Erlang ver. 25.3.2.12

Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>

erlang.spec

@@ -68,7 +68,7 @@
 
 
 Name:		erlang
-Version:	25.3.2
+Version:	25.3.2.12
 Release:	1%{?dist}
 Summary:	General-purpose programming language and runtime environment
 
@@ -112,6 +112,20 @@ Patch9: otp-0009-Load-man-pages-from-system-wide-directory.patch
 Patch10: otp-0010-configure.ac-C99-fix-for-ERTS___AFTER_MORECORE_HOOK_.patch
 Patch11: otp-0011-configure.ac-C99-fixes-for-poll_works-check.patch
 Patch12: otp-0012-Revert-Do-not-install-erlang-sources.patch
+Patch13: otp-0013-crypto-Fix-generate_key-3-for-ecdh-to-only-use-OpenS.patch
+Patch14: otp-0014-crypto-Fix-get_ossl_BN_param_from_bin_sz-to-not-abus.patch
+Patch15: otp-0015-crypto-Re-enable-FIPS_SUPPORT-for-HAS_3_0_API.patch
+Patch16: otp-0016-crypto-Fix-FIPS-bug-in-check_pkey_algorithm_type.patch
+Patch17: otp-0017-crypto_SUITE-Change-to-longer-dss-keys-acceptable-to.patch
+Patch18: otp-0018-crypto_SUITE-Remove-sha-1-as-hash-for-dss-if-FIPS.patch
+Patch19: otp-0019-crypto_SUITE-Remove-md5-ripemd160-and-sha-as-hash-fo.patch
+Patch20: otp-0020-crypto-Try-generate-ec-key-by-name-if-possible.patch
+Patch21: otp-0021-crypto_SUITE-Skip-sha-1-sign-for-FIPS.patch
+Patch22: otp-0022-crypto-Unalias-some-ec-curve-names.patch
+Patch23: otp-0023-crypto_SUITE-Skip-ec-curves-with-224-bits-if-FIPS.patch
+Patch24: otp-0024-crypto_SUITE-Fix-safe-primes-for-DH-with-FIPS.patch
+Patch25: otp-0025-crypto-Skip-entire-engine_SUITE-if-notsup.patch
+Patch26: otp-0026-crypto-Fix-doc-for-FIPS-with-OpenSSL-3.patch
 # end of autogenerated patch tag list
 
 BuildRequires:	gcc
@@ -247,10 +261,10 @@ A byte code compiler for Erlang which produces highly compact code.
 
 %package crypto
 Summary: Cryptographical support
-#BuildRequires: pkgconfig(openssl)
+BuildRequires: pkgconfig(openssl)
 # FIXME there is something wrong with OpenSSL 3.0 support in Erlang right now.
 # We have to fallback to OpenSSL1 explicitly.
-BuildRequires: openssl1.1-devel
+# BuildRequires: openssl1.1-devel
 Requires: %{name}-erts%{?_isa} = %{version}-%{release}
 Requires: %{name}-kernel%{?_isa} = %{version}-%{release}
 Requires: %{name}-stdlib%{?_isa} = %{version}-%{release}
@@ -1971,6 +1985,45 @@ useradd -r -g epmd -d /dev/null -s /sbin/nologin \
 
 
 %changelog
+* Sat May  4 2024 Peter Lemenkov <lemenkov@gmail.com> - 25.3.2.12-1
+- Ver. 25.3.2.12
+
+* Sat Apr 13 2024 Peter Lemenkov <lemenkov@gmail.com> - 25.3.2.11-1
+- Ver. 25.3.2.11
+
+* Thu Mar 14 2024 Peter Lemenkov <lemenkov@gmail.com> - 25.3.2.10-1
+- Ver. 25.3.2.10
+
+* Mon Feb 12 2024 Peter Lemenkov <lemenkov@gmail.com> - 25.3.2.9-1
+- Ver. 25.3.2.9
+
+* Tue Dec 19 2023 Peter Lemenkov <lemenkov@gmail.com> - 25.3.2.8-1
+- Ver. 25.3.2.8
+
+* Fri Oct 13 2023 Peter Lemenkov <lemenkov@gmail.com> - 25.3.2.7-1
+- Ver. 25.3.2.7
+
+* Sat Sep  9 2023 Peter Lemenkov <lemenkov@gmail.com> - 25.3.2.6-1
+- Ver. 25.3.2.6
+
+* Tue Aug  8 2023 Peter Lemenkov <lemenkov@gmail.com> - 25.3.2.5-2
+- Reenable OpenSSL 3
+
+* Mon Jul 31 2023 Peter Lemenkov <lemenkov@gmail.com> - 25.3.2.5-1
+- Ver. 25.3.2.5
+
+* Mon Jul 17 2023 Peter Lemenkov <lemenkov@gmail.com> - 25.3.2.4-1
+- Ver. 25.3.2.4
+
+* Sat Jul  1 2023 Peter Lemenkov <lemenkov@gmail.com> - 25.3.2.3-1
+- Ver. 25.3.2.3
+
+* Wed Jun  7 2023 Peter Lemenkov <lemenkov@gmail.com> - 25.3.2.2-1
+- Ver. 25.3.2.2
+
+* Tue May 30 2023 Peter Lemenkov <lemenkov@gmail.com> - 25.3.2.1-1
+- Ver. 25.3.2.1
+
 * Sat May  6 2023 Peter Lemenkov <lemenkov@gmail.com> - 25.3.2-1
 - Ver. 25.3.2
 

otp-0001-Do-not-format-man-pages-and-do-not-install-miscellan.patch

@@ -6,7 +6,7 @@ Subject: [PATCH] Do not format man-pages and do not install miscellaneous
 Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>
 
 diff --git a/erts/etc/common/Makefile.in b/erts/etc/common/Makefile.in
-index 86f63dcf41..b74c789775 100644
+index 2b87b6269a..4c55b76c60 100644
 --- a/erts/etc/common/Makefile.in
 +++ b/erts/etc/common/Makefile.in
 @@ -555,10 +555,6 @@ endif

otp-0003-Do-not-install-C-sources.patch

@@ -27,10 +27,10 @@ index 82a6b6e87a..5f2fe8ba7d 100644
  release_docs_spec:
  
 diff --git a/lib/erl_interface/src/Makefile.in b/lib/erl_interface/src/Makefile.in
-index 0a5ae800be..2cc354c43e 100644
+index fa1ea3cd39..b977b6afe5 100644
 --- a/lib/erl_interface/src/Makefile.in
 +++ b/lib/erl_interface/src/Makefile.in
-@@ -712,13 +712,11 @@ ifeq (@DYNAMIC_LIB@, yes)
+@@ -715,13 +715,11 @@ ifeq (@DYNAMIC_LIB@, yes)
  endif
  	$(INSTALL_PROGRAM) $(EXE_TARGETS) "$(RELSYSDIR)/bin"
  	$(INSTALL_DATA) $(EXTRA)        "$(RELSYSDIR)/src"

otp-0010-configure.ac-C99-fix-for-ERTS___AFTER_MORECORE_HOOK_.patch

@@ -6,10 +6,10 @@ Subject: [PATCH] configure.ac: C99 fix for
 #include <unistd.h> for the sbrk function if the header is available.
 
 diff --git a/erts/configure b/erts/configure
-index fbdb6baba8..46e882e99a 100755
+index 44bbe9ef68..8a7d47b1f9 100755
 --- a/erts/configure
 +++ b/erts/configure
-@@ -20644,6 +20644,9 @@ else $as_nop
+@@ -20672,6 +20672,9 @@ else $as_nop
  #ifdef HAVE_MALLOC_H
  #  include <malloc.h>
  #endif
@@ -20,10 +20,10 @@ index fbdb6baba8..46e882e99a 100755
  extern char end;
  #elif defined(HAVE__END_SYMBOL)
 diff --git a/erts/configure.ac b/erts/configure.ac
-index 307be5042d..316345079b 100644
+index f6bcbd11ff..617deafc42 100644
 --- a/erts/configure.ac
 +++ b/erts/configure.ac
-@@ -2436,6 +2436,9 @@ AC_CACHE_CHECK([if __after_morecore_hook can track malloc()s core memory use],
+@@ -2445,6 +2445,9 @@ AC_CACHE_CHECK([if __after_morecore_hook can track malloc()s core memory use],
  #ifdef HAVE_MALLOC_H
  #  include <malloc.h>
  #endif

otp-0011-configure.ac-C99-fixes-for-poll_works-check.patch

@@ -7,10 +7,10 @@ Return from main instead of calling exit, so that no function
 declaration is needed.
 
 diff --git a/erts/configure b/erts/configure
-index 46e882e99a..7cc6f802ce 100755
+index 8a7d47b1f9..c960b81fd7 100755
 --- a/erts/configure
 +++ b/erts/configure
-@@ -24575,10 +24575,13 @@ else $as_nop
+@@ -24608,10 +24608,13 @@ else $as_nop
  /* end confdefs.h.  */
  
  #include <poll.h>
@@ -26,7 +26,7 @@ index 46e882e99a..7cc6f802ce 100755
  #else
    struct pollfd fds[1];
    int fd;
-@@ -24587,9 +24590,9 @@ main()
+@@ -24620,9 +24623,9 @@ main()
    fds[0].events = POLLIN;
    fds[0].revents = 0;
    if (poll(fds, 1, 0) < 0 || (fds[0].revents & POLLNVAL) != 0) {
@@ -39,10 +39,10 @@ index 46e882e99a..7cc6f802ce 100755
  }
  
 diff --git a/erts/configure.ac b/erts/configure.ac
-index 316345079b..439ec5d4a1 100644
+index 617deafc42..23e04d09ab 100644
 --- a/erts/configure.ac
 +++ b/erts/configure.ac
-@@ -3055,10 +3055,13 @@ poll_works=no
+@@ -3068,10 +3068,13 @@ poll_works=no
  
  AC_RUN_IFELSE([AC_LANG_SOURCE([[
  #include <poll.h>
@@ -58,7 +58,7 @@ index 316345079b..439ec5d4a1 100644
  #else
    struct pollfd fds[1];
    int fd;
-@@ -3067,9 +3070,9 @@ main()
+@@ -3080,9 +3083,9 @@ main()
    fds[0].events = POLLIN;
    fds[0].revents = 0;
    if (poll(fds, 1, 0) < 0 || (fds[0].revents & POLLNVAL) != 0) {

otp-0013-crypto-Fix-generate_key-3-for-ecdh-to-only-use-OpenS.patch

@@ -0,0 +1,215 @@
+From: Sverker Eriksson <sverker@erlang.org>
+Date: Wed, 7 Jun 2023 18:52:46 +0200
+Subject: [PATCH] crypto: Fix generate_key/3 for ecdh to only use OpenSSL 3.0
+ API
+
+to prepare for using FIPS on OpenSSL 3.0
+
+diff --git a/lib/crypto/c_src/Makefile.in b/lib/crypto/c_src/Makefile.in
+index 2345970fa9..28f7b595e8 100644
+--- a/lib/crypto/c_src/Makefile.in
++++ b/lib/crypto/c_src/Makefile.in
+@@ -205,9 +205,9 @@ $(LIBDIR)/otp_test_engine$(TYPEMARKER).dll: $(TEST_ENGINE_OBJS)
+ 	$(V_LD) $(LDFLAGS) -o $@  $(SSL_DED_LD_RUNTIME_LIBRARY_PATH) -L$(SSL_LIBDIR) $(TEST_ENGINE_OBJS) -l$(SSL_CRYPTO_LIBNAME) -l$(SSL_SSL_LIBNAME) $(SSL_EXTRA_LIBS)
+ endif
+ 
+-$(OBJDIR)/ec$(TYPEMARKER).o: ec.c
+-	$(V_at)$(INSTALL_DIR) $(OBJDIR)
+-	$(V_CC) -c -o $@ $(ALL_CFLAGS) $(CRYPTO_NO_DEPRECATE_WARN) $<
++# $(OBJDIR)/ec$(TYPEMARKER).o: ec.c
++# 	$(V_at)$(INSTALL_DIR) $(OBJDIR)
++# 	$(V_CC) -c -o $@ $(ALL_CFLAGS) $(CRYPTO_NO_DEPRECATE_WARN) $<
+ 
+ $(OBJDIR)/%$(TYPEMARKER).o: %.c
+ 	$(V_at)$(INSTALL_DIR) $(OBJDIR)
+diff --git a/lib/crypto/c_src/ec.c b/lib/crypto/c_src/ec.c
+index 124582c4f8..852f3ba79c 100644
+--- a/lib/crypto/c_src/ec.c
++++ b/lib/crypto/c_src/ec.c
+@@ -24,6 +24,8 @@
+ #ifdef HAVE_EC
+ # if defined(HAS_3_0_API)
+ 
++# include <openssl/core_names.h>
++
+ int get_curve_definition(ErlNifEnv* env, ERL_NIF_TERM *ret, ERL_NIF_TERM def,
+                          OSSL_PARAM params[], int *i,
+                          size_t *order_size)
+@@ -253,13 +255,7 @@ int get_ec_public_key(ErlNifEnv* env, ERL_NIF_TERM key, EVP_PKEY **pkey)
+ }
+ 
+ 
+-int get_ec_private_key_2(ErlNifEnv* env,
+-                         ERL_NIF_TERM curve, ERL_NIF_TERM key,
+-                         EVP_PKEY **pkey,
+-                         ERL_NIF_TERM *ret,
+-                         size_t *order_size);
+-
+-int get_ec_private_key_2(ErlNifEnv* env,
++static int get_ec_private_key_2(ErlNifEnv* env,
+                          ERL_NIF_TERM curve, ERL_NIF_TERM key,
+                          EVP_PKEY **pkey,
+                          ERL_NIF_TERM *ret,
+@@ -319,7 +315,8 @@ int get_ec_private_key(ErlNifEnv* env, ERL_NIF_TERM key, EVP_PKEY **pkey)
+     return 0;
+ }
+ 
+-int mk_pub_key_binary(ErlNifEnv* env, EVP_PKEY **peer_pkey, ErlNifBinary *pubkey_bin, ERL_NIF_TERM *ret);
++static int mk_pub_key_binary(ErlNifEnv* env, EVP_PKEY *peer_pkey,
++                             ErlNifBinary *pubkey_bin, ERL_NIF_TERM *ret);
+ 
+ ERL_NIF_TERM ec_generate_key_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[])
+ { /* (Curve, PrivKey|undefined)  */
+@@ -339,9 +336,8 @@ ERL_NIF_TERM ec_generate_key_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM ar
+             
+             /* Get the two keys, pub as binary and priv as BN.
+                Since the private key is explicitly given, it must be calculated.
+-               I haven't found any way to do that with the pure 3.0 interface yet.
+             */
+-            if (!mk_pub_key_binary(env, &peer_pkey, &pubkey_bin, &ret))
++            if (!mk_pub_key_binary(env, peer_pkey, &pubkey_bin, &ret))
+                 goto err;
+ 
+             if (!EVP_PKEY_get_bn_param(peer_pkey, "priv", &priv_bn))
+@@ -398,67 +394,81 @@ ERL_NIF_TERM ec_generate_key_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM ar
+     return ret;
+ }
+ 
+-int mk_pub_key_binary(ErlNifEnv* env, EVP_PKEY **peer_pkey, ErlNifBinary *pubkey_bin, ERL_NIF_TERM *ret)
++static int mk_pub_key_binary(ErlNifEnv* env, EVP_PKEY *peer_pkey,
++                             ErlNifBinary *pubkey_bin, ERL_NIF_TERM *ret)
+ {
+-    EC_KEY *ec_key = NULL;
+-    EC_POINT *public_key = NULL;
+-    EC_GROUP *group = NULL;
+-    BIGNUM *priv_bn = NULL;
+-    
+-    *ret = atom_undefined;
+-
+-    /* Use the deprecated interface to get the curve and
+-       private key in pre 3.0 form: */
+-    if ((ec_key = EVP_PKEY_get1_EC_KEY(*peer_pkey)) == NULL)
+-        assign_goto(*ret, err, EXCP_ERROR(env, "Couldn't get EC key"));
+-
+-    if ((group = EC_GROUP_dup(EC_KEY_get0_group(ec_key))) == NULL)
++    size_t pub_key_size = 0;
++    size_t group_name_size = 0;
++    char group_name_buf[20];
++    char* group_name = group_name_buf;
++    int group_nid;
++    EC_GROUP* ec_group = NULL;
++    EC_POINT* pub_key = NULL;
++    BIGNUM* priv_bn = NULL;
++    int ok = 0;
++
++    /* This code was inspired by
++     * https://github.com/openssl/openssl/issues/18437
++     * which first tried to get public key directly with
++     * EVP_PKEY_get_octet_string_param(peer_pkey, OSSL_PKEY_PARAM_PUB_KEY,..)
++     *
++     * I removed that since I don't know what key format that will produce
++     * if it succeeds. That is, we go directly to the "fallback" and calculate
++     * the public key.
++     */
++
++    if (!EVP_PKEY_get_utf8_string_param(peer_pkey, OSSL_PKEY_PARAM_GROUP_NAME,
++                                        NULL, 0, &group_name_size))
++        assign_goto(*ret, err, EXCP_ERROR(env, "Couldn't get EC group name size"));
++
++    if (group_name_size >= sizeof(group_name_buf))
++        group_name = enif_alloc(group_name_size + 1);
++    if (!EVP_PKEY_get_utf8_string_param(peer_pkey, OSSL_PKEY_PARAM_GROUP_NAME,
++                                            group_name, group_name_size+1,
++                                            NULL))
++        assign_goto(*ret, err, EXCP_ERROR(env, "Couldn't get EC group name"));
++
++    group_nid = OBJ_sn2nid(group_name);
++    if (group_nid == NID_undef)
++        assign_goto(*ret, err, EXCP_ERROR(env, "Couldn't get EC group nid"));
++
++    ec_group = EC_GROUP_new_by_curve_name(group_nid);
++    if (ec_group == NULL)
+         assign_goto(*ret, err, EXCP_ERROR(env, "Couldn't get EC_GROUP"));
+ 
+-    if ((public_key = EC_POINT_new(group)) == NULL)
++    pub_key = EC_POINT_new(ec_group);
++    if (pub_key == NULL)
+         assign_goto(*ret, err, EXCP_ERROR(env, "Couldn't create POINT"));
+ 
+-    if (!EC_POINT_copy(public_key, EC_GROUP_get0_generator(group)))
+-        assign_goto(*ret, err, EXCP_ERROR(env, "Couldn't copy POINT"));
+-
+-    /* Make the corresponding public key */
+-    if (!EVP_PKEY_get_bn_param(*peer_pkey, "priv", &priv_bn))
++    if (!EVP_PKEY_get_bn_param(peer_pkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_bn))
+         assign_goto(*ret, err, EXCP_BADARG_N(env, 1, "Couldn't get peer priv key bytes"));
+ 
+-    if (BN_is_zero(priv_bn))
+-        assign_goto(*ret, err, EXCP_BADARG_N(env, 1, "peer priv key must not be 0"));
+-
+-    if (!EC_POINT_mul(group, public_key, priv_bn, NULL, NULL, NULL))
++    if (!EC_POINT_mul(ec_group, pub_key, priv_bn, NULL, NULL, NULL))
+         assign_goto(*ret, err, EXCP_ERROR(env, "Couldn't multiply POINT"));
+ 
+-    if (!EC_KEY_set_public_key(ec_key, public_key))
+-        assign_goto(*ret, err, EXCP_ERROR(env, "Couldn't set EC_KEY"));
+-
+-    if (!EVP_PKEY_assign_EC_KEY(*peer_pkey, ec_key))
+-        assign_goto(*ret, err, EXCP_ERROR(env, "Couldn't assign EC_KEY to PKEY"));
+-            
+-    /* And now get the binary representation (by some reason we can't read it from
+-       peer_pubkey in the calling function with 3.0-functions.)
+-    */
+-    {
+-        point_conversion_form_t form = EC_KEY_get_conv_form(ec_key);
+-        size_t dlen = EC_POINT_point2oct(group, public_key, form, NULL, 0, NULL);
+-
+-        if (!enif_alloc_binary(dlen, pubkey_bin) ||
+-            !EC_POINT_point2oct(group, public_key, form, pubkey_bin->data, pubkey_bin->size, NULL)
+-            )
+-            assign_goto(*ret, err, EXCP_ERROR(env, "Couldn't get public key"));
++    pub_key_size = EC_POINT_point2oct(ec_group, pub_key,
++                                      POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL);
++    if (pub_key_size == 0)
++        assign_goto(*ret, err, EXCP_ERROR(env, "Couldn't get pub_key_size"));
++
++    enif_alloc_binary(pub_key_size, pubkey_bin);
++    if (!EC_POINT_point2oct(ec_group, pub_key, POINT_CONVERSION_UNCOMPRESSED,
++                            pubkey_bin->data,
++                            pubkey_bin->size, NULL)) {
++        enif_release_binary(pubkey_bin);
++        assign_goto(*ret, err, EXCP_ERROR(env, "Couldn't get pub key bytes"));
+     }
+ 
+- err:
+-    if (public_key) EC_POINT_free(public_key);
+-    if (group) EC_GROUP_free(group);
++    *ret = enif_make_binary(env, pubkey_bin);
++    ok = 1;
++
++err:
++    if (group_name != group_name_buf) enif_free(group_name);
++    if (pub_key) EC_POINT_free(pub_key);
++    if (ec_group) EC_GROUP_free(ec_group);
+     if (priv_bn) BN_free(priv_bn);
+ 
+-    if (*ret == atom_undefined)
+-        return 1;
+-    else
+-        return 0;
++    return ok;
+ }
+     
+ # endif /* HAS_3_0_API */
+@@ -908,10 +918,8 @@ ERL_NIF_TERM ec_generate_key_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM ar
+ 
+ # endif /* ! HAS_3_0_API */
+ 
+-#endif /* HAVE_EC */
+-
++#else /* ifndef HAVE_EC */
+ 
+-#if ! defined(HAVE_EC)
+ ERL_NIF_TERM ec_generate_key_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[])
+ { /* (Curve, PrivKey)  */
+     return EXCP_NOTSUP_N(env, 0, "EC not supported");

otp-0014-crypto-Fix-get_ossl_BN_param_from_bin_sz-to-not-abus.patch

@@ -0,0 +1,102 @@
+From: Sverker Eriksson <sverker@erlang.org>
+Date: Wed, 7 Jun 2023 18:50:23 +0200
+Subject: [PATCH] crypto: Fix get_ossl_BN_param_from_bin_sz() to not abuse
+ ErlNifBinary
+
+It is not allowed to write to the binary buffer returned by
+enif_inspect_binary() (even if you created the binary yourself).
+
+In DEBUG built VM such abuse will be punished with:
+
+"Readonly data written by NIF, checksums differ 8000425 != 25040008
+ABORTING"
+
+Instead use enif_make_new_binary() to create a writable binary buffer.
+
+diff --git a/lib/crypto/c_src/bn.c b/lib/crypto/c_src/bn.c
+index f06ed9002e..5e9fec5093 100644
+--- a/lib/crypto/c_src/bn.c
++++ b/lib/crypto/c_src/bn.c
+@@ -212,23 +212,38 @@ int get_ossl_BN_param_from_bin(ErlNifEnv* env, char* key, ERL_NIF_TERM bin, OSSL
+     return get_ossl_BN_param_from_bin_sz(env, key, bin, dest, NULL);
+ }
+ 
+-int get_ossl_BN_param_from_bin_sz(ErlNifEnv* env, char* key, ERL_NIF_TERM bin, OSSL_PARAM *dest, size_t *size)
++int get_ossl_BN_param_from_bin_sz(ErlNifEnv* env, char* key, ERL_NIF_TERM bin,
++                                  OSSL_PARAM *dest, size_t *size)
+ {
+     BIGNUM *bn = NULL;
+-    ErlNifBinary tmp;
++    int ok = 0;
+ 
+-    if (!get_bn_from_bin_sz(env, bin, &bn, size) ||
+-        !enif_inspect_binary(env, bin_from_bn(env,bn), &tmp) || // Allocate buf
+-        BN_bn2nativepad(bn, tmp.data, tmp.size) < 0) {// Fill with BN in right endianity
+-        if (bn) BN_free(bn);
++    if (!get_bn_from_bin_sz(env, bin, &bn, size))
+         return 0;
+-    }
+-    
+-    *dest = OSSL_PARAM_construct_BN(key, tmp.data, tmp.size);
+-    if (bn) BN_free(bn);
++
++    ok = get_ossl_BN_param_from_bn(env, key, bn, dest);
++    BN_free(bn);
++    return ok;
++}
++
++int get_ossl_BN_param_from_bn(ErlNifEnv* env, char* key, const BIGNUM* bn,
++                              OSSL_PARAM *dest)
++{
++    const size_t bn_sz = BN_num_bytes(bn);
++    unsigned char* tmp_buf;
++    ERL_NIF_TERM dummy_term;
++
++    /* Create a binary term just as a convenient tmp buffer */
++    tmp_buf = enif_make_new_binary(env, bn_sz, &dummy_term);
++    if (BN_bn2nativepad(bn, tmp_buf, bn_sz) < 0) // Fill with BN in right endianity
++        return 0;
++
++    *dest = OSSL_PARAM_construct_BN(key, tmp_buf, bn_sz);
+     return 1;
+ }
+ 
++
++
+ int get_ossl_param_from_bin_in_list(ErlNifEnv* env, char* key, ERL_NIF_TERM *listcell, OSSL_PARAM *dest)
+ {
+     ERL_NIF_TERM head;
+diff --git a/lib/crypto/c_src/bn.h b/lib/crypto/c_src/bn.h
+index 5e207aed2d..662a32dc29 100644
+--- a/lib/crypto/c_src/bn.h
++++ b/lib/crypto/c_src/bn.h
+@@ -38,6 +38,7 @@ int get_bn_from_bin_sz(ErlNifEnv* env, ERL_NIF_TERM term, BIGNUM** bnp, size_t*
+ int get_ossl_octet_string_param_from_bin(ErlNifEnv* env, char* key, ERL_NIF_TERM bin, OSSL_PARAM *dest);
+ int get_ossl_BN_param_from_bin(ErlNifEnv* env, char* key, ERL_NIF_TERM bin, OSSL_PARAM *dest);
+ int get_ossl_BN_param_from_bin_sz(ErlNifEnv* env, char* key, ERL_NIF_TERM bin, OSSL_PARAM *dest, size_t *size);
++int get_ossl_BN_param_from_bn(ErlNifEnv* env, char* key, const BIGNUM* bn, OSSL_PARAM *dest);
+ 
+ int get_ossl_param_from_bin_in_list(ErlNifEnv* env, char* key, ERL_NIF_TERM *listcell, OSSL_PARAM *dest);
+ #endif
+diff --git a/lib/crypto/c_src/ec.c b/lib/crypto/c_src/ec.c
+index 852f3ba79c..af5f5d6f4a 100644
+--- a/lib/crypto/c_src/ec.c
++++ b/lib/crypto/c_src/ec.c
+@@ -189,15 +189,8 @@ int get_curve_definition(ErlNifEnv* env, ERL_NIF_TERM *ret, ERL_NIF_TERM def,
+         } else
+             assign_goto(*ret, err, EXCP_ERROR_N(env, 1, "Bad last field"));
+ 
+-        {
+-            ErlNifBinary tmp;
+-                        
+-            if (!enif_inspect_binary(env, bin_from_bn(env,p), &tmp) || // Allocate buf
+-                BN_bn2nativepad(p, tmp.data, tmp.size) < 0) {// Fill with BN in right endianity
+-                assign_goto(*ret, err, EXCP_ERROR_N(env, 1, "BN padding failed"));
+-            }
+-            params[(*i)++] = OSSL_PARAM_construct_BN("p", tmp.data, tmp.size);
+-        }
++        if (!get_ossl_BN_param_from_bn(env, "p", p, &params[(*i)++]))
++            assign_goto(*ret, err, EXCP_ERROR_N(env, 1, "BN padding failed"));
+ #  endif
+     }
+     else

otp-0015-crypto-Re-enable-FIPS_SUPPORT-for-HAS_3_0_API.patch

@@ -0,0 +1,22 @@
+From: Sverker Eriksson <sverker@erlang.org>
+Date: Wed, 7 Jun 2023 20:38:11 +0200
+Subject: [PATCH] crypto: Re-enable FIPS_SUPPORT for HAS_3_0_API
+
+
+diff --git a/lib/crypto/c_src/openssl_config.h b/lib/crypto/c_src/openssl_config.h
+index 647ab25ad4..e7a0366771 100644
+--- a/lib/crypto/c_src/openssl_config.h
++++ b/lib/crypto/c_src/openssl_config.h
+@@ -452,12 +452,6 @@ do {                                                    \
+ # undef FIPS_SUPPORT
+ #endif
+ 
+-/* Disable FIPS for 3.0 temporaryly until the support is added */
+-#if defined(FIPS_SUPPORT) &&                                            \
+-    defined(HAS_3_0_API)
+-# undef FIPS_SUPPORT
+-#endif
+-
+ #if defined(FIPS_SUPPORT) && \
+     defined(HAS_3_0_API)
+ # define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL)

otp-0016-crypto-Fix-FIPS-bug-in-check_pkey_algorithm_type.patch

@@ -0,0 +1,18 @@
+From: Sverker Eriksson <sverker@erlang.org>
+Date: Mon, 12 Jun 2023 17:14:19 +0200
+Subject: [PATCH] crypto: Fix FIPS bug in check_pkey_algorithm_type
+
+
+diff --git a/lib/crypto/c_src/pkey.c b/lib/crypto/c_src/pkey.c
+index bfdcfe3553..afdff78f48 100644
+--- a/lib/crypto/c_src/pkey.c
++++ b/lib/crypto/c_src/pkey.c
+@@ -100,7 +100,7 @@ static int check_pkey_algorithm_type(ErlNifEnv *env,
+         
+ 
+ #ifdef HAVE_EDDSA
+-    if (FIPS_MODE())
++    if (FIPS_MODE() && algorithm == atom_eddsa)
+         assign_goto(*err_return, err, EXCP_NOTSUP_N(env, alg_arg_num, "Unsupported algorithm in FIPS mode"));
+ #endif    
+ 

otp-0017-crypto_SUITE-Change-to-longer-dss-keys-acceptable-to.patch

@@ -0,0 +1,28 @@
+From: Sverker Eriksson <sverker@erlang.org>
+Date: Tue, 13 Jun 2023 18:58:31 +0200
+Subject: [PATCH] crypto_SUITE: Change to longer dss keys acceptable to FIPS
+
+
+diff --git a/lib/crypto/test/crypto_SUITE.erl b/lib/crypto/test/crypto_SUITE.erl
+index ffa08bcbe3..ecb3882305 100644
+--- a/lib/crypto/test/crypto_SUITE.erl
++++ b/lib/crypto/test/crypto_SUITE.erl
+@@ -3550,13 +3550,13 @@ rsa_private_stronger() ->
+ dss_plain() ->
+     rsa_plain().
+ dss_public() ->
+-    25854665488880835237281628794585130313500176551981812527054397586638455298000483144002221850980183404910190346416063318160497344811383498859129095184158800144312512447497510551471331451396405348497845813002058423110442376886564659959543650802132345311573634832461635601376738282831340827591903548964194832978.
++    16#289ff18c32a56bb0b8839370647683a38a5a7e291410b93207212adc8088d30f93e9e4abc523f3d46936e7d5c90d88742b36afd37563408f15c8c1a4f7ac24bf05f01008ffee70c8825d57c3a9308bad8a095af2b53b2dda3cbed846d95e301eb9b84766415d11f6c33209a0d28571096ab04a79aa0dc465997529686b68e887cd8a205c2dc8195aef0422eba9979f549ac85548e419413643b7244361153ada1480d238cd00dc16527938955548dd5d027ded1029eeeb8ed6c61b4cd59341d8b15466e9da890a989996f4d7691e6072de136af28b5874bf08bd1f8a60cfb1c00888132909f515e04bce81b02951aa41baac68ffdb8c5dc77a1d32d8f2c10dd7.
+ dss_private() ->
+-    441502407453038284293378221372000880210588566361.  
++    16#6132e551cdac88409183bd37ee1452cd247d4834b08814b275be3ff5.
+ dss_params() ->
+-    [109799869232806890760655301608454668257695818999841877165019612946154359052535682480084145133201304812979481136659521529774182959764860329095546511521488413513097576425638476458000255392402120367876345280670101492199681798674053929238558140260669578407351853803102625390950534052428162468100618240968893110797,
+-     1349199015905534965792122312016505075413456283393,
+-     18320614775012672475365915366944922415598782131828709277168615511695849821411624805195787607930033958243224786899641459701930253094446221381818858674389863050420226114787005820357372837321561754462061849169568607689530279303056075793886577588606958623645901271866346406773590024901668622321064384483571751669].
++    [16#f2d39ed3062b13c916273600a0f2a029e86d7a4b9217b4f1815bf2b24d9710a57ab33f997294b014585b8d0198dfdccbcd75314da5ff85aa344b45adaeaa979b51a312a7bfa94472fb633f1a6f156bb4458867dfd38403f06b851f00fe2d3484077bded71ab7513d04a140220575fb693395480e4c8402b7a46cec2d37a778c305accd1f13e9f62e865315f4b22cc467c8986ec8e4961ddf810566b0c4ee369ac6aa15e43f4744005826f5bde8071a19e30b6909aac4b3d174237270dad02799d09b8a2cc5f22e66894b5422228b2c234f11f5a771c5b89cf465a2acecbbeeaa1725fe8f9b59422be8991052cb556ddf2c8ce8fa9206dbf39feadc194e00f8e5,
++     16#8000000000000000c118f49835e4ef733c4d15800fcf059e884d31b1,
++     16#e3a93c09da6f560e4d483a382a4c546f2335c36a4c35ac1463c08a3e6dd415df56fdc537f25fd5372be63e4f5300780b782f1acd01c8b4eb33414615fd0ea82573acba7ef83f5a943854151afc2d7dfe121fb8cd03335b065b549c5dcc606be9052483bc284e12ac3c8dba09b426e08402030e70bc1cc2bf8957c4ba0630f3f32ad689389ac47443176063f247d9e2296b3ea5b5bc2335828ea1a080ed35918dee212fd031279d1b894f01afec523833669eac031a420e540ba1320a59c424a3e5849a460a56bcb001647885b1433c4f992971746bfe2977ce7259c550b551a6c35761e4a41af764e8d92132fcc0a59d1684eab90d863f29f41cf7578faa908c].
+ 
+ ec_key_named() ->
+     Curve = hd(crypto:ec_curves()),

otp-0018-crypto_SUITE-Remove-sha-1-as-hash-for-dss-if-FIPS.patch

@@ -0,0 +1,33 @@
+From: Sverker Eriksson <sverker@erlang.org>
+Date: Tue, 13 Jun 2023 19:00:31 +0200
+Subject: [PATCH] crypto_SUITE: Remove sha-1 as hash for dss if FIPS
+
+
+diff --git a/lib/crypto/test/crypto_SUITE.erl b/lib/crypto/test/crypto_SUITE.erl
+index ecb3882305..0f2d223b6b 100644
+--- a/lib/crypto/test/crypto_SUITE.erl
++++ b/lib/crypto/test/crypto_SUITE.erl
+@@ -2230,15 +2230,19 @@ group_config(dss = Type, Config) ->
+     Public = dss_params() ++ [dss_public()], 
+     Private = dss_params() ++ [dss_private()], 
+     SupportedHashs = proplists:get_value(hashs, crypto:supports(), []),
+-    DssHashs = 
++    DssHashs0 =
+         case crypto:info_lib() of
+             [{<<"OpenSSL">>,LibVer,_}] when is_integer(LibVer), LibVer > 16#10001000 ->
+-                [sha, sha224, sha256, sha384, sha512];
++                [sha224, sha256, sha384, sha512];
+             [{<<"OpenSSL">>,LibVer,_}] when is_integer(LibVer), LibVer > 16#10000000 ->
+-                [sha, sha224, sha256];
++                [sha224, sha256];
+             _Else ->
+-                [sha]
++                []
+         end,
++    DssHashs = case crypto:info_fips() of
++                   enabled -> DssHashs0;
++                   _ -> [sha | DssHashs0]
++               end,
+     SignVerify = [{Type, Hash, Public, Private, Msg} 
+                   || Hash <- DssHashs,
+                      lists:member(Hash, SupportedHashs)],

otp-0019-crypto_SUITE-Remove-md5-ripemd160-and-sha-as-hash-fo.patch

@@ -0,0 +1,24 @@
+From: Sverker Eriksson <sverker@erlang.org>
+Date: Tue, 13 Jun 2023 19:02:32 +0200
+Subject: [PATCH] crypto_SUITE: Remove md5, ripemd160 and sha as hash for rsa
+ sign if FIPS
+
+
+diff --git a/lib/crypto/test/crypto_SUITE.erl b/lib/crypto/test/crypto_SUITE.erl
+index 0f2d223b6b..15fd40be1d 100644
+--- a/lib/crypto/test/crypto_SUITE.erl
++++ b/lib/crypto/test/crypto_SUITE.erl
+@@ -2391,7 +2391,12 @@ rsa_sign_verify_tests(Config, Msg, Public, Private, PublicS, PrivateS, OptsToTry
+         end.
+ 
+ rsa_sign_verify_tests(Msg, Public, Private, PublicS, PrivateS, OptsToTry) ->
+-    gen_rsa_sign_verify_tests([md5, ripemd160, sha, sha224, sha256], Msg, Public, Private,
++    Hashs0 = [sha224, sha256],
++    Hashs = case crypto:info_fips() of
++                enabled -> Hashs0;
++                _ -> [md5, ripemd160, sha | Hashs0]
++            end,
++    gen_rsa_sign_verify_tests(Hashs, Msg, Public, Private,
+                               [undefined | OptsToTry]) ++
+ 	gen_rsa_sign_verify_tests([sha384, sha512], Msg, PublicS, PrivateS,
+                                   [undefined | OptsToTry]).

otp-0020-crypto-Try-generate-ec-key-by-name-if-possible.patch

@@ -0,0 +1,284 @@
+From: Sverker Eriksson <sverker@erlang.org>
+Date: Wed, 14 Jun 2023 22:00:35 +0200
+Subject: [PATCH] crypto: Try generate ec key by name if possible
+
+OpenSSL 3 FIPS does only accept named ec curves.
+
+So we try that first, and if it fails we retry
+with the params passed down by crypto.erl.
+
+diff --git a/lib/crypto/c_src/ec.c b/lib/crypto/c_src/ec.c
+index af5f5d6f4a..49e1da4fe4 100644
+--- a/lib/crypto/c_src/ec.c
++++ b/lib/crypto/c_src/ec.c
+@@ -28,7 +28,8 @@
+ 
+ int get_curve_definition(ErlNifEnv* env, ERL_NIF_TERM *ret, ERL_NIF_TERM def,
+                          OSSL_PARAM params[], int *i,
+-                         size_t *order_size)
++                         size_t *order_size,
++                         struct get_curve_def_ctx* gcd)
+ {
+     const ERL_NIF_TERM* curve;
+     int c_arity = -1;
+@@ -40,6 +41,7 @@ int get_curve_definition(ErlNifEnv* env, ERL_NIF_TERM *ret, ERL_NIF_TERM def,
+     int arity = -1;
+     const ERL_NIF_TERM* curve_tuple;
+ 
++
+     /* Here are two random curve definition examples, one prime_field and
+        one characteristic_two_field. Both are from the crypto/src/crypto_ec_curves.erl.
+ 
+@@ -79,6 +81,23 @@ int get_curve_definition(ErlNifEnv* env, ERL_NIF_TERM *ret, ERL_NIF_TERM def,
+         c_arity != 5)
+         assign_goto(*ret, err, EXCP_ERROR_N(env, 1, "Bad curve def. Expect 5-tuple."));
+ 
++    if (gcd->use_curve_name
++        && curve_tuple[1] != atom_undefined
++        && enif_get_atom(env, curve_tuple[1], gcd->curve_name,
++                         sizeof(gcd->curve_name), ERL_NIF_LATIN1)) {
++        ErlNifBinary order_bin;
++        params[(*i)++] = OSSL_PARAM_construct_utf8_string("group", gcd->curve_name, 0);
++
++        if (order_size) {
++            if (!enif_inspect_binary(env, curve[3], &order_bin))
++                assign_goto(*ret, err, EXCP_ERROR_N(env, 1, "Bad order"));
++            *order_size = order_bin.size;
++        }
++        gcd->use_curve_name = 1;
++        return 1;
++    }
++    gcd->use_curve_name = 0;
++
+     if (!get_ossl_octet_string_param_from_bin(env, "generator", curve[2], &params[(*i)++]))
+         assign_goto(*ret, err, EXCP_ERROR_N(env, 1, "Bad Generator (Point)"));
+ 
+@@ -211,6 +230,7 @@ int get_ec_public_key(ErlNifEnv* env, ERL_NIF_TERM key, EVP_PKEY **pkey)
+     int tpl_arity;
+     int i = 0;
+     OSSL_PARAM params[15];
++    struct get_curve_def_ctx gcd;
+     EVP_PKEY_CTX *pctx = NULL;
+     
+     if (!enif_get_tuple(env, key, &tpl_arity, &tpl_terms) ||
+@@ -222,19 +242,27 @@ int get_ec_public_key(ErlNifEnv* env, ERL_NIF_TERM key, EVP_PKEY **pkey)
+     if (!get_ossl_octet_string_param_from_bin(env, "pub",  tpl_terms[1], &params[i++]))
+         assign_goto(ret, err, EXCP_BADARG_N(env, 0, "Bad public key"));
+ 
+-    if (!get_curve_definition(env, &ret, tpl_terms[0], params, &i, NULL))
++    if (!(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)))
++        assign_goto(ret, err, EXCP_ERROR(env, "Can't make EVP_PKEY_CTX"));
++
++    gcd.use_curve_name = 1;
++retry_without_name:
++    if (!get_curve_definition(env, &ret, tpl_terms[0], params, &i, NULL, &gcd))
+         goto err;
+ 
+     params[i++] = OSSL_PARAM_construct_end();
+ 
+-    if (!(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)))
+-        assign_goto(ret, err, EXCP_ERROR(env, "Can't make EVP_PKEY_CTX"));
+-
+     if (EVP_PKEY_fromdata_init(pctx) <= 0)
+         assign_goto(ret, err, EXCP_ERROR(env, "Can't init fromdata"));
+     
+-    if (EVP_PKEY_fromdata(pctx, pkey, EVP_PKEY_PUBLIC_KEY, params) <= 0)
++    if (EVP_PKEY_fromdata(pctx, pkey, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
++        if (gcd.use_curve_name) {
++            gcd.use_curve_name = 0;
++            i = 1;
++            goto retry_without_name;
++        }
+         assign_goto(ret, err, EXCP_ERROR(env, "Can't do fromdata"));
++    }
+ 
+     if (!*pkey)
+         assign_goto(ret, err, EXCP_ERROR(env, "Couldn't get a public key"));
+@@ -256,24 +284,33 @@ static int get_ec_private_key_2(ErlNifEnv* env,
+ {
+     int i = 0;
+     OSSL_PARAM params[15];
++    struct get_curve_def_ctx gcd;
+     EVP_PKEY_CTX *pctx = NULL;
+ 
+     if (!get_ossl_BN_param_from_bin(env, "priv",  key, &params[i++]))
+         assign_goto(*ret, err, EXCP_BADARG_N(env, 0, "Bad private key"));
+ 
+-    if (!get_curve_definition(env, ret, curve, params, &i, order_size))
++    if (!(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)))
++        assign_goto(*ret, err, EXCP_ERROR(env, "Can't make EVP_PKEY_CTX"));
++
++    gcd.use_curve_name = 1;
++retry_without_name:
++    if (!get_curve_definition(env, ret, curve, params, &i, order_size, &gcd))
+         goto err;
+ 
+     params[i++] = OSSL_PARAM_construct_end();
+ 
+-    if (!(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)))
+-        assign_goto(*ret, err, EXCP_ERROR(env, "Can't make EVP_PKEY_CTX"));
+-
+     if (EVP_PKEY_fromdata_init(pctx) <= 0)
+         assign_goto(*ret, err, EXCP_ERROR(env, "Can't init fromdata"));
+     
+-    if (EVP_PKEY_fromdata(pctx, pkey, EVP_PKEY_KEYPAIR, params) <= 0)
++    if (EVP_PKEY_fromdata(pctx, pkey, EVP_PKEY_KEYPAIR, params) <= 0) {
++        if (gcd.use_curve_name) {
++            gcd.use_curve_name = 0;
++            i = 1;
++            goto retry_without_name;
++        }
+         assign_goto(*ret, err, EXCP_ERROR(env, "Can't do fromdata"));
++    }
+ 
+     if (!*pkey)
+         assign_goto(*ret, err, EXCP_ERROR(env, "Couldn't get a private key"));
+@@ -316,9 +353,10 @@ ERL_NIF_TERM ec_generate_key_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM ar
+     ERL_NIF_TERM ret = atom_undefined;
+     int i = 0;
+     OSSL_PARAM params[15];
++    struct get_curve_def_ctx gcd;
+     EVP_PKEY_CTX *pctx = NULL;
+     EVP_PKEY *pkey = NULL, *peer_pkey = NULL;
+-    size_t sz, order_size;
++    size_t sz, order_size = 0;
+     BIGNUM *priv_bn = NULL;
+     ErlNifBinary pubkey_bin;
+     
+@@ -338,26 +376,36 @@ ERL_NIF_TERM ec_generate_key_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM ar
+         }
+     else
+         {
++            /* Neither the private nor the public key is known, so we generate the pair: */
++            if (!(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)))
++                assign_goto(ret, err, EXCP_ERROR(env, "Can't EVP_PKEY_CTX_new_from_name"));
++
++            gcd.use_curve_name = 1;
++    retry_without_name:
+             /* PrivKey (that is, argv[1]) == atom_undefined */
+-            if (!get_curve_definition(env, &ret, argv[0], params, &i, &order_size))
++            if (!get_curve_definition(env, &ret, argv[0], params, &i,
++                                      &order_size, &gcd))
+                 // INSERT "ret" parameter in get_curve_definition !!
+                 assign_goto(ret, err, EXCP_BADARG_N(env, 0, "Couldn't get Curve definition"));
+     
+             params[i++] = OSSL_PARAM_construct_end();
+ 
+-            /* Neither the private nor the public key is known, so we generate the pair: */
+-            if (!(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)))
+-                assign_goto(ret, err, EXCP_ERROR(env, "Can't EVP_PKEY_CTX_new_from_name"));
+-
+             if (EVP_PKEY_keygen_init(pctx) <= 0)
+                 assign_goto(ret, err, EXCP_ERROR(env, "Can't EVP_PKEY_keygen_init"));
+ 
+             if (!EVP_PKEY_CTX_set_params(pctx, params))
+                 assign_goto(ret, err, EXCP_ERROR(env, "Can't EVP_PKEY_CTX_set_params"));
+-        
+-            if (!EVP_PKEY_generate(pctx, &pkey))
++
++            if (!EVP_PKEY_generate(pctx, &pkey)) {
++                if (gcd.use_curve_name) {
++                    gcd.use_curve_name = 0;
++                    i = 0;
++                    goto retry_without_name;
++                }
+                 assign_goto(ret, err, EXCP_ERROR(env, "Couldn't generate EC key"));
+-    
++            }
++
++
+             /* Get the two keys, pub as binary and priv as BN */
+             if (!EVP_PKEY_get_octet_string_param(pkey, "encoded-pub-key", NULL, 0, &sz))
+                 assign_goto(ret, err, EXCP_ERROR(env, "Can't get pub octet string size"));
+@@ -375,6 +423,8 @@ ERL_NIF_TERM ec_generate_key_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM ar
+                 assign_goto(ret, err, EXCP_BADARG_N(env, 1, "Couldn't get priv key bytes"));
+         }
+ 
++    if (order_size == 0)
++        order_size = BN_num_bytes(priv_bn);
+     ret = enif_make_tuple2(env,
+                            enif_make_binary(env, &pubkey_bin),
+                            bn2term(env, order_size, priv_bn));
+diff --git a/lib/crypto/c_src/ec.h b/lib/crypto/c_src/ec.h
+index e53986d64e..f0b0b96207 100644
+--- a/lib/crypto/c_src/ec.h
++++ b/lib/crypto/c_src/ec.h
+@@ -26,9 +26,17 @@
+ #if defined(HAVE_EC)
+ 
+ # if defined(HAS_3_0_API)
++
++struct get_curve_def_ctx
++{
++    char curve_name[20];
++    int use_curve_name;
++};
++
+ int get_curve_definition(ErlNifEnv* env, ERL_NIF_TERM *ret, ERL_NIF_TERM def,
+                          OSSL_PARAM params[], int *i,
+-                         size_t *order_size);
++                         size_t *order_size,
++                         struct get_curve_def_ctx*);
+ # endif /* HAS_3_0_API */
+ 
+ # if ! defined(HAS_3_0_API)
+diff --git a/lib/crypto/c_src/ecdh.c b/lib/crypto/c_src/ecdh.c
+index 7509d9cb84..f1b0f7eb28 100644
+--- a/lib/crypto/c_src/ecdh.c
++++ b/lib/crypto/c_src/ecdh.c
+@@ -42,6 +42,7 @@ ERL_NIF_TERM ecdh_compute_key_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM a
+     int ret_bin_alloc = 0;
+     int i = 0, i_key = 0;
+     OSSL_PARAM params[15];
++    struct get_curve_def_ctx gcd;
+     EVP_PKEY_CTX *own_pctx = NULL, *peer_pctx = NULL, *pctx_gen = NULL;
+     EVP_PKEY *own_pkey = NULL, *peer_pkey = NULL;
+     int err;
+@@ -53,21 +54,29 @@ ERL_NIF_TERM ecdh_compute_key_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM a
+     if (!get_ossl_octet_string_param_from_bin(env, "pub",  argv[0], &params[i++]))
+         assign_goto(ret, err, EXCP_BADARG_N(env, 0, "Bad peer public key; binary expected"));
+ 
++    /* Build the remote public key in peer_pkey */
++    peer_pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
++
++    gcd.use_curve_name = 1;
++retry_without_name:
+     /* Curve definition/name */
+-    if (!get_curve_definition(env, &ret, argv[1], params, &i, NULL))
++    if (!get_curve_definition(env, &ret, argv[1], params, &i, NULL, &gcd))
+         goto err;
+ 
+     /* End of params */
+     params[i++] = OSSL_PARAM_construct_end();
+ 
+-    /* Build the remote public key in peer_pkey */
+-    peer_pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
+-
+     if (EVP_PKEY_fromdata_init(peer_pctx) <= 0)
+         assign_goto(ret, err, EXCP_ERROR(env, "Can't init fromdata"));
+     
+-    if (EVP_PKEY_fromdata(peer_pctx, &peer_pkey, EVP_PKEY_PUBLIC_KEY, params) <= 0)
++    if (EVP_PKEY_fromdata(peer_pctx, &peer_pkey, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
++        if (gcd.use_curve_name) {
++            gcd.use_curve_name = 0;
++            i = 1;
++            goto retry_without_name;
++        }
+         assign_goto(ret, err, EXCP_ERROR(env, "Can't do fromdata"));
++    }
+ 
+     if (!peer_pkey)
+         assign_goto(ret, err, EXCP_ERROR(env, "No peer_pkey"));
+diff --git a/lib/crypto/test/crypto_SUITE.erl b/lib/crypto/test/crypto_SUITE.erl
+index 15fd40be1d..cf6ef5dde3 100644
+--- a/lib/crypto/test/crypto_SUITE.erl
++++ b/lib/crypto/test/crypto_SUITE.erl
+@@ -3568,7 +3568,7 @@ dss_params() ->
+      16#e3a93c09da6f560e4d483a382a4c546f2335c36a4c35ac1463c08a3e6dd415df56fdc537f25fd5372be63e4f5300780b782f1acd01c8b4eb33414615fd0ea82573acba7ef83f5a943854151afc2d7dfe121fb8cd03335b065b549c5dcc606be9052483bc284e12ac3c8dba09b426e08402030e70bc1cc2bf8957c4ba0630f3f32ad689389ac47443176063f247d9e2296b3ea5b5bc2335828ea1a080ed35918dee212fd031279d1b894f01afec523833669eac031a420e540ba1320a59c424a3e5849a460a56bcb001647885b1433c4f992971746bfe2977ce7259c550b551a6c35761e4a41af764e8d92132fcc0a59d1684eab90d863f29f41cf7578faa908c].
+ 
+ ec_key_named() ->
+-    Curve = hd(crypto:ec_curves()),
++    Curve = secp224r1, %hd(crypto:ec_curves()),
+     {D2_pub, D2_priv} = crypto:generate_key(ecdh, Curve),
+     {[D2_priv, Curve], [D2_pub, Curve]}.
+ 

otp-0021-crypto_SUITE-Skip-sha-1-sign-for-FIPS.patch

@@ -0,0 +1,59 @@
+From: Sverker Eriksson <sverker@erlang.org>
+Date: Thu, 15 Jun 2023 19:53:14 +0200
+Subject: [PATCH] crypto_SUITE: Skip sha-1 sign for FIPS
+
+
+diff --git a/lib/crypto/test/crypto_SUITE.erl b/lib/crypto/test/crypto_SUITE.erl
+index cf6ef5dde3..8a2dfef234 100644
+--- a/lib/crypto/test/crypto_SUITE.erl
++++ b/lib/crypto/test/crypto_SUITE.erl
+@@ -1257,6 +1257,12 @@ use_all_ec_sign_verify(_Config) ->
+                                                          crypto:info_fips(),
+                                                          Curves,
+                                                          Hashs]),
++    SkipHashs0 = [md4, md5, ripemd160, sha3_224, sha3_256, sha3_384, sha3_512,
++                  blake2b, blake2s],
++    SkipHashs = case crypto:info_fips() of
++                    enabled -> [sha | SkipHashs0];
++                    _ -> SkipHashs0
++                end,
+     Results =
+         [{{Curve,Hash},
+           try
+@@ -1271,7 +1277,7 @@ use_all_ec_sign_verify(_Config) ->
+                   {C,E}
+           end}
+          || Curve <- Curves -- [ed25519, ed448, x25519, x448, ipsec3, ipsec4],
+-            Hash <- Hashs -- [md4, md5, ripemd160, sha3_224, sha3_256, sha3_384, sha3_512, blake2b, blake2s]
++            Hash <- Hashs -- SkipHashs
+         ],
+     Fails =
+         lists:filter(fun({_,true}) -> false;
+@@ -1709,14 +1715,19 @@ do_sign_verify({Type, undefined=Hash, Private, Public, Msg, Signature}) ->
+     end;
+ 
+ do_sign_verify({Type, Hash, Public, Private, Msg}) ->
+-    Signature = crypto:sign(Type, Hash, Msg, Private),
+-    case crypto:verify(Type, Hash, Msg, Signature, Public) of
+-	true ->
+-            ct:log("OK crypto:sign(~p, ~p, ..., ..., ...)", [Type,Hash]),
+-	    negative_verify(Type, Hash, Msg, <<10,20>>, Public);
+-	false ->
+-            ct:log("ERROR crypto:sign(~p, ~p, ..., ..., ...)", [Type,Hash]),
+-	    ct:fail({{crypto, verify, [Type, Hash, Msg, Signature, Public]}})
++    case {Hash, crypto:info_fips()} of
++        {sha, enabled} ->
++            io:format("Skip sign with SHA for FIPS\n");
++        _ ->
++            Signature = crypto:sign(Type, Hash, Msg, Private),
++            case crypto:verify(Type, Hash, Msg, Signature, Public) of
++                true ->
++                    ct:log("OK crypto:sign(~p, ~p, ..., ..., ...)", [Type,Hash]),
++                    negative_verify(Type, Hash, Msg, <<10,20>>, Public);
++                false ->
++                    ct:log("ERROR crypto:sign(~p, ~p, ..., ..., ...)", [Type,Hash]),
++                    ct:fail({{crypto, verify, [Type, Hash, Msg, Signature, Public]}})
++            end
+     end;
+ do_sign_verify({Type, Hash, Public, Private, Msg, Options}) ->
+     LibVer =

otp-0022-crypto-Unalias-some-ec-curve-names.patch

@@ -0,0 +1,806 @@
+From: Sverker Eriksson <sverker@erlang.org>
+Date: Fri, 16 Jun 2023 16:55:41 +0200
+Subject: [PATCH] crypto: Unalias some ec curve names
+
+to pass OpenSSL the name it accepts.
+
+diff --git a/lib/crypto/src/crypto.erl b/lib/crypto/src/crypto.erl
+index 53cdc76830..9805d303f2 100644
+--- a/lib/crypto/src/crypto.erl
++++ b/lib/crypto/src/crypto.erl
+@@ -2346,14 +2346,12 @@ nif_curve_params(CurveName) when is_atom(CurveName) ->
+         x448   -> {evp,CurveName};
+         x25519 -> {evp,CurveName};
+         _ ->
+-            Spec =
+-                try
+-                    crypto_ec_curves:curve(CurveName)
+-                catch
+-                    _:_ ->
+-                        undefined
+-                end,
+-            {Spec, CurveName}
++            try
++                crypto_ec_curves:curve_with_name(CurveName)
++            catch
++                _:_ ->
++                    {undefined, CurveName}
++            end
+     end.
+ 
+ 
+diff --git a/lib/crypto/src/crypto_ec_curves.erl b/lib/crypto/src/crypto_ec_curves.erl
+index a0a2f99601..3f14c34a26 100644
+--- a/lib/crypto/src/crypto_ec_curves.erl
++++ b/lib/crypto/src/crypto_ec_curves.erl
+@@ -1,11 +1,22 @@
+ -module(crypto_ec_curves).
+ 
+--export([curve/1, curves/0]).
++-export([curve/1, curves/0, curve_with_name/1]).
+ 
+ curves() ->
+     proplists:get_value(curves,  crypto:supports()) -- [x25519,x448].
+ 
+-curve(secp112r1) ->
++real_name(secp192r1) -> prime192v1;
++real_name(secp256r1) -> prime256v1;
++real_name(Name) -> Name.
++
++curve_with_name(Curve) ->
++    RealName = real_name(Curve),
++    {params(RealName), RealName}.
++
++curve(Curve) ->
++    params(real_name(Curve)).
++
++params(secp112r1) ->
+     {
+      {prime_field, <<16#DB7C2ABF62E35E668076BEAD208B:112>>},                                        %% Prime
+      {<<16#DB7C2ABF62E35E668076BEAD2088:112>>,                                                      %% A
+@@ -18,7 +29,7 @@ curve(secp112r1) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(secp112r2) ->
++params(secp112r2) ->
+     {
+      {prime_field, <<16#DB7C2ABF62E35E668076BEAD208B:112>>},                                        %% Prime
+      {<<16#6127C24C05F38A0AAAF65C0EF02C:112>>,                                                      %% A
+@@ -31,7 +42,7 @@ curve(secp112r2) ->
+       <<16#04:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(secp128r1) ->
++params(secp128r1) ->
+     {
+      {prime_field, <<16#FFFFFFFDFFFFFFFFFFFFFFFFFFFFFFFF:128>>},                                    %% Prime
+      {<<16#FFFFFFFDFFFFFFFFFFFFFFFFFFFFFFFC:128>>,                                                  %% A
+@@ -44,7 +55,7 @@ curve(secp128r1) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(secp128r2) ->
++params(secp128r2) ->
+     {
+      {prime_field, <<16#FFFFFFFDFFFFFFFFFFFFFFFFFFFFFFFF:128>>},                                    %% Prime
+      {<<16#D6031998D1B3BBFEBF59CC9BBFF9AEE1:128>>,                                                  %% A
+@@ -57,7 +68,7 @@ curve(secp128r2) ->
+       <<16#04:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(secp160k1) ->
++params(secp160k1) ->
+     {
+      {prime_field, <<16#FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC73:160>>},                            %% Prime
+      {<<16#00:8>>,                                                                                  %% A
+@@ -70,7 +81,7 @@ curve(secp160k1) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(secp160r1) ->
++params(secp160r1) ->
+     {
+      {prime_field, <<16#FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF:160>>},                            %% Prime
+      {<<16#FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC:160>>,                                          %% A
+@@ -83,7 +94,7 @@ curve(secp160r1) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(secp160r2) ->
++params(secp160r2) ->
+     {
+      {prime_field, <<16#FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC73:160>>},                            %% Prime
+      {<<16#FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC70:160>>,                                          %% A
+@@ -96,20 +107,7 @@ curve(secp160r2) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(secp192r1) ->
+-    {
+-     {prime_field, <<16#FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF:192>>},                    %% Prime
+-     {<<16#FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC:192>>,                                  %% A
+-      <<16#64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1:192>>,                                  %% B
+-      <<16#3045AE6FC8422F64ED579528D38120EAE12196D5:160>>},                                         %% Seed
+-      <<16#04:8,
+-        16#188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012:192,                                    %% X(p0)
+-        16#07192B95FFC8DA78631011ED6B24CDD573F977A11E794811:192>>,                                  %% Y(p0)
+-      <<16#FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831:192>>,                                  %% Order
+-      <<16#01:8>>                                                                                   %% CoFactor
+-    };
+-
+-curve(secp192k1) ->
++params(secp192k1) ->
+     {
+      {prime_field, <<16#FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFEE37:192>>},                    %% Prime
+      {<<16#00:8>>,                                                                                  %% A
+@@ -122,7 +120,7 @@ curve(secp192k1) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(secp224k1) ->
++params(secp224k1) ->
+     {
+      {prime_field, <<16#FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFE56D:224>>},            %% Prime
+      {<<16#00:8>>,                                                                                  %% A
+@@ -135,7 +133,7 @@ curve(secp224k1) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(secp224r1) ->
++params(secp224r1) ->
+     {
+      {prime_field, <<16#FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001:224>>},            %% Prime
+      {<<16#FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE:224>>,                          %% A
+@@ -148,7 +146,7 @@ curve(secp224r1) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(secp256k1) ->
++params(secp256k1) ->
+     {
+      {prime_field, <<16#FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F:256>>},    %% Prime
+      {<<16#00:8>>,                                                                                  %% A
+@@ -161,20 +159,7 @@ curve(secp256k1) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(secp256r1) ->
+-    {
+-     {prime_field, <<16#FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF:256>>},    %% Prime
+-     {<<16#FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC:256>>,                  %% A
+-      <<16#5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B:256>>,                  %% B
+-      <<16#C49D360886E704936A6678E1139D26B7819F7E90:160>>},                                         %% Seed
+-      <<16#04:8,
+-        16#6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296:256,                    %% X(p0)
+-        16#4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5:256>>,                  %% Y(p0)
+-      <<16#FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551:256>>,                  %% Order
+-      <<16#01:8>>                                                                                   %% CoFactor
+-    };
+-
+-curve(secp384r1) ->
++params(secp384r1) ->
+     {
+      {prime_field, <<16#FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE:256,       %% Prime
+                      16#FFFFFFFF0000000000000000FFFFFFFF:128>>},
+@@ -193,7 +178,7 @@ curve(secp384r1) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(secp521r1) ->
++params(secp521r1) ->
+     {
+      {prime_field, <<16#01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:256,       %% Prime
+                      16#FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:256,
+@@ -218,7 +203,7 @@ curve(secp521r1) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(prime192v1) ->
++params(prime192v1) ->
+     {
+      {prime_field, <<16#FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF:192>>},                    %% Prime
+      {<<16#FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC:192>>,                                  %% A
+@@ -231,7 +216,7 @@ curve(prime192v1) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(prime192v2) ->
++params(prime192v2) ->
+     {
+      {prime_field, <<16#FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF:192>>},                    %% Prime
+      {<<16#FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC:192>>,                                  %% A
+@@ -244,7 +229,7 @@ curve(prime192v2) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(prime192v3) ->
++params(prime192v3) ->
+     {
+      {prime_field, <<16#FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF:192>>},                    %% Prime
+      {<<16#FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC:192>>,                                  %% A
+@@ -257,7 +242,7 @@ curve(prime192v3) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(prime239v1) ->
++params(prime239v1) ->
+     {
+      {prime_field, <<16#7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF:240>>},        %% Prime
+      {<<16#7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC:240>>,                      %% A
+@@ -270,7 +255,7 @@ curve(prime239v1) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(prime239v2) ->
++params(prime239v2) ->
+     {
+      {prime_field, <<16#7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF:240>>},        %% Prime
+      {<<16#7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC:240>>,                      %% A
+@@ -283,7 +268,7 @@ curve(prime239v2) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(prime239v3) ->
++params(prime239v3) ->
+     {
+      {prime_field, <<16#7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF:240>>},        %% Prime
+      {<<16#7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC:240>>,                      %% A
+@@ -296,7 +281,7 @@ curve(prime239v3) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(prime256v1) ->
++params(prime256v1) ->
+     {
+      {prime_field, <<16#FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF:256>>},    %% Prime
+      {<<16#FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC:256>>,                  %% A
+@@ -309,7 +294,7 @@ curve(prime256v1) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(sect113r1) ->
++params(sect113r1) ->
+     {
+      {characteristic_two_field, 113, {tpbasis,9}},
+      {<<16#3088250CA6E7C7FE649CE85820F7:112>>,                                                      %% A
+@@ -322,7 +307,7 @@ curve(sect113r1) ->
+       <<16#02:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(sect113r2) ->
++params(sect113r2) ->
+     {
+      {characteristic_two_field, 113, {tpbasis,9}},
+      {<<16#689918DBEC7E5A0DD6DFC0AA55C7:112>>,                                                      %% A
+@@ -335,7 +320,7 @@ curve(sect113r2) ->
+       <<16#02:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(sect131r1) ->
++params(sect131r1) ->
+     {
+      {characteristic_two_field, 131, {ppbasis,2,3,8}},
+      {<<16#07A11B09A76B562144418FF3FF8C2570B8:136>>,                                                %% A
+@@ -348,7 +333,7 @@ curve(sect131r1) ->
+       <<16#02:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(sect131r2) ->
++params(sect131r2) ->
+     {
+      {characteristic_two_field, 131, {ppbasis,2,3,8}},
+      {<<16#03E5A88919D7CAFCBF415F07C2176573B2:136>>,                                                %% A
+@@ -361,7 +346,7 @@ curve(sect131r2) ->
+       <<16#02:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(sect163k1) ->
++params(sect163k1) ->
+     {
+      {characteristic_two_field, 163, {ppbasis,3,6,7}},
+      {<<16#01:8>>,                                                                                  %% A
+@@ -374,7 +359,7 @@ curve(sect163k1) ->
+       <<16#02:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(sect163r1) ->
++params(sect163r1) ->
+     {
+      {characteristic_two_field, 163, {ppbasis,3,6,7}},
+      {<<16#07B6882CAAEFA84F9554FF8428BD88E246D2782AE2:168>>,                                        %% A
+@@ -387,7 +372,7 @@ curve(sect163r1) ->
+       <<16#02:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(sect163r2) ->
++params(sect163r2) ->
+     {
+      {characteristic_two_field, 163, {ppbasis,3,6,7}},
+      {<<16#01:8>>,                                                                                  %% A
+@@ -400,7 +385,7 @@ curve(sect163r2) ->
+       <<16#02:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(sect193r1) ->
++params(sect193r1) ->
+     {
+      {characteristic_two_field, 193, {tpbasis,15}},
+      {<<16#17858FEB7A98975169E171F77B4087DE098AC8A911DF7B01:192>>,                                  %% A
+@@ -413,7 +398,7 @@ curve(sect193r1) ->
+       <<16#02:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(sect193r2) ->
++params(sect193r2) ->
+     {
+      {characteristic_two_field, 193, {tpbasis,15}},
+      {<<16#0163F35A5137C2CE3EA6ED8667190B0BC43ECD69977702709B:200>>,                                %% A
+@@ -426,7 +411,7 @@ curve(sect193r2) ->
+       <<16#02:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(sect233k1) ->
++params(sect233k1) ->
+     {
+      {characteristic_two_field, 233, {tpbasis,74}},
+      {<<16#00:8>>,                                                                                  %% A
+@@ -439,7 +424,7 @@ curve(sect233k1) ->
+       <<16#04:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(sect233r1) ->
++params(sect233r1) ->
+     {
+      {characteristic_two_field, 233, {tpbasis,74}},
+      {<<16#01:8>>,                                                                                  %% A
+@@ -452,7 +437,7 @@ curve(sect233r1) ->
+       <<16#02:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(sect239k1) ->
++params(sect239k1) ->
+     {
+      {characteristic_two_field, 239, {tpbasis,158}},
+      {<<16#00:8>>,                                                                                  %% A
+@@ -465,7 +450,7 @@ curve(sect239k1) ->
+       <<16#04:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(sect283k1) ->
++params(sect283k1) ->
+     {
+      {characteristic_two_field, 283, {ppbasis,5,7,12}},
+      {<<16#00:8>>,                                                                                  %% A
+@@ -481,7 +466,7 @@ curve(sect283k1) ->
+       <<16#04:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(sect283r1) ->
++params(sect283r1) ->
+     {
+      {characteristic_two_field, 283, {ppbasis,5,7,12}},
+      {<<16#01:8>>,                                                                                  %% A
+@@ -498,7 +483,7 @@ curve(sect283r1) ->
+       <<16#02:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(sect409k1) ->
++params(sect409k1) ->
+     {
+      {characteristic_two_field, 409, {tpbasis,87}},
+      {<<16#00:8>>,                                                                                  %% A
+@@ -514,7 +499,7 @@ curve(sect409k1) ->
+       <<16#04:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(sect409r1) ->
++params(sect409r1) ->
+     {
+      {characteristic_two_field, 409, {tpbasis,87}},
+      {<<16#01:8>>,                                                                                  %% A
+@@ -531,7 +516,7 @@ curve(sect409r1) ->
+       <<16#02:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(sect571k1) ->
++params(sect571k1) ->
+     {
+      {characteristic_two_field, 571, {ppbasis,2,5,10}},
+      {<<16#00:8>>,                                                                                  %% A
+@@ -550,7 +535,7 @@ curve(sect571k1) ->
+       <<16#04:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(sect571r1) ->
++params(sect571r1) ->
+     {
+      {characteristic_two_field, 571, {ppbasis,2,5,10}},
+      {<<16#01:8>>,                                                                                  %% A
+@@ -571,7 +556,7 @@ curve(sect571r1) ->
+       <<16#02:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(c2pnb163v1) ->
++params(c2pnb163v1) ->
+     {
+      {characteristic_two_field, 163, {ppbasis,1,2,8}},
+      {<<16#072546B5435234A422E0789675F432C89435DE5242:168>>,                                        %% A
+@@ -584,7 +569,7 @@ curve(c2pnb163v1) ->
+       <<16#02:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(c2pnb163v2) ->
++params(c2pnb163v2) ->
+     {
+      {characteristic_two_field, 163, {ppbasis,1,2,8}},
+      {<<16#0108B39E77C4B108BED981ED0E890E117C511CF072:168>>,                                        %% A
+@@ -597,7 +582,7 @@ curve(c2pnb163v2) ->
+       <<16#02:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(c2pnb163v3) ->
++params(c2pnb163v3) ->
+     {
+      {characteristic_two_field, 163, {ppbasis,1,2,8}},
+      {<<16#07A526C63D3E25A256A007699F5447E32AE456B50E:168>>,                                        %% A
+@@ -610,7 +595,7 @@ curve(c2pnb163v3) ->
+       <<16#02:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(c2pnb176v1) ->
++params(c2pnb176v1) ->
+     {
+      {characteristic_two_field, 176, {ppbasis,1,2,43}},
+      {<<16#E4E6DB2995065C407D9D39B8D0967B96704BA8E9C90B:176>>,                                      %% A
+@@ -623,7 +608,7 @@ curve(c2pnb176v1) ->
+       <<16#FF6E:16>>                                                                                %% CoFactor
+     };
+ 
+-curve(c2tnb191v1) ->
++params(c2tnb191v1) ->
+     {
+      {characteristic_two_field, 191, {tpbasis,9}},
+      {<<16#2866537B676752636A68F56554E12640276B649EF7526267:192>>,                                  %% A
+@@ -636,7 +621,7 @@ curve(c2tnb191v1) ->
+       <<16#02:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(c2tnb191v2) ->
++params(c2tnb191v2) ->
+     {
+      {characteristic_two_field, 191, {tpbasis,9}},
+      {<<16#401028774D7777C7B7666D1366EA432071274F89FF01E718:192>>,                                  %% A
+@@ -649,7 +634,7 @@ curve(c2tnb191v2) ->
+       <<16#04:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(c2tnb191v3) ->
++params(c2tnb191v3) ->
+     {
+      {characteristic_two_field, 191, {tpbasis,9}},
+      {<<16#6C01074756099122221056911C77D77E77A777E7E7E77FCB:192>>,                                  %% A
+@@ -662,7 +647,7 @@ curve(c2tnb191v3) ->
+       <<16#06:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(c2pnb208w1) ->
++params(c2pnb208w1) ->
+     {
+      {characteristic_two_field, 208, {ppbasis,1,2,83}},
+      {<<16#00:8>>,                                                                                  %% A
+@@ -675,7 +660,7 @@ curve(c2pnb208w1) ->
+       <<16#FE48:16>>                                                                                %% CoFactor
+     };
+ 
+-curve(c2tnb239v1) ->
++params(c2tnb239v1) ->
+     {
+      {characteristic_two_field, 239, {tpbasis,36}},
+      {<<16#32010857077C5431123A46B808906756F543423E8D27877578125778AC76:240>>,                      %% A
+@@ -688,7 +673,7 @@ curve(c2tnb239v1) ->
+       <<16#04:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(c2tnb239v2) ->
++params(c2tnb239v2) ->
+     {
+      {characteristic_two_field, 239, {tpbasis,36}},
+      {<<16#4230017757A767FAE42398569B746325D45313AF0766266479B75654E65F:240>>,                      %% A
+@@ -701,7 +686,7 @@ curve(c2tnb239v2) ->
+       <<16#06:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(c2tnb239v3) ->
++params(c2tnb239v3) ->
+     {
+      {characteristic_two_field, 239, {tpbasis,36}},
+      {<<16#01238774666A67766D6676F778E676B66999176666E687666D8766C66A9F:240>>,                      %% A
+@@ -714,7 +699,7 @@ curve(c2tnb239v3) ->
+       <<16#0A:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(c2pnb272w1) ->
++params(c2pnb272w1) ->
+     {
+      {characteristic_two_field, 272, {ppbasis,1,3,56}},
+      {<<16#91A091F03B5FBA4AB2CCF49C4EDD220FB028712D42BE752B2C40094DBACDB586:256,                    %% A
+@@ -732,7 +717,7 @@ curve(c2pnb272w1) ->
+       <<16#FF06:16>>                                                                                %% CoFactor
+     };
+ 
+-curve(c2pnb304w1) ->
++params(c2pnb304w1) ->
+     {
+      {characteristic_two_field, 304, {ppbasis,1,2,11}},
+      {<<16#FD0D693149A118F651E6DCE6802085377E5F882D1B510B44160074C128807836:256,                    %% A
+@@ -750,7 +735,7 @@ curve(c2pnb304w1) ->
+       <<16#FE2E:16>>                                                                                %% CoFactor
+     };
+ 
+-curve(c2tnb359v1) ->
++params(c2tnb359v1) ->
+     {
+      {characteristic_two_field, 359, {tpbasis,68}},
+      {<<16#5667676A654B20754F356EA92017D946567C46675556F19556A04616B567D223:256,                    %% A
+@@ -768,7 +753,7 @@ curve(c2tnb359v1) ->
+       <<16#4C:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(c2pnb368w1) ->
++params(c2pnb368w1) ->
+     {
+      {characteristic_two_field, 368, {ppbasis,1,2,85}},
+      {<<16#E0D2EE25095206F5E2A4F9ED229F1F256E79A0E2B455970D8D0D865BD94778C5:256,                    %% A
+@@ -786,7 +771,7 @@ curve(c2pnb368w1) ->
+       <<16#FF70:16>>                                                                                %% CoFactor
+     };
+ 
+-curve(c2tnb431r1) ->
++params(c2tnb431r1) ->
+     {
+      {characteristic_two_field, 431, {tpbasis,120}},
+      {<<16#1A827EF00DD6FC0E234CAF046C6A5D8A85395B236CC4AD2CF32A0CADBDC9DDF6:256,                    %% A
+@@ -804,7 +789,7 @@ curve(c2tnb431r1) ->
+       <<16#2760:16>>                                                                                %% CoFactor
+     };
+ 
+-curve(wtls1) ->
++params(wtls1) ->
+     {
+      {characteristic_two_field, 113, {tpbasis,9}},
+      {<<16#01:8>>,                                                                                  %% A
+@@ -817,7 +802,7 @@ curve(wtls1) ->
+       <<16#02:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(wtls3) ->
++params(wtls3) ->
+     {
+      {characteristic_two_field, 163, {ppbasis,3,6,7}},
+      {<<16#01:8>>,                                                                                  %% A
+@@ -830,7 +815,7 @@ curve(wtls3) ->
+       <<16#02:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(wtls4) ->
++params(wtls4) ->
+     {
+      {characteristic_two_field, 113, {tpbasis,9}},
+      {<<16#3088250CA6E7C7FE649CE85820F7:112>>,                                                      %% A
+@@ -843,7 +828,7 @@ curve(wtls4) ->
+       <<16#02:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(wtls5) ->
++params(wtls5) ->
+     {
+      {characteristic_two_field, 163, {ppbasis,1,2,8}},
+      {<<16#072546B5435234A422E0789675F432C89435DE5242:168>>,                                        %% A
+@@ -856,7 +841,7 @@ curve(wtls5) ->
+       <<16#02:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(wtls6) ->
++params(wtls6) ->
+     {
+      {prime_field, <<16#DB7C2ABF62E35E668076BEAD208B:112>>},                                        %% Prime
+      {<<16#DB7C2ABF62E35E668076BEAD2088:112>>,                                                      %% A
+@@ -869,7 +854,7 @@ curve(wtls6) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(wtls7) ->
++params(wtls7) ->
+     {
+      {prime_field, <<16#FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC73:160>>},                            %% Prime
+      {<<16#FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC70:160>>,                                          %% A
+@@ -882,7 +867,7 @@ curve(wtls7) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(wtls8) ->
++params(wtls8) ->
+     {
+      {prime_field, <<16#FFFFFFFFFFFFFFFFFFFFFFFFFDE7:112>>},                                        %% Prime
+      {<<16#00:8>>,                                                                                  %% A
+@@ -895,7 +880,7 @@ curve(wtls8) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(wtls9) ->
++params(wtls9) ->
+     {
+      {prime_field, <<16#FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC808F:160>>},                            %% Prime
+      {<<16#00:8>>,                                                                                  %% A
+@@ -908,7 +893,7 @@ curve(wtls9) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(wtls10) ->
++params(wtls10) ->
+     {
+      {characteristic_two_field, 233, {tpbasis,74}},
+      {<<16#00:8>>,                                                                                  %% A
+@@ -921,7 +906,7 @@ curve(wtls10) ->
+       <<16#04:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(wtls11) ->
++params(wtls11) ->
+     {
+      {characteristic_two_field, 233, {tpbasis,74}},
+      {<<16#01:8>>,                                                                                  %% A
+@@ -934,7 +919,7 @@ curve(wtls11) ->
+       <<16#02:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(wtls12) ->
++params(wtls12) ->
+     {
+      {prime_field, <<16#FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001:224>>},            %% Prime
+      {<<16#FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE:224>>,                          %% A
+@@ -947,7 +932,7 @@ curve(wtls12) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(ipsec3) ->
++params(ipsec3) ->
+     {
+      {characteristic_two_field, 155, {tpbasis,62}},
+      {<<16#00:8>>,                                                                                  %% A
+@@ -960,7 +945,7 @@ curve(ipsec3) ->
+       <<16#03:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(ipsec4) ->
++params(ipsec4) ->
+     {
+      {characteristic_two_field, 185, {tpbasis,69}},
+      {<<16#00:8>>,                                                                                  %% A
+@@ -973,7 +958,7 @@ curve(ipsec4) ->
+       <<16#02:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(brainpoolP160r1) ->
++params(brainpoolP160r1) ->
+     {
+      {prime_field, <<16#E95E4A5F737059DC60DFC7AD95B3D8139515620F:160>>},                            %% Prime
+      {<<16#340E7BE2A280EB74E2BE61BADA745D97E8F7C300:160>>,                                          %% A
+@@ -986,7 +971,7 @@ curve(brainpoolP160r1) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(brainpoolP160t1) ->
++params(brainpoolP160t1) ->
+     {
+      {prime_field, <<16#E95E4A5F737059DC60DFC7AD95B3D8139515620F:160>>},                            %% Prime
+      {<<16#E95E4A5F737059DC60DFC7AD95B3D8139515620C:160>>,                                          %% A
+@@ -999,7 +984,7 @@ curve(brainpoolP160t1) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(brainpoolP192r1) ->
++params(brainpoolP192r1) ->
+     {
+      {prime_field, <<16#C302F41D932A36CDA7A3463093D18DB78FCE476DE1A86297:192>>},                    %% Prime
+      {<<16#6A91174076B1E0E19C39C031FE8685C1CAE040E5C69A28EF:192>>,                                  %% A
+@@ -1012,7 +997,7 @@ curve(brainpoolP192r1) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(brainpoolP192t1) ->
++params(brainpoolP192t1) ->
+     {
+      {prime_field, <<16#C302F41D932A36CDA7A3463093D18DB78FCE476DE1A86297:192>>},                    %% Prime
+      {<<16#C302F41D932A36CDA7A3463093D18DB78FCE476DE1A86294:192>>,                                  %% A
+@@ -1025,7 +1010,7 @@ curve(brainpoolP192t1) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(brainpoolP224r1) ->
++params(brainpoolP224r1) ->
+     {
+      {prime_field, <<16#D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF:224>>},            %% Prime
+      {<<16#68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43:224>>,                          %% A
+@@ -1038,7 +1023,7 @@ curve(brainpoolP224r1) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(brainpoolP224t1) ->
++params(brainpoolP224t1) ->
+     {
+      {prime_field, <<16#D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF:224>>},            %% Prime
+      {<<16#D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FC:224>>,                          %% A
+@@ -1051,7 +1036,7 @@ curve(brainpoolP224t1) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(brainpoolP256r1) ->
++params(brainpoolP256r1) ->
+     {
+      {prime_field, <<16#A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377:256>>},    %% Prime
+      {<<16#7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9:256>>,                  %% A
+@@ -1064,7 +1049,7 @@ curve(brainpoolP256r1) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(brainpoolP256t1) ->
++params(brainpoolP256t1) ->
+     {
+      {prime_field, <<16#A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377:256>>},    %% Prime
+      {<<16#A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5374:256>>,                  %% A
+@@ -1077,7 +1062,7 @@ curve(brainpoolP256t1) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(brainpoolP320r1) ->
++params(brainpoolP320r1) ->
+     {
+      {prime_field, <<16#D35E472036BC4FB7E13C785ED201E065F98FCFA6F6F40DEF4F92B9EC7893EC28:256,       %% Prime
+                      16#FCD412B1F1B32E27:64>>},
+@@ -1096,7 +1081,7 @@ curve(brainpoolP320r1) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(brainpoolP320t1) ->
++params(brainpoolP320t1) ->
+     {
+      {prime_field, <<16#D35E472036BC4FB7E13C785ED201E065F98FCFA6F6F40DEF4F92B9EC7893EC28:256,       %% Prime
+                      16#FCD412B1F1B32E27:64>>},
+@@ -1115,7 +1100,7 @@ curve(brainpoolP320t1) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(brainpoolP384r1) ->
++params(brainpoolP384r1) ->
+     {
+      {prime_field, <<16#8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB71123:256,       %% Prime
+                      16#ACD3A729901D1A71874700133107EC53:128>>},
+@@ -1134,7 +1119,7 @@ curve(brainpoolP384r1) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(brainpoolP384t1) ->
++params(brainpoolP384t1) ->
+     {
+      {prime_field, <<16#8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB71123:256,       %% Prime
+                      16#ACD3A729901D1A71874700133107EC53:128>>},
+@@ -1153,7 +1138,7 @@ curve(brainpoolP384t1) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(brainpoolP512r1) ->
++params(brainpoolP512r1) ->
+     {
+      {prime_field, <<16#AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330871:256,       %% Prime
+                      16#7D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3:256>>},
+@@ -1172,7 +1157,7 @@ curve(brainpoolP512r1) ->
+       <<16#01:8>>                                                                                   %% CoFactor
+     };
+ 
+-curve(brainpoolP512t1) ->
++params(brainpoolP512t1) ->
+     {
+      {prime_field, <<16#AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330871:256,       %% Prime
+                      16#7D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3:256>>},

otp-0023-crypto_SUITE-Skip-ec-curves-with-224-bits-if-FIPS.patch

@@ -0,0 +1,78 @@
+From: Sverker Eriksson <sverker@erlang.org>
+Date: Fri, 16 Jun 2023 19:31:34 +0200
+Subject: [PATCH] crypto_SUITE: Skip ec curves with < 224 bits if FIPS
+
+
+diff --git a/lib/crypto/test/crypto_SUITE.erl b/lib/crypto/test/crypto_SUITE.erl
+index 8a2dfef234..e3835b4d8b 100644
+--- a/lib/crypto/test/crypto_SUITE.erl
++++ b/lib/crypto/test/crypto_SUITE.erl
+@@ -1245,8 +1245,19 @@ no_generate_compute(Config) when is_list(Config) ->
+ compute() ->
+      [{doc, " Test crypto:compute_key"}].
+ compute(Config) when is_list(Config) ->
+-    Gen = proplists:get_value(compute, Config),
++    Gen0 = proplists:get_value(compute, Config),
++    Gen = case crypto:info_fips() of
++              enabled ->
++                  SkipCurves = [secp192r1],
++                  lists:filter(fun({_,_,_,Curve,_}) ->
++                                       not lists:member(Curve,SkipCurves)
++                               end,
++                               Gen0);
++              _ ->
++                  Gen0
++    end,
+     lists:foreach(fun do_compute/1, Gen).
++
+ %%--------------------------------------------------------------------
+ use_all_ec_sign_verify(_Config) ->
+     Msg = <<"hello world!">>,
+@@ -1259,10 +1270,17 @@ use_all_ec_sign_verify(_Config) ->
+                                                          Hashs]),
+     SkipHashs0 = [md4, md5, ripemd160, sha3_224, sha3_256, sha3_384, sha3_512,
+                   blake2b, blake2s],
+-    SkipHashs = case crypto:info_fips() of
+-                    enabled -> [sha | SkipHashs0];
+-                    _ -> SkipHashs0
+-                end,
++    SkipCurves0 = [ed25519, ed448, x25519, x448, ipsec3, ipsec4],
++
++    {SkipHashs, SkipCurves}
++        = case crypto:info_fips() of
++              enabled ->
++                  {[sha | SkipHashs0],
++                   [secp192r1, prime192v1, sect163k1, sect163r2]};
++              _ ->
++                  {SkipHashs0, SkipCurves0}
++          end,
++
+     Results =
+         [{{Curve,Hash},
+           try
+@@ -1276,7 +1294,7 @@ use_all_ec_sign_verify(_Config) ->
+               C:E ->
+                   {C,E}
+           end}
+-         || Curve <- Curves -- [ed25519, ed448, x25519, x448, ipsec3, ipsec4],
++         || Curve <- Curves -- SkipCurves,
+             Hash <- Hashs -- SkipHashs
+         ],
+     Fails =
+@@ -1305,7 +1323,15 @@ use_all_ec_sign_verify(_Config) ->
+ 
+ %%--------------------------------------------------------------------
+ use_all_ecdh_generate_compute(Config) ->
+-    Curves = crypto:supports(curves) -- [ed25519, ed448, x25519, x448],
++    SkipCurves0 = [ed25519, ed448, x25519, x448],
++    SkipCurves =
++        case crypto:info_fips() of
++            enabled ->
++                [secp192r1, prime192v1, sect163k1, sect163r2 | SkipCurves0];
++            _ ->
++                SkipCurves0
++        end,
++    Curves = crypto:supports(curves) -- SkipCurves,
+     do_dh_curves(Config, Curves).
+ 
+ use_all_eddh_generate_compute(Config) ->

otp-0024-crypto_SUITE-Fix-safe-primes-for-DH-with-FIPS.patch

@@ -0,0 +1,37 @@
+From: Sverker Eriksson <sverker@erlang.org>
+Date: Tue, 20 Jun 2023 14:50:27 +0200
+Subject: [PATCH] crypto_SUITE: Fix safe primes for DH with FIPS
+
+FIPs on OpenSSL 3 seems to demand P to be a safe prime
+where Q = (P-1)/2 is also prime.
+
+diff --git a/lib/crypto/test/crypto_SUITE.erl b/lib/crypto/test/crypto_SUITE.erl
+index e3835b4d8b..147cc4809d 100644
+--- a/lib/crypto/test/crypto_SUITE.erl
++++ b/lib/crypto/test/crypto_SUITE.erl
+@@ -1209,6 +1209,15 @@ generate_compute(Config) when is_list(Config) ->
+ compute_bug() ->
+     [{doc, "Test that it works even if the Secret is smaller than expected"}].
+ compute_bug(_Config) ->
++    case crypto:info_fips() of
++        enabled ->
++            %% FIPs on OpenSSL 3 seems to demand P to be a safe prime
++            %% where Q = (P-1)/2 is also prime.
++            skip;
++        _ -> do_compute_bug()
++    end.
++
++do_compute_bug() ->
+     ExpectedSecret = <<118,89,171,16,156,18,156,103,189,134,130,49,28,144,111,241,247,82,79,32,228,11,209,141,119,176,251,80,105,143,235,251,203,121,223,211,129,3,233,133,45,2,31,157,24,111,5,75,153,66,135,185,128,115,229,178,216,39,73,52,80,151,8,241,34,52,226,71,137,167,53,48,59,224,175,154,89,110,76,83,24,117,149,21,72,6,186,78,149,74,188,56,98,244,30,77,108,248,88,194,195,237,23,51,20,242,254,123,21,12,209,74,217,168,230,65,7,60,211,139,128,239,234,153,22,229,180,59,159,121,41,156,121,200,177,130,163,162,54,224,93,1,94,11,177,254,118,28,156,26,116,10,207,145,219,166,214,189,214,230,221,170,228,15,69,88,31,68,94,255,113,58,49,82,86,192,248,176,131,133,39,186,194,172,206,84,184,16,66,68,153,128,178,227,27,118,52,130,122,92,24,222,102,195,221,207,255,13,152,175,65,32,167,84,54,244,243,109,244,18,234,16,159,224,188,2,106,123,27,17,131,171,226,34,111,251,62,119,155,124,221,124,254,62,97,167,1,105,116,98,98,19,197,30,72,180,79,221,100,134,120,117,124,85,73,132,224,223,222,41,155,137,218,130,238,237,157,161,134,150,69,206,91,141,17,89,120,218,235,229,37,150,76,197,7,157,56,144,42,203,137,100,200,72,141,194,239,1,67,236,238,183,48,214,75,76,108,235,3,237,67,40,137,45,182,236,246,37,116,103,144,237,142,211,88,233,11,24,21,218,41,245,250,51,130,250,104,74,189,17,69,145,70,50,50,215,253,155,10,128,41,114,185,211,82,164,72,92,17,145,104,66,6,140,226,80,43,62,1,166,216,153,118,96,15,147,126,137,118,191,192,75,149,241,206,18,92,17,154,215,219,18,6,139,190,103,210,156,184,29,224,213,157,60,112,189,104,220,125,40,186,50,119,17,143,136,149,38,74,107,21,192,59,61,59,42,231,144,59,175,3,176,87,23,16,122,54,31,82,34,230,211,44,81,41,47,86,37,228,175,130,148,88,136,131,254,241,202,99,199,175,1,141,215,124,155,120,43,141,89,11,140,120,141,29,35,82,219,155,204,75,12,66,241,253,33,250,84,24,85,68,13,80,85,142,227,34,139,26,146,24>>,
+     OthersPublicKey = 635619632099733175381667940709387641100492974601603060984753028943194386334921787463327680809776598322996634648015962954045728174069768874873236397421720142610982770302060309928552098274817978606093380781524199673890631795310930242601197479471368910519338301177304682162189801040921618559902948819107531088646753320486728060005223263561551402855338732899079439899705951063999951507319258050864346087428042978411873495523439615429804957374639092580169417598963105885529553632847023899713490485619763926900318508906706745060947269748612049634207985438016935262521715769812475329234748426647554362991758104620357149045960316987533503707855364806010494793980069245562784050236811004893018183726397041999426883788660276453352521120006817370050691205529335316794439089316232980047277245051173281601960196573681285904611182521967067911862467395705665888521948321299521549941618586026714676885890192323289343756440666276226084448279082483536164085883288884231665240707495770544705648564889889198060417915693315346959170105413290799314390963124178046425737828369059171472978294050322371452255088799865552038756937873388385970088906560408959959429398326288750834357514847891423941047433478384621074116184703014798814515161475596555032391555842,
+     MyPrivateKey = 387759582879975726965038486537011291913744975764132199838375902680222019267527675651273586836110220500657652661706223760165097275862806031329642160439090779625708664007910974206651834216043397115514725827856461492311499129200688538220719685637154290305617686974719521885238198226075381217068175824097878445476010193039590876624464274744156624589136789060427283492343902761765833713520850870233407503430180028104167029073459918756981323130062648615262139444306321256382009848217866984408901761817655567071716275177768316006340055589170095799943481591033461616307776069027985761229636731465482676467627154100912586936231051371168178564599296638350391246393336702334311781595616786107810962134407697848002331639021101685320844880636050048769216986088652236979636019052557155807310341483407890060105599892252118584570558049301477535792498672552850760356632076013402382600669875697284264329434950712239302528367835155163504374877787288116104285944993818319105835423479332617802010952731990182088670508346704423006877514817882782443833997288652405892920173712497948376815825396272381214976859009518623799156300136570204539240675245115597412280078940442452936425561984312708387584800789375684525365060589104566195610526570099527133097201479,
+@@ -4276,8 +4285,7 @@ ecdh() ->
+         ).
+ 
+ dh() ->
+-    {dh, 90970053988169282502023478715631717259407236400413906591937635666709823903223997309250405131675572047545403771567755831138144089197560332757755059848492919215391041119286178688014693040542889497092308638580104031455627238700168892909539193174537248629499995652186913900511641708112112482297874449292467498403, 2}.
+-
++    {dh, 16#FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF97D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD65612433F51F5F066ED0856365553DED1AF3B557135E7F57C935984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE73530ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FBB96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB190B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F619172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD733BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA886B423861285C97FFFFFFFFFFFFFFFF, 2}.
+ 
+ 
+ rsa_oaep() ->

otp-0025-crypto-Skip-entire-engine_SUITE-if-notsup.patch

@@ -0,0 +1,53 @@
+From: Sverker Eriksson <sverker@erlang.org>
+Date: Tue, 20 Jun 2023 15:29:57 +0200
+Subject: [PATCH] crypto: Skip entire engine_SUITE if notsup
+
+
+diff --git a/lib/crypto/test/engine_SUITE.erl b/lib/crypto/test/engine_SUITE.erl
+index 8907d3968f..b2c25bdcae 100644
+--- a/lib/crypto/test/engine_SUITE.erl
++++ b/lib/crypto/test/engine_SUITE.erl
+@@ -136,20 +136,23 @@ groups() ->
+ 
+ 
+ init_per_suite(Config) ->
+-    try {os:type(), crypto:info_lib()} of
+-        {_, [{_,_, <<"OpenSSL 1.0.1s-freebsd  1 Mar 2016">>}]} ->
++    try {engine_supported(), os:type(), crypto:info_lib()} of
++        {false,_,[{_,_,OpenSSLversion}]} ->
++            {skip, "Engine not supported by " ++ OpenSSLversion};
++
++        {_,_, [{_,_, <<"OpenSSL 1.0.1s-freebsd  1 Mar 2016">>}]} ->
+             {skip, "Problem with engine on OpenSSL 1.0.1s-freebsd"};
+ 
+-        {_, [{_,_,<<"LibreSSL 2.1.",_/binary>>}]} ->
++        {_,_, [{_,_,<<"LibreSSL 2.1.",_/binary>>}]} ->
+             {skip, "Problem with engine on older LibreSSL 2.1.*"};
+ 
+-        {{unix,darwin}, _} ->
++        {_,{unix,darwin}, _} ->
+             {skip, "Engine unsupported on Darwin"};
+-        
+-        {{win32,_}, _} ->
++
++        {_,{win32,_}, _} ->
+             {skip, "Engine unsupported on Windows"};
+-        
+-        {OS, Res} ->
++
++        {_,OS, Res} ->
+             ct:log("crypto:info_lib() -> ~p\nos:type() -> ~p", [Res,OS]),
+             try crypto:start() of
+                 ok ->
+@@ -166,6 +169,11 @@ init_per_suite(Config) ->
+ end_per_suite(_Config) ->
+     ok.
+ 
++engine_supported() ->
++    try crypto:engine_list(), true
++    catch error:notsup -> false
++    end.
++
+ %%--------------------------------------------------------------------
+ init_per_group(engine_stored_key, Config) ->
+     group_load_engine(Config,  [engine_method_rsa]);

otp-0026-crypto-Fix-doc-for-FIPS-with-OpenSSL-3.patch

@@ -0,0 +1,21 @@
+From: Sverker Eriksson <sverker@erlang.org>
+Date: Tue, 20 Jun 2023 20:55:03 +0200
+Subject: [PATCH] crypto: Fix doc for FIPS with OpenSSL 3
+
+
+diff --git a/lib/crypto/doc/src/crypto_app.xml b/lib/crypto/doc/src/crypto_app.xml
+index dcc86cd49c..4bc019f244 100644
+--- a/lib/crypto/doc/src/crypto_app.xml
++++ b/lib/crypto/doc/src/crypto_app.xml
+@@ -50,9 +50,9 @@
+     LibreSSL should also work.</p>
+ 
+     <p>The crypto app is tested daily with at least one version of each of the
+-    OpenSSL 1.0.1, 1.0.2, 1.1.0, 1.1.1 and 3.0. FIPS mode is also tested for 1.0.1 and 1.0.2.</p>
++    OpenSSL 1.0.1, 1.0.2, 1.1.0, 1.1.1 and 3.0. FIPS mode is also tested for 1.0.1, 1.0.2 and 3.0.</p>
+     
+-    <p>Using OpenSSL 3.0 with Engines or in FIPS mode is not yet supported by the OTP/crypto app.</p>
++    <p>Using OpenSSL 3.0 with Engines is not yet supported by the OTP/crypto app.</p>
+ 
+     <p>Source releases of OpenSSL can be downloaded from the <url href="http://www.openssl.org">OpenSSL</url> project home page,
+     or mirror sites listed there.

sources

@@ -1 +1 @@
-SHA512 (otp-OTP-25.3.2.tar.gz) = d307d59708da8e6f233ec60292925fc9c0f4c1aaf14643790b7ead27ae858ac14bab7356c926055872df63500eac117db31b0b69cc0416a5f535b0443cda457d
+SHA512 (otp-OTP-25.3.2.12.tar.gz) = fba028c15f22e9adb198c94522a05a97a9816c8b7d41248053c781816a174b50ad6d1174db4c8afb5f8133e58b053bdd95ff44829dca77750072b4478eb2668a