KGicevXryVpvaP62eZ8cc3C4p97frMmXxRX8sTdQpD/gRI7prdEILRSKveqT+AEW
-+7rFGM5AOevb4U8ddop8A3D/kX0wcCAIBF6jCNk3uEJ57jVcagL04kPnVfdRiedTS
-+vfq1DRNcD29d1H/9u0fHdSn1/+8Ep3X+afQ3C6//5NvOEaXcIGO4QSwkprQydfv8
-+-----END CERTIFICATE-----
-diff --git a/test/recipes/25-test_eai_data/kdc.sh b/test/recipes/25-test_eai_data/kdc.sh
-new file mode 100755
-index 0000000000..7a8dbc719f
---- /dev/null
-+++ b/test/recipes/25-test_eai_data/kdc.sh
-@@ -0,0 +1,41 @@
-+#! /usr/bin/env bash
-+
-+# Create a root CA, signing a leaf cert with a KDC principal otherName SAN, and
-+# also a non-UTF8 smtpUtf8Mailbox SAN followed by an rfc822Name SAN and a DNS
-+# name SAN.  In the vulnerable EAI code, the KDC principal `otherName` should
-+# trigger ASAN errors in DNS name checks, while the non-UTF8 `smtpUtf8Mailbox`
-+# should likewise lead to ASAN issues with email name checks.
-+
-+rm -f root-key.pem root-cert.pem
-+openssl req -nodes -new -newkey rsa:2048 -keyout kdc-root-key.pem \
-+        -x509 -subj /CN=Root -days 36524 -out kdc-root-cert.pem
-+
-+exts=$(
-+    printf "%s\n%s\n%s\n%s = " \
-+        "subjectKeyIdentifier = hash" \
-+        "authorityKeyIdentifier = keyid" \
-+        "basicConstraints = CA:false" \
-+        "subjectAltName"
-+    printf "%s, " "otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name"
-+    printf "%s, " "otherName:1.3.6.1.5.5.7.8.9;IA5:moe@example.com"
-+    printf "%s, " "email:joe@example.com"
-+    printf "%s\n" "DNS:mx1.example.com"
-+    printf "[kdc_princ_name]\n"
-+    printf "realm = EXP:0, GeneralString:TEST.EXAMPLE\n"
-+    printf "principal_name = EXP:1, SEQUENCE:kdc_principal_seq\n"
-+    printf "[kdc_principal_seq]\n"
-+    printf "name_type = EXP:0, INTEGER:1\n"
-+    printf "name_string = EXP:1, SEQUENCE:kdc_principal_components\n"
-+    printf "[kdc_principal_components]\n"
-+    printf "princ1 = GeneralString:krbtgt\n"
-+    printf "princ2 = GeneralString:TEST.EXAMPLE\n"
-+    )
-+
-+printf "%s\n" "$exts"
-+
-+openssl req -nodes -new -newkey rsa:2048 -keyout kdc-key.pem \
-+    -subj "/CN=TEST.EXAMPLE" |
-+    openssl x509 -req -out kdc-cert.pem \
-+        -CA "kdc-root-cert.pem" -CAkey "kdc-root-key.pem" \
-+        -set_serial 2 -days 36524 \
-+        -extfile <(printf "%s\n" "$exts")

openssl-CVE-2024-9143.patch

@@ -1,198 +0,0 @@
-From fdf6723362ca51bd883295efe206cb5b1cfa5154 Mon Sep 17 00:00:00 2001
-From: Viktor Dukhovni <viktor@openssl.org>
-Date: Thu, 19 Sep 2024 01:02:40 +1000
-Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse.
-
-The BN_GF2m_poly2arr() function converts characteristic-2 field
-(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
-to a compact array with just the exponents of the non-zero terms.
-
-These polynomials are then used in BN_GF2m_mod_arr() to perform modular
-reduction.  A precondition of calling BN_GF2m_mod_arr() is that the
-polynomial must have a non-zero constant term (i.e. the array has `0` as
-its final element).
-
-Internally, callers of BN_GF2m_poly2arr() did not verify that
-precondition, and binary EC curve parameters with an invalid polynomial
-could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
-
-The precondition is always true for polynomials that arise from the
-standard form of EC parameters for characteristic-two fields (X9.62).
-See the "Finite Field Identification" section of:
-
-    https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
-
-The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
-basis X9.62 forms.
-
-This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
-the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
-
-Additionally, the return value is made unambiguous when there is not
-enough space to also pad the array with a final `-1` sentinel value.
-The return value is now always the number of elements (including the
-final `-1`) that would be filled when the output array is sufficiently
-large.  Previously the same count was returned both when the array has
-just enough room for the final `-1` and when it had only enough space
-for non-sentinel values.
-
-Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
-degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
-CPU exhausition attacks via excessively large inputs.
-
-The above issues do not arise in processing X.509 certificates.  These
-generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
-disallows explicit EC parameters.  The TLS code in OpenSSL enforces this
-constraint only after the certificate is decoded, but, even if explicit
-parameters are specified, they are in X9.62 form, which cannot represent
-problem values as noted above.
-
-Initially reported as oss-fuzz issue 71623.
-
-A closely related issue was earlier reported in
-<https://github.com/openssl/openssl/issues/19826>.
-
-Severity: Low, CVE-2024-9143
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
-Reviewed-by: Paul Dale <ppzgs1@gmail.com>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/25639)
-
-(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
----
- crypto/bn/bn_gf2m.c     | 28 +++++++++++++++-------
- test/ec_internal_test.c | 51 +++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 71 insertions(+), 8 deletions(-)
-
-diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c
-index c811ae82d6b15..bcc66613cc14d 100644
---- a/crypto/bn/bn_gf2m.c
-+++ b/crypto/bn/bn_gf2m.c
-@@ -15,6 +15,7 @@
- #include "bn_local.h"
- 
- #ifndef OPENSSL_NO_EC2M
-+# include <openssl/ec.h>
- 
- /*
-  * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
-@@ -1140,16 +1141,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- /*
-  * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
-  * x^i) into an array of integers corresponding to the bits with non-zero
-- * coefficient.  Array is terminated with -1. Up to max elements of the array
-- * will be filled.  Return value is total number of array elements that would
-- * be filled if array was large enough.
-+ * coefficient.  The array is intended to be suitable for use with
-+ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
-+ * zero.  This translates to a requirement that the input BIGNUM `a` is odd.
-+ *
-+ * Given sufficient room, the array is terminated with -1.  Up to max elements
-+ * of the array will be filled.
-+ *
-+ * The return value is total number of array elements that would be filled if
-+ * array was large enough, including the terminating `-1`.  It is `0` when `a`
-+ * is not odd or the constant term is zero contrary to requirement.
-+ *
-+ * The return value is also `0` when the leading exponent exceeds
-+ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
-  */
- int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
- {
-     int i, j, k = 0;
-     BN_ULONG mask;
- 
--    if (BN_is_zero(a))
-+    if (!BN_is_odd(a))
-         return 0;
- 
-     for (i = a->top - 1; i >= 0; i--) {
-@@ -1167,12 +1178,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
-         }
-     }
- 
--    if (k < max) {
-+    if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
-+        return 0;
-+
-+    if (k < max)
-         p[k] = -1;
--        k++;
--    }
- 
--    return k;
-+    return k + 1;
- }
- 
- /*
-diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c
-index 8c2cd05631696..02cfd4e9d8858 100644
---- a/test/ec_internal_test.c
-+++ b/test/ec_internal_test.c
-@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
- }
- 
- #ifndef OPENSSL_NO_EC2M
-+/* Test that decoding of invalid GF2m field parameters fails. */
-+static int ec2m_field_sanity(void)
-+{
-+    int ret = 0;
-+    BN_CTX *ctx = BN_CTX_new();
-+    BIGNUM *p, *a, *b;
-+    EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
-+
-+    TEST_info("Testing GF2m hardening\n");
-+
-+    BN_CTX_start(ctx);
-+    p = BN_CTX_get(ctx);
-+    a = BN_CTX_get(ctx);
-+    if (!TEST_ptr(b = BN_CTX_get(ctx))
-+        || !TEST_true(BN_one(a))
-+        || !TEST_true(BN_one(b)))
-+        goto out;
-+
-+    /* Even pentanomial value should be rejected */
-+    if (!TEST_true(BN_set_word(p, 0xf2)))
-+        goto out;
-+    if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
-+        TEST_error("Zero constant term accepted in GF2m polynomial");
-+
-+    /* Odd hexanomial should also be rejected */
-+    if (!TEST_true(BN_set_word(p, 0xf3)))
-+        goto out;
-+    if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
-+        TEST_error("Hexanomial accepted as GF2m polynomial");
-+
-+    /* Excessive polynomial degree should also be rejected */
-+    if (!TEST_true(BN_set_word(p, 0x71))
-+        || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
-+        goto out;
-+    if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
-+        TEST_error("GF2m polynomial degree > %d accepted",
-+                   OPENSSL_ECC_MAX_FIELD_BITS);
-+
-+    ret = group1 == NULL && group2 == NULL && group3 == NULL;
-+
-+ out:
-+    EC_GROUP_free(group1);
-+    EC_GROUP_free(group2);
-+    EC_GROUP_free(group3);
-+    BN_CTX_end(ctx);
-+    BN_CTX_free(ctx);
-+
-+    return ret;
-+}
-+
- /* test EC_GF2m_simple_method directly */
- static int field_tests_ec2_simple(void)
- {
-@@ -443,6 +493,7 @@ int setup_tests(void)
-     ADD_TEST(field_tests_ecp_simple);
-     ADD_TEST(field_tests_ecp_mont);
- #ifndef OPENSSL_NO_EC2M
-+    ADD_TEST(ec2m_field_sanity);
-     ADD_TEST(field_tests_ec2_simple);
- #endif
-     ADD_ALL_TESTS(field_tests_default, crv_len);

openssl-CVE-2025-4575.patch

@@ -1,61 +0,0 @@
-From 0eb9acc24febb1f3f01f0320cfba9654cf66b0ac Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Tue, 20 May 2025 16:34:10 +0200
-Subject: [PATCH] apps/x509.c: Fix the -addreject option adding trust instead
- of rejection
-
-Fixes CVE-2025-4575
-
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
-Reviewed-by: Paul Dale <ppzgs1@gmail.com>
-(Merged from https://github.com/openssl/openssl/pull/27672)
-
-Signed-off-by: Lucas Mulling <lucas.mulling@suse.com>
----
- apps/x509.c                 |  2 +-
- test/recipes/25-test_x509.t | 12 +++++++++++-
- 2 files changed, 12 insertions(+), 2 deletions(-)
-
-Index: openssl-3.5.0/apps/x509.c
-===================================================================
---- openssl-3.5.0.orig/apps/x509.c
-+++ openssl-3.5.0/apps/x509.c
-@@ -465,7 +465,7 @@ int x509_main(int argc, char **argv)
-                            prog, opt_arg());
-                 goto opthelp;
-             }
--            if (!sk_ASN1_OBJECT_push(trust, objtmp))
-+            if (!sk_ASN1_OBJECT_push(reject, objtmp))
-                 goto end;
-             trustout = 1;
-             break;
-Index: openssl-3.5.0/test/recipes/25-test_x509.t
-===================================================================
---- openssl-3.5.0.orig/test/recipes/25-test_x509.t
-+++ openssl-3.5.0/test/recipes/25-test_x509.t
-@@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_fil
- 
- setup("test_x509");
- 
--plan tests => 134;
-+plan tests => 138;
- 
- # Prevent MSys2 filename munging for arguments that look like file paths but
- # aren't
-@@ -110,6 +110,16 @@ ok(run(app(["openssl", "x509", "-new", "
- && run(app(["openssl", "verify", "-no_check_time",
-             "-trusted", $ca, "-partial_chain", $caout])));
- 
-+# test trust decoration
-+ok(run(app(["openssl", "x509", "-in", $ca, "-addtrust", "emailProtection",
-+            "-out", "ca-trusted.pem"])));
-+cert_contains("ca-trusted.pem", "Trusted Uses: E-mail Protection",
-+              1, 'trusted use - E-mail Protection');
-+ok(run(app(["openssl", "x509", "-in", $ca, "-addreject", "emailProtection",
-+            "-out", "ca-rejected.pem"])));
-+cert_contains("ca-rejected.pem", "Rejected Uses: E-mail Protection",
-+              1, 'rejected use - E-mail Protection');
-+
- subtest 'x509 -- x.509 v1 certificate' => sub {
-     tconversion( -type => 'x509', -prefix => 'x509v1',
-                  -in => srctop_file("test", "testx509.pem") );

openssl-DEFAULT_SUSE_cipher.patch

@@ -1,64 +0,0 @@
-Index: openssl-3.0.0-alpha7/ssl/ssl_ciph.c
-===================================================================
---- openssl-3.0.0-alpha7.orig/ssl/ssl_ciph.c
-+++ openssl-3.0.0-alpha7/ssl/ssl_ciph.c
-@@ -1592,7 +1592,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
-      */
-     ok = 1;
-     rule_p = rule_str;
--    if (strncmp(rule_str, "DEFAULT", 7) == 0) {
-+    if (strncmp(rule_str,"DEFAULT_SUSE", 12) == 0) {
-+        ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST,
-+                                        &head, &tail, ca_list, c);
-+        rule_p += 12;
-+        if (*rule_p == ':')
-+            rule_p++;
-+    }
-+    else if (strncmp(rule_str, "DEFAULT", 7) == 0) {
-         ok = ssl_cipher_process_rulestr(OSSL_default_cipher_list(),
-                                         &head, &tail, ca_list, c);
-         rule_p += 7;
-Index: openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t
-===================================================================
---- /dev/null
-+++ openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t
-@@ -0,0 +1,23 @@
-+#! /usr/bin/env perl
-+
-+use strict;
-+use warnings;
-+
-+use OpenSSL::Test qw/:DEFAULT/;
-+use OpenSSL::Test::Utils;
-+
-+setup("test_default_ciphersuites");
-+
-+plan tests => 6;
-+
-+my @cipher_suites = ("DEFAULT_SUSE", "DEFAULT");
-+
-+foreach my $cipherlist (@cipher_suites) {
-+  ok(run(app(["openssl", "ciphers", "-s", $cipherlist])),
-+     "openssl ciphers works with ciphersuite $cipherlist");
-+  ok(!grep(/(MD5|RC4|DES)/, run(app(["openssl", "ciphers", "-s", $cipherlist]), capture => 1)),
-+         "$cipherlist shouldn't contain MD5, DES or RC4\n");
-+  ok(grep(/(TLSv1.3)/, run(app(["openssl", "ciphers", "-tls1_3", "-s", "-v", $cipherlist]), capture => 1)),
-+         "$cipherlist should contain TLSv1.3 ciphers\n");
-+}
-+
-Index: openssl-3.0.0-alpha7/include/openssl/ssl.h.in
-===================================================================
---- openssl-3.0.0-alpha7.orig/include/openssl/ssl.h.in
-+++ openssl-3.0.0-alpha7/include/openssl/ssl.h.in
-@@ -189,6 +189,11 @@ extern "C" {
-  */
- # ifndef OPENSSL_NO_DEPRECATED_3_0
- #  define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
-+#  define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"\
-+    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:"\
-+    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
-+    "DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\
-+    "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
- /*
-  * This is the default set of TLSv1.3 ciphersuites
-  * DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites()

openssl-Disable-default-provider-for-test-suite.patch

@@ -1,19 +0,0 @@
-Index: openssl-3.1.4/apps/openssl.cnf
-===================================================================
---- openssl-3.1.4.orig/apps/openssl.cnf
-+++ openssl-3.1.4/apps/openssl.cnf
-@@ -70,11 +70,11 @@ engines = engine_section
- # to side-channel attacks and as such have been deprecated.
- 
- [provider_sect]
--default = default_sect
-+##default = default_sect
- ##legacy = legacy_sect
- 
--[default_sect]
--activate = 1
-+##[default_sect]
-+##activate = 1
- 
- ##[legacy_sect]
- ##activate = 1

openssl-Enable-BTI-feature-for-md5-on-aarch64.patch

@@ -1,28 +0,0 @@
-From d2bfec6e464aeb247a2d6853668d4e473f19e15f Mon Sep 17 00:00:00 2001
-From: "fangming.fang" <fangming.fang@arm.com>
-Date: Thu, 7 Dec 2023 06:17:51 +0000
-Subject: [PATCH] Enable BTI feature for md5 on aarch64
-
-Fixes: #22959
----
- crypto/md5/asm/md5-aarch64.pl | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/crypto/md5/asm/md5-aarch64.pl b/crypto/md5/asm/md5-aarch64.pl
-index 3200a0fa9bff0..5a8608069691d 100755
---- a/crypto/md5/asm/md5-aarch64.pl
-+++ b/crypto/md5/asm/md5-aarch64.pl
-@@ -28,10 +28,13 @@
- *STDOUT=*OUT;
- 
- $code .= <<EOF;
-+#include "arm_arch.h"
-+
- .text
- .globl  ossl_md5_block_asm_data_order
- .type   ossl_md5_block_asm_data_order,\@function
- ossl_md5_block_asm_data_order:
-+        AARCH64_VALID_CALL_TARGET
-         // Save all callee-saved registers
-         stp     x19,x20,[sp,#-80]!
-         stp     x21,x22,[sp,#16]

openssl-FIPS-140-3-DRBG.patch

@@ -1,137 +0,0 @@
-Index: openssl-3.2.3/crypto/rand/prov_seed.c
-===================================================================
---- openssl-3.2.3.orig/crypto/rand/prov_seed.c
-+++ openssl-3.2.3/crypto/rand/prov_seed.c
-@@ -23,7 +23,14 @@ size_t ossl_rand_get_entropy(ossl_unused
-     size_t entropy_available;
-     RAND_POOL *pool;
- 
--    pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
-+    /*
-+     * OpenSSL still implements an internal entropy pool of
-+     * some size that is hashed to get seed data.
-+     * Note that this is a conditioning step for which SP800-90C requires
-+     * 64 additional bits from the entropy source to claim the requested
-+     * amount of entropy.
-+     */
-+    pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
-     if (pool == NULL) {
-         ERR_raise(ERR_LIB_RAND, ERR_R_RAND_LIB);
-         return 0;
-Index: openssl-3.2.3/crypto/rand/rand_lib.c
-===================================================================
---- openssl-3.2.3.orig/crypto/rand/rand_lib.c
-+++ openssl-3.2.3/crypto/rand/rand_lib.c
-@@ -723,15 +723,7 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB
-         return ret;
-     }
- 
--#ifndef FIPS_MODULE
--    if (dgbl->seed == NULL) {
--        ERR_set_mark();
--        dgbl->seed = rand_new_seed(ctx);
--        ERR_pop_to_mark();
--    }
--#endif
--
--    ret = dgbl->primary = rand_new_drbg(ctx, dgbl->seed,
-+    ret = dgbl->primary = rand_new_drbg(ctx, NULL,
-                                         PRIMARY_RESEED_INTERVAL,
-                                         PRIMARY_RESEED_TIME_INTERVAL, 1);
-     /*
-Index: openssl-3.2.3/providers/implementations/rands/crngt.c
-===================================================================
---- openssl-3.2.3.orig/providers/implementations/rands/crngt.c
-+++ openssl-3.2.3/providers/implementations/rands/crngt.c
-@@ -133,7 +133,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG
-      * to the nearest byte.  If the entropy is of less than full quality,
-      * the amount required should be scaled up appropriately here.
-      */
--    bytes_needed = (entropy + 7) / 8;
-+    /*
-+     * FIPS 140-3: the yet draft SP800-90C requires requested entropy
-+     * + 128 bits during initial seeding
-+     */
-+    bytes_needed = (entropy + 128 + 7) / 8;
-     if (bytes_needed < min_len)
-         bytes_needed = min_len;
-     if (bytes_needed > max_len)
-Index: openssl-3.2.3/providers/implementations/rands/drbg.c
-===================================================================
---- openssl-3.2.3.orig/providers/implementations/rands/drbg.c
-+++ openssl-3.2.3/providers/implementations/rands/drbg.c
-@@ -569,6 +569,9 @@ static int ossl_prov_drbg_reseed_unlocke
- #endif
-     }
- 
-+#ifdef FIPS_MODULE
-+    prediction_resistance = 1;
-+#endif
-     /* Reseed using our sources in addition */
-     entropylen = get_entropy(drbg, &entropy, drbg->strength,
-                              drbg->min_entropylen, drbg->max_entropylen,
-@@ -690,8 +693,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d
-             reseed_required = 1;
-     }
-     if (drbg->parent != NULL
--            && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
-+            && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) {
-+#ifdef FIPS_MODULE
-+        /* SUSE patches provide chain reseeding when necessary so just sync counters*/
-+        drbg->parent_reseed_counter = get_parent_reseed_count(drbg);
-+#else
-         reseed_required = 1;
-+#endif
-+        }
- 
-     if (reseed_required || prediction_resistance) {
-         if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL,
-Index: openssl-3.2.3/providers/implementations/rands/drbg_local.h
-===================================================================
---- openssl-3.2.3.orig/providers/implementations/rands/drbg_local.h
-+++ openssl-3.2.3/providers/implementations/rands/drbg_local.h
-@@ -38,7 +38,7 @@
-  *
-  * The value is in bytes.
-  */
--#define CRNGT_BUFSIZ    16
-+#define CRNGT_BUFSIZ   32
- 
- /*
-  * Maximum input size for the DRBG (entropy, nonce, personalization string)
-Index: openssl-3.2.3/providers/implementations/rands/seed_src.c
-===================================================================
---- openssl-3.2.3.orig/providers/implementations/rands/seed_src.c
-+++ openssl-3.2.3/providers/implementations/rands/seed_src.c
-@@ -102,7 +102,14 @@ static int seed_src_generate(void *vseed
-         return 0;
-     }
- 
--    pool = ossl_rand_pool_new(strength, 1, outlen, outlen);
-+    /*
-+     * OpenSSL still implements an internal entropy pool of
-+     * some size that is hashed to get seed data.
-+     * Note that this is a conditioning step for which SP800-90C requires
-+     * 64 additional bits from the entropy source to claim the requested
-+     * amount of entropy.
-+     */
-+    pool = ossl_rand_pool_new(strength + 64, 1, outlen, outlen);
-     if (pool == NULL) {
-         ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
-         return 0;
-@@ -182,7 +189,14 @@ static size_t seed_get_seed(void *vseed,
-     size_t i;
-     RAND_POOL *pool;
- 
--    pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
-+    /*
-+     * OpenSSL still implements an internal entropy pool of
-+     * some size that is hashed to get seed data.
-+     * Note that this is a conditioning step for which SP800-90C requires
-+     * 64 additional bits from the entropy source to claim the requested
-+     * amount of entropy.
-+     */
-+    pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
-     if (pool == NULL) {
-         ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB);
-         return 0;

openssl-FIPS-140-3-zeroization.patch

@@ -1,81 +0,0 @@
-Index: openssl-3.2.3/crypto/ec/ec_lib.c
-===================================================================
---- openssl-3.2.3.orig/crypto/ec/ec_lib.c
-+++ openssl-3.2.3/crypto/ec/ec_lib.c
-@@ -743,12 +743,16 @@ EC_POINT *EC_POINT_new(const EC_GROUP *g
- 
- void EC_POINT_free(EC_POINT *point)
- {
-+#ifdef FIPS_MODULE
-+    EC_POINT_clear_free(point);
-+#else
-     if (point == NULL)
-         return;
- 
-     if (point->meth->point_finish != 0)
-         point->meth->point_finish(point);
-     OPENSSL_free(point);
-+#endif
- }
- 
- void EC_POINT_clear_free(EC_POINT *point)
-Index: openssl-3.2.3/crypto/ffc/ffc_params.c
-===================================================================
---- openssl-3.2.3.orig/crypto/ffc/ffc_params.c
-+++ openssl-3.2.3/crypto/ffc/ffc_params.c
-@@ -27,10 +27,10 @@ void ossl_ffc_params_init(FFC_PARAMS *pa
- 
- void ossl_ffc_params_cleanup(FFC_PARAMS *params)
- {
--    BN_free(params->p);
--    BN_free(params->q);
--    BN_free(params->g);
--    BN_free(params->j);
-+    BN_clear_free(params->p);
-+    BN_clear_free(params->q);
-+    BN_clear_free(params->g);
-+    BN_clear_free(params->j);
-     OPENSSL_free(params->seed);
-     ossl_ffc_params_init(params);
- }
-Index: openssl-3.2.3/crypto/rsa/rsa_lib.c
-===================================================================
---- openssl-3.2.3.orig/crypto/rsa/rsa_lib.c
-+++ openssl-3.2.3/crypto/rsa/rsa_lib.c
-@@ -159,8 +159,8 @@ void RSA_free(RSA *r)
-     CRYPTO_THREAD_lock_free(r->lock);
-     CRYPTO_FREE_REF(&r->references);
- 
--    BN_free(r->n);
--    BN_free(r->e);
-+    BN_clear_free(r->n);
-+    BN_clear_free(r->e);
-     BN_clear_free(r->d);
-     BN_clear_free(r->p);
-     BN_clear_free(r->q);
-Index: openssl-3.2.3/providers/implementations/kdfs/hkdf.c
-===================================================================
---- openssl-3.2.3.orig/providers/implementations/kdfs/hkdf.c
-+++ openssl-3.2.3/providers/implementations/kdfs/hkdf.c
-@@ -117,7 +117,7 @@ static void kdf_hkdf_reset(void *vctx)
-     void *provctx = ctx->provctx;
- 
-     ossl_prov_digest_reset(&ctx->digest);
--    OPENSSL_free(ctx->salt);
-+    OPENSSL_clear_free(ctx->salt, ctx->salt_len);
-     OPENSSL_free(ctx->prefix);
-     OPENSSL_free(ctx->label);
-     OPENSSL_clear_free(ctx->data, ctx->data_len);
-Index: openssl-3.2.3/providers/implementations/kdfs/pbkdf2.c
-===================================================================
---- openssl-3.2.3.orig/providers/implementations/kdfs/pbkdf2.c
-+++ openssl-3.2.3/providers/implementations/kdfs/pbkdf2.c
-@@ -90,7 +90,7 @@ static void *kdf_pbkdf2_new(void *provct
- static void kdf_pbkdf2_cleanup(KDF_PBKDF2 *ctx)
- {
-     ossl_prov_digest_reset(&ctx->digest);
--    OPENSSL_free(ctx->salt);
-+    OPENSSL_clear_free(ctx->salt, ctx->salt_len);
-     OPENSSL_clear_free(ctx->pass, ctx->pass_len);
-     memset(ctx, 0, sizeof(*ctx));
- }

openssl-FIPS-Add-explicit-indicator-for-key-length.patch

@@ -1,108 +0,0 @@
-From e1eba21921ceeffa45ffd2115868c14e4c7fb8d9 Mon Sep 17 00:00:00 2001
-From: Clemens Lang <cllang@redhat.com>
-Date: Thu, 17 Nov 2022 18:08:24 +0100
-Subject: [PATCH] hmac: Add explicit FIPS indicator for key length
-
-NIST SP 800-131Ar2, table 9 "Approval Status of MAC Algorithms"
-specifies key lengths < 112 bytes are disallowed for HMAC generation and
-are legacy use for HMAC verification.
-
-Add an explicit indicator that will mark shorter key lengths as
-unsupported. The indicator can be queries from the EVP_MAC_CTX object
-using EVP_MAC_CTX_get_params() with the
-  OSSL_MAC_PARAM_SUSE_FIPS_INDICATOR
-parameter.
-
-Signed-off-by: Clemens Lang <cllang@redhat.com>
----
- include/crypto/evp.h                       |  7 +++++++
- include/openssl/evp.h                      |  3 +++
- providers/implementations/macs/hmac_prov.c | 17 +++++++++++++++++
- 4 files changed, 28 insertions(+)
-
-Index: openssl-3.2.3/include/crypto/evp.h
-===================================================================
---- openssl-3.2.3.orig/include/crypto/evp.h
-+++ openssl-3.2.3/include/crypto/evp.h
-@@ -206,6 +206,13 @@ const EVP_PKEY_METHOD *ossl_ed448_pkey_m
- const EVP_PKEY_METHOD *ossl_rsa_pkey_method(void);
- const EVP_PKEY_METHOD *ossl_rsa_pss_pkey_method(void);
- 
-+#ifdef FIPS_MODULE
-+/* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms specifies key
-+ * lengths < 112 bytes are disallowed for HMAC generation and legacy use for
-+ * HMAC verification. */
-+# define EVP_HMAC_GEN_FIPS_MIN_KEY_LEN (112 / 8)
-+#endif
-+
- struct evp_mac_st {
-     OSSL_PROVIDER *prov;
-     int name_id;
-Index: openssl-3.2.3/include/openssl/evp.h
-===================================================================
---- openssl-3.2.3.orig/include/openssl/evp.h
-+++ openssl-3.2.3/include/openssl/evp.h
-@@ -1199,6 +1199,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX
-                             void *arg);
- 
- /* MAC stuff */
-+# define EVP_MAC_SUSE_FIPS_INDICATOR_UNDETERMINED 0
-+# define EVP_MAC_SUSE_FIPS_INDICATOR_APPROVED     1
-+# define EVP_MAC_SUSE_FIPS_INDICATOR_NOT_APPROVED 2
- 
- EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm,
-                        const char *properties);
-Index: openssl-3.2.3/providers/implementations/macs/hmac_prov.c
-===================================================================
---- openssl-3.2.3.orig/providers/implementations/macs/hmac_prov.c
-+++ openssl-3.2.3/providers/implementations/macs/hmac_prov.c
-@@ -23,6 +23,8 @@
- 
- #include "internal/ssl3_cbc.h"
- 
-+#include "crypto/evp.h"
-+
- #include "prov/implementations.h"
- #include "prov/provider_ctx.h"
- #include "prov/provider_util.h"
-@@ -235,6 +237,9 @@ static int hmac_final(void *vmacctx, uns
- static const OSSL_PARAM known_gettable_ctx_params[] = {
-     OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL),
-     OSSL_PARAM_size_t(OSSL_MAC_PARAM_BLOCK_SIZE, NULL),
-+#ifdef FIPS_MODULE
-+    OSSL_PARAM_int(OSSL_MAC_PARAM_SUSE_FIPS_INDICATOR, NULL),
-+#endif /* defined(FIPS_MODULE) */
-     OSSL_PARAM_END
- };
- static const OSSL_PARAM *hmac_gettable_ctx_params(ossl_unused void *ctx,
-@@ -256,6 +261,18 @@ static int hmac_get_ctx_params(void *vma
-             && !OSSL_PARAM_set_int(p, hmac_block_size(macctx)))
-         return 0;
- 
-+#ifdef FIPS_MODULE
-+    if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_SUSE_FIPS_INDICATOR)) != NULL) {
-+        int fips_indicator = EVP_MAC_SUSE_FIPS_INDICATOR_APPROVED;
-+        /* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms
-+         * specifies key lengths < 112 bytes are disallowed for HMAC generation
-+         * and legacy use for HMAC verification. */
-+        if (macctx->keylen < EVP_HMAC_GEN_FIPS_MIN_KEY_LEN)
-+            fips_indicator = EVP_MAC_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+        return OSSL_PARAM_set_int(p, fips_indicator);
-+    }
-+#endif /* defined(FIPS_MODULE) */
-+
-     return 1;
- }
- 
-Index: openssl-3.2.3/util/perl/OpenSSL/paramnames.pm
-===================================================================
---- openssl-3.2.3.orig/util/perl/OpenSSL/paramnames.pm
-+++ openssl-3.2.3/util/perl/OpenSSL/paramnames.pm
-@@ -143,6 +143,7 @@ my %params = (
-     'MAC_PARAM_SIZE' =>             "size",                     # size_t
-     'MAC_PARAM_BLOCK_SIZE' =>       "block-size",               # size_t
-     'MAC_PARAM_TLS_DATA_SIZE' =>    "tls-data-size",            # size_t
-+    'MAC_PARAM_SUSE_FIPS_INDICATOR' => "suse-fips-indicator",   # size_t
- 
- # KDF / PRF parameters
-     'KDF_PARAM_SECRET' =>       "secret",                   # octet string

openssl-FIPS-Mark-SHA1-as-nonapproved.patch

@@ -1,25 +0,0 @@
-Index: openssl-3.2.4/providers/fips/fipsprov.c
-===================================================================
---- openssl-3.2.4.orig/providers/fips/fipsprov.c
-+++ openssl-3.2.4/providers/fips/fipsprov.c
-@@ -278,7 +278,7 @@ static int fips_self_test(void *provctx)
-  */
- static const OSSL_ALGORITHM fips_digests[] = {
-     /* Our primary name:NiST name[:our older names] */
--    { PROV_NAMES_SHA1, FIPS_DEFAULT_PROPERTIES, ossl_sha1_functions },
-+    { PROV_NAMES_SHA1, FIPS_UNAPPROVED_PROPERTIES, ossl_sha1_functions },
-     { PROV_NAMES_SHA2_224, FIPS_DEFAULT_PROPERTIES, ossl_sha224_functions },
-     { PROV_NAMES_SHA2_256, FIPS_DEFAULT_PROPERTIES, ossl_sha256_functions },
-     { PROV_NAMES_SHA2_384, FIPS_DEFAULT_PROPERTIES, ossl_sha384_functions },
-@@ -355,9 +355,9 @@ static const OSSL_ALGORITHM_CAPABLE fips
-     ALG(PROV_NAMES_AES_256_WRAP_PAD_INV, ossl_aes256wrappadinv_functions),
-     ALG(PROV_NAMES_AES_192_WRAP_PAD_INV, ossl_aes192wrappadinv_functions),
-     ALG(PROV_NAMES_AES_128_WRAP_PAD_INV, ossl_aes128wrappadinv_functions),
--    ALGC(PROV_NAMES_AES_128_CBC_HMAC_SHA1, ossl_aes128cbc_hmac_sha1_functions,
-+    UNAPPROVED_ALGC(PROV_NAMES_AES_128_CBC_HMAC_SHA1, ossl_aes128cbc_hmac_sha1_functions,
-          ossl_cipher_capable_aes_cbc_hmac_sha1),
--    ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA1, ossl_aes256cbc_hmac_sha1_functions,
-+    UNAPPROVED_ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA1, ossl_aes256cbc_hmac_sha1_functions,
-          ossl_cipher_capable_aes_cbc_hmac_sha1),
-     ALGC(PROV_NAMES_AES_128_CBC_HMAC_SHA256, ossl_aes128cbc_hmac_sha256_functions,
-          ossl_cipher_capable_aes_cbc_hmac_sha256),

openssl-FIPS-Use-FFDHE2048-in-self-test.patch

@@ -1,378 +0,0 @@
-From e385647549c467fe263b68b72dd21bdfb875ee88 Mon Sep 17 00:00:00 2001
-From: Clemens Lang <cllang@redhat.com>
-Date: Fri, 22 Jul 2022 17:51:16 +0200
-Subject: [PATCH 2/2] FIPS: Use FFDHE2048 in self test
-
-Signed-off-by: Clemens Lang <cllang@redhat.com>
----
- providers/fips/self_test_data.inc | 342 +++++++++++++++---------------
- 1 file changed, 172 insertions(+), 170 deletions(-)
-
-diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
-index a29cc650b5..1b5623833f 100644
---- a/providers/fips/self_test_data.inc
-+++ b/providers/fips/self_test_data.inc
-@@ -821,188 +821,190 @@ static const ST_KAT_DRBG st_kat_drbg_tests[] =
- 
- #ifndef OPENSSL_NO_DH
- /* DH KAT */
-+/* RFC7919 FFDHE2048 p */
- static const unsigned char dh_p[] = {
--    0xdc, 0xca, 0x15, 0x11, 0xb2, 0x31, 0x32, 0x25,
--    0xf5, 0x21, 0x16, 0xe1, 0x54, 0x27, 0x89, 0xe0,
--    0x01, 0xf0, 0x42, 0x5b, 0xcc, 0xc7, 0xf3, 0x66,
--    0xf7, 0x40, 0x64, 0x07, 0xf1, 0xc9, 0xfa, 0x8b,
--    0xe6, 0x10, 0xf1, 0x77, 0x8b, 0xb1, 0x70, 0xbe,
--    0x39, 0xdb, 0xb7, 0x6f, 0x85, 0xbf, 0x24, 0xce,
--    0x68, 0x80, 0xad, 0xb7, 0x62, 0x9f, 0x7c, 0x6d,
--    0x01, 0x5e, 0x61, 0xd4, 0x3f, 0xa3, 0xee, 0x4d,
--    0xe1, 0x85, 0xf2, 0xcf, 0xd0, 0x41, 0xff, 0xde,
--    0x9d, 0x41, 0x84, 0x07, 0xe1, 0x51, 0x38, 0xbb,
--    0x02, 0x1d, 0xae, 0xb3, 0x5f, 0x76, 0x2d, 0x17,
--    0x82, 0xac, 0xc6, 0x58, 0xd3, 0x2b, 0xd4, 0xb0,
--    0x23, 0x2c, 0x92, 0x7d, 0xd3, 0x8f, 0xa0, 0x97,
--    0xb3, 0xd1, 0x85, 0x9f, 0xa8, 0xac, 0xaf, 0xb9,
--    0x8f, 0x06, 0x66, 0x08, 0xfc, 0x64, 0x4e, 0xc7,
--    0xdd, 0xb6, 0xf0, 0x85, 0x99, 0xf9, 0x2a, 0xc1,
--    0xb5, 0x98, 0x25, 0xda, 0x84, 0x32, 0x07, 0x7d,
--    0xef, 0x69, 0x56, 0x46, 0x06, 0x3c, 0x20, 0x82,
--    0x3c, 0x95, 0x07, 0xab, 0x6f, 0x01, 0x76, 0xd4,
--    0x73, 0x0d, 0x99, 0x0d, 0xbb, 0xe6, 0x36, 0x1c,
--    0xd8, 0xb2, 0xb9, 0x4d, 0x3d, 0x2f, 0x32, 0x9b,
--    0x82, 0x09, 0x9b, 0xd6, 0x61, 0xf4, 0x29, 0x50,
--    0xf4, 0x03, 0xdf, 0x3e, 0xde, 0x62, 0xa3, 0x31,
--    0x88, 0xb0, 0x27, 0x98, 0xba, 0x82, 0x3f, 0x44,
--    0xb9, 0x46, 0xfe, 0x9d, 0xf6, 0x77, 0xa0, 0xc5,
--    0xa1, 0x23, 0x8e, 0xaa, 0x97, 0xb7, 0x0f, 0x80,
--    0xda, 0x8c, 0xac, 0x88, 0xe0, 0x92, 0xb1, 0x12,
--    0x70, 0x60, 0xff, 0xbf, 0x45, 0x57, 0x99, 0x94,
--    0x01, 0x1d, 0xc2, 0xfa, 0xa5, 0xe7, 0xf6, 0xc7,
--    0x62, 0x45, 0xe1, 0xcc, 0x31, 0x22, 0x31, 0xc1,
--    0x7d, 0x1c, 0xa6, 0xb1, 0x90, 0x07, 0xef, 0x0d,
--    0xb9, 0x9f, 0x9c, 0xb6, 0x0e, 0x1d, 0x5f, 0x69
--};
-+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-+    0xad, 0xf8, 0x54, 0x58, 0xa2, 0xbb, 0x4a, 0x9a,
-+    0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1,
-+    0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95,
-+    0xa9, 0xe1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xfb,
-+    0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9,
-+    0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8,
-+    0xf6, 0x81, 0xb2, 0x02, 0xae, 0xc4, 0x61, 0x7a,
-+    0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61,
-+    0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0,
-+    0x85, 0x63, 0x65, 0x55, 0x3d, 0xed, 0x1a, 0xf3,
-+    0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35,
-+    0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77,
-+    0xe2, 0xa6, 0x89, 0xda, 0xf3, 0xef, 0xe8, 0x72,
-+    0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35,
-+    0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a,
-+    0xbc, 0x0a, 0xb1, 0x82, 0xb3, 0x24, 0xfb, 0x61,
-+    0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb,
-+    0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68,
-+    0x1d, 0x4f, 0x42, 0xa3, 0xde, 0x39, 0x4d, 0xf4,
-+    0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19,
-+    0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70,
-+    0x9e, 0x02, 0xfc, 0xe1, 0xcd, 0xf7, 0xe2, 0xec,
-+    0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61,
-+    0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff,
-+    0x8e, 0x4f, 0x12, 0x32, 0xee, 0xf2, 0x81, 0x83,
-+    0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73,
-+    0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05,
-+    0xc5, 0x8e, 0xf1, 0x83, 0x7d, 0x16, 0x83, 0xb2,
-+    0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa,
-+    0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97,
-+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
-+};
-+/* RFC7919 FFDHE2048 q */
- static const unsigned char dh_q[] = {
--    0x89, 0x8b, 0x22, 0x67, 0x17, 0xef, 0x03, 0x9e,
--    0x60, 0x3e, 0x82, 0xe5, 0xc7, 0xaf, 0xe4, 0x83,
--    0x74, 0xac, 0x5f, 0x62, 0x5c, 0x54, 0xf1, 0xea,
--    0x11, 0xac, 0xb5, 0x7d
--};
-+    0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-+    0xd6, 0xfc, 0x2a, 0x2c, 0x51, 0x5d, 0xa5, 0x4d,
-+    0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78,
-+    0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a,
-+    0xd4, 0xf0, 0x9b, 0x20, 0x8a, 0x32, 0x19, 0xfd,
-+    0xe6, 0x49, 0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c,
-+    0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec,
-+    0x7b, 0x40, 0xd9, 0x01, 0x57, 0x62, 0x30, 0xbd,
-+    0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0,
-+    0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68,
-+    0x42, 0xb1, 0xb2, 0xaa, 0x9e, 0xf6, 0x8d, 0x79,
-+    0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a,
-+    0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb,
-+    0xf1, 0x53, 0x44, 0xed, 0x79, 0xf7, 0xf4, 0x39,
-+    0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a,
-+    0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd,
-+    0x5e, 0x05, 0x58, 0xc1, 0x59, 0x92, 0x7d, 0xb0,
-+    0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd,
-+    0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34,
-+    0x0e, 0xa7, 0xa1, 0x51, 0xef, 0x1c, 0xa6, 0xfa,
-+    0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c,
-+    0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8,
-+    0x4f, 0x01, 0x7e, 0x70, 0xe6, 0xfb, 0xf1, 0x76,
-+    0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0,
-+    0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff,
-+    0xc7, 0x27, 0x89, 0x19, 0x77, 0x79, 0x40, 0xc1,
-+    0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9,
-+    0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02,
-+    0xe2, 0xc7, 0x78, 0xc1, 0xbe, 0x8b, 0x41, 0xd9,
-+    0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd,
-+    0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b,
-+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
-+};
-+/* RFC7919 FFDHE2048 g */
- static const unsigned char dh_g[] = {
--    0x5e, 0xf7, 0xb8, 0x8f, 0x2d, 0xf6, 0x01, 0x39,
--    0x35, 0x1d, 0xfb, 0xfe, 0x12, 0x66, 0x80, 0x5f,
--    0xdf, 0x35, 0x6c, 0xdf, 0xd1, 0x3a, 0x4d, 0xa0,
--    0x05, 0x0c, 0x7e, 0xde, 0x24, 0x6d, 0xf5, 0x9f,
--    0x6a, 0xbf, 0x96, 0xad, 0xe5, 0xf2, 0xb2, 0x8f,
--    0xfe, 0x88, 0xd6, 0xbc, 0xe7, 0xf7, 0x89, 0x4a,
--    0x3d, 0x53, 0x5f, 0xc8, 0x21, 0x26, 0xdd, 0xd4,
--    0x24, 0x87, 0x2e, 0x16, 0xb8, 0x38, 0xdf, 0x8c,
--    0x51, 0xe9, 0x01, 0x6f, 0x88, 0x9c, 0x7c, 0x20,
--    0x3e, 0x98, 0xa8, 0xb6, 0x31, 0xf9, 0xc7, 0x25,
--    0x63, 0xd3, 0x8a, 0x49, 0x58, 0x9a, 0x07, 0x53,
--    0xd3, 0x58, 0xe7, 0x83, 0x31, 0x8c, 0xef, 0xd9,
--    0x67, 0x7c, 0x7b, 0x2d, 0xbb, 0x77, 0xd6, 0xdc,
--    0xe2, 0xa1, 0x96, 0x37, 0x95, 0xca, 0x64, 0xb9,
--    0x2d, 0x1c, 0x9a, 0xac, 0x6d, 0x0e, 0x8d, 0x43,
--    0x1d, 0xe5, 0xe5, 0x00, 0x60, 0xdf, 0xf7, 0x86,
--    0x89, 0xc9, 0xec, 0xa1, 0xc1, 0x24, 0x8c, 0x16,
--    0xed, 0x09, 0xc7, 0xad, 0x41, 0x2a, 0x17, 0x40,
--    0x6d, 0x2b, 0x52, 0x5a, 0xa1, 0xca, 0xbb, 0x23,
--    0x7b, 0x97, 0x34, 0xec, 0x7b, 0x8c, 0xe3, 0xfa,
--    0xe0, 0x2f, 0x29, 0xc5, 0xef, 0xed, 0x30, 0xd6,
--    0x91, 0x87, 0xda, 0x10, 0x9c, 0x2c, 0x9f, 0xe2,
--    0xaa, 0xdb, 0xb0, 0xc2, 0x2a, 0xf5, 0x4c, 0x61,
--    0x66, 0x55, 0x00, 0x0c, 0x43, 0x1c, 0x6b, 0x4a,
--    0x37, 0x97, 0x63, 0xb0, 0xa9, 0x16, 0x58, 0xef,
--    0xc8, 0x4e, 0x8b, 0x06, 0x35, 0x8c, 0x8b, 0x4f,
--    0x21, 0x37, 0x10, 0xfd, 0x10, 0x17, 0x2c, 0xf3,
--    0x9b, 0x83, 0x0c, 0x2d, 0xd8, 0x4a, 0x0c, 0x8a,
--    0xb8, 0x25, 0x16, 0xec, 0xab, 0x99, 0x5f, 0xa4,
--    0x21, 0x5e, 0x02, 0x3e, 0x4e, 0xcf, 0x80, 0x74,
--    0xc3, 0x9d, 0x6c, 0x88, 0xb7, 0x0d, 0x1e, 0xe4,
--    0xe9, 0x6f, 0xdc, 0x20, 0xea, 0x11, 0x5c, 0x32
-+    0x02
- };
- static const unsigned char dh_priv[] = {
--    0x14, 0x33, 0xe0, 0xb5, 0xa9, 0x17, 0xb6, 0x0a,
--    0x30, 0x23, 0xf2, 0xf8, 0xaa, 0x2c, 0x2d, 0x70,
--    0xd2, 0x96, 0x8a, 0xba, 0x9a, 0xea, 0xc8, 0x15,
--    0x40, 0xb8, 0xfc, 0xe6
-+    0x01, 0xdc, 0x2a, 0xb9, 0x87, 0x71, 0x57, 0x0f,
-+    0xcd, 0x93, 0x65, 0x4c, 0xa1, 0xd6, 0x56, 0x6d,
-+    0xc5, 0x35, 0xd5, 0xcb, 0x4c, 0xb8, 0xad, 0x8d,
-+    0x6c, 0xdc, 0x5d, 0x6e, 0x94
- };
- static const unsigned char dh_pub[] = {
--    0x95, 0xdd, 0x33, 0x8d, 0x29, 0xe5, 0x71, 0x04,
--    0x92, 0xb9, 0x18, 0x31, 0x7b, 0x72, 0xa3, 0x69,
--    0x36, 0xe1, 0x95, 0x1a, 0x2e, 0xe5, 0xa5, 0x59,
--    0x16, 0x99, 0xc0, 0x48, 0x6d, 0x0d, 0x4f, 0x9b,
--    0xdd, 0x6d, 0x5a, 0x3f, 0x6b, 0x98, 0x89, 0x0c,
--    0x62, 0xb3, 0x76, 0x52, 0xd3, 0x6e, 0x71, 0x21,
--    0x11, 0xe6, 0x8a, 0x73, 0x55, 0x37, 0x25, 0x06,
--    0x99, 0xef, 0xe3, 0x30, 0x53, 0x73, 0x91, 0xfb,
--    0xc2, 0xc5, 0x48, 0xbc, 0x5a, 0xc3, 0xe5, 0xb2,
--    0x33, 0x86, 0xc3, 0xee, 0xf5, 0xeb, 0x43, 0xc0,
--    0x99, 0xd7, 0x0a, 0x52, 0x02, 0x68, 0x7e, 0x83,
--    0x96, 0x42, 0x48, 0xfc, 0xa9, 0x1f, 0x40, 0x90,
--    0x8e, 0x8f, 0xb3, 0x31, 0x93, 0x15, 0xf6, 0xd2,
--    0x60, 0x6d, 0x7f, 0x7c, 0xd5, 0x2c, 0xc6, 0xe7,
--    0xc5, 0x84, 0x3a, 0xfb, 0x22, 0x51, 0x9c, 0xf0,
--    0xf0, 0xf9, 0xd3, 0xa0, 0xa4, 0xe8, 0xc8, 0x88,
--    0x99, 0xef, 0xed, 0xe7, 0x36, 0x43, 0x51, 0xfb,
--    0x6a, 0x36, 0x3e, 0xe7, 0x17, 0xe5, 0x44, 0x5a,
--    0xda, 0xb4, 0xc9, 0x31, 0xa6, 0x48, 0x39, 0x97,
--    0xb8, 0x7d, 0xad, 0x83, 0x67, 0x7e, 0x4d, 0x1d,
--    0x3a, 0x77, 0x75, 0xe0, 0xf6, 0xd0, 0x0f, 0xdf,
--    0x73, 0xc7, 0xad, 0x80, 0x1e, 0x66, 0x5a, 0x0e,
--    0x5a, 0x79, 0x6d, 0x0a, 0x03, 0x80, 0xa1, 0x9f,
--    0xa1, 0x82, 0xef, 0xc8, 0xa0, 0x4f, 0x5e, 0x4d,
--    0xb9, 0x0d, 0x1a, 0x86, 0x37, 0xf9, 0x5d, 0xb1,
--    0x64, 0x36, 0xbd, 0xc8, 0xf3, 0xfc, 0x09, 0x6c,
--    0x4f, 0xf7, 0xf2, 0x34, 0xbe, 0x8f, 0xef, 0x47,
--    0x9a, 0xc4, 0xb0, 0xdc, 0x4b, 0x77, 0x26, 0x3e,
--    0x07, 0xd9, 0x95, 0x9d, 0xe0, 0xf1, 0xbf, 0x3f,
--    0x0a, 0xe3, 0xd9, 0xd5, 0x0e, 0x4b, 0x89, 0xc9,
--    0x9e, 0x3e, 0xa1, 0x21, 0x73, 0x43, 0xdd, 0x8c,
--    0x65, 0x81, 0xac, 0xc4, 0x95, 0x9c, 0x91, 0xd3
-+    0x00, 0xc4, 0x82, 0x14, 0x69, 0x16, 0x4c, 0x05,
-+    0x55, 0x2a, 0x7e, 0x55, 0x6d, 0x02, 0xbb, 0x7f,
-+    0xcc, 0x63, 0x74, 0xee, 0xcb, 0xb4, 0x98, 0x43,
-+    0x0e, 0x29, 0x43, 0x0d, 0x44, 0xc7, 0xf1, 0x23,
-+    0x81, 0xca, 0x1c, 0x5c, 0xc3, 0xff, 0x01, 0x4a,
-+    0x1a, 0x03, 0x9e, 0x5f, 0xd1, 0x4e, 0xa0, 0x0b,
-+    0xb9, 0x5c, 0x0d, 0xef, 0x14, 0x01, 0x62, 0x3c,
-+    0x8a, 0x8e, 0x60, 0xbb, 0x39, 0xd6, 0x38, 0x63,
-+    0xb7, 0x65, 0xd0, 0x0b, 0x1a, 0xaf, 0x53, 0x38,
-+    0x10, 0x0f, 0x3e, 0xeb, 0x9d, 0x0c, 0x24, 0xf6,
-+    0xe3, 0x70, 0x08, 0x8a, 0x4d, 0x01, 0xf8, 0x7a,
-+    0x87, 0x49, 0x64, 0x72, 0xb1, 0x75, 0x3b, 0x94,
-+    0xc8, 0x09, 0x2d, 0x6a, 0x63, 0xd8, 0x9a, 0x92,
-+    0xb9, 0x5b, 0x1a, 0xc3, 0x47, 0x0b, 0x63, 0x44,
-+    0x3b, 0xe3, 0xc0, 0x09, 0xc9, 0xf9, 0x02, 0x53,
-+    0xd8, 0xfb, 0x06, 0x44, 0xdb, 0xdf, 0xe8, 0x13,
-+    0x2b, 0x40, 0x6a, 0xd4, 0x13, 0x4e, 0x52, 0x30,
-+    0xd6, 0xc1, 0xd8, 0x59, 0x9d, 0x59, 0xba, 0x1b,
-+    0xbf, 0xaa, 0x6f, 0xe9, 0x3d, 0xfd, 0xff, 0x01,
-+    0x0b, 0x54, 0xe0, 0x6a, 0x4e, 0x27, 0x2b, 0x3d,
-+    0xe8, 0xef, 0xb0, 0xbe, 0x52, 0xc3, 0x52, 0x18,
-+    0x6f, 0xa3, 0x27, 0xab, 0x6c, 0x12, 0xc3, 0x81,
-+    0xcb, 0xae, 0x23, 0x11, 0xa0, 0x5d, 0xc3, 0x6f,
-+    0x23, 0x17, 0x40, 0xb3, 0x05, 0x4f, 0x5d, 0xb7,
-+    0x34, 0xbe, 0x87, 0x2c, 0xa9, 0x9e, 0x98, 0x39,
-+    0xbf, 0x2e, 0x9d, 0xad, 0x4f, 0x70, 0xad, 0xed,
-+    0x1b, 0x5e, 0x47, 0x90, 0x49, 0x2e, 0x61, 0x71,
-+    0x5f, 0x07, 0x0b, 0x35, 0x04, 0xfc, 0x53, 0xce,
-+    0x58, 0x60, 0x6c, 0x5b, 0x8b, 0xfe, 0x70, 0x04,
-+    0x2a, 0x6a, 0x98, 0x0a, 0xd0, 0x80, 0xae, 0x69,
-+    0x95, 0xf9, 0x99, 0x18, 0xfc, 0xe4, 0x8e, 0xed,
-+    0x61, 0xd9, 0x02, 0x9d, 0x4e, 0x05, 0xe9, 0xf2,
-+    0x32
- };
- static const unsigned char dh_peer_pub[] = {
--    0x1f, 0xc1, 0xda, 0x34, 0x1d, 0x1a, 0x84, 0x6a,
--    0x96, 0xb7, 0xbe, 0x24, 0x34, 0x0f, 0x87, 0x7d,
--    0xd0, 0x10, 0xaa, 0x03, 0x56, 0xd5, 0xad, 0x58,
--    0xaa, 0xe9, 0xc7, 0xb0, 0x8f, 0x74, 0x9a, 0x32,
--    0x23, 0x51, 0x10, 0xb5, 0xd8, 0x8e, 0xb5, 0xdb,
--    0xfa, 0x97, 0x8d, 0x27, 0xec, 0xc5, 0x30, 0xf0,
--    0x2d, 0x31, 0x14, 0x00, 0x5b, 0x64, 0xb1, 0xc0,
--    0xe0, 0x24, 0xcb, 0x8a, 0xe2, 0x16, 0x98, 0xbc,
--    0xa9, 0xe6, 0x0d, 0x42, 0x80, 0x86, 0x22, 0xf1,
--    0x81, 0xc5, 0x6e, 0x1d, 0xe7, 0xa9, 0x6e, 0x6e,
--    0xfe, 0xe9, 0xd6, 0x65, 0x67, 0xe9, 0x1b, 0x97,
--    0x70, 0x42, 0xc7, 0xe3, 0xd0, 0x44, 0x8f, 0x05,
--    0xfb, 0x77, 0xf5, 0x22, 0xb9, 0xbf, 0xc8, 0xd3,
--    0x3c, 0xc3, 0xc3, 0x1e, 0xd3, 0xb3, 0x1f, 0x0f,
--    0xec, 0xb6, 0xdb, 0x4f, 0x6e, 0xa3, 0x11, 0xe7,
--    0x7a, 0xfd, 0xbc, 0xd4, 0x7a, 0xee, 0x1b, 0xb1,
--    0x50, 0xf2, 0x16, 0x87, 0x35, 0x78, 0xfb, 0x96,
--    0x46, 0x8e, 0x8f, 0x9f, 0x3d, 0xe8, 0xef, 0xbf,
--    0xce, 0x75, 0x62, 0x4b, 0x1d, 0xf0, 0x53, 0x22,
--    0xa3, 0x4f, 0x14, 0x63, 0xe8, 0x39, 0xe8, 0x98,
--    0x4c, 0x4a, 0xd0, 0xa9, 0x6e, 0x1a, 0xc8, 0x42,
--    0xe5, 0x31, 0x8c, 0xc2, 0x3c, 0x06, 0x2a, 0x8c,
--    0xa1, 0x71, 0xb8, 0xd5, 0x75, 0x98, 0x0d, 0xde,
--    0x7f, 0xc5, 0x6f, 0x15, 0x36, 0x52, 0x38, 0x20,
--    0xd4, 0x31, 0x92, 0xbf, 0xd5, 0x1e, 0x8e, 0x22,
--    0x89, 0x78, 0xac, 0xa5, 0xb9, 0x44, 0x72, 0xf3,
--    0x39, 0xca, 0xeb, 0x99, 0x31, 0xb4, 0x2b, 0xe3,
--    0x01, 0x26, 0x8b, 0xc9, 0x97, 0x89, 0xc9, 0xb2,
--    0x55, 0x71, 0xc3, 0xc0, 0xe4, 0xcb, 0x3f, 0x00,
--    0x7f, 0x1a, 0x51, 0x1c, 0xbb, 0x53, 0xc8, 0x51,
--    0x9c, 0xdd, 0x13, 0x02, 0xab, 0xca, 0x6c, 0x0f,
--    0x34, 0xf9, 0x67, 0x39, 0xf1, 0x7f, 0xf4, 0x8b
-+    0x00, 0xef, 0x15, 0x02, 0xf5, 0x56, 0xa3, 0x79,
-+    0x40, 0x58, 0xbc, 0xeb, 0x56, 0xad, 0xcb, 0xda,
-+    0x8c, 0xda, 0xb8, 0xd1, 0xda, 0x6f, 0x25, 0x29,
-+    0x9e, 0x43, 0x76, 0x2d, 0xb2, 0xd8, 0xbc, 0x84,
-+    0xbc, 0x85, 0xd0, 0x94, 0x8d, 0x44, 0x27, 0x57,
-+    0xe4, 0xdf, 0xc1, 0x78, 0x42, 0x8f, 0x08, 0xf5,
-+    0x74, 0xfe, 0x02, 0x56, 0xd2, 0x09, 0xc8, 0x68,
-+    0xef, 0xed, 0x18, 0xc9, 0xfd, 0x2e, 0x95, 0x6c,
-+    0xba, 0x6c, 0x00, 0x0e, 0xf5, 0xd1, 0x1b, 0xf6,
-+    0x15, 0x14, 0x5b, 0x67, 0x22, 0x7c, 0x6a, 0x20,
-+    0x76, 0x43, 0x51, 0xef, 0x5e, 0x1e, 0xf9, 0x2d,
-+    0xd6, 0xb4, 0xc5, 0xc6, 0x18, 0x33, 0xd1, 0xa3,
-+    0x3b, 0xe6, 0xdd, 0x57, 0x9d, 0xad, 0x13, 0x7a,
-+    0x53, 0xde, 0xb3, 0x97, 0xc0, 0x7e, 0xd7, 0x77,
-+    0x6b, 0xf8, 0xbd, 0x13, 0x70, 0x8c, 0xba, 0x73,
-+    0x80, 0xb3, 0x80, 0x6f, 0xfb, 0x1c, 0xda, 0x53,
-+    0x4d, 0x3c, 0x8a, 0x2e, 0xa1, 0x37, 0xce, 0xb1,
-+    0xde, 0x45, 0x97, 0x58, 0x65, 0x4d, 0xcf, 0x05,
-+    0xbb, 0xc3, 0xd7, 0x38, 0x6d, 0x0a, 0x59, 0x7a,
-+    0x99, 0x15, 0xb7, 0x9a, 0x3d, 0xfd, 0x61, 0xe5,
-+    0x1a, 0xa2, 0xcc, 0xf6, 0xfe, 0xb1, 0xee, 0xe9,
-+    0xa9, 0xe2, 0xeb, 0x06, 0xbc, 0x14, 0x6e, 0x91,
-+    0x0d, 0xf1, 0xe3, 0xbb, 0xe0, 0x7e, 0x1d, 0x31,
-+    0x79, 0xf1, 0x6d, 0x5f, 0xcb, 0xaf, 0xb2, 0x4f,
-+    0x22, 0x12, 0xbf, 0x72, 0xbd, 0xd0, 0x30, 0xe4,
-+    0x1c, 0x35, 0x96, 0x61, 0x98, 0x39, 0xfb, 0x7e,
-+    0x6d, 0x66, 0xc4, 0x69, 0x41, 0x0d, 0x0d, 0x59,
-+    0xbb, 0xa7, 0xbf, 0x34, 0xe0, 0x39, 0x36, 0x84,
-+    0x5e, 0x0e, 0x03, 0x2d, 0xcf, 0xaa, 0x02, 0x8a,
-+    0xba, 0x59, 0x88, 0x47, 0xc4, 0x4d, 0xd7, 0xbd,
-+    0x78, 0x76, 0x24, 0xf1, 0x45, 0x56, 0x44, 0xc2,
-+    0x4a, 0xc2, 0xd5, 0x3a, 0x59, 0x40, 0xab, 0x87,
-+    0x64
- };
- 
- static const unsigned char dh_secret_expected[] = {
--    0x08, 0xff, 0x33, 0xbb, 0x2e, 0xcf, 0xf4, 0x9a,
--    0x7d, 0x4a, 0x79, 0x12, 0xae, 0xb1, 0xbb, 0x6a,
--    0xb5, 0x11, 0x64, 0x1b, 0x4a, 0x76, 0x77, 0x0c,
--    0x8c, 0xc1, 0xbc, 0xc2, 0x33, 0x34, 0x3d, 0xfe,
--    0x70, 0x0d, 0x11, 0x81, 0x3d, 0x2c, 0x9e, 0xd2,
--    0x3b, 0x21, 0x1c, 0xa9, 0xe8, 0x78, 0x69, 0x21,
--    0xed, 0xca, 0x28, 0x3c, 0x68, 0xb1, 0x61, 0x53,
--    0xfa, 0x01, 0xe9, 0x1a, 0xb8, 0x2c, 0x90, 0xdd,
--    0xab, 0x4a, 0x95, 0x81, 0x67, 0x70, 0xa9, 0x87,
--    0x10, 0xe1, 0x4c, 0x92, 0xab, 0x83, 0xb6, 0xe4,
--    0x6e, 0x1e, 0x42, 0x6e, 0xe8, 0x52, 0x43, 0x0d,
--    0x61, 0x87, 0xda, 0xa3, 0x72, 0x0a, 0x6b, 0xcd,
--    0x73, 0x23, 0x5c, 0x6b, 0x0f, 0x94, 0x1f, 0x33,
--    0x64, 0xf5, 0x04, 0x20, 0x55, 0x1a, 0x4b, 0xfe,
--    0xaf, 0xe2, 0xbc, 0x43, 0x85, 0x05, 0xa5, 0x9a,
--    0x4a, 0x40, 0xda, 0xca, 0x7a, 0x89, 0x5a, 0x73,
--    0xdb, 0x57, 0x5c, 0x74, 0xc1, 0x3a, 0x23, 0xad,
--    0x88, 0x32, 0x95, 0x7d, 0x58, 0x2d, 0x38, 0xf0,
--    0xa6, 0x16, 0x5f, 0xb0, 0xd7, 0xe9, 0xb8, 0x79,
--    0x9e, 0x42, 0xfd, 0x32, 0x20, 0xe3, 0x32, 0xe9,
--    0x81, 0x85, 0xa0, 0xc9, 0x42, 0x97, 0x57, 0xb2,
--    0xd0, 0xd0, 0x2c, 0x17, 0xdb, 0xaa, 0x1f, 0xf6,
--    0xed, 0x93, 0xd7, 0xe7, 0x3e, 0x24, 0x1e, 0xae,
--    0xd9, 0x0c, 0xaf, 0x39, 0x4d, 0x2b, 0xc6, 0x57,
--    0x0f, 0x18, 0xc8, 0x1f, 0x2b, 0xe5, 0xd0, 0x1a,
--    0x2c, 0xa9, 0x9f, 0xf1, 0x42, 0xb5, 0xd9, 0x63,
--    0xf9, 0xf5, 0x00, 0x32, 0x5e, 0x75, 0x56, 0xf9,
--    0x58, 0x49, 0xb3, 0xff, 0xc7, 0x47, 0x94, 0x86,
--    0xbe, 0x1d, 0x45, 0x96, 0xa3, 0x10, 0x6b, 0xd5,
--    0xcb, 0x4f, 0x61, 0xc5, 0x7e, 0xc5, 0xf1, 0x00,
--    0xfb, 0x7a, 0x0c, 0x82, 0xa1, 0x0b, 0x82, 0x52,
--    0x6a, 0x97, 0xd1, 0xd9, 0x7d, 0x98, 0xea, 0xf6
-+    0x56, 0x13, 0xe3, 0x12, 0x6b, 0x5f, 0x67, 0xe5,
-+    0x08, 0xe5, 0x35, 0x0e, 0x11, 0x90, 0x9d, 0xf5,
-+    0x1a, 0x24, 0xfa, 0x42, 0xd1, 0x4a, 0x50, 0x93,
-+    0x5b, 0xf4, 0x11, 0x6f, 0xd0, 0xc3, 0xc5, 0xa5,
-+    0x80, 0xae, 0x01, 0x3d, 0x66, 0x92, 0xc0, 0x3e,
-+    0x5f, 0xe9, 0x75, 0xb6, 0x5b, 0x37, 0x82, 0x39,
-+    0x72, 0x66, 0x0b, 0xa2, 0x73, 0x94, 0xe5, 0x04,
-+    0x7c, 0x0c, 0x19, 0x9a, 0x03, 0x53, 0xc4, 0x9d,
-+    0xc1, 0x0f, 0xc3, 0xec, 0x0e, 0x2e, 0xa3, 0x7c,
-+    0x07, 0x0e, 0xaf, 0x18, 0x1d, 0xc7, 0x8b, 0x47,
-+    0x4b, 0x94, 0x05, 0x6d, 0xec, 0xdd, 0xa1, 0xae,
-+    0x7b, 0x21, 0x86, 0x53, 0xd3, 0x62, 0x38, 0x08,
-+    0xea, 0xda, 0xdc, 0xb2, 0x5a, 0x7c, 0xef, 0x19,
-+    0xf8, 0x29, 0xef, 0xf8, 0xd0, 0xfb, 0xde, 0xe8,
-+    0xb8, 0x2f, 0xb3, 0xa1, 0x16, 0xa2, 0xd0, 0x8f,
-+    0x48, 0xdc, 0x7d, 0xcb, 0xee, 0x5c, 0x06, 0x1e,
-+    0x2a, 0x66, 0xe8, 0x1f, 0xdb, 0x18, 0xe9, 0xd2,
-+    0xfd, 0xa2, 0x4e, 0x39, 0xa3, 0x2e, 0x88, 0x3d,
-+    0x7d, 0xac, 0x15, 0x18, 0x25, 0xe6, 0xba, 0xd4,
-+    0x0e, 0x89, 0x26, 0x60, 0x8f, 0xdc, 0x4a, 0xb4,
-+    0x49, 0x8f, 0x98, 0xe8, 0x62, 0x8c, 0xc6, 0x66,
-+    0x20, 0x4c, 0xe1, 0xed, 0xfc, 0x01, 0x88, 0x46,
-+    0xa7, 0x67, 0x48, 0x39, 0xc5, 0x22, 0x95, 0xa0,
-+    0x23, 0xb9, 0xd1, 0xed, 0x87, 0xcf, 0xa7, 0x70,
-+    0x1c, 0xac, 0xd3, 0xaf, 0x5c, 0x26, 0x50, 0x3c,
-+    0xe4, 0x23, 0xb6, 0xcc, 0xd7, 0xc5, 0xda, 0x2f,
-+    0xf4, 0x45, 0xf1, 0xe4, 0x40, 0xb5, 0x0a, 0x25,
-+    0x86, 0xe6, 0xde, 0x11, 0x3c, 0x46, 0x16, 0xbc,
-+    0x41, 0xc2, 0x28, 0x19, 0x81, 0x5a, 0x46, 0x02,
-+    0x87, 0xd0, 0x15, 0x0c, 0xd2, 0xfe, 0x75, 0x04,
-+    0x82, 0xd2, 0x0a, 0xb7, 0xbc, 0xc5, 0x6c, 0xb1,
-+    0x41, 0xa8, 0x2b, 0x28, 0xbb, 0x86, 0x0c, 0x89
- };
- 
- static const ST_KAT_PARAM dh_group[] = {
--- 
-2.35.3
-

openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch

@@ -1,312 +0,0 @@
-From dc41625dc4a793f0e21188165711181ca085339b Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Wed, 6 Mar 2024 19:17:16 +0100
-Subject: [PATCH 28/49] 
- 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
-
-Patch-name: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
-Patch-id: 74
-Patch-status: |
-    # [PATCH 29/46]
-    # 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
-From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
----
- crypto/evp/m_sigver.c           | 54 ++++++++++++++++++++++++++++-----
- providers/fips/self_test_kats.c | 43 +++++++++++++++-----------
- 2 files changed, 73 insertions(+), 24 deletions(-)
-
-Index: openssl-3.2.3/crypto/evp/m_sigver.c
-===================================================================
---- openssl-3.2.3.orig/crypto/evp/m_sigver.c
-+++ openssl-3.2.3/crypto/evp/m_sigver.c
-@@ -86,6 +86,7 @@ static int update(EVP_MD_CTX *ctx, const
-     ERR_raise(ERR_LIB_EVP, EVP_R_ONLY_ONESHOT_SUPPORTED);
-     return 0;
- }
-+#endif /* !defined(FIPS_MODULE) */
- 
- /*
-  * If we get the "NULL" md then the name comes back as "UNDEF". We want to use
-@@ -121,8 +122,10 @@ static int do_sigver_init(EVP_MD_CTX *ct
-         reinit = 0;
-         if (e == NULL)
-             ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props);
-+#ifndef FIPS_MODULE
-         else
-             ctx->pctx = EVP_PKEY_CTX_new(pkey, e);
-+#endif /* !defined(FIPS_MODULE) */
-     }
-     if (ctx->pctx == NULL)
-         return 0;
-@@ -132,8 +135,10 @@ static int do_sigver_init(EVP_MD_CTX *ct
-     locpctx = ctx->pctx;
-     ERR_set_mark();
- 
-+#ifndef FIPS_MODULE
-     if (evp_pkey_ctx_is_legacy(locpctx))
-         goto legacy;
-+#endif /* !defined(FIPS_MODULE) */
- 
-     /* do not reinitialize if pkey is set or operation is different */
-     if (reinit
-@@ -218,8 +223,10 @@ static int do_sigver_init(EVP_MD_CTX *ct
-             signature =
-                 evp_signature_fetch_from_prov((OSSL_PROVIDER *)tmp_prov,
-                                               supported_sig, locpctx->propquery);
-+#ifndef FIPS_MODULE
-             if (signature == NULL)
-                 goto legacy;
-+#endif /* !defined(FIPS_MODULE) */
-             break;
-         }
-         if (signature == NULL)
-@@ -303,6 +310,7 @@ static int do_sigver_init(EVP_MD_CTX *ct
-             ctx->fetched_digest = EVP_MD_fetch(locpctx->libctx, mdname, props);
-             if (ctx->fetched_digest != NULL) {
-                 ctx->digest = ctx->reqdigest = ctx->fetched_digest;
-+#ifndef FIPS_MODULE
-             } else {
-                 /* legacy engine support : remove the mark when this is deleted */
-                 ctx->reqdigest = ctx->digest = EVP_get_digestbyname(mdname);
-@@ -311,11 +319,13 @@ static int do_sigver_init(EVP_MD_CTX *ct
-                     ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
-                     goto err;
-                 }
-+#endif /* !defined(FIPS_MODULE) */
-             }
-             (void)ERR_pop_to_mark();
-         }
-     }
- 
-+#ifndef FIPS_MODULE
-     if (ctx->reqdigest != NULL
-             && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
-             && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
-@@ -327,6 +337,7 @@ static int do_sigver_init(EVP_MD_CTX *ct
-             goto err;
-         }
-     }
-+#endif /* !defined(FIPS_MODULE) */
- 
-     if (ver) {
-         if (signature->digest_verify_init == NULL) {
-@@ -359,6 +370,7 @@ static int do_sigver_init(EVP_MD_CTX *ct
-     EVP_KEYMGMT_free(tmp_keymgmt);
-     return 0;
- 
-+#ifndef FIPS_MODULE
-  legacy:
-     /*
-      * If we don't have the full support we need with provided methods,
-@@ -430,6 +442,7 @@ static int do_sigver_init(EVP_MD_CTX *ct
-         ctx->pctx->flag_call_digest_custom = 1;
- 
-     ret = 1;
-+#endif /* !defined(FIPS_MODULE) */
- 
-  end:
- #ifndef FIPS_MODULE
-@@ -472,7 +485,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx
-     return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1,
-                           NULL);
- }
--#endif /* FIPS_MDOE */
- 
- int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
- {
-@@ -544,24 +556,30 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *c
-     return EVP_DigestUpdate(ctx, data, dsize);
- }
- 
--#ifndef FIPS_MODULE
- int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
-                         size_t *siglen)
- {
--    int sctx = 0, r = 0;
--    EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx;
-+    int r = 0;
-+#ifndef FIPS_MODULE
-+    int sctx = 0;
-+    EVP_PKEY_CTX *dctx = NULL;
-+#endif /* !defined(FIPS_MODULE) */
-+    EVP_PKEY_CTX *pctx = ctx->pctx;
- 
-     if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) {
-         ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
-         return 0;
-     }
- 
-+#ifndef FIPS_MODULE
-     if (pctx == NULL
-             || pctx->operation != EVP_PKEY_OP_SIGNCTX
-             || pctx->op.sig.algctx == NULL
-             || pctx->op.sig.signature == NULL)
-         goto legacy;
-+#endif /* !defined(FIPS_MODULE) */
- 
-+#ifndef FIPS_MODULE
-     if (sigret != NULL && (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
-         /* try dup */
-         dctx = EVP_PKEY_CTX_dup(pctx);
-@@ -576,7 +594,14 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx,
-     else
-         EVP_PKEY_CTX_free(dctx);
-     return r;
-+#else
-+    r = pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx,
-+                                                  sigret, siglen,
-+                                                  sigret == NULL ? 0 : *siglen);
-+    return r;
-+#endif /* !defined(FIPS_MODULE) */
- 
-+#ifndef FIPS_MODULE
-  legacy:
-     if (pctx == NULL || pctx->pmeth == NULL) {
-         ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
-@@ -649,6 +674,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx,
-         }
-     }
-     return 1;
-+#endif /* !defined(FIPS_MODULE) */
- }
- 
- int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
-@@ -687,23 +713,29 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsi
- int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
-                           size_t siglen)
- {
--    unsigned char md[EVP_MAX_MD_SIZE];
-     int r = 0;
-+#ifndef FIPS_MODULE
-+    unsigned char md[EVP_MAX_MD_SIZE];
-     unsigned int mdlen = 0;
-     int vctx = 0;
--    EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx;
-+    EVP_PKEY_CTX *dctx = NULL;
-+#endif /* !defined(FIPS_MODULE) */
-+    EVP_PKEY_CTX *pctx = ctx->pctx;
- 
-     if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) {
-         ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR);
-         return 0;
-     }
- 
-+#ifndef FIPS_MODULE
-     if (pctx == NULL
-             || pctx->operation != EVP_PKEY_OP_VERIFYCTX
-             || pctx->op.sig.algctx == NULL
-             || pctx->op.sig.signature == NULL)
-         goto legacy;
-+#endif /* !defined(FIPS_MODULE) */
- 
-+#ifndef FIPS_MODULE
-     if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) {
-         /* try dup */
-         dctx = EVP_PKEY_CTX_dup(pctx);
-@@ -717,7 +749,13 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct
-     else
-         EVP_PKEY_CTX_free(dctx);
-     return r;
-+#else
-+    r = pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx,
-+                                                    sig, siglen);
-+    return r;
-+#endif /* !defined(FIPS_MODULE) */
- 
-+#ifndef FIPS_MODULE
-  legacy:
-     if (pctx == NULL || pctx->pmeth == NULL) {
-         ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
-@@ -758,6 +796,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct
-     if (vctx || !r)
-         return r;
-     return EVP_PKEY_verify(pctx, sig, siglen, md, mdlen);
-+#endif /* !defined(FIPS_MODULE) */
- }
- 
- int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
-@@ -790,4 +829,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, co
-         return -1;
-     return EVP_DigestVerifyFinal(ctx, sigret, siglen);
- }
--#endif /* FIPS_MODULE */
-Index: openssl-3.2.3/providers/fips/self_test_kats.c
-===================================================================
---- openssl-3.2.3.orig/providers/fips/self_test_kats.c
-+++ openssl-3.2.3/providers/fips/self_test_kats.c
-@@ -450,10 +450,13 @@ static int self_test_sign(const ST_KAT_S
-     int ret = 0;
-     OSSL_PARAM *params = NULL, *params_sig = NULL;
-     OSSL_PARAM_BLD *bld = NULL;
-+    EVP_MD *md = NULL;
-+    EVP_MD_CTX *ctx = NULL;
-     EVP_PKEY_CTX *sctx = NULL, *kctx = NULL;
-     EVP_PKEY *pkey = NULL;
--    unsigned char sig[256];
-     BN_CTX *bnctx = NULL;
-+    const char *msg = "Hello World!";
-+    unsigned char sig[256];
-     size_t siglen = sizeof(sig);
-     static const unsigned char dgst[] = {
-         0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
-@@ -487,23 +490,26 @@ static int self_test_sign(const ST_KAT_S
-         || EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
-         goto err;
- 
--    /* Create a EVP_PKEY_CTX to use for the signing operation */
--    sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
--    if (sctx == NULL
--        || EVP_PKEY_sign_init(sctx) <= 0)
--        goto err;
--
--    /* set signature parameters */
--    if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_SIGNATURE_PARAM_DIGEST,
--                                         t->mdalgorithm,
--                                         strlen(t->mdalgorithm) + 1))
--        goto err;
-+    /* Create a EVP_MD_CTX to use for the signature operation, assign signature
-+     * parameters and sign */
-     params_sig = OSSL_PARAM_BLD_to_param(bld);
--    if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
-+    md = EVP_MD_fetch(libctx, "SHA256", NULL);
-+    ctx = EVP_MD_CTX_new();
-+    if (md == NULL || ctx == NULL)
-+        goto err;
-+    EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT);
-+    if (EVP_DigestSignInit(ctx, &sctx, md, NULL, pkey) <= 0
-+        || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0
-+        || EVP_DigestSign(ctx, sig, &siglen, (const unsigned char *)msg, strlen(msg)) <= 0
-+        || EVP_MD_CTX_reset(ctx) <= 0)
-         goto err;
- 
--    if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0
--        || EVP_PKEY_verify_init(sctx) <= 0
-+    /* sctx is not freed automatically inside the FIPS module */
-+    EVP_PKEY_CTX_free(sctx);
-+    sctx = NULL;
-+
-+    EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT);
-+    if (EVP_DigestVerifyInit(ctx, &sctx, md, NULL, pkey) <= 0
-         || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
-         goto err;
- 
-@@ -513,14 +519,17 @@ static int self_test_sign(const ST_KAT_S
-         goto err;
- 
-     OSSL_SELF_TEST_oncorrupt_byte(st, sig);
--    if (EVP_PKEY_verify(sctx, sig, siglen, dgst, sizeof(dgst)) <= 0)
-+    if (EVP_DigestVerify(ctx, sig, siglen, (const unsigned char *)msg, strlen(msg)) <= 0)
-         goto err;
-     ret = 1;
- err:
-     BN_CTX_free(bnctx);
-     EVP_PKEY_free(pkey);
--    EVP_PKEY_CTX_free(kctx);
-+    EVP_MD_free(md);
-+    EVP_MD_CTX_free(ctx);
-+    /* sctx is not freed automatically inside the FIPS module */
-     EVP_PKEY_CTX_free(sctx);
-+    EVP_PKEY_CTX_free(kctx);
-     OSSL_PARAM_free(params);
-     OSSL_PARAM_free(params_sig);
-     OSSL_PARAM_BLD_free(bld);

openssl-FIPS-enforce-security-checks-during-initialization.patch

@@ -1,22 +0,0 @@
-Index: openssl-3.1.4/providers/fips/fipsprov.c
-===================================================================
---- openssl-3.1.4.orig/providers/fips/fipsprov.c
-+++ openssl-3.1.4/providers/fips/fipsprov.c
-@@ -107,7 +107,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_L
-         return NULL;
-     init_fips_option(&fgbl->fips_security_checks, 1);
-     init_fips_option(&fgbl->fips_tls1_prf_ems_check, 1); /* Enabled by default */
--    init_fips_option(&fgbl->fips_restricted_drgb_digests, 0);
-+    init_fips_option(&fgbl->fips_restricted_drgb_digests, 1); /* Enabled by default */
-     return fgbl;
- }
- 
-@@ -820,8 +820,6 @@ int OSSL_provider_init_int(const OSSL_CO
-     if (fgbl->field.option != NULL) {                                       \
-         if (strcmp(fgbl->field.option, "1") == 0)                           \
-             fgbl->field.enabled = 1;                                        \
--        else if (strcmp(fgbl->field.option, "0") == 0)                      \
--            fgbl->field.enabled = 0;                                        \
-         else                                                                \
-             goto err;                                                       \
-     }

openssl-FIPS-release_num_in_version_string.patch

@@ -1,27 +0,0 @@
-Index: openssl-3.1.4/providers/fips/fipsprov.c
-===================================================================
---- openssl-3.1.4.orig/providers/fips/fipsprov.c
-+++ openssl-3.1.4/providers/fips/fipsprov.c
-@@ -194,18 +194,19 @@ static const OSSL_PARAM *fips_gettable_p
- 
- static int fips_get_params(void *provctx, OSSL_PARAM params[])
- {
-+#define SUSE_OPENSSL_VERSION_STR OPENSSL_VERSION_STR " SUSE release " SUSE_OPENSSL_RELEASE
-     OSSL_PARAM *p;
-     FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(ossl_prov_ctx_get0_libctx(provctx),
-                                               OSSL_LIB_CTX_FIPS_PROV_INDEX);
- 
-     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
--    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
-+    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "SUSE Linux Enterprise - OpenSSL FIPS Provider"))
-         return 0;
-     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
--    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
-+    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR))
-         return 0;
-     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
--    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
-+    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR))
-         return 0;
-     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
-     if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))

openssl-FIPS-services-minimize.patch

@@ -1,782 +0,0 @@
-From e25b25227043a2b2cf156527c31d7686a4265bf3 Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 20/49] 0045-FIPS-services-minimize.patch
-
-Patch-name: 0045-FIPS-services-minimize.patch
-Patch-id: 45
-Patch-status: |
-    # # Minimize fips services
-From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
----
- apps/ecparam.c                                |  7 +++
- apps/req.c                                    |  2 +-
- providers/common/capabilities.c               |  2 +-
- providers/fips/fipsprov.c                     | 44 +++++++++++--------
- providers/fips/self_test_data.inc             |  9 +++-
- providers/implementations/signature/rsa_sig.c | 26 +++++++++++
- ssl/ssl_ciph.c                                |  3 ++
- test/acvp_test.c                              |  2 +
- test/endecode_test.c                          |  4 ++
- test/evp_libctx_test.c                        |  9 +++-
- test/recipes/15-test_gendsa.t                 |  2 +-
- test/recipes/20-test_cli_fips.t               |  3 +-
- test/recipes/30-test_evp.t                    | 20 ++++-----
- .../30-test_evp_data/evpmac_common.txt        | 22 ++++++++++
- test/recipes/80-test_cms.t                    | 22 +++++-----
- test/recipes/80-test_ssl_old.t                |  2 +-
- 16 files changed, 128 insertions(+), 51 deletions(-)
-
-Index: openssl-3.2.3/apps/ecparam.c
-===================================================================
---- openssl-3.2.3.orig/apps/ecparam.c
-+++ openssl-3.2.3/apps/ecparam.c
-@@ -79,6 +79,13 @@ static int list_builtin_curves(BIO *out)
-         const char *comment = curves[n].comment;
-         const char *sname = OBJ_nid2sn(curves[n].nid);
- 
-+        if (((curves[n].nid == NID_secp256k1) || (curves[n].nid == NID_brainpoolP256r1)
-+            || (curves[n].nid == NID_brainpoolP256t1) || (curves[n].nid == NID_brainpoolP320r1)
-+            || (curves[n].nid == NID_brainpoolP320t1) || (curves[n].nid == NID_brainpoolP384r1)
-+            || (curves[n].nid == NID_brainpoolP384t1) || (curves[n].nid == NID_brainpoolP512r1)
-+            || (curves[n].nid == NID_brainpoolP512t1)) && EVP_default_properties_is_fips_enabled(NULL))
-+            continue;
-+
-         if (comment == NULL)
-             comment = "CURVE DESCRIPTION NOT AVAILABLE";
-         if (sname == NULL)
-Index: openssl-3.2.3/apps/req.c
-===================================================================
---- openssl-3.2.3.orig/apps/req.c
-+++ openssl-3.2.3/apps/req.c
-@@ -268,7 +268,7 @@ int req_main(int argc, char **argv)
-     unsigned long chtype = MBSTRING_ASC, reqflag = 0;
- 
- #ifndef OPENSSL_NO_DES
--    cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
-+    cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
- #endif
- 
-     opt_set_unknown_name("digest");
-Index: openssl-3.2.3/providers/common/capabilities.c
-===================================================================
---- openssl-3.2.3.orig/providers/common/capabilities.c
-+++ openssl-3.2.3/providers/common/capabilities.c
-@@ -189,9 +189,9 @@ static const OSSL_PARAM param_group_list
-     TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25),
-     TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26),
-     TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27),
--#  endif
-     TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28),
-     TLS_GROUP_ENTRY("x448", "X448", "X448", 29),
-+#  endif
- #  ifndef FIPS_MODULE
-     TLS_GROUP_ENTRY("brainpoolP256r1tls13", "brainpoolP256r1", "EC", 30),
-     TLS_GROUP_ENTRY("brainpoolP384r1tls13", "brainpoolP384r1", "EC", 31),
-Index: openssl-3.2.3/providers/fips/fipsprov.c
-===================================================================
---- openssl-3.2.3.orig/providers/fips/fipsprov.c
-+++ openssl-3.2.3/providers/fips/fipsprov.c
-@@ -194,18 +194,19 @@ static const OSSL_PARAM *fips_gettable_p
- 
- static int fips_get_params(void *provctx, OSSL_PARAM params[])
- {
-+#define SUSE_OPENSSL_VERSION_STR OPENSSL_VERSION_STR " SUSE release " SUSE_OPENSSL_RELEASE
-     OSSL_PARAM *p;
-     FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(ossl_prov_ctx_get0_libctx(provctx),
-                                               OSSL_LIB_CTX_FIPS_PROV_INDEX);
- 
-     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
--    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
-+    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "SUSE Linux Enterprise - OpenSSL FIPS Provider"))
-         return 0;
-     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
--    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
-+    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR))
-         return 0;
-     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
--    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
-+    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR))
-         return 0;
-     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
-     if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
-@@ -298,10 +299,11 @@ static const OSSL_ALGORITHM fips_digests
-      * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
-      * KMAC128 and KMAC256.
-      */
--    { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
-+    /* We don't certify KECCAK in our FIPS provider */
-+    /* { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
-       ossl_keccak_kmac_128_functions },
-     { PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES,
--      ossl_keccak_kmac_256_functions },
-+      ossl_keccak_kmac_256_functions }, */
-     { NULL, NULL, NULL }
- };
- 
-@@ -360,8 +362,9 @@ static const OSSL_ALGORITHM_CAPABLE fips
-     ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
-          ossl_cipher_capable_aes_cbc_hmac_sha256),
- #ifndef OPENSSL_NO_DES
--    UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
--    UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
-+    /* We don't certify 3DES in our FIPS provider */
-+    /* UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
-+    UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), */
- #endif  /* OPENSSL_NO_DES */
-     { { NULL, NULL, NULL }, NULL }
- };
-@@ -373,8 +376,9 @@ static const OSSL_ALGORITHM fips_macs[]
- #endif
-     { PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions },
-     { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions },
--    { PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
--    { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions },
-+    /* We don't certify KMAC in our FIPS provider */
-+    /*{ PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
-+    { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, */
-     { NULL, NULL, NULL }
- };
- 
-@@ -410,8 +414,9 @@ static const OSSL_ALGORITHM fips_keyexch
- #ifndef OPENSSL_NO_EC
-     { PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions },
- # ifndef OPENSSL_NO_ECX
--    { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
--    { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },
-+    /* We don't certify Edwards curves in our FIPS provider */
-+    /*{ PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
-+    { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },*/
- # endif
- #endif
-     { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
-@@ -422,14 +427,16 @@ static const OSSL_ALGORITHM fips_keyexch
- 
- static const OSSL_ALGORITHM fips_signature[] = {
- #ifndef OPENSSL_NO_DSA
--    { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
-+    /* We don't certify DSA in our FIPS provider */
-+    /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },*/
- #endif
-     { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions },
- #ifndef OPENSSL_NO_EC
- # ifndef OPENSSL_NO_ECX
--    { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
-+    /* We don't certify Edwards curves in our FIPS provider */
-+    /* { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
-       ossl_ed25519_signature_functions },
--    { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },
-+    { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },*/
- # endif
-     { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions },
- #endif
-@@ -460,8 +467,9 @@ static const OSSL_ALGORITHM fips_keymgmt
-       PROV_DESCS_DHX },
- #endif
- #ifndef OPENSSL_NO_DSA
--    { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
--      PROV_DESCS_DSA },
-+    /* We don't certify DSA in our FIPS provider */
-+    /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
-+      PROV_DESCS_DSA }, */
- #endif
-     { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions,
-       PROV_DESCS_RSA },
-@@ -471,14 +479,15 @@ static const OSSL_ALGORITHM fips_keymgmt
-     { PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions,
-       PROV_DESCS_EC },
- # ifndef OPENSSL_NO_ECX
--    { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
-+    /* We don't certify Edwards curves in our FIPS provider */
-+    /* { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
-       PROV_DESCS_X25519 },
-     { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions,
-       PROV_DESCS_X448 },
-     { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_keymgmt_functions,
-       PROV_DESCS_ED25519 },
-     { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_keymgmt_functions,
--      PROV_DESCS_ED448 },
-+      PROV_DESCS_ED448 }, */
- # endif
- #endif
-     { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions,
-Index: openssl-3.2.3/providers/fips/self_test_data.inc
-===================================================================
---- openssl-3.2.3.orig/providers/fips/self_test_data.inc
-+++ openssl-3.2.3/providers/fips/self_test_data.inc
-@@ -177,6 +177,7 @@ static const ST_KAT_DIGEST st_kat_digest
- /*- CIPHER TEST DATA */
- 
- /* DES3 test data */
-+#if 0
- static const unsigned char des_ede3_cbc_pt[] = {
-     0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
-     0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
-@@ -197,7 +198,7 @@ static const unsigned char des_ede3_cbc_
-     0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F,
-     0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7
- };
--
-+#endif
- /* AES-256 GCM test data */
- static const unsigned char aes_256_gcm_key[] = {
-     0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c,
-@@ -1454,8 +1455,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[
- # endif /* OPENSSL_NO_EC2M */
- #endif /* OPENSSL_NO_EC */
- 
--#ifndef OPENSSL_NO_DSA
- /* dsa 2048 */
-+#if 0
-+#ifndef OPENSSL_NO_DSA
- static const unsigned char dsa_p[] = {
-     0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23,
-     0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e,
-@@ -1590,6 +1592,7 @@ static const ST_KAT_PARAM dsa_key[] = {
-     ST_KAT_PARAM_END()
- };
- #endif /* OPENSSL_NO_DSA */
-+#endif
- 
- /* Hash DRBG inputs for signature KATs */
- static const unsigned char sig_kat_entropyin[] = {
-@@ -1642,6 +1645,7 @@ static const ST_KAT_SIGN st_kat_sign_tes
-     },
- # endif
- #endif /* OPENSSL_NO_EC */
-+#if 0
- #ifndef OPENSSL_NO_DSA
-     {
-         OSSL_SELF_TEST_DESC_SIGN_DSA,
-@@ -1654,6 +1658,7 @@ static const ST_KAT_SIGN st_kat_sign_tes
-         ITM(dsa_expected_sig)
-     },
- #endif /* OPENSSL_NO_DSA */
-+#endif
- };
- 
- static const ST_KAT_ASYM_CIPHER st_kat_asym_cipher_tests[] = {
-Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c
-===================================================================
---- openssl-3.2.3.orig/providers/implementations/signature/rsa_sig.c
-+++ openssl-3.2.3/providers/implementations/signature/rsa_sig.c
-@@ -702,6 +702,19 @@ static int rsa_verify_recover(void *vprs
- {
-     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
-     int ret;
-+# ifdef FIPS_MODULE
-+    size_t rsabits = RSA_bits(prsactx->rsa);
-+
-+    if (rsabits < 2048) {
-+        if (rsabits != 1024
-+            && rsabits != 1280
-+            && rsabits != 1536
-+            && rsabits != 1792) {
-+            ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
-+            return 0;
-+        }
-+    }
-+# endif
- 
-     if (!ossl_prov_is_running())
-         return 0;
-@@ -790,6 +803,19 @@ static int rsa_verify(void *vprsactx, co
- {
-     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
-     size_t rslen;
-+# ifdef FIPS_MODULE
-+    size_t rsabits = RSA_bits(prsactx->rsa);
-+
-+    if (rsabits < 2048) {
-+        if (rsabits != 1024
-+            && rsabits != 1280
-+            && rsabits != 1536
-+            && rsabits != 1792) {
-+            ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
-+            return 0;
-+        }
-+    }
-+# endif
- 
-     if (!ossl_prov_is_running())
-         return 0;
-Index: openssl-3.2.3/ssl/ssl_ciph.c
-===================================================================
---- openssl-3.2.3.orig/ssl/ssl_ciph.c
-+++ openssl-3.2.3/ssl/ssl_ciph.c
-@@ -356,6 +356,9 @@ int ssl_load_ciphers(SSL_CTX *ctx)
-     ctx->disabled_mkey_mask = 0;
-     ctx->disabled_auth_mask = 0;
- 
-+    if (EVP_default_properties_is_fips_enabled(ctx->libctx))
-+        ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK;
-+
-     /*
-      * We ignore any errors from the fetches below. They are expected to fail
-      * if these algorithms are not available.
-Index: openssl-3.2.3/test/acvp_test.c
-===================================================================
---- openssl-3.2.3.orig/test/acvp_test.c
-+++ openssl-3.2.3/test/acvp_test.c
-@@ -1478,6 +1478,7 @@ int setup_tests(void)
-                   OSSL_NELEM(dh_safe_prime_keyver_data));
- #endif /* OPENSSL_NO_DH */
- 
-+#if 0 /* SUSE FIPS provider doesn't have fips=yes property on DSA */
- #ifndef OPENSSL_NO_DSA
-     ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data));
-     ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data));
-@@ -1485,6 +1486,7 @@ int setup_tests(void)
-     ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data));
-     ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data));
- #endif /* OPENSSL_NO_DSA */
-+#endif
- 
- #ifndef OPENSSL_NO_EC
-     ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data));
-Index: openssl-3.2.3/test/endecode_test.c
-===================================================================
---- openssl-3.2.3.orig/test/endecode_test.c
-+++ openssl-3.2.3/test/endecode_test.c
-@@ -1424,6 +1424,7 @@ int setup_tests(void)
-          * so no legacy tests.
-          */
- #endif
-+    if (is_fips == 0) {
- #ifndef OPENSSL_NO_DSA
-         ADD_TEST_SUITE(DSA);
-         ADD_TEST_SUITE_PARAMS(DSA);
-@@ -1434,6 +1435,7 @@ int setup_tests(void)
-         ADD_TEST_SUITE_PROTECTED_PVK(DSA);
- # endif
- #endif
-+    }
- #ifndef OPENSSL_NO_EC
-         ADD_TEST_SUITE(EC);
-         ADD_TEST_SUITE_PARAMS(EC);
-@@ -1454,10 +1456,12 @@ int setup_tests(void)
-             ADD_TEST_SUITE(SM2);
-         }
- # endif
-+    if (is_fips == 0) {
-         ADD_TEST_SUITE(ED25519);
-         ADD_TEST_SUITE(ED448);
-         ADD_TEST_SUITE(X25519);
-         ADD_TEST_SUITE(X448);
-+    }
-         /*
-          * ED25519, ED448, X25519 and X448 have no support for
-          * PEM_write_bio_PrivateKey_traditional(), so no legacy tests.
-Index: openssl-3.2.3/test/evp_libctx_test.c
-===================================================================
---- openssl-3.2.3.orig/test/evp_libctx_test.c
-+++ openssl-3.2.3/test/evp_libctx_test.c
-@@ -21,6 +21,7 @@
-  */
- #include "internal/deprecated.h"
- #include <assert.h>
-+#include <string.h>
- #include <openssl/evp.h>
- #include <openssl/provider.h>
- #include <openssl/dsa.h>
-@@ -726,7 +727,9 @@ int setup_tests(void)
-         return 0;
- 
- #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH)
--    ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
-+    if (strcmp(prov_name, "fips") != 0) {
-+        ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
-+    }
- #endif
- #ifndef OPENSSL_NO_DH
-     ADD_ALL_TESTS(test_dh_safeprime_param_keygen, 3 * 3 * 3);
-@@ -746,7 +749,9 @@ int setup_tests(void)
-     ADD_TEST(kem_invalid_keytype);
- #endif
- #ifndef OPENSSL_NO_DES
--    ADD_TEST(test_cipher_tdes_randkey);
-+    if (strcmp(prov_name, "fips") != 0) {
-+        ADD_TEST(test_cipher_tdes_randkey);
-+    }
- #endif
-     return 1;
- }
-Index: openssl-3.2.3/test/recipes/15-test_gendsa.t
-===================================================================
---- openssl-3.2.3.orig/test/recipes/15-test_gendsa.t
-+++ openssl-3.2.3/test/recipes/15-test_gendsa.t
-@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
- plan skip_all => "This test is unsupported in a no-dsa build"
-     if disabled("dsa");
- 
--my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
-+my $no_fips = 1;
- 
- plan tests =>
-     ($no_fips ? 0 : 2)          # FIPS related tests
-Index: openssl-3.2.3/test/recipes/20-test_cli_fips.t
-===================================================================
---- openssl-3.2.3.orig/test/recipes/20-test_cli_fips.t
-+++ openssl-3.2.3/test/recipes/20-test_cli_fips.t
-@@ -278,8 +278,7 @@ SKIP: {
- }
- 
- SKIP : {
--    skip "FIPS DSA tests because of no dsa in this build", 1
--        if disabled("dsa");
-+    skip "FIPS DSA tests because of no dsa in this build", 1;
- 
-     subtest DSA => sub {
-         my $testtext_prefix = 'DSA';
-Index: openssl-3.2.3/test/recipes/30-test_evp.t
-===================================================================
---- openssl-3.2.3.orig/test/recipes/30-test_evp.t
-+++ openssl-3.2.3/test/recipes/30-test_evp.t
-@@ -46,10 +46,8 @@ my @files = qw(
-                 evpciph_aes_cts.txt
-                 evpciph_aes_wrap.txt
-                 evpciph_aes_stitched.txt
--                evpciph_des3_common.txt
-                 evpkdf_hkdf.txt
-                 evpkdf_kbkdf_counter.txt
--                evpkdf_kbkdf_kmac.txt
-                 evpkdf_pbkdf1.txt
-                 evpkdf_pbkdf2.txt
-                 evpkdf_ss.txt
-@@ -70,15 +68,6 @@ push @files, qw(
-                 evppkey_dh.txt
-                ) unless $no_dh;
- push @files, qw(
--                evpkdf_x942_des.txt
--                evpmac_cmac_des.txt
--               ) unless $no_des;
--push @files, qw(evppkey_dsa.txt) unless $no_dsa;
--push @files, qw(
--                evppkey_ecx.txt
--                evppkey_mismatch_ecx.txt
--               ) unless $no_ecx;
--push @files, qw(
-                 evppkey_ecc.txt
-                 evppkey_ecdh.txt
-                 evppkey_ecdsa.txt
-@@ -97,6 +86,7 @@ my @defltfiles = qw(
-                      evpciph_cast5.txt
-                      evpciph_chacha.txt
-                      evpciph_des.txt
-+                     evpciph_des3_common.txt
-                      evpciph_idea.txt
-                      evpciph_rc2.txt
-                      evpciph_rc4.txt
-@@ -121,13 +111,19 @@ my @defltfiles = qw(
-                      evpmd_whirlpool.txt
-                      evppbe_scrypt.txt
-                      evppbe_pkcs12.txt
-+                     evpkdf_kbkdf_kmac.txt
-                      evppkey_kdf_scrypt.txt
-                      evppkey_kdf_tls1_prf.txt
-                      evppkey_rsa.txt
-                     );
-+push @defltfiles, qw(evppkey_dsa.txt) unless $no_dsa;
-+push @defltfiles, qw(evppkey_ecx.txt) unless $no_ec;
-+push @defltfiles, qw(
-+                evpkdf_x942_des.txt
-+                evpmac_cmac_des.txt
-+               ) unless $no_des;
- push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec;
- push @defltfiles, qw(evppkey_ecdsa_rfc6979.txt) unless $no_ec;
--push @defltfiles, qw(evppkey_dsa_rfc6979.txt) unless $no_dsa;
- push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2;
- push @defltfiles, qw(evpciph_aes_gcm_siv.txt) unless $no_siv;
- push @defltfiles, qw(evpciph_aes_siv.txt) unless $no_siv;
-Index: openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt
-===================================================================
---- openssl-3.2.3.orig/test/recipes/30-test_evp_data/evpmac_common.txt
-+++ openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt
-@@ -363,6 +363,7 @@ IV = 7AE8E2CA4EC500012E58495C
- Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D0007
- Result = MAC_INIT_ERROR
- 
-+Availablein = default
- Title = KMAC Tests (From NIST)
- MAC = KMAC128
- Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
-@@ -373,12 +374,14 @@ Ctrl = xof:0
- OutputSize = 32
- BlockSize = 168
- 
-+Availablein = default
- MAC = KMAC128
- Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
- Input = 00010203
- Custom = "My Tagged Application"
- Output = 3B1FBA963CD8B0B59E8C1A6D71888B7143651AF8BA0A7070C0979E2811324AA5
- 
-+Availablein = default
- MAC = KMAC128
- Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
- Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
-@@ -386,6 +389,7 @@ Custom = "My Tagged Application"
- Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230
- Ctrl = size:32
- 
-+Availablein = default
- MAC = KMAC256
- Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
- Input = 00010203
-@@ -394,12 +398,14 @@ Output = 20C570C31346F703C9AC36C61C03CB6
- OutputSize = 64
- BlockSize = 136
- 
-+Availablein = default
- MAC = KMAC256
- Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
- Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
- Custom = ""
- Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69
- 
-+Availablein = default
- MAC = KMAC256
- Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
- Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
-@@ -409,12 +415,14 @@ Ctrl = size:64
- 
- Title = KMAC XOF Tests (From NIST)
- 
-+Availablein = default
- MAC = KMAC128
- Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
- Input = 00010203
- Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
- XOF = 1
- 
-+Availablein = default
- MAC = KMAC128
- Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
- Input = 00010203
-@@ -422,6 +430,7 @@ Custom = "My Tagged Application"
- Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
- XOF = 1
- 
-+Availablein = default
- MAC = KMAC128
- Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
- Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
-@@ -430,6 +439,7 @@ Output = 47026C7CD793084AA0283C253EF6584
- XOF = 1
- Ctrl = size:32
- 
-+Availablein = default
- MAC = KMAC256
- Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
- Input = 00010203
-@@ -437,6 +447,7 @@ Custom = "My Tagged Application"
- Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
- XOF = 1
- 
-+Availablein = default
- MAC = KMAC256
- Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
- Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
-@@ -444,6 +455,7 @@ Custom = ""
- Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
- XOF = 1
- 
-+Availablein = default
- MAC = KMAC256
- Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
- Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
-@@ -454,6 +466,7 @@ XOF = 1
- 
- Title = KMAC long customisation string (from NIST ACVP)
- 
-+Availablein = default
- MAC = KMAC256
- Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
- Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
-@@ -464,12 +477,14 @@ XOF = 1
- 
- Title = KMAC XOF Tests via ctrl (From NIST)
- 
-+Availablein = default
- MAC = KMAC128
- Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
- Input = 00010203
- Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
- Ctrl = xof:1
- 
-+Availablein = default
- MAC = KMAC128
- Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
- Input = 00010203
-@@ -477,6 +492,7 @@ Custom = "My Tagged Application"
- Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
- Ctrl = xof:1
- 
-+Availablein = default
- MAC = KMAC128
- Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
- Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
-@@ -485,6 +501,7 @@ Output = 47026C7CD793084AA0283C253EF6584
- Ctrl = xof:1
- Ctrl = size:32
- 
-+Availablein = default
- MAC = KMAC256
- Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
- Input = 00010203
-@@ -492,6 +509,7 @@ Custom = "My Tagged Application"
- Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
- Ctrl = xof:1
- 
-+Availablein = default
- MAC = KMAC256
- Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
- Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
-@@ -499,6 +517,7 @@ Custom = ""
- Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
- Ctrl = xof:1
- 
-+Availablein = default
- MAC = KMAC256
- Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
- Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
-@@ -509,6 +528,7 @@ Ctrl = xof:1
- 
- Title = KMAC long customisation string via ctrl (from NIST ACVP)
- 
-+Availablein = default
- MAC = KMAC256
- Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
- Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
-@@ -519,6 +539,7 @@ Ctrl = xof:1
- 
- Title = KMAC long customisation string negative test
- 
-+Availablein = default
- MAC = KMAC128
- Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
- Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
-@@ -527,6 +548,7 @@ Result = MAC_INIT_ERROR
- 
- Title = KMAC output is too large
- 
-+Availablein = default
- MAC = KMAC256
- Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
- Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
-Index: openssl-3.2.3/test/recipes/80-test_cms.t
-===================================================================
---- openssl-3.2.3.orig/test/recipes/80-test_cms.t
-+++ openssl-3.2.3/test/recipes/80-test_cms.t
-@@ -96,7 +96,7 @@ my @smime_pkcs7_tests = (
-       \&final_compare
-     ],
- 
--    [ "signed content DER format, DSA key",
-+    [ "signed content DER format, DSA key, no SUSE FIPS",
-       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
-         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
-       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
-@@ -104,7 +104,7 @@ my @smime_pkcs7_tests = (
-       \&final_compare
-     ],
- 
--    [ "signed detached content DER format, DSA key",
-+    [ "signed detached content DER format, DSA key, no SUSE FIPS",
-       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
-         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
-       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
-@@ -113,7 +113,7 @@ my @smime_pkcs7_tests = (
-       \&final_compare
-     ],
- 
--    [ "signed detached content DER format, add RSA signer (with DSA existing)",
-+    [ "signed detached content DER format, add RSA signer (with DSA existing), no SUSE FIPS",
-       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
-         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
-       [ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER",
-@@ -124,7 +124,7 @@ my @smime_pkcs7_tests = (
-       \&final_compare
-     ],
- 
--    [ "signed content test streaming BER format, DSA key",
-+    [ "signed content test streaming BER format, DSA key, no SUSE FIPS",
-       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
-         "-nodetach", "-stream",
-         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
-@@ -133,7 +133,7 @@ my @smime_pkcs7_tests = (
-       \&final_compare
-     ],
- 
--    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys",
-+    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no SUSE FIPS",
-       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
-         "-nodetach", "-stream",
-         "-signer", $smrsa1,
-@@ -146,7 +146,7 @@ my @smime_pkcs7_tests = (
-       \&final_compare
-     ],
- 
--    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes",
-+    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no SUSE FIPS",
-       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
-         "-noattr", "-nodetach", "-stream",
-         "-signer", $smrsa1,
-@@ -176,7 +176,7 @@ my @smime_pkcs7_tests = (
-       \&zero_compare
-     ],
- 
--    [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys",
-+    [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys, no SUSE FIPS",
-       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
-         "-signer", $smrsa1,
-         "-signer", catfile($smdir, "smrsa2.pem"),
-@@ -188,7 +188,7 @@ my @smime_pkcs7_tests = (
-       \&final_compare
-     ],
- 
--    [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys",
-+    [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys, no SUSE FIPS",
-       [ "{cmd1}", @prov, "-sign", "-in", $smcont,
-         "-signer", $smrsa1,
-         "-signer", catfile($smdir, "smrsa2.pem"),
-@@ -250,7 +250,7 @@ my @smime_pkcs7_tests = (
- 
- my @smime_cms_tests = (
- 
--    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid",
-+    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid, no SUSE FIPS",
-       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
-         "-nodetach", "-keyid",
-         "-signer", $smrsa1,
-@@ -263,7 +263,7 @@ my @smime_cms_tests = (
-       \&final_compare
-     ],
- 
--    [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys",
-+    [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys, no SUSE FIPS",
-       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
-         "-signer", $smrsa1,
-         "-signer", catfile($smdir, "smrsa2.pem"),
-@@ -373,7 +373,7 @@ my @smime_cms_tests = (
-       \&final_compare
-     ],
- 
--    [ "encrypted content test streaming PEM format, triple DES key",
-+    [ "encrypted content test streaming PEM format, triple DES key, no SUSE FIPS",
-       [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
-         "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
-         "-stream", "-out", "{output}.cms" ],
-Index: openssl-3.2.3/test/recipes/80-test_ssl_old.t
-===================================================================
---- openssl-3.2.3.orig/test/recipes/80-test_ssl_old.t
-+++ openssl-3.2.3/test/recipes/80-test_ssl_old.t
-@@ -436,7 +436,7 @@ sub testssl {
-         my @exkeys = ();
-         my $ciphers = '-PSK:-SRP:@SECLEVEL=0';
- 
--        if (!$no_dsa) {
-+        if (!$no_dsa && $provider ne "fips") {
-             push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey;
-         }
- 

openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch

@@ -1,113 +0,0 @@
-From a325a23bc83f4efd60130001c417ca5b96bdbff1 Mon Sep 17 00:00:00 2001
-From: Clemens Lang <cllang@redhat.com>
-Date: Thu, 17 Nov 2022 19:33:02 +0100
-Subject: [PATCH] signature: Add indicator for PSS salt length
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
-5.5 "PKCS #1" says: "For RSASSA-PSS [...] the length (in bytes) of the
-salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
-the hash function output block (in bytes)."
-
-It is not exactly clear from this text whether hLen refers to the
-message digest or the hash function used for the mask generation
-function MGF1. PKCS#1 v2.1 suggests it is the former:
-
-| Typical salt lengths in octets are hLen (the length of the output of
-| the hash function Hash) and 0. In both cases the security of
-| RSASSA-PSS can be closely related to the hardness of inverting RSAVP1.
-| Bellare and Rogaway [4] give a tight lower bound for the security of
-| the original RSA-PSS scheme, which corresponds roughly to the former
-| case, while Coron [12] gives a lower bound for the related Full Domain
-| Hashing scheme, which corresponds roughly to the latter case. In [13]
-| Coron provides a general treatment with various salt lengths ranging
-| from 0 to hLen; see [27] for discussion. See also [31], which adapts
-| the security proofs in [4][13] to address the differences between the
-| original and the present version of RSA-PSS as listed in Note 1 above.
-
-Since OpenSSL defaults to creating signatures with the maximum salt
-length, blocking the use of longer salts would probably lead to
-significant problems in practice. Instead, introduce an explicit
-indicator that can be obtained from the EVP_PKEY_CTX object using
-EVP_PKEY_CTX_get_params() with the
-  OSSL_SIGNATURE_PARAM_SUSE_FIPS_INDICATOR
-parameter.
-
-We also add indicator for RSA_NO_PADDING here to avoid patch-over-patch.
-Dmitry Belyavskiy <dbelyavs@redhat.com>
-
-Signed-off-by: Clemens Lang <cllang@redhat.com>
----
- include/openssl/evp.h                         |  4 ++++
- providers/implementations/signature/rsa_sig.c | 21 +++++++++++++++++
- util/perl/OpenSSL/paramnames.pm               | 23 ++++++++++---------
- 3 files changed, 37 insertions(+), 11 deletions(-)
-
-Index: openssl-3.2.3/include/openssl/evp.h
-===================================================================
---- openssl-3.2.3.orig/include/openssl/evp.h
-+++ openssl-3.2.3/include/openssl/evp.h
-@@ -804,6 +804,10 @@ __owur int EVP_CipherFinal(EVP_CIPHER_CT
- __owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
-                               int *outl);
- 
-+# define EVP_SIGNATURE_SUSE_FIPS_INDICATOR_UNDETERMINED 0
-+# define EVP_SIGNATURE_SUSE_FIPS_INDICATOR_APPROVED     1
-+# define EVP_SIGNATURE_SUSE_FIPS_INDICATOR_NOT_APPROVED 2
-+
- __owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
-                          EVP_PKEY *pkey);
- __owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
-Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c
-===================================================================
---- openssl-3.2.3.orig/providers/implementations/signature/rsa_sig.c
-+++ openssl-3.2.3/providers/implementations/signature/rsa_sig.c
-@@ -1185,6 +1185,24 @@ static int rsa_get_ctx_params(void *vprs
-         }
-     }
- 
-+#ifdef FIPS_MODULE
-+    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_SUSE_FIPS_INDICATOR);
-+    if (p != NULL) {
-+        int fips_indicator = EVP_SIGNATURE_SUSE_FIPS_INDICATOR_APPROVED;
-+        if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {
-+            if (prsactx->md == NULL) {
-+                fips_indicator = EVP_SIGNATURE_SUSE_FIPS_INDICATOR_UNDETERMINED;
-+            } else if (rsa_pss_compute_saltlen(prsactx) > EVP_MD_get_size(prsactx->md)) {
-+                fips_indicator = EVP_SIGNATURE_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+            }
-+        } else if (prsactx->pad_mode == RSA_NO_PADDING) {
-+            if (prsactx->md == NULL) /* Should always be the case */
-+                fips_indicator = EVP_SIGNATURE_SUSE_FIPS_INDICATOR_NOT_APPROVED;
-+        }
-+        return OSSL_PARAM_set_int(p, fips_indicator);
-+    }
-+#endif
-+
-     return 1;
- }
- 
-@@ -1194,6 +1212,9 @@ static const OSSL_PARAM known_gettable_c
-     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
-     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
-     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
-+#ifdef FIPS_MODULE
-+    OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_SUSE_FIPS_INDICATOR, NULL),
-+#endif
-     OSSL_PARAM_END
- };
- 
-Index: openssl-3.2.3/util/perl/OpenSSL/paramnames.pm
-===================================================================
---- openssl-3.2.3.orig/util/perl/OpenSSL/paramnames.pm
-+++ openssl-3.2.3/util/perl/OpenSSL/paramnames.pm
-@@ -386,6 +386,7 @@ my %params = (
-     'SIGNATURE_PARAM_MGF1_PROPERTIES' =>    '*PKEY_PARAM_MGF1_PROPERTIES',
-     'SIGNATURE_PARAM_DIGEST_SIZE' =>        '*PKEY_PARAM_DIGEST_SIZE',
-     'SIGNATURE_PARAM_NONCE_TYPE' =>         "nonce-type",
-+    'SIGNATURE_PARAM_SUSE_FIPS_INDICATOR' => "suse-fips-indicator",
-     'SIGNATURE_PARAM_INSTANCE' =>           "instance",
-     'SIGNATURE_PARAM_CONTEXT_STRING' =>     "context-string",
- 

openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch

@@ -1,309 +0,0 @@
-From 4580c303fa88f77a98461fee5fe26b5db725967c Mon Sep 17 00:00:00 2001
-From: Todd Short <todd.short@me.com>
-Date: Thu, 1 Feb 2024 23:09:38 -0500
-Subject: [PATCH 1/2] Fix EVP_PKEY_CTX_add1_hkdf_info() behavior
-
-Fix #23448
-
-`EVP_PKEY_CTX_add1_hkdf_info()` behaves like a `set1` function.
-
-Fix the setting of the parameter in the params code.
-Update the TLS_PRF code to also use the params code.
-Add tests.
-
-Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/23456)
-
-(cherry picked from commit 6b566687b58fde08b28e3331377f050768fad89b)
----
- crypto/evp/pmeth_lib.c                        | 65 ++++++++++++++++++-
- providers/implementations/exchange/kdf_exch.c | 42 ++++++++++++
- providers/implementations/kdfs/hkdf.c         |  8 +++
- test/pkey_meth_kdf_test.c                     | 53 +++++++++++----
- 4 files changed, 156 insertions(+), 12 deletions(-)
-
-diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
-index ba1971c..d0eeaf7 100644
---- a/crypto/evp/pmeth_lib.c
-+++ b/crypto/evp/pmeth_lib.c
-@@ -1028,6 +1028,69 @@ static int evp_pkey_ctx_set1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
-     return EVP_PKEY_CTX_set_params(ctx, octet_string_params);
- }
- 
-+static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
-+                                          const char *param, int op, int ctrl,
-+                                          const unsigned char *data,
-+                                          int datalen)
-+{
-+    OSSL_PARAM os_params[2];
-+    unsigned char *info = NULL;
-+    size_t info_len = 0;
-+    size_t info_alloc = 0;
-+    int ret = 0;
-+
-+    if (ctx == NULL || (ctx->operation & op) == 0) {
-+        ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
-+        /* Uses the same return values as EVP_PKEY_CTX_ctrl */
-+        return -2;
-+    }
-+
-+    /* Code below to be removed when legacy support is dropped. */
-+    if (fallback)
-+        return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, datalen, (void *)(data));
-+    /* end of legacy support */
-+
-+    if (datalen < 0) {
-+        ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH);
-+        return 0;
-+    }
-+
-+    /* Get the original value length */
-+    os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0);
-+    os_params[1] = OSSL_PARAM_construct_end();
-+
-+    if (!EVP_PKEY_CTX_get_params(ctx, os_params))
-+        return 0;
-+
-+    /* Older provider that doesn't support getting this parameter */
-+    if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED)
-+        return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen);
-+
-+    info_alloc = os_params[0].return_size + datalen;
-+    if (info_alloc == 0)
-+        return 0;
-+    info = OPENSSL_zalloc(info_alloc);
-+    if (info == NULL)
-+        return 0;
-+    info_len = os_params[0].return_size;
-+
-+    os_params[0] = OSSL_PARAM_construct_octet_string(param, info, info_alloc);
-+
-+    /* if we have data, then go get it */
-+    if (info_len > 0) {
-+        if (!EVP_PKEY_CTX_get_params(ctx, os_params))
-+            goto error;
-+    }
-+
-+    /* Copy the input data */
-+    memcpy(&info[info_len], data, datalen);
-+    ret = EVP_PKEY_CTX_set_params(ctx, os_params);
-+
-+ error:
-+    OPENSSL_clear_free(info, info_alloc);
-+    return ret;
-+}
-+
- int EVP_PKEY_CTX_set1_tls1_prf_secret(EVP_PKEY_CTX *ctx,
-                                       const unsigned char *sec, int seclen)
- {
-@@ -1078,7 +1141,7 @@ int EVP_PKEY_CTX_set1_hkdf_key(EVP_PKEY_CTX *ctx,
- int EVP_PKEY_CTX_add1_hkdf_info(EVP_PKEY_CTX *ctx,
-                                       const unsigned char *info, int infolen)
- {
--    return evp_pkey_ctx_set1_octet_string(ctx, ctx->op.kex.algctx == NULL,
-+    return evp_pkey_ctx_add1_octet_string(ctx, ctx->op.kex.algctx == NULL,
-                                           OSSL_KDF_PARAM_INFO,
-                                           EVP_PKEY_OP_DERIVE,
-                                           EVP_PKEY_CTRL_HKDF_INFO,
-diff --git a/providers/implementations/exchange/kdf_exch.c b/providers/implementations/exchange/kdf_exch.c
-index 527a866..4bc8102 100644
---- a/providers/implementations/exchange/kdf_exch.c
-+++ b/providers/implementations/exchange/kdf_exch.c
-@@ -28,9 +28,13 @@ static OSSL_FUNC_keyexch_derive_fn kdf_derive;
- static OSSL_FUNC_keyexch_freectx_fn kdf_freectx;
- static OSSL_FUNC_keyexch_dupctx_fn kdf_dupctx;
- static OSSL_FUNC_keyexch_set_ctx_params_fn kdf_set_ctx_params;
-+static OSSL_FUNC_keyexch_get_ctx_params_fn kdf_get_ctx_params;
- static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_tls1_prf_settable_ctx_params;
- static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_hkdf_settable_ctx_params;
- static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_scrypt_settable_ctx_params;
-+static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_tls1_prf_gettable_ctx_params;
-+static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
-+static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_scrypt_gettable_ctx_params;
- 
- typedef struct {
-     void *provctx;
-@@ -169,6 +173,13 @@ static int kdf_set_ctx_params(void *vpkdfctx, const OSSL_PARAM params[])
-     return EVP_KDF_CTX_set_params(pkdfctx->kdfctx, params);
- }
- 
-+static int kdf_get_ctx_params(void *vpkdfctx, OSSL_PARAM params[])
-+{
-+    PROV_KDF_CTX *pkdfctx = (PROV_KDF_CTX *)vpkdfctx;
-+
-+    return EVP_KDF_CTX_get_params(pkdfctx->kdfctx, params);
-+}
-+
- static const OSSL_PARAM *kdf_settable_ctx_params(ossl_unused void *vpkdfctx,
-                                                  void *provctx,
-                                                  const char *kdfname)
-@@ -197,6 +208,34 @@ KDF_SETTABLE_CTX_PARAMS(tls1_prf, "TLS1-PRF")
- KDF_SETTABLE_CTX_PARAMS(hkdf, "HKDF")
- KDF_SETTABLE_CTX_PARAMS(scrypt, "SCRYPT")
- 
-+static const OSSL_PARAM *kdf_gettable_ctx_params(ossl_unused void *vpkdfctx,
-+                                                 void *provctx,
-+                                                 const char *kdfname)
-+{
-+    EVP_KDF *kdf = EVP_KDF_fetch(PROV_LIBCTX_OF(provctx), kdfname,
-+                                 NULL);
-+    const OSSL_PARAM *params;
-+
-+    if (kdf == NULL)
-+        return NULL;
-+
-+    params = EVP_KDF_gettable_ctx_params(kdf);
-+    EVP_KDF_free(kdf);
-+
-+    return params;
-+}
-+
-+#define KDF_GETTABLE_CTX_PARAMS(funcname, kdfname) \
-+    static const OSSL_PARAM *kdf_##funcname##_gettable_ctx_params(void *vpkdfctx, \
-+                                                                  void *provctx) \
-+    { \
-+        return kdf_gettable_ctx_params(vpkdfctx, provctx, kdfname); \
-+    }
-+
-+KDF_GETTABLE_CTX_PARAMS(tls1_prf, "TLS1-PRF")
-+KDF_GETTABLE_CTX_PARAMS(hkdf, "HKDF")
-+KDF_GETTABLE_CTX_PARAMS(scrypt, "SCRYPT")
-+
- #define KDF_KEYEXCH_FUNCTIONS(funcname) \
-     const OSSL_DISPATCH ossl_kdf_##funcname##_keyexch_functions[] = { \
-         { OSSL_FUNC_KEYEXCH_NEWCTX, (void (*)(void))kdf_##funcname##_newctx }, \
-@@ -205,8 +244,11 @@ KDF_SETTABLE_CTX_PARAMS(scrypt, "SCRYPT")
-         { OSSL_FUNC_KEYEXCH_FREECTX, (void (*)(void))kdf_freectx }, \
-         { OSSL_FUNC_KEYEXCH_DUPCTX, (void (*)(void))kdf_dupctx }, \
-         { OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS, (void (*)(void))kdf_set_ctx_params }, \
-+        { OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS, (void (*)(void))kdf_get_ctx_params }, \
-         { OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS, \
-         (void (*)(void))kdf_##funcname##_settable_ctx_params }, \
-+        { OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS, \
-+        (void (*)(void))kdf_##funcname##_gettable_ctx_params }, \
-         { 0, NULL } \
-     };
- 
-diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
-index daa619b..dd65a2a 100644
---- a/providers/implementations/kdfs/hkdf.c
-+++ b/providers/implementations/kdfs/hkdf.c
-@@ -371,6 +371,13 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
-             return 0;
-         return OSSL_PARAM_set_size_t(p, sz);
-     }
-+    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) {
-+        if (ctx->info == NULL || ctx->info_len == 0) {
-+            p->return_size = 0;
-+            return 1;
-+        }
-+        return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len);
-+    }
-     return -2;
- }
- 
-@@ -379,6 +386,7 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
- {
-     static const OSSL_PARAM known_gettable_ctx_params[] = {
-         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
-+        OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
-         OSSL_PARAM_END
-     };
-     return known_gettable_ctx_params;
-diff --git a/test/pkey_meth_kdf_test.c b/test/pkey_meth_kdf_test.c
-index f816d24..c09e2f3 100644
---- a/test/pkey_meth_kdf_test.c
-+++ b/test/pkey_meth_kdf_test.c
-@@ -16,7 +16,7 @@
- #include <openssl/kdf.h>
- #include "testutil.h"
- 
--static int test_kdf_tls1_prf(void)
-+static int test_kdf_tls1_prf(int index)
- {
-     int ret = 0;
-     EVP_PKEY_CTX *pctx;
-@@ -40,10 +40,23 @@ static int test_kdf_tls1_prf(void)
-         TEST_error("EVP_PKEY_CTX_set1_tls1_prf_secret");
-         goto err;
-     }
--    if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
--                                        (unsigned char *)"seed", 4) <= 0) {
--        TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
--        goto err;
-+    if (index == 0) {
-+        if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
-+                                            (unsigned char *)"seed", 4) <= 0) {
-+            TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
-+            goto err;
-+        }
-+    } else {
-+        if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
-+                                            (unsigned char *)"se", 2) <= 0) {
-+            TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
-+            goto err;
-+        }
-+        if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
-+                                            (unsigned char *)"ed", 2) <= 0) {
-+            TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
-+            goto err;
-+        }
-     }
-     if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
-         TEST_error("EVP_PKEY_derive");
-@@ -65,7 +78,7 @@ err:
-     return ret;
- }
- 
--static int test_kdf_hkdf(void)
-+static int test_kdf_hkdf(int index)
- {
-     int ret = 0;
-     EVP_PKEY_CTX *pctx;
-@@ -94,10 +107,23 @@ static int test_kdf_hkdf(void)
-         TEST_error("EVP_PKEY_CTX_set1_hkdf_key");
-         goto err;
-     }
--    if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"label", 5)
-+    if (index == 0) {
-+        if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"label", 5)
-             <= 0) {
--        TEST_error("EVP_PKEY_CTX_set1_hkdf_info");
--        goto err;
-+            TEST_error("EVP_PKEY_CTX_add1_hkdf_info");
-+            goto err;
-+        }
-+    } else {
-+        if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"lab", 3)
-+            <= 0) {
-+            TEST_error("EVP_PKEY_CTX_add1_hkdf_info");
-+            goto err;
-+        }
-+        if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"el", 2)
-+            <= 0) {
-+            TEST_error("EVP_PKEY_CTX_add1_hkdf_info");
-+            goto err;
-+        }
-     }
-     if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
-         TEST_error("EVP_PKEY_derive");
-@@ -195,8 +221,13 @@ err:
- 
- int setup_tests(void)
- {
--    ADD_TEST(test_kdf_tls1_prf);
--    ADD_TEST(test_kdf_hkdf);
-+    int tests = 1;
-+
-+    if (fips_provider_version_ge(NULL, 3, 3, 1))
-+        tests = 2;
-+
-+    ADD_ALL_TESTS(test_kdf_tls1_prf, tests);
-+    ADD_ALL_TESTS(test_kdf_hkdf, tests);
- #ifndef OPENSSL_NO_SCRYPT
-     ADD_TEST(test_kdf_scrypt);
- #endif
--- 
-2.45.1
-

openssl-Fix-P384-on-P8-targets.patch

@@ -1,125 +0,0 @@
-From a72f753cc5a43e58087358317975f6be46c15e01 Mon Sep 17 00:00:00 2001
-From: "A. Wilcox" <AWilcox@Wilcox-Tech.com>
-Date: Thu, 17 Apr 2025 08:51:53 -0500
-Subject: [PATCH] Fix P-384 curve on lower-than-P9 PPC64 targets
-
-The change adding an asm implementation of p384_felem_reduce incorrectly
-uses the accelerated version on both targets that support the intrinsics
-*and* targets that don't, instead of falling back to the generics on older
-targets.  This results in crashes when trying to use P-384 on < Power9.
-
-Signed-off-by: Anna Wilcox <AWilcox@Wilcox-Tech.com>
-Closes: #27350
-Fixes: 85cabd94 ("Fix Minerva timing side-channel signal for P-384 curve on PPC")
-
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/27429)
-
-(cherry picked from commit 29864f2b0f1046177e8048a5b17440893d3f9425)
----
- crypto/ec/ecp_nistp384.c | 54 ++++++++++++++++++++++++----------------
- 1 file changed, 33 insertions(+), 21 deletions(-)
-
-diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c
-index 2ceb94fe33b7e..9d682f5a02cce 100644
---- a/crypto/ec/ecp_nistp384.c
-+++ b/crypto/ec/ecp_nistp384.c
-@@ -684,6 +684,22 @@ static void felem_reduce_ref(felem out, const widefelem in)
-         out[i] = acc[i];
- }
- 
-+static ossl_inline void felem_square_reduce_ref(felem out, const felem in)
-+{
-+    widefelem tmp;
-+
-+    felem_square_ref(tmp, in);
-+    felem_reduce_ref(out, tmp);
-+}
-+
-+static ossl_inline void felem_mul_reduce_ref(felem out, const felem in1, const felem in2)
-+{
-+    widefelem tmp;
-+
-+    felem_mul_ref(tmp, in1, in2);
-+    felem_reduce_ref(out, tmp);
-+}
-+
- #if defined(ECP_NISTP384_ASM)
- static void felem_square_wrapper(widefelem out, const felem in);
- static void felem_mul_wrapper(widefelem out, const felem in1, const felem in2);
-@@ -695,10 +711,18 @@ static void (*felem_mul_p)(widefelem out, const felem in1, const felem in2) =
- 
- static void (*felem_reduce_p)(felem out, const widefelem in) = felem_reduce_ref;
- 
-+static void (*felem_square_reduce_p)(felem out, const felem in) =
-+    felem_square_reduce_ref;
-+static void (*felem_mul_reduce_p)(felem out, const felem in1, const felem in2) =
-+    felem_mul_reduce_ref;
-+
- void p384_felem_square(widefelem out, const felem in);
- void p384_felem_mul(widefelem out, const felem in1, const felem in2);
- void p384_felem_reduce(felem out, const widefelem in);
- 
-+void p384_felem_square_reduce(felem out, const felem in);
-+void p384_felem_mul_reduce(felem out, const felem in1, const felem in2);
-+
- # if defined(_ARCH_PPC64)
- #  include "crypto/ppc_arch.h"
- # endif
-@@ -710,6 +734,8 @@ static void felem_select(void)
-         felem_square_p = p384_felem_square;
-         felem_mul_p = p384_felem_mul;
-         felem_reduce_p = p384_felem_reduce;
-+        felem_square_reduce_p = p384_felem_square_reduce;
-+        felem_mul_reduce_p = p384_felem_mul_reduce;
- 
-         return;
-     }
-@@ -718,7 +744,9 @@ static void felem_select(void)
-     /* Default */
-     felem_square_p = felem_square_ref;
-     felem_mul_p = felem_mul_ref;
--    felem_reduce_p = p384_felem_reduce;
-+    felem_reduce_p = felem_reduce_ref;
-+    felem_square_reduce_p = felem_square_reduce_ref;
-+    felem_mul_reduce_p = felem_mul_reduce_ref;
- }
- 
- static void felem_square_wrapper(widefelem out, const felem in)
-@@ -737,31 +765,15 @@ static void felem_mul_wrapper(widefelem out, const felem in1, const felem in2)
- # define felem_mul felem_mul_p
- # define felem_reduce felem_reduce_p
- 
--void p384_felem_square_reduce(felem out, const felem in);
--void p384_felem_mul_reduce(felem out, const felem in1, const felem in2);
--
--# define felem_square_reduce p384_felem_square_reduce
--# define felem_mul_reduce p384_felem_mul_reduce
-+# define felem_square_reduce felem_square_reduce_p
-+# define felem_mul_reduce felem_mul_reduce_p
- #else
- # define felem_square felem_square_ref
- # define felem_mul felem_mul_ref
- # define felem_reduce felem_reduce_ref
- 
--static ossl_inline void felem_square_reduce(felem out, const felem in)
--{
--    widefelem tmp;
--
--    felem_square(tmp, in);
--    felem_reduce(out, tmp);
--}
--
--static ossl_inline void felem_mul_reduce(felem out, const felem in1, const felem in2)
--{
--    widefelem tmp;
--
--    felem_mul(tmp, in1, in2);
--    felem_reduce(out, tmp);
--}
-+# define felem_square_reduce felem_square_reduce_ref
-+# define felem_mul_reduce felem_mul_reduce_ref
- #endif
- 
- /*-

openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch

@@ -1,94 +0,0 @@
-From d6a9c21302e01c33a9a919e7ba380ba3b0ed65b0 Mon Sep 17 00:00:00 2001
-From: trinity-1686a <trinity@deuxfleurs.fr>
-Date: Mon, 15 Apr 2024 11:13:14 +0200
-Subject: [PATCH 2/2] Handle empty param in EVP_PKEY_CTX_add1_hkdf_info
-
-Fixes #24130
-The regression was introduced in PR #23456.
-
-Reviewed-by: Paul Dale <ppzgs1@gmail.com>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24141)
-
-(cherry picked from commit 299996fb1fcd76eeadfd547958de2a1b822f37f5)
----
- crypto/evp/pmeth_lib.c |  2 ++
- test/evp_extra_test.c  | 42 ++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 44 insertions(+)
-
-diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
-index d0eeaf7..bce1ebc 100644
---- a/crypto/evp/pmeth_lib.c
-+++ b/crypto/evp/pmeth_lib.c
-@@ -1053,6 +1053,8 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
-     if (datalen < 0) {
-         ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH);
-         return 0;
-+    } else if (datalen == 0) {
-+        return 1;
-     }
- 
-     /* Get the original value length */
-diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
-index 9b3bee7..22121ce 100644
---- a/test/evp_extra_test.c
-+++ b/test/evp_extra_test.c
-@@ -2565,6 +2565,47 @@ static int test_emptyikm_HKDF(void)
-     return ret;
- }
- 
-+static int test_empty_salt_info_HKDF(void)
-+{
-+    EVP_PKEY_CTX *pctx;
-+    unsigned char out[20];
-+    size_t outlen;
-+    int ret = 0;
-+    unsigned char salt[] = "";
-+    unsigned char key[] = "012345678901234567890123456789";
-+    unsigned char info[] = "";
-+    const unsigned char expected[] = {
-+	0x67, 0x12, 0xf9, 0x27, 0x8a, 0x8a, 0x3a, 0x8f, 0x7d, 0x2c, 0xa3, 0x6a,
-+	0xaa, 0xe9, 0xb3, 0xb9, 0x52, 0x5f, 0xe0, 0x06,
-+    };
-+    size_t expectedlen = sizeof(expected);
-+
-+    if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, "HKDF", testpropq)))
-+        goto done;
-+
-+    outlen = sizeof(out);
-+    memset(out, 0, outlen);
-+
-+    if (!TEST_int_gt(EVP_PKEY_derive_init(pctx), 0)
-+            || !TEST_int_gt(EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()), 0)
-+            || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt,
-+                                                        sizeof(salt) - 1), 0)
-+            || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_key(pctx, key,
-+                                                       sizeof(key) - 1), 0)
-+            || !TEST_int_gt(EVP_PKEY_CTX_add1_hkdf_info(pctx, info,
-+                                                        sizeof(info) - 1), 0)
-+            || !TEST_int_gt(EVP_PKEY_derive(pctx, out, &outlen), 0)
-+            || !TEST_mem_eq(out, outlen, expected, expectedlen))
-+        goto done;
-+
-+    ret = 1;
-+
-+ done:
-+    EVP_PKEY_CTX_free(pctx);
-+
-+    return ret;
-+}
-+
- #ifndef OPENSSL_NO_EC
- static int test_X509_PUBKEY_inplace(void)
- {
-@@ -5166,6 +5207,7 @@ int setup_tests(void)
- #endif
-     ADD_TEST(test_HKDF);
-     ADD_TEST(test_emptyikm_HKDF);
-+    ADD_TEST(test_empty_salt_info_HKDF);
- #ifndef OPENSSL_NO_EC
-     ADD_TEST(test_X509_PUBKEY_inplace);
-     ADD_TEST(test_X509_PUBKEY_dup);
--- 
-2.45.1
-

openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch

@@ -1,495 +0,0 @@
-From 3d3a7ecd1ae5ab08d22041f7b3b035c34f12fa02 Mon Sep 17 00:00:00 2001
-From: Danny Tsen <dtsen@linux.ibm.com>
-Date: Tue, 22 Aug 2023 15:58:53 -0400
-Subject: [PATCH] Improve performance for 6x unrolling with vpermxor
- instruction
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/21812)
----
- crypto/aes/asm/aesp8-ppc.pl | 145 +++++++++++++++++++++++-------------
- 1 file changed, 95 insertions(+), 50 deletions(-)
-
-diff --git a/crypto/aes/asm/aesp8-ppc.pl b/crypto/aes/asm/aesp8-ppc.pl
-index 60cf86f52aed2..38b9405a283b7 100755
---- a/crypto/aes/asm/aesp8-ppc.pl
-+++ b/crypto/aes/asm/aesp8-ppc.pl
-@@ -99,11 +99,12 @@
- .long	0x1b000000, 0x1b000000, 0x1b000000, 0x1b000000	?rev
- .long	0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c	?rev
- .long	0,0,0,0						?asis
-+.long	0x0f102132, 0x43546576, 0x8798a9ba, 0xcbdcedfe
- Lconsts:
- 	mflr	r0
- 	bcl	20,31,\$+4
- 	mflr	$ptr	 #vvvvv "distance between . and rcon
--	addi	$ptr,$ptr,-0x48
-+	addi	$ptr,$ptr,-0x58
- 	mtlr	r0
- 	blr
- 	.long	0
-@@ -2405,7 +2406,7 @@ ()
- my $key_=$key2;
- my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,3,26..31));
-     $x00=0 if ($flavour =~ /osx/);
--my ($in0,  $in1,  $in2,  $in3,  $in4,  $in5 )=map("v$_",(0..5));
-+my ($in0,  $in1,  $in2,  $in3,  $in4,  $in5)=map("v$_",(0..5));
- my ($out0, $out1, $out2, $out3, $out4, $out5)=map("v$_",(7,12..16));
- my ($twk0, $twk1, $twk2, $twk3, $twk4, $twk5)=map("v$_",(17..22));
- my $rndkey0="v23";	# v24-v25 rotating buffer for first found keys
-@@ -2460,6 +2461,18 @@ ()
- 	li		$x70,0x70
- 	mtspr		256,r0
- 
-+	# Reverse eighty7 to 0x010101..87
-+	xxlor		2, 32+$eighty7, 32+$eighty7
-+	vsldoi		$eighty7,$tmp,$eighty7,1	# 0x010101..87
-+	xxlor		1, 32+$eighty7, 32+$eighty7
-+
-+	# Load XOR contents. 0xf102132435465768798a9bacbdcedfe
-+	mr		$x70, r6
-+	bl		Lconsts
-+	lxvw4x		0, $x40, r6		# load XOR contents
-+	mr		r6, $x70
-+	li		$x70,0x70
-+
- 	subi		$rounds,$rounds,3	# -4 in total
- 
- 	lvx		$rndkey0,$x00,$key1	# load key schedule
-@@ -2502,69 +2515,77 @@ ()
- 	?vperm		v31,v31,$twk5,$keyperm
- 	lvx		v25,$x10,$key_		# pre-load round[2]
- 
-+	# Switch to use the following codes with 0x010101..87 to generate tweak.
-+	#     eighty7 = 0x010101..87
-+	# vsrab		tmp, tweak, seven	# next tweak value, right shift 7 bits
-+	# vand		tmp, tmp, eighty7	# last byte with carry
-+	# vaddubm	tweak, tweak, tweak	# left shift 1 bit (x2)
-+	# xxlor		vsx, 0, 0
-+	# vpermxor	tweak, tweak, tmp, vsx
-+
- 	 vperm		$in0,$inout,$inptail,$inpperm
- 	 subi		$inp,$inp,31		# undo "caller"
- 	vxor		$twk0,$tweak,$rndkey0
- 	vsrab		$tmp,$tweak,$seven	# next tweak value
- 	vaddubm		$tweak,$tweak,$tweak
--	vsldoi		$tmp,$tmp,$tmp,15
- 	vand		$tmp,$tmp,$eighty7
- 	 vxor		$out0,$in0,$twk0
--	vxor		$tweak,$tweak,$tmp
-+	xxlor		32+$in1, 0, 0
-+	vpermxor	$tweak, $tweak, $tmp, $in1
- 
- 	 lvx_u		$in1,$x10,$inp
- 	vxor		$twk1,$tweak,$rndkey0
- 	vsrab		$tmp,$tweak,$seven	# next tweak value
- 	vaddubm		$tweak,$tweak,$tweak
--	vsldoi		$tmp,$tmp,$tmp,15
- 	 le?vperm	$in1,$in1,$in1,$leperm
- 	vand		$tmp,$tmp,$eighty7
- 	 vxor		$out1,$in1,$twk1
--	vxor		$tweak,$tweak,$tmp
-+	xxlor		32+$in2, 0, 0
-+	vpermxor	$tweak, $tweak, $tmp, $in2
- 
- 	 lvx_u		$in2,$x20,$inp
- 	 andi.		$taillen,$len,15
- 	vxor		$twk2,$tweak,$rndkey0
- 	vsrab		$tmp,$tweak,$seven	# next tweak value
- 	vaddubm		$tweak,$tweak,$tweak
--	vsldoi		$tmp,$tmp,$tmp,15
- 	 le?vperm	$in2,$in2,$in2,$leperm
- 	vand		$tmp,$tmp,$eighty7
- 	 vxor		$out2,$in2,$twk2
--	vxor		$tweak,$tweak,$tmp
-+	xxlor		32+$in3, 0, 0
-+	vpermxor	$tweak, $tweak, $tmp, $in3
- 
- 	 lvx_u		$in3,$x30,$inp
- 	 sub		$len,$len,$taillen
- 	vxor		$twk3,$tweak,$rndkey0
- 	vsrab		$tmp,$tweak,$seven	# next tweak value
- 	vaddubm		$tweak,$tweak,$tweak
--	vsldoi		$tmp,$tmp,$tmp,15
- 	 le?vperm	$in3,$in3,$in3,$leperm
- 	vand		$tmp,$tmp,$eighty7
- 	 vxor		$out3,$in3,$twk3
--	vxor		$tweak,$tweak,$tmp
-+	xxlor		32+$in4, 0, 0
-+	vpermxor	$tweak, $tweak, $tmp, $in4
- 
- 	 lvx_u		$in4,$x40,$inp
- 	 subi		$len,$len,0x60
- 	vxor		$twk4,$tweak,$rndkey0
- 	vsrab		$tmp,$tweak,$seven	# next tweak value
- 	vaddubm		$tweak,$tweak,$tweak
--	vsldoi		$tmp,$tmp,$tmp,15
- 	 le?vperm	$in4,$in4,$in4,$leperm
- 	vand		$tmp,$tmp,$eighty7
- 	 vxor		$out4,$in4,$twk4
--	vxor		$tweak,$tweak,$tmp
-+	xxlor		32+$in5, 0, 0
-+	vpermxor	$tweak, $tweak, $tmp, $in5
- 
- 	 lvx_u		$in5,$x50,$inp
- 	 addi		$inp,$inp,0x60
- 	vxor		$twk5,$tweak,$rndkey0
- 	vsrab		$tmp,$tweak,$seven	# next tweak value
- 	vaddubm		$tweak,$tweak,$tweak
--	vsldoi		$tmp,$tmp,$tmp,15
- 	 le?vperm	$in5,$in5,$in5,$leperm
- 	vand		$tmp,$tmp,$eighty7
- 	 vxor		$out5,$in5,$twk5
--	vxor		$tweak,$tweak,$tmp
-+	xxlor		32+$in0, 0, 0
-+	vpermxor	$tweak, $tweak, $tmp, $in0
- 
- 	vxor		v31,v31,$rndkey0
- 	mtctr		$rounds
-@@ -2590,6 +2611,8 @@ ()
- 	lvx		v25,$x10,$key_		# round[4]
- 	bdnz		Loop_xts_enc6x
- 
-+	xxlor		32+$eighty7, 1, 1		# 0x010101..87
-+
- 	subic		$len,$len,96		# $len-=96
- 	 vxor		$in0,$twk0,v31		# xor with last round key
- 	vcipher		$out0,$out0,v24
-@@ -2599,7 +2622,6 @@ ()
- 	 vaddubm	$tweak,$tweak,$tweak
- 	vcipher		$out2,$out2,v24
- 	vcipher		$out3,$out3,v24
--	 vsldoi		$tmp,$tmp,$tmp,15
- 	vcipher		$out4,$out4,v24
- 	vcipher		$out5,$out5,v24
- 
-@@ -2607,7 +2629,8 @@ ()
- 	 vand		$tmp,$tmp,$eighty7
- 	vcipher		$out0,$out0,v25
- 	vcipher		$out1,$out1,v25
--	 vxor		$tweak,$tweak,$tmp
-+	 xxlor		32+$in1, 0, 0
-+	 vpermxor	$tweak, $tweak, $tmp, $in1
- 	vcipher		$out2,$out2,v25
- 	vcipher		$out3,$out3,v25
- 	 vxor		$in1,$twk1,v31
-@@ -2618,13 +2641,13 @@ ()
- 
- 	and		r0,r0,$len
- 	 vaddubm	$tweak,$tweak,$tweak
--	 vsldoi		$tmp,$tmp,$tmp,15
- 	vcipher		$out0,$out0,v26
- 	vcipher		$out1,$out1,v26
- 	 vand		$tmp,$tmp,$eighty7
- 	vcipher		$out2,$out2,v26
- 	vcipher		$out3,$out3,v26
--	 vxor		$tweak,$tweak,$tmp
-+	 xxlor		32+$in2, 0, 0
-+	 vpermxor	$tweak, $tweak, $tmp, $in2
- 	vcipher		$out4,$out4,v26
- 	vcipher		$out5,$out5,v26
- 
-@@ -2638,7 +2661,6 @@ ()
- 	 vaddubm	$tweak,$tweak,$tweak
- 	vcipher		$out0,$out0,v27
- 	vcipher		$out1,$out1,v27
--	 vsldoi		$tmp,$tmp,$tmp,15
- 	vcipher		$out2,$out2,v27
- 	vcipher		$out3,$out3,v27
- 	 vand		$tmp,$tmp,$eighty7
-@@ -2646,7 +2668,8 @@ ()
- 	vcipher		$out5,$out5,v27
- 
- 	addi		$key_,$sp,$FRAME+15	# rewind $key_
--	 vxor		$tweak,$tweak,$tmp
-+	 xxlor		32+$in3, 0, 0
-+	 vpermxor	$tweak, $tweak, $tmp, $in3
- 	vcipher		$out0,$out0,v28
- 	vcipher		$out1,$out1,v28
- 	 vxor		$in3,$twk3,v31
-@@ -2655,7 +2678,6 @@ ()
- 	vcipher		$out2,$out2,v28
- 	vcipher		$out3,$out3,v28
- 	 vaddubm	$tweak,$tweak,$tweak
--	 vsldoi		$tmp,$tmp,$tmp,15
- 	vcipher		$out4,$out4,v28
- 	vcipher		$out5,$out5,v28
- 	lvx		v24,$x00,$key_		# re-pre-load round[1]
-@@ -2663,7 +2685,8 @@ ()
- 
- 	vcipher		$out0,$out0,v29
- 	vcipher		$out1,$out1,v29
--	 vxor		$tweak,$tweak,$tmp
-+	 xxlor		32+$in4, 0, 0
-+	 vpermxor	$tweak, $tweak, $tmp, $in4
- 	vcipher		$out2,$out2,v29
- 	vcipher		$out3,$out3,v29
- 	 vxor		$in4,$twk4,v31
-@@ -2673,14 +2696,14 @@ ()
- 	vcipher		$out5,$out5,v29
- 	lvx		v25,$x10,$key_		# re-pre-load round[2]
- 	 vaddubm	$tweak,$tweak,$tweak
--	 vsldoi		$tmp,$tmp,$tmp,15
- 
- 	vcipher		$out0,$out0,v30
- 	vcipher		$out1,$out1,v30
- 	 vand		$tmp,$tmp,$eighty7
- 	vcipher		$out2,$out2,v30
- 	vcipher		$out3,$out3,v30
--	 vxor		$tweak,$tweak,$tmp
-+	 xxlor		32+$in5, 0, 0
-+	 vpermxor	$tweak, $tweak, $tmp, $in5
- 	vcipher		$out4,$out4,v30
- 	vcipher		$out5,$out5,v30
- 	 vxor		$in5,$twk5,v31
-@@ -2690,7 +2713,6 @@ ()
- 	vcipherlast	$out0,$out0,$in0
- 	 lvx_u		$in0,$x00,$inp		# load next input block
- 	 vaddubm	$tweak,$tweak,$tweak
--	 vsldoi		$tmp,$tmp,$tmp,15
- 	vcipherlast	$out1,$out1,$in1
- 	 lvx_u		$in1,$x10,$inp
- 	vcipherlast	$out2,$out2,$in2
-@@ -2703,7 +2725,10 @@ ()
- 	vcipherlast	$out4,$out4,$in4
- 	 le?vperm	$in2,$in2,$in2,$leperm
- 	 lvx_u		$in4,$x40,$inp
--	 vxor		$tweak,$tweak,$tmp
-+	 xxlor		10, 32+$in0, 32+$in0
-+	 xxlor		32+$in0, 0, 0
-+	 vpermxor	$tweak, $tweak, $tmp, $in0
-+	 xxlor		32+$in0, 10, 10
- 	vcipherlast	$tmp,$out5,$in5		# last block might be needed
- 						# in stealing mode
- 	 le?vperm	$in3,$in3,$in3,$leperm
-@@ -2736,6 +2761,8 @@ ()
- 	mtctr		$rounds
- 	beq		Loop_xts_enc6x		# did $len-=96 borrow?
- 
-+	xxlor		32+$eighty7, 2, 2		# 0x870101..01
-+
- 	addic.		$len,$len,0x60
- 	beq		Lxts_enc6x_zero
- 	cmpwi		$len,0x20
-@@ -3112,6 +3139,18 @@ ()
- 	li		$x70,0x70
- 	mtspr		256,r0
- 
-+	# Reverse eighty7 to 0x010101..87
-+	xxlor		2, 32+$eighty7, 32+$eighty7
-+	vsldoi		$eighty7,$tmp,$eighty7,1	# 0x010101..87
-+	xxlor		1, 32+$eighty7, 32+$eighty7
-+
-+	# Load XOR contents. 0xf102132435465768798a9bacbdcedfe
-+	mr		$x70, r6
-+	bl		Lconsts
-+	lxvw4x		0, $x40, r6		# load XOR contents
-+	mr		r6, $x70
-+	li		$x70,0x70
-+
- 	subi		$rounds,$rounds,3	# -4 in total
- 
- 	lvx		$rndkey0,$x00,$key1	# load key schedule
-@@ -3159,64 +3198,64 @@ ()
- 	vxor		$twk0,$tweak,$rndkey0
- 	vsrab		$tmp,$tweak,$seven	# next tweak value
- 	vaddubm		$tweak,$tweak,$tweak
--	vsldoi		$tmp,$tmp,$tmp,15
- 	vand		$tmp,$tmp,$eighty7
- 	 vxor		$out0,$in0,$twk0
--	vxor		$tweak,$tweak,$tmp
-+	xxlor		32+$in1, 0, 0
-+	vpermxor	$tweak, $tweak, $tmp, $in1
- 
- 	 lvx_u		$in1,$x10,$inp
- 	vxor		$twk1,$tweak,$rndkey0
- 	vsrab		$tmp,$tweak,$seven	# next tweak value
- 	vaddubm		$tweak,$tweak,$tweak
--	vsldoi		$tmp,$tmp,$tmp,15
- 	 le?vperm	$in1,$in1,$in1,$leperm
- 	vand		$tmp,$tmp,$eighty7
- 	 vxor		$out1,$in1,$twk1
--	vxor		$tweak,$tweak,$tmp
-+	xxlor		32+$in2, 0, 0
-+	vpermxor	$tweak, $tweak, $tmp, $in2
- 
- 	 lvx_u		$in2,$x20,$inp
- 	 andi.		$taillen,$len,15
- 	vxor		$twk2,$tweak,$rndkey0
- 	vsrab		$tmp,$tweak,$seven	# next tweak value
- 	vaddubm		$tweak,$tweak,$tweak
--	vsldoi		$tmp,$tmp,$tmp,15
- 	 le?vperm	$in2,$in2,$in2,$leperm
- 	vand		$tmp,$tmp,$eighty7
- 	 vxor		$out2,$in2,$twk2
--	vxor		$tweak,$tweak,$tmp
-+	xxlor		32+$in3, 0, 0
-+	vpermxor	$tweak, $tweak, $tmp, $in3
- 
- 	 lvx_u		$in3,$x30,$inp
- 	 sub		$len,$len,$taillen
- 	vxor		$twk3,$tweak,$rndkey0
- 	vsrab		$tmp,$tweak,$seven	# next tweak value
- 	vaddubm		$tweak,$tweak,$tweak
--	vsldoi		$tmp,$tmp,$tmp,15
- 	 le?vperm	$in3,$in3,$in3,$leperm
- 	vand		$tmp,$tmp,$eighty7
- 	 vxor		$out3,$in3,$twk3
--	vxor		$tweak,$tweak,$tmp
-+	xxlor		32+$in4, 0, 0
-+	vpermxor	$tweak, $tweak, $tmp, $in4
- 
- 	 lvx_u		$in4,$x40,$inp
- 	 subi		$len,$len,0x60
- 	vxor		$twk4,$tweak,$rndkey0
- 	vsrab		$tmp,$tweak,$seven	# next tweak value
- 	vaddubm		$tweak,$tweak,$tweak
--	vsldoi		$tmp,$tmp,$tmp,15
- 	 le?vperm	$in4,$in4,$in4,$leperm
- 	vand		$tmp,$tmp,$eighty7
- 	 vxor		$out4,$in4,$twk4
--	vxor		$tweak,$tweak,$tmp
-+	xxlor		32+$in5, 0, 0
-+	vpermxor	$tweak, $tweak, $tmp, $in5
- 
- 	 lvx_u		$in5,$x50,$inp
- 	 addi		$inp,$inp,0x60
- 	vxor		$twk5,$tweak,$rndkey0
- 	vsrab		$tmp,$tweak,$seven	# next tweak value
- 	vaddubm		$tweak,$tweak,$tweak
--	vsldoi		$tmp,$tmp,$tmp,15
- 	 le?vperm	$in5,$in5,$in5,$leperm
- 	vand		$tmp,$tmp,$eighty7
- 	 vxor		$out5,$in5,$twk5
--	vxor		$tweak,$tweak,$tmp
-+	xxlor		32+$in0, 0, 0
-+	vpermxor	$tweak, $tweak, $tmp, $in0
- 
- 	vxor		v31,v31,$rndkey0
- 	mtctr		$rounds
-@@ -3242,6 +3281,8 @@ ()
- 	lvx		v25,$x10,$key_		# round[4]
- 	bdnz		Loop_xts_dec6x
- 
-+	xxlor		32+$eighty7, 1, 1
-+
- 	subic		$len,$len,96		# $len-=96
- 	 vxor		$in0,$twk0,v31		# xor with last round key
- 	vncipher	$out0,$out0,v24
-@@ -3251,7 +3292,6 @@ ()
- 	 vaddubm	$tweak,$tweak,$tweak
- 	vncipher	$out2,$out2,v24
- 	vncipher	$out3,$out3,v24
--	 vsldoi		$tmp,$tmp,$tmp,15
- 	vncipher	$out4,$out4,v24
- 	vncipher	$out5,$out5,v24
- 
-@@ -3259,7 +3299,8 @@ ()
- 	 vand		$tmp,$tmp,$eighty7
- 	vncipher	$out0,$out0,v25
- 	vncipher	$out1,$out1,v25
--	 vxor		$tweak,$tweak,$tmp
-+	 xxlor		32+$in1, 0, 0
-+	 vpermxor	$tweak, $tweak, $tmp, $in1
- 	vncipher	$out2,$out2,v25
- 	vncipher	$out3,$out3,v25
- 	 vxor		$in1,$twk1,v31
-@@ -3270,13 +3311,13 @@ ()
- 
- 	and		r0,r0,$len
- 	 vaddubm	$tweak,$tweak,$tweak
--	 vsldoi		$tmp,$tmp,$tmp,15
- 	vncipher	$out0,$out0,v26
- 	vncipher	$out1,$out1,v26
- 	 vand		$tmp,$tmp,$eighty7
- 	vncipher	$out2,$out2,v26
- 	vncipher	$out3,$out3,v26
--	 vxor		$tweak,$tweak,$tmp
-+	 xxlor		32+$in2, 0, 0
-+	 vpermxor	$tweak, $tweak, $tmp, $in2
- 	vncipher	$out4,$out4,v26
- 	vncipher	$out5,$out5,v26
- 
-@@ -3290,7 +3331,6 @@ ()
- 	 vaddubm	$tweak,$tweak,$tweak
- 	vncipher	$out0,$out0,v27
- 	vncipher	$out1,$out1,v27
--	 vsldoi		$tmp,$tmp,$tmp,15
- 	vncipher	$out2,$out2,v27
- 	vncipher	$out3,$out3,v27
- 	 vand		$tmp,$tmp,$eighty7
-@@ -3298,7 +3338,8 @@ ()
- 	vncipher	$out5,$out5,v27
- 
- 	addi		$key_,$sp,$FRAME+15	# rewind $key_
--	 vxor		$tweak,$tweak,$tmp
-+	 xxlor		32+$in3, 0, 0
-+	 vpermxor	$tweak, $tweak, $tmp, $in3
- 	vncipher	$out0,$out0,v28
- 	vncipher	$out1,$out1,v28
- 	 vxor		$in3,$twk3,v31
-@@ -3307,7 +3348,6 @@ ()
- 	vncipher	$out2,$out2,v28
- 	vncipher	$out3,$out3,v28
- 	 vaddubm	$tweak,$tweak,$tweak
--	 vsldoi		$tmp,$tmp,$tmp,15
- 	vncipher	$out4,$out4,v28
- 	vncipher	$out5,$out5,v28
- 	lvx		v24,$x00,$key_		# re-pre-load round[1]
-@@ -3315,7 +3355,8 @@ ()
- 
- 	vncipher	$out0,$out0,v29
- 	vncipher	$out1,$out1,v29
--	 vxor		$tweak,$tweak,$tmp
-+	 xxlor		32+$in4, 0, 0
-+	 vpermxor	$tweak, $tweak, $tmp, $in4
- 	vncipher	$out2,$out2,v29
- 	vncipher	$out3,$out3,v29
- 	 vxor		$in4,$twk4,v31
-@@ -3325,14 +3366,14 @@ ()
- 	vncipher	$out5,$out5,v29
- 	lvx		v25,$x10,$key_		# re-pre-load round[2]
- 	 vaddubm	$tweak,$tweak,$tweak
--	 vsldoi		$tmp,$tmp,$tmp,15
- 
- 	vncipher	$out0,$out0,v30
- 	vncipher	$out1,$out1,v30
- 	 vand		$tmp,$tmp,$eighty7
- 	vncipher	$out2,$out2,v30
- 	vncipher	$out3,$out3,v30
--	 vxor		$tweak,$tweak,$tmp
-+	 xxlor		32+$in5, 0, 0
-+	 vpermxor	$tweak, $tweak, $tmp, $in5
- 	vncipher	$out4,$out4,v30
- 	vncipher	$out5,$out5,v30
- 	 vxor		$in5,$twk5,v31
-@@ -3342,7 +3383,6 @@ ()
- 	vncipherlast	$out0,$out0,$in0
- 	 lvx_u		$in0,$x00,$inp		# load next input block
- 	 vaddubm	$tweak,$tweak,$tweak
--	 vsldoi		$tmp,$tmp,$tmp,15
- 	vncipherlast	$out1,$out1,$in1
- 	 lvx_u		$in1,$x10,$inp
- 	vncipherlast	$out2,$out2,$in2
-@@ -3355,7 +3395,10 @@ ()
- 	vncipherlast	$out4,$out4,$in4
- 	 le?vperm	$in2,$in2,$in2,$leperm
- 	 lvx_u		$in4,$x40,$inp
--	 vxor		$tweak,$tweak,$tmp
-+	 xxlor		10, 32+$in0, 32+$in0
-+	 xxlor		32+$in0, 0, 0
-+	 vpermxor	$tweak, $tweak, $tmp, $in0
-+	 xxlor		32+$in0, 10, 10
- 	vncipherlast	$out5,$out5,$in5
- 	 le?vperm	$in3,$in3,$in3,$leperm
- 	 lvx_u		$in5,$x50,$inp
-@@ -3386,6 +3429,8 @@ ()
- 	mtctr		$rounds
- 	beq		Loop_xts_dec6x		# did $len-=96 borrow?
- 
-+	xxlor		32+$eighty7, 2, 2
-+
- 	addic.		$len,$len,0x60
- 	beq		Lxts_dec6x_zero
- 	cmpwi		$len,0x20

openssl-Remove-EC-curves.patch

@@ -1,267 +0,0 @@
-From 4a275f852b61238161c053774736dc07b3ade200 Mon Sep 17 00:00:00 2001
-From: Dmitry Belyavskiy <dbelyavs@redhat.com>
-Date: Mon, 21 Aug 2023 11:46:40 +0200
-Subject: [PATCH 11/48] 0011-Remove-EC-curves.patch
-
-Patch-name: 0011-Remove-EC-curves.patch
-Patch-id: 11
-Patch-status: |
-    # remove unsupported EC curves
----
- apps/speed.c                 |  8 +---
- crypto/evp/ec_support.c      | 87 ------------------------------------
- test/acvp_test.inc           |  9 ----
- test/ecdsatest.h             | 17 -------
- test/recipes/15-test_genec.t | 27 -----------
- 5 files changed, 1 insertion(+), 147 deletions(-)
-
-Index: openssl-3.2.3/apps/speed.c
-===================================================================
---- openssl-3.2.3.orig/apps/speed.c
-+++ openssl-3.2.3/apps/speed.c
-@@ -401,7 +401,7 @@ static double ffdh_results[FFDH_NUM][1];
- #endif /* OPENSSL_NO_DH */
- 
- enum ec_curves_t {
--    R_EC_P160, R_EC_P192, R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521,
-+    R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521,
- #ifndef OPENSSL_NO_EC2M
-     R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571,
-     R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571,
-@@ -411,8 +411,6 @@ enum ec_curves_t {
- };
- /* list of ecdsa curves */
- static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = {
--    {"ecdsap160", R_EC_P160},
--    {"ecdsap192", R_EC_P192},
-     {"ecdsap224", R_EC_P224},
-     {"ecdsap256", R_EC_P256},
-     {"ecdsap384", R_EC_P384},
-@@ -445,8 +443,6 @@ enum {
- };
- /* list of ecdh curves, extension of |ecdsa_choices| list above */
- static const OPT_PAIR ecdh_choices[EC_NUM] = {
--    {"ecdhp160", R_EC_P160},
--    {"ecdhp192", R_EC_P192},
-     {"ecdhp224", R_EC_P224},
-     {"ecdhp256", R_EC_P256},
-     {"ecdhp384", R_EC_P384},
-@@ -1781,8 +1777,6 @@ int speed_main(int argc, char **argv)
-      */
-     static const EC_CURVE ec_curves[EC_NUM] = {
-         /* Prime Curves */
--        {"secp160r1", NID_secp160r1, 160},
--        {"nistp192", NID_X9_62_prime192v1, 192},
-         {"nistp224", NID_secp224r1, 224},
-         {"nistp256", NID_X9_62_prime256v1, 256},
-         {"nistp384", NID_secp384r1, 384},
-Index: openssl-3.2.3/crypto/evp/ec_support.c
-===================================================================
---- openssl-3.2.3.orig/crypto/evp/ec_support.c
-+++ openssl-3.2.3/crypto/evp/ec_support.c
-@@ -20,89 +20,15 @@ typedef struct ec_name2nid_st {
- static const EC_NAME2NID curve_list[] = {
-     /* prime field curves */
-     /* secg curves */
--    {"secp112r1", NID_secp112r1 },
--    {"secp112r2", NID_secp112r2 },
--    {"secp128r1", NID_secp128r1 },
--    {"secp128r2", NID_secp128r2 },
--    {"secp160k1", NID_secp160k1 },
--    {"secp160r1", NID_secp160r1 },
--    {"secp160r2", NID_secp160r2 },
--    {"secp192k1", NID_secp192k1 },
--    {"secp224k1", NID_secp224k1 },
-     {"secp224r1", NID_secp224r1 },
-     {"secp256k1", NID_secp256k1 },
-     {"secp384r1", NID_secp384r1 },
-     {"secp521r1", NID_secp521r1 },
-     /* X9.62 curves */
--    {"prime192v1", NID_X9_62_prime192v1 },
--    {"prime192v2", NID_X9_62_prime192v2 },
--    {"prime192v3", NID_X9_62_prime192v3 },
--    {"prime239v1", NID_X9_62_prime239v1 },
--    {"prime239v2", NID_X9_62_prime239v2 },
--    {"prime239v3", NID_X9_62_prime239v3 },
-     {"prime256v1", NID_X9_62_prime256v1 },
-     /* characteristic two field curves */
-     /* NIST/SECG curves */
--    {"sect113r1", NID_sect113r1 },
--    {"sect113r2", NID_sect113r2 },
--    {"sect131r1", NID_sect131r1 },
--    {"sect131r2", NID_sect131r2 },
--    {"sect163k1", NID_sect163k1 },
--    {"sect163r1", NID_sect163r1 },
--    {"sect163r2", NID_sect163r2 },
--    {"sect193r1", NID_sect193r1 },
--    {"sect193r2", NID_sect193r2 },
--    {"sect233k1", NID_sect233k1 },
--    {"sect233r1", NID_sect233r1 },
--    {"sect239k1", NID_sect239k1 },
--    {"sect283k1", NID_sect283k1 },
--    {"sect283r1", NID_sect283r1 },
--    {"sect409k1", NID_sect409k1 },
--    {"sect409r1", NID_sect409r1 },
--    {"sect571k1", NID_sect571k1 },
--    {"sect571r1", NID_sect571r1 },
--    /* X9.62 curves */
--    {"c2pnb163v1", NID_X9_62_c2pnb163v1 },
--    {"c2pnb163v2", NID_X9_62_c2pnb163v2 },
--    {"c2pnb163v3", NID_X9_62_c2pnb163v3 },
--    {"c2pnb176v1", NID_X9_62_c2pnb176v1 },
--    {"c2tnb191v1", NID_X9_62_c2tnb191v1 },
--    {"c2tnb191v2", NID_X9_62_c2tnb191v2 },
--    {"c2tnb191v3", NID_X9_62_c2tnb191v3 },
--    {"c2pnb208w1", NID_X9_62_c2pnb208w1 },
--    {"c2tnb239v1", NID_X9_62_c2tnb239v1 },
--    {"c2tnb239v2", NID_X9_62_c2tnb239v2 },
--    {"c2tnb239v3", NID_X9_62_c2tnb239v3 },
--    {"c2pnb272w1", NID_X9_62_c2pnb272w1 },
--    {"c2pnb304w1", NID_X9_62_c2pnb304w1 },
--    {"c2tnb359v1", NID_X9_62_c2tnb359v1 },
--    {"c2pnb368w1", NID_X9_62_c2pnb368w1 },
--    {"c2tnb431r1", NID_X9_62_c2tnb431r1 },
--    /*
--     * the WAP/WTLS curves [unlike SECG, spec has its own OIDs for curves
--     * from X9.62]
--     */
--    {"wap-wsg-idm-ecid-wtls1", NID_wap_wsg_idm_ecid_wtls1 },
--    {"wap-wsg-idm-ecid-wtls3", NID_wap_wsg_idm_ecid_wtls3 },
--    {"wap-wsg-idm-ecid-wtls4", NID_wap_wsg_idm_ecid_wtls4 },
--    {"wap-wsg-idm-ecid-wtls5", NID_wap_wsg_idm_ecid_wtls5 },
--    {"wap-wsg-idm-ecid-wtls6", NID_wap_wsg_idm_ecid_wtls6 },
--    {"wap-wsg-idm-ecid-wtls7", NID_wap_wsg_idm_ecid_wtls7 },
--    {"wap-wsg-idm-ecid-wtls8", NID_wap_wsg_idm_ecid_wtls8 },
--    {"wap-wsg-idm-ecid-wtls9", NID_wap_wsg_idm_ecid_wtls9 },
--    {"wap-wsg-idm-ecid-wtls10", NID_wap_wsg_idm_ecid_wtls10 },
--    {"wap-wsg-idm-ecid-wtls11", NID_wap_wsg_idm_ecid_wtls11 },
--    {"wap-wsg-idm-ecid-wtls12", NID_wap_wsg_idm_ecid_wtls12 },
--    /* IPSec curves */
--    {"Oakley-EC2N-3", NID_ipsec3 },
--    {"Oakley-EC2N-4", NID_ipsec4 },
-     /* brainpool curves */
--    {"brainpoolP160r1", NID_brainpoolP160r1 },
--    {"brainpoolP160t1", NID_brainpoolP160t1 },
--    {"brainpoolP192r1", NID_brainpoolP192r1 },
--    {"brainpoolP192t1", NID_brainpoolP192t1 },
--    {"brainpoolP224r1", NID_brainpoolP224r1 },
--    {"brainpoolP224t1", NID_brainpoolP224t1 },
-     {"brainpoolP256r1", NID_brainpoolP256r1 },
-     {"brainpoolP256t1", NID_brainpoolP256t1 },
-     {"brainpoolP320r1", NID_brainpoolP320r1 },
-@@ -150,17 +76,6 @@ int ossl_ec_curve_name2nid(const char *n
- /* Functions to translate between common NIST curve names and NIDs */
- 
- static const EC_NAME2NID nist_curves[] = {
--    {"B-163", NID_sect163r2},
--    {"B-233", NID_sect233r1},
--    {"B-283", NID_sect283r1},
--    {"B-409", NID_sect409r1},
--    {"B-571", NID_sect571r1},
--    {"K-163", NID_sect163k1},
--    {"K-233", NID_sect233k1},
--    {"K-283", NID_sect283k1},
--    {"K-409", NID_sect409k1},
--    {"K-571", NID_sect571k1},
--    {"P-192", NID_X9_62_prime192v1},
-     {"P-224", NID_secp224r1},
-     {"P-256", NID_X9_62_prime256v1},
-     {"P-384", NID_secp384r1},
-Index: openssl-3.2.3/test/acvp_test.inc
-===================================================================
---- openssl-3.2.3.orig/test/acvp_test.inc
-+++ openssl-3.2.3/test/acvp_test.inc
-@@ -212,15 +212,6 @@ static const unsigned char ecdsa_sigver_
- };
- static const struct ecdsa_sigver_st ecdsa_sigver_data[] = {
-     {
--        "SHA-1",
--        "P-192",
--        ITM(ecdsa_sigver_msg0),
--        ITM(ecdsa_sigver_pub0),
--        ITM(ecdsa_sigver_r0),
--        ITM(ecdsa_sigver_s0),
--        PASS,
--    },
--    {
-         "SHA2-512",
-         "P-521",
-         ITM(ecdsa_sigver_msg1),
-Index: openssl-3.2.3/test/ecdsatest.h
-===================================================================
---- openssl-3.2.3.orig/test/ecdsatest.h
-+++ openssl-3.2.3/test/ecdsatest.h
-@@ -32,23 +32,6 @@ typedef struct {
- } ecdsa_cavs_kat_t;
- 
- static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = {
--    /* prime KATs from X9.62 */
--    {NID_X9_62_prime192v1, NID_sha1,
--     "616263",                  /* "abc" */
--     "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb",
--     "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e"
--     "5ca5c0d69716dfcb3474373902",
--     "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e",
--     "885052380ff147b734c330c43d39b2c4a89f29b0f749fead",
--     "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"},
--    {NID_X9_62_prime239v1, NID_sha1,
--     "616263",                  /* "abc" */
--     "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d",
--     "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e"
--     "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee",
--     "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af",
--     "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0",
--     "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"},
-     /* prime KATs from NIST CAVP */
-     {NID_secp224r1, NID_sha224,
-      "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
-Index: openssl-3.2.3/test/recipes/15-test_genec.t
-===================================================================
---- openssl-3.2.3.orig/test/recipes/15-test_genec.t
-+++ openssl-3.2.3/test/recipes/15-test_genec.t
-@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupport
-     if disabled("ec");
- 
- my @prime_curves = qw(
--    secp112r1
--    secp112r2
--    secp128r1
--    secp128r2
--    secp160k1
--    secp160r1
--    secp160r2
--    secp192k1
--    secp224k1
-     secp224r1
-     secp256k1
-     secp384r1
-     secp521r1
--    prime192v1
--    prime192v2
--    prime192v3
--    prime239v1
--    prime239v2
--    prime239v3
-     prime256v1
--    wap-wsg-idm-ecid-wtls6
--    wap-wsg-idm-ecid-wtls7
--    wap-wsg-idm-ecid-wtls8
--    wap-wsg-idm-ecid-wtls9
--    wap-wsg-idm-ecid-wtls12
--    brainpoolP160r1
--    brainpoolP160t1
--    brainpoolP192r1
--    brainpoolP192t1
--    brainpoolP224r1
--    brainpoolP224t1
-     brainpoolP256r1
-     brainpoolP256t1
-     brainpoolP320r1
-@@ -136,7 +110,6 @@ push(@other_curves, 'SM2')
-     if !disabled("sm2");
- 
- my @curve_aliases = qw(
--    P-192
-     P-224
-     P-256
-     P-384

openssl-Revert-Improve-FIPS-RSA-keygen-performance.patch

@@ -1,171 +0,0 @@
-Subject: [PATCH] Revert "Improve FIPS RSA keygen performance."
-
-This reverts commit 3431dd4b3ee7933822586aab62972de4d8c0e9e5.
----
- crypto/bn/bn_prime.c         | 11 --------
- crypto/bn/bn_rsa_fips186_4.c | 49 ++++++------------------------------
- include/crypto/bn.h          |  2 --
- 3 files changed, 8 insertions(+), 54 deletions(-)
-
-diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c
-index 79776f1ce5..ddd31a0252 100644
---- a/crypto/bn/bn_prime.c
-+++ b/crypto/bn/bn_prime.c
-@@ -252,17 +252,6 @@ int ossl_bn_check_prime(const BIGNUM *w, int checks, BN_CTX *ctx,
-     return bn_is_prime_int(w, checks, ctx, do_trial_division, cb);
- }
- 
--/*
-- * Use this only for key generation.
-- * It always uses trial division. The number of checks
-- * (MR rounds) passed in is used without being clamped to a minimum value.
-- */
--int ossl_bn_check_generated_prime(const BIGNUM *w, int checks, BN_CTX *ctx,
--                                  BN_GENCB *cb)
--{
--    return bn_is_prime_int(w, checks, ctx, 1, cb);
--}
--
- int BN_check_prime(const BIGNUM *p, BN_CTX *ctx, BN_GENCB *cb)
- {
-     return ossl_bn_check_prime(p, 0, ctx, 1, cb);
-diff --git a/crypto/bn/bn_rsa_fips186_4.c b/crypto/bn/bn_rsa_fips186_4.c
-index e9f0d4038c..8a7b2ecf2f 100644
---- a/crypto/bn/bn_rsa_fips186_4.c
-+++ b/crypto/bn/bn_rsa_fips186_4.c
-@@ -48,34 +48,6 @@ const BIGNUM ossl_bn_inv_sqrt_2 = {
-     BN_FLG_STATIC_DATA
- };
- 
--/*
-- * Refer to FIPS 186-5 Table B.1 for minimum rounds of Miller Rabin
-- * required for generation of RSA aux primes (p1, p2, q1 and q2).
-- */
--static int bn_rsa_fips186_5_aux_prime_MR_rounds(int nbits)
--{
--    if (nbits >= 4096)
--        return 44;
--    if (nbits >= 3072)
--        return 41;
--    if (nbits >= 2048)
--        return 38;
--    return 0; /* Error */
--}
--
--/*
-- * Refer to FIPS 186-5 Table B.1 for minimum rounds of Miller Rabin
-- * required for generation of RSA primes (p and q)
-- */
--static int bn_rsa_fips186_5_prime_MR_rounds(int nbits)
--{
--    if (nbits >= 3072)
--        return 4;
--    if (nbits >= 2048)
--        return 5;
--    return 0; /* Error */
--}
--
- /*
-  * FIPS 186-5 Table A.1. "Min length of auxiliary primes p1, p2, q1, q2".
-  * (FIPS 186-5 has an entry for >= 4096 bits).
-@@ -125,13 +97,11 @@ static int bn_rsa_fips186_5_aux_prime_max_sum_size_for_prob_primes(int nbits)
-  *     Xp1 The passed in starting point to find a probably prime.
-  *     p1 The returned probable prime (first odd integer >= Xp1)
-  *     ctx A BN_CTX object.
-- *     rounds The number of Miller Rabin rounds
-  *     cb An optional BIGNUM callback.
-  * Returns: 1 on success otherwise it returns 0.
-  */
- static int bn_rsa_fips186_4_find_aux_prob_prime(const BIGNUM *Xp1,
-                                                 BIGNUM *p1, BN_CTX *ctx,
--                                                int rounds,
-                                                 BN_GENCB *cb)
- {
-     int ret = 0;
-@@ -147,7 +117,7 @@ static int bn_rsa_fips186_4_find_aux_prob_prime(const BIGNUM *Xp1,
-         i++;
-         BN_GENCB_call(cb, 0, i);
-         /* MR test with trial division */
--        tmp = ossl_bn_check_generated_prime(p1, rounds, ctx, cb);
-+        tmp = BN_check_prime(p1, ctx, cb);
-         if (tmp > 0)
-             break;
-         if (tmp < 0)
-@@ -190,7 +160,7 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout,
- {
-     int ret = 0;
-     BIGNUM *p1i = NULL, *p2i = NULL, *Xp1i = NULL, *Xp2i = NULL;
--    int bitlen, rounds;
-+    int bitlen;
- 
-     if (p == NULL || Xpout == NULL)
-         return 0;
-@@ -207,7 +177,6 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout,
-     bitlen = bn_rsa_fips186_5_aux_prime_min_size(nlen);
-     if (bitlen == 0)
-         goto err;
--    rounds = bn_rsa_fips186_5_aux_prime_MR_rounds(nlen);
- 
-     /* (Steps 4.1/5.1): Randomly generate Xp1 if it is not passed in */
-     if (Xp1 == NULL) {
-@@ -225,8 +194,8 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout,
-     }
- 
-     /* (Steps 4.2/5.2) - find first auxiliary probable primes */
--    if (!bn_rsa_fips186_4_find_aux_prob_prime(Xp1i, p1i, ctx, rounds, cb)
--            || !bn_rsa_fips186_4_find_aux_prob_prime(Xp2i, p2i, ctx, rounds, cb))
-+    if (!bn_rsa_fips186_4_find_aux_prob_prime(Xp1i, p1i, ctx, cb)
-+            || !bn_rsa_fips186_4_find_aux_prob_prime(Xp2i, p2i, ctx, cb))
-         goto err;
-     /* (Table B.1) auxiliary prime Max length check */
-     if ((BN_num_bits(p1i) + BN_num_bits(p2i)) >=
-@@ -274,11 +243,11 @@ err:
-  */
- int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin,
-                                        const BIGNUM *r1, const BIGNUM *r2,
--                                       int nlen, const BIGNUM *e,
--                                       BN_CTX *ctx, BN_GENCB *cb)
-+                                       int nlen, const BIGNUM *e, BN_CTX *ctx,
-+                                       BN_GENCB *cb)
- {
-     int ret = 0;
--    int i, imax, rounds;
-+    int i, imax;
-     int bits = nlen >> 1;
-     BIGNUM *tmp, *R, *r1r2x2, *y1, *r1x2;
-     BIGNUM *base, *range;
-@@ -348,7 +317,6 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin,
-      * The number has been updated to 20 * nlen/2 as used in
-      * FIPS186-5 Appendix B.9 Step 9.
-      */
--    rounds = bn_rsa_fips186_5_prime_MR_rounds(nlen);
-     imax = 20 * bits; /* max = 20/2 * nbits */
-     for (;;) {
-         if (Xin == NULL) {
-@@ -378,9 +346,8 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin,
-             if (BN_copy(y1, Y) == NULL
-                     || !BN_sub_word(y1, 1))
-                 goto err;
--
-             if (BN_are_coprime(y1, e, ctx)) {
--                int rv = ossl_bn_check_generated_prime(Y, rounds, ctx, cb);
-+                int rv = BN_check_prime(Y, ctx, cb);
- 
-                 if (rv > 0)
-                     goto end;
-diff --git a/include/crypto/bn.h b/include/crypto/bn.h
-index 4d11e0e4b1..cf69bea848 100644
---- a/include/crypto/bn.h
-+++ b/include/crypto/bn.h
-@@ -95,8 +95,6 @@ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
- 
- int ossl_bn_miller_rabin_is_prime(const BIGNUM *w, int iterations, BN_CTX *ctx,
-                                   BN_GENCB *cb, int enhanced, int *status);
--int ossl_bn_check_generated_prime(const BIGNUM *w, int checks, BN_CTX *ctx,
--                                  BN_GENCB *cb);
- 
- const BIGNUM *ossl_bn_get0_small_factors(void);
- 
--- 
-2.44.0
-

openssl-crypto-policies-support.patch

@@ -1,35 +0,0 @@
-Add default section to load crypto-policies configuration for TLS.
-
-It needs to be reverted before running tests.
-
----
- apps/openssl.cnf | 20 ++++++++++++++++++--
- 2 files changed, 19 insertions(+), 3 deletions(-)
-
-Index: openssl-3.2.0/apps/openssl.cnf
-===================================================================
---- openssl-3.2.0.orig/apps/openssl.cnf
-+++ openssl-3.2.0/apps/openssl.cnf
-@@ -52,6 +52,8 @@ tsa_policy3 = 1.2.3.4.5.7
- 
- [openssl_init]
- providers = provider_sect
-+# Load default TLS policy configuration
-+ssl_conf = ssl_module
- 
- # List of providers to load
- [provider_sect]
-@@ -71,6 +73,13 @@ default = default_sect
- [default_sect]
- # activate = 1
- 
-+[ ssl_module ]
-+
-+system_default = crypto_policy
-+
-+[ crypto_policy ]
-+
-+.include = /etc/crypto-policies/back-ends/opensslcnf.config
- 
- ####################################################################
- [ ca ]

openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch

@@ -1,65 +0,0 @@
-From 3e47a286dc3274bda72a196c3a4030a1fc8302f1 Mon Sep 17 00:00:00 2001
-From: Rohan McLure <rohanmclure@linux.ibm.com>
-Date: Fri, 23 Jun 2023 16:41:48 +1000
-Subject: [PATCH] ec: Use static linkage on nistp521 felem_{square,mul}
- wrappers
-
-Runtime selection of implementations for felem_{square,mul} depends on
-felem_{square,mul}_wrapper functions, which overwrite function points in
-a similar design to that of .plt.got sections used by program loaders
-during dynamic linking.
-
-There's no reason why these functions need to have external linkage.
-Mark static.
-
-Signed-off-by: Rohan McLure <rohanmclure@linux.ibm.com>
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
-Reviewed-by: Todd Short <todd.short@me.com>
-(Merged from https://github.com/openssl/openssl/pull/21471)
----
- crypto/ec/ecp_nistp521.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c
-index 97815cac1f13..32a9268ecf17 100644
---- a/crypto/ec/ecp_nistp521.c
-+++ b/crypto/ec/ecp_nistp521.c
-@@ -676,8 +676,8 @@ static void felem_reduce(felem out, const largefelem in)
- }
- 
- #if defined(ECP_NISTP521_ASM)
--void felem_square_wrapper(largefelem out, const felem in);
--void felem_mul_wrapper(largefelem out, const felem in1, const felem in2);
-+static void felem_square_wrapper(largefelem out, const felem in);
-+static void felem_mul_wrapper(largefelem out, const felem in1, const felem in2);
- 
- static void (*felem_square_p)(largefelem out, const felem in) =
-     felem_square_wrapper;
-@@ -691,7 +691,7 @@ void p521_felem_mul(largefelem out, const felem in1, const felem in2);
- #  include "crypto/ppc_arch.h"
- # endif
- 
--void felem_select(void)
-+static void felem_select(void)
- {
- # if defined(_ARCH_PPC64)
-     if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) {
-@@ -707,13 +707,13 @@ void felem_select(void)
-     felem_mul_p = felem_mul_ref;
- }
- 
--void felem_square_wrapper(largefelem out, const felem in)
-+static void felem_square_wrapper(largefelem out, const felem in)
- {
-     felem_select();
-     felem_square_p(out, in);
- }
- 
--void felem_mul_wrapper(largefelem out, const felem in1, const felem in2)
-+static void felem_mul_wrapper(largefelem out, const felem in1, const felem in2)
- {
-     felem_select();
-     felem_mul_p(out, in1, in2);

openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch

@@ -1,428 +0,0 @@
-From 966047ee13188e8634af25af348940acceb9316d Mon Sep 17 00:00:00 2001
-From: Rohan McLure <rohanmclure@linux.ibm.com>
-Date: Wed, 31 May 2023 14:32:26 +1000
-Subject: [PATCH] ec: powerpc64le: Add asm implementation of felem_{square,mul}
-
-Add an assembly implementation of felem_{square,mul}, which will be
-implemented whenever Altivec support is present and the core implements
-ISA 3.0 (Power 9) or greater.
-
-Signed-off-by: Rohan McLure <rohanmclure@linux.ibm.com>
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
-Reviewed-by: Todd Short <todd.short@me.com>
-(Merged from https://github.com/openssl/openssl/pull/21471)
----
- crypto/ec/asm/ecp_nistp384-ppc64.pl | 355 ++++++++++++++++++++++++++++
- crypto/ec/build.info                |   6 +-
- crypto/ec/ecp_nistp384.c            |   9 +
- 3 files changed, 368 insertions(+), 2 deletions(-)
- create mode 100755 crypto/ec/asm/ecp_nistp384-ppc64.pl
-
-diff --git a/crypto/ec/asm/ecp_nistp384-ppc64.pl b/crypto/ec/asm/ecp_nistp384-ppc64.pl
-new file mode 100755
-index 000000000000..3f86b391af69
---- /dev/null
-+++ b/crypto/ec/asm/ecp_nistp384-ppc64.pl
-@@ -0,0 +1,355 @@
-+#! /usr/bin/env perl
-+# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
-+#
-+# Licensed under the Apache License 2.0 (the "License").  You may not use
-+# this file except in compliance with the License.  You can obtain a copy
-+# in the file LICENSE in the source distribution or at
-+# https://www.openssl.org/source/license.html
-+#
-+# ====================================================================
-+# Written by Rohan McLure <rmclure@linux.ibm.com> for the OpenSSL
-+# project.
-+# ====================================================================
-+#
-+# p384 lower-level primitives for PPC64 using vector instructions.
-+#
-+
-+use strict;
-+use warnings;
-+
-+my $flavour = shift;
-+my $output = "";
-+while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {}
-+if (!$output) {
-+    $output = "-";
-+}
-+
-+my ($xlate, $dir);
-+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
-+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
-+die "can't locate ppc-xlate.pl";
-+
-+open OUT,"| \"$^X\" $xlate $flavour $output";
-+*STDOUT=*OUT;
-+
-+my $code = "";
-+
-+my ($sp, $outp, $savelr, $savesp) = ("r1", "r3", "r10", "r12");
-+
-+my $vzero = "v32";
-+
-+sub startproc($)
-+{
-+    my ($name) = @_;
-+
-+    $code.=<<___;
-+    .globl ${name}
-+    .align 5
-+${name}:
-+
-+___
-+}
-+
-+sub endproc($)
-+{
-+    my ($name) = @_;
-+
-+    $code.=<<___;
-+    blr
-+        .size ${name},.-${name}
-+
-+___
-+}
-+
-+
-+sub push_vrs($$)
-+{
-+    my ($min, $max) = @_;
-+
-+    my $count = $max - $min + 1;
-+
-+    $code.=<<___;
-+    mr      $savesp,$sp
-+    stdu        $sp,-16*`$count+1`($sp)
-+
-+___
-+        for (my $i = $min; $i <= $max; $i++) {
-+            my $mult = $max - $i + 1;
-+            $code.=<<___;
-+    stxv        $i,-16*$mult($savesp)
-+___
-+
-+    }
-+
-+    $code.=<<___;
-+
-+___
-+}
-+
-+sub pop_vrs($$)
-+{
-+    my ($min, $max) = @_;
-+
-+    $code.=<<___;
-+    ld      $savesp,0($sp)
-+___
-+    for (my $i = $min; $i <= $max; $i++) {
-+        my $mult = $max - $i + 1;
-+        $code.=<<___;
-+    lxv     $i,-16*$mult($savesp)
-+___
-+    }
-+
-+    $code.=<<___;
-+    mr      $sp,$savesp
-+
-+___
-+}
-+
-+sub load_vrs($$)
-+{
-+    my ($pointer, $reg_list) = @_;
-+
-+    for (my $i = 0; $i <= 6; $i++) {
-+        my $offset = $i * 8;
-+        $code.=<<___;
-+    lxsd        $reg_list->[$i],$offset($pointer)
-+___
-+    }
-+
-+    $code.=<<___;
-+
-+___
-+}
-+
-+sub store_vrs($$)
-+{
-+    my ($pointer, $reg_list) = @_;
-+
-+    for (my $i = 0; $i <= 12; $i++) {
-+        my $offset = $i * 16;
-+        $code.=<<___;
-+    stxv        $reg_list->[$i],$offset($pointer)
-+___
-+    }
-+
-+    $code.=<<___;
-+
-+___
-+}
-+
-+$code.=<<___;
-+.machine    "any"
-+.text
-+
-+___
-+
-+{
-+    # mul/square common
-+    my ($t1, $t2, $t3, $t4) = ("v33", "v34", "v42", "v43");
-+    my ($zero, $one) = ("r8", "r9");
-+    my $out = "v51";
-+
-+    {
-+        #
-+        # p384_felem_mul
-+        #
-+
-+        my ($in1p, $in2p) = ("r4", "r5");
-+        my @in1 = map("v$_",(44..50));
-+        my @in2 = map("v$_",(35..41));
-+
-+        startproc("p384_felem_mul");
-+
-+        push_vrs(52, 63);
-+
-+        $code.=<<___;
-+    vspltisw    $vzero,0
-+
-+___
-+
-+        load_vrs($in1p, \@in1);
-+        load_vrs($in2p, \@in2);
-+
-+        $code.=<<___;
-+    vmsumudm    $out,$in1[0],$in2[0],$vzero
-+    stxv        $out,0($outp)
-+
-+    xxpermdi    $t1,$in1[0],$in1[1],0b00
-+    xxpermdi    $t2,$in2[1],$in2[0],0b00
-+    vmsumudm    $out,$t1,$t2,$vzero
-+    stxv        $out,16($outp)
-+
-+    xxpermdi    $t2,$in2[2],$in2[1],0b00
-+    vmsumudm    $out,$t1,$t2,$vzero
-+    vmsumudm    $out,$in1[2],$in2[0],$out
-+    stxv        $out,32($outp)
-+
-+    xxpermdi    $t2,$in2[1],$in2[0],0b00
-+    xxpermdi    $t3,$in1[2],$in1[3],0b00
-+    xxpermdi    $t4,$in2[3],$in2[2],0b00
-+    vmsumudm    $out,$t1,$t4,$vzero
-+    vmsumudm    $out,$t3,$t2,$out
-+    stxv        $out,48($outp)
-+
-+    xxpermdi    $t2,$in2[4],$in2[3],0b00
-+    xxpermdi    $t4,$in2[2],$in2[1],0b00
-+    vmsumudm    $out,$t1,$t2,$vzero
-+    vmsumudm    $out,$t3,$t4,$out
-+    vmsumudm    $out,$in1[4],$in2[0],$out
-+    stxv        $out,64($outp)
-+
-+    xxpermdi    $t2,$in2[5],$in2[4],0b00
-+    xxpermdi    $t4,$in2[3],$in2[2],0b00
-+    vmsumudm    $out,$t1,$t2,$vzero
-+    vmsumudm    $out,$t3,$t4,$out
-+    xxpermdi    $t4,$in2[1],$in2[0],0b00
-+    xxpermdi    $t1,$in1[4],$in1[5],0b00
-+    vmsumudm    $out,$t1,$t4,$out
-+    stxv        $out,80($outp)
-+
-+    xxpermdi    $t1,$in1[0],$in1[1],0b00
-+    xxpermdi    $t2,$in2[6],$in2[5],0b00
-+    xxpermdi    $t4,$in2[4],$in2[3],0b00
-+    vmsumudm    $out,$t1,$t2,$vzero
-+    vmsumudm    $out,$t3,$t4,$out
-+    xxpermdi    $t2,$in2[2],$in2[1],0b00
-+    xxpermdi    $t1,$in1[4],$in1[5],0b00
-+    vmsumudm    $out,$t1,$t2,$out
-+    vmsumudm    $out,$in1[6],$in2[0],$out
-+    stxv        $out,96($outp)
-+
-+    xxpermdi    $t1,$in1[1],$in1[2],0b00
-+    xxpermdi    $t2,$in2[6],$in2[5],0b00
-+    xxpermdi    $t3,$in1[3],$in1[4],0b00
-+    vmsumudm    $out,$t1,$t2,$vzero
-+    vmsumudm    $out,$t3,$t4,$out
-+    xxpermdi    $t3,$in2[2],$in2[1],0b00
-+    xxpermdi    $t1,$in1[5],$in1[6],0b00
-+    vmsumudm    $out,$t1,$t3,$out
-+    stxv        $out,112($outp)
-+
-+    xxpermdi    $t1,$in1[2],$in1[3],0b00
-+    xxpermdi    $t3,$in1[4],$in1[5],0b00
-+    vmsumudm    $out,$t1,$t2,$vzero
-+    vmsumudm    $out,$t3,$t4,$out
-+    vmsumudm    $out,$in1[6],$in2[2],$out
-+    stxv        $out,128($outp)
-+
-+    xxpermdi    $t1,$in1[3],$in1[4],0b00
-+    vmsumudm    $out,$t1,$t2,$vzero
-+    xxpermdi    $t1,$in1[5],$in1[6],0b00
-+    vmsumudm    $out,$t1,$t4,$out
-+    stxv        $out,144($outp)
-+
-+    vmsumudm    $out,$t3,$t2,$vzero
-+    vmsumudm    $out,$in1[6],$in2[4],$out
-+    stxv        $out,160($outp)
-+
-+    vmsumudm    $out,$t1,$t2,$vzero
-+    stxv        $out,176($outp)
-+
-+    vmsumudm    $out,$in1[6],$in2[6],$vzero
-+    stxv        $out,192($outp)
-+___
-+
-+        endproc("p384_felem_mul");
-+    }
-+
-+    {
-+        #
-+        # p384_felem_square
-+        #
-+
-+        my ($inp) = ("r4");
-+        my @in = map("v$_",(44..50));
-+        my @inx2 = map("v$_",(35..41));
-+
-+        startproc("p384_felem_square");
-+
-+        push_vrs(52, 63);
-+
-+        $code.=<<___;
-+    vspltisw    $vzero,0
-+
-+___
-+
-+        load_vrs($inp, \@in);
-+
-+        $code.=<<___;
-+    li        $zero,0
-+    li        $one,1
-+    mtvsrdd        $t1,$one,$zero
-+___
-+
-+        for (my $i = 0; $i <= 6; $i++) {
-+            $code.=<<___;
-+    vsld        $inx2[$i],$in[$i],$t1
-+___
-+        }
-+
-+        $code.=<<___;
-+    vmsumudm    $out,$in[0],$in[0],$vzero
-+    stxv        $out,0($outp)
-+
-+    vmsumudm    $out,$in[0],$inx2[1],$vzero
-+    stxv        $out,16($outp)
-+
-+    vmsumudm    $out,$in[0],$inx2[2],$vzero
-+    vmsumudm    $out,$in[1],$in[1],$out
-+    stxv        $out,32($outp)
-+
-+    xxpermdi    $t1,$in[0],$in[1],0b00
-+    xxpermdi    $t2,$inx2[3],$inx2[2],0b00
-+    vmsumudm    $out,$t1,$t2,$vzero
-+    stxv        $out,48($outp)
-+
-+    xxpermdi    $t4,$inx2[4],$inx2[3],0b00
-+    vmsumudm    $out,$t1,$t4,$vzero
-+    vmsumudm    $out,$in[2],$in[2],$out
-+    stxv        $out,64($outp)
-+
-+    xxpermdi    $t2,$inx2[5],$inx2[4],0b00
-+    vmsumudm    $out,$t1,$t2,$vzero
-+    vmsumudm    $out,$in[2],$inx2[3],$out
-+    stxv        $out,80($outp)
-+
-+    xxpermdi    $t2,$inx2[6],$inx2[5],0b00
-+    vmsumudm    $out,$t1,$t2,$vzero
-+    vmsumudm    $out,$in[2],$inx2[4],$out
-+    vmsumudm    $out,$in[3],$in[3],$out
-+    stxv        $out,96($outp)
-+
-+    xxpermdi    $t3,$in[1],$in[2],0b00
-+    vmsumudm    $out,$t3,$t2,$vzero
-+    vmsumudm    $out,$in[3],$inx2[4],$out
-+    stxv        $out,112($outp)
-+
-+    xxpermdi    $t1,$in[2],$in[3],0b00
-+    vmsumudm    $out,$t1,$t2,$vzero
-+    vmsumudm    $out,$in[4],$in[4],$out
-+    stxv        $out,128($outp)
-+
-+    xxpermdi    $t1,$in[3],$in[4],0b00
-+    vmsumudm    $out,$t1,$t2,$vzero
-+    stxv        $out,144($outp)
-+
-+    vmsumudm    $out,$in[4],$inx2[6],$vzero
-+    vmsumudm    $out,$in[5],$in[5],$out
-+    stxv        $out,160($outp)
-+
-+    vmsumudm    $out,$in[5],$inx2[6],$vzero
-+    stxv        $out,176($outp)
-+
-+    vmsumudm    $out,$in[6],$in[6],$vzero
-+    stxv        $out,192($outp)
-+___
-+
-+        endproc("p384_felem_square");
-+    }
-+}
-+
-+$code =~ s/\`([^\`]*)\`/eval $1/gem;
-+print $code;
-+close STDOUT or die "error closing STDOUT: $!";
-diff --git a/crypto/ec/build.info b/crypto/ec/build.info
-index 1fa60a1deddd..4077bead7bdb 100644
---- a/crypto/ec/build.info
-+++ b/crypto/ec/build.info
-@@ -39,8 +39,9 @@ IF[{- !$disabled{asm} -}]
-   $ECASM_ppc64=ecp_nistz256.c ecp_ppc.c ecp_nistz256-ppc64.s x25519-ppc64.s
-   $ECDEF_ppc64=ECP_NISTZ256_ASM X25519_ASM
-   IF[{- !$disabled{'ec_nistp_64_gcc_128'} -}]
--    $ECASM_ppc64=$ECASM_ppc64 ecp_nistp521-ppc64.s
--    $ECDEF_ppc64=$ECDEF_ppc64 ECP_NISTP521_ASM
-+    $ECASM_ppc64=$ECASM_ppc64 ecp_nistp384-ppc64.s ecp_nistp521-ppc64.s
-+    $ECDEF_ppc64=$ECDEF_ppc64 ECP_NISTP384_ASM ECP_NISTP521_ASM
-+    INCLUDE[ecp_nistp384.o]=..
-     INCLUDE[ecp_nistp521.o]=..
-   ENDIF
- 
-@@ -119,6 +120,7 @@ GENERATE[ecp_nistz256-armv8.S]=asm/ecp_nistz256-armv8.pl
- INCLUDE[ecp_nistz256-armv8.o]=..
- GENERATE[ecp_nistz256-ppc64.s]=asm/ecp_nistz256-ppc64.pl
- 
-+GENERATE[ecp_nistp384-ppc64.s]=asm/ecp_nistp384-ppc64.pl
- GENERATE[ecp_nistp521-ppc64.s]=asm/ecp_nistp521-ppc64.pl
- 
- GENERATE[x25519-x86_64.s]=asm/x25519-x86_64.pl
-diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c
-index a0559487ed4e..14f9530d07c6 100644
---- a/crypto/ec/ecp_nistp384.c
-+++ b/crypto/ec/ecp_nistp384.c
-@@ -691,6 +691,15 @@ void p384_felem_mul(widefelem out, const felem in1, const felem in2);
- 
- static void felem_select(void)
- {
-+# if defined(_ARCH_PPC64)
-+    if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) {
-+        felem_square_p = p384_felem_square;
-+        felem_mul_p = p384_felem_mul;
-+
-+        return;
-+    }
-+# endif
-+
-     /* Default */
-     felem_square_p = felem_square_ref;
-     felem_mul_p = felem_mul_ref;

openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch

@@ -1,76 +0,0 @@
-From 670e73d9084465384b11ef24802ca4a313e1d2f4 Mon Sep 17 00:00:00 2001
-From: Rohan McLure <rohanmclure@linux.ibm.com>
-Date: Tue, 15 Aug 2023 15:20:20 +1000
-Subject: [PATCH] ecc: Remove extraneous parentheses in secp384r1
-
-Substitutions in the felem_reduce() method feature unecessary
-parentheses, remove them.
-
-Signed-off-by: Rohan McLure <rohan.mclure@linux.ibm.com>
-
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
-Reviewed-by: Hugo Landau <hlandau@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/21749)
----
- crypto/ec/ecp_nistp384.c | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c
-index 14f9530d07c6..ff68f9cc7ad0 100644
---- a/crypto/ec/ecp_nistp384.c
-+++ b/crypto/ec/ecp_nistp384.c
-@@ -540,7 +540,7 @@ static void felem_reduce(felem out, const widefelem in)
-     acc[7] += in[12] >> 8;
-     acc[6] += (in[12] & 0xff) << 48;
-     acc[6] -= in[12] >> 16;
--    acc[5] -= ((in[12] & 0xffff) << 40);
-+    acc[5] -= (in[12] & 0xffff) << 40;
-     acc[6] += in[12] >> 48;
-     acc[5] += (in[12] & 0xffffffffffff) << 8;
- 
-@@ -549,7 +549,7 @@ static void felem_reduce(felem out, const widefelem in)
-     acc[6] += in[11] >> 8;
-     acc[5] += (in[11] & 0xff) << 48;
-     acc[5] -= in[11] >> 16;
--    acc[4] -= ((in[11] & 0xffff) << 40);
-+    acc[4] -= (in[11] & 0xffff) << 40;
-     acc[5] += in[11] >> 48;
-     acc[4] += (in[11] & 0xffffffffffff) << 8;
- 
-@@ -558,7 +558,7 @@ static void felem_reduce(felem out, const widefelem in)
-     acc[5] += in[10] >> 8;
-     acc[4] += (in[10] & 0xff) << 48;
-     acc[4] -= in[10] >> 16;
--    acc[3] -= ((in[10] & 0xffff) << 40);
-+    acc[3] -= (in[10] & 0xffff) << 40;
-     acc[4] += in[10] >> 48;
-     acc[3] += (in[10] & 0xffffffffffff) << 8;
- 
-@@ -567,7 +567,7 @@ static void felem_reduce(felem out, const widefelem in)
-     acc[4] += in[9] >> 8;
-     acc[3] += (in[9] & 0xff) << 48;
-     acc[3] -= in[9] >> 16;
--    acc[2] -= ((in[9] & 0xffff) << 40);
-+    acc[2] -= (in[9] & 0xffff) << 40;
-     acc[3] += in[9] >> 48;
-     acc[2] += (in[9] & 0xffffffffffff) << 8;
- 
-@@ -582,7 +582,7 @@ static void felem_reduce(felem out, const widefelem in)
-     acc[3] += acc[8] >> 8;
-     acc[2] += (acc[8] & 0xff) << 48;
-     acc[2] -= acc[8] >> 16;
--    acc[1] -= ((acc[8] & 0xffff) << 40);
-+    acc[1] -= (acc[8] & 0xffff) << 40;
-     acc[2] += acc[8] >> 48;
-     acc[1] += (acc[8] & 0xffffffffffff) << 8;
- 
-@@ -591,7 +591,7 @@ static void felem_reduce(felem out, const widefelem in)
-     acc[2] += acc[7] >> 8;
-     acc[1] += (acc[7] & 0xff) << 48;
-     acc[1] -= acc[7] >> 16;
--    acc[0] -= ((acc[7] & 0xffff) << 40);
-+    acc[0] -= (acc[7] & 0xffff) << 40;
-     acc[1] += acc[7] >> 48;
-     acc[0] += (acc[7] & 0xffffffffffff) << 8;
- 

openssl-pbkdf2-Set-indicator-if-pkcs5-param-disabled-checks.patch

@@ -1,75 +0,0 @@
-From 48c763ed9cc889806bc01222382ce6f918a408a2 Mon Sep 17 00:00:00 2001
-From: Dmitry Belyavskiy <dbelyavs@redhat.com>
-Date: Mon, 21 Aug 2023 16:12:33 +0200
-Subject: [PATCH 46/48] 
- 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
-
-Patch-name: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
-Patch-id: 112
----
- providers/implementations/kdfs/pbkdf2.c | 40 +++++++++++++++++++++++--
- 1 file changed, 37 insertions(+), 3 deletions(-)
-
-diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
-index 11820d1e69..bae2238ab5 100644
---- a/providers/implementations/kdfs/pbkdf2.c
-+++ b/providers/implementations/kdfs/pbkdf2.c
-@@ -284,11 +284,42 @@ static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *ctx,
- 
- static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[])
- {
-+#ifdef FIPS_MODULE
-+    KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx;
-+#endif /* defined(FIPS_MODULE) */
-     OSSL_PARAM *p;
-+    int any_valid = 0; /* set to 1 when at least one parameter was valid */
-+
-+    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
-+        any_valid = 1;
-+
-+        if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
-+            return 0;
-+    }
-+
-+#ifdef FIPS_MODULE
-+    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR))
-+            != NULL) {
-+        int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
-+
-+        /* The lower_bound_checks parameter enables checks required by FIPS. If
-+         * those checks are disabled, the PBKDF2 implementation will also
-+         * support non-approved parameters (e.g., salt lengths < 16 bytes, see
-+         * NIST SP 800-132 section 5.1). */
-+        if (!ctx->lower_bound_checks)
-+            fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
- 
--    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
--        return OSSL_PARAM_set_size_t(p, SIZE_MAX);
--    return -2;
-+        if (!OSSL_PARAM_set_int(p, fips_indicator))
-+            return 0;
-+
-+        any_valid = 1;
-+    }
-+#endif /* defined(FIPS_MODULE) */
-+
-+    if (!any_valid)
-+        return -2;
-+
-+    return 1;
- }
- 
- static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
-@@ -296,6 +327,9 @@ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
- {
-     static const OSSL_PARAM known_gettable_ctx_params[] = {
-         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
-+#ifdef FIPS_MODULE
-+        OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, NULL),
-+#endif /* defined(FIPS_MODULE) */
-         OSSL_PARAM_END
-     };
-     return known_gettable_ctx_params;
--- 
-2.41.0
-

openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch

@@ -1,96 +0,0 @@
-From 50f8b936b00dc18ce1f622a7a6aa46daf03da48b Mon Sep 17 00:00:00 2001
-From: Rohan McLure <rohanmclure@linux.ibm.com>
-Date: Wed, 16 Aug 2023 16:52:47 +1000
-Subject: [PATCH] powerpc: ecc: Fix stack allocation secp384r1 asm
-
-Assembly acceleration secp384r1 opts to not use any callee-save VSRs, as
-VSX enabled systems make extensive use of renaming, and so writebacks in
-felem_{mul,square}() can be reordered for best cache effects.
-
-Remove stack allocations. This in turn fixes unmatched push/pops in
-felem_{mul,square}().
-
-Signed-off-by: Rohan McLure <rohan.mclure@linux.ibm.com>
-
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
-Reviewed-by: Hugo Landau <hlandau@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/21749)
----
- crypto/ec/asm/ecp_nistp384-ppc64.pl | 49 -----------------------------
- 1 file changed, 49 deletions(-)
-
-diff --git a/crypto/ec/asm/ecp_nistp384-ppc64.pl b/crypto/ec/asm/ecp_nistp384-ppc64.pl
-index 3f86b391af69..28f4168e5218 100755
---- a/crypto/ec/asm/ecp_nistp384-ppc64.pl
-+++ b/crypto/ec/asm/ecp_nistp384-ppc64.pl
-@@ -62,51 +62,6 @@ ($)
- ___
- }
- 
--
--sub push_vrs($$)
--{
--    my ($min, $max) = @_;
--
--    my $count = $max - $min + 1;
--
--    $code.=<<___;
--    mr      $savesp,$sp
--    stdu        $sp,-16*`$count+1`($sp)
--
--___
--        for (my $i = $min; $i <= $max; $i++) {
--            my $mult = $max - $i + 1;
--            $code.=<<___;
--    stxv        $i,-16*$mult($savesp)
--___
--
--    }
--
--    $code.=<<___;
--
--___
--}
--
--sub pop_vrs($$)
--{
--    my ($min, $max) = @_;
--
--    $code.=<<___;
--    ld      $savesp,0($sp)
--___
--    for (my $i = $min; $i <= $max; $i++) {
--        my $mult = $max - $i + 1;
--        $code.=<<___;
--    lxv     $i,-16*$mult($savesp)
--___
--    }
--
--    $code.=<<___;
--    mr      $sp,$savesp
--
--___
--}
--
- sub load_vrs($$)
- {
-     my ($pointer, $reg_list) = @_;
-@@ -162,8 +117,6 @@ ($$)
- 
-         startproc("p384_felem_mul");
- 
--        push_vrs(52, 63);
--
-         $code.=<<___;
-     vspltisw    $vzero,0
- 
-@@ -268,8 +221,6 @@ ($$)
- 
-         startproc("p384_felem_square");
- 
--        push_vrs(52, 63);
--
-         $code.=<<___;
-     vspltisw    $vzero,0
- 

openssl-rh-allow-sha1-signatures.patch

@@ -1,54 +0,0 @@
-Index: openssl-3.5.0/crypto/evp/evp_cnf.c
-===================================================================
---- openssl-3.5.0.orig/crypto/evp/evp_cnf.c
-+++ openssl-3.5.0/crypto/evp/evp_cnf.c
-@@ -10,6 +10,7 @@
- #include <stdio.h>
- #include <openssl/crypto.h>
- #include "internal/cryptlib.h"
-+#include "internal/sslconf.h"
- #include <openssl/conf.h>
- #include <openssl/x509.h>
- #include <openssl/x509v3.h>
-@@ -57,6 +58,15 @@ static int alg_module_init(CONF_IMODULE
-                 ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
-                 return 0;
-             }
-+	} else if (strcmp(oval->name, "rh-allow-sha1-signatures") == 0) {
-+            int m;
-+
-+            /* Detailed error already reported. */
-+            if (!X509V3_get_value_bool(oval, &m))
-+                return 0;
-+
-+            /* NO-OP */
-+
-         } else {
-             ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
-                            "name=%s, value=%s", oval->name, oval->value);
-Index: openssl-3.5.0/doc/man5/config.pod
-===================================================================
---- openssl-3.5.0.orig/doc/man5/config.pod
-+++ openssl-3.5.0/doc/man5/config.pod
-@@ -315,6 +315,21 @@ Within the algorithm properties section,
- The value may be anything that is acceptable as a property query
- string for EVP_set_default_properties().
- 
-+=item B<rh-allow-sha1-signatures> (NOOP)
-+
-+The value is a boolean that can be B<yes> or B<no>.  If the value is not set,
-+it behaves as if it was set to B<yes>.
-+
-+When set to B<no>, any attempt to create or verify a signature with a SHA1
-+digest will fail.  To test whether your software will work with future versions
-+of OpenSSL, set this option to B<no>.  This setting also affects TLS, where
-+signature algorithms that use SHA1 as digest will no longer be supported if
-+this option is set to B<no>.  Because TLS 1.1 or lower use MD5-SHA1 as
-+pseudorandom function (PRF) to derive key material, disabling
-+B<rh-allow-sha1-signatures> requires the use of TLS 1.2 or newer.
-+
-+This option is not implemented in this build.
-+
- =item B<fips_mode> (deprecated)
- 
- The value is a boolean that can be B<yes> or B<no>.  If the value is

reproducible.patch

@@ -1,929 +0,0 @@
-commit 0fbc50ef0cb8894973d4739af62e95be825b7ccf
-Author: trigpolynom <trigpolynom@gmail.com>
-Date:   Tue Oct 17 22:44:45 2023 -0400
-
-    aes-gcm-avx512.pl: fix non-reproducibility issue
-    
-    Replace the random suffix with a counter, to make the
-    build reproducible.
-    
-    Fixes #20954
-    
-    Reviewed-by: Richard Levitte <levitte@openssl.org>
-    Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
-    Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
-    Reviewed-by: Hugo Landau <hlandau@openssl.org>
-    (Merged from https://github.com/openssl/openssl/pull/22415)
-
-diff --git a/crypto/modes/asm/aes-gcm-avx512.pl b/crypto/modes/asm/aes-gcm-avx512.pl
-index afd2af941a..9f9124373b 100644
---- a/crypto/modes/asm/aes-gcm-avx512.pl
-+++ b/crypto/modes/asm/aes-gcm-avx512.pl
-@@ -155,6 +155,9 @@ my $STACK_LOCAL_OFFSET = ($STACK_HKEYS_OFFSET + $HKEYS_STORAGE);
- # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
- my ($arg1, $arg2, $arg3, $arg4, $arg5, $arg6, $arg7, $arg8, $arg9, $arg10, $arg11);
- 
-+# ; Counter used for assembly label generation
-+my $label_count = 0;
-+
- # ; This implementation follows the convention: for non-leaf functions (they
- # ; must call PROLOG) %rbp is used as a frame pointer, and has fixed offset from
- # ; the function entry: $GP_STORAGE + [8 bytes alignment (Windows only)].  This
-@@ -200,15 +203,6 @@ my $CTX_OFFSET_HTable    = (16 * 6);          #  ; (Htable) Precomputed table (a
- # ;;; Helper functions
- # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
- 
--# ; Generates "random" local labels
--sub random_string() {
--  my @chars  = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '_');
--  my $length = 15;
--  my $str;
--  map { $str .= $chars[rand(33)] } 1 .. $length;
--  return $str;
--}
--
- sub BYTE {
-   my ($reg) = @_;
-   if ($reg =~ /%r[abcd]x/i) {
-@@ -417,7 +411,7 @@ ___
- sub EPILOG {
-   my ($hkeys_storage_on_stack, $payload_len) = @_;
- 
--  my $rndsuffix = &random_string();
-+  my $label_suffix = $label_count++;
- 
-   if ($hkeys_storage_on_stack && $CLEAR_HKEYS_STORAGE_ON_EXIT) {
- 
-@@ -425,13 +419,13 @@ sub EPILOG {
-     # ; were stored in the local frame storage
-     $code .= <<___;
-         cmpq              \$`16*16`,$payload_len
--        jbe               .Lskip_hkeys_cleanup_${rndsuffix}
-+        jbe               .Lskip_hkeys_cleanup_${label_suffix}
-         vpxor             %xmm0,%xmm0,%xmm0
- ___
-     for (my $i = 0; $i < int($HKEYS_STORAGE / 64); $i++) {
-       $code .= "vmovdqa64         %zmm0,`$STACK_HKEYS_OFFSET + 64*$i`(%rsp)\n";
-     }
--    $code .= ".Lskip_hkeys_cleanup_${rndsuffix}:\n";
-+    $code .= ".Lskip_hkeys_cleanup_${label_suffix}:\n";
-   }
- 
-   if ($CLEAR_SCRATCH_REGISTERS) {
-@@ -537,11 +531,11 @@ sub precompute_hkeys_on_stack {
-     && $HKEYS_RANGE ne "first32"
-     && $HKEYS_RANGE ne "last32");
- 
--  my $rndsuffix = &random_string();
-+  my $label_suffix = $label_count++;
- 
-   $code .= <<___;
-         test              $HKEYS_READY,$HKEYS_READY
--        jnz               .L_skip_hkeys_precomputation_${rndsuffix}
-+        jnz               .L_skip_hkeys_precomputation_${label_suffix}
- ___
- 
-   if ($HKEYS_RANGE eq "first16" || $HKEYS_RANGE eq "first32" || $HKEYS_RANGE eq "all") {
-@@ -615,7 +609,7 @@ ___
-     }
-   }
- 
--  $code .= ".L_skip_hkeys_precomputation_${rndsuffix}:\n";
-+  $code .= ".L_skip_hkeys_precomputation_${label_suffix}:\n";
- }
- 
- # ;; =============================================================================
-@@ -1418,20 +1412,20 @@ sub CALC_AAD_HASH {
- 
-   my $SHFMSK = $ZT13;
- 
--  my $rndsuffix = &random_string();
-+  my $label_suffix = $label_count++;
- 
-   $code .= <<___;
-         mov               $A_IN,$T1      # ; T1 = AAD
-         mov               $A_LEN,$T2     # ; T2 = aadLen
-         or                $T2,$T2
--        jz                .L_CALC_AAD_done_${rndsuffix}
-+        jz                .L_CALC_AAD_done_${label_suffix}
- 
-         xor               $HKEYS_READY,$HKEYS_READY
-         vmovdqa64         SHUF_MASK(%rip),$SHFMSK
- 
--.L_get_AAD_loop48x16_${rndsuffix}:
-+.L_get_AAD_loop48x16_${label_suffix}:
-         cmp               \$`(48*16)`,$T2
--        jl                .L_exit_AAD_loop48x16_${rndsuffix}
-+        jl                .L_exit_AAD_loop48x16_${label_suffix}
- ___
- 
-   $code .= <<___;
-@@ -1499,15 +1493,15 @@ ___
- 
-   $code .= <<___;
-         sub               \$`(48*16)`,$T2
--        je                .L_CALC_AAD_done_${rndsuffix}
-+        je                .L_CALC_AAD_done_${label_suffix}
- 
-         add               \$`(48*16)`,$T1
--        jmp               .L_get_AAD_loop48x16_${rndsuffix}
-+        jmp               .L_get_AAD_loop48x16_${label_suffix}
- 
--.L_exit_AAD_loop48x16_${rndsuffix}:
-+.L_exit_AAD_loop48x16_${label_suffix}:
-         # ; Less than 48x16 bytes remaining
-         cmp               \$`(32*16)`,$T2
--        jl                .L_less_than_32x16_${rndsuffix}
-+        jl                .L_less_than_32x16_${label_suffix}
- ___
- 
-   $code .= <<___;
-@@ -1556,14 +1550,14 @@ ___
- 
-   $code .= <<___;
-         sub               \$`(32*16)`,$T2
--        je                .L_CALC_AAD_done_${rndsuffix}
-+        je                .L_CALC_AAD_done_${label_suffix}
- 
-         add               \$`(32*16)`,$T1
--        jmp               .L_less_than_16x16_${rndsuffix}
-+        jmp               .L_less_than_16x16_${label_suffix}
- 
--.L_less_than_32x16_${rndsuffix}:
-+.L_less_than_32x16_${label_suffix}:
-         cmp               \$`(16*16)`,$T2
--        jl                .L_less_than_16x16_${rndsuffix}
-+        jl                .L_less_than_16x16_${label_suffix}
-         # ; Get next 16 blocks
-         vmovdqu64         `64*0`($T1),$ZT1
-         vmovdqu64         `64*1`($T1),$ZT2
-@@ -1588,11 +1582,11 @@ ___
- 
-   $code .= <<___;
-         sub               \$`(16*16)`,$T2
--        je                .L_CALC_AAD_done_${rndsuffix}
-+        je                .L_CALC_AAD_done_${label_suffix}
- 
-         add               \$`(16*16)`,$T1
-         # ; Less than 16x16 bytes remaining
--.L_less_than_16x16_${rndsuffix}:
-+.L_less_than_16x16_${label_suffix}:
-         # ;; prep mask source address
-         lea               byte64_len_to_mask_table(%rip),$T3
-         lea               ($T3,$T2,8),$T3
-@@ -1601,28 +1595,28 @@ ___
-         add               \$15,@{[DWORD($T2)]}
-         shr               \$4,@{[DWORD($T2)]}
-         cmp               \$2,@{[DWORD($T2)]}
--        jb                .L_AAD_blocks_1_${rndsuffix}
--        je                .L_AAD_blocks_2_${rndsuffix}
-+        jb                .L_AAD_blocks_1_${label_suffix}
-+        je                .L_AAD_blocks_2_${label_suffix}
-         cmp               \$4,@{[DWORD($T2)]}
--        jb                .L_AAD_blocks_3_${rndsuffix}
--        je                .L_AAD_blocks_4_${rndsuffix}
-+        jb                .L_AAD_blocks_3_${label_suffix}
-+        je                .L_AAD_blocks_4_${label_suffix}
-         cmp               \$6,@{[DWORD($T2)]}
--        jb                .L_AAD_blocks_5_${rndsuffix}
--        je                .L_AAD_blocks_6_${rndsuffix}
-+        jb                .L_AAD_blocks_5_${label_suffix}
-+        je                .L_AAD_blocks_6_${label_suffix}
-         cmp               \$8,@{[DWORD($T2)]}
--        jb                .L_AAD_blocks_7_${rndsuffix}
--        je                .L_AAD_blocks_8_${rndsuffix}
-+        jb                .L_AAD_blocks_7_${label_suffix}
-+        je                .L_AAD_blocks_8_${label_suffix}
-         cmp               \$10,@{[DWORD($T2)]}
--        jb                .L_AAD_blocks_9_${rndsuffix}
--        je                .L_AAD_blocks_10_${rndsuffix}
-+        jb                .L_AAD_blocks_9_${label_suffix}
-+        je                .L_AAD_blocks_10_${label_suffix}
-         cmp               \$12,@{[DWORD($T2)]}
--        jb                .L_AAD_blocks_11_${rndsuffix}
--        je                .L_AAD_blocks_12_${rndsuffix}
-+        jb                .L_AAD_blocks_11_${label_suffix}
-+        je                .L_AAD_blocks_12_${label_suffix}
-         cmp               \$14,@{[DWORD($T2)]}
--        jb                .L_AAD_blocks_13_${rndsuffix}
--        je                .L_AAD_blocks_14_${rndsuffix}
-+        jb                .L_AAD_blocks_13_${label_suffix}
-+        je                .L_AAD_blocks_14_${label_suffix}
-         cmp               \$15,@{[DWORD($T2)]}
--        je                .L_AAD_blocks_15_${rndsuffix}
-+        je                .L_AAD_blocks_15_${label_suffix}
- ___
- 
-   # ;; fall through for 16 blocks
-@@ -1635,7 +1629,7 @@ ___
-   # ;; - jump to reduction code
- 
-   for (my $aad_blocks = 16; $aad_blocks > 0; $aad_blocks--) {
--    $code .= ".L_AAD_blocks_${aad_blocks}_${rndsuffix}:\n";
-+    $code .= ".L_AAD_blocks_${aad_blocks}_${label_suffix}:\n";
-     if ($aad_blocks > 12) {
-       $code .= "sub               \$`12*16*8`, $T3\n";
-     } elsif ($aad_blocks > 8) {
-@@ -1656,11 +1650,11 @@ ___
-     if ($aad_blocks > 1) {
- 
-       # ;; fall through to CALC_AAD_done in 1 block case
--      $code .= "jmp           .L_CALC_AAD_done_${rndsuffix}\n";
-+      $code .= "jmp           .L_CALC_AAD_done_${label_suffix}\n";
-     }
- 
-   }
--  $code .= ".L_CALC_AAD_done_${rndsuffix}:\n";
-+  $code .= ".L_CALC_AAD_done_${label_suffix}:\n";
- 
-   # ;; result in AAD_HASH
- }
-@@ -1710,13 +1704,13 @@ sub PARTIAL_BLOCK {
-   my $IA1    = $GPTMP2;
-   my $IA2    = $GPTMP0;
- 
--  my $rndsuffix = &random_string();
-+  my $label_suffix = $label_count++;
- 
-   $code .= <<___;
-         # ;; if no partial block present then LENGTH/DATA_OFFSET will be set to zero
-         mov             ($PBLOCK_LEN),$LENGTH
-         or              $LENGTH,$LENGTH
--        je              .L_partial_block_done_${rndsuffix}         #  ;Leave Macro if no partial blocks
-+        je              .L_partial_block_done_${label_suffix}         #  ;Leave Macro if no partial blocks
- ___
- 
-   &READ_SMALL_DATA_INPUT($XTMP0, $PLAIN_CIPH_IN, $PLAIN_CIPH_LEN, $IA0, $IA2, $MASKREG);
-@@ -1755,9 +1749,9 @@ ___
-   }
-   $code .= <<___;
-         sub               \$16,$IA1
--        jge               .L_no_extra_mask_${rndsuffix}
-+        jge               .L_no_extra_mask_${label_suffix}
-         sub               $IA1,$IA0
--.L_no_extra_mask_${rndsuffix}:
-+.L_no_extra_mask_${label_suffix}:
-         # ;; get the appropriate mask to mask out bottom $LENGTH bytes of $XTMP1
-         # ;; - mask out bottom $LENGTH bytes of $XTMP1
-         # ;; sizeof(SHIFT_MASK) == 16 bytes
-@@ -1781,7 +1775,7 @@ ___
-   }
-   $code .= <<___;
-         cmp               \$0,$IA1
--        jl                .L_partial_incomplete_${rndsuffix}
-+        jl                .L_partial_incomplete_${label_suffix}
- ___
- 
-   # ;; GHASH computation for the last <16 Byte block
-@@ -1793,9 +1787,9 @@ ___
-         mov               $LENGTH,$IA0
-         mov               \$16,$LENGTH
-         sub               $IA0,$LENGTH
--        jmp               .L_enc_dec_done_${rndsuffix}
-+        jmp               .L_enc_dec_done_${label_suffix}
- 
--.L_partial_incomplete_${rndsuffix}:
-+.L_partial_incomplete_${label_suffix}:
- ___
-   if ($win64) {
-     $code .= <<___;
-@@ -1808,7 +1802,7 @@ ___
-   $code .= <<___;
-         mov               $PLAIN_CIPH_LEN,$LENGTH
- 
--.L_enc_dec_done_${rndsuffix}:
-+.L_enc_dec_done_${label_suffix}:
-         # ;; output encrypted Bytes
- 
-         lea               byte_len_to_mask_table(%rip),$IA0
-@@ -1826,7 +1820,7 @@ ___
-   $code .= <<___;
-         mov               $CIPH_PLAIN_OUT,$IA0
-         vmovdqu8          $XTMP1,($IA0){$MASKREG}
--.L_partial_block_done_${rndsuffix}:
-+.L_partial_block_done_${label_suffix}:
- ___
- }
- 
-@@ -2016,7 +2010,7 @@ sub INITIAL_BLOCKS_PARTIAL_GHASH {
-   my $GM              = $_[23];    # [in] ZMM with mid prodcut part
-   my $GL              = $_[24];    # [in] ZMM with lo product part
- 
--  my $rndsuffix = &random_string();
-+  my $label_suffix = $label_count++;
- 
-   # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-   # ;;; - Hash all but the last partial block of data
-@@ -2034,7 +2028,7 @@ sub INITIAL_BLOCKS_PARTIAL_GHASH {
-         # ;; NOTE: the 'jl' is always taken for num_initial_blocks = 16.
-         # ;;      This is run in the context of GCM_ENC_DEC_SMALL for length < 256.
-         cmp               \$16,$LENGTH
--        jl                .L_small_initial_partial_block_${rndsuffix}
-+        jl                .L_small_initial_partial_block_${label_suffix}
- 
-         # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-         # ;;; Handle a full length final block - encrypt and hash all blocks
-@@ -2056,11 +2050,11 @@ ___
-       &GHASH_1_TO_16($GCM128_CTX, $HASH_IN_OUT, $ZT0, $ZT1, $ZT2, $ZT3, $ZT4,
-         $ZT5, $ZT6, $ZT7, $ZT8, &ZWORD($HASH_IN_OUT), $DAT0, $DAT1, $DAT2, $DAT3, $NUM_BLOCKS, $GH, $GM, $GL);
-     }
--    $code .= "jmp           .L_small_initial_compute_done_${rndsuffix}\n";
-+    $code .= "jmp           .L_small_initial_compute_done_${label_suffix}\n";
-   }
- 
-   $code .= <<___;
--.L_small_initial_partial_block_${rndsuffix}:
-+.L_small_initial_partial_block_${label_suffix}:
- 
-         # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-         # ;;; Handle ghash for a <16B final block
-@@ -2125,7 +2119,7 @@ ___
-         # ;; a partial block of data, so xor that into the hash.
-         vpxorq            $LAST_GHASH_BLK,$HASH_IN_OUT,$HASH_IN_OUT
-         # ;; The result is in $HASH_IN_OUT
--        jmp               .L_after_reduction_${rndsuffix}
-+        jmp               .L_after_reduction_${label_suffix}
- ___
-   }
- 
-@@ -2133,7 +2127,7 @@ ___
-   # ;;; After GHASH reduction
-   # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
- 
--  $code .= ".L_small_initial_compute_done_${rndsuffix}:\n";
-+  $code .= ".L_small_initial_compute_done_${label_suffix}:\n";
- 
-   # ;; If using init/update/finalize, we need to xor any partial block data
-   # ;; into the hash.
-@@ -2144,13 +2138,13 @@ ___
-       $code .= <<___;
-         # ;; NOTE: for $NUM_BLOCKS = 16, $LENGTH, stored in [PBlockLen] is never zero
-         or                $LENGTH,$LENGTH
--        je                .L_after_reduction_${rndsuffix}
-+        je                .L_after_reduction_${label_suffix}
- ___
-     }
-     $code .= "vpxorq            $LAST_GHASH_BLK,$HASH_IN_OUT,$HASH_IN_OUT\n";
-   }
- 
--  $code .= ".L_after_reduction_${rndsuffix}:\n";
-+  $code .= ".L_after_reduction_${label_suffix}:\n";
- 
-   # ;; Final hash is now in HASH_IN_OUT
- }
-@@ -2266,7 +2260,7 @@ sub GHASH_16_ENCRYPT_N_GHASH_N {
-   die "GHASH_16_ENCRYPT_N_GHASH_N: num_blocks is out of bounds = $NUM_BLOCKS\n"
-     if ($NUM_BLOCKS > 16 || $NUM_BLOCKS < 0);
- 
--  my $rndsuffix = &random_string();
-+  my $label_suffix = $label_count++;
- 
-   my $GH1H = $HASH_IN_OUT;
- 
-@@ -2326,16 +2320,16 @@ ___
- 
-   $code .= <<___;
-         cmp               \$`(256 - $NUM_BLOCKS)`,@{[DWORD($CTR_CHECK)]}
--        jae               .L_16_blocks_overflow_${rndsuffix}
-+        jae               .L_16_blocks_overflow_${label_suffix}
- ___
- 
-   &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
-     $NUM_BLOCKS, "vpaddd", $B00_03, $B04_07,     $B08_11,    $B12_15,    $CTR_BE,
-     $B00_03,     $B04_07,  $B08_11, $ADDBE_1234, $ADDBE_4x4, $ADDBE_4x4, $ADDBE_4x4);
-   $code .= <<___;
--        jmp               .L_16_blocks_ok_${rndsuffix}
-+        jmp               .L_16_blocks_ok_${label_suffix}
- 
--.L_16_blocks_overflow_${rndsuffix}:
-+.L_16_blocks_overflow_${label_suffix}:
-         vpshufb           $SHFMSK,$CTR_BE,$CTR_BE
-         vpaddd            ddq_add_1234(%rip),$CTR_BE,$B00_03
- ___
-@@ -2355,7 +2349,7 @@ ___
-     $NUM_BLOCKS, "vpshufb", $B00_03, $B04_07, $B08_11, $B12_15, $B00_03,
-     $B04_07,     $B08_11,   $B12_15, $SHFMSK, $SHFMSK, $SHFMSK, $SHFMSK);
-   $code .= <<___;
--.L_16_blocks_ok_${rndsuffix}:
-+.L_16_blocks_ok_${label_suffix}:
- 
-         # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-         # ;; - pre-load constants
-@@ -2805,53 +2799,53 @@ sub GCM_ENC_DEC_LAST {
-   my $MASKREG            = $_[44];    # [clobbered] mask register
-   my $PBLOCK_LEN         = $_[45];    # [in] partial block length
- 
--  my $rndsuffix = &random_string();
-+  my $label_suffix = $label_count++;
- 
-   $code .= <<___;
-         mov               @{[DWORD($LENGTH)]},@{[DWORD($IA0)]}
-         add               \$15,@{[DWORD($IA0)]}
-         shr               \$4,@{[DWORD($IA0)]}
--        je                .L_last_num_blocks_is_0_${rndsuffix}
-+        je                .L_last_num_blocks_is_0_${label_suffix}
- 
-         cmp               \$8,@{[DWORD($IA0)]}
--        je                .L_last_num_blocks_is_8_${rndsuffix}
--        jb                .L_last_num_blocks_is_7_1_${rndsuffix}
-+        je                .L_last_num_blocks_is_8_${label_suffix}
-+        jb                .L_last_num_blocks_is_7_1_${label_suffix}
- 
- 
-         cmp               \$12,@{[DWORD($IA0)]}
--        je                .L_last_num_blocks_is_12_${rndsuffix}
--        jb                .L_last_num_blocks_is_11_9_${rndsuffix}
-+        je                .L_last_num_blocks_is_12_${label_suffix}
-+        jb                .L_last_num_blocks_is_11_9_${label_suffix}
- 
-         # ;; 16, 15, 14 or 13
-         cmp               \$15,@{[DWORD($IA0)]}
--        je                .L_last_num_blocks_is_15_${rndsuffix}
--        ja                .L_last_num_blocks_is_16_${rndsuffix}
-+        je                .L_last_num_blocks_is_15_${label_suffix}
-+        ja                .L_last_num_blocks_is_16_${label_suffix}
-         cmp               \$14,@{[DWORD($IA0)]}
--        je                .L_last_num_blocks_is_14_${rndsuffix}
--        jmp               .L_last_num_blocks_is_13_${rndsuffix}
-+        je                .L_last_num_blocks_is_14_${label_suffix}
-+        jmp               .L_last_num_blocks_is_13_${label_suffix}
- 
--.L_last_num_blocks_is_11_9_${rndsuffix}:
-+.L_last_num_blocks_is_11_9_${label_suffix}:
-         # ;; 11, 10 or 9
-         cmp               \$10,@{[DWORD($IA0)]}
--        je                .L_last_num_blocks_is_10_${rndsuffix}
--        ja                .L_last_num_blocks_is_11_${rndsuffix}
--        jmp               .L_last_num_blocks_is_9_${rndsuffix}
-+        je                .L_last_num_blocks_is_10_${label_suffix}
-+        ja                .L_last_num_blocks_is_11_${label_suffix}
-+        jmp               .L_last_num_blocks_is_9_${label_suffix}
- 
--.L_last_num_blocks_is_7_1_${rndsuffix}:
-+.L_last_num_blocks_is_7_1_${label_suffix}:
-         cmp               \$4,@{[DWORD($IA0)]}
--        je                .L_last_num_blocks_is_4_${rndsuffix}
--        jb                .L_last_num_blocks_is_3_1_${rndsuffix}
-+        je                .L_last_num_blocks_is_4_${label_suffix}
-+        jb                .L_last_num_blocks_is_3_1_${label_suffix}
-         # ;; 7, 6 or 5
-         cmp               \$6,@{[DWORD($IA0)]}
--        ja                .L_last_num_blocks_is_7_${rndsuffix}
--        je                .L_last_num_blocks_is_6_${rndsuffix}
--        jmp               .L_last_num_blocks_is_5_${rndsuffix}
-+        ja                .L_last_num_blocks_is_7_${label_suffix}
-+        je                .L_last_num_blocks_is_6_${label_suffix}
-+        jmp               .L_last_num_blocks_is_5_${label_suffix}
- 
--.L_last_num_blocks_is_3_1_${rndsuffix}:
-+.L_last_num_blocks_is_3_1_${label_suffix}:
-         # ;; 3, 2 or 1
-         cmp               \$2,@{[DWORD($IA0)]}
--        ja                .L_last_num_blocks_is_3_${rndsuffix}
--        je                .L_last_num_blocks_is_2_${rndsuffix}
-+        ja                .L_last_num_blocks_is_3_${label_suffix}
-+        je                .L_last_num_blocks_is_2_${label_suffix}
- ___
- 
-   # ;; fall through for `jmp .L_last_num_blocks_is_1`
-@@ -2859,7 +2853,7 @@ ___
-   # ;; Use rep to generate different block size variants
-   # ;; - one block size has to be the first one
-   for my $num_blocks (1 .. 16) {
--    $code .= ".L_last_num_blocks_is_${num_blocks}_${rndsuffix}:\n";
-+    $code .= ".L_last_num_blocks_is_${num_blocks}_${label_suffix}:\n";
-     &GHASH_16_ENCRYPT_N_GHASH_N(
-       $AES_KEYS,   $GCM128_CTX,  $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN,  $DATA_OFFSET,
-       $LENGTH,     $CTR_BE,      $CTR_CHECK,      $HASHKEY_OFFSET, $GHASHIN_BLK_OFFSET,
-@@ -2872,10 +2866,10 @@ ___
-       $ENC_DEC,    $HASH_IN_OUT, $IA0,            $IA1,            $MASKREG,
-       $num_blocks, $PBLOCK_LEN);
- 
--    $code .= "jmp           .L_last_blocks_done_${rndsuffix}\n";
-+    $code .= "jmp           .L_last_blocks_done_${label_suffix}\n";
-   }
- 
--  $code .= ".L_last_num_blocks_is_0_${rndsuffix}:\n";
-+  $code .= ".L_last_num_blocks_is_0_${label_suffix}:\n";
- 
-   # ;; if there is 0 blocks to cipher then there are only 16 blocks for ghash and reduction
-   # ;; - convert mid into end_reduce
-@@ -2891,7 +2885,7 @@ ___
-     $GHASHIN_BLK_OFFSET, 0, "%rsp", $HASHKEY_OFFSET, 0, $HASH_IN_OUT, $ZT00, $ZT01,
-     $ZT02, $ZT03, $ZT04, $ZT05, $ZT06, $ZT07, $ZT08, $ZT09);
- 
--  $code .= ".L_last_blocks_done_${rndsuffix}:\n";
-+  $code .= ".L_last_blocks_done_${label_suffix}:\n";
- }
- 
- # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-@@ -2985,20 +2979,20 @@ sub GHASH_16_ENCRYPT_16_PARALLEL {
-   my $GHDAT1 = $ZT21;
-   my $GHDAT2 = $ZT22;
- 
--  my $rndsuffix = &random_string();
-+  my $label_suffix = $label_count++;
- 
-   # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-   # ;; prepare counter blocks
- 
-   $code .= <<___;
-         cmpb              \$`(256 - 16)`,@{[BYTE($CTR_CHECK)]}
--        jae               .L_16_blocks_overflow_${rndsuffix}
-+        jae               .L_16_blocks_overflow_${label_suffix}
-         vpaddd            $ADDBE_1234,$CTR_BE,$B00_03
-         vpaddd            $ADDBE_4x4,$B00_03,$B04_07
-         vpaddd            $ADDBE_4x4,$B04_07,$B08_11
-         vpaddd            $ADDBE_4x4,$B08_11,$B12_15
--        jmp               .L_16_blocks_ok_${rndsuffix}
--.L_16_blocks_overflow_${rndsuffix}:
-+        jmp               .L_16_blocks_ok_${label_suffix}
-+.L_16_blocks_overflow_${label_suffix}:
-         vpshufb           $SHFMSK,$CTR_BE,$CTR_BE
-         vmovdqa64         ddq_add_4444(%rip),$B12_15
-         vpaddd            ddq_add_1234(%rip),$CTR_BE,$B00_03
-@@ -3009,7 +3003,7 @@ sub GHASH_16_ENCRYPT_16_PARALLEL {
-         vpshufb           $SHFMSK,$B04_07,$B04_07
-         vpshufb           $SHFMSK,$B08_11,$B08_11
-         vpshufb           $SHFMSK,$B12_15,$B12_15
--.L_16_blocks_ok_${rndsuffix}:
-+.L_16_blocks_ok_${label_suffix}:
- ___
- 
-   # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-@@ -3338,25 +3332,25 @@ sub ENCRYPT_SINGLE_BLOCK {
-   my $XMM0    = $_[1];    # ; [in/out]
-   my $GPR1    = $_[2];    # ; [clobbered]
- 
--  my $rndsuffix = &random_string();
-+  my $label_suffix = $label_count++;
- 
-   $code .= <<___;
-         # ; load number of rounds from AES_KEY structure (offset in bytes is
-         # ; size of the |rd_key| buffer)
-         mov             `4*15*4`($AES_KEY),@{[DWORD($GPR1)]}
-         cmp             \$9,@{[DWORD($GPR1)]}
--        je              .Laes_128_${rndsuffix}
-+        je              .Laes_128_${label_suffix}
-         cmp             \$11,@{[DWORD($GPR1)]}
--        je              .Laes_192_${rndsuffix}
-+        je              .Laes_192_${label_suffix}
-         cmp             \$13,@{[DWORD($GPR1)]}
--        je              .Laes_256_${rndsuffix}
--        jmp             .Lexit_aes_${rndsuffix}
-+        je              .Laes_256_${label_suffix}
-+        jmp             .Lexit_aes_${label_suffix}
- ___
-   for my $keylen (sort keys %aes_rounds) {
-     my $nr = $aes_rounds{$keylen};
-     $code .= <<___;
- .align 32
--.Laes_${keylen}_${rndsuffix}:
-+.Laes_${keylen}_${label_suffix}:
- ___
-     $code .= "vpxorq          `16*0`($AES_KEY),$XMM0, $XMM0\n\n";
-     for (my $i = 1; $i <= $nr; $i++) {
-@@ -3364,10 +3358,10 @@ ___
-     }
-     $code .= <<___;
-         vaesenclast     `16*($nr+1)`($AES_KEY),$XMM0,$XMM0
--        jmp .Lexit_aes_${rndsuffix}
-+        jmp .Lexit_aes_${label_suffix}
- ___
-   }
--  $code .= ".Lexit_aes_${rndsuffix}:\n\n";
-+  $code .= ".Lexit_aes_${label_suffix}:\n\n";
- }
- 
- sub CALC_J0 {
-@@ -3562,52 +3556,52 @@ sub GCM_ENC_DEC_SMALL {
-   my $SHUFMASK       = $_[29];    # [in] ZMM with BE/LE shuffle mask
-   my $PBLOCK_LEN     = $_[30];    # [in] partial block length
- 
--  my $rndsuffix = &random_string();
-+  my $label_suffix = $label_count++;
- 
-   $code .= <<___;
-         cmp               \$8,$NUM_BLOCKS
--        je                .L_small_initial_num_blocks_is_8_${rndsuffix}
--        jl                .L_small_initial_num_blocks_is_7_1_${rndsuffix}
-+        je                .L_small_initial_num_blocks_is_8_${label_suffix}
-+        jl                .L_small_initial_num_blocks_is_7_1_${label_suffix}
- 
- 
-         cmp               \$12,$NUM_BLOCKS
--        je                .L_small_initial_num_blocks_is_12_${rndsuffix}
--        jl                .L_small_initial_num_blocks_is_11_9_${rndsuffix}
-+        je                .L_small_initial_num_blocks_is_12_${label_suffix}
-+        jl                .L_small_initial_num_blocks_is_11_9_${label_suffix}
- 
-         # ;; 16, 15, 14 or 13
-         cmp               \$16,$NUM_BLOCKS
--        je                .L_small_initial_num_blocks_is_16_${rndsuffix}
-+        je                .L_small_initial_num_blocks_is_16_${label_suffix}
-         cmp               \$15,$NUM_BLOCKS
--        je                .L_small_initial_num_blocks_is_15_${rndsuffix}
-+        je                .L_small_initial_num_blocks_is_15_${label_suffix}
-         cmp               \$14,$NUM_BLOCKS
--        je                .L_small_initial_num_blocks_is_14_${rndsuffix}
--        jmp               .L_small_initial_num_blocks_is_13_${rndsuffix}
-+        je                .L_small_initial_num_blocks_is_14_${label_suffix}
-+        jmp               .L_small_initial_num_blocks_is_13_${label_suffix}
- 
--.L_small_initial_num_blocks_is_11_9_${rndsuffix}:
-+.L_small_initial_num_blocks_is_11_9_${label_suffix}:
-         # ;; 11, 10 or 9
-         cmp               \$11,$NUM_BLOCKS
--        je                .L_small_initial_num_blocks_is_11_${rndsuffix}
-+        je                .L_small_initial_num_blocks_is_11_${label_suffix}
-         cmp               \$10,$NUM_BLOCKS
--        je                .L_small_initial_num_blocks_is_10_${rndsuffix}
--        jmp               .L_small_initial_num_blocks_is_9_${rndsuffix}
-+        je                .L_small_initial_num_blocks_is_10_${label_suffix}
-+        jmp               .L_small_initial_num_blocks_is_9_${label_suffix}
- 
--.L_small_initial_num_blocks_is_7_1_${rndsuffix}:
-+.L_small_initial_num_blocks_is_7_1_${label_suffix}:
-         cmp               \$4,$NUM_BLOCKS
--        je                .L_small_initial_num_blocks_is_4_${rndsuffix}
--        jl                .L_small_initial_num_blocks_is_3_1_${rndsuffix}
-+        je                .L_small_initial_num_blocks_is_4_${label_suffix}
-+        jl                .L_small_initial_num_blocks_is_3_1_${label_suffix}
-         # ;; 7, 6 or 5
-         cmp               \$7,$NUM_BLOCKS
--        je                .L_small_initial_num_blocks_is_7_${rndsuffix}
-+        je                .L_small_initial_num_blocks_is_7_${label_suffix}
-         cmp               \$6,$NUM_BLOCKS
--        je                .L_small_initial_num_blocks_is_6_${rndsuffix}
--        jmp               .L_small_initial_num_blocks_is_5_${rndsuffix}
-+        je                .L_small_initial_num_blocks_is_6_${label_suffix}
-+        jmp               .L_small_initial_num_blocks_is_5_${label_suffix}
- 
--.L_small_initial_num_blocks_is_3_1_${rndsuffix}:
-+.L_small_initial_num_blocks_is_3_1_${label_suffix}:
-         # ;; 3, 2 or 1
-         cmp               \$3,$NUM_BLOCKS
--        je                .L_small_initial_num_blocks_is_3_${rndsuffix}
-+        je                .L_small_initial_num_blocks_is_3_${label_suffix}
-         cmp               \$2,$NUM_BLOCKS
--        je                .L_small_initial_num_blocks_is_2_${rndsuffix}
-+        je                .L_small_initial_num_blocks_is_2_${label_suffix}
- 
-         # ;; for $NUM_BLOCKS == 1, just fall through and no 'jmp' needed
- 
-@@ -3616,7 +3610,7 @@ sub GCM_ENC_DEC_SMALL {
- ___
- 
-   for (my $num_blocks = 1; $num_blocks <= 16; $num_blocks++) {
--    $code .= ".L_small_initial_num_blocks_is_${num_blocks}_${rndsuffix}:\n";
-+    $code .= ".L_small_initial_num_blocks_is_${num_blocks}_${label_suffix}:\n";
-     &INITIAL_BLOCKS_PARTIAL(
-       $AES_KEYS,   $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $LENGTH,   $DATA_OFFSET,
-       $num_blocks, $CTR,        $HASH_IN_OUT,    $ENC_DEC,       $ZTMP0,    $ZTMP1,
-@@ -3625,11 +3619,11 @@ ___
-       $ZTMP14,     $IA0,        $IA1,            $MASKREG,       $SHUFMASK, $PBLOCK_LEN);
- 
-     if ($num_blocks != 16) {
--      $code .= "jmp           .L_small_initial_blocks_encrypted_${rndsuffix}\n";
-+      $code .= "jmp           .L_small_initial_blocks_encrypted_${label_suffix}\n";
-     }
-   }
- 
--  $code .= ".L_small_initial_blocks_encrypted_${rndsuffix}:\n";
-+  $code .= ".L_small_initial_blocks_encrypted_${label_suffix}:\n";
- }
- 
- # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-@@ -3710,7 +3704,7 @@ sub GCM_ENC_DEC {
- 
-   my $MASKREG = "%k1";
- 
--  my $rndsuffix = &random_string();
-+  my $label_suffix = $label_count++;
- 
-   # ;; reduction every 48 blocks, depth 32 blocks
-   # ;; @note 48 blocks is the maximum capacity of the stack frame
-@@ -3751,7 +3745,7 @@ sub GCM_ENC_DEC {
-   } else {
-     $code .= "or                $PLAIN_CIPH_LEN,$PLAIN_CIPH_LEN\n";
-   }
--  $code .= "je            .L_enc_dec_done_${rndsuffix}\n";
-+  $code .= "je            .L_enc_dec_done_${label_suffix}\n";
- 
-   # Length value from context $CTX_OFFSET_InLen`($GCM128_CTX) is updated in
-   # 'providers/implementations/ciphers/cipher_aes_gcm_hw_vaes_avx512.inc'
-@@ -3778,12 +3772,12 @@ sub GCM_ENC_DEC {
-   # ;; There may be no more data if it was consumed in the partial block.
-   $code .= <<___;
-         sub               $DATA_OFFSET,$LENGTH
--        je                .L_enc_dec_done_${rndsuffix}
-+        je                .L_enc_dec_done_${label_suffix}
- ___
- 
-   $code .= <<___;
-         cmp               \$`(16 * 16)`,$LENGTH
--        jbe              .L_message_below_equal_16_blocks_${rndsuffix}
-+        jbe              .L_message_below_equal_16_blocks_${label_suffix}
- 
-         vmovdqa64         SHUF_MASK(%rip),$SHUF_MASK
-         vmovdqa64         ddq_addbe_4444(%rip),$ADDBE_4x4
-@@ -3815,7 +3809,7 @@ ___
- 
-   $code .= <<___;
-         cmp               \$`(32 * 16)`,$LENGTH
--        jb                .L_message_below_32_blocks_${rndsuffix}
-+        jb                .L_message_below_32_blocks_${label_suffix}
- ___
- 
-   # ;; ==== AES-CTR - next 16 blocks
-@@ -3836,13 +3830,13 @@ ___
-         sub               \$`(32 * 16)`,$LENGTH
- 
-         cmp               \$`($big_loop_nblocks * 16)`,$LENGTH
--        jb                .L_no_more_big_nblocks_${rndsuffix}
-+        jb                .L_no_more_big_nblocks_${label_suffix}
- ___
- 
-   # ;; ====
-   # ;; ==== AES-CTR + GHASH - 48 blocks loop
-   # ;; ====
--  $code .= ".L_encrypt_big_nblocks_${rndsuffix}:\n";
-+  $code .= ".L_encrypt_big_nblocks_${label_suffix}:\n";
- 
-   # ;; ==== AES-CTR + GHASH - 16 blocks, start
-   $aesout_offset      = ($STACK_LOCAL_OFFSET + (32 * 16));
-@@ -3893,15 +3887,15 @@ ___
-         add               \$`($big_loop_nblocks * 16)`,$DATA_OFFSET
-         sub               \$`($big_loop_nblocks * 16)`,$LENGTH
-         cmp               \$`($big_loop_nblocks * 16)`,$LENGTH
--        jae               .L_encrypt_big_nblocks_${rndsuffix}
-+        jae               .L_encrypt_big_nblocks_${label_suffix}
- 
--.L_no_more_big_nblocks_${rndsuffix}:
-+.L_no_more_big_nblocks_${label_suffix}:
- 
-         cmp               \$`(32 * 16)`,$LENGTH
--        jae               .L_encrypt_32_blocks_${rndsuffix}
-+        jae               .L_encrypt_32_blocks_${label_suffix}
- 
-         cmp               \$`(16 * 16)`,$LENGTH
--        jae               .L_encrypt_16_blocks_${rndsuffix}
-+        jae               .L_encrypt_16_blocks_${label_suffix}
- ___
- 
-   # ;; =====================================================
-@@ -3909,7 +3903,7 @@ ___
-   # ;; ==== GHASH 1 x 16 blocks
-   # ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks
-   # ;; ====      then GHASH N blocks
--  $code .= ".L_encrypt_0_blocks_ghash_32_${rndsuffix}:\n";
-+  $code .= ".L_encrypt_0_blocks_ghash_32_${label_suffix}:\n";
- 
-   # ;; calculate offset to the right hash key
-   $code .= <<___;
-@@ -3937,7 +3931,7 @@ ___
-     $IA0,        $IA5,        $MASKREG,        $PBLOCK_LEN);
- 
-   $code .= "vpshufb           @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n";
--  $code .= "jmp           .L_ghash_done_${rndsuffix}\n";
-+  $code .= "jmp           .L_ghash_done_${label_suffix}\n";
- 
-   # ;; =====================================================
-   # ;; =====================================================
-@@ -3946,7 +3940,7 @@ ___
-   # ;; ==== GHASH 1 x 16 blocks (reduction)
-   # ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks
-   # ;; ====      then GHASH N blocks
--  $code .= ".L_encrypt_32_blocks_${rndsuffix}:\n";
-+  $code .= ".L_encrypt_32_blocks_${label_suffix}:\n";
- 
-   # ;; ==== AES-CTR + GHASH - 16 blocks, start
-   $aesout_offset  = ($STACK_LOCAL_OFFSET + (32 * 16));
-@@ -4007,7 +4001,7 @@ ___
-     $IA0,        $IA5,        $MASKREG,        $PBLOCK_LEN);
- 
-   $code .= "vpshufb           @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n";
--  $code .= "jmp           .L_ghash_done_${rndsuffix}\n";
-+  $code .= "jmp           .L_ghash_done_${label_suffix}\n";
- 
-   # ;; =====================================================
-   # ;; =====================================================
-@@ -4015,7 +4009,7 @@ ___
-   # ;; ==== GHASH 1 x 16 blocks
-   # ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks
-   # ;; ====      then GHASH N blocks
--  $code .= ".L_encrypt_16_blocks_${rndsuffix}:\n";
-+  $code .= ".L_encrypt_16_blocks_${label_suffix}:\n";
- 
-   # ;; ==== AES-CTR + GHASH - 16 blocks, start
-   $aesout_offset  = ($STACK_LOCAL_OFFSET + (32 * 16));
-@@ -4059,9 +4053,9 @@ ___
- 
-   $code .= "vpshufb           @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n";
-   $code .= <<___;
--        jmp               .L_ghash_done_${rndsuffix}
-+        jmp               .L_ghash_done_${label_suffix}
- 
--.L_message_below_32_blocks_${rndsuffix}:
-+.L_message_below_32_blocks_${label_suffix}:
-         # ;; 32 > number of blocks > 16
- 
-         sub               \$`(16 * 16)`,$LENGTH
-@@ -4094,9 +4088,9 @@ ___
- 
-   $code .= "vpshufb           @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n";
-   $code .= <<___;
--        jmp           .L_ghash_done_${rndsuffix}
-+        jmp           .L_ghash_done_${label_suffix}
- 
--.L_message_below_equal_16_blocks_${rndsuffix}:
-+.L_message_below_equal_16_blocks_${label_suffix}:
-         # ;; Determine how many blocks to process
-         # ;; - process one additional block if there is a partial block
-         mov               @{[DWORD($LENGTH)]},@{[DWORD($IA1)]}
-@@ -4113,13 +4107,13 @@ ___
- 
-   # ;; fall through to exit
- 
--  $code .= ".L_ghash_done_${rndsuffix}:\n";
-+  $code .= ".L_ghash_done_${label_suffix}:\n";
- 
-   # ;; save the last counter block
-   $code .= "vmovdqu64         $CTR_BLOCKx,`$CTX_OFFSET_CurCount`($GCM128_CTX)\n";
-   $code .= <<___;
-         vmovdqu64         $AAD_HASHx,`$CTX_OFFSET_AadHash`($GCM128_CTX)
--.L_enc_dec_done_${rndsuffix}:
-+.L_enc_dec_done_${label_suffix}:
- ___
- }
- 
-@@ -4155,7 +4149,7 @@ sub INITIAL_BLOCKS_16 {
-   my $B08_11 = $T7;
-   my $B12_15 = $T8;
- 
--  my $rndsuffix = &random_string();
-+  my $label_suffix = $label_count++;
- 
-   my $stack_offset = $BLK_OFFSET;
-   $code .= <<___;
-@@ -4163,13 +4157,13 @@ sub INITIAL_BLOCKS_16 {
-         # ;; prepare counter blocks
- 
-         cmpb              \$`(256 - 16)`,@{[BYTE($CTR_CHECK)]}
--        jae               .L_next_16_overflow_${rndsuffix}
-+        jae               .L_next_16_overflow_${label_suffix}
-         vpaddd            $ADDBE_1234,$CTR,$B00_03
-         vpaddd            $ADDBE_4x4,$B00_03,$B04_07
-         vpaddd            $ADDBE_4x4,$B04_07,$B08_11
-         vpaddd            $ADDBE_4x4,$B08_11,$B12_15
--        jmp               .L_next_16_ok_${rndsuffix}
--.L_next_16_overflow_${rndsuffix}:
-+        jmp               .L_next_16_ok_${label_suffix}
-+.L_next_16_overflow_${label_suffix}:
-         vpshufb           $SHUF_MASK,$CTR,$CTR
-         vmovdqa64         ddq_add_4444(%rip),$B12_15
-         vpaddd            ddq_add_1234(%rip),$CTR,$B00_03
-@@ -4180,7 +4174,7 @@ sub INITIAL_BLOCKS_16 {
-         vpshufb           $SHUF_MASK,$B04_07,$B04_07
-         vpshufb           $SHUF_MASK,$B08_11,$B08_11
-         vpshufb           $SHUF_MASK,$B12_15,$B12_15
--.L_next_16_ok_${rndsuffix}:
-+.L_next_16_ok_${label_suffix}:
-         vshufi64x2        \$0b11111111,$B12_15,$B12_15,$CTR
-         addb               \$16,@{[BYTE($CTR_CHECK)]}
-         # ;; === load 16 blocks of data
-@@ -4264,7 +4258,7 @@ sub GCM_COMPLETE {
-   my $GCM128_CTX = $_[0];
-   my $PBLOCK_LEN = $_[1];
- 
--  my $rndsuffix = &random_string();
-+  my $label_suffix = $label_count++;
- 
-   $code .= <<___;
-         vmovdqu           @{[HashKeyByIdx(1,$GCM128_CTX)]},%xmm2
-@@ -4276,14 +4270,14 @@ ___
- 
-         # ;; Process the final partial block.
-         cmp               \$0,$PBLOCK_LEN
--        je                .L_partial_done_${rndsuffix}
-+        je                .L_partial_done_${label_suffix}
- ___
- 
-   #  ;GHASH computation for the last <16 Byte block
-   &GHASH_MUL("%xmm4", "%xmm2", "%xmm0", "%xmm16", "%xmm17");
- 
-   $code .= <<___;
--.L_partial_done_${rndsuffix}:
-+.L_partial_done_${label_suffix}:
-         vmovq           `$CTX_OFFSET_InLen`($GCM128_CTX), %xmm5
-         vpinsrq         \$1, `$CTX_OFFSET_AadLen`($GCM128_CTX), %xmm5, %xmm5    #  ; xmm5 = len(A)||len(C)
-         vpsllq          \$3, %xmm5, %xmm5                                       #  ; convert bytes into bits
-@@ -4297,7 +4291,7 @@ ___
-         vpshufb         SHUF_MASK(%rip),%xmm4,%xmm4      # ; perform a 16Byte swap
-         vpxor           %xmm4,%xmm3,%xmm3
- 
--.L_return_T_${rndsuffix}:
-+.L_return_T_${label_suffix}:
-         vmovdqu           %xmm3,`$CTX_OFFSET_AadHash`($GCM128_CTX)
- ___
- }