Update for riscv64

Signed-off-by: David Abdurachmanov <davidlt@rivosinc.com>

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -1,6 +1,5 @@
 .build*.log
 clog
-000*.patch
 *.src.rpm
 openssl-1.0.0a-usa.tar.bz2
 /openssl-1.0.0b-usa.tar.bz2
@@ -49,3 +48,15 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-1.1.1f-hobbled.tar.xz
 /openssl-1.1.1g-hobbled.tar.xz
 /openssl-1.1.1h-hobbled.tar.xz
+/openssl-1.1.1i-hobbled.tar.xz
+/openssl-1.1.1j-hobbled.tar.xz
+/openssl-1.1.1k-hobbled.tar.xz
+/openssl-3.0.0-hobbled.tar.xz
+/openssl-3.0.2-hobbled.tar.gz
+/openssl-3.0.3-hobbled.tar.gz
+/openssl-3.0.5-hobbled.tar.xz
+/openssl-3.0.7-hobbled.tar.gz
+/openssl-3.0.8-hobbled.tar.gz
+/openssl-3.0.8.tar.gz
+/openssl-3.1.1.tar.gz
+/openssl-3.1.4.tar.gz

0001-Aarch64-and-ppc64le-use-lib64.patch

@@ -0,0 +1,33 @@
+From 603a35802319c0459737e3f067369ceb990fe2e6 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Thu, 24 Sep 2020 09:01:41 +0200
+Subject: Aarch64 and ppc64le use lib64
+
+(Was openssl-1.1.1-build.patch)
+---
+ Configurations/10-main.conf | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
+index d7580bf3e1..a7dbfd7f40 100644
+--- a/Configurations/10-main.conf
++++ b/Configurations/10-main.conf
+@@ -723,6 +723,7 @@ my %targets = (
+         lib_cppflags     => add("-DL_ENDIAN"),
+         asm_arch         => 'ppc64',
+         perlasm_scheme   => "linux64le",
++        multilib         => "64",
+     },
+ 
+     "linux-armv4" => {
+@@ -765,6 +766,7 @@ my %targets = (
+         inherit_from     => [ "linux-generic64" ],
+         asm_arch         => 'aarch64',
+         perlasm_scheme   => "linux64",
++        multilib         => "64",
+     },
+     "linux-arm64ilp32" => {  # https://wiki.linaro.org/Platform/arm64-ilp32
+         inherit_from     => [ "linux-generic32" ],
+-- 
+2.26.2
+

0002-Use-more-general-default-values-in-openssl.cnf.patch

@@ -1,7 +1,21 @@
-diff -up openssl-1.1.1a/apps/openssl.cnf.defaults openssl-1.1.1a/apps/openssl.cnf
---- openssl-1.1.1a/apps/openssl.cnf.defaults	2018-11-20 14:35:37.000000000 +0100
-+++ openssl-1.1.1a/apps/openssl.cnf	2019-01-15 13:56:50.841719776 +0100
-@@ -74,7 +74,7 @@ cert_opt 	= ca_default		# Certificate fi
+From 41df9ae215cee9574e17e6f887c96a7c97d588f5 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Thu, 24 Sep 2020 09:03:40 +0200
+Subject: Use more general default values in openssl.cnf
+
+Also set sha256 as default hash, although that should not be
+necessary anymore.
+
+(was openssl-1.1.1-defaults.patch)
+---
+ apps/openssl.cnf | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/apps/openssl.cnf b/apps/openssl.cnf
+index 97567a67be..eb25a0ac48 100644
+--- a/apps/openssl.cnf
++++ b/apps/openssl.cnf
+@@ -104,7 +104,7 @@ cert_opt 	= ca_default		# Certificate field options
  
  default_days	= 365			# how long to certify for
  default_crl_days= 30			# how long before next CRL
@@ -10,7 +24,7 @@ diff -up openssl-1.1.1a/apps/openssl.cnf.defaults openssl-1.1.1a/apps/openssl.cn
  preserve	= no			# keep passed DN ordering
  
  # A few difference way of specifying how similar the request should look
-@@ -106,6 +106,7 @@ emailAddress		= optional
+@@ -136,6 +136,7 @@ emailAddress		= optional
  ####################################################################
  [ req ]
  default_bits		= 2048
@@ -18,7 +32,7 @@ diff -up openssl-1.1.1a/apps/openssl.cnf.defaults openssl-1.1.1a/apps/openssl.cn
  default_keyfile 	= privkey.pem
  distinguished_name	= req_distinguished_name
  attributes		= req_attributes
-@@ -128,17 +129,18 @@ string_mask = utf8only
+@@ -158,17 +159,18 @@ string_mask = utf8only
  
  [ req_distinguished_name ]
  countryName			= Country Name (2 letter code)
@@ -40,7 +54,7 @@ diff -up openssl-1.1.1a/apps/openssl.cnf.defaults openssl-1.1.1a/apps/openssl.cn
  
  # we can do this but it is not needed normally :-)
  #1.organizationName		= Second Organization Name (eg, company)
-@@ -147,7 +149,7 @@ localityName			= Locality Name (eg, city
+@@ -177,7 +179,7 @@ localityName			= Locality Name (eg, city)
  organizationalUnitName		= Organizational Unit Name (eg, section)
  #organizationalUnitName_default	=
  
@@ -49,3 +63,6 @@ diff -up openssl-1.1.1a/apps/openssl.cnf.defaults openssl-1.1.1a/apps/openssl.cn
  commonName_max			= 64
  
  emailAddress			= Email Address
+-- 
+2.26.2
+

0003-Do-not-install-html-docs.patch

@@ -0,0 +1,30 @@
+From a3e7963320ba44e96a60b389fccb8e1cccc30674 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Thu, 19 Oct 2023 13:12:39 +0200
+Subject: [PATCH 03/46] 0003-Do-not-install-html-docs.patch
+
+Patch-name: 0003-Do-not-install-html-docs.patch
+Patch-id: 3
+Patch-status: |
+    # # Do not install html docs
+From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911
+---
+ Configurations/unix-Makefile.tmpl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
+index a48fae5fb8..56b42926e7 100644
+--- a/Configurations/unix-Makefile.tmpl
++++ b/Configurations/unix-Makefile.tmpl
+@@ -611,7 +611,7 @@ install_sw: install_dev install_engines install_modules install_runtime
+ 
+ uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev
+ 
+-install_docs: install_man_docs install_html_docs
++install_docs: install_man_docs
+ 
+ uninstall_docs: uninstall_man_docs uninstall_html_docs
+ 	$(RM) -r "$(DESTDIR)$(DOCDIR)"
+-- 
+2.41.0
+

0004-Override-default-paths-for-the-CA-directory-tree.patch

@@ -0,0 +1,77 @@
+From 7a65ee33793fa8a28c0dfc94e6872ce92f408b15 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Mon, 31 Jul 2023 09:41:27 +0200
+Subject: [PATCH 04/35] 
+ 0004-Override-default-paths-for-the-CA-directory-tree.patch
+
+Patch-name: 0004-Override-default-paths-for-the-CA-directory-tree.patch
+Patch-id: 4
+Patch-status: |
+    # Override default paths for the CA directory tree
+From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
+---
+ apps/CA.pl.in    |  2 +-
+ apps/openssl.cnf | 13 +++++++++++--
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/apps/CA.pl.in b/apps/CA.pl.in
+index f029470005..729f104a7e 100644
+--- a/apps/CA.pl.in
++++ b/apps/CA.pl.in
+@@ -29,7 +29,7 @@ my $X509 = "$openssl x509";
+ my $PKCS12 = "$openssl pkcs12";
+ 
+ # Default values for various configuration settings.
+-my $CATOP = "./demoCA";
++my $CATOP = "/etc/pki/CA";
+ my $CAKEY = "cakey.pem";
+ my $CAREQ = "careq.pem";
+ my $CACERT = "cacert.pem";
+diff --git a/apps/openssl.cnf b/apps/openssl.cnf
+index 8141ab20cd..3956235fda 100644
+--- a/apps/openssl.cnf
++++ b/apps/openssl.cnf
+@@ -52,6 +52,8 @@ tsa_policy3 = 1.2.3.4.5.7
+ 
+ [openssl_init]
+ providers = provider_sect
++# Load default TLS policy configuration
++ssl_conf = ssl_module
+ 
+ # List of providers to load
+ [provider_sect]
+@@ -71,6 +73,13 @@ default = default_sect
+ [default_sect]
+ # activate = 1
+ 
++[ ssl_module ]
++
++system_default = crypto_policy
++
++[ crypto_policy ]
++
++.include = /etc/crypto-policies/back-ends/opensslcnf.config
+ 
+ ####################################################################
+ [ ca ]
+@@ -79,7 +88,7 @@ default_ca	= CA_default		# The default ca section
+ ####################################################################
+ [ CA_default ]
+ 
+-dir		= ./demoCA		# Where everything is kept
++dir		= /etc/pki/CA		# Where everything is kept
+ certs		= $dir/certs		# Where the issued certs are kept
+ crl_dir		= $dir/crl		# Where the issued crl are kept
+ database	= $dir/index.txt	# database index file.
+@@ -311,7 +320,7 @@ default_tsa = tsa_config1	# the default TSA section
+ [ tsa_config1 ]
+ 
+ # These are used by the TSA reply generation only.
+-dir		= ./demoCA		# TSA root directory
++dir		= /etc/pki/CA		# TSA root directory
+ serial		= $dir/tsaserial	# The current serial number (mandatory)
+ crypto_device	= builtin		# OpenSSL engine to use for signing
+ signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
+-- 
+2.41.0
+

0005-apps-ca-fix-md-option-help-text.patch

@@ -0,0 +1,28 @@
+From 3d8fa9859501b07e02b76b5577e2915d5851e927 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Thu, 24 Sep 2020 09:27:18 +0200
+Subject: apps/ca: fix md option help text
+
+upstreamable
+
+(was openssl-1.1.1-apps-dgst.patch)
+---
+ apps/ca.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/apps/ca.c b/apps/ca.c
+index 0f21b4fa1c..3d4b2c1673 100755
+--- a/apps/ca.c
++++ b/apps/ca.c
+@@ -209,7 +209,7 @@ const OPTIONS ca_options[] = {
+     {"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"},
+ 
+     OPT_SECTION("Signing"),
+-    {"md", OPT_MD, 's', "Digest to use, such as sha256"},
++    {"md", OPT_MD, 's', "Digest to use, such as sha256; see openssl help for list"},
+     {"keyfile", OPT_KEYFILE, 's', "The CA private key"},
+     {"keyform", OPT_KEYFORM, 'f',
+      "Private key file format (ENGINE, other values ignored)"},
+-- 
+2.26.2
+

0006-Disable-signature-verification-with-totally-unsafe-h.patch

@@ -0,0 +1,29 @@
+From 3f9deff30ae6efbfe979043b00cdf649b39793c0 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Thu, 24 Sep 2020 09:51:34 +0200
+Subject: Disable signature verification with totally unsafe hash algorithms
+
+(was openssl-1.1.1-no-weak-verify.patch)
+---
+ crypto/asn1/a_verify.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
+index b7eed914b0..af62f0ef08 100644
+--- a/crypto/asn1/a_verify.c
++++ b/crypto/asn1/a_verify.c
+@@ -152,6 +152,11 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
+             ERR_raise(ERR_LIB_ASN1, ERR_R_EVP_LIB);
+         if (ret <= 1)
+             goto err;
++    } else if ((mdnid == NID_md5
++               && ossl_safe_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) ||
++               mdnid == NID_md4 || mdnid == NID_md2 || mdnid == NID_sha) {
++        ERR_raise(ERR_LIB_ASN1, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
++        goto err;
+     } else {
+         const EVP_MD *type = NULL;
+ 
+-- 
+2.26.2
+

0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch

@@ -1,7 +1,30 @@
-diff -up openssl-1.1.1c/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.1c/Configurations/unix-Makefile.tmpl
---- openssl-1.1.1c/Configurations/unix-Makefile.tmpl.system-cipherlist	2019-05-29 15:42:27.951329271 +0200
-+++ openssl-1.1.1c/Configurations/unix-Makefile.tmpl	2019-05-29 15:42:27.974328867 +0200
-@@ -180,6 +180,10 @@ MANDIR=$(INSTALLTOP)/share/man
+From 66b728801f141c9db8e647ab02421c83694ade79 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Mon, 31 Jul 2023 09:41:27 +0200
+Subject: [PATCH 07/35] 
+ 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+
+Patch-name: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+Patch-id: 7
+Patch-status: |
+    # Add support for PROFILE=SYSTEM system default cipherlist
+From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
+---
+ Configurations/unix-Makefile.tmpl |  5 ++
+ Configure                         | 11 +++-
+ doc/man1/openssl-ciphers.pod.in   |  9 ++++
+ include/openssl/ssl.h.in          |  5 ++
+ ssl/ssl_ciph.c                    | 87 +++++++++++++++++++++++++++----
+ ssl/ssl_lib.c                     |  4 +-
+ test/cipherlist_test.c            |  2 +
+ util/libcrypto.num                |  1 +
+ 8 files changed, 110 insertions(+), 14 deletions(-)
+
+diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
+index f29cdc7f38..c0df026de3 100644
+--- a/Configurations/unix-Makefile.tmpl
++++ b/Configurations/unix-Makefile.tmpl
+@@ -315,6 +315,10 @@ MANDIR=$(INSTALLTOP)/share/man
  DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
  HTMLDIR=$(DOCDIR)/html
  
@@ -12,7 +35,7 @@ diff -up openssl-1.1.1c/Configurations/unix-Makefile.tmpl.system-cipherlist open
  # MANSUFFIX is for the benefit of anyone who may want to have a suffix
  # appended after the manpage file section number.  "ssl" is popular,
  # resulting in files such as config.5ssl rather than config.5.
-@@ -203,6 +207,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
+@@ -338,6 +342,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
  CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -}
  CPPFLAGS={- our $cppflags1 = join(" ",
                                    (map { "-D".$_} @{$config{CPPDEFINES}}),
@@ -20,29 +43,31 @@ diff -up openssl-1.1.1c/Configurations/unix-Makefile.tmpl.system-cipherlist open
                                    (map { "-I".$_} @{$config{CPPINCLUDES}}),
                                    @{$config{CPPFLAGS}}) -}
  CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
-diff -up openssl-1.1.1c/Configure.system-cipherlist openssl-1.1.1c/Configure
---- openssl-1.1.1c/Configure.system-cipherlist	2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/Configure	2019-05-29 15:45:10.465469533 +0200
-@@ -24,7 +24,7 @@ use OpenSSL::Glob;
+diff --git a/Configure b/Configure
+index 456995240b..93be83be94 100755
+--- a/Configure
++++ b/Configure
+@@ -27,7 +27,7 @@ use OpenSSL::config;
  my $orig_death_handler = $SIG{__DIE__};
  $SIG{__DIE__} = \&death_handler;
  
 -my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
 +my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
  
- # Options:
- #
-@@ -41,6 +41,9 @@ my $usage="Usage: Configure [no-<cipher>
+ my $banner = <<"EOF";
+ 
+@@ -61,6 +61,10 @@ EOF
+ #               given with --prefix.
  #               This becomes the value of OPENSSLDIR in Makefile and in C.
  #               (Default: PREFIX/ssl)
- #
++#
 +# --system-ciphers-file  A file to read cipher string from when the PROFILE=SYSTEM
 +#		cipher is specified (default).
 +#
- # --cross-compile-prefix Add specified prefix to binutils components.
+ # --banner=".." Output specified text instead of default completion banner
  #
- # --api         One of 0.9.8, 1.0.0 or 1.1.0.  Do not compile support for
-@@ -295,6 +298,7 @@ $config{prefix}="";
+ # -w            Don't wait after showing a Configure warning
+@@ -387,6 +391,7 @@ $config{prefix}="";
  $config{openssldir}="";
  $config{processor}="";
  $config{libdir}="";
@@ -50,30 +75,22 @@ diff -up openssl-1.1.1c/Configure.system-cipherlist openssl-1.1.1c/Configure
  my $auto_threads=1;    # enable threads automatically? true by default
  my $default_ranlib;
  
-@@ -824,6 +828,10 @@ while (@argvcopy)
-                             push @seed_sources, $x;
-                             }
+@@ -989,6 +994,10 @@ while (@argvcopy)
+                         die "FIPS key too long (64 bytes max)\n"
+                            if length $1 > 64;
                          }
 +		elsif (/^--system-ciphers-file=(.*)$/)
 +			{
 +			$config{system_ciphers_file}=$1;
 +			}
-                 elsif (/^--cross-compile-prefix=(.*)$/)
+                 elsif (/^--banner=(.*)$/)
                          {
-                         $user{CROSS_COMPILE}=$1;
-@@ -1016,6 +1024,8 @@ if ($target eq "HASH") {
-     exit 0;
- }
- 
-+chop $config{system_ciphers_file} if $config{system_ciphers_file} =~ /\/$/;
-+
- print "Configuring OpenSSL version $config{version} ($config{version_num}) ";
- print "for $target\n";
- 
-diff -up openssl-1.1.1c/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1c/doc/man1/ciphers.pod
---- openssl-1.1.1c/doc/man1/ciphers.pod.system-cipherlist	2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/doc/man1/ciphers.pod	2019-05-29 15:42:27.975328849 +0200
-@@ -182,6 +182,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
+                         $banner = $1 . "\n";
+diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in
+index 658730ec53..04e66bcebe 100644
+--- a/doc/man1/openssl-ciphers.pod.in
++++ b/doc/man1/openssl-ciphers.pod.in
+@@ -186,6 +186,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher suites are sensibly ordered by default.
  
  The cipher suites not enabled by B<ALL>, currently B<eNULL>.
  
@@ -89,34 +106,27 @@ diff -up openssl-1.1.1c/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1c/do
  =item B<HIGH>
  
  "High" encryption cipher suites. This currently means those with key lengths
-diff -up openssl-1.1.1c/include/openssl/ssl.h.system-cipherlist openssl-1.1.1c/include/openssl/ssl.h
---- openssl-1.1.1c/include/openssl/ssl.h.system-cipherlist	2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/include/openssl/ssl.h	2019-05-29 15:42:27.975328849 +0200
-@@ -186,6 +186,11 @@ extern "C" {
+diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
+index f03f52fbd8..0b6de603e2 100644
+--- a/include/openssl/ssl.h.in
++++ b/include/openssl/ssl.h.in
+@@ -208,6 +208,11 @@ extern "C" {
   * throwing out anonymous and unencrypted ciphersuites! (The latter are not
   * actually enabled by ALL, but "ALL:RSA" would enable some of them.)
   */
 +# ifdef SYSTEM_CIPHERS_FILE
 +#  define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM"
 +# else
-+#  define SSL_SYSTEM_DEFAULT_CIPHER_LIST SSL_DEFAULT_CIPHER_LIST
++#  define SSL_SYSTEM_DEFAULT_CIPHER_LIST OSSL_default_cipher_list()
 +# endif
  
  /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
  # define SSL_SENT_SHUTDOWN       1
-diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_ciph.c
---- openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist	2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/ssl/ssl_ciph.c	2019-05-29 15:42:27.976328831 +0200
-@@ -9,6 +9,8 @@
-  * https://www.openssl.org/source/license.html
-  */
- 
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include <stdio.h>
- #include <ctype.h>
- #include <openssl/objects.h>
-@@ -1399,6 +1401,53 @@ int SSL_set_ciphersuites(SSL *s, const c
+diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
+index 93de9cf8fd..a5e60e8839 100644
+--- a/ssl/ssl_ciph.c
++++ b/ssl/ssl_ciph.c
+@@ -1443,6 +1443,53 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
      return ret;
  }
  
@@ -129,7 +139,7 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_
 +    const char *ciphers_path;
 +    unsigned len, slen;
 +
-+    if ((ciphers_path = secure_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL)
++    if ((ciphers_path = ossl_safe_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL)
 +        ciphers_path = SYSTEM_CIPHERS_FILE;
 +    fp = fopen(ciphers_path, "r");
 +    if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
@@ -167,19 +177,19 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_
 +}
 +#endif
 +
- STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
+ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
                                               STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
                                               STACK_OF(SSL_CIPHER) **cipher_list,
-@@ -1412,15 +1461,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
-     const char *rule_p;
+@@ -1457,15 +1504,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
      CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
      const SSL_CIPHER **ca_list = NULL;
+     const SSL_METHOD *ssl_method = ctx->method;
 +#ifdef SYSTEM_CIPHERS_FILE
 +    char *new_rules = NULL;
 +
 +    if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {
 +        char *p = rule_str + 14;
-+    
++
 +        new_rules = load_system_str(p);
 +        rule_str = new_rules;
 +    }
@@ -191,23 +201,23 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_
      if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
 -        return NULL;
 +        goto err;
- #ifndef OPENSSL_NO_EC
+ 
      if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
 -        return NULL;
 +        goto err;
- #endif
  
      /*
-@@ -1443,7 +1502,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+      * To reduce the work to do we only want to process the compiled
+@@ -1487,7 +1544,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
      co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
      if (co_list == NULL) {
-         SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
+         ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
 -        return NULL;          /* Failure */
 +        goto err;
      }
  
      ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
-@@ -1509,8 +1568,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1553,8 +1610,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
       * in force within each class
       */
      if (!ssl_cipher_strength_sort(&head, &tail)) {
@@ -217,18 +227,18 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_
      }
  
      /*
-@@ -1555,9 +1613,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1598,9 +1654,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
      num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
      ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
      if (ca_list == NULL) {
 -        OPENSSL_free(co_list);
-         SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
+         ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
 -        return NULL;          /* Failure */
 +        goto err;
      }
      ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
                                 disabled_mkey, disabled_auth, disabled_enc,
-@@ -1583,8 +1640,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1626,8 +1681,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
      OPENSSL_free(ca_list);      /* Not needed anymore */
  
      if (!ok) {                  /* Rule processing failure */
@@ -238,7 +248,7 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_
      }
  
      /*
-@@ -1592,14 +1648,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+@@ -1635,10 +1689,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
       * if we cannot get one.
       */
      if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
@@ -253,13 +263,8 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_
 +
      /* Add TLSv1.3 ciphers first - we always prefer those if possible */
      for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
-         if (!sk_SSL_CIPHER_push(cipherstack,
-                                 sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
-+            OPENSSL_free(co_list);
-             sk_SSL_CIPHER_free(cipherstack);
-             return NULL;
-         }
-@@ -1631,6 +1691,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+         const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
+@@ -1690,6 +1747,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
      *cipher_list = cipherstack;
  
      return cipherstack;
@@ -274,31 +279,33 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_
  }
  
  char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
-diff -up openssl-1.1.1c/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1c/ssl/ssl_lib.c
---- openssl-1.1.1c/ssl/ssl_lib.c.system-cipherlist	2019-05-29 15:42:27.970328937 +0200
-+++ openssl-1.1.1c/ssl/ssl_lib.c	2019-05-29 15:42:27.977328814 +0200
-@@ -662,7 +662,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index f12ad6d034..a059bcd83b 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -661,7 +661,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
                                  ctx->tls13_ciphersuites,
                                  &(ctx->cipher_list),
                                  &(ctx->cipher_list_by_id),
--                                SSL_DEFAULT_CIPHER_LIST, ctx->cert);
+-                                OSSL_default_cipher_list(), ctx->cert);
 +                                SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert);
      if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
-         SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
+         ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
          return 0;
-@@ -2954,7 +2954,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
-     if (!ssl_create_cipher_list(ret->method,
+@@ -3286,7 +3286,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
+     if (!ssl_create_cipher_list(ret,
                                  ret->tls13_ciphersuites,
                                  &ret->cipher_list, &ret->cipher_list_by_id,
--                                SSL_DEFAULT_CIPHER_LIST, ret->cert)
+-                                OSSL_default_cipher_list(), ret->cert)
 +                                SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert)
          || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
-         SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
+         ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
          goto err2;
-diff -up openssl-1.1.1c/test/cipherlist_test.c.system-cipherlist openssl-1.1.1c/test/cipherlist_test.c
---- openssl-1.1.1c/test/cipherlist_test.c.system-cipherlist	2019-05-28 15:12:21.000000000 +0200
-+++ openssl-1.1.1c/test/cipherlist_test.c	2019-05-29 15:42:27.977328814 +0200
-@@ -251,7 +251,9 @@ end:
+diff --git a/test/cipherlist_test.c b/test/cipherlist_test.c
+index 2d166e2b46..4ff2aa12d6 100644
+--- a/test/cipherlist_test.c
++++ b/test/cipherlist_test.c
+@@ -246,7 +246,9 @@ end:
  
  int setup_tests(void)
  {
@@ -308,3 +315,15 @@ diff -up openssl-1.1.1c/test/cipherlist_test.c.system-cipherlist openssl-1.1.1c/
      ADD_TEST(test_default_cipherlist_explicit);
      ADD_TEST(test_default_cipherlist_clear);
      return 1;
+diff --git a/util/libcrypto.num b/util/libcrypto.num
+index 406392a7d9..9cb8a4dda2 100644
+--- a/util/libcrypto.num
++++ b/util/libcrypto.num
+@@ -5435,3 +5435,4 @@ EVP_MD_CTX_dup                          5562	3_1_0	EXIST::FUNCTION:
+ EVP_CIPHER_CTX_dup                      5563	3_1_0	EXIST::FUNCTION:
+ BN_are_coprime                          5564	3_1_0	EXIST::FUNCTION:
+ OSSL_CMP_MSG_update_recipNonce          5565	3_0_9	EXIST::FUNCTION:CMP
++ossl_safe_getenv                        ?	3_0_0	EXIST::FUNCTION:
+-- 
+2.41.0
+

0008-Add-FIPS_mode-compatibility-macro.patch

@@ -0,0 +1,83 @@
+From 8e29a10b39a649d751870eb1fd1b8c388e66acc3 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Mon, 31 Jul 2023 09:41:27 +0200
+Subject: [PATCH 08/35] 0008-Add-FIPS_mode-compatibility-macro.patch
+
+Patch-name: 0008-Add-FIPS_mode-compatibility-macro.patch
+Patch-id: 8
+Patch-status: |
+    # Add FIPS_mode() compatibility macro
+From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
+---
+ include/openssl/fips.h | 26 ++++++++++++++++++++++++++
+ test/property_test.c   | 14 ++++++++++++++
+ 2 files changed, 40 insertions(+)
+ create mode 100644 include/openssl/fips.h
+
+diff --git a/include/openssl/fips.h b/include/openssl/fips.h
+new file mode 100644
+index 0000000000..4162cbf88e
+--- /dev/null
++++ b/include/openssl/fips.h
+@@ -0,0 +1,26 @@
++/*
++ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the Apache License 2.0 (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#ifndef OPENSSL_FIPS_H
++# define OPENSSL_FIPS_H
++# pragma once
++
++# include <openssl/evp.h>
++# include <openssl/macros.h>
++
++# ifdef __cplusplus
++extern "C" {
++# endif
++
++# define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL)
++
++# ifdef __cplusplus
++}
++# endif
++#endif
+diff --git a/test/property_test.c b/test/property_test.c
+index 45b1db3e85..8894c1c1cb 100644
+--- a/test/property_test.c
++++ b/test/property_test.c
+@@ -677,6 +677,19 @@ static int test_property_list_to_string(int i)
+     return ret;
+ }
+ 
++#include <openssl/fips.h>
++static int test_downstream_FIPS_mode(void)
++{
++    int ret = 0;
++
++    ret = TEST_true(EVP_set_default_properties(NULL, "fips=yes"))
++          && TEST_true(FIPS_mode())
++          && TEST_true(EVP_set_default_properties(NULL, "fips=no"))
++          && TEST_false(FIPS_mode());
++
++    return ret;
++}
++
+ int setup_tests(void)
+ {
+     ADD_TEST(test_property_string);
+@@ -690,6 +703,7 @@ int setup_tests(void)
+     ADD_TEST(test_property);
+     ADD_TEST(test_query_cache_stochastic);
+     ADD_TEST(test_fips_mode);
++    ADD_TEST(test_downstream_FIPS_mode);
+     ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests));
+     return 1;
+ }
+-- 
+2.41.0
+

0009-Add-Kernel-FIPS-mode-flag-support.patch

@@ -0,0 +1,86 @@
+From aa3aebf132959e7e44876042efaf9ff24ffe0f2b Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Mon, 31 Jul 2023 09:41:27 +0200
+Subject: [PATCH 09/35] 0009-Add-Kernel-FIPS-mode-flag-support.patch
+
+Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch
+Patch-id: 9
+Patch-status: |
+    # Add check to see if fips flag is enabled in kernel
+From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
+---
+ crypto/context.c            | 36 ++++++++++++++++++++++++++++++++++++
+ include/internal/provider.h |  3 +++
+ 2 files changed, 39 insertions(+)
+
+diff --git a/crypto/context.c b/crypto/context.c
+index e294ea1512..51002ba79a 100644
+--- a/crypto/context.c
++++ b/crypto/context.c
+@@ -16,6 +16,41 @@
+ #include "internal/provider.h"
+ #include "crypto/context.h"
+ 
++# include <sys/types.h>
++# include <sys/stat.h>
++# include <fcntl.h>
++# include <unistd.h>
++# include <openssl/evp.h>
++
++# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
++
++static int kernel_fips_flag;
++
++static void read_kernel_fips_flag(void)
++{
++	char buf[2] = "0";
++	int fd;
++
++	if (ossl_safe_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
++		buf[0] = '1';
++	} else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
++		while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
++		close(fd);
++	}
++
++	if (buf[0] == '1') {
++		kernel_fips_flag = 1;
++	}
++
++		return;
++}
++
++int ossl_get_kernel_fips_flag()
++{
++	return kernel_fips_flag;
++}
++
++
+ struct ossl_lib_ctx_st {
+     CRYPTO_RWLOCK *lock, *rand_crngt_lock;
+     OSSL_EX_DATA_GLOBAL global;
+@@ -336,6 +371,7 @@ static int default_context_inited = 0;
+ 
+ DEFINE_RUN_ONCE_STATIC(default_context_do_init)
+ {
++	 read_kernel_fips_flag();
+     if (!CRYPTO_THREAD_init_local(&default_context_thread_local, NULL))
+         goto err;
+ 
+diff --git a/include/internal/provider.h b/include/internal/provider.h
+index 18937f84c7..1446bf7afb 100644
+--- a/include/internal/provider.h
++++ b/include/internal/provider.h
+@@ -112,6 +112,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx,
+                                 const OSSL_DISPATCH *in);
+ void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx);
+ 
++/* FIPS flag access */
++int ossl_get_kernel_fips_flag(void);
++
+ # ifdef __cplusplus
+ }
+ # endif
+-- 
+2.41.0
+

0011-Remove-EC-curves.patch

@@ -0,0 +1,279 @@
+From 4a275f852b61238161c053774736dc07b3ade200 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 11:46:40 +0200
+Subject: [PATCH 11/48] 0011-Remove-EC-curves.patch
+
+Patch-name: 0011-Remove-EC-curves.patch
+Patch-id: 11
+Patch-status: |
+    # remove unsupported EC curves
+---
+ apps/speed.c                 |  8 +---
+ crypto/evp/ec_support.c      | 87 ------------------------------------
+ test/acvp_test.inc           |  9 ----
+ test/ecdsatest.h             | 17 -------
+ test/recipes/15-test_genec.t | 27 -----------
+ 5 files changed, 1 insertion(+), 147 deletions(-)
+
+diff --git a/apps/speed.c b/apps/speed.c
+index cace25eda1..d527f12f18 100644
+--- a/apps/speed.c
++++ b/apps/speed.c
+@@ -385,7 +385,7 @@ static double ffdh_results[FFDH_NUM][1];  /* 1 op: derivation */
+ #endif /* OPENSSL_NO_DH */
+ 
+ enum ec_curves_t {
+-    R_EC_P160, R_EC_P192, R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521,
++    R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521,
+ #ifndef OPENSSL_NO_EC2M
+     R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571,
+     R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571,
+@@ -395,8 +395,6 @@ enum ec_curves_t {
+ };
+ /* list of ecdsa curves */
+ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = {
+-    {"ecdsap160", R_EC_P160},
+-    {"ecdsap192", R_EC_P192},
+     {"ecdsap224", R_EC_P224},
+     {"ecdsap256", R_EC_P256},
+     {"ecdsap384", R_EC_P384},
+@@ -423,8 +421,6 @@ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = {
+ enum { R_EC_X25519 = ECDSA_NUM, R_EC_X448, EC_NUM };
+ /* list of ecdh curves, extension of |ecdsa_choices| list above */
+ static const OPT_PAIR ecdh_choices[EC_NUM] = {
+-    {"ecdhp160", R_EC_P160},
+-    {"ecdhp192", R_EC_P192},
+     {"ecdhp224", R_EC_P224},
+     {"ecdhp256", R_EC_P256},
+     {"ecdhp384", R_EC_P384},
+@@ -1442,8 +1438,6 @@ int speed_main(int argc, char **argv)
+      */
+     static const EC_CURVE ec_curves[EC_NUM] = {
+         /* Prime Curves */
+-        {"secp160r1", NID_secp160r1, 160},
+-        {"nistp192", NID_X9_62_prime192v1, 192},
+         {"nistp224", NID_secp224r1, 224},
+         {"nistp256", NID_X9_62_prime256v1, 256},
+         {"nistp384", NID_secp384r1, 384},
+diff --git a/crypto/evp/ec_support.c b/crypto/evp/ec_support.c
+index 1ec10143d2..82b95294b4 100644
+--- a/crypto/evp/ec_support.c
++++ b/crypto/evp/ec_support.c
+@@ -20,89 +20,15 @@ typedef struct ec_name2nid_st {
+ static const EC_NAME2NID curve_list[] = {
+     /* prime field curves */
+     /* secg curves */
+-    {"secp112r1", NID_secp112r1 },
+-    {"secp112r2", NID_secp112r2 },
+-    {"secp128r1", NID_secp128r1 },
+-    {"secp128r2", NID_secp128r2 },
+-    {"secp160k1", NID_secp160k1 },
+-    {"secp160r1", NID_secp160r1 },
+-    {"secp160r2", NID_secp160r2 },
+-    {"secp192k1", NID_secp192k1 },
+-    {"secp224k1", NID_secp224k1 },
+     {"secp224r1", NID_secp224r1 },
+     {"secp256k1", NID_secp256k1 },
+     {"secp384r1", NID_secp384r1 },
+     {"secp521r1", NID_secp521r1 },
+     /* X9.62 curves */
+-    {"prime192v1", NID_X9_62_prime192v1 },
+-    {"prime192v2", NID_X9_62_prime192v2 },
+-    {"prime192v3", NID_X9_62_prime192v3 },
+-    {"prime239v1", NID_X9_62_prime239v1 },
+-    {"prime239v2", NID_X9_62_prime239v2 },
+-    {"prime239v3", NID_X9_62_prime239v3 },
+     {"prime256v1", NID_X9_62_prime256v1 },
+     /* characteristic two field curves */
+     /* NIST/SECG curves */
+-    {"sect113r1", NID_sect113r1 },
+-    {"sect113r2", NID_sect113r2 },
+-    {"sect131r1", NID_sect131r1 },
+-    {"sect131r2", NID_sect131r2 },
+-    {"sect163k1", NID_sect163k1 },
+-    {"sect163r1", NID_sect163r1 },
+-    {"sect163r2", NID_sect163r2 },
+-    {"sect193r1", NID_sect193r1 },
+-    {"sect193r2", NID_sect193r2 },
+-    {"sect233k1", NID_sect233k1 },
+-    {"sect233r1", NID_sect233r1 },
+-    {"sect239k1", NID_sect239k1 },
+-    {"sect283k1", NID_sect283k1 },
+-    {"sect283r1", NID_sect283r1 },
+-    {"sect409k1", NID_sect409k1 },
+-    {"sect409r1", NID_sect409r1 },
+-    {"sect571k1", NID_sect571k1 },
+-    {"sect571r1", NID_sect571r1 },
+-    /* X9.62 curves */
+-    {"c2pnb163v1", NID_X9_62_c2pnb163v1 },
+-    {"c2pnb163v2", NID_X9_62_c2pnb163v2 },
+-    {"c2pnb163v3", NID_X9_62_c2pnb163v3 },
+-    {"c2pnb176v1", NID_X9_62_c2pnb176v1 },
+-    {"c2tnb191v1", NID_X9_62_c2tnb191v1 },
+-    {"c2tnb191v2", NID_X9_62_c2tnb191v2 },
+-    {"c2tnb191v3", NID_X9_62_c2tnb191v3 },
+-    {"c2pnb208w1", NID_X9_62_c2pnb208w1 },
+-    {"c2tnb239v1", NID_X9_62_c2tnb239v1 },
+-    {"c2tnb239v2", NID_X9_62_c2tnb239v2 },
+-    {"c2tnb239v3", NID_X9_62_c2tnb239v3 },
+-    {"c2pnb272w1", NID_X9_62_c2pnb272w1 },
+-    {"c2pnb304w1", NID_X9_62_c2pnb304w1 },
+-    {"c2tnb359v1", NID_X9_62_c2tnb359v1 },
+-    {"c2pnb368w1", NID_X9_62_c2pnb368w1 },
+-    {"c2tnb431r1", NID_X9_62_c2tnb431r1 },
+-    /*
+-     * the WAP/WTLS curves [unlike SECG, spec has its own OIDs for curves
+-     * from X9.62]
+-     */
+-    {"wap-wsg-idm-ecid-wtls1", NID_wap_wsg_idm_ecid_wtls1 },
+-    {"wap-wsg-idm-ecid-wtls3", NID_wap_wsg_idm_ecid_wtls3 },
+-    {"wap-wsg-idm-ecid-wtls4", NID_wap_wsg_idm_ecid_wtls4 },
+-    {"wap-wsg-idm-ecid-wtls5", NID_wap_wsg_idm_ecid_wtls5 },
+-    {"wap-wsg-idm-ecid-wtls6", NID_wap_wsg_idm_ecid_wtls6 },
+-    {"wap-wsg-idm-ecid-wtls7", NID_wap_wsg_idm_ecid_wtls7 },
+-    {"wap-wsg-idm-ecid-wtls8", NID_wap_wsg_idm_ecid_wtls8 },
+-    {"wap-wsg-idm-ecid-wtls9", NID_wap_wsg_idm_ecid_wtls9 },
+-    {"wap-wsg-idm-ecid-wtls10", NID_wap_wsg_idm_ecid_wtls10 },
+-    {"wap-wsg-idm-ecid-wtls11", NID_wap_wsg_idm_ecid_wtls11 },
+-    {"wap-wsg-idm-ecid-wtls12", NID_wap_wsg_idm_ecid_wtls12 },
+-    /* IPSec curves */
+-    {"Oakley-EC2N-3", NID_ipsec3 },
+-    {"Oakley-EC2N-4", NID_ipsec4 },
+     /* brainpool curves */
+-    {"brainpoolP160r1", NID_brainpoolP160r1 },
+-    {"brainpoolP160t1", NID_brainpoolP160t1 },
+-    {"brainpoolP192r1", NID_brainpoolP192r1 },
+-    {"brainpoolP192t1", NID_brainpoolP192t1 },
+-    {"brainpoolP224r1", NID_brainpoolP224r1 },
+-    {"brainpoolP224t1", NID_brainpoolP224t1 },
+     {"brainpoolP256r1", NID_brainpoolP256r1 },
+     {"brainpoolP256t1", NID_brainpoolP256t1 },
+     {"brainpoolP320r1", NID_brainpoolP320r1 },
+@@ -111,8 +37,6 @@ static const EC_NAME2NID curve_list[] = {
+     {"brainpoolP384t1", NID_brainpoolP384t1 },
+     {"brainpoolP512r1", NID_brainpoolP512r1 },
+     {"brainpoolP512t1", NID_brainpoolP512t1 },
+-    /* SM2 curve */
+-    {"SM2", NID_sm2 },
+ };
+ 
+ const char *OSSL_EC_curve_nid2name(int nid)
+@@ -150,17 +74,6 @@ int ossl_ec_curve_name2nid(const char *name)
+ /* Functions to translate between common NIST curve names and NIDs */
+ 
+ static const EC_NAME2NID nist_curves[] = {
+-    {"B-163", NID_sect163r2},
+-    {"B-233", NID_sect233r1},
+-    {"B-283", NID_sect283r1},
+-    {"B-409", NID_sect409r1},
+-    {"B-571", NID_sect571r1},
+-    {"K-163", NID_sect163k1},
+-    {"K-233", NID_sect233k1},
+-    {"K-283", NID_sect283k1},
+-    {"K-409", NID_sect409k1},
+-    {"K-571", NID_sect571k1},
+-    {"P-192", NID_X9_62_prime192v1},
+     {"P-224", NID_secp224r1},
+     {"P-256", NID_X9_62_prime256v1},
+     {"P-384", NID_secp384r1},
+diff --git a/test/acvp_test.inc b/test/acvp_test.inc
+index ad11d3ae1e..894a0bff9d 100644
+--- a/test/acvp_test.inc
++++ b/test/acvp_test.inc
+@@ -211,15 +211,6 @@ static const unsigned char ecdsa_sigver_s1[] = {
+     0xB1, 0xAC,
+ };
+ static const struct ecdsa_sigver_st ecdsa_sigver_data[] = {
+-    {
+-        "SHA-1",
+-        "P-192",
+-        ITM(ecdsa_sigver_msg0),
+-        ITM(ecdsa_sigver_pub0),
+-        ITM(ecdsa_sigver_r0),
+-        ITM(ecdsa_sigver_s0),
+-        PASS,
+-    },
+     {
+         "SHA2-512",
+         "P-521",
+diff --git a/test/ecdsatest.h b/test/ecdsatest.h
+index 63fe319025..06b5c0aac5 100644
+--- a/test/ecdsatest.h
++++ b/test/ecdsatest.h
+@@ -32,23 +32,6 @@ typedef struct {
+ } ecdsa_cavs_kat_t;
+ 
+ static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = {
+-    /* prime KATs from X9.62 */
+-    {NID_X9_62_prime192v1, NID_sha1,
+-     "616263",                  /* "abc" */
+-     "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb",
+-     "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e"
+-     "5ca5c0d69716dfcb3474373902",
+-     "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e",
+-     "885052380ff147b734c330c43d39b2c4a89f29b0f749fead",
+-     "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"},
+-    {NID_X9_62_prime239v1, NID_sha1,
+-     "616263",                  /* "abc" */
+-     "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d",
+-     "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e"
+-     "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee",
+-     "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af",
+-     "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0",
+-     "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"},
+     /* prime KATs from NIST CAVP */
+     {NID_secp224r1, NID_sha224,
+      "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
+diff --git a/test/recipes/15-test_genec.t b/test/recipes/15-test_genec.t
+index 2dfed387ca..c733b68f83 100644
+--- a/test/recipes/15-test_genec.t
++++ b/test/recipes/15-test_genec.t
+@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupported in a no-ec build"
+     if disabled("ec");
+ 
+ my @prime_curves = qw(
+-    secp112r1
+-    secp112r2
+-    secp128r1
+-    secp128r2
+-    secp160k1
+-    secp160r1
+-    secp160r2
+-    secp192k1
+-    secp224k1
+     secp224r1
+     secp256k1
+     secp384r1
+     secp521r1
+-    prime192v1
+-    prime192v2
+-    prime192v3
+-    prime239v1
+-    prime239v2
+-    prime239v3
+     prime256v1
+-    wap-wsg-idm-ecid-wtls6
+-    wap-wsg-idm-ecid-wtls7
+-    wap-wsg-idm-ecid-wtls8
+-    wap-wsg-idm-ecid-wtls9
+-    wap-wsg-idm-ecid-wtls12
+-    brainpoolP160r1
+-    brainpoolP160t1
+-    brainpoolP192r1
+-    brainpoolP192t1
+-    brainpoolP224r1
+-    brainpoolP224t1
+     brainpoolP256r1
+     brainpoolP256t1
+     brainpoolP320r1
+@@ -136,7 +110,6 @@ push(@other_curves, 'SM2')
+     if !disabled("sm2");
+ 
+ my @curve_aliases = qw(
+-    P-192
+     P-224
+     P-256
+     P-384
+-- 
+2.41.0
+

0012-Disable-explicit-ec.patch

@@ -0,0 +1,235 @@
+From 91bdd9b816b22bc1464ec323f3272b866b24114d Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Mon, 31 Jul 2023 09:41:28 +0200
+Subject: [PATCH 12/35] 0012-Disable-explicit-ec.patch
+
+Patch-name: 0012-Disable-explicit-ec.patch
+Patch-id: 12
+Patch-status: |
+    # Disable explicit EC curves
+    # https://bugzilla.redhat.com/show_bug.cgi?id=2066412
+From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
+---
+ crypto/ec/ec_asn1.c                           | 11 ++++++++++
+ crypto/ec/ec_lib.c                            |  6 +++++
+ test/ectest.c                                 | 22 ++++++++++---------
+ test/endecode_test.c                          | 20 ++++++++---------
+ .../30-test_evp_data/evppkey_ecdsa.txt        | 12 ----------
+ 5 files changed, 39 insertions(+), 32 deletions(-)
+
+diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
+index 7a0b35a594..d19d57344e 100644
+--- a/crypto/ec/ec_asn1.c
++++ b/crypto/ec/ec_asn1.c
+@@ -905,6 +905,12 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len)
+     if (params->type == ECPKPARAMETERS_TYPE_EXPLICIT)
+         group->decoded_from_explicit_params = 1;
+ 
++    if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) {
++        EC_GROUP_free(group);
++        ECPKPARAMETERS_free(params);
++        return NULL;
++    }
++
+     if (a) {
+         EC_GROUP_free(*a);
+         *a = group;
+@@ -964,6 +970,11 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
+         goto err;
+     }
+ 
++    if (EC_GROUP_check_named_curve(ret->group, 0, NULL) == NID_undef) {
++        ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP);
++        goto err;
++    }
++
+     ret->version = priv_key->version;
+ 
+     if (priv_key->privateKey) {
+diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
+index a84e088c19..6c37bf78ae 100644
+--- a/crypto/ec/ec_lib.c
++++ b/crypto/ec/ec_lib.c
+@@ -1724,6 +1724,11 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
+         goto err;
+     }
+     if (named_group == group) {
++        if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) {
++            ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP);
++            goto err;
++        }
++#if 0
+         /*
+          * If we did not find a named group then the encoding should be explicit
+          * if it was specified
+@@ -1739,6 +1744,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
+             goto err;
+         }
+         EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);
++#endif
+     } else {
+         EC_GROUP_free(group);
+         group = named_group;
+diff --git a/test/ectest.c b/test/ectest.c
+index 4890b0555e..e11aec5b3b 100644
+--- a/test/ectest.c
++++ b/test/ectest.c
+@@ -2301,10 +2301,11 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
+     if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
+         || !TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL))
+         || !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0)
+-        || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkeyparam,
++        || !TEST_int_le(EVP_PKEY_fromdata(pctx, &pkeyparam,
+                                           EVP_PKEY_KEY_PARAMETERS, params), 0))
+         goto err;
+-
++/* As creating the key should fail, the rest of the test is pointless */
++# if 0
+     /*- Check that all the set values are retrievable -*/
+ 
+     /* There should be no match to a group name since the generator changed */
+@@ -2433,6 +2434,7 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
+ #endif
+         )
+         goto err;
++#endif
+     ret = 1;
+ err:
+     BN_free(order_out);
+@@ -2714,21 +2716,21 @@ static int custom_params_test(int id)
+ 
+     /* Compute keyexchange in both directions */
+     if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL))
+-            || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1)
+-            || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
++            || !TEST_int_le(EVP_PKEY_derive_init(pctx1), 0)
++/*          || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
+             || !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &sslen), 1)
+             || !TEST_int_gt(bsize, sslen)
+-            || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1))
++            || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1)*/)
+         goto err;
+     if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new(pkey2, NULL))
+-            || !TEST_int_eq(EVP_PKEY_derive_init(pctx2), 1)
+-            || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)
++            || !TEST_int_le(EVP_PKEY_derive_init(pctx2), 1)
++/*          || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)
+             || !TEST_int_eq(EVP_PKEY_derive(pctx2, NULL, &t), 1)
+             || !TEST_int_gt(bsize, t)
+             || !TEST_int_le(sslen, t)
+-            || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1))
++            || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1) */)
+         goto err;
+-
++#if 0
+     /* Both sides should expect the same shared secret */
+     if (!TEST_mem_eq(buf1, sslen, buf2, t))
+         goto err;
+@@ -2780,7 +2782,7 @@ static int custom_params_test(int id)
+             /* compare with previous result */
+             || !TEST_mem_eq(buf1, t, buf2, sslen))
+         goto err;
+-
++#endif
+     ret = 1;
+ 
+  err:
+diff --git a/test/endecode_test.c b/test/endecode_test.c
+index 14648287eb..9a437d8c64 100644
+--- a/test/endecode_test.c
++++ b/test/endecode_test.c
+@@ -62,7 +62,7 @@ static BN_CTX *bnctx = NULL;
+ static OSSL_PARAM_BLD *bld_prime_nc = NULL;
+ static OSSL_PARAM_BLD *bld_prime = NULL;
+ static OSSL_PARAM *ec_explicit_prime_params_nc = NULL;
+-static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL;
++/*static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL;*/
+ 
+ # ifndef OPENSSL_NO_EC2M
+ static OSSL_PARAM_BLD *bld_tri_nc = NULL;
+@@ -1009,9 +1009,9 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC")
+ DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
+ IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC", 1)
+ IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve, "EC")
+-DOMAIN_KEYS(ECExplicitPrime2G);
+-IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)
+-IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")
++/*DOMAIN_KEYS(ECExplicitPrime2G);*/
++/*IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)*/
++/*IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")*/
+ # ifndef OPENSSL_NO_EC2M
+ DOMAIN_KEYS(ECExplicitTriNamedCurve);
+ IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC", 1)
+@@ -1352,7 +1352,7 @@ int setup_tests(void)
+         || !create_ec_explicit_prime_params_namedcurve(bld_prime_nc)
+         || !create_ec_explicit_prime_params(bld_prime)
+         || !TEST_ptr(ec_explicit_prime_params_nc = OSSL_PARAM_BLD_to_param(bld_prime_nc))
+-        || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))
++/*        || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))*/
+ # ifndef OPENSSL_NO_EC2M
+         || !TEST_ptr(bld_tri_nc = OSSL_PARAM_BLD_new())
+         || !TEST_ptr(bld_tri = OSSL_PARAM_BLD_new())
+@@ -1380,7 +1380,7 @@ int setup_tests(void)
+     TEST_info("Generating EC keys...");
+     MAKE_DOMAIN_KEYS(EC, "EC", EC_params);
+     MAKE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve, "EC", ec_explicit_prime_params_nc);
+-    MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);
++/*    MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);*/
+ # ifndef OPENSSL_NO_EC2M
+     MAKE_DOMAIN_KEYS(ECExplicitTriNamedCurve, "EC", ec_explicit_tri_params_nc);
+     MAKE_DOMAIN_KEYS(ECExplicitTri2G, "EC", ec_explicit_tri_params_explicit);
+@@ -1423,8 +1423,8 @@ int setup_tests(void)
+         ADD_TEST_SUITE_LEGACY(EC);
+         ADD_TEST_SUITE(ECExplicitPrimeNamedCurve);
+         ADD_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve);
+-        ADD_TEST_SUITE(ECExplicitPrime2G);
+-        ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);
++/*        ADD_TEST_SUITE(ECExplicitPrime2G);*/
++/*        ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);*/
+ # ifndef OPENSSL_NO_EC2M
+         ADD_TEST_SUITE(ECExplicitTriNamedCurve);
+         ADD_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve);
+@@ -1461,7 +1461,7 @@ void cleanup_tests(void)
+ {
+ #ifndef OPENSSL_NO_EC
+     OSSL_PARAM_free(ec_explicit_prime_params_nc);
+-    OSSL_PARAM_free(ec_explicit_prime_params_explicit);
++/*    OSSL_PARAM_free(ec_explicit_prime_params_explicit);*/
+     OSSL_PARAM_BLD_free(bld_prime_nc);
+     OSSL_PARAM_BLD_free(bld_prime);
+ # ifndef OPENSSL_NO_EC2M
+@@ -1483,7 +1483,7 @@ void cleanup_tests(void)
+ #ifndef OPENSSL_NO_EC
+     FREE_DOMAIN_KEYS(EC);
+     FREE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
+-    FREE_DOMAIN_KEYS(ECExplicitPrime2G);
++/*    FREE_DOMAIN_KEYS(ECExplicitPrime2G);*/
+ # ifndef OPENSSL_NO_EC2M
+     FREE_DOMAIN_KEYS(ECExplicitTriNamedCurve);
+     FREE_DOMAIN_KEYS(ECExplicitTri2G);
+diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+index ec3c032aba..584ecee0eb 100644
+--- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
++++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+@@ -133,18 +133,6 @@ AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgiUTxtr5vLVjj
+ 3ev1gTwRBduzqqlwd54AUSgI+pjttW8zrWNitO8H1sf59MPWOESKxNtZ1+Nl
+ -----END PRIVATE KEY-----
+ 
+-PrivateKey = EC_EXPLICIT
+------BEGIN PRIVATE KEY-----
+-MIIBeQIBADCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAAB
+-AAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA
+-///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMV
+-AMSdNgiG5wSTamZ44ROdJreBn36QBEEE5JcIvn36opqjEm/k59Al40rBAxWM2TPG
+-l0L13Je51zHpfXQ9Z2o7IQicMXP4wSfJ0qCgg2bgydqoxlYrlLGuVQIhAP////8A
+-AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgec92jwduadCk
+-OjoNRI+YT5Be5TkzZXzYCyTLkMOikDmhRANCAATtECEhQbLEaiUj/Wu0qjcr81lL
+-46dx5zYgArz/iaSNJ3W80oO+F7v04jlQ7wxQzg96R0bwKiMeq5CcW9ZFt6xg
+------END PRIVATE KEY-----
+-
+ PrivateKey = B-163
+ -----BEGIN PRIVATE KEY-----
+ MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K
+-- 
+2.41.0
+

0013-skipped-tests-EC-curves.patch

@@ -0,0 +1,58 @@
+From 9ede2b1e13f72db37718853faff74b4429084d59 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Mon, 31 Jul 2023 09:41:28 +0200
+Subject: [PATCH 13/35] 0013-skipped-tests-EC-curves.patch
+
+Patch-name: 0013-skipped-tests-EC-curves.patch
+Patch-id: 13
+Patch-status: |
+    # Skipped tests from former 0011-Remove-EC-curves.patch
+From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
+---
+ test/recipes/15-test_ec.t          | 2 +-
+ test/recipes/65-test_cmp_protect.t | 2 +-
+ test/recipes/65-test_cmp_vfy.t     | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/test/recipes/15-test_ec.t b/test/recipes/15-test_ec.t
+index 0638d626e7..c0efd77649 100644
+--- a/test/recipes/15-test_ec.t
++++ b/test/recipes/15-test_ec.t
+@@ -90,7 +90,7 @@ subtest 'Ed448 conversions -- public key' => sub {
+ 
+ subtest 'Check loading of fips and non-fips keys' => sub {
+     plan skip_all => "FIPS is disabled"
+-        if $no_fips;
++        if 1; #Red Hat specific, original value is $no_fips;
+ 
+     plan tests => 2;
+ 
+diff --git a/test/recipes/65-test_cmp_protect.t b/test/recipes/65-test_cmp_protect.t
+index 631603df7c..4cb2ffebbc 100644
+--- a/test/recipes/65-test_cmp_protect.t
++++ b/test/recipes/65-test_cmp_protect.t
+@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build"
+ plan skip_all => "This test is not supported in a shared library build on Windows"
+     if $^O eq 'MSWin32' && !disabled("shared");
+ 
+-plan tests => 2 + ($no_fips ? 0 : 1); #fips test
++plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test
+ 
+ my @basic_cmd = ("cmp_protect_test",
+                  data_file("server.pem"),
+diff --git a/test/recipes/65-test_cmp_vfy.t b/test/recipes/65-test_cmp_vfy.t
+index f722800e27..26a01786bb 100644
+--- a/test/recipes/65-test_cmp_vfy.t
++++ b/test/recipes/65-test_cmp_vfy.t
+@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build"
+ plan skip_all => "This test is not supported in a no-ec build"
+     if disabled("ec");
+ 
+-plan tests => 2 + ($no_fips ? 0 : 1); #fips test
++plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test
+ 
+ my @basic_cmd = ("cmp_vfy_test",
+                  data_file("server.crt"),     data_file("client.crt"),
+-- 
+2.41.0
+

0024-load-legacy-prov.patch

@@ -0,0 +1,93 @@
+From 69636828729ecc287863366dcdd6548dee78c7a4 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Mon, 31 Jul 2023 09:41:28 +0200
+Subject: [PATCH 14/35] 0024-load-legacy-prov.patch
+
+Patch-name: 0024-load-legacy-prov.patch
+Patch-id: 24
+Patch-status: |
+    # Instructions to load legacy provider in openssl.cnf
+From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
+---
+ apps/openssl.cnf    | 37 +++++++++++++++----------------------
+ doc/man5/config.pod |  8 ++++++++
+ 2 files changed, 23 insertions(+), 22 deletions(-)
+
+diff --git a/apps/openssl.cnf b/apps/openssl.cnf
+index 3956235fda..bddb6bc029 100644
+--- a/apps/openssl.cnf
++++ b/apps/openssl.cnf
+@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1
+ tsa_policy2 = 1.2.3.4.5.6
+ tsa_policy3 = 1.2.3.4.5.7
+ 
+-# For FIPS
+-# Optionally include a file that is generated by the OpenSSL fipsinstall
+-# application. This file contains configuration data required by the OpenSSL
+-# fips provider. It contains a named section e.g. [fips_sect] which is
+-# referenced from the [provider_sect] below.
+-# Refer to the OpenSSL security policy for more information.
+-# .include fipsmodule.cnf
+-
+ [openssl_init]
+ providers = provider_sect
+ # Load default TLS policy configuration
+ ssl_conf = ssl_module
+ 
+-# List of providers to load
++# Uncomment the sections that start with ## below to enable the legacy provider.
++# Loading the legacy provider enables support for the following algorithms:
++# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
++# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
++# Key Derivation Function (KDF): PBKDF1
++# In general it is not recommended to use the above mentioned algorithms for
++# security critical operations, as they are cryptographically weak or vulnerable
++# to side-channel attacks and as such have been deprecated.
++
+ [provider_sect]
+ default = default_sect
+-# The fips section name should match the section name inside the
+-# included fipsmodule.cnf.
+-# fips = fips_sect
+-
+-# If no providers are activated explicitly, the default one is activated implicitly.
+-# See man 7 OSSL_PROVIDER-default for more details.
+-#
+-# If you add a section explicitly activating any other provider(s), you most
+-# probably need to explicitly activate the default provider, otherwise it
+-# becomes unavailable in openssl.  As a consequence applications depending on
+-# OpenSSL may not work correctly which could lead to significant system
+-# problems including inability to remotely access the system.
++##legacy = legacy_sect
++##
+ [default_sect]
+-# activate = 1
++activate = 1
++
++##[legacy_sect]
++##activate = 1
+ 
+ [ ssl_module ]
+ 
+diff --git a/doc/man5/config.pod b/doc/man5/config.pod
+index 8d312c661f..714a10437b 100644
+--- a/doc/man5/config.pod
++++ b/doc/man5/config.pod
+@@ -273,6 +273,14 @@ significant.
+ All parameters in the section as well as sub-sections are made
+ available to the provider.
+ 
++=head3 Loading the legacy provider
++
++Uncomment the sections that start with ## in openssl.cnf
++to enable the legacy provider.
++Note: In general it is not recommended to use the above mentioned algorithms for
++security critical operations, as they are cryptographically weak or vulnerable
++to side-channel attacks and as such have been deprecated.
++
+ =head3 Default provider and its activation
+ 
+ If no providers are activated explicitly, the default one is activated implicitly.
+-- 
+2.41.0
+

0025-for-tests.patch

@@ -0,0 +1,18 @@
+diff -up openssl-3.0.0/apps/openssl.cnf.xxx openssl-3.0.0/apps/openssl.cnf
+--- openssl-3.0.0/apps/openssl.cnf.xxx	2021-11-23 16:29:50.618691603 +0100
++++ openssl-3.0.0/apps/openssl.cnf	2021-11-23 16:28:16.872882099 +0100
+@@ -55,11 +55,11 @@ providers = provider_sect
+ # to side-channel attacks and as such have been deprecated.
+ 
+ [provider_sect]
+-default = default_sect
++##default = default_sect
+ ##legacy = legacy_sect
+ ##
+-[default_sect]
+-activate = 1
++##[default_sect]
++##activate = 1
+ 
+ ##[legacy_sect]
+ ##activate = 1

0032-Force-fips.patch

@@ -0,0 +1,69 @@
+From 2c110cf5551a3869514e697d8dc06682b62ca57d Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 11:59:02 +0200
+Subject: [PATCH 16/48] 0032-Force-fips.patch
+
+Patch-name: 0032-Force-fips.patch
+Patch-id: 32
+Patch-status: |
+    # We load FIPS provider and set FIPS properties implicitly
+---
+ crypto/provider_conf.c | 28 +++++++++++++++++++++++++++-
+ 1 file changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c
+index 058fb58837..5274265a70 100644
+--- a/crypto/provider_conf.c
++++ b/crypto/provider_conf.c
+@@ -10,6 +10,8 @@
+ #include <string.h>
+ #include <openssl/trace.h>
+ #include <openssl/err.h>
++#include <openssl/evp.h>
++#include <unistd.h>
+ #include <openssl/conf.h>
+ #include <openssl/safestack.h>
+ #include <openssl/provider.h>
+@@ -169,7 +171,7 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name,
+         if (path != NULL)
+             ossl_provider_set_module_path(prov, path);
+ 
+-        ok = provider_conf_params(prov, NULL, NULL, value, cnf);
++        ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;
+ 
+         if (ok) {
+             if (!ossl_provider_activate(prov, 1, 0)) {
+@@ -309,6 +311,30 @@ static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf)
+             return 0;
+     }
+ 
++    if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */
++        OSSL_LIB_CTX *libctx = NCONF_get0_libctx((CONF *)cnf);
++#  define FIPS_LOCAL_CONF           OPENSSLDIR "/fips_local.cnf"
++
++        if (access(FIPS_LOCAL_CONF, R_OK) == 0) {
++            CONF *fips_conf = NCONF_new_ex(libctx, NCONF_default());
++            if (NCONF_load(fips_conf, FIPS_LOCAL_CONF, NULL) <= 0)
++                return 0;
++
++            if (provider_conf_load(libctx, "fips", "fips_sect", fips_conf) != 1) {
++                NCONF_free(fips_conf);
++                return 0;
++            }
++            NCONF_free(fips_conf);
++        } else {
++            if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)
++                return 0;
++        }
++        if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)
++            return 0;
++        if (EVP_default_properties_enable_fips(libctx, 1) != 1)
++            return 0;
++    }
++
+     return 1;
+ }
+ 
+-- 
+2.41.0
+

0033-FIPS-embed-hmac.patch

@@ -0,0 +1,250 @@
+From e364a858262c8f563954544cc81e66f1b3b8db8c Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Thu, 19 Oct 2023 13:12:40 +0200
+Subject: [PATCH 16/46] 0033-FIPS-embed-hmac.patch
+
+Patch-name: 0033-FIPS-embed-hmac.patch
+Patch-id: 33
+Patch-status: |
+    # # Embed HMAC into the fips.so
+From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911
+---
+ providers/fips/self_test.c            | 70 ++++++++++++++++++++++++---
+ test/fipsmodule.cnf                   |  2 +
+ test/recipes/00-prep_fipsmodule_cnf.t |  2 +-
+ test/recipes/01-test_fipsmodule_cnf.t |  2 +-
+ test/recipes/03-test_fipsinstall.t    |  2 +-
+ test/recipes/30-test_defltfips.t      |  2 +-
+ test/recipes/80-test_ssl_new.t        |  2 +-
+ test/recipes/90-test_sslapi.t         |  2 +-
+ 8 files changed, 71 insertions(+), 13 deletions(-)
+ create mode 100644 test/fipsmodule.cnf
+
+diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
+index b8dc9817b2..e3a629018a 100644
+--- a/providers/fips/self_test.c
++++ b/providers/fips/self_test.c
+@@ -230,11 +230,27 @@ err:
+     return ok;
+ }
+ 
++#define HMAC_LEN 32
++/*
++ * The __attribute__ ensures we've created the .rodata1 section
++ * static ensures it's zero filled
++*/
++static const unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0};
++
+ /*
+  * Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify
+  * the result matches the expected value.
+  * Return 1 if verified, or 0 if it fails.
+  */
++#ifndef __USE_GNU
++#define __USE_GNU
++#include <dlfcn.h>
++#undef __USE_GNU
++#else
++#include <dlfcn.h>
++#endif
++#include <link.h>
++
+ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
+                             unsigned char *expected, size_t expected_len,
+                             OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
+@@ -247,12 +263,23 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
+     EVP_MAC *mac = NULL;
+     EVP_MAC_CTX *ctx = NULL;
+     OSSL_PARAM params[2], *p = params;
++    Dl_info info;
++    void *extra_info = NULL;
++    struct link_map *lm = NULL;
++    unsigned long paddr;
++    unsigned long off = 0;
+ 
+     if (!integrity_self_test(ev, libctx))
+         goto err;
+ 
+     OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
+ 
++    if (!dladdr1 ((const void *)fips_hmac_container,
++                &info, &extra_info, RTLD_DL_LINKMAP))
++        goto err;
++    lm = extra_info;
++    paddr = (unsigned long)fips_hmac_container - lm->l_addr;
++
+     mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
+     if (mac == NULL)
+         goto err;
+@@ -266,13 +293,42 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
+     if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
+         goto err;
+ 
+-    while (1) {
+-        status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
++    while ((off + INTEGRITY_BUF_SIZE) <= paddr) {
++        status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
++        if (status != 1)
++            break;
++        if (!EVP_MAC_update(ctx, buf, bytes_read))
++            goto err;
++	off += bytes_read;
++    }
++
++    if (off + INTEGRITY_BUF_SIZE > paddr) {
++        int delta = paddr - off;
++        status = read_ex_cb(bio, buf, delta, &bytes_read);
++        if (status != 1)
++            goto err;
++        if (!EVP_MAC_update(ctx, buf, bytes_read))
++            goto err;
++	off += bytes_read;
++
++        status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
++        memset(buf, 0, HMAC_LEN);
++        if (status != 1)
++            goto err;
++        if (!EVP_MAC_update(ctx, buf, bytes_read))
++            goto err;
++	off += bytes_read;
++    }
++
++    while (bytes_read > 0) {
++        status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read);
+         if (status != 1)
+             break;
+         if (!EVP_MAC_update(ctx, buf, bytes_read))
+             goto err;
++	off += bytes_read;
+     }
++
+     if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
+         goto err;
+ 
+@@ -282,6 +338,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
+         goto err;
+     ret = 1;
+ err:
++    OPENSSL_cleanse(out, sizeof(out));
+     OSSL_SELF_TEST_onend(ev, ret);
+     EVP_MAC_CTX_free(ctx);
+     EVP_MAC_free(mac);
+@@ -335,8 +392,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
+         return 0;
+     }
+ 
+-    if (st == NULL
+-            || st->module_checksum_data == NULL) {
++    if (st == NULL) {
+         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
+         goto end;
+     }
+@@ -345,8 +401,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
+     if (ev == NULL)
+         goto end;
+ 
+-    module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
+-                                         &checksum_len);
++    module_checksum = fips_hmac_container;
++    checksum_len = sizeof(fips_hmac_container);
++
+     if (module_checksum == NULL) {
+         ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
+         goto end;
+@@ -420,7 +477,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
+ end:
+     EVP_RAND_free(testrand);
+     OSSL_SELF_TEST_free(ev);
+-    OPENSSL_free(module_checksum);
+     OPENSSL_free(indicator_checksum);
+ 
+     if (st != NULL) {
+diff --git a/test/fipsmodule.cnf b/test/fipsmodule.cnf
+new file mode 100644
+index 0000000000..f05d0dedbe
+--- /dev/null
++++ b/test/fipsmodule.cnf
+@@ -0,0 +1,2 @@
++[fips_sect]
++activate = 1
+diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t
+index 4e3a6d85e8..e8255ba974 100644
+--- a/test/recipes/00-prep_fipsmodule_cnf.t
++++ b/test/recipes/00-prep_fipsmodule_cnf.t
+@@ -20,7 +20,7 @@ use lib srctop_dir('Configurations');
+ use lib bldtop_dir('.');
+ use platform;
+ 
+-my $no_check = disabled("fips");
++my $no_check = 1;
+ plan skip_all => "FIPS module config file only supported in a fips build"
+     if $no_check;
+ 
+diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t
+index ce594817d5..00cebacff8 100644
+--- a/test/recipes/01-test_fipsmodule_cnf.t
++++ b/test/recipes/01-test_fipsmodule_cnf.t
+@@ -23,7 +23,7 @@ use lib srctop_dir('Configurations');
+ use lib bldtop_dir('.');
+ use platform;
+ 
+-my $no_check = disabled("fips");
++my $no_check = 1;
+ plan skip_all => "Test only supported in a fips build"
+     if $no_check;
+ plan tests => 1;
+diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t
+index b8b136d110..8242f4ebc3 100644
+--- a/test/recipes/03-test_fipsinstall.t
++++ b/test/recipes/03-test_fipsinstall.t
+@@ -22,7 +22,7 @@ use lib srctop_dir('Configurations');
+ use lib bldtop_dir('.');
+ use platform;
+ 
+-plan skip_all => "Test only supported in a fips build" if disabled("fips");
++plan skip_all => "Test only supported in a fips build" if 1;
+ 
+ # Compatible options for pedantic FIPS compliance
+ my @pedantic_okay =
+diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t
+index c8f145405b..56a2ec5dc4 100644
+--- a/test/recipes/30-test_defltfips.t
++++ b/test/recipes/30-test_defltfips.t
+@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
+ plan skip_all => "Configuration loading is turned off"
+     if disabled("autoload-config");
+ 
+-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
++my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
+ 
+ plan tests =>
+     ($no_fips ? 1 : 5);
+diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
+index 0c6d6402d9..e45f9cb560 100644
+--- a/test/recipes/80-test_ssl_new.t
++++ b/test/recipes/80-test_ssl_new.t
+@@ -27,7 +27,7 @@ setup("test_ssl_new");
+ use lib srctop_dir('Configurations');
+ use lib bldtop_dir('.');
+ 
+-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
++my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
+ 
+ $ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
+ 
+diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t
+index 9e9e32b51e..1a1a7159b5 100644
+--- a/test/recipes/90-test_sslapi.t
++++ b/test/recipes/90-test_sslapi.t
+@@ -17,7 +17,7 @@ setup("test_sslapi");
+ use lib srctop_dir('Configurations');
+ use lib bldtop_dir('.');
+ 
+-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
++my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
+ my $fipsmodcfg_filename = "fipsmodule.cnf";
+ my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename);
+ 
+-- 
+2.41.0
+

0034.fipsinstall_disable.patch

@@ -0,0 +1,473 @@
+From a9825123e7ab3474d2794a5706d9bed047959c9c Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Mon, 31 Jul 2023 09:41:28 +0200
+Subject: [PATCH 18/35] 0034.fipsinstall_disable.patch
+
+Patch-name: 0034.fipsinstall_disable.patch
+Patch-id: 34
+Patch-status: |
+    # Comment out fipsinstall command-line utility
+From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
+---
+ apps/fipsinstall.c                  |   3 +
+ doc/man1/openssl-fipsinstall.pod.in | 272 +---------------------------
+ doc/man1/openssl.pod                |   4 -
+ doc/man5/config.pod                 |   1 -
+ doc/man5/fips_config.pod            | 104 +----------
+ doc/man7/OSSL_PROVIDER-FIPS.pod     |   1 -
+ 6 files changed, 10 insertions(+), 375 deletions(-)
+
+diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c
+index e1ef645b60..db92cb5fb2 100644
+--- a/apps/fipsinstall.c
++++ b/apps/fipsinstall.c
+@@ -375,6 +375,9 @@ int fipsinstall_main(int argc, char **argv)
+     EVP_MAC *mac = NULL;
+     CONF *conf = NULL;
+ 
++    BIO_printf(bio_err, "This command is not enabled in the Red Hat Enterprise Linux OpenSSL build, please consult Red Hat documentation to learn how to enable FIPS mode\n");
++    return 1;
++
+     if ((opts = sk_OPENSSL_STRING_new_null()) == NULL)
+         goto end;
+ 
+diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in
+index b1768b7f91..b6b00e27d8 100644
+--- a/doc/man1/openssl-fipsinstall.pod.in
++++ b/doc/man1/openssl-fipsinstall.pod.in
+@@ -8,275 +8,9 @@ openssl-fipsinstall - perform FIPS configuration installation
+ =head1 SYNOPSIS
+ 
+ B<openssl fipsinstall>
+-[B<-help>]
+-[B<-in> I<configfilename>]
+-[B<-out> I<configfilename>]
+-[B<-module> I<modulefilename>]
+-[B<-provider_name> I<providername>]
+-[B<-section_name> I<sectionname>]
+-[B<-verify>]
+-[B<-mac_name> I<macname>]
+-[B<-macopt> I<nm>:I<v>]
+-[B<-noout>]
+-[B<-quiet>]
+-[B<-pedantic>]
+-[B<-no_conditional_errors>]
+-[B<-no_security_checks>]
+-[B<-ems_check>]
+-[B<-no_drbg_truncated_digests>]
+-[B<-self_test_onload>]
+-[B<-self_test_oninstall>]
+-[B<-corrupt_desc> I<selftest_description>]
+-[B<-corrupt_type> I<selftest_type>]
+-[B<-config> I<parent_config>]
+-
+-=head1 DESCRIPTION
+-
+-This command is used to generate a FIPS module configuration file.
+-This configuration file can be used each time a FIPS module is loaded
+-in order to pass data to the FIPS module self tests. The FIPS module always
+-verifies its MAC, but optionally only needs to run the KAT's once,
+-at installation.
+-
+-The generated configuration file consists of:
+-
+-=over 4
+-
+-=item - A MAC of the FIPS module file.
+-
+-=item - A test status indicator.
+-
+-This indicates if the Known Answer Self Tests (KAT's) have successfully run.
+-
+-=item - A MAC of the status indicator.
+-
+-=item - A control for conditional self tests errors.
+-
+-By default if a continuous test (e.g a key pair test) fails then the FIPS module
+-will enter an error state, and no services or cryptographic algorithms will be
+-able to be accessed after this point.
+-The default value of '1' will cause the fips module error state to be entered.
+-If the value is '0' then the module error state will not be entered.
+-Regardless of whether the error state is entered or not, the current operation
+-(e.g. key generation) will return an error. The user is responsible for retrying
+-the operation if the module error state is not entered.
+-
+-=item - A control to indicate whether run-time security checks are done.
+-
+-This indicates if run-time checks related to enforcement of security parameters
+-such as minimum security strength of keys and approved curve names are used.
+-The default value of '1' will perform the checks.
+-If the value is '0' the checks are not performed and FIPS compliance must
+-be done by procedures documented in the relevant Security Policy.
+-
+-=back
+-
+-This file is described in L<fips_config(5)>.
+-
+-=head1 OPTIONS
+-
+-=over 4
+-
+-=item B<-help>
+-
+-Print a usage message.
+-
+-=item B<-module> I<filename>
+-
+-Filename of the FIPS module to perform an integrity check on.
+-The path provided in the filename is used to load the module when it is
+-activated, and this overrides the environment variable B<OPENSSL_MODULES>.
+-
+-=item B<-out> I<configfilename>
+-
+-Filename to output the configuration data to; the default is standard output.
+-
+-=item B<-in> I<configfilename>
+-
+-Input filename to load configuration data from.
+-Must be used if the B<-verify> option is specified.
+-
+-=item B<-verify>
+-
+-Verify that the input configuration file contains the correct information.
+-
+-=item B<-provider_name> I<providername>
+-
+-Name of the provider inside the configuration file.
+-The default value is C<fips>.
+-
+-=item B<-section_name> I<sectionname>
+-
+-Name of the section inside the configuration file.
+-The default value is C<fips_sect>.
+-
+-=item B<-mac_name> I<name>
+-
+-Specifies the name of a supported MAC algorithm which will be used.
+-The MAC mechanisms that are available will depend on the options
+-used when building OpenSSL.
+-To see the list of supported MAC's use the command
+-C<openssl list -mac-algorithms>.  The default is B<HMAC>.
+-
+-=item B<-macopt> I<nm>:I<v>
+-
+-Passes options to the MAC algorithm.
+-A comprehensive list of controls can be found in the EVP_MAC implementation
+-documentation.
+-Common control strings used for this command are:
+-
+-=over 4
+-
+-=item B<key>:I<string>
+-
+-Specifies the MAC key as an alphanumeric string (use if the key contains
+-printable characters only).
+-The string length must conform to any restrictions of the MAC algorithm.
+-A key must be specified for every MAC algorithm.
+-If no key is provided, the default that was specified when OpenSSL was
+-configured is used.
+-
+-=item B<hexkey>:I<string>
+-
+-Specifies the MAC key in hexadecimal form (two hex digits per byte).
+-The key length must conform to any restrictions of the MAC algorithm.
+-A key must be specified for every MAC algorithm.
+-If no key is provided, the default that was specified when OpenSSL was
+-configured is used.
+-
+-=item B<digest>:I<string>
+-
+-Used by HMAC as an alphanumeric string (use if the key contains printable
+-characters only).
+-The string length must conform to any restrictions of the MAC algorithm.
+-To see the list of supported digests, use the command
+-C<openssl list -digest-commands>.
+-The default digest is SHA-256.
+-
+-=back
+-
+-=item B<-noout>
+-
+-Disable logging of the self tests.
+-
+-=item B<-pedantic>
+-
+-Configure the module so that it is strictly FIPS compliant rather
+-than being backwards compatible.  This enables conditional errors,
+-security checks etc.  Note that any previous configuration options will
+-be overwritten and any subsequent configuration options that violate
+-FIPS compliance will result in an error.
+-
+-=item B<-no_conditional_errors>
+-
+-Configure the module to not enter an error state if a conditional self test
+-fails as described above.
+-
+-=item B<-no_security_checks>
+-
+-Configure the module to not perform run-time security checks as described above.
+-
+-Enabling the configuration option "no-fips-securitychecks" provides another way to
+-turn off the check at compile time.
+-
+-=item B<-ems_check>
+-
+-Configure the module to enable a run-time Extended Master Secret (EMS) check
+-when using the TLS1_PRF KDF algorithm. This check is disabled by default.
+-See RFC 7627 for information related to EMS.
+-
+-=item B<-no_drbg_truncated_digests>
+-
+-Configure the module to not allow truncated digests to be used with Hash and
+-HMAC DRBGs.  See FIPS 140-3 IG D.R for details.
+-
+-=item B<-self_test_onload>
+-
+-Do not write the two fields related to the "test status indicator" and
+-"MAC status indicator" to the output configuration file. Without these fields
+-the self tests KATS will run each time the module is loaded. This option could be
+-used for cross compiling, since the self tests need to run at least once on each
+-target machine. Once the self tests have run on the target machine the user
+-could possibly then add the 2 fields into the configuration using some other
+-mechanism.
+-
+-This is the default.
+-
+-=item B<-self_test_oninstall>
+-
+-The converse of B<-self_test_oninstall>.  The two fields related to the
+-"test status indicator" and "MAC status indicator" are written to the
+-output configuration file.
+-
+-=item B<-quiet>
+-
+-Do not output pass/fail messages. Implies B<-noout>.
+-
+-=item B<-corrupt_desc> I<selftest_description>,
+-B<-corrupt_type> I<selftest_type>
+-
+-The corrupt options can be used to test failure of one or more self tests by
+-name.
+-Either option or both may be used to select the tests to corrupt.
+-Refer to the entries for B<st-desc> and B<st-type> in L<OSSL_PROVIDER-FIPS(7)> for
+-values that can be used.
+-
+-=item B<-config> I<parent_config>
+-
+-Test that a FIPS provider can be loaded from the specified configuration file.
+-A previous call to this application needs to generate the extra configuration
+-data that is included by the base C<parent_config> configuration file.
+-See L<config(5)> for further information on how to set up a provider section.
+-All other options are ignored if '-config' is used.
+-
+-=back
+-
+-=head1 NOTES
+-
+-Self tests results are logged by default if the options B<-quiet> and B<-noout>
+-are not specified, or if either of the options B<-corrupt_desc> or
+-B<-corrupt_type> are used.
+-If the base configuration file is set up to autoload the fips module, then the
+-fips module will be loaded and self tested BEFORE the fipsinstall application
+-has a chance to set up its own self test callback. As a result of this the self
+-test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignored.
+-For normal usage the base configuration file should use the default provider
+-when generating the fips configuration file.
+-
+-The B<-self_test_oninstall> option was added and the
+-B<-self_test_onload> option was made the default in OpenSSL 3.1.
+-
+-The command and all remaining options were added in OpenSSL 3.0.
+-
+-=head1 EXAMPLES
+-
+-Calculate the mac of a FIPS module F<fips.so> and run a FIPS self test
+-for the module, and save the F<fips.cnf> configuration file:
+-
+- openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips
+-
+-Verify that the configuration file F<fips.cnf> contains the correct info:
+-
+- openssl fipsinstall -module ./fips.so -in fips.cnf  -provider_name fips -verify
+-
+-Corrupt any self tests which have the description C<SHA1>:
+-
+- openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips \
+-         -corrupt_desc 'SHA1'
+-
+-Validate that the fips module can be loaded from a base configuration file:
+-
+- export OPENSSL_CONF_INCLUDE=<path of configuration files>
+- export OPENSSL_MODULES=<provider-path>
+- openssl fipsinstall -config' 'default.cnf'
+-
+-
+-=head1 SEE ALSO
+-
+-L<config(5)>,
+-L<fips_config(5)>,
+-L<OSSL_PROVIDER-FIPS(7)>,
+-L<EVP_MAC(3)>
++This command is disabled.
++Please consult Red Hat Enterprise Linux documentation to learn how to correctly
++enable FIPS mode on Red Hat Enterprise
+ 
+ =head1 COPYRIGHT
+ 
+diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod
+index d9c22a580f..d5ec3b9a6a 100644
+--- a/doc/man1/openssl.pod
++++ b/doc/man1/openssl.pod
+@@ -135,10 +135,6 @@ Engine (loadable module) information and manipulation.
+ 
+ Error Number to Error String Conversion.
+ 
+-=item B<fipsinstall>
+-
+-FIPS configuration installation.
+-
+ =item B<gendsa>
+ 
+ Generation of DSA Private Key from Parameters. Superseded by
+diff --git a/doc/man5/config.pod b/doc/man5/config.pod
+index 714a10437b..bd05736220 100644
+--- a/doc/man5/config.pod
++++ b/doc/man5/config.pod
+@@ -573,7 +573,6 @@ configuration files using that syntax will have to be modified.
+ =head1 SEE ALSO
+ 
+ L<openssl-x509(1)>, L<openssl-req(1)>, L<openssl-ca(1)>,
+-L<openssl-fipsinstall(1)>,
+ L<ASN1_generate_nconf(3)>,
+ L<EVP_set_default_properties(3)>,
+ L<CONF_modules_load(3)>,
+diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod
+index 2255464304..1c15e32a5c 100644
+--- a/doc/man5/fips_config.pod
++++ b/doc/man5/fips_config.pod
+@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration
+ 
+ =head1 DESCRIPTION
+ 
+-A separate configuration file, using the OpenSSL L<config(5)> syntax,
+-is used to hold information about the FIPS module. This includes a digest
+-of the shared library file, and status about the self-testing.
+-This data is used automatically by the module itself for two
+-purposes:
+-
+-=over 4
+-
+-=item - Run the startup FIPS self-test known answer tests (KATS).
+-
+-This is normally done once, at installation time, but may also be set up to
+-run each time the module is used.
+-
+-=item - Verify the module's checksum.
+-
+-This is done each time the module is used.
+-
+-=back
+-
+-This file is generated by the L<openssl-fipsinstall(1)> program, and
+-used internally by the FIPS module during its initialization.
+-
+-The following options are supported. They should all appear in a section
+-whose name is identified by the B<fips> option in the B<providers>
+-section, as described in L<config(5)/Provider Configuration Module>.
+-
+-=over 4
+-
+-=item B<activate>
+-
+-If present, the module is activated. The value assigned to this name is not
+-significant.
+-
+-=item B<install-version>
+-
+-A version number for the fips install process. Should be 1.
+-
+-=item B<conditional-errors>
+-
+-The FIPS module normally enters an internal error mode if any self test fails.
+-Once this error mode is active, no services or cryptographic algorithms are
+-accessible from this point on.
+-Continuous tests are a subset of the self tests (e.g., a key pair test during key
+-generation, or the CRNG output test).
+-Setting this value to C<0> allows the error mode to not be triggered if any
+-continuous test fails. The default value of C<1> will trigger the error mode.
+-Regardless of the value, the operation (e.g., key generation) that called the
+-continuous test will return an error code if its continuous test fails. The
+-operation may then be retried if the error mode has not been triggered.
+-
+-=item B<security-checks>
+-
+-This indicates if run-time checks related to enforcement of security parameters
+-such as minimum security strength of keys and approved curve names are used.
+-A value of '1' will perform the checks, otherwise if the value is '0' the checks
+-are not performed and FIPS compliance must be done by procedures documented in
+-the relevant Security Policy.
+-
+-=item B<module-mac>
+-
+-The calculated MAC of the FIPS provider file.
+-
+-=item B<install-status>
+-
+-An indicator that the self-tests were successfully run.
+-This should only be written after the module has
+-successfully passed its self tests during installation.
+-If this field is not present, then the self tests will run when the module
+-loads.
+-
+-=item B<install-mac>
+-
+-A MAC of the value of the B<install-status> option, to prevent accidental
+-changes to that value.
+-It is written-to at the same time as B<install-status> is updated.
+-
+-=back
+-
+-For example:
+-
+- [fips_sect]
+- activate = 1
+- install-version = 1
+- conditional-errors = 1
+- security-checks = 1
+- module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC
+- install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
+- install-status = INSTALL_SELF_TEST_KATS_RUN
+-
+-=head1 NOTES
+-
+-When using the FIPS provider, it is recommended that the
+-B<config_diagnostics> option is enabled to prevent accidental use of
+-non-FIPS validated algorithms via broken or mistaken configuration.
+-See L<config(5)>.
+-
+-=head1 SEE ALSO
+-
+-L<config(5)>
+-L<openssl-fipsinstall(1)>
++This command is disabled in Red Hat Enterprise Linux. The FIPS provider is
++automatically loaded when the system is booted in FIPS mode, or when the
++environment variable B<OPENSSL_FORCE_FIPS_MODE> is set. See the documentation
++for more information.
+ 
+ =head1 HISTORY
+ 
+diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod
+index 4f908888ba..ef00247770 100644
+--- a/doc/man7/OSSL_PROVIDER-FIPS.pod
++++ b/doc/man7/OSSL_PROVIDER-FIPS.pod
+@@ -444,7 +444,6 @@ want to operate in a FIPS approved manner.  The algorithms are:
+ 
+ =head1 SEE ALSO
+ 
+-L<openssl-fipsinstall(1)>,
+ L<fips_config(5)>,
+ L<OSSL_SELF_TEST_set_callback(3)>,
+ L<OSSL_SELF_TEST_new(3)>,
+-- 
+2.41.0
+

0035-speed-skip-unavailable-dgst.patch

@@ -0,0 +1,31 @@
+From 213f38dc580d39f2cb46592b5e6db585fc6a650f Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Mon, 31 Jul 2023 09:41:28 +0200
+Subject: [PATCH 19/35] 0035-speed-skip-unavailable-dgst.patch
+
+Patch-name: 0035-speed-skip-unavailable-dgst.patch
+Patch-id: 35
+Patch-status: |
+    # Skip unavailable algorithms running `openssl speed`
+From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
+---
+ apps/speed.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/apps/speed.c b/apps/speed.c
+index d527f12f18..2ff3eb53bd 100644
+--- a/apps/speed.c
++++ b/apps/speed.c
+@@ -610,6 +610,9 @@ static int EVP_MAC_loop(int algindex, void *args)
+     for (count = 0; COND(c[algindex][testnum]); count++) {
+         size_t outl;
+ 
++        if (mctx == NULL)
++            return -1;
++
+         if (!EVP_MAC_init(mctx, NULL, 0, NULL)
+             || !EVP_MAC_update(mctx, buf, lengths[testnum])
+             || !EVP_MAC_final(mctx, mac, &outl, sizeof(mac)))
+-- 
+2.41.0
+

0044-FIPS-140-3-keychecks.patch

@@ -0,0 +1,388 @@
+From b300beb172d5813b01b93bfd62fe191f8187fe1e Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 12:05:23 +0200
+Subject: [PATCH 20/48] 0044-FIPS-140-3-keychecks.patch
+
+Patch-name: 0044-FIPS-140-3-keychecks.patch
+Patch-id: 44
+Patch-status: |
+    # Extra public/private key checks required by FIPS-140-3
+---
+ crypto/dh/dh_key.c                            | 26 ++++++++++
+ .../implementations/exchange/ecdh_exch.c      | 19 ++++++++
+ providers/implementations/keymgmt/ec_kmgmt.c  | 24 +++++++++-
+ providers/implementations/keymgmt/rsa_kmgmt.c | 18 +++++++
+ .../implementations/signature/ecdsa_sig.c     | 37 +++++++++++++--
+ providers/implementations/signature/rsa_sig.c | 47 +++++++++++++++++--
+ 6 files changed, 162 insertions(+), 9 deletions(-)
+
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
+index 4e9705beef..83773cceea 100644
+--- a/crypto/dh/dh_key.c
++++ b/crypto/dh/dh_key.c
+@@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
+     BN_MONT_CTX *mont = NULL;
+     BIGNUM *z = NULL, *pminus1;
+     int ret = -1;
++#ifdef FIPS_MODULE
++    int validate = 0;
++#endif
+ 
+     if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
+         ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
+@@ -54,6 +57,13 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
+         return 0;
+     }
+ 
++#ifdef FIPS_MODULE
++    if (DH_check_pub_key(dh, pub_key, &validate) <= 0) {
++        ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID);
++        return 0;
++    }
++#endif
++
+     ctx = BN_CTX_new_ex(dh->libctx);
+     if (ctx == NULL)
+         goto err;
+@@ -262,6 +272,9 @@ static int generate_key(DH *dh)
+ #endif
+     BN_CTX *ctx = NULL;
+     BIGNUM *pub_key = NULL, *priv_key = NULL;
++#ifdef FIPS_MODULE
++    int validate = 0;
++#endif
+ 
+     if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
+         ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
+@@ -354,8 +367,21 @@ static int generate_key(DH *dh)
+     if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key))
+         goto err;
+ 
++#ifdef FIPS_MODULE
++    if (DH_check_pub_key(dh, pub_key, &validate) <= 0) {
++        ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID);
++        goto err;
++    }
++#endif
++
+     dh->pub_key = pub_key;
+     dh->priv_key = priv_key;
++#ifdef FIPS_MODULE
++    if (ossl_dh_check_pairwise(dh) <= 0) {
++        abort();
++    }
++#endif
++
+     dh->dirty_cnt++;
+     ok = 1;
+  err:
+diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c
+index 43caedb6df..73873f9758 100644
+--- a/providers/implementations/exchange/ecdh_exch.c
++++ b/providers/implementations/exchange/ecdh_exch.c
+@@ -489,6 +489,25 @@ int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret,
+     }
+ 
+     ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk);
++#ifdef FIPS_MODULE
++    {
++        BN_CTX *bn_ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(privk));
++        int check = 0;
++
++        if (bn_ctx == NULL) {
++            ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
++            goto end;
++        }
++
++        check = ossl_ec_key_public_check(pecdhctx->peerk, bn_ctx);
++        BN_CTX_free(bn_ctx);
++
++        if (check <= 0) {
++            ERR_raise(ERR_LIB_PROV, EC_R_INVALID_PEER_KEY);
++            goto end;
++        }
++    }
++#endif
+ 
+     retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL);
+ 
+diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
+index a37cbbdba8..bca3f3c674 100644
+--- a/providers/implementations/keymgmt/ec_kmgmt.c
++++ b/providers/implementations/keymgmt/ec_kmgmt.c
+@@ -989,8 +989,17 @@ struct ec_gen_ctx {
+     int selection;
+     int ecdh_mode;
+     EC_GROUP *gen_group;
++#ifdef FIPS_MODULE
++    void *ecdsa_sig_ctx;
++#endif
+ };
+ 
++#ifdef FIPS_MODULE
++void *ecdsa_newctx(void *provctx, const char *propq);
++void ecdsa_freectx(void *vctx);
++int do_ec_pct(void *, const char *, void *);
++#endif
++
+ static void *ec_gen_init(void *provctx, int selection,
+                          const OSSL_PARAM params[])
+ {
+@@ -1009,6 +1018,10 @@ static void *ec_gen_init(void *provctx, int selection,
+             gctx = NULL;
+         }
+     }
++#ifdef FIPS_MODULE
++    if (gctx != NULL)
++        gctx->ecdsa_sig_ctx = ecdsa_newctx(provctx, NULL);
++#endif
+     return gctx;
+ }
+ 
+@@ -1279,6 +1292,12 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
+ 
+     if (gctx->ecdh_mode != -1)
+         ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode);
++#ifdef FIPS_MODULE
++    /* Pairwise consistency test */
++    if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0
++        && do_ec_pct(gctx->ecdsa_sig_ctx, "sha256", ec) != 1)
++        abort();
++#endif
+ 
+     if (gctx->group_check != NULL)
+         ret = ret && ossl_ec_set_check_group_type_from_name(ec, gctx->group_check);
+@@ -1348,7 +1367,10 @@ static void ec_gen_cleanup(void *genctx)
+ 
+     if (gctx == NULL)
+         return;
+-
++#ifdef FIPS_MODULE
++    ecdsa_freectx(gctx->ecdsa_sig_ctx);
++    gctx->ecdsa_sig_ctx = NULL;
++#endif
+     EC_GROUP_free(gctx->gen_group);
+     BN_free(gctx->p);
+     BN_free(gctx->a);
+diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c
+index 3ba12c4889..ff49f8fcd8 100644
+--- a/providers/implementations/keymgmt/rsa_kmgmt.c
++++ b/providers/implementations/keymgmt/rsa_kmgmt.c
+@@ -434,6 +434,7 @@ struct rsa_gen_ctx {
+ #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
+     /* ACVP test parameters */
+     OSSL_PARAM *acvp_test_params;
++    void *prov_rsa_ctx;
+ #endif
+ };
+ 
+@@ -447,6 +448,12 @@ static int rsa_gencb(int p, int n, BN_GENCB *cb)
+     return gctx->cb(params, gctx->cbarg);
+ }
+ 
++#ifdef FIPS_MODULE
++void *rsa_newctx(void *provctx, const char *propq);
++void rsa_freectx(void *vctx);
++int do_rsa_pct(void *, const char *, void *);
++#endif
++
+ static void *gen_init(void *provctx, int selection, int rsa_type,
+                       const OSSL_PARAM params[])
+ {
+@@ -474,6 +481,10 @@ static void *gen_init(void *provctx, int selection, int rsa_type,
+ 
+     if (!rsa_gen_set_params(gctx, params))
+         goto err;
++#ifdef FIPS_MODULE
++    if (gctx != NULL)
++        gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL);
++#endif
+     return gctx;
+ 
+ err:
+@@ -630,6 +641,11 @@ static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
+ 
+     rsa = rsa_tmp;
+     rsa_tmp = NULL;
++#ifdef FIPS_MODULE
++    /* Pairwise consistency test */
++    if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1)
++        abort();
++#endif
+  err:
+     BN_GENCB_free(gencb);
+     RSA_free(rsa_tmp);
+@@ -645,6 +661,8 @@ static void rsa_gen_cleanup(void *genctx)
+ #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
+     ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params);
+     gctx->acvp_test_params = NULL;
++    rsa_freectx(gctx->prov_rsa_ctx);
++    gctx->prov_rsa_ctx = NULL;
+ #endif
+     BN_clear_free(gctx->pub_exp);
+     OPENSSL_free(gctx);
+diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
+index 865d49d100..ebeb30e002 100644
+--- a/providers/implementations/signature/ecdsa_sig.c
++++ b/providers/implementations/signature/ecdsa_sig.c
+@@ -32,7 +32,7 @@
+ #include "crypto/ec.h"
+ #include "prov/der_ec.h"
+ 
+-static OSSL_FUNC_signature_newctx_fn ecdsa_newctx;
++OSSL_FUNC_signature_newctx_fn ecdsa_newctx;
+ static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init;
+ static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init;
+ static OSSL_FUNC_signature_sign_fn ecdsa_sign;
+@@ -43,7 +43,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final;
+ static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init;
+ static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update;
+ static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final;
+-static OSSL_FUNC_signature_freectx_fn ecdsa_freectx;
++OSSL_FUNC_signature_freectx_fn ecdsa_freectx;
+ static OSSL_FUNC_signature_dupctx_fn ecdsa_dupctx;
+ static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params;
+ static OSSL_FUNC_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params;
+@@ -104,7 +104,7 @@ typedef struct {
+ #endif
+ } PROV_ECDSA_CTX;
+ 
+-static void *ecdsa_newctx(void *provctx, const char *propq)
++void *ecdsa_newctx(void *provctx, const char *propq)
+ {
+     PROV_ECDSA_CTX *ctx;
+ 
+@@ -370,7 +370,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig,
+     return ecdsa_verify(ctx, sig, siglen, digest, (size_t)dlen);
+ }
+ 
+-static void ecdsa_freectx(void *vctx)
++void ecdsa_freectx(void *vctx)
+ {
+     PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
+ 
+@@ -581,6 +581,35 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx)
+     return EVP_MD_settable_ctx_params(ctx->md);
+ }
+ 
++#ifdef FIPS_MODULE
++int do_ec_pct(void *vctx, const char *mdname, void *ec)
++{
++    static const unsigned char data[32];
++    unsigned char sigbuf[256];
++    size_t siglen = sizeof(sigbuf);
++
++    if (ecdsa_digest_sign_init(vctx, mdname, ec, NULL) <= 0)
++        return 0;
++
++    if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
++        return 0;
++
++    if (ecdsa_digest_sign_final(vctx, sigbuf, &siglen, sizeof(sigbuf)) <= 0)
++        return 0;
++
++    if (ecdsa_digest_verify_init(vctx, mdname, ec, NULL) <= 0)
++        return 0;
++
++    if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
++        return 0;
++
++    if (ecdsa_digest_verify_final(vctx, sigbuf, siglen) <= 0)
++        return 0;
++
++    return 1;
++}
++#endif
++
+ const OSSL_DISPATCH ossl_ecdsa_signature_functions[] = {
+     { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx },
+     { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init },
+diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
+index cd5de6bd51..d4261e8f7d 100644
+--- a/providers/implementations/signature/rsa_sig.c
++++ b/providers/implementations/signature/rsa_sig.c
+@@ -34,7 +34,7 @@
+ 
+ #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
+ 
+-static OSSL_FUNC_signature_newctx_fn rsa_newctx;
++OSSL_FUNC_signature_newctx_fn rsa_newctx;
+ static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
+ static OSSL_FUNC_signature_verify_init_fn rsa_verify_init;
+ static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init;
+@@ -47,7 +47,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final;
+ static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init;
+ static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_signverify_update;
+ static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final;
+-static OSSL_FUNC_signature_freectx_fn rsa_freectx;
++OSSL_FUNC_signature_freectx_fn rsa_freectx;
+ static OSSL_FUNC_signature_dupctx_fn rsa_dupctx;
+ static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params;
+ static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params;
+@@ -170,7 +170,7 @@ static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen)
+     return 1;
+ }
+ 
+-static void *rsa_newctx(void *provctx, const char *propq)
++void *rsa_newctx(void *provctx, const char *propq)
+ {
+     PROV_RSA_CTX *prsactx = NULL;
+     char *propq_copy = NULL;
+@@ -977,7 +977,7 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
+     return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen);
+ }
+ 
+-static void rsa_freectx(void *vprsactx)
++void rsa_freectx(void *vprsactx)
+ {
+     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
+ 
+@@ -1455,6 +1455,45 @@ static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)
+     return EVP_MD_settable_ctx_params(prsactx->md);
+ }
+ 
++#ifdef FIPS_MODULE
++int do_rsa_pct(void *vctx, const char *mdname, void *rsa)
++{
++    static const unsigned char data[32];
++    unsigned char *sigbuf = NULL;
++    size_t siglen = 0;
++    int ret = 0;
++
++    if (rsa_digest_sign_init(vctx, mdname, rsa, NULL) <= 0)
++        return 0;
++
++    if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
++        return 0;
++
++    if (rsa_digest_sign_final(vctx, NULL, &siglen, 0) <= 0)
++        return 0;
++
++    if ((sigbuf = OPENSSL_malloc(siglen)) == NULL)
++        return 0;
++
++    if (rsa_digest_sign_final(vctx, sigbuf, &siglen, siglen) <= 0)
++        goto err;
++
++    if (rsa_digest_verify_init(vctx, mdname, rsa, NULL) <= 0)
++        goto err;
++
++    if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
++        goto err;
++
++    if (rsa_digest_verify_final(vctx, sigbuf, siglen) <= 0)
++        goto err;
++    ret = 1;
++
++ err:
++    OPENSSL_free(sigbuf);
++    return ret;
++}
++#endif
++
+ const OSSL_DISPATCH ossl_rsa_signature_functions[] = {
+     { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
+     { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
+-- 
+2.41.0
+

0045-FIPS-services-minimize.patch

@@ -0,0 +1,771 @@
+From a9dc983f82cabe29d6b48f3af3e30e26074ce5cf Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 12:55:57 +0200
+Subject: [PATCH 21/48] 0045-FIPS-services-minimize.patch
+
+Patch-name: 0045-FIPS-services-minimize.patch
+Patch-id: 45
+Patch-status: |
+    # Minimize fips services
+---
+ apps/ecparam.c                                |  7 +++
+ apps/req.c                                    |  2 +-
+ providers/common/capabilities.c               |  2 +-
+ providers/fips/fipsprov.c                     | 44 +++++++++++--------
+ providers/fips/self_test_data.inc             |  9 +++-
+ providers/implementations/signature/rsa_sig.c | 26 +++++++++++
+ ssl/ssl_ciph.c                                |  3 ++
+ test/acvp_test.c                              |  2 +
+ test/endecode_test.c                          |  4 ++
+ test/evp_libctx_test.c                        |  9 +++-
+ test/recipes/15-test_gendsa.t                 |  2 +-
+ test/recipes/20-test_cli_fips.t               |  3 +-
+ test/recipes/30-test_evp.t                    | 16 +++----
+ .../30-test_evp_data/evpmac_common.txt        | 22 ++++++++++
+ test/recipes/80-test_cms.t                    | 22 +++++-----
+ test/recipes/80-test_ssl_old.t                |  2 +-
+ 16 files changed, 128 insertions(+), 47 deletions(-)
+
+diff --git a/apps/ecparam.c b/apps/ecparam.c
+index 9e9ad13683..9c66cf2434 100644
+--- a/apps/ecparam.c
++++ b/apps/ecparam.c
+@@ -79,6 +79,13 @@ static int list_builtin_curves(BIO *out)
+         const char *comment = curves[n].comment;
+         const char *sname = OBJ_nid2sn(curves[n].nid);
+ 
++        if (((curves[n].nid == NID_secp256k1) || (curves[n].nid == NID_brainpoolP256r1)
++            || (curves[n].nid == NID_brainpoolP256t1) || (curves[n].nid == NID_brainpoolP320r1)
++            || (curves[n].nid == NID_brainpoolP320t1) || (curves[n].nid == NID_brainpoolP384r1)
++            || (curves[n].nid == NID_brainpoolP384t1) || (curves[n].nid == NID_brainpoolP512r1)
++            || (curves[n].nid == NID_brainpoolP512t1)) && EVP_default_properties_is_fips_enabled(NULL))
++            continue;
++
+         if (comment == NULL)
+             comment = "CURVE DESCRIPTION NOT AVAILABLE";
+         if (sname == NULL)
+diff --git a/apps/req.c b/apps/req.c
+index 23757044ab..5916914978 100644
+--- a/apps/req.c
++++ b/apps/req.c
+@@ -266,7 +266,7 @@ int req_main(int argc, char **argv)
+     unsigned long chtype = MBSTRING_ASC, reqflag = 0;
+ 
+ #ifndef OPENSSL_NO_DES
+-    cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
++    cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
+ #endif
+ 
+     prog = opt_init(argc, argv, req_options);
+diff --git a/providers/common/capabilities.c b/providers/common/capabilities.c
+index ed37e76969..eb836dfa6a 100644
+--- a/providers/common/capabilities.c
++++ b/providers/common/capabilities.c
+@@ -186,9 +186,9 @@ static const OSSL_PARAM param_group_list[][10] = {
+     TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25),
+     TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26),
+     TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27),
+-#  endif
+     TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28),
+     TLS_GROUP_ENTRY("x448", "X448", "X448", 29),
++#  endif
+ # endif /* OPENSSL_NO_EC */
+ # ifndef OPENSSL_NO_DH
+     /* Security bit values for FFDHE groups are as per RFC 7919 */
+diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
+index 518226dfc6..29438faea8 100644
+--- a/providers/fips/fipsprov.c
++++ b/providers/fips/fipsprov.c
+@@ -199,13 +199,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
+                                               OSSL_LIB_CTX_FIPS_PROV_INDEX);
+ 
+     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
+-    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
++    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider"))
+         return 0;
+     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
+-    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
++    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION))
+         return 0;
+     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
+-    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
++    if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION))
+         return 0;
+     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
+     if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
+@@ -298,10 +298,11 @@ static const OSSL_ALGORITHM fips_digests[] = {
+      * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
+      * KMAC128 and KMAC256.
+      */
+-    { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
++    /* We don't certify KECCAK in our FIPS provider */
++    /* { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
+       ossl_keccak_kmac_128_functions },
+     { PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES,
+-      ossl_keccak_kmac_256_functions },
++      ossl_keccak_kmac_256_functions }, */
+     { NULL, NULL, NULL }
+ };
+ 
+@@ -360,8 +361,9 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = {
+     ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
+          ossl_cipher_capable_aes_cbc_hmac_sha256),
+ #ifndef OPENSSL_NO_DES
+-    UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
+-    UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
++    /* We don't certify 3DES in our FIPS provider */
++    /* UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
++    UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), */
+ #endif  /* OPENSSL_NO_DES */
+     { { NULL, NULL, NULL }, NULL }
+ };
+@@ -373,8 +375,9 @@ static const OSSL_ALGORITHM fips_macs[] = {
+ #endif
+     { PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions },
+     { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions },
+-    { PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
+-    { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions },
++    /* We don't certify KMAC in our FIPS provider */
++    /*{ PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
++    { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, */
+     { NULL, NULL, NULL }
+ };
+ 
+@@ -409,8 +412,9 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
+ #endif
+ #ifndef OPENSSL_NO_EC
+     { PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions },
+-    { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
+-    { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },
++    /* We don't certify Edwards curves in our FIPS provider */
++    /*{ PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
++    { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },*/
+ #endif
+     { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
+       ossl_kdf_tls1_prf_keyexch_functions },
+@@ -420,13 +424,15 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
+ 
+ static const OSSL_ALGORITHM fips_signature[] = {
+ #ifndef OPENSSL_NO_DSA
+-    { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
++    /* We don't certify DSA in our FIPS provider */
++    /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions }, */
+ #endif
+     { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions },
+ #ifndef OPENSSL_NO_EC
+-    { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
++    /* We don't certify Edwards curves in our FIPS provider */
++    /* { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
+       ossl_ed25519_signature_functions },
+-    { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },
++    { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions }, */
+     { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions },
+ #endif
+     { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES,
+@@ -456,8 +462,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
+       PROV_DESCS_DHX },
+ #endif
+ #ifndef OPENSSL_NO_DSA
+-    { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
+-      PROV_DESCS_DSA },
++    /* We don't certify DSA in our FIPS provider */
++    /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
++      PROV_DESCS_DSA }, */
+ #endif
+     { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions,
+       PROV_DESCS_RSA },
+@@ -466,14 +473,15 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
+ #ifndef OPENSSL_NO_EC
+     { PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions,
+       PROV_DESCS_EC },
+-    { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
++    /* We don't certify Edwards curves in our FIPS provider */
++    /* { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
+       PROV_DESCS_X25519 },
+     { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions,
+       PROV_DESCS_X448 },
+     { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_keymgmt_functions,
+       PROV_DESCS_ED25519 },
+     { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_keymgmt_functions,
+-      PROV_DESCS_ED448 },
++      PROV_DESCS_ED448 }, */
+ #endif
+     { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions,
+       PROV_DESCS_TLS1_PRF_SIGN },
+diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
+index 2057378d3d..4b80bb70b9 100644
+--- a/providers/fips/self_test_data.inc
++++ b/providers/fips/self_test_data.inc
+@@ -177,6 +177,7 @@ static const ST_KAT_DIGEST st_kat_digest_tests[] =
+ /*- CIPHER TEST DATA */
+ 
+ /* DES3 test data */
++#if 0
+ static const unsigned char des_ede3_cbc_pt[] = {
+     0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
+     0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
+@@ -197,7 +198,7 @@ static const unsigned char des_ede3_cbc_ct[] = {
+     0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F,
+     0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7
+ };
+-
++#endif
+ /* AES-256 GCM test data */
+ static const unsigned char aes_256_gcm_key[] = {
+     0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c,
+@@ -1454,8 +1455,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[] = {
+ # endif /* OPENSSL_NO_EC2M */
+ #endif /* OPENSSL_NO_EC */
+ 
+-#ifndef OPENSSL_NO_DSA
+ /* dsa 2048 */
++#if 0
++#ifndef OPENSSL_NO_DSA
+ static const unsigned char dsa_p[] = {
+     0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23,
+     0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e,
+@@ -1590,6 +1592,7 @@ static const ST_KAT_PARAM dsa_key[] = {
+     ST_KAT_PARAM_END()
+ };
+ #endif /* OPENSSL_NO_DSA */
++#endif
+ 
+ /* Hash DRBG inputs for signature KATs */
+ static const unsigned char sig_kat_entropyin[] = {
+@@ -1642,6 +1645,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
+     },
+ # endif
+ #endif /* OPENSSL_NO_EC */
++#if 0
+ #ifndef OPENSSL_NO_DSA
+     {
+         OSSL_SELF_TEST_DESC_SIGN_DSA,
+@@ -1654,6 +1658,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
+         ITM(dsa_expected_sig)
+     },
+ #endif /* OPENSSL_NO_DSA */
++#endif
+ };
+ 
+ static const ST_KAT_ASYM_CIPHER st_kat_asym_cipher_tests[] = {
+diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
+index d4261e8f7d..2a5504d104 100644
+--- a/providers/implementations/signature/rsa_sig.c
++++ b/providers/implementations/signature/rsa_sig.c
+@@ -689,6 +689,19 @@ static int rsa_verify_recover(void *vprsactx,
+ {
+     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
+     int ret;
++# ifdef FIPS_MODULE
++    size_t rsabits = RSA_bits(prsactx->rsa);
++
++    if (rsabits < 2048) {
++        if (rsabits != 1024
++            && rsabits != 1280
++            && rsabits != 1536
++            && rsabits != 1792) {
++            ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
++            return 0;
++        }
++    }
++# endif
+ 
+     if (!ossl_prov_is_running())
+         return 0;
+@@ -777,6 +790,19 @@ static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen,
+ {
+     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
+     size_t rslen;
++# ifdef FIPS_MODULE
++    size_t rsabits = RSA_bits(prsactx->rsa);
++
++    if (rsabits < 2048) {
++        if (rsabits != 1024
++            && rsabits != 1280
++            && rsabits != 1536
++            && rsabits != 1792) {
++            ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
++            return 0;
++        }
++    }
++# endif
+ 
+     if (!ossl_prov_is_running())
+         return 0;
+diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
+index a5e60e8839..f9af07d12b 100644
+--- a/ssl/ssl_ciph.c
++++ b/ssl/ssl_ciph.c
+@@ -356,6 +356,9 @@ int ssl_load_ciphers(SSL_CTX *ctx)
+     ctx->disabled_mkey_mask = 0;
+     ctx->disabled_auth_mask = 0;
+ 
++    if (EVP_default_properties_is_fips_enabled(ctx->libctx))
++        ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK;
++
+     /*
+      * We ignore any errors from the fetches below. They are expected to fail
+      * if theose algorithms are not available.
+diff --git a/test/acvp_test.c b/test/acvp_test.c
+index fee880d441..13d7a0ea8b 100644
+--- a/test/acvp_test.c
++++ b/test/acvp_test.c
+@@ -1476,6 +1476,7 @@ int setup_tests(void)
+                   OSSL_NELEM(dh_safe_prime_keyver_data));
+ #endif /* OPENSSL_NO_DH */
+ 
++#if 0 /* Red Hat FIPS provider doesn't have fips=yes property on DSA */
+ #ifndef OPENSSL_NO_DSA
+     ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data));
+     ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data));
+@@ -1483,6 +1484,7 @@ int setup_tests(void)
+     ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data));
+     ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data));
+ #endif /* OPENSSL_NO_DSA */
++#endif
+ 
+ #ifndef OPENSSL_NO_EC
+     ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data));
+diff --git a/test/endecode_test.c b/test/endecode_test.c
+index 9a437d8c64..53385028fc 100644
+--- a/test/endecode_test.c
++++ b/test/endecode_test.c
+@@ -1407,6 +1407,7 @@ int setup_tests(void)
+          * so no legacy tests.
+          */
+ #endif
++    if (is_fips == 0) {
+ #ifndef OPENSSL_NO_DSA
+         ADD_TEST_SUITE(DSA);
+         ADD_TEST_SUITE_PARAMS(DSA);
+@@ -1417,6 +1418,7 @@ int setup_tests(void)
+         ADD_TEST_SUITE_PROTECTED_PVK(DSA);
+ # endif
+ #endif
++    }
+ #ifndef OPENSSL_NO_EC
+         ADD_TEST_SUITE(EC);
+         ADD_TEST_SUITE_PARAMS(EC);
+@@ -1431,10 +1433,12 @@ int setup_tests(void)
+         ADD_TEST_SUITE(ECExplicitTri2G);
+         ADD_TEST_SUITE_LEGACY(ECExplicitTri2G);
+ # endif
++    if (is_fips == 0) {
+         ADD_TEST_SUITE(ED25519);
+         ADD_TEST_SUITE(ED448);
+         ADD_TEST_SUITE(X25519);
+         ADD_TEST_SUITE(X448);
++    }
+         /*
+          * ED25519, ED448, X25519 and X448 have no support for
+          * PEM_write_bio_PrivateKey_traditional(), so no legacy tests.
+diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
+index 2448c35a14..a7913cda4c 100644
+--- a/test/evp_libctx_test.c
++++ b/test/evp_libctx_test.c
+@@ -21,6 +21,7 @@
+  */
+ #include "internal/deprecated.h"
+ #include <assert.h>
++#include <string.h>
+ #include <openssl/evp.h>
+ #include <openssl/provider.h>
+ #include <openssl/dsa.h>
+@@ -726,7 +727,9 @@ int setup_tests(void)
+         return 0;
+ 
+ #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH)
+-    ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
++    if (strcmp(prov_name, "fips") != 0) {
++        ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3);
++    }
+ #endif
+ #ifndef OPENSSL_NO_DH
+     ADD_ALL_TESTS(test_dh_safeprime_param_keygen, 3 * 3 * 3);
+@@ -746,7 +749,9 @@ int setup_tests(void)
+     ADD_TEST(kem_invalid_keytype);
+ #endif
+ #ifndef OPENSSL_NO_DES
+-    ADD_TEST(test_cipher_tdes_randkey);
++    if (strcmp(prov_name, "fips") != 0) {
++        ADD_TEST(test_cipher_tdes_randkey);
++    }
+ #endif
+     return 1;
+ }
+diff --git a/test/recipes/15-test_gendsa.t b/test/recipes/15-test_gendsa.t
+index b495b08bda..69bd299521 100644
+--- a/test/recipes/15-test_gendsa.t
++++ b/test/recipes/15-test_gendsa.t
+@@ -24,7 +24,7 @@ use lib bldtop_dir('.');
+ plan skip_all => "This test is unsupported in a no-dsa build"
+     if disabled("dsa");
+ 
+-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
++my $no_fips = 1;
+ 
+ plan tests =>
+     ($no_fips ? 0 : 2)          # FIPS related tests
+diff --git a/test/recipes/20-test_cli_fips.t b/test/recipes/20-test_cli_fips.t
+index 6d3c5ba1bb..2ba47b5fca 100644
+--- a/test/recipes/20-test_cli_fips.t
++++ b/test/recipes/20-test_cli_fips.t
+@@ -273,8 +273,7 @@ SKIP: {
+ }
+ 
+ SKIP : {
+-    skip "FIPS DSA tests because of no dsa in this build", 1
+-        if disabled("dsa");
++    skip "FIPS DSA tests because of no dsa in this build", 1;
+ 
+     subtest DSA => sub {
+         my $testtext_prefix = 'DSA';
+diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t
+index 9d7040ced2..f8beb538d4 100644
+--- a/test/recipes/30-test_evp.t
++++ b/test/recipes/30-test_evp.t
+@@ -42,10 +42,8 @@ my @files = qw(
+                 evpciph_aes_cts.txt
+                 evpciph_aes_wrap.txt
+                 evpciph_aes_stitched.txt
+-                evpciph_des3_common.txt
+                 evpkdf_hkdf.txt
+                 evpkdf_kbkdf_counter.txt
+-                evpkdf_kbkdf_kmac.txt
+                 evpkdf_pbkdf1.txt
+                 evpkdf_pbkdf2.txt
+                 evpkdf_ss.txt
+@@ -65,12 +63,6 @@ push @files, qw(
+                 evppkey_ffdhe.txt
+                 evppkey_dh.txt
+                ) unless $no_dh;
+-push @files, qw(
+-                evpkdf_x942_des.txt
+-                evpmac_cmac_des.txt
+-               ) unless $no_des;
+-push @files, qw(evppkey_dsa.txt) unless $no_dsa;
+-push @files, qw(evppkey_ecx.txt) unless $no_ec;
+ push @files, qw(
+                 evppkey_ecc.txt
+                 evppkey_ecdh.txt
+@@ -91,6 +83,7 @@ my @defltfiles = qw(
+                      evpciph_cast5.txt
+                      evpciph_chacha.txt
+                      evpciph_des.txt
++                     evpciph_des3_common.txt
+                      evpciph_idea.txt
+                      evpciph_rc2.txt
+                      evpciph_rc4.txt
+@@ -114,10 +107,17 @@ my @defltfiles = qw(
+                      evpmd_whirlpool.txt
+                      evppbe_scrypt.txt
+                      evppbe_pkcs12.txt
++                     evpkdf_kbkdf_kmac.txt
+                      evppkey_kdf_scrypt.txt
+                      evppkey_kdf_tls1_prf.txt
+                      evppkey_rsa.txt
+                     );
++push @defltfiles, qw(evppkey_dsa.txt) unless $no_dsa;
++push @defltfiles, qw(evppkey_ecx.txt) unless $no_ec;
++push @defltfiles, qw(
++                evpkdf_x942_des.txt
++                evpmac_cmac_des.txt
++               ) unless $no_des;
+ push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec;
+ push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2;
+ 
+diff --git a/test/recipes/30-test_evp_data/evpmac_common.txt b/test/recipes/30-test_evp_data/evpmac_common.txt
+index 93195df97c..315413cd9b 100644
+--- a/test/recipes/30-test_evp_data/evpmac_common.txt
++++ b/test/recipes/30-test_evp_data/evpmac_common.txt
+@@ -340,6 +340,7 @@ IV = 7AE8E2CA4EC500012E58495C
+ Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D0007
+ Result = MAC_INIT_ERROR
+ 
++Availablein = default
+ Title = KMAC Tests (From NIST)
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+@@ -350,12 +351,14 @@ Ctrl = xof:0
+ OutputSize = 32
+ BlockSize = 168
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+ Custom = "My Tagged Application"
+ Output = 3B1FBA963CD8B0B59E8C1A6D71888B7143651AF8BA0A7070C0979E2811324AA5
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -363,6 +366,7 @@ Custom = "My Tagged Application"
+ Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230
+ Ctrl = size:32
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+@@ -371,12 +375,14 @@ Output = 20C570C31346F703C9AC36C61C03CB64C3970D0CFC787E9B79599D273A68D2F7F69D4CC
+ OutputSize = 64
+ BlockSize = 136
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+ Custom = ""
+ Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -386,12 +392,14 @@ Ctrl = size:64
+ 
+ Title = KMAC XOF Tests (From NIST)
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+ Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
+ XOF = 1
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+@@ -399,6 +407,7 @@ Custom = "My Tagged Application"
+ Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
+ XOF = 1
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -407,6 +416,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F
+ XOF = 1
+ Ctrl = size:32
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+@@ -414,6 +424,7 @@ Custom = "My Tagged Application"
+ Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
+ XOF = 1
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -421,6 +432,7 @@ Custom = ""
+ Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
+ XOF = 1
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -431,6 +443,7 @@ XOF = 1
+ 
+ Title = KMAC long customisation string (from NIST ACVP)
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
+ Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
+@@ -441,12 +454,14 @@ XOF = 1
+ 
+ Title = KMAC XOF Tests via ctrl (From NIST)
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+ Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35
+ Ctrl = xof:1
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+@@ -454,6 +469,7 @@ Custom = "My Tagged Application"
+ Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C
+ Ctrl = xof:1
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -462,6 +478,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F
+ Ctrl = xof:1
+ Ctrl = size:32
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 00010203
+@@ -469,6 +486,7 @@ Custom = "My Tagged Application"
+ Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B
+ Ctrl = xof:1
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -476,6 +494,7 @@ Custom = ""
+ Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B
+ Ctrl = xof:1
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -486,6 +505,7 @@ Ctrl = xof:1
+ 
+ Title = KMAC long customisation string via ctrl (from NIST ACVP)
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3
+ Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D
+@@ -496,6 +516,7 @@ Ctrl = xof:1
+ 
+ Title = KMAC long customisation string negative test
+ 
++Availablein = default
+ MAC = KMAC128
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+@@ -504,6 +525,7 @@ Result = MAC_INIT_ERROR
+ 
+ Title = KMAC output is too large
+ 
++Availablein = default
+ MAC = KMAC256
+ Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
+ Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
+index 40dd585c18..cbec426137 100644
+--- a/test/recipes/80-test_cms.t
++++ b/test/recipes/80-test_cms.t
+@@ -96,7 +96,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed content DER format, DSA key",
++    [ "signed content DER format, DSA key, no Red Hat FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
+         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
+       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
+@@ -104,7 +104,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed detached content DER format, DSA key",
++    [ "signed detached content DER format, DSA key, no Red Hat FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
+         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
+       [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
+@@ -113,7 +113,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed detached content DER format, add RSA signer (with DSA existing)",
++    [ "signed detached content DER format, add RSA signer (with DSA existing), no Red Hat FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
+         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
+       [ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER",
+@@ -124,7 +124,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed content test streaming BER format, DSA key",
++    [ "signed content test streaming BER format, DSA key, no Red Hat FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
+         "-nodetach", "-stream",
+         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
+@@ -133,7 +133,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys",
++    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
+         "-nodetach", "-stream",
+         "-signer", $smrsa1,
+@@ -146,7 +146,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes",
++    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no Red Hat FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
+         "-noattr", "-nodetach", "-stream",
+         "-signer", $smrsa1,
+@@ -176,7 +176,7 @@ my @smime_pkcs7_tests = (
+       \&zero_compare
+     ],
+ 
+-    [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys",
++    [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
+         "-signer", $smrsa1,
+         "-signer", catfile($smdir, "smrsa2.pem"),
+@@ -188,7 +188,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys",
++    [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont,
+         "-signer", $smrsa1,
+         "-signer", catfile($smdir, "smrsa2.pem"),
+@@ -248,7 +248,7 @@ my @smime_pkcs7_tests = (
+ 
+ my @smime_cms_tests = (
+ 
+-    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid",
++    [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid, no Red Hat FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
+         "-nodetach", "-keyid",
+         "-signer", $smrsa1,
+@@ -261,7 +261,7 @@ my @smime_cms_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys",
++    [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys, no Red Hat FIPS",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
+         "-signer", $smrsa1,
+         "-signer", catfile($smdir, "smrsa2.pem"),
+@@ -371,7 +371,7 @@ my @smime_cms_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "encrypted content test streaming PEM format, triple DES key",
++    [ "encrypted content test streaming PEM format, triple DES key, no Red Hat FIPS",
+       [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
+         "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
+         "-stream", "-out", "{output}.cms" ],
+diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
+index 50b74a1e29..e2dcb68fb5 100644
+--- a/test/recipes/80-test_ssl_old.t
++++ b/test/recipes/80-test_ssl_old.t
+@@ -436,7 +436,7 @@ sub testssl {
+         my @exkeys = ();
+         my $ciphers = '-PSK:-SRP:@SECLEVEL=0';
+ 
+-        if (!$no_dsa) {
++        if (!$no_dsa && $provider ne "fips") {
+             push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey;
+         }
+ 
+-- 
+2.41.0
+

0047-FIPS-early-KATS.patch

@@ -0,0 +1,57 @@
+From ba6e65e2f7e7fe8d9cd62e1e7e345bc41dda424f Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Thu, 19 Oct 2023 13:12:40 +0200
+Subject: [PATCH 21/46] 0047-FIPS-early-KATS.patch
+
+Patch-name: 0047-FIPS-early-KATS.patch
+Patch-id: 47
+Patch-status: |
+    # # Execute KATS before HMAC verification
+From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911
+---
+ providers/fips/self_test.c | 22 ++++++++++------------
+ 1 file changed, 10 insertions(+), 12 deletions(-)
+
+diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
+index e3a629018a..3c09bd8638 100644
+--- a/providers/fips/self_test.c
++++ b/providers/fips/self_test.c
+@@ -401,6 +401,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
+     if (ev == NULL)
+         goto end;
+ 
++    /*
++     * Run the KAT's before HMAC verification according to FIPS-140-3 requirements
++     */
++    if (kats_already_passed == 0) {
++        if (!SELF_TEST_kats(ev, st->libctx)) {
++            ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
++            goto end;
++        }
++    }
++
+     module_checksum = fips_hmac_container;
+     checksum_len = sizeof(fips_hmac_container);
+ 
+@@ -451,18 +461,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
+         }
+     }
+ 
+-    /*
+-     * Only runs the KAT's during installation OR on_demand().
+-     * NOTE: If the installation option 'self_test_onload' is chosen then this
+-     * path will always be run, since kats_already_passed will always be 0.
+-     */
+-    if (on_demand_test || kats_already_passed == 0) {
+-        if (!SELF_TEST_kats(ev, st->libctx)) {
+-            ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
+-            goto end;
+-        }
+-    }
+-
+     /* Verify that the RNG has been restored properly */
+     rng = ossl_rand_get0_private_noncreating(st->libctx);
+     if (rng != NULL)
+-- 
+2.41.0
+

0049-Allow-disabling-of-SHA1-signatures.patch

@@ -0,0 +1,525 @@
+From 2e8388e06eafb703aeb315498915bf079561bdb5 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 13:07:07 +0200
+Subject: [PATCH 23/48] 0049-Allow-disabling-of-SHA1-signatures.patch
+
+Patch-name: 0049-Allow-disabling-of-SHA1-signatures.patch
+Patch-id: 49
+Patch-status: |
+    # Selectively disallow SHA1 signatures rhbz#2070977
+From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
+---
+ crypto/context.c                              | 14 ++++
+ crypto/evp/evp_cnf.c                          | 13 +++
+ crypto/evp/m_sigver.c                         | 79 +++++++++++++++++++
+ crypto/evp/pmeth_lib.c                        | 15 ++++
+ doc/man5/config.pod                           | 13 +++
+ include/crypto/context.h                      |  3 +
+ include/internal/cryptlib.h                   |  3 +-
+ include/internal/sslconf.h                    |  4 +
+ providers/common/securitycheck.c              | 20 +++++
+ providers/common/securitycheck_default.c      |  9 ++-
+ providers/implementations/signature/dsa_sig.c | 11 ++-
+ .../implementations/signature/ecdsa_sig.c     |  4 +
+ providers/implementations/signature/rsa_sig.c | 20 ++++-
+ ssl/t1_lib.c                                  |  8 ++
+ util/libcrypto.num                            |  2 +
+ 15 files changed, 209 insertions(+), 9 deletions(-)
+
+diff --git a/crypto/context.c b/crypto/context.c
+index 51002ba79a..e697974c9d 100644
+--- a/crypto/context.c
++++ b/crypto/context.c
+@@ -78,6 +78,8 @@ struct ossl_lib_ctx_st {
+     void *fips_prov;
+ #endif
+ 
++    void *legacy_digest_signatures;
++
+     unsigned int ischild:1;
+ };
+ 
+@@ -206,6 +208,10 @@ static int context_init(OSSL_LIB_CTX *ctx)
+         goto err;
+ #endif
+ 
++    ctx->legacy_digest_signatures = ossl_ctx_legacy_digest_signatures_new(ctx);
++    if (ctx->legacy_digest_signatures == NULL)
++        goto err;
++
+     /* Low priority. */
+ #ifndef FIPS_MODULE
+     ctx->child_provider = ossl_child_prov_ctx_new(ctx);
+@@ -334,6 +340,11 @@ static void context_deinit_objs(OSSL_LIB_CTX *ctx)
+     }
+ #endif
+ 
++    if (ctx->legacy_digest_signatures != NULL) {
++        ossl_ctx_legacy_digest_signatures_free(ctx->legacy_digest_signatures);
++        ctx->legacy_digest_signatures = NULL;
++    }
++
+     /* Low priority. */
+ #ifndef FIPS_MODULE
+     if (ctx->child_provider != NULL) {
+@@ -625,6 +636,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index)
+         return ctx->fips_prov;
+ #endif
+ 
++    case OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX:
++        return ctx->legacy_digest_signatures;
++
+     default:
+         return NULL;
+     }
+diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
+index 0e7fe64cf9..b9d3b6d226 100644
+--- a/crypto/evp/evp_cnf.c
++++ b/crypto/evp/evp_cnf.c
+@@ -10,6 +10,7 @@
+ #include <stdio.h>
+ #include <openssl/crypto.h>
+ #include "internal/cryptlib.h"
++#include "internal/sslconf.h"
+ #include <openssl/conf.h>
+ #include <openssl/x509.h>
+ #include <openssl/x509v3.h>
+@@ -57,6 +58,18 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf)
+                 ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
+                 return 0;
+             }
++        } else if (strcmp(oval->name, "rh-allow-sha1-signatures") == 0) {
++            int m;
++
++            /* Detailed error already reported. */
++            if (!X509V3_get_value_bool(oval, &m))
++                return 0;
++
++            if (!ossl_ctx_legacy_digest_signatures_allowed_set(
++                    NCONF_get0_libctx((CONF *)cnf), m > 0, 0)) {
++                ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
++                return 0;
++            }
+         } else {
+             ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
+                            "name=%s, value=%s", oval->name, oval->value);
+diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
+index 630d339c35..6e4e9f5ae7 100644
+--- a/crypto/evp/m_sigver.c
++++ b/crypto/evp/m_sigver.c
+@@ -15,6 +15,73 @@
+ #include "internal/provider.h"
+ #include "internal/numbers.h"   /* includes SIZE_MAX */
+ #include "evp_local.h"
++#include "crypto/context.h"
++
++typedef struct ossl_legacy_digest_signatures_st {
++    int allowed;
++} OSSL_LEGACY_DIGEST_SIGNATURES;
++
++void ossl_ctx_legacy_digest_signatures_free(void *vldsigs)
++{
++    OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs;
++
++    if (ldsigs != NULL) {
++        OPENSSL_free(ldsigs);
++    }
++}
++
++void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx)
++{
++    OSSL_LEGACY_DIGEST_SIGNATURES* ldsigs = OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES));
++    /* Warning: This patch differs from the same patch in CentOS and RHEL here,
++     * because the default on Fedora is to allow SHA-1 and support disabling
++     * it, while CentOS/RHEL disable it by default and allow enabling it. */
++    ldsigs->allowed = 1;
++    return ldsigs;
++}
++
++static OSSL_LEGACY_DIGEST_SIGNATURES *ossl_ctx_legacy_digest_signatures(
++        OSSL_LIB_CTX *libctx, int loadconfig)
++{
++#ifndef FIPS_MODULE
++    if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL))
++        return NULL;
++#endif
++
++    return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX);
++}
++
++int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig)
++{
++    OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs
++        = ossl_ctx_legacy_digest_signatures(libctx, loadconfig);
++
++#ifndef FIPS_MODULE
++    if (ossl_safe_getenv("OPENSSL_ENABLE_SHA1_SIGNATURES") != NULL)
++        /* used in tests */
++        return 1;
++#endif
++
++    /* Warning: This patch differs from the same patch in CentOS and RHEL here,
++     * because the default on Fedora is to allow SHA-1 and support disabling
++     * it, while CentOS/RHEL disable it by default and allow enabling it. */
++    return ldsigs != NULL ? ldsigs->allowed : 1;
++}
++
++int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
++                                                  int loadconfig)
++{
++    OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs
++        = ossl_ctx_legacy_digest_signatures(libctx, loadconfig);
++
++    if (ldsigs == NULL) {
++        ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);
++        return 0;
++    }
++
++    ldsigs->allowed = allow;
++    return 1;
++}
+ 
+ #ifndef FIPS_MODULE
+ 
+@@ -251,6 +318,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
+         }
+     }
+ 
++    if (ctx->reqdigest != NULL
++            && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
++            && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
++            && !EVP_PKEY_is_a(locpctx->pkey, SN_hkdf)) {
++        int mdnid = EVP_MD_nid(ctx->reqdigest);
++        if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0)
++                && (mdnid == NID_sha1 || mdnid == NID_md5_sha1)) {
++            ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
++            goto err;
++        }
++    }
++
+     if (ver) {
+         if (signature->digest_verify_init == NULL) {
+             ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
+diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
+index ce6e1a1ccb..003926247b 100644
+--- a/crypto/evp/pmeth_lib.c
++++ b/crypto/evp/pmeth_lib.c
+@@ -33,6 +33,7 @@
+ #include "internal/ffc.h"
+ #include "internal/numbers.h"
+ #include "internal/provider.h"
++#include "internal/sslconf.h"
+ #include "evp_local.h"
+ 
+ #ifndef FIPS_MODULE
+@@ -958,6 +959,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
+         return -2;
+     }
+ 
++    if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)
++            && md != NULL
++            && ctx->pkey != NULL
++            && !EVP_PKEY_is_a(ctx->pkey, SN_hmac)
++            && !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf)
++            && !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) {
++        int mdnid = EVP_MD_nid(md);
++        if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
++                && !ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) {
++            ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
++            return -1;
++        }
++    }
++
+     if (fallback)
+         return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md));
+ 
+diff --git a/doc/man5/config.pod b/doc/man5/config.pod
+index bd05736220..ed34ff4b9c 100644
+--- a/doc/man5/config.pod
++++ b/doc/man5/config.pod
+@@ -304,6 +304,19 @@ Within the algorithm properties section, the following names have meaning:
+ The value may be anything that is acceptable as a property query
+ string for EVP_set_default_properties().
+ 
++=item B<rh-allow-sha1-signatures>
++
++The value is a boolean that can be B<yes> or B<no>.  If the value is not set,
++it behaves as if it was set to B<yes>.
++
++When set to B<no>, any attempt to create or verify a signature with a SHA1
++digest will fail.  To test whether your software will work with future versions
++of OpenSSL, set this option to B<no>.  This setting also affects TLS, where
++signature algorithms that use SHA1 as digest will no longer be supported if
++this option is set to B<no>.  Because TLS 1.1 or lower use MD5-SHA1 as
++pseudorandom function (PRF) to derive key material, disabling
++B<rh-allow-sha1-signatures> requires the use of TLS 1.2 or newer.
++
+ =item B<fips_mode> (deprecated)
+ 
+ The value is a boolean that can be B<yes> or B<no>.  If the value is
+diff --git a/include/crypto/context.h b/include/crypto/context.h
+index cc06c71be8..e9f74a414d 100644
+--- a/include/crypto/context.h
++++ b/include/crypto/context.h
+@@ -39,3 +39,6 @@ void ossl_rand_crng_ctx_free(void *);
+ void ossl_thread_event_ctx_free(void *);
+ void ossl_fips_prov_ossl_ctx_free(void *);
+ void ossl_release_default_drbg_ctx(void);
++
++void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *);
++void ossl_ctx_legacy_digest_signatures_free(void *);
+diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
+index ac50eb3bbd..3b115cc7df 100644
+--- a/include/internal/cryptlib.h
++++ b/include/internal/cryptlib.h
+@@ -168,7 +168,8 @@ typedef struct ossl_ex_data_global_st {
+ # define OSSL_LIB_CTX_PROVIDER_CONF_INDEX           16
+ # define OSSL_LIB_CTX_BIO_CORE_INDEX                17
+ # define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX          18
+-# define OSSL_LIB_CTX_MAX_INDEXES                   19
++# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 19
++# define OSSL_LIB_CTX_MAX_INDEXES                   20
+ 
+ OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx);
+ int ossl_lib_ctx_is_default(OSSL_LIB_CTX *ctx);
+diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h
+index fd7f7e3331..05464b0655 100644
+--- a/include/internal/sslconf.h
++++ b/include/internal/sslconf.h
+@@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name, size_t *idx);
+ void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr,
+                       char **arg);
+ 
++/* Methods to support disabling all signatures with legacy digests */
++int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig);
++int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
++                                                  int loadconfig);
+ #endif
+diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
+index 699ada7c52..e534ad0a5f 100644
+--- a/providers/common/securitycheck.c
++++ b/providers/common/securitycheck.c
+@@ -19,6 +19,7 @@
+ #include <openssl/core_names.h>
+ #include <openssl/obj_mac.h>
+ #include "prov/securitycheck.h"
++#include "internal/sslconf.h"
+ 
+ /*
+  * FIPS requires a minimum security strength of 112 bits (for encryption or
+@@ -235,6 +236,15 @@ int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md,
+             mdnid = -1; /* disallowed by security checks */
+     }
+ # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
++
++#ifndef FIPS_MODULE
++    if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
++        /* SHA1 is globally disabled, check whether we want to locally allow
++         * it. */
++        if (mdnid == NID_sha1 && !sha1_allowed)
++            mdnid = -1;
++#endif
++
+     return mdnid;
+ }
+ 
+@@ -244,5 +254,15 @@ int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md)
+     if (ossl_securitycheck_enabled(ctx))
+         return ossl_digest_get_approved_nid(md) != NID_undef;
+ # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
++
++#ifndef FIPS_MODULE
++    {
++        int mdnid = EVP_MD_nid(md);
++        if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
++                && !ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
++            return 0;
++    }
++#endif
++
+     return 1;
+ }
+diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
+index 246323493e..2ca7a59f39 100644
+--- a/providers/common/securitycheck_default.c
++++ b/providers/common/securitycheck_default.c
+@@ -15,6 +15,7 @@
+ #include <openssl/obj_mac.h>
+ #include "prov/securitycheck.h"
+ #include "internal/nelem.h"
++#include "internal/sslconf.h"
+ 
+ /* Disable the security checks in the default provider */
+ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
+@@ -29,9 +30,10 @@ int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx)
+ }
+ 
+ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
+-                                    ossl_unused int sha1_allowed)
++                                    int sha1_allowed)
+ {
+     int mdnid;
++    int ldsigs_allowed;
+ 
+     static const OSSL_ITEM name_to_nid[] = {
+         { NID_md5,       OSSL_DIGEST_NAME_MD5       },
+@@ -42,8 +44,11 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
+         { NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 },
+     };
+ 
+-    mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, 1);
++    ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx, 0);
++    mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, sha1_allowed || ldsigs_allowed);
+     if (mdnid == NID_undef)
+         mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));
++    if (mdnid == NID_md5_sha1 && !ldsigs_allowed)
++        mdnid = -1;
+     return mdnid;
+ }
+diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
+index 70d0ea5d24..3c482e0181 100644
+--- a/providers/implementations/signature/dsa_sig.c
++++ b/providers/implementations/signature/dsa_sig.c
+@@ -123,12 +123,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
+         mdprops = ctx->propq;
+ 
+     if (mdname != NULL) {
+-        int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
+         WPACKET pkt;
+         EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
+-        int md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
+-                                                            sha1_allowed);
++        int md_nid;
+         size_t mdname_len = strlen(mdname);
++#ifdef FIPS_MODULE
++        int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
++#else
++        int sha1_allowed = 0;
++#endif
++        md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
++                                                            sha1_allowed);
+ 
+         if (md == NULL || md_nid < 0) {
+             if (md == NULL)
+diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
+index ebeb30e002..c874f87bd5 100644
+--- a/providers/implementations/signature/ecdsa_sig.c
++++ b/providers/implementations/signature/ecdsa_sig.c
+@@ -237,7 +237,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
+                        "%s could not be fetched", mdname);
+         return 0;
+     }
++#ifdef FIPS_MODULE
+     sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
++#else
++    sha1_allowed = 0;
++#endif
+     md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
+                                                     sha1_allowed);
+     if (md_nid < 0) {
+diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
+index 2a5504d104..5f3a029566 100644
+--- a/providers/implementations/signature/rsa_sig.c
++++ b/providers/implementations/signature/rsa_sig.c
+@@ -25,6 +25,7 @@
+ #include "internal/cryptlib.h"
+ #include "internal/nelem.h"
+ #include "internal/sizes.h"
++#include "internal/sslconf.h"
+ #include "crypto/rsa.h"
+ #include "prov/providercommon.h"
+ #include "prov/implementations.h"
+@@ -33,6 +34,7 @@
+ #include "prov/securitycheck.h"
+ 
+ #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
++#define RSA_DEFAULT_DIGEST_NAME_NONLEGACY OSSL_DIGEST_NAME_SHA2_256
+ 
+ OSSL_FUNC_signature_newctx_fn rsa_newctx;
+ static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
+@@ -302,10 +304,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
+ 
+     if (mdname != NULL) {
+         EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
++        int md_nid;
++        size_t mdname_len = strlen(mdname);
++#ifdef FIPS_MODULE
+         int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
+-        int md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
++#else
++        int sha1_allowed = 0;
++#endif
++        md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
+                                                      sha1_allowed);
+-        size_t mdname_len = strlen(mdname);
+ 
+         if (md == NULL
+             || md_nid <= 0
+@@ -1396,8 +1403,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
+     prsactx->pad_mode = pad_mode;
+ 
+     if (prsactx->md == NULL && pmdname == NULL
+-        && pad_mode == RSA_PKCS1_PSS_PADDING)
++        && pad_mode == RSA_PKCS1_PSS_PADDING) {
+         pmdname = RSA_DEFAULT_DIGEST_NAME;
++#ifndef FIPS_MODULE
++        if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
++            pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
++        }
++#endif
++    }
++
+ 
+     if (pmgf1mdname != NULL
+         && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index e6f4bcc045..8bc550ea5b 100644
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
+@@ -20,6 +20,7 @@
+ #include <openssl/bn.h>
+ #include <openssl/provider.h>
+ #include <openssl/param_build.h>
++#include "internal/sslconf.h"
+ #include "internal/nelem.h"
+ #include "internal/sizes.h"
+ #include "internal/tlsgroups.h"
+@@ -1151,11 +1152,13 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)
+         = OPENSSL_malloc(sizeof(*lu) * OSSL_NELEM(sigalg_lookup_tbl));
+     EVP_PKEY *tmpkey = EVP_PKEY_new();
+     int ret = 0;
++    int ldsigs_allowed;
+ 
+     if (cache == NULL || tmpkey == NULL)
+         goto err;
+ 
+     ERR_set_mark();
++    ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0);
+     for (i = 0, lu = sigalg_lookup_tbl;
+          i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
+         EVP_PKEY_CTX *pctx;
+@@ -1175,6 +1178,11 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)
+             cache[i].enabled = 0;
+             continue;
+         }
++        if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
++                && !ldsigs_allowed) {
++            cache[i].enabled = 0;
++            continue;
++        }
+ 
+         if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {
+             cache[i].enabled = 0;
+diff --git a/util/libcrypto.num b/util/libcrypto.num
+index 9cb8a4dda2..feb660d030 100644
+--- a/util/libcrypto.num
++++ b/util/libcrypto.num
+@@ -5436,3 +5436,5 @@ EVP_CIPHER_CTX_dup                      5563	3_1_0	EXIST::FUNCTION:
+ BN_are_coprime                          5564	3_1_0	EXIST::FUNCTION:
+ OSSL_CMP_MSG_update_recipNonce          5565	3_0_9	EXIST::FUNCTION:CMP
+ ossl_safe_getenv                        ?	3_0_0	EXIST::FUNCTION:
++ossl_ctx_legacy_digest_signatures_allowed ?	3_0_1	EXIST::FUNCTION:
++ossl_ctx_legacy_digest_signatures_allowed_set ?	3_0_1	EXIST::FUNCTION:
+-- 
+2.41.0
+

0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch

@@ -0,0 +1,221 @@
+From f470b130139919f32926b3f5a75ba4d161cbcf88 Mon Sep 17 00:00:00 2001
+From: Clemens Lang <cllang@redhat.com>
+Date: Tue, 1 Mar 2022 15:44:18 +0100
+Subject: [PATCH 2/2] Allow SHA1 in seclevel 1 if rh-allow-sha1-signatures =
+ yes
+
+NOTE: This patch is ported from CentOS 9 / RHEL 9, where it allows SHA1
+in seclevel 2 if rh-allow-sha1-signatures = yes. This was chosen because
+on CentOS 9 and RHEL 9, the LEGACY crypto policy sets the security level
+to 2.
+
+On Fedora 35 (with OpenSSL 1.1) the legacy crypto policy uses security
+level 1. Because Fedora 36 supports both OpenSSL 1.1 and OpenSSL 3, and
+we want the legacy crypto policy to allow SHA-1 in TLS, the only option
+to make this happen consistently in both OpenSSL 1.1 and OpenSSL 3 is
+SECLEVEL=1 (which will allow SHA-1 in OpenSSL 1.1) and this change to
+allow SHA-1 in SECLEVEL=1 with rh-allow-sha1-signatures = yes (which
+will allow SHA-1 in OpenSSL 3).
+
+The change from CentOS 9 / RHEL 9 cannot be applied unmodified, because
+rh-allow-sha1-signatures will default to yes in Fedora (according to our
+current plans including until F38), and the security level in the
+DEFAULT crypto policy is 2, i.e., the unmodified change would weaken the
+default configuration.
+
+Related: rhbz#2055796
+Related: rhbz#2070977
+---
+ crypto/x509/x509_vfy.c        | 20 ++++++++++-
+ doc/man5/config.pod           |  7 ++++
+ ssl/t1_lib.c                  | 67 ++++++++++++++++++++++++++++-------
+ test/recipes/25-test_verify.t |  4 +--
+ 4 files changed, 82 insertions(+), 16 deletions(-)
+
+diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
+index 2f175ca517..bf0c608839 100644
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
+@@ -25,6 +25,7 @@
+ #include <openssl/objects.h>
+ #include <openssl/core_names.h>
+ #include "internal/dane.h"
++#include "internal/sslconf.h"
+ #include "crypto/x509.h"
+ #include "x509_local.h"
+ 
+@@ -3441,14 +3442,31 @@ static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert)
+ {
+     int secbits = -1;
+     int level = ctx->param->auth_level;
++    int nid;
++    OSSL_LIB_CTX *libctx = NULL;
+ 
+     if (level <= 0)
+         return 1;
+     if (level > NUM_AUTH_LEVELS)
+         level = NUM_AUTH_LEVELS;
+ 
+-    if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
++    if (ctx->libctx)
++        libctx = ctx->libctx;
++    else if (cert->libctx)
++        libctx = cert->libctx;
++    else
++        libctx = OSSL_LIB_CTX_get0_global_default();
++
++    if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL))
+         return 0;
+ 
++    if ((nid == NID_sha1 || nid == NID_md5_sha1)
++            && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
++            && ctx->param->auth_level < 2)
++        /* When rh-allow-sha1-signatures = yes and security level <= 1,
++         * explicitly allow SHA1 for backwards compatibility. Also allow
++         * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
++        return 1;
++
+     return secbits >= minbits_table[level - 1];
+ }
+diff --git a/doc/man5/config.pod b/doc/man5/config.pod
+index 0c9110d28a..e0516d20b8 100644
+--- a/doc/man5/config.pod
++++ b/doc/man5/config.pod
+@@ -309,6 +309,13 @@ this option is set to B<no>.  Because TLS 1.1 or lower use MD5-SHA1 as
+ pseudorandom function (PRF) to derive key material, disabling
+ B<rh-allow-sha1-signatures> requires the use of TLS 1.2 or newer.
+ 
++Note that enabling B<rh-allow-sha1-signatures> will allow TLS signature
++algorithms that use SHA1 in security level 1, despite the definition of
++security level 1 of 80 bits of security, which SHA1 and MD5-SHA1 do not meet.
++This allows using SHA1 and MD5-SHA1 in TLS in the LEGACY crypto-policy on
++Fedora without requiring to set the security level to 0, which would include
++further insecure algorithms, and thus restores support for TLS 1.0 and 1.1.
++
+ =item B<fips_mode> (deprecated)
+ 
+ The value is a boolean that can be B<yes> or B<no>.  If the value is
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index dcd487ec2e..0b50266b69 100644
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
+@@ -20,6 +20,7 @@
+ #include <openssl/bn.h>
+ #include <openssl/provider.h>
+ #include <openssl/param_build.h>
++#include "crypto/x509.h"
+ #include "internal/sslconf.h"
+ #include "internal/nelem.h"
+ #include "internal/sizes.h"
+@@ -1561,19 +1562,28 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
+         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST);
+         return 0;
+     }
+-    /*
+-     * Make sure security callback allows algorithm. For historical
+-     * reasons we have to pass the sigalg as a two byte char array.
+-     */
+-    sigalgstr[0] = (sig >> 8) & 0xff;
+-    sigalgstr[1] = sig & 0xff;
+-    secbits = sigalg_security_bits(s->ctx, lu);
+-    if (secbits == 0 ||
+-        !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
+-                      md != NULL ? EVP_MD_get_type(md) : NID_undef,
+-                      (void *)sigalgstr)) {
+-        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
+-        return 0;
++
++    if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
++            && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)
++            && SSL_get_security_level(s) < 2) {
++        /* When rh-allow-sha1-signatures = yes and security level <= 1,
++         * explicitly allow SHA1 for backwards compatibility. Also allow
++         * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
++    } else {
++        /*
++         * Make sure security callback allows algorithm. For historical
++         * reasons we have to pass the sigalg as a two byte char array.
++         */
++        sigalgstr[0] = (sig >> 8) & 0xff;
++        sigalgstr[1] = sig & 0xff;
++        secbits = sigalg_security_bits(s->ctx, lu);
++        if (secbits == 0 ||
++            !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
++                          md != NULL ? EVP_MD_get_type(md) : NID_undef,
++                          (void *)sigalgstr)) {
++            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
++            return 0;
++        }
+     }
+     /* Store the sigalg the peer uses */
+     s->s3.tmp.peer_sigalg = lu;
+@@ -2106,6 +2116,15 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
+         }
+     }
+ 
++    if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
++            && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)
++            && SSL_get_security_level(s) < 2) {
++        /* When rh-allow-sha1-signatures = yes and security level <= 1,
++         * explicitly allow SHA1 for backwards compatibility. Also allow
++         * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
++        return 1;
++    }
++
+     /* Finally see if security callback allows it */
+     secbits = sigalg_security_bits(s->ctx, lu);
+     sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
+@@ -2977,6 +2996,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
+ {
+     /* Lookup signature algorithm digest */
+     int secbits, nid, pknid;
++    OSSL_LIB_CTX *libctx = NULL;
++
+     /* Don't check signature if self signed */
+     if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
+         return 1;
+@@ -2985,6 +3006,26 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op)
+     /* If digest NID not defined use signature NID */
+     if (nid == NID_undef)
+         nid = pknid;
++
++    if (x && x->libctx)
++        libctx = x->libctx;
++    else if (ctx && ctx->libctx)
++        libctx = ctx->libctx;
++    else if (s && s->ctx && s->ctx->libctx)
++        libctx = s->ctx->libctx;
++    else
++        libctx = OSSL_LIB_CTX_get0_global_default();
++
++    if ((nid == NID_sha1 || nid == NID_md5_sha1)
++            && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
++            && ((s != NULL && SSL_get_security_level(s) < 2)
++                || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 2)
++            ))
++        /* When rh-allow-sha1-signatures = yes and security level <= 1,
++         * explicitly allow SHA1 for backwards compatibility. Also allow
++         * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
++        return 1;
++
+     if (s)
+         return ssl_security(s, op, secbits, nid, x);
+     else
+diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
+index 700bbd849c..280477bc9d 100644
+--- a/test/recipes/25-test_verify.t
++++ b/test/recipes/25-test_verify.t
+@@ -387,8 +387,8 @@ ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"
+ ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ),
+     "CA with PSS signature using SHA256");
+ 
+-ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
+-    "Reject PSS signature using SHA1 and auth level 1");
++ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
++    "Reject PSS signature using SHA1 and auth level 2");
+ 
+ ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
+     "PSS signature using SHA256 and auth level 2");
+-- 
+2.35.1
+

0056-strcasecmp.patch

@@ -0,0 +1,78 @@
+From 8545e0c4c38934fda47b701043dd5ce89c99fe81 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Mon, 31 Jul 2023 09:41:28 +0200
+Subject: [PATCH 25/35] 0056-strcasecmp.patch
+
+Patch-name: 0056-strcasecmp.patch
+Patch-id: 56
+Patch-status: |
+    # https://github.com/openssl/openssl/pull/18103
+    # The patch is incorporated in 3.0.3 but we provide this function since 3.0.1
+    # so the patch should persist
+From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
+---
+ crypto/o_str.c                         | 14 ++++++++++++--
+ test/recipes/01-test_symbol_presence.t |  1 +
+ util/libcrypto.num                     |  2 ++
+ 3 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/o_str.c b/crypto/o_str.c
+index 3354ce0927..95b9538471 100644
+--- a/crypto/o_str.c
++++ b/crypto/o_str.c
+@@ -342,7 +342,12 @@ int openssl_strerror_r(int errnum, char *buf, size_t buflen)
+ #endif
+ }
+ 
+-int OPENSSL_strcasecmp(const char *s1, const char *s2)
++int
++#ifndef FIPS_MODULE
++__attribute__ ((symver ("OPENSSL_strcasecmp@@OPENSSL_3.0.3"),
++                    symver ("OPENSSL_strcasecmp@OPENSSL_3.0.1")))
++#endif
++OPENSSL_strcasecmp(const char *s1, const char *s2)
+ {
+     int t;
+ 
+@@ -352,7 +357,12 @@ int OPENSSL_strcasecmp(const char *s1, const char *s2)
+     return t;
+ }
+ 
+-int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n)
++int
++#ifndef FIPS_MODULE
++__attribute__ ((symver ("OPENSSL_strncasecmp@@OPENSSL_3.0.3"),
++                    symver ("OPENSSL_strncasecmp@OPENSSL_3.0.1")))
++#endif
++OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n)
+ {
+     int t;
+     size_t i;
+diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t
+index 5530ade0ad..238a8d762e 100644
+--- a/test/recipes/01-test_symbol_presence.t
++++ b/test/recipes/01-test_symbol_presence.t
+@@ -77,6 +77,7 @@ foreach my $libname (@libnames) {
+                 s| .*||;
+                 # Drop OpenSSL dynamic version information if there is any
+                 s|\@\@.+$||;
++                s|\@.+$||;
+                 # Return the result
+                 $_
+             }
+diff --git a/util/libcrypto.num b/util/libcrypto.num
+index feb660d030..639074c5d0 100644
+--- a/util/libcrypto.num
++++ b/util/libcrypto.num
+@@ -5435,6 +5435,8 @@ EVP_MD_CTX_dup                          5562	3_1_0	EXIST::FUNCTION:
+ EVP_CIPHER_CTX_dup                      5563	3_1_0	EXIST::FUNCTION:
+ BN_are_coprime                          5564	3_1_0	EXIST::FUNCTION:
+ OSSL_CMP_MSG_update_recipNonce          5565	3_0_9	EXIST::FUNCTION:CMP
++OPENSSL_strcasecmp                      ?	3_0_1	EXIST::FUNCTION:
++OPENSSL_strncasecmp                     ? 	3_0_1	EXIST::FUNCTION:
+ ossl_safe_getenv                        ?	3_0_0	EXIST::FUNCTION:
+ ossl_ctx_legacy_digest_signatures_allowed ?	3_0_1	EXIST::FUNCTION:
+ ossl_ctx_legacy_digest_signatures_allowed_set ?	3_0_1	EXIST::FUNCTION:
+-- 
+2.41.0
+

0058-FIPS-limit-rsa-encrypt.patch

@@ -0,0 +1,568 @@
+From 56511d480823bedafce604374fa3b15d3b3ffd6b Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Mon, 31 Jul 2023 09:41:28 +0200
+Subject: [PATCH 26/48] 0058-FIPS-limit-rsa-encrypt.patch
+
+Patch-name: 0058-FIPS-limit-rsa-encrypt.patch
+Patch-id: 58
+Patch-status: |
+    # https://bugzilla.redhat.com/show_bug.cgi?id=2053289
+From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
+---
+ providers/common/securitycheck.c              |  1 +
+ .../implementations/asymciphers/rsa_enc.c     | 35 +++++++++++
+ .../30-test_evp_data/evppkey_rsa_common.txt   | 58 ++++++++++++++++++-
+ test/recipes/80-test_cms.t                    |  5 +-
+ test/recipes/80-test_ssl_old.t                | 27 +++++++--
+ 5 files changed, 118 insertions(+), 8 deletions(-)
+
+diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
+index e534ad0a5f..c017c658e5 100644
+--- a/providers/common/securitycheck.c
++++ b/providers/common/securitycheck.c
+@@ -27,6 +27,7 @@
+  * Set protect = 1 for encryption or signing operations, or 0 otherwise. See
+  * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.
+  */
++/* Red Hat build implements some extra limitations in providers/implementations/asymciphers/rsa_enc.c */
+ int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation)
+ {
+     int protect = 0;
+diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
+index d865968058..872967bcb3 100644
+--- a/providers/implementations/asymciphers/rsa_enc.c
++++ b/providers/implementations/asymciphers/rsa_enc.c
+@@ -132,6 +132,17 @@ static int rsa_decrypt_init(void *vprsactx, void *vrsa,
+     return rsa_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECRYPT);
+ }
+ 
++# ifdef FIPS_MODULE
++static int fips_padding_allowed(const PROV_RSA_CTX *prsactx)
++{
++    if (prsactx->pad_mode == RSA_PKCS1_PADDING || prsactx->pad_mode == RSA_NO_PADDING
++        || prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING)
++        return 0;
++
++    return 1;
++}
++# endif
++
+ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
+                        size_t outsize, const unsigned char *in, size_t inlen)
+ {
+@@ -141,6 +152,18 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
+     if (!ossl_prov_is_running())
+         return 0;
+ 
++# ifdef FIPS_MODULE
++    if (fips_padding_allowed(prsactx) == 0) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
++        return 0;
++    }
++
++    if (RSA_bits(prsactx->rsa) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
++        return 0;
++    }
++# endif
++
+     if (out == NULL) {
+         size_t len = RSA_size(prsactx->rsa);
+ 
+@@ -204,6 +227,18 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
+     if (!ossl_prov_is_running())
+         return 0;
+ 
++# ifdef FIPS_MODULE
++    if (fips_padding_allowed(prsactx) == 0) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
++        return 0;
++    }
++
++    if (RSA_bits(prsactx->rsa) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
++        return 0;
++    }
++# endif
++
+     if (prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING) {
+         if (out == NULL) {
+             *outlen = SSL_MAX_MASTER_KEY_LENGTH;
+diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+index 8680797b90..95d5d51102 100644
+--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
++++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+@@ -248,13 +248,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e377
+ Output = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+ 
+ # RSA decrypt
+-
++Availablein = default
+ Decrypt = RSA-2048
+ Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78
+ Output = "Hello World"
+ 
+ # Corrupted ciphertext
+-FIPSversion = <3.2.0
++Availablein = default
+ Decrypt = RSA-2048
+ Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79
+ Output = "Hello World"
+@@ -619,36 +619,42 @@ vcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mNXb79cyY+NygUJ0OBgWbtfdY2
+ h90qjKHS9PvY4Q==
+ -----END PRIVATE KEY-----
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-1
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=354fe67b4a126d5d35fe36c777791a3f7ba13def484e2d3908aff722fad468fb21696de95d0be911c2d3174f8afcc201035f7b6d8e69402de5451618c21a535fa9d7bfc5b8dd9fc243f8cf927db31322d6e881eaa91a996170e657a05a266426d98c88003f8477c1227094a0d9fa1e8c4024309ce1ecccb5210035d47ac72e8a
+ Output=6628194e12073db03ba94cda9ef9532397d50dba79b987004afefe34
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-1
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=640db1acc58e0568fe5407e5f9b701dff8c3c91e716c536fc7fcec6cb5b71c1165988d4a279e1577d730fc7a29932e3f00c81515236d8d8e31017a7a09df4352d904cdeb79aa583adcc31ea698a4c05283daba9089be5491f67c1a4ee48dc74bbbe6643aef846679b4cb395a352d5ed115912df696ffe0702932946d71492b44
+ Output=750c4047f547e8e41411856523298ac9bae245efaf1397fbe56f9dd5
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-1
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=423736ed035f6026af276c35c0b3741b365e5f76ca091b4e8c29e2f0befee603595aa8322d602d2e625e95eb81b2f1c9724e822eca76db8618cf09c5343503a4360835b5903bc637e3879fb05e0ef32685d5aec5067cd7cc96fe4b2670b6eac3066b1fcf5686b68589aafb7d629b02d8f8625ca3833624d4800fb081b1cf94eb
+ Output=d94ae0832e6445ce42331cb06d531a82b1db4baad30f746dc916df24d4e3c2451fff59a6423eb0e1d02d4fe646cf699dfd818c6e97b051
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-1
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=45ead4ca551e662c9800f1aca8283b0525e6abae30be4b4aba762fa40fd3d38e22abefc69794f6ebbbc05ddbb11216247d2f412fd0fba87c6e3acd888813646fd0e48e785204f9c3f73d6d8239562722dddd8771fec48b83a31ee6f592c4cfd4bc88174f3b13a112aae3b9f7b80e0fc6f7255ba880dc7d8021e22ad6a85f0755
+ Output=52e650d98e7f2a048b4f86852153b97e01dd316f346a19f67a85
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-1
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=36f6e34d94a8d34daacba33a2139d00ad85a9345a86051e73071620056b920e219005855a213a0f23897cdcd731b45257c777fe908202befdd0b58386b1244ea0cf539a05d5d10329da44e13030fd760dcd644cfef2094d1910d3f433e1c7c6dd18bc1f2df7f643d662fb9dd37ead9059190f4fa66ca39e869c4eb449cbdc439
+ Output=8da89fd9e5f974a29feffb462b49180f6cf9e802
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-1
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+@@ -673,36 +679,42 @@ SwGNdhGLJDiac1Dsg2sAY6IXISNv2O222JtR5+64e2EbcTLLfqc1bCMVHB53UVB8
+ eG2e4XlBcKjI6A==
+ -----END PRIVATE KEY-----
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-2
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0181af8922b9fcb4d79d92ebe19815992fc0c1439d8bcd491398a0f4ad3a329a5bd9385560db532683c8b7da04e4b12aed6aacdf471c34c9cda891addcc2df3456653aa6382e9ae59b54455257eb099d562bbe10453f2b6d13c59c02e10f1f8abb5da0d0570932dacf2d0901db729d0fefcc054e70968ea540c81b04bcaefe720e
+ Output=8ff00caa605c702830634d9a6c3d42c652b58cf1d92fec570beee7
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-2
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=018759ff1df63b2792410562314416a8aeaf2ac634b46f940ab82d64dbf165eee33011da749d4bab6e2fcd18129c9e49277d8453112b429a222a8471b070993998e758861c4d3f6d749d91c4290d332c7a4ab3f7ea35ff3a07d497c955ff0ffc95006b62c6d296810d9bfab024196c7934012c2df978ef299aba239940cba10245
+ Output=2d
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-2
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=018802bab04c60325e81c4962311f2be7c2adce93041a00719c88f957575f2c79f1b7bc8ced115c706b311c08a2d986ca3b6a9336b147c29c6f229409ddec651bd1fdd5a0b7f610c9937fdb4a3a762364b8b3206b4ea485fd098d08f63d4aa8bb2697d027b750c32d7f74eaf5180d2e9b66b17cb2fa55523bc280da10d14be2053
+ Output=74fc88c51bc90f77af9d5e9a4a70133d4b4e0b34da3c37c7ef8e
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-2
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=00a4578cbc176318a638fba7d01df15746af44d4f6cd96d7e7c495cbf425b09c649d32bf886da48fbaf989a2117187cafb1fb580317690e3ccd446920b7af82b31db5804d87d01514acbfa9156e782f867f6bed9449e0e9a2c09bcecc6aa087636965e34b3ec766f2fe2e43018a2fddeb140616a0e9d82e5331024ee0652fc7641
+ Output=a7eb2a5036931d27d4e891326d99692ffadda9bf7efd3e34e622c4adc085f721dfe885072c78a203b151739be540fa8c153a10f00a
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-2
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=00ebc5f5fda77cfdad3c83641a9025e77d72d8a6fb33a810f5950f8d74c73e8d931e8634d86ab1246256ae07b6005b71b7f2fb98351218331ce69b8ffbdc9da08bbc9c704f876deb9df9fc2ec065cad87f9090b07acc17aa7f997b27aca48806e897f771d95141fe4526d8a5301b678627efab707fd40fbebd6e792a25613e7aec
+ Output=2ef2b066f854c33f3bdcbb5994a435e73d6c6c
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-2
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+@@ -727,36 +739,42 @@ iUGx07dw5a0x7jc7KKzaaf+bb0D+V4ufGvuFg2+WJ9N6z/c8J3nmNLsmARwsj38z
+ Ya4qnqZe1onjY5o=
+ -----END PRIVATE KEY-----
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-3
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=026a0485d96aebd96b4382085099b962e6a2bdec3d90c8db625e14372de85e2d5b7baab65c8faf91bb5504fb495afce5c988b3f6a52e20e1d6cbd3566c5cd1f2b8318bb542cc0ea25c4aab9932afa20760eaddec784396a07ea0ef24d4e6f4d37e5052a7a31e146aa480a111bbe926401307e00f410033842b6d82fe5ce4dfae80
+ Output=087820b569e8fa8d
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-3
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=024db89c7802989be0783847863084941bf209d761987e38f97cb5f6f1bc88da72a50b73ebaf11c879c4f95df37b850b8f65d7622e25b1b889e80fe80baca2069d6e0e1d829953fc459069de98ea9798b451e557e99abf8fe3d9ccf9096ebbf3e5255d3b4e1c6d2ecadf067a359eea86405acd47d5e165517ccafd47d6dbee4bf5
+ Output=4653acaf171960b01f52a7be63a3ab21dc368ec43b50d82ec3781e04
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-3
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0239bce681032441528877d6d1c8bb28aa3bc97f1df584563618995797683844ca86664732f4bed7a0aab083aaabfb7238f582e30958c2024e44e57043b97950fd543da977c90cdde5337d618442f99e60d7783ab59ce6dd9d69c47ad1e962bec22d05895cff8d3f64ed5261d92b2678510393484990ba3f7f06818ae6ffce8a3a
+ Output=d94cd0e08fa404ed89
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-3
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=02994c62afd76f498ba1fd2cf642857fca81f4373cb08f1cbaee6f025c3b512b42c3e8779113476648039dbe0493f9246292fac28950600e7c0f32edf9c81b9dec45c3bde0cc8d8847590169907b7dc5991ceb29bb0714d613d96df0f12ec5d8d3507c8ee7ae78dd83f216fa61de100363aca48a7e914ae9f42ddfbe943b09d9a0
+ Output=6cc641b6b61e6f963974dad23a9013284ef1
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-3
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0162042ff6969592a6167031811a239834ce638abf54fec8b99478122afe2ee67f8c5b18b0339805bfdbc5a4e6720b37c59cfba942464c597ff532a119821545fd2e59b114e61daf71820529f5029cf524954327c34ec5e6f5ba7efcc4de943ab8ad4ed787b1454329f70db798a3a8f4d92f8274e2b2948ade627ce8ee33e43c60
+ Output=df5151832b61f4f25891fb4172f328d2eddf8371ffcfdbe997939295f30eca6918017cfda1153bf7a6af87593223
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-3
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+@@ -781,36 +799,42 @@ s/XkIiO6MDAcQabYfLtw4wy308Z9JUc9sfbL8D4/kSbj6XloJ5qGWywrQmUkz8Uq
+ aD0x7TDrmEvkEro=
+ -----END PRIVATE KEY-----
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-4
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=04cce19614845e094152a3fe18e54e3330c44e5efbc64ae16886cb1869014cc5781b1f8f9e045384d0112a135ca0d12e9c88a8e4063416deaae3844f60d6e96fe155145f4525b9a34431ca3766180f70e15a5e5d8e8b1a516ff870609f13f896935ced188279a58ed13d07114277d75c6568607e0ab092fd803a223e4a8ee0b1a8
+ Output=4a86609534ee434a6cbca3f7e962e76d455e3264c19f605f6e5ff6137c65c56d7fb344cd52bc93374f3d166c9f0c6f9c506bad19330972d2
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-4
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0097b698c6165645b303486fbf5a2a4479c0ee85889b541a6f0b858d6b6597b13b854eb4f839af03399a80d79bda6578c841f90d645715b280d37143992dd186c80b949b775cae97370e4ec97443136c6da484e970ffdb1323a20847821d3b18381de13bb49aaea66530c4a4b8271f3eae172cd366e07e6636f1019d2a28aed15e
+ Output=b0adc4f3fe11da59ce992773d9059943c03046497ee9d9f9a06df1166db46d98f58d27ec074c02eee6cbe2449c8b9fc5080c5c3f4433092512ec46aa793743c8
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-4
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0301f935e9c47abcb48acbbe09895d9f5971af14839da4ff95417ee453d1fd77319072bb7297e1b55d7561cd9d1bb24c1a9a37c619864308242804879d86ebd001dce5183975e1506989b70e5a83434154d5cbfd6a24787e60eb0c658d2ac193302d1192c6e622d4a12ad4b53923bca246df31c6395e37702c6a78ae081fb9d065
+ Output=bf6d42e701707b1d0206b0c8b45a1c72641ff12889219a82bdea965b5e79a96b0d0163ed9d578ec9ada20f2fbcf1ea3c4089d83419ba81b0c60f3606da99
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-4
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=02d110ad30afb727beb691dd0cf17d0af1a1e7fa0cc040ec1a4ba26a42c59d0a796a2e22c8f357ccc98b6519aceb682e945e62cb734614a529407cd452bee3e44fece8423cc19e55548b8b994b849c7ecde4933e76037e1d0ce44275b08710c68e430130b929730ed77e09b015642c5593f04e4ffb9410798102a8e96ffdfe11e4
+ Output=fb2ef112f5e766eb94019297934794f7be2f6fc1c58e
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-4
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=00dbb8a7439d90efd919a377c54fae8fe11ec58c3b858362e23ad1b8a44310799066b99347aa525691d2adc58d9b06e34f288c170390c5f0e11c0aa3645959f18ee79e8f2be8d7ac5c23d061f18dd74b8c5f2a58fcb5eb0c54f99f01a83247568292536583340948d7a8c97c4acd1e98d1e29dc320e97a260532a8aa7a758a1ec2
+ Output=28ccd447bb9e85166dabb9e5b7d1adadc4b9d39f204e96d5e440ce9ad928bc1c2284
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-4
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+@@ -835,36 +859,42 @@ OPlAQGLrhaQpJFILOPW7iGoBlvSLuNzqYP2SzAJ/GOeBWKNKXF1fhgoPbAQHGn0B
+ MSwGUGLx60i3nRyDyw==
+ -----END PRIVATE KEY-----
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-5
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=036046a4a47d9ed3ba9a89139c105038eb7492b05a5d68bfd53accff4597f7a68651b47b4a4627d927e485eed7b4566420e8b409879e5d606eae251d22a5df799f7920bfc117b992572a53b1263146bcea03385cc5e853c9a101c8c3e1bda31a519807496c6cb5e5efb408823a352b8fa0661fb664efadd593deb99fff5ed000e5
+ Output=af71a901e3a61d3132f0fc1fdb474f9ea6579257ffc24d164170145b3dbde8
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-5
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=03d6eb654edce615bc59f455265ed4e5a18223cbb9be4e4069b473804d5de96f54dcaaa603d049c5d94aa1470dfcd2254066b7c7b61ff1f6f6770e3215c51399fd4e34ec5082bc48f089840ad04354ae66dc0f1bd18e461a33cc1258b443a2837a6df26759aa2302334986f87380c9cc9d53be9f99605d2c9a97da7b0915a4a7ad
+ Output=a3b844a08239a8ac41605af17a6cfda4d350136585903a417a79268760519a4b4ac3303ec73f0f87cfb32399
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-5
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0770952181649f9f9f07ff626ff3a22c35c462443d905d456a9fd0bff43cac2ca7a9f554e9478b9acc3ac838b02040ffd3e1847de2e4253929f9dd9ee4044325a9b05cabb808b2ee840d34e15d105a3f1f7b27695a1a07a2d73fe08ecaaa3c9c9d4d5a89ff890d54727d7ae40c0ec1a8dd86165d8ee2c6368141016a48b55b6967
+ Output=308b0ecbd2c76cb77fc6f70c5edd233fd2f20929d629f026953bb62a8f4a3a314bde195de85b5f816da2aab074d26cb6acddf323ae3b9c678ac3cf12fbdde7
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-5
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0812b76768ebcb642d040258e5f4441a018521bd96687e6c5e899fcd6c17588ff59a82cc8ae03a4b45b31299af1788c329f7dcd285f8cf4ced82606b97612671a45bedca133442144d1617d114f802857f0f9d739751c57a3f9ee400912c61e2e6992be031a43dd48fa6ba14eef7c422b5edc4e7afa04fdd38f402d1c8bb719abf
+ Output=15c5b9ee1185
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-5
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=07b60e14ec954bfd29e60d0047e789f51d57186c63589903306793ced3f68241c743529aba6a6374f92e19e0163efa33697e196f7661dfaaa47aac6bde5e51deb507c72c589a2ca1693d96b1460381249b2cdb9eac44769f2489c5d3d2f99f0ee3c7ee5bf64a5ac79c42bd433f149be8cb59548361640595513c97af7bc2509723
+ Output=21026e6800c7fa728fcaaba0d196ae28d7a2ac4ffd8abce794f0985f60c8a6737277365d3fea11db8923a2029a
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-5
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+@@ -889,36 +919,42 @@ xT1F29tenZbQ/s9Cdd8JdLxKBza0p0wyaQU++2hqziQG4iyeBY3bSuVAYnri/bCC
+ Yejn5Ly8mU2q+jBcRQ==
+ -----END PRIVATE KEY-----
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-6
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0630eebcd2856c24f798806e41f9e67345eda9ceda386acc9facaea1eeed06ace583709718d9d169fadf414d5c76f92996833ef305b75b1e4b95f662a20faedc3bae0c4827a8bf8a88edbd57ec203a27a841f02e43a615bab1a8cac0701de34debdef62a088089b55ec36ea7522fd3ec8d06b6a073e6df833153bc0aefd93bd1a3
+ Output=4046ca8baa3347ca27f49e0d81f9cc1d71be9ba517d4
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-6
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0ebc37376173a4fd2f89cc55c2ca62b26b11d51c3c7ce49e8845f74e7607317c436bc8d23b9667dfeb9d087234b47bc6837175ae5c0559f6b81d7d22416d3e50f4ac533d8f0812f2db9e791fe9c775ac8b6ad0f535ad9ceb23a4a02014c58ab3f8d3161499a260f39348e714ae2a1d3443208fd8b722ccfdfb393e98011f99e63f
+ Output=5cc72c60231df03b3d40f9b57931bc31109f972527f28b19e7480c7288cb3c92b22512214e4be6c914792ddabdf57faa8aa7
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-6
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0a98bf1093619394436cf68d8f38e2f158fde8ea54f3435f239b8d06b8321844202476aeed96009492480ce3a8d705498c4c8c68f01501dc81db608f60087350c8c3b0bd2e9ef6a81458b7c801b89f2e4fe99d4900ba6a4b5e5a96d865dc676c7755928794130d6280a8160a190f2df3ea7cf9aa0271d88e9e6905ecf1c5152d65
+ Output=b20e651303092f4bccb43070c0f86d23049362ed96642fc5632c27db4a52e3d831f2ab068b23b149879c002f6bf3feee97591112562c
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-6
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=008e7a67cacfb5c4e24bec7dee149117f19598ce8c45808fef88c608ff9cd6e695263b9a3c0ad4b8ba4c95238e96a8422b8535629c8d5382374479ad13fa39974b242f9a759eeaf9c83ad5a8ca18940a0162ba755876df263f4bd50c6525c56090267c1f0e09ce0899a0cf359e88120abd9bf893445b3cae77d3607359ae9a52f8
+ Output=684e3038c5c041f7
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-6
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=00003474416c7b68bdf961c385737944d7f1f40cb395343c693cc0b4fe63b31fedf1eaeeac9ccc0678b31dc32e0977489514c4f09085f6298a9653f01aea4045ff582ee887be26ae575b73eef7f3774921e375a3d19adda0ca31aa1849887c1f42cac9677f7a2f4e923f6e5a868b38c084ef187594dc9f7f048fea2e02955384ab
+ Output=32488cb262d041d6e4dd35f987bf3ca696db1f06ac29a44693
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-6
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+@@ -943,36 +979,42 @@ tu4XIedy0DiaVZw9PN+VUNRXxGsDe3RkGx1SFmr4ohPIOWIGzfukQi8Y1vYdvLXS
+ FMlxv0gq65dqc3DC
+ -----END PRIVATE KEY-----
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-7
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=1688e4ce7794bba6cb7014169ecd559cede2a30b56a52b68d9fe18cf1973ef97b2a03153951c755f6294aa49adbdb55845ab6875fb3986c93ecf927962840d282f9e54ce8b690f7c0cb8bbd73440d9571d1b16cd9260f9eab4783cc482e5223dc60973871783ec27b0ae0fd47732cbc286a173fc92b00fb4ba6824647cd93c85c1
+ Output=47aae909
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-7
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=1052ed397b2e01e1d0ee1c50bf24363f95e504f4a03434a08fd822574ed6b9736edbb5f390db10321479a8a139350e2bd4977c3778ef331f3e78ae118b268451f20a2f01d471f5d53c566937171b2dbc2d4bde459a5799f0372d6574239b2323d245d0bb81c286b63c89a361017337e4902f88a467f4c7f244bfd5ab46437ff3b6
+ Output=1d9b2e2223d9bc13bfb9f162ce735db48ba7c68f6822a0a1a7b6ae165834e7
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-7
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=2155cd843ff24a4ee8badb7694260028a490813ba8b369a4cbf106ec148e5298707f5965be7d101c1049ea8584c24cd63455ad9c104d686282d3fb803a4c11c1c2e9b91c7178801d1b6640f003f5728df007b8a4ccc92bce05e41a27278d7c85018c52414313a5077789001d4f01910b72aad05d220aa14a58733a7489bc54556b
+ Output=d976fc
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-7
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0ab14c373aeb7d4328d0aaad8c094d88b9eb098b95f21054a29082522be7c27a312878b637917e3d819e6c3c568db5d843802b06d51d9e98a2be0bf40c031423b00edfbff8320efb9171bd2044653a4cb9c5122f6c65e83cda2ec3c126027a9c1a56ba874d0fea23f380b82cf240b8cf540004758c4c77d934157a74f3fc12bfac
+ Output=d4738623df223aa43843df8467534c41d013e0c803c624e263666b239bde40a5f29aeb8de79e3daa61dd0370f49bd4b013834b98212aef6b1c5ee373b3cb
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-7
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=028387a318277434798b4d97f460068df5298faba5041ba11761a1cb7316b24184114ec500257e2589ed3b607a1ebbe97a6cc2e02bf1b681f42312a33b7a77d8e7855c4a6de03e3c04643f786b91a264a0d6805e2cea91e68177eb7a64d9255e4f27e713b7ccec00dc200ebd21c2ea2bb890feae4942df941dc3f97890ed347478
+ Output=bb47231ca5ea1d3ad46c99345d9a8a61
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-7
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+@@ -997,36 +1039,42 @@ njraT2MgdSwJ2AX/fR8a4NAXru7pzvoNfdf/d15EtXgyL2QF1iEdoZUZZmqof9xM
+ 2MiPa249Z+lh3Luj0A==
+ -----END PRIVATE KEY-----
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-8
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=09b3683d8a2eb0fb295b62ed1fb9290b714457b7825319f4647872af889b30409472020ad12912bf19b11d4819f49614824ffd84d09c0a17e7d17309d12919790410aa2995699f6a86dbe3242b5acc23af45691080d6b1ae810fb3e3057087f0970092ce00be9562ff4053b6262ce0caa93e13723d2e3a5ba075d45f0d61b54b61
+ Output=050b755e5e6880f7b9e9d692a74c37aae449b31bfea6deff83747a897f6c2c825bb1adbf850a3c96994b5de5b33cbc7d4a17913a7967
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-8
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=2ecf15c97c5a15b1476ae986b371b57a24284f4a162a8d0c8182e7905e792256f1812ba5f83f1f7a130e42dcc02232844edc14a31a68ee97ae564a383a3411656424c5f62ddb646093c367be1fcda426cf00a06d8acb7e57776fbbd855ac3df506fc16b1d7c3f2110f3d8068e91e186363831c8409680d8da9ecd8cf1fa20ee39d
+ Output=4eb68dcd93ca9b19df111bd43608f557026fe4aa1d5cfac227a3eb5ab9548c18a06dded23f81825986b2fcd71109ecef7eff88873f075c2aa0c469f69c92bc
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-8
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=4bc89130a5b2dabb7c2fcf90eb5d0eaf9e681b7146a38f3173a3d9cfec52ea9e0a41932e648a9d69344c50da763f51a03c95762131e8052254dcd2248cba40fd31667786ce05a2b7b531ac9dac9ed584a59b677c1a8aed8c5d15d68c05569e2be780bf7db638fd2bfd2a85ab276860f3777338fca989ffd743d13ee08e0ca9893f
+ Output=8604ac56328c1ab5ad917861
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-8
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=2e456847d8fc36ff0147d6993594b9397227d577752c79d0f904fcb039d4d812fea605a7b574dd82ca786f93752348438ee9f5b5454985d5f0e1699e3e7ad175a32e15f03deb042ab9fe1dd9db1bb86f8c089ccb45e7ef0c5ee7ca9b7290ca6b15bed47039788a8a93ff83e0e8d6244c71006362deef69b6f416fb3c684383fbd0
+ Output=fdda5fbf6ec361a9d9a4ac68af216a0686f438b1e0e5c36b955f74e107f39c0dddcc
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-8
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=1fb9356fd5c4b1796db2ebf7d0d393cc810adf6145defc2fce714f79d93800d5e2ac211ea8bbecca4b654b94c3b18b30dd576ce34dc95436ef57a09415645923359a5d7b4171ef22c24670f1b229d3603e91f76671b7df97e7317c97734476d5f3d17d21cf82b5ba9f83df2e588d36984fd1b584468bd23b2e875f32f68953f7b2
+ Output=4a5f4914bee25de3c69341de07
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-8
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+@@ -1057,36 +1105,42 @@ Z7CDuaemy2HkLbNiuMmJbbcGTgKtWuYVh9oVtGSckFlJCf6zfby2VL63Jo7IAeWo
+ tKo5Eb69iFQvBb4=
+ -----END PRIVATE KEY-----
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-9
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=267bcd118acab1fc8ba81c85d73003cb8610fa55c1d97da8d48a7c7f06896a4db751aa284255b9d36ad65f37653d829f1b37f97b8001942545b2fc2c55a7376ca7a1be4b1760c8e05a33e5aa2526b8d98e317088e7834c755b2a59b12631a182c05d5d43ab1779264f8456f515ce57dfdf512d5493dab7b7338dc4b7d78db9c091ac3baf537a69fc7f549d979f0eff9a94fda4169bd4d1d19a69c99e33c3b55490d501b39b1edae118ff6793a153261584d3a5f39f6e682e3d17c8cd1261fa72
+ Output=f735fd55ba92592c3b52b8f9c4f69aaa1cbef8fe88add095595412467f9cf4ec0b896c59eda16210e7549c8abb10cdbc21a12ec9b6b5b8fd2f10399eb6
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-9
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=93ac9f0671ec29acbb444effc1a5741351d60fdb0e393fbf754acf0de49761a14841df7772e9bc82773966a1584c4d72baea00118f83f35cca6e537cbd4d811f5583b29783d8a6d94cd31be70d6f526c10ff09c6fa7ce069795a3fcd0511fd5fcb564bcc80ea9c78f38b80012539d8a4ddf6fe81e9cddb7f50dbbbbcc7e5d86097ccf4ec49189fb8bf318be6d5a0715d516b49af191258cd32dc833ce6eb4673c03a19bbace88cc54895f636cc0c1ec89096d11ce235a265ca1764232a689ae8
+ Output=81b906605015a63aabe42ddf11e1978912f5404c7474b26dce3ed482bf961ecc818bf420c54659
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-9
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=81ebdd95054b0c822ef9ad7693f5a87adfb4b4c4ce70df2df84ed49c04da58ba5fc20a19e1a6e8b7a3900b22796dc4e869ee6b42792d15a8eceb56c09c69914e813cea8f6931e4b8ed6f421af298d595c97f4789c7caa612c7ef360984c21b93edc5401068b5af4c78a8771b984d53b8ea8adf2f6a7d4a0ba76c75e1dd9f658f20ded4a46071d46d7791b56803d8fea7f0b0f8e41ae3f09383a6f9585fe7753eaaffd2bf94563108beecc207bbb535f5fcc705f0dde9f708c62f49a9c90371d3
+ Output=fd326429df9b890e09b54b18b8f34f1e24
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-9
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=bcc35f94cde66cb1136625d625b94432a35b22f3d2fa11a613ff0fca5bd57f87b902ccdc1cd0aebcb0715ee869d1d1fe395f6793003f5eca465059c88660d446ff5f0818552022557e38c08a67ead991262254f10682975ec56397768537f4977af6d5f6aaceb7fb25dec5937230231fd8978af49119a29f29e424ab8272b47562792d5c94f774b8829d0b0d9f1a8c9eddf37574d5fa248eefa9c5271fc5ec2579c81bdd61b410fa61fe36e424221c113addb275664c801d34ca8c6351e4a858
+ Output=f1459b5f0c92f01a0f723a2e5662484d8f8c0a20fc29dad6acd43bb5f3effdf4e1b63e07fdfe6628d0d74ca19bf2d69e4a0abf86d293925a796772f8088e
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-9
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+ Input=232afbc927fa08c2f6a27b87d4a5cb09c07dc26fae73d73a90558839f4fd66d281b87ec734bce237ba166698ed829106a7de6942cd6cdce78fed8d2e4d81428e66490d036264cef92af941d3e35055fe3981e14d29cbb9a4f67473063baec79a1179f5a17c9c1832f2838fd7d5e59bb9659d56dce8a019edef1bb3accc697cc6cc7a778f60a064c7f6f5d529c6210262e003de583e81e3167b89971fb8c0e15d44fffef89b53d8d64dd797d159b56d2b08ea5307ea12c241bd58d4ee278a1f2e
+ Output=53e6e8c729d6f9c319dd317e74b0db8e4ccca25f3c8305746e137ac63a63ef3739e7b595abb96e8d55e54f7bd41ab433378ffb911d
+ 
++Availablein = default
+ Decrypt=RSA-OAEP-9
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
+index cbec426137..9ba7fbeed2 100644
+--- a/test/recipes/80-test_cms.t
++++ b/test/recipes/80-test_cms.t
+@@ -233,7 +233,7 @@ my @smime_pkcs7_tests = (
+       \&final_compare
+     ],
+ 
+-    [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients",
++    [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients, no Red Hat FIPS",
+       [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
+         "-aes256", "-stream", "-out", "{output}.cms",
+         $smrsa1,
+@@ -1022,6 +1022,9 @@ sub check_availability {
+     return "$tnam: skipped, DSA disabled\n"
+         if ($no_dsa && $tnam =~ / DSA/);
+ 
++    return "$tnam: skipped, Red Hat FIPS\n"
++        if ($tnam =~ /no Red Hat FIPS/);
++
+     return "";
+ }
+ 
+diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
+index e2dcb68fb5..0775112b40 100644
+--- a/test/recipes/80-test_ssl_old.t
++++ b/test/recipes/80-test_ssl_old.t
+@@ -493,6 +493,18 @@ sub testssl {
+             # the default choice if TLSv1.3 enabled
+             my $flag = $protocol eq "-tls1_3" ? "" : $protocol;
+             my $ciphersuites = "";
++            my %redhat_skip_cipher = map {$_ => 1} qw(
++AES256-GCM-SHA384:@SECLEVEL=0
++AES256-CCM8:@SECLEVEL=0
++AES256-CCM:@SECLEVEL=0
++AES128-GCM-SHA256:@SECLEVEL=0
++AES128-CCM8:@SECLEVEL=0
++AES128-CCM:@SECLEVEL=0
++AES256-SHA256:@SECLEVEL=0
++AES128-SHA256:@SECLEVEL=0
++AES256-SHA:@SECLEVEL=0
++AES128-SHA:@SECLEVEL=0
++	    );
+             foreach my $cipher (@{$ciphersuites{$protocol}}) {
+                 if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) {
+                     note "*****SKIPPING $protocol $cipher";
+@@ -504,11 +516,16 @@ sub testssl {
+                     } else {
+                         $cipher = $cipher.':@SECLEVEL=0';
+                     }
+-                    ok(run(test([@ssltest, @exkeys, "-cipher",
+-                                 $cipher,
+-                                 "-ciphersuites", $ciphersuites,
+-                                 $flag || ()])),
+-                       "Testing $cipher");
++                    if ($provider eq "fips" && exists $redhat_skip_cipher{$cipher}) {
++                        note "*****SKIPPING $cipher in Red Hat FIPS mode";
++                        ok(1);
++                    } else {
++                        ok(run(test([@ssltest, @exkeys, "-cipher",
++                                     $cipher,
++                                     "-ciphersuites", $ciphersuites,
++                                     $flag || ()])),
++                           "Testing $cipher");
++                    }
+                 }
+             }
+             next if $protocol eq "-tls1_3";
+-- 
+2.41.0
+

0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch

@@ -0,0 +1,570 @@
+From 5f4f350ce797a7cd2fdca84c474ee196da9d6fae Mon Sep 17 00:00:00 2001
+From: Clemens Lang <cllang@redhat.com>
+Date: Wed, 18 May 2022 17:25:59 +0200
+Subject: [PATCH] Deny SHA-1 signature verification in FIPS provider
+
+For RHEL, we already disable SHA-1 signatures by default in the default
+provider, so it is unexpected that the FIPS provider would have a more
+lenient configuration in this regard. Additionally, we do not think
+continuing to accept SHA-1 signatures is a good idea due to the
+published chosen-prefix collision attacks.
+
+As a consequence, disable verification of SHA-1 signatures in the FIPS
+provider.
+
+This requires adjusting a few tests that would otherwise fail:
+- 30-test_acvp: Remove the test vectors that use SHA-1.
+- 30-test_evp: Mark tests in evppkey_rsa_common.txt and
+  evppkey_ecdsa.txt that use SHA-1 digests as "Availablein = default",
+  which will not run them when the FIPS provider is enabled.
+- 80-test_cms: Re-create all certificates in test/smime-certificates
+  with SHA256 signatures while keeping the same private keys. These
+  certificates were signed with SHA-1 and thus fail verification in the
+  FIPS provider.
+  Fix some other tests by explicitly running them in the default
+  provider, where SHA-1 is available.
+- 80-test_ssl_old: Skip tests that rely on SSLv3 and SHA-1 when run with
+  the FIPS provider.
+
+Signed-off-by: Clemens Lang <cllang@redhat.com>
+---
+ providers/implementations/signature/dsa_sig.c |  4 --
+ .../implementations/signature/ecdsa_sig.c     |  4 --
+ providers/implementations/signature/rsa_sig.c |  8 +--
+ test/acvp_test.inc                            | 20 -------
+ .../30-test_evp_data/evppkey_ecdsa.txt        |  7 +++
+ .../30-test_evp_data/evppkey_rsa_common.txt   | 51 +++++++++++++++-
+ test/recipes/80-test_cms.t                    |  4 +-
+ test/recipes/80-test_ssl_old.t                |  4 ++
+ test/smime-certs/smdh.pem                     | 18 +++---
+ test/smime-certs/smdsa1.pem                   | 60 +++++++++----------
+ test/smime-certs/smdsa2.pem                   | 60 +++++++++----------
+ test/smime-certs/smdsa3.pem                   | 60 +++++++++----------
+ test/smime-certs/smec1.pem                    | 30 +++++-----
+ test/smime-certs/smec2.pem                    | 30 +++++-----
+ test/smime-certs/smec3.pem                    | 30 +++++-----
+ test/smime-certs/smroot.pem                   | 38 ++++++------
+ test/smime-certs/smrsa1.pem                   | 38 ++++++------
+ test/smime-certs/smrsa2.pem                   | 38 ++++++------
+ test/smime-certs/smrsa3.pem                   | 38 ++++++------
+ 19 files changed, 286 insertions(+), 256 deletions(-)
+
+diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
+index fa3822f39f..c365d7b13a 100644
+--- a/providers/implementations/signature/dsa_sig.c
++++ b/providers/implementations/signature/dsa_sig.c
+@@ -128,11 +128,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
+         EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
+         int md_nid;
+         size_t mdname_len = strlen(mdname);
+-#ifdef FIPS_MODULE
+-        int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
+-#else
+         int sha1_allowed = 0;
+-#endif
+         md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
+                                                             sha1_allowed);
+ 
+diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
+index 99b228e82c..44a22832ec 100644
+--- a/providers/implementations/signature/ecdsa_sig.c
++++ b/providers/implementations/signature/ecdsa_sig.c
+@@ -237,11 +237,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
+                        "%s could not be fetched", mdname);
+         return 0;
+     }
+-#ifdef FIPS_MODULE
+-    sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
+-#else
+     sha1_allowed = 0;
+-#endif
+     md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
+                                                     sha1_allowed);
+     if (md_nid < 0) {
+diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
+index f66d7705c3..34f45175e8 100644
+--- a/providers/implementations/signature/rsa_sig.c
++++ b/providers/implementations/signature/rsa_sig.c
+@@ -292,11 +292,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
+         EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
+         int md_nid;
+         size_t mdname_len = strlen(mdname);
+-#ifdef FIPS_MODULE
+-        int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
+-#else
+         int sha1_allowed = 0;
+-#endif
+         md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
+                                                      sha1_allowed);
+ 
+@@ -1355,8 +1351,10 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
+ 
+     if (prsactx->md == NULL && pmdname == NULL
+         && pad_mode == RSA_PKCS1_PSS_PADDING) {
++#ifdef FIPS_MODULE
++        pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
++#else
+         pmdname = RSA_DEFAULT_DIGEST_NAME;
+-#ifndef FIPS_MODULE
+         if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
+             pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
+         }
+diff --git a/test/acvp_test.inc b/test/acvp_test.inc
+index ad11d3ae1e..73b24bdb0c 100644
+--- a/test/acvp_test.inc
++++ b/test/acvp_test.inc
+@@ -1841,17 +1841,6 @@ static const struct rsa_sigver_st rsa_sigver_data[] = {
+         NO_PSS_SALT_LEN,
+         FAIL
+     },
+-    {
+-        "x931",
+-        3072,
+-        "SHA1",
+-        ITM(rsa_sigverx931_0_msg),
+-        ITM(rsa_sigverx931_0_n),
+-        ITM(rsa_sigverx931_0_e),
+-        ITM(rsa_sigverx931_0_sig),
+-        NO_PSS_SALT_LEN,
+-        PASS
+-    },
+     {
+         "x931",
+         3072,
+diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+index f36982845d..51e507a61c 100644
+--- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
++++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+@@ -37,12 +37,14 @@ PrivPubKeyPair = P-256:P-256-PUBLIC
+ 
+ Title = ECDSA tests
+ 
++Availablein = default
+ Verify = P-256
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
+ 
+ # Digest too long
++Availablein = default
+ Verify = P-256
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF12345"
+@@ -50,6 +52,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e
+ Result = VERIFY_ERROR
+ 
+ # Digest too short
++Availablein = default
+ Verify = P-256
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF123"
+@@ -57,6 +60,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e
+ Result = VERIFY_ERROR
+ 
+ # Digest invalid
++Availablein = default
+ Verify = P-256
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1235"
+@@ -64,6 +68,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e
+ Result = VERIFY_ERROR
+ 
+ # Invalid signature
++Availablein = default
+ Verify = P-256
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+@@ -79,12 +84,14 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e
+ Result = VERIFY_ERROR
+ 
+ # BER signature
++Availablein = default
+ Verify = P-256
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+ Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000
+ Result = VERIFY_ERROR
+ 
++Availablein = default
+ Verify = P-256-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+index b8d8bb2993..8dd566067b 100644
+--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
++++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+@@ -96,6 +96,7 @@ NDL6WCBbets=
+ 
+ Title = RSA tests
+ 
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+@@ -112,24 +113,28 @@ Ctrl = digest:SHA512-224
+ Input = "0123456789ABCDEF123456789ABC"
+ Output = 5f720e9488139bb21e1c2f027fd5ce5993e6d31c5a8faaee833487b3a944d66891178868ace8070cad3ee2ffbe54aa4885a15fd1a7cc5166970fe1fd8c0423e72bd3e3b56fc4a53ed80aaaeca42497f0ec3c62113edc05cd006608f5eef7ce3ad4cba1069f68731dd28a524a1f93fcdc5547112d48d45586dd943ba0d443be9635720d8a61697c54c96627f0d85c5fbeaa3b4af86a65cf2fc3800dd5de34c046985f25d0efc0bb6edccc1d08b3a4fb9c8faffe181c7e68b31e374ad1440a4a664eec9ca0dc53a9d2f5bc7d9940d866f64201bcbc63612754df45727ea24b531d7de83d1bb707444859fa35521320c33bf6f4dbeb6fb56e653adbf7af15843f17
+ 
++Availablein = default
+ VerifyRecover = RSA-2048
+ Ctrl = digest:SHA1
+ Input = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
+ Output = "0123456789ABCDEF1234"
+ 
+ # Leading zero in the signature
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+ Output = 00c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
+ Result = VERIFY_ERROR
+ 
++Availablein = default
+ VerifyRecover = RSA-2048
+ Ctrl = digest:SHA1
+ Input = 00c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
+ Result = KEYOP_ERROR
+ 
+ # Mismatched digest
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1233"
+@@ -137,6 +142,7 @@ Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2
+ Result = VERIFY_ERROR
+ 
+ # Corrupted signature
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1233"
+@@ -144,6 +150,7 @@ Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2
+ Result = VERIFY_ERROR
+ 
+ # parameter is not NULLt
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:sha1
+ Input = "0123456789ABCDEF1234"
+@@ -151,42 +158,49 @@ Output = 3ec3fc29eb6e122bd7aa361cd09fe1bcbe85311096a7b9e4799cedfb2351ce0ab7fe4e7
+ Result = VERIFY_ERROR
+ 
+ # embedded digest too long
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:sha1
+ Input = "0123456789ABCDEF1234"
+ Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
+ Result = VERIFY_ERROR
+ 
++Availablein = default
+ VerifyRecover = RSA-2048
+ Ctrl = digest:sha1
+ Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
+ Result = KEYOP_ERROR
+ 
+ # embedded digest too short
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:sha1
+ Input = "0123456789ABCDEF1234"
+ Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
+ Result = VERIFY_ERROR
+ 
++Availablein = default
+ VerifyRecover = RSA-2048
+ Ctrl = digest:sha1
+ Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
+ Result = KEYOP_ERROR
+ 
+ # Garbage after DigestInfo
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:sha1
+ Input = "0123456789ABCDEF1234"
+ Output = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274
+ Result = VERIFY_ERROR
+ 
++Availablein = default
+ VerifyRecover = RSA-2048
+ Ctrl = digest:sha1
+ Input = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274
+ Result = KEYOP_ERROR
+ 
+ # invalid tag for parameter
++Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:sha1
+ Input = "0123456789ABCDEF1234"
+@@ -195,6 +209,7 @@ Result = VERIFY_ERROR
+ 
+ # Verify using public key
+ 
++Availablein = default
+ Verify = RSA-2048-PUBLIC
+ Ctrl = digest:SHA1
+ Input = "0123456789ABCDEF1234"
+@@ -370,6 +385,8 @@ Input="0123456789ABCDEF0123456789ABCDEF"
+ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DDD0635A96B28F854E50145518482CB49E963054621B53C60C498D07C16E9C2789C893CF38D4D86900DE71BDE463BD2761D1271E358C7480A1AC0BAB930DDF39602AD1BC165B5D7436B516B7A7858E8EB7AB1C420EEB482F4D207F0E462B1724959320A084E13848D11D10FB593E66BF680BF6D3F345FC3E9C3DE60ABBAC37E1C6EC80A268C8D9FC49626C679097AA690BC1AA662B95EB8DB70390861AA0898229F9349B4B5FDD030D4928C47084708A933144BE23BD3C6E661B85B2C0EF9ED36D498D5B7320E8194D363D4AD478C059BAE804181965E0B81B663158A
+ 
+ # Verify using salt length auto detect
++# In the FIPS provider on RHEL-9, the default digest for PSS signatures is SHA-256
++Availablein = default
+ Verify = RSA-2048-PUBLIC
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_pss_saltlen:auto
+@@ -404,6 +421,10 @@ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DD
+ Result = VERIFY_ERROR
+ 
+ # Verify using default parameters, explicitly setting parameters
++# NOTE: RSA-PSS-DEFAULT contains a restriction to use SHA1 as digest, which
++# RHEL-9 does not support in FIPS mode; all these tests are thus marked
++# Availablein = default.
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_pss_saltlen:20
+@@ -412,6 +433,7 @@ Input="0123456789ABCDEF0123"
+ Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
+ 
+ # Verify explicitly setting parameters "digest" salt length
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_pss_saltlen:digest
+@@ -420,18 +442,21 @@ Input="0123456789ABCDEF0123"
+ Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
+ 
+ # Verify using salt length larger than minimum
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Ctrl = rsa_pss_saltlen:30
+ Input="0123456789ABCDEF0123"
+ Output = 6BF7EDC63A0BA184EEEC7F3020FEC8F5EBF38C2B76481881F48BCCE5796E7AB294548BA9AE810457C7723CABD1BDE94CF59CF7C0FC7461B22760C8ED703DD98E97BFDD61FA8D1181C411F6DEE5FF159F4850746D78EDEE385A363DC28E2CB373D5CAD7953F3BD5E639BE345732C03A1BDEA268814DA036EB1891C82D4012F3B903D86636055F87B96FC98806AD1B217685A4D754046A5DE0B0D7870664BE07902153EC85BA457BE7D7F89D7FE0F626D02A9CBBB2BB479DDA1A5CAE75247FB7BF6BFB15C1D3FD9E6B1573CCDBC72011C3B97716058BB11C7EA2E4E56ADAFE1F5DE6A7FD405AC5890100F9C3408EFFB5C73BF73F48177FF743B4B819D0699D507B
+ 
+ # Verify using maximum salt length
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Ctrl = rsa_pss_saltlen:max
+ Input="0123456789ABCDEF0123"
+ Output = 4470DCFE812DEE2E58E4301D4ED274AB348FE040B724B2CD1D8CD0914BFF375F0B86FCB32BFA8AEA9BD22BD7C4F1ADD4F3D215A5CFCC99055BAFECFC23800E9BECE19A08C66BEBC5802122D13A732E5958FC228DCC0B49B5B4B1154F032D8FA2F3564AA949C1310CC9266B0C47F86D449AC9D2E7678347E7266E2D7C888CCE1ADF44A109A293F8516AE2BD94CE220F26E137DB8E7A66BB9FCE052CDC1D0BE24D8CEBB20D10125F26B069F117044B9E1D16FDDAABCA5340AE1702F37D0E1C08A2E93801C0A41035C6C73DA02A0E32227EAFB0B85E79107B59650D0EE7DC32A6772CCCE90F06369B2880FE87ED76997BA61F5EA818091EE88F8B0D6F24D02A3FC6
+ 
+ # Attempt to change salt length below minimum
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Ctrl = rsa_pss_saltlen:0
+ Result = PKEY_CTRL_ERROR
+@@ -439,21 +464,25 @@ Result = PKEY_CTRL_ERROR
+ # Attempt to change padding mode
+ # Note this used to return PKEY_CTRL_INVALID
+ # but it is limited because setparams only returns 0 or 1.
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Ctrl = rsa_padding_mode:pkcs1
+ Result = PKEY_CTRL_ERROR
+ 
+ # Attempt to change digest
++Availablein = default
+ Verify = RSA-PSS-DEFAULT
+ Ctrl = digest:sha256
+ Result = PKEY_CTRL_ERROR
+ 
+ # Invalid key: rejected when we try to init
++Availablein = default
+ Verify = RSA-PSS-BAD
+ Result = KEYOP_INIT_ERROR
+ Reason = invalid salt length
+ 
+ # Invalid key: rejected when we try to init
++Availablein = default
+ Verify = RSA-PSS-BAD2
+ Result = KEYOP_INIT_ERROR
+ Reason = invalid salt length
+@@ -472,36 +501,42 @@ CAltWyuLbfXWce9jd8CSHLI8Jwpw4lmOb/idGfEFrMLT8Ms18pKA4Thrb2TE7yLh
+ 4fINDOjP+yJJvZohNwIDAQAB
+ -----END PUBLIC KEY-----
+ 
++Availablein = default
+ Verify=RSA-PSS-1
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=cd8b6538cb8e8de566b68bd067569dbf1ee2718e
+ Output=9074308fb598e9701b2294388e52f971faac2b60a5145af185df5287b5ed2887e57ce7fd44dc8634e407c8e0e4360bc226f3ec227f9d9e54638e8d31f5051215df6ebb9c2f9579aa77598a38f914b5b9c1bd83c4e2f9f382a0d0aa3542ffee65984a601bc69eb28deb27dca12c82c2d4c3f66cd500f1ff2b994d8a4e30cbb33c
+ 
++Availablein = default
+ Verify=RSA-PSS-1
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=e35befc17a1d160b9ce35fbd8eb16e7ee491d3fd
+ Output=3ef7f46e831bf92b32274142a585ffcefbdca7b32ae90d10fb0f0c729984f04ef29a9df0780775ce43739b97838390db0a5505e63de927028d9d29b219ca2c4517832558a55d694a6d25b9dab66003c4cccd907802193be5170d26147d37b93590241be51c25055f47ef62752cfbe21418fafe98c22c4d4d47724fdb5669e843
+ 
++Availablein = default
+ Verify=RSA-PSS-1
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0652ec67bcee30f9d2699122b91c19abdba89f91
+ Output=666026fba71bd3e7cf13157cc2c51a8e4aa684af9778f91849f34335d141c00154c4197621f9624a675b5abc22ee7d5baaffaae1c9baca2cc373b3f33e78e6143c395a91aa7faca664eb733afd14d8827259d99a7550faca501ef2b04e33c23aa51f4b9e8282efdb728cc0ab09405a91607c6369961bc8270d2d4f39fce612b1
+ 
++Availablein = default
+ Verify=RSA-PSS-1
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=39c21c4cceda9c1adf839c744e1212a6437575ec
+ Output=4609793b23e9d09362dc21bb47da0b4f3a7622649a47d464019b9aeafe53359c178c91cd58ba6bcb78be0346a7bc637f4b873d4bab38ee661f199634c547a1ad8442e03da015b136e543f7ab07c0c13e4225b8de8cce25d4f6eb8400f81f7e1833b7ee6e334d370964ca79fdb872b4d75223b5eeb08101591fb532d155a6de87
+ 
++Availablein = default
+ Verify=RSA-PSS-1
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=36dae913b77bd17cae6e7b09453d24544cebb33c
+ Output=1d2aad221ca4d31ddf13509239019398e3d14b32dc34dc5af4aeaea3c095af73479cf0a45e5629635a53a018377615b16cb9b13b3e09d671eb71e387b8545c5960da5a64776e768e82b2c93583bf104c3fdb23512b7b4e89f633dd0063a530db4524b01c3f384c09310e315a79dcd3d684022a7f31c865a664e316978b759fad
+ 
++Availablein = default
+ Verify=RSA-PSS-1
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+@@ -517,36 +552,42 @@ swU7R97S7NSkyu/WFIM9yLtiLzF+0Ha4BX/o3j+ESArV6D5KYZBKTySPs5cCc1fh
+ 0w5GMTmBXG/U/VrFuBcqRSMOy2MYoE8UVdhOWosCAwEAAQ==
+ -----END PUBLIC KEY-----
+ 
++Availablein = default
+ Verify=RSA-PSS-9
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=2715a49b8b0012cd7aee84c116446e6dfe3faec0
+ Output=586107226c3ce013a7c8f04d1a6a2959bb4b8e205ba43a27b50f124111bc35ef589b039f5932187cb696d7d9a32c0c38300a5cdda4834b62d2eb240af33f79d13dfbf095bf599e0d9686948c1964747b67e89c9aba5cd85016236f566cc5802cb13ead51bc7ca6bef3b94dcbdbb1d570469771df0e00b1a8a06777472d2316279edae86474668d4e1efff95f1de61c6020da32ae92bbf16520fef3cf4d88f61121f24bbd9fe91b59caf1235b2a93ff81fc403addf4ebdea84934a9cdaf8e1a9e
+ 
++Availablein = default
+ Verify=RSA-PSS-9
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=2dac956d53964748ac364d06595827c6b4f143cd
+ Output=80b6d643255209f0a456763897ac9ed259d459b49c2887e5882ecb4434cfd66dd7e1699375381e51cd7f554f2c271704b399d42b4be2540a0eca61951f55267f7c2878c122842dadb28b01bd5f8c025f7e228418a673c03d6bc0c736d0a29546bd67f786d9d692ccea778d71d98c2063b7a71092187a4d35af108111d83e83eae46c46aa34277e06044589903788f1d5e7cee25fb485e92949118814d6f2c3ee361489016f327fb5bc517eb50470bffa1afa5f4ce9aa0ce5b8ee19bf5501b958
+ 
++Availablein = default
+ Verify=RSA-PSS-9
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=28d98c46cccafbd3bc04e72f967a54bd3ea12298
+ Output=484408f3898cd5f53483f80819efbf2708c34d27a8b2a6fae8b322f9240237f981817aca1846f1084daa6d7c0795f6e5bf1af59c38e1858437ce1f7ec419b98c8736adf6dd9a00b1806d2bd3ad0a73775e05f52dfef3a59ab4b08143f0df05cd1ad9d04bececa6daa4a2129803e200cbc77787caf4c1d0663a6c5987b605952019782caf2ec1426d68fb94ed1d4be816a7ed081b77e6ab330b3ffc073820fecde3727fcbe295ee61a050a343658637c3fd659cfb63736de32d9f90d3c2f63eca
+ 
++Availablein = default
+ Verify=RSA-PSS-9
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=0866d2ff5a79f25ef668cd6f31b42dee421e4c0e
+ Output=84ebeb481be59845b46468bafb471c0112e02b235d84b5d911cbd1926ee5074ae0424495cb20e82308b8ebb65f419a03fb40e72b78981d88aad143053685172c97b29c8b7bf0ae73b5b2263c403da0ed2f80ff7450af7828eb8b86f0028bd2a8b176a4d228cccea18394f238b09ff758cc00bc04301152355742f282b54e663a919e709d8da24ade5500a7b9aa50226e0ca52923e6c2d860ec50ff480fa57477e82b0565f4379f79c772d5c2da80af9fbf325ece6fc20b00961614bee89a183e
+ 
++Availablein = default
+ Verify=RSA-PSS-9
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=6a5b4be4cd36cc97dfde9995efbf8f097a4a991a
+ Output=82102df8cb91e7179919a04d26d335d64fbc2f872c44833943241de8454810274cdf3db5f42d423db152af7135f701420e39b494a67cbfd19f9119da233a23da5c6439b5ba0d2bc373eee3507001378d4a4073856b7fe2aba0b5ee93b27f4afec7d4d120921c83f606765b02c19e4d6a1a3b95fa4c422951be4f52131077ef17179729cddfbdb56950dbaceefe78cb16640a099ea56d24389eef10f8fecb31ba3ea3b227c0a86698bb89e3e9363905bf22777b2a3aa521b65b4cef76d83bde4c
+ 
++Availablein = default
+ Verify=RSA-PSS-9
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+@@ -564,36 +605,42 @@ F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5kGWC7IsXS9WNXR89dnxhNyGu
+ BQIDAQAB
+ -----END PUBLIC KEY-----
+ 
++Availablein = default
+ Verify=RSA-PSS-10
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=9596bb630cf6a8d4ea4600422b9eba8b13675dd4
+ Output=82c2b160093b8aa3c0f7522b19f87354066c77847abf2a9fce542d0e84e920c5afb49ffdfdace16560ee94a1369601148ebad7a0e151cf16331791a5727d05f21e74e7eb811440206935d744765a15e79f015cb66c532c87a6a05961c8bfad741a9a6657022894393e7223739796c02a77455d0f555b0ec01ddf259b6207fd0fd57614cef1a5573baaff4ec00069951659b85f24300a25160ca8522dc6e6727e57d019d7e63629b8fe5e89e25cc15beb3a647577559299280b9b28f79b0409000be25bbd96408ba3b43cc486184dd1c8e62553fa1af4040f60663de7f5e49c04388e257f1ce89c95dab48a315d9b66b1b7628233876ff2385230d070d07e1666
+ 
++Availablein = default
+ Verify=RSA-PSS-10
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=b503319399277fd6c1c8f1033cbf04199ea21716
+ Output=14ae35d9dd06ba92f7f3b897978aed7cd4bf5ff0b585a40bd46ce1b42cd2703053bb9044d64e813d8f96db2dd7007d10118f6f8f8496097ad75e1ff692341b2892ad55a633a1c55e7f0a0ad59a0e203a5b8278aec54dd8622e2831d87174f8caff43ee6c46445345d84a59659bfb92ecd4c818668695f34706f66828a89959637f2bf3e3251c24bdba4d4b7649da0022218b119c84e79a6527ec5b8a5f861c159952e23ec05e1e717346faefe8b1686825bd2b262fb2531066c0de09acde2e4231690728b5d85e115a2f6b92b79c25abc9bd9399ff8bcf825a52ea1f56ea76dd26f43baafa18bfa92a504cbd35699e26d1dcc5a2887385f3c63232f06f3244c3
+ 
++Availablein = default
+ Verify=RSA-PSS-10
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=50aaede8536b2c307208b275a67ae2df196c7628
+ Output=6e3e4d7b6b15d2fb46013b8900aa5bbb3939cf2c095717987042026ee62c74c54cffd5d7d57efbbf950a0f5c574fa09d3fc1c9f513b05b4ff50dd8df7edfa20102854c35e592180119a70ce5b085182aa02d9ea2aa90d1df03f2daae885ba2f5d05afdac97476f06b93b5bc94a1a80aa9116c4d615f333b098892b25fface266f5db5a5a3bcc10a824ed55aad35b727834fb8c07da28fcf416a5d9b2224f1f8b442b36f91e456fdea2d7cfe3367268de0307a4c74e924159ed33393d5e0655531c77327b89821bdedf880161c78cd4196b5419f7acc3f13e5ebf161b6e7c6724716ca33b85c2e25640192ac2859651d50bde7eb976e51cec828b98b6563b86bb
+ 
++Availablein = default
+ Verify=RSA-PSS-10
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=aa0b72b8b371ddd10c8ae474425ccccf8842a294
+ Output=34047ff96c4dc0dc90b2d4ff59a1a361a4754b255d2ee0af7d8bf87c9bc9e7ddeede33934c63ca1c0e3d262cb145ef932a1f2c0a997aa6a34f8eaee7477d82ccf09095a6b8acad38d4eec9fb7eab7ad02da1d11d8e54c1825e55bf58c2a23234b902be124f9e9038a8f68fa45dab72f66e0945bf1d8bacc9044c6f07098c9fcec58a3aab100c805178155f030a124c450e5acbda47d0e4f10b80a23f803e774d023b0015c20b9f9bbe7c91296338d5ecb471cafb032007b67a60be5f69504a9f01abb3cb467b260e2bce860be8d95bf92c0c8e1496ed1e528593a4abb6df462dde8a0968dffe4683116857a232f5ebf6c85be238745ad0f38f767a5fdbf486fb
+ 
++Availablein = default
+ Verify=RSA-PSS-10
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+ Input=fad3902c9750622a2bc672622c48270cc57d3ea8
+ Output=7e0935ea18f4d6c1d17ce82eb2b3836c55b384589ce19dfe743363ac9948d1f346b7bfddfe92efd78adb21faefc89ade42b10f374003fe122e67429a1cb8cbd1f8d9014564c44d120116f4990f1a6e38774c194bd1b8213286b077b0499d2e7b3f434ab12289c556684deed78131934bb3dd6537236f7c6f3dcb09d476be07721e37e1ceed9b2f7b406887bd53157305e1c8b4f84d733bc1e186fe06cc59b6edb8f4bd7ffefdf4f7ba9cfb9d570689b5a1a4109a746a690893db3799255a0cb9215d2d1cd490590e952e8c8786aa0011265252470c041dfbc3eec7c3cbf71c24869d115c0cb4a956f56d530b80ab589acfefc690751ddf36e8d383f83cedd2cc
+ 
++Availablein = default
+ Verify=RSA-PSS-10
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_mgf1_md:sha1
+@@ -1329,11 +1376,13 @@ Title = RSA FIPS tests
+ 
+ # FIPS tests
+ 
+-# Verifying with SHA1 is permitted in fips mode for older applications
++# Verifying with SHA1 is not permitted on RHEL-9 in FIPS mode
++Availablein = fips
+ DigestVerify = SHA1
+ Key = RSA-2048
+ Input = "Hello "
+ Output = 87ea0e2226ef35e5a2aec9ca1222fcbe39ba723f05b3203564f671dd3601271806ead3240e61d424359ee3b17bd3e32f54b82df83998a8ac4148410710361de0400f9ddf98278618fbc87747a0531972543e6e5f18ab2fdfbfda02952f6ac69690e43864690af271bf43d4be9705b303d4ff994ab3abd4d5851562b73e59be3edc01cec41a4cc13b68206329bad1a46c6608d3609e951faa321d0fdbc765d54e9a7c59248d2f67913c9903e932b769c9c8a45520cabea06e8c0b231dd3bcc7f7ec55b46b0157ccb5fc5011fa57353cd3df32edcbadcb8d168133cbd0acfb64444cb040e1298f621508a38f79e14ae8c2c5c857f90aa9d24ef5fc07d34bf23859
++Result = DIGESTVERIFYINIT_ERROR
+ 
+ # Verifying with a 1024 bit key is permitted in fips mode for older applications
+ DigestVerify = SHA256
+diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
+index 48a92f735d..34afe91b88 100644
+--- a/test/recipes/80-test_cms.t
++++ b/test/recipes/80-test_cms.t
+@@ -162,7 +162,7 @@ my @smime_pkcs7_tests = (
+       [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1",
+         "-certfile", $smroot,
+         "-signer", $smrsa1, "-out", "{output}.cms" ],
+-      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
++      [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms",
+         "-CAfile", $smroot, "-out", "{output}.txt" ],
+       \&final_compare
+     ],
+@@ -170,7 +170,7 @@ my @smime_pkcs7_tests = (
+     [ "signed zero-length content S/MIME format, RSA key SHA1",
+       [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1",
+         "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
+-      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
++      [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms",
+         "-CAfile", $smroot, "-out", "{output}.txt" ],
+       \&zero_compare
+     ],
+diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
+index 8c52b637fc..ff75c5b6ec 100644
+--- a/test/recipes/80-test_ssl_old.t
++++ b/test/recipes/80-test_ssl_old.t
+@@ -394,6 +394,9 @@ sub testssl {
+                'test sslv2/sslv3 with 1024bit DHE via BIO pair');
+           }
+ 
++        SKIP: {
++          skip "SSLv3 is not supported by the FIPS provider", 4
++              if $provider eq "fips";
+           ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])),
+              'test sslv2/sslv3 with server authentication');
+           ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])),
+@@ -402,6 +405,7 @@ sub testssl {
+              'test sslv2/sslv3 with both client and server authentication via BIO pair');
+           ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])),
+              'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify');
++         }
+ 
+         SKIP: {
+             skip "No IPv4 available on this machine", 4

0062-fips-Expose-a-FIPS-indicator.patch

@@ -0,0 +1,466 @@
+From e3d6fca1af033d00c47bcd8f9ba28fcf1aa476aa Mon Sep 17 00:00:00 2001
+From: Clemens Lang <cllang@redhat.com>
+Date: Tue, 7 Jun 2022 12:02:49 +0200
+Subject: [PATCH] fips: Expose a FIPS indicator
+
+FIPS 140-3 requires us to indicate whether an operation was using
+approved services or not. The FIPS 140-3 implementation guidelines
+provide two basic approaches to doing this: implicit indicators, and
+explicit indicators.
+
+Implicit indicators are basically the concept of "if the operation
+passes, it was approved". We were originally aiming for implicit
+indicators in our copy of OpenSSL. However, this proved to be a problem,
+because we wanted to certify a signature service, and FIPS 140-3
+requires that a signature service computes the digest to be signed
+within the boundaries of the FIPS module. Since we were planning to
+certify fips.so only, this means that EVP_PKEY_sign/EVP_PKEY_verify
+would have to be blocked. Unfortunately, EVP_SignFinal uses
+EVP_PKEY_sign internally, but outside of fips.so and thus outside of the
+FIPS module boundary. This means that using implicit indicators in
+combination with certifying only fips.so would require us to block both
+EVP_PKEY_sign and EVP_SignFinal, which are the two APIs currently used
+by most users of OpenSSL for signatures.
+
+EVP_DigestSign would be acceptable, but has only been added in 3.0 and
+is thus not yet widely used.
+
+As a consequence, we've decided to introduce explicit indicators so that
+EVP_PKEY_sign and EVP_SignFinal can continue to work for now, but
+FIPS-aware applications can query the explicit indicator to check
+whether the operation was approved.
+
+To avoid affecting the ABI and public API too much, this is implemented
+as an exported symbol in fips.so and a private header, so applications
+that wish to use this will have to dlopen(3) fips.so, locate the
+function using dlsym(3), and then call it. These applications will have
+to build against the private header in order to use the returned
+pointer.
+
+Modify util/mkdef.pl to support exposing a symbol only for a specific
+provider identified by its name and path.
+
+Signed-off-by: Clemens Lang <cllang@redhat.com>
+---
+ doc/build.info                      |   6 ++
+ doc/man7/fips_module_indicators.pod | 154 ++++++++++++++++++++++++++++
+ providers/fips/fipsprov.c           |  71 +++++++++++++
+ providers/fips/indicator.h          |  66 ++++++++++++
+ util/mkdef.pl                       |  25 ++++-
+ util/providers.num                  |   1 +
+ 6 files changed, 322 insertions(+), 1 deletion(-)
+ create mode 100644 doc/man7/fips_module_indicators.pod
+ create mode 100644 providers/fips/indicator.h
+
+diff --git a/doc/build.info b/doc/build.info
+index b0aa4297a4..af235113bb 100644
+--- a/doc/build.info
++++ b/doc/build.info
+@@ -4389,6 +4389,10 @@ DEPEND[html/man7/fips_module.html]=man7/fips_module.pod
+ GENERATE[html/man7/fips_module.html]=man7/fips_module.pod
+ DEPEND[man/man7/fips_module.7]=man7/fips_module.pod
+ GENERATE[man/man7/fips_module.7]=man7/fips_module.pod
++DEPEND[html/man7/fips_module_indicators.html]=man7/fips_module_indicators.pod
++GENERATE[html/man7/fips_module_indicators.html]=man7/fips_module_indicators.pod
++DEPEND[man/man7/fips_module_indicators.7]=man7/fips_module_indicators.pod
++GENERATE[man/man7/fips_module_indicators.7]=man7/fips_module_indicators.pod
+ DEPEND[html/man7/life_cycle-cipher.html]=man7/life_cycle-cipher.pod
+ GENERATE[html/man7/life_cycle-cipher.html]=man7/life_cycle-cipher.pod
+ DEPEND[man/man7/life_cycle-cipher.7]=man7/life_cycle-cipher.pod
+@@ -4631,6 +4635,7 @@ html/man7/ct.html \
+ html/man7/des_modes.html \
+ html/man7/evp.html \
+ html/man7/fips_module.html \
++html/man7/fips_module_indicators.html \
+ html/man7/life_cycle-cipher.html \
+ html/man7/life_cycle-digest.html \
+ html/man7/life_cycle-kdf.html \
+@@ -4754,6 +4759,7 @@ man/man7/ct.7 \
+ man/man7/des_modes.7 \
+ man/man7/evp.7 \
+ man/man7/fips_module.7 \
++man/man7/fips_module_indicators.7 \
+ man/man7/life_cycle-cipher.7 \
+ man/man7/life_cycle-digest.7 \
+ man/man7/life_cycle-kdf.7 \
+diff --git a/doc/man7/fips_module_indicators.pod b/doc/man7/fips_module_indicators.pod
+new file mode 100644
+index 0000000000..23db2b395c
+--- /dev/null
++++ b/doc/man7/fips_module_indicators.pod
+@@ -0,0 +1,154 @@
++=pod
++
++=head1 NAME
++
++fips_module_indicators - Red Hat OpenSSL FIPS module indicators guide
++
++=head1 DESCRIPTION
++
++This guide documents how the Red Hat Enterprise Linux 9 OpenSSL FIPS provider
++implements Approved Security Service Indicators according to the FIPS 140-3
++Implementation Guidelines, section 2.4.C. See
++L<https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf>
++for the FIPS 140-3 Implementation Guidelines.
++
++For all approved services except signatures, the Red Hat OpenSSL FIPS provider
++uses the return code as the indicator as understood by FIPS 140-3. That means
++that every operation that succeeds denotes use of an approved security service.
++Operations that do not succeed may not have been approved security services, or
++may have been used incorrectly.
++
++For signatures, an explicit indicator API is available to determine whether
++a selected operation is an approved security service, in combination with the
++return code of the operation. For a signature operation to be approved, the
++explicit indicator must claim it as approved, and it must succeed.
++
++=head2 Querying the explicit indicator
++
++The Red Hat OpenSSL FIPS provider exports a symbol named
++I<redhat_ossl_query_fipsindicator> that provides information on which signature
++operations are approved security functions. To use this function, either link
++against I<fips.so> directly, or load it at runtime using dlopen(3) and
++dlsym(3).
++
++    #include <openssl/core_dispatch.h>
++    #include "providers/fips/indicator.h"
++
++    void *provider = dlopen("/usr/lib64/ossl-modules/fips.so", RTLD_LAZY);
++    if (provider == NULL) {
++        fprintf(stderr, "%s\n", dlerror());
++        // handle error
++    }
++
++    const OSSL_RH_FIPSINDICATOR_ALORITHM *(*redhat_ossl_query_fipsindicator)(int) \
++        = dlsym(provider, "redhat_ossl_query_fipsindicator");
++    if (redhat_ossl_query_fipsindicator == NULL) {
++        fprintf(stderr, "%s\n", dlerror());
++        fprintf(stderr, "Does your copy of fips.so have the required Red Hat"
++                        " patches?\n");
++        // handle error
++    }
++
++Note that this uses the I<providers/fips/indicator.h> header, which is not
++public. Install the I<openssl-debugsource> package from the I<BaseOS-debuginfo>
++repository using I<dnf debuginfo-install openssl> and include
++I</usr/src/debug/openssl-3.*/> in the compiler's include path.
++
++I<redhat_ossl_query_fipsindicator> expects an operation ID as its only
++argument. Currently, the only supported operation ID is I<OSSL_OP_SIGNATURE> to
++obtain the indicators for signature operations. On success, the return value is
++a pointer to an array of I<OSSL_RH_FIPSINDICATOR_STRUCT>s. On failure, NULL is
++returned. The last entry in the array is indicated by I<algorithm_names> being
++NULL.
++
++    typedef struct ossl_rh_fipsindicator_algorithm_st {
++        const char *algorithm_names;     /* key */
++        const char *property_definition; /* key */
++        const OSSL_RH_FIPSINDICATOR_DISPATCH *indicators;
++    } OSSL_RH_FIPSINDICATOR_ALGORITHM;
++
++    typedef struct ossl_rh_fipsindicator_dispatch_st {
++        int function_id;
++        int approved;
++    } OSSL_RH_FIPSINDICATOR_DISPATCH;
++
++The I<algorithm_names> field is a colon-separated list of algorithm names from
++one of the I<PROV_NAMES_...> constants, e.g., I<PROV_NAMES_RSA>. strtok(3) can
++be used to locate the appropriate entry. See the example below, where
++I<algorithm> contains the algorithm name to search for:
++
++    const OSSL_RH_FIPSINDICATOR_DISPATCH *indicator_dispatch = NULL;
++    const OSSL_RH_FIPSINDICATOR_ALGORITHM *indicator =
++        redhat_ossl_query_fipsindicator(operation_id);
++    if (indicator == NULL) {
++        fprintf(stderr, "No indicator for operation, probably using implicit"
++                        " indicators.\n");
++        // handle error
++    }
++
++    for (; indicator->algorithm_names != NULL; ++indicator) {
++        char *algorithm_names = strdup(indicator->algorithm_names);
++        if (algorithm_names == NULL) {
++            perror("strdup(3)");
++            // handle error
++        }
++
++        const char *algorithm_name = strtok(algorithm_names, ":");
++        for (; algorithm_name != NULL; algorithm_name = strtok(NULL, ":")) {
++            if (strcasecmp(algorithm_name, algorithm) == 0) {
++                indicator_dispatch = indicator->indicators;
++                free(algorithm_names);
++                algorithm_names = NULL;
++                break;
++            }
++        }
++        free(algorithm_names);
++    }
++    if (indicator_dispatch == NULL) {
++        fprintf(stderr, "No indicator for algorithm %s.\n", algorithm);
++        // handle error
++    }
++
++If an appropriate I<OSSL_RH_FIPSINDICATOR_DISPATCH> array is available for the
++given algorithm name, it maps function IDs to their approval status. The last
++entry is indicated by a zero I<function_id>. I<approved> is
++I<OSSL_RH_FIPSINDICATOR_APPROVED> if the operation is an approved security
++service, or part of an approved security service, or
++I<OSSL_RH_FIPSINDICATOR_UNAPPROVED> otherwise. Any other value is invalid.
++Function IDs are I<OSSL_FUNC_*> constants from I<openssl/core_dispatch.h>,
++e.g., I<OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE> or I<OSSL_FUNC_SIGNATURE_SIGN>.
++
++Assuming I<function_id> is the function in question, the following code can be
++used to query the approval status:
++
++    for (; indicator_dispatch->function_id != 0; ++indicator_dispatch) {
++        if (indicator_dispatch->function_id == function_id) {
++            switch (indicator_dispatch->approved) {
++                case OSSL_RH_FIPSINDICATOR_APPROVED:
++                    // approved security service
++                    break;
++                case OSSL_RH_FIPSINDICATOR_UNAPPROVED:
++                    // unapproved security service
++                    break;
++                default:
++                    // invalid result
++                    break;
++            }
++            break;
++        }
++    }
++
++=head1 SEE ALSO
++
++L<fips_module(7)>, L<provider(7)>
++
++=head1 COPYRIGHT
++
++Copyright 2022 Red Hat, Inc. All Rights Reserved.
++
++Licensed under the Apache License 2.0 (the "License").  You may not use
++this file except in compliance with the License.  You can obtain a copy
++in the file LICENSE in the source distribution or at
++L<https://www.openssl.org/source/license.html>.
++
++=cut
+diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
+index de391ce067..1cfd71c5cf 100644
+--- a/providers/fips/fipsprov.c
++++ b/providers/fips/fipsprov.c
+@@ -23,6 +23,7 @@
+ #include "self_test.h"
+ #include "crypto/context.h"
+ #include "internal/core.h"
++#include "indicator.h"
+ 
+ static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes";
+ static const char FIPS_UNAPPROVED_PROPERTIES[] = "provider=fips,fips=no";
+@@ -425,6 +426,68 @@ static const OSSL_ALGORITHM fips_signature[] = {
+     { NULL, NULL, NULL }
+ };
+ 
++static const OSSL_RH_FIPSINDICATOR_DISPATCH redhat_rsa_signature_indicators[] = {
++    { OSSL_FUNC_SIGNATURE_NEWCTX, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_SIGN_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
++    { OSSL_FUNC_SIGNATURE_SIGN, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
++    { OSSL_FUNC_SIGNATURE_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
++    { OSSL_FUNC_SIGNATURE_VERIFY, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
++    { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
++    { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
++    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_FREECTX, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_DUPCTX, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { 0, OSSL_RH_FIPSINDICATOR_UNAPPROVED }
++};
++
++static const OSSL_RH_FIPSINDICATOR_DISPATCH redhat_ecdsa_signature_indicators[] = {
++    { OSSL_FUNC_SIGNATURE_NEWCTX, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_SIGN_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
++    { OSSL_FUNC_SIGNATURE_SIGN, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
++    { OSSL_FUNC_SIGNATURE_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
++    { OSSL_FUNC_SIGNATURE_VERIFY, OSSL_RH_FIPSINDICATOR_UNAPPROVED },
++    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_FREECTX, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_DUPCTX, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED },
++    { 0, OSSL_RH_FIPSINDICATOR_UNAPPROVED }
++};
++
++static const OSSL_RH_FIPSINDICATOR_ALGORITHM redhat_indicator_fips_signature[] = {
++    { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES,
++        redhat_rsa_signature_indicators },
++#ifndef OPENSSL_NO_EC
++    { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES,
++        redhat_ecdsa_signature_indicators },
++#endif
++    { NULL, NULL, NULL }
++};
++
+ static const OSSL_ALGORITHM fips_asym_cipher[] = {
+     { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_asym_cipher_functions },
+     { NULL, NULL, NULL }
+@@ -527,6 +590,14 @@ static void fips_deinit_casecmp(void) {
+     return NULL;
+ }
+ 
++const OSSL_RH_FIPSINDICATOR_ALGORITHM *redhat_ossl_query_fipsindicator(int operation_id) {
++    switch (operation_id) {
++    case OSSL_OP_SIGNATURE:
++        return redhat_indicator_fips_signature;
++    }
++    return NULL;
++}
++
+ static void fips_teardown(void *provctx)
+ {
+     OSSL_LIB_CTX_free(PROV_LIBCTX_OF(provctx));
+diff --git a/providers/fips/indicator.h b/providers/fips/indicator.h
+new file mode 100644
+index 0000000000..b323efe44c
+--- /dev/null
++++ b/providers/fips/indicator.h
+@@ -0,0 +1,66 @@
++/*
++ * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the Apache License 2.0 (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#ifndef OPENSSL_FIPS_INDICATOR_H
++# define OPENSSL_FIPS_INDICATOR_H
++# pragma once
++
++# ifdef __cplusplus
++extern "C" {
++# endif
++
++# define OSSL_RH_FIPSINDICATOR_UNAPPROVED (0)
++# define OSSL_RH_FIPSINDICATOR_APPROVED (1)
++
++/*
++ * FIPS indicator dispatch table element.  function_id numbers and the
++ * functions are defined in core_dispatch.h, see macros with
++ * 'OSSL_CORE_MAKE_FUNC' in their names.
++ *
++ * An array of these is always terminated by function_id == 0
++ */
++typedef struct ossl_rh_fipsindicator_dispatch_st {
++    int function_id;
++    int approved;
++} OSSL_RH_FIPSINDICATOR_DISPATCH;
++
++/*
++ * Type to tie together algorithm names, property definition string and the
++ * algorithm implementation's FIPS indicator status in the form of a FIPS
++ * indicator dispatch table.
++ *
++ * An array of these is always terminated by algorithm_names == NULL
++ */
++typedef struct ossl_rh_fipsindicator_algorithm_st {
++    const char *algorithm_names;     /* key */
++    const char *property_definition; /* key */
++    const OSSL_RH_FIPSINDICATOR_DISPATCH *indicators;
++} OSSL_RH_FIPSINDICATOR_ALGORITHM;
++
++/**
++ * Query FIPS indicator status for the given operation.  Possible values for
++ * 'operation_id' are currently only OSSL_OP_SIGNATURE, as all other algorithms
++ * use implicit indicators.  The return value is an array of
++ * OSSL_RH_FIPSINDICATOR_ALGORITHMs, terminated by an entry with
++ * algorithm_names == NULL.  'algorithm_names' is a colon-separated list of
++ * algorithm names, 'property_definition' a comma-separated list of properties,
++ * and 'indicators' is a list of OSSL_RH_FIPSINDICATOR_DISPATCH structs.  This
++ * list is terminated by function_id == 0.  'function_id' is one of the
++ * OSSL_FUNC_* constants, e.g., OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL.
++ *
++ * If there is no entry in the returned struct for the given operation_id,
++ * algorithm name, or function_id, the algorithm is unapproved.
++ */
++const OSSL_RH_FIPSINDICATOR_ALGORITHM *redhat_ossl_query_fipsindicator(int operation_id);
++
++# ifdef __cplusplus
++}
++# endif
++
++#endif
+diff --git a/util/mkdef.pl b/util/mkdef.pl
+index a1c76f7c97..eda39b71ee 100755
+--- a/util/mkdef.pl
++++ b/util/mkdef.pl
+@@ -149,7 +149,8 @@ $ordinal_opts{filter} =
+         return
+             $item->exists()
+             && platform_filter($item)
+-            && feature_filter($item);
++            && feature_filter($item)
++            && fips_filter($item, $name);
+     };
+ my $ordinals = OpenSSL::Ordinals->new(from => $ordinals_file);
+ 
+@@ -205,6 +206,28 @@ sub feature_filter {
+     return $verdict;
+ }
+ 
++sub fips_filter {
++    my $item = shift;
++    my $name = uc(shift);
++    my @features = ( $item->features() );
++
++    # True if no features are defined
++    return 1 if scalar @features == 0;
++
++    my @matches = grep(/^ONLY_.*$/, @features);
++    if (@matches) {
++        # There is at least one only_* flag on this symbol, check if any of
++        # them match the name
++        for (@matches) {
++            if ($_ eq "ONLY_${name}") {
++                return 1;
++            }
++        }
++        return 0;
++    }
++    return 1;
++}
++
+ sub sorter_unix {
+     my $by_name = OpenSSL::Ordinals::by_name();
+     my %weight = (
+diff --git a/util/providers.num b/util/providers.num
+index 4e2fa81b98..77879d0e5f 100644
+--- a/util/providers.num
++++ b/util/providers.num
+@@ -1 +1,2 @@
+ OSSL_provider_init                     1	*	EXIST::FUNCTION:
++redhat_ossl_query_fipsindicator        1	*	EXIST::FUNCTION:ONLY_PROVIDERS/FIPS
+-- 
+2.35.3
+

0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch

@@ -0,0 +1,350 @@
+From abeda0b0475adb0d4f89b0c97cfc349779915bbf Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Mon, 31 Jul 2023 09:41:28 +0200
+Subject: [PATCH 29/35] 
+ 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
+
+Patch-name: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
+Patch-id: 73
+Patch-status: |
+    # https://bugzilla.redhat.com/show_bug.cgi?id=2102535
+From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
+---
+ crypto/rsa/rsa_local.h                        |  8 ++
+ crypto/rsa/rsa_oaep.c                         | 34 ++++++--
+ include/openssl/core_names.h                  |  3 +
+ providers/fips/self_test_data.inc             | 79 ++++++++++---------
+ providers/fips/self_test_kats.c               |  7 ++
+ .../implementations/asymciphers/rsa_enc.c     | 41 +++++++++-
+ 6 files changed, 128 insertions(+), 44 deletions(-)
+
+diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h
+index ea70da05ad..dde57a1a0e 100644
+--- a/crypto/rsa/rsa_local.h
++++ b/crypto/rsa/rsa_local.h
+@@ -193,4 +193,12 @@ int ossl_rsa_padding_add_PKCS1_type_2_ex(OSSL_LIB_CTX *libctx, unsigned char *to
+                                          int tlen, const unsigned char *from,
+                                          int flen);
+ 
++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx,
++                                             unsigned char *to, int tlen,
++                                             const unsigned char *from, int flen,
++                                             const unsigned char *param,
++                                             int plen, const EVP_MD *md,
++                                             const EVP_MD *mgf1md,
++                                             const char *redhat_st_seed);
++
+ #endif /* OSSL_CRYPTO_RSA_LOCAL_H */
+diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
+index d9be1a4f98..b2f7f7dc4b 100644
+--- a/crypto/rsa/rsa_oaep.c
++++ b/crypto/rsa/rsa_oaep.c
+@@ -44,6 +44,10 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
+                                                    param, plen, NULL, NULL);
+ }
+ 
++#ifdef FIPS_MODULE
++extern int REDHAT_FIPS_asym_cipher_st;
++#endif /* FIPS_MODULE */
++
+ /*
+  * Perform the padding as per NIST 800-56B 7.2.2.3
+  *      from (K) is the key material.
+@@ -51,12 +55,13 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
+  * Step numbers are included here but not in the constant time inverse below
+  * to avoid complicating an already difficult enough function.
+  */
+-int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
+-                                            unsigned char *to, int tlen,
+-                                            const unsigned char *from, int flen,
+-                                            const unsigned char *param,
+-                                            int plen, const EVP_MD *md,
+-                                            const EVP_MD *mgf1md)
++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx,
++                                             unsigned char *to, int tlen,
++                                             const unsigned char *from, int flen,
++                                             const unsigned char *param,
++                                             int plen, const EVP_MD *md,
++                                             const EVP_MD *mgf1md,
++                                             const char *redhat_st_seed)
+ {
+     int rv = 0;
+     int i, emlen = tlen - 1;
+@@ -107,6 +112,11 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
+     db[emlen - flen - mdlen - 1] = 0x01;
+     memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen);
+     /* step 3d: generate random byte string */
++#ifdef FIPS_MODULE
++    if (redhat_st_seed != NULL && REDHAT_FIPS_asym_cipher_st) {
++        memcpy(seed, redhat_st_seed, mdlen);
++    } else
++#endif
+     if (RAND_bytes_ex(libctx, seed, mdlen, 0) <= 0)
+         goto err;
+ 
+@@ -138,6 +148,18 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
+     return rv;
+ }
+ 
++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
++                                            unsigned char *to, int tlen,
++                                            const unsigned char *from, int flen,
++                                            const unsigned char *param,
++                                            int plen, const EVP_MD *md,
++                                            const EVP_MD *mgf1md)
++{
++    return ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(libctx, to, tlen, from,
++                                                    flen, param, plen, md,
++                                                    mgf1md, NULL);
++}
++
+ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
+                                     const unsigned char *from, int flen,
+                                     const unsigned char *param, int plen,
+diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
+index 5e3c132f5b..c0cce14297 100644
+--- a/include/openssl/core_names.h
++++ b/include/openssl/core_names.h
+@@ -471,6 +471,9 @@ extern "C" {
+ #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL               "oaep-label"
+ #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION       "tls-client-version"
+ #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION   "tls-negotiated-version"
++#ifdef FIPS_MODULE
++#define OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED     "redhat-kat-oaep-seed"
++#endif
+ 
+ /*
+  * Encoder / decoder parameters
+diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
+index e0fdc0daa4..aa2012c04a 100644
+--- a/providers/fips/self_test_data.inc
++++ b/providers/fips/self_test_data.inc
+@@ -1296,14 +1296,21 @@ static const ST_KAT_PARAM rsa_priv_key[] = {
+ };
+ 
+ /*-
+- * Using OSSL_PKEY_RSA_PAD_MODE_NONE directly in the expansion of the
++ * Using OSSL_PKEY_RSA_PAD_MODE_OAEP directly in the expansion of the
+  * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient
+  * HP/UX PA-RISC compilers.
+  */
+-static const char pad_mode_none[] = OSSL_PKEY_RSA_PAD_MODE_NONE;
++static const char pad_mode_oaep[] = OSSL_PKEY_RSA_PAD_MODE_OAEP;
++static const char oaep_fixed_seed[] = {
++    0xf6, 0x10, 0xef, 0x0a, 0x97, 0xbf, 0x91, 0x25,
++    0x97, 0xcf, 0x8e, 0x0a, 0x75, 0x51, 0x2f, 0xab,
++    0x2e, 0x4b, 0x2c, 0xe6
++};
+ 
+ static const ST_KAT_PARAM rsa_enc_params[] = {
+-    ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_none),
++    ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_oaep),
++    ST_KAT_PARAM_OCTET(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED,
++                       oaep_fixed_seed),
+     ST_KAT_PARAM_END()
+ };
+ 
+@@ -1342,43 +1349,43 @@ static const unsigned char rsa_expected_sig[256] = {
+     0x2c, 0x68, 0xf0, 0x37, 0xa9, 0xd2, 0x56, 0xd6
+ };
+ 
+-static const unsigned char rsa_asym_plaintext_encrypt[256] = {
++static const unsigned char rsa_asym_plaintext_encrypt[208] = {
+    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+    0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
+ };
+ static const unsigned char rsa_asym_expected_encrypt[256] = {
+-    0x54, 0xac, 0x23, 0x96, 0x1d, 0x82, 0x5d, 0x8b,
+-    0x8f, 0x36, 0x33, 0xd0, 0xf4, 0x02, 0xa2, 0x61,
+-    0xb1, 0x13, 0xd4, 0x4a, 0x46, 0x06, 0x37, 0x3c,
+-    0xbf, 0x40, 0x05, 0x3c, 0xc6, 0x3b, 0x64, 0xdc,
+-    0x22, 0x22, 0xaf, 0x36, 0x79, 0x62, 0x45, 0xf0,
+-    0x97, 0x82, 0x22, 0x44, 0x86, 0x4a, 0x7c, 0xfa,
+-    0xac, 0x03, 0x21, 0x84, 0x3f, 0x31, 0xad, 0x2a,
+-    0xa4, 0x6e, 0x7a, 0xc5, 0x93, 0xf3, 0x0f, 0xfc,
+-    0xf1, 0x62, 0xce, 0x82, 0x12, 0x45, 0xc9, 0x35,
+-    0xb0, 0x7a, 0xcd, 0x99, 0x8c, 0x91, 0x6b, 0x5a,
+-    0xd3, 0x46, 0xdb, 0xf9, 0x9e, 0x52, 0x49, 0xbd,
+-    0x1e, 0xe8, 0xda, 0xac, 0x61, 0x47, 0xc2, 0xda,
+-    0xfc, 0x1e, 0xfb, 0x74, 0xd7, 0xd6, 0xc1, 0x18,
+-    0x86, 0x3e, 0x20, 0x9c, 0x7a, 0xe1, 0x04, 0xb7,
+-    0x38, 0x43, 0xb1, 0x4e, 0xa0, 0xd8, 0xc1, 0x39,
+-    0x4d, 0xe1, 0xd3, 0xb0, 0xb3, 0xf1, 0x82, 0x87,
+-    0x1f, 0x74, 0xb5, 0x69, 0xfd, 0x33, 0xd6, 0x21,
+-    0x7c, 0x61, 0x60, 0x28, 0xca, 0x70, 0xdb, 0xa0,
+-    0xbb, 0xc8, 0x73, 0xa9, 0x82, 0xf8, 0x6b, 0xd8,
+-    0xf0, 0xc9, 0x7b, 0x20, 0xdf, 0x9d, 0xfb, 0x8c,
+-    0xd4, 0xa2, 0x89, 0xe1, 0x9b, 0x04, 0xad, 0xaa,
+-    0x11, 0x6c, 0x8f, 0xce, 0x83, 0x29, 0x56, 0x69,
+-    0xbb, 0x00, 0x3b, 0xef, 0xca, 0x2d, 0xcd, 0x52,
+-    0xc8, 0xf1, 0xb3, 0x9b, 0xb4, 0x4f, 0x6d, 0x9c,
+-    0x3d, 0x69, 0xcc, 0x6d, 0x1f, 0x38, 0x4d, 0xe6,
+-    0xbb, 0x0c, 0x87, 0xdc, 0x5f, 0xa9, 0x24, 0x93,
+-    0x03, 0x46, 0xa2, 0x33, 0x6c, 0xf4, 0xd8, 0x5d,
+-    0x68, 0xf3, 0xd3, 0xe0, 0xf2, 0x30, 0xdb, 0xf5,
+-    0x4f, 0x0f, 0xad, 0xc7, 0xd0, 0xaa, 0x47, 0xd9,
+-    0x9f, 0x85, 0x1b, 0x2e, 0x6c, 0x3c, 0x57, 0x04,
+-    0x29, 0xf4, 0xf5, 0x66, 0x7d, 0x93, 0x4a, 0xaa,
+-    0x05, 0x52, 0x55, 0xc1, 0xc6, 0x06, 0x90, 0xab,
++    0x6c, 0x21, 0xc1, 0x9e, 0x94, 0xee, 0xdf, 0x74,
++    0x3a, 0x3c, 0x7c, 0x04, 0x1a, 0x53, 0x9e, 0x7c,
++    0x42, 0xac, 0x7e, 0x28, 0x9a, 0xb7, 0xe2, 0x4e,
++    0x87, 0xd4, 0x00, 0x69, 0x71, 0xf0, 0x3e, 0x0b,
++    0xc1, 0xda, 0xd6, 0xbd, 0x21, 0x39, 0x4f, 0x25,
++    0x22, 0x1f, 0x76, 0x0d, 0x62, 0x1f, 0xa2, 0x89,
++    0xdb, 0x38, 0x32, 0x88, 0x21, 0x1d, 0x89, 0xf1,
++    0xe0, 0x14, 0xd4, 0xb7, 0x90, 0xfc, 0xbc, 0x50,
++    0xb0, 0x8d, 0x5c, 0x2f, 0x49, 0x9e, 0x90, 0x17,
++    0x9e, 0x60, 0x9f, 0xe1, 0x77, 0x4f, 0x11, 0xa2,
++    0xcf, 0x16, 0x65, 0x2d, 0x4a, 0x2c, 0x12, 0xcb,
++    0x1e, 0x3c, 0x29, 0x8b, 0xdc, 0x27, 0x06, 0x9d,
++    0xf4, 0x0d, 0xe1, 0xc9, 0xeb, 0x14, 0x6a, 0x7e,
++    0xfd, 0xa7, 0xa8, 0xa7, 0x51, 0x82, 0x62, 0x0f,
++    0x29, 0x8d, 0x8c, 0x5e, 0xf2, 0xb8, 0xcd, 0xd3,
++    0x51, 0x92, 0xa7, 0x25, 0x39, 0x9d, 0xdd, 0x06,
++    0xff, 0xb1, 0xb0, 0xd5, 0x61, 0x03, 0x8f, 0x25,
++    0x5c, 0x49, 0x12, 0xc1, 0x50, 0x67, 0x61, 0x78,
++    0xb3, 0xe3, 0xc4, 0xf6, 0x36, 0x16, 0xa9, 0x04,
++    0x91, 0x0a, 0x4b, 0x27, 0x28, 0x97, 0x50, 0x7c,
++    0x65, 0x2d, 0xd0, 0x08, 0x71, 0x84, 0xe7, 0x47,
++    0x79, 0x83, 0x91, 0x46, 0xd9, 0x8f, 0x79, 0xce,
++    0x49, 0xcb, 0xcd, 0x8b, 0x34, 0xac, 0x61, 0xe0,
++    0xe6, 0x55, 0xbf, 0x10, 0xe4, 0xac, 0x9a, 0xd6,
++    0xed, 0xc1, 0xc2, 0xb6, 0xb6, 0xf7, 0x41, 0x99,
++    0xde, 0xfa, 0xde, 0x11, 0x16, 0xa2, 0x18, 0x30,
++    0x30, 0xdc, 0x95, 0x76, 0x2f, 0x46, 0x43, 0x20,
++    0xc4, 0xe7, 0x50, 0xb9, 0x1e, 0xcd, 0x69, 0xbb,
++    0x29, 0x94, 0x27, 0x9c, 0xc9, 0xab, 0xb4, 0x27,
++    0x8b, 0x4d, 0xe1, 0xcb, 0xc1, 0x04, 0x2c, 0x66,
++    0x41, 0x3a, 0x4d, 0xeb, 0x61, 0x4c, 0x77, 0x5a,
++    0xee, 0xb0, 0xca, 0x99, 0x0e, 0x7f, 0xbe, 0x06
+ };
+ 
+ #ifndef OPENSSL_NO_EC
+diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
+index 74ee25dcb6..a9bc8be7fa 100644
+--- a/providers/fips/self_test_kats.c
++++ b/providers/fips/self_test_kats.c
+@@ -641,14 +641,21 @@ static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
+     return ret;
+ }
+ 
++int REDHAT_FIPS_asym_cipher_st = 0;
++
+ static int self_test_asym_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
+ {
+     int i, ret = 1;
+ 
++    REDHAT_FIPS_asym_cipher_st = 1;
++
+     for (i = 0; i < (int)OSSL_NELEM(st_kat_asym_cipher_tests); ++i) {
+         if (!self_test_asym_cipher(&st_kat_asym_cipher_tests[i], st, libctx))
+             ret = 0;
+     }
++
++    REDHAT_FIPS_asym_cipher_st = 0;
++
+     return ret;
+ }
+ 
+diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
+index 9cd8904131..40de5ce8fa 100644
+--- a/providers/implementations/asymciphers/rsa_enc.c
++++ b/providers/implementations/asymciphers/rsa_enc.c
+@@ -30,6 +30,9 @@
+ #include "prov/implementations.h"
+ #include "prov/providercommon.h"
+ #include "prov/securitycheck.h"
++#ifdef FIPS_MODULE
++# include "crypto/rsa/rsa_local.h"
++#endif
+ 
+ #include <stdlib.h>
+ 
+@@ -75,6 +78,9 @@ typedef struct {
+     /* TLS padding */
+     unsigned int client_version;
+     unsigned int alt_version;
++#ifdef FIPS_MODULE
++    char *redhat_st_oaep_seed;
++#endif /* FIPS_MODULE */
+ } PROV_RSA_CTX;
+ 
+ static void *rsa_newctx(void *provctx)
+@@ -192,12 +198,21 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
+             }
+         }
+         ret =
+-            ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(prsactx->libctx, tbuf,
++#ifdef FIPS_MODULE
++            ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(
++#else
++            ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(
++#endif
++                                                    prsactx->libctx, tbuf,
+                                                     rsasize, in, inlen,
+                                                     prsactx->oaep_label,
+                                                     prsactx->oaep_labellen,
+                                                     prsactx->oaep_md,
+-                                                    prsactx->mgf1_md);
++                                                    prsactx->mgf1_md
++#ifdef FIPS_MODULE
++                                                    , prsactx->redhat_st_oaep_seed
++#endif
++                                                    );
+ 
+         if (!ret) {
+             OPENSSL_free(tbuf);
+@@ -328,6 +343,9 @@ static void rsa_freectx(void *vprsactx)
+     EVP_MD_free(prsactx->oaep_md);
+     EVP_MD_free(prsactx->mgf1_md);
+     OPENSSL_free(prsactx->oaep_label);
++#ifdef FIPS_MODULE
++    OPENSSL_free(prsactx->redhat_st_oaep_seed);
++#endif /* FIPS_MODULE */
+ 
+     OPENSSL_free(prsactx);
+ }
+@@ -447,6 +465,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
+                     NULL, 0),
+     OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),
+     OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
++#ifdef FIPS_MODULE
++    OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0),
++#endif /* FIPS_MODULE */
+     OSSL_PARAM_END
+ };
+ 
+@@ -456,6 +477,10 @@ static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx,
+     return known_gettable_ctx_params;
+ }
+ 
++#ifdef FIPS_MODULE
++extern int REDHAT_FIPS_asym_cipher_st;
++#endif /* FIPS_MODULE */
++
+ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
+ {
+     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
+@@ -567,6 +592,18 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
+         prsactx->oaep_labellen = tmp_labellen;
+     }
+ 
++#ifdef FIPS_MODULE
++    p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED);
++    if (p != NULL && REDHAT_FIPS_asym_cipher_st) {
++        void *tmp_oaep_seed = NULL;
++
++        if (!OSSL_PARAM_get_octet_string(p, &tmp_oaep_seed, 0, NULL))
++            return 0;
++        OPENSSL_free(prsactx->redhat_st_oaep_seed);
++        prsactx->redhat_st_oaep_seed = (char *)tmp_oaep_seed;
++    }
++#endif /* FIPS_MODULE */
++
+     p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION);
+     if (p != NULL) {
+         unsigned int client_version;
+-- 
+2.41.0
+

0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch

@@ -0,0 +1,312 @@
+From 97ac06e5a8e3a8699279c06eeb64c8e958bad7bd Mon Sep 17 00:00:00 2001
+From: Clemens Lang <cllang@redhat.com>
+Date: Fri, 15 Jul 2022 17:45:40 +0200
+Subject: [PATCH] FIPS: Use digest_sign & digest_verify in self test
+
+In review for FIPS 140-3, the lack of a self-test for the digest_sign
+and digest_verify provider functions was highlighted as a problem. NIST
+no longer provides ACVP tests for the RSA SigVer primitive (see
+https://github.com/usnistgov/ACVP/issues/1347). Because FIPS 140-3
+recommends the use of functions that compute the digest and signature
+within the module, we have been advised in our module review that the
+self tests should also use the combined digest and signature APIs, i.e.
+the digest_sign and digest_verify provider functions.
+
+Modify the signature self-test to use these instead by switching to
+EVP_DigestSign and EVP_DigestVerify. This requires adding more ifdefs to
+crypto/evp/m_sigver.c to make these functions usable in the FIPS module.
+
+Signed-off-by: Clemens Lang <cllang@redhat.com>
+---
+ crypto/evp/m_sigver.c           | 43 +++++++++++++++++++++++++++------
+ providers/fips/self_test_kats.c | 37 +++++++++++++++-------------
+ 2 files changed, 56 insertions(+), 24 deletions(-)
+
+diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
+index db1a1d7bc3..c94c3c53bd 100644
+--- a/crypto/evp/m_sigver.c
++++ b/crypto/evp/m_sigver.c
+@@ -88,6 +88,7 @@ static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
+     ERR_raise(ERR_LIB_EVP, EVP_R_ONLY_ONESHOT_SUPPORTED);
+     return 0;
+ }
++#endif /* !defined(FIPS_MODULE) */
+ 
+ /*
+  * If we get the "NULL" md then the name comes back as "UNDEF". We want to use
+@@ -130,8 +131,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
+         reinit = 0;
+         if (e == NULL)
+             ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props);
++#ifndef FIPS_MODULE
+         else
+             ctx->pctx = EVP_PKEY_CTX_new(pkey, e);
++#endif /* !defined(FIPS_MODULE) */
+     }
+     if (ctx->pctx == NULL)
+         return 0;
+@@ -139,8 +142,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
+     locpctx = ctx->pctx;
+     ERR_set_mark();
+ 
++#ifndef FIPS_MODULE
+     if (evp_pkey_ctx_is_legacy(locpctx))
+         goto legacy;
++#endif /* !defined(FIPS_MODULE) */
+ 
+     /* do not reinitialize if pkey is set or operation is different */
+     if (reinit
+@@ -225,8 +230,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
+             signature =
+                 evp_signature_fetch_from_prov((OSSL_PROVIDER *)tmp_prov,
+                                               supported_sig, locpctx->propquery);
++#ifndef FIPS_MODULE
+             if (signature == NULL)
+                 goto legacy;
++#endif /* !defined(FIPS_MODULE) */
+             break;
+         }
+         if (signature == NULL)
+@@ -310,6 +317,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
+             ctx->fetched_digest = EVP_MD_fetch(locpctx->libctx, mdname, props);
+             if (ctx->fetched_digest != NULL) {
+                 ctx->digest = ctx->reqdigest = ctx->fetched_digest;
++#ifndef FIPS_MODULE
+             } else {
+                 /* legacy engine support : remove the mark when this is deleted */
+                 ctx->reqdigest = ctx->digest = EVP_get_digestbyname(mdname);
+@@ -318,11 +326,13 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
+                     ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
+                     goto err;
+                 }
++#endif /* !defined(FIPS_MODULE) */
+             }
+             (void)ERR_pop_to_mark();
+         }
+     }
+ 
++#ifndef FIPS_MODULE
+     if (ctx->reqdigest != NULL
+             && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
+             && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
+@@ -334,6 +344,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
+             goto err;
+         }
+     }
++#endif /* !defined(FIPS_MODULE) */
+ 
+     if (ver) {
+         if (signature->digest_verify_init == NULL) {
+@@ -366,6 +377,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
+     EVP_KEYMGMT_free(tmp_keymgmt);
+     return 0;
+ 
++#ifndef FIPS_MODULE
+  legacy:
+     /*
+      * If we don't have the full support we need with provided methods,
+@@ -437,6 +449,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
+         ctx->pctx->flag_call_digest_custom = 1;
+ 
+     ret = 1;
++#endif /* !defined(FIPS_MODULE) */
+ 
+  end:
+ #ifndef FIPS_MODULE
+@@ -479,7 +492,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
+     return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1,
+                           NULL);
+ }
+-#endif /* FIPS_MDOE */
+ 
+ int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
+ {
+@@ -541,23 +553,29 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
+     return EVP_DigestUpdate(ctx, data, dsize);
+ }
+ 
+-#ifndef FIPS_MODULE
+ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
+                         size_t *siglen)
+ {
+-    int sctx = 0, r = 0;
+-    EVP_PKEY_CTX *dctx, *pctx = ctx->pctx;
++    int r = 0;
++#ifndef FIPS_MODULE
++    int sctx = 0;
++    EVP_PKEY_CTX *dctx;
++#endif /* !defined(FIPS_MODULE) */
++    EVP_PKEY_CTX *pctx = ctx->pctx;
+ 
++#ifndef FIPS_MODULE
+     if (pctx == NULL
+             || pctx->operation != EVP_PKEY_OP_SIGNCTX
+             || pctx->op.sig.algctx == NULL
+             || pctx->op.sig.signature == NULL)
+         goto legacy;
++#endif /* !defined(FIPS_MODULE) */
+ 
+     if (sigret == NULL || (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0)
+         return pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx,
+                                                          sigret, siglen,
+                                                          sigret == NULL ? 0 : *siglen);
++#ifndef FIPS_MODULE
+     dctx = EVP_PKEY_CTX_dup(pctx);
+     if (dctx == NULL)
+         return 0;
+@@ -566,8 +584,10 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
+                                                   sigret, siglen,
+                                                   *siglen);
+     EVP_PKEY_CTX_free(dctx);
++#endif /* defined(FIPS_MODULE) */
+     return r;
+ 
++#ifndef FIPS_MODULE
+  legacy:
+     if (pctx == NULL || pctx->pmeth == NULL) {
+         ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
+@@ -639,6 +659,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
+         }
+     }
+     return 1;
++#endif /* !defined(FIPS_MODULE) */
+ }
+ 
+ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
+@@ -669,21 +690,27 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
+ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
+                           size_t siglen)
+ {
+-    unsigned char md[EVP_MAX_MD_SIZE];
+     int r = 0;
++#ifndef FIPS_MODULE
++    unsigned char md[EVP_MAX_MD_SIZE];
+     unsigned int mdlen = 0;
+     int vctx = 0;
+-    EVP_PKEY_CTX *dctx, *pctx = ctx->pctx;
++    EVP_PKEY_CTX *dctx;
++#endif /* !defined(FIPS_MODULE) */
++    EVP_PKEY_CTX *pctx = ctx->pctx;
+ 
++#ifndef FIPS_MODULE
+     if (pctx == NULL
+             || pctx->operation != EVP_PKEY_OP_VERIFYCTX
+             || pctx->op.sig.algctx == NULL
+             || pctx->op.sig.signature == NULL)
+         goto legacy;
++#endif /* !defined(FIPS_MODULE) */
+ 
+     if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0)
+         return pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx,
+                                                            sig, siglen);
++#ifndef FIPS_MODULE
+     dctx = EVP_PKEY_CTX_dup(pctx);
+     if (dctx == NULL)
+         return 0;
+@@ -691,8 +718,10 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
+     r = dctx->op.sig.signature->digest_verify_final(dctx->op.sig.algctx,
+                                                     sig, siglen);
+     EVP_PKEY_CTX_free(dctx);
++#endif /* !defined(FIPS_MODULE) */
+     return r;
+ 
++#ifndef FIPS_MODULE
+  legacy:
+     if (pctx == NULL || pctx->pmeth == NULL) {
+         ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
+@@ -732,6 +761,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
+     if (vctx || !r)
+         return r;
+     return EVP_PKEY_verify(pctx, sig, siglen, md, mdlen);
++#endif /* !defined(FIPS_MODULE) */
+ }
+ 
+ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
+@@ -757,4 +787,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
+         return -1;
+     return EVP_DigestVerifyFinal(ctx, sigret, siglen);
+ }
+-#endif /* FIPS_MODULE */
+diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
+index b6d5e8e134..77eec075e6 100644
+--- a/providers/fips/self_test_kats.c
++++ b/providers/fips/self_test_kats.c
+@@ -444,10 +444,13 @@ static int self_test_sign(const ST_KAT_SIGN *t,
+     int ret = 0;
+     OSSL_PARAM *params = NULL, *params_sig = NULL;
+     OSSL_PARAM_BLD *bld = NULL;
++    EVP_MD *md = NULL;
++    EVP_MD_CTX *ctx = NULL;
+     EVP_PKEY_CTX *sctx = NULL, *kctx = NULL;
+     EVP_PKEY *pkey = NULL;
+-    unsigned char sig[256];
+     BN_CTX *bnctx = NULL;
++    const char *msg = "Hello World!";
++    unsigned char sig[256];
+     size_t siglen = sizeof(sig);
+     static const unsigned char dgst[] = {
+         0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
+@@ -488,23 +491,26 @@ static int self_test_sign(const ST_KAT_SIGN *t,
+         || EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
+         goto err;
+ 
+-    /* Create a EVP_PKEY_CTX to use for the signing operation */
+-    sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
+-    if (sctx == NULL
+-        || EVP_PKEY_sign_init(sctx) <= 0)
+-        goto err;
+-
+-    /* set signature parameters */
+-    if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_SIGNATURE_PARAM_DIGEST,
+-                                         t->mdalgorithm,
+-                                         strlen(t->mdalgorithm) + 1))
+-        goto err;
++    /* Create a EVP_MD_CTX to use for the signature operation, assign signature
++     * parameters and sign */
+     params_sig = OSSL_PARAM_BLD_to_param(bld);
+-    if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
++    md = EVP_MD_fetch(libctx, "SHA256", NULL);
++    ctx = EVP_MD_CTX_new();
++    if (md == NULL || ctx == NULL)
++        goto err;
++    EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT);
++    if (EVP_DigestSignInit(ctx, &sctx, md, NULL, pkey) <= 0
++        || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0
++        || EVP_DigestSign(ctx, sig, &siglen, (const unsigned char *)msg, strlen(msg)) <= 0
++        || EVP_MD_CTX_reset(ctx) <= 0)
+         goto err;
+ 
+-    if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0
+-        || EVP_PKEY_verify_init(sctx) <= 0
++    /* sctx is not freed automatically inside the FIPS module */
++    EVP_PKEY_CTX_free(sctx);
++    sctx = NULL;
++
++    EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT);
++    if (EVP_DigestVerifyInit(ctx, &sctx, md, NULL, pkey) <= 0
+         || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
+         goto err;
+ 
+@@ -509,14 +510,17 @@ static int self_test_sign(const ST_KAT_SIGN *t,
+         goto err;
+ 
+     OSSL_SELF_TEST_oncorrupt_byte(st, sig);
+-    if (EVP_PKEY_verify(sctx, sig, siglen, dgst, sizeof(dgst)) <= 0)
++    if (EVP_DigestVerify(ctx, sig, siglen, (const unsigned char *)msg, strlen(msg)) <= 0)
+         goto err;
+     ret = 1;
+ err:
+     BN_CTX_free(bnctx);
+     EVP_PKEY_free(pkey);
+-    EVP_PKEY_CTX_free(kctx);
++    EVP_MD_free(md);
++    EVP_MD_CTX_free(ctx);
++    /* sctx is not freed automatically inside the FIPS module */
+     EVP_PKEY_CTX_free(sctx);
++    EVP_PKEY_CTX_free(kctx);
+     OSSL_PARAM_free(params);
+     OSSL_PARAM_free(params_sig);
+     OSSL_PARAM_BLD_free(bld);
+-- 
+2.37.1
+

0075-FIPS-Use-FFDHE2048-in-self-test.patch

@@ -0,0 +1,378 @@
+From e385647549c467fe263b68b72dd21bdfb875ee88 Mon Sep 17 00:00:00 2001
+From: Clemens Lang <cllang@redhat.com>
+Date: Fri, 22 Jul 2022 17:51:16 +0200
+Subject: [PATCH 2/2] FIPS: Use FFDHE2048 in self test
+
+Signed-off-by: Clemens Lang <cllang@redhat.com>
+---
+ providers/fips/self_test_data.inc | 342 +++++++++++++++---------------
+ 1 file changed, 172 insertions(+), 170 deletions(-)
+
+diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
+index a29cc650b5..1b5623833f 100644
+--- a/providers/fips/self_test_data.inc
++++ b/providers/fips/self_test_data.inc
+@@ -821,188 +821,190 @@ static const ST_KAT_DRBG st_kat_drbg_tests[] =
+ 
+ #ifndef OPENSSL_NO_DH
+ /* DH KAT */
++/* RFC7919 FFDHE2048 p */
+ static const unsigned char dh_p[] = {
+-    0xdc, 0xca, 0x15, 0x11, 0xb2, 0x31, 0x32, 0x25,
+-    0xf5, 0x21, 0x16, 0xe1, 0x54, 0x27, 0x89, 0xe0,
+-    0x01, 0xf0, 0x42, 0x5b, 0xcc, 0xc7, 0xf3, 0x66,
+-    0xf7, 0x40, 0x64, 0x07, 0xf1, 0xc9, 0xfa, 0x8b,
+-    0xe6, 0x10, 0xf1, 0x77, 0x8b, 0xb1, 0x70, 0xbe,
+-    0x39, 0xdb, 0xb7, 0x6f, 0x85, 0xbf, 0x24, 0xce,
+-    0x68, 0x80, 0xad, 0xb7, 0x62, 0x9f, 0x7c, 0x6d,
+-    0x01, 0x5e, 0x61, 0xd4, 0x3f, 0xa3, 0xee, 0x4d,
+-    0xe1, 0x85, 0xf2, 0xcf, 0xd0, 0x41, 0xff, 0xde,
+-    0x9d, 0x41, 0x84, 0x07, 0xe1, 0x51, 0x38, 0xbb,
+-    0x02, 0x1d, 0xae, 0xb3, 0x5f, 0x76, 0x2d, 0x17,
+-    0x82, 0xac, 0xc6, 0x58, 0xd3, 0x2b, 0xd4, 0xb0,
+-    0x23, 0x2c, 0x92, 0x7d, 0xd3, 0x8f, 0xa0, 0x97,
+-    0xb3, 0xd1, 0x85, 0x9f, 0xa8, 0xac, 0xaf, 0xb9,
+-    0x8f, 0x06, 0x66, 0x08, 0xfc, 0x64, 0x4e, 0xc7,
+-    0xdd, 0xb6, 0xf0, 0x85, 0x99, 0xf9, 0x2a, 0xc1,
+-    0xb5, 0x98, 0x25, 0xda, 0x84, 0x32, 0x07, 0x7d,
+-    0xef, 0x69, 0x56, 0x46, 0x06, 0x3c, 0x20, 0x82,
+-    0x3c, 0x95, 0x07, 0xab, 0x6f, 0x01, 0x76, 0xd4,
+-    0x73, 0x0d, 0x99, 0x0d, 0xbb, 0xe6, 0x36, 0x1c,
+-    0xd8, 0xb2, 0xb9, 0x4d, 0x3d, 0x2f, 0x32, 0x9b,
+-    0x82, 0x09, 0x9b, 0xd6, 0x61, 0xf4, 0x29, 0x50,
+-    0xf4, 0x03, 0xdf, 0x3e, 0xde, 0x62, 0xa3, 0x31,
+-    0x88, 0xb0, 0x27, 0x98, 0xba, 0x82, 0x3f, 0x44,
+-    0xb9, 0x46, 0xfe, 0x9d, 0xf6, 0x77, 0xa0, 0xc5,
+-    0xa1, 0x23, 0x8e, 0xaa, 0x97, 0xb7, 0x0f, 0x80,
+-    0xda, 0x8c, 0xac, 0x88, 0xe0, 0x92, 0xb1, 0x12,
+-    0x70, 0x60, 0xff, 0xbf, 0x45, 0x57, 0x99, 0x94,
+-    0x01, 0x1d, 0xc2, 0xfa, 0xa5, 0xe7, 0xf6, 0xc7,
+-    0x62, 0x45, 0xe1, 0xcc, 0x31, 0x22, 0x31, 0xc1,
+-    0x7d, 0x1c, 0xa6, 0xb1, 0x90, 0x07, 0xef, 0x0d,
+-    0xb9, 0x9f, 0x9c, 0xb6, 0x0e, 0x1d, 0x5f, 0x69
+-};
++    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++    0xad, 0xf8, 0x54, 0x58, 0xa2, 0xbb, 0x4a, 0x9a,
++    0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1,
++    0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95,
++    0xa9, 0xe1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xfb,
++    0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9,
++    0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8,
++    0xf6, 0x81, 0xb2, 0x02, 0xae, 0xc4, 0x61, 0x7a,
++    0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61,
++    0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0,
++    0x85, 0x63, 0x65, 0x55, 0x3d, 0xed, 0x1a, 0xf3,
++    0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35,
++    0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77,
++    0xe2, 0xa6, 0x89, 0xda, 0xf3, 0xef, 0xe8, 0x72,
++    0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35,
++    0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a,
++    0xbc, 0x0a, 0xb1, 0x82, 0xb3, 0x24, 0xfb, 0x61,
++    0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb,
++    0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68,
++    0x1d, 0x4f, 0x42, 0xa3, 0xde, 0x39, 0x4d, 0xf4,
++    0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19,
++    0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70,
++    0x9e, 0x02, 0xfc, 0xe1, 0xcd, 0xf7, 0xe2, 0xec,
++    0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61,
++    0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff,
++    0x8e, 0x4f, 0x12, 0x32, 0xee, 0xf2, 0x81, 0x83,
++    0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73,
++    0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05,
++    0xc5, 0x8e, 0xf1, 0x83, 0x7d, 0x16, 0x83, 0xb2,
++    0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa,
++    0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97,
++    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
++};
++/* RFC7919 FFDHE2048 q */
+ static const unsigned char dh_q[] = {
+-    0x89, 0x8b, 0x22, 0x67, 0x17, 0xef, 0x03, 0x9e,
+-    0x60, 0x3e, 0x82, 0xe5, 0xc7, 0xaf, 0xe4, 0x83,
+-    0x74, 0xac, 0x5f, 0x62, 0x5c, 0x54, 0xf1, 0xea,
+-    0x11, 0xac, 0xb5, 0x7d
+-};
++    0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++    0xd6, 0xfc, 0x2a, 0x2c, 0x51, 0x5d, 0xa5, 0x4d,
++    0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78,
++    0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a,
++    0xd4, 0xf0, 0x9b, 0x20, 0x8a, 0x32, 0x19, 0xfd,
++    0xe6, 0x49, 0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c,
++    0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec,
++    0x7b, 0x40, 0xd9, 0x01, 0x57, 0x62, 0x30, 0xbd,
++    0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0,
++    0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68,
++    0x42, 0xb1, 0xb2, 0xaa, 0x9e, 0xf6, 0x8d, 0x79,
++    0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a,
++    0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb,
++    0xf1, 0x53, 0x44, 0xed, 0x79, 0xf7, 0xf4, 0x39,
++    0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a,
++    0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd,
++    0x5e, 0x05, 0x58, 0xc1, 0x59, 0x92, 0x7d, 0xb0,
++    0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd,
++    0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34,
++    0x0e, 0xa7, 0xa1, 0x51, 0xef, 0x1c, 0xa6, 0xfa,
++    0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c,
++    0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8,
++    0x4f, 0x01, 0x7e, 0x70, 0xe6, 0xfb, 0xf1, 0x76,
++    0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0,
++    0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff,
++    0xc7, 0x27, 0x89, 0x19, 0x77, 0x79, 0x40, 0xc1,
++    0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9,
++    0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02,
++    0xe2, 0xc7, 0x78, 0xc1, 0xbe, 0x8b, 0x41, 0xd9,
++    0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd,
++    0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b,
++    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
++};
++/* RFC7919 FFDHE2048 g */
+ static const unsigned char dh_g[] = {
+-    0x5e, 0xf7, 0xb8, 0x8f, 0x2d, 0xf6, 0x01, 0x39,
+-    0x35, 0x1d, 0xfb, 0xfe, 0x12, 0x66, 0x80, 0x5f,
+-    0xdf, 0x35, 0x6c, 0xdf, 0xd1, 0x3a, 0x4d, 0xa0,
+-    0x05, 0x0c, 0x7e, 0xde, 0x24, 0x6d, 0xf5, 0x9f,
+-    0x6a, 0xbf, 0x96, 0xad, 0xe5, 0xf2, 0xb2, 0x8f,
+-    0xfe, 0x88, 0xd6, 0xbc, 0xe7, 0xf7, 0x89, 0x4a,
+-    0x3d, 0x53, 0x5f, 0xc8, 0x21, 0x26, 0xdd, 0xd4,
+-    0x24, 0x87, 0x2e, 0x16, 0xb8, 0x38, 0xdf, 0x8c,
+-    0x51, 0xe9, 0x01, 0x6f, 0x88, 0x9c, 0x7c, 0x20,
+-    0x3e, 0x98, 0xa8, 0xb6, 0x31, 0xf9, 0xc7, 0x25,
+-    0x63, 0xd3, 0x8a, 0x49, 0x58, 0x9a, 0x07, 0x53,
+-    0xd3, 0x58, 0xe7, 0x83, 0x31, 0x8c, 0xef, 0xd9,
+-    0x67, 0x7c, 0x7b, 0x2d, 0xbb, 0x77, 0xd6, 0xdc,
+-    0xe2, 0xa1, 0x96, 0x37, 0x95, 0xca, 0x64, 0xb9,
+-    0x2d, 0x1c, 0x9a, 0xac, 0x6d, 0x0e, 0x8d, 0x43,
+-    0x1d, 0xe5, 0xe5, 0x00, 0x60, 0xdf, 0xf7, 0x86,
+-    0x89, 0xc9, 0xec, 0xa1, 0xc1, 0x24, 0x8c, 0x16,
+-    0xed, 0x09, 0xc7, 0xad, 0x41, 0x2a, 0x17, 0x40,
+-    0x6d, 0x2b, 0x52, 0x5a, 0xa1, 0xca, 0xbb, 0x23,
+-    0x7b, 0x97, 0x34, 0xec, 0x7b, 0x8c, 0xe3, 0xfa,
+-    0xe0, 0x2f, 0x29, 0xc5, 0xef, 0xed, 0x30, 0xd6,
+-    0x91, 0x87, 0xda, 0x10, 0x9c, 0x2c, 0x9f, 0xe2,
+-    0xaa, 0xdb, 0xb0, 0xc2, 0x2a, 0xf5, 0x4c, 0x61,
+-    0x66, 0x55, 0x00, 0x0c, 0x43, 0x1c, 0x6b, 0x4a,
+-    0x37, 0x97, 0x63, 0xb0, 0xa9, 0x16, 0x58, 0xef,
+-    0xc8, 0x4e, 0x8b, 0x06, 0x35, 0x8c, 0x8b, 0x4f,
+-    0x21, 0x37, 0x10, 0xfd, 0x10, 0x17, 0x2c, 0xf3,
+-    0x9b, 0x83, 0x0c, 0x2d, 0xd8, 0x4a, 0x0c, 0x8a,
+-    0xb8, 0x25, 0x16, 0xec, 0xab, 0x99, 0x5f, 0xa4,
+-    0x21, 0x5e, 0x02, 0x3e, 0x4e, 0xcf, 0x80, 0x74,
+-    0xc3, 0x9d, 0x6c, 0x88, 0xb7, 0x0d, 0x1e, 0xe4,
+-    0xe9, 0x6f, 0xdc, 0x20, 0xea, 0x11, 0x5c, 0x32
++    0x02
+ };
+ static const unsigned char dh_priv[] = {
+-    0x14, 0x33, 0xe0, 0xb5, 0xa9, 0x17, 0xb6, 0x0a,
+-    0x30, 0x23, 0xf2, 0xf8, 0xaa, 0x2c, 0x2d, 0x70,
+-    0xd2, 0x96, 0x8a, 0xba, 0x9a, 0xea, 0xc8, 0x15,
+-    0x40, 0xb8, 0xfc, 0xe6
++    0x01, 0xdc, 0x2a, 0xb9, 0x87, 0x71, 0x57, 0x0f,
++    0xcd, 0x93, 0x65, 0x4c, 0xa1, 0xd6, 0x56, 0x6d,
++    0xc5, 0x35, 0xd5, 0xcb, 0x4c, 0xb8, 0xad, 0x8d,
++    0x6c, 0xdc, 0x5d, 0x6e, 0x94
+ };
+ static const unsigned char dh_pub[] = {
+-    0x95, 0xdd, 0x33, 0x8d, 0x29, 0xe5, 0x71, 0x04,
+-    0x92, 0xb9, 0x18, 0x31, 0x7b, 0x72, 0xa3, 0x69,
+-    0x36, 0xe1, 0x95, 0x1a, 0x2e, 0xe5, 0xa5, 0x59,
+-    0x16, 0x99, 0xc0, 0x48, 0x6d, 0x0d, 0x4f, 0x9b,
+-    0xdd, 0x6d, 0x5a, 0x3f, 0x6b, 0x98, 0x89, 0x0c,
+-    0x62, 0xb3, 0x76, 0x52, 0xd3, 0x6e, 0x71, 0x21,
+-    0x11, 0xe6, 0x8a, 0x73, 0x55, 0x37, 0x25, 0x06,
+-    0x99, 0xef, 0xe3, 0x30, 0x53, 0x73, 0x91, 0xfb,
+-    0xc2, 0xc5, 0x48, 0xbc, 0x5a, 0xc3, 0xe5, 0xb2,
+-    0x33, 0x86, 0xc3, 0xee, 0xf5, 0xeb, 0x43, 0xc0,
+-    0x99, 0xd7, 0x0a, 0x52, 0x02, 0x68, 0x7e, 0x83,
+-    0x96, 0x42, 0x48, 0xfc, 0xa9, 0x1f, 0x40, 0x90,
+-    0x8e, 0x8f, 0xb3, 0x31, 0x93, 0x15, 0xf6, 0xd2,
+-    0x60, 0x6d, 0x7f, 0x7c, 0xd5, 0x2c, 0xc6, 0xe7,
+-    0xc5, 0x84, 0x3a, 0xfb, 0x22, 0x51, 0x9c, 0xf0,
+-    0xf0, 0xf9, 0xd3, 0xa0, 0xa4, 0xe8, 0xc8, 0x88,
+-    0x99, 0xef, 0xed, 0xe7, 0x36, 0x43, 0x51, 0xfb,
+-    0x6a, 0x36, 0x3e, 0xe7, 0x17, 0xe5, 0x44, 0x5a,
+-    0xda, 0xb4, 0xc9, 0x31, 0xa6, 0x48, 0x39, 0x97,
+-    0xb8, 0x7d, 0xad, 0x83, 0x67, 0x7e, 0x4d, 0x1d,
+-    0x3a, 0x77, 0x75, 0xe0, 0xf6, 0xd0, 0x0f, 0xdf,
+-    0x73, 0xc7, 0xad, 0x80, 0x1e, 0x66, 0x5a, 0x0e,
+-    0x5a, 0x79, 0x6d, 0x0a, 0x03, 0x80, 0xa1, 0x9f,
+-    0xa1, 0x82, 0xef, 0xc8, 0xa0, 0x4f, 0x5e, 0x4d,
+-    0xb9, 0x0d, 0x1a, 0x86, 0x37, 0xf9, 0x5d, 0xb1,
+-    0x64, 0x36, 0xbd, 0xc8, 0xf3, 0xfc, 0x09, 0x6c,
+-    0x4f, 0xf7, 0xf2, 0x34, 0xbe, 0x8f, 0xef, 0x47,
+-    0x9a, 0xc4, 0xb0, 0xdc, 0x4b, 0x77, 0x26, 0x3e,
+-    0x07, 0xd9, 0x95, 0x9d, 0xe0, 0xf1, 0xbf, 0x3f,
+-    0x0a, 0xe3, 0xd9, 0xd5, 0x0e, 0x4b, 0x89, 0xc9,
+-    0x9e, 0x3e, 0xa1, 0x21, 0x73, 0x43, 0xdd, 0x8c,
+-    0x65, 0x81, 0xac, 0xc4, 0x95, 0x9c, 0x91, 0xd3
++    0x00, 0xc4, 0x82, 0x14, 0x69, 0x16, 0x4c, 0x05,
++    0x55, 0x2a, 0x7e, 0x55, 0x6d, 0x02, 0xbb, 0x7f,
++    0xcc, 0x63, 0x74, 0xee, 0xcb, 0xb4, 0x98, 0x43,
++    0x0e, 0x29, 0x43, 0x0d, 0x44, 0xc7, 0xf1, 0x23,
++    0x81, 0xca, 0x1c, 0x5c, 0xc3, 0xff, 0x01, 0x4a,
++    0x1a, 0x03, 0x9e, 0x5f, 0xd1, 0x4e, 0xa0, 0x0b,
++    0xb9, 0x5c, 0x0d, 0xef, 0x14, 0x01, 0x62, 0x3c,
++    0x8a, 0x8e, 0x60, 0xbb, 0x39, 0xd6, 0x38, 0x63,
++    0xb7, 0x65, 0xd0, 0x0b, 0x1a, 0xaf, 0x53, 0x38,
++    0x10, 0x0f, 0x3e, 0xeb, 0x9d, 0x0c, 0x24, 0xf6,
++    0xe3, 0x70, 0x08, 0x8a, 0x4d, 0x01, 0xf8, 0x7a,
++    0x87, 0x49, 0x64, 0x72, 0xb1, 0x75, 0x3b, 0x94,
++    0xc8, 0x09, 0x2d, 0x6a, 0x63, 0xd8, 0x9a, 0x92,
++    0xb9, 0x5b, 0x1a, 0xc3, 0x47, 0x0b, 0x63, 0x44,
++    0x3b, 0xe3, 0xc0, 0x09, 0xc9, 0xf9, 0x02, 0x53,
++    0xd8, 0xfb, 0x06, 0x44, 0xdb, 0xdf, 0xe8, 0x13,
++    0x2b, 0x40, 0x6a, 0xd4, 0x13, 0x4e, 0x52, 0x30,
++    0xd6, 0xc1, 0xd8, 0x59, 0x9d, 0x59, 0xba, 0x1b,
++    0xbf, 0xaa, 0x6f, 0xe9, 0x3d, 0xfd, 0xff, 0x01,
++    0x0b, 0x54, 0xe0, 0x6a, 0x4e, 0x27, 0x2b, 0x3d,
++    0xe8, 0xef, 0xb0, 0xbe, 0x52, 0xc3, 0x52, 0x18,
++    0x6f, 0xa3, 0x27, 0xab, 0x6c, 0x12, 0xc3, 0x81,
++    0xcb, 0xae, 0x23, 0x11, 0xa0, 0x5d, 0xc3, 0x6f,
++    0x23, 0x17, 0x40, 0xb3, 0x05, 0x4f, 0x5d, 0xb7,
++    0x34, 0xbe, 0x87, 0x2c, 0xa9, 0x9e, 0x98, 0x39,
++    0xbf, 0x2e, 0x9d, 0xad, 0x4f, 0x70, 0xad, 0xed,
++    0x1b, 0x5e, 0x47, 0x90, 0x49, 0x2e, 0x61, 0x71,
++    0x5f, 0x07, 0x0b, 0x35, 0x04, 0xfc, 0x53, 0xce,
++    0x58, 0x60, 0x6c, 0x5b, 0x8b, 0xfe, 0x70, 0x04,
++    0x2a, 0x6a, 0x98, 0x0a, 0xd0, 0x80, 0xae, 0x69,
++    0x95, 0xf9, 0x99, 0x18, 0xfc, 0xe4, 0x8e, 0xed,
++    0x61, 0xd9, 0x02, 0x9d, 0x4e, 0x05, 0xe9, 0xf2,
++    0x32
+ };
+ static const unsigned char dh_peer_pub[] = {
+-    0x1f, 0xc1, 0xda, 0x34, 0x1d, 0x1a, 0x84, 0x6a,
+-    0x96, 0xb7, 0xbe, 0x24, 0x34, 0x0f, 0x87, 0x7d,
+-    0xd0, 0x10, 0xaa, 0x03, 0x56, 0xd5, 0xad, 0x58,
+-    0xaa, 0xe9, 0xc7, 0xb0, 0x8f, 0x74, 0x9a, 0x32,
+-    0x23, 0x51, 0x10, 0xb5, 0xd8, 0x8e, 0xb5, 0xdb,
+-    0xfa, 0x97, 0x8d, 0x27, 0xec, 0xc5, 0x30, 0xf0,
+-    0x2d, 0x31, 0x14, 0x00, 0x5b, 0x64, 0xb1, 0xc0,
+-    0xe0, 0x24, 0xcb, 0x8a, 0xe2, 0x16, 0x98, 0xbc,
+-    0xa9, 0xe6, 0x0d, 0x42, 0x80, 0x86, 0x22, 0xf1,
+-    0x81, 0xc5, 0x6e, 0x1d, 0xe7, 0xa9, 0x6e, 0x6e,
+-    0xfe, 0xe9, 0xd6, 0x65, 0x67, 0xe9, 0x1b, 0x97,
+-    0x70, 0x42, 0xc7, 0xe3, 0xd0, 0x44, 0x8f, 0x05,
+-    0xfb, 0x77, 0xf5, 0x22, 0xb9, 0xbf, 0xc8, 0xd3,
+-    0x3c, 0xc3, 0xc3, 0x1e, 0xd3, 0xb3, 0x1f, 0x0f,
+-    0xec, 0xb6, 0xdb, 0x4f, 0x6e, 0xa3, 0x11, 0xe7,
+-    0x7a, 0xfd, 0xbc, 0xd4, 0x7a, 0xee, 0x1b, 0xb1,
+-    0x50, 0xf2, 0x16, 0x87, 0x35, 0x78, 0xfb, 0x96,
+-    0x46, 0x8e, 0x8f, 0x9f, 0x3d, 0xe8, 0xef, 0xbf,
+-    0xce, 0x75, 0x62, 0x4b, 0x1d, 0xf0, 0x53, 0x22,
+-    0xa3, 0x4f, 0x14, 0x63, 0xe8, 0x39, 0xe8, 0x98,
+-    0x4c, 0x4a, 0xd0, 0xa9, 0x6e, 0x1a, 0xc8, 0x42,
+-    0xe5, 0x31, 0x8c, 0xc2, 0x3c, 0x06, 0x2a, 0x8c,
+-    0xa1, 0x71, 0xb8, 0xd5, 0x75, 0x98, 0x0d, 0xde,
+-    0x7f, 0xc5, 0x6f, 0x15, 0x36, 0x52, 0x38, 0x20,
+-    0xd4, 0x31, 0x92, 0xbf, 0xd5, 0x1e, 0x8e, 0x22,
+-    0x89, 0x78, 0xac, 0xa5, 0xb9, 0x44, 0x72, 0xf3,
+-    0x39, 0xca, 0xeb, 0x99, 0x31, 0xb4, 0x2b, 0xe3,
+-    0x01, 0x26, 0x8b, 0xc9, 0x97, 0x89, 0xc9, 0xb2,
+-    0x55, 0x71, 0xc3, 0xc0, 0xe4, 0xcb, 0x3f, 0x00,
+-    0x7f, 0x1a, 0x51, 0x1c, 0xbb, 0x53, 0xc8, 0x51,
+-    0x9c, 0xdd, 0x13, 0x02, 0xab, 0xca, 0x6c, 0x0f,
+-    0x34, 0xf9, 0x67, 0x39, 0xf1, 0x7f, 0xf4, 0x8b
++    0x00, 0xef, 0x15, 0x02, 0xf5, 0x56, 0xa3, 0x79,
++    0x40, 0x58, 0xbc, 0xeb, 0x56, 0xad, 0xcb, 0xda,
++    0x8c, 0xda, 0xb8, 0xd1, 0xda, 0x6f, 0x25, 0x29,
++    0x9e, 0x43, 0x76, 0x2d, 0xb2, 0xd8, 0xbc, 0x84,
++    0xbc, 0x85, 0xd0, 0x94, 0x8d, 0x44, 0x27, 0x57,
++    0xe4, 0xdf, 0xc1, 0x78, 0x42, 0x8f, 0x08, 0xf5,
++    0x74, 0xfe, 0x02, 0x56, 0xd2, 0x09, 0xc8, 0x68,
++    0xef, 0xed, 0x18, 0xc9, 0xfd, 0x2e, 0x95, 0x6c,
++    0xba, 0x6c, 0x00, 0x0e, 0xf5, 0xd1, 0x1b, 0xf6,
++    0x15, 0x14, 0x5b, 0x67, 0x22, 0x7c, 0x6a, 0x20,
++    0x76, 0x43, 0x51, 0xef, 0x5e, 0x1e, 0xf9, 0x2d,
++    0xd6, 0xb4, 0xc5, 0xc6, 0x18, 0x33, 0xd1, 0xa3,
++    0x3b, 0xe6, 0xdd, 0x57, 0x9d, 0xad, 0x13, 0x7a,
++    0x53, 0xde, 0xb3, 0x97, 0xc0, 0x7e, 0xd7, 0x77,
++    0x6b, 0xf8, 0xbd, 0x13, 0x70, 0x8c, 0xba, 0x73,
++    0x80, 0xb3, 0x80, 0x6f, 0xfb, 0x1c, 0xda, 0x53,
++    0x4d, 0x3c, 0x8a, 0x2e, 0xa1, 0x37, 0xce, 0xb1,
++    0xde, 0x45, 0x97, 0x58, 0x65, 0x4d, 0xcf, 0x05,
++    0xbb, 0xc3, 0xd7, 0x38, 0x6d, 0x0a, 0x59, 0x7a,
++    0x99, 0x15, 0xb7, 0x9a, 0x3d, 0xfd, 0x61, 0xe5,
++    0x1a, 0xa2, 0xcc, 0xf6, 0xfe, 0xb1, 0xee, 0xe9,
++    0xa9, 0xe2, 0xeb, 0x06, 0xbc, 0x14, 0x6e, 0x91,
++    0x0d, 0xf1, 0xe3, 0xbb, 0xe0, 0x7e, 0x1d, 0x31,
++    0x79, 0xf1, 0x6d, 0x5f, 0xcb, 0xaf, 0xb2, 0x4f,
++    0x22, 0x12, 0xbf, 0x72, 0xbd, 0xd0, 0x30, 0xe4,
++    0x1c, 0x35, 0x96, 0x61, 0x98, 0x39, 0xfb, 0x7e,
++    0x6d, 0x66, 0xc4, 0x69, 0x41, 0x0d, 0x0d, 0x59,
++    0xbb, 0xa7, 0xbf, 0x34, 0xe0, 0x39, 0x36, 0x84,
++    0x5e, 0x0e, 0x03, 0x2d, 0xcf, 0xaa, 0x02, 0x8a,
++    0xba, 0x59, 0x88, 0x47, 0xc4, 0x4d, 0xd7, 0xbd,
++    0x78, 0x76, 0x24, 0xf1, 0x45, 0x56, 0x44, 0xc2,
++    0x4a, 0xc2, 0xd5, 0x3a, 0x59, 0x40, 0xab, 0x87,
++    0x64
+ };
+ 
+ static const unsigned char dh_secret_expected[] = {
+-    0x08, 0xff, 0x33, 0xbb, 0x2e, 0xcf, 0xf4, 0x9a,
+-    0x7d, 0x4a, 0x79, 0x12, 0xae, 0xb1, 0xbb, 0x6a,
+-    0xb5, 0x11, 0x64, 0x1b, 0x4a, 0x76, 0x77, 0x0c,
+-    0x8c, 0xc1, 0xbc, 0xc2, 0x33, 0x34, 0x3d, 0xfe,
+-    0x70, 0x0d, 0x11, 0x81, 0x3d, 0x2c, 0x9e, 0xd2,
+-    0x3b, 0x21, 0x1c, 0xa9, 0xe8, 0x78, 0x69, 0x21,
+-    0xed, 0xca, 0x28, 0x3c, 0x68, 0xb1, 0x61, 0x53,
+-    0xfa, 0x01, 0xe9, 0x1a, 0xb8, 0x2c, 0x90, 0xdd,
+-    0xab, 0x4a, 0x95, 0x81, 0x67, 0x70, 0xa9, 0x87,
+-    0x10, 0xe1, 0x4c, 0x92, 0xab, 0x83, 0xb6, 0xe4,
+-    0x6e, 0x1e, 0x42, 0x6e, 0xe8, 0x52, 0x43, 0x0d,
+-    0x61, 0x87, 0xda, 0xa3, 0x72, 0x0a, 0x6b, 0xcd,
+-    0x73, 0x23, 0x5c, 0x6b, 0x0f, 0x94, 0x1f, 0x33,
+-    0x64, 0xf5, 0x04, 0x20, 0x55, 0x1a, 0x4b, 0xfe,
+-    0xaf, 0xe2, 0xbc, 0x43, 0x85, 0x05, 0xa5, 0x9a,
+-    0x4a, 0x40, 0xda, 0xca, 0x7a, 0x89, 0x5a, 0x73,
+-    0xdb, 0x57, 0x5c, 0x74, 0xc1, 0x3a, 0x23, 0xad,
+-    0x88, 0x32, 0x95, 0x7d, 0x58, 0x2d, 0x38, 0xf0,
+-    0xa6, 0x16, 0x5f, 0xb0, 0xd7, 0xe9, 0xb8, 0x79,
+-    0x9e, 0x42, 0xfd, 0x32, 0x20, 0xe3, 0x32, 0xe9,
+-    0x81, 0x85, 0xa0, 0xc9, 0x42, 0x97, 0x57, 0xb2,
+-    0xd0, 0xd0, 0x2c, 0x17, 0xdb, 0xaa, 0x1f, 0xf6,
+-    0xed, 0x93, 0xd7, 0xe7, 0x3e, 0x24, 0x1e, 0xae,
+-    0xd9, 0x0c, 0xaf, 0x39, 0x4d, 0x2b, 0xc6, 0x57,
+-    0x0f, 0x18, 0xc8, 0x1f, 0x2b, 0xe5, 0xd0, 0x1a,
+-    0x2c, 0xa9, 0x9f, 0xf1, 0x42, 0xb5, 0xd9, 0x63,
+-    0xf9, 0xf5, 0x00, 0x32, 0x5e, 0x75, 0x56, 0xf9,
+-    0x58, 0x49, 0xb3, 0xff, 0xc7, 0x47, 0x94, 0x86,
+-    0xbe, 0x1d, 0x45, 0x96, 0xa3, 0x10, 0x6b, 0xd5,
+-    0xcb, 0x4f, 0x61, 0xc5, 0x7e, 0xc5, 0xf1, 0x00,
+-    0xfb, 0x7a, 0x0c, 0x82, 0xa1, 0x0b, 0x82, 0x52,
+-    0x6a, 0x97, 0xd1, 0xd9, 0x7d, 0x98, 0xea, 0xf6
++    0x56, 0x13, 0xe3, 0x12, 0x6b, 0x5f, 0x67, 0xe5,
++    0x08, 0xe5, 0x35, 0x0e, 0x11, 0x90, 0x9d, 0xf5,
++    0x1a, 0x24, 0xfa, 0x42, 0xd1, 0x4a, 0x50, 0x93,
++    0x5b, 0xf4, 0x11, 0x6f, 0xd0, 0xc3, 0xc5, 0xa5,
++    0x80, 0xae, 0x01, 0x3d, 0x66, 0x92, 0xc0, 0x3e,
++    0x5f, 0xe9, 0x75, 0xb6, 0x5b, 0x37, 0x82, 0x39,
++    0x72, 0x66, 0x0b, 0xa2, 0x73, 0x94, 0xe5, 0x04,
++    0x7c, 0x0c, 0x19, 0x9a, 0x03, 0x53, 0xc4, 0x9d,
++    0xc1, 0x0f, 0xc3, 0xec, 0x0e, 0x2e, 0xa3, 0x7c,
++    0x07, 0x0e, 0xaf, 0x18, 0x1d, 0xc7, 0x8b, 0x47,
++    0x4b, 0x94, 0x05, 0x6d, 0xec, 0xdd, 0xa1, 0xae,
++    0x7b, 0x21, 0x86, 0x53, 0xd3, 0x62, 0x38, 0x08,
++    0xea, 0xda, 0xdc, 0xb2, 0x5a, 0x7c, 0xef, 0x19,
++    0xf8, 0x29, 0xef, 0xf8, 0xd0, 0xfb, 0xde, 0xe8,
++    0xb8, 0x2f, 0xb3, 0xa1, 0x16, 0xa2, 0xd0, 0x8f,
++    0x48, 0xdc, 0x7d, 0xcb, 0xee, 0x5c, 0x06, 0x1e,
++    0x2a, 0x66, 0xe8, 0x1f, 0xdb, 0x18, 0xe9, 0xd2,
++    0xfd, 0xa2, 0x4e, 0x39, 0xa3, 0x2e, 0x88, 0x3d,
++    0x7d, 0xac, 0x15, 0x18, 0x25, 0xe6, 0xba, 0xd4,
++    0x0e, 0x89, 0x26, 0x60, 0x8f, 0xdc, 0x4a, 0xb4,
++    0x49, 0x8f, 0x98, 0xe8, 0x62, 0x8c, 0xc6, 0x66,
++    0x20, 0x4c, 0xe1, 0xed, 0xfc, 0x01, 0x88, 0x46,
++    0xa7, 0x67, 0x48, 0x39, 0xc5, 0x22, 0x95, 0xa0,
++    0x23, 0xb9, 0xd1, 0xed, 0x87, 0xcf, 0xa7, 0x70,
++    0x1c, 0xac, 0xd3, 0xaf, 0x5c, 0x26, 0x50, 0x3c,
++    0xe4, 0x23, 0xb6, 0xcc, 0xd7, 0xc5, 0xda, 0x2f,
++    0xf4, 0x45, 0xf1, 0xe4, 0x40, 0xb5, 0x0a, 0x25,
++    0x86, 0xe6, 0xde, 0x11, 0x3c, 0x46, 0x16, 0xbc,
++    0x41, 0xc2, 0x28, 0x19, 0x81, 0x5a, 0x46, 0x02,
++    0x87, 0xd0, 0x15, 0x0c, 0xd2, 0xfe, 0x75, 0x04,
++    0x82, 0xd2, 0x0a, 0xb7, 0xbc, 0xc5, 0x6c, 0xb1,
++    0x41, 0xa8, 0x2b, 0x28, 0xbb, 0x86, 0x0c, 0x89
+ };
+ 
+ static const ST_KAT_PARAM dh_group[] = {
+-- 
+2.35.3
+

0076-FIPS-140-3-DRBG.patch

@@ -0,0 +1,184 @@
+From 89c00cc67b9b34bc94f9dc3a9fce9374bbaade03 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Mon, 31 Jul 2023 09:41:29 +0200
+Subject: [PATCH 32/48] 0076-FIPS-140-3-DRBG.patch
+
+Patch-name: 0076-FIPS-140-3-DRBG.patch
+Patch-id: 76
+Patch-status: |
+    # Downstream only. Reseed DRBG using getrandom(GRND_RANDOM)
+    # https://bugzilla.redhat.com/show_bug.cgi?id=2102541
+From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
+---
+ crypto/rand/prov_seed.c                       |  9 ++-
+ providers/implementations/rands/crngt.c       |  6 +-
+ providers/implementations/rands/drbg.c        | 11 +++-
+ providers/implementations/rands/drbg_local.h  |  2 +-
+ .../implementations/rands/seeding/rand_unix.c | 64 ++-----------------
+ 5 files changed, 28 insertions(+), 64 deletions(-)
+
+diff --git a/crypto/rand/prov_seed.c b/crypto/rand/prov_seed.c
+index 96c499c957..61c4cd8779 100644
+--- a/crypto/rand/prov_seed.c
++++ b/crypto/rand/prov_seed.c
+@@ -20,7 +20,14 @@ size_t ossl_rand_get_entropy(ossl_unused const OSSL_CORE_HANDLE *handle,
+     size_t entropy_available;
+     RAND_POOL *pool;
+ 
+-    pool = ossl_rand_pool_new(entropy, 1, min_len, max_len);
++    /*
++     * OpenSSL still implements an internal entropy pool of
++     * some size that is hashed to get seed data.
++     * Note that this is a conditioning step for which SP800-90C requires
++     * 64 additional bits from the entropy source to claim the requested
++     * amount of entropy.
++     */
++    pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len);
+     if (pool == NULL) {
+         ERR_raise(ERR_LIB_RAND, ERR_R_MALLOC_FAILURE);
+         return 0;
+diff --git a/providers/implementations/rands/crngt.c b/providers/implementations/rands/crngt.c
+index fa4a2db14a..1f13fc759e 100644
+--- a/providers/implementations/rands/crngt.c
++++ b/providers/implementations/rands/crngt.c
+@@ -133,7 +133,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG *drbg,
+      * to the nearest byte.  If the entropy is of less than full quality,
+      * the amount required should be scaled up appropriately here.
+      */
+-    bytes_needed = (entropy + 7) / 8;
++    /*
++     * FIPS 140-3: the yet draft SP800-90C requires requested entropy
++     * + 128 bits during initial seeding
++     */
++    bytes_needed = (entropy + 128 + 7) / 8;
+     if (bytes_needed < min_len)
+         bytes_needed = min_len;
+     if (bytes_needed > max_len)
+diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c
+index ea55363bf8..1b2410b3db 100644
+--- a/providers/implementations/rands/drbg.c
++++ b/providers/implementations/rands/drbg.c
+@@ -570,6 +570,9 @@ int ossl_prov_drbg_reseed(PROV_DRBG *drbg, int prediction_resistance,
+ #endif
+     }
+ 
++#ifdef FIPS_MODULE
++    prediction_resistance = 1;
++#endif
+     /* Reseed using our sources in addition */
+     entropylen = get_entropy(drbg, &entropy, drbg->strength,
+                              drbg->min_entropylen, drbg->max_entropylen,
+@@ -662,8 +665,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
+             reseed_required = 1;
+     }
+     if (drbg->parent != NULL
+-            && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
++            && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) {
++#ifdef FIPS_MODULE
++        /* Red Hat patches provide chain reseeding when necessary so just sync counters*/
++        drbg->parent_reseed_counter = get_parent_reseed_count(drbg);
++#else
+         reseed_required = 1;
++#endif
++        }
+ 
+     if (reseed_required || prediction_resistance) {
+         if (!ossl_prov_drbg_reseed(drbg, prediction_resistance, NULL, 0,
+diff --git a/providers/implementations/rands/drbg_local.h b/providers/implementations/rands/drbg_local.h
+index 3b5417b43b..d27c50950b 100644
+--- a/providers/implementations/rands/drbg_local.h
++++ b/providers/implementations/rands/drbg_local.h
+@@ -38,7 +38,7 @@
+  *
+  * The value is in bytes.
+  */
+-#define CRNGT_BUFSIZ    16
++#define CRNGT_BUFSIZ   32
+ 
+ /*
+  * Maximum input size for the DRBG (entropy, nonce, personalization string)
+diff --git a/providers/implementations/rands/seeding/rand_unix.c b/providers/implementations/rands/seeding/rand_unix.c
+index cd02a0236d..98c917b6d8 100644
+--- a/providers/implementations/rands/seeding/rand_unix.c
++++ b/providers/implementations/rands/seeding/rand_unix.c
+@@ -48,6 +48,8 @@
+ # include <fcntl.h>
+ # include <unistd.h>
+ # include <sys/time.h>
++# include <sys/random.h>
++# include <openssl/evp.h>
+ 
+ static uint64_t get_time_stamp(void);
+ 
+@@ -341,66 +343,8 @@ static ssize_t syscall_random(void *buf, size_t buflen)
+      * which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion
+      * between size_t and ssize_t is safe even without a range check.
+      */
+-
+-    /*
+-     * Do runtime detection to find getentropy().
+-     *
+-     * Known OSs that should support this:
+-     * - Darwin since 16 (OSX 10.12, IOS 10.0).
+-     * - Solaris since 11.3
+-     * - OpenBSD since 5.6
+-     * - Linux since 3.17 with glibc 2.25
+-     * - FreeBSD since 12.0 (1200061)
+-     *
+-     * Note: Sometimes getentropy() can be provided but not implemented
+-     * internally. So we need to check errno for ENOSYS
+-     */
+-#  if !defined(__DragonFly__) && !defined(__NetBSD__)
+-#    if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
+-    extern int getentropy(void *buffer, size_t length) __attribute__((weak));
+-
+-    if (getentropy != NULL) {
+-        if (getentropy(buf, buflen) == 0)
+-            return (ssize_t)buflen;
+-        if (errno != ENOSYS)
+-            return -1;
+-    }
+-#    elif defined(OPENSSL_APPLE_CRYPTO_RANDOM)
+-
+-    if (CCRandomGenerateBytes(buf, buflen) == kCCSuccess)
+-	    return (ssize_t)buflen;
+-
+-    return -1;
+-#    else
+-    union {
+-        void *p;
+-        int (*f)(void *buffer, size_t length);
+-    } p_getentropy;
+-
+-    /*
+-     * We could cache the result of the lookup, but we normally don't
+-     * call this function often.
+-     */
+-    ERR_set_mark();
+-    p_getentropy.p = DSO_global_lookup("getentropy");
+-    ERR_pop_to_mark();
+-    if (p_getentropy.p != NULL)
+-        return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
+-#    endif
+-#  endif /* !__DragonFly__ */
+-
+-    /* Linux supports this since version 3.17 */
+-#  if defined(__linux) && defined(__NR_getrandom)
+-    return syscall(__NR_getrandom, buf, buflen, 0);
+-#  elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
+-    return sysctl_random(buf, buflen);
+-#  elif (defined(__DragonFly__)  && __DragonFly_version >= 500700) \
+-     || (defined(__NetBSD__) && __NetBSD_Version >= 1000000000)
+-    return getrandom(buf, buflen, 0);
+-#  else
+-    errno = ENOSYS;
+-    return -1;
+-#  endif
++    /* Red Hat uses downstream patch to always seed from getrandom() */
++    return EVP_default_properties_is_fips_enabled(NULL) ? getrandom(buf, buflen, GRND_RANDOM) : getrandom(buf, buflen, 0);
+ }
+ #  endif    /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
+ 
+-- 
+2.41.0
+

0077-FIPS-140-3-zeroization.patch

@@ -0,0 +1,102 @@
+From 9c667a7ba589329f3a777b012bf69a0db7f7eda9 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Mon, 31 Jul 2023 09:41:29 +0200
+Subject: [PATCH 33/35] 0077-FIPS-140-3-zeroization.patch
+
+Patch-name: 0077-FIPS-140-3-zeroization.patch
+Patch-id: 77
+Patch-status: |
+    # https://bugzilla.redhat.com/show_bug.cgi?id=2102542
+From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
+---
+ crypto/ec/ec_lib.c                      | 4 ++++
+ crypto/ffc/ffc_params.c                 | 8 ++++----
+ crypto/rsa/rsa_lib.c                    | 4 ++--
+ providers/implementations/kdfs/hkdf.c   | 2 +-
+ providers/implementations/kdfs/pbkdf2.c | 2 +-
+ 5 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
+index 6c37bf78ae..cfbc3c3c1d 100644
+--- a/crypto/ec/ec_lib.c
++++ b/crypto/ec/ec_lib.c
+@@ -744,12 +744,16 @@ EC_POINT *EC_POINT_new(const EC_GROUP *group)
+ 
+ void EC_POINT_free(EC_POINT *point)
+ {
++#ifdef FIPS_MODULE
++    EC_POINT_clear_free(point);
++#else
+     if (point == NULL)
+         return;
+ 
+     if (point->meth->point_finish != 0)
+         point->meth->point_finish(point);
+     OPENSSL_free(point);
++#endif
+ }
+ 
+ void EC_POINT_clear_free(EC_POINT *point)
+diff --git a/crypto/ffc/ffc_params.c b/crypto/ffc/ffc_params.c
+index 3536efd1ad..f3c164b8fc 100644
+--- a/crypto/ffc/ffc_params.c
++++ b/crypto/ffc/ffc_params.c
+@@ -27,10 +27,10 @@ void ossl_ffc_params_init(FFC_PARAMS *params)
+ 
+ void ossl_ffc_params_cleanup(FFC_PARAMS *params)
+ {
+-    BN_free(params->p);
+-    BN_free(params->q);
+-    BN_free(params->g);
+-    BN_free(params->j);
++    BN_clear_free(params->p);
++    BN_clear_free(params->q);
++    BN_clear_free(params->g);
++    BN_clear_free(params->j);
+     OPENSSL_free(params->seed);
+     ossl_ffc_params_init(params);
+ }
+diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c
+index 9588a75964..76b4aac6fc 100644
+--- a/crypto/rsa/rsa_lib.c
++++ b/crypto/rsa/rsa_lib.c
+@@ -155,8 +155,8 @@ void RSA_free(RSA *r)
+ 
+     CRYPTO_THREAD_lock_free(r->lock);
+ 
+-    BN_free(r->n);
+-    BN_free(r->e);
++    BN_clear_free(r->n);
++    BN_clear_free(r->e);
+     BN_clear_free(r->d);
+     BN_clear_free(r->p);
+     BN_clear_free(r->q);
+diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
+index daa619b8af..5304baa6c9 100644
+--- a/providers/implementations/kdfs/hkdf.c
++++ b/providers/implementations/kdfs/hkdf.c
+@@ -118,7 +118,7 @@ static void kdf_hkdf_reset(void *vctx)
+     void *provctx = ctx->provctx;
+ 
+     ossl_prov_digest_reset(&ctx->digest);
+-    OPENSSL_free(ctx->salt);
++    OPENSSL_clear_free(ctx->salt, ctx->salt_len);
+     OPENSSL_free(ctx->prefix);
+     OPENSSL_free(ctx->label);
+     OPENSSL_clear_free(ctx->data, ctx->data_len);
+diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
+index 5c3e7b95ce..349c3dd657 100644
+--- a/providers/implementations/kdfs/pbkdf2.c
++++ b/providers/implementations/kdfs/pbkdf2.c
+@@ -92,7 +92,7 @@ static void *kdf_pbkdf2_new(void *provctx)
+ static void kdf_pbkdf2_cleanup(KDF_PBKDF2 *ctx)
+ {
+     ossl_prov_digest_reset(&ctx->digest);
+-    OPENSSL_free(ctx->salt);
++    OPENSSL_clear_free(ctx->salt, ctx->salt_len);
+     OPENSSL_clear_free(ctx->pass, ctx->pass_len);
+     memset(ctx, 0, sizeof(*ctx));
+ }
+-- 
+2.41.0
+

0078-Add-FIPS-indicator-parameter-to-HKDF.patch

@@ -0,0 +1,874 @@
+From 2000eaead63732669283e6b54c8ef02e268eaeb8 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Mon, 31 Jul 2023 09:41:29 +0200
+Subject: [PATCH 34/48] 0078-Add-FIPS-indicator-parameter-to-HKDF.patch
+
+Patch-name: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch
+Patch-id: 78
+Patch-status: |
+    # https://bugzilla.redhat.com/show_bug.cgi?id=2114772
+From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
+---
+ include/crypto/evp.h                      |   7 ++
+ include/openssl/core_names.h              |   1 +
+ include/openssl/kdf.h                     |   4 +
+ providers/implementations/kdfs/hkdf.c     | 100 +++++++++++++++++++++-
+ providers/implementations/kdfs/kbkdf.c    |  82 ++++++++++++++++--
+ providers/implementations/kdfs/sshkdf.c   |  75 +++++++++++++++-
+ providers/implementations/kdfs/sskdf.c    | 100 +++++++++++++++++++++-
+ providers/implementations/kdfs/tls1_prf.c |  74 +++++++++++++++-
+ providers/implementations/kdfs/x942kdf.c  |  66 +++++++++++++-
+ 9 files changed, 487 insertions(+), 22 deletions(-)
+
+diff --git a/include/crypto/evp.h b/include/crypto/evp.h
+index dbbdcccbda..aa07153441 100644
+--- a/include/crypto/evp.h
++++ b/include/crypto/evp.h
+@@ -219,6 +219,13 @@ struct evp_mac_st {
+     OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params;
+ };
+ 
++#ifdef FIPS_MODULE
++/* According to NIST Special Publication 800-131Ar2, Section 8: Deriving
++ * Additional Keys from a Cryptographic Key, "[t]he length of the
++ * key-derivation key [i.e., the input key] shall be at least 112 bits". */
++# define EVP_KDF_FIPS_MIN_KEY_LEN (112 / 8)
++#endif
++
+ struct evp_kdf_st {
+     OSSL_PROVIDER *prov;
+     int name_id;
+diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
+index c0cce14297..b431b9f871 100644
+--- a/include/openssl/core_names.h
++++ b/include/openssl/core_names.h
+@@ -226,6 +226,7 @@ extern "C" {
+ #define OSSL_KDF_PARAM_X942_SUPP_PUBINFO    "supp-pubinfo"
+ #define OSSL_KDF_PARAM_X942_SUPP_PRIVINFO   "supp-privinfo"
+ #define OSSL_KDF_PARAM_X942_USE_KEYBITS     "use-keybits"
++#define OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator"
+ 
+ /* Known KDF names */
+ #define OSSL_KDF_NAME_HKDF           "HKDF"
+diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
+index 0983230a48..86171635ea 100644
+--- a/include/openssl/kdf.h
++++ b/include/openssl/kdf.h
+@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf,
+ # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY        1
+ # define EVP_KDF_HKDF_MODE_EXPAND_ONLY         2
+ 
++# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED     1
++# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
++
+ #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV     65
+ #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI     66
+ #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
+diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
+index 5304baa6c9..f9c77f4236 100644
+--- a/providers/implementations/kdfs/hkdf.c
++++ b/providers/implementations/kdfs/hkdf.c
+@@ -43,6 +43,7 @@ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params;
+ static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params;
+ static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
+ static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params;
++static OSSL_FUNC_kdf_newctx_fn kdf_tls1_3_new;
+ static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive;
+ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params;
+ static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params;
+@@ -86,6 +87,10 @@ typedef struct {
+     size_t data_len;
+     unsigned char *info;
+     size_t info_len;
++    int is_tls13;
++#ifdef FIPS_MODULE
++    int fips_indicator;
++#endif /* defined(FIPS_MODULE) */
+ } KDF_HKDF;
+ 
+ static void *kdf_hkdf_new(void *provctx)
+@@ -201,6 +206,11 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen,
+         return 0;
+     }
+ 
++#ifdef FIPS_MODULE
++    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++        ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
++
+     switch (ctx->mode) {
+     case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
+     default:
+@@ -363,15 +373,78 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
+     KDF_HKDF *ctx = (KDF_HKDF *)vctx;
+     OSSL_PARAM *p;
++    int any_valid = 0; /* set to 1 when at least one parameter was valid */
+ 
+     if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
+         size_t sz = kdf_hkdf_size(ctx);
+ 
+-        if (sz == 0)
++        any_valid = 1;
++
++        if (sz == 0 || !OSSL_PARAM_set_size_t(p, sz))
+             return 0;
+-        return OSSL_PARAM_set_size_t(p, sz);
+     }
+-    return -2;
++
++#ifdef FIPS_MODULE
++    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
++            != NULL) {
++        int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
++        const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
++
++        any_valid = 1;
++
++        /* According to NIST Special Publication 800-131Ar2, Section 8:
++         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
++         * the key-derivation key [i.e., the input key] shall be at least 112
++         * bits". */
++        if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Verification Program, Section D.B and NIST Special Publication
++         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
++         * strength < 112 bits is legacy use only, so all derived keys should
++         * be longer than that. If a derived key has ever been shorter than
++         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
++         * should also set the returned FIPS indicator to unapproved. */
++        if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        if (ctx->is_tls13) {
++            if (md != NULL
++                    && !EVP_MD_is_a(md, "SHA2-256")
++                    && !EVP_MD_is_a(md, "SHA2-384")) {
++                /* Implementation Guidance for FIPS 140-3 and the Cryptographic
++                 * Module Validation Program, Section 2.4.B, (5): "The TLS 1.3
++                 * key derivation function documented in Section 7.1 of RFC
++                 * 8446. This is considered an approved CVL because the
++                 * underlying functions performed within the TLS 1.3 KDF map to
++                 * NIST approved standards, namely: SP 800-133rev2 (Section 6.3
++                 * Option #3), SP 800-56Crev2, and SP 800-108."
++                 *
++                 * RFC 8446 appendix B.4 only lists SHA-256 and SHA-384. */
++                fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++            }
++        } else {
++            if (md != NULL
++                    && (EVP_MD_is_a(md, "SHAKE-128") ||
++                        EVP_MD_is_a(md, "SHAKE-256"))) {
++                /* HKDF is a SP 800-56Cr2 TwoStep KDF, for which all SHA-1,
++                 * SHA-2 and SHA-3 are approved. SHAKE is not approved, because
++                 * of FIPS 140-3 IG, section C.C: "The SHAKE128 and SHAKE256
++                 * extendable-output functions may only be used as the
++                 * standalone algorithms." */
++                fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++            }
++        }
++        if (!OSSL_PARAM_set_int(p, fips_indicator))
++            return 0;
++    }
++#endif /* defined(FIPS_MODULE) */
++
++    if (!any_valid)
++        return -2;
++
++    return 1;
+ }
+ 
+ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
+@@ -379,6 +452,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
+ {
+     static const OSSL_PARAM known_gettable_ctx_params[] = {
+         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++        OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
++#endif /* defined(FIPS_MODULE) */
+         OSSL_PARAM_END
+     };
+     return known_gettable_ctx_params;
+@@ -709,6 +785,17 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx,
+     return ret;
+ }
+ 
++static void *kdf_tls1_3_new(void *provctx)
++{
++    KDF_HKDF *hkdf = kdf_hkdf_new(provctx);
++
++    if (hkdf != NULL)
++        hkdf->is_tls13 = 1;
++
++    return hkdf;
++}
++
++
+ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
+                              const OSSL_PARAM params[])
+ {
+@@ -724,6 +811,11 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
+         return 0;
+     }
+ 
++#ifdef FIPS_MODULE
++    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++        ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
++
+     switch (ctx->mode) {
+     default:
+         return 0;
+@@ -801,7 +893,7 @@ static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx,
+ }
+ 
+ const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = {
+-    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new },
++    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_3_new },
+     { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup },
+     { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free },
+     { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset },
+diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c
+index aa3df15bc7..3f82710061 100644
+--- a/providers/implementations/kdfs/kbkdf.c
++++ b/providers/implementations/kdfs/kbkdf.c
+@@ -59,6 +59,9 @@ typedef struct {
+     kbkdf_mode mode;
+     EVP_MAC_CTX *ctx_init;
+ 
++    /* HMAC digest algorithm, if any; used to compute FIPS indicator */
++    PROV_DIGEST digest;
++
+     /* Names are lowercased versions of those found in SP800-108. */
+     int r;
+     unsigned char *ki;
+@@ -72,6 +75,9 @@ typedef struct {
+     int use_l;
+     int is_kmac;
+     int use_separator;
++#ifdef FIPS_MODULE
++    int fips_indicator;
++#endif /* defined(FIPS_MODULE) */
+ } KBKDF;
+ 
+ /* Definitions needed for typechecking. */
+@@ -143,6 +149,7 @@ static void kbkdf_reset(void *vctx)
+     void *provctx = ctx->provctx;
+ 
+     EVP_MAC_CTX_free(ctx->ctx_init);
++    ossl_prov_digest_reset(&ctx->digest);
+     OPENSSL_clear_free(ctx->context, ctx->context_len);
+     OPENSSL_clear_free(ctx->label, ctx->label_len);
+     OPENSSL_clear_free(ctx->ki, ctx->ki_len);
+@@ -308,6 +315,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen,
+         goto done;
+     }
+ 
++#ifdef FIPS_MODULE
++    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++        ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
++
+     h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init);
+     if (h == 0)
+         goto done;
+@@ -381,6 +393,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+         }
+     }
+ 
++    if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
++        return 0;
++
+     p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE);
+     if (p != NULL
+         && OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) {
+@@ -461,20 +476,77 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx,
+ static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
+     OSSL_PARAM *p;
++    int any_valid = 0; /* set to 1 when at least one parameter was valid */
+ 
+     p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE);
+-    if (p == NULL)
++    if (p != NULL) {
++        any_valid = 1;
++
++        /* KBKDF can produce results as large as you like. */
++        if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
++            return 0;
++    }
++
++#ifdef FIPS_MODULE
++    p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
++    if (p != NULL) {
++        KBKDF *ctx = (KBKDF *)vctx;
++        int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
++
++        any_valid = 1;
++
++        /* According to NIST Special Publication 800-131Ar2, Section 8:
++         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
++         * the key-derivation key [i.e., the input key] shall be at least 112
++         * bits". */
++        if (ctx->ki_len < EVP_KDF_FIPS_MIN_KEY_LEN)
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Verification Program, Section D.B and NIST Special Publication
++         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
++         * strength < 112 bits is legacy use only, so all derived keys should
++         * be longer than that. If a derived key has ever been shorter than
++         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
++         * should also set the returned FIPS indicator to unapproved. */
++        if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
++         * extendable-output functions may only be used as the standalone
++         * algorithms." Note that the digest is only used when the MAC
++         * algorithm is HMAC. */
++        if (ctx->ctx_init != NULL
++                && EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init), OSSL_MAC_NAME_HMAC)) {
++            const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
++            if (md != NULL
++                    && (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256"))) {
++                fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++            }
++        }
++
++        if (!OSSL_PARAM_set_int(p, fips_indicator))
++            return 0;
++    }
++#endif
++
++    if (!any_valid)
+         return -2;
+ 
+-    /* KBKDF can produce results as large as you like. */
+-    return OSSL_PARAM_set_size_t(p, SIZE_MAX);
++    return 1;
+ }
+ 
+ static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *ctx,
+                                                    ossl_unused void *provctx)
+ {
+-    static const OSSL_PARAM known_gettable_ctx_params[] =
+-        { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_END };
++    static const OSSL_PARAM known_gettable_ctx_params[] = {
++        OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++        OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
++#endif /* defined(FIPS_MODULE) */
++        OSSL_PARAM_END
++    };
+     return known_gettable_ctx_params;
+ }
+ 
+diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c
+index 1afac4e477..389b82b714 100644
+--- a/providers/implementations/kdfs/sshkdf.c
++++ b/providers/implementations/kdfs/sshkdf.c
+@@ -49,6 +49,9 @@ typedef struct {
+     char type; /* X */
+     unsigned char *session_id;
+     size_t session_id_len;
++#ifdef FIPS_MODULE
++    int fips_indicator;
++#endif /* defined(FIPS_MODULE) */
+ } KDF_SSHKDF;
+ 
+ static void *kdf_sshkdf_new(void *provctx)
+@@ -151,6 +154,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen,
+         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE);
+         return 0;
+     }
++
++#ifdef FIPS_MODULE
++    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++        ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
++
+     return SSHKDF(md, ctx->key, ctx->key_len,
+                   ctx->xcghash, ctx->xcghash_len,
+                   ctx->session_id, ctx->session_id_len,
+@@ -219,10 +228,67 @@ static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx,
+ static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
+     OSSL_PARAM *p;
++    int any_valid = 0; /* set to 1 when at least one parameter was valid */
+ 
+-    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+-        return OSSL_PARAM_set_size_t(p, SIZE_MAX);
+-    return -2;
++    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
++        any_valid = 1;
++
++        if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
++            return 0;
++    }
++
++#ifdef FIPS_MODULE
++    p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
++    if (p != NULL) {
++        KDF_SSHKDF *ctx = vctx;
++        int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
++
++        any_valid = 1;
++
++        /* According to NIST Special Publication 800-131Ar2, Section 8:
++         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
++         * the key-derivation key [i.e., the input key] shall be at least 112
++         * bits". */
++        if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Verification Program, Section D.B and NIST Special Publication
++         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
++         * strength < 112 bits is legacy use only, so all derived keys should
++         * be longer than that. If a derived key has ever been shorter than
++         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
++         * should also set the returned FIPS indicator to unapproved. */
++        if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
++         * extendable-output functions may only be used as the standalone
++         * algorithms."
++         *
++         * Additionally, SP 800-135r1 section 5.2 specifies that the hash
++         * function used in SSHKDF "is one of the hash functions specified in
++         * FIPS 180-3.", which rules out SHA-3 and truncated variants of SHA-2.
++         * */
++        if (ctx->digest.md != NULL
++            && !EVP_MD_is_a(ctx->digest.md, "SHA-1")
++            && !EVP_MD_is_a(ctx->digest.md, "SHA2-224")
++            && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
++            && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
++            && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++        }
++
++        if (!OSSL_PARAM_set_int(p, fips_indicator))
++            return 0;
++    }
++#endif
++
++    if (!any_valid)
++        return -2;
++
++    return 1;
+ }
+ 
+ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
+@@ -230,6 +296,9 @@ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
+ {
+     static const OSSL_PARAM known_gettable_ctx_params[] = {
+         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++        OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
++#endif /* defined(FIPS_MODULE) */
+         OSSL_PARAM_END
+     };
+     return known_gettable_ctx_params;
+diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c
+index ecb98de6fd..98fcc583d8 100644
+--- a/providers/implementations/kdfs/sskdf.c
++++ b/providers/implementations/kdfs/sskdf.c
+@@ -63,6 +63,10 @@ typedef struct {
+     size_t salt_len;
+     size_t out_len; /* optional KMAC parameter */
+     int is_kmac;
++    int is_x963kdf;
++#ifdef FIPS_MODULE
++    int fips_indicator;
++#endif /* defined(FIPS_MODULE) */
+ } KDF_SSKDF;
+ 
+ #define SSKDF_MAX_INLEN (1<<30)
+@@ -73,6 +77,7 @@ typedef struct {
+ static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 };
+ 
+ static OSSL_FUNC_kdf_newctx_fn sskdf_new;
++static OSSL_FUNC_kdf_newctx_fn x963kdf_new;
+ static OSSL_FUNC_kdf_dupctx_fn sskdf_dup;
+ static OSSL_FUNC_kdf_freectx_fn sskdf_free;
+ static OSSL_FUNC_kdf_reset_fn sskdf_reset;
+@@ -297,6 +302,16 @@ static void *sskdf_new(void *provctx)
+     return ctx;
+ }
+ 
++static void *x963kdf_new(void *provctx)
++{
++    KDF_SSKDF *ctx = sskdf_new(provctx);
++
++    if (ctx)
++        ctx->is_x963kdf = 1;
++
++    return ctx;
++}
++
+ static void sskdf_reset(void *vctx)
+ {
+     KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
+@@ -392,6 +407,11 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen,
+     }
+     md = ossl_prov_digest_md(&ctx->digest);
+ 
++#ifdef FIPS_MODULE
++    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++        ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
++
+     if (ctx->macctx != NULL) {
+         /* H(x) = KMAC or H(x) = HMAC */
+         int ret;
+@@ -473,6 +493,11 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen,
+         return 0;
+     }
+ 
++#ifdef FIPS_MODULE
++    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++        ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
++
+     return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
+                           ctx->info, ctx->info_len, 1, key, keylen);
+ }
+@@ -545,10 +570,74 @@ static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
+     KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
+     OSSL_PARAM *p;
++    int any_valid = 0; /* set to 1 when at least one parameter was valid */
++
++    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
++        any_valid = 1;
++
++        if (!OSSL_PARAM_set_size_t(p, sskdf_size(ctx)))
++            return 0;
++    }
+ 
+-    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+-        return OSSL_PARAM_set_size_t(p, sskdf_size(ctx));
+-    return -2;
++#ifdef FIPS_MODULE
++    p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
++    if (p != NULL) {
++        int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
++
++        any_valid = 1;
++
++        /* According to NIST Special Publication 800-131Ar2, Section 8:
++         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
++         * the key-derivation key [i.e., the input key] shall be at least 112
++         * bits". */
++        if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Verification Program, Section D.B and NIST Special Publication
++         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
++         * strength < 112 bits is legacy use only, so all derived keys should
++         * be longer than that. If a derived key has ever been shorter than
++         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
++         * should also set the returned FIPS indicator to unapproved. */
++        if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
++         * extendable-output functions may only be used as the standalone
++         * algorithms." */
++        if (ctx->macctx == NULL
++                || (ctx->macctx != NULL &&
++                    EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), OSSL_MAC_NAME_HMAC))) {
++            if (ctx->digest.md != NULL
++                && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
++                    EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
++                fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++            }
++
++            /* Table H-3 in ANS X9.63-2001 says that 160-bit hash functions
++             * should only be used for 80-bit key agreement, but FIPS 140-3
++             * requires a security strength of 112 bits, so SHA-1 cannot be
++             * used with X9.63. See the discussion in
++             * https://github.com/usnistgov/ACVP/issues/1403#issuecomment-1435300395.
++             */
++            if (ctx->is_x963kdf
++                    && ctx->digest.md != NULL
++                    && EVP_MD_is_a(ctx->digest.md, "SHA-1")) {
++                fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++            }
++        }
++
++        if (!OSSL_PARAM_set_int(p, fips_indicator))
++            return 0;
++    }
++#endif
++
++    if (!any_valid)
++        return -2;
++
++    return 1;
+ }
+ 
+ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
+@@ -556,6 +645,9 @@ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
+ {
+     static const OSSL_PARAM known_gettable_ctx_params[] = {
+         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++        OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
++#endif /* defined(FIPS_MODULE) */
+         OSSL_PARAM_END
+     };
+     return known_gettable_ctx_params;
+@@ -577,7 +669,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = {
+ };
+ 
+ const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = {
+-    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new },
++    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))x963kdf_new },
+     { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup },
+     { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
+     { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
+diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
+index 54124ad4cb..25a6c79a2e 100644
+--- a/providers/implementations/kdfs/tls1_prf.c
++++ b/providers/implementations/kdfs/tls1_prf.c
+@@ -104,6 +104,13 @@ typedef struct {
+     /* Buffer of concatenated seed data */
+     unsigned char seed[TLS1_PRF_MAXBUF];
+     size_t seedlen;
++
++    /* MAC digest algorithm; used to compute FIPS indicator */
++    PROV_DIGEST digest;
++
++#ifdef FIPS_MODULE
++    int fips_indicator;
++#endif /* defined(FIPS_MODULE) */
+ } TLS1_PRF;
+ 
+ static void *kdf_tls1_prf_new(void *provctx)
+@@ -140,6 +147,7 @@ static void kdf_tls1_prf_reset(void *vctx)
+     EVP_MAC_CTX_free(ctx->P_sha1);
+     OPENSSL_clear_free(ctx->sec, ctx->seclen);
+     OPENSSL_cleanse(ctx->seed, ctx->seedlen);
++    ossl_prov_digest_reset(&ctx->digest);
+     memset(ctx, 0, sizeof(*ctx));
+     ctx->provctx = provctx;
+ }
+@@ -194,6 +202,10 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
+         ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
+         return 0;
+     }
++#ifdef FIPS_MODULE
++    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++        ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
+ 
+     /*
+      * The seed buffer is prepended with a label.
+@@ -243,6 +255,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+         }
+     }
+ 
++    if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
++        return 0;
++
+     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) {
+         OPENSSL_clear_free(ctx->sec, ctx->seclen);
+         ctx->sec = NULL;
+@@ -284,10 +299,60 @@ static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params(
+ static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
+     OSSL_PARAM *p;
++#ifdef FIPS_MODULE
++    TLS1_PRF *ctx = vctx;
++#endif /* defined(FIPS_MODULE) */
++    int any_valid = 0; /* set to 1 when at least one parameter was valid */
++
++    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
++        any_valid = 1;
++
++        if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
++            return 0;
++    }
++
++#ifdef FIPS_MODULE
++    p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
++    if (p != NULL) {
++        int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
++
++        any_valid = 1;
++
++        /* According to NIST Special Publication 800-131Ar2, Section 8:
++         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
++         * the key-derivation key [i.e., the input key] shall be at least 112
++         * bits". */
++        if (ctx->seclen < EVP_KDF_FIPS_MIN_KEY_LEN)
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Verification Program, Section D.B and NIST Special Publication
++         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
++         * strength < 112 bits is legacy use only, so all derived keys should
++         * be longer than that. If a derived key has ever been shorter than
++         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
++         * should also set the returned FIPS indicator to unapproved. */
++        if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* SP 800-135r1 section 4.2.2 says TLS 1.2 KDF is approved when "(3)
++         * P_HASH uses either SHA-256, SHA-384 or SHA-512." */
++        if (ctx->digest.md != NULL
++                && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
++                && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
++                && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++        }
++
++        if (!OSSL_PARAM_set_int(p, fips_indicator))
++            return 0;
++    }
++#endif
+ 
+-    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+-        return OSSL_PARAM_set_size_t(p, SIZE_MAX);
+-    return -2;
++    if (!any_valid)
++        return -2;
++
++    return 1;
+ }
+ 
+ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
+@@ -295,6 +360,9 @@ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
+ {
+     static const OSSL_PARAM known_gettable_ctx_params[] = {
+         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++        OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
++#endif /* defined(FIPS_MODULE) */
+         OSSL_PARAM_END
+     };
+     return known_gettable_ctx_params;
+diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c
+index 4c274fe27a..5ce23c8eb9 100644
+--- a/providers/implementations/kdfs/x942kdf.c
++++ b/providers/implementations/kdfs/x942kdf.c
+@@ -13,11 +13,13 @@
+ #include <openssl/core_dispatch.h>
+ #include <openssl/err.h>
+ #include <openssl/evp.h>
++#include <openssl/kdf.h>
+ #include <openssl/params.h>
+ #include <openssl/proverr.h>
+ #include "internal/packet.h"
+ #include "internal/der.h"
+ #include "internal/nelem.h"
++#include "crypto/evp.h"
+ #include "prov/provider_ctx.h"
+ #include "prov/providercommon.h"
+ #include "prov/implementations.h"
+@@ -49,6 +51,9 @@ typedef struct {
+     const unsigned char *cek_oid;
+     size_t cek_oid_len;
+     int use_keybits;
++#ifdef FIPS_MODULE
++    int fips_indicator;
++#endif /* defined(FIPS_MODULE) */
+ } KDF_X942;
+ 
+ /*
+@@ -497,6 +502,10 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen,
+         ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING);
+         return 0;
+     }
++#ifdef FIPS_MODULE
++    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++        ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
+     ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len,
+                            der, der_len, ctr, key, keylen);
+     OPENSSL_free(der);
+@@ -600,10 +609,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
+     KDF_X942 *ctx = (KDF_X942 *)vctx;
+     OSSL_PARAM *p;
++    int any_valid = 0; /* set to 1 when at least one parameter was valid */
+ 
+-    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+-        return OSSL_PARAM_set_size_t(p, x942kdf_size(ctx));
+-    return -2;
++    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
++        any_valid = 1;
++
++        if (!OSSL_PARAM_set_size_t(p, x942kdf_size(ctx)))
++            return 0;
++    }
++
++#ifdef FIPS_MODULE
++    p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
++    if (p != NULL) {
++        int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
++
++        any_valid = 1;
++
++        /* According to NIST Special Publication 800-131Ar2, Section 8:
++         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
++         * the key-derivation key [i.e., the input key] shall be at least 112
++         * bits". */
++        if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Verification Program, Section D.B and NIST Special Publication
++         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
++         * strength < 112 bits is legacy use only, so all derived keys should
++         * be longer than that. If a derived key has ever been shorter than
++         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
++         * should also set the returned FIPS indicator to unapproved. */
++        if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
++         * extendable-output functions may only be used as the standalone
++         * algorithms." */
++        if (ctx->digest.md != NULL
++                && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
++                    EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++        }
++
++        if (!OSSL_PARAM_set_int(p, fips_indicator))
++            return 0;
++    }
++#endif
++
++    if (!any_valid)
++        return -2;
++
++    return 1;
+ }
+ 
+ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
+@@ -611,6 +668,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
+ {
+     static const OSSL_PARAM known_gettable_ctx_params[] = {
+         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++        OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
++#endif /* defined(FIPS_MODULE) */
+         OSSL_PARAM_END
+     };
+     return known_gettable_ctx_params;
+-- 
+2.41.0
+

0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch

@@ -0,0 +1,273 @@
+From 930e7acf7dd225102b6e88d23f5e2a3f4acea9fa Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 15:43:57 +0200
+Subject: [PATCH 37/48] 
+ 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
+
+Patch-name: 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
+Patch-id: 81
+---
+ providers/implementations/signature/rsa_sig.c |   6 +
+ test/acvp_test.inc                            | 214 ------------------
+ 2 files changed, 6 insertions(+), 214 deletions(-)
+
+diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
+index 63ee11e566..cfaa4841cb 100644
+--- a/providers/implementations/signature/rsa_sig.c
++++ b/providers/implementations/signature/rsa_sig.c
+@@ -1279,7 +1279,13 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
+             err_extra_text = "No padding not allowed with RSA-PSS";
+             goto cont;
+         case RSA_X931_PADDING:
++#ifndef FIPS_MODULE
+             err_extra_text = "X.931 padding not allowed with RSA-PSS";
++#else /* !defined(FIPS_MODULE) */
++            err_extra_text = "X.931 padding no longer allowed in FIPS mode,"
++                             " since it was removed from FIPS 186-5";
++            goto bad_pad;
++#endif /* !defined(FIPS_MODULE) */
+         cont:
+             if (RSA_test_flags(prsactx->rsa,
+                                RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSA)
+diff --git a/test/acvp_test.inc b/test/acvp_test.inc
+index 73b24bdb0c..96a72073f9 100644
+--- a/test/acvp_test.inc
++++ b/test/acvp_test.inc
+@@ -1204,13 +1204,6 @@ static const struct rsa_siggen_st rsa_siggen_data[] = {
+         ITM(rsa_siggen0_msg),
+         NO_PSS_SALT_LEN,
+     },
+-    {
+-        "x931",
+-        2048,
+-        "SHA384",
+-        ITM(rsa_siggen0_msg),
+-        NO_PSS_SALT_LEN,
+-    },
+     {
+         "pss",
+         2048,
+@@ -1622,202 +1615,6 @@ static const unsigned char rsa_sigverpss_1_sig[] = {
+     0x5c, 0xea, 0x8a, 0x92, 0x31, 0xd2, 0x11, 0x4b,
+ };
+ 
+-static const unsigned char rsa_sigverx931_0_n[] = {
+-    0xa0, 0x16, 0x14, 0x80, 0x8b, 0x17, 0x2b, 0xad,
+-    0xd7, 0x07, 0x31, 0x6d, 0xfc, 0xba, 0x25, 0x83,
+-    0x09, 0xa0, 0xf7, 0x71, 0xc6, 0x06, 0x22, 0x87,
+-    0xd6, 0xbd, 0x13, 0xd9, 0xfe, 0x7c, 0xf7, 0xe6,
+-    0x48, 0xdb, 0x27, 0xd8, 0xa5, 0x49, 0x8e, 0x8c,
+-    0xea, 0xbe, 0xe0, 0x04, 0x6f, 0x3d, 0x3b, 0x73,
+-    0xdc, 0xc5, 0xd4, 0xdc, 0x85, 0xef, 0xea, 0x10,
+-    0x46, 0xf3, 0x88, 0xb9, 0x93, 0xbc, 0xa0, 0xb6,
+-    0x06, 0x02, 0x82, 0xb4, 0x2d, 0x54, 0xec, 0x79,
+-    0x50, 0x8a, 0xfc, 0xfa, 0x62, 0x45, 0xbb, 0xd7,
+-    0x26, 0xcd, 0x88, 0xfa, 0xe8, 0x0f, 0x26, 0x5b,
+-    0x1f, 0x21, 0x3f, 0x3b, 0x5d, 0x98, 0x3f, 0x02,
+-    0x8c, 0xa1, 0xbf, 0xc0, 0x70, 0x4d, 0xd1, 0x41,
+-    0xfd, 0xb9, 0x55, 0x12, 0x90, 0xc8, 0x6e, 0x0f,
+-    0x19, 0xa8, 0x5c, 0x31, 0xd6, 0x16, 0x0e, 0xdf,
+-    0x08, 0x84, 0xcd, 0x4b, 0xfd, 0x28, 0x8d, 0x7d,
+-    0x6e, 0xea, 0xc7, 0x95, 0x4a, 0xc3, 0x84, 0x54,
+-    0x7f, 0xb0, 0x20, 0x29, 0x96, 0x39, 0x4c, 0x3e,
+-    0x85, 0xec, 0x22, 0xdd, 0xb9, 0x14, 0xbb, 0x04,
+-    0x2f, 0x4c, 0x0c, 0xe3, 0xfa, 0xae, 0x47, 0x79,
+-    0x59, 0x8e, 0x4e, 0x7d, 0x4a, 0x17, 0xae, 0x16,
+-    0x38, 0x66, 0x4e, 0xff, 0x45, 0x7f, 0xac, 0x5e,
+-    0x75, 0x9f, 0x51, 0x18, 0xe6, 0xad, 0x6b, 0x8b,
+-    0x3d, 0x08, 0x4d, 0x9a, 0xd2, 0x11, 0xba, 0xa8,
+-    0xc3, 0xb5, 0x17, 0xb5, 0xdf, 0xe7, 0x39, 0x89,
+-    0x27, 0x7b, 0xeb, 0xf4, 0xe5, 0x7e, 0xa9, 0x7b,
+-    0x39, 0x40, 0x6f, 0xe4, 0x82, 0x14, 0x3d, 0x62,
+-    0xb6, 0xd4, 0x43, 0xd0, 0x0a, 0x2f, 0xc1, 0x73,
+-    0x3d, 0x99, 0x37, 0xbe, 0x62, 0x13, 0x6a, 0x8b,
+-    0xeb, 0xc5, 0x64, 0xd5, 0x2a, 0x8b, 0x4f, 0x7f,
+-    0x82, 0x48, 0x69, 0x3e, 0x08, 0x1b, 0xb5, 0x77,
+-    0xd3, 0xdc, 0x1b, 0x2c, 0xe5, 0x59, 0xf6, 0x33,
+-    0x47, 0xa0, 0x0f, 0xff, 0x8a, 0x6a, 0x1d, 0x66,
+-    0x24, 0x67, 0x36, 0x7d, 0x21, 0xda, 0xc1, 0xd4,
+-    0x11, 0x6c, 0xe8, 0x5f, 0xd7, 0x8a, 0x53, 0x5c,
+-    0xb2, 0xe2, 0xf9, 0x14, 0x29, 0x0f, 0xcf, 0x28,
+-    0x32, 0x4f, 0xc6, 0x17, 0xf6, 0xbc, 0x0e, 0xb8,
+-    0x99, 0x7c, 0x14, 0xa3, 0x40, 0x3f, 0xf3, 0xe4,
+-    0x31, 0xbe, 0x54, 0x64, 0x5a, 0xad, 0x1d, 0xb0,
+-    0x37, 0xcc, 0xd9, 0x0b, 0xa4, 0xbc, 0xe0, 0x07,
+-    0x37, 0xd1, 0xe1, 0x65, 0xc6, 0x53, 0xfe, 0x60,
+-    0x6a, 0x64, 0xa4, 0x01, 0x00, 0xf3, 0x5b, 0x9a,
+-    0x28, 0x61, 0xde, 0x7a, 0xd7, 0x0d, 0x56, 0x1e,
+-    0x4d, 0xa8, 0x6a, 0xb5, 0xf2, 0x86, 0x2a, 0x4e,
+-    0xaa, 0x37, 0x23, 0x5a, 0x3b, 0x69, 0x66, 0x81,
+-    0xc8, 0x8e, 0x1b, 0x31, 0x0f, 0x28, 0x31, 0x9a,
+-    0x2d, 0xe5, 0x79, 0xcc, 0xa4, 0xca, 0x60, 0x45,
+-    0xf7, 0x83, 0x73, 0x5a, 0x01, 0x29, 0xda, 0xf7,
+-
+-};
+-static const unsigned char rsa_sigverx931_0_e[] = {
+-    0x01, 0x00, 0x01,
+-};
+-static const unsigned char rsa_sigverx931_0_msg[] = {
+-    0x82, 0x2e, 0x41, 0x70, 0x9d, 0x1f, 0xe9, 0x47,
+-    0xec, 0xf1, 0x79, 0xcc, 0x05, 0xef, 0xdb, 0xcd,
+-    0xca, 0x8b, 0x8e, 0x61, 0x45, 0xad, 0xa6, 0xd9,
+-    0xd7, 0x4b, 0x15, 0xf4, 0x92, 0x3a, 0x2a, 0x52,
+-    0xe3, 0x44, 0x57, 0x2b, 0x74, 0x7a, 0x37, 0x41,
+-    0x50, 0xcb, 0xcf, 0x13, 0x49, 0xd6, 0x15, 0x54,
+-    0x97, 0xfd, 0xae, 0x9b, 0xc1, 0xbb, 0xfc, 0x5c,
+-    0xc1, 0x37, 0x58, 0x17, 0x63, 0x19, 0x9c, 0xcf,
+-    0xee, 0x9c, 0xe5, 0xbe, 0x06, 0xe4, 0x97, 0x47,
+-    0xd1, 0x93, 0xa1, 0x2c, 0x59, 0x97, 0x02, 0x01,
+-    0x31, 0x45, 0x8c, 0xe1, 0x5c, 0xac, 0xe7, 0x5f,
+-    0x6a, 0x23, 0xda, 0xbf, 0xe4, 0x25, 0xc6, 0x67,
+-    0xea, 0x5f, 0x73, 0x90, 0x1b, 0x06, 0x0f, 0x41,
+-    0xb5, 0x6e, 0x74, 0x7e, 0xfd, 0xd9, 0xaa, 0xbd,
+-    0xe2, 0x8d, 0xad, 0x99, 0xdd, 0x29, 0x70, 0xca,
+-    0x1b, 0x38, 0x21, 0x55, 0xde, 0x07, 0xaf, 0x00,
+-
+-};
+-static const unsigned char rsa_sigverx931_0_sig[] = {
+-    0x29, 0xa9, 0x3a, 0x8e, 0x9e, 0x90, 0x1b, 0xdb,
+-    0xaf, 0x0b, 0x47, 0x5b, 0xb5, 0xc3, 0x8c, 0xc3,
+-    0x70, 0xbe, 0x73, 0xf9, 0x65, 0x8e, 0xc6, 0x1e,
+-    0x95, 0x0b, 0xdb, 0x24, 0x76, 0x79, 0xf1, 0x00,
+-    0x71, 0xcd, 0xc5, 0x6a, 0x7b, 0xd2, 0x8b, 0x18,
+-    0xc4, 0xdd, 0xf1, 0x2a, 0x31, 0x04, 0x3f, 0xfc,
+-    0x36, 0x06, 0x20, 0x71, 0x3d, 0x62, 0xf2, 0xb5,
+-    0x79, 0x0a, 0xd5, 0xd2, 0x81, 0xf1, 0xb1, 0x4f,
+-    0x9a, 0x17, 0xe8, 0x67, 0x64, 0x48, 0x09, 0x75,
+-    0xff, 0x2d, 0xee, 0x36, 0xca, 0xca, 0x1d, 0x74,
+-    0x99, 0xbe, 0x5c, 0x94, 0x31, 0xcc, 0x12, 0xf4,
+-    0x59, 0x7e, 0x17, 0x00, 0x4f, 0x7b, 0xa4, 0xb1,
+-    0xda, 0xdb, 0x3e, 0xa4, 0x34, 0x10, 0x4a, 0x19,
+-    0x0a, 0xd2, 0xa7, 0xa0, 0xc5, 0xe6, 0xef, 0x82,
+-    0xd4, 0x2e, 0x21, 0xbe, 0x15, 0x73, 0xac, 0xef,
+-    0x05, 0xdb, 0x6a, 0x8a, 0x1a, 0xcb, 0x8e, 0xa5,
+-    0xee, 0xfb, 0x28, 0xbf, 0x96, 0xa4, 0x2b, 0xd2,
+-    0x85, 0x2b, 0x20, 0xc3, 0xaf, 0x9a, 0x32, 0x04,
+-    0xa0, 0x49, 0x24, 0x47, 0xd0, 0x09, 0xf7, 0xcf,
+-    0x73, 0xb6, 0xf6, 0x70, 0xda, 0x3b, 0xf8, 0x5a,
+-    0x28, 0x2e, 0x14, 0x6c, 0x52, 0xbd, 0x2a, 0x7c,
+-    0x8e, 0xc1, 0xa8, 0x0e, 0xb1, 0x1e, 0x6b, 0x8d,
+-    0x76, 0xea, 0x70, 0x81, 0xa0, 0x02, 0x63, 0x74,
+-    0xbc, 0x7e, 0xb9, 0xac, 0x0e, 0x7b, 0x1b, 0x75,
+-    0x82, 0xe2, 0x98, 0x4e, 0x24, 0x55, 0xd4, 0xbd,
+-    0x14, 0xde, 0x58, 0x56, 0x3a, 0x5d, 0x4e, 0x57,
+-    0x0d, 0x54, 0x74, 0xe8, 0x86, 0x8c, 0xcb, 0x07,
+-    0x9f, 0x0b, 0xfb, 0xc2, 0x08, 0x5c, 0xd7, 0x05,
+-    0x3b, 0xc8, 0xd2, 0x15, 0x68, 0x8f, 0x3d, 0x3c,
+-    0x4e, 0x85, 0xa9, 0x25, 0x6f, 0xf5, 0x2e, 0xca,
+-    0xca, 0xa8, 0x27, 0x89, 0x61, 0x4e, 0x1f, 0x57,
+-    0x2d, 0x99, 0x10, 0x3f, 0xbc, 0x9e, 0x96, 0x5e,
+-    0x2f, 0x0a, 0x25, 0xa7, 0x5c, 0xea, 0x65, 0x2a,
+-    0x22, 0x35, 0xa3, 0xf9, 0x13, 0x89, 0x05, 0x2e,
+-    0x19, 0x73, 0x1d, 0x70, 0x74, 0x98, 0x15, 0x4b,
+-    0xab, 0x56, 0x52, 0xe0, 0x01, 0x42, 0x95, 0x6a,
+-    0x46, 0x2c, 0x78, 0xff, 0x26, 0xbc, 0x48, 0x10,
+-    0x38, 0x25, 0xab, 0x32, 0x7c, 0x79, 0x7c, 0x5d,
+-    0x6f, 0x45, 0x54, 0x74, 0x2d, 0x93, 0x56, 0x52,
+-    0x11, 0x34, 0x1e, 0xe3, 0x4b, 0x6a, 0x17, 0x4f,
+-    0x37, 0x14, 0x75, 0xac, 0xa3, 0xa1, 0xca, 0xda,
+-    0x38, 0x06, 0xa9, 0x78, 0xb9, 0x5d, 0xd0, 0x59,
+-    0x1b, 0x5d, 0x1e, 0xc2, 0x0b, 0xfb, 0x39, 0x37,
+-    0x44, 0x85, 0xb6, 0x36, 0x06, 0x95, 0xbc, 0x15,
+-    0x35, 0xb9, 0xe6, 0x27, 0x42, 0xe3, 0xc8, 0xec,
+-    0x30, 0x37, 0x20, 0x26, 0x9a, 0x11, 0x61, 0xc0,
+-    0xdb, 0xb2, 0x5a, 0x26, 0x78, 0x27, 0xb9, 0x13,
+-    0xc9, 0x1a, 0xa7, 0x67, 0x93, 0xe8, 0xbe, 0xcb,
+-};
+-
+-#define rsa_sigverx931_1_n rsa_sigverx931_0_n
+-#define rsa_sigverx931_1_e rsa_sigverx931_0_e
+-static const unsigned char rsa_sigverx931_1_msg[] = {
+-    0x79, 0x02, 0xb9, 0xd2, 0x3e, 0x84, 0x02, 0xc8,
+-    0x2a, 0x94, 0x92, 0x14, 0x8d, 0xd5, 0xd3, 0x8d,
+-    0xb2, 0xf6, 0x00, 0x8b, 0x61, 0x2c, 0xd2, 0xf9,
+-    0xa8, 0xe0, 0x5d, 0xac, 0xdc, 0xa5, 0x34, 0xf3,
+-    0xda, 0x6c, 0xd4, 0x70, 0x92, 0xfb, 0x40, 0x26,
+-    0xc7, 0x9b, 0xe8, 0xd2, 0x10, 0x11, 0xcf, 0x7f,
+-    0x23, 0xd0, 0xed, 0x55, 0x52, 0x6d, 0xd3, 0xb2,
+-    0x56, 0x53, 0x8d, 0x7c, 0x4c, 0xb8, 0xcc, 0xb5,
+-    0xfd, 0xd0, 0x45, 0x4f, 0x62, 0x40, 0x54, 0x42,
+-    0x68, 0xd5, 0xe5, 0xdd, 0xf0, 0x76, 0x94, 0x59,
+-    0x1a, 0x57, 0x13, 0xb4, 0xc3, 0x70, 0xcc, 0xbd,
+-    0x4c, 0x2e, 0xc8, 0x6b, 0x9d, 0x68, 0xd0, 0x72,
+-    0x6a, 0x94, 0xd2, 0x18, 0xb5, 0x3b, 0x86, 0x45,
+-    0x95, 0xaa, 0x50, 0xda, 0x35, 0xeb, 0x69, 0x44,
+-    0x1f, 0xf3, 0x3a, 0x51, 0xbb, 0x1d, 0x08, 0x42,
+-    0x12, 0xd7, 0xd6, 0x21, 0xd8, 0x9b, 0x87, 0x55,
+-};
+-
+-static const unsigned char rsa_sigverx931_1_sig[] = {
+-    0x3b, 0xba, 0xb3, 0xb1, 0xb2, 0x6a, 0x29, 0xb5,
+-    0xf9, 0x94, 0xf1, 0x00, 0x5c, 0x16, 0x67, 0x67,
+-    0x73, 0xd3, 0xde, 0x7e, 0x07, 0xfa, 0xaa, 0x95,
+-    0xeb, 0x5a, 0x55, 0xdc, 0xb2, 0xa9, 0x70, 0x5a,
+-    0xee, 0x8f, 0x8d, 0x69, 0x85, 0x2b, 0x00, 0xe3,
+-    0xdc, 0xe2, 0x73, 0x9b, 0x68, 0xeb, 0x93, 0x69,
+-    0x08, 0x03, 0x17, 0xd6, 0x50, 0x21, 0x14, 0x23,
+-    0x8c, 0xe6, 0x54, 0x3a, 0xd9, 0xfc, 0x8b, 0x14,
+-    0x81, 0xb1, 0x8b, 0x9d, 0xd2, 0xbe, 0x58, 0x75,
+-    0x94, 0x74, 0x93, 0xc9, 0xbb, 0x4e, 0xf6, 0x1f,
+-    0x73, 0x7d, 0x1a, 0x5f, 0xbd, 0xbf, 0x59, 0x37,
+-    0x5b, 0x98, 0x54, 0xad, 0x3a, 0xef, 0xa0, 0xef,
+-    0xcb, 0xc3, 0xe8, 0x84, 0xd8, 0x3d, 0xf5, 0x60,
+-    0xb8, 0xc3, 0x8d, 0x1e, 0x78, 0xa0, 0x91, 0x94,
+-    0xb7, 0xd7, 0xb1, 0xd4, 0xe2, 0xee, 0x81, 0x93,
+-    0xfc, 0x41, 0xf0, 0x31, 0xbb, 0x03, 0x52, 0xde,
+-    0x80, 0x20, 0x3a, 0x68, 0xe6, 0xc5, 0x50, 0x1b,
+-    0x08, 0x3f, 0x40, 0xde, 0xb3, 0xe5, 0x81, 0x99,
+-    0x7f, 0xdb, 0xb6, 0x5d, 0x61, 0x27, 0xd4, 0xfb,
+-    0xcd, 0xc5, 0x7a, 0xea, 0xde, 0x7a, 0x66, 0xef,
+-    0x55, 0x3f, 0x85, 0xea, 0x84, 0xc5, 0x0a, 0xf6,
+-    0x3c, 0x40, 0x38, 0xf7, 0x6c, 0x66, 0xe5, 0xbe,
+-    0x61, 0x41, 0xd3, 0xb1, 0x08, 0xe1, 0xb4, 0xf9,
+-    0x6e, 0xf6, 0x0e, 0x4a, 0x72, 0x6c, 0x61, 0x63,
+-    0x3e, 0x41, 0x33, 0x94, 0xd6, 0x27, 0xa4, 0xd9,
+-    0x3a, 0x20, 0x2b, 0x39, 0xea, 0xe5, 0x82, 0x48,
+-    0xd6, 0x5b, 0x58, 0x85, 0x44, 0xb0, 0xd2, 0xfd,
+-    0xfb, 0x3e, 0xeb, 0x78, 0xac, 0xbc, 0xba, 0x16,
+-    0x92, 0x0e, 0x20, 0xc1, 0xb2, 0xd1, 0x92, 0xa8,
+-    0x00, 0x88, 0xc0, 0x41, 0x46, 0x38, 0xb6, 0x54,
+-    0x70, 0x0c, 0x00, 0x62, 0x97, 0x6a, 0x8e, 0x66,
+-    0x5a, 0xa1, 0x6c, 0xf7, 0x6d, 0xc2, 0x27, 0x56,
+-    0x60, 0x5b, 0x0c, 0x52, 0xac, 0x5c, 0xae, 0x99,
+-    0x55, 0x11, 0x62, 0x52, 0x09, 0x48, 0x53, 0x90,
+-    0x3c, 0x0b, 0xd4, 0xdc, 0x7b, 0xe3, 0x4c, 0xe3,
+-    0xa8, 0x6d, 0xc5, 0xdf, 0xc1, 0x5c, 0x59, 0x25,
+-    0x99, 0x30, 0xde, 0x57, 0x6a, 0x84, 0x25, 0x34,
+-    0x3e, 0x64, 0x11, 0xdb, 0x7a, 0x82, 0x8e, 0x70,
+-    0xd2, 0x5c, 0x0e, 0x81, 0xa0, 0x24, 0x53, 0x75,
+-    0x98, 0xd6, 0x10, 0x01, 0x6a, 0x14, 0xed, 0xc3,
+-    0x6f, 0xc4, 0x18, 0xb8, 0xd2, 0x9f, 0x59, 0x53,
+-    0x81, 0x3a, 0x86, 0x31, 0xfc, 0x9e, 0xbf, 0x6c,
+-    0x52, 0x93, 0x86, 0x9c, 0xaa, 0x6c, 0x6f, 0x07,
+-    0x8a, 0x40, 0x33, 0x64, 0xb2, 0x70, 0x48, 0x85,
+-    0x05, 0x59, 0x65, 0x2d, 0x6b, 0x9a, 0xad, 0xab,
+-    0x20, 0x7e, 0x02, 0x6d, 0xde, 0xcf, 0x22, 0x0b,
+-    0xea, 0x6e, 0xbd, 0x1c, 0x39, 0x3a, 0xfd, 0xa4,
+-    0xde, 0x54, 0xae, 0xde, 0x5e, 0xf7, 0xb0, 0x6d,
+-};
+-
+ static const struct rsa_sigver_st rsa_sigver_data[] = {
+     {
+         "pkcs1", /* pkcs1v1.5 */
+@@ -1841,17 +1638,6 @@ static const struct rsa_sigver_st rsa_sigver_data[] = {
+         NO_PSS_SALT_LEN,
+         FAIL
+     },
+-    {
+-        "x931",
+-        3072,
+-        "SHA256",
+-        ITM(rsa_sigverx931_1_msg),
+-        ITM(rsa_sigverx931_1_n),
+-        ITM(rsa_sigverx931_1_e),
+-        ITM(rsa_sigverx931_1_sig),
+-        NO_PSS_SALT_LEN,
+-        FAIL
+-    },
+     {
+         "pss",
+         4096,
+-- 
+2.41.0
+

0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch

@@ -0,0 +1,104 @@
+From 8e388e194e665286a8996d7d5926bab5c1a6b4f9 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 15:46:40 +0200
+Subject: [PATCH 38/48] 
+ 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
+
+Patch-name: 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
+Patch-id: 83
+---
+ include/crypto/evp.h                       |  7 +++++++
+ include/openssl/core_names.h               |  1 +
+ include/openssl/evp.h                      |  3 +++
+ providers/implementations/macs/hmac_prov.c | 17 +++++++++++++++++
+ 4 files changed, 28 insertions(+)
+
+diff --git a/include/crypto/evp.h b/include/crypto/evp.h
+index aa07153441..a13127bd59 100644
+--- a/include/crypto/evp.h
++++ b/include/crypto/evp.h
+@@ -196,6 +196,13 @@ const EVP_PKEY_METHOD *ossl_ed448_pkey_method(void);
+ const EVP_PKEY_METHOD *ossl_rsa_pkey_method(void);
+ const EVP_PKEY_METHOD *ossl_rsa_pss_pkey_method(void);
+ 
++#ifdef FIPS_MODULE
++/* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms specifies key
++ * lengths < 112 bytes are disallowed for HMAC generation and legacy use for
++ * HMAC verification. */
++# define EVP_HMAC_GEN_FIPS_MIN_KEY_LEN (112 / 8)
++#endif
++
+ struct evp_mac_st {
+     OSSL_PROVIDER *prov;
+     int name_id;
+diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
+index f185bc9342..1d1da4d3ca 100644
+--- a/include/openssl/core_names.h
++++ b/include/openssl/core_names.h
+@@ -175,6 +175,7 @@ extern "C" {
+ #define OSSL_MAC_PARAM_SIZE             "size"                    /* size_t */
+ #define OSSL_MAC_PARAM_BLOCK_SIZE       "block-size"              /* size_t */
+ #define OSSL_MAC_PARAM_TLS_DATA_SIZE    "tls-data-size"           /* size_t */
++#define OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator"
+ 
+ /* Known MAC names */
+ #define OSSL_MAC_NAME_BLAKE2BMAC    "BLAKE2BMAC"
+diff --git a/include/openssl/evp.h b/include/openssl/evp.h
+index 86f4e22c70..615857caf5 100644
+--- a/include/openssl/evp.h
++++ b/include/openssl/evp.h
+@@ -1194,6 +1194,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx,
+                             void *arg);
+ 
+ /* MAC stuff */
++# define EVP_MAC_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED     1
++# define EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
+ 
+ EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm,
+                        const char *properties);
+diff --git a/providers/implementations/macs/hmac_prov.c b/providers/implementations/macs/hmac_prov.c
+index 52ebb08b8f..cf5c3ecbe7 100644
+--- a/providers/implementations/macs/hmac_prov.c
++++ b/providers/implementations/macs/hmac_prov.c
+@@ -21,6 +21,8 @@
+ #include <openssl/evp.h>
+ #include <openssl/hmac.h>
+ 
++#include "crypto/evp.h"
++
+ #include "prov/implementations.h"
+ #include "prov/provider_ctx.h"
+ #include "prov/provider_util.h"
+@@ -244,6 +246,9 @@ static int hmac_final(void *vmacctx, unsigned char *out, size_t *outl,
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
+     OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL),
+     OSSL_PARAM_size_t(OSSL_MAC_PARAM_BLOCK_SIZE, NULL),
++#ifdef FIPS_MODULE
++    OSSL_PARAM_int(OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR, NULL),
++#endif /* defined(FIPS_MODULE) */
+     OSSL_PARAM_END
+ };
+ static const OSSL_PARAM *hmac_gettable_ctx_params(ossl_unused void *ctx,
+@@ -265,6 +270,18 @@ static int hmac_get_ctx_params(void *vmacctx, OSSL_PARAM params[])
+             && !OSSL_PARAM_set_int(p, hmac_block_size(macctx)))
+         return 0;
+ 
++#ifdef FIPS_MODULE
++    if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR)) != NULL) {
++        int fips_indicator = EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED;
++        /* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms
++         * specifies key lengths < 112 bytes are disallowed for HMAC generation
++         * and legacy use for HMAC verification. */
++        if (macctx->keylen < EVP_HMAC_GEN_FIPS_MIN_KEY_LEN)
++            fips_indicator = EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++        return OSSL_PARAM_set_int(p, fips_indicator);
++    }
++#endif /* defined(FIPS_MODULE) */
++
+     return 1;
+ }
+ 
+-- 
+2.41.0
+

0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch

@@ -0,0 +1,69 @@
+From 915990e450e769e370fcacbfd8ed58ab6afaf2bf Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 15:47:55 +0200
+Subject: [PATCH 39/48] 
+ 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
+
+Patch-name: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
+Patch-id: 84
+---
+ providers/implementations/kdfs/pbkdf2.c | 27 ++++++++++++++++++++++++-
+ 1 file changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
+index 349c3dd657..11820d1e69 100644
+--- a/providers/implementations/kdfs/pbkdf2.c
++++ b/providers/implementations/kdfs/pbkdf2.c
+@@ -35,6 +35,21 @@
+ #define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF
+ #define KDF_PBKDF2_MIN_ITERATIONS 1000
+ #define KDF_PBKDF2_MIN_SALT_LEN   (128 / 8)
++/* The Implementation Guidance for FIPS 140-3 says in section D.N
++ * "Password-Based Key Derivation for Storage Applications" that "the vendor
++ * shall document in the module’s Security Policy the length of
++ * a password/passphrase used in key derivation and establish an upper bound
++ * for the probability of having this parameter guessed at random. This
++ * probability shall take into account not only the length of the
++ * password/passphrase, but also the difficulty of guessing it. The decision on
++ * the minimum length of a password used for key derivation is the vendor’s,
++ * but the vendor shall at a minimum informally justify the decision."
++ *
++ * We are choosing a minimum password length of 8 bytes, because NIST's ACVP
++ * testing uses passwords as short as 8 bytes, and requiring longer passwords
++ * combined with an implicit indicator (i.e., returning an error) would cause
++ * the module to fail ACVP testing. */
++#define KDF_PBKDF2_MIN_PASSWORD_LEN (8)
+ 
+ static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf2_new;
+ static OSSL_FUNC_kdf_dupctx_fn kdf_pbkdf2_dup;
+@@ -219,9 +234,15 @@ static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+         ctx->lower_bound_checks = pkcs5 == 0;
+     }
+ 
+-    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL)
++    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL) {
++        if (ctx->lower_bound_checks != 0
++            && p->data_size < KDF_PBKDF2_MIN_PASSWORD_LEN) {
++            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
++            return 0;
++        }
+         if (!pbkdf2_set_membuf(&ctx->pass, &ctx->pass_len, p))
+             return 0;
++    }
+ 
+     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) {
+         if (ctx->lower_bound_checks != 0
+@@ -331,6 +352,10 @@ static int pbkdf2_derive(const char *pass, size_t passlen,
+     }
+ 
+     if (lower_bound_checks) {
++        if (passlen < KDF_PBKDF2_MIN_PASSWORD_LEN) {
++            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
++            return 0;
++        }
+         if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) {
+             ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
+             return 0;
+-- 
+2.41.0
+

0085-FIPS-RSA-disable-shake.patch

@@ -0,0 +1,101 @@
+From 2306fde5556cbcb875d095c09fed01a0f16fe7ec Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 15:51:55 +0200
+Subject: [PATCH 40/48] 0085-FIPS-RSA-disable-shake.patch
+
+Patch-name: 0085-FIPS-RSA-disable-shake.patch
+Patch-id: 85
+---
+ crypto/rsa/rsa_oaep.c | 28 ++++++++++++++++++++++++++++
+ crypto/rsa/rsa_pss.c  | 16 ++++++++++++++++
+ 2 files changed, 44 insertions(+)
+
+diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
+index b2f7f7dc4b..af2b0b026c 100644
+--- a/crypto/rsa/rsa_oaep.c
++++ b/crypto/rsa/rsa_oaep.c
+@@ -78,9 +78,23 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx,
+         return 0;
+ #endif
+     }
++
++#ifdef FIPS_MODULE
++    if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256")) {
++        ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
++        return 0;
++    }
++#endif
+     if (mgf1md == NULL)
+         mgf1md = md;
+ 
++#ifdef FIPS_MODULE
++    if (EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) {
++        ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
++        return 0;
++    }
++#endif
++
+     mdlen = EVP_MD_get_size(md);
+     if (mdlen <= 0) {
+         ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_LENGTH);
+@@ -203,9 +217,23 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
+ #endif
+     }
+ 
++#ifdef FIPS_MODULE
++    if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256")) {
++        ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
++        return -1;
++    }
++#endif
++
+     if (mgf1md == NULL)
+         mgf1md = md;
+ 
++#ifdef FIPS_MODULE
++    if (EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) {
++        ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
++        return -1;
++    }
++#endif
++
+     mdlen = EVP_MD_get_size(md);
+ 
+     if (tlen <= 0 || flen <= 0)
+diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
+index bb46ec64c7..c0fdf232da 100644
+--- a/crypto/rsa/rsa_pss.c
++++ b/crypto/rsa/rsa_pss.c
+@@ -53,6 +53,14 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
+     if (mgf1Hash == NULL)
+         mgf1Hash = Hash;
+ 
++#ifdef FIPS_MODULE
++    if (EVP_MD_is_a(Hash, "SHAKE-128") || EVP_MD_is_a(Hash, "SHAKE-256"))
++        goto err;
++
++    if (EVP_MD_is_a(mgf1Hash, "SHAKE-128") || EVP_MD_is_a(mgf1Hash, "SHAKE-256"))
++        goto err;
++#endif
++
+     hLen = EVP_MD_get_size(Hash);
+     if (hLen < 0)
+         goto err;
+@@ -168,6 +176,14 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
+     if (mgf1Hash == NULL)
+         mgf1Hash = Hash;
+ 
++#ifdef FIPS_MODULE
++    if (EVP_MD_is_a(Hash, "SHAKE-128") || EVP_MD_is_a(Hash, "SHAKE-256"))
++        goto err;
++
++    if (EVP_MD_is_a(mgf1Hash, "SHAKE-128") || EVP_MD_is_a(mgf1Hash, "SHAKE-256"))
++        goto err;
++#endif
++
+     hLen = EVP_MD_get_size(Hash);
+     if (hLen < 0)
+         goto err;
+-- 
+2.41.0
+

0088-signature-Add-indicator-for-PSS-salt-length.patch

@@ -0,0 +1,82 @@
+From 98ee6faef3da1439c04f11cd2796132d27d1e607 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 15:58:07 +0200
+Subject: [PATCH 41/48] 0088-signature-Add-indicator-for-PSS-salt-length.patch
+
+Patch-name: 0088-signature-Add-indicator-for-PSS-salt-length.patch
+Patch-id: 88
+---
+ include/openssl/core_names.h                  |  1 +
+ include/openssl/evp.h                         |  4 ++++
+ providers/implementations/signature/rsa_sig.c | 21 +++++++++++++++++++
+ 3 files changed, 26 insertions(+)
+
+diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
+index 1d1da4d3ca..48af87e236 100644
+--- a/include/openssl/core_names.h
++++ b/include/openssl/core_names.h
+@@ -458,6 +458,7 @@ extern "C" {
+ #define OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES    \
+     OSSL_PKEY_PARAM_MGF1_PROPERTIES
+ #define OSSL_SIGNATURE_PARAM_DIGEST_SIZE        OSSL_PKEY_PARAM_DIGEST_SIZE
++#define OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator"
+ 
+ /* Asym cipher parameters */
+ #define OSSL_ASYM_CIPHER_PARAM_DIGEST                   OSSL_PKEY_PARAM_DIGEST
+diff --git a/include/openssl/evp.h b/include/openssl/evp.h
+index 615857caf5..05f2d0f75a 100644
+--- a/include/openssl/evp.h
++++ b/include/openssl/evp.h
+@@ -799,6 +799,10 @@ __owur int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm,
+ __owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
+                               int *outl);
+ 
++# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED     1
++# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
++
+ __owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
+                          EVP_PKEY *pkey);
+ __owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
+diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
+index cfaa4841cb..851671cfb1 100644
+--- a/providers/implementations/signature/rsa_sig.c
++++ b/providers/implementations/signature/rsa_sig.c
+@@ -1173,6 +1173,24 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
+         }
+     }
+ 
++#ifdef FIPS_MODULE
++    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR);
++    if (p != NULL) {
++        int fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED;
++        if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {
++            if (prsactx->md == NULL) {
++                fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED;
++            } else if (rsa_pss_compute_saltlen(prsactx) > EVP_MD_get_size(prsactx->md)) {
++                fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++            }
++        } else if (prsactx->pad_mode == RSA_NO_PADDING) {
++            if (prsactx->md == NULL) /* Should always be the case */
++                fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++        }
++        return OSSL_PARAM_set_int(p, fips_indicator);
++    }
++#endif
++
+     return 1;
+ }
+ 
+@@ -1182,6 +1200,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
+     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
+     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
+     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
++#ifdef FIPS_MODULE
++    OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR, NULL),
++#endif
+     OSSL_PARAM_END
+ };
+ 
+-- 
+2.41.0
+

0091-FIPS-RSA-encapsulate.patch

@@ -0,0 +1,47 @@
+From afab56d09edb525dd794fcb2ae2295ab7f39400a Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 16:01:48 +0200
+Subject: [PATCH 42/48] 0091-FIPS-RSA-encapsulate.patch
+
+Patch-name: 0091-FIPS-RSA-encapsulate.patch
+Patch-id: 91
+---
+ providers/implementations/kem/rsa_kem.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
+index 365ae3d7d6..8a6f585d0b 100644
+--- a/providers/implementations/kem/rsa_kem.c
++++ b/providers/implementations/kem/rsa_kem.c
+@@ -265,6 +265,14 @@ static int rsasve_generate(PROV_RSA_CTX *prsactx,
+             *secretlen = nlen;
+         return 1;
+     }
++
++#ifdef FIPS_MODULE
++    if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
++        return 0;
++    }
++#endif
++
+     /*
+      * Step (2): Generate a random byte string z of nlen bytes where
+      *            1 < z < n - 1
+@@ -308,6 +316,13 @@ static int rsasve_recover(PROV_RSA_CTX *prsactx,
+         return 1;
+     }
+ 
++#ifdef FIPS_MODULE
++    if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
++        return 0;
++    }
++#endif
++
+     /* Step (2): check the input ciphertext 'inlen' matches the nlen */
+     if (inlen != nlen) {
+         ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH);
+-- 
+2.41.0
+

0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch

@@ -0,0 +1,330 @@
+From 590babb35e3aa399c889282747965e301333a656 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 16:07:18 +0200
+Subject: [PATCH 43/48] 
+ 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
+
+Patch-name: 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
+Patch-id: 93
+---
+ crypto/dh/dh_backend.c                       | 10 ++++
+ crypto/dh/dh_check.c                         | 12 ++--
+ crypto/dh/dh_gen.c                           | 12 +++-
+ crypto/dh/dh_key.c                           | 13 ++--
+ crypto/dh/dh_pmeth.c                         | 10 +++-
+ providers/implementations/keymgmt/dh_kmgmt.c |  5 ++
+ test/endecode_test.c                         |  4 +-
+ test/evp_libctx_test.c                       |  2 +-
+ test/helpers/predefined_dhparams.c           | 62 ++++++++++++++++++++
+ test/helpers/predefined_dhparams.h           |  1 +
+ test/recipes/80-test_cms.t                   |  4 +-
+ test/recipes/80-test_ssl_old.t               |  3 +
+ 12 files changed, 118 insertions(+), 20 deletions(-)
+
+diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c
+index 726843fd30..24c65ca84f 100644
+--- a/crypto/dh/dh_backend.c
++++ b/crypto/dh/dh_backend.c
+@@ -53,6 +53,16 @@ int ossl_dh_params_fromdata(DH *dh, const OSSL_PARAM params[])
+     if (!dh_ffc_params_fromdata(dh, params))
+         return 0;
+ 
++#ifdef FIPS_MODULE
++    if (!ossl_dh_is_named_safe_prime_group(dh)) {
++        ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
++                       "FIPS 186-4 type domain parameters no longer allowed in"
++                       " FIPS mode, since the required validation routines"
++                       " were removed from FIPS 186-5");
++        return 0;
++    }
++#endif
++
+     param_priv_len =
+         OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_PRIV_LEN);
+     if (param_priv_len != NULL
+diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
+index 0b391910d6..75581ca347 100644
+--- a/crypto/dh/dh_check.c
++++ b/crypto/dh/dh_check.c
+@@ -57,13 +57,15 @@ int DH_check_params(const DH *dh, int *ret)
+     nid = DH_get_nid((DH *)dh);
+     if (nid != NID_undef)
+         return 1;
++
+     /*
+-     * OR
+-     * (2b) FFC domain params conform to FIPS-186-4 explicit domain param
+-     * validity tests.
++     * FIPS 186-4 explicit domain parameters are no longer supported in FIPS mode.
+      */
+-    return ossl_ffc_params_FIPS186_4_validate(dh->libctx, &dh->params,
+-                                              FFC_PARAM_TYPE_DH, ret, NULL);
++    ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
++                   "FIPS 186-4 type domain parameters no longer allowed in"
++                   " FIPS mode, since the required validation routines were"
++                   " removed from FIPS 186-5");
++    return 0;
+ }
+ #else
+ int DH_check_params(const DH *dh, int *ret)
+diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c
+index 204662a81c..9961f21920 100644
+--- a/crypto/dh/dh_gen.c
++++ b/crypto/dh/dh_gen.c
+@@ -39,18 +39,26 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
+ int ossl_dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits,
+                                     BN_GENCB *cb)
+ {
+-    int ret, res;
++    int ret = 0;
+ 
+ #ifndef FIPS_MODULE
++    int res;
++
+     if (type == DH_PARAMGEN_TYPE_FIPS_186_2)
+         ret = ossl_ffc_params_FIPS186_2_generate(dh->libctx, &dh->params,
+                                                  FFC_PARAM_TYPE_DH,
+                                                  pbits, qbits, &res, cb);
+     else
+-#endif
+         ret = ossl_ffc_params_FIPS186_4_generate(dh->libctx, &dh->params,
+                                                  FFC_PARAM_TYPE_DH,
+                                                  pbits, qbits, &res, cb);
++#else
++    /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */
++    ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
++                   "FIPS 186-4 type domain parameters no longer allowed in"
++                   " FIPS mode, since the required generation routines were"
++                   " removed from FIPS 186-5");
++#endif
+     if (ret > 0)
+         dh->dirty_cnt++;
+     return ret;
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
+index 83773cceea..7e988368d3 100644
+--- a/crypto/dh/dh_key.c
++++ b/crypto/dh/dh_key.c
+@@ -321,8 +321,12 @@ static int generate_key(DH *dh)
+                 goto err;
+         } else {
+ #ifdef FIPS_MODULE
+-            if (dh->params.q == NULL)
+-                goto err;
++            ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
++                           "FIPS 186-4 type domain parameters no longer"
++                           " allowed in FIPS mode, since the required"
++                           " generation routines were removed from FIPS"
++                           " 186-5");
++            goto err;
+ #else
+             if (dh->params.q == NULL) {
+                 /* secret exponent length, must satisfy 2^(l-1) <= p */
+@@ -343,9 +347,7 @@ static int generate_key(DH *dh)
+                     if (!BN_clear_bit(priv_key, 0))
+                         goto err;
+                 }
+-            } else
+-#endif
+-            {
++            } else {
+                 /* Do a partial check for invalid p, q, g */
+                 if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params,
+                                                      FFC_PARAM_TYPE_DH, NULL))
+@@ -361,6 +363,7 @@ static int generate_key(DH *dh)
+                                                    priv_key))
+                     goto err;
+             }
++#endif
+         }
+     }
+ 
+diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
+index f201eede0d..30f90d15be 100644
+--- a/crypto/dh/dh_pmeth.c
++++ b/crypto/dh/dh_pmeth.c
+@@ -305,13 +305,17 @@ static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx,
+                                                 prime_len, subprime_len, &res,
+                                                 pcb);
+     else
+-# endif
+-    /* For FIPS we always use the DH_PARAMGEN_TYPE_FIPS_186_4 generator */
+-    if (dctx->paramgen_type >= DH_PARAMGEN_TYPE_FIPS_186_2)
+         rv = ossl_ffc_params_FIPS186_4_generate(libctx, &ret->params,
+                                                 FFC_PARAM_TYPE_DH,
+                                                 prime_len, subprime_len, &res,
+                                                 pcb);
++# else
++    /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */
++    ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
++                   "FIPS 186-4 type domain parameters no longer allowed in"
++                   " FIPS mode, since the required generation routines were"
++                   " removed from FIPS 186-5");
++# endif
+     if (rv <= 0) {
+         DH_free(ret);
+         return NULL;
+diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
+index 9a7dde7c66..b3e7bca5ac 100644
+--- a/providers/implementations/keymgmt/dh_kmgmt.c
++++ b/providers/implementations/keymgmt/dh_kmgmt.c
+@@ -414,6 +414,11 @@ static int dh_validate(const void *keydata, int selection, int checktype)
+     if ((selection & DH_POSSIBLE_SELECTIONS) == 0)
+         return 1; /* nothing to validate */
+ 
++#ifdef FIPS_MODULE
++    /* In FIPS provider, always check the domain parameters to disallow
++     * operations on keys with FIPS 186-4 params. */
++    selection |= OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS;
++#endif
+     if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) {
+         /*
+          * Both of these functions check parameters. DH_check_params_ex()
+diff --git a/test/endecode_test.c b/test/endecode_test.c
+index 53385028fc..169f3ccd73 100644
+--- a/test/endecode_test.c
++++ b/test/endecode_test.c
+@@ -84,10 +84,10 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams)
+      * for testing only. Use a minimum key size of 2048 for security purposes.
+      */
+     if (strcmp(type, "DH") == 0)
+-        return get_dh512(keyctx);
++        return get_dh2048(keyctx);
+ 
+     if (strcmp(type, "X9.42 DH") == 0)
+-        return get_dhx512(keyctx);
++        return get_dhx_ffdhe2048(keyctx);
+ # endif
+ 
+     /*
+diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
+index a7913cda4c..96a35ac1cc 100644
+--- a/test/evp_libctx_test.c
++++ b/test/evp_libctx_test.c
+@@ -189,7 +189,7 @@ static int do_dh_param_keygen(int tstid, const BIGNUM **bn)
+ 
+     if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL))
+         || !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0)
+-        || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey), expected))
++        || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey) == 1, expected))
+         goto err;
+ 
+     if (expected) {
+diff --git a/test/helpers/predefined_dhparams.c b/test/helpers/predefined_dhparams.c
+index 4bdadc4143..e5186e4b4a 100644
+--- a/test/helpers/predefined_dhparams.c
++++ b/test/helpers/predefined_dhparams.c
+@@ -116,6 +116,68 @@ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx)
+                           dhx512_q, sizeof(dhx512_q));
+ }
+ 
++EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx)
++{
++    /* This is RFC 7919 ffdhe2048, since Red Hat removes support for
++     * non-well-known groups in FIPS mode. */
++    static unsigned char dhx_p[] = {
++        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xad, 0xf8, 0x54, 0x58,
++        0xa2, 0xbb, 0x4a, 0x9a, 0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1,
++        0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95, 0xa9, 0xe1, 0x36, 0x41,
++        0x14, 0x64, 0x33, 0xfb, 0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9,
++        0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8, 0xf6, 0x81, 0xb2, 0x02,
++        0xae, 0xc4, 0x61, 0x7a, 0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61,
++        0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0, 0x85, 0x63, 0x65, 0x55,
++        0x3d, 0xed, 0x1a, 0xf3, 0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35,
++        0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77, 0xe2, 0xa6, 0x89, 0xda,
++        0xf3, 0xef, 0xe8, 0x72, 0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35,
++        0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a, 0xbc, 0x0a, 0xb1, 0x82,
++        0xb3, 0x24, 0xfb, 0x61, 0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb,
++        0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68, 0x1d, 0x4f, 0x42, 0xa3,
++        0xde, 0x39, 0x4d, 0xf4, 0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19,
++        0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70, 0x9e, 0x02, 0xfc, 0xe1,
++        0xcd, 0xf7, 0xe2, 0xec, 0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61,
++        0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff, 0x8e, 0x4f, 0x12, 0x32,
++        0xee, 0xf2, 0x81, 0x83, 0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73,
++        0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05, 0xc5, 0x8e, 0xf1, 0x83,
++        0x7d, 0x16, 0x83, 0xb2, 0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa,
++        0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97, 0xff, 0xff, 0xff, 0xff,
++        0xff, 0xff, 0xff, 0xff
++    };
++    static unsigned char dhx_g[] = {
++        0x02
++    };
++    static unsigned char dhx_q[] = {
++        0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xd6, 0xfc, 0x2a, 0x2c,
++        0x51, 0x5d, 0xa5, 0x4d, 0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78,
++        0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a, 0xd4, 0xf0, 0x9b, 0x20,
++        0x8a, 0x32, 0x19, 0xfd, 0xe6, 0x49, 0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c,
++        0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec, 0x7b, 0x40, 0xd9, 0x01,
++        0x57, 0x62, 0x30, 0xbd, 0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0,
++        0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68, 0x42, 0xb1, 0xb2, 0xaa,
++        0x9e, 0xf6, 0x8d, 0x79, 0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a,
++        0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb, 0xf1, 0x53, 0x44, 0xed,
++        0x79, 0xf7, 0xf4, 0x39, 0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a,
++        0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd, 0x5e, 0x05, 0x58, 0xc1,
++        0x59, 0x92, 0x7d, 0xb0, 0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd,
++        0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34, 0x0e, 0xa7, 0xa1, 0x51,
++        0xef, 0x1c, 0xa6, 0xfa, 0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c,
++        0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8, 0x4f, 0x01, 0x7e, 0x70,
++        0xe6, 0xfb, 0xf1, 0x76, 0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0,
++        0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff, 0xc7, 0x27, 0x89, 0x19,
++        0x77, 0x79, 0x40, 0xc1, 0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9,
++        0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02, 0xe2, 0xc7, 0x78, 0xc1,
++        0xbe, 0x8b, 0x41, 0xd9, 0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd,
++        0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b, 0xff, 0xff, 0xff, 0xff,
++        0xff, 0xff, 0xff, 0xff
++    };
++
++    return get_dh_from_pg(libctx, "X9.42 DH",
++                          dhx_p, sizeof(dhx_p),
++                          dhx_g, sizeof(dhx_g),
++                          dhx_q, sizeof(dhx_q));
++}
++
+ EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libctx)
+ {
+     static unsigned char dh1024_p[] = {
+diff --git a/test/helpers/predefined_dhparams.h b/test/helpers/predefined_dhparams.h
+index f0e8709062..2ff6d6e721 100644
+--- a/test/helpers/predefined_dhparams.h
++++ b/test/helpers/predefined_dhparams.h
+@@ -12,6 +12,7 @@
+ #ifndef OPENSSL_NO_DH
+ EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx);
+ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx);
++EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx);
+ EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libct);
+ EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx);
+ EVP_PKEY *get_dh4096(OSSL_LIB_CTX *libctx);
+diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
+index 2a459856f0..afac836fa3 100644
+--- a/test/recipes/80-test_cms.t
++++ b/test/recipes/80-test_cms.t
+@@ -627,10 +627,10 @@ my @smime_cms_param_tests = (
+     ],
+ 
+     [ "enveloped content test streaming S/MIME format, X9.42 DH",
+-      [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
++      [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
+         "-stream", "-out", "{output}.cms",
+         "-recip", catfile($smdir, "smdh.pem"), "-aes128" ],
+-      [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
++      [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
+         "-in", "{output}.cms", "-out", "{output}.txt" ],
+       \&final_compare
+     ]
+diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
+index 527abcea6e..e1d38b1e62 100644
+--- a/test/recipes/80-test_ssl_old.t
++++ b/test/recipes/80-test_ssl_old.t
+@@ -390,6 +390,9 @@ sub testssl {
+             skip "skipping dhe1024dsa test", 1
+                 if ($no_dh);
+ 
++            skip "FIPS 186-4 type DH groups are no longer supported by the FIPS provider", 1
++                if $provider eq "fips";
++
+             ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])),
+                'test sslv2/sslv3 with 1024bit DHE via BIO pair');
+           }
+-- 
+2.41.0
+

0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch

@@ -0,0 +1,96 @@
+From 5db03a4d024f1e396ff54d38ac70d9890b034074 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 16:10:11 +0200
+Subject: [PATCH 45/48] 
+ 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
+
+Patch-name: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
+Patch-id: 110
+---
+ include/openssl/core_names.h                  |  1 +
+ include/openssl/evp.h                         |  4 +++
+ .../implementations/ciphers/ciphercommon.c    |  4 +++
+ .../ciphers/ciphercommon_gcm.c                | 25 +++++++++++++++++++
+ 4 files changed, 34 insertions(+)
+
+diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
+index 48af87e236..29459049ad 100644
+--- a/include/openssl/core_names.h
++++ b/include/openssl/core_names.h
+@@ -99,6 +99,7 @@ extern "C" {
+ #define OSSL_CIPHER_PARAM_CTS_MODE             "cts_mode"     /* utf8_string */
+ /* For passing the AlgorithmIdentifier parameter in DER form */
+ #define OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS  "alg_id_param" /* octet_string */
++#define OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" /* int */
+ 
+ #define OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT                    \
+     "tls1multi_maxsndfrag" /* uint */
+diff --git a/include/openssl/evp.h b/include/openssl/evp.h
+index 05f2d0f75a..f1a33ff6f2 100644
+--- a/include/openssl/evp.h
++++ b/include/openssl/evp.h
+@@ -748,6 +748,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags);
+ void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags);
+ int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags);
+ 
++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED     1
++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
++
+ __owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
+                            const unsigned char *key, const unsigned char *iv);
+ /*__owur*/ int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,
+diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c
+index fa383165d8..716add7339 100644
+--- a/providers/implementations/ciphers/ciphercommon.c
++++ b/providers/implementations/ciphers/ciphercommon.c
+@@ -149,6 +149,10 @@ static const OSSL_PARAM cipher_aead_known_gettable_ctx_params[] = {
+     OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
+     OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL),
+     OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, NULL, 0),
++    /* normally we would hide this under an #ifdef FIPS_MODULE, but that does
++     * not work in ciphercommon.c because it is compiled only once into
++     * libcommon.a */
++    OSSL_PARAM_int(OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL),
+     OSSL_PARAM_END
+ };
+ const OSSL_PARAM *ossl_cipher_aead_gettable_ctx_params(
+diff --git a/providers/implementations/ciphers/ciphercommon_gcm.c b/providers/implementations/ciphers/ciphercommon_gcm.c
+index ed95c97ff4..db7910eb0e 100644
+--- a/providers/implementations/ciphers/ciphercommon_gcm.c
++++ b/providers/implementations/ciphers/ciphercommon_gcm.c
+@@ -224,6 +224,31 @@ int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[])
+             || !getivgen(ctx, p->data, p->data_size))
+             return 0;
+     }
++
++    /* We would usually hide this under #ifdef FIPS_MODULE, but
++     * ciphercommon_gcm.c is only compiled once into libcommon.a, so ifdefs do
++     * not work here. */
++    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR);
++    if (p != NULL) {
++        int fips_indicator = EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Verification Program, Section C.H requires guarantees about the
++         * uniqueness of key/iv pairs, and proposes a few approaches to ensure
++         * this. This provides an indicator for option 2 "The IV may be
++         * generated internally at its entirety randomly." Note that one of the
++         * conditions of this option is that "The IV length shall be at least
++         * 96 bits (per SP 800-38D)." We do not specically check for this
++         * condition here, because gcm_iv_generate will fail in this case. */
++        if (ctx->enc && !ctx->iv_gen_rand)
++            fips_indicator = EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        if (!OSSL_PARAM_set_int(p, fips_indicator)) {
++            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
++            return 0;
++        }
++    }
++
+     return 1;
+ }
+ 
+-- 
+2.41.0
+

0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch

@@ -0,0 +1,75 @@
+From 48c763ed9cc889806bc01222382ce6f918a408a2 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 16:12:33 +0200
+Subject: [PATCH 46/48] 
+ 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
+
+Patch-name: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
+Patch-id: 112
+---
+ providers/implementations/kdfs/pbkdf2.c | 40 +++++++++++++++++++++++--
+ 1 file changed, 37 insertions(+), 3 deletions(-)
+
+diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
+index 11820d1e69..bae2238ab5 100644
+--- a/providers/implementations/kdfs/pbkdf2.c
++++ b/providers/implementations/kdfs/pbkdf2.c
+@@ -284,11 +284,42 @@ static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *ctx,
+ 
+ static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
++#ifdef FIPS_MODULE
++    KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx;
++#endif /* defined(FIPS_MODULE) */
+     OSSL_PARAM *p;
++    int any_valid = 0; /* set to 1 when at least one parameter was valid */
++
++    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
++        any_valid = 1;
++
++        if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
++            return 0;
++    }
++
++#ifdef FIPS_MODULE
++    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
++            != NULL) {
++        int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
++
++        /* The lower_bound_checks parameter enables checks required by FIPS. If
++         * those checks are disabled, the PBKDF2 implementation will also
++         * support non-approved parameters (e.g., salt lengths < 16 bytes, see
++         * NIST SP 800-132 section 5.1). */
++        if (!ctx->lower_bound_checks)
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+ 
+-    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+-        return OSSL_PARAM_set_size_t(p, SIZE_MAX);
+-    return -2;
++        if (!OSSL_PARAM_set_int(p, fips_indicator))
++            return 0;
++
++        any_valid = 1;
++    }
++#endif /* defined(FIPS_MODULE) */
++
++    if (!any_valid)
++        return -2;
++
++    return 1;
+ }
+ 
+ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
+@@ -296,6 +327,9 @@ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
+ {
+     static const OSSL_PARAM known_gettable_ctx_params[] = {
+         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++        OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
++#endif /* defined(FIPS_MODULE) */
+         OSSL_PARAM_END
+     };
+     return known_gettable_ctx_params;
+-- 
+2.41.0
+

0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch

@@ -0,0 +1,137 @@
+From 136988155862ce2b45683ef8045e7a8cdd11e215 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 16:13:46 +0200
+Subject: [PATCH 47/48] 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
+
+Patch-name: 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
+Patch-id: 113
+---
+ include/openssl/core_names.h                  |  2 ++
+ include/openssl/evp.h                         |  4 +++
+ .../implementations/asymciphers/rsa_enc.c     | 22 ++++++++++++++
+ providers/implementations/kem/rsa_kem.c       | 30 ++++++++++++++++++-
+ 4 files changed, 57 insertions(+), 1 deletion(-)
+
+diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
+index 29459049ad..9af0b1847d 100644
+--- a/include/openssl/core_names.h
++++ b/include/openssl/core_names.h
+@@ -480,6 +480,7 @@ extern "C" {
+ #ifdef FIPS_MODULE
+ #define OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED     "redhat-kat-oaep-seed"
+ #endif
++#define OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR    "redhat-fips-indicator"
+ 
+ /*
+  * Encoder / decoder parameters
+@@ -514,6 +515,7 @@ extern "C" {
+ 
+ /* KEM parameters */
+ #define OSSL_KEM_PARAM_OPERATION            "operation"
++#define OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" /* int */
+ 
+ /* OSSL_KEM_PARAM_OPERATION values */
+ #define OSSL_KEM_PARAM_OPERATION_RSASVE     "RSASVE"
+diff --git a/include/openssl/evp.h b/include/openssl/evp.h
+index f1a33ff6f2..dadbf46a5a 100644
+--- a/include/openssl/evp.h
++++ b/include/openssl/evp.h
+@@ -1767,6 +1767,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void);
+ OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx);
+ # endif
+ 
++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED     1
++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
++
+ EVP_KEYMGMT *EVP_KEYMGMT_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
+                                const char *properties);
+ int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt);
+diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
+index d169bfd396..bd4dcb4e27 100644
+--- a/providers/implementations/asymciphers/rsa_enc.c
++++ b/providers/implementations/asymciphers/rsa_enc.c
+@@ -466,6 +466,27 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
+     if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->implicit_rejection))
+         return 0;
+ 
++#ifdef FIPS_MODULE
++    p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR);
++    if (p != NULL) {
++        int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED;
++
++        /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
++         * confirmation (section 6.4.2.3.2), or assurance from a trusted third
++         * party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme, but
++         * explicit key confirmation is not implemented here and cannot be
++         * implemented without protocol changes, and the FIPS provider does not
++         * implement trusted third party validation, since it relies on its
++         * callers to do that. We must thus mark RSA-OAEP as unapproved until
++         * we have received clarification from NIST on how library modules such
++         * as OpenSSL should implement TTP validation. */
++        fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        if (!OSSL_PARAM_set_int(p, fips_indicator))
++            return 0;
++    }
++#endif /* defined(FIPS_MODULE) */
++
+     return 1;
+ }
+ 
+@@ -480,6 +501,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
+     OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
+ #ifdef FIPS_MODULE
+     OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0),
++    OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL),
+ #endif /* FIPS_MODULE */
+     OSSL_PARAM_END
+ };
+diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
+index 8a6f585d0b..f4b7415074 100644
+--- a/providers/implementations/kem/rsa_kem.c
++++ b/providers/implementations/kem/rsa_kem.c
+@@ -152,11 +152,39 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa,
+ static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
+ {
+     PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx;
++#ifdef FIPS_MODULE
++    OSSL_PARAM *p;
++#endif /* defined(FIPS_MODULE) */
++
++    if (ctx == NULL)
++        return 0;
++
++#ifdef FIPS_MODULE
++    p = OSSL_PARAM_locate(params, OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR);
++    if (p != NULL) {
++        /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
++         * confirmation (section 6.4.2.3.2), or assurance from a trusted third
++         * party (section 6.4.2.3.1) for key agreement or key transport, but
++         * explicit key confirmation is not implemented here and cannot be
++         * implemented without protocol changes, and the FIPS provider does not
++         * implement trusted third party validation, since it relies on its
++         * callers to do that. We must thus mark RSASVE unapproved until we
++         * have received clarification from NIST on how library modules such as
++         * OpenSSL should implement TTP validation. */
++        int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        if (!OSSL_PARAM_set_int(p, fips_indicator))
++            return 0;
++    }
++#endif /* defined(FIPS_MODULE) */
+ 
+-    return ctx != NULL;
++    return 1;
+ }
+ 
+ static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = {
++#ifdef FIPS_MODULE
++    OSSL_PARAM_int(OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR, NULL),
++#endif /* defined(FIPS_MODULE) */
+     OSSL_PARAM_END
+ };
+ 
+-- 
+2.41.0
+

0114-FIPS-enforce-EMS-support.patch

@@ -0,0 +1,251 @@
+From 9b02ad7225b74a5b9088b361caead0a41e570e93 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 16:40:56 +0200
+Subject: [PATCH 48/48] 0114-FIPS-enforce-EMS-support.patch
+
+Patch-name: 0114-FIPS-enforce-EMS-support.patch
+Patch-id: 114
+Patch-status: |
+    # We believe that some changes present in CentOS are not necessary
+    # because ustream has a check for FIPS version
+---
+ doc/man3/SSL_CONF_cmd.pod                     |  3 +++
+ doc/man5/fips_config.pod                      | 13 +++++++++++
+ include/openssl/fips_names.h                  |  8 +++++++
+ include/openssl/ssl.h.in                      |  1 +
+ providers/fips/fipsprov.c                     |  2 +-
+ providers/implementations/kdfs/tls1_prf.c     | 22 +++++++++++++++++++
+ ssl/ssl_conf.c                                |  1 +
+ ssl/statem/extensions_srvr.c                  |  8 ++++++-
+ ssl/t1_enc.c                                  | 11 ++++++++--
+ .../30-test_evp_data/evpkdf_tls12_prf.txt     | 10 +++++++++
+ test/sslapitest.c                             |  2 +-
+ 11 files changed, 76 insertions(+), 5 deletions(-)
+
+diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
+index ae6ca43282..b83c04a308 100644
+--- a/doc/man3/SSL_CONF_cmd.pod
++++ b/doc/man3/SSL_CONF_cmd.pod
+@@ -524,6 +524,9 @@ B<ExtendedMasterSecret>: use extended master secret extension, enabled by
+ default. Inverse of B<SSL_OP_NO_EXTENDED_MASTER_SECRET>: that is,
+ B<-ExtendedMasterSecret> is the same as setting B<SSL_OP_NO_EXTENDED_MASTER_SECRET>.
+ 
++B<RHNoEnforceEMSinFIPS>: allow establishing connections without EMS in FIPS mode.
++This is a RedHat-based OS specific option, and normally it should be set up via crypto policies.
++
+ B<CANames>: use CA names extension, enabled by
+ default. Inverse of B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>: that is,
+ B<-CANames> is the same as setting B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>.
+diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod
+index 1c15e32a5c..f2cedaf88d 100644
+--- a/doc/man5/fips_config.pod
++++ b/doc/man5/fips_config.pod
+@@ -15,6 +15,19 @@ for more information.
+ 
+ This functionality was added in OpenSSL 3.0.
+ 
++Red Hat Enterprise Linux uses a supplementary config for FIPS module located in
++OpenSSL configuration directory and managed by crypto policies. If present, it
++should have format
++
++ [fips_sect]
++ tls1-prf-ems-check = 0
++ activate = 1
++
++The B<tls1-prf-ems-check> option specifies whether FIPS module will require the
++presence of extended master secret or not.
++
++The B<activate> option enforces FIPS provider activation.
++
+ =head1 COPYRIGHT
+ 
+ Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h
+index 5c77f6d691..8cdd5a6bf7 100644
+--- a/include/openssl/fips_names.h
++++ b/include/openssl/fips_names.h
+@@ -70,6 +70,14 @@ extern "C" {
+  */
+ # define OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST  "drbg-no-trunc-md"
+ 
++/*
++ * A boolean that determines if the runtime FIPS check for TLS1_PRF EMS is performed.
++ * This is disabled by default.
++ *
++ * Type: OSSL_PARAM_UTF8_STRING
++ */
++# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check"
++
+ # ifdef __cplusplus
+ }
+ # endif
+diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
+index 0b6de603e2..26a69ca282 100644
+--- a/include/openssl/ssl.h.in
++++ b/include/openssl/ssl.h.in
+@@ -415,6 +415,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
+      * interoperability with CryptoPro CSP 3.x
+      */
+ # define SSL_OP_CRYPTOPRO_TLSEXT_BUG                     SSL_OP_BIT(31)
++# define SSL_OP_RH_PERMIT_NOEMS_FIPS                     SSL_OP_BIT(48)
+ 
+ /*
+  * Option "collections."
+diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
+index 5ff9872bd8..eb9653a9df 100644
+--- a/providers/fips/fipsprov.c
++++ b/providers/fips/fipsprov.c
+@@ -105,7 +105,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx)
+     if (fgbl == NULL)
+         return NULL;
+     init_fips_option(&fgbl->fips_security_checks, 1);
+-    init_fips_option(&fgbl->fips_tls1_prf_ems_check, 0); /* Disabled by default */
++    init_fips_option(&fgbl->fips_tls1_prf_ems_check, 1); /* Enabled by default */
+     init_fips_option(&fgbl->fips_restricted_drgb_digests, 0);
+     return fgbl;
+ }
+diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
+index 25a6c79a2e..79bc7a9719 100644
+--- a/providers/implementations/kdfs/tls1_prf.c
++++ b/providers/implementations/kdfs/tls1_prf.c
+@@ -131,6 +131,7 @@ static void *kdf_tls1_prf_new(void *provctx)
+ static void kdf_tls1_prf_free(void *vctx)
+ {
+     TLS1_PRF *ctx = (TLS1_PRF *)vctx;
++    OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
+ 
+     if (ctx != NULL) {
+         kdf_tls1_prf_reset(ctx);
+@@ -222,6 +223,27 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
+         }
+     }
+ 
++    /*
++     * The seed buffer is prepended with a label.
++     * If EMS mode is enforced then the label "master secret" is not allowed,
++     * We do the check this way since the PRF is used for other purposes, as well
++     * as "extended master secret".
++     */
++#ifdef FIPS_MODULE
++    if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE
++            && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST,
++                      TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
++    ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
++    if (ossl_tls1_prf_ems_check_enabled(libctx)) {
++        if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE
++                && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST,
++                          TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) {
++            ERR_raise(ERR_LIB_PROV, PROV_R_EMS_NOT_ENABLED);
++            return 0;
++        }
++    }
++
+     return tls1_prf_alg(ctx->P_hash, ctx->P_sha1,
+                         ctx->sec, ctx->seclen,
+                         ctx->seed, ctx->seedlen,
+diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
+index 5146cedb96..086db98c33 100644
+--- a/ssl/ssl_conf.c
++++ b/ssl/ssl_conf.c
+@@ -389,6 +389,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
+         SSL_FLAG_TBL("ClientRenegotiation",
+                      SSL_OP_ALLOW_CLIENT_RENEGOTIATION),
+         SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),
++        SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", SSL_OP_RH_PERMIT_NOEMS_FIPS),
+         SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION),
+         SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
+         SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA),
+diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
+index 00b1ee531e..22cdabb308 100644
+--- a/ssl/statem/extensions_srvr.c
++++ b/ssl/statem/extensions_srvr.c
+@@ -11,6 +11,7 @@
+ #include "../ssl_local.h"
+ #include "statem_local.h"
+ #include "internal/cryptlib.h"
++#include <openssl/fips.h>
+ 
+ #define COOKIE_STATE_FORMAT_VERSION     1
+ 
+@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
+ EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
+                                   X509 *x, size_t chainidx)
+ {
+-    if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
++    if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) {
++        if (FIPS_mode() && !(SSL_get_options(s) & SSL_OP_RH_PERMIT_NOEMS_FIPS) ) {
++            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
++            return EXT_RETURN_FAIL;
++        }
+         return EXT_RETURN_NOT_SENT;
++    }
+ 
+     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
+             || !WPACKET_put_bytes_u16(pkt, 0)) {
+diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
+index 91238e6457..e8ad8ecd9e 100644
+--- a/ssl/t1_enc.c
++++ b/ssl/t1_enc.c
+@@ -20,6 +20,7 @@
+ #include <openssl/obj_mac.h>
+ #include <openssl/core_names.h>
+ #include <openssl/trace.h>
++#include <openssl/fips.h>
+ 
+ /* seed1 through seed5 are concatenated */
+ static int tls1_PRF(SSL *s,
+@@ -75,8 +76,14 @@ static int tls1_PRF(SSL *s,
+     }
+ 
+  err:
+-    if (fatal)
+-        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++    if (fatal) {
++        /* The calls to this function are local so it's safe to implement the check */
++        if (FIPS_mode() && seed1_len >= TLS_MD_MASTER_SECRET_CONST_SIZE
++            && memcmp(seed1, TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
++            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
++	else
++            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++    }
+     else
+         ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
+     EVP_KDF_CTX_free(kctx);
+diff --git a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
+index 44040ff66b..deb6bf3fcb 100644
+--- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
++++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
+@@ -22,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587c
+ Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
+ Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
+ 
++Availablein = fips
++KDF = TLS1-PRF
++Ctrl.digest = digest:SHA256
++Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc
++Ctrl.label = seed:master secret
++Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c
++Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
++Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
++Result = KDF_DERIVE_ERROR
++
+ FIPSversion = <=3.1.0
+ KDF = TLS1-PRF
+ Ctrl.digest = digest:SHA256
+diff --git a/test/sslapitest.c b/test/sslapitest.c
+index 169e3c7466..e67b5bb44c 100644
+--- a/test/sslapitest.c
++++ b/test/sslapitest.c
+@@ -574,7 +574,7 @@ static int test_client_cert_verify_cb(void)
+     STACK_OF(X509) *server_chain;
+     SSL_CTX *cctx = NULL, *sctx = NULL;
+     SSL *clientssl = NULL, *serverssl = NULL;
+-    int testresult = 0;
++    int testresult = 0, status;
+ 
+     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+                                        TLS_client_method(), TLS1_VERSION, 0,
+-- 
+2.41.0
+

ci.fmf

@@ -0,0 +1 @@
+resultsdb-testcase: separate

configuration-prefix.h

@@ -0,0 +1,7 @@
+/* Prepended at openssl package build-time.  Don't include this file directly,
+ * use <openssl/opensslconf.h> instead. */
+
+#ifndef openssl_conf_multilib_redirection_h
+#error "Don't include this file directly, use <openssl/opensslconf.h> instead!"
+#endif
+

configuration-switch.h

@@ -0,0 +1,47 @@
+/* This file is here to prevent a file conflict on multiarch systems.  A
+ * conflict will frequently occur because arch-specific build-time
+ * configuration options are stored (and used, so they can't just be stripped
+ * out) in configuration.h.  The original configuration.h has been renamed.
+ * DO NOT INCLUDE THE NEW FILE DIRECTLY -- ALWAYS INCLUDE THIS ONE INSTEAD. */
+
+#ifdef openssl_conf_multilib_redirection_h
+#error "Do not define openssl_conf_multilib_redirection_h!"
+#endif
+#define openssl_conf_multilib_redirection_h
+
+#if defined(__i386__)
+#include "configuration-i386.h"
+#elif defined(__ia64__)
+#include "configuration-ia64.h"
+#elif defined(__mips64) && defined(__MIPSEL__)
+#include "configuration-mips64el.h"
+#elif defined(__mips64)
+#include "configuration-mips64.h"
+#elif defined(__mips) && defined(__MIPSEL__)
+#include "configuration-mipsel.h"
+#elif defined(__mips)
+#include "configuration-mips.h"
+#elif defined(__powerpc64__)
+#include <endian.h>
+#if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+#include "configuration-ppc64.h"
+#else
+#include "configuration-ppc64le.h"
+#endif
+#elif defined(__powerpc__)
+#include "configuration-ppc.h"
+#elif defined(__s390x__)
+#include "configuration-s390x.h"
+#elif defined(__s390__)
+#include "configuration-s390.h"
+#elif defined(__sparc__) && defined(__arch64__)
+#include "configuration-sparc64.h"
+#elif defined(__sparc__)
+#include "configuration-sparc.h"
+#elif defined(__x86_64__)
+#include "configuration-x86_64.h"
+#else
+#error "The openssl-devel package does not work your architecture?"
+#endif
+
+#undef openssl_conf_multilib_redirection_h

ec_curve.c

@@ -1,582 +0,0 @@
-/*
- * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
- *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <string.h>
-#include "ec_local.h"
-#include <openssl/err.h>
-#include <openssl/obj_mac.h>
-#include <openssl/opensslconf.h>
-#include "internal/nelem.h"
-
-typedef struct {
-    int field_type,             /* either NID_X9_62_prime_field or
-                                 * NID_X9_62_characteristic_two_field */
-     seed_len, param_len;
-    unsigned int cofactor;      /* promoted to BN_ULONG */
-} EC_CURVE_DATA;
-
-/* the nist prime curves */
-static const struct {
-    EC_CURVE_DATA h;
-    unsigned char data[20 + 28 * 6];
-} _EC_NIST_PRIME_224 = {
-    {
-        NID_X9_62_prime_field, 20, 28, 1
-    },
-    {
-        /* seed */
-        0xBD, 0x71, 0x34, 0x47, 0x99, 0xD5, 0xC7, 0xFC, 0xDC, 0x45, 0xB5, 0x9F,
-        0xA3, 0xB9, 0xAB, 0x8F, 0x6A, 0x94, 0x8B, 0xC5,
-        /* p */
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0x00, 0x00, 0x00, 0x01,
-        /* a */
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFE,
-        /* b */
-        0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, 0x32, 0x56,
-        0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA, 0x27, 0x0B, 0x39, 0x43,
-        0x23, 0x55, 0xFF, 0xB4,
-        /* x */
-        0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, 0x90, 0xB9,
-        0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xD6,
-        0x11, 0x5C, 0x1D, 0x21,
-        /* y */
-        0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, 0xdf, 0xe6,
-        0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99,
-        0x85, 0x00, 0x7e, 0x34,
-        /* order */
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, 0x13, 0xDD, 0x29, 0x45,
-        0x5C, 0x5C, 0x2A, 0x3D
-    }
-};
-
-static const struct {
-    EC_CURVE_DATA h;
-    unsigned char data[20 + 48 * 6];
-} _EC_NIST_PRIME_384 = {
-    {
-        NID_X9_62_prime_field, 20, 48, 1
-    },
-    {
-        /* seed */
-        0xA3, 0x35, 0x92, 0x6A, 0xA3, 0x19, 0xA2, 0x7A, 0x1D, 0x00, 0x89, 0x6A,
-        0x67, 0x73, 0xA4, 0x82, 0x7A, 0xCD, 0xAC, 0x73,
-        /* p */
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
-        /* a */
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC,
-        /* b */
-        0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B,
-        0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12,
-        0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D,
-        0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF,
-        /* x */
-        0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E,
-        0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98,
-        0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D,
-        0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7,
-        /* y */
-        0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, 0x98, 0xbf,
-        0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c,
-        0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0x0a, 0x60, 0xb1, 0xce,
-        0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f,
-        /* order */
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37, 0x2D, 0xDF, 0x58, 0x1A, 0x0D, 0xB2,
-        0x48, 0xB0, 0xA7, 0x7A, 0xEC, 0xEC, 0x19, 0x6A, 0xCC, 0xC5, 0x29, 0x73
-    }
-};
-
-static const struct {
-    EC_CURVE_DATA h;
-    unsigned char data[20 + 66 * 6];
-} _EC_NIST_PRIME_521 = {
-    {
-        NID_X9_62_prime_field, 20, 66, 1
-    },
-    {
-        /* seed */
-        0xD0, 0x9E, 0x88, 0x00, 0x29, 0x1C, 0xB8, 0x53, 0x96, 0xCC, 0x67, 0x17,
-        0x39, 0x32, 0x84, 0xAA, 0xA0, 0xDA, 0x64, 0xBA,
-        /* p */
-        0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        /* a */
-        0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
-        /* b */
-        0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C, 0x9A, 0x1F, 0x92, 0x9A,
-        0x21, 0xA0, 0xB6, 0x85, 0x40, 0xEE, 0xA2, 0xDA, 0x72, 0x5B, 0x99, 0xB3,
-        0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91, 0x8E, 0xF1, 0x09, 0xE1, 0x56, 0x19,
-        0x39, 0x51, 0xEC, 0x7E, 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1,
-        0xBF, 0x07, 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C, 0x34, 0xF1, 0xEF, 0x45,
-        0x1F, 0xD4, 0x6B, 0x50, 0x3F, 0x00,
-        /* x */
-        0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, 0x9E, 0x3E,
-        0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64, 0x81, 0x39, 0x05, 0x3F,
-        0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B,
-        0x5E, 0x77, 0xEF, 0xE7, 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF,
-        0xA8, 0xDE, 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E,
-        0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66,
-        /* y */
-        0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a,
-        0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b,
-        0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee,
-        0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad,
-        0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe,
-        0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,
-        /* order */
-        0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFA, 0x51, 0x86,
-        0x87, 0x83, 0xBF, 0x2F, 0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09,
-        0xA5, 0xD0, 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C, 0x47, 0xAE, 0xBB, 0x6F,
-        0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09
-    }
-};
-
-static const struct {
-    EC_CURVE_DATA h;
-    unsigned char data[20 + 32 * 6];
-} _EC_X9_62_PRIME_256V1 = {
-    {
-        NID_X9_62_prime_field, 20, 32, 1
-    },
-    {
-        /* seed */
-        0xC4, 0x9D, 0x36, 0x08, 0x86, 0xE7, 0x04, 0x93, 0x6A, 0x66, 0x78, 0xE1,
-        0x13, 0x9D, 0x26, 0xB7, 0x81, 0x9F, 0x7E, 0x90,
-        /* p */
-        0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        /* a */
-        0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
-        /* b */
-        0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55,
-        0x76, 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6,
-        0x3B, 0xCE, 0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B,
-        /* x */
-        0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5,
-        0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0,
-        0xF4, 0xA1, 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96,
-        /* y */
-        0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a,
-        0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce,
-        0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5,
-        /* order */
-        0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84,
-        0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51
-    }
-};
-
-static const struct {
-    EC_CURVE_DATA h;
-    unsigned char data[0 + 32 * 6];
-} _EC_SECG_PRIME_256K1 = {
-    {
-        NID_X9_62_prime_field, 0, 32, 1
-    },
-    {
-        /* no seed */
-        /* p */
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
-        /* a */
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        /* b */
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,
-        /* x */
-        0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95,
-        0xCE, 0x87, 0x0B, 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9,
-        0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, 0x98,
-        /* y */
-        0x48, 0x3a, 0xda, 0x77, 0x26, 0xa3, 0xc4, 0x65, 0x5d, 0xa4, 0xfb, 0xfc,
-        0x0e, 0x11, 0x08, 0xa8, 0xfd, 0x17, 0xb4, 0x48, 0xa6, 0x85, 0x54, 0x19,
-        0x9c, 0x47, 0xd0, 0x8f, 0xfb, 0x10, 0xd4, 0xb8,
-        /* order */
-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-        0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B,
-        0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41
-    }
-};
-
-typedef struct _ec_list_element_st {
-    int nid;
-    const EC_CURVE_DATA *data;
-    const EC_METHOD *(*meth) (void);
-    const char *comment;
-} ec_list_element;
-
-static const ec_list_element curve_list[] = {
-    /* prime field curves */
-    /* secg curves */
-#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
-    {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
-     "NIST/SECG curve over a 224 bit prime field"},
-#else
-    {NID_secp224r1, &_EC_NIST_PRIME_224.h, 0,
-     "NIST/SECG curve over a 224 bit prime field"},
-#endif
-    {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
-     "SECG curve over a 256 bit prime field"},
-    /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
-    {NID_secp384r1, &_EC_NIST_PRIME_384.h, 0,
-     "NIST/SECG curve over a 384 bit prime field"},
-#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
-    {NID_secp521r1, &_EC_NIST_PRIME_521.h, EC_GFp_nistp521_method,
-     "NIST/SECG curve over a 521 bit prime field"},
-#else
-    {NID_secp521r1, &_EC_NIST_PRIME_521.h, 0,
-     "NIST/SECG curve over a 521 bit prime field"},
-#endif
-    /* X9.62 curves */
-    {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
-#if defined(ECP_NISTZ256_ASM)
-     EC_GFp_nistz256_method,
-#elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
-     EC_GFp_nistp256_method,
-#else
-     0,
-#endif
-     "X9.62/SECG curve over a 256 bit prime field"},
-};
-
-#define curve_list_length OSSL_NELEM(curve_list)
-
-static EC_GROUP *ec_group_new_from_data(const ec_list_element curve)
-{
-    EC_GROUP *group = NULL;
-    EC_POINT *P = NULL;
-    BN_CTX *ctx = NULL;
-    BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL, *order =
-        NULL;
-    int ok = 0;
-    int seed_len, param_len;
-    const EC_METHOD *meth;
-    const EC_CURVE_DATA *data;
-    const unsigned char *params;
-
-    /* If no curve data curve method must handle everything */
-    if (curve.data == NULL)
-        return EC_GROUP_new(curve.meth != NULL ? curve.meth() : NULL);
-
-    if ((ctx = BN_CTX_new()) == NULL) {
-        ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_MALLOC_FAILURE);
-        goto err;
-    }
-
-    data = curve.data;
-    seed_len = data->seed_len;
-    param_len = data->param_len;
-    params = (const unsigned char *)(data + 1); /* skip header */
-    params += seed_len;         /* skip seed */
-
-    if ((p = BN_bin2bn(params + 0 * param_len, param_len, NULL)) == NULL
-        || (a = BN_bin2bn(params + 1 * param_len, param_len, NULL)) == NULL
-        || (b = BN_bin2bn(params + 2 * param_len, param_len, NULL)) == NULL) {
-        ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
-        goto err;
-    }
-
-    if (curve.meth != 0) {
-        meth = curve.meth();
-        if (((group = EC_GROUP_new(meth)) == NULL) ||
-            (!(group->meth->group_set_curve(group, p, a, b, ctx)))) {
-            ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
-            goto err;
-        }
-    } else if (data->field_type == NID_X9_62_prime_field) {
-        if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL) {
-            ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
-            goto err;
-        }
-    }
-#ifndef OPENSSL_NO_EC2M
-    else {                      /* field_type ==
-                                 * NID_X9_62_characteristic_two_field */
-
-        if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL) {
-            ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
-            goto err;
-        }
-    }
-#endif
-
-    EC_GROUP_set_curve_name(group, curve.nid);
-
-    if ((P = EC_POINT_new(group)) == NULL) {
-        ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
-        goto err;
-    }
-
-    if ((x = BN_bin2bn(params + 3 * param_len, param_len, NULL)) == NULL
-        || (y = BN_bin2bn(params + 4 * param_len, param_len, NULL)) == NULL) {
-        ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
-        goto err;
-    }
-    if (!EC_POINT_set_affine_coordinates(group, P, x, y, ctx)) {
-        ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
-        goto err;
-    }
-    if ((order = BN_bin2bn(params + 5 * param_len, param_len, NULL)) == NULL
-        || !BN_set_word(x, (BN_ULONG)data->cofactor)) {
-        ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
-        goto err;
-    }
-    if (!EC_GROUP_set_generator(group, P, order, x)) {
-        ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
-        goto err;
-    }
-    if (seed_len) {
-        if (!EC_GROUP_set_seed(group, params - seed_len, seed_len)) {
-            ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
-            goto err;
-        }
-    }
-    ok = 1;
- err:
-    if (!ok) {
-        EC_GROUP_free(group);
-        group = NULL;
-    }
-    EC_POINT_free(P);
-    BN_CTX_free(ctx);
-    BN_free(p);
-    BN_free(a);
-    BN_free(b);
-    BN_free(order);
-    BN_free(x);
-    BN_free(y);
-    return group;
-}
-
-EC_GROUP *EC_GROUP_new_by_curve_name(int nid)
-{
-    size_t i;
-    EC_GROUP *ret = NULL;
-
-    if (nid <= 0)
-        return NULL;
-
-    for (i = 0; i < curve_list_length; i++)
-        if (curve_list[i].nid == nid) {
-            ret = ec_group_new_from_data(curve_list[i]);
-            break;
-        }
-
-    if (ret == NULL) {
-        ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_UNKNOWN_GROUP);
-        return NULL;
-    }
-
-    return ret;
-}
-
-size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
-{
-    size_t i, min;
-
-    if (r == NULL || nitems == 0)
-        return curve_list_length;
-
-    min = nitems < curve_list_length ? nitems : curve_list_length;
-
-    for (i = 0; i < min; i++) {
-        r[i].nid = curve_list[i].nid;
-        r[i].comment = curve_list[i].comment;
-    }
-
-    return curve_list_length;
-}
-
-/* Functions to translate between common NIST curve names and NIDs */
-
-typedef struct {
-    const char *name;           /* NIST Name of curve */
-    int nid;                    /* Curve NID */
-} EC_NIST_NAME;
-
-static EC_NIST_NAME nist_curves[] = {
-    {"B-163", NID_sect163r2},
-    {"B-233", NID_sect233r1},
-    {"B-283", NID_sect283r1},
-    {"B-409", NID_sect409r1},
-    {"B-571", NID_sect571r1},
-    {"K-163", NID_sect163k1},
-    {"K-233", NID_sect233k1},
-    {"K-283", NID_sect283k1},
-    {"K-409", NID_sect409k1},
-    {"K-571", NID_sect571k1},
-    {"P-192", NID_X9_62_prime192v1},
-    {"P-224", NID_secp224r1},
-    {"P-256", NID_X9_62_prime256v1},
-    {"P-384", NID_secp384r1},
-    {"P-521", NID_secp521r1}
-};
-
-const char *EC_curve_nid2nist(int nid)
-{
-    size_t i;
-    for (i = 0; i < OSSL_NELEM(nist_curves); i++) {
-        if (nist_curves[i].nid == nid)
-            return nist_curves[i].name;
-    }
-    return NULL;
-}
-
-int EC_curve_nist2nid(const char *name)
-{
-    size_t i;
-    for (i = 0; i < OSSL_NELEM(nist_curves); i++) {
-        if (strcmp(nist_curves[i].name, name) == 0)
-            return nist_curves[i].nid;
-    }
-    return NID_undef;
-}
-
-#define NUM_BN_FIELDS 6
-/*
- * Validates EC domain parameter data for known named curves.
- * This can be used when a curve is loaded explicitly (without a curve
- * name) or to validate that domain parameters have not been modified.
- *
- * Returns: The nid associated with the found named curve, or NID_undef
- *          if not found. If there was an error it returns -1.
- */
-int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx)
-{
-    int ret = -1, nid, len, field_type, param_len;
-    size_t i, seed_len;
-    const unsigned char *seed, *params_seed, *params;
-    unsigned char *param_bytes = NULL;
-    const EC_CURVE_DATA *data;
-    const EC_POINT *generator = NULL;
-    const EC_METHOD *meth;
-    const BIGNUM *cofactor = NULL;
-    /* An array of BIGNUMs for (p, a, b, x, y, order) */
-    BIGNUM *bn[NUM_BN_FIELDS] = {NULL, NULL, NULL, NULL, NULL, NULL};
-
-    meth = EC_GROUP_method_of(group);
-    if (meth == NULL)
-        return -1;
-    /* Use the optional named curve nid as a search field */
-    nid = EC_GROUP_get_curve_name(group);
-    field_type = EC_METHOD_get_field_type(meth);
-    seed_len = EC_GROUP_get_seed_len(group);
-    seed = EC_GROUP_get0_seed(group);
-    cofactor = EC_GROUP_get0_cofactor(group);
-
-    BN_CTX_start(ctx);
-
-    /*
-     * The built-in curves contains data fields (p, a, b, x, y, order) that are
-     * all zero-padded to be the same size. The size of the padding is
-     * determined by either the number of bytes in the field modulus (p) or the
-     * EC group order, whichever is larger.
-     */
-    param_len = BN_num_bytes(group->order);
-    len = BN_num_bytes(group->field);
-    if (len > param_len)
-        param_len = len;
-
-    /* Allocate space to store the padded data for (p, a, b, x, y, order)  */
-    param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS);
-    if (param_bytes == NULL)
-        goto end;
-
-    /* Create the bignums */
-    for (i = 0; i < NUM_BN_FIELDS; ++i) {
-        if ((bn[i] = BN_CTX_get(ctx)) == NULL)
-            goto end;
-    }
-    /*
-     * Fill in the bn array with the same values as the internal curves
-     * i.e. the values are p, a, b, x, y, order.
-     */
-    /* Get p, a & b */
-    if (!(EC_GROUP_get_curve(group, bn[0], bn[1], bn[2], ctx)
-        && ((generator = EC_GROUP_get0_generator(group)) != NULL)
-        /* Get x & y */
-        && EC_POINT_get_affine_coordinates(group, generator, bn[3], bn[4], ctx)
-        /* Get order */
-        && EC_GROUP_get_order(group, bn[5], ctx)))
-        goto end;
-
-   /*
-     * Convert the bignum array to bytes that are joined together to form
-     * a single buffer that contains data for all fields.
-     * (p, a, b, x, y, order) are all zero padded to be the same size.
-     */
-    for (i = 0; i < NUM_BN_FIELDS; ++i) {
-        if (BN_bn2binpad(bn[i], &param_bytes[i*param_len], param_len) <= 0)
-            goto end;
-    }
-
-    for (i = 0; i < curve_list_length; i++) {
-        const ec_list_element curve = curve_list[i];
-
-        data = curve.data;
-        /* Get the raw order byte data */
-        params_seed = (const unsigned char *)(data + 1); /* skip header */
-        params = params_seed + data->seed_len;
-
-        /* Look for unique fields in the fixed curve data */
-        if (data->field_type == field_type
-            && param_len == data->param_len
-            && (nid <= 0 || nid == curve.nid)
-            /* check the optional cofactor (ignore if its zero) */
-            && (BN_is_zero(cofactor)
-                || BN_is_word(cofactor, (const BN_ULONG)curve.data->cofactor))
-            /* Check the optional seed (ignore if its not set) */
-            && (data->seed_len == 0 || seed_len == 0
-                || ((size_t)data->seed_len == seed_len
-                     && memcmp(params_seed, seed, seed_len) == 0))
-            /* Check that the groups params match the built-in curve params */
-            && memcmp(param_bytes, params, param_len * NUM_BN_FIELDS)
-                             == 0) {
-            ret = curve.nid;
-            goto end;
-        }
-    }
-    /* Gets here if the group was not found */
-    ret = NID_undef;
-end:
-    OPENSSL_free(param_bytes);
-    BN_CTX_end(ctx);
-    return ret;
-}

genpatches

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+if [ $# -ne 2 ] ; then
+    echo "Usage:"
+    echo "   $0 <git-dir> <base-tag>"
+    exit 1
+fi
+
+git_dir="$1"
+base_tag="$2"
+
+target_dir="$(pwd)"
+
+pushd "$git_dir" >/dev/null
+git format-patch -k -o "$target_dir" "$base_tag" >/dev/null
+popd >/dev/null
+
+echo "# Patches exported from source git"
+
+i=1
+for p in *.patch ; do
+    printf "# "
+    sed '/^Subject:/{s/^Subject: //;p};d' "$p"
+    printf "Patch%s: %s\n" $i "$p"
+    i=$(($i + 1))
+done

hobble-openssl

@@ -1,40 +0,0 @@
-#!/bin/sh
-
-# Quit out if anything fails.
-set -e
-
-# Clean out patent-or-otherwise-encumbered code.
-# MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway
-# IDEA:  5,214,703 07/01/2012 - expired, we do not remove it anymore
-# RC5:   5,724,428 01/11/2015 - expired, we do not remove it anymore
-# EC:    ????????? ??/??/2020
-# SRP:   ????????? ??/??/2017 - expired, we do not remove it anymore
-
-# Remove assembler portions of IDEA, MDC2, and RC5.
-# (find crypto/rc5/asm -type f | xargs -r rm -fv)
-
-for c in `find crypto/bn -name "*gf2m.c"`; do
-	echo Destroying $c
-	> $c
-done
-
-for c in `find crypto/ec -name "ec2*.c" -o -name "ec_curve.c"`; do
-	echo Destroying $c
-	> $c
-done
-
-for c in `find test -name "ectest.c"`; do
-	echo Destroying $c
-	> $c
-done
-
-for h in `find crypto ssl apps test -name "*.h"` ; do
-	echo Removing EC2M references from $h
-	cat $h | \
-	awk    'BEGIN {ech=1;} \
-		/^#[ \t]*ifndef.*NO_EC2M/ {ech--; next;} \
-                /^#[ \t]*if/ {if(ech < 1) ech--;} \
-		{if(ech>0) {;print $0};} \
-		/^#[ \t]*endif/ {if(ech < 1) ech++;}' > $h.hobbled && \
-	mv $h.hobbled $h
-done

openssl-1.1.0-issuer-hash.patch

@@ -1,11 +0,0 @@
-diff -up openssl-1.1.0-pre5/crypto/x509/x509_cmp.c.issuer-hash openssl-1.1.0-pre5/crypto/x509/x509_cmp.c
---- openssl-1.1.0-pre5/crypto/x509/x509_cmp.c.issuer-hash	2016-07-18 15:16:32.788881100 +0200
-+++ openssl-1.1.0-pre5/crypto/x509/x509_cmp.c	2016-07-18 15:17:16.671871840 +0200
-@@ -87,6 +87,7 @@ unsigned long X509_issuer_and_serial_has
- 
-     if (ctx == NULL)
-         goto err;
-+    EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-     f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0);
-     if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL))
-         goto err;

openssl-1.1.1-alpn-cb.patch

@@ -1,27 +0,0 @@
-commit 9e885a707d604e9528b5491b78fb9c00f41193fc
-Author: Tomas Mraz <tmraz@fedoraproject.org>
-Date:   Thu Mar 26 15:59:00 2020 +0100
-
-    s_server: Properly indicate ALPN protocol mismatch
-    
-    Return SSL_TLSEXT_ERR_ALERT_FATAL from alpn_select_cb so that
-    an alert is sent to the client on ALPN protocol mismatch.
-    
-    Fixes: #2708
-    
-    Reviewed-by: Matt Caswell <matt@openssl.org>
-    (Merged from https://github.com/openssl/openssl/pull/11415)
-
-diff --git a/apps/s_server.c b/apps/s_server.c
-index bcc83e562c..591c6c19c5 100644
---- a/apps/s_server.c
-+++ b/apps/s_server.c
-@@ -707,7 +707,7 @@ static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
-     if (SSL_select_next_proto
-         ((unsigned char **)out, outlen, alpn_ctx->data, alpn_ctx->len, in,
-          inlen) != OPENSSL_NPN_NEGOTIATED) {
--        return SSL_TLSEXT_ERR_NOACK;
-+        return SSL_TLSEXT_ERR_ALERT_FATAL;
-     }
- 
-     if (!s_quiet) {

openssl-1.1.1-apps-dgst.patch

@@ -1,12 +0,0 @@
-diff -up openssl-1.1.1b/apps/ca.c.dgst openssl-1.1.1b/apps/ca.c
---- openssl-1.1.1b/apps/ca.c.dgst	2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/apps/ca.c	2019-03-15 15:53:46.622267688 +0100
-@@ -169,7 +169,7 @@ const OPTIONS ca_options[] = {
-     {"enddate", OPT_ENDDATE, 's',
-      "YYMMDDHHMMSSZ cert notAfter (overrides -days)"},
-     {"days", OPT_DAYS, 'p', "Number of days to certify the cert for"},
--    {"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"},
-+    {"md", OPT_MD, 's', "md to use; see openssl help for list"},
-     {"policy", OPT_POLICY, 's', "The CA 'policy' to support"},
-     {"keyfile", OPT_KEYFILE, 's', "Private key"},
-     {"keyform", OPT_KEYFORM, 'f', "Private key file format (PEM or ENGINE)"},

openssl-1.1.1-build.patch

@@ -1,40 +0,0 @@
-diff -up openssl-1.1.1f/Configurations/10-main.conf.build openssl-1.1.1f/Configurations/10-main.conf
---- openssl-1.1.1f/Configurations/10-main.conf.build	2020-03-31 14:17:45.000000000 +0200
-+++ openssl-1.1.1f/Configurations/10-main.conf	2020-04-07 16:42:10.920546387 +0200
-@@ -678,6 +678,7 @@ my %targets = (
-         cxxflags         => add("-m64"),
-         lib_cppflags     => add("-DL_ENDIAN"),
-         perlasm_scheme   => "linux64le",
-+        multilib         => "64",
-     },
- 
-     "linux-armv4" => {
-@@ -718,6 +719,7 @@ my %targets = (
-     "linux-aarch64" => {
-         inherit_from     => [ "linux-generic64", asm("aarch64_asm") ],
-         perlasm_scheme   => "linux64",
-+        multilib         => "64",
-     },
-     "linux-arm64ilp32" => {  # https://wiki.linaro.org/Platform/arm64-ilp32
-         inherit_from     => [ "linux-generic32", asm("aarch64_asm") ],
-diff -up openssl-1.1.1f/Configurations/unix-Makefile.tmpl.build openssl-1.1.1f/Configurations/unix-Makefile.tmpl
---- openssl-1.1.1f/Configurations/unix-Makefile.tmpl.build	2020-04-07 16:42:10.920546387 +0200
-+++ openssl-1.1.1f/Configurations/unix-Makefile.tmpl	2020-04-07 16:44:23.539142108 +0200
-@@ -823,7 +823,7 @@ uninstall_runtime_libs:
- install_man_docs:
- 	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- 	@$(ECHO) "*** Installing manpages"
--	$(PERL) $(SRCDIR)/util/process_docs.pl \
-+	TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
- 		"--destdir=$(DESTDIR)$(MANDIR)" --type=man --suffix=$(MANSUFFIX)
- 
- uninstall_man_docs:
-@@ -835,7 +835,7 @@ uninstall_man_docs:
- install_html_docs:
- 	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- 	@$(ECHO) "*** Installing HTML manpages"
--	$(PERL) $(SRCDIR)/util/process_docs.pl \
-+	TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
- 		"--destdir=$(DESTDIR)$(HTMLDIR)" --type=html
- 
- uninstall_html_docs:

openssl-1.1.1-conf-paths.patch

@@ -1,56 +0,0 @@
-diff -up openssl-1.1.1-pre8/apps/CA.pl.in.conf-paths openssl-1.1.1-pre8/apps/CA.pl.in
---- openssl-1.1.1-pre8/apps/CA.pl.in.conf-paths	2018-06-20 16:48:09.000000000 +0200
-+++ openssl-1.1.1-pre8/apps/CA.pl.in	2018-07-25 17:26:58.388624296 +0200
-@@ -33,7 +33,7 @@ my $X509 = "$openssl x509";
- my $PKCS12 = "$openssl pkcs12";
- 
- # default openssl.cnf file has setup as per the following
--my $CATOP = "./demoCA";
-+my $CATOP = "/etc/pki/CA";
- my $CAKEY = "cakey.pem";
- my $CAREQ = "careq.pem";
- my $CACERT = "cacert.pem";
-diff -up openssl-1.1.1-pre8/apps/openssl.cnf.conf-paths openssl-1.1.1-pre8/apps/openssl.cnf
---- openssl-1.1.1-pre8/apps/openssl.cnf.conf-paths	2018-07-25 17:26:58.378624057 +0200
-+++ openssl-1.1.1-pre8/apps/openssl.cnf	2018-07-27 13:20:08.198513471 +0200
-@@ -23,6 +23,22 @@ oid_section		= new_oids
- # (Alternatively, use a configuration file that has only
- # X.509v3 extensions in its main [= default] section.)
- 
-+# Load default TLS policy configuration
-+
-+openssl_conf = default_modules
-+
-+[ default_modules ]
-+
-+ssl_conf = ssl_module
-+
-+[ ssl_module ]
-+
-+system_default = crypto_policy
-+
-+[ crypto_policy ]
-+
-+.include = /etc/crypto-policies/back-ends/opensslcnf.config
-+
- [ new_oids ]
- 
- # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
-@@ -43,7 +59,7 @@ default_ca	= CA_default		# The default c
- ####################################################################
- [ CA_default ]
- 
--dir		= ./demoCA		# Where everything is kept
-+dir		= /etc/pki/CA		# Where everything is kept
- certs		= $dir/certs		# Where the issued certs are kept
- crl_dir		= $dir/crl		# Where the issued crl are kept
- database	= $dir/index.txt	# database index file.
-@@ -329,7 +345,7 @@ default_tsa = tsa_config1	# the default
- [ tsa_config1 ]
- 
- # These are used by the TSA reply generation only.
--dir		= ./demoCA		# TSA root directory
-+dir		= /etc/pki/CA		# TSA root directory
- serial		= $dir/tsaserial	# The current serial number (mandatory)
- crypto_device	= builtin		# OpenSSL engine to use for signing
- signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate

openssl-1.1.1-disable-ssl3.patch

@@ -1,91 +0,0 @@
-diff -up openssl-1.1.1-pre8/apps/s_client.c.disable-ssl3 openssl-1.1.1-pre8/apps/s_client.c
---- openssl-1.1.1-pre8/apps/s_client.c.disable-ssl3	2018-07-16 18:08:20.000487628 +0200
-+++ openssl-1.1.1-pre8/apps/s_client.c	2018-07-16 18:16:40.070186323 +0200
-@@ -1681,6 +1681,9 @@ int s_client_main(int argc, char **argv)
-     if (sdebug)
-         ssl_ctx_security_debug(ctx, sdebug);
- 
-+    if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
-+        SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
-+
-     if (!config_ctx(cctx, ssl_args, ctx))
-         goto end;
- 
-diff -up openssl-1.1.1-pre8/apps/s_server.c.disable-ssl3 openssl-1.1.1-pre8/apps/s_server.c
---- openssl-1.1.1-pre8/apps/s_server.c.disable-ssl3	2018-07-16 18:08:20.000487628 +0200
-+++ openssl-1.1.1-pre8/apps/s_server.c	2018-07-16 18:17:17.300055551 +0200
-@@ -1760,6 +1760,9 @@ int s_server_main(int argc, char *argv[]
-     if (sdebug)
-         ssl_ctx_security_debug(ctx, sdebug);
- 
-+    if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
-+        SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
-+
-     if (!config_ctx(cctx, ssl_args, ctx))
-         goto end;
- 
-diff -up openssl-1.1.1-pre8/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.1-pre8/ssl/ssl_lib.c
---- openssl-1.1.1-pre8/ssl/ssl_lib.c.disable-ssl3	2018-06-20 16:48:13.000000000 +0200
-+++ openssl-1.1.1-pre8/ssl/ssl_lib.c	2018-07-16 18:08:20.001487652 +0200
-@@ -3016,6 +3016,16 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
-      */
-     ret->options |= SSL_OP_NO_COMPRESSION | SSL_OP_ENABLE_MIDDLEBOX_COMPAT;
- 
-+    if (meth->version != SSL3_VERSION) {
-+        /*
-+         * Disable SSLv3 by default.  Applications can
-+         * re-enable it by configuring
-+         * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
-+         * or by using the SSL_CONF API.
-+         */
-+        ret->options |= SSL_OP_NO_SSLv3;
-+    }
-+
-     ret->ext.status_type = TLSEXT_STATUSTYPE_nothing;
- 
-     /*
-diff -up openssl-1.1.1-pre8/test/ssl_test.c.disable-ssl3 openssl-1.1.1-pre8/test/ssl_test.c
---- openssl-1.1.1-pre8/test/ssl_test.c.disable-ssl3	2018-06-20 16:48:15.000000000 +0200
-+++ openssl-1.1.1-pre8/test/ssl_test.c	2018-07-16 18:18:34.806865121 +0200
-@@ -443,6 +443,7 @@ static int test_handshake(int idx)
-             SSL_TEST_SERVERNAME_CB_NONE) {
-             if (!TEST_ptr(server2_ctx = SSL_CTX_new(TLS_server_method())))
-                 goto err;
-+            SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3);
-             if (!TEST_true(SSL_CTX_set_max_proto_version(server2_ctx,
-                                                          TLS_MAX_VERSION)))
-                 goto err;
-@@ -464,6 +465,8 @@ static int test_handshake(int idx)
-             if (!TEST_ptr(resume_server_ctx)
-                     || !TEST_ptr(resume_client_ctx))
-                 goto err;
-+            SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3);
-+            SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3);
-         }
-     }
- 
-@@ -477,6 +480,9 @@ static int test_handshake(int idx)
-             || !TEST_int_gt(CONF_modules_load(conf, test_app, 0),  0))
-         goto err;
- 
-+    SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
-+    SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
-+
-     if (!SSL_CTX_config(server_ctx, "server")
-         || !SSL_CTX_config(client_ctx, "client")) {
-         goto err;
-diff -up openssl-1.1.1-pre8/test/ssltest_old.c.disable-ssl3 openssl-1.1.1-pre8/test/ssltest_old.c
---- openssl-1.1.1-pre8/test/ssltest_old.c.disable-ssl3	2018-06-20 16:48:15.000000000 +0200
-+++ openssl-1.1.1-pre8/test/ssltest_old.c	2018-07-16 18:08:20.002487676 +0200
-@@ -1358,6 +1358,11 @@ int main(int argc, char *argv[])
-         ERR_print_errors(bio_err);
-         goto end;
-     }
-+
-+    SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3);
-+    SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3);
-+    SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3);
-+
-     /*
-      * Since we will use low security ciphersuites and keys for testing set
-      * security level to zero by default. Tests can override this by adding

openssl-1.1.1-ec-curves.patch

@@ -1,266 +0,0 @@
-diff -up openssl-1.1.1h/apps/speed.c.curves openssl-1.1.1h/apps/speed.c
---- openssl-1.1.1h/apps/speed.c.curves	2020-09-22 14:55:07.000000000 +0200
-+++ openssl-1.1.1h/apps/speed.c	2020-11-06 13:27:15.659288431 +0100
-@@ -490,90 +490,30 @@ static double rsa_results[RSA_NUM][2];
- #endif /* OPENSSL_NO_RSA */
- 
- enum {
--    R_EC_P160,
--    R_EC_P192,
-     R_EC_P224,
-     R_EC_P256,
-     R_EC_P384,
-     R_EC_P521,
--#ifndef OPENSSL_NO_EC2M
--    R_EC_K163,
--    R_EC_K233,
--    R_EC_K283,
--    R_EC_K409,
--    R_EC_K571,
--    R_EC_B163,
--    R_EC_B233,
--    R_EC_B283,
--    R_EC_B409,
--    R_EC_B571,
--#endif
--    R_EC_BRP256R1,
--    R_EC_BRP256T1,
--    R_EC_BRP384R1,
--    R_EC_BRP384T1,
--    R_EC_BRP512R1,
--    R_EC_BRP512T1,
-     R_EC_X25519,
-     R_EC_X448
- };
- 
- #ifndef OPENSSL_NO_EC
- static OPT_PAIR ecdsa_choices[] = {
--    {"ecdsap160", R_EC_P160},
--    {"ecdsap192", R_EC_P192},
-     {"ecdsap224", R_EC_P224},
-     {"ecdsap256", R_EC_P256},
-     {"ecdsap384", R_EC_P384},
-     {"ecdsap521", R_EC_P521},
--# ifndef OPENSSL_NO_EC2M
--    {"ecdsak163", R_EC_K163},
--    {"ecdsak233", R_EC_K233},
--    {"ecdsak283", R_EC_K283},
--    {"ecdsak409", R_EC_K409},
--    {"ecdsak571", R_EC_K571},
--    {"ecdsab163", R_EC_B163},
--    {"ecdsab233", R_EC_B233},
--    {"ecdsab283", R_EC_B283},
--    {"ecdsab409", R_EC_B409},
--    {"ecdsab571", R_EC_B571},
--# endif
--    {"ecdsabrp256r1", R_EC_BRP256R1},
--    {"ecdsabrp256t1", R_EC_BRP256T1},
--    {"ecdsabrp384r1", R_EC_BRP384R1},
--    {"ecdsabrp384t1", R_EC_BRP384T1},
--    {"ecdsabrp512r1", R_EC_BRP512R1},
--    {"ecdsabrp512t1", R_EC_BRP512T1}
- };
- # define ECDSA_NUM       OSSL_NELEM(ecdsa_choices)
- 
- static double ecdsa_results[ECDSA_NUM][2];    /* 2 ops: sign then verify */
- 
- static const OPT_PAIR ecdh_choices[] = {
--    {"ecdhp160", R_EC_P160},
--    {"ecdhp192", R_EC_P192},
-     {"ecdhp224", R_EC_P224},
-     {"ecdhp256", R_EC_P256},
-     {"ecdhp384", R_EC_P384},
-     {"ecdhp521", R_EC_P521},
--# ifndef OPENSSL_NO_EC2M
--    {"ecdhk163", R_EC_K163},
--    {"ecdhk233", R_EC_K233},
--    {"ecdhk283", R_EC_K283},
--    {"ecdhk409", R_EC_K409},
--    {"ecdhk571", R_EC_K571},
--    {"ecdhb163", R_EC_B163},
--    {"ecdhb233", R_EC_B233},
--    {"ecdhb283", R_EC_B283},
--    {"ecdhb409", R_EC_B409},
--    {"ecdhb571", R_EC_B571},
--# endif
--    {"ecdhbrp256r1", R_EC_BRP256R1},
--    {"ecdhbrp256t1", R_EC_BRP256T1},
--    {"ecdhbrp384r1", R_EC_BRP384R1},
--    {"ecdhbrp384t1", R_EC_BRP384T1},
--    {"ecdhbrp512r1", R_EC_BRP512R1},
--    {"ecdhbrp512t1", R_EC_BRP512T1},
-     {"ecdhx25519", R_EC_X25519},
-     {"ecdhx448", R_EC_X448}
- };
-@@ -1502,31 +1442,10 @@ int speed_main(int argc, char **argv)
-         unsigned int bits;
-     } test_curves[] = {
-         /* Prime Curves */
--        {"secp160r1", NID_secp160r1, 160},
--        {"nistp192", NID_X9_62_prime192v1, 192},
-         {"nistp224", NID_secp224r1, 224},
-         {"nistp256", NID_X9_62_prime256v1, 256},
-         {"nistp384", NID_secp384r1, 384},
-         {"nistp521", NID_secp521r1, 521},
--# ifndef OPENSSL_NO_EC2M
--        /* Binary Curves */
--        {"nistk163", NID_sect163k1, 163},
--        {"nistk233", NID_sect233k1, 233},
--        {"nistk283", NID_sect283k1, 283},
--        {"nistk409", NID_sect409k1, 409},
--        {"nistk571", NID_sect571k1, 571},
--        {"nistb163", NID_sect163r2, 163},
--        {"nistb233", NID_sect233r1, 233},
--        {"nistb283", NID_sect283r1, 283},
--        {"nistb409", NID_sect409r1, 409},
--        {"nistb571", NID_sect571r1, 571},
--# endif
--        {"brainpoolP256r1", NID_brainpoolP256r1, 256},
--        {"brainpoolP256t1", NID_brainpoolP256t1, 256},
--        {"brainpoolP384r1", NID_brainpoolP384r1, 384},
--        {"brainpoolP384t1", NID_brainpoolP384t1, 384},
--        {"brainpoolP512r1", NID_brainpoolP512r1, 512},
--        {"brainpoolP512t1", NID_brainpoolP512t1, 512},
-         /* Other and ECDH only ones */
-         {"X25519", NID_X25519, 253},
-         {"X448", NID_X448, 448}
-@@ -2026,9 +1945,9 @@ int speed_main(int argc, char **argv)
- #  endif
- 
- #  ifndef OPENSSL_NO_EC
--    ecdsa_c[R_EC_P160][0] = count / 1000;
--    ecdsa_c[R_EC_P160][1] = count / 1000 / 2;
--    for (i = R_EC_P192; i <= R_EC_P521; i++) {
-+    ecdsa_c[R_EC_P224][0] = count / 1000;
-+    ecdsa_c[R_EC_P224][1] = count / 1000 / 2;
-+    for (i = R_EC_P256; i <= R_EC_P521; i++) {
-         ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2;
-         ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2;
-         if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0)
-@@ -2040,7 +1959,7 @@ int speed_main(int argc, char **argv)
-             }
-         }
-     }
--#   ifndef OPENSSL_NO_EC2M
-+#   if 0
-     ecdsa_c[R_EC_K163][0] = count / 1000;
-     ecdsa_c[R_EC_K163][1] = count / 1000 / 2;
-     for (i = R_EC_K233; i <= R_EC_K571; i++) {
-@@ -2071,8 +1990,8 @@ int speed_main(int argc, char **argv)
-     }
- #   endif
- 
--    ecdh_c[R_EC_P160][0] = count / 1000;
--    for (i = R_EC_P192; i <= R_EC_P521; i++) {
-+    ecdh_c[R_EC_P224][0] = count / 1000;
-+    for (i = R_EC_P256; i <= R_EC_P521; i++) {
-         ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
-         if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0)
-             ecdh_doit[i] = 0;
-@@ -2082,7 +2001,7 @@ int speed_main(int argc, char **argv)
-             }
-         }
-     }
--#   ifndef OPENSSL_NO_EC2M
-+#   if 0
-     ecdh_c[R_EC_K163][0] = count / 1000;
-     for (i = R_EC_K233; i <= R_EC_K571; i++) {
-         ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
-diff -up openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves openssl-1.1.1h/crypto/ec/ecp_smpl.c
---- openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves	2020-09-22 14:55:07.000000000 +0200
-+++ openssl-1.1.1h/crypto/ec/ecp_smpl.c	2020-11-06 13:27:15.659288431 +0100
-@@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
-         return 0;
-     }
- 
-+    if (BN_num_bits(p) < 224) {
-+        ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
-+        return 0;
-+    }
-+
-     if (ctx == NULL) {
-         ctx = new_ctx = BN_CTX_new();
-         if (ctx == NULL)
-diff -up openssl-1.1.1h/test/ecdsatest.h.curves openssl-1.1.1h/test/ecdsatest.h
---- openssl-1.1.1h/test/ecdsatest.h.curves	2020-11-06 13:27:15.627288114 +0100
-+++ openssl-1.1.1h/test/ecdsatest.h	2020-11-06 13:27:15.660288441 +0100
-@@ -32,23 +32,6 @@ typedef struct {
- } ecdsa_cavs_kat_t;
- 
- static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = {
--    /* prime KATs from X9.62 */
--    {NID_X9_62_prime192v1, NID_sha1,
--     "616263",                  /* "abc" */
--     "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb",
--     "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e"
--     "5ca5c0d69716dfcb3474373902",
--     "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e",
--     "885052380ff147b734c330c43d39b2c4a89f29b0f749fead",
--     "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"},
--    {NID_X9_62_prime239v1, NID_sha1,
--     "616263",                  /* "abc" */
--     "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d",
--     "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e"
--     "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee",
--     "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af",
--     "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0",
--     "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"},
-     /* prime KATs from NIST CAVP */
-     {NID_secp224r1, NID_sha224,
-      "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
---- openssl-1.1.1h/test/recipes/15-test_genec.t.ec-curves	2020-11-06 13:58:36.402895540 +0100
-+++ openssl-1.1.1h/test/recipes/15-test_genec.t	2020-11-06 13:59:38.508484498 +0100
-@@ -20,45 +20,11 @@ plan skip_all => "This test is unsupport
-     if disabled("ec");
- 
- my @prime_curves = qw(
--    secp112r1
--    secp112r2
--    secp128r1
--    secp128r2
--    secp160k1
--    secp160r1
--    secp160r2
--    secp192k1
--    secp224k1
-     secp224r1
-     secp256k1
-     secp384r1
-     secp521r1
--    prime192v1
--    prime192v2
--    prime192v3
--    prime239v1
--    prime239v2
--    prime239v3
-     prime256v1
--    wap-wsg-idm-ecid-wtls6
--    wap-wsg-idm-ecid-wtls7
--    wap-wsg-idm-ecid-wtls8
--    wap-wsg-idm-ecid-wtls9
--    wap-wsg-idm-ecid-wtls12
--    brainpoolP160r1
--    brainpoolP160t1
--    brainpoolP192r1
--    brainpoolP192t1
--    brainpoolP224r1
--    brainpoolP224t1
--    brainpoolP256r1
--    brainpoolP256t1
--    brainpoolP320r1
--    brainpoolP320t1
--    brainpoolP384r1
--    brainpoolP384t1
--    brainpoolP512r1
--    brainpoolP512t1
- );
- 
- my @binary_curves = qw(
-@@ -115,7 +81,6 @@ push(@other_curves, 'SM2')
-     if !disabled("sm2");
- 
- my @curve_aliases = qw(
--    P-192
-     P-224
-     P-256
-     P-384

openssl-1.1.1-edk2-build.patch

@@ -1,57 +0,0 @@
-diff -up openssl-1.1.1g/crypto/evp/pkey_kdf.c.edk2-build openssl-1.1.1g/crypto/evp/pkey_kdf.c
---- openssl-1.1.1g/crypto/evp/pkey_kdf.c.edk2-build	2020-05-18 12:55:53.299548432 +0200
-+++ openssl-1.1.1g/crypto/evp/pkey_kdf.c	2020-05-18 12:55:53.340548788 +0200
-@@ -12,6 +12,7 @@
- #include <openssl/evp.h>
- #include <openssl/err.h>
- #include <openssl/kdf.h>
-+#include "internal/numbers.h"
- #include "crypto/evp.h"
- 
- static int pkey_kdf_init(EVP_PKEY_CTX *ctx)
-diff -up openssl-1.1.1g/crypto/kdf/hkdf.c.edk2-build openssl-1.1.1g/crypto/kdf/hkdf.c
---- openssl-1.1.1g/crypto/kdf/hkdf.c.edk2-build	2020-05-18 12:55:53.340548788 +0200
-+++ openssl-1.1.1g/crypto/kdf/hkdf.c	2020-05-18 12:57:18.648288904 +0200
-@@ -13,6 +13,7 @@
- #include <openssl/hmac.h>
- #include <openssl/kdf.h>
- #include <openssl/evp.h>
-+#include "internal/numbers.h"
- #include "internal/cryptlib.h"
- #include "crypto/evp.h"
- #include "kdf_local.h"
-diff -up openssl-1.1.1g/crypto/rand/rand_unix.c.edk2-build openssl-1.1.1g/crypto/rand/rand_unix.c
---- openssl-1.1.1g/crypto/rand/rand_unix.c.edk2-build	2020-05-18 12:56:05.646655554 +0200
-+++ openssl-1.1.1g/crypto/rand/rand_unix.c	2020-05-18 12:58:51.088090896 +0200
-@@ -20,7 +20,7 @@
- #include "crypto/fips.h"
- #include <stdio.h>
- #include "internal/dso.h"
--#ifdef __linux
-+#if defined(__linux) && !defined(OPENSSL_SYS_UEFI)
- # include <sys/syscall.h>
- # include <sys/random.h>
- # ifdef DEVRANDOM_WAIT
-diff -up openssl-1.1.1g/include/crypto/fips.h.edk2-build openssl-1.1.1g/include/crypto/fips.h
---- openssl-1.1.1g/include/crypto/fips.h.edk2-build	2020-05-18 12:55:53.296548406 +0200
-+++ openssl-1.1.1g/include/crypto/fips.h	2020-05-18 12:55:53.340548788 +0200
-@@ -50,10 +50,6 @@
- #include <openssl/opensslconf.h>
- #include <openssl/evp.h>
- 
--#ifndef OPENSSL_FIPS
--# error FIPS is disabled.
--#endif
--
- #ifdef OPENSSL_FIPS
- 
- int FIPS_module_mode_set(int onoff);
-@@ -97,4 +93,8 @@ void fips_set_selftest_fail(void);
- 
- void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
- 
-+#else
-+
-+# define fips_in_post() 0
-+
- #endif

openssl-1.1.1-fips-crng-test.patch

@@ -1,408 +0,0 @@
-diff -up openssl-1.1.1g/crypto/rand/build.info.crng-test openssl-1.1.1g/crypto/rand/build.info
---- openssl-1.1.1g/crypto/rand/build.info.crng-test	2020-04-23 13:30:45.863389837 +0200
-+++ openssl-1.1.1g/crypto/rand/build.info	2020-04-23 13:31:55.847069892 +0200
-@@ -1,6 +1,6 @@
- LIBS=../../libcrypto
- SOURCE[../../libcrypto]=\
--        randfile.c rand_lib.c rand_err.c rand_egd.c \
-+        randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
-         rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
- 
- INCLUDE[drbg_ctr.o]=../modes
-diff -up openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1g/crypto/rand/drbg_lib.c
---- openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test	2020-04-23 13:30:45.818390686 +0200
-+++ openssl-1.1.1g/crypto/rand/drbg_lib.c	2020-04-23 13:30:45.864389819 +0200
-@@ -67,7 +67,7 @@ static CRYPTO_THREAD_LOCAL private_drbg;
- 
- 
- /* NIST SP 800-90A DRBG recommends the use of a personalization string. */
--static const char ossl_pers_string[] = "OpenSSL NIST SP 800-90A DRBG";
-+static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING;
- 
- static CRYPTO_ONCE rand_drbg_init = CRYPTO_ONCE_STATIC_INIT;
- 
-@@ -201,8 +201,13 @@ static RAND_DRBG *rand_drbg_new(int secu
-     drbg->parent = parent;
- 
-     if (parent == NULL) {
-+#ifdef OPENSSL_FIPS
-+        drbg->get_entropy = rand_crngt_get_entropy;
-+        drbg->cleanup_entropy = rand_crngt_cleanup_entropy;
-+#else
-         drbg->get_entropy = rand_drbg_get_entropy;
-         drbg->cleanup_entropy = rand_drbg_cleanup_entropy;
-+#endif
- #ifndef RAND_DRBG_GET_RANDOM_NONCE
-         drbg->get_nonce = rand_drbg_get_nonce;
-         drbg->cleanup_nonce = rand_drbg_cleanup_nonce;
-diff -up openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1g/crypto/rand/rand_crng_test.c
---- openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test	2020-04-23 13:30:45.864389819 +0200
-+++ openssl-1.1.1g/crypto/rand/rand_crng_test.c	2020-04-23 13:30:45.864389819 +0200
-@@ -0,0 +1,118 @@
-+/*
-+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright (c) 2019, Oracle and/or its affiliates.  All rights reserved.
-+ *
-+ * Licensed under the Apache License 2.0 (the "License").  You may not use
-+ * this file except in compliance with the License.  You can obtain a copy
-+ * in the file LICENSE in the source distribution or at
-+ * https://www.openssl.org/source/license.html
-+ */
-+
-+/*
-+ * Implementation of the FIPS 140-2 section 4.9.2 Conditional Tests.
-+ */
-+
-+#include <string.h>
-+#include <openssl/evp.h>
-+#include "crypto/rand.h"
-+#include "internal/thread_once.h"
-+#include "rand_local.h"
-+
-+static RAND_POOL *crngt_pool;
-+static unsigned char crngt_prev[EVP_MAX_MD_SIZE];
-+
-+int (*crngt_get_entropy)(unsigned char *, unsigned char *, unsigned int *)
-+    = &rand_crngt_get_entropy_cb;
-+
-+int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md,
-+                              unsigned int *md_size)
-+{
-+    int r;
-+    size_t n;
-+    unsigned char *p;
-+
-+    n = rand_pool_acquire_entropy(crngt_pool);
-+    if (n >= CRNGT_BUFSIZ) {
-+        p = rand_pool_detach(crngt_pool);
-+        r = EVP_Digest(p, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);
-+        if (r != 0)
-+            memcpy(buf, p, CRNGT_BUFSIZ);
-+        rand_pool_reattach(crngt_pool, p);
-+        return r;
-+    }
-+    return 0;
-+}
-+
-+void rand_crngt_cleanup(void)
-+{
-+    rand_pool_free(crngt_pool);
-+    crngt_pool = NULL;
-+}
-+
-+int rand_crngt_init(void)
-+{
-+    unsigned char buf[CRNGT_BUFSIZ];
-+
-+    if ((crngt_pool = rand_pool_new(0, 1, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL)
-+        return 0;
-+    if (crngt_get_entropy(buf, crngt_prev, NULL)) {
-+        OPENSSL_cleanse(buf, sizeof(buf));
-+        return 1;
-+    }
-+    rand_crngt_cleanup();
-+    return 0;
-+}
-+
-+static CRYPTO_ONCE rand_crngt_init_flag = CRYPTO_ONCE_STATIC_INIT;
-+DEFINE_RUN_ONCE_STATIC(do_rand_crngt_init)
-+{
-+    return OPENSSL_init_crypto(0, NULL)
-+        && rand_crngt_init()
-+        && OPENSSL_atexit(&rand_crngt_cleanup);
-+}
-+
-+int rand_crngt_single_init(void)
-+{
-+    return RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init);
-+}
-+
-+size_t rand_crngt_get_entropy(RAND_DRBG *drbg,
-+                              unsigned char **pout,
-+                              int entropy, size_t min_len, size_t max_len,
-+                              int prediction_resistance)
-+{
-+    unsigned char buf[CRNGT_BUFSIZ], md[EVP_MAX_MD_SIZE];
-+    unsigned int sz;
-+    RAND_POOL *pool;
-+    size_t q, r = 0, s, t = 0;
-+    int attempts = 3;
-+
-+    if (!RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init))
-+        return 0;
-+
-+    if ((pool = rand_pool_new(entropy, 1, min_len, max_len)) == NULL)
-+        return 0;
-+
-+    while ((q = rand_pool_bytes_needed(pool, 1)) > 0 && attempts-- > 0) {
-+        s = q > sizeof(buf) ? sizeof(buf) : q;
-+        if (!crngt_get_entropy(buf, md, &sz)
-+            || memcmp(crngt_prev, md, sz) == 0
-+            || !rand_pool_add(pool, buf, s, s * 8))
-+            goto err;
-+        memcpy(crngt_prev, md, sz);
-+        t += s;
-+        attempts++;
-+    }
-+    r = t;
-+    *pout = rand_pool_detach(pool);
-+err:
-+    OPENSSL_cleanse(buf, sizeof(buf));
-+    rand_pool_free(pool);
-+    return r;
-+}
-+
-+void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
-+                                unsigned char *out, size_t outlen)
-+{
-+    OPENSSL_secure_clear_free(out, outlen);
-+}
-diff -up openssl-1.1.1g/crypto/rand/rand_local.h.crng-test openssl-1.1.1g/crypto/rand/rand_local.h
---- openssl-1.1.1g/crypto/rand/rand_local.h.crng-test	2020-04-23 13:30:45.470397250 +0200
-+++ openssl-1.1.1g/crypto/rand/rand_local.h	2020-04-23 13:30:45.864389819 +0200
-@@ -33,7 +33,15 @@
- # define MASTER_RESEED_TIME_INTERVAL             (60*60)   /* 1 hour */
- # define SLAVE_RESEED_TIME_INTERVAL              (7*60)    /* 7 minutes */
- 
--
-+/*
-+ * The number of bytes that constitutes an atomic lump of entropy with respect
-+ * to the FIPS 140-2 section 4.9.2 Conditional Tests.  The size is somewhat
-+ * arbitrary, the smaller the value, the less entropy is consumed on first
-+ * read but the higher the probability of the test failing by accident.
-+ *
-+ * The value is in bytes.
-+ */
-+#define CRNGT_BUFSIZ    16
- 
- /*
-  * Maximum input size for the DRBG (entropy, nonce, personalization string)
-@@ -44,6 +52,8 @@
-  */
- # define DRBG_MAX_LENGTH                         INT32_MAX
- 
-+/* The default nonce */
-+# define DRBG_DEFAULT_PERS_STRING                "OpenSSL NIST SP 800-90A DRBG"
- 
- /*
-  * Maximum allocation size for RANDOM_POOL buffers
-@@ -296,4 +306,22 @@ int rand_drbg_enable_locking(RAND_DRBG *
- /* initializes the AES-CTR DRBG implementation */
- int drbg_ctr_init(RAND_DRBG *drbg);
- 
-+/*
-+ * Entropy call back for the FIPS 140-2 section 4.9.2 Conditional Tests.
-+ * These need to be exposed for the unit tests.
-+ */
-+int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md,
-+                              unsigned int *md_size);
-+extern int (*crngt_get_entropy)(unsigned char *buf, unsigned char *md,
-+                                unsigned int *md_size);
-+int rand_crngt_init(void);
-+void rand_crngt_cleanup(void);
-+
-+/*
-+ * Expose the run once initialisation function for the unit tests because.
-+ * they need to restart from scratch to validate the first block is skipped
-+ * properly.
-+ */
-+int rand_crngt_single_init(void);
-+
- #endif
-diff -up openssl-1.1.1g/include/crypto/rand.h.crng-test openssl-1.1.1g/include/crypto/rand.h
---- openssl-1.1.1g/include/crypto/rand.h.crng-test	2020-04-23 13:30:45.824390573 +0200
-+++ openssl-1.1.1g/include/crypto/rand.h	2020-04-23 13:30:45.864389819 +0200
-@@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN
- 
- void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);
- 
-+/* CRNG test entropy filter callbacks. */
-+size_t rand_crngt_get_entropy(RAND_DRBG *drbg,
-+                              unsigned char **pout,
-+                              int entropy, size_t min_len, size_t max_len,
-+                              int prediction_resistance);
-+void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
-+                                unsigned char *out, size_t outlen);
-+
- /*
-  * RAND_POOL functions
-  */
-diff -up openssl-1.1.1g/test/drbgtest.c.crng-test openssl-1.1.1g/test/drbgtest.c
---- openssl-1.1.1g/test/drbgtest.c.crng-test	2020-04-21 14:22:39.000000000 +0200
-+++ openssl-1.1.1g/test/drbgtest.c	2020-04-23 13:30:45.865389800 +0200
-@@ -150,6 +150,31 @@ static size_t kat_nonce(RAND_DRBG *drbg,
-     return t->noncelen;
- }
- 
-+ /*
-+ * Disable CRNG testing if it is enabled.
-+ * If the DRBG is ready or in an error state, this means an instantiate cycle
-+ * for which the default personalisation string is used.
-+ */
-+static int disable_crngt(RAND_DRBG *drbg)
-+{
-+    static const char pers[] = DRBG_DEFAULT_PERS_STRING;
-+    const int instantiate = drbg->state != DRBG_UNINITIALISED;
-+
-+    if (drbg->get_entropy != rand_crngt_get_entropy)
-+        return 1;
-+
-+     if ((instantiate && !RAND_DRBG_uninstantiate(drbg))
-+        || !TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_drbg_get_entropy,
-+                                              &rand_drbg_cleanup_entropy,
-+                                              &rand_drbg_get_nonce,
-+                                              &rand_drbg_cleanup_nonce))
-+        || (instantiate
-+            && !RAND_DRBG_instantiate(drbg, (const unsigned char *)pers,
-+                                      sizeof(pers) - 1)))
-+        return 0;
-+    return 1;
-+}
-+
- static int uninstantiate(RAND_DRBG *drbg)
- {
-     int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg);
-@@ -175,7 +200,8 @@ static int single_kat(DRBG_SELFTEST_DATA
-     if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL)))
-         return 0;
-     if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
--                                           kat_nonce, NULL))) {
-+                                           kat_nonce, NULL))
-+        || !TEST_true(disable_crngt(drbg))) {
-         failures++;
-         goto err;
-     }
-@@ -293,7 +319,8 @@ static int error_check(DRBG_SELFTEST_DAT
-     unsigned int reseed_counter_tmp;
-     int ret = 0;
- 
--    if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL)))
-+    if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL))
-+	|| !TEST_true(disable_crngt(drbg)))
-         goto err;
- 
-     /*
-@@ -740,6 +767,10 @@ static int test_rand_drbg_reseed(void)
-         || !TEST_ptr_eq(private->parent, master))
-         return 0;
- 
-+    /* Disable CRNG testing for the master DRBG */
-+    if (!TEST_true(disable_crngt(master)))
-+        return 0;
-+
-     /* uninstantiate the three global DRBGs */
-     RAND_DRBG_uninstantiate(private);
-     RAND_DRBG_uninstantiate(public);
-@@ -964,7 +995,8 @@ static int test_rand_seed(void)
-     size_t rand_buflen;
-     size_t required_seed_buflen = 0;
- 
--    if (!TEST_ptr(master = RAND_DRBG_get0_master()))
-+    if (!TEST_ptr(master = RAND_DRBG_get0_master())
-+        || !TEST_true(disable_crngt(master)))
-         return 0;
- 
- #ifdef OPENSSL_RAND_SEED_NONE
-@@ -1013,6 +1045,95 @@ static int test_rand_add(void)
-     return 1;
- }
- 
-+/*
-+ * A list of the FIPS DRGB types.
-+ */
-+static const struct s_drgb_types {
-+    int nid;
-+    int flags;
-+} drgb_types[] = {
-+    { NID_aes_128_ctr,  0                   },
-+    { NID_aes_192_ctr,  0                   },
-+    { NID_aes_256_ctr,  0                   },
-+};
-+
-+/* Six cases for each covers seed sizes up to 32 bytes */
-+static const size_t crngt_num_cases = 6;
-+
-+static size_t crngt_case, crngt_idx;
-+
-+static int crngt_entropy_cb(unsigned char *buf, unsigned char *md,
-+                            unsigned int *md_size)
-+{
-+    size_t i, z;
-+
-+    if (!TEST_int_lt(crngt_idx, crngt_num_cases))
-+        return 0;
-+    /* Generate a block of unique data unless this is the duplication point */
-+    z = crngt_idx++;
-+    if (z > 0 && crngt_case == z)
-+        z--;
-+    for (i = 0; i < CRNGT_BUFSIZ; i++)
-+        buf[i] = (unsigned char)(i + 'A' + z);
-+    return EVP_Digest(buf, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);
-+}
-+
-+static int test_crngt(int n)
-+{
-+    const struct s_drgb_types *dt = drgb_types + n / crngt_num_cases;
-+    RAND_DRBG *drbg = NULL;
-+    unsigned char buff[100];
-+    size_t ent;
-+    int res = 0;
-+    int expect;
-+
-+    if (!TEST_true(rand_crngt_single_init()))
-+        return 0;
-+    rand_crngt_cleanup();
-+
-+    if (!TEST_ptr(drbg = RAND_DRBG_new(dt->nid, dt->flags, NULL)))
-+        return 0;
-+    ent = (drbg->min_entropylen + CRNGT_BUFSIZ - 1) / CRNGT_BUFSIZ;
-+    crngt_case = n % crngt_num_cases;
-+    crngt_idx = 0;
-+    crngt_get_entropy = &crngt_entropy_cb;
-+    if (!TEST_true(rand_crngt_init()))
-+        goto err;
-+#ifndef OPENSSL_FIPS
-+    if (!TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_crngt_get_entropy,
-+                                           &rand_crngt_cleanup_entropy,
-+                                           &rand_drbg_get_nonce,
-+                                           &rand_drbg_cleanup_nonce)))
-+        goto err;
-+#endif
-+    expect = crngt_case == 0 || crngt_case > ent;
-+    if (!TEST_int_eq(RAND_DRBG_instantiate(drbg, NULL, 0), expect))
-+        goto err;
-+    if (!expect)
-+        goto fin;
-+    if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)))
-+        goto err;
-+
-+    expect = crngt_case == 0 || crngt_case > 2 * ent;
-+    if (!TEST_int_eq(RAND_DRBG_reseed(drbg, NULL, 0, 0), expect))
-+        goto err;
-+    if (!expect)
-+        goto fin;
-+    if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)))
-+        goto err;
-+
-+fin:
-+    res = 1;
-+err:
-+    if (!res)
-+        TEST_note("DRBG %zd case %zd block %zd", n / crngt_num_cases,
-+                  crngt_case, crngt_idx);
-+    uninstantiate(drbg);
-+    RAND_DRBG_free(drbg);
-+    crngt_get_entropy = &rand_crngt_get_entropy_cb;
-+    return res;
-+}
-+
- int setup_tests(void)
- {
-     app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
-@@ -1025,5 +1146,6 @@ int setup_tests(void)
- #if defined(OPENSSL_THREADS)
-     ADD_TEST(test_multi_thread);
- #endif
-+    ADD_ALL_TESTS(test_crngt, crngt_num_cases * OSSL_NELEM(drgb_types));
-     return 1;
- }

openssl-1.1.1-fips-curves.patch

@@ -1,200 +0,0 @@
-diff -up openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves openssl-1.1.1g/crypto/ec/ec_curve.c
---- openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves	2020-05-18 12:59:54.839643980 +0200
-+++ openssl-1.1.1g/crypto/ec/ec_curve.c	2020-05-18 12:59:54.852644093 +0200
-@@ -13,6 +13,7 @@
- #include <openssl/err.h>
- #include <openssl/obj_mac.h>
- #include <openssl/opensslconf.h>
-+#include <openssl/crypto.h>
- #include "internal/nelem.h"
- 
- typedef struct {
-@@ -237,6 +238,7 @@ static const struct {
- 
- typedef struct _ec_list_element_st {
-     int nid;
-+    int fips_allowed;
-     const EC_CURVE_DATA *data;
-     const EC_METHOD *(*meth) (void);
-     const char *comment;
-@@ -246,23 +248,23 @@ static const ec_list_element curve_list[
-     /* prime field curves */
-     /* secg curves */
- #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
--    {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
-+    {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
-      "NIST/SECG curve over a 224 bit prime field"},
- #else
--    {NID_secp224r1, &_EC_NIST_PRIME_224.h, 0,
-+    {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, 0,
-      "NIST/SECG curve over a 224 bit prime field"},
- #endif
--    {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
-+    {NID_secp256k1, 0, &_EC_SECG_PRIME_256K1.h, 0,
-      "SECG curve over a 256 bit prime field"},
-     /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
--    {NID_secp384r1, &_EC_NIST_PRIME_384.h,
-+    {NID_secp384r1, 1, &_EC_NIST_PRIME_384.h,
- # if defined(S390X_EC_ASM)
-      EC_GFp_s390x_nistp384_method,
- # else
-      0,
- # endif
-      "NIST/SECG curve over a 384 bit prime field"},
--    {NID_secp521r1, &_EC_NIST_PRIME_521.h,
-+    {NID_secp521r1, 1, &_EC_NIST_PRIME_521.h,
- # if defined(S390X_EC_ASM)
-      EC_GFp_s390x_nistp521_method,
- # elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
-@@ -272,7 +274,7 @@ static const ec_list_element curve_list[
- # endif
-      "NIST/SECG curve over a 521 bit prime field"},
-     /* X9.62 curves */
--    {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
-+    {NID_X9_62_prime256v1, 1, &_EC_X9_62_PRIME_256V1.h,
- #if defined(ECP_NISTZ256_ASM)
-      EC_GFp_nistz256_method,
- # elif defined(S390X_EC_ASM)
-@@ -404,6 +406,10 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
- 
-     for (i = 0; i < curve_list_length; i++)
-         if (curve_list[i].nid == nid) {
-+            if (!curve_list[i].fips_allowed && FIPS_mode()) {
-+                ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_NOT_A_NIST_PRIME);
-+                return NULL;
-+            }
-             ret = ec_group_new_from_data(curve_list[i]);
-             break;
-         }
-@@ -418,19 +424,31 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
- 
- size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
- {
--    size_t i, min;
-+    size_t i, j, num;
-+    int fips_mode = FIPS_mode();
- 
--    if (r == NULL || nitems == 0)
--        return curve_list_length;
-+    num = curve_list_length;
-+    if (fips_mode)
-+        for (i = 0; i < curve_list_length; i++) {
-+            if (!curve_list[i].fips_allowed)
-+                --num;
-+        }
- 
--    min = nitems < curve_list_length ? nitems : curve_list_length;
-+    if (r == NULL || nitems == 0) {
-+        return num;
-+    }
- 
--    for (i = 0; i < min; i++) {
--        r[i].nid = curve_list[i].nid;
--        r[i].comment = curve_list[i].comment;
-+    for (i = 0, j = 0; i < curve_list_length; i++) {
-+        if (j >= nitems)
-+            break;
-+        if (!fips_mode || curve_list[i].fips_allowed) {
-+            r[j].nid = curve_list[i].nid;
-+            r[j].comment = curve_list[i].comment;
-+            ++j;
-+        }
-     }
- 
--    return curve_list_length;
-+    return num;
- }
- 
- /* Functions to translate between common NIST curve names and NIDs */
-diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-curves openssl-1.1.1g/ssl/t1_lib.c
---- openssl-1.1.1g/ssl/t1_lib.c.fips-curves	2020-05-18 12:59:54.797643616 +0200
-+++ openssl-1.1.1g/ssl/t1_lib.c	2020-05-18 13:03:54.748725463 +0200
-@@ -678,6 +678,36 @@ static const uint16_t tls12_sigalgs[] =
- #endif
- };
- 
-+static const uint16_t tls12_fips_sigalgs[] = {
-+#ifndef OPENSSL_NO_EC
-+    TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
-+    TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
-+    TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
-+#endif
-+
-+    TLSEXT_SIGALG_rsa_pss_pss_sha256,
-+    TLSEXT_SIGALG_rsa_pss_pss_sha384,
-+    TLSEXT_SIGALG_rsa_pss_pss_sha512,
-+    TLSEXT_SIGALG_rsa_pss_rsae_sha256,
-+    TLSEXT_SIGALG_rsa_pss_rsae_sha384,
-+    TLSEXT_SIGALG_rsa_pss_rsae_sha512,
-+
-+    TLSEXT_SIGALG_rsa_pkcs1_sha256,
-+    TLSEXT_SIGALG_rsa_pkcs1_sha384,
-+    TLSEXT_SIGALG_rsa_pkcs1_sha512,
-+
-+#ifndef OPENSSL_NO_EC
-+    TLSEXT_SIGALG_ecdsa_sha224,
-+#endif
-+    TLSEXT_SIGALG_rsa_pkcs1_sha224,
-+#ifndef OPENSSL_NO_DSA
-+    TLSEXT_SIGALG_dsa_sha224,
-+    TLSEXT_SIGALG_dsa_sha256,
-+    TLSEXT_SIGALG_dsa_sha384,
-+    TLSEXT_SIGALG_dsa_sha512,
-+#endif
-+};
-+
- #ifndef OPENSSL_NO_EC
- static const uint16_t suiteb_sigalgs[] = {
-     TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
-@@ -894,6 +924,8 @@ static const SIGALG_LOOKUP *tls1_get_leg
-     }
-     if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
-         return NULL;
-+    if (FIPS_mode()) /* We do not allow legacy SHA1 signatures in FIPS mode */
-+        return NULL;
-     if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
-         const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
- 
-@@ -954,6 +986,9 @@ size_t tls12_get_psigalgs(SSL *s, int se
-     } else if (s->cert->conf_sigalgs) {
-         *psigs = s->cert->conf_sigalgs;
-         return s->cert->conf_sigalgslen;
-+    } else if (FIPS_mode()) {
-+        *psigs = tls12_fips_sigalgs;
-+        return OSSL_NELEM(tls12_fips_sigalgs);
-     } else {
-         *psigs = tls12_sigalgs;
-         return OSSL_NELEM(tls12_sigalgs);
-@@ -973,6 +1008,9 @@ int tls_check_sigalg_curve(const SSL *s,
-     if (s->cert->conf_sigalgs) {
-         sigs = s->cert->conf_sigalgs;
-         siglen = s->cert->conf_sigalgslen;
-+    } else if (FIPS_mode()) {
-+        sigs = tls12_fips_sigalgs;
-+        siglen = OSSL_NELEM(tls12_fips_sigalgs);
-     } else {
-         sigs = tls12_sigalgs;
-         siglen = OSSL_NELEM(tls12_sigalgs);
-@@ -1617,6 +1655,8 @@ static int tls12_sigalg_allowed(const SS
-     if (lu->sig == NID_id_GostR3410_2012_256
-             || lu->sig == NID_id_GostR3410_2012_512
-             || lu->sig == NID_id_GostR3410_2001) {
-+        if (FIPS_mode())
-+            return 0;
-         /* We never allow GOST sig algs on the server with TLSv1.3 */
-         if (s->server && SSL_IS_TLS13(s))
-             return 0;
-@@ -2842,6 +2882,13 @@ int tls_choose_sigalg(SSL *s, int fatale
-                 const uint16_t *sent_sigs;
-                 size_t sent_sigslen;
- 
-+                if (fatalerrs && FIPS_mode()) {
-+                    /* There are no suitable legacy algorithms in FIPS mode */
-+                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
-+                             SSL_F_TLS_CHOOSE_SIGALG,
-+                             SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
-+                    return 0;
-+                }
-                 if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
-                     if (!fatalerrs)
-                         return 1;

openssl-1.1.1-fips-drbg-selftest.patch

@@ -1,587 +0,0 @@
-diff -up openssl-1.1.1g/crypto/fips/fips_post.c.drbg-selftest openssl-1.1.1g/crypto/fips/fips_post.c
---- openssl-1.1.1g/crypto/fips/fips_post.c.drbg-selftest	2020-04-23 13:33:12.500624151 +0200
-+++ openssl-1.1.1g/crypto/fips/fips_post.c	2020-04-23 13:33:12.618621925 +0200
-@@ -67,12 +67,18 @@
- 
- # include <openssl/fips.h>
- # include "crypto/fips.h"
-+# include "crypto/rand.h"
- # include "fips_locl.h"
- 
- /* Run all selftests */
- int FIPS_selftest(void)
- {
-     int rv = 1;
-+    if (!rand_drbg_selftest()) {
-+        FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_TEST_FAILURE);
-+        ERR_add_error_data(2, "Type=", "rand_drbg_selftest");
-+        rv = 0;
-+    }
-     if (!FIPS_selftest_drbg())
-         rv = 0;
-     if (!FIPS_selftest_sha1())
-diff -up openssl-1.1.1g/crypto/rand/build.info.drbg-selftest openssl-1.1.1g/crypto/rand/build.info
---- openssl-1.1.1g/crypto/rand/build.info.drbg-selftest	2020-04-23 13:33:12.619621907 +0200
-+++ openssl-1.1.1g/crypto/rand/build.info	2020-04-23 13:34:10.857523497 +0200
-@@ -1,6 +1,6 @@
- LIBS=../../libcrypto
- SOURCE[../../libcrypto]=\
-         randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
--        rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
-+        rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c drbg_selftest.c
- 
- INCLUDE[drbg_ctr.o]=../modes
-diff -up openssl-1.1.1g/crypto/rand/drbg_selftest.c.drbg-selftest openssl-1.1.1g/crypto/rand/drbg_selftest.c
---- openssl-1.1.1g/crypto/rand/drbg_selftest.c.drbg-selftest	2020-04-23 13:33:12.619621907 +0200
-+++ openssl-1.1.1g/crypto/rand/drbg_selftest.c	2020-04-23 13:33:12.619621907 +0200
-@@ -0,0 +1,537 @@
-+/*
-+ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
-+ *
-+ * Licensed under the OpenSSL license (the "License").  You may not use
-+ * this file except in compliance with the License.  You can obtain a copy
-+ * in the file LICENSE in the source distribution or at
-+ * https://www.openssl.org/source/license.html
-+ */
-+
-+#include <string.h>
-+#include <stddef.h>
-+#include "internal/nelem.h"
-+#include <openssl/crypto.h>
-+#include <openssl/err.h>
-+#include <openssl/rand_drbg.h>
-+#include <openssl/obj_mac.h>
-+#include "internal/thread_once.h"
-+#include "crypto/rand.h"
-+
-+typedef struct test_ctx_st {
-+    const unsigned char *entropy;
-+    size_t entropylen;
-+    int entropycnt;
-+    const unsigned char *nonce;
-+    size_t noncelen;
-+    int noncecnt;
-+} TEST_CTX;
-+
-+static int app_data_index = -1;
-+static CRYPTO_ONCE get_index_once = CRYPTO_ONCE_STATIC_INIT;
-+DEFINE_RUN_ONCE_STATIC(drbg_app_data_index_init)
-+{
-+    app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
-+
-+    return 1;
-+}
-+
-+enum drbg_kat_type {
-+    NO_RESEED,
-+    PR_FALSE,
-+    PR_TRUE
-+};
-+
-+enum drbg_df {
-+    USE_DF,
-+    NO_DF,
-+    NA
-+};
-+
-+struct drbg_kat_no_reseed {
-+    size_t count;
-+    const unsigned char *entropyin;
-+    const unsigned char *nonce;
-+    const unsigned char *persstr;
-+    const unsigned char *addin1;
-+    const unsigned char *addin2;
-+    const unsigned char *retbytes;
-+};
-+
-+struct drbg_kat_pr_false {
-+    size_t count;
-+    const unsigned char *entropyin;
-+    const unsigned char *nonce;
-+    const unsigned char *persstr;
-+    const unsigned char *entropyinreseed;
-+    const unsigned char *addinreseed;
-+    const unsigned char *addin1;
-+    const unsigned char *addin2;
-+    const unsigned char *retbytes;
-+};
-+
-+struct drbg_kat_pr_true {
-+    size_t count;
-+    const unsigned char *entropyin;
-+    const unsigned char *nonce;
-+    const unsigned char *persstr;
-+    const unsigned char *entropyinpr1;
-+    const unsigned char *addin1;
-+    const unsigned char *entropyinpr2;
-+    const unsigned char *addin2;
-+    const unsigned char *retbytes;
-+};
-+
-+struct drbg_kat {
-+    enum drbg_kat_type type;
-+    enum drbg_df df;
-+    int nid;
-+
-+    size_t entropyinlen;
-+    size_t noncelen;
-+    size_t persstrlen;
-+    size_t addinlen;
-+    size_t retbyteslen;
-+
-+    const void *t;
-+};
-+
-+/*
-+ * Excerpt from test/drbg_cavs_data.c
-+ * DRBG test vectors from:
-+ * https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/
-+ */
-+
-+static const unsigned char kat1308_entropyin[] = {
-+    0x7c, 0x5d, 0x90, 0x70, 0x3b, 0x8a, 0xc7, 0x0f, 0x23, 0x73, 0x24, 0x9c,
-+    0xa7, 0x15, 0x41, 0x71, 0x7a, 0x31, 0xea, 0x32, 0xfc, 0x28, 0x0d, 0xd7,
-+    0x5b, 0x09, 0x01, 0x98, 0x1b, 0xe2, 0xa5, 0x53, 0xd9, 0x05, 0x32, 0x97,
-+    0xec, 0xbe, 0x86, 0xfd, 0x1c, 0x1c, 0x71, 0x4c, 0x52, 0x29, 0x9e, 0x52,
-+};
-+static const unsigned char kat1308_nonce[] = {0};
-+static const unsigned char kat1308_persstr[] = {
-+    0xdc, 0x07, 0x2f, 0x68, 0xfa, 0x77, 0x03, 0x23, 0x42, 0xb0, 0xf5, 0xa2,
-+    0xd9, 0xad, 0xa1, 0xd0, 0xad, 0xa2, 0x14, 0xb4, 0xd0, 0x8e, 0xfb, 0x39,
-+    0xdd, 0xc2, 0xac, 0xfb, 0x98, 0xdf, 0x7f, 0xce, 0x4c, 0x75, 0x56, 0x45,
-+    0xcd, 0x86, 0x93, 0x74, 0x90, 0x6e, 0xf6, 0x9e, 0x85, 0x7e, 0xfb, 0xc3,
-+};
-+static const unsigned char kat1308_addin0[] = {
-+    0x52, 0x25, 0xc4, 0x2f, 0x03, 0xce, 0x29, 0x71, 0xc5, 0x0b, 0xc3, 0x4e,
-+    0xad, 0x8d, 0x6f, 0x17, 0x82, 0xe1, 0xf3, 0xfd, 0xfd, 0x9b, 0x94, 0x9a,
-+    0x1d, 0xac, 0xd0, 0xd4, 0x3f, 0x2b, 0xe3, 0xab, 0x7c, 0x3d, 0x3e, 0x5a,
-+    0x68, 0xbb, 0xa4, 0x74, 0x68, 0x1a, 0xc6, 0x27, 0xff, 0xe0, 0xc0, 0x6c,
-+};
-+static const unsigned char kat1308_addin1[] = {
-+    0xdc, 0x91, 0xd7, 0xb7, 0xb9, 0x94, 0x79, 0x0f, 0x06, 0xc4, 0x70, 0x19,
-+    0x33, 0x25, 0x7c, 0x96, 0x01, 0xa0, 0x62, 0xb0, 0x50, 0xe6, 0xc0, 0x3a,
-+    0x56, 0x8f, 0xc5, 0x50, 0x48, 0xc6, 0xf4, 0x49, 0xe5, 0x70, 0x16, 0x2e,
-+    0xae, 0xf2, 0x99, 0xb4, 0x2d, 0x70, 0x18, 0x16, 0xcd, 0xe0, 0x24, 0xe4,
-+};
-+static const unsigned char kat1308_retbits[] = {
-+    0xde, 0xf8, 0x91, 0x1b, 0xf1, 0xe1, 0xa9, 0x97, 0xd8, 0x61, 0x84, 0xe2,
-+    0xdb, 0x83, 0x3e, 0x60, 0x45, 0xcd, 0xc8, 0x66, 0x93, 0x28, 0xc8, 0x92,
-+    0xbc, 0x25, 0xae, 0xe8, 0xb0, 0xed, 0xed, 0x16, 0x3d, 0xa5, 0xf9, 0x0f,
-+    0xb3, 0x72, 0x08, 0x84, 0xac, 0x3c, 0x3b, 0xaa, 0x5f, 0xf9, 0x7d, 0x63,
-+    0x3e, 0xde, 0x59, 0x37, 0x0e, 0x40, 0x12, 0x2b, 0xbc, 0x6c, 0x96, 0x53,
-+    0x26, 0x32, 0xd0, 0xb8,
-+};
-+static const struct drbg_kat_no_reseed kat1308_t = {
-+    2, kat1308_entropyin, kat1308_nonce, kat1308_persstr,
-+    kat1308_addin0, kat1308_addin1, kat1308_retbits
-+};
-+static const struct drbg_kat kat1308 = {
-+    NO_RESEED, NO_DF, NID_aes_256_ctr, 48, 0, 48, 48, 64, &kat1308_t
-+};
-+
-+static const unsigned char kat1465_entropyin[] = {
-+    0xc9, 0x96, 0x3a, 0x15, 0x51, 0x76, 0x4f, 0xe0, 0x45, 0x82, 0x8a, 0x64,
-+    0x87, 0xbe, 0xaa, 0xc0,
-+};
-+static const unsigned char kat1465_nonce[] = {
-+    0x08, 0xcd, 0x69, 0x39, 0xf8, 0x58, 0x9a, 0x85,
-+};
-+static const unsigned char kat1465_persstr[] = {0};
-+static const unsigned char kat1465_entropyinreseed[] = {
-+    0x16, 0xcc, 0x35, 0x15, 0xb1, 0x17, 0xf5, 0x33, 0x80, 0x9a, 0x80, 0xc5,
-+    0x1f, 0x4b, 0x7b, 0x51,
-+};
-+static const unsigned char kat1465_addinreseed[] = {
-+    0xf5, 0x3d, 0xf1, 0x2e, 0xdb, 0x28, 0x1c, 0x00, 0x7b, 0xcb, 0xb6, 0x12,
-+    0x61, 0x9f, 0x26, 0x5f,
-+};
-+static const unsigned char kat1465_addin0[] = {
-+    0xe2, 0x67, 0x06, 0x62, 0x09, 0xa7, 0xcf, 0xd6, 0x84, 0x8c, 0x20, 0xf6,
-+    0x10, 0x5a, 0x73, 0x9c,
-+};
-+static const unsigned char kat1465_addin1[] = {
-+    0x26, 0xfa, 0x50, 0xe1, 0xb3, 0xcb, 0x65, 0xed, 0xbc, 0x6d, 0xda, 0x18,
-+    0x47, 0x99, 0x1f, 0xeb,
-+};
-+static const unsigned char kat1465_retbits[] = {
-+    0xf9, 0x47, 0xc6, 0xb0, 0x58, 0xa8, 0x66, 0x8a, 0xf5, 0x2b, 0x2a, 0x6d,
-+    0x4e, 0x24, 0x6f, 0x65, 0xbf, 0x51, 0x22, 0xbf, 0xe8, 0x8d, 0x6c, 0xeb,
-+    0xf9, 0x68, 0x7f, 0xed, 0x3b, 0xdd, 0x6b, 0xd5, 0x28, 0x47, 0x56, 0x52,
-+    0xda, 0x50, 0xf0, 0x90, 0x73, 0x95, 0x06, 0x58, 0xaf, 0x08, 0x98, 0x6e,
-+    0x24, 0x18, 0xfd, 0x2f, 0x48, 0x72, 0x57, 0xd6, 0x59, 0xab, 0xe9, 0x41,
-+    0x58, 0xdb, 0x27, 0xba,
-+};
-+static const struct drbg_kat_pr_false kat1465_t = {
-+    9, kat1465_entropyin, kat1465_nonce, kat1465_persstr,
-+    kat1465_entropyinreseed, kat1465_addinreseed, kat1465_addin0,
-+    kat1465_addin1, kat1465_retbits
-+};
-+static const struct drbg_kat kat1465 = {
-+    PR_FALSE, USE_DF, NID_aes_128_ctr, 16, 8, 0, 16, 64, &kat1465_t
-+};
-+
-+static const unsigned char kat3146_entropyin[] = {
-+    0xd7, 0x08, 0x42, 0x82, 0xc2, 0xd2, 0xd1, 0xde, 0x01, 0xb4, 0x36, 0xb3,
-+    0x7f, 0xbd, 0xd3, 0xdd, 0xb3, 0xc4, 0x31, 0x4f, 0x8f, 0xa7, 0x10, 0xf4,
-+};
-+static const unsigned char kat3146_nonce[] = {
-+    0x7b, 0x9e, 0xcd, 0x49, 0x4f, 0x46, 0xa0, 0x08, 0x32, 0xff, 0x2e, 0xc3,
-+    0x50, 0x86, 0xca, 0xca,
-+};
-+static const unsigned char kat3146_persstr[] = {0};
-+static const unsigned char kat3146_entropyinpr1[] = {
-+    0x68, 0xd0, 0x7b, 0xa4, 0xe7, 0x22, 0x19, 0xe6, 0xb6, 0x46, 0x6a, 0xda,
-+    0x8e, 0x67, 0xea, 0x63, 0x3f, 0xaf, 0x2f, 0x6c, 0x9d, 0x5e, 0x48, 0x15,
-+};
-+static const unsigned char kat3146_addinpr1[] = {
-+    0x70, 0x0f, 0x54, 0xf4, 0x53, 0xde, 0xca, 0x61, 0x5c, 0x49, 0x51, 0xd1,
-+    0x41, 0xc4, 0xf1, 0x2f, 0x65, 0xfb, 0x7e, 0xbc, 0x9b, 0x14, 0xba, 0x90,
-+    0x05, 0x33, 0x7e, 0x64, 0xb7, 0x2b, 0xaf, 0x99,
-+};
-+static const unsigned char kat3146_entropyinpr2[] = {
-+    0xeb, 0x77, 0xb0, 0xe9, 0x2d, 0x31, 0xc8, 0x66, 0xc5, 0xc4, 0xa7, 0xf7,
-+    0x6c, 0xb2, 0x74, 0x36, 0x4b, 0x25, 0x78, 0x04, 0xd8, 0xd7, 0xd2, 0x34,
-+};
-+static const unsigned char kat3146_addinpr2[] = {
-+    0x05, 0xcd, 0x2a, 0x97, 0x5a, 0x5d, 0xfb, 0x98, 0xc1, 0xf1, 0x00, 0x0c,
-+    0xed, 0xe6, 0x2a, 0xba, 0xf0, 0x89, 0x1f, 0x5a, 0x4f, 0xd7, 0x48, 0xb3,
-+    0x24, 0xc0, 0x8a, 0x3d, 0x60, 0x59, 0x5d, 0xb6,
-+};
-+static const unsigned char kat3146_retbits[] = {
-+    0x29, 0x94, 0xa4, 0xa8, 0x17, 0x3e, 0x62, 0x2f, 0x94, 0xdd, 0x40, 0x1f,
-+    0xe3, 0x7e, 0x77, 0xd4, 0x38, 0xbc, 0x0e, 0x49, 0x46, 0xf6, 0x0e, 0x28,
-+    0x91, 0xc6, 0x9c, 0xc4, 0xa6, 0xa1, 0xf8, 0x9a, 0x64, 0x5e, 0x99, 0x76,
-+    0xd0, 0x2d, 0xee, 0xde, 0xe1, 0x2c, 0x93, 0x29, 0x4b, 0x12, 0xcf, 0x87,
-+    0x03, 0x98, 0xb9, 0x74, 0x41, 0xdb, 0x3a, 0x49, 0x9f, 0x92, 0xd0, 0x45,
-+    0xd4, 0x30, 0x73, 0xbb,
-+};
-+static const struct drbg_kat_pr_true kat3146_t = {
-+    10, kat3146_entropyin, kat3146_nonce, kat3146_persstr,
-+    kat3146_entropyinpr1, kat3146_addinpr1, kat3146_entropyinpr2,
-+    kat3146_addinpr2, kat3146_retbits
-+};
-+static const struct drbg_kat kat3146 = {
-+    PR_TRUE, USE_DF, NID_aes_192_ctr, 24, 16, 0, 32, 64, &kat3146_t
-+};
-+
-+static const struct drbg_kat *drbg_test[] = { &kat1308, &kat1465, &kat3146 };
-+
-+static const size_t drbg_test_nelem = OSSL_NELEM(drbg_test);
-+
-+static size_t kat_entropy(RAND_DRBG *drbg, unsigned char **pout,
-+                          int entropy, size_t min_len, size_t max_len,
-+                          int prediction_resistance)
-+{
-+    TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
-+
-+    t->entropycnt++;
-+    *pout = (unsigned char *)t->entropy;
-+    return t->entropylen;
-+}
-+
-+static size_t kat_nonce(RAND_DRBG *drbg, unsigned char **pout,
-+                        int entropy, size_t min_len, size_t max_len)
-+{
-+    TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
-+
-+    t->noncecnt++;
-+    *pout = (unsigned char *)t->nonce;
-+    return t->noncelen;
-+}
-+
-+/*
-+ * Do a single NO_RESEED KAT:
-+ *
-+ * Instantiate
-+ * Generate Random Bits (pr=false)
-+ * Generate Random Bits (pr=false)
-+ * Uninstantiate
-+ *
-+ * Return 0 on failure.
-+ */
-+static int single_kat_no_reseed(const struct drbg_kat *td)
-+{
-+    struct drbg_kat_no_reseed *data = (struct drbg_kat_no_reseed *)td->t;
-+    RAND_DRBG *drbg = NULL;
-+    unsigned char *buff = NULL;
-+    unsigned int flags = 0;
-+    int failures = 0;
-+    TEST_CTX t;
-+
-+    if (td->df != USE_DF)
-+        flags |= RAND_DRBG_FLAG_CTR_NO_DF;
-+
-+    if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
-+        return 0;
-+
-+    if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
-+                                 kat_nonce, NULL)) {
-+        failures++;
-+        goto err;
-+    }
-+    memset(&t, 0, sizeof(t));
-+    t.entropy = data->entropyin;
-+    t.entropylen = td->entropyinlen;
-+    t.nonce = data->nonce;
-+    t.noncelen = td->noncelen;
-+    RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
-+
-+    buff = OPENSSL_malloc(td->retbyteslen);
-+    if (buff == NULL) {
-+        failures++;
-+        goto err;
-+    }
-+
-+    if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen)
-+        || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
-+                               data->addin1, td->addinlen)
-+        || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
-+                               data->addin2, td->addinlen)
-+        || memcmp(data->retbytes, buff,
-+                  td->retbyteslen) != 0)
-+        failures++;
-+
-+err:
-+    OPENSSL_free(buff);
-+    RAND_DRBG_uninstantiate(drbg);
-+    RAND_DRBG_free(drbg);
-+    return failures == 0;
-+}
-+
-+/*-
-+ * Do a single PR_FALSE KAT:
-+ *
-+ * Instantiate
-+ * Reseed
-+ * Generate Random Bits (pr=false)
-+ * Generate Random Bits (pr=false)
-+ * Uninstantiate
-+ *
-+ * Return 0 on failure.
-+ */
-+static int single_kat_pr_false(const struct drbg_kat *td)
-+{
-+    struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t;
-+    RAND_DRBG *drbg = NULL;
-+    unsigned char *buff = NULL;
-+    unsigned int flags = 0;
-+    int failures = 0;
-+    TEST_CTX t;
-+
-+    if (td->df != USE_DF)
-+        flags |= RAND_DRBG_FLAG_CTR_NO_DF;
-+
-+    if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
-+        return 0;
-+
-+    if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
-+                                 kat_nonce, NULL)) {
-+        failures++;
-+        goto err;
-+    }
-+    memset(&t, 0, sizeof(t));
-+    t.entropy = data->entropyin;
-+    t.entropylen = td->entropyinlen;
-+    t.nonce = data->nonce;
-+    t.noncelen = td->noncelen;
-+    RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
-+
-+    buff = OPENSSL_malloc(td->retbyteslen);
-+    if (buff == NULL) {
-+        failures++;
-+        goto err;
-+    }
-+
-+    if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
-+        failures++;
-+
-+    t.entropy = data->entropyinreseed;
-+    t.entropylen = td->entropyinlen;
-+
-+    if (!RAND_DRBG_reseed(drbg, data->addinreseed, td->addinlen, 0)
-+        || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
-+                               data->addin1, td->addinlen)
-+        || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
-+                               data->addin2, td->addinlen)
-+        || memcmp(data->retbytes, buff,
-+                  td->retbyteslen) != 0)
-+        failures++;
-+
-+err:
-+    OPENSSL_free(buff);
-+    RAND_DRBG_uninstantiate(drbg);
-+    RAND_DRBG_free(drbg);
-+    return failures == 0;
-+}
-+
-+/*-
-+ * Do a single PR_TRUE KAT:
-+ *
-+ * Instantiate
-+ * Generate Random Bits (pr=true)
-+ * Generate Random Bits (pr=true)
-+ * Uninstantiate
-+ *
-+ * Return 0 on failure.
-+ */
-+static int single_kat_pr_true(const struct drbg_kat *td)
-+{
-+    struct drbg_kat_pr_true *data = (struct drbg_kat_pr_true *)td->t;
-+    RAND_DRBG *drbg = NULL;
-+    unsigned char *buff = NULL;
-+    unsigned int flags = 0;
-+    int failures = 0;
-+    TEST_CTX t;
-+
-+    if (td->df != USE_DF)
-+        flags |= RAND_DRBG_FLAG_CTR_NO_DF;
-+
-+    if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
-+        return 0;
-+
-+    if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
-+                                 kat_nonce, NULL)) {
-+        failures++;
-+        goto err;
-+    }
-+    memset(&t, 0, sizeof(t));
-+    t.nonce = data->nonce;
-+    t.noncelen = td->noncelen;
-+    t.entropy = data->entropyin;
-+    t.entropylen = td->entropyinlen;
-+    RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
-+
-+    buff = OPENSSL_malloc(td->retbyteslen);
-+    if (buff == NULL) {
-+        failures++;
-+        goto err;
-+    }
-+
-+    if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
-+        failures++;
-+
-+    t.entropy = data->entropyinpr1;
-+    t.entropylen = td->entropyinlen;
-+
-+    if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1,
-+                            data->addin1, td->addinlen))
-+        failures++;
-+
-+    t.entropy = data->entropyinpr2;
-+    t.entropylen = td->entropyinlen;
-+
-+    if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1,
-+                            data->addin2, td->addinlen)
-+        || memcmp(data->retbytes, buff,
-+                  td->retbyteslen) != 0)
-+        failures++;
-+
-+err:
-+    OPENSSL_free(buff);
-+    RAND_DRBG_uninstantiate(drbg);
-+    RAND_DRBG_free(drbg);
-+    return failures == 0;
-+}
-+
-+static int test_kats(int i)
-+{
-+    const struct drbg_kat *td = drbg_test[i];
-+    int rv = 0;
-+
-+    switch (td->type) {
-+    case NO_RESEED:
-+        if (!single_kat_no_reseed(td))
-+            goto err;
-+        break;
-+    case PR_FALSE:
-+        if (!single_kat_pr_false(td))
-+            goto err;
-+        break;
-+    case PR_TRUE:
-+        if (!single_kat_pr_true(td))
-+            goto err;
-+        break;
-+    default:	/* cant happen */
-+        goto err;
-+    }
-+    rv = 1;
-+err:
-+    return rv;
-+}
-+
-+/*-
-+ * Do one expected-error test:
-+ *
-+ * Instantiate with no entropy supplied
-+ *
-+ * Return 0 on failure.
-+ */
-+static int test_drbg_sanity(const struct drbg_kat *td)
-+{
-+    struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t;
-+    RAND_DRBG *drbg = NULL;
-+    unsigned int flags = 0;
-+    int failures = 0;
-+    TEST_CTX t;
-+
-+    if (td->df != USE_DF)
-+        flags |= RAND_DRBG_FLAG_CTR_NO_DF;
-+
-+    if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
-+        return 0;
-+
-+    if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
-+                                 kat_nonce, NULL)) {
-+        failures++;
-+        goto err;
-+    }
-+    memset(&t, 0, sizeof(t));
-+    t.entropy = data->entropyin;
-+    t.entropylen = 0;     /* No entropy */
-+    t.nonce = data->nonce;
-+    t.noncelen = td->noncelen;
-+    RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
-+
-+    ERR_set_mark();
-+    /* This must fail. */
-+    if (RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
-+        failures++;
-+    RAND_DRBG_uninstantiate(drbg);
-+    ERR_pop_to_mark();
-+
-+err:
-+    RAND_DRBG_free(drbg);
-+    return failures == 0;
-+}
-+
-+
-+int rand_drbg_selftest(void)
-+{
-+    int i;
-+
-+    if (!RUN_ONCE(&get_index_once, drbg_app_data_index_init))
-+        return 0;
-+
-+    for (i = 0; i < drbg_test_nelem; i++) {
-+        if (test_kats(i) <= 0)
-+            return 0;
-+    }
-+
-+    if (test_drbg_sanity(&kat1465) <= 0)
-+        return 0;
-+
-+    return 1;
-+}
-diff -up openssl-1.1.1g/include/crypto/rand.h.drbg-selftest openssl-1.1.1g/include/crypto/rand.h
---- openssl-1.1.1g/include/crypto/rand.h.drbg-selftest	2020-04-23 13:33:12.587622510 +0200
-+++ openssl-1.1.1g/include/crypto/rand.h	2020-04-23 13:33:12.619621907 +0200
-@@ -140,4 +140,9 @@ void rand_pool_cleanup(void);
-  */
- void rand_pool_keep_random_devices_open(int keep);
- 
-+/*
-+ * Perform the DRBG KAT selftests
-+ */
-+int rand_drbg_selftest(void);
-+
- #endif

openssl-1.1.1-fips-post-rand.patch

@@ -1,189 +0,0 @@
-diff -up openssl-1.1.1e/crypto/fips/fips.c.fips-post-rand openssl-1.1.1e/crypto/fips/fips.c
---- openssl-1.1.1e/crypto/fips/fips.c.fips-post-rand	2020-03-17 18:06:16.822418854 +0100
-+++ openssl-1.1.1e/crypto/fips/fips.c	2020-03-17 18:06:16.861418172 +0100
-@@ -68,6 +68,7 @@
- 
- # include <openssl/fips.h>
- # include "internal/thread_once.h"
-+# include "crypto/rand.h"
- 
- # ifndef PATH_MAX
- #  define PATH_MAX 1024
-@@ -76,6 +77,7 @@
- static int fips_selftest_fail = 0;
- static int fips_mode = 0;
- static int fips_started = 0;
-+static int fips_post = 0;
- 
- static int fips_is_owning_thread(void);
- static int fips_set_owning_thread(void);
-@@ -158,6 +160,11 @@ void fips_set_selftest_fail(void)
-     fips_selftest_fail = 1;
- }
- 
-+int fips_in_post(void)
-+{
-+    return fips_post;
-+}
-+
- /* we implement what libfipscheck does ourselves */
- 
- static int
-@@ -445,6 +452,8 @@ int FIPS_module_mode_set(int onoff)
-         }
- # endif
- 
-+        fips_post = 1;
-+
-         if (!FIPS_selftest()) {
-             fips_selftest_fail = 1;
-             ret = 0;
-@@ -459,7 +468,12 @@ int FIPS_module_mode_set(int onoff)
-             goto end;
-         }
- 
-+        fips_post = 0;
-+
-         fips_set_mode(onoff);
-+        /* force RNG reseed with entropy from getrandom() on next call */
-+        rand_force_reseed();
-+
-         ret = 1;
-         goto end;
-     }
-diff -up openssl-1.1.1e/crypto/rand/drbg_lib.c.fips-post-rand openssl-1.1.1e/crypto/rand/drbg_lib.c
---- openssl-1.1.1e/crypto/rand/drbg_lib.c.fips-post-rand	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/rand/drbg_lib.c	2020-03-17 18:07:35.305045521 +0100
-@@ -1009,6 +1009,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg
-     return min_entropy > min_entropylen ? min_entropy : min_entropylen;
- }
- 
-+void rand_force_reseed(void)
-+{
-+    RAND_DRBG *drbg;
-+
-+    drbg = RAND_DRBG_get0_master();
-+    drbg->fork_id = 0;
-+
-+    drbg = RAND_DRBG_get0_private();
-+    drbg->fork_id = 0;
-+
-+    drbg = RAND_DRBG_get0_public();
-+    drbg->fork_id = 0;
-+}
-+
- /* Implements the default OpenSSL RAND_add() method */
- static int drbg_add(const void *buf, int num, double randomness)
- {
-diff -up openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1e/crypto/rand/rand_unix.c
---- openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/rand/rand_unix.c	2020-03-17 18:09:01.503537189 +0100
-@@ -17,10 +17,12 @@
- #include <openssl/crypto.h>
- #include "rand_local.h"
- #include "crypto/rand.h"
-+#include "crypto/fips.h"
- #include <stdio.h>
- #include "internal/dso.h"
- #ifdef __linux
- # include <sys/syscall.h>
-+# include <sys/random.h>
- # ifdef DEVRANDOM_WAIT
- #  include <sys/shm.h>
- #  include <sys/utsname.h>
-@@ -342,7 +344,7 @@ static ssize_t sysctl_random(char *buf,
-  * syscall_random(): Try to get random data using a system call
-  * returns the number of bytes returned in buf, or < 0 on error.
-  */
--static ssize_t syscall_random(void *buf, size_t buflen)
-+static ssize_t syscall_random(void *buf, size_t buflen, int nonblock)
- {
-     /*
-      * Note: 'buflen' equals the size of the buffer which is used by the
-@@ -364,6 +366,7 @@ static ssize_t syscall_random(void *buf,
-      * - Linux since 3.17 with glibc 2.25
-      * - FreeBSD since 12.0 (1200061)
-      */
-+#  if 0
- #  if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
-     extern int getentropy(void *buffer, size_t length) __attribute__((weak));
- 
-@@ -385,10 +388,10 @@ static ssize_t syscall_random(void *buf,
-     if (p_getentropy.p != NULL)
-         return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
- #  endif
--
-+#  endif
-     /* Linux supports this since version 3.17 */
--#  if defined(__linux) && defined(__NR_getrandom)
--    return syscall(__NR_getrandom, buf, buflen, 0);
-+#  if defined(__linux) && defined(SYS_getrandom)
-+    return syscall(SYS_getrandom, buf, buflen, nonblock?GRND_NONBLOCK:0);
- #  elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
-     return sysctl_random(buf, buflen);
- #  else
-@@ -623,6 +626,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
-     size_t entropy_available;
- 
- #   if defined(OPENSSL_RAND_SEED_GETRANDOM)
-+    int in_post;
-+
-+    for (in_post = fips_in_post(); in_post >= 0; --in_post) {
-     {
-         size_t bytes_needed;
-         unsigned char *buffer;
-@@ -633,7 +639,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
-         bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
-         while (bytes_needed != 0 && attempts-- > 0) {
-             buffer = rand_pool_add_begin(pool, bytes_needed);
--            bytes = syscall_random(buffer, bytes_needed);
-+            bytes = syscall_random(buffer, bytes_needed, in_post);
-             if (bytes > 0) {
-                 rand_pool_add_end(pool, bytes, 8 * bytes);
-                 bytes_needed -= bytes;
-@@ -668,8 +674,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
-             int attempts = 3;
-             const int fd = get_random_device(i);
- 
--            if (fd == -1)
-+            if (fd == -1) {
-+                OPENSSL_showfatal("Random device %s cannot be opened.\n", random_device_paths[i]);
-                 continue;
-+            }
- 
-             while (bytes_needed != 0 && attempts-- > 0) {
-                 buffer = rand_pool_add_begin(pool, bytes_needed);
-@@ -732,7 +740,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
-             return entropy_available;
-     }
- #   endif
--
-+#   ifdef OPENSSL_RAND_SEED_GETRANDOM
-+    }
-+#   endif
-     return rand_pool_entropy_available(pool);
- #  endif
- }
-diff -up openssl-1.1.1e/include/crypto/fips.h.fips-post-rand openssl-1.1.1e/include/crypto/fips.h
---- openssl-1.1.1e/include/crypto/fips.h.fips-post-rand	2020-03-17 18:06:16.831418696 +0100
-+++ openssl-1.1.1e/include/crypto/fips.h	2020-03-17 18:06:16.861418172 +0100
-@@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void);
- int FIPS_selftest_drbg(void);
- int FIPS_selftest_cmac(void);
- 
-+int fips_in_post(void);
-+
- int fips_pkey_signature_test(EVP_PKEY *pkey,
-                                  const unsigned char *tbs, int tbslen,
-                                  const unsigned char *kat,
-diff -up openssl-1.1.1e/include/crypto/rand.h.fips-post-rand openssl-1.1.1e/include/crypto/rand.h
---- openssl-1.1.1e/include/crypto/rand.h.fips-post-rand	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/include/crypto/rand.h	2020-03-17 18:07:35.303045555 +0100
-@@ -24,6 +24,7 @@
- typedef struct rand_pool_st RAND_POOL;
- 
- void rand_cleanup_int(void);
-+void rand_force_reseed(void);
- void rand_drbg_cleanup_int(void);
- void drbg_delete_thread_state(void);
- 

openssl-1.1.1-intel-cet.patch

@@ -1,500 +0,0 @@
-diff -up openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl.intel-cet openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl
---- openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl.intel-cet	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl	2020-03-19 17:07:02.626522694 +0100
-@@ -275,6 +275,7 @@ $code.=<<___;
- .align	16
- ${PREFIX}_encrypt:
- .cfi_startproc
-+	endbranch
- 	movups	($inp),$inout0		# load input
- 	mov	240($key),$rounds	# key->rounds
- ___
-@@ -293,6 +294,7 @@ $code.=<<___;
- .align	16
- ${PREFIX}_decrypt:
- .cfi_startproc
-+	endbranch
- 	movups	($inp),$inout0		# load input
- 	mov	240($key),$rounds	# key->rounds
- ___
-@@ -613,6 +615,7 @@ $code.=<<___;
- .align	16
- aesni_ecb_encrypt:
- .cfi_startproc
-+	endbranch
- ___
- $code.=<<___ if ($win64);
- 	lea	-0x58(%rsp),%rsp
-@@ -985,6 +988,7 @@ $code.=<<___;
- .align	16
- aesni_ccm64_encrypt_blocks:
- .cfi_startproc
-+	endbranch
- ___
- $code.=<<___ if ($win64);
- 	lea	-0x58(%rsp),%rsp
-@@ -1077,6 +1081,7 @@ $code.=<<___;
- .align	16
- aesni_ccm64_decrypt_blocks:
- .cfi_startproc
-+	endbranch
- ___
- $code.=<<___ if ($win64);
- 	lea	-0x58(%rsp),%rsp
-@@ -1203,6 +1208,7 @@ $code.=<<___;
- .align	16
- aesni_ctr32_encrypt_blocks:
- .cfi_startproc
-+	endbranch
- 	cmp	\$1,$len
- 	jne	.Lctr32_bulk
- 
-@@ -1775,6 +1781,7 @@ $code.=<<___;
- .align	16
- aesni_xts_encrypt:
- .cfi_startproc
-+	endbranch
- 	lea	(%rsp),%r11			# frame pointer
- .cfi_def_cfa_register	%r11
- 	push	%rbp
-@@ -2258,6 +2265,7 @@ $code.=<<___;
- .align	16
- aesni_xts_decrypt:
- .cfi_startproc
-+	endbranch
- 	lea	(%rsp),%r11			# frame pointer
- .cfi_def_cfa_register	%r11
- 	push	%rbp
-@@ -2783,6 +2791,7 @@ $code.=<<___;
- .align	32
- aesni_ocb_encrypt:
- .cfi_startproc
-+	endbranch
- 	lea	(%rsp),%rax
- 	push	%rbx
- .cfi_push	%rbx
-@@ -3249,6 +3258,7 @@ __ocb_encrypt1:
- .align	32
- aesni_ocb_decrypt:
- .cfi_startproc
-+	endbranch
- 	lea	(%rsp),%rax
- 	push	%rbx
- .cfi_push	%rbx
-@@ -3737,6 +3747,7 @@ $code.=<<___;
- .align	16
- ${PREFIX}_cbc_encrypt:
- .cfi_startproc
-+	endbranch
- 	test	$len,$len		# check length
- 	jz	.Lcbc_ret
- 
-diff -up openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl.intel-cet openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl
---- openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl.intel-cet	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl	2020-03-19 17:00:15.974621757 +0100
-@@ -696,6 +696,7 @@ _vpaes_schedule_mangle:
- .align	16
- ${PREFIX}_set_encrypt_key:
- .cfi_startproc
-+	endbranch
- ___
- $code.=<<___ if ($win64);
- 	lea	-0xb8(%rsp),%rsp
-@@ -746,6 +747,7 @@ $code.=<<___;
- .align	16
- ${PREFIX}_set_decrypt_key:
- .cfi_startproc
-+	endbranch
- ___
- $code.=<<___ if ($win64);
- 	lea	-0xb8(%rsp),%rsp
-@@ -801,6 +803,7 @@ $code.=<<___;
- .align	16
- ${PREFIX}_encrypt:
- .cfi_startproc
-+	endbranch
- ___
- $code.=<<___ if ($win64);
- 	lea	-0xb8(%rsp),%rsp
-@@ -846,6 +849,7 @@ $code.=<<___;
- .align	16
- ${PREFIX}_decrypt:
- .cfi_startproc
-+	endbranch
- ___
- $code.=<<___ if ($win64);
- 	lea	-0xb8(%rsp),%rsp
-@@ -897,6 +901,7 @@ $code.=<<___;
- .align	16
- ${PREFIX}_cbc_encrypt:
- .cfi_startproc
-+	endbranch
- 	xchg	$key,$len
- ___
- ($len,$key)=($key,$len);
-diff -up openssl-1.1.1e/crypto/async/arch/async_posix.c.intel-cet openssl-1.1.1e/crypto/async/arch/async_posix.c
---- openssl-1.1.1e/crypto/async/arch/async_posix.c.intel-cet	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/async/arch/async_posix.c	2020-03-19 17:00:15.974621757 +0100
-@@ -34,7 +34,9 @@ void async_local_cleanup(void)
- 
- int async_fibre_makecontext(async_fibre *fibre)
- {
-+#ifndef USE_SWAPCONTEXT
-     fibre->env_init = 0;
-+#endif
-     if (getcontext(&fibre->fibre) == 0) {
-         fibre->fibre.uc_stack.ss_sp = OPENSSL_malloc(STACKSIZE);
-         if (fibre->fibre.uc_stack.ss_sp != NULL) {
-diff -up openssl-1.1.1e/crypto/async/arch/async_posix.h.intel-cet openssl-1.1.1e/crypto/async/arch/async_posix.h
---- openssl-1.1.1e/crypto/async/arch/async_posix.h.intel-cet	2020-03-19 17:00:15.435631166 +0100
-+++ openssl-1.1.1e/crypto/async/arch/async_posix.h	2020-03-19 17:00:15.975621739 +0100
-@@ -25,17 +25,33 @@
- #  define ASYNC_POSIX
- #  define ASYNC_ARCH
- 
-+#  ifdef __CET__
-+/*
-+ * When Intel CET is enabled, makecontext will create a different
-+ * shadow stack for each context.  async_fibre_swapcontext cannot
-+ * use _longjmp.  It must call swapcontext to swap shadow stack as
-+ * well as normal stack.
-+ */
-+#   define USE_SWAPCONTEXT
-+#  endif
- #  include <ucontext.h>
--#  include <setjmp.h>
-+#  ifndef USE_SWAPCONTEXT
-+#   include <setjmp.h>
-+#  endif
- 
- typedef struct async_fibre_st {
-     ucontext_t fibre;
-+#  ifndef USE_SWAPCONTEXT
-     jmp_buf env;
-     int env_init;
-+#  endif
- } async_fibre;
- 
- static ossl_inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r)
- {
-+#  ifdef USE_SWAPCONTEXT
-+    swapcontext(&o->fibre, &n->fibre);
-+#  else
-     o->env_init = 1;
- 
-     if (!r || !_setjmp(o->env)) {
-@@ -44,6 +60,7 @@ static ossl_inline int async_fibre_swapc
-         else
-             setcontext(&n->fibre);
-     }
-+#  endif
- 
-     return 1;
- }
-diff -up openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl.intel-cet openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl
---- openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl.intel-cet	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl	2020-03-19 17:00:15.975621739 +0100
-@@ -685,6 +685,7 @@ $code.=<<___;
- .align	16
- Camellia_cbc_encrypt:
- .cfi_startproc
-+	endbranch
- 	cmp	\$0,%rdx
- 	je	.Lcbc_abort
- 	push	%rbx
-diff -up openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl.intel-cet openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl
---- openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl.intel-cet	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl	2020-03-19 17:00:15.975621739 +0100
-@@ -239,6 +239,7 @@ $code=<<___;
- .align	16
- gcm_gmult_4bit:
- .cfi_startproc
-+	endbranch
- 	push	%rbx
- .cfi_push	%rbx
- 	push	%rbp		# %rbp and others are pushed exclusively in
-@@ -286,6 +287,7 @@ $code.=<<___;
- .align	16
- gcm_ghash_4bit:
- .cfi_startproc
-+	endbranch
- 	push	%rbx
- .cfi_push	%rbx
- 	push	%rbp
-@@ -612,6 +614,7 @@ $code.=<<___;
- .align	16
- gcm_gmult_clmul:
- .cfi_startproc
-+	endbranch
- .L_gmult_clmul:
- 	movdqu		($Xip),$Xi
- 	movdqa		.Lbswap_mask(%rip),$T3
-@@ -663,6 +666,7 @@ $code.=<<___;
- .align	32
- gcm_ghash_clmul:
- .cfi_startproc
-+	endbranch
- .L_ghash_clmul:
- ___
- $code.=<<___ if ($win64);
-@@ -1166,6 +1170,7 @@ $code.=<<___;
- .align	32
- gcm_gmult_avx:
- .cfi_startproc
-+	endbranch
- 	jmp	.L_gmult_clmul
- .cfi_endproc
- .size	gcm_gmult_avx,.-gcm_gmult_avx
-@@ -1177,6 +1182,7 @@ $code.=<<___;
- .align	32
- gcm_ghash_avx:
- .cfi_startproc
-+	endbranch
- ___
- if ($avx) {
- my ($Xip,$Htbl,$inp,$len)=@_4args;
-diff -up openssl-1.1.1e/crypto/perlasm/cbc.pl.intel-cet openssl-1.1.1e/crypto/perlasm/cbc.pl
---- openssl-1.1.1e/crypto/perlasm/cbc.pl.intel-cet	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/perlasm/cbc.pl	2020-03-19 17:00:15.976621722 +0100
-@@ -165,21 +165,28 @@ sub cbc
- 	&jmp_ptr($count);
- 
- &set_label("ej7");
-+	&endbranch()
- 	&movb(&HB("edx"),	&BP(6,$in,"",0));
- 	&shl("edx",8);
- &set_label("ej6");
-+	&endbranch()
- 	&movb(&HB("edx"),	&BP(5,$in,"",0));
- &set_label("ej5");
-+	&endbranch()
- 	&movb(&LB("edx"),	&BP(4,$in,"",0));
- &set_label("ej4");
-+	&endbranch()
- 	&mov("ecx",		&DWP(0,$in,"",0));
- 	&jmp(&label("ejend"));
- &set_label("ej3");
-+	&endbranch()
- 	&movb(&HB("ecx"),	&BP(2,$in,"",0));
- 	&shl("ecx",8);
- &set_label("ej2");
-+	&endbranch()
- 	&movb(&HB("ecx"),	&BP(1,$in,"",0));
- &set_label("ej1");
-+	&endbranch()
- 	&movb(&LB("ecx"),	&BP(0,$in,"",0));
- &set_label("ejend");
- 
-diff -up openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl.intel-cet openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl
---- openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl.intel-cet	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl	2020-03-19 17:00:15.984621582 +0100
-@@ -101,6 +101,33 @@ elsif (!$gas)
-     $decor="\$L\$";
- }
- 
-+my $cet_property;
-+if ($flavour =~ /elf/) {
-+	# Always generate .note.gnu.property section for ELF outputs to
-+	# mark Intel CET support since all input files must be marked
-+	# with Intel CET support in order for linker to mark output with
-+	# Intel CET support.
-+	my $p2align=3; $p2align=2 if ($flavour eq "elf32");
-+	$cet_property = <<_____;
-+	.section ".note.gnu.property", "a"
-+	.p2align $p2align
-+	.long 1f - 0f
-+	.long 4f - 1f
-+	.long 5
-+0:
-+	.asciz "GNU"
-+1:
-+	.p2align $p2align
-+	.long 0xc0000002
-+	.long 3f - 2f
-+2:
-+	.long 3
-+3:
-+	.p2align $p2align
-+4:
-+_____
-+}
-+
- my $current_segment;
- my $current_function;
- my %globals;
-@@ -1213,6 +1240,7 @@ while(defined(my $line=<>)) {
-     print $line,"\n";
- }
- 
-+print "$cet_property"			if ($cet_property);
- print "\n$current_segment\tENDS\n"	if ($current_segment && $masm);
- print "END\n"				if ($masm);
- 
-diff -up openssl-1.1.1e/crypto/perlasm/x86gas.pl.intel-cet openssl-1.1.1e/crypto/perlasm/x86gas.pl
---- openssl-1.1.1e/crypto/perlasm/x86gas.pl.intel-cet	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/perlasm/x86gas.pl	2020-03-19 17:00:15.985621565 +0100
-@@ -124,6 +124,7 @@ sub ::function_begin_B
-     push(@out,".align\t$align\n");
-     push(@out,"$func:\n");
-     push(@out,"$begin:\n")		if ($global);
-+    &::endbranch();
-     $::stack=4;
- }
- 
-@@ -172,6 +173,26 @@ sub ::file_end
- 	else		{ push (@out,"$tmp\n"); }
-     }
-     push(@out,$initseg) if ($initseg);
-+    if ($::elf) {
-+	push(@out,"
-+	.section \".note.gnu.property\", \"a\"
-+	.p2align 2
-+	.long 1f - 0f
-+	.long 4f - 1f
-+	.long 5
-+0:
-+	.asciz \"GNU\"
-+1:
-+	.p2align 2
-+	.long 0xc0000002
-+	.long 3f - 2f
-+2:
-+	.long 3
-+3:
-+	.p2align 2
-+4:
-+");
-+    }
- }
- 
- sub ::data_byte	{   push(@out,".byte\t".join(',',@_)."\n");   }
-diff -up openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl.intel-cet openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl
---- openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl.intel-cet	2020-03-19 17:00:38.185234015 +0100
-+++ openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl	2020-03-19 17:05:46.575850341 +0100
-@@ -2806,6 +2806,7 @@ $code.=<<___;
- .align	32
- poly1305_blocks_vpmadd52:
- .cfi_startproc
-+	endbranch
- 	shr	\$4,$len
- 	jz	.Lno_data_vpmadd52		# too short
- 
-@@ -3739,6 +3740,7 @@ $code.=<<___;
- .align	32
- poly1305_emit_base2_44:
- .cfi_startproc
-+	endbranch
- 	mov	0($ctx),%r8	# load hash value
- 	mov	8($ctx),%r9
- 	mov	16($ctx),%r10
-diff -up openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl.intel-cet openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl
---- openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl.intel-cet	2020-03-19 17:00:38.190233928 +0100
-+++ openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl	2020-03-19 17:05:02.598618064 +0100
-@@ -140,6 +140,7 @@ $code=<<___;
- .align	16
- RC4:
- .cfi_startproc
-+	endbranch
- 	or	$len,$len
- 	jne	.Lentry
- 	ret
-@@ -455,6 +456,7 @@ $code.=<<___;
- .align	16
- RC4_set_key:
- .cfi_startproc
-+	endbranch
- 	lea	8($dat),$dat
- 	lea	($inp,$len),$inp
- 	neg	$len
-@@ -529,6 +531,7 @@ RC4_set_key:
- .align	16
- RC4_options:
- .cfi_startproc
-+	endbranch
- 	lea	.Lopts(%rip),%rax
- 	mov	OPENSSL_ia32cap_P(%rip),%edx
- 	bt	\$20,%edx
-diff -up openssl-1.1.1e/crypto/x86_64cpuid.pl.intel-cet openssl-1.1.1e/crypto/x86_64cpuid.pl
---- openssl-1.1.1e/crypto/x86_64cpuid.pl.intel-cet	2020-03-17 15:31:17.000000000 +0100
-+++ openssl-1.1.1e/crypto/x86_64cpuid.pl	2020-03-19 17:03:58.172742775 +0100
-@@ -40,6 +40,7 @@ print<<___;
- .align	16
- OPENSSL_atomic_add:
- .cfi_startproc
-+	endbranch
- 	movl	($arg1),%eax
- .Lspin:	leaq	($arg2,%rax),%r8
- 	.byte	0xf0		# lock
-@@ -56,6 +57,7 @@ OPENSSL_atomic_add:
- .align	16
- OPENSSL_rdtsc:
- .cfi_startproc
-+	endbranch
- 	rdtsc
- 	shl	\$32,%rdx
- 	or	%rdx,%rax
-@@ -68,6 +70,7 @@ OPENSSL_rdtsc:
- .align	16
- OPENSSL_ia32_cpuid:
- .cfi_startproc
-+	endbranch
- 	mov	%rbx,%r8		# save %rbx
- .cfi_register	%rbx,%r8
- 
-@@ -237,6 +240,7 @@ OPENSSL_ia32_cpuid:
- .align  16
- OPENSSL_cleanse:
- .cfi_startproc
-+	endbranch
- 	xor	%rax,%rax
- 	cmp	\$15,$arg2
- 	jae	.Lot
-@@ -274,6 +278,7 @@ OPENSSL_cleanse:
- .align  16
- CRYPTO_memcmp:
- .cfi_startproc
-+	endbranch
- 	xor	%rax,%rax
- 	xor	%r10,%r10
- 	cmp	\$0,$arg3
-@@ -312,6 +317,7 @@ print<<___ if (!$win64);
- .align	16
- OPENSSL_wipe_cpu:
- .cfi_startproc
-+	endbranch
- 	pxor	%xmm0,%xmm0
- 	pxor	%xmm1,%xmm1
- 	pxor	%xmm2,%xmm2
-@@ -346,6 +352,8 @@ print<<___ if ($win64);
- .type	OPENSSL_wipe_cpu,\@abi-omnipotent
- .align	16
- OPENSSL_wipe_cpu:
-+.cfi_startproc
-+	endbranch
- 	pxor	%xmm0,%xmm0
- 	pxor	%xmm1,%xmm1
- 	pxor	%xmm2,%xmm2
-@@ -376,6 +384,7 @@ print<<___;
- .align	16
- OPENSSL_instrument_bus:
- .cfi_startproc
-+	endbranch
- 	mov	$arg1,$out	# tribute to Win64
- 	mov	$arg2,$cnt
- 	mov	$arg2,$max
-@@ -410,6 +419,7 @@ OPENSSL_instrument_bus:
- .align	16
- OPENSSL_instrument_bus2:
- .cfi_startproc
-+	endbranch
- 	mov	$arg1,$out	# tribute to Win64
- 	mov	$arg2,$cnt
- 	mov	$arg3,$max
-@@ -465,6 +475,7 @@ print<<___;
- .align	16
- OPENSSL_ia32_${rdop}_bytes:
- .cfi_startproc
-+	endbranch
- 	xor	%rax, %rax	# return value
- 	cmp	\$0,$arg2
- 	je	.Ldone_${rdop}_bytes

openssl-1.1.1-kdf-selftest.patch

@@ -1,170 +0,0 @@
-diff -up openssl-1.1.1g/crypto/fips/build.info.kdf-selftest openssl-1.1.1g/crypto/fips/build.info
---- openssl-1.1.1g/crypto/fips/build.info.kdf-selftest	2020-06-03 16:08:36.274849058 +0200
-+++ openssl-1.1.1g/crypto/fips/build.info	2020-06-03 16:11:05.609079372 +0200
-@@ -5,7 +5,7 @@ SOURCE[../../libcrypto]=\
-         fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
-         fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
-         fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \
--        fips_dh_selftest.c fips_ers.c
-+        fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c
- 
- PROGRAMS_NO_INST=\
-           fips_standalone_hmac
-diff -up openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c
---- openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest	2020-06-03 16:08:36.337849577 +0200
-+++ openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c	2020-06-03 16:08:36.337849577 +0200
-@@ -0,0 +1,117 @@
-+/*
-+ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright (c) 2018-2019, Oracle and/or its affiliates.  All rights reserved.
-+ *
-+ * Licensed under the Apache License 2.0 (the "License").  You may not use
-+ * this file except in compliance with the License.  You can obtain a copy
-+ * in the file LICENSE in the source distribution or at
-+ * https://www.openssl.org/source/license.html
-+ */
-+
-+#include <string.h>
-+#include <openssl/err.h>
-+#include <openssl/fips.h>
-+#include "crypto/fips.h"
-+
-+#include <openssl/evp.h>
-+#include <openssl/kdf.h>
-+
-+#ifdef OPENSSL_FIPS
-+int FIPS_selftest_pbkdf2(void)
-+{
-+    int ret = 0;
-+    EVP_KDF_CTX *kctx;
-+    unsigned char out[32];
-+
-+    if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2)) == NULL) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
-+        goto err;
-+    }
-+
-+    {
-+        const unsigned char expected[sizeof(out)] = {
-+            0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3,
-+            0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0,
-+            0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf,
-+            0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43
-+        };
-+        if (memcmp(out, expected, sizeof(expected))) {
-+            goto err;
-+        }
-+    }
-+    ret = 1;
-+
-+err:
-+    if (!ret)
-+        FIPSerr(FIPS_F_FIPS_SELFTEST_PBKDF2, FIPS_R_SELFTEST_FAILED);
-+    EVP_KDF_CTX_free(kctx);
-+    return ret;
-+}
-+
-+/* Test vector from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos
-+ * 5) appendix A. */
-+int FIPS_selftest_kbkdf(void)
-+{
-+    int ret = 0;
-+    EVP_KDF_CTX *kctx;
-+    char *label = "prf", *prf_input = "test";
-+    static unsigned char input_key[] = {
-+        0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28,
-+        0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C,
-+    };
-+    static unsigned char output[] = {
-+        0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE,
-+        0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86,
-+        0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B,
-+        0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95,
-+    };
-+    unsigned char result[sizeof(output)] = { 0 };
-+
-+    if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, label, strlen(label)) <= 0) {
-+        goto err;
-+    }
-+    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, prf_input, strlen(prf_input)) <= 0) {
-+        goto err;
-+    }
-+    ret = EVP_KDF_derive(kctx, result, sizeof(result)) > 0
-+        && memcmp(result, output, sizeof(output)) == 0;
-+err:
-+
-+    if (!ret)
-+        FIPSerr(FIPS_F_FIPS_SELFTEST_KBKDF, FIPS_R_SELFTEST_FAILED);
-+    EVP_KDF_CTX_free(kctx);
-+    return ret;
-+}
-+
-+int FIPS_selftest_kdf(void)
-+{
-+    return FIPS_selftest_pbkdf2() && FIPS_selftest_kbkdf();
-+}
-+
-+#endif
-diff -up openssl-1.1.1g/crypto/fips/fips_post.c.kdf-selftest openssl-1.1.1g/crypto/fips/fips_post.c
---- openssl-1.1.1g/crypto/fips/fips_post.c.kdf-selftest	2020-06-03 16:08:36.332849536 +0200
-+++ openssl-1.1.1g/crypto/fips/fips_post.c	2020-06-03 16:08:36.338849585 +0200
-@@ -111,6 +111,8 @@ int FIPS_selftest(void)
-         rv = 0;
-     if (!FIPS_selftest_ecdh())
-         rv = 0;
-+    if (!FIPS_selftest_kdf())
-+        rv = 0;
-     return rv;
- }
- 
-diff -up openssl-1.1.1g/include/crypto/fips.h.kdf-selftest openssl-1.1.1g/include/crypto/fips.h
---- openssl-1.1.1g/include/crypto/fips.h.kdf-selftest	2020-06-03 16:08:36.330849519 +0200
-+++ openssl-1.1.1g/include/crypto/fips.h	2020-06-03 16:08:36.338849585 +0200
-@@ -72,6 +72,9 @@ void FIPS_drbg_stick(int onoff);
- int FIPS_selftest_hmac(void);
- int FIPS_selftest_drbg(void);
- int FIPS_selftest_cmac(void);
-+int FIPS_selftest_kbkdf(void);
-+int FIPS_selftest_pbkdf2(void);
-+int FIPS_selftest_kdf(void);
- 
- int fips_in_post(void);
- 
-diff -up openssl-1.1.1g/include/openssl/fips.h.kdf-selftest openssl-1.1.1g/include/openssl/fips.h
---- openssl-1.1.1g/include/openssl/fips.h.kdf-selftest	2020-06-03 16:08:36.282849124 +0200
-+++ openssl-1.1.1g/include/openssl/fips.h	2020-06-03 16:08:36.338849585 +0200
-@@ -123,6 +123,8 @@ extern "C" {
- # define FIPS_F_FIPS_SELFTEST_DSA                         112
- # define FIPS_F_FIPS_SELFTEST_ECDSA                       133
- # define FIPS_F_FIPS_SELFTEST_HMAC                        113
-+# define FIPS_F_FIPS_SELFTEST_KBKDF                       151
-+# define FIPS_F_FIPS_SELFTEST_PBKDF2                      152
- # define FIPS_F_FIPS_SELFTEST_SHA1                        115
- # define FIPS_F_FIPS_SELFTEST_SHA2                        105
- # define FIPS_F_OSSL_ECDSA_SIGN_SIG                       143

openssl-1.1.1-man-rename.patch

@@ -1,19 +0,0 @@
-diff -up openssl-1.1.1-pre9/doc/man1/openssl.pod.man-rename openssl-1.1.1-pre9/doc/man1/openssl.pod
---- openssl-1.1.1-pre9/doc/man1/openssl.pod.man-rename	2018-08-21 14:14:13.000000000 +0200
-+++ openssl-1.1.1-pre9/doc/man1/openssl.pod	2018-08-22 12:13:04.092568064 +0200
-@@ -482,13 +482,13 @@ L<dhparam(1)>, L<dsa(1)>, L<dsaparam(1)>
- L<ec(1)>, L<ecparam(1)>,
- L<enc(1)>, L<engine(1)>, L<errstr(1)>, L<gendsa(1)>, L<genpkey(1)>,
- L<genrsa(1)>, L<nseq(1)>, L<ocsp(1)>,
--L<passwd(1)>,
- L<pkcs12(1)>, L<pkcs7(1)>, L<pkcs8(1)>,
- L<pkey(1)>, L<pkeyparam(1)>, L<pkeyutl(1)>, L<prime(1)>,
--L<rand(1)>, L<rehash(1)>, L<req(1)>, L<rsa(1)>,
-+L<rehash(1)>, L<req(1)>, L<rsa(1)>,
- L<rsautl(1)>, L<s_client(1)>,
- L<s_server(1)>, L<s_time(1)>, L<sess_id(1)>,
- L<smime(1)>, L<speed(1)>, L<spkac(1)>, L<srp(1)>, L<storeutl(1)>,
-+L<sslpasswd(1)>, L<sslrand(1)>,
- L<ts(1)>,
- L<verify(1)>, L<version(1)>, L<x509(1)>,
- L<crypto(7)>, L<ssl(7)>, L<x509v3_config(5)>

openssl-1.1.1-no-brainpool.patch

@@ -1,112 +0,0 @@
-diff -up openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in.no-brainpool openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in
---- openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in.no-brainpool	2019-09-10 15:13:07.000000000 +0200
-+++ openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in	2019-09-13 15:11:07.358687169 +0200
-@@ -147,22 +147,22 @@ our @tests = (
-     {
-         name => "ECDSA with brainpool",
-         server =>  {
--            "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
--            "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
--            "Groups" => "brainpoolP256r1",
-+            "Certificate" => test_pem("server-ecdsa-cert.pem"),
-+            "PrivateKey" => test_pem("server-ecdsa-key.pem"),
-+#            "Groups" => "brainpoolP256r1",
-         },
-         client => {
-             #We don't restrict this to TLSv1.2, although use of brainpool
-             #should force this anyway so that this should succeed
-             "CipherString" => "aECDSA",
-             "RequestCAFile" => test_pem("root-cert.pem"),
--            "Groups" => "brainpoolP256r1",
-+#            "Groups" => "brainpoolP256r1",
-         },
-         test   => {
--            "ExpectedServerCertType" =>, "brainpoolP256r1",
--            "ExpectedServerSignType" =>, "EC",
-+#            "ExpectedServerCertType" =>, "brainpoolP256r1",
-+#            "ExpectedServerSignType" =>, "EC",
-             # Note: certificate_authorities not sent for TLS < 1.3
--            "ExpectedServerCANames" =>, "empty",
-+#            "ExpectedServerCANames" =>, "empty",
-             "ExpectedResult" => "Success"
-         },
-     },
-@@ -853,18 +853,18 @@ my @tests_tls_1_3 = (
-     {
-         name => "TLS 1.3 ECDSA with brainpool",
-         server =>  {
--            "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
--            "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
--            "Groups" => "brainpoolP256r1",
-+            "Certificate" => test_pem("server-ecdsa-cert.pem"),
-+            "PrivateKey" => test_pem("server-ecdsa-key.pem"),
-+#            "Groups" => "brainpoolP256r1",
-         },
-         client => {
-             "RequestCAFile" => test_pem("root-cert.pem"),
--            "Groups" => "brainpoolP256r1",
-+#            "Groups" => "brainpoolP256r1",
-             "MinProtocol" => "TLSv1.3",
-             "MaxProtocol" => "TLSv1.3"
-         },
-         test   => {
--            "ExpectedResult" => "ServerFail"
-+            "ExpectedResult" => "Success"
-         },
-     },
- );
-diff -up openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-1.1.1d/test/ssl-tests/20-cert-select.conf
---- openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.no-brainpool	2019-09-10 15:13:07.000000000 +0200
-+++ openssl-1.1.1d/test/ssl-tests/20-cert-select.conf	2019-09-13 15:12:27.380288469 +0200
-@@ -238,23 +238,18 @@ server = 5-ECDSA with brainpool-server
- client = 5-ECDSA with brainpool-client
- 
- [5-ECDSA with brainpool-server]
--Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
-+Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
- CipherString = DEFAULT
--Groups = brainpoolP256r1
--PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
-+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
- 
- [5-ECDSA with brainpool-client]
- CipherString = aECDSA
--Groups = brainpoolP256r1
- RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
- VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
- VerifyMode = Peer
- 
- [test-5]
- ExpectedResult = Success
--ExpectedServerCANames = empty
--ExpectedServerCertType = brainpoolP256r1
--ExpectedServerSignType = EC
- 
- 
- # ===========================================================
-@@ -1713,14 +1708,12 @@ server = 52-TLS 1.3 ECDSA with brainpool
- client = 52-TLS 1.3 ECDSA with brainpool-client
- 
- [52-TLS 1.3 ECDSA with brainpool-server]
--Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
-+Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
- CipherString = DEFAULT
--Groups = brainpoolP256r1
--PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
-+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
- 
- [52-TLS 1.3 ECDSA with brainpool-client]
- CipherString = DEFAULT
--Groups = brainpoolP256r1
- MaxProtocol = TLSv1.3
- MinProtocol = TLSv1.3
- RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
-@@ -1728,7 +1721,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro
- VerifyMode = Peer
- 
- [test-52]
--ExpectedResult = ServerFail
-+ExpectedResult = Success
- 
- 
- # ===========================================================

openssl-1.1.1-no-html.patch

@@ -1,12 +0,0 @@
-diff -up openssl-1.1.1f/Configurations/unix-Makefile.tmpl.no-html openssl-1.1.1f/Configurations/unix-Makefile.tmpl
---- openssl-1.1.1f/Configurations/unix-Makefile.tmpl.no-html	2020-04-07 16:45:21.904083989 +0200
-+++ openssl-1.1.1f/Configurations/unix-Makefile.tmpl	2020-04-07 16:45:56.218461895 +0200
-@@ -544,7 +544,7 @@ install_sw: install_dev install_engines
- 
- uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
- 
--install_docs: install_man_docs install_html_docs
-+install_docs: install_man_docs
- 
- uninstall_docs: uninstall_man_docs uninstall_html_docs
- 	$(RM) -r "$(DESTDIR)$(DOCDIR)"

openssl-1.1.1-no-weak-verify.patch

@@ -1,26 +0,0 @@
-diff -up openssl-1.1.1b/crypto/asn1/a_verify.c.no-weak-verify openssl-1.1.1b/crypto/asn1/a_verify.c
---- openssl-1.1.1b/crypto/asn1/a_verify.c.no-weak-verify	2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/crypto/asn1/a_verify.c	2019-02-28 11:25:31.531862873 +0100
-@@ -7,6 +7,9 @@
-  * https://www.openssl.org/source/license.html
-  */
- 
-+/* for secure_getenv */
-+#define _GNU_SOURCE
-+
- #include <stdio.h>
- #include <time.h>
- #include <sys/types.h>
-@@ -130,6 +133,12 @@ int ASN1_item_verify(const ASN1_ITEM *it
-         if (ret != 2)
-             goto err;
-         ret = -1;
-+    } else if ((mdnid == NID_md5
-+               && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) ||
-+               mdnid == NID_md4 || mdnid == NID_md2 || mdnid == NID_sha) {
-+        ASN1err(ASN1_F_ASN1_ITEM_VERIFY,
-+                ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
-+        goto err;
-     } else {
-         const EVP_MD *type = EVP_get_digestbynid(mdnid);
- 

openssl-1.1.1-rewire-fips-drbg.patch

@@ -1,170 +0,0 @@
-diff -up openssl-1.1.1g/crypto/fips/fips_drbg_lib.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_lib.c
---- openssl-1.1.1g/crypto/fips/fips_drbg_lib.c.rewire-fips-drbg	2020-06-22 13:32:47.611852927 +0200
-+++ openssl-1.1.1g/crypto/fips/fips_drbg_lib.c	2020-06-22 13:32:47.675852917 +0200
-@@ -337,6 +337,19 @@ static int drbg_reseed(DRBG_CTX *dctx,
- int FIPS_drbg_reseed(DRBG_CTX *dctx,
-                      const unsigned char *adin, size_t adinlen)
- {
-+    int len = (int)adinlen;
-+
-+    if (len < 0 || (size_t)len != adinlen) {
-+        FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
-+        return 0;
-+    }
-+    RAND_seed(adin, len);
-+    return 1;
-+}
-+
-+int FIPS_drbg_reseed_internal(DRBG_CTX *dctx,
-+                     const unsigned char *adin, size_t adinlen)
-+{
-     return drbg_reseed(dctx, adin, adinlen, 1);
- }
- 
-@@ -358,6 +371,19 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, u
-                        int prediction_resistance,
-                        const unsigned char *adin, size_t adinlen)
- {
-+    int len = (int)outlen;
-+
-+    if (len < 0 || (size_t)len != outlen) {
-+        FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG);
-+        return 0;
-+    }
-+    return RAND_bytes(out, len);
-+}
-+
-+int FIPS_drbg_generate_internal(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
-+                       int prediction_resistance,
-+                       const unsigned char *adin, size_t adinlen)
-+{
-     int r = 0;
- 
-     if (FIPS_selftest_failed()) {
-diff -up openssl-1.1.1g/crypto/fips/fips_drbg_rand.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_rand.c
---- openssl-1.1.1g/crypto/fips/fips_drbg_rand.c.rewire-fips-drbg	2020-06-22 13:32:47.611852927 +0200
-+++ openssl-1.1.1g/crypto/fips/fips_drbg_rand.c	2020-06-22 13:32:47.675852917 +0200
-@@ -57,6 +57,8 @@
- #include <openssl/err.h>
- #include <openssl/rand.h>
- #include <openssl/fips.h>
-+#define FIPS_DRBG_generate FIPS_DRBG_generate_internal
-+#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal
- #include <openssl/fips_rand.h>
- #include "fips_rand_lcl.h"
- 
-diff -up openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c
---- openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c.rewire-fips-drbg	2020-06-22 13:32:47.612852927 +0200
-+++ openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c	2020-06-22 13:32:47.675852917 +0200
-@@ -55,6 +55,8 @@
- #include <openssl/crypto.h>
- #include <openssl/err.h>
- #include <openssl/fips.h>
-+#define FIPS_DRBG_generate FIPS_DRBG_generate_internal
-+#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal
- #include <openssl/fips_rand.h>
- #include "fips_rand_lcl.h"
- #include "fips_locl.h"
-diff -up openssl-1.1.1g/crypto/fips/fips_post.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_post.c
---- openssl-1.1.1g/crypto/fips/fips_post.c.rewire-fips-drbg	2020-06-22 13:32:47.672852918 +0200
-+++ openssl-1.1.1g/crypto/fips/fips_post.c	2020-06-22 13:32:47.675852917 +0200
-@@ -79,8 +79,6 @@ int FIPS_selftest(void)
-         ERR_add_error_data(2, "Type=", "rand_drbg_selftest");
-         rv = 0;
-     }
--    if (!FIPS_selftest_drbg())
--        rv = 0;
-     if (!FIPS_selftest_sha1())
-         rv = 0;
-     if (!FIPS_selftest_sha2())
-diff -up openssl-1.1.1g/crypto/fips/fips_rand_lib.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_rand_lib.c
---- openssl-1.1.1g/crypto/fips/fips_rand_lib.c.rewire-fips-drbg	2020-06-22 13:32:47.613852927 +0200
-+++ openssl-1.1.1g/crypto/fips/fips_rand_lib.c	2020-06-22 13:36:28.722817967 +0200
-@@ -120,6 +120,7 @@ void FIPS_rand_reset(void)
- 
- int FIPS_rand_seed(const void *buf, int num)
- {
-+#if 0
-     if (!fips_approved_rand_meth && FIPS_module_mode()) {
-         FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
-         return 0;
-@@ -127,10 +128,15 @@ int FIPS_rand_seed(const void *buf, int
-     if (fips_rand_meth && fips_rand_meth->seed)
-         fips_rand_meth->seed(buf, num);
-     return 1;
-+#else
-+    RAND_seed(buf, num);
-+    return 1;
-+#endif
- }
- 
- int FIPS_rand_bytes(unsigned char *buf, int num)
- {
-+#if 0
-     if (!fips_approved_rand_meth && FIPS_module_mode()) {
-         FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
-         return 0;
-@@ -138,10 +144,14 @@ int FIPS_rand_bytes(unsigned char *buf,
-     if (fips_rand_meth && fips_rand_meth->bytes)
-         return fips_rand_meth->bytes(buf, num);
-     return 0;
-+#else
-+    return RAND_bytes(buf, num);
-+#endif
- }
- 
- int FIPS_rand_status(void)
- {
-+#if 0
-     if (!fips_approved_rand_meth && FIPS_module_mode()) {
-         FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
-         return 0;
-@@ -149,6 +159,9 @@ int FIPS_rand_status(void)
-     if (fips_rand_meth && fips_rand_meth->status)
-         return fips_rand_meth->status();
-     return 0;
-+#else
-+    return RAND_status();
-+#endif
- }
- 
- /* Return instantiated strength of PRNG. For DRBG this is an internal
-diff -up openssl-1.1.1g/include/openssl/fips.h.rewire-fips-drbg openssl-1.1.1g/include/openssl/fips.h
---- openssl-1.1.1g/include/openssl/fips.h.rewire-fips-drbg	2020-06-22 13:32:47.672852918 +0200
-+++ openssl-1.1.1g/include/openssl/fips.h	2020-06-22 13:32:47.675852917 +0200
-@@ -64,6 +64,11 @@ extern "C" {
- 
-     int FIPS_selftest(void);
-     int FIPS_selftest_failed(void);
-+
-+    /*
-+     * This function is deprecated as it performs selftest of the old FIPS drbg
-+     * implementation that is not validated.
-+     */
-     int FIPS_selftest_drbg_all(void);
- 
-     int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
-diff -up openssl-1.1.1g/include/openssl/fips_rand.h.rewire-fips-drbg openssl-1.1.1g/include/openssl/fips_rand.h
---- openssl-1.1.1g/include/openssl/fips_rand.h.rewire-fips-drbg	2020-06-22 13:32:47.617852926 +0200
-+++ openssl-1.1.1g/include/openssl/fips_rand.h	2020-06-22 13:32:47.675852917 +0200
-@@ -60,6 +60,20 @@
- #  ifdef  __cplusplus
- extern "C" {
- #  endif
-+
-+/*
-+ * IMPORTANT NOTE:
-+ * All functions in this header file are deprecated and should not be used
-+ * as they use the old FIPS_drbg implementation that is not FIPS validated
-+ * anymore.
-+ * To provide backwards compatibility for applications that need FIPS compliant
-+ * RNG number generation and use FIPS_drbg_generate, this function was
-+ * re-wired to call the FIPS validated DRBG instance instead through
-+ * the RAND_bytes() call.
-+ *
-+ * All these functions will be removed in future.
-+ */
-+
-     typedef struct drbg_ctx_st DRBG_CTX;
- /* DRBG external flags */
- /* Flag for CTR mode only: use derivation function ctr_df */

openssl-1.1.1-seclevel.patch

@@ -1,160 +0,0 @@
-diff -up openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1g/crypto/x509/x509_vfy.c
---- openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel	2020-04-21 14:22:39.000000000 +0200
-+++ openssl-1.1.1g/crypto/x509/x509_vfy.c	2020-06-05 17:16:54.835536823 +0200
-@@ -3225,6 +3225,7 @@ static int build_chain(X509_STORE_CTX *c
- }
- 
- static const int minbits_table[] = { 80, 112, 128, 192, 256 };
-+static const int minbits_digest_table[] = { 80, 80, 128, 192, 256 };
- static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table);
- 
- /*
-@@ -3276,6 +3277,11 @@ static int check_sig_level(X509_STORE_CT
- 
-     if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
-         return 0;
--
--    return secbits >= minbits_table[level - 1];
-+    /*
-+     * Allow SHA1 in SECLEVEL 2 in non-FIPS mode or when the magic
-+     * disable SHA1 flag is not set.
-+     */
-+    if ((ctx->param->flags & 0x40000000) || FIPS_mode())
-+        return secbits >= minbits_table[level - 1];
-+    return secbits >= minbits_digest_table[level - 1];
- }
-diff -up openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod
---- openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel	2020-04-21 14:22:39.000000000 +0200
-+++ openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod	2020-06-04 15:48:01.608178833 +0200
-@@ -81,8 +81,10 @@ using MD5 for the MAC is also prohibited
- 
- =item B<Level 2>
- 
--Security level set to 112 bits of security. As a result RSA, DSA and DH keys
--shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited.
-+Security level set to 112 bits of security with the exception of SHA1 allowed
-+for signatures.
-+As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys
-+shorter than 224 bits are prohibited.
- In addition to the level 1 exclusions any cipher suite using RC4 is also
- prohibited. SSL version 3 is also not allowed. Compression is disabled.
- 
-diff -up openssl-1.1.1g/ssl/ssl_cert.c.seclevel openssl-1.1.1g/ssl/ssl_cert.c
---- openssl-1.1.1g/ssl/ssl_cert.c.seclevel	2020-04-21 14:22:39.000000000 +0200
-+++ openssl-1.1.1g/ssl/ssl_cert.c	2020-06-05 17:10:11.842198401 +0200
-@@ -27,6 +27,7 @@
- static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
-                                          int op, int bits, int nid, void *other,
-                                          void *ex);
-+static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx);
- 
- static CRYPTO_ONCE ssl_x509_store_ctx_once = CRYPTO_ONCE_STATIC_INIT;
- static volatile int ssl_x509_store_ctx_idx = -1;
-@@ -396,7 +397,7 @@ int ssl_verify_cert_chain(SSL *s, STACK_
-     X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s));
- 
-     /* Set suite B flags if needed */
--    X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s));
-+    X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s) | sha1_disable(s, NULL));
-     if (!X509_STORE_CTX_set_ex_data
-         (ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s)) {
-         goto end;
-@@ -953,12 +954,33 @@ static int ssl_security_default_callback
-             return 0;
-         break;
-     default:
-+        /* allow SHA1 in SECLEVEL 2 in non FIPS mode */
-+        if (nid == NID_sha1 && minbits == 112 && !sha1_disable(s, ctx))
-+            break;
-         if (bits < minbits)
-             return 0;
-     }
-     return 1;
- }
- 
-+static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx)
-+{
-+    unsigned long ret = 0x40000000; /* a magical internal value used by X509_VERIFY_PARAM */
-+    const CERT *c;
-+
-+    if (FIPS_mode())
-+        return ret;
-+
-+    if (ctx != NULL) {
-+       c = ctx->cert;
-+    } else {
-+       c = s->cert;
-+    }
-+    if (tls1_cert_sigalgs_have_sha1(c))
-+        return 0;
-+    return ret;
-+}
-+
- int ssl_security(const SSL *s, int op, int bits, int nid, void *other)
- {
-     return s->cert->sec_cb(s, NULL, op, bits, nid, other, s->cert->sec_ex);
-diff -up openssl-1.1.1g/ssl/ssl_local.h.seclevel openssl-1.1.1g/ssl/ssl_local.h
---- openssl-1.1.1g/ssl/ssl_local.h.seclevel	2020-06-04 15:48:01.602178783 +0200
-+++ openssl-1.1.1g/ssl/ssl_local.h	2020-06-05 17:02:22.666313410 +0200
-@@ -2576,6 +2576,7 @@ __owur int tls1_save_sigalgs(SSL *s, PAC
- __owur int tls1_process_sigalgs(SSL *s);
- __owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey);
- __owur int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd);
-+int tls1_cert_sigalgs_have_sha1(const CERT *c);
- __owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs);
- #  ifndef OPENSSL_NO_EC
- __owur int tls_check_sigalg_curve(const SSL *s, int curve);
-diff -up openssl-1.1.1g/ssl/t1_lib.c.seclevel openssl-1.1.1g/ssl/t1_lib.c
---- openssl-1.1.1g/ssl/t1_lib.c.seclevel	2020-06-04 15:48:01.654179221 +0200
-+++ openssl-1.1.1g/ssl/t1_lib.c	2020-06-05 17:02:40.268459157 +0200
-@@ -2145,6 +2145,36 @@ int tls1_set_sigalgs(CERT *c, const int
-     return 0;
- }
- 
-+static int tls1_sigalgs_have_sha1(const uint16_t *sigalgs, size_t sigalgslen)
-+{
-+    size_t i;
-+
-+    for (i = 0; i < sigalgslen; i++, sigalgs++) {
-+        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs);
-+
-+        if (lu == NULL)
-+            continue;
-+        if (lu->hash == NID_sha1)
-+            return 1;
-+    }
-+    return 0;
-+}
-+
-+
-+int tls1_cert_sigalgs_have_sha1(const CERT *c)
-+{
-+    if (c->client_sigalgs != NULL) {
-+        if (tls1_sigalgs_have_sha1(c->client_sigalgs, c->client_sigalgslen))
-+            return 1;
-+    }
-+    if (c->conf_sigalgs != NULL) {
-+        if (tls1_sigalgs_have_sha1(c->conf_sigalgs, c->conf_sigalgslen))
-+            return 1;
-+        return 0;
-+    }
-+    return 1;
-+}
-+
- static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
- {
-     int sig_nid, use_pc_sigalgs = 0;
-diff -up openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel openssl-1.1.1g/test/recipes/25-test_verify.t
---- openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel	2020-04-21 14:22:39.000000000 +0200
-+++ openssl-1.1.1g/test/recipes/25-test_verify.t	2020-06-04 15:48:01.608178833 +0200
-@@ -346,8 +346,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver
- ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ),
-     "CA with PSS signature using SHA256");
- 
--ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
--    "Reject PSS signature using SHA1 and auth level 2");
-+ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "3"),
-+    "Reject PSS signature using SHA1 and auth level 3");
- 
- ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
-     "PSS signature using SHA256 and auth level 2");

openssl-1.1.1-ts-sha256-default.patch

@@ -1,70 +0,0 @@
-diff -up openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default openssl-1.1.1h/apps/openssl.cnf
---- openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default	2020-11-06 11:07:28.850100899 +0100
-+++ openssl-1.1.1h/apps/openssl.cnf	2020-11-06 11:11:28.042913791 +0100
-@@ -364,5 +348,5 @@ tsa_name		= yes	# Must the TSA name be i
- 				# (optional, default: no)
- ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
- 				# (optional, default: no)
--ess_cert_id_alg		= sha1	# algorithm to compute certificate
-+ess_cert_id_alg		= sha256	# algorithm to compute certificate
- 				# identifier (optional, default: sha1)
-diff -up openssl-1.1.1h/apps/ts.c.ts-sha256-default openssl-1.1.1h/apps/ts.c
---- openssl-1.1.1h/apps/ts.c.ts-sha256-default	2020-09-22 14:55:07.000000000 +0200
-+++ openssl-1.1.1h/apps/ts.c	2020-11-06 11:07:28.883101220 +0100
-@@ -423,7 +423,7 @@ static TS_REQ *create_query(BIO *data_bi
-     ASN1_OBJECT *policy_obj = NULL;
-     ASN1_INTEGER *nonce_asn1 = NULL;
- 
--    if (md == NULL && (md = EVP_get_digestbyname("sha1")) == NULL)
-+    if (md == NULL && (md = EVP_get_digestbyname("sha256")) == NULL)
-         goto err;
-     if ((ts_req = TS_REQ_new()) == NULL)
-         goto err;
-diff -up openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default openssl-1.1.1h/crypto/ts/ts_conf.c
---- openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default	2020-11-06 12:03:51.226372867 +0100
-+++ openssl-1.1.1h/crypto/ts/ts_conf.c	2020-11-06 12:04:01.713488990 +0100
-@@ -476,7 +476,7 @@ int TS_CONF_set_ess_cert_id_digest(CONF
-     const char *md = NCONF_get_string(conf, section, ENV_ESS_CERT_ID_ALG);
- 
-     if (md == NULL)
--        md = "sha1";
-+        md = "sha256";
- 
-     cert_md = EVP_get_digestbyname(md);
-     if (cert_md == NULL) {
-diff -up openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default openssl-1.1.1h/doc/man1/ts.pod
---- openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default	2020-09-22 14:55:07.000000000 +0200
-+++ openssl-1.1.1h/doc/man1/ts.pod	2020-11-06 11:07:28.883101220 +0100
-@@ -518,7 +518,7 @@ included. Default is no. (Optional)
- =item B<ess_cert_id_alg>
- 
- This option specifies the hash function to be used to calculate the TSA's
--public key certificate identifier. Default is sha1. (Optional)
-+public key certificate identifier. Default is sha256. (Optional)
- 
- =back
- 
-@@ -530,7 +530,7 @@ openssl/apps/openssl.cnf will do.
- 
- =head2 Time Stamp Request
- 
--To create a timestamp request for design1.txt with SHA-1
-+To create a timestamp request for design1.txt with SHA-256
- without nonce and policy and no certificate is required in the response:
- 
-   openssl ts -query -data design1.txt -no_nonce \
-@@ -546,12 +546,12 @@ To print the content of the previous req
- 
-   openssl ts -query -in design1.tsq -text
- 
--To create a timestamp request which includes the MD-5 digest
-+To create a timestamp request which includes the SHA-512 digest
- of design2.txt, requests the signer certificate and nonce,
- specifies a policy id (assuming the tsa_policy1 name is defined in the
- OID section of the config file):
- 
--  openssl ts -query -data design2.txt -md5 \
-+  openssl ts -query -data design2.txt -sha512 \
-         -tspolicy tsa_policy1 -cert -out design2.tsq
- 
- =head2 Time Stamp Response

openssl-1.1.1-version-add-engines.patch

@@ -1,38 +0,0 @@
-diff -up openssl-1.1.1-pre8/apps/version.c.version-add-engines openssl-1.1.1-pre8/apps/version.c
---- openssl-1.1.1-pre8/apps/version.c.version-add-engines	2018-06-20 16:48:09.000000000 +0200
-+++ openssl-1.1.1-pre8/apps/version.c	2018-07-16 18:00:40.608624346 +0200
-@@ -64,7 +64,7 @@ int version_main(int argc, char **argv)
- {
-     int ret = 1, dirty = 0, seed = 0;
-     int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir = 0;
--    int engdir = 0;
-+    int engdir = 0, engines = 0;
-     char *prog;
-     OPTION_CHOICE o;
- 
-@@ -106,7 +106,7 @@ opthelp:
-             break;
-         case OPT_A:
-             seed = options = cflags = version = date = platform = dir = engdir
--                = 1;
-+                = engines = 1;
-             break;
-         }
-     }
-@@ -188,6 +188,16 @@ opthelp:
- #endif
-         printf("\n");
-     }
-+    if (engines) {
-+        ENGINE *e;
-+        printf("engines:  ");
-+        e = ENGINE_get_first();
-+        while (e) {
-+            printf("%s ", ENGINE_get_id(e));
-+            e = ENGINE_get_next(e);
-+        }
-+        printf("\n");
-+    }
-     ret = 0;
-  end:
-     return ret;

openssl-1.1.1-version-override.patch

@@ -1,12 +0,0 @@
-diff -up openssl-1.1.1g/include/openssl/opensslv.h.version-override openssl-1.1.1g/include/openssl/opensslv.h
---- openssl-1.1.1g/include/openssl/opensslv.h.version-override	2020-04-23 13:29:37.802673513 +0200
-+++ openssl-1.1.1g/include/openssl/opensslv.h	2020-04-23 13:30:13.064008458 +0200
-@@ -40,7 +40,7 @@ extern "C" {
-  *  major minor fix final patch/beta)
-  */
- # define OPENSSL_VERSION_NUMBER  0x1010108fL
--# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1h  22 Sep 2020"
-+# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1h FIPS 22 Sep 2020"
- 
- /*-
-  * The macros below are to be used for shared library (.so, .dll, ...)

openssl-1.1.1-weak-ciphers.patch

@@ -1,57 +0,0 @@
-diff -up openssl-1.1.1/ssl/s3_lib.c.weak-ciphers openssl-1.1.1/ssl/s3_lib.c
---- openssl-1.1.1/ssl/s3_lib.c.weak-ciphers	2018-09-11 14:48:23.000000000 +0200
-+++ openssl-1.1.1/ssl/s3_lib.c	2018-09-17 12:53:33.850637181 +0200
-@@ -2612,7 +2612,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
-      SSL_GOST89MAC,
-      TLS1_VERSION, TLS1_2_VERSION,
-      0, 0,
--     SSL_HIGH,
-+     SSL_MEDIUM,
-      SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC,
-      256,
-      256,
-@@ -2644,7 +2644,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
-      SSL_GOST89MAC12,
-      TLS1_VERSION, TLS1_2_VERSION,
-      0, 0,
--     SSL_HIGH,
-+     SSL_MEDIUM,
-      SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
-      256,
-      256,
-@@ -2753,7 +2753,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
-      },
- #endif                          /* OPENSSL_NO_SEED */
- 
--#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-+#if 0 /* No MD5 ciphersuites */
-     {
-      1,
-      SSL3_TXT_RSA_RC4_128_MD5,
-@@ -2770,6 +2770,8 @@ static SSL_CIPHER ssl3_ciphers[] = {
-      128,
-      128,
-      },
-+#endif
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      SSL3_TXT_RSA_RC4_128_SHA,
-@@ -2786,6 +2788,8 @@ static SSL_CIPHER ssl3_ciphers[] = {
-      128,
-      128,
-      },
-+#endif
-+#if 0
-     {
-      1,
-      SSL3_TXT_ADH_RC4_128_MD5,
-@@ -2802,6 +2806,8 @@ static SSL_CIPHER ssl3_ciphers[] = {
-      128,
-      128,
-      },
-+#endif
-+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
-     {
-      1,
-      TLS1_TXT_ECDHE_PSK_WITH_RC4_128_SHA,

openssl.rpmlintrc

@@ -0,0 +1,9 @@
+# capi.so is a dummy only used on Windows, it doesn't need dependency information
+addFilter("E: shared-lib(rary)?-without-dependency-information /usr/lib64/engines-3/capi.so")
+
+# The sources are hobbled and thus not a valid URL. That's expected.
+addFilter("W: invalid-url Source0: openssl-[0-9\\.]+-hobbled.tar.gz")
+
+# Technically this warning is correct, but in the case of the openssl binary we
+# want to allow SSL_CTX_set_cipher_list
+addFilter("W: crypto-policy-non-compliance-openssl /usr/bin/openssl SSL_CTX_set_cipher_list")

plans/gnutls-2way.fmf

@@ -0,0 +1,10 @@
+summary: Upstreamed interop-2way tests
+contact: Stanislav Zidek <szidek@redhat.com>
+discover:
+  # upstreamed tests (public)
+  - name: interop-gnutls-2way
+    how: fmf
+    url: https://gitlab.com/redhat-crypto/tests/interop.git
+    filter: 'tag: interop-openssl & tag: interop-gnutls & tag: interop-2way'
+execute:
+    how: tmt

plans/nss-2way.fmf

@@ -0,0 +1,10 @@
+summary: Upstreamed interop-2way tests
+contact: Stanislav Zidek <szidek@redhat.com>
+discover:
+  # upstreamed tests (public)
+  - name: interop-nss-2way
+    how: fmf
+    url: https://gitlab.com/redhat-crypto/tests/interop.git
+    filter: 'tag: interop-openssl & tag: interop-nss & tag: interop-2way'
+execute:
+    how: tmt

plans/nss-reneg.fmf

@@ -0,0 +1,10 @@
+summary: Upstreamed interop-2way tests
+contact: Stanislav Zidek <szidek@redhat.com>
+discover:
+  # upstreamed tests (public)
+  - name: interop-nss-reneg
+    how: fmf
+    url: https://gitlab.com/redhat-crypto/tests/interop.git
+    filter: 'tag: interop-openssl & tag: interop-nss & tag: interop-reneg'
+execute:
+    how: tmt

plans/python.fmf

@@ -0,0 +1,11 @@
+summary: Python self-test.	
+contact: python maintainers <python-maint@redhat.com>	
+discover:	
+  - name: python-selftest
+    how: fmf
+    url: https://src.fedoraproject.org/tests/python.git
+    filter: 'test: ./parallel.sh'
+environment:
+    X: "test_ssl test_asyncio test_hashlib test_ftplib test_httplib test_imaplib test_logging test_nntplib test_poplib test_urllib2_localnet test_urllib test_xmlrpc"
+execute:
+    how: tmt

plans/short-interop-tests.fmf

@@ -0,0 +1,10 @@
+summary: Upstreamed interop tests - short tests which do not need to run in parallel
+contact: Stanislav Zidek <szidek@redhat.com>
+discover:
+  # upstreamed tests (public)
+  - name: interop-other+basic
+    how: fmf
+    url: https://gitlab.com/redhat-crypto/tests/interop.git
+    filter: 'tag: interop-openssl & tag: -interop-slow'
+execute:
+    how: tmt

sources

@@ -1 +1 @@
-SHA512 (openssl-1.1.1h-hobbled.tar.xz) = 75e1d3f34f93462b97db92aa6538fd4f2f091ad717438e51d147508738be720d7d0bf4a9b1fda3a1943a4c13aae2a39da3add05f7da833b3c6de40a97bc97908
+SHA512 (openssl-3.1.4.tar.gz) = 4cd204b934cf3250dad985438d7ffd98e17f5d79086b379a0022d92c66e340b0b3a0357aaf606004d7f50cfc4c8964ac34c45d7cb0735cfa68f4fec65bd9d18f

tests/simple-rsapss-test/Makefile

@@ -1,63 +0,0 @@
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Makefile of /CoreOS/openssl/Sanity/simple-rsapss-test
-#   Description: Test if RSA-PSS signature scheme is supported
-#   Author: Hubert Kario <hkario@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2013 Red Hat, Inc. All rights reserved.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-export TEST=/CoreOS/openssl/Sanity/simple-rsapss-test
-export TESTVERSION=1.0
-
-BUILT_FILES=
-
-FILES=$(METADATA) runtest.sh Makefile PURPOSE
-
-.PHONY: all install download clean
-
-run: $(FILES) build
-	./runtest.sh
-
-build: $(BUILT_FILES)
-	test -x runtest.sh || chmod a+x runtest.sh
-
-clean:
-	rm -f *~ $(BUILT_FILES)
-
-
--include /usr/share/rhts/lib/rhts-make.include
-
-$(METADATA): Makefile
-	@echo "Owner:           Hubert Kario <hkario@redhat.com>" > $(METADATA)
-	@echo "Name:            $(TEST)" >> $(METADATA)
-	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
-	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
-	@echo "Description:     Test if RSA-PSS signature scheme is supported" >> $(METADATA)
-	@echo "Type:            Sanity" >> $(METADATA)
-	@echo "TestTime:        1m" >> $(METADATA)
-	@echo "RunFor:          openssl" >> $(METADATA)
-	@echo "Requires:        openssl man man-db" >> $(METADATA)
-	@echo "Priority:        Normal" >> $(METADATA)
-	@echo "License:         GPLv2" >> $(METADATA)
-	@echo "Confidential:    no" >> $(METADATA)
-	@echo "Destructive:     no" >> $(METADATA)
-
-	rhts-lint $(METADATA)

tests/simple-rsapss-test/PURPOSE

@@ -1,3 +0,0 @@
-PURPOSE of /CoreOS/openssl/Sanity/simple-rsapss-test
-Description: Test if RSA-PSS signature scheme is supported
-Author: Hubert Kario <hkario@redhat.com>

tests/simple-rsapss-test/runtest.sh

@@ -1,74 +0,0 @@
-#!/bin/bash
-# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   runtest.sh of /CoreOS/openssl/Sanity/simple-rsapss-test
-#   Description: Test if RSA-PSS signature scheme is supported
-#   Author: Hubert Kario <hkario@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2013 Red Hat, Inc. All rights reserved.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-# Include Beaker environment
-. /usr/share/beakerlib/beakerlib.sh || exit 1
-
-PACKAGE="openssl"
-
-PUB_KEY="rsa_pubkey.pem"
-PRIV_KEY="rsa_key.pem"
-FILE="text.txt"
-SIG="text.sig"
-
-rlJournalStart
-    rlPhaseStartSetup
-        rlAssertRpm $PACKAGE
-        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
-        rlRun "pushd $TmpDir"
-        rlRun "openssl genrsa -out $PRIV_KEY 2048" 0 "Generate RSA key"
-        rlRun "openssl rsa -in $PRIV_KEY -out $PUB_KEY -pubout" 0 "Split the public key from private key"
-        rlRun "echo 'sign me!' > $FILE" 0 "Create file for signing"
-        rlAssertExists $FILE
-        rlAssertExists $PRIV_KEY
-        rlAssertExists $PUB_KEY
-    rlPhaseEnd
-
-    rlPhaseStartTest "Test RSA-PSS padding mode"
-        set -o pipefail
-        rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 -out $SIG -sign $PRIV_KEY $FILE" 0 "Sign the file"
-        rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 -prverify $PRIV_KEY -signature $SIG $FILE | grep 'Verified OK'" 0 "Verify the signature using the private key file"
-        rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 -verify $PUB_KEY -signature $SIG $FILE | grep 'Verified OK'" 0 "Verify the signature using public key file"
-        rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -prverify $PRIV_KEY -signature $SIG $FILE | grep 'Verified OK'" 0 "Verify the signature using the private key file without specifying salt length"
-        rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -verify $PUB_KEY -signature $SIG $FILE | grep 'Verified OK'" 0 "Verify the signature using public key file without specifying salt length"
-        set +o pipefail
-        rlRun "sed -i 's/sign/Sign/' $FILE" 0 "Modify signed file"
-        rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -verify $PUB_KEY -signature $SIG $FILE | grep 'Verification Failure'" 0 "Verify that the signature is no longer valid"
-    rlPhaseEnd
-
-    rlPhaseStartTest "Documentation check"
-        [ -e "$(rpm -ql openssl | grep dgst)"] && rlRun "man dgst | col -b | grep -- -sigopt" 0 "Check if -sigopt option is described in man page"
-        rlRun "openssl dgst -help 2>&1 | grep -- -sigopt" 0 "Check if -sigopt option is present in help message"
-    rlPhaseEnd
-
-    rlPhaseStartCleanup
-        rlRun "popd"
-        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
-    rlPhaseEnd
-rlJournalPrintText
-rlJournalEnd

tests/tests.yml

@@ -1,15 +0,0 @@
----
-# This first play always runs on the local staging system
-- hosts: localhost
-  roles:
-  - role: standard-test-beakerlib
-    tags:
-    - classic
-    - container
-    tests:
-    - simple-rsapss-test
-    required_packages:
-    - findutils         # beakerlib needs find command
-    - man               # needed by simple-rsapss-test
-    - man-db            # needed by simple-rsapss-test
-    - openssl           # needed by simple-rsapss-test