PR#48: Remove redundant source files - rpms/openssl

rpms / openssl

#48 Remove redundant source files

Closed 8 months ago by clang. Opened 8 months ago by packit.

rpms/ packit/openssl 3.0.8-rawhide-src-1 into rawhide

Packit • 8 months ago

1a3c94a

0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch

file modified

+28 -32

		`@@ -1,14 +1,10 @@`
		`- From 66b728801f141c9db8e647ab02421c83694ade79 Mon Sep 17 00:00:00 2001`
		`- From: rpm-build <rpm-build>`
		`- Date: Mon, 31 Jul 2023 09:41:27 +0200`
		`- Subject: [PATCH 07/35]`
		`- 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch`
		`+ From 7984f486b421b9d83c3cc7b42dd71345d69978ba Mon Sep 17 00:00:00 2001`
		`+ From: Tomas Mraz <tmraz@fedoraproject.org>`
		`+ Date: Thu, 24 Sep 2020 10:16:46 +0200`
		`+ Subject: [PATCH 07/42] Add support for PROFILE=SYSTEM system default`
		`+ cipherlist`

		`- Patch-name: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch`
		`- Patch-id: 7`
		`- Patch-status: \|`
		`- # Add support for PROFILE=SYSTEM system default cipherlist`
		`- From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd`
		`+ (was openssl-1.1.1-system-cipherlist.patch)`
		`---`
		`Configurations/unix-Makefile.tmpl \| 5 ++`
		`Configure \| 11 +++-`
		`@@ -21,7 +17,7 @@`
		`8 files changed, 110 insertions(+), 14 deletions(-)`

		`diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl`
		`- index f29cdc7f38..c0df026de3 100644`
		`+ index 631640f523..f1af271992 100644`
		`--- a/Configurations/unix-Makefile.tmpl`
		`+++ b/Configurations/unix-Makefile.tmpl`
		`@@ -315,6 +315,10 @@ MANDIR=$(INSTALLTOP)/share/man`
		`@@ -44,7 +40,7 @@`
		`@{$config{CPPFLAGS}}) -}`
		`CFLAGS={- join(' ', @{$config{CFLAGS}}) -}`
		`diff --git a/Configure b/Configure`
		`- index 456995240b..93be83be94 100755`
		`+ index 5ac4b5222e..2b379443a9 100755`
		`--- a/Configure`
		`+++ b/Configure`
		`@@ -27,7 +27,7 @@ use OpenSSL::config;`
		`@@ -107,10 +103,10 @@`

		`"High" encryption cipher suites. This currently means those with key lengths`
		`diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in`
		`- index f03f52fbd8..0b6de603e2 100644`
		`+ index 105b4a4a3c..98196e87eb 100644`
		`--- a/include/openssl/ssl.h.in`
		`+++ b/include/openssl/ssl.h.in`
		`- @@ -208,6 +208,11 @@ extern "C" {`
		`+ @@ -205,6 +205,11 @@ extern "C" {`
		`* throwing out anonymous and unencrypted ciphersuites! (The latter are not`
		`* actually enabled by ALL, but "ALL:RSA" would enable some of them.)`
		`*/`
		`@@ -123,10 +119,10 @@`
		`/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */`
		`# define SSL_SENT_SHUTDOWN 1`
		`diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c`
		`- index 93de9cf8fd..a5e60e8839 100644`
		`+ index 73a821289d..2b64fa5e2b 100644`
		`--- a/ssl/ssl_ciph.c`
		`+++ b/ssl/ssl_ciph.c`
		`- @@ -1443,6 +1443,53 @@ int SSL_set_ciphersuites(SSL s, const char str)`
		`+ @@ -1438,6 +1438,53 @@ int SSL_set_ciphersuites(SSL s, const char str)`
		`return ret;`
		`}`

		`@@ -180,7 +176,7 @@`
		`STACK_OF(SSL_CIPHER) ssl_create_cipher_list(SSL_CTX ctx,`
		`STACK_OF(SSL_CIPHER) *tls13_ciphersuites,`
		`STACK_OF(SSL_CIPHER) **cipher_list,`
		`- @@ -1457,15 +1504,25 @@ STACK_OF(SSL_CIPHER) ssl_create_cipher_list(SSL_CTX ctx,`
		`+ @@ -1452,15 +1499,25 @@ STACK_OF(SSL_CIPHER) ssl_create_cipher_list(SSL_CTX ctx,`
		`CIPHER_ORDER co_list = NULL, head = NULL, tail = NULL, curr;`
		`const SSL_CIPHER **ca_list = NULL;`
		`const SSL_METHOD *ssl_method = ctx->method;`
		`@@ -208,7 +204,7 @@`

		`/*`
		`* To reduce the work to do we only want to process the compiled`
		`- @@ -1487,7 +1544,7 @@ STACK_OF(SSL_CIPHER) ssl_create_cipher_list(SSL_CTX ctx,`
		`+ @@ -1482,7 +1539,7 @@ STACK_OF(SSL_CIPHER) ssl_create_cipher_list(SSL_CTX ctx,`
		`co_list = OPENSSL_malloc(sizeof(co_list) num_of_ciphers);`
		`if (co_list == NULL) {`
		`ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);`
		`@@ -217,7 +213,7 @@`
		`}`

		`ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,`
		`- @@ -1553,8 +1610,7 @@ STACK_OF(SSL_CIPHER) ssl_create_cipher_list(SSL_CTX ctx,`
		`+ @@ -1548,8 +1605,7 @@ STACK_OF(SSL_CIPHER) ssl_create_cipher_list(SSL_CTX ctx,`
		`* in force within each class`
		`*/`
		`if (!ssl_cipher_strength_sort(&head, &tail)) {`
		`@@ -227,7 +223,7 @@`
		`}`

		`/*`
		`- @@ -1598,9 +1654,8 @@ STACK_OF(SSL_CIPHER) ssl_create_cipher_list(SSL_CTX ctx,`
		`+ @@ -1593,9 +1649,8 @@ STACK_OF(SSL_CIPHER) ssl_create_cipher_list(SSL_CTX ctx,`
		`num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;`
		`ca_list = OPENSSL_malloc(sizeof(ca_list) num_of_alias_max);`
		`if (ca_list == NULL) {`
		`@@ -238,7 +234,7 @@`
		`}`
		`ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,`
		`disabled_mkey, disabled_auth, disabled_enc,`
		`- @@ -1626,8 +1681,7 @@ STACK_OF(SSL_CIPHER) ssl_create_cipher_list(SSL_CTX ctx,`
		`+ @@ -1621,8 +1676,7 @@ STACK_OF(SSL_CIPHER) ssl_create_cipher_list(SSL_CTX ctx,`
		`OPENSSL_free(ca_list); /* Not needed anymore */`

		`if (!ok) { /* Rule processing failure */`
		`@@ -248,7 +244,7 @@`
		`}`

		`/*`
		`- @@ -1635,10 +1689,13 @@ STACK_OF(SSL_CIPHER) ssl_create_cipher_list(SSL_CTX ctx,`
		`+ @@ -1630,10 +1684,13 @@ STACK_OF(SSL_CIPHER) ssl_create_cipher_list(SSL_CTX ctx,`
		`* if we cannot get one.`
		`*/`
		`if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {`
		`@@ -264,7 +260,7 @@`
		`/* Add TLSv1.3 ciphers first - we always prefer those if possible */`
		`for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {`
		`const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);`
		`- @@ -1690,6 +1747,14 @@ STACK_OF(SSL_CIPHER) ssl_create_cipher_list(SSL_CTX ctx,`
		`+ @@ -1685,6 +1742,14 @@ STACK_OF(SSL_CIPHER) ssl_create_cipher_list(SSL_CTX ctx,`
		`*cipher_list = cipherstack;`

		`return cipherstack;`
		`@@ -280,10 +276,10 @@`

		`char SSL_CIPHER_description(const SSL_CIPHER cipher, char *buf, int len)`
		`diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c`
		`- index f12ad6d034..a059bcd83b 100644`
		`+ index 214884b0f1..109f7fc4a4 100644`
		`--- a/ssl/ssl_lib.c`
		`+++ b/ssl/ssl_lib.c`
		`- @@ -661,7 +661,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX ctx, const SSL_METHOD meth)`
		`+ @@ -660,7 +660,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX ctx, const SSL_METHOD meth)`
		`ctx->tls13_ciphersuites,`
		`&(ctx->cipher_list),`
		`&(ctx->cipher_list_by_id),`
		`@@ -292,7 +288,7 @@`
		`if ((sk == NULL) \|\| (sk_SSL_CIPHER_num(sk) <= 0)) {`
		`ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);`
		`return 0;`
		`- @@ -3286,7 +3286,7 @@ SSL_CTX SSL_CTX_new_ex(OSSL_LIB_CTX libctx, const char *propq,`
		`+ @@ -3285,7 +3285,7 @@ SSL_CTX SSL_CTX_new_ex(OSSL_LIB_CTX libctx, const char *propq,`
		`if (!ssl_create_cipher_list(ret,`
		`ret->tls13_ciphersuites,`
		`&ret->cipher_list, &ret->cipher_list_by_id,`
		`@@ -316,14 +312,14 @@`
		`ADD_TEST(test_default_cipherlist_clear);`
		`return 1;`
		`diff --git a/util/libcrypto.num b/util/libcrypto.num`
		`- index 406392a7d9..9cb8a4dda2 100644`
		`+ index 716aa0cb13..4e729be97d 100644`
		`--- a/util/libcrypto.num`
		`+++ b/util/libcrypto.num`
		`- @@ -5435,3 +5435,4 @@ EVP_MD_CTX_dup 5562 3_1_0 EXIST::FUNCTION:`
		`- EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION:`
		`- BN_are_coprime 5564 3_1_0 EXIST::FUNCTION:`
		`- OSSL_CMP_MSG_update_recipNonce 5565 3_0_9 EXIST::FUNCTION:CMP`
		`+ @@ -5428,3 +5428,4 @@ EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:`
		`+ OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:`
		`+ OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:`
		`+ OSSL_CMP_CTX_reset_geninfo_ITAVs 5558 3_0_8 EXIST::FUNCTION:CMP`
		`+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:`
		`--`
		`- 2.41.0`
		`+ 2.39.3`

0009-Add-Kernel-FIPS-mode-flag-support.patch

file modified

+23 -22

		`@@ -1,25 +1,21 @@`
		`- From aa3aebf132959e7e44876042efaf9ff24ffe0f2b Mon Sep 17 00:00:00 2001`
		`- From: rpm-build <rpm-build>`
		`- Date: Mon, 31 Jul 2023 09:41:27 +0200`
		`- Subject: [PATCH 09/35] 0009-Add-Kernel-FIPS-mode-flag-support.patch`
		`+ From c9d5c2d46fad9bfb72baeca08b510e3196add03c Mon Sep 17 00:00:00 2001`
		`+ From: Sahana Prasad <sahana@redhat.com>`
		`+ Date: Mon, 5 Jun 2023 18:32:12 +0200`
		`+ Subject: [PATCH 09/42] Add Kernel FIPS mode flag support`

		`- Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch`
		`- Patch-id: 9`
		`- Patch-status: \|`
		`- # Add check to see if fips flag is enabled in kernel`
		`- From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd`
		`+ Signed-off-by: Sahana Prasad <sahana@redhat.com>`
		`---`
		`crypto/context.c \| 36 ++++++++++++++++++++++++++++++++++++`
		`include/internal/provider.h \| 3 +++`
		`2 files changed, 39 insertions(+)`

		`diff --git a/crypto/context.c b/crypto/context.c`
		`- index e294ea1512..51002ba79a 100644`
		`+ index 548665fba2..24ab43d6d1 100644`
		`--- a/crypto/context.c`
		`+++ b/crypto/context.c`
		`- @@ -16,6 +16,41 @@`
		`- #include "internal/provider.h"`
		`- #include "crypto/context.h"`
		`+ @@ -17,11 +17,46 @@`
		`+ #include "crypto/ctype.h"`
		`+ #include "crypto/rand.h"`

		`+# include <sys/types.h>`
		`+# include <sys/stat.h>`
		`@@ -27,6 +23,11 @@`
		`+# include <unistd.h>`
		`+# include <openssl/evp.h>`
		`+`
		`+ struct ossl_lib_ctx_onfree_list_st {`
		`+ ossl_lib_ctx_onfree_fn *fn;`
		`+ struct ossl_lib_ctx_onfree_list_st *next;`
		`+ };`
		`+`
		`+# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"`
		`+`
		`+static int kernel_fips_flag;`
		`@@ -57,21 +58,21 @@`
		`+`
		`+`
		`struct ossl_lib_ctx_st {`
		`- CRYPTO_RWLOCK lock, rand_crngt_lock;`
		`- OSSL_EX_DATA_GLOBAL global;`
		`- @@ -336,6 +371,7 @@ static int default_context_inited = 0;`
		`+ CRYPTO_RWLOCK *lock;`
		`+ CRYPTO_EX_DATA data;`
		`+ @@ -151,6 +186,7 @@ static CRYPTO_THREAD_LOCAL default_context_thread_local;`

		`DEFINE_RUN_ONCE_STATIC(default_context_do_init)`
		`{`
		`+ read_kernel_fips_flag();`
		`- if (!CRYPTO_THREAD_init_local(&default_context_thread_local, NULL))`
		`- goto err;`
		`-`
		`+ return CRYPTO_THREAD_init_local(&default_context_thread_local, NULL)`
		`+ && context_init(&default_context_int);`
		`+ }`
		`diff --git a/include/internal/provider.h b/include/internal/provider.h`
		`- index 18937f84c7..1446bf7afb 100644`
		`+ index a0d9b8f868..4f4537e4fd 100644`
		`--- a/include/internal/provider.h`
		`+++ b/include/internal/provider.h`
		`- @@ -112,6 +112,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx,`
		`+ @@ -113,6 +113,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx,`
		`const OSSL_DISPATCH *in);`
		`void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx);`

		`@@ -82,5 +83,5 @@`
		`}`
		`# endif`
		`--`
		`- 2.41.0`
		`+ 2.39.3`

0010-Add-changes-to-ectest.c-and-eccurve.c.patch ~~0010-Add-changes-to-ectest-and-eccurve.patch~~

file renamed

+8 -12

		`@@ -1,14 +1,10 @@`
		`- From 37fae351c6fef272baf383469181aecfcac87592 Mon Sep 17 00:00:00 2001`
		`- From: rpm-build <rpm-build>`
		`- Date: Mon, 31 Jul 2023 09:41:27 +0200`
		`- Subject: [PATCH 10/35] 0010-Add-changes-to-ectest-and-eccurve.patch`
		`+ From 560de9b2a5677f130eb90dc1a33a1e40a7c1c80d Mon Sep 17 00:00:00 2001`
		`+ From: Sahana Prasad <sahana@redhat.com>`
		`+ Date: Mon, 5 Jun 2023 18:47:46 +0200`
		`+ Subject: [PATCH 10/42] Add changes to ectest.c and eccurve.c Patch-name:`
		`+ 0010-Add-changes-to-ectest-and-eccurve. Signed-off-by: Sahana Prasad`
		`+ <sahana@redhat.com>`

		`- Patch-name: 0010-Add-changes-to-ectest-and-eccurve.patch`
		`- Patch-id: 10`
		`- Patch-status: \|`
		`- # Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so`
		`- # that new modifications made to these files by upstream are not lost.`
		`- From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd`
		`---`
		`crypto/ec/ec_curve.c \| 844 -------------------------------------------`
		`test/ectest.c \| 174 +--------`
		`@@ -939,7 +935,7 @@`
		`"RFC 5639 curve over a 256 bit prime field"},`
		`{NID_brainpoolP256t1, &_EC_brainpoolP256t1.h, 0,`
		`diff --git a/test/ectest.c b/test/ectest.c`
		`- index afef85b0e6..4890b0555e 100644`
		`+ index 946973c2f4..3ab2d2fbb7 100644`
		`--- a/test/ectest.c`
		`+++ b/test/ectest.c`
		`@@ -175,184 +175,26 @@ static int prime_field_tests(void)`
		`@@ -1144,5 +1140,5 @@`
		`ADD_TEST(prime_field_tests);`
		`#ifndef OPENSSL_NO_EC2M`
		`--`
		`- 2.41.0`
		`+ 2.39.3`

0012-Disable-ec-curves-explicitly.patch

file added

+141

		`@@ -0,0 +1,141 @@`
		`+ From 2f580a801e5f051f48e239bec3b049387a5c2e5d Mon Sep 17 00:00:00 2001`
		`+ From: Sahana Prasad <sahana@redhat.com>`
		`+ Date: Mon, 5 Jun 2023 19:01:33 +0200`
		`+ Subject: [PATCH 12/42] Disable ec curves explicitly Patch-name:`
		`+ 0012-Disable-explicit-ec.patch`
		`+`
		`+ Signed-off-by: Sahana Prasad <sahana@redhat.com>`
		`+ ---`
		`+ crypto/ec/ec_asn1.c \| 11 ++++++++++`
		`+ test/endecode_test.c \| 20 +++++++++----------`
		`+ .../30-test_evp_data/evppkey_ecdsa.txt \| 12 -----------`
		`+ 3 files changed, 21 insertions(+), 22 deletions(-)`
		`+`
		`+ diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c`
		`+ index 7a0b35a594..d19d57344e 100644`
		`+ --- a/crypto/ec/ec_asn1.c`
		`+ +++ b/crypto/ec/ec_asn1.c`
		`+ @@ -905,6 +905,12 @@ EC_GROUP d2i_ECPKParameters(EC_GROUP a, const unsigned char *in, long len)`
		`+ if (params->type == ECPKPARAMETERS_TYPE_EXPLICIT)`
		`+ group->decoded_from_explicit_params = 1;`
		`+`
		`+ + if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) {`
		`+ + EC_GROUP_free(group);`
		`+ + ECPKPARAMETERS_free(params);`
		`+ + return NULL;`
		`+ + }`
		`+ +`
		`+ if (a) {`
		`+ EC_GROUP_free(*a);`
		`+ *a = group;`
		`+ @@ -964,6 +970,11 @@ EC_KEY d2i_ECPrivateKey(EC_KEY a, const unsigned char *in, long len)`
		`+ goto err;`
		`+ }`
		`+`
		`+ + if (EC_GROUP_check_named_curve(ret->group, 0, NULL) == NID_undef) {`
		`+ + ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP);`
		`+ + goto err;`
		`+ + }`
		`+ +`
		`+ ret->version = priv_key->version;`
		`+`
		`+ if (priv_key->privateKey) {`
		`+ diff --git a/test/endecode_test.c b/test/endecode_test.c`
		`+ index e3f7b81f69..b0770e652e 100644`
		`+ --- a/test/endecode_test.c`
		`+ +++ b/test/endecode_test.c`
		`+ @@ -58,7 +58,7 @@ static BN_CTX *bnctx = NULL;`
		`+ static OSSL_PARAM_BLD *bld_prime_nc = NULL;`
		`+ static OSSL_PARAM_BLD *bld_prime = NULL;`
		`+ static OSSL_PARAM *ec_explicit_prime_params_nc = NULL;`
		`+ -static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL;`
		`+ +/static OSSL_PARAM ec_explicit_prime_params_explicit = NULL;*/`
		`+`
		`+ # ifndef OPENSSL_NO_EC2M`
		`+ static OSSL_PARAM_BLD *bld_tri_nc = NULL;`
		`+ @@ -1005,9 +1005,9 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC")`
		`+ DOMAIN_KEYS(ECExplicitPrimeNamedCurve);`
		`+ IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC", 1)`
		`+ IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve, "EC")`
		`+ -DOMAIN_KEYS(ECExplicitPrime2G);`
		`+ -IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)`
		`+ -IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")`
		`+ +/DOMAIN_KEYS(ECExplicitPrime2G);/`
		`+ +/IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)/`
		`+ +/IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")/`
		`+ # ifndef OPENSSL_NO_EC2M`
		`+ DOMAIN_KEYS(ECExplicitTriNamedCurve);`
		`+ IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC", 1)`
		`+ @@ -1338,7 +1338,7 @@ int setup_tests(void)`
		`+ \|\| !create_ec_explicit_prime_params_namedcurve(bld_prime_nc)`
		`+ \|\| !create_ec_explicit_prime_params(bld_prime)`
		`+ \|\| !TEST_ptr(ec_explicit_prime_params_nc = OSSL_PARAM_BLD_to_param(bld_prime_nc))`
		`+ - \|\| !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))`
		`+ +/* \|\| !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))*/`
		`+ # ifndef OPENSSL_NO_EC2M`
		`+ \|\| !TEST_ptr(bld_tri_nc = OSSL_PARAM_BLD_new())`
		`+ \|\| !TEST_ptr(bld_tri = OSSL_PARAM_BLD_new())`
		`+ @@ -1366,7 +1366,7 @@ int setup_tests(void)`
		`+ TEST_info("Generating EC keys...");`
		`+ MAKE_DOMAIN_KEYS(EC, "EC", EC_params);`
		`+ MAKE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve, "EC", ec_explicit_prime_params_nc);`
		`+ - MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);`
		`+ +/* MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);*/`
		`+ # ifndef OPENSSL_NO_EC2M`
		`+ MAKE_DOMAIN_KEYS(ECExplicitTriNamedCurve, "EC", ec_explicit_tri_params_nc);`
		`+ MAKE_DOMAIN_KEYS(ECExplicitTri2G, "EC", ec_explicit_tri_params_explicit);`
		`+ @@ -1409,8 +1409,8 @@ int setup_tests(void)`
		`+ ADD_TEST_SUITE_LEGACY(EC);`
		`+ ADD_TEST_SUITE(ECExplicitPrimeNamedCurve);`
		`+ ADD_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve);`
		`+ - ADD_TEST_SUITE(ECExplicitPrime2G);`
		`+ - ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);`
		`+ +/* ADD_TEST_SUITE(ECExplicitPrime2G);*/`
		`+ +/* ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);*/`
		`+ # ifndef OPENSSL_NO_EC2M`
		`+ ADD_TEST_SUITE(ECExplicitTriNamedCurve);`
		`+ ADD_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve);`
		`+ @@ -1447,7 +1447,7 @@ void cleanup_tests(void)`
		`+ {`
		`+ #ifndef OPENSSL_NO_EC`
		`+ OSSL_PARAM_free(ec_explicit_prime_params_nc);`
		`+ - OSSL_PARAM_free(ec_explicit_prime_params_explicit);`
		`+ +/* OSSL_PARAM_free(ec_explicit_prime_params_explicit);*/`
		`+ OSSL_PARAM_BLD_free(bld_prime_nc);`
		`+ OSSL_PARAM_BLD_free(bld_prime);`
		`+ # ifndef OPENSSL_NO_EC2M`
		`+ @@ -1469,7 +1469,7 @@ void cleanup_tests(void)`
		`+ #ifndef OPENSSL_NO_EC`
		`+ FREE_DOMAIN_KEYS(EC);`
		`+ FREE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve);`
		`+ - FREE_DOMAIN_KEYS(ECExplicitPrime2G);`
		`+ +/* FREE_DOMAIN_KEYS(ECExplicitPrime2G);*/`
		`+ # ifndef OPENSSL_NO_EC2M`
		`+ FREE_DOMAIN_KEYS(ECExplicitTriNamedCurve);`
		`+ FREE_DOMAIN_KEYS(ECExplicitTri2G);`
		`+ diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt`
		`+ index ec3c032aba..584ecee0eb 100644`
		`+ --- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt`
		`+ +++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt`
		`+ @@ -133,18 +133,6 @@ AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgiUTxtr5vLVjj`
		`+ 3ev1gTwRBduzqqlwd54AUSgI+pjttW8zrWNitO8H1sf59MPWOESKxNtZ1+Nl`
		`+ -----END PRIVATE KEY-----`
		`+`
		`+ -PrivateKey = EC_EXPLICIT`
		`+ ------BEGIN PRIVATE KEY-----`
		`+ -MIIBeQIBADCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAAB`
		`+ -AAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA`
		`+ -///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMV`
		`+ -AMSdNgiG5wSTamZ44ROdJreBn36QBEEE5JcIvn36opqjEm/k59Al40rBAxWM2TPG`
		`+ -l0L13Je51zHpfXQ9Z2o7IQicMXP4wSfJ0qCgg2bgydqoxlYrlLGuVQIhAP////8A`
		`+ -AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgec92jwduadCk`
		`+ -OjoNRI+YT5Be5TkzZXzYCyTLkMOikDmhRANCAATtECEhQbLEaiUj/Wu0qjcr81lL`
		`+ -46dx5zYgArz/iaSNJ3W80oO+F7v04jlQ7wxQzg96R0bwKiMeq5CcW9ZFt6xg`
		`+ ------END PRIVATE KEY-----`
		`+ -`
		`+ PrivateKey = B-163`
		`+ -----BEGIN PRIVATE KEY-----`
		`+ MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K`
		`+ --`
		`+ 2.39.3`
		`+`

0012-Disable-explicit-ec.patch

file removed

-235

		`@@ -1,235 +0,0 @@`
		`- From 91bdd9b816b22bc1464ec323f3272b866b24114d Mon Sep 17 00:00:00 2001`
		`- From: rpm-build <rpm-build>`
		`- Date: Mon, 31 Jul 2023 09:41:28 +0200`
		`- Subject: [PATCH 12/35] 0012-Disable-explicit-ec.patch`
		`-`
		`- Patch-name: 0012-Disable-explicit-ec.patch`
		`- Patch-id: 12`
		`- Patch-status: \|`
		`- # Disable explicit EC curves`
		`- # https://bugzilla.redhat.com/show_bug.cgi?id=2066412`
		`- From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd`
		`- ---`
		`- crypto/ec/ec_asn1.c \| 11 ++++++++++`
		`- crypto/ec/ec_lib.c \| 6 +++++`
		`- test/ectest.c \| 22 ++++++++++---------`
		`- test/endecode_test.c \| 20 ++++++++---------`
		`- .../30-test_evp_data/evppkey_ecdsa.txt \| 12 ----------`
		`- 5 files changed, 39 insertions(+), 32 deletions(-)`
		`-`
		`- diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c`
		`- index 7a0b35a594..d19d57344e 100644`
		`- --- a/crypto/ec/ec_asn1.c`
		`- +++ b/crypto/ec/ec_asn1.c`
		`- @@ -905,6 +905,12 @@ EC_GROUP d2i_ECPKParameters(EC_GROUP a, const unsigned char *in, long len)`
		`- if (params->type == ECPKPARAMETERS_TYPE_EXPLICIT)`
		`- group->decoded_from_explicit_params = 1;`
		`-`
		`- + if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) {`
		`- + EC_GROUP_free(group);`
		`- + ECPKPARAMETERS_free(params);`
		`- + return NULL;`
		`- + }`
		`- +`
		`- if (a) {`
		`- EC_GROUP_free(*a);`
		`- *a = group;`
		`- @@ -964,6 +970,11 @@ EC_KEY d2i_ECPrivateKey(EC_KEY a, const unsigned char *in, long len)`
		`- goto err;`
		`- }`
		`-`
		`- + if (EC_GROUP_check_named_curve(ret->group, 0, NULL) == NID_undef) {`
		`- + ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP);`
		`- + goto err;`
		`- + }`
		`- +`
		`- ret->version = priv_key->version;`
		`-`
		`- if (priv_key->privateKey) {`
		`- diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c`
		`- index a84e088c19..6c37bf78ae 100644`
		`- --- a/crypto/ec/ec_lib.c`
		`- +++ b/crypto/ec/ec_lib.c`
		`- @@ -1724,6 +1724,11 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],`
		`- goto err;`
		`- }`
		`- if (named_group == group) {`
		`- + if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) {`
		`- + ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP);`
		`- + goto err;`
		`- + }`
		`- +#if 0`
		`- /*`
		`- * If we did not find a named group then the encoding should be explicit`
		`- * if it was specified`
		`- @@ -1739,6 +1744,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],`
		`- goto err;`
		`- }`
		`- EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);`
		`- +#endif`
		`- } else {`
		`- EC_GROUP_free(group);`
		`- group = named_group;`
		`- diff --git a/test/ectest.c b/test/ectest.c`
		`- index 4890b0555e..e11aec5b3b 100644`
		`- --- a/test/ectest.c`
		`- +++ b/test/ectest.c`
		`- @@ -2301,10 +2301,11 @@ static int do_test_custom_explicit_fromdata(EC_GROUP group, BN_CTX ctx,`
		`- if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))`
		`- \|\| !TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL))`
		`- \|\| !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0)`
		`- - \|\| !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkeyparam,`
		`- + \|\| !TEST_int_le(EVP_PKEY_fromdata(pctx, &pkeyparam,`
		`- EVP_PKEY_KEY_PARAMETERS, params), 0))`
		`- goto err;`
		`- -`
		`- +/* As creating the key should fail, the rest of the test is pointless */`
		`- +# if 0`
		`- /- Check that all the set values are retrievable -/`
		`-`
		`- /* There should be no match to a group name since the generator changed */`
		`- @@ -2433,6 +2434,7 @@ static int do_test_custom_explicit_fromdata(EC_GROUP group, BN_CTX ctx,`
		`- #endif`
		`- )`
		`- goto err;`
		`- +#endif`
		`- ret = 1;`
		`- err:`
		`- BN_free(order_out);`
		`- @@ -2714,21 +2716,21 @@ static int custom_params_test(int id)`
		`-`
		`- /* Compute keyexchange in both directions */`
		`- if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL))`
		`- - \|\| !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1)`
		`- - \|\| !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)`
		`- + \|\| !TEST_int_le(EVP_PKEY_derive_init(pctx1), 0)`
		`- +/* \|\| !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)`
		`- \|\| !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &sslen), 1)`
		`- \|\| !TEST_int_gt(bsize, sslen)`
		`- - \|\| !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1))`
		`- + \|\| !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1)*/)`
		`- goto err;`
		`- if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new(pkey2, NULL))`
		`- - \|\| !TEST_int_eq(EVP_PKEY_derive_init(pctx2), 1)`
		`- - \|\| !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)`
		`- + \|\| !TEST_int_le(EVP_PKEY_derive_init(pctx2), 1)`
		`- +/* \|\| !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)`
		`- \|\| !TEST_int_eq(EVP_PKEY_derive(pctx2, NULL, &t), 1)`
		`- \|\| !TEST_int_gt(bsize, t)`
		`- \|\| !TEST_int_le(sslen, t)`
		`- - \|\| !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1))`
		`- + \|\| !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1) */)`
		`- goto err;`
		`- -`
		`- +#if 0`
		`- /* Both sides should expect the same shared secret */`
		`- if (!TEST_mem_eq(buf1, sslen, buf2, t))`
		`- goto err;`
		`- @@ -2780,7 +2782,7 @@ static int custom_params_test(int id)`
		`- /* compare with previous result */`
		`- \|\| !TEST_mem_eq(buf1, t, buf2, sslen))`
		`- goto err;`
		`- -`
		`- +#endif`
		`- ret = 1;`
		`-`
		`- err:`
		`- diff --git a/test/endecode_test.c b/test/endecode_test.c`
		`- index 14648287eb..9a437d8c64 100644`
		`- --- a/test/endecode_test.c`
		`- +++ b/test/endecode_test.c`
		`- @@ -62,7 +62,7 @@ static BN_CTX *bnctx = NULL;`
		`- static OSSL_PARAM_BLD *bld_prime_nc = NULL;`
		`- static OSSL_PARAM_BLD *bld_prime = NULL;`
		`- static OSSL_PARAM *ec_explicit_prime_params_nc = NULL;`
		`- -static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL;`
		`- +/static OSSL_PARAM ec_explicit_prime_params_explicit = NULL;*/`
		`-`
		`- # ifndef OPENSSL_NO_EC2M`
		`- static OSSL_PARAM_BLD *bld_tri_nc = NULL;`
		`- @@ -1009,9 +1009,9 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC")`
		`- DOMAIN_KEYS(ECExplicitPrimeNamedCurve);`
		`- IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC", 1)`
		`- IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve, "EC")`
		`- -DOMAIN_KEYS(ECExplicitPrime2G);`
		`- -IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)`
		`- -IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")`
		`- +/DOMAIN_KEYS(ECExplicitPrime2G);/`
		`- +/IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)/`
		`- +/IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")/`
		`- # ifndef OPENSSL_NO_EC2M`
		`- DOMAIN_KEYS(ECExplicitTriNamedCurve);`
		`- IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC", 1)`
		`- @@ -1352,7 +1352,7 @@ int setup_tests(void)`
		`- \|\| !create_ec_explicit_prime_params_namedcurve(bld_prime_nc)`
		`- \|\| !create_ec_explicit_prime_params(bld_prime)`
		`- \|\| !TEST_ptr(ec_explicit_prime_params_nc = OSSL_PARAM_BLD_to_param(bld_prime_nc))`
		`- - \|\| !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))`
		`- +/* \|\| !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))*/`
		`- # ifndef OPENSSL_NO_EC2M`
		`- \|\| !TEST_ptr(bld_tri_nc = OSSL_PARAM_BLD_new())`
		`- \|\| !TEST_ptr(bld_tri = OSSL_PARAM_BLD_new())`
		`- @@ -1380,7 +1380,7 @@ int setup_tests(void)`
		`- TEST_info("Generating EC keys...");`
		`- MAKE_DOMAIN_KEYS(EC, "EC", EC_params);`
		`- MAKE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve, "EC", ec_explicit_prime_params_nc);`
		`- - MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);`
		`- +/* MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);*/`
		`- # ifndef OPENSSL_NO_EC2M`
		`- MAKE_DOMAIN_KEYS(ECExplicitTriNamedCurve, "EC", ec_explicit_tri_params_nc);`
		`- MAKE_DOMAIN_KEYS(ECExplicitTri2G, "EC", ec_explicit_tri_params_explicit);`
		`- @@ -1423,8 +1423,8 @@ int setup_tests(void)`
		`- ADD_TEST_SUITE_LEGACY(EC);`
		`- ADD_TEST_SUITE(ECExplicitPrimeNamedCurve);`
		`- ADD_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve);`
		`- - ADD_TEST_SUITE(ECExplicitPrime2G);`
		`- - ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);`
		`- +/* ADD_TEST_SUITE(ECExplicitPrime2G);*/`
		`- +/* ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);*/`
		`- # ifndef OPENSSL_NO_EC2M`
		`- ADD_TEST_SUITE(ECExplicitTriNamedCurve);`
		`- ADD_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve);`
		`- @@ -1461,7 +1461,7 @@ void cleanup_tests(void)`
		`- {`
		`- #ifndef OPENSSL_NO_EC`
		`- OSSL_PARAM_free(ec_explicit_prime_params_nc);`
		`- - OSSL_PARAM_free(ec_explicit_prime_params_explicit);`
		`- +/* OSSL_PARAM_free(ec_explicit_prime_params_explicit);*/`
		`- OSSL_PARAM_BLD_free(bld_prime_nc);`
		`- OSSL_PARAM_BLD_free(bld_prime);`
		`- # ifndef OPENSSL_NO_EC2M`
		`- @@ -1483,7 +1483,7 @@ void cleanup_tests(void)`
		`- #ifndef OPENSSL_NO_EC`
		`- FREE_DOMAIN_KEYS(EC);`
		`- FREE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve);`
		`- - FREE_DOMAIN_KEYS(ECExplicitPrime2G);`
		`- +/* FREE_DOMAIN_KEYS(ECExplicitPrime2G);*/`
		`- # ifndef OPENSSL_NO_EC2M`
		`- FREE_DOMAIN_KEYS(ECExplicitTriNamedCurve);`
		`- FREE_DOMAIN_KEYS(ECExplicitTri2G);`
		`- diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt`
		`- index ec3c032aba..584ecee0eb 100644`
		`- --- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt`
		`- +++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt`
		`- @@ -133,18 +133,6 @@ AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgiUTxtr5vLVjj`
		`- 3ev1gTwRBduzqqlwd54AUSgI+pjttW8zrWNitO8H1sf59MPWOESKxNtZ1+Nl`
		`- -----END PRIVATE KEY-----`
		`-`
		`- -PrivateKey = EC_EXPLICIT`
		`- ------BEGIN PRIVATE KEY-----`
		`- -MIIBeQIBADCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAAB`
		`- -AAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA`
		`- -///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMV`
		`- -AMSdNgiG5wSTamZ44ROdJreBn36QBEEE5JcIvn36opqjEm/k59Al40rBAxWM2TPG`
		`- -l0L13Je51zHpfXQ9Z2o7IQicMXP4wSfJ0qCgg2bgydqoxlYrlLGuVQIhAP////8A`
		`- -AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgec92jwduadCk`
		`- -OjoNRI+YT5Be5TkzZXzYCyTLkMOikDmhRANCAATtECEhQbLEaiUj/Wu0qjcr81lL`
		`- -46dx5zYgArz/iaSNJ3W80oO+F7v04jlQ7wxQzg96R0bwKiMeq5CcW9ZFt6xg`
		`- ------END PRIVATE KEY-----`
		`- -`
		`- PrivateKey = B-163`
		`- -----BEGIN PRIVATE KEY-----`
		`- MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K`
		`- --`
		`- 2.41.0`
		`-`

0013-Skip-ec-tests.patch ~~0013-skipped-tests-EC-curves.patch~~

file renamed

+7 -10

		`@@ -1,13 +1,10 @@`
		`- From 9ede2b1e13f72db37718853faff74b4429084d59 Mon Sep 17 00:00:00 2001`
		`- From: rpm-build <rpm-build>`
		`- Date: Mon, 31 Jul 2023 09:41:28 +0200`
		`- Subject: [PATCH 13/35] 0013-skipped-tests-EC-curves.patch`
		`+ From b346742397ebbd62b581f2535c8736c4fab02e1c Mon Sep 17 00:00:00 2001`
		`+ From: Sahana Prasad <sahana@redhat.com>`
		`+ Date: Mon, 5 Jun 2023 19:03:23 +0200`
		`+ Subject: [PATCH 13/42] Skip ec tests Patch-name:`
		`+ 0013-skipped-tests-EC-curves.patch`

		`- Patch-name: 0013-skipped-tests-EC-curves.patch`
		`- Patch-id: 13`
		`- Patch-status: \|`
		`- # Skipped tests from former 0011-Remove-EC-curves.patch`
		`- From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd`
		`+ Signed-off-by: Sahana Prasad <sahana@redhat.com>`
		`---`
		`test/recipes/15-test_ec.t \| 2 +-`
		`test/recipes/65-test_cmp_protect.t \| 2 +-`
		`@@ -54,5 +51,5 @@`
		`my @basic_cmd = ("cmp_vfy_test",`
		`data_file("server.crt"), data_file("client.crt"),`
		`--`
		`- 2.41.0`
		`+ 2.39.3`

0014-loads-the-legacy-provider.patch ~~0024-load-legacy-prov.patch~~

file renamed

+9 -12

		`@@ -1,20 +1,17 @@`
		`- From 69636828729ecc287863366dcdd6548dee78c7a4 Mon Sep 17 00:00:00 2001`
		`- From: rpm-build <rpm-build>`
		`- Date: Mon, 31 Jul 2023 09:41:28 +0200`
		`- Subject: [PATCH 14/35] 0024-load-legacy-prov.patch`
		`+ From f38876b4801ab641156a58b2eb3f293ba6f4f9ed Mon Sep 17 00:00:00 2001`
		`+ From: Sahana Prasad <sahana@redhat.com>`
		`+ Date: Mon, 5 Jun 2023 19:46:44 +0200`
		`+ Subject: [PATCH 14/42] loads the legacy provider Patch-name:`
		`+ 0024-load-legacy-prov.patch`

		`- Patch-name: 0024-load-legacy-prov.patch`
		`- Patch-id: 24`
		`- Patch-status: \|`
		`- # Instructions to load legacy provider in openssl.cnf`
		`- From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd`
		`+ Signed-off-by: Sahana Prasad <sahana@redhat.com>`
		`---`
		`apps/openssl.cnf \| 37 +++++++++++++++----------------------`
		`doc/man5/config.pod \| 8 ++++++++`
		`2 files changed, 23 insertions(+), 22 deletions(-)`

		`diff --git a/apps/openssl.cnf b/apps/openssl.cnf`
		`- index 3956235fda..bddb6bc029 100644`
		`+ index 7c03a22b09..f388436451 100644`
		`--- a/apps/openssl.cnf`
		`+++ b/apps/openssl.cnf`
		`@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1`
		`@@ -70,7 +67,7 @@`
		`[ ssl_module ]`

		`diff --git a/doc/man5/config.pod b/doc/man5/config.pod`
		`- index 8d312c661f..714a10437b 100644`
		`+ index 77a8055e81..a84113287c 100644`
		`--- a/doc/man5/config.pod`
		`+++ b/doc/man5/config.pod`
		`@@ -273,6 +273,14 @@ significant.`
		`@@ -89,5 +86,5 @@`

		`If no providers are activated explicitly, the default one is activated implicitly.`
		`--`
		`- 2.41.0`
		`+ 2.39.3`

0015-Add-the-default-provider.patch ~~0025-for-tests.patch~~

file renamed

+19 -4

		`@@ -1,7 +1,19 @@`
		`- diff -up openssl-3.0.0/apps/openssl.cnf.xxx openssl-3.0.0/apps/openssl.cnf`
		`- --- openssl-3.0.0/apps/openssl.cnf.xxx 2021-11-23 16:29:50.618691603 +0100`
		`- +++ openssl-3.0.0/apps/openssl.cnf 2021-11-23 16:28:16.872882099 +0100`
		`- @@ -55,11 +55,11 @@ providers = provider_sect`
		`+ From 01affe768a6e9756fede331b30f50d0c93319922 Mon Sep 17 00:00:00 2001`
		`+ From: Sahana Prasad <sahana@redhat.com>`
		`+ Date: Mon, 5 Jun 2023 20:05:14 +0200`
		`+ Subject: [PATCH 15/42] Add the default provider Patch-name:`
		`+ 0025-for-tests.patch`
		`+`
		`+ Signed-off-by: Sahana Prasad <sahana@redhat.com>`
		`+ ---`
		`+ apps/openssl.cnf \| 6 +++---`
		`+ 1 file changed, 3 insertions(+), 3 deletions(-)`
		`+`
		`+ diff --git a/apps/openssl.cnf b/apps/openssl.cnf`
		`+ index f388436451..63725925a7 100644`
		`+ --- a/apps/openssl.cnf`
		`+ +++ b/apps/openssl.cnf`
		`+ @@ -57,11 +57,11 @@ ssl_conf = ssl_module`
		`# to side-channel attacks and as such have been deprecated.`

		`[provider_sect]`
		`@@ -16,3 +28,6 @@`

		`##[legacy_sect]`
		`##activate = 1`
		`+ --`
		`+ 2.39.3`
		`+`

0016-Fix-test-names.patch ~~0031-tmp-Fix-test-names.patch~~

file renamed

+31 -3

		`@@ -1,8 +1,33 @@`
		`+ From 370f85d4f36fe43095cb46b449e4dc85ceaf660c Mon Sep 17 00:00:00 2001`
		`+ From: Sahana Prasad <sahana@redhat.com>`
		`+ Date: Mon, 5 Jun 2023 20:06:56 +0200`
		`+ Subject: [PATCH 16/42] Fix test names Patch-name:`
		`+ 0031-tmp-Fix-test-names.patch`
		`+`
		`+ Signed-off-by: Sahana Prasad <sahana@redhat.com>`
		`+ ---`
		`+ test/recipes/90-test_sslapi.t \| 2 +-`
		`+ test/sslapitest.c \| 10 ++++++++++`
		`+ 2 files changed, 11 insertions(+), 1 deletion(-)`
		`+`
		`+ diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t`
		`+ index 70fa7e50e2..854c8d075f 100644`
		`+ --- a/test/recipes/90-test_sslapi.t`
		`+ +++ b/test/recipes/90-test_sslapi.t`
		`+ @@ -48,7 +48,7 @@ unless ($no_fips) {`
		`+ "recipes",`
		`+ "90-test_sslapi_data",`
		`+ "dhparams.pem")])),`
		`+ - "running sslapitest");`
		`+ + "running sslapitest - FIPS");`
		`+ }`
		`+`
		`+ unlink $tmpfilename;`
		`diff --git a/test/sslapitest.c b/test/sslapitest.c`
		`- index e95d2657f46c..7af0eab3fce0 100644`
		`+ index 1f63212f90..bda24c8342 100644`
		`--- a/test/sslapitest.c`
		`+++ b/test/sslapitest.c`
		`- @@ -1158,6 +1158,11 @@ static int execute_test_ktls(int cis_ktls, int sis_ktls,`
		`+ @@ -1171,6 +1171,11 @@ static int execute_test_ktls(int cis_ktls, int sis_ktls,`
		`goto end;`
		`}`

		`@@ -14,7 +39,7 @@`
		`/* Create a session based on SHA-256 */`
		`if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),`
		`TLS_client_method(),`
		`- @@ -1292,6 +1297,11 @@ static int execute_test_ktls_sendfile(int tls_version, const char *cipher)`
		`+ @@ -1310,6 +1315,11 @@ static int execute_test_ktls_sendfile(int tls_version, const char *cipher)`
		`goto end;`
		`}`

		`@@ -26,3 +51,6 @@`
		`/* Create a session based on SHA-256 */`
		`if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),`
		`TLS_client_method(),`
		`+ --`
		`+ 2.39.3`
		`+`

0017-Force-FIPS.patch

file added

+181

		`@@ -0,0 +1,181 @@`
		`+ From 781b1e5eeb855e3ddda51a2ec09d482895a2b978 Mon Sep 17 00:00:00 2001`
		`+ From: Sahana Prasad <sahana@redhat.com>`
		`+ Date: Mon, 5 Jun 2023 20:08:15 +0200`
		`+ Subject: [PATCH 17/42] Force FIPS Patch-name: 0032-Force-fips.patch`
		`+`
		`+ Signed-off-by: Sahana Prasad <sahana@redhat.com>`
		`+ ---`
		`+ crypto/provider_conf.c \| 123 +++++++++++++++++++++++++----------------`
		`+ 1 file changed, 74 insertions(+), 49 deletions(-)`
		`+`
		`+ diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c`
		`+ index c13c887c3d..feffdb9688 100644`
		`+ --- a/crypto/provider_conf.c`
		`+ +++ b/crypto/provider_conf.c`
		`+ @@ -10,6 +10,7 @@`
		`+ #include <string.h>`
		`+ #include <openssl/trace.h>`
		`+ #include <openssl/err.h>`
		`+ +#include <openssl/evp.h>`
		`+ #include <openssl/conf.h>`
		`+ #include <openssl/safestack.h>`
		`+ #include <openssl/provider.h>`
		`+ @@ -136,58 +137,18 @@ static int prov_already_activated(const char *name,`
		`+ return 0;`
		`+ }`
		`+`
		`+ -static int provider_conf_load(OSSL_LIB_CTX libctx, const char name,`
		`+ - const char value, const CONF cnf)`
		`+ +static int provider_conf_activate(OSSL_LIB_CTX libctx,const char name,`
		`+ + const char value, const char path,`
		`+ + int soft, const CONF *cnf)`
		`+ {`
		`+ - int i;`
		`+ - STACK_OF(CONF_VALUE) *ecmds;`
		`+ - int soft = 0;`
		`+ - OSSL_PROVIDER prov = NULL, actual = NULL;`
		`+ - const char *path = NULL;`
		`+ - long activate = 0;`
		`+ int ok = 0;`
		`+ -`
		`+ - name = skip_dot(name);`
		`+ - OSSL_TRACE1(CONF, "Configuring provider %s\n", name);`
		`+ - /* Value is a section containing PROVIDER commands */`
		`+ - ecmds = NCONF_get_section(cnf, value);`
		`+ -`
		`+ - if (!ecmds) {`
		`+ - ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,`
		`+ - "section=%s not found", value);`
		`+ - return 0;`
		`+ - }`
		`+ -`
		`+ - /* Find the needed data first */`
		`+ - for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) {`
		`+ - CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i);`
		`+ - const char *confname = skip_dot(ecmd->name);`
		`+ - const char *confvalue = ecmd->value;`
		`+ -`
		`+ - OSSL_TRACE2(CONF, "Provider command: %s = %s\n",`
		`+ - confname, confvalue);`
		`+ -`
		`+ - /* First handle some special pseudo confs */`
		`+ -`
		`+ - /* Override provider name to use */`
		`+ - if (strcmp(confname, "identity") == 0)`
		`+ - name = confvalue;`
		`+ - else if (strcmp(confname, "soft_load") == 0)`
		`+ - soft = 1;`
		`+ - /* Load a dynamic PROVIDER */`
		`+ - else if (strcmp(confname, "module") == 0)`
		`+ - path = confvalue;`
		`+ - else if (strcmp(confname, "activate") == 0)`
		`+ - activate = 1;`
		`+ - }`
		`+ -`
		`+ - if (activate) {`
		`+ - PROVIDER_CONF_GLOBAL *pcgbl`
		`+ - = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,`
		`+ - &provider_conf_ossl_ctx_method);`
		`+ + OSSL_PROVIDER prov = NULL, actual = NULL;`
		`+ + PROVIDER_CONF_GLOBAL *pcgbl`
		`+ + = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,`
		`+ + &provider_conf_ossl_ctx_method);`
		`+`
		`+ if (pcgbl == NULL \|\| !CRYPTO_THREAD_write_lock(pcgbl->lock)) {`
		`+ - ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);`
		`+ + ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);`
		`+ return 0;`
		`+ }`
		`+ if (!prov_already_activated(name, pcgbl->activated_providers)) {`
		`+ @@ -216,7 +177,7 @@ static int provider_conf_load(OSSL_LIB_CTX libctx, const char name,`
		`+ if (path != NULL)`
		`+ ossl_provider_set_module_path(prov, path);`
		`+`
		`+ - ok = provider_conf_params(prov, NULL, NULL, value, cnf);`
		`+ + ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;`
		`+`
		`+ if (ok) {`
		`+ if (!ossl_provider_activate(prov, 1, 0)) {`
		`+ @@ -244,8 +205,59 @@ static int provider_conf_load(OSSL_LIB_CTX libctx, const char name,`
		`+ }`
		`+ if (!ok)`
		`+ ossl_provider_free(prov);`
		`+ + } else { /* No reason to activate the provider twice, returning OK */`
		`+ + ok = 1;`
		`+ }`
		`+ CRYPTO_THREAD_unlock(pcgbl->lock);`
		`+ + return ok;`
		`+ +}`
		`+ +`
		`+ +static int provider_conf_load(OSSL_LIB_CTX libctx, const char name,`
		`+ + const char value, const CONF cnf)`
		`+ +{`
		`+ + int i;`
		`+ + STACK_OF(CONF_VALUE) *ecmds;`
		`+ + int soft = 0;`
		`+ + const char *path = NULL;`
		`+ + long activate = 0;`
		`+ + int ok = 0;`
		`+ +`
		`+ + name = skip_dot(name);`
		`+ + OSSL_TRACE1(CONF, "Configuring provider %s\n", name);`
		`+ + /* Value is a section containing PROVIDER commands */`
		`+ + ecmds = NCONF_get_section(cnf, value);`
		`+ +`
		`+ + if (!ecmds) {`
		`+ + ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,`
		`+ + "section=%s not found", value);`
		`+ + return 0;`
		`+ + }`
		`+ +`
		`+ + /* Find the needed data first */`
		`+ + for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) {`
		`+ + CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i);`
		`+ + const char *confname = skip_dot(ecmd->name);`
		`+ + const char *confvalue = ecmd->value;`
		`+ +`
		`+ + OSSL_TRACE2(CONF, "Provider command: %s = %s\n",`
		`+ + confname, confvalue);`
		`+ +`
		`+ + /* First handle some special pseudo confs */`
		`+ +`
		`+ + /* Override provider name to use */`
		`+ + if (strcmp(confname, "identity") == 0)`
		`+ + name = confvalue;`
		`+ + else if (strcmp(confname, "soft_load") == 0)`
		`+ + soft = 1;`
		`+ + /* Load a dynamic PROVIDER */`
		`+ + else if (strcmp(confname, "module") == 0)`
		`+ + path = confvalue;`
		`+ + else if (strcmp(confname, "activate") == 0)`
		`+ + activate = 1;`
		`+ + }`
		`+ +`
		`+ + if (activate) {`
		`+ + ok = provider_conf_activate(libctx, name, value, path, soft, cnf);`
		`+ } else {`
		`+ OSSL_PROVIDER_INFO entry;`
		`+`
		`+ @@ -306,6 +318,19 @@ static int provider_conf_init(CONF_IMODULE md, const CONF cnf)`
		`+ return 0;`
		`+ }`
		`+`
		`+ + if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */`
		`+ + OSSL_LIB_CTX libctx = NCONF_get0_libctx((CONF )cnf);`
		`+ + PROVIDER_CONF_GLOBAL *pcgbl`
		`+ + = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,`
		`+ + &provider_conf_ossl_ctx_method);`
		`+ + if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)`
		`+ + return 0;`
		`+ + if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)`
		`+ + return 0;`
		`+ + if (EVP_default_properties_enable_fips(libctx, 1) != 1)`
		`+ + return 0;`
		`+ + }`
		`+ +`
		`+ return 1;`
		`+ }`
		`+`
		`+ --`
		`+ 2.39.3`
		`+`

0018-FIPS-embed-hmac.patch ~~0033-FIPS-embed-hmac.patch~~

file renamed

+25 -42

		`@@ -1,32 +1,26 @@`
		`- From 538665f6c210f876bf2733afe63460b36f2c9929 Mon Sep 17 00:00:00 2001`
		`- From: rpm-build <rpm-build>`
		`- Date: Mon, 31 Jul 2023 09:41:28 +0200`
		`- Subject: [PATCH 17/35] 0033-FIPS-embed-hmac.patch`
		`+ From 8e1c16a417a5838d53fed0cf78dfc9b7f278a2eb Mon Sep 17 00:00:00 2001`
		`+ From: Sahana Prasad <sahana@redhat.com>`
		`+ Date: Mon, 5 Jun 2023 20:09:47 +0200`
		`+ Subject: [PATCH 18/42] FIPS embed hmac Patch-name: 0033-FIPS-embed-hmac.patch`

		`- Patch-name: 0033-FIPS-embed-hmac.patch`
		`- Patch-id: 33`
		`- Patch-status: \|`
		`- # Embed HMAC into the fips.so`
		`- From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd`
		`+ Signed-off-by: Sahana Prasad <sahana@redhat.com>`
		`---`
		`providers/fips/self_test.c \| 69 ++++++++++++++++++++++++---`
		`- test/fipsmodule.cnf \| 2 +`
		`test/recipes/00-prep_fipsmodule_cnf.t \| 2 +-`
		`test/recipes/01-test_fipsmodule_cnf.t \| 2 +-`
		`test/recipes/03-test_fipsinstall.t \| 2 +-`
		`test/recipes/30-test_defltfips.t \| 2 +-`
		`test/recipes/80-test_ssl_new.t \| 2 +-`
		`test/recipes/90-test_sslapi.t \| 2 +-`
		`- 8 files changed, 70 insertions(+), 13 deletions(-)`
		`- create mode 100644 test/fipsmodule.cnf`
		`+ 7 files changed, 68 insertions(+), 13 deletions(-)`

		`diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c`
		`- index 10804d9f59..ef56002854 100644`
		`+ index 80d048a847..2050a7eb3e 100644`
		`--- a/providers/fips/self_test.c`
		`+++ b/providers/fips/self_test.c`
		`- @@ -231,11 +231,27 @@ err:`
		`- return ok;`
		`+ @@ -172,11 +172,27 @@ DEP_FINI_ATTRIBUTE void cleanup(void)`
		`}`
		`+ #endif`

		`+#define HMAC_LEN 32`
		`+/*`
		`@@ -52,7 +46,7 @@`
		`static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,`
		`unsigned char *expected, size_t expected_len,`
		`OSSL_LIB_CTX libctx, OSSL_SELF_TEST ev,`
		`- @@ -248,12 +264,23 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex`
		`+ @@ -189,9 +205,20 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex`
		`EVP_MAC *mac = NULL;`
		`EVP_MAC_CTX *ctx = NULL;`
		`OSSL_PARAM params[2], *p = params;`
		`@@ -62,9 +56,6 @@`
		`+ unsigned long paddr;`
		`+ unsigned long off = 0;`

		`- if (!integrity_self_test(ev, libctx))`
		`- goto err;`
		`-`
		`OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);`

		`+ if (!dladdr1 ((const void *)fips_hmac_container,`
		`@@ -76,7 +67,7 @@`
		`mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);`
		`if (mac == NULL)`
		`goto err;`
		`- @@ -267,13 +294,42 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex`
		`+ @@ -205,13 +232,42 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex`
		`if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))`
		`goto err;`

		`@@ -121,7 +112,7 @@`
		`if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))`
		`goto err;`

		`- @@ -349,8 +405,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)`
		`+ @@ -285,8 +341,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)`
		`CRYPTO_THREAD_unlock(fips_state_lock);`
		`}`

		`@@ -131,7 +122,7 @@`
		`ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);`
		`goto end;`
		`}`
		`- @@ -359,8 +414,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)`
		`+ @@ -295,8 +350,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)`
		`if (ev == NULL)`
		`goto end;`

		`@@ -143,24 +134,16 @@`
		`if (module_checksum == NULL) {`
		`ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);`
		`goto end;`
		`- @@ -434,7 +490,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)`
		`+ @@ -358,7 +414,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)`
		`+ ok = 1;`
		`end:`
		`- EVP_RAND_free(testrand);`
		`OSSL_SELF_TEST_free(ev);`
		`- OPENSSL_free(module_checksum);`
		`OPENSSL_free(indicator_checksum);`

		`if (st != NULL) {`
		`- diff --git a/test/fipsmodule.cnf b/test/fipsmodule.cnf`
		`- new file mode 100644`
		`- index 0000000000..f05d0dedbe`
		`- --- /dev/null`
		`- +++ b/test/fipsmodule.cnf`
		`- @@ -0,0 +1,2 @@`
		`- +[fips_sect]`
		`- +activate = 1`
		`diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t`
		`- index 4e3a6d85e8..e8255ba974 100644`
		`+ index 8d53e8a40f..13b2dc3637 100644`
		`--- a/test/recipes/00-prep_fipsmodule_cnf.t`
		`+++ b/test/recipes/00-prep_fipsmodule_cnf.t`
		`@@ -20,7 +20,7 @@ use lib srctop_dir('Configurations');`
		`@@ -186,7 +169,7 @@`
		`if $no_check;`
		`plan tests => 1;`
		`diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t`
		`- index b8b136d110..8242f4ebc3 100644`
		`+ index c39b2cee09..e6ff95c5c6 100644`
		`--- a/test/recipes/03-test_fipsinstall.t`
		`+++ b/test/recipes/03-test_fipsinstall.t`
		`@@ -22,7 +22,7 @@ use lib srctop_dir('Configurations');`
		`@@ -196,8 +179,8 @@`
		`-plan skip_all => "Test only supported in a fips build" if disabled("fips");`
		`+plan skip_all => "Test only supported in a fips build" if 1;`

		`- # Compatible options for pedantic FIPS compliance`
		`- my @pedantic_okay =`
		`+ plan tests => 29;`
		`+`
		`diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t`
		`index 426bd660d1..6dc514936b 100644`
		`--- a/test/recipes/30-test_defltfips.t`
		`@@ -212,7 +195,7 @@`
		`plan tests =>`
		`($no_fips ? 1 : 5);`
		`diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t`
		`- index 0c6d6402d9..e45f9cb560 100644`
		`+ index fe03607419..46ee670398 100644`
		`--- a/test/recipes/80-test_ssl_new.t`
		`+++ b/test/recipes/80-test_ssl_new.t`
		`@@ -27,7 +27,7 @@ setup("test_ssl_new");`
		`@@ -225,18 +208,18 @@`
		`$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");`

		`diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t`
		`- index 9e9e32b51e..1a1a7159b5 100644`
		`+ index 854c8d075f..3d23f080bb 100644`
		`--- a/test/recipes/90-test_sslapi.t`
		`+++ b/test/recipes/90-test_sslapi.t`
		`- @@ -17,7 +17,7 @@ setup("test_sslapi");`
		`+ @@ -18,7 +18,7 @@ setup("test_sslapi");`
		`use lib srctop_dir('Configurations');`
		`use lib bldtop_dir('.');`

		`-my $no_fips = disabled('fips') \|\| ($ENV{NO_FIPS} // 0);`
		`+my $no_fips = 1; #disabled('fips') \|\| ($ENV{NO_FIPS} // 0);`
		`- my $fipsmodcfg_filename = "fipsmodule.cnf";`
		`- my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename);`

		`+ plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"`
		`+ if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));`
		`--`
		`- 2.41.0`
		`+ 2.39.3`

0019-Disable-fipsinstall.patch ~~0034.fipsinstall_disable.patch~~

file renamed

+21 -63

		`@@ -1,27 +1,24 @@`
		`- From a9825123e7ab3474d2794a5706d9bed047959c9c Mon Sep 17 00:00:00 2001`
		`- From: rpm-build <rpm-build>`
		`- Date: Mon, 31 Jul 2023 09:41:28 +0200`
		`- Subject: [PATCH 18/35] 0034.fipsinstall_disable.patch`
		`+ From e2455ce4e6357ad8796095ea4c16ab4c70493348 Mon Sep 17 00:00:00 2001`
		`+ From: Sahana Prasad <sahana@redhat.com>`
		`+ Date: Mon, 5 Jun 2023 20:20:41 +0200`
		`+ Subject: [PATCH 19/42] Disable fipsinstall Patch-name:`
		`+ 0034.fipsinstall_disable.patch`

		`- Patch-name: 0034.fipsinstall_disable.patch`
		`- Patch-id: 34`
		`- Patch-status: \|`
		`- # Comment out fipsinstall command-line utility`
		`- From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd`
		`+ Signed-off-by: Sahana Prasad <sahana@redhat.com>`
		`---`
		`apps/fipsinstall.c \| 3 +`
		`- doc/man1/openssl-fipsinstall.pod.in \| 272 +---------------------------`
		`+ doc/man1/openssl-fipsinstall.pod.in \| 231 +---------------------------`
		`doc/man1/openssl.pod \| 4 -`
		`doc/man5/config.pod \| 1 -`
		`- doc/man5/fips_config.pod \| 104 +----------`
		`+ doc/man5/fips_config.pod \| 104 +------------`
		`doc/man7/OSSL_PROVIDER-FIPS.pod \| 1 -`
		`- 6 files changed, 10 insertions(+), 375 deletions(-)`
		`+ 6 files changed, 10 insertions(+), 334 deletions(-)`

		`diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c`
		`- index e1ef645b60..db92cb5fb2 100644`
		`+ index d0efdf7643..e978057fd4 100644`
		`--- a/apps/fipsinstall.c`
		`+++ b/apps/fipsinstall.c`
		`- @@ -375,6 +375,9 @@ int fipsinstall_main(int argc, char **argv)`
		`+ @@ -311,6 +311,9 @@ int fipsinstall_main(int argc, char **argv)`
		`EVP_MAC *mac = NULL;`
		`CONF *conf = NULL;`

		`@@ -32,10 +29,10 @@`
		`goto end;`

		`diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in`
		`- index b1768b7f91..b6b00e27d8 100644`
		`+ index 97e2ae910c..6067623209 100644`
		`--- a/doc/man1/openssl-fipsinstall.pod.in`
		`+++ b/doc/man1/openssl-fipsinstall.pod.in`
		`- @@ -8,275 +8,9 @@ openssl-fipsinstall - perform FIPS configuration installation`
		`+ @@ -8,236 +8,11 @@ openssl-fipsinstall - perform FIPS configuration installation`
		`=head1 SYNOPSIS`

		`B<openssl fipsinstall>`
		`@@ -50,18 +47,14 @@`
		`-[B<-macopt> I<nm>:I<v>]`
		`-[B<-noout>]`
		`-[B<-quiet>]`
		`- -[B<-pedantic>]`
		`-[B<-no_conditional_errors>]`
		`-[B<-no_security_checks>]`
		`- -[B<-ems_check>]`
		`- -[B<-no_drbg_truncated_digests>]`
		`-[B<-self_test_onload>]`
		`- -[B<-self_test_oninstall>]`
		`-[B<-corrupt_desc> I<selftest_description>]`
		`-[B<-corrupt_type> I<selftest_type>]`
		`-[B<-config> I<parent_config>]`
		`- -`
		`- -=head1 DESCRIPTION`
		`+`
		`+ =head1 DESCRIPTION`
		`-`
		`-This command is used to generate a FIPS module configuration file.`
		`-This configuration file can be used each time a FIPS module is loaded`
		`@@ -190,14 +183,6 @@`
		`-`
		`-Disable logging of the self tests.`
		`-`
		`- -=item B<-pedantic>`
		`- -`
		`- -Configure the module so that it is strictly FIPS compliant rather`
		`- -than being backwards compatible. This enables conditional errors,`
		`- -security checks etc. Note that any previous configuration options will`
		`- -be overwritten and any subsequent configuration options that violate`
		`- -FIPS compliance will result in an error.`
		`- -`
		`-=item B<-no_conditional_errors>`
		`-`
		`-Configure the module to not enter an error state if a conditional self test`
		`@@ -207,20 +192,6 @@`
		`-`
		`-Configure the module to not perform run-time security checks as described above.`
		`-`
		`- -Enabling the configuration option "no-fips-securitychecks" provides another way to`
		`- -turn off the check at compile time.`
		`- -`
		`- -=item B<-ems_check>`
		`- -`
		`- -Configure the module to enable a run-time Extended Master Secret (EMS) check`
		`- -when using the TLS1_PRF KDF algorithm. This check is disabled by default.`
		`- -See RFC 7627 for information related to EMS.`
		`- -`
		`- -=item B<-no_drbg_truncated_digests>`
		`- -`
		`- -Configure the module to not allow truncated digests to be used with Hash and`
		`- -HMAC DRBGs. See FIPS 140-3 IG D.R for details.`
		`- -`
		`-=item B<-self_test_onload>`
		`-`
		`-Do not write the two fields related to the "test status indicator" and`
		`@@ -231,14 +202,6 @@`
		`-could possibly then add the 2 fields into the configuration using some other`
		`-mechanism.`
		`-`
		`- -This is the default.`
		`- -`
		`- -=item B<-self_test_oninstall>`
		`- -`
		`- -The converse of B<-self_test_oninstall>. The two fields related to the`
		`- -"test status indicator" and "MAC status indicator" are written to the`
		`- -output configuration file.`
		`- -`
		`-=item B<-quiet>`
		`-`
		`-Do not output pass/fail messages. Implies B<-noout>.`
		`@@ -274,11 +237,6 @@`
		`-For normal usage the base configuration file should use the default provider`
		`-when generating the fips configuration file.`
		`-`
		`- -The B<-self_test_oninstall> option was added and the`
		`- -B<-self_test_onload> option was made the default in OpenSSL 3.1.`
		`- -`
		`- -The command and all remaining options were added in OpenSSL 3.0.`
		`- -`
		`-=head1 EXAMPLES`
		`-`
		`-Calculate the mac of a FIPS module F<fips.so> and run a FIPS self test`
		`@@ -315,7 +273,7 @@`
		`=head1 COPYRIGHT`

		`diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod`
		`- index d9c22a580f..d5ec3b9a6a 100644`
		`+ index 869e8e5ad8..60c37cf0a2 100644`
		`--- a/doc/man1/openssl.pod`
		`+++ b/doc/man1/openssl.pod`
		`@@ -135,10 +135,6 @@ Engine (loadable module) information and manipulation.`
		`@@ -330,7 +288,7 @@`

		`Generation of DSA Private Key from Parameters. Superseded by`
		`diff --git a/doc/man5/config.pod b/doc/man5/config.pod`
		`- index 714a10437b..bd05736220 100644`
		`+ index a84113287c..7624c97225 100644`
		`--- a/doc/man5/config.pod`
		`+++ b/doc/man5/config.pod`
		`@@ -573,7 +573,6 @@ configuration files using that syntax will have to be modified.`
		`@@ -342,7 +300,7 @@`
		`L<EVP_set_default_properties(3)>,`
		`L<CONF_modules_load(3)>,`
		`diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod`
		`- index 2255464304..1c15e32a5c 100644`
		`+ index cd0012a73a..8f032ac6a3 100644`
		`--- a/doc/man5/fips_config.pod`
		`+++ b/doc/man5/fips_config.pod`
		`@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration`
		`@@ -457,10 +415,10 @@`
		`=head1 HISTORY`

		`diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod`
		`- index 4f908888ba..ef00247770 100644`
		`+ index 58008ae59f..fef82baef6 100644`
		`--- a/doc/man7/OSSL_PROVIDER-FIPS.pod`
		`+++ b/doc/man7/OSSL_PROVIDER-FIPS.pod`
		`- @@ -444,7 +444,6 @@ want to operate in a FIPS approved manner. The algorithms are:`
		`+ @@ -394,7 +394,6 @@ A simple self test callback is shown below for illustrative purposes.`

		`=head1 SEE ALSO`

		`@@ -469,5 +427,5 @@`
		`L<OSSL_SELF_TEST_set_callback(3)>,`
		`L<OSSL_SELF_TEST_new(3)>,`
		`--`
		`- 2.41.0`
		`+ 2.39.3`

0020-Skip-unavailable-digests.patch ~~0035-speed-skip-unavailable-dgst.patch~~

file renamed

+9 -12

		`@@ -1,22 +1,19 @@`
		`- From 213f38dc580d39f2cb46592b5e6db585fc6a650f Mon Sep 17 00:00:00 2001`
		`- From: rpm-build <rpm-build>`
		`- Date: Mon, 31 Jul 2023 09:41:28 +0200`
		`- Subject: [PATCH 19/35] 0035-speed-skip-unavailable-dgst.patch`
		`+ From b9ea7b850049ed1b81b377d6141508adc2df6810 Mon Sep 17 00:00:00 2001`
		`+ From: Sahana Prasad <sahana@redhat.com>`
		`+ Date: Mon, 5 Jun 2023 20:25:45 +0200`
		`+ Subject: [PATCH 20/42] Skip unavailable digests Patch-name:`
		`+ 0035-speed-skip-unavailable-dgst.patch`

		`- Patch-name: 0035-speed-skip-unavailable-dgst.patch`
		`- Patch-id: 35`
		`- Patch-status: \|`
		- # Skip unavailable algorithms running `openssl speed`
		`- From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd`
		`+ Signed-off-by: Sahana Prasad <sahana@redhat.com>`
		`---`
		`apps/speed.c \| 3 +++`
		`1 file changed, 3 insertions(+)`

		`diff --git a/apps/speed.c b/apps/speed.c`
		`- index d527f12f18..2ff3eb53bd 100644`
		`+ index 86b0b45ca6..41de9d3eab 100644`
		`--- a/apps/speed.c`
		`+++ b/apps/speed.c`
		`- @@ -610,6 +610,9 @@ static int EVP_MAC_loop(int algindex, void *args)`
		`+ @@ -591,6 +591,9 @@ static int EVP_MAC_loop(int algindex, void *args)`
		`for (count = 0; COND(c[algindex][testnum]); count++) {`
		`size_t outl;`

		`@@ -27,5 +24,5 @@`
		`\|\| !EVP_MAC_update(mctx, buf, lengths[testnum])`
		`\|\| !EVP_MAC_final(mctx, mac, &outl, sizeof(mac)))`
		`--`
		`- 2.41.0`
		`+ 2.39.3`

0021-FIPS-140-3-keychecks.patch ~~0044-FIPS-140-3-keychecks.patch~~

file renamed

+27 -13

		`@@ -1,18 +1,16 @@`
		`- From bdf751d87be5dfb3164264ebcdbc0c0374d3eabf Mon Sep 17 00:00:00 2001`
		`- From: rpm-build <rpm-build>`
		`- Date: Mon, 31 Jul 2023 09:41:28 +0200`
		`- Subject: [PATCH 20/35] 0044-FIPS-140-3-keychecks.patch`
		`+ From ee9b38bd20a0df12e7e191e44510588fb342ac03 Mon Sep 17 00:00:00 2001`
		`+ From: Sahana Prasad <sahana@redhat.com>`
		`+ Date: Mon, 5 Jun 2023 20:27:00 +0200`
		`+ Subject: [PATCH 21/42] FIPS 140-3 keychecks Patch-name:`
		`+ 0044-FIPS-140-3-keychecks.patch`

		`- Patch-name: 0044-FIPS-140-3-keychecks.patch`
		`- Patch-id: 44`
		`- Patch-status: \|`
		`- # Extra public/private key checks required by FIPS-140-3`
		`- From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd`
		`+ Signed-off-by: Sahana Prasad <sahana@redhat.com>`
		`---`
		`crypto/dh/dh_key.c \| 28 ++++++++++++`
		`+ crypto/ec/ec_key.c \| 5 +++`
		`crypto/rsa/rsa_gen.c \| 44 ++++++++-----------`
		`.../implementations/exchange/ecdh_exch.c \| 19 ++++++++`
		`- 3 files changed, 65 insertions(+), 26 deletions(-)`
		`+ 4 files changed, 70 insertions(+), 26 deletions(-)`

		`diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c`
		`index 4e9705beef..cb9e641f54 100644`
		`@@ -76,6 +74,22 @@`
		`dh->dirty_cnt++;`
		`ok = 1;`
		`err:`
		`+ diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c`
		`+ index 729d338b33..75c0a1b39d 100644`
		`+ --- a/crypto/ec/ec_key.c`
		`+ +++ b/crypto/ec/ec_key.c`
		`+ @@ -333,6 +333,11 @@ static int ec_generate_key(EC_KEY *eckey, int pairwise_test)`
		`+`
		`+ OSSL_SELF_TEST_get_callback(eckey->libctx, &cb, &cbarg);`
		`+ ok = ecdsa_keygen_pairwise_test(eckey, cb, cbarg);`
		`+ +`
		`+ +#ifdef FIPS_MODULE`
		`+ + ok &= ossl_ec_key_public_check(eckey, ctx);`
		`+ + ok &= ossl_ec_key_pairwise_check(eckey, ctx);`
		`+ +#endif /* FIPS_MODULE */`
		`+ }`
		`+ err:`
		`+ /* Step (9): If there is an error return an invalid keypair. */`
		`diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c`
		`index e0d139d312..de9cedb64b 100644`
		`--- a/crypto/rsa/rsa_gen.c`
		`@@ -159,10 +173,10 @@`
		`return ret;`
		`}`
		`diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c`
		`- index 43caedb6df..73873f9758 100644`
		`+ index 35d665fb91..9220e455ee 100644`
		`--- a/providers/implementations/exchange/ecdh_exch.c`
		`+++ b/providers/implementations/exchange/ecdh_exch.c`
		`- @@ -489,6 +489,25 @@ int ecdh_plain_derive(void vpecdhctx, unsigned char secret,`
		`+ @@ -488,6 +488,25 @@ int ecdh_plain_derive(void vpecdhctx, unsigned char secret,`
		`}`

		`ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk);`
		`@@ -189,5 +203,5 @@`
		`retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL);`

		`--`
		`- 2.41.0`
		`+ 2.39.3`

0022-minimize-services-in-FIPS-mode.patch ~~0045-FIPS-services-minimize.patch~~

file renamed

+97 -81

		`@@ -1,19 +1,16 @@`
		`- From 8da97ba910507ea36fecd374ab896f80d150a7e7 Mon Sep 17 00:00:00 2001`
		`- From: rpm-build <rpm-build>`
		`- Date: Mon, 31 Jul 2023 09:41:28 +0200`
		`- Subject: [PATCH 21/35] 0045-FIPS-services-minimize.patch`
		`+ From 2e9a0383e2e42313b33d7298e92baa390960196a Mon Sep 17 00:00:00 2001`
		`+ From: Sahana Prasad <sahana@redhat.com>`
		`+ Date: Mon, 5 Jun 2023 20:28:04 +0200`
		`+ Subject: [PATCH 22/42] minimize services in FIPS mode Patch-name:`
		`+ 0045-FIPS-services-minimize.patch`

		`- Patch-name: 0045-FIPS-services-minimize.patch`
		`- Patch-id: 45`
		`- Patch-status: \|`
		`- # Minimize fips services`
		`- From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd`
		`+ Signed-off-by: Sahana Prasad <sahana@redhat.com>`
		`---`
		`apps/ecparam.c \| 3 ++`
		`apps/req.c \| 2 +-`
		`providers/common/capabilities.c \| 2 +-`
		`providers/fips/fipsprov.c \| 45 +++++++++++--------`
		`- providers/fips/self_test_data.inc \| 12 +++--`
		`+ providers/fips/self_test_data.inc \| 14 ++++--`
		`providers/implementations/signature/rsa_sig.c \| 13 ++++++`
		`ssl/ssl_ciph.c \| 3 ++`
		`test/acvp_test.c \| 2 +`
		`@@ -21,11 +18,11 @@`
		`test/evp_libctx_test.c \| 9 +++-`
		`test/recipes/15-test_gendsa.t \| 2 +-`
		`test/recipes/20-test_cli_fips.t \| 3 +-`
		`- test/recipes/30-test_evp.t \| 16 +++----`
		`+ test/recipes/30-test_evp.t \| 14 +++---`
		`.../30-test_evp_data/evpmac_common.txt \| 22 +++++++++`
		`test/recipes/80-test_cms.t \| 22 ++++-----`
		`test/recipes/80-test_ssl_old.t \| 2 +-`
		`- 16 files changed, 112 insertions(+), 50 deletions(-)`
		`+ 16 files changed, 113 insertions(+), 49 deletions(-)`

		`diff --git a/apps/ecparam.c b/apps/ecparam.c`
		`index 9e9ad13683..fc125a45c9 100644`
		`@@ -55,7 +52,7 @@`

		`prog = opt_init(argc, argv, req_options);`
		`diff --git a/providers/common/capabilities.c b/providers/common/capabilities.c`
		`- index ed37e76969..eb836dfa6a 100644`
		`+ index 7223d55164..af2cf6dc37 100644`
		`--- a/providers/common/capabilities.c`
		`+++ b/providers/common/capabilities.c`
		`@@ -186,9 +186,9 @@ static const OSSL_PARAM param_group_list[][10] = {`
		`@@ -70,11 +67,19 @@`
		`# ifndef OPENSSL_NO_DH`
		`/* Security bit values for FFDHE groups are as per RFC 7919 */`
		`diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c`
		`- index 518226dfc6..73bb96dece 100644`
		`+ index 6a88039423..cdcfcb7284 100644`
		`--- a/providers/fips/fipsprov.c`
		`+++ b/providers/fips/fipsprov.c`
		`- @@ -199,13 +199,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])`
		`- OSSL_LIB_CTX_FIPS_PROV_INDEX);`
		`+ @@ -38,7 +38,6 @@ static OSSL_FUNC_provider_query_operation_fn fips_query;`
		`+`
		`+ #define ALGC(NAMES, FUNC, CHECK) { { NAMES, FIPS_DEFAULT_PROPERTIES, FUNC }, CHECK }`
		`+ #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL)`
		`+ -`
		`+ extern OSSL_FUNC_core_thread_start_fn *c_thread_start;`
		`+ int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx);`
		`+`
		`+ @@ -175,13 +174,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])`
		`+ &fips_prov_ossl_ctx_method);`

		`p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);`
		`- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))`
		`@@ -90,7 +95,7 @@`
		`return 0;`
		`p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);`
		`if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))`
		`- @@ -298,10 +298,11 @@ static const OSSL_ALGORITHM fips_digests[] = {`
		`+ @@ -265,10 +264,11 @@ static const OSSL_ALGORITHM fips_digests[] = {`
		`* KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for`
		`* KMAC128 and KMAC256.`
		`*/`
		`@@ -104,19 +109,19 @@`
		`{ NULL, NULL, NULL }`
		`};`

		`- @@ -360,8 +361,9 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = {`
		`+ @@ -327,8 +327,9 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = {`
		`ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,`
		`ossl_cipher_capable_aes_cbc_hmac_sha256),`
		`#ifndef OPENSSL_NO_DES`
		`- - UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),`
		`- - UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),`
		`+ - ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),`
		`+ - ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),`
		`+ /* We don't certify 3DES in our FIPS provider */`
		`+ /* ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),`
		`+ ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), */`
		`#endif /* OPENSSL_NO_DES */`
		`{ { NULL, NULL, NULL }, NULL }`
		`};`
		`- @@ -373,8 +375,9 @@ static const OSSL_ALGORITHM fips_macs[] = {`
		`+ @@ -340,8 +341,9 @@ static const OSSL_ALGORITHM fips_macs[] = {`
		`#endif`
		`{ PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions },`
		`{ PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions },`
		`@@ -128,7 +133,7 @@`
		`{ NULL, NULL, NULL }`
		`};`

		`- @@ -409,8 +412,9 @@ static const OSSL_ALGORITHM fips_keyexch[] = {`
		`+ @@ -376,8 +378,9 @@ static const OSSL_ALGORITHM fips_keyexch[] = {`
		`#endif`
		`#ifndef OPENSSL_NO_EC`
		`{ PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions },`
		`@@ -140,7 +145,7 @@`
		`#endif`
		`{ PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,`
		`ossl_kdf_tls1_prf_keyexch_functions },`
		`- @@ -420,13 +424,14 @@ static const OSSL_ALGORITHM fips_keyexch[] = {`
		`+ @@ -387,12 +390,14 @@ static const OSSL_ALGORITHM fips_keyexch[] = {`

		`static const OSSL_ALGORITHM fips_signature[] = {`
		`#ifndef OPENSSL_NO_DSA`
		`@@ -150,16 +155,15 @@`
		`#endif`
		`{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions },`
		`#ifndef OPENSSL_NO_EC`
		`- - { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,`
		`- - ossl_ed25519_signature_functions },`
		`- - { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },`
		`+ - { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_signature_functions },`
		`+ - { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_signature_functions },`
		`+ /* We don't certify Edwards curves in our FIPS provider */`
		`+ /* { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_signature_functions },`
		`+ { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_signature_functions }, */`
		`{ PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions },`
		`#endif`
		`{ PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES,`
		`- @@ -456,8 +461,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {`
		`+ @@ -422,8 +427,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {`
		`PROV_DESCS_DHX },`
		`#endif`
		`#ifndef OPENSSL_NO_DSA`
		`@@ -171,7 +175,7 @@`
		`#endif`
		`{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions,`
		`PROV_DESCS_RSA },`
		`- @@ -466,14 +472,15 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {`
		`+ @@ -432,14 +438,15 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {`
		`#ifndef OPENSSL_NO_EC`
		`{ PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions,`
		`PROV_DESCS_EC },`
		`@@ -181,19 +185,19 @@`
		`PROV_DESCS_X25519 },`
		`{ PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions,`
		`PROV_DESCS_X448 },`
		`- { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_keymgmt_functions,`
		`+ { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_keymgmt_functions,`
		`PROV_DESCS_ED25519 },`
		`- { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_keymgmt_functions,`
		`+ { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_keymgmt_functions,`
		`- PROV_DESCS_ED448 },`
		`+ PROV_DESCS_ED448 }, */`
		`#endif`
		`{ PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions,`
		`PROV_DESCS_TLS1_PRF_SIGN },`
		`diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc`
		`- index 2057378d3d..e0fdc0daa4 100644`
		`+ index 8ae8cd6f4a..27c32f7561 100644`
		`--- a/providers/fips/self_test_data.inc`
		`+++ b/providers/fips/self_test_data.inc`
		`- @@ -177,6 +177,7 @@ static const ST_KAT_DIGEST st_kat_digest_tests[] =`
		`+ @@ -171,6 +171,7 @@ static const ST_KAT_DIGEST st_kat_digest_tests[] =`
		`/- CIPHER TEST DATA /`

		`/* DES3 test data */`
		`@@ -201,7 +205,7 @@`
		`static const unsigned char des_ede3_cbc_pt[] = {`
		`0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,`
		`0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,`
		`- @@ -197,7 +198,7 @@ static const unsigned char des_ede3_cbc_ct[] = {`
		`+ @@ -191,7 +192,7 @@ static const unsigned char des_ede3_cbc_ct[] = {`
		`0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F,`
		`0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7`
		`};`
		`@@ -210,7 +214,23 @@`
		`/* AES-256 GCM test data */`
		`static const unsigned char aes_256_gcm_key[] = {`
		`0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c,`
		`- @@ -1454,8 +1455,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[] = {`
		`+ @@ -235,6 +236,7 @@ static const unsigned char aes_128_ecb_ct[] = {`
		`+ };`
		`+`
		`+ static const ST_KAT_CIPHER st_kat_cipher_tests[] = {`
		`+ +#if 0`
		`+ #ifndef OPENSSL_NO_DES`
		`+ {`
		`+ {`
		`+ @@ -247,6 +249,7 @@ static const ST_KAT_CIPHER st_kat_cipher_tests[] = {`
		`+ ITM(des_ede3_cbc_key),`
		`+ ITM(des_ede3_cbc_iv),`
		`+ },`
		`+ +#endif`
		`+ #endif`
		`+ {`
		`+ {`
		`+ @@ -1430,8 +1433,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[] = {`
		`# endif /* OPENSSL_NO_EC2M */`
		`#endif /* OPENSSL_NO_EC */`

		`@@ -221,7 +241,7 @@`
		`static const unsigned char dsa_p[] = {`
		`0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23,`
		`0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e,`
		`- @@ -1589,8 +1591,8 @@ static const ST_KAT_PARAM dsa_key[] = {`
		`+ @@ -1555,8 +1559,8 @@ static const ST_KAT_PARAM dsa_key[] = {`
		`ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, dsa_priv),`
		`ST_KAT_PARAM_END()`
		`};`
		`@@ -229,10 +249,10 @@`
		`-`
		`+#endif`
		`+#endif`
		`- /* Hash DRBG inputs for signature KATs */`
		`- static const unsigned char sig_kat_entropyin[] = {`
		`- 0x06, 0x6d, 0xc8, 0xce, 0x75, 0xb2, 0x89, 0x66, 0xa6, 0x85, 0x16, 0x3f,`
		`- @@ -1642,6 +1644,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {`
		`+ static const ST_KAT_SIGN st_kat_sign_tests[] = {`
		`+ {`
		`+ OSSL_SELF_TEST_DESC_SIGN_RSA,`
		`+ @@ -1589,6 +1593,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {`
		`},`
		`# endif`
		`#endif /* OPENSSL_NO_EC */`
		`@@ -240,8 +260,8 @@`
		`#ifndef OPENSSL_NO_DSA`
		`{`
		`OSSL_SELF_TEST_DESC_SIGN_DSA,`
		`- @@ -1654,6 +1657,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {`
		`- ITM(dsa_expected_sig)`
		`+ @@ -1601,6 +1606,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {`
		`+ */`
		`},`
		`#endif /* OPENSSL_NO_DSA */`
		`+#endif`
		`@@ -249,10 +269,10 @@`

		`static const ST_KAT_ASYM_CIPHER st_kat_asym_cipher_tests[] = {`
		`diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c`
		`- index cd5de6bd51..07824e558c 100644`
		`+ index 7023a86613..7e2cd252bb 100644`
		`--- a/providers/implementations/signature/rsa_sig.c`
		`+++ b/providers/implementations/signature/rsa_sig.c`
		`- @@ -777,6 +777,19 @@ static int rsa_verify(void vprsactx, const unsigned char sig, size_t siglen,`
		`+ @@ -763,6 +763,19 @@ static int rsa_verify(void vprsactx, const unsigned char sig, size_t siglen,`
		`{`
		`PROV_RSA_CTX prsactx = (PROV_RSA_CTX )vprsactx;`
		`size_t rslen;`
		`@@ -273,7 +293,7 @@`
		`if (!ossl_prov_is_running())`
		`return 0;`
		`diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c`
		`- index a5e60e8839..f9af07d12b 100644`
		`+ index 2b64fa5e2b..6bd0201c96 100644`
		`--- a/ssl/ssl_ciph.c`
		`+++ b/ssl/ssl_ciph.c`
		`@@ -356,6 +356,9 @@ int ssl_load_ciphers(SSL_CTX *ctx)`
		`@@ -307,10 +327,10 @@`
		`#ifndef OPENSSL_NO_EC`
		`ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data));`
		`diff --git a/test/endecode_test.c b/test/endecode_test.c`
		`- index 9a437d8c64..53385028fc 100644`
		`+ index b0770e652e..4bfcba46ec 100644`
		`--- a/test/endecode_test.c`
		`+++ b/test/endecode_test.c`
		`- @@ -1407,6 +1407,7 @@ int setup_tests(void)`
		`+ @@ -1393,6 +1393,7 @@ int setup_tests(void)`
		`* so no legacy tests.`
		`*/`
		`#endif`
		`@@ -318,7 +338,7 @@`
		`#ifndef OPENSSL_NO_DSA`
		`ADD_TEST_SUITE(DSA);`
		`ADD_TEST_SUITE_PARAMS(DSA);`
		`- @@ -1417,6 +1418,7 @@ int setup_tests(void)`
		`+ @@ -1403,6 +1404,7 @@ int setup_tests(void)`
		`ADD_TEST_SUITE_PROTECTED_PVK(DSA);`
		`# endif`
		`#endif`
		`@@ -326,7 +346,7 @@`
		`#ifndef OPENSSL_NO_EC`
		`ADD_TEST_SUITE(EC);`
		`ADD_TEST_SUITE_PARAMS(EC);`
		`- @@ -1431,10 +1433,12 @@ int setup_tests(void)`
		`+ @@ -1417,10 +1419,12 @@ int setup_tests(void)`
		`ADD_TEST_SUITE(ECExplicitTri2G);`
		`ADD_TEST_SUITE_LEGACY(ECExplicitTri2G);`
		`# endif`
		`@@ -401,21 +421,18 @@`
		`subtest DSA => sub {`
		`my $testtext_prefix = 'DSA';`
		`diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t`
		`- index 9d7040ced2..3be2549cb5 100644`
		`+ index 0a036b7da0..3bcb624c64 100644`
		`--- a/test/recipes/30-test_evp.t`
		`+++ b/test/recipes/30-test_evp.t`
		`- @@ -42,10 +42,8 @@ my @files = qw(`
		`+ @@ -42,7 +42,6 @@ my @files = qw(`
		`evpciph_aes_cts.txt`
		`evpciph_aes_wrap.txt`
		`evpciph_aes_stitched.txt`
		`- evpciph_des3_common.txt`
		`evpkdf_hkdf.txt`
		`- evpkdf_kbkdf_counter.txt`
		`- - evpkdf_kbkdf_kmac.txt`
		`evpkdf_pbkdf1.txt`
		`evpkdf_pbkdf2.txt`
		`- evpkdf_ss.txt`
		`- @@ -65,12 +63,6 @@ push @files, qw(`
		`+ @@ -63,12 +62,6 @@ push @files, qw(`
		`evppkey_ffdhe.txt`
		`evppkey_dh.txt`
		`) unless $no_dh;`
		`@@ -428,16 +445,15 @@`
		`push @files, qw(`
		`evppkey_ecc.txt`
		`evppkey_ecdh.txt`
		`- @@ -91,6 +83,8 @@ my @defltfiles = qw(`
		`+ @@ -89,6 +82,7 @@ my @defltfiles = qw(`
		`evpciph_cast5.txt`
		`evpciph_chacha.txt`
		`evpciph_des.txt`
		`+ evpciph_des3_common.txt`
		`- + evpkdf_kbkdf_kmac.txt`
		`evpciph_idea.txt`
		`evpciph_rc2.txt`
		`evpciph_rc4.txt`
		`- @@ -118,6 +112,12 @@ my @defltfiles = qw(`
		`+ @@ -116,6 +110,12 @@ my @defltfiles = qw(`
		`evppkey_kdf_tls1_prf.txt`
		`evppkey_rsa.txt`
		`);`
		`@@ -451,18 +467,18 @@`
		`push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2;`

		`diff --git a/test/recipes/30-test_evp_data/evpmac_common.txt b/test/recipes/30-test_evp_data/evpmac_common.txt`
		`- index 93195df97c..315413cd9b 100644`
		`+ index a7300fd017..7304e38725 100644`
		`--- a/test/recipes/30-test_evp_data/evpmac_common.txt`
		`+++ b/test/recipes/30-test_evp_data/evpmac_common.txt`
		`- @@ -340,6 +340,7 @@ IV = 7AE8E2CA4EC500012E58495C`
		`- Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D0007`
		`- Result = MAC_INIT_ERROR`
		`+ @@ -327,6 +327,7 @@ Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C`
		`+ Output = 00BDA1B7E87608BCBF470F12157F4C07`
		`+`

		`+Availablein = default`
		`Title = KMAC Tests (From NIST)`
		`MAC = KMAC128`
		`Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F`
		`- @@ -350,12 +351,14 @@ Ctrl = xof:0`
		`+ @@ -337,12 +338,14 @@ Ctrl = xof:0`
		`OutputSize = 32`
		`BlockSize = 168`

		`@@ -477,7 +493,7 @@`
		`MAC = KMAC128`
		`Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F`
		`Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7`
		`- @@ -363,6 +366,7 @@ Custom = "My Tagged Application"`
		`+ @@ -350,6 +353,7 @@ Custom = "My Tagged Application"`
		`Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230`
		`Ctrl = size:32`

		`@@ -485,7 +501,7 @@`
		`MAC = KMAC256`
		`Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F`
		`Input = 00010203`
		`- @@ -371,12 +375,14 @@ Output = 20C570C31346F703C9AC36C61C03CB64C3970D0CFC787E9B79599D273A68D2F7F69D4CC`
		`+ @@ -358,12 +362,14 @@ Output = 20C570C31346F703C9AC36C61C03CB64C3970D0CFC787E9B79599D273A68D2F7F69D4CC`
		`OutputSize = 64`
		`BlockSize = 136`

		`@@ -500,7 +516,7 @@`
		`MAC = KMAC256`
		`Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F`
		`Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7`
		`- @@ -386,12 +392,14 @@ Ctrl = size:64`
		`+ @@ -373,12 +379,14 @@ Ctrl = size:64`

		`Title = KMAC XOF Tests (From NIST)`

		`@@ -515,7 +531,7 @@`
		`MAC = KMAC128`
		`Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F`
		`Input = 00010203`
		`- @@ -399,6 +407,7 @@ Custom = "My Tagged Application"`
		`+ @@ -386,6 +394,7 @@ Custom = "My Tagged Application"`
		`Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C`
		`XOF = 1`

		`@@ -523,7 +539,7 @@`
		`MAC = KMAC128`
		`Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F`
		`Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7`
		`- @@ -407,6 +416,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F`
		`+ @@ -394,6 +403,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F`
		`XOF = 1`
		`Ctrl = size:32`

		`@@ -531,7 +547,7 @@`
		`MAC = KMAC256`
		`Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F`
		`Input = 00010203`
		`- @@ -414,6 +424,7 @@ Custom = "My Tagged Application"`
		`+ @@ -401,6 +411,7 @@ Custom = "My Tagged Application"`
		`Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B`
		`XOF = 1`

		`@@ -539,7 +555,7 @@`
		`MAC = KMAC256`
		`Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F`
		`Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7`
		`- @@ -421,6 +432,7 @@ Custom = ""`
		`+ @@ -408,6 +419,7 @@ Custom = ""`
		`Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B`
		`XOF = 1`

		`@@ -547,7 +563,7 @@`
		`MAC = KMAC256`
		`Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F`
		`Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7`
		`- @@ -431,6 +443,7 @@ XOF = 1`
		`+ @@ -418,6 +430,7 @@ XOF = 1`

		`Title = KMAC long customisation string (from NIST ACVP)`

		`@@ -555,7 +571,7 @@`
		`MAC = KMAC256`
		`Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3`
		`Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D`
		`- @@ -441,12 +454,14 @@ XOF = 1`
		`+ @@ -428,12 +441,14 @@ XOF = 1`

		`Title = KMAC XOF Tests via ctrl (From NIST)`

		`@@ -570,7 +586,7 @@`
		`MAC = KMAC128`
		`Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F`
		`Input = 00010203`
		`- @@ -454,6 +469,7 @@ Custom = "My Tagged Application"`
		`+ @@ -441,6 +456,7 @@ Custom = "My Tagged Application"`
		`Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C`
		`Ctrl = xof:1`

		`@@ -578,7 +594,7 @@`
		`MAC = KMAC128`
		`Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F`
		`Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7`
		`- @@ -462,6 +478,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F`
		`+ @@ -449,6 +465,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F`
		`Ctrl = xof:1`
		`Ctrl = size:32`

		`@@ -586,7 +602,7 @@`
		`MAC = KMAC256`
		`Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F`
		`Input = 00010203`
		`- @@ -469,6 +486,7 @@ Custom = "My Tagged Application"`
		`+ @@ -456,6 +473,7 @@ Custom = "My Tagged Application"`
		`Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B`
		`Ctrl = xof:1`

		`@@ -594,7 +610,7 @@`
		`MAC = KMAC256`
		`Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F`
		`Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7`
		`- @@ -476,6 +494,7 @@ Custom = ""`
		`+ @@ -463,6 +481,7 @@ Custom = ""`
		`Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B`
		`Ctrl = xof:1`

		`@@ -602,7 +618,7 @@`
		`MAC = KMAC256`
		`Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F`
		`Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7`
		`- @@ -486,6 +505,7 @@ Ctrl = xof:1`
		`+ @@ -473,6 +492,7 @@ Ctrl = xof:1`

		`Title = KMAC long customisation string via ctrl (from NIST ACVP)`

		`@@ -610,7 +626,7 @@`
		`MAC = KMAC256`
		`Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3`
		`Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D`
		`- @@ -496,6 +516,7 @@ Ctrl = xof:1`
		`+ @@ -483,6 +503,7 @@ Ctrl = xof:1`

		`Title = KMAC long customisation string negative test`

		`@@ -618,7 +634,7 @@`
		`MAC = KMAC128`
		`Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F`
		`Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7`
		`- @@ -504,6 +525,7 @@ Result = MAC_INIT_ERROR`
		`+ @@ -491,6 +512,7 @@ Result = MAC_INIT_ERROR`

		`Title = KMAC output is too large`

		`@@ -627,7 +643,7 @@`
		`Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F`
		`Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7`
		`diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t`
		`- index 40dd585c18..cbec426137 100644`
		`+ index abe299b6a2..cbe7ae768d 100644`
		`--- a/test/recipes/80-test_cms.t`
		`+++ b/test/recipes/80-test_cms.t`
		`@@ -96,7 +96,7 @@ my @smime_pkcs7_tests = (`
		`@@ -730,7 +746,7 @@`
		`"-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",`
		`"-stream", "-out", "{output}.cms" ],`
		`diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t`
		`- index 50b74a1e29..e2dcb68fb5 100644`
		`+ index 8c52b637fc..116cd594c0 100644`
		`--- a/test/recipes/80-test_ssl_old.t`
		`+++ b/test/recipes/80-test_ssl_old.t`
		`@@ -436,7 +436,7 @@ sub testssl {`
		`@@ -743,5 +759,5 @@`
		`}`

		`--`
		`- 2.41.0`
		`+ 2.39.3`

0023-Patch-anme-0047-FIPS-early-KATS.patch.patch ~~0047-FIPS-early-KATS.patch~~

file renamed

+14 -18

		`@@ -1,22 +1,18 @@`
		`- From 0242c0317b7c7874148c456aaab1e8eeb156d7c1 Mon Sep 17 00:00:00 2001`
		`- From: rpm-build <rpm-build>`
		`- Date: Mon, 31 Jul 2023 09:41:28 +0200`
		`- Subject: [PATCH 22/35] 0047-FIPS-early-KATS.patch`
		`+ From 7de9992d9c181e914d64356e534c152b9ebf5301 Mon Sep 17 00:00:00 2001`
		`+ From: Sahana Prasad <sahana@redhat.com>`
		`+ Date: Mon, 5 Jun 2023 20:36:24 +0200`
		`+ Subject: [PATCH 23/42] Patch anme: 0047-FIPS-early-KATS.patch`

		`- Patch-name: 0047-FIPS-early-KATS.patch`
		`- Patch-id: 47`
		`- Patch-status: \|`
		`- # Execute KATS before HMAC verification`
		`- From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd`
		`+ Signed-off-by: Sahana Prasad <sahana@redhat.com>`
		`---`
		`providers/fips/self_test.c \| 22 ++++++++++------------`
		`1 file changed, 10 insertions(+), 12 deletions(-)`

		`diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c`
		`- index ef56002854..062d9df84a 100644`
		`+ index 2050a7eb3e..f2221998b3 100644`
		`--- a/providers/fips/self_test.c`
		`+++ b/providers/fips/self_test.c`
		`- @@ -414,6 +414,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)`
		`+ @@ -350,6 +350,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)`
		`if (ev == NULL)`
		`goto end;`

		`@@ -33,10 +29,11 @@`
		`module_checksum = fips_hmac_container;`
		`checksum_len = sizeof(fips_hmac_container);`

		`- @@ -464,18 +474,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)`
		`+ @@ -399,18 +409,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)`
		`+ kats_already_passed = 1;`
		`}`
		`}`
		`-`
		`+ -`
		`- /*`
		`- * Only runs the KAT's during installation OR on_demand().`
		`- * NOTE: If the installation option 'self_test_onload' is chosen then this`
		`@@ -48,10 +45,9 @@`
		`- goto end;`
		`- }`
		`- }`
		`- -`
		`- /* Verify that the RNG has been restored properly */`
		`- testrand = EVP_RAND_fetch(st->libctx, "TEST-RAND", NULL);`
		`- if (testrand == NULL`
		`+ ok = 1;`
		`+ end:`
		`+ OSSL_SELF_TEST_free(ev);`
		`--`
		`- 2.41.0`
		`+ 2.39.3`

0024-Allow-disabling-of-SHA1-signatures.patch ~~0049-Allow-disabling-of-SHA1-signatures.patch~~

file renamed

+45 -98

		`@@ -1,7 +1,7 @@`
		`- From 51d52096122cc73413d55aac06d5e0641f58ffcb Mon Sep 17 00:00:00 2001`
		`+ From 8a834a3d609f115fbd1223de268ea7c6232b52b6 Mon Sep 17 00:00:00 2001`
		`From: Clemens Lang <cllang@redhat.com>`
		`Date: Mon, 21 Feb 2022 17:24:44 +0100`
		`- Subject: [PATCH] Allow disabling of SHA1 signatures`
		`+ Subject: [PATCH 24/42] Allow disabling of SHA1 signatures`
		`MIME-Version: 1.0`
		`Content-Type: text/plain; charset=UTF-8`
		`Content-Transfer-Encoding: 8bit`
		`@@ -40,69 +40,21 @@`
		`implementation does not know that it is signing a SHA1 hash (it could be`
		`signing arbitrary data).`
		`---`
		`- crypto/context.c \| 14 ++++`
		`crypto/evp/evp_cnf.c \| 13 +++`
		`- crypto/evp/m_sigver.c \| 79 +++++++++++++++++++`
		`+ crypto/evp/m_sigver.c \| 85 +++++++++++++++++++`
		`crypto/evp/pmeth_lib.c \| 15 ++++`
		`doc/man5/config.pod \| 13 +++`
		`- include/crypto/context.h \| 3 +`
		`include/internal/cryptlib.h \| 3 +-`
		`include/internal/sslconf.h \| 4 +`
		`providers/common/securitycheck.c \| 20 +++++`
		`- providers/common/securitycheck_default.c \| 9 ++-`
		`+ providers/common/securitycheck_default.c \| 9 +-`
		`providers/implementations/signature/dsa_sig.c \| 11 ++-`
		`.../implementations/signature/ecdsa_sig.c \| 4 +`
		`providers/implementations/signature/rsa_sig.c \| 20 ++++-`
		`ssl/t1_lib.c \| 8 ++`
		`util/libcrypto.num \| 2 +`
		`- 15 files changed, 209 insertions(+), 9 deletions(-)`
		`+ 13 files changed, 198 insertions(+), 9 deletions(-)`

		`- diff --git a/crypto/context.c b/crypto/context.c`
		`- index e294ea1512..ab6abf44ab 100644`
		`- --- a/crypto/context.c`
		`- +++ b/crypto/context.c`
		`- @@ -43,6 +43,8 @@ struct ossl_lib_ctx_st {`
		`- void *fips_prov;`
		`- #endif`
		`-`
		`- + void *legacy_digest_signatures;`
		`- +`
		`- unsigned int ischild:1;`
		`- };`
		`-`
		`- @@ -171,6 +173,10 @@ static int context_init(OSSL_LIB_CTX *ctx)`
		`- goto err;`
		`- #endif`
		`-`
		`- + ctx->legacy_digest_signatures = ossl_ctx_legacy_digest_signatures_new(ctx);`
		`- + if (ctx->legacy_digest_signatures == NULL)`
		`- + goto err;`
		`- +`
		`- /* Low priority. */`
		`- #ifndef FIPS_MODULE`
		`- ctx->child_provider = ossl_child_prov_ctx_new(ctx);`
		`- @@ -299,6 +305,11 @@ static void context_deinit_objs(OSSL_LIB_CTX *ctx)`
		`- }`
		`- #endif`
		`-`
		`- + if (ctx->legacy_digest_signatures != NULL) {`
		`- + ossl_ctx_legacy_digest_signatures_free(ctx->legacy_digest_signatures);`
		`- + ctx->legacy_digest_signatures = NULL;`
		`- + }`
		`- +`
		`- /* Low priority. */`
		`- #ifndef FIPS_MODULE`
		`- if (ctx->child_provider != NULL) {`
		`- @@ -589,6 +600,9 @@ void ossl_lib_ctx_get_data(OSSL_LIB_CTX ctx, int index)`
		`- return ctx->fips_prov;`
		`- #endif`
		`-`
		`- + case OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX:`
		`- + return ctx->legacy_digest_signatures;`
		`- +`
		`- default:`
		`- return NULL;`
		`- }`
		`diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c`
		`index 0e7fe64cf9..b9d3b6d226 100644`
		`--- a/crypto/evp/evp_cnf.c`
		`@@ -135,20 +87,18 @@`
		`ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,`
		`"name=%s, value=%s", oval->name, oval->value);`
		`diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c`
		`- index 630d339c35..6e4e9f5ae7 100644`
		`+ index 76a6814b42..8da2183ce0 100644`
		`--- a/crypto/evp/m_sigver.c`
		`+++ b/crypto/evp/m_sigver.c`
		`- @@ -15,6 +15,73 @@`
		`- #include "internal/provider.h"`
		`+ @@ -16,6 +16,79 @@`
		`#include "internal/numbers.h" /* includes SIZE_MAX */`
		`#include "evp_local.h"`
		`- +#include "crypto/context.h"`
		`- +`
		`+`
		`+typedef struct ossl_legacy_digest_signatures_st {`
		`+ int allowed;`
		`+} OSSL_LEGACY_DIGEST_SIGNATURES;`
		`+`
		`- +void ossl_ctx_legacy_digest_signatures_free(void *vldsigs)`
		`+ +static void ossl_ctx_legacy_digest_signatures_free(void *vldsigs)`
		`+{`
		`+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs;`
		`+`
		`@@ -157,7 +107,7 @@`
		`+ }`
		`+}`
		`+`
		`- +void ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX ctx)`
		`+ +static void ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX ctx)`
		`+{`
		`+ OSSL_LEGACY_DIGEST_SIGNATURES* ldsigs = OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES));`
		`+ /* Warning: This patch differs from the same patch in CentOS and RHEL here,`
		`@@ -167,6 +117,12 @@`
		`+ return ldsigs;`
		`+}`
		`+`
		`+ +static const OSSL_LIB_CTX_METHOD ossl_ctx_legacy_digest_signatures_method = {`
		`+ + OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY,`
		`+ + ossl_ctx_legacy_digest_signatures_new,`
		`+ + ossl_ctx_legacy_digest_signatures_free,`
		`+ +};`
		`+ +`
		`+static OSSL_LEGACY_DIGEST_SIGNATURES *ossl_ctx_legacy_digest_signatures(`
		`+ OSSL_LIB_CTX *libctx, int loadconfig)`
		`+{`
		`@@ -175,7 +131,8 @@`
		`+ return NULL;`
		`+#endif`
		`+`
		`- + return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX);`
		`+ + return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES,`
		`+ + &ossl_ctx_legacy_digest_signatures_method);`
		`+}`
		`+`
		`+int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig)`
		`@@ -209,10 +166,11 @@`
		`+ ldsigs->allowed = allow;`
		`+ return 1;`
		`+}`
		`-`
		`+ +`
		`#ifndef FIPS_MODULE`

		`- @@ -251,6 +318,18 @@ static int do_sigver_init(EVP_MD_CTX ctx, EVP_PKEY_CTX *pctx,`
		`+ static int update(EVP_MD_CTX ctx, const void data, size_t datalen)`
		`+ @@ -258,6 +331,18 @@ static int do_sigver_init(EVP_MD_CTX ctx, EVP_PKEY_CTX *pctx,`
		`}`
		`}`

		`@@ -232,7 +190,7 @@`
		`if (signature->digest_verify_init == NULL) {`
		`ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);`
		`diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c`
		`- index ce6e1a1ccb..003926247b 100644`
		`+ index da367ed05f..ee6edf1e85 100644`
		`--- a/crypto/evp/pmeth_lib.c`
		`+++ b/crypto/evp/pmeth_lib.c`
		`@@ -33,6 +33,7 @@`
		`@@ -243,7 +201,7 @@`
		`#include "evp_local.h"`

		`#ifndef FIPS_MODULE`
		`- @@ -958,6 +959,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX ctx, const EVP_MD md,`
		`+ @@ -946,6 +947,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX ctx, const EVP_MD md,`
		`return -2;`
		`}`

		`@@ -265,10 +223,10 @@`
		`return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md));`

		`diff --git a/doc/man5/config.pod b/doc/man5/config.pod`
		`- index 8d312c661f..979683e0a5 100644`
		`+ index 7624c97225..19bad84e80 100644`
		`--- a/doc/man5/config.pod`
		`+++ b/doc/man5/config.pod`
		`- @@ -296,6 +296,19 @@ Within the algorithm properties section, the following names have meaning:`
		`+ @@ -304,6 +304,19 @@ Within the algorithm properties section, the following names have meaning:`
		`The value may be anything that is acceptable as a property query`
		`string for EVP_set_default_properties().`

		`@@ -288,19 +246,8 @@`
		`=item B<fips_mode> (deprecated)`

		`The value is a boolean that can be B<yes> or B<no>. If the value is`
		`- diff --git a/include/crypto/context.h b/include/crypto/context.h`
		`- index cc06c71be8..e9f74a414d 100644`
		`- --- a/include/crypto/context.h`
		`- +++ b/include/crypto/context.h`
		`- @@ -39,3 +39,6 @@ void ossl_rand_crng_ctx_free(void *);`
		`- void ossl_thread_event_ctx_free(void *);`
		`- void ossl_fips_prov_ossl_ctx_free(void *);`
		`- void ossl_release_default_drbg_ctx(void);`
		`- +`
		`- +void ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX );`
		`- +void ossl_ctx_legacy_digest_signatures_free(void *);`
		`diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h`
		`- index ac50eb3bbd..3b115cc7df 100644`
		`+ index 934d4b089c..45346d7d0b 100644`
		`--- a/include/internal/cryptlib.h`
		`+++ b/include/internal/cryptlib.h`
		`@@ -168,7 +168,8 @@ typedef struct ossl_ex_data_global_st {`
		`@@ -308,11 +255,11 @@`
		`# define OSSL_LIB_CTX_BIO_CORE_INDEX 17`
		`# define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX 18`
		`-# define OSSL_LIB_CTX_MAX_INDEXES 19`
		`- +# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 19`
		`+ +# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES 19`
		`+# define OSSL_LIB_CTX_MAX_INDEXES 20`

		`- OSSL_LIB_CTX ossl_lib_ctx_get_concrete(OSSL_LIB_CTX ctx);`
		`- int ossl_lib_ctx_is_default(OSSL_LIB_CTX *ctx);`
		`+ # define OSSL_LIB_CTX_METHOD_LOW_PRIORITY -1`
		`+ # define OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY 0`
		`diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h`
		`index fd7f7e3331..05464b0655 100644`
		`--- a/include/internal/sslconf.h`
		`@@ -371,7 +318,7 @@`
		`return 1;`
		`}`
		`diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c`
		`- index 246323493e..2ca7a59f39 100644`
		`+ index de7f0d3a0a..ce54a94fbc 100644`
		`--- a/providers/common/securitycheck_default.c`
		`+++ b/providers/common/securitycheck_default.c`
		`@@ -15,6 +15,7 @@`
		`@@ -382,7 +329,7 @@`

		`/* Disable the security checks in the default provider */`
		`int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)`
		`- @@ -29,9 +30,10 @@ int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx)`
		`+ @@ -23,9 +24,10 @@ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)`
		`}`

		`int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX ctx, const EVP_MD md,`
		`@@ -394,7 +341,7 @@`

		`static const OSSL_ITEM name_to_nid[] = {`
		`{ NID_md5, OSSL_DIGEST_NAME_MD5 },`
		`- @@ -42,8 +44,11 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX ctx, const EVP_MD md,`
		`+ @@ -36,8 +38,11 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX ctx, const EVP_MD md,`
		`{ NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 },`
		`};`

		`@@ -408,10 +355,10 @@`
		`return mdnid;`
		`}`
		`diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c`
		`- index 70d0ea5d24..3c482e0181 100644`
		`+ index 28fd7c498e..fa3822f39f 100644`
		`--- a/providers/implementations/signature/dsa_sig.c`
		`+++ b/providers/implementations/signature/dsa_sig.c`
		`- @@ -123,12 +123,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,`
		`+ @@ -124,12 +124,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,`
		`mdprops = ctx->propq;`

		`if (mdname != NULL) {`
		`@@ -449,7 +396,7 @@`
		`sha1_allowed);`
		`if (md_nid < 0) {`
		`diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c`
		`- index cd5de6bd51..25a51df878 100644`
		`+ index 7e2cd252bb..277b7da9f6 100644`
		`--- a/providers/implementations/signature/rsa_sig.c`
		`+++ b/providers/implementations/signature/rsa_sig.c`
		`@@ -25,6 +25,7 @@`
		`@@ -468,7 +415,7 @@`

		`static OSSL_FUNC_signature_newctx_fn rsa_newctx;`
		`static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;`
		`- @@ -302,10 +304,15 @@ static int rsa_setup_md(PROV_RSA_CTX ctx, const char mdname,`
		`+ @@ -288,10 +290,15 @@ static int rsa_setup_md(PROV_RSA_CTX ctx, const char mdname,`

		`if (mdname != NULL) {`
		`EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);`
		`@@ -486,7 +433,7 @@`

		`if (md == NULL`
		`\|\| md_nid <= 0`
		`- @@ -1370,8 +1377,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])`
		`+ @@ -1360,8 +1367,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])`
		`prsactx->pad_mode = pad_mode;`

		`if (prsactx->md == NULL && pmdname == NULL`
		`@@ -504,7 +451,7 @@`
		`if (pmgf1mdname != NULL`
		`&& !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))`
		`diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c`
		`- index e6f4bcc045..8bc550ea5b 100644`
		`+ index 51c2283db9..89c1dd31c7 100644`
		`--- a/ssl/t1_lib.c`
		`+++ b/ssl/t1_lib.c`
		`@@ -20,6 +20,7 @@`
		`@@ -515,7 +462,7 @@`
		`#include "internal/nelem.h"`
		`#include "internal/sizes.h"`
		`#include "internal/tlsgroups.h"`
		`- @@ -1151,11 +1152,13 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)`
		`+ @@ -1150,11 +1151,13 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)`
		`= OPENSSL_malloc(sizeof(lu) OSSL_NELEM(sigalg_lookup_tbl));`
		`EVP_PKEY *tmpkey = EVP_PKEY_new();`
		`int ret = 0;`
		`@@ -529,7 +476,7 @@`
		`for (i = 0, lu = sigalg_lookup_tbl;`
		`i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {`
		`EVP_PKEY_CTX *pctx;`
		`- @@ -1175,6 +1178,11 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)`
		`+ @@ -1174,6 +1177,11 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)`
		`cache[i].enabled = 0;`
		`continue;`
		`}`
		`@@ -542,15 +489,15 @@`
		`if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {`
		`cache[i].enabled = 0;`
		`diff --git a/util/libcrypto.num b/util/libcrypto.num`
		`- index 9cb8a4dda2..feb660d030 100644`
		`+ index 4e729be97d..2ad515028a 100644`
		`--- a/util/libcrypto.num`
		`+++ b/util/libcrypto.num`
		`- @@ -5436,3 +5436,5 @@ EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION:`
		`- BN_are_coprime 5564 3_1_0 EXIST::FUNCTION:`
		`- OSSL_CMP_MSG_update_recipNonce 5565 3_0_9 EXIST::FUNCTION:CMP`
		`+ @@ -5429,3 +5429,5 @@ OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:`
		`+ OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:`
		`+ OSSL_CMP_CTX_reset_geninfo_ITAVs 5558 3_0_8 EXIST::FUNCTION:CMP`
		`ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:`
		`+ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:`
		`+ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:`
		`--`
		`- 2.40.1`
		`+ 2.39.3`

0025-Support-different-R_BITS-lengths-for-KBKDF.patch

file added

+2154

The added file is too large to be shown here, see it at: 0025-Support-different-R_BITS-lengths-for-KBKDF.patch

0026-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch ~~0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch~~

file renamed

+14 -14

		`@@ -1,7 +1,7 @@`
		`- From f470b130139919f32926b3f5a75ba4d161cbcf88 Mon Sep 17 00:00:00 2001`
		`+ From 9ce817e779d1b494242589c7a2bcd560e895d29f Mon Sep 17 00:00:00 2001`
		`From: Clemens Lang <cllang@redhat.com>`
		`Date: Tue, 1 Mar 2022 15:44:18 +0100`
		`- Subject: [PATCH 2/2] Allow SHA1 in seclevel 1 if rh-allow-sha1-signatures =`
		`+ Subject: [PATCH 26/42] Allow SHA1 in seclevel 1 if rh-allow-sha1-signatures =`
		`yes`

		`NOTE: This patch is ported from CentOS 9 / RHEL 9, where it allows SHA1`
		`@@ -33,7 +33,7 @@`
		`4 files changed, 82 insertions(+), 16 deletions(-)`

		`diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c`
		`- index 2f175ca517..bf0c608839 100644`
		`+ index 9384f1da9b..8f4c0b8c0b 100644`
		`--- a/crypto/x509/x509_vfy.c`
		`+++ b/crypto/x509/x509_vfy.c`
		`@@ -25,6 +25,7 @@`
		`@@ -44,7 +44,7 @@`
		`#include "crypto/x509.h"`
		`#include "x509_local.h"`

		`- @@ -3441,14 +3442,31 @@ static int check_sig_level(X509_STORE_CTX ctx, X509 cert)`
		`+ @@ -3430,14 +3431,31 @@ static int check_sig_level(X509_STORE_CTX ctx, X509 cert)`
		`{`
		`int secbits = -1;`
		`int level = ctx->param->auth_level;`
		`@@ -78,10 +78,10 @@`
		`return secbits >= minbits_table[level - 1];`
		`}`
		`diff --git a/doc/man5/config.pod b/doc/man5/config.pod`
		`- index 0c9110d28a..e0516d20b8 100644`
		`+ index 19bad84e80..b27f793af0 100644`
		`--- a/doc/man5/config.pod`
		`+++ b/doc/man5/config.pod`
		`- @@ -309,6 +309,13 @@ this option is set to B<no>. Because TLS 1.1 or lower use MD5-SHA1 as`
		`+ @@ -317,6 +317,13 @@ this option is set to B<no>. Because TLS 1.1 or lower use MD5-SHA1 as`
		`pseudorandom function (PRF) to derive key material, disabling`
		`B<rh-allow-sha1-signatures> requires the use of TLS 1.2 or newer.`

		`@@ -96,7 +96,7 @@`

		`The value is a boolean that can be B<yes> or B<no>. If the value is`
		`diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c`
		`- index dcd487ec2e..0b50266b69 100644`
		`+ index 89c1dd31c7..5d47058b68 100644`
		`--- a/ssl/t1_lib.c`
		`+++ b/ssl/t1_lib.c`
		`@@ -20,6 +20,7 @@`
		`@@ -107,7 +107,7 @@`
		`#include "internal/sslconf.h"`
		`#include "internal/nelem.h"`
		`#include "internal/sizes.h"`
		`- @@ -1561,19 +1562,28 @@ int tls12_check_peer_sigalg(SSL s, uint16_t sig, EVP_PKEY pkey)`
		`+ @@ -1566,19 +1567,28 @@ int tls12_check_peer_sigalg(SSL s, uint16_t sig, EVP_PKEY pkey)`
		`SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST);`
		`return 0;`
		`}`
		`@@ -149,7 +149,7 @@`
		`}`
		`/* Store the sigalg the peer uses */`
		`s->s3.tmp.peer_sigalg = lu;`
		`- @@ -2106,6 +2116,15 @@ static int tls12_sigalg_allowed(const SSL s, int op, const SIGALG_LOOKUP lu)`
		`+ @@ -2116,6 +2126,15 @@ static int tls12_sigalg_allowed(const SSL s, int op, const SIGALG_LOOKUP lu)`
		`}`
		`}`

		`@@ -165,7 +165,7 @@`
		`/* Finally see if security callback allows it */`
		`secbits = sigalg_security_bits(s->ctx, lu);`
		`sigalgstr[0] = (lu->sigalg >> 8) & 0xff;`
		`- @@ -2977,6 +2996,8 @@ static int ssl_security_cert_sig(SSL s, SSL_CTX ctx, X509 *x, int op)`
		`+ @@ -2985,6 +3004,8 @@ static int ssl_security_cert_sig(SSL s, SSL_CTX ctx, X509 *x, int op)`
		`{`
		`/* Lookup signature algorithm digest */`
		`int secbits, nid, pknid;`
		`@@ -174,7 +174,7 @@`
		`/* Don't check signature if self signed */`
		`if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)`
		`return 1;`
		`- @@ -2985,6 +3006,26 @@ static int ssl_security_cert_sig(SSL s, SSL_CTX ctx, X509 *x, int op)`
		`+ @@ -2993,6 +3014,26 @@ static int ssl_security_cert_sig(SSL s, SSL_CTX ctx, X509 *x, int op)`
		`/* If digest NID not defined use signature NID */`
		`if (nid == NID_undef)`
		`nid = pknid;`
		`@@ -202,10 +202,10 @@`
		`return ssl_security(s, op, secbits, nid, x);`
		`else`
		`diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t`
		`- index 700bbd849c..280477bc9d 100644`
		`+ index 2a4c36e86d..4a30edfc32 100644`
		`--- a/test/recipes/25-test_verify.t`
		`+++ b/test/recipes/25-test_verify.t`
		`- @@ -387,8 +387,8 @@ ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"`
		`+ @@ -419,8 +419,8 @@ ok(verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "0"`
		`ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ),`
		`"CA with PSS signature using SHA256");`

		`@@ -217,5 +217,5 @@`
		`ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),`
		`"PSS signature using SHA256 and auth level 2");`
		`--`
		`- 2.35.1`
		`+ 2.39.3`

0027-Instrument-SHA-1-signatures-with-USDT-probes.patch

file added

+238

		`@@ -0,0 +1,238 @@`
		`+ From 82922a270f5c8148e40f1c18ac6b6b04e6646314 Mon Sep 17 00:00:00 2001`
		`+ From: Clemens Lang <cllang@redhat.com>`
		`+ Date: Mon, 25 Apr 2022 15:21:46 +0200`
		`+ Subject: [PATCH 27/42] Instrument SHA-1 signatures with USDT probes`
		`+`
		`+ In order to discover remaining uses of SHA-1 in signatures without`
		`+ forcefully breaking the code paths, add USDT probes that can be queried`
		`+ with systemtap at runtime.`
		`+`
		`+ This should allow identifying components that still use SHA-1 signatures`
		`+ in production so that they can be transitioned to more modern hash`
		`+ algorithms.`
		`+ ---`
		`+ crypto/evp/m_sigver.c \| 13 +++++++++----`
		`+ crypto/evp/pmeth_lib.c \| 13 +++++++++----`
		`+ crypto/x509/x509_vfy.c \| 6 +++++-`
		`+ providers/common/securitycheck.c \| 22 +++++++++++++++-------`
		`+ providers/common/securitycheck_default.c \| 13 +++++++++++--`
		`+ ssl/t1_lib.c \| 8 +++++++-`
		`+ 6 files changed, 56 insertions(+), 19 deletions(-)`
		`+`
		`+ diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c`
		`+ index 8da2183ce0..c17cdfa5d5 100644`
		`+ --- a/crypto/evp/m_sigver.c`
		`+ +++ b/crypto/evp/m_sigver.c`
		`+ @@ -16,6 +16,8 @@`
		`+ #include "internal/numbers.h" /* includes SIZE_MAX */`
		`+ #include "evp_local.h"`
		`+`
		`+ +#include <sys/sdt.h>`
		`+ +`
		`+ typedef struct ossl_legacy_digest_signatures_st {`
		`+ int allowed;`
		`+ } OSSL_LEGACY_DIGEST_SIGNATURES;`
		`+ @@ -336,10 +338,13 @@ static int do_sigver_init(EVP_MD_CTX ctx, EVP_PKEY_CTX *pctx,`
		`+ && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)`
		`+ && !EVP_PKEY_is_a(locpctx->pkey, SN_hkdf)) {`
		`+ int mdnid = EVP_MD_nid(ctx->reqdigest);`
		`+ - if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0)`
		`+ - && (mdnid == NID_sha1 \|\| mdnid == NID_md5_sha1)) {`
		`+ - ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);`
		`+ - goto err;`
		`+ + if (mdnid == NID_sha1 \|\| mdnid == NID_md5_sha1) {`
		`+ + if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0)) {`
		`+ + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);`
		`+ + goto err;`
		`+ + } else {`
		`+ + DTRACE_PROBE1(libcrypto, fedora_do_sigver_init_1, mdnid);`
		`+ + }`
		`+ }`
		`+ }`
		`+`
		`+ diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c`
		`+ index ee6edf1e85..cd5e3eb85e 100644`
		`+ --- a/crypto/evp/pmeth_lib.c`
		`+ +++ b/crypto/evp/pmeth_lib.c`
		`+ @@ -36,6 +36,8 @@`
		`+ #include "internal/sslconf.h"`
		`+ #include "evp_local.h"`
		`+`
		`+ +#include <sys/sdt.h>`
		`+ +`
		`+ #ifndef FIPS_MODULE`
		`+`
		`+ static int evp_pkey_ctx_store_cached_data(EVP_PKEY_CTX *ctx,`
		`+ @@ -954,10 +956,13 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX ctx, const EVP_MD md,`
		`+ && !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf)`
		`+ && !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) {`
		`+ int mdnid = EVP_MD_nid(md);`
		`+ - if ((mdnid == NID_sha1 \|\| mdnid == NID_md5_sha1)`
		`+ - && !ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) {`
		`+ - ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);`
		`+ - return -1;`
		`+ + if (mdnid == NID_sha1 \|\| mdnid == NID_md5_sha1) {`
		`+ + if (!ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) {`
		`+ + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);`
		`+ + return -1;`
		`+ + } else {`
		`+ + DTRACE_PROBE1(libcrypto, fedora_evp_pkey_ctx_set_md_1, mdnid);`
		`+ + }`
		`+ }`
		`+ }`
		`+`
		`+ diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c`
		`+ index 8f4c0b8c0b..6212fcbd92 100644`
		`+ --- a/crypto/x509/x509_vfy.c`
		`+ +++ b/crypto/x509/x509_vfy.c`
		`+ @@ -29,6 +29,8 @@`
		`+ #include "crypto/x509.h"`
		`+ #include "x509_local.h"`
		`+`
		`+ +#include <sys/sdt.h>`
		`+ +`
		`+ /* CRL score values */`
		`+`
		`+ #define CRL_SCORE_NOCRITICAL 0x100 /* No unhandled critical extensions */`
		`+ @@ -3451,11 +3453,13 @@ static int check_sig_level(X509_STORE_CTX ctx, X509 cert)`
		`+`
		`+ if ((nid == NID_sha1 \|\| nid == NID_md5_sha1)`
		`+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)`
		`+ - && ctx->param->auth_level < 2)`
		`+ + && ctx->param->auth_level < 2) {`
		`+ + DTRACE_PROBE1(libcrypto, fedora_check_sig_level_1, nid);`
		`+ /* When rh-allow-sha1-signatures = yes and security level <= 1,`
		`+ * explicitly allow SHA1 for backwards compatibility. Also allow`
		`+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */`
		`+ return 1;`
		`+ + }`
		`+`
		`+ return secbits >= minbits_table[level - 1];`
		`+ }`
		`+ diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c`
		`+ index e534ad0a5f..bf496450cf 100644`
		`+ --- a/providers/common/securitycheck.c`
		`+ +++ b/providers/common/securitycheck.c`
		`+ @@ -21,6 +21,8 @@`
		`+ #include "prov/securitycheck.h"`
		`+ #include "internal/sslconf.h"`
		`+`
		`+ +#include <sys/sdt.h>`
		`+ +`
		`+ /*`
		`+ * FIPS requires a minimum security strength of 112 bits (for encryption or`
		`+ * signing), and for legacy purposes 80 bits (for decryption or verifying).`
		`+ @@ -238,11 +240,14 @@ int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX ctx, const EVP_MD md,`
		`+ # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */`
		`+`
		`+ #ifndef FIPS_MODULE`
		`+ - if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))`
		`+ - /* SHA1 is globally disabled, check whether we want to locally allow`
		`+ - * it. */`
		`+ - if (mdnid == NID_sha1 && !sha1_allowed)`
		`+ + if (mdnid == NID_sha1 && !sha1_allowed) {`
		`+ + if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))`
		`+ + /* SHA1 is globally disabled, check whether we want to locally allow`
		`+ + * it. */`
		`+ mdnid = -1;`
		`+ + else`
		`+ + DTRACE_PROBE1(libcrypto, fedora_ossl_digest_get_approved_nid_with_sha1_1, mdnid);`
		`+ + }`
		`+ #endif`
		`+`
		`+ return mdnid;`
		`+ @@ -258,9 +263,12 @@ int ossl_digest_is_allowed(OSSL_LIB_CTX ctx, const EVP_MD md)`
		`+ #ifndef FIPS_MODULE`
		`+ {`
		`+ int mdnid = EVP_MD_nid(md);`
		`+ - if ((mdnid == NID_sha1 \|\| mdnid == NID_md5_sha1)`
		`+ - && !ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))`
		`+ - return 0;`
		`+ + if (mdnid == NID_sha1 \|\| mdnid == NID_md5_sha1) {`
		`+ + if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))`
		`+ + return 0;`
		`+ + else`
		`+ + DTRACE_PROBE1(libcrypto, fedora_ossl_digest_is_allowed_1, mdnid);`
		`+ + }`
		`+ }`
		`+ #endif`
		`+`
		`+ diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c`
		`+ index ce54a94fbc..2d21e4a7df 100644`
		`+ --- a/providers/common/securitycheck_default.c`
		`+ +++ b/providers/common/securitycheck_default.c`
		`+ @@ -17,6 +17,8 @@`
		`+ #include "internal/nelem.h"`
		`+ #include "internal/sslconf.h"`
		`+`
		`+ +#include <sys/sdt.h>`
		`+ +`
		`+ /* Disable the security checks in the default provider */`
		`+ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)`
		`+ {`
		`+ @@ -40,9 +42,16 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX ctx, const EVP_MD md,`
		`+`
		`+ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx, 0);`
		`+ mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, sha1_allowed \|\| ldsigs_allowed);`
		`+ + if (mdnid == NID_sha1)`
		`+ + /* This will only happen if SHA1 is allowed, otherwise mdnid is -1. */`
		`+ + DTRACE_PROBE1(libcrypto, fedora_ossl_digest_rsa_sign_get_md_nid_1, mdnid);`
		`+ if (mdnid == NID_undef)`
		`+ mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));`
		`+ - if (mdnid == NID_md5_sha1 && !ldsigs_allowed)`
		`+ - mdnid = -1;`
		`+ + if (mdnid == NID_md5_sha1) {`
		`+ + if (ldsigs_allowed)`
		`+ + DTRACE_PROBE1(libcrypto, fedora_ossl_digest_rsa_sign_get_md_nid_2, mdnid);`
		`+ + else`
		`+ + mdnid = -1;`
		`+ + }`
		`+ return mdnid;`
		`+ }`
		`+ diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c`
		`+ index 5d47058b68..3d46c570ee 100644`
		`+ --- a/ssl/t1_lib.c`
		`+ +++ b/ssl/t1_lib.c`
		`+ @@ -28,6 +28,8 @@`
		`+ #include "ssl_local.h"`
		`+ #include <openssl/ct.h>`
		`+`
		`+ +#include <sys/sdt.h>`
		`+ +`
		`+ static const SIGALG_LOOKUP find_sig_alg(SSL s, X509 x, EVP_PKEY pkey);`
		`+ static int tls12_sigalg_allowed(const SSL s, int op, const SIGALG_LOOKUP lu);`
		`+`
		`+ @@ -1574,6 +1576,7 @@ int tls12_check_peer_sigalg(SSL s, uint16_t sig, EVP_PKEY pkey)`
		`+ /* When rh-allow-sha1-signatures = yes and security level <= 1,`
		`+ * explicitly allow SHA1 for backwards compatibility. Also allow`
		`+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */`
		`+ + DTRACE_PROBE1(libssl, fedora_tls12_check_peer_sigalg_1, lu->hash);`
		`+ } else {`
		`+ /*`
		`+ * Make sure security callback allows algorithm. For historical`
		`+ @@ -2132,6 +2135,7 @@ static int tls12_sigalg_allowed(const SSL s, int op, const SIGALG_LOOKUP lu)`
		`+ /* When rh-allow-sha1-signatures = yes and security level <= 1,`
		`+ * explicitly allow SHA1 for backwards compatibility. Also allow`
		`+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */`
		`+ + DTRACE_PROBE1(libssl, fedora_tls12_sigalg_allowed_1, lu->hash);`
		`+ return 1;`
		`+ }`
		`+`
		`+ @@ -3028,11 +3032,13 @@ static int ssl_security_cert_sig(SSL s, SSL_CTX ctx, X509 *x, int op)`
		`+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)`
		`+ && ((s != NULL && SSL_get_security_level(s) < 2)`
		`+ \|\| (ctx != NULL && SSL_CTX_get_security_level(ctx) < 2)`
		`+ - ))`
		`+ + )) {`
		`+ /* When rh-allow-sha1-signatures = yes and security level <= 1,`
		`+ * explicitly allow SHA1 for backwards compatibility. Also allow`
		`+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */`
		`+ + DTRACE_PROBE1(libssl, fedora_ssl_security_cert_sig_1, nid);`
		`+ return 1;`
		`+ + }`
		`+`
		`+ if (s)`
		`+ return ssl_security(s, op, secbits, nid, x);`
		`+ --`
		`+ 2.39.3`
		`+`

0028-Patch-name-0056-strcasecmp.patch.patch ~~0056-strcasecmp.patch~~

file renamed

+12 -18

		`@@ -1,15 +1,9 @@`
		`- From 8545e0c4c38934fda47b701043dd5ce89c99fe81 Mon Sep 17 00:00:00 2001`
		`- From: rpm-build <rpm-build>`
		`- Date: Mon, 31 Jul 2023 09:41:28 +0200`
		`- Subject: [PATCH 25/35] 0056-strcasecmp.patch`
		`+ From 6bd99bb29f609f2ba625e2c80fa70f6935429022 Mon Sep 17 00:00:00 2001`
		`+ From: Sahana Prasad <sahana@redhat.com>`
		`+ Date: Wed, 7 Jun 2023 10:20:16 +0200`
		`+ Subject: [PATCH 28/42] Patch-name: 0056-strcasecmp.patch`

		`- Patch-name: 0056-strcasecmp.patch`
		`- Patch-id: 56`
		`- Patch-status: \|`
		`- # https://github.com/openssl/openssl/pull/18103`
		`- # The patch is incorporated in 3.0.3 but we provide this function since 3.0.1`
		`- # so the patch should persist`
		`- From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd`
		`+ Signed-off-by: Sahana Prasad <sahana@redhat.com>`
		`---`
		`crypto/o_str.c \| 14 ++++++++++++--`
		`test/recipes/01-test_symbol_presence.t \| 1 +`
		`@@ -17,7 +11,7 @@`
		`3 files changed, 15 insertions(+), 2 deletions(-)`

		`diff --git a/crypto/o_str.c b/crypto/o_str.c`
		`- index 3354ce0927..95b9538471 100644`
		`+ index 7fa487dd5f..be3d60bbaf 100644`
		`--- a/crypto/o_str.c`
		`+++ b/crypto/o_str.c`
		`@@ -342,7 +342,12 @@ int openssl_strerror_r(int errnum, char *buf, size_t buflen)`
		`@@ -61,18 +55,18 @@`
		`$_`
		`}`
		`diff --git a/util/libcrypto.num b/util/libcrypto.num`
		`- index feb660d030..639074c5d0 100644`
		`+ index 2ad515028a..5c1710eb0b 100644`
		`--- a/util/libcrypto.num`
		`+++ b/util/libcrypto.num`
		`- @@ -5435,6 +5435,8 @@ EVP_MD_CTX_dup 5562 3_1_0 EXIST::FUNCTION:`
		`- EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION:`
		`- BN_are_coprime 5564 3_1_0 EXIST::FUNCTION:`
		`- OSSL_CMP_MSG_update_recipNonce 5565 3_0_9 EXIST::FUNCTION:CMP`
		`+ @@ -5428,6 +5428,8 @@ EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:`
		`+ OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:`
		`+ OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:`
		`+ OSSL_CMP_CTX_reset_geninfo_ITAVs 5558 3_0_8 EXIST::FUNCTION:CMP`
		`+OPENSSL_strcasecmp ? 3_0_1 EXIST::FUNCTION:`
		`+OPENSSL_strncasecmp ? 3_0_1 EXIST::FUNCTION:`
		`ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:`
		`ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:`
		`ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:`
		`--`
		`- 2.41.0`
		`+ 2.39.3`

0029-Patch-name-0058-FIPS-limit-rsa-encrypt.patch.patch ~~0058-FIPS-limit-rsa-encrypt.patch~~

file renamed

+14 -20

		`@@ -1,15 +1,9 @@`
		`- From 7a6ade7947ceea6ca367afa0427f61a9505e37a5 Mon Sep 17 00:00:00 2001`
		`- From: rpm-build <rpm-build>`
		`- Date: Mon, 31 Jul 2023 09:41:28 +0200`
		`- Subject: [PATCH 26/35] 0058-FIPS-limit-rsa-encrypt.patch`
		`+ From 64f5d841d1f51d60c787cac0006506f3651acf5a Mon Sep 17 00:00:00 2001`
		`+ From: Sahana Prasad <sahana@redhat.com>`
		`+ Date: Wed, 7 Jun 2023 10:21:29 +0200`
		`+ Subject: [PATCH 29/42] Patch-name: 0058-FIPS-limit-rsa-encrypt.patch`

		`- Patch-name: 0058-FIPS-limit-rsa-encrypt.patch`
		`- Patch-id: 58`
		`- Patch-status: \|`
		`- # https://github.com/openssl/openssl/pull/18175`
		`- # Patch57: 0057-strcasecmp-fix.patch`
		`- # https://bugzilla.redhat.com/show_bug.cgi?id=2053289`
		`- From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd`
		`+ Signed-off-by: Sahana Prasad <sahana@redhat.com>`
		`---`
		`providers/common/securitycheck.c \| 1 +`
		`.../implementations/asymciphers/rsa_enc.c \| 35 +++++++++++`
		`@@ -19,10 +13,10 @@`
		`5 files changed, 118 insertions(+), 8 deletions(-)`

		`diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c`
		`- index e534ad0a5f..c017c658e5 100644`
		`+ index bf496450cf..7a72c12cc8 100644`
		`--- a/providers/common/securitycheck.c`
		`+++ b/providers/common/securitycheck.c`
		`- @@ -27,6 +27,7 @@`
		`+ @@ -29,6 +29,7 @@`
		`* Set protect = 1 for encryption or signing operations, or 0 otherwise. See`
		`* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.`
		`*/`
		`@@ -31,7 +25,7 @@`
		`{`
		`int protect = 0;`
		`diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c`
		`- index d865968058..9cd8904131 100644`
		`+ index 568452ec56..12780f6936 100644`
		`--- a/providers/implementations/asymciphers/rsa_enc.c`
		`+++ b/providers/implementations/asymciphers/rsa_enc.c`
		`@@ -132,6 +132,17 @@ static int rsa_decrypt_init(void vprsactx, void vrsa,`
		`@@ -71,7 +65,7 @@`
		`if (out == NULL) {`
		`size_t len = RSA_size(prsactx->rsa);`

		`- @@ -204,6 +227,18 @@ static int rsa_decrypt(void vprsactx, unsigned char out, size_t *outlen,`
		`+ @@ -202,6 +225,18 @@ static int rsa_decrypt(void vprsactx, unsigned char out, size_t *outlen,`
		`if (!ossl_prov_is_running())`
		`return 0;`

		`@@ -91,7 +85,7 @@`
		`if (out == NULL) {`
		`*outlen = SSL_MAX_MASTER_KEY_LENGTH;`
		`diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt`
		`- index 8680797b90..95d5d51102 100644`
		`+ index 24ec6a4f77..f2f686be16 100644`
		`--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt`
		`+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt`
		`@@ -248,13 +248,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e377`
		`@@ -498,7 +492,7 @@`
		`Ctrl = rsa_padding_mode:oaep`
		`Ctrl = rsa_mgf1_md:sha1`
		`diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t`
		`- index cbec426137..9ba7fbeed2 100644`
		`+ index cbe7ae768d..69a6123fa7 100644`
		`--- a/test/recipes/80-test_cms.t`
		`+++ b/test/recipes/80-test_cms.t`
		`@@ -233,7 +233,7 @@ my @smime_pkcs7_tests = (`
		`@@ -510,7 +504,7 @@`
		`[ "{cmd1}", @prov, "-encrypt", "-in", $smcont,`
		`"-aes256", "-stream", "-out", "{output}.cms",`
		`$smrsa1,`
		`- @@ -1022,6 +1022,9 @@ sub check_availability {`
		`+ @@ -970,6 +970,9 @@ sub check_availability {`
		`return "$tnam: skipped, DSA disabled\n"`
		`if ($no_dsa && $tnam =~ / DSA/);`

		`@@ -521,7 +515,7 @@`
		`}`

		`diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t`
		`- index e2dcb68fb5..0775112b40 100644`
		`+ index 116cd594c0..124693d6e9 100644`
		`--- a/test/recipes/80-test_ssl_old.t`
		`+++ b/test/recipes/80-test_ssl_old.t`
		`@@ -493,6 +493,18 @@ sub testssl {`
		`@@ -566,5 +560,5 @@`
		`}`
		`next if $protocol eq "-tls1_3";`
		`--`
		`- 2.41.0`
		`+ 2.39.3`

0030-Patch-name-0060-FIPS-KAT-signature-tests.patch.patch

file added

+450

		`@@ -0,0 +1,450 @@`
		`+ From 5ef9b7bebbd8182ebe7bc12516a184dffdd54c13 Mon Sep 17 00:00:00 2001`
		`+ From: Sahana Prasad <sahana@redhat.com>`
		`+ Date: Wed, 7 Jun 2023 10:22:18 +0200`
		`+ Subject: [PATCH 30/42] Patch-name: 0060-FIPS-KAT-signature-tests.patch`
		`+`
		`+ Signed-off-by: Sahana Prasad <sahana@redhat.com>`
		`+ ---`
		`+ crypto/ec/ec_backend.c \| 20 ++-`
		`+ crypto/ec/ec_key.c \| 3 +`
		`+ crypto/ec/ec_local.h \| 3 +`
		`+ crypto/ec/ecdsa_ossl.c \| 13 +-`
		`+ crypto/ec/ecp_s390x_nistp.c \| 14 ++`
		`+ include/openssl/core_names.h \| 1 +`
		`+ providers/fips/self_test_data.inc \| 180 ++++++++++++++++++-`
		`+ providers/fips/self_test_kats.c \| 11 ++`
		`+ providers/implementations/keymgmt/ec_kmgmt.c \| 3 +-`
		`+ 9 files changed, 244 insertions(+), 4 deletions(-)`
		`+`
		`+ diff --git a/crypto/ec/ec_backend.c b/crypto/ec/ec_backend.c`
		`+ index 98e2c418e4..2f8663f97c 100644`
		`+ --- a/crypto/ec/ec_backend.c`
		`+ +++ b/crypto/ec/ec_backend.c`
		`+ @@ -398,6 +398,10 @@ int ossl_ec_key_fromdata(EC_KEY *ec, const OSSL_PARAM params[], int include_priv`
		`+ const OSSL_PARAM param_priv_key = NULL, param_pub_key = NULL;`
		`+ BN_CTX *ctx = NULL;`
		`+ BIGNUM *priv_key = NULL;`
		`+ +#ifdef FIPS_MODULE`
		`+ + const OSSL_PARAM *param_sign_kat_k = NULL;`
		`+ + BIGNUM *sign_kat_k = NULL;`
		`+ +#endif`
		`+ unsigned char *pub_key = NULL;`
		`+ size_t pub_key_len;`
		`+ const EC_GROUP *ecg = NULL;`
		`+ @@ -413,7 +417,10 @@ int ossl_ec_key_fromdata(EC_KEY *ec, const OSSL_PARAM params[], int include_priv`
		`+ if (include_private)`
		`+ param_priv_key =`
		`+ OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY);`
		`+ -`
		`+ +#ifdef FIPS_MODULE`
		`+ + param_sign_kat_k =`
		`+ + OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K);`
		`+ +#endif`
		`+ ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(ec));`
		`+ if (ctx == NULL)`
		`+ goto err;`
		`+ @@ -486,6 +493,17 @@ int ossl_ec_key_fromdata(EC_KEY *ec, const OSSL_PARAM params[], int include_priv`
		`+ && !EC_KEY_set_public_key(ec, pub_point))`
		`+ goto err;`
		`+`
		`+ +#ifdef FIPS_MODULE`
		`+ + if (param_sign_kat_k) {`
		`+ + if ((sign_kat_k = BN_secure_new()) == NULL)`
		`+ + goto err;`
		`+ + BN_set_flags(sign_kat_k, BN_FLG_CONSTTIME);`
		`+ +`
		`+ + if (!OSSL_PARAM_get_BN(param_sign_kat_k, &sign_kat_k))`
		`+ + goto err;`
		`+ + ec->sign_kat_k = sign_kat_k;`
		`+ + }`
		`+ +#endif`
		`+ ok = 1;`
		`+`
		`+ err:`
		`+ diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c`
		`+ index 75c0a1b39d..c676516c37 100644`
		`+ --- a/crypto/ec/ec_key.c`
		`+ +++ b/crypto/ec/ec_key.c`
		`+ @@ -97,6 +97,9 @@ void EC_KEY_free(EC_KEY *r)`
		`+ EC_GROUP_free(r->group);`
		`+ EC_POINT_free(r->pub_key);`
		`+ BN_clear_free(r->priv_key);`
		`+ +#ifdef FIPS_MODULE`
		`+ + BN_clear_free(r->sign_kat_k);`
		`+ +#endif`
		`+ OPENSSL_free(r->propq);`
		`+`
		`+ OPENSSL_clear_free((void *)r, sizeof(EC_KEY));`
		`+ diff --git a/crypto/ec/ec_local.h b/crypto/ec/ec_local.h`
		`+ index f34e06aea8..e2ea276f1b 100644`
		`+ --- a/crypto/ec/ec_local.h`
		`+ +++ b/crypto/ec/ec_local.h`
		`+ @@ -297,6 +297,9 @@ struct ec_key_st {`
		`+ int flags;`
		`+ #ifndef FIPS_MODULE`
		`+ CRYPTO_EX_DATA ex_data;`
		`+ +#endif`
		`+ +#ifdef FIPS_MODULE`
		`+ + BIGNUM *sign_kat_k;`
		`+ #endif`
		`+ CRYPTO_RWLOCK *lock;`
		`+ OSSL_LIB_CTX *libctx;`
		`+ diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c`
		`+ index fe9b3cf593..620cd9407a 100644`
		`+ --- a/crypto/ec/ecdsa_ossl.c`
		`+ +++ b/crypto/ec/ecdsa_ossl.c`
		`+ @@ -20,6 +20,10 @@`
		`+ #include "crypto/bn.h"`
		`+ #include "ec_local.h"`
		`+`
		`+ +#ifdef FIPS_MODULE`
		`+ +extern int REDHAT_FIPS_signature_st;`
		`+ +#endif`
		`+ +`
		`+ int ossl_ecdsa_sign_setup(EC_KEY eckey, BN_CTX ctx_in, BIGNUM **kinvp,`
		`+ BIGNUM **rp)`
		`+ {`
		`+ @@ -126,6 +130,11 @@ static int ecdsa_sign_setup(EC_KEY eckey, BN_CTX ctx_in,`
		`+ goto err;`
		`+`
		`+ do {`
		`+ +#ifdef FIPS_MODULE`
		`+ + if (REDHAT_FIPS_signature_st && eckey->sign_kat_k != NULL) {`
		`+ + BN_copy(k, eckey->sign_kat_k);`
		`+ + } else {`
		`+ +#endif`
		`+ /* get random k */`
		`+ do {`
		`+ if (dgst != NULL) {`
		`+ @@ -141,7 +150,9 @@ static int ecdsa_sign_setup(EC_KEY eckey, BN_CTX ctx_in,`
		`+ }`
		`+ }`
		`+ } while (BN_is_zero(k));`
		`+ -`
		`+ +#ifdef FIPS_MODULE`
		`+ + }`
		`+ +#endif`
		`+ /* compute r the x-coordinate of generator * k */`
		`+ if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {`
		`+ ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);`
		`+ diff --git a/crypto/ec/ecp_s390x_nistp.c b/crypto/ec/ecp_s390x_nistp.c`
		`+ index 0c10196ea3..ea16e5b7e1 100644`
		`+ --- a/crypto/ec/ecp_s390x_nistp.c`
		`+ +++ b/crypto/ec/ecp_s390x_nistp.c`
		`+ @@ -44,6 +44,10 @@`
		`+ #define S390X_OFF_RN(n) (4 * n)`
		`+ #define S390X_OFF_Y(n) (4 * n)`
		`+`
		`+ +#ifdef FIPS_MODULE`
		`+ +extern int REDHAT_FIPS_signature_st;`
		`+ +#endif`
		`+ +`
		`+ static int ec_GFp_s390x_nistp_mul(const EC_GROUP group, EC_POINT r,`
		`+ const BIGNUM *scalar,`
		`+ size_t num, const EC_POINT *points[],`
		`+ @@ -183,11 +187,21 @@ static ECDSA_SIG ecdsa_s390x_nistp_sign_sig(const unsigned char dgst,`
		`+ * because kdsa instruction constructs an in-range, invertible nonce`
		`+ * internally implementing counter-measures for RNG weakness.`
		`+ */`
		`+ +#ifdef FIPS_MODULE`
		`+ + if (REDHAT_FIPS_signature_st && eckey->sign_kat_k != NULL) {`
		`+ + BN_bn2binpad(eckey->sign_kat_k, param + S390X_OFF_RN(len), len);`
		`+ + /* Turns KDSA internal nonce-generation off. */`
		`+ + fc \|= S390X_KDSA_D;`
		`+ + } else {`
		`+ +#endif`
		`+ if (RAND_priv_bytes_ex(eckey->libctx, param + S390X_OFF_RN(len),`
		`+ (size_t)len, 0) != 1) {`
		`+ ERR_raise(ERR_LIB_EC, EC_R_RANDOM_NUMBER_GENERATION_FAILED);`
		`+ goto ret;`
		`+ }`
		`+ +#ifdef FIPS_MODULE`
		`+ + }`
		`+ +#endif`
		`+ } else {`
		`+ /* Reconstruct k = (k^-1)^-1. */`
		`+ if (ossl_ec_group_do_inverse_ord(group, k, kinv, NULL) == 0`
		`+ diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h`
		`+ index d595248d8d..c58a799466 100644`
		`+ --- a/include/openssl/core_names.h`
		`+ +++ b/include/openssl/core_names.h`
		`+ @@ -293,6 +293,7 @@ extern "C" {`
		`+ #define OSSL_PKEY_PARAM_DIST_ID "distid"`
		`+ #define OSSL_PKEY_PARAM_PUB_KEY "pub"`
		`+ #define OSSL_PKEY_PARAM_PRIV_KEY "priv"`
		`+ +#define OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K "rh_sign_kat_k"`
		`+`
		`+ /* Diffie-Hellman/DSA Parameters */`
		`+ #define OSSL_PKEY_PARAM_FFC_P "p"`
		`+ diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc`
		`+ index 27c32f7561..ddb1671466 100644`
		`+ --- a/providers/fips/self_test_data.inc`
		`+ +++ b/providers/fips/self_test_data.inc`
		`+ @@ -1405,7 +1405,151 @@ static const ST_KAT_PARAM ecdsa_prime_key[] = {`
		`+ ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, ecd_prime_priv),`
		`+ ST_KAT_PARAM_END()`
		`+ };`
		`+ +static const unsigned char ec224r1_kat_sig[] = {`
		`+ +0x30, 0x3c, 0x02, 0x1c, 0x2f, 0x24, 0x30, 0x96, 0x3b, 0x39, 0xe0, 0xab, 0xe2, 0x5a, 0x6f, 0xe0,`
		`+ +0x40, 0x7e, 0x19, 0x30, 0x6e, 0x6a, 0xfd, 0x7a, 0x2b, 0x5d, 0xaa, 0xc2, 0x34, 0x6c, 0xc8, 0xce,`
		`+ +0x02, 0x1c, 0x47, 0xe1, 0xac, 0xfd, 0xb4, 0xb8, 0x2b, 0x8c, 0x49, 0xb6, 0x36, 0xcd, 0xdd, 0x22,`
		`+ +0x2a, 0x2d, 0x29, 0x64, 0x70, 0x61, 0xc3, 0x3e, 0x18, 0x51, 0xec, 0xf2, 0xad, 0x3c`
		`+ +};`
		`+`
		`+ +static const char ecd_prime_curve_name384[] = "secp384r1";`
		`+ +/*`
		`+ +priv:`
		`+ + 58:12:2b:94:be:29:23:13:83:f5:c4:20:e8:22:34:`
		`+ + 54:73:49:91:10:05:e9:10:e9:d7:2d:72:9c:5e:6a:`
		`+ + ba:8f:6d:d6:e4:a7:eb:e0:ae:e3:d4:c9:aa:33:87:`
		`+ + 4c:91:87`
		`+ +pub:`
		`+ + 04:d1:86:8b:f5:c4:a2:f7:a5:92:e6:85:2a:d2:92:`
		`+ + 81:97:0a:8d:fa:09:3f:84:6c:17:43:03:43:49:23:`
		`+ + 77:c4:31:f4:0a:a4:de:87:ac:5c:c0:d1:bc:e4:43:`
		`+ + 7f:8d:44:e1:3b:5f:bc:27:c8:79:0f:d0:31:9f:a7:`
		`+ + 6d:de:fb:f7:da:19:40:fd:aa:83:dc:69:ce:a6:f3:`
		`+ + 4d:65:20:1c:66:82:80:03:f7:7b:2e:f3:b3:7c:1f:`
		`+ + 11:f2:a3:bf:e8:0e:88`
		`+ +*/`
		`+ +static const unsigned char ecd_prime_priv384[] = {`
		`+ + 0x58, 0x12, 0x2b, 0x94, 0xbe, 0x29, 0x23, 0x13, 0x83, 0xf5, 0xc4, 0x20, 0xe8, 0x22, 0x34,`
		`+ + 0x54, 0x73, 0x49, 0x91, 0x10, 0x05, 0xe9, 0x10, 0xe9, 0xd7, 0x2d, 0x72, 0x9c, 0x5e, 0x6a,`
		`+ + 0xba, 0x8f, 0x6d, 0xd6, 0xe4, 0xa7, 0xeb, 0xe0, 0xae, 0xe3, 0xd4, 0xc9, 0xaa, 0x33, 0x87,`
		`+ + 0x4c, 0x91, 0x87`
		`+ +};`
		`+ +static const unsigned char ecd_prime_pub384[] = {`
		`+ + 0x04, 0xd1, 0x86, 0x8b, 0xf5, 0xc4, 0xa2, 0xf7, 0xa5, 0x92, 0xe6, 0x85, 0x2a, 0xd2, 0x92,`
		`+ + 0x81, 0x97, 0x0a, 0x8d, 0xfa, 0x09, 0x3f, 0x84, 0x6c, 0x17, 0x43, 0x03, 0x43, 0x49, 0x23,`
		`+ + 0x77, 0xc4, 0x31, 0xf4, 0x0a, 0xa4, 0xde, 0x87, 0xac, 0x5c, 0xc0, 0xd1, 0xbc, 0xe4, 0x43,`
		`+ + 0x7f, 0x8d, 0x44, 0xe1, 0x3b, 0x5f, 0xbc, 0x27, 0xc8, 0x79, 0x0f, 0xd0, 0x31, 0x9f, 0xa7,`
		`+ + 0x6d, 0xde, 0xfb, 0xf7, 0xda, 0x19, 0x40, 0xfd, 0xaa, 0x83, 0xdc, 0x69, 0xce, 0xa6, 0xf3,`
		`+ + 0x4d, 0x65, 0x20, 0x1c, 0x66, 0x82, 0x80, 0x03, 0xf7, 0x7b, 0x2e, 0xf3, 0xb3, 0x7c, 0x1f,`
		`+ + 0x11, 0xf2, 0xa3, 0xbf, 0xe8, 0x0e, 0x88`
		`+ +};`
		`+ +static const ST_KAT_PARAM ecdsa_prime_key384[] = {`
		`+ + ST_KAT_PARAM_UTF8STRING(OSSL_PKEY_PARAM_GROUP_NAME, ecd_prime_curve_name384),`
		`+ + ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PUB_KEY, ecd_prime_pub384),`
		`+ + ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, ecd_prime_priv384),`
		`+ + ST_KAT_PARAM_END()`
		`+ +};`
		`+ +static const unsigned char ec384r1_kat_sig[] = {`
		`+ +0x30, 0x65, 0x02, 0x30, 0x1a, 0xd5, 0x57, 0x1b, 0x28, 0x0f, 0xf1, 0x68, 0x66, 0x68, 0x8a, 0x98,`
		`+ +0xe3, 0x9c, 0xce, 0x7f, 0xa7, 0x68, 0xdc, 0x84, 0x5a, 0x65, 0xdc, 0x2b, 0x5d, 0x7e, 0xf3, 0x9b,`
		`+ +0xa0, 0x40, 0xe8, 0x7a, 0x02, 0xc7, 0x82, 0xe0, 0x0c, 0x81, 0xa5, 0xda, 0x55, 0x27, 0xbf, 0x79,`
		`+ +0xee, 0x72, 0xc2, 0x14, 0x02, 0x31, 0x00, 0xd1, 0x9d, 0x67, 0xda, 0x5a, 0xd2, 0x58, 0x68, 0xe7,`
		`+ +0x71, 0x08, 0xb2, 0xa4, 0xe4, 0xe8, 0x74, 0xb4, 0x0a, 0x3d, 0x76, 0x49, 0x31, 0x17, 0x6e, 0x33,`
		`+ +0x16, 0xf0, 0x00, 0x1f, 0x3c, 0x1f, 0xf9, 0x7c, 0xdb, 0x93, 0x49, 0x9c, 0x7d, 0xb3, 0xd3, 0x30,`
		`+ +0x98, 0x81, 0x6f, 0xb0, 0xc9, 0x30, 0x2f`
		`+ +};`
		`+ +static const char ecd_prime_curve_name521[] = "secp521r1";`
		`+ +/*`
		`+ +priv:`
		`+ + 00:44:0f:96:31:a9:87:f2:5f:be:a0:bc:ef:0c:ae:`
		`+ + 58:cc:5f:f8:44:9e:89:86:7e:bf:db:ce:cb:0e:20:`
		`+ + 10:4a:11:ec:0b:51:1d:e4:91:ca:c6:40:fb:c6:69:`
		`+ + ad:68:33:9e:c8:f5:c4:c6:a5:93:a8:4d:a9:a9:a2:`
		`+ + af:fe:6d:cb:c2:3b`
		`+ +pub:`
		`+ + 04:01:5f:58:a9:40:0c:ee:9b:ed:4a:f4:7a:3c:a3:`
		`+ + 89:c2:f3:7e:2c:f4:b5:53:80:ae:33:7d:36:d1:b5:`
		`+ + 18:bd:ef:a9:48:00:ea:88:ee:00:5c:ca:07:08:b5:`
		`+ + 67:4a:c3:2b:10:c6:07:b0:c2:45:37:b7:1d:e3:6c:`
		`+ + e1:bf:2c:44:18:4a:aa:01:af:75:40:6a:e3:f5:b2:`
		`+ + 7f:d1:9d:1b:8b:29:1f:91:4d:db:93:bf:bd:8c:b7:`
		`+ + 6a:8d:4b:2c:36:2a:6b:ab:54:9d:7b:31:99:a4:de:`
		`+ + c9:10:c4:f4:a3:f4:6d:94:97:62:16:a5:34:65:1f:`
		`+ + 42:cd:8b:9e:e6:db:14:5d:a9:8d:19:95:8d`
		`+ +*/`
		`+ +static const unsigned char ecd_prime_priv521[] = {`
		`+ + 0x00, 0x44, 0x0f, 0x96, 0x31, 0xa9, 0x87, 0xf2, 0x5f, 0xbe, 0xa0, 0xbc, 0xef, 0x0c, 0xae,`
		`+ + 0x58, 0xcc, 0x5f, 0xf8, 0x44, 0x9e, 0x89, 0x86, 0x7e, 0xbf, 0xdb, 0xce, 0xcb, 0x0e, 0x20,`
		`+ + 0x10, 0x4a, 0x11, 0xec, 0x0b, 0x51, 0x1d, 0xe4, 0x91, 0xca, 0xc6, 0x40, 0xfb, 0xc6, 0x69,`
		`+ + 0xad, 0x68, 0x33, 0x9e, 0xc8, 0xf5, 0xc4, 0xc6, 0xa5, 0x93, 0xa8, 0x4d, 0xa9, 0xa9, 0xa2,`
		`+ + 0xaf, 0xfe, 0x6d, 0xcb, 0xc2, 0x3b`
		`+ +};`
		`+ +static const unsigned char ecd_prime_pub521[] = {`
		`+ + 0x04, 0x01, 0x5f, 0x58, 0xa9, 0x40, 0x0c, 0xee, 0x9b, 0xed, 0x4a, 0xf4, 0x7a, 0x3c, 0xa3,`
		`+ + 0x89, 0xc2, 0xf3, 0x7e, 0x2c, 0xf4, 0xb5, 0x53, 0x80, 0xae, 0x33, 0x7d, 0x36, 0xd1, 0xb5,`
		`+ + 0x18, 0xbd, 0xef, 0xa9, 0x48, 0x00, 0xea, 0x88, 0xee, 0x00, 0x5c, 0xca, 0x07, 0x08, 0xb5,`
		`+ + 0x67, 0x4a, 0xc3, 0x2b, 0x10, 0xc6, 0x07, 0xb0, 0xc2, 0x45, 0x37, 0xb7, 0x1d, 0xe3, 0x6c,`
		`+ + 0xe1, 0xbf, 0x2c, 0x44, 0x18, 0x4a, 0xaa, 0x01, 0xaf, 0x75, 0x40, 0x6a, 0xe3, 0xf5, 0xb2,`
		`+ + 0x7f, 0xd1, 0x9d, 0x1b, 0x8b, 0x29, 0x1f, 0x91, 0x4d, 0xdb, 0x93, 0xbf, 0xbd, 0x8c, 0xb7,`
		`+ + 0x6a, 0x8d, 0x4b, 0x2c, 0x36, 0x2a, 0x6b, 0xab, 0x54, 0x9d, 0x7b, 0x31, 0x99, 0xa4, 0xde,`
		`+ + 0xc9, 0x10, 0xc4, 0xf4, 0xa3, 0xf4, 0x6d, 0x94, 0x97, 0x62, 0x16, 0xa5, 0x34, 0x65, 0x1f,`
		`+ + 0x42, 0xcd, 0x8b, 0x9e, 0xe6, 0xdb, 0x14, 0x5d, 0xa9, 0x8d, 0x19, 0x95, 0x8d`
		`+ +};`
		`+ +static const ST_KAT_PARAM ecdsa_prime_key521[] = {`
		`+ + ST_KAT_PARAM_UTF8STRING(OSSL_PKEY_PARAM_GROUP_NAME, ecd_prime_curve_name521),`
		`+ + ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PUB_KEY, ecd_prime_pub521),`
		`+ + ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, ecd_prime_priv521),`
		`+ + ST_KAT_PARAM_END()`
		`+ +};`
		`+ +static const unsigned char ec521r1_kat_sig[] = {`
		`+ +0x30, 0x81, 0x88, 0x02, 0x42, 0x00, 0xdf, 0x64, 0x9c, 0xc8, 0x5b, 0xdd, 0x0b, 0x7f, 0x69, 0x7e,`
		`+ +0xdb, 0x83, 0x58, 0x67, 0x63, 0x43, 0xb7, 0xfa, 0x40, 0x29, 0xde, 0xb9, 0xde, 0xe9, 0x96, 0x65,`
		`+ +0xe6, 0x8e, 0xf4, 0xeb, 0xd0, 0xe9, 0x6a, 0xd3, 0x27, 0x6c, 0x4d, 0x60, 0x47, 0x9c, 0x62, 0xb8,`
		`+ +0x6c, 0xc1, 0x36, 0x19, 0x65, 0xff, 0xab, 0xcf, 0x24, 0xa3, 0xde, 0xd1, 0x4b, 0x1b, 0xdd, 0x89,`
		`+ +0xcf, 0xf8, 0x72, 0x7b, 0x92, 0xbc, 0x02, 0x02, 0x42, 0x01, 0xf8, 0x07, 0x77, 0xb8, 0xcb, 0xa2,`
		`+ +0xe2, 0x1f, 0x53, 0x9a, 0x7c, 0x16, 0xb5, 0x8e, 0xad, 0xe3, 0xc3, 0xac, 0xb7, 0xb2, 0x51, 0x8f,`
		`+ +0xf9, 0x09, 0x65, 0x43, 0xf8, 0xd8, 0x3c, 0xe3, 0x5c, 0x4a, 0x5e, 0x3d, 0x6f, 0xb7, 0xbb, 0x5a,`
		`+ +0x92, 0x69, 0xec, 0x71, 0xa2, 0x35, 0xe5, 0x29, 0x17, 0xaf, 0xc9, 0x69, 0xa7, 0xaa, 0x94, 0xf9,`
		`+ +0xf9, 0x50, 0x87, 0x7b, 0x5d, 0x87, 0xe3, 0xd6, 0x3f, 0xb6, 0x6e`
		`+ +};`
		`+ +static const char ecd_prime_curve_name256[] = "prime256v1";`
		`+ +/*`
		`+ +priv:`
		`+ + 84:88:11:3f:a9:c9:9e:23:72:8b:40:cb:a2:b1:88:`
		`+ + 01:1e:92:48:af:13:2d:9b:33:8e:6d:43:40:30:c7:`
		`+ + 30:fa`
		`+ +pub:`
		`+ + 04:22:58:b6:f9:01:3b:8c:a6:9b:9f:ae:75:fc:73:`
		`+ + cf:1b:f0:81:dc:55:a3:cc:5d:81:46:85:06:32:34:`
		`+ + 99:0d:c5:7e:a1:95:bb:21:73:33:40:4b:35:17:f6:`
		`+ + 8e:26:61:46:94:2c:4c:ac:9b:20:f8:08:72:25:74:`
		`+ + 98:66:c4:63:a6`
		`+ +*/`
		`+ +static const unsigned char ecd_prime_priv256[] = {`
		`+ + 0x84, 0x88, 0x11, 0x3f, 0xa9, 0xc9, 0x9e, 0x23, 0x72, 0x8b, 0x40, 0xcb, 0xa2, 0xb1, 0x88,`
		`+ + 0x01, 0x1e, 0x92, 0x48, 0xaf, 0x13, 0x2d, 0x9b, 0x33, 0x8e, 0x6d, 0x43, 0x40, 0x30, 0xc7,`
		`+ + 0x30, 0xfa`
		`+ +};`
		`+ +static const unsigned char ecd_prime_pub256[] = {`
		`+ + 0x04, 0x22, 0x58, 0xb6, 0xf9, 0x01, 0x3b, 0x8c, 0xa6, 0x9b, 0x9f, 0xae, 0x75, 0xfc, 0x73,`
		`+ + 0xcf, 0x1b, 0xf0, 0x81, 0xdc, 0x55, 0xa3, 0xcc, 0x5d, 0x81, 0x46, 0x85, 0x06, 0x32, 0x34,`
		`+ + 0x99, 0x0d, 0xc5, 0x7e, 0xa1, 0x95, 0xbb, 0x21, 0x73, 0x33, 0x40, 0x4b, 0x35, 0x17, 0xf6,`
		`+ + 0x8e, 0x26, 0x61, 0x46, 0x94, 0x2c, 0x4c, 0xac, 0x9b, 0x20, 0xf8, 0x08, 0x72, 0x25, 0x74,`
		`+ + 0x98, 0x66, 0xc4, 0x63, 0xa6`
		`+ +};`
		`+ +static const ST_KAT_PARAM ecdsa_prime_key256[] = {`
		`+ + ST_KAT_PARAM_UTF8STRING(OSSL_PKEY_PARAM_GROUP_NAME, ecd_prime_curve_name256),`
		`+ + ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PUB_KEY, ecd_prime_pub256),`
		`+ + ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, ecd_prime_priv256),`
		`+ + ST_KAT_PARAM_END()`
		`+ +};`
		`+ +static const unsigned char ec256v1_kat_sig[] = {`
		`+ +0x30, 0x46, 0x02, 0x21, 0x00, 0xc9, 0x11, 0x27, 0x06, 0x51, 0x2b, 0x50, 0x8c, 0x6b, 0xc0, 0xa6,`
		`+ +0x85, 0xaa, 0xf4, 0x66, 0x0d, 0xe4, 0x54, 0x0a, 0x10, 0xb6, 0x9f, 0x87, 0xfc, 0xa2, 0xbc, 0x8f,`
		`+ +0x3c, 0x58, 0xb4, 0xe9, 0x41, 0x02, 0x21, 0x00, 0xc9, 0x72, 0x94, 0xa9, 0xdd, 0x52, 0xca, 0x21,`
		`+ +0x82, 0x66, 0x7a, 0x68, 0xcb, 0x1e, 0x3b, 0x12, 0x71, 0x4d, 0x56, 0xb5, 0xb7, 0xdd, 0xca, 0x2b,`
		`+ +0x18, 0xa3, 0xa7, 0x08, 0x0d, 0xfa, 0x9c, 0x66`
		`+ +};`
		`+ # ifndef OPENSSL_NO_EC2M`
		`+ static const char ecd_bin_curve_name[] = "sect233r1";`
		`+ static const unsigned char ecd_bin_priv[] = {`
		`+ @@ -1577,8 +1721,42 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {`
		`+ ecdsa_prime_key,`
		`+ /*`
		`+ * The ECDSA signature changes each time due to it using a random k.`
		`+ - * So there is no expected KAT for this case.`
		`+ + * We provide this value in our build`
		`+ + */`
		`+ + ITM(ec224r1_kat_sig)`
		`+ + },`
		`+ + {`
		`+ + OSSL_SELF_TEST_DESC_SIGN_ECDSA,`
		`+ + "EC",`
		`+ + "SHA-256",`
		`+ + ecdsa_prime_key384,`
		`+ + /*`
		`+ + * The ECDSA signature changes each time due to it using a random k.`
		`+ + * We provide this value in our build`
		`+ + */`
		`+ + ITM(ec384r1_kat_sig)`
		`+ + },`
		`+ + {`
		`+ + OSSL_SELF_TEST_DESC_SIGN_ECDSA,`
		`+ + "EC",`
		`+ + "SHA-256",`
		`+ + ecdsa_prime_key521,`
		`+ + /*`
		`+ + * The ECDSA signature changes each time due to it using a random k.`
		`+ + * We provide this value in our build`
		`+ + */`
		`+ + ITM(ec521r1_kat_sig)`
		`+ + },`
		`+ + {`
		`+ + OSSL_SELF_TEST_DESC_SIGN_ECDSA,`
		`+ + "EC",`
		`+ + "SHA-256",`
		`+ + ecdsa_prime_key256,`
		`+ + /*`
		`+ + * The ECDSA signature changes each time due to it using a random k.`
		`+ + * We provide this value in our build`
		`+ */`
		`+ + ITM(ec256v1_kat_sig)`
		`+ },`
		`+ # ifndef OPENSSL_NO_EC2M`
		`+ {`
		`+ diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c`
		`+ index ad896e40d2..52565c2dcf 100644`
		`+ --- a/providers/fips/self_test_kats.c`
		`+ +++ b/providers/fips/self_test_kats.c`
		`+ @@ -17,6 +17,8 @@`
		`+ #include "self_test.h"`
		`+ #include "self_test_data.inc"`
		`+`
		`+ +int REDHAT_FIPS_signature_st = 0;`
		`+ +`
		`+ static int self_test_digest(const ST_KAT_DIGEST t, OSSL_SELF_TEST st,`
		`+ OSSL_LIB_CTX *libctx)`
		`+ {`
		`+ @@ -446,6 +448,7 @@ static int self_test_sign(const ST_KAT_SIGN *t,`
		`+ EVP_PKEY *pkey = NULL;`
		`+ unsigned char sig[256];`
		`+ BN_CTX *bnctx = NULL;`
		`+ + BIGNUM *K = NULL;`
		`+ size_t siglen = sizeof(sig);`
		`+ static const unsigned char dgst[] = {`
		`+ 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,`
		`+ @@ -462,6 +465,9 @@ static int self_test_sign(const ST_KAT_SIGN *t,`
		`+ bnctx = BN_CTX_new_ex(libctx);`
		`+ if (bnctx == NULL)`
		`+ goto err;`
		`+ + K = BN_CTX_get(bnctx);`
		`+ + if (K == NULL \|\| BN_bin2bn(dgst, sizeof(dgst), K) == NULL)`
		`+ + goto err;`
		`+`
		`+ bld = OSSL_PARAM_BLD_new();`
		`+ if (bld == NULL)`
		`+ @@ -469,6 +475,9 @@ static int self_test_sign(const ST_KAT_SIGN *t,`
		`+`
		`+ if (!add_params(bld, t->key, bnctx))`
		`+ goto err;`
		`+ + /* set K for ECDSA KAT tests */`
		`+ + if (!OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K, K))`
		`+ + goto err;`
		`+ params = OSSL_PARAM_BLD_to_param(bld);`
		`+`
		`+ /* Create a EVP_PKEY_CTX to load the DSA key into */`
		`+ @@ -689,11 +698,13 @@ static int self_test_kas(OSSL_SELF_TEST st, OSSL_LIB_CTX libctx)`
		`+ static int self_test_signatures(OSSL_SELF_TEST st, OSSL_LIB_CTX libctx)`
		`+ {`
		`+ int i, ret = 1;`
		`+ + REDHAT_FIPS_signature_st = 1;`
		`+`
		`+ for (i = 0; i < (int)OSSL_NELEM(st_kat_sign_tests); ++i) {`
		`+ if (!self_test_sign(&st_kat_sign_tests[i], st, libctx))`
		`+ ret = 0;`
		`+ }`
		`+ + REDHAT_FIPS_signature_st = 0;`
		`+ return ret;`
		`+ }`
		`+`
		`+ diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c`
		`+ index 3f1dc9e191..7bcdba0345 100644`
		`+ --- a/providers/implementations/keymgmt/ec_kmgmt.c`
		`+ +++ b/providers/implementations/keymgmt/ec_kmgmt.c`
		`+ @@ -539,7 +539,8 @@ end:`
		`+ # define EC_IMEXPORTABLE_PUBLIC_KEY \`
		`+ OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, NULL, 0)`
		`+ # define EC_IMEXPORTABLE_PRIVATE_KEY \`
		`+ - OSSL_PARAM_BN(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0)`
		`+ + OSSL_PARAM_BN(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0), \`
		`+ + OSSL_PARAM_BN(OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K, NULL, 0)`
		`+ # define EC_IMEXPORTABLE_OTHER_PARAMETERS \`
		`+ OSSL_PARAM_int(OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, NULL), \`
		`+ OSSL_PARAM_int(OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC, NULL)`
		`+ --`
		`+ 2.39.3`
		`+`

0031-Deny-SHA-1-signature-verification-in-FIPS-provider.patch

file added

+1430

The added file is too large to be shown here, see it at: 0031-Deny-SHA-1-signature-verification-in-FIPS-provider.patch

0032-Force-fips.patch

file removed

-55

		`@@ -1,55 +0,0 @@`
		`- From 8c6dffe2347fc801a2b285d79dd99b8739414bc3 Mon Sep 17 00:00:00 2001`
		`- From: rpm-build <rpm-build>`
		`- Date: Mon, 31 Jul 2023 09:41:28 +0200`
		`- Subject: [PATCH 16/35] 0032-Force-fips.patch`
		`-`
		`- Patch-name: 0032-Force-fips.patch`
		`- Patch-id: 32`
		`- Patch-status: \|`
		`- # We load FIPS provider and set FIPS properties implicitly`
		`- From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd`
		`- ---`
		`- crypto/provider_conf.c \| 13 ++++++++++++-`
		`- 1 file changed, 12 insertions(+), 1 deletion(-)`
		`-`
		`- diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c`
		`- index 058fb58837..ad0b29c954 100644`
		`- --- a/crypto/provider_conf.c`
		`- +++ b/crypto/provider_conf.c`
		`- @@ -10,6 +10,7 @@`
		`- #include <string.h>`
		`- #include <openssl/trace.h>`
		`- #include <openssl/err.h>`
		`- +#include <openssl/evp.h>`
		`- #include <openssl/conf.h>`
		`- #include <openssl/safestack.h>`
		`- #include <openssl/provider.h>`
		`- @@ -169,7 +170,7 @@ static int provider_conf_activate(OSSL_LIB_CTX libctx, const char name,`
		`- if (path != NULL)`
		`- ossl_provider_set_module_path(prov, path);`
		`-`
		`- - ok = provider_conf_params(prov, NULL, NULL, value, cnf);`
		`- + ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;`
		`-`
		`- if (ok) {`
		`- if (!ossl_provider_activate(prov, 1, 0)) {`
		`- @@ -309,6 +310,16 @@ static int provider_conf_init(CONF_IMODULE md, const CONF cnf)`
		`- return 0;`
		`- }`
		`-`
		`- + if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */`
		`- + OSSL_LIB_CTX libctx = NCONF_get0_libctx((CONF )cnf);`
		`- + if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)`
		`- + return 0;`
		`- + if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)`
		`- + return 0;`
		`- + if (EVP_default_properties_enable_fips(libctx, 1) != 1)`
		`- + return 0;`
		`- + }`
		`- +`
		`- return 1;`
		`- }`
		`-`
		`- --`
		`- 2.41.0`
		`-`

0032-fips-Expose-a-FIPS-indicator.patch ~~0062-fips-Expose-a-FIPS-indicator.patch~~

file renamed

+14 -14

		`@@ -1,7 +1,7 @@`
		`- From e3d6fca1af033d00c47bcd8f9ba28fcf1aa476aa Mon Sep 17 00:00:00 2001`
		`+ From 86c8e19df515887632ef8b8e64a8a7feea102b2a Mon Sep 17 00:00:00 2001`
		`From: Clemens Lang <cllang@redhat.com>`
		`Date: Tue, 7 Jun 2022 12:02:49 +0200`
		`- Subject: [PATCH] fips: Expose a FIPS indicator`
		`+ Subject: [PATCH 32/42] fips: Expose a FIPS indicator`

		`FIPS 140-3 requires us to indicate whether an operation was using`
		`approved services or not. The FIPS 140-3 implementation guidelines`
		`@@ -53,10 +53,10 @@`
		`create mode 100644 providers/fips/indicator.h`

		`diff --git a/doc/build.info b/doc/build.info`
		`- index b0aa4297a4..af235113bb 100644`
		`+ index ec8778f2ac..8269406ecf 100644`
		`--- a/doc/build.info`
		`+++ b/doc/build.info`
		`- @@ -4389,6 +4389,10 @@ DEPEND[html/man7/fips_module.html]=man7/fips_module.pod`
		`+ @@ -4453,6 +4453,10 @@ DEPEND[html/man7/fips_module.html]=man7/fips_module.pod`
		`GENERATE[html/man7/fips_module.html]=man7/fips_module.pod`
		`DEPEND[man/man7/fips_module.7]=man7/fips_module.pod`
		`GENERATE[man/man7/fips_module.7]=man7/fips_module.pod`
		`@@ -67,7 +67,7 @@`
		`DEPEND[html/man7/life_cycle-cipher.html]=man7/life_cycle-cipher.pod`
		`GENERATE[html/man7/life_cycle-cipher.html]=man7/life_cycle-cipher.pod`
		`DEPEND[man/man7/life_cycle-cipher.7]=man7/life_cycle-cipher.pod`
		`- @@ -4631,6 +4635,7 @@ html/man7/ct.html \`
		`+ @@ -4696,6 +4700,7 @@ html/man7/ct.html \`
		`html/man7/des_modes.html \`
		`html/man7/evp.html \`
		`html/man7/fips_module.html \`
		`@@ -75,7 +75,7 @@`
		`html/man7/life_cycle-cipher.html \`
		`html/man7/life_cycle-digest.html \`
		`html/man7/life_cycle-kdf.html \`
		`- @@ -4754,6 +4759,7 @@ man/man7/ct.7 \`
		`+ @@ -4820,6 +4825,7 @@ man/man7/ct.7 \`
		`man/man7/des_modes.7 \`
		`man/man7/evp.7 \`
		`man/man7/fips_module.7 \`
		`@@ -244,18 +244,18 @@`
		`+`
		`+=cut`
		`diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c`
		`- index de391ce067..1cfd71c5cf 100644`
		`+ index cdcfcb7284..de60949565 100644`
		`--- a/providers/fips/fipsprov.c`
		`+++ b/providers/fips/fipsprov.c`
		`@@ -23,6 +23,7 @@`
		`+ #include "prov/seeding.h"`
		`#include "self_test.h"`
		`- #include "crypto/context.h"`
		`#include "internal/core.h"`
		`+#include "indicator.h"`

		`static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes";`
		`static const char FIPS_UNAPPROVED_PROPERTIES[] = "provider=fips,fips=no";`
		`- @@ -425,6 +426,68 @@ static const OSSL_ALGORITHM fips_signature[] = {`
		`+ @@ -409,6 +410,68 @@ static const OSSL_ALGORITHM fips_signature[] = {`
		`{ NULL, NULL, NULL }`
		`};`

		`@@ -324,7 +324,7 @@`
		`static const OSSL_ALGORITHM fips_asym_cipher[] = {`
		`{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_asym_cipher_functions },`
		`{ NULL, NULL, NULL }`
		`- @@ -527,6 +590,14 @@ static void fips_deinit_casecmp(void) {`
		`+ @@ -494,6 +557,14 @@ static const OSSL_ALGORITHM fips_query(void provctx, int operation_id,`
		`return NULL;`
		`}`

		`@@ -412,10 +412,10 @@`
		`+`
		`+#endif`
		`diff --git a/util/mkdef.pl b/util/mkdef.pl`
		`- index a1c76f7c97..eda39b71ee 100755`
		`+ index d9534674cd..5b3f342016 100755`
		`--- a/util/mkdef.pl`
		`+++ b/util/mkdef.pl`
		`- @@ -149,7 +149,8 @@ $ordinal_opts{filter} =`
		`+ @@ -153,7 +153,8 @@ $ordinal_opts{filter} =`
		`return`
		`$item->exists()`
		`&& platform_filter($item)`
		`@@ -425,7 +425,7 @@`
		`};`
		`my $ordinals = OpenSSL::Ordinals->new(from => $ordinals_file);`

		`- @@ -205,6 +206,28 @@ sub feature_filter {`
		`+ @@ -209,6 +210,28 @@ sub feature_filter {`
		`return $verdict;`
		`}`

		`@@ -462,5 +462,5 @@`
		`OSSL_provider_init 1 * EXIST::FUNCTION:`
		`+redhat_ossl_query_fipsindicator 1 * EXIST::FUNCTION:ONLY_PROVIDERS/FIPS`
		`--`
		`- 2.35.3`
		`+ 2.39.3`

0033-AES-GCM-performance-optimization.patch

file added

+1654

The added file is too large to be shown here, see it at: 0033-AES-GCM-performance-optimization.patch

0034-ChaCha20-performance-optimizations-for-ppc64le.patch

file added

+1509

The added file is too large to be shown here, see it at: 0034-ChaCha20-performance-optimizations-for-ppc64le.patch

0035-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch ~~0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch~~

file renamed

+42 -25

		`@@ -1,14 +1,31 @@`
		`- From abeda0b0475adb0d4f89b0c97cfc349779915bbf Mon Sep 17 00:00:00 2001`
		`- From: rpm-build <rpm-build>`
		`- Date: Mon, 31 Jul 2023 09:41:28 +0200`
		`- Subject: [PATCH 29/35]`
		`- 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch`
		`+ From b3176f73b5f824d111264c50e4f7e498457647aa Mon Sep 17 00:00:00 2001`
		`+ From: Clemens Lang <cllang@redhat.com>`
		`+ Date: Fri, 22 Jul 2022 13:59:37 +0200`
		`+ Subject: [PATCH 35/42] FIPS: Use OAEP in KATs, support fixed OAEP seed`

		`- Patch-name: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch`
		`- Patch-id: 73`
		`- Patch-status: \|`
		`- # https://bugzilla.redhat.com/show_bug.cgi?id=2102535`
		`- From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd`
		`+ Review by our lab for FIPS 140-3 certification expects the RSA`
		`+ encryption and decryption tests to use a supported padding mode, not raw`
		`+ RSA signatures. Switch to RSA-OAEP for the self tests to fulfill that.`
		`+`
		`+ The FIPS 140-3 Implementation Guidance specifies in section 10.3.A`
		`+ "Cryptographic Algorithm Self-Test Requirements" that a self-test may be`
		`+ a known-answer test, a comparison test, or a fault-detection test.`
		`+`
		`+ Comparison tests are not an option, because they would require`
		`+ a separate implementation of RSA-OAEP, which we do not have. Fault`
		`+ detection tests require implementing fault detection mechanisms into the`
		`+ cryptographic algorithm implementation, we we also do not have.`
		`+`
		`+ As a consequence, a known-answer test must be used to test RSA`
		`+ encryption and decryption, but RSA encryption with OAEP padding is not`
		`+ deterministic, and thus encryption will always yield different results`
		`+ that could not be compared to known answers. For this reason, this`
		`+ change explicitly sets the seed in OAEP (see RFC 8017 section 7.1.1),`
		`+ which is the source of randomness for RSA-OAEP, to a fixed value. This`
		`+ setting is only available during self-test execution, and the parameter`
		`+ set using EVP_PKEY_CTX_set_params() will be ignored otherwise.`
		`+`
		`+ Signed-off-by: Clemens Lang <cllang@redhat.com>`
		`---`
		`crypto/rsa/rsa_local.h \| 8 ++`
		`crypto/rsa/rsa_oaep.c \| 34 ++++++--`
		`@@ -102,10 +119,10 @@`
		`const unsigned char *from, int flen,`
		`const unsigned char *param, int plen,`
		`diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h`
		`- index 5e3c132f5b..c0cce14297 100644`
		`+ index c58a799466..de6c5fdb23 100644`
		`--- a/include/openssl/core_names.h`
		`+++ b/include/openssl/core_names.h`
		`- @@ -471,6 +471,9 @@ extern "C" {`
		`+ @@ -469,6 +469,9 @@ extern "C" {`
		`#define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label"`
		`#define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version"`
		`#define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version"`
		`@@ -116,10 +133,10 @@`
		`/*`
		`* Encoder / decoder parameters`
		`diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc`
		`- index e0fdc0daa4..aa2012c04a 100644`
		`+ index ddb1671466..54742751bc 100644`
		`--- a/providers/fips/self_test_data.inc`
		`+++ b/providers/fips/self_test_data.inc`
		`- @@ -1296,14 +1296,21 @@ static const ST_KAT_PARAM rsa_priv_key[] = {`
		`+ @@ -1295,14 +1295,21 @@ static const ST_KAT_PARAM rsa_priv_key[] = {`
		`};`

		`/*-`
		`@@ -144,7 +161,7 @@`
		`ST_KAT_PARAM_END()`
		`};`

		`- @@ -1342,43 +1349,43 @@ static const unsigned char rsa_expected_sig[256] = {`
		`+ @@ -1341,43 +1348,43 @@ static const unsigned char rsa_expected_sig[256] = {`
		`0x2c, 0x68, 0xf0, 0x37, 0xa9, 0xd2, 0x56, 0xd6`
		`};`

		`@@ -222,10 +239,10 @@`

		`#ifndef OPENSSL_NO_EC`
		`diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c`
		`- index 74ee25dcb6..a9bc8be7fa 100644`
		`+ index 52565c2dcf..3f0a14396c 100644`
		`--- a/providers/fips/self_test_kats.c`
		`+++ b/providers/fips/self_test_kats.c`
		`- @@ -641,14 +641,21 @@ static int self_test_ciphers(OSSL_SELF_TEST st, OSSL_LIB_CTX libctx)`
		`+ @@ -647,14 +647,21 @@ static int self_test_ciphers(OSSL_SELF_TEST st, OSSL_LIB_CTX libctx)`
		`return ret;`
		`}`

		`@@ -248,7 +265,7 @@`
		`}`

		`diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c`
		`- index 9cd8904131..40de5ce8fa 100644`
		`+ index 12780f6936..b85ced362e 100644`
		`--- a/providers/implementations/asymciphers/rsa_enc.c`
		`+++ b/providers/implementations/asymciphers/rsa_enc.c`
		`@@ -30,6 +30,9 @@`
		`@@ -271,8 +288,8 @@`
		`} PROV_RSA_CTX;`

		`static void rsa_newctx(void provctx)`
		`- @@ -192,12 +198,21 @@ static int rsa_encrypt(void vprsactx, unsigned char out, size_t *outlen,`
		`- }`
		`+ @@ -190,12 +196,21 @@ static int rsa_encrypt(void vprsactx, unsigned char out, size_t *outlen,`
		`+ return 0;`
		`}`
		`ret =`
		`- ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(prsactx->libctx, tbuf,`
		`@@ -295,7 +312,7 @@`

		`if (!ret) {`
		`OPENSSL_free(tbuf);`
		`- @@ -328,6 +343,9 @@ static void rsa_freectx(void *vprsactx)`
		`+ @@ -326,6 +341,9 @@ static void rsa_freectx(void *vprsactx)`
		`EVP_MD_free(prsactx->oaep_md);`
		`EVP_MD_free(prsactx->mgf1_md);`
		`OPENSSL_free(prsactx->oaep_label);`
		`@@ -305,7 +322,7 @@`

		`OPENSSL_free(prsactx);`
		`}`
		`- @@ -447,6 +465,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {`
		`+ @@ -445,6 +463,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {`
		`NULL, 0),`
		`OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),`
		`OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),`
		`@@ -315,7 +332,7 @@`
		`OSSL_PARAM_END`
		`};`

		`- @@ -456,6 +477,10 @@ static const OSSL_PARAM rsa_gettable_ctx_params(ossl_unused void vprsactx,`
		`+ @@ -454,6 +475,10 @@ static const OSSL_PARAM rsa_gettable_ctx_params(ossl_unused void vprsactx,`
		`return known_gettable_ctx_params;`
		`}`

		`@@ -326,7 +343,7 @@`
		`static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])`
		`{`
		`PROV_RSA_CTX prsactx = (PROV_RSA_CTX )vprsactx;`
		`- @@ -567,6 +592,18 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])`
		`+ @@ -565,6 +590,18 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])`
		`prsactx->oaep_labellen = tmp_labellen;`
		`}`

		`@@ -346,5 +363,5 @@`
		`if (p != NULL) {`
		`unsigned int client_version;`
		`--`
		`- 2.41.0`
		`+ 2.39.3`

0036-FIPS-Use-digest_sign-digest_verify-in-self-test.patch ~~0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch~~

file renamed

+28 -27

		`@@ -1,7 +1,7 @@`
		`- From 97ac06e5a8e3a8699279c06eeb64c8e958bad7bd Mon Sep 17 00:00:00 2001`
		`+ From d096788fc08a84a9a5565bf4718b77a484f7903d Mon Sep 17 00:00:00 2001`
		`From: Clemens Lang <cllang@redhat.com>`
		`Date: Fri, 15 Jul 2022 17:45:40 +0200`
		`- Subject: [PATCH] FIPS: Use digest_sign & digest_verify in self test`
		`+ Subject: [PATCH 36/42] FIPS: Use digest_sign & digest_verify in self test`

		`In review for FIPS 140-3, the lack of a self-test for the digest_sign`
		`and digest_verify provider functions was highlighted as a problem. NIST`
		`@@ -19,14 +19,14 @@`
		`Signed-off-by: Clemens Lang <cllang@redhat.com>`
		`---`
		`crypto/evp/m_sigver.c \| 43 +++++++++++++++++++++++++++------`
		`- providers/fips/self_test_kats.c \| 37 +++++++++++++++-------------`
		`- 2 files changed, 56 insertions(+), 24 deletions(-)`
		`+ providers/fips/self_test_kats.c \| 43 ++++++++++++++++++++-------------`
		`+ 2 files changed, 62 insertions(+), 24 deletions(-)`

		`diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c`
		`- index db1a1d7bc3..c94c3c53bd 100644`
		`+ index c17cdfa5d5..9889e4c66f 100644`
		`--- a/crypto/evp/m_sigver.c`
		`+++ b/crypto/evp/m_sigver.c`
		`- @@ -88,6 +88,7 @@ static int update(EVP_MD_CTX ctx, const void data, size_t datalen)`
		`+ @@ -98,6 +98,7 @@ static int update(EVP_MD_CTX ctx, const void data, size_t datalen)`
		`ERR_raise(ERR_LIB_EVP, EVP_R_ONLY_ONESHOT_SUPPORTED);`
		`return 0;`
		`}`
		`@@ -34,7 +34,7 @@`

		`/*`
		`* If we get the "NULL" md then the name comes back as "UNDEF". We want to use`
		`- @@ -130,8 +131,10 @@ static int do_sigver_init(EVP_MD_CTX ctx, EVP_PKEY_CTX *pctx,`
		`+ @@ -140,8 +141,10 @@ static int do_sigver_init(EVP_MD_CTX ctx, EVP_PKEY_CTX *pctx,`
		`reinit = 0;`
		`if (e == NULL)`
		`ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props);`
		`@@ -45,7 +45,7 @@`
		`}`
		`if (ctx->pctx == NULL)`
		`return 0;`
		`- @@ -139,8 +142,10 @@ static int do_sigver_init(EVP_MD_CTX ctx, EVP_PKEY_CTX *pctx,`
		`+ @@ -149,8 +152,10 @@ static int do_sigver_init(EVP_MD_CTX ctx, EVP_PKEY_CTX *pctx,`
		`locpctx = ctx->pctx;`
		`ERR_set_mark();`

		`@@ -56,7 +56,7 @@`

		`/* do not reinitialize if pkey is set or operation is different */`
		`if (reinit`
		`- @@ -225,8 +230,10 @@ static int do_sigver_init(EVP_MD_CTX ctx, EVP_PKEY_CTX *pctx,`
		`+ @@ -235,8 +240,10 @@ static int do_sigver_init(EVP_MD_CTX ctx, EVP_PKEY_CTX *pctx,`
		`signature =`
		`evp_signature_fetch_from_prov((OSSL_PROVIDER *)tmp_prov,`
		`supported_sig, locpctx->propquery);`
		`@@ -67,7 +67,7 @@`
		`break;`
		`}`
		`if (signature == NULL)`
		`- @@ -310,6 +317,7 @@ static int do_sigver_init(EVP_MD_CTX ctx, EVP_PKEY_CTX *pctx,`
		`+ @@ -320,6 +327,7 @@ static int do_sigver_init(EVP_MD_CTX ctx, EVP_PKEY_CTX *pctx,`
		`ctx->fetched_digest = EVP_MD_fetch(locpctx->libctx, mdname, props);`
		`if (ctx->fetched_digest != NULL) {`
		`ctx->digest = ctx->reqdigest = ctx->fetched_digest;`
		`@@ -75,7 +75,7 @@`
		`} else {`
		`/* legacy engine support : remove the mark when this is deleted */`
		`ctx->reqdigest = ctx->digest = EVP_get_digestbyname(mdname);`
		`- @@ -318,11 +326,13 @@ static int do_sigver_init(EVP_MD_CTX ctx, EVP_PKEY_CTX *pctx,`
		`+ @@ -328,11 +336,13 @@ static int do_sigver_init(EVP_MD_CTX ctx, EVP_PKEY_CTX *pctx,`
		`ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);`
		`goto err;`
		`}`
		`@@ -89,15 +89,15 @@`
		`if (ctx->reqdigest != NULL`
		`&& !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)`
		`&& !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)`
		`- @@ -334,6 +344,7 @@ static int do_sigver_init(EVP_MD_CTX ctx, EVP_PKEY_CTX *pctx,`
		`- goto err;`
		`+ @@ -347,6 +357,7 @@ static int do_sigver_init(EVP_MD_CTX ctx, EVP_PKEY_CTX *pctx,`
		`+ }`
		`}`
		`}`
		`+#endif /* !defined(FIPS_MODULE) */`

		`if (ver) {`
		`if (signature->digest_verify_init == NULL) {`
		`- @@ -366,6 +377,7 @@ static int do_sigver_init(EVP_MD_CTX ctx, EVP_PKEY_CTX *pctx,`
		`+ @@ -379,6 +390,7 @@ static int do_sigver_init(EVP_MD_CTX ctx, EVP_PKEY_CTX *pctx,`
		`EVP_KEYMGMT_free(tmp_keymgmt);`
		`return 0;`

		`@@ -105,7 +105,7 @@`
		`legacy:`
		`/*`
		`* If we don't have the full support we need with provided methods,`
		`- @@ -437,6 +449,7 @@ static int do_sigver_init(EVP_MD_CTX ctx, EVP_PKEY_CTX *pctx,`
		`+ @@ -450,6 +462,7 @@ static int do_sigver_init(EVP_MD_CTX ctx, EVP_PKEY_CTX *pctx,`
		`ctx->pctx->flag_call_digest_custom = 1;`

		`ret = 1;`
		`@@ -113,7 +113,7 @@`

		`end:`
		`#ifndef FIPS_MODULE`
		`- @@ -479,7 +492,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX ctx, EVP_PKEY_CTX *pctx,`
		`+ @@ -492,7 +505,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX ctx, EVP_PKEY_CTX *pctx,`
		`return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1,`
		`NULL);`
		`}`
		`@@ -121,7 +121,7 @@`

		`int EVP_DigestSignUpdate(EVP_MD_CTX ctx, const void data, size_t dsize)`
		`{`
		`- @@ -541,23 +553,29 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX ctx, const void data, size_t dsize)`
		`+ @@ -554,23 +566,29 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX ctx, const void data, size_t dsize)`
		`return EVP_DigestUpdate(ctx, data, dsize);`
		`}`

		`@@ -154,7 +154,7 @@`
		`dctx = EVP_PKEY_CTX_dup(pctx);`
		`if (dctx == NULL)`
		`return 0;`
		`- @@ -566,8 +584,10 @@ int EVP_DigestSignFinal(EVP_MD_CTX ctx, unsigned char sigret,`
		`+ @@ -579,8 +597,10 @@ int EVP_DigestSignFinal(EVP_MD_CTX ctx, unsigned char sigret,`
		`sigret, siglen,`
		`*siglen);`
		`EVP_PKEY_CTX_free(dctx);`
		`@@ -165,7 +165,7 @@`
		`legacy:`
		`if (pctx == NULL \|\| pctx->pmeth == NULL) {`
		`ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);`
		`- @@ -639,6 +659,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX ctx, unsigned char sigret,`
		`+ @@ -652,6 +672,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX ctx, unsigned char sigret,`
		`}`
		`}`
		`return 1;`
		`@@ -173,7 +173,7 @@`
		`}`

		`int EVP_DigestSign(EVP_MD_CTX ctx, unsigned char sigret, size_t *siglen,`
		`- @@ -669,21 +690,27 @@ int EVP_DigestSign(EVP_MD_CTX ctx, unsigned char sigret, size_t *siglen,`
		`+ @@ -682,21 +703,27 @@ int EVP_DigestSign(EVP_MD_CTX ctx, unsigned char sigret, size_t *siglen,`
		`int EVP_DigestVerifyFinal(EVP_MD_CTX ctx, const unsigned char sig,`
		`size_t siglen)`
		`{`
		`@@ -203,7 +203,7 @@`
		`dctx = EVP_PKEY_CTX_dup(pctx);`
		`if (dctx == NULL)`
		`return 0;`
		`- @@ -691,8 +718,10 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX ctx, const unsigned char sig,`
		`+ @@ -704,8 +731,10 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX ctx, const unsigned char sig,`
		`r = dctx->op.sig.signature->digest_verify_final(dctx->op.sig.algctx,`
		`sig, siglen);`
		`EVP_PKEY_CTX_free(dctx);`
		`@@ -214,7 +214,7 @@`
		`legacy:`
		`if (pctx == NULL \|\| pctx->pmeth == NULL) {`
		`ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);`
		`- @@ -732,6 +761,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX ctx, const unsigned char sig,`
		`+ @@ -745,6 +774,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX ctx, const unsigned char sig,`
		`if (vctx \|\| !r)`
		`return r;`
		`return EVP_PKEY_verify(pctx, sig, siglen, md, mdlen);`
		`@@ -222,16 +222,16 @@`
		`}`

		`int EVP_DigestVerify(EVP_MD_CTX ctx, const unsigned char sigret,`
		`- @@ -757,4 +787,3 @@ int EVP_DigestVerify(EVP_MD_CTX ctx, const unsigned char sigret,`
		`+ @@ -770,4 +800,3 @@ int EVP_DigestVerify(EVP_MD_CTX ctx, const unsigned char sigret,`
		`return -1;`
		`return EVP_DigestVerifyFinal(ctx, sigret, siglen);`
		`}`
		`-#endif /* FIPS_MODULE */`
		`diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c`
		`- index b6d5e8e134..77eec075e6 100644`
		`+ index 3f0a14396c..f4ac61103b 100644`
		`--- a/providers/fips/self_test_kats.c`
		`+++ b/providers/fips/self_test_kats.c`
		`- @@ -444,10 +444,13 @@ static int self_test_sign(const ST_KAT_SIGN *t,`
		`+ @@ -444,11 +444,14 @@ static int self_test_sign(const ST_KAT_SIGN *t,`
		`int ret = 0;`
		`OSSL_PARAM params = NULL, params_sig = NULL;`
		`OSSL_PARAM_BLD *bld = NULL;`
		`@@ -241,6 +241,7 @@`
		`EVP_PKEY *pkey = NULL;`
		`- unsigned char sig[256];`
		`BN_CTX *bnctx = NULL;`
		`+ BIGNUM *K = NULL;`
		`+ const char *msg = "Hello World!";`
		`+ unsigned char sig[256];`
		`size_t siglen = sizeof(sig);`
		`@@ -287,7 +288,7 @@`
		`\|\| EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)`
		`goto err;`

		`- @@ -509,14 +510,17 @@ static int self_test_sign(const ST_KAT_SIGN *t,`
		`+ @@ -518,14 +524,17 @@ static int self_test_sign(const ST_KAT_SIGN *t,`
		`goto err;`

		`OSSL_SELF_TEST_oncorrupt_byte(st, sig);`
		`@@ -308,5 +309,5 @@`
		`OSSL_PARAM_free(params_sig);`
		`OSSL_PARAM_BLD_free(bld);`
		`--`
		`- 2.37.1`
		`+ 2.39.3`

0037-FIPS-Use-FFDHE2048-in-self-test.patch ~~0075-FIPS-Use-FFDHE2048-in-self-test.patch~~

file renamed

+5 -5

		`@@ -1,7 +1,7 @@`
		`- From e385647549c467fe263b68b72dd21bdfb875ee88 Mon Sep 17 00:00:00 2001`
		`+ From af8b83b59efd106e1104c3fe210f302d160d16c6 Mon Sep 17 00:00:00 2001`
		`From: Clemens Lang <cllang@redhat.com>`
		`Date: Fri, 22 Jul 2022 17:51:16 +0200`
		`- Subject: [PATCH 2/2] FIPS: Use FFDHE2048 in self test`
		`+ Subject: [PATCH 37/42] FIPS: Use FFDHE2048 in self test`

		`Signed-off-by: Clemens Lang <cllang@redhat.com>`
		`---`
		`@@ -9,10 +9,10 @@`
		`1 file changed, 172 insertions(+), 170 deletions(-)`

		`diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc`
		`- index a29cc650b5..1b5623833f 100644`
		`+ index 54742751bc..cc82afeb9e 100644`
		`--- a/providers/fips/self_test_data.inc`
		`+++ b/providers/fips/self_test_data.inc`
		`- @@ -821,188 +821,190 @@ static const ST_KAT_DRBG st_kat_drbg_tests[] =`
		`+ @@ -824,188 +824,190 @@ static const ST_KAT_DRBG st_kat_drbg_tests[] =`

		`#ifndef OPENSSL_NO_DH`
		`/* DH KAT */`
		`@@ -374,5 +374,5 @@`

		`static const ST_KAT_PARAM dh_group[] = {`
		`--`
		`- 2.35.3`
		`+ 2.39.3`

0038-FIPS-140-3-DRBG.patch ~~0076-FIPS-140-3-DRBG.patch~~

file renamed

+13 -18

		`@@ -1,14 +1,9 @@`
		`- From 4b59d71e276243615d8fcc65bab32d83e6a602ad Mon Sep 17 00:00:00 2001`
		`- From: rpm-build <rpm-build>`
		`- Date: Mon, 31 Jul 2023 09:41:29 +0200`
		`- Subject: [PATCH 32/35] 0076-FIPS-140-3-DRBG.patch`
		`+ From de239b685b4b77d841e291a948e09d7986b1f099 Mon Sep 17 00:00:00 2001`
		`+ From: Sahana Prasad <sahana@redhat.com>`
		`+ Date: Wed, 7 Jun 2023 10:49:04 +0200`
		`+ Subject: [PATCH 38/42] FIPS-140-3 DRBG Patch-name: 0076-FIPS-140-3-DRBG.patch`

		`- Patch-name: 0076-FIPS-140-3-DRBG.patch`
		`- Patch-id: 76`
		`- Patch-status: \|`
		`- # Downstream only. Reseed DRBG using getrandom(GRND_RANDOM)`
		`- # https://bugzilla.redhat.com/show_bug.cgi?id=2102541`
		`- From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd`
		`+ Signed-off-by: Sahana Prasad <sahana@redhat.com>`
		`---`
		`crypto/rand/prov_seed.c \| 9 ++-`
		`providers/implementations/rands/crngt.c \| 6 +-`
		`@@ -37,10 +32,10 @@`
		`ERR_raise(ERR_LIB_RAND, ERR_R_MALLOC_FAILURE);`
		`return 0;`
		`diff --git a/providers/implementations/rands/crngt.c b/providers/implementations/rands/crngt.c`
		`- index fa4a2db14a..1f13fc759e 100644`
		`+ index 4095994bda..026e6cdca3 100644`
		`--- a/providers/implementations/rands/crngt.c`
		`+++ b/providers/implementations/rands/crngt.c`
		`- @@ -133,7 +133,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG *drbg,`
		`+ @@ -139,7 +139,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG *drbg,`
		`* to the nearest byte. If the entropy is of less than full quality,`
		`* the amount required should be scaled up appropriately here.`
		`*/`
		`@@ -54,10 +49,10 @@`
		`bytes_needed = min_len;`
		`if (bytes_needed > max_len)`
		`diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c`
		`- index ea55363bf8..423bb91157 100644`
		`+ index c8fe66aa57..c12e99d193 100644`
		`--- a/providers/implementations/rands/drbg.c`
		`+++ b/providers/implementations/rands/drbg.c`
		`- @@ -570,6 +570,9 @@ int ossl_prov_drbg_reseed(PROV_DRBG *drbg, int prediction_resistance,`
		`+ @@ -575,6 +575,9 @@ int ossl_prov_drbg_reseed(PROV_DRBG *drbg, int prediction_resistance,`
		`#endif`
		`}`

		`@@ -68,7 +63,7 @@`
		`entropylen = get_entropy(drbg, &entropy, drbg->strength,`
		`drbg->min_entropylen, drbg->max_entropylen,`
		`diff --git a/providers/implementations/rands/seeding/rand_unix.c b/providers/implementations/rands/seeding/rand_unix.c`
		`- index cd02a0236d..98c917b6d8 100644`
		`+ index 750afca58e..6063eee152 100644`
		`--- a/providers/implementations/rands/seeding/rand_unix.c`
		`+++ b/providers/implementations/rands/seeding/rand_unix.c`
		`@@ -48,6 +48,8 @@`
		`@@ -79,8 +74,8 @@`
		`+# include <openssl/evp.h>`

		`static uint64_t get_time_stamp(void);`
		`-`
		`- @@ -341,66 +343,8 @@ static ssize_t syscall_random(void *buf, size_t buflen)`
		`+ static uint64_t get_timer_bits(void);`
		`+ @@ -342,66 +344,8 @@ static ssize_t syscall_random(void *buf, size_t buflen)`
		`* which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion`
		`* between size_t and ssize_t is safe even without a range check.`
		`*/`
		`@@ -150,5 +145,5 @@`
		`# endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */`

		`--`
		`- 2.41.0`
		`+ 2.39.3`

0039-FIPS-140-3-zeroization.patch ~~0077-FIPS-140-3-zeroization.patch~~

file renamed

+14 -17

		`@@ -1,13 +1,10 @@`
		`- From 9c667a7ba589329f3a777b012bf69a0db7f7eda9 Mon Sep 17 00:00:00 2001`
		`- From: rpm-build <rpm-build>`
		`- Date: Mon, 31 Jul 2023 09:41:29 +0200`
		`- Subject: [PATCH 33/35] 0077-FIPS-140-3-zeroization.patch`
		`+ From 2c49bd016acbc1f8021fcd683a83f53a1f02b8ca Mon Sep 17 00:00:00 2001`
		`+ From: Sahana Prasad <sahana@redhat.com>`
		`+ Date: Wed, 7 Jun 2023 10:49:58 +0200`
		`+ Subject: [PATCH 39/42] FIPS-140-3 zeroization Patch-name:`
		`+ 0077-FIPS-140-3-zeroization.patch`

		`- Patch-name: 0077-FIPS-140-3-zeroization.patch`
		`- Patch-id: 77`
		`- Patch-status: \|`
		`- # https://bugzilla.redhat.com/show_bug.cgi?id=2102542`
		`- From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd`
		`+ Signed-off-by: Sahana Prasad <sahana@redhat.com>`
		`---`
		`crypto/ec/ec_lib.c \| 4 ++++`
		`crypto/ffc/ffc_params.c \| 8 ++++----`
		`@@ -17,7 +14,7 @@`
		`5 files changed, 12 insertions(+), 8 deletions(-)`

		`diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c`
		`- index 6c37bf78ae..cfbc3c3c1d 100644`
		`+ index b1696d93bd..3397394648 100644`
		`--- a/crypto/ec/ec_lib.c`
		`+++ b/crypto/ec/ec_lib.c`
		`@@ -744,12 +744,16 @@ EC_POINT EC_POINT_new(const EC_GROUP group)`
		`@@ -38,7 +35,7 @@`

		`void EC_POINT_clear_free(EC_POINT *point)`
		`diff --git a/crypto/ffc/ffc_params.c b/crypto/ffc/ffc_params.c`
		`- index 3536efd1ad..f3c164b8fc 100644`
		`+ index fb558f8221..1708096cd0 100644`
		`--- a/crypto/ffc/ffc_params.c`
		`+++ b/crypto/ffc/ffc_params.c`
		`@@ -27,10 +27,10 @@ void ossl_ffc_params_init(FFC_PARAMS *params)`
		`@@ -57,7 +54,7 @@`
		`ossl_ffc_params_init(params);`
		`}`
		`diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c`
		`- index 9588a75964..76b4aac6fc 100644`
		`+ index 449097b8b2..140aaf73af 100644`
		`--- a/crypto/rsa/rsa_lib.c`
		`+++ b/crypto/rsa/rsa_lib.c`
		`@@ -155,8 +155,8 @@ void RSA_free(RSA *r)`
		`@@ -72,10 +69,10 @@`
		`BN_clear_free(r->p);`
		`BN_clear_free(r->q);`
		`diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c`
		`- index daa619b8af..5304baa6c9 100644`
		`+ index dfa7786bde..e7e9dd9e1f 100644`
		`--- a/providers/implementations/kdfs/hkdf.c`
		`+++ b/providers/implementations/kdfs/hkdf.c`
		`- @@ -118,7 +118,7 @@ static void kdf_hkdf_reset(void *vctx)`
		`+ @@ -117,7 +117,7 @@ static void kdf_hkdf_reset(void *vctx)`
		`void *provctx = ctx->provctx;`

		`ossl_prov_digest_reset(&ctx->digest);`
		`@@ -85,10 +82,10 @@`
		`OPENSSL_free(ctx->label);`
		`OPENSSL_clear_free(ctx->data, ctx->data_len);`
		`diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c`
		`- index 5c3e7b95ce..349c3dd657 100644`
		`+ index 2a0ae63acc..d183f2b91b 100644`
		`--- a/providers/implementations/kdfs/pbkdf2.c`
		`+++ b/providers/implementations/kdfs/pbkdf2.c`
		`- @@ -92,7 +92,7 @@ static void kdf_pbkdf2_new(void provctx)`
		`+ @@ -83,7 +83,7 @@ static void kdf_pbkdf2_new(void provctx)`
		`static void kdf_pbkdf2_cleanup(KDF_PBKDF2 *ctx)`
		`{`
		`ossl_prov_digest_reset(&ctx->digest);`
		`@@ -98,5 +95,5 @@`
		`memset(ctx, 0, sizeof(*ctx));`
		`}`
		`--`
		`- 2.41.0`
		`+ 2.39.3`

0040-Add-FIPS-indicator-parameter-to-HKDF.patch ~~0078-Add-FIPS-indicator-parameter-to-HKDF.patch~~

file renamed

+8 -8

		`@@ -1,7 +1,7 @@`
		`- From c4b086fc4de06128695e1fe428f56d776d25e748 Mon Sep 17 00:00:00 2001`
		`+ From b9178b13a129caedf5a61e6c117e2088d770dc09 Mon Sep 17 00:00:00 2001`
		`From: Clemens Lang <cllang@redhat.com>`
		`Date: Thu, 11 Aug 2022 09:27:12 +0200`
		`- Subject: [PATCH] Add FIPS indicator parameter to HKDF`
		`+ Subject: [PATCH 40/42] Add FIPS indicator parameter to HKDF`

		`NIST considers HKDF only acceptable when used as in TLS 1.3, and`
		`otherwise unapproved. Add an explicit indicator attached to the`
		`@@ -17,10 +17,10 @@`
		`3 files changed, 58 insertions(+)`

		`diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h`
		`- index 21c94d0488..87786680d7 100644`
		`+ index de6c5fdb23..28ec94a387 100644`
		`--- a/include/openssl/core_names.h`
		`+++ b/include/openssl/core_names.h`
		`- @@ -223,6 +223,7 @@ extern "C" {`
		`+ @@ -224,6 +224,7 @@ extern "C" {`
		`#define OSSL_KDF_PARAM_X942_SUPP_PUBINFO "supp-pubinfo"`
		`#define OSSL_KDF_PARAM_X942_SUPP_PRIVINFO "supp-privinfo"`
		`#define OSSL_KDF_PARAM_X942_USE_KEYBITS "use-keybits"`
		`@@ -44,10 +44,10 @@`
		`#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66`
		`#define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67`
		`diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c`
		`- index afdb7138e1..9d28d292d8 100644`
		`+ index e7e9dd9e1f..4fa2b344db 100644`
		`--- a/providers/implementations/kdfs/hkdf.c`
		`+++ b/providers/implementations/kdfs/hkdf.c`
		`- @@ -298,6 +298,56 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])`
		`+ @@ -340,6 +340,56 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])`
		`return 0;`
		`return OSSL_PARAM_set_size_t(p, sz);`
		`}`
		`@@ -104,7 +104,7 @@`
		`return -2;`
		`}`

		`- @@ -306,6 +356,9 @@ static const OSSL_PARAM kdf_hkdf_gettable_ctx_params(ossl_unused void ctx,`
		`+ @@ -348,6 +398,9 @@ static const OSSL_PARAM kdf_hkdf_gettable_ctx_params(ossl_unused void ctx,`
		`{`
		`static const OSSL_PARAM known_gettable_ctx_params[] = {`
		`OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),`
		`@@ -115,5 +115,5 @@`
		`};`
		`return known_gettable_ctx_params;`
		`--`
		`- 2.37.1`
		`+ 2.39.3`

0041-Fix-AES-GCM-on-Power-8-CPUs.patch

file added

+146

		`@@ -0,0 +1,146 @@`
		`+ From 8995f52fbb74368a084916b43fa2653afe366d8c Mon Sep 17 00:00:00 2001`
		`+ From: Tomas Mraz <tomas@openssl.org>`
		`+ Date: Fri, 9 Sep 2022 14:46:24 +0200`
		`+ Subject: [PATCH 41/42] Fix AES-GCM on Power 8 CPUs`
		`+`
		`+ Properly fallback to the default implementation on CPUs`
		`+ missing necessary instructions.`
		`+`
		`+ Fixes #19163`
		`+`
		`+ (cherry picked from commit 24344d387178d45b37a1fbc51519c390e9a4effe)`
		`+ ---`
		`+ include/crypto/aes_platform.h \| 12 +---`
		`+ .../ciphers/cipher_aes_gcm_hw_ppc.inc \| 72 ++++++++++++++-----`
		`+ 2 files changed, 56 insertions(+), 28 deletions(-)`
		`+`
		`+ diff --git a/include/crypto/aes_platform.h b/include/crypto/aes_platform.h`
		`+ index 0c281a366a..6830bad0e9 100644`
		`+ --- a/include/crypto/aes_platform.h`
		`+ +++ b/include/crypto/aes_platform.h`
		`+ @@ -83,16 +83,8 @@ size_t ppc_aes_gcm_encrypt(const unsigned char in, unsigned char out,`
		`+ size_t ppc_aes_gcm_decrypt(const unsigned char in, unsigned char out,`
		`+ size_t len, const void *key, unsigned char ivec[16],`
		`+ u64 *Xi);`
		`+ -size_t ppc_aes_gcm_encrypt_wrap(const unsigned char in, unsigned char out,`
		`+ - size_t len, const void *key,`
		`+ - unsigned char ivec[16], u64 *Xi);`
		`+ -size_t ppc_aes_gcm_decrypt_wrap(const unsigned char in, unsigned char out,`
		`+ - size_t len, const void *key,`
		`+ - unsigned char ivec[16], u64 *Xi);`
		`+ -# define AES_gcm_encrypt ppc_aes_gcm_encrypt_wrap`
		`+ -# define AES_gcm_decrypt ppc_aes_gcm_decrypt_wrap`
		`+ -# define AES_GCM_ASM(gctx) ((gctx)->ctr==aes_p8_ctr32_encrypt_blocks && \`
		`+ - (gctx)->gcm.ghash==gcm_ghash_p8)`
		`+ +# define AES_GCM_ASM_PPC(gctx) ((gctx)->ctr==aes_p8_ctr32_encrypt_blocks && \`
		`+ + (gctx)->gcm.ghash==gcm_ghash_p8)`
		`+ void gcm_ghash_p8(u64 Xi[2],const u128 Htable[16],const u8 *inp, size_t len);`
		`+ # endif /* PPC */`
		`+`
		`+ diff --git a/providers/implementations/ciphers/cipher_aes_gcm_hw_ppc.inc b/providers/implementations/ciphers/cipher_aes_gcm_hw_ppc.inc`
		`+ index 4eed0f4ab0..03e3eddc41 100644`
		`+ --- a/providers/implementations/ciphers/cipher_aes_gcm_hw_ppc.inc`
		`+ +++ b/providers/implementations/ciphers/cipher_aes_gcm_hw_ppc.inc`
		`+ @@ -23,12 +23,6 @@ static int aes_ppc_gcm_initkey(PROV_GCM_CTX ctx, const unsigned char key,`
		`+ return 1;`
		`+ }`
		`+`
		`+ -`
		`+ -extern size_t ppc_aes_gcm_encrypt(const unsigned char in, unsigned char out, size_t len,`
		`+ - const void key, unsigned char ivec[16], u64 Xi);`
		`+ -extern size_t ppc_aes_gcm_decrypt(const unsigned char in, unsigned char out, size_t len,`
		`+ - const void key, unsigned char ivec[16], u64 Xi);`
		`+ -`
		`+ static inline u32 UTO32(unsigned char *buf)`
		`+ {`
		`+ return ((u32) buf[0] << 24) \| ((u32) buf[1] << 16) \| ((u32) buf[2] << 8) \| ((u32) buf[3]);`
		`+ @@ -47,7 +41,7 @@ static inline u32 add32TOU(unsigned char buf[4], u32 n)`
		`+ return r;`
		`+ }`
		`+`
		`+ -static size_t aes_p10_gcm_crypt(const unsigned char in, unsigned char out, size_t len,`
		`+ +static size_t ppc_aes_gcm_crypt(const unsigned char in, unsigned char out, size_t len,`
		`+ const void key, unsigned char ivec[16], u64 Xi, int encrypt)`
		`+ {`
		`+ int s = 0;`
		`+ @@ -90,24 +84,66 @@ static size_t aes_p10_gcm_crypt(const unsigned char in, unsigned char out, siz`
		`+ return ndone;`
		`+ }`
		`+`
		`+ -size_t ppc_aes_gcm_encrypt_wrap(const unsigned char in, unsigned char out, size_t len,`
		`+ - const void key, unsigned char ivec[16], u64 Xi)`
		`+ -{`
		`+ - return aes_p10_gcm_crypt(in, out, len, key, ivec, Xi, 1);`
		`+ -}`
		`+ -`
		`+ -size_t ppc_aes_gcm_decrypt_wrap(const unsigned char in, unsigned char out, size_t len,`
		`+ - const void key, unsigned char ivec[16], u64 Xi)`
		`+ +static int ppc_aes_gcm_cipher_update(PROV_GCM_CTX ctx, const unsigned char in,`
		`+ + size_t len, unsigned char *out)`
		`+ {`
		`+ - return aes_p10_gcm_crypt(in, out, len, key, ivec, Xi, 0);`
		`+ + if (ctx->enc) {`
		`+ + if (ctx->ctr != NULL) {`
		`+ + size_t bulk = 0;`
		`+ +`
		`+ + if (len >= AES_GCM_ENC_BYTES && AES_GCM_ASM_PPC(ctx)) {`
		`+ + size_t res = (16 - ctx->gcm.mres) % 16;`
		`+ +`
		`+ + if (CRYPTO_gcm128_encrypt(&ctx->gcm, in, out, res))`
		`+ + return 0;`
		`+ +`
		`+ + bulk = ppc_aes_gcm_crypt(in + res, out + res, len - res,`
		`+ + ctx->gcm.key,`
		`+ + ctx->gcm.Yi.c, ctx->gcm.Xi.u, 1);`
		`+ +`
		`+ + ctx->gcm.len.u[1] += bulk;`
		`+ + bulk += res;`
		`+ + }`
		`+ + if (CRYPTO_gcm128_encrypt_ctr32(&ctx->gcm, in + bulk, out + bulk,`
		`+ + len - bulk, ctx->ctr))`
		`+ + return 0;`
		`+ + } else {`
		`+ + if (CRYPTO_gcm128_encrypt(&ctx->gcm, in, out, len))`
		`+ + return 0;`
		`+ + }`
		`+ + } else {`
		`+ + if (ctx->ctr != NULL) {`
		`+ + size_t bulk = 0;`
		`+ +`
		`+ + if (len >= AES_GCM_DEC_BYTES && AES_GCM_ASM_PPC(ctx)) {`
		`+ + size_t res = (16 - ctx->gcm.mres) % 16;`
		`+ +`
		`+ + if (CRYPTO_gcm128_decrypt(&ctx->gcm, in, out, res))`
		`+ + return -1;`
		`+ +`
		`+ + bulk = ppc_aes_gcm_crypt(in + res, out + res, len - res,`
		`+ + ctx->gcm.key,`
		`+ + ctx->gcm.Yi.c, ctx->gcm.Xi.u, 0);`
		`+ +`
		`+ + ctx->gcm.len.u[1] += bulk;`
		`+ + bulk += res;`
		`+ + }`
		`+ + if (CRYPTO_gcm128_decrypt_ctr32(&ctx->gcm, in + bulk, out + bulk,`
		`+ + len - bulk, ctx->ctr))`
		`+ + return 0;`
		`+ + } else {`
		`+ + if (CRYPTO_gcm128_decrypt(&ctx->gcm, in, out, len))`
		`+ + return 0;`
		`+ + }`
		`+ + }`
		`+ + return 1;`
		`+ }`
		`+`
		`+ -`
		`+ static const PROV_GCM_HW aes_ppc_gcm = {`
		`+ aes_ppc_gcm_initkey,`
		`+ ossl_gcm_setiv,`
		`+ ossl_gcm_aad_update,`
		`+ - generic_aes_gcm_cipher_update,`
		`+ + ppc_aes_gcm_cipher_update,`
		`+ ossl_gcm_cipher_final,`
		`+ ossl_gcm_one_shot`
		`+ };`
		`+ --`
		`+ 2.39.3`
		`+`

0042-Adds-RSA-PKCS15-implicit-rejection.patch ~~0100-RSA-PKCS15-implicit-rejection.patch~~

file renamed

+83 -51

		`@@ -1,8 +1,37 @@`
		`+ From 0da8467e7098a78a1a3fd5f9ccd44dafe939d888 Mon Sep 17 00:00:00 2001`
		`+ From: Sahana Prasad <sahana@redhat.com>`
		`+ Date: Wed, 7 Jun 2023 10:51:38 +0200`
		`+ Subject: [PATCH 42/42] Adds RSA-PKCS15 implicit rejection Patch-name:`
		`+ 0100-RSA-PKCS15-implicit-rejection.patch From-dist-git-commit:`
		`+ 979cb8a57bbd5c15b3f09a153e107a0c2f968b9b Signed-off-by: Sahana Prasad`
		`+ <sahana@redhat.com>`
		`+`
		`+ ---`
		`+ crypto/cms/cms_env.c \| 7 +`
		`+ crypto/evp/ctrl_params_translate.c \| 6 +`
		`+ crypto/pkcs7/pk7_doit.c \| 7 +`
		`+ crypto/rsa/rsa_ossl.c \| 101 +++-`
		`+ crypto/rsa/rsa_pk1.c \| 252 ++++++++++`
		`+ crypto/rsa/rsa_pmeth.c \| 20 +-`
		`+ doc/man1/openssl-pkeyutl.pod.in \| 15 +`
		`+ doc/man1/openssl-rsautl.pod.in \| 5 +`
		`+ doc/man3/EVP_PKEY_CTX_ctrl.pod \| 9 +`
		`+ doc/man3/EVP_PKEY_decrypt.pod \| 12 +`
		`+ doc/man3/RSA_padding_add_PKCS1_type_1.pod \| 7 +-`
		`+ doc/man3/RSA_public_encrypt.pod \| 11 +-`
		`+ doc/man7/provider-asym_cipher.pod \| 9 +`
		`+ include/crypto/rsa.h \| 4 +`
		`+ include/openssl/core_names.h \| 2 +`
		`+ include/openssl/rsa.h \| 5 +`
		`+ .../implementations/asymciphers/rsa_enc.c \| 26 +-`
		`+ .../30-test_evp_data/evppkey_rsa_common.txt \| 472 ++++++++++++++++++`
		`+ 18 files changed, 962 insertions(+), 8 deletions(-)`
		`+`
		`diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c`
		`- index d25504a03f7..c55511011f6 100644`
		`+ index 51a1d7df84..ec19a9f747 100644`
		`--- a/crypto/cms/cms_env.c`
		`+++ b/crypto/cms/cms_env.c`
		`- @@ -608,6 +608,13 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,`
		`+ @@ -571,6 +571,13 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,`
		`if (!ossl_cms_env_asn1_ctrl(ri, 1))`
		`goto err;`

		`@@ -17,10 +46,10 @@`
		`ktri->encryptedKey->data,`
		`ktri->encryptedKey->length) <= 0)`
		`diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c`
		`- index 56ed5ea6d68..f64c1fcb2ac 100644`
		`+ index c767c31643..2445760f3d 100644`
		`--- a/crypto/evp/ctrl_params_translate.c`
		`+++ b/crypto/evp/ctrl_params_translate.c`
		`- @@ -2201,6 +2201,12 @@ static const struct translation_st evp_pkey_ctx_translations[] = {`
		`+ @@ -2203,6 +2203,12 @@ static const struct translation_st evp_pkey_ctx_translations[] = {`
		`EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, NULL, NULL,`
		`OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, OSSL_PARAM_OCTET_STRING, NULL },`

		`@@ -34,10 +63,10 @@`
		`EVP_PKEY_CTRL_MD, "rsa_pss_keygen_md", NULL,`
		`OSSL_ALG_PARAM_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md },`
		`diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c`
		`- index 31b368bda3b..8a46ab471df 100644`
		`+ index 1cef67b211..e0094486dd 100644`
		`--- a/crypto/pkcs7/pk7_doit.c`
		`+++ b/crypto/pkcs7/pk7_doit.c`
		`- @@ -163,6 +163,13 @@ static int pkcs7_decrypt_rinfo(unsigned char *pek, int peklen,`
		`+ @@ -170,6 +170,13 @@ static int pkcs7_decrypt_rinfo(unsigned char *pek, int peklen,`
		`if (EVP_PKEY_decrypt_init(pctx) <= 0)`
		`goto err;`

		`@@ -52,7 +81,7 @@`
		`ri->enc_key->data, ri->enc_key->length) <= 0)`
		`goto err;`
		`diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c`
		`- index 54e2a1c61ca..094a6632b66 100644`
		`+ index 96fed3ca59..0dd3042899 100644`
		`--- a/crypto/rsa/rsa_ossl.c`
		`+++ b/crypto/rsa/rsa_ossl.c`
		`@@ -17,6 +17,9 @@`
		`@@ -65,7 +94,7 @@`

		`static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,`
		`unsigned char to, RSA rsa, int padding);`
		`- @@ -372,8 +375,13 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,`
		`+ @@ -376,8 +379,13 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,`
		`BIGNUM f, ret;`
		`int j, num = 0, r = -1;`
		`unsigned char *buf = NULL;`
		`@@ -79,7 +108,7 @@`
		`/*`
		`* Used only if the blinding structure is shared. A non-NULL unblind`
		`* instructs rsa_blinding_convert() and rsa_blinding_invert() to store`
		`- @@ -382,6 +390,12 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,`
		`+ @@ -386,6 +394,12 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,`
		`BIGNUM *unblind = NULL;`
		`BN_BLINDING *blinding = NULL;`

		`@@ -92,7 +121,7 @@`
		`if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)`
		`goto err;`
		`BN_CTX_start(ctx);`
		`- @@ -405,6 +419,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,`
		`+ @@ -407,6 +421,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,`
		`goto err;`
		`}`

		`@@ -104,7 +133,7 @@`
		`/* make data into a big number */`
		`if (BN_bin2bn(from, (int)flen, f) == NULL)`
		`goto err;`
		`- @@ -471,6 +490,81 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,`
		`+ @@ -469,6 +488,81 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,`
		`BN_free(d);`
		`}`

		`@@ -183,11 +212,11 @@`
		`+ }`
		`+ }`
		`+`
		`- if (blinding)`
		`- if (!rsa_blinding_invert(blinding, ret, unblind, ctx))`
		`- goto err;`
		`- @@ -471,9 +545,12 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,`
		`- goto err;`
		`+ if (blinding) {`
		`+ /*`
		`+ * ossl_bn_rsa_do_unblind() combines blinding inversion and`
		`+ @@ -485,9 +579,12 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,`
		`+ }`

		`switch (padding) {`
		`- case RSA_PKCS1_PADDING:`
		`@@ -200,7 +229,7 @@`
		`case RSA_PKCS1_OAEP_PADDING:`
		`r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);`
		`break;`
		`- @@ -500,6 +597,8 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,`
		`+ @@ -509,6 +606,8 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,`
		`#endif`

		`err:`
		`@@ -210,7 +239,7 @@`
		`BN_CTX_free(ctx);`
		`OPENSSL_clear_free(buf, num);`
		`diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c`
		`- index 5f72fe1735d..04fb0e4ed5e 100644`
		`+ index 51507fc030..5cd2b26879 100644`
		`--- a/crypto/rsa/rsa_pk1.c`
		`+++ b/crypto/rsa/rsa_pk1.c`
		`@@ -21,10 +21,14 @@`
		`@@ -228,7 +257,7 @@`
		`int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,`
		`const unsigned char *from, int flen)`
		`{`
		`- @@ -271,6 +275,254 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,`
		`+ @@ -273,6 +277,254 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,`
		`return constant_time_select_int(good, mlen, -1);`
		`}`

		`@@ -484,7 +513,7 @@`
		`* ossl_rsa_padding_check_PKCS1_type_2_TLS() checks and removes the PKCS1 type 2`
		`* padding from a decrypted RSA message in a TLS signature. The result is stored`
		`diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c`
		`- index 8b35e5c3c6d..c67b20baf56 100644`
		`+ index 44c819a5c3..6556a9ad28 100644`
		`--- a/crypto/rsa/rsa_pmeth.c`
		`+++ b/crypto/rsa/rsa_pmeth.c`
		`@@ -52,6 +52,8 @@ typedef struct {`
		`@@ -512,7 +541,7 @@`
		`if (sctx->oaep_label) {`
		`OPENSSL_free(dctx->oaep_label);`
		`dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen);`
		`- @@ -345,6 +349,7 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,`
		`+ @@ -347,6 +351,7 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,`
		`const unsigned char *in, size_t inlen)`
		`{`
		`int ret;`
		`@@ -520,7 +549,7 @@`
		`RSA_PKEY_CTX *rctx = ctx->data;`
		`/*`
		`* Discard const. Its marked as const because this may be a cached copy of`
		`- @@ -365,7 +370,12 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,`
		`+ @@ -367,7 +372,12 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,`
		`rctx->oaep_labellen,`
		`rctx->md, rctx->mgf1md);`
		`} else {`
		`@@ -534,7 +563,7 @@`
		`}`
		`outlen = constant_time_select_s(constant_time_msb_s(ret), outlen, ret);`
		`ret = constant_time_select_int(constant_time_msb(ret), ret, 1);`
		`- @@ -585,6 +595,14 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX ctx, int type, int p1, void p2)`
		`+ @@ -587,6 +597,14 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX ctx, int type, int p1, void p2)`
		`(unsigned char *)p2 = rctx->oaep_label;`
		`return rctx->oaep_labellen;`

		`@@ -550,7 +579,7 @@`
		`case EVP_PKEY_CTRL_PKCS7_SIGN:`
		`#ifndef OPENSSL_NO_CMS`
		`diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in`
		`- index b0054ead66f..dd878297987 100644`
		`+ index b0054ead66..dd87829798 100644`
		`--- a/doc/man1/openssl-pkeyutl.pod.in`
		`+++ b/doc/man1/openssl-pkeyutl.pod.in`
		`@@ -240,6 +240,11 @@ signed or verified directly instead of using a B<DigestInfo> structure. If a`
		`@@ -583,7 +612,7 @@`

		`=head1 RSA-PSS ALGORITHM`
		`diff --git a/doc/man1/openssl-rsautl.pod.in b/doc/man1/openssl-rsautl.pod.in`
		`- index 186e49e5e49..eab34979de3 100644`
		`+ index 186e49e5e4..eab34979de 100644`
		`--- a/doc/man1/openssl-rsautl.pod.in`
		`+++ b/doc/man1/openssl-rsautl.pod.in`
		`@@ -105,6 +105,11 @@ The padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP,`
		`@@ -599,10 +628,10 @@`

		`Hex dump the output data.`
		`diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod`
		`- index 9b96f42dbc9..f7957e95f7f 100644`
		`+ index 3075eaafd6..3844aa2199 100644`
		`--- a/doc/man3/EVP_PKEY_CTX_ctrl.pod`
		`+++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod`
		`- @@ -393,6 +393,15 @@ this behaviour should be tolerated then`
		`+ @@ -386,6 +386,15 @@ this behaviour should be tolerated then`
		`OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION should be set to the actual`
		`negotiated protocol version. Otherwise it should be left unset.`

		`@@ -619,7 +648,7 @@`

		`EVP_PKEY_CTX_set_dsa_paramgen_bits() sets the number of bits used for DSA`
		`diff --git a/doc/man3/EVP_PKEY_decrypt.pod b/doc/man3/EVP_PKEY_decrypt.pod`
		`- index 0cd1a6548d0..462265c5a67 100644`
		`+ index b6f9bad5f1..898535a7a2 100644`
		`--- a/doc/man3/EVP_PKEY_decrypt.pod`
		`+++ b/doc/man3/EVP_PKEY_decrypt.pod`
		`@@ -51,6 +51,18 @@ return 1 for success and 0 or a negative value for failure. In particular a`
		`@@ -642,7 +671,7 @@`

		`Decrypt data using OAEP (for RSA keys):`
		`diff --git a/doc/man3/RSA_padding_add_PKCS1_type_1.pod b/doc/man3/RSA_padding_add_PKCS1_type_1.pod`
		`- index 9f7025c4975..36ae18563f2 100644`
		`+ index 9f7025c497..36ae18563f 100644`
		`--- a/doc/man3/RSA_padding_add_PKCS1_type_1.pod`
		`+++ b/doc/man3/RSA_padding_add_PKCS1_type_1.pod`
		`@@ -121,8 +121,8 @@ L<ERR_get_error(3)>.`
		`@@ -667,7 +696,7 @@`

		`L<RSA_public_encrypt(3)>,`
		`diff --git a/doc/man3/RSA_public_encrypt.pod b/doc/man3/RSA_public_encrypt.pod`
		`- index 1d38073aead..bd3f835ac6d 100644`
		`+ index 1d38073aea..bd3f835ac6 100644`
		`--- a/doc/man3/RSA_public_encrypt.pod`
		`+++ b/doc/man3/RSA_public_encrypt.pod`
		`@@ -52,8 +52,8 @@ Encrypting user data directly with RSA is insecure.`
		`@@ -696,7 +725,7 @@`

		`SSL, PKCS #1 v2.0`
		`diff --git a/doc/man7/provider-asym_cipher.pod b/doc/man7/provider-asym_cipher.pod`
		`- index ac3f6271969..cb770c9e857 100644`
		`+ index ac3f627196..cb770c9e85 100644`
		`--- a/doc/man7/provider-asym_cipher.pod`
		`+++ b/doc/man7/provider-asym_cipher.pod`
		`@@ -235,6 +235,15 @@ The TLS protocol version first requested by the client.`
		`@@ -716,7 +745,7 @@`

		`OSSL_FUNC_asym_cipher_gettable_ctx_params() and OSSL_FUNC_asym_cipher_settable_ctx_params()`
		`diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h`
		`- index 949873d0ee3..f267e5d9d1c 100644`
		`+ index 949873d0ee..f267e5d9d1 100644`
		`--- a/include/crypto/rsa.h`
		`+++ b/include/crypto/rsa.h`
		`@@ -83,6 +83,10 @@ int ossl_rsa_param_decode(RSA rsa, const X509_ALGOR alg);`
		`@@ -731,18 +760,18 @@`
		`size_t tlen,`
		`const unsigned char *from,`
		`diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h`
		`- index e6c4758a33e..6e4a4f8539d 100644`
		`+ index 28ec94a387..407a405513 100644`
		`--- a/include/openssl/core_names.h`
		`+++ b/include/openssl/core_names.h`
		`- @@ -302,6 +302,7 @@ extern "C" {`
		`+ @@ -294,6 +294,7 @@ extern "C" {`
		`#define OSSL_PKEY_PARAM_DIST_ID "distid"`
		`#define OSSL_PKEY_PARAM_PUB_KEY "pub"`
		`#define OSSL_PKEY_PARAM_PRIV_KEY "priv"`
		`+#define OSSL_PKEY_PARAM_IMPLICIT_REJECTION "implicit-rejection"`
		`+ #define OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K "rh_sign_kat_k"`

		`/* Diffie-Hellman/DSA Parameters */`
		`- #define OSSL_PKEY_PARAM_FFC_P "p"`
		`- @@ -482,6 +483,7 @@ extern "C" {`
		`+ @@ -470,6 +471,7 @@ extern "C" {`
		`#define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label"`
		`#define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version"`
		`#define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version"`
		`@@ -751,10 +780,10 @@`
		`#define OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED "redhat-kat-oaep-seed"`
		`#endif`
		`diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h`
		`- index bce21258227..167427d3c48 100644`
		`+ index a55c9727c6..247f9014e3 100644`
		`--- a/include/openssl/rsa.h`
		`+++ b/include/openssl/rsa.h`
		`- @@ -189,6 +189,8 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX ctx, unsigned char *label);`
		`+ @@ -183,6 +183,8 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX ctx, unsigned char *label);`

		`# define EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES (EVP_PKEY_ALG_CTRL + 13)`

		`@@ -763,7 +792,7 @@`
		`# define RSA_PKCS1_PADDING 1`
		`# define RSA_NO_PADDING 3`
		`# define RSA_PKCS1_OAEP_PADDING 4`
		`- @@ -198,6 +200,9 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX ctx, unsigned char *label);`
		`+ @@ -192,6 +194,9 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX ctx, unsigned char *label);`
		`# define RSA_PKCS1_PSS_PADDING 6`
		`# define RSA_PKCS1_WITH_TLS_PADDING 7`

		`@@ -774,10 +803,10 @@`

		`# define RSA_set_app_data(s,arg) RSA_set_ex_data(s,0,arg)`
		`diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c`
		`- index 3d331ea8dfd..fbafb84f8cb 100644`
		`+ index b85ced362e..3d2919beae 100644`
		`--- a/providers/implementations/asymciphers/rsa_enc.c`
		`+++ b/providers/implementations/asymciphers/rsa_enc.c`
		`- @@ -75,6 +75,8 @@ typedef struct {`
		`+ @@ -78,6 +78,8 @@ typedef struct {`
		`/* TLS padding */`
		`unsigned int client_version;`
		`unsigned int alt_version;`
		`@@ -786,7 +815,7 @@`
		`#ifdef FIPS_MODULE`
		`char *redhat_st_oaep_seed;`
		`#endif /* FIPS_MODULE */`
		`- @@ -107,6 +109,7 @@ static int rsa_init(void vprsactx, void vrsa, const OSSL_PARAM params[],`
		`+ @@ -113,6 +115,7 @@ static int rsa_init(void vprsactx, void vrsa, const OSSL_PARAM params[],`
		`RSA_free(prsactx->rsa);`
		`prsactx->rsa = vrsa;`
		`prsactx->operation = operation;`
		`@@ -794,7 +823,7 @@`

		`switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) {`
		`case RSA_FLAG_TYPE_RSA:`
		`- @@ -195,6 +198,7 @@ static int rsa_decrypt(void vprsactx, unsigned char out, size_t *outlen,`
		`+ @@ -235,6 +238,7 @@ static int rsa_decrypt(void vprsactx, unsigned char out, size_t *outlen,`
		`{`
		`PROV_RSA_CTX prsactx = (PROV_RSA_CTX )vprsactx;`
		`int ret;`
		`@@ -802,7 +831,7 @@`
		`size_t len = RSA_size(prsactx->rsa);`

		`if (!ossl_prov_is_running())`
		`- @@ -270,8 +274,12 @@ static int rsa_decrypt(void vprsactx, unsigned char out, size_t *outlen,`
		`+ @@ -324,8 +328,12 @@ static int rsa_decrypt(void vprsactx, unsigned char out, size_t *outlen,`
		`}`
		`OPENSSL_free(tbuf);`
		`} else {`
		`@@ -817,7 +846,7 @@`
		`}`
		`outlen = constant_time_select_s(constant_time_msb_s(ret), outlen, ret);`
		`ret = constant_time_select_int(constant_time_msb(ret), 0, 1);`
		`- @@ -395,6 +403,10 @@ static int rsa_get_ctx_params(void vprsactx, OSSL_PARAM params)`
		`+ @@ -452,6 +460,10 @@ static int rsa_get_ctx_params(void vprsactx, OSSL_PARAM params)`
		`if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version))`
		`return 0;`

		`@@ -828,7 +857,7 @@`
		`return 1;`
		`}`

		`- @@ -406,6 +418,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {`
		`+ @@ -463,6 +475,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {`
		`NULL, 0),`
		`OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),`
		`OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),`
		`@@ -836,7 +865,7 @@`
		`#ifdef FIPS_MODULE`
		`OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0),`
		`#endif /* FIPS_MODULE */`
		`- @@ -543,6 +556,14 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])`
		`+ @@ -619,6 +632,14 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])`
		`return 0;`
		`prsactx->alt_version = alt_version;`
		`}`
		`@@ -851,7 +880,7 @@`

		`return 1;`
		`}`
		`- @@ -555,6 +576,7 @@ static const OSSL_PARAM known_settable_ctx_params[] = {`
		`+ @@ -631,6 +652,7 @@ static const OSSL_PARAM known_settable_ctx_params[] = {`
		`OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, NULL, 0),`
		`OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),`
		`OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),`
		`@@ -860,10 +889,10 @@`
		`};`

		`diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt`
		`- index b8d8bb2993e..a3d01eec457 100644`
		`+ index c43a13b954..3406af5eed 100644`
		`--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt`
		`+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt`
		`- @@ -253,9 +253,25 @@ Decrypt = RSA-2048`
		`+ @@ -268,9 +268,25 @@ Decrypt = RSA-2048`
		Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78
		`Output = "Hello World"`

		`@@ -889,7 +918,7 @@`
		Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79
		`Output = "Hello World"`
		`Result = KEYOP_ERROR`
		`- @@ -277,6 +297,462 @@ Derive = RSA-2048`
		`+ @@ -293,6 +309,462 @@ Derive = RSA-2048`
		`Result = KEYOP_INIT_ERROR`
		`Reason = operation not supported for this keytype`

		`@@ -1352,3 +1381,6 @@`
		`# RSA PSS key tests`

		`# PSS only key, no parameter restrictions`
		`+ --`
		`+ 2.39.3`
		`+`

0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch

file removed

-570

		`@@ -1,570 +0,0 @@`
		`- From 5f4f350ce797a7cd2fdca84c474ee196da9d6fae Mon Sep 17 00:00:00 2001`
		`- From: Clemens Lang <cllang@redhat.com>`
		`- Date: Wed, 18 May 2022 17:25:59 +0200`
		`- Subject: [PATCH] Deny SHA-1 signature verification in FIPS provider`
		`-`
		`- For RHEL, we already disable SHA-1 signatures by default in the default`
		`- provider, so it is unexpected that the FIPS provider would have a more`
		`- lenient configuration in this regard. Additionally, we do not think`
		`- continuing to accept SHA-1 signatures is a good idea due to the`
		`- published chosen-prefix collision attacks.`
		`-`
		`- As a consequence, disable verification of SHA-1 signatures in the FIPS`
		`- provider.`
		`-`
		`- This requires adjusting a few tests that would otherwise fail:`
		`- - 30-test_acvp: Remove the test vectors that use SHA-1.`
		`- - 30-test_evp: Mark tests in evppkey_rsa_common.txt and`
		`- evppkey_ecdsa.txt that use SHA-1 digests as "Availablein = default",`
		`- which will not run them when the FIPS provider is enabled.`
		`- - 80-test_cms: Re-create all certificates in test/smime-certificates`
		`- with SHA256 signatures while keeping the same private keys. These`
		`- certificates were signed with SHA-1 and thus fail verification in the`
		`- FIPS provider.`
		`- Fix some other tests by explicitly running them in the default`
		`- provider, where SHA-1 is available.`
		`- - 80-test_ssl_old: Skip tests that rely on SSLv3 and SHA-1 when run with`
		`- the FIPS provider.`
		`-`
		`- Signed-off-by: Clemens Lang <cllang@redhat.com>`
		`- ---`
		`- providers/implementations/signature/dsa_sig.c \| 4 --`
		`- .../implementations/signature/ecdsa_sig.c \| 4 --`
		`- providers/implementations/signature/rsa_sig.c \| 8 +--`
		`- test/acvp_test.inc \| 20 -------`
		`- .../30-test_evp_data/evppkey_ecdsa.txt \| 7 +++`
		`- .../30-test_evp_data/evppkey_rsa_common.txt \| 51 +++++++++++++++-`
		`- test/recipes/80-test_cms.t \| 4 +-`
		`- test/recipes/80-test_ssl_old.t \| 4 ++`
		`- test/smime-certs/smdh.pem \| 18 +++---`
		`- test/smime-certs/smdsa1.pem \| 60 +++++++++----------`
		`- test/smime-certs/smdsa2.pem \| 60 +++++++++----------`
		`- test/smime-certs/smdsa3.pem \| 60 +++++++++----------`
		`- test/smime-certs/smec1.pem \| 30 +++++-----`
		`- test/smime-certs/smec2.pem \| 30 +++++-----`
		`- test/smime-certs/smec3.pem \| 30 +++++-----`
		`- test/smime-certs/smroot.pem \| 38 ++++++------`
		`- test/smime-certs/smrsa1.pem \| 38 ++++++------`
		`- test/smime-certs/smrsa2.pem \| 38 ++++++------`
		`- test/smime-certs/smrsa3.pem \| 38 ++++++------`
		`- 19 files changed, 286 insertions(+), 256 deletions(-)`
		`-`
		`- diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c`
		`- index fa3822f39f..c365d7b13a 100644`
		`- --- a/providers/implementations/signature/dsa_sig.c`
		`- +++ b/providers/implementations/signature/dsa_sig.c`
		`- @@ -128,11 +128,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,`
		`- EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);`
		`- int md_nid;`
		`- size_t mdname_len = strlen(mdname);`
		`- -#ifdef FIPS_MODULE`
		`- - int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);`
		`- -#else`
		`- int sha1_allowed = 0;`
		`- -#endif`
		`- md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,`
		`- sha1_allowed);`
		`-`
		`- diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c`
		`- index 99b228e82c..44a22832ec 100644`
		`- --- a/providers/implementations/signature/ecdsa_sig.c`
		`- +++ b/providers/implementations/signature/ecdsa_sig.c`
		`- @@ -237,11 +237,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX ctx, const char mdname,`
		`- "%s could not be fetched", mdname);`
		`- return 0;`
		`- }`
		`- -#ifdef FIPS_MODULE`
		`- - sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);`
		`- -#else`
		`- sha1_allowed = 0;`
		`- -#endif`
		`- md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,`
		`- sha1_allowed);`
		`- if (md_nid < 0) {`
		`- diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c`
		`- index f66d7705c3..34f45175e8 100644`
		`- --- a/providers/implementations/signature/rsa_sig.c`
		`- +++ b/providers/implementations/signature/rsa_sig.c`
		`- @@ -292,11 +292,7 @@ static int rsa_setup_md(PROV_RSA_CTX ctx, const char mdname,`
		`- EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);`
		`- int md_nid;`
		`- size_t mdname_len = strlen(mdname);`
		`- -#ifdef FIPS_MODULE`
		`- - int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);`
		`- -#else`
		`- int sha1_allowed = 0;`
		`- -#endif`
		`- md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,`
		`- sha1_allowed);`
		`-`
		`- @@ -1355,8 +1351,10 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])`
		`-`
		`- if (prsactx->md == NULL && pmdname == NULL`
		`- && pad_mode == RSA_PKCS1_PSS_PADDING) {`
		`- +#ifdef FIPS_MODULE`
		`- + pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;`
		`- +#else`
		`- pmdname = RSA_DEFAULT_DIGEST_NAME;`
		`- -#ifndef FIPS_MODULE`
		`- if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {`
		`- pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;`
		`- }`
		`- diff --git a/test/acvp_test.inc b/test/acvp_test.inc`
		`- index ad11d3ae1e..73b24bdb0c 100644`
		`- --- a/test/acvp_test.inc`
		`- +++ b/test/acvp_test.inc`
		`- @@ -1841,17 +1841,6 @@ static const struct rsa_sigver_st rsa_sigver_data[] = {`
		`- NO_PSS_SALT_LEN,`
		`- FAIL`
		`- },`
		`- - {`
		`- - "x931",`
		`- - 3072,`
		`- - "SHA1",`
		`- - ITM(rsa_sigverx931_0_msg),`
		`- - ITM(rsa_sigverx931_0_n),`
		`- - ITM(rsa_sigverx931_0_e),`
		`- - ITM(rsa_sigverx931_0_sig),`
		`- - NO_PSS_SALT_LEN,`
		`- - PASS`
		`- - },`
		`- {`
		`- "x931",`
		`- 3072,`
		`- diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt`
		`- index f36982845d..51e507a61c 100644`
		`- --- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt`
		`- +++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt`
		`- @@ -37,12 +37,14 @@ PrivPubKeyPair = P-256:P-256-PUBLIC`
		`-`
		`- Title = ECDSA tests`
		`-`
		`- +Availablein = default`
		`- Verify = P-256`
		`- Ctrl = digest:SHA1`
		`- Input = "0123456789ABCDEF1234"`
		`- Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8`
		`-`
		`- # Digest too long`
		`- +Availablein = default`
		`- Verify = P-256`
		`- Ctrl = digest:SHA1`
		`- Input = "0123456789ABCDEF12345"`
		`- @@ -50,6 +52,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e`
		`- Result = VERIFY_ERROR`
		`-`
		`- # Digest too short`
		`- +Availablein = default`
		`- Verify = P-256`
		`- Ctrl = digest:SHA1`
		`- Input = "0123456789ABCDEF123"`
		`- @@ -57,6 +60,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e`
		`- Result = VERIFY_ERROR`
		`-`
		`- # Digest invalid`
		`- +Availablein = default`
		`- Verify = P-256`
		`- Ctrl = digest:SHA1`
		`- Input = "0123456789ABCDEF1235"`
		`- @@ -64,6 +68,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e`
		`- Result = VERIFY_ERROR`
		`-`
		`- # Invalid signature`
		`- +Availablein = default`
		`- Verify = P-256`
		`- Ctrl = digest:SHA1`
		`- Input = "0123456789ABCDEF1234"`
		`- @@ -79,12 +84,14 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e`
		`- Result = VERIFY_ERROR`
		`-`
		`- # BER signature`
		`- +Availablein = default`
		`- Verify = P-256`
		`- Ctrl = digest:SHA1`
		`- Input = "0123456789ABCDEF1234"`
		`- Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000`
		`- Result = VERIFY_ERROR`
		`-`
		`- +Availablein = default`
		`- Verify = P-256-PUBLIC`
		`- Ctrl = digest:SHA1`
		`- Input = "0123456789ABCDEF1234"`
		`- diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt`
		`- index b8d8bb2993..8dd566067b 100644`
		`- --- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt`
		`- +++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt`
		`- @@ -96,6 +96,7 @@ NDL6WCBbets=`
		`-`
		`- Title = RSA tests`
		`-`
		`- +Availablein = default`
		`- Verify = RSA-2048`
		`- Ctrl = digest:SHA1`
		`- Input = "0123456789ABCDEF1234"`
		`- @@ -112,24 +113,28 @@ Ctrl = digest:SHA512-224`
		`- Input = "0123456789ABCDEF123456789ABC"`
		- Output = 5f720e9488139bb21e1c2f027fd5ce5993e6d31c5a8faaee833487b3a944d66891178868ace8070cad3ee2ffbe54aa4885a15fd1a7cc5166970fe1fd8c0423e72bd3e3b56fc4a53ed80aaaeca42497f0ec3c62113edc05cd006608f5eef7ce3ad4cba1069f68731dd28a524a1f93fcdc5547112d48d45586dd943ba0d443be9635720d8a61697c54c96627f0d85c5fbeaa3b4af86a65cf2fc3800dd5de34c046985f25d0efc0bb6edccc1d08b3a4fb9c8faffe181c7e68b31e374ad1440a4a664eec9ca0dc53a9d2f5bc7d9940d866f64201bcbc63612754df45727ea24b531d7de83d1bb707444859fa35521320c33bf6f4dbeb6fb56e653adbf7af15843f17
		`-`
		`- +Availablein = default`
		`- VerifyRecover = RSA-2048`
		`- Ctrl = digest:SHA1`
		- Input = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
		`- Output = "0123456789ABCDEF1234"`
		`-`
		`- # Leading zero in the signature`
		`- +Availablein = default`
		`- Verify = RSA-2048`
		`- Ctrl = digest:SHA1`
		`- Input = "0123456789ABCDEF1234"`
		- Output = 00c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
		`- Result = VERIFY_ERROR`
		`-`
		`- +Availablein = default`
		`- VerifyRecover = RSA-2048`
		`- Ctrl = digest:SHA1`
		- Input = 00c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
		`- Result = KEYOP_ERROR`
		`-`
		`- # Mismatched digest`
		`- +Availablein = default`
		`- Verify = RSA-2048`
		`- Ctrl = digest:SHA1`
		`- Input = "0123456789ABCDEF1233"`
		`- @@ -137,6 +142,7 @@ Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2`
		`- Result = VERIFY_ERROR`
		`-`
		`- # Corrupted signature`
		`- +Availablein = default`
		`- Verify = RSA-2048`
		`- Ctrl = digest:SHA1`
		`- Input = "0123456789ABCDEF1233"`
		`- @@ -144,6 +150,7 @@ Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2`
		`- Result = VERIFY_ERROR`
		`-`
		`- # parameter is not NULLt`
		`- +Availablein = default`
		`- Verify = RSA-2048`
		`- Ctrl = digest:sha1`
		`- Input = "0123456789ABCDEF1234"`
		`- @@ -151,42 +158,49 @@ Output = 3ec3fc29eb6e122bd7aa361cd09fe1bcbe85311096a7b9e4799cedfb2351ce0ab7fe4e7`
		`- Result = VERIFY_ERROR`
		`-`
		`- # embedded digest too long`
		`- +Availablein = default`
		`- Verify = RSA-2048`
		`- Ctrl = digest:sha1`
		`- Input = "0123456789ABCDEF1234"`
		- Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
		`- Result = VERIFY_ERROR`
		`-`
		`- +Availablein = default`
		`- VerifyRecover = RSA-2048`
		`- Ctrl = digest:sha1`
		- Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
		`- Result = KEYOP_ERROR`
		`-`
		`- # embedded digest too short`
		`- +Availablein = default`
		`- Verify = RSA-2048`
		`- Ctrl = digest:sha1`
		`- Input = "0123456789ABCDEF1234"`
		- Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
		`- Result = VERIFY_ERROR`
		`-`
		`- +Availablein = default`
		`- VerifyRecover = RSA-2048`
		`- Ctrl = digest:sha1`
		- Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
		`- Result = KEYOP_ERROR`
		`-`
		`- # Garbage after DigestInfo`
		`- +Availablein = default`
		`- Verify = RSA-2048`
		`- Ctrl = digest:sha1`
		`- Input = "0123456789ABCDEF1234"`
		- Output = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274
		`- Result = VERIFY_ERROR`
		`-`
		`- +Availablein = default`
		`- VerifyRecover = RSA-2048`
		`- Ctrl = digest:sha1`
		- Input = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274
		`- Result = KEYOP_ERROR`
		`-`
		`- # invalid tag for parameter`
		`- +Availablein = default`
		`- Verify = RSA-2048`
		`- Ctrl = digest:sha1`
		`- Input = "0123456789ABCDEF1234"`
		`- @@ -195,6 +209,7 @@ Result = VERIFY_ERROR`
		`-`
		`- # Verify using public key`
		`-`
		`- +Availablein = default`
		`- Verify = RSA-2048-PUBLIC`
		`- Ctrl = digest:SHA1`
		`- Input = "0123456789ABCDEF1234"`
		`- @@ -370,6 +385,8 @@ Input="0123456789ABCDEF0123456789ABCDEF"`
		- Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DDD0635A96B28F854E50145518482CB49E963054621B53C60C498D07C16E9C2789C893CF38D4D86900DE71BDE463BD2761D1271E358C7480A1AC0BAB930DDF39602AD1BC165B5D7436B516B7A7858E8EB7AB1C420EEB482F4D207F0E462B1724959320A084E13848D11D10FB593E66BF680BF6D3F345FC3E9C3DE60ABBAC37E1C6EC80A268C8D9FC49626C679097AA690BC1AA662B95EB8DB70390861AA0898229F9349B4B5FDD030D4928C47084708A933144BE23BD3C6E661B85B2C0EF9ED36D498D5B7320E8194D363D4AD478C059BAE804181965E0B81B663158A
		`-`
		`- # Verify using salt length auto detect`
		`- +# In the FIPS provider on RHEL-9, the default digest for PSS signatures is SHA-256`
		`- +Availablein = default`
		`- Verify = RSA-2048-PUBLIC`
		`- Ctrl = rsa_padding_mode:pss`
		`- Ctrl = rsa_pss_saltlen:auto`
		`- @@ -404,6 +421,10 @@ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DD`
		`- Result = VERIFY_ERROR`
		`-`
		`- # Verify using default parameters, explicitly setting parameters`
		`- +# NOTE: RSA-PSS-DEFAULT contains a restriction to use SHA1 as digest, which`
		`- +# RHEL-9 does not support in FIPS mode; all these tests are thus marked`
		`- +# Availablein = default.`
		`- +Availablein = default`
		`- Verify = RSA-PSS-DEFAULT`
		`- Ctrl = rsa_padding_mode:pss`
		`- Ctrl = rsa_pss_saltlen:20`
		`- @@ -412,6 +433,7 @@ Input="0123456789ABCDEF0123"`
		- Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
		`-`
		`- # Verify explicitly setting parameters "digest" salt length`
		`- +Availablein = default`
		`- Verify = RSA-PSS-DEFAULT`
		`- Ctrl = rsa_padding_mode:pss`
		`- Ctrl = rsa_pss_saltlen:digest`
		`- @@ -420,18 +442,21 @@ Input="0123456789ABCDEF0123"`
		- Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF
		`-`
		`- # Verify using salt length larger than minimum`
		`- +Availablein = default`
		`- Verify = RSA-PSS-DEFAULT`
		`- Ctrl = rsa_pss_saltlen:30`
		`- Input="0123456789ABCDEF0123"`
		- Output = 6BF7EDC63A0BA184EEEC7F3020FEC8F5EBF38C2B76481881F48BCCE5796E7AB294548BA9AE810457C7723CABD1BDE94CF59CF7C0FC7461B22760C8ED703DD98E97BFDD61FA8D1181C411F6DEE5FF159F4850746D78EDEE385A363DC28E2CB373D5CAD7953F3BD5E639BE345732C03A1BDEA268814DA036EB1891C82D4012F3B903D86636055F87B96FC98806AD1B217685A4D754046A5DE0B0D7870664BE07902153EC85BA457BE7D7F89D7FE0F626D02A9CBBB2BB479DDA1A5CAE75247FB7BF6BFB15C1D3FD9E6B1573CCDBC72011C3B97716058BB11C7EA2E4E56ADAFE1F5DE6A7FD405AC5890100F9C3408EFFB5C73BF73F48177FF743B4B819D0699D507B
		`-`
		`- # Verify using maximum salt length`
		`- +Availablein = default`
		`- Verify = RSA-PSS-DEFAULT`
		`- Ctrl = rsa_pss_saltlen:max`
		`- Input="0123456789ABCDEF0123"`
		- Output = 4470DCFE812DEE2E58E4301D4ED274AB348FE040B724B2CD1D8CD0914BFF375F0B86FCB32BFA8AEA9BD22BD7C4F1ADD4F3D215A5CFCC99055BAFECFC23800E9BECE19A08C66BEBC5802122D13A732E5958FC228DCC0B49B5B4B1154F032D8FA2F3564AA949C1310CC9266B0C47F86D449AC9D2E7678347E7266E2D7C888CCE1ADF44A109A293F8516AE2BD94CE220F26E137DB8E7A66BB9FCE052CDC1D0BE24D8CEBB20D10125F26B069F117044B9E1D16FDDAABCA5340AE1702F37D0E1C08A2E93801C0A41035C6C73DA02A0E32227EAFB0B85E79107B59650D0EE7DC32A6772CCCE90F06369B2880FE87ED76997BA61F5EA818091EE88F8B0D6F24D02A3FC6
		`-`
		`- # Attempt to change salt length below minimum`
		`- +Availablein = default`
		`- Verify = RSA-PSS-DEFAULT`
		`- Ctrl = rsa_pss_saltlen:0`
		`- Result = PKEY_CTRL_ERROR`
		`- @@ -439,21 +464,25 @@ Result = PKEY_CTRL_ERROR`
		`- # Attempt to change padding mode`
		`- # Note this used to return PKEY_CTRL_INVALID`
		`- # but it is limited because setparams only returns 0 or 1.`
		`- +Availablein = default`
		`- Verify = RSA-PSS-DEFAULT`
		`- Ctrl = rsa_padding_mode:pkcs1`
		`- Result = PKEY_CTRL_ERROR`
		`-`
		`- # Attempt to change digest`
		`- +Availablein = default`
		`- Verify = RSA-PSS-DEFAULT`
		`- Ctrl = digest:sha256`
		`- Result = PKEY_CTRL_ERROR`
		`-`
		`- # Invalid key: rejected when we try to init`
		`- +Availablein = default`
		`- Verify = RSA-PSS-BAD`
		`- Result = KEYOP_INIT_ERROR`
		`- Reason = invalid salt length`
		`-`
		`- # Invalid key: rejected when we try to init`
		`- +Availablein = default`
		`- Verify = RSA-PSS-BAD2`
		`- Result = KEYOP_INIT_ERROR`
		`- Reason = invalid salt length`
		`- @@ -472,36 +501,42 @@ CAltWyuLbfXWce9jd8CSHLI8Jwpw4lmOb/idGfEFrMLT8Ms18pKA4Thrb2TE7yLh`
		`- 4fINDOjP+yJJvZohNwIDAQAB`
		`- -----END PUBLIC KEY-----`
		`-`
		`- +Availablein = default`
		`- Verify=RSA-PSS-1`
		`- Ctrl = rsa_padding_mode:pss`
		`- Ctrl = rsa_mgf1_md:sha1`
		`- Input=cd8b6538cb8e8de566b68bd067569dbf1ee2718e`
		`- Output=9074308fb598e9701b2294388e52f971faac2b60a5145af185df5287b5ed2887e57ce7fd44dc8634e407c8e0e4360bc226f3ec227f9d9e54638e8d31f5051215df6ebb9c2f9579aa77598a38f914b5b9c1bd83c4e2f9f382a0d0aa3542ffee65984a601bc69eb28deb27dca12c82c2d4c3f66cd500f1ff2b994d8a4e30cbb33c`
		`-`
		`- +Availablein = default`
		`- Verify=RSA-PSS-1`
		`- Ctrl = rsa_padding_mode:pss`
		`- Ctrl = rsa_mgf1_md:sha1`
		`- Input=e35befc17a1d160b9ce35fbd8eb16e7ee491d3fd`
		`- Output=3ef7f46e831bf92b32274142a585ffcefbdca7b32ae90d10fb0f0c729984f04ef29a9df0780775ce43739b97838390db0a5505e63de927028d9d29b219ca2c4517832558a55d694a6d25b9dab66003c4cccd907802193be5170d26147d37b93590241be51c25055f47ef62752cfbe21418fafe98c22c4d4d47724fdb5669e843`
		`-`
		`- +Availablein = default`
		`- Verify=RSA-PSS-1`
		`- Ctrl = rsa_padding_mode:pss`
		`- Ctrl = rsa_mgf1_md:sha1`
		`- Input=0652ec67bcee30f9d2699122b91c19abdba89f91`
		`- Output=666026fba71bd3e7cf13157cc2c51a8e4aa684af9778f91849f34335d141c00154c4197621f9624a675b5abc22ee7d5baaffaae1c9baca2cc373b3f33e78e6143c395a91aa7faca664eb733afd14d8827259d99a7550faca501ef2b04e33c23aa51f4b9e8282efdb728cc0ab09405a91607c6369961bc8270d2d4f39fce612b1`
		`-`
		`- +Availablein = default`
		`- Verify=RSA-PSS-1`
		`- Ctrl = rsa_padding_mode:pss`
		`- Ctrl = rsa_mgf1_md:sha1`
		`- Input=39c21c4cceda9c1adf839c744e1212a6437575ec`
		`- Output=4609793b23e9d09362dc21bb47da0b4f3a7622649a47d464019b9aeafe53359c178c91cd58ba6bcb78be0346a7bc637f4b873d4bab38ee661f199634c547a1ad8442e03da015b136e543f7ab07c0c13e4225b8de8cce25d4f6eb8400f81f7e1833b7ee6e334d370964ca79fdb872b4d75223b5eeb08101591fb532d155a6de87`
		`-`
		`- +Availablein = default`
		`- Verify=RSA-PSS-1`
		`- Ctrl = rsa_padding_mode:pss`
		`- Ctrl = rsa_mgf1_md:sha1`
		`- Input=36dae913b77bd17cae6e7b09453d24544cebb33c`
		`- Output=1d2aad221ca4d31ddf13509239019398e3d14b32dc34dc5af4aeaea3c095af73479cf0a45e5629635a53a018377615b16cb9b13b3e09d671eb71e387b8545c5960da5a64776e768e82b2c93583bf104c3fdb23512b7b4e89f633dd0063a530db4524b01c3f384c09310e315a79dcd3d684022a7f31c865a664e316978b759fad`
		`-`
		`- +Availablein = default`
		`- Verify=RSA-PSS-1`
		`- Ctrl = rsa_padding_mode:pss`
		`- Ctrl = rsa_mgf1_md:sha1`
		`- @@ -517,36 +552,42 @@ swU7R97S7NSkyu/WFIM9yLtiLzF+0Ha4BX/o3j+ESArV6D5KYZBKTySPs5cCc1fh`
		`- 0w5GMTmBXG/U/VrFuBcqRSMOy2MYoE8UVdhOWosCAwEAAQ==`
		`- -----END PUBLIC KEY-----`
		`-`
		`- +Availablein = default`
		`- Verify=RSA-PSS-9`
		`- Ctrl = rsa_padding_mode:pss`
		`- Ctrl = rsa_mgf1_md:sha1`
		`- Input=2715a49b8b0012cd7aee84c116446e6dfe3faec0`
		`- Output=586107226c3ce013a7c8f04d1a6a2959bb4b8e205ba43a27b50f124111bc35ef589b039f5932187cb696d7d9a32c0c38300a5cdda4834b62d2eb240af33f79d13dfbf095bf599e0d9686948c1964747b67e89c9aba5cd85016236f566cc5802cb13ead51bc7ca6bef3b94dcbdbb1d570469771df0e00b1a8a06777472d2316279edae86474668d4e1efff95f1de61c6020da32ae92bbf16520fef3cf4d88f61121f24bbd9fe91b59caf1235b2a93ff81fc403addf4ebdea84934a9cdaf8e1a9e`
		`-`
		`- +Availablein = default`
		`- Verify=RSA-PSS-9`
		`- Ctrl = rsa_padding_mode:pss`
		`- Ctrl = rsa_mgf1_md:sha1`
		`- Input=2dac956d53964748ac364d06595827c6b4f143cd`
		`- Output=80b6d643255209f0a456763897ac9ed259d459b49c2887e5882ecb4434cfd66dd7e1699375381e51cd7f554f2c271704b399d42b4be2540a0eca61951f55267f7c2878c122842dadb28b01bd5f8c025f7e228418a673c03d6bc0c736d0a29546bd67f786d9d692ccea778d71d98c2063b7a71092187a4d35af108111d83e83eae46c46aa34277e06044589903788f1d5e7cee25fb485e92949118814d6f2c3ee361489016f327fb5bc517eb50470bffa1afa5f4ce9aa0ce5b8ee19bf5501b958`
		`-`
		`- +Availablein = default`
		`- Verify=RSA-PSS-9`
		`- Ctrl = rsa_padding_mode:pss`
		`- Ctrl = rsa_mgf1_md:sha1`
		`- Input=28d98c46cccafbd3bc04e72f967a54bd3ea12298`
		`- Output=484408f3898cd5f53483f80819efbf2708c34d27a8b2a6fae8b322f9240237f981817aca1846f1084daa6d7c0795f6e5bf1af59c38e1858437ce1f7ec419b98c8736adf6dd9a00b1806d2bd3ad0a73775e05f52dfef3a59ab4b08143f0df05cd1ad9d04bececa6daa4a2129803e200cbc77787caf4c1d0663a6c5987b605952019782caf2ec1426d68fb94ed1d4be816a7ed081b77e6ab330b3ffc073820fecde3727fcbe295ee61a050a343658637c3fd659cfb63736de32d9f90d3c2f63eca`
		`-`
		`- +Availablein = default`
		`- Verify=RSA-PSS-9`
		`- Ctrl = rsa_padding_mode:pss`
		`- Ctrl = rsa_mgf1_md:sha1`
		`- Input=0866d2ff5a79f25ef668cd6f31b42dee421e4c0e`
		`- Output=84ebeb481be59845b46468bafb471c0112e02b235d84b5d911cbd1926ee5074ae0424495cb20e82308b8ebb65f419a03fb40e72b78981d88aad143053685172c97b29c8b7bf0ae73b5b2263c403da0ed2f80ff7450af7828eb8b86f0028bd2a8b176a4d228cccea18394f238b09ff758cc00bc04301152355742f282b54e663a919e709d8da24ade5500a7b9aa50226e0ca52923e6c2d860ec50ff480fa57477e82b0565f4379f79c772d5c2da80af9fbf325ece6fc20b00961614bee89a183e`
		`-`
		`- +Availablein = default`
		`- Verify=RSA-PSS-9`
		`- Ctrl = rsa_padding_mode:pss`
		`- Ctrl = rsa_mgf1_md:sha1`
		`- Input=6a5b4be4cd36cc97dfde9995efbf8f097a4a991a`
		`- Output=82102df8cb91e7179919a04d26d335d64fbc2f872c44833943241de8454810274cdf3db5f42d423db152af7135f701420e39b494a67cbfd19f9119da233a23da5c6439b5ba0d2bc373eee3507001378d4a4073856b7fe2aba0b5ee93b27f4afec7d4d120921c83f606765b02c19e4d6a1a3b95fa4c422951be4f52131077ef17179729cddfbdb56950dbaceefe78cb16640a099ea56d24389eef10f8fecb31ba3ea3b227c0a86698bb89e3e9363905bf22777b2a3aa521b65b4cef76d83bde4c`
		`-`
		`- +Availablein = default`
		`- Verify=RSA-PSS-9`
		`- Ctrl = rsa_padding_mode:pss`
		`- Ctrl = rsa_mgf1_md:sha1`
		`- @@ -564,36 +605,42 @@ F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5kGWC7IsXS9WNXR89dnxhNyGu`
		`- BQIDAQAB`
		`- -----END PUBLIC KEY-----`
		`-`
		`- +Availablein = default`
		`- Verify=RSA-PSS-10`
		`- Ctrl = rsa_padding_mode:pss`
		`- Ctrl = rsa_mgf1_md:sha1`
		`- Input=9596bb630cf6a8d4ea4600422b9eba8b13675dd4`
		- Output=82c2b160093b8aa3c0f7522b19f87354066c77847abf2a9fce542d0e84e920c5afb49ffdfdace16560ee94a1369601148ebad7a0e151cf16331791a5727d05f21e74e7eb811440206935d744765a15e79f015cb66c532c87a6a05961c8bfad741a9a6657022894393e7223739796c02a77455d0f555b0ec01ddf259b6207fd0fd57614cef1a5573baaff4ec00069951659b85f24300a25160ca8522dc6e6727e57d019d7e63629b8fe5e89e25cc15beb3a647577559299280b9b28f79b0409000be25bbd96408ba3b43cc486184dd1c8e62553fa1af4040f60663de7f5e49c04388e257f1ce89c95dab48a315d9b66b1b7628233876ff2385230d070d07e1666
		`-`
		`- +Availablein = default`
		`- Verify=RSA-PSS-10`
		`- Ctrl = rsa_padding_mode:pss`
		`- Ctrl = rsa_mgf1_md:sha1`
		`- Input=b503319399277fd6c1c8f1033cbf04199ea21716`
		- Output=14ae35d9dd06ba92f7f3b897978aed7cd4bf5ff0b585a40bd46ce1b42cd2703053bb9044d64e813d8f96db2dd7007d10118f6f8f8496097ad75e1ff692341b2892ad55a633a1c55e7f0a0ad59a0e203a5b8278aec54dd8622e2831d87174f8caff43ee6c46445345d84a59659bfb92ecd4c818668695f34706f66828a89959637f2bf3e3251c24bdba4d4b7649da0022218b119c84e79a6527ec5b8a5f861c159952e23ec05e1e717346faefe8b1686825bd2b262fb2531066c0de09acde2e4231690728b5d85e115a2f6b92b79c25abc9bd9399ff8bcf825a52ea1f56ea76dd26f43baafa18bfa92a504cbd35699e26d1dcc5a2887385f3c63232f06f3244c3
		`-`
		`- +Availablein = default`
		`- Verify=RSA-PSS-10`
		`- Ctrl = rsa_padding_mode:pss`
		`- Ctrl = rsa_mgf1_md:sha1`
		`- Input=50aaede8536b2c307208b275a67ae2df196c7628`
		- Output=6e3e4d7b6b15d2fb46013b8900aa5bbb3939cf2c095717987042026ee62c74c54cffd5d7d57efbbf950a0f5c574fa09d3fc1c9f513b05b4ff50dd8df7edfa20102854c35e592180119a70ce5b085182aa02d9ea2aa90d1df03f2daae885ba2f5d05afdac97476f06b93b5bc94a1a80aa9116c4d615f333b098892b25fface266f5db5a5a3bcc10a824ed55aad35b727834fb8c07da28fcf416a5d9b2224f1f8b442b36f91e456fdea2d7cfe3367268de0307a4c74e924159ed33393d5e0655531c77327b89821bdedf880161c78cd4196b5419f7acc3f13e5ebf161b6e7c6724716ca33b85c2e25640192ac2859651d50bde7eb976e51cec828b98b6563b86bb
		`-`
		`- +Availablein = default`
		`- Verify=RSA-PSS-10`
		`- Ctrl = rsa_padding_mode:pss`
		`- Ctrl = rsa_mgf1_md:sha1`
		`- Input=aa0b72b8b371ddd10c8ae474425ccccf8842a294`
		- Output=34047ff96c4dc0dc90b2d4ff59a1a361a4754b255d2ee0af7d8bf87c9bc9e7ddeede33934c63ca1c0e3d262cb145ef932a1f2c0a997aa6a34f8eaee7477d82ccf09095a6b8acad38d4eec9fb7eab7ad02da1d11d8e54c1825e55bf58c2a23234b902be124f9e9038a8f68fa45dab72f66e0945bf1d8bacc9044c6f07098c9fcec58a3aab100c805178155f030a124c450e5acbda47d0e4f10b80a23f803e774d023b0015c20b9f9bbe7c91296338d5ecb471cafb032007b67a60be5f69504a9f01abb3cb467b260e2bce860be8d95bf92c0c8e1496ed1e528593a4abb6df462dde8a0968dffe4683116857a232f5ebf6c85be238745ad0f38f767a5fdbf486fb
		`-`
		`- +Availablein = default`
		`- Verify=RSA-PSS-10`
		`- Ctrl = rsa_padding_mode:pss`
		`- Ctrl = rsa_mgf1_md:sha1`
		`- Input=fad3902c9750622a2bc672622c48270cc57d3ea8`
		- Output=7e0935ea18f4d6c1d17ce82eb2b3836c55b384589ce19dfe743363ac9948d1f346b7bfddfe92efd78adb21faefc89ade42b10f374003fe122e67429a1cb8cbd1f8d9014564c44d120116f4990f1a6e38774c194bd1b8213286b077b0499d2e7b3f434ab12289c556684deed78131934bb3dd6537236f7c6f3dcb09d476be07721e37e1ceed9b2f7b406887bd53157305e1c8b4f84d733bc1e186fe06cc59b6edb8f4bd7ffefdf4f7ba9cfb9d570689b5a1a4109a746a690893db3799255a0cb9215d2d1cd490590e952e8c8786aa0011265252470c041dfbc3eec7c3cbf71c24869d115c0cb4a956f56d530b80ab589acfefc690751ddf36e8d383f83cedd2cc
		`-`
		`- +Availablein = default`
		`- Verify=RSA-PSS-10`
		`- Ctrl = rsa_padding_mode:pss`
		`- Ctrl = rsa_mgf1_md:sha1`
		`- @@ -1329,11 +1376,13 @@ Title = RSA FIPS tests`
		`-`
		`- # FIPS tests`
		`-`
		`- -# Verifying with SHA1 is permitted in fips mode for older applications`
		`- +# Verifying with SHA1 is not permitted on RHEL-9 in FIPS mode`
		`- +Availablein = fips`
		`- DigestVerify = SHA1`
		`- Key = RSA-2048`
		`- Input = "Hello "`
		- Output = 87ea0e2226ef35e5a2aec9ca1222fcbe39ba723f05b3203564f671dd3601271806ead3240e61d424359ee3b17bd3e32f54b82df83998a8ac4148410710361de0400f9ddf98278618fbc87747a0531972543e6e5f18ab2fdfbfda02952f6ac69690e43864690af271bf43d4be9705b303d4ff994ab3abd4d5851562b73e59be3edc01cec41a4cc13b68206329bad1a46c6608d3609e951faa321d0fdbc765d54e9a7c59248d2f67913c9903e932b769c9c8a45520cabea06e8c0b231dd3bcc7f7ec55b46b0157ccb5fc5011fa57353cd3df32edcbadcb8d168133cbd0acfb64444cb040e1298f621508a38f79e14ae8c2c5c857f90aa9d24ef5fc07d34bf23859
		`- +Result = DIGESTVERIFYINIT_ERROR`
		`-`
		`- # Verifying with a 1024 bit key is permitted in fips mode for older applications`
		`- DigestVerify = SHA256`
		`- diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t`
		`- index 48a92f735d..34afe91b88 100644`
		`- --- a/test/recipes/80-test_cms.t`
		`- +++ b/test/recipes/80-test_cms.t`
		`- @@ -162,7 +162,7 @@ my @smime_pkcs7_tests = (`
		`- [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1",`
		`- "-certfile", $smroot,`
		`- "-signer", $smrsa1, "-out", "{output}.cms" ],`
		`- - [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",`
		`- + [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms",`
		`- "-CAfile", $smroot, "-out", "{output}.txt" ],`
		`- \&final_compare`
		`- ],`
		`- @@ -170,7 +170,7 @@ my @smime_pkcs7_tests = (`
		`- [ "signed zero-length content S/MIME format, RSA key SHA1",`
		`- [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1",`
		`- "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],`
		`- - [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",`
		`- + [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms",`
		`- "-CAfile", $smroot, "-out", "{output}.txt" ],`
		`- \&zero_compare`
		`- ],`
		`- diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t`
		`- index 8c52b637fc..ff75c5b6ec 100644`
		`- --- a/test/recipes/80-test_ssl_old.t`
		`- +++ b/test/recipes/80-test_ssl_old.t`
		`- @@ -394,6 +394,9 @@ sub testssl {`
		`- 'test sslv2/sslv3 with 1024bit DHE via BIO pair');`
		`- }`
		`-`
		`- + SKIP: {`
		`- + skip "SSLv3 is not supported by the FIPS provider", 4`
		`- + if $provider eq "fips";`
		`- ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])),`
		`- 'test sslv2/sslv3 with server authentication');`
		`- ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])),`
		`- @@ -402,6 +405,7 @@ sub testssl {`
		`- 'test sslv2/sslv3 with both client and server authentication via BIO pair');`
		`- ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])),`
		`- 'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify');`
		`- + }`
		`-`
		`- SKIP: {`
		`- skip "No IPv4 available on this machine", 4`

openssl.spec

file modified

+124 -93

		`@@ -28,8 +28,8 @@`

		`Summary: Utilities from the general purpose cryptography library with TLS implementation`
		`Name: openssl`
		`- Version: 3.1.1`
		`- Release: 2%{?dist}`
		`+ Version: 3.0.8`
		`+ Release: 3%{?dist}`
		`Epoch: 1`
		`Source: openssl-%{version}.tar.gz`
		`Source2: Makefile.certificate`
		`@@ -39,88 +39,134 @@`
		`Source7: renew-dummy-cert`
		`Source9: configuration-switch.h`
		`Source10: configuration-prefix.h`
		`- Source14: 0025-for-tests.patch`
		`- # # Patches exported from source git`
		`- # # Aarch64 and ppc64le use lib64`
		`+ # Aarch64 and ppc64le use lib64`
		`+ # Author: Tomas Mraz <tmraz@fedoraproject.org>`
		`Patch1: 0001-Aarch64-and-ppc64le-use-lib64.patch`
		`- # # Use more general default values in openssl.cnf`
		`+ # Use more general default values in openssl.cnf`
		`+ # Author: Tomas Mraz <tmraz@fedoraproject.org>`
		`Patch2: 0002-Use-more-general-default-values-in-openssl.cnf.patch`
		`- # # Do not install html docs`
		`+ # Do not install html docs`
		`+ # Author: Tomas Mraz <tmraz@fedoraproject.org>`
		`Patch3: 0003-Do-not-install-html-docs.patch`
		`- # # Override default paths for the CA directory tree`
		`+ # Override default paths for the CA directory tree`
		`+ # Author: Tomas Mraz <tmraz@fedoraproject.org>`
		`Patch4: 0004-Override-default-paths-for-the-CA-directory-tree.patch`
		`- # # apps/ca: fix md option help text`
		`+ # apps/ca: fix md option help text`
		`+ # Author: Tomas Mraz <tmraz@fedoraproject.org>`
		`Patch5: 0005-apps-ca-fix-md-option-help-text.patch`
		`- # # Disable signature verification with totally unsafe hash algorithms`
		`+ # Disable signature verification with totally unsafe hash algorithms`
		`+ # Author: Tomas Mraz <tmraz@fedoraproject.org>`
		`Patch6: 0006-Disable-signature-verification-with-totally-unsafe-h.patch`
		`- # # Add support for PROFILE=SYSTEM system default cipherlist`
		`+ # Add support for PROFILE=SYSTEM system default cipherlist`
		`+ # Author: Tomas Mraz <tmraz@fedoraproject.org>`
		`Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch`
		`- # # Add FIPS_mode() compatibility macro`
		`+ # Add FIPS_mode() compatibility macro`
		`+ # Author: Tomas Mraz <tmraz@fedoraproject.org>`
		`Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch`
		`- # # Add check to see if fips flag is enabled in kernel`
		`+ # Add Kernel FIPS mode flag support`
		`+ # Author: Sahana Prasad <sahana@redhat.com>`
		`Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch`
		`- # # Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so`
		`- # # that new modifications made to these files by upstream are not lost.`
		`- Patch10: 0010-Add-changes-to-ectest-and-eccurve.patch`
		`- # # remove unsupported EC curves`
		`+ # Add changes to ectest.c and eccurve.c`
		`+ # Author: Sahana Prasad <sahana@redhat.com>`
		`+ Patch10: 0010-Add-changes-to-ectest.c-and-eccurve.c.patch`
		`+ # Remove EC curves`
		`+ # Author: Sahana Prasad <sahana@redhat.com>`
		`Patch11: 0011-Remove-EC-curves.patch`
		`- # # Disable explicit EC curves`
		`- # # https://bugzilla.redhat.com/show_bug.cgi?id=2066412`
		`- Patch12: 0012-Disable-explicit-ec.patch`
		`- # # Skipped tests from former 0011-Remove-EC-curves.patch`
		`- Patch13: 0013-skipped-tests-EC-curves.patch`
		`- # # Instructions to load legacy provider in openssl.cnf`
		`- Patch24: 0024-load-legacy-prov.patch`
		`- # # Tmp: test name change`
		`- Patch31: 0031-tmp-Fix-test-names.patch`
		`- # # We load FIPS provider and set FIPS properties implicitly`
		`- Patch32: 0032-Force-fips.patch`
		`- # # Embed HMAC into the fips.so`
		`- Patch33: 0033-FIPS-embed-hmac.patch`
		`- # # Comment out fipsinstall command-line utility`
		`- Patch34: 0034.fipsinstall_disable.patch`
		- # # Skip unavailable algorithms running `openssl speed`
		`- Patch35: 0035-speed-skip-unavailable-dgst.patch`
		`- # # Extra public/private key checks required by FIPS-140-3`
		`- Patch44: 0044-FIPS-140-3-keychecks.patch`
		`- # # Minimize fips services`
		`- Patch45: 0045-FIPS-services-minimize.patch`
		`- # # Execute KATS before HMAC verification`
		`- Patch47: 0047-FIPS-early-KATS.patch`
		`- # # Selectively disallow SHA1 signatures rhbz#2070977`
		`- Patch49: 0049-Allow-disabling-of-SHA1-signatures.patch`
		`- # # Support SHA1 in TLS in LEGACY crypto-policy (which is SECLEVEL=1)`
		`- Patch52: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch`
		`- # # https://github.com/openssl/openssl/pull/18103`
		`- # # The patch is incorporated in 3.0.3 but we provide this function since 3.0.1`
		`- # # so the patch should persist`
		`- Patch56: 0056-strcasecmp.patch`
		`- # # https://github.com/openssl/openssl/pull/18175`
		`- # # Patch57: 0057-strcasecmp-fix.patch`
		`- # # https://bugzilla.redhat.com/show_bug.cgi?id=2053289`
		`- Patch58: 0058-FIPS-limit-rsa-encrypt.patch`
		`- # # https://bugzilla.redhat.com/show_bug.cgi?id=2087147`
		`- Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch`
		`- # 0062-fips-Expose-a-FIPS-indicator.patch`
		`- Patch62: 0062-fips-Expose-a-FIPS-indicator.patch`
		`- # # https://bugzilla.redhat.com/show_bug.cgi?id=2102535`
		`- Patch73: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch`
		`- # [PATCH 30/35]`
		`- # 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch`
		`- Patch74: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch`
		`- # # https://bugzilla.redhat.com/show_bug.cgi?id=2102535`
		`- Patch75: 0075-FIPS-Use-FFDHE2048-in-self-test.patch`
		`- # # Downstream only. Reseed DRBG using getrandom(GRND_RANDOM)`
		`- # # https://bugzilla.redhat.com/show_bug.cgi?id=2102541`
		`- Patch76: 0076-FIPS-140-3-DRBG.patch`
		`- # # https://bugzilla.redhat.com/show_bug.cgi?id=2102542`
		`- Patch77: 0077-FIPS-140-3-zeroization.patch`
		`- # # https://bugzilla.redhat.com/show_bug.cgi?id=2114772`
		`- Patch78: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch`
		`- # # https://github.com/openssl/openssl/pull/13817`
		`- Patch100: 0100-RSA-PKCS15-implicit-rejection.patch`
		`-`
		`- License: Apache-2.0`
		`+ # Disable ec curves explicitly`
		`+ # Author: Sahana Prasad <sahana@redhat.com>`
		`+ Patch12: 0012-Disable-ec-curves-explicitly.patch`
		`+ # Skip ec tests`
		`+ # Author: Sahana Prasad <sahana@redhat.com>`
		`+ Patch13: 0013-Skip-ec-tests.patch`
		`+ # loads the legacy provider`
		`+ # Author: Sahana Prasad <sahana@redhat.com>`
		`+ Patch14: 0014-loads-the-legacy-provider.patch`
		`+ # Add the default provider`
		`+ # Author: Sahana Prasad <sahana@redhat.com>`
		`+ Patch15: 0015-Add-the-default-provider.patch`
		`+ # Fix test names`
		`+ # Author: Sahana Prasad <sahana@redhat.com>`
		`+ Patch16: 0016-Fix-test-names.patch`
		`+ # Force FIPS`
		`+ # Author: Sahana Prasad <sahana@redhat.com>`
		`+ Patch17: 0017-Force-FIPS.patch`
		`+ # FIPS embed hmac`
		`+ # Author: Sahana Prasad <sahana@redhat.com>`
		`+ Patch18: 0018-FIPS-embed-hmac.patch`
		`+ # Disable fipsinstall`
		`+ # Author: Sahana Prasad <sahana@redhat.com>`
		`+ Patch19: 0019-Disable-fipsinstall.patch`
		`+ # Skip unavailable digests`
		`+ # Author: Sahana Prasad <sahana@redhat.com>`
		`+ Patch20: 0020-Skip-unavailable-digests.patch`
		`+ # FIPS 140-3 keychecks`
		`+ # Author: Sahana Prasad <sahana@redhat.com>`
		`+ Patch21: 0021-FIPS-140-3-keychecks.patch`
		`+ # minimize services in FIPS mode`
		`+ # Author: Sahana Prasad <sahana@redhat.com>`
		`+ Patch22: 0022-minimize-services-in-FIPS-mode.patch`
		`+ # Patch anme: 0047-FIPS-early-KATS.patch`
		`+ # Author: Sahana Prasad <sahana@redhat.com>`
		`+ Patch23: 0023-Patch-anme-0047-FIPS-early-KATS.patch.patch`
		`+ # Allow disabling of SHA1 signatures`
		`+ # Author: Clemens Lang <cllang@redhat.com>`
		`+ Patch24: 0024-Allow-disabling-of-SHA1-signatures.patch`
		`+ # Support different R_BITS lengths for KBKDF`
		`+ # Author: Patrick Uiterwijk <puiterwijk@redhat.com>`
		`+ Patch25: 0025-Support-different-R_BITS-lengths-for-KBKDF.patch`
		`+ # Allow SHA1 in seclevel 1 if rh-allow-sha1-signatures = yes`
		`+ # Author: Clemens Lang <cllang@redhat.com>`
		`+ Patch26: 0026-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch`
		`+ # Instrument SHA-1 signatures with USDT probes`
		`+ # Author: Clemens Lang <cllang@redhat.com>`
		`+ Patch27: 0027-Instrument-SHA-1-signatures-with-USDT-probes.patch`
		`+ # Patch-name: 0056-strcasecmp.patch`
		`+ # Author: Sahana Prasad <sahana@redhat.com>`
		`+ Patch28: 0028-Patch-name-0056-strcasecmp.patch.patch`
		`+ # Patch-name: 0058-FIPS-limit-rsa-encrypt.patch`
		`+ # Author: Sahana Prasad <sahana@redhat.com>`
		`+ Patch29: 0029-Patch-name-0058-FIPS-limit-rsa-encrypt.patch.patch`
		`+ # Patch-name: 0060-FIPS-KAT-signature-tests.patch`
		`+ # Author: Sahana Prasad <sahana@redhat.com>`
		`+ Patch30: 0030-Patch-name-0060-FIPS-KAT-signature-tests.patch.patch`
		`+ # Deny SHA-1 signature verification in FIPS provider`
		`+ # Author: Clemens Lang <cllang@redhat.com>`
		`+ Patch31: 0031-Deny-SHA-1-signature-verification-in-FIPS-provider.patch`
		`+ # fips: Expose a FIPS indicator`
		`+ # Author: Clemens Lang <cllang@redhat.com>`
		`+ Patch32: 0032-fips-Expose-a-FIPS-indicator.patch`
		`+ # AES GCM performance optimization`
		`+ # Author: Sahana Prasad <sahana@redhat.com>`
		`+ Patch33: 0033-AES-GCM-performance-optimization.patch`
		`+ # ChaCha20 performance optimizations for ppc64le`
		`+ # Author: Sahana Prasad <sahana@redhat.com>`
		`+ Patch34: 0034-ChaCha20-performance-optimizations-for-ppc64le.patch`
		`+ # FIPS: Use OAEP in KATs, support fixed OAEP seed`
		`+ # Author: Clemens Lang <cllang@redhat.com>`
		`+ Patch35: 0035-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch`
		`+ # FIPS: Use digest_sign & digest_verify in self test`
		`+ # Author: Clemens Lang <cllang@redhat.com>`
		`+ Patch36: 0036-FIPS-Use-digest_sign-digest_verify-in-self-test.patch`
		`+ # FIPS: Use FFDHE2048 in self test`
		`+ # Author: Clemens Lang <cllang@redhat.com>`
		`+ Patch37: 0037-FIPS-Use-FFDHE2048-in-self-test.patch`
		`+ # FIPS-140-3 DRBG`
		`+ # Author: Sahana Prasad <sahana@redhat.com>`
		`+ Patch38: 0038-FIPS-140-3-DRBG.patch`
		`+ # FIPS-140-3 zeroization`
		`+ # Author: Sahana Prasad <sahana@redhat.com>`
		`+ Patch39: 0039-FIPS-140-3-zeroization.patch`
		`+ # Add FIPS indicator parameter to HKDF`
		`+ # Author: Clemens Lang <cllang@redhat.com>`
		`+ Patch40: 0040-Add-FIPS-indicator-parameter-to-HKDF.patch`
		`+ # Fix AES-GCM on Power 8 CPUs`
		`+ # Author: Tomas Mraz <tomas@openssl.org>`
		`+ Patch41: 0041-Fix-AES-GCM-on-Power-8-CPUs.patch`
		`+ # Adds RSA-PKCS15 implicit rejection`
		`+ # Author: Sahana Prasad <sahana@redhat.com>`
		`+ Patch42: 0042-Adds-RSA-PKCS15-implicit-rejection.patch`
		`+`
		`+ License: ASL 2.0`
		`URL: http://www.openssl.org/`
		`BuildRequires: gcc g++`
		`BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp`
		`@@ -297,7 +343,7 @@`
		`OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file`
		`export OPENSSL_SYSTEM_CIPHERS_OVERRIDE`
		`#embed HMAC into fips provider for test run`
		`- OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac`
		`+ LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac`
		`objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac`
		`mv providers/fips.so.mac providers/fips.so`
		`#run tests itself`
		`@@ -310,7 +356,7 @@`
		`%{?__debug_package:%{__debug_install_post}} \`
		`%{__arch_install_post} \`
		`%{__os_install_post} \`
		`- OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \`
		`+ LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \`
		`objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \`
		`mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \`
		`rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \`
		`@@ -450,23 +496,8 @@`
		`%ldconfig_scriptlets libs`

		`%changelog`
		`- * Fri Aug 04 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.1.1-2`
		`- - migrated to SPDX license`
		`-`
		`- * Thu Jul 27 2023 Sahana Prasad <sahana@redhat.com> - 1:3.1.1-1`
		`- - Rebase to upstream version 3.1.1`
		`- Resolves: CVE-2023-0464`
		`- Resolves: CVE-2023-0465`
		`- Resolves: CVE-2023-0466`
		`- Resolves: CVE-2023-1255`
		`- Resolves: CVE-2023-2650`
		`-`
		`- * Thu Jul 27 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.8-4`
		`- - Forbid custom EC more completely`
		`- Resolves: rhbz#2223953`
		`-`
		`- * Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.0.8-3`
		`- - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild`
		`+ * Sun Jun 11 2023 Sahana Prasad <sahana@redhat.com> - 1:3.0.8-3`
		`+ - Remove the unnecessary source 14 as it is already taken care of in patches.`

		`* Tue Mar 21 2023 Sahana Prasad <sahana@redhat.com> - 1:3.0.8-2`
		`- Upload new upstream sources without manually hobbling them.`

packit commented 8 months ago

Remove redundant source files that comment the activation of a default provider.
This is already done in the patch - 0015-Add-the-default-provider.patch
Signed-off-by: Sahana Prasad sahana@redhat.com

Info for package maintainer

This MR has been automatically created from
this source-git MR.

jpopelka commented 8 months ago

I finally fixed the source-git bot for the https://gitlab.com/fedora/src repos (https://gitlab.com/fedora/src/openssl in this case) and tried it on the https://gitlab.com/fedora/src/openssl/-/merge_requests/1

I guess you can/want to close this.

zuul commented 8 months ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci
https://fedora.softwarefactory-project.io/zuul/buildset/c5cce891570149f0b2602a1bb8e944c7

check-for-arches : SUCCESS in 2m 21s
check-for-eln : SUCCESS in 19s
eln-rpm-scratch-build : FAILURE in 3m 32s
rpm-scratch-build : FAILURE in 5m 04s
rpm-scratch-build-s390x : FAILURE in 3m 56s (non-voting)
rpm-scratch-build-ppc64le : FAILURE in 3m 53s (non-voting)
rpm-scratch-build-i686 : FAILURE in 4m 56s (non-voting)
rpm-scratch-build-aarch64 : FAILURE in 4m 51s (non-voting)
rpm-linter : SKIPPED Skipped due to failed job rpm-scratch-build (non-voting)
rpm-rpminspect : SKIPPED Skipped due to failed job rpm-scratch-build (non-voting)
check-for-sti-tests : SKIPPED Skipped due to failed job rpm-scratch-build
check-for-fmf-tests : SKIPPED Skipped due to failed job rpm-scratch-build
rpm-install-test : SKIPPED Skipped due to failed job rpm-scratch-build
rpm-tmt-test : SKIPPED Skipped due to failed job rpm-scratch-build
rpm-sti-test : SKIPPED Skipped due to failed job rpm-scratch-build