From: Dmitry Belyavskiy <dbelyavs@redhat.com>
To: git-commits@fedoraproject.org
Subject: [rpms/openssl] rebase_40beta: Synchronize patches from CentOS stream
Date: Tue, 09 Jun 2026 12:45:13 GMT	[thread overview]
Message-ID: <178100911327.1.11648652099510126698.rpms-openssl-e52367af4797@fedoraproject.org> (raw)

A new commit has been pushed.

Repo   : rpms/openssl
Branch : rebase_40beta
Commit : e52367af47978ce12d37b7af6cbaf9fe669db16f
Author : Dmitry Belyavskiy <dbelyavs@redhat.com>
Date   : 2023-08-22T16:39:12+02:00
Stats  : +5417/-1649 in 24 file(s)
URL    : https://src.fedoraproject.org/rpms/openssl/c/e52367af47978ce12d37b7af6cbaf9fe669db16f?branch=rebase_40beta

Log:
Synchronize patches from CentOS Stream

---
diff --git a/0011-Remove-EC-curves.patch b/0011-Remove-EC-curves.patch
index 4010bf5..cbc0a7f 100644
--- a/0011-Remove-EC-curves.patch
+++ b/0011-Remove-EC-curves.patch
@@ -1,20 +1,19 @@
-From e65f698d59fc71300d3e49492f9ef899b7209e5f Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Mon, 31 Jul 2023 09:41:28 +0200
-Subject: [PATCH 11/35] 0011-Remove-EC-curves.patch
+From 4a275f852b61238161c053774736dc07b3ade200 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 11:46:40 +0200
+Subject: [PATCH 11/48] 0011-Remove-EC-curves.patch
 
 Patch-name: 0011-Remove-EC-curves.patch
 Patch-id: 11
 Patch-status: |
     # remove unsupported EC curves
-From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
 ---
  apps/speed.c                 |  8 +---
- crypto/evp/ec_support.c      | 76 ------------------------------------
- test/acvp_test.inc           |  9 -----
- test/ecdsatest.h             | 17 --------
- test/recipes/15-test_genec.t | 27 -------------
- 5 files changed, 1 insertion(+), 136 deletions(-)
+ crypto/evp/ec_support.c      | 87 ------------------------------------
+ test/acvp_test.inc           |  9 ----
+ test/ecdsatest.h             | 17 -------
+ test/recipes/15-test_genec.t | 27 -----------
+ 5 files changed, 1 insertion(+), 147 deletions(-)
 
 diff --git a/apps/speed.c b/apps/speed.c
 index cace25eda1..d527f12f18 100644
@@ -57,7 +56,7 @@ index cace25eda1..d527f12f18 100644
          {"nistp256", NID_X9_62_prime256v1, 256},
          {"nistp384", NID_secp384r1, 384},
 diff --git a/crypto/evp/ec_support.c b/crypto/evp/ec_support.c
-index 1ec10143d2..8fe774140f 100644
+index 1ec10143d2..82b95294b4 100644
 --- a/crypto/evp/ec_support.c
 +++ b/crypto/evp/ec_support.c
 @@ -20,89 +20,15 @@ typedef struct ec_name2nid_st {
@@ -159,6 +158,24 @@ index 1ec10143d2..8fe774140f 100644
  };
  
  const char *OSSL_EC_curve_nid2name(int nid)
+@@ -150,17 +74,6 @@ int ossl_ec_curve_name2nid(const char *name)
+ /* Functions to translate between common NIST curve names and NIDs */
+ 
+ static const EC_NAME2NID nist_curves[] = {
+-    {"B-163", NID_sect163r2},
+-    {"B-233", NID_sect233r1},
+-    {"B-283", NID_sect283r1},
+-    {"B-409", NID_sect409r1},
+-    {"B-571", NID_sect571r1},
+-    {"K-163", NID_sect163k1},
+-    {"K-233", NID_sect233k1},
+-    {"K-283", NID_sect283k1},
+-    {"K-409", NID_sect409k1},
+-    {"K-571", NID_sect571k1},
+-    {"P-192", NID_X9_62_prime192v1},
+     {"P-224", NID_secp224r1},
+     {"P-256", NID_X9_62_prime256v1},
+     {"P-384", NID_secp384r1},
 diff --git a/test/acvp_test.inc b/test/acvp_test.inc
 index ad11d3ae1e..894a0bff9d 100644
 --- a/test/acvp_test.inc

diff --git a/0032-Force-fips.patch b/0032-Force-fips.patch
index ce5c3cf..e114fca 100644
--- a/0032-Force-fips.patch
+++ b/0032-Force-fips.patch
@@ -1,30 +1,30 @@
-From 8c6dffe2347fc801a2b285d79dd99b8739414bc3 Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Mon, 31 Jul 2023 09:41:28 +0200
-Subject: [PATCH 16/35] 0032-Force-fips.patch
+From 2c110cf5551a3869514e697d8dc06682b62ca57d Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 11:59:02 +0200
+Subject: [PATCH 16/48] 0032-Force-fips.patch
 
 Patch-name: 0032-Force-fips.patch
 Patch-id: 32
 Patch-status: |
     # We load FIPS provider and set FIPS properties implicitly
-From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
 ---
- crypto/provider_conf.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
+ crypto/provider_conf.c | 28 +++++++++++++++++++++++++++-
+ 1 file changed, 27 insertions(+), 1 deletion(-)
 
 diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c
-index 058fb58837..ad0b29c954 100644
+index 058fb58837..5274265a70 100644
 --- a/crypto/provider_conf.c
 +++ b/crypto/provider_conf.c
-@@ -10,6 +10,7 @@
+@@ -10,6 +10,8 @@
  #include <string.h>
  #include <openssl/trace.h>
  #include <openssl/err.h>
 +#include <openssl/evp.h>
++#include <unistd.h>
  #include <openssl/conf.h>
  #include <openssl/safestack.h>
  #include <openssl/provider.h>
-@@ -169,7 +170,7 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name,
+@@ -169,7 +171,7 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name,
          if (path != NULL)
              ossl_provider_set_module_path(prov, path);
  
@@ -33,14 +33,28 @@ index 058fb58837..ad0b29c954 100644
  
          if (ok) {
              if (!ossl_provider_activate(prov, 1, 0)) {
-@@ -309,6 +310,16 @@ static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf)
+@@ -309,6 +311,30 @@ static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf)
              return 0;
      }
  
 +    if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */
 +        OSSL_LIB_CTX *libctx = NCONF_get0_libctx((CONF *)cnf);
-+        if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)
-+            return 0;
++#  define FIPS_LOCAL_CONF           OPENSSLDIR "/fips_local.cnf"
++
++        if (access(FIPS_LOCAL_CONF, R_OK) == 0) {
++            CONF *fips_conf = NCONF_new_ex(libctx, NCONF_default());
++            if (NCONF_load(fips_conf, FIPS_LOCAL_CONF, NULL) <= 0)
++                return 0;
++
++            if (provider_conf_load(libctx, "fips", "fips_sect", fips_conf) != 1) {
++                NCONF_free(fips_conf);
++                return 0;
++            }
++            NCONF_free(fips_conf);
++        } else {
++            if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)
++                return 0;
++        }
 +        if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)
 +            return 0;
 +        if (EVP_default_properties_enable_fips(libctx, 1) != 1)
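Review bot: The `fips_conf` object leaks when `NCONF_load` fails: the `return 0` right after it skips `NCONF_free`, unlike the `provider_conf_load` failure path a few lines later, and the `NCONF_new_ex` result is never checked for NULL before it is handed to `NCONF_load`. Suggest `if (fips_conf == NULL) return 0;` after the allocation and `if (NCONF_load(fips_conf, FIPS_LOCAL_CONF, NULL) <= 0) { NCONF_free(fips_conf); return 0; }` for the load. Note also that `access(R_OK)` tests the real, not the effective, UID, so a set-UID program can silently take the plain-`"fips"` fallback branch even though the process could read the file, and check-then-load is a classic TOCTOU that is harmless only while OPENSSLDIR stays root-owned; a comment stating that assumption next to the `#define` would help. `provider_conf_init` starts outside this hunk.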

diff --git a/0044-FIPS-140-3-keychecks.patch b/0044-FIPS-140-3-keychecks.patch
index 986b5e6..50e385c 100644
--- a/0044-FIPS-140-3-keychecks.patch
+++ b/0044-FIPS-140-3-keychecks.patch
@@ -1,21 +1,23 @@
-From bdf751d87be5dfb3164264ebcdbc0c0374d3eabf Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Mon, 31 Jul 2023 09:41:28 +0200
-Subject: [PATCH 20/35] 0044-FIPS-140-3-keychecks.patch
+From b300beb172d5813b01b93bfd62fe191f8187fe1e Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 12:05:23 +0200
+Subject: [PATCH 20/48] 0044-FIPS-140-3-keychecks.patch
 
 Patch-name: 0044-FIPS-140-3-keychecks.patch
 Patch-id: 44
 Patch-status: |
     # Extra public/private key checks required by FIPS-140-3
-From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
 ---
- crypto/dh/dh_key.c                            | 28 ++++++++++++
- crypto/rsa/rsa_gen.c                          | 44 ++++++++-----------
+ crypto/dh/dh_key.c                            | 26 ++++++++++
  .../implementations/exchange/ecdh_exch.c      | 19 ++++++++
- 3 files changed, 65 insertions(+), 26 deletions(-)
+ providers/implementations/keymgmt/ec_kmgmt.c  | 24 +++++++++-
+ providers/implementations/keymgmt/rsa_kmgmt.c | 18 +++++++
+ .../implementations/signature/ecdsa_sig.c     | 37 +++++++++++++--
+ providers/implementations/signature/rsa_sig.c | 47 +++++++++++++++++--
+ 6 files changed, 162 insertions(+), 9 deletions(-)
 
 diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
-index 4e9705beef..cb9e641f54 100644
+index 4e9705beef..83773cceea 100644
 --- a/crypto/dh/dh_key.c
 +++ b/crypto/dh/dh_key.c
 @@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
@@ -52,7 +54,7 @@ index 4e9705beef..cb9e641f54 100644
  
      if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
          ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
-@@ -354,8 +367,23 @@ static int generate_key(DH *dh)
+@@ -354,8 +367,21 @@ static int generate_key(DH *dh)
      if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key))
          goto err;
  
@@ -67,97 +69,13 @@ index 4e9705beef..cb9e641f54 100644
      dh->priv_key = priv_key;
 +#ifdef FIPS_MODULE
 +    if (ossl_dh_check_pairwise(dh) <= 0) {
-+        dh->pub_key = dh->priv_key = NULL;
-+        ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID);
-+        goto err;
++        abort();
 +    }
 +#endif
 +
      dh->dirty_cnt++;
      ok = 1;
   err:
-diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
-index e0d139d312..de9cedb64b 100644
---- a/crypto/rsa/rsa_gen.c
-+++ b/crypto/rsa/rsa_gen.c
-@@ -23,6 +23,7 @@
- #include <time.h>
- #include "internal/cryptlib.h"
- #include <openssl/bn.h>
-+#include <openssl/obj_mac.h>
- #include <openssl/self_test.h>
- #include "prov/providercommon.h"
- #include "rsa_local.h"
-@@ -478,52 +479,43 @@ static int rsa_keygen(OSSL_LIB_CTX *libctx, RSA *rsa, int bits, int primes,
- static int rsa_keygen_pairwise_test(RSA *rsa, OSSL_CALLBACK *cb, void *cbarg)
- {
-     int ret = 0;
--    unsigned int ciphertxt_len;
--    unsigned char *ciphertxt = NULL;
--    const unsigned char plaintxt[16] = {0};
--    unsigned char *decoded = NULL;
--    unsigned int decoded_len;
--    unsigned int plaintxt_len = (unsigned int)sizeof(plaintxt_len);
--    int padding = RSA_PKCS1_PADDING;
-+    unsigned int signature_len;
-+    unsigned char *signature = NULL;
-     OSSL_SELF_TEST *st = NULL;
-+    static const unsigned char dgst[] = {
-+        0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81,
-+        0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28,
-+        0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69
-+    };
- 
-     st = OSSL_SELF_TEST_new(cb, cbarg);
-     if (st == NULL)
-         goto err;
-     OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT,
-+                           /* No special name for RSA signature PCT*/
-                            OSSL_SELF_TEST_DESC_PCT_RSA_PKCS1);
- 
--    ciphertxt_len = RSA_size(rsa);
--    /*
--     * RSA_private_encrypt() and RSA_private_decrypt() requires the 'to'
--     * parameter to be a maximum of RSA_size() - allocate space for both.
--     */
--    ciphertxt = OPENSSL_zalloc(ciphertxt_len * 2);
--    if (ciphertxt == NULL)
-+    signature_len = RSA_size(rsa);
-+    signature = OPENSSL_zalloc(signature_len);
-+    if (signature == NULL)
-         goto err;
--    decoded = ciphertxt + ciphertxt_len;
- 
--    ciphertxt_len = RSA_public_encrypt(plaintxt_len, plaintxt, ciphertxt, rsa,
--                                       padding);
--    if (ciphertxt_len <= 0)
-+    if (RSA_sign(NID_sha256, dgst, sizeof(dgst), signature, &signature_len, rsa) <= 0)
-         goto err;
--    if (ciphertxt_len == plaintxt_len
--        && memcmp(ciphertxt, plaintxt, plaintxt_len) == 0)
-+
-+    if (signature_len <= 0)
-         goto err;
- 
--    OSSL_SELF_TEST_oncorrupt_byte(st, ciphertxt);
-+    OSSL_SELF_TEST_oncorrupt_byte(st, signature);
- 
--    decoded_len = RSA_private_decrypt(ciphertxt_len, ciphertxt, decoded, rsa,
--                                      padding);
--    if (decoded_len != plaintxt_len
--        || memcmp(decoded, plaintxt,  decoded_len) != 0)
-+    if (RSA_verify(NID_sha256, dgst, sizeof(dgst), signature, signature_len, rsa) <= 0)
-         goto err;
- 
-     ret = 1;
- err:
-     OSSL_SELF_TEST_onend(st, ret);
-     OSSL_SELF_TEST_free(st);
--    OPENSSL_free(ciphertxt);
-+    OPENSSL_free(signature);
- 
-     return ret;
- }
 diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c
 index 43caedb6df..73873f9758 100644
 --- a/providers/implementations/exchange/ecdh_exch.c
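Review bot: The `abort()` that replaces the `ERR_raise`/`goto err` path after a failed `ossl_dh_check_pairwise` is an unexplained hard process termination inside a library, and the private value just stored into `dh->priv_key` is still live when the core file (if enabled) is written. A one-line comment would record the intent for the next maintainer, e.g. `/* FIPS 140-3: a failed pairwise consistency test is a module error state; halt rather than hand out a suspect key pair */`. If zeroization before the halt is wanted, `BN_clear_free(dh->priv_key)` ahead of `abort()` would at least keep the rejected private value out of the dump, though the rest of the process image is dumped regardless. Dropping the `rsa_gen.c` changes here appears to move the RSA pairwise test to the provider layer (`do_rsa_pct` in a later hunk of this patch), which is worth stating in the patch description. `generate_key` starts outside this hunk.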
@@ -188,6 +106,283 @@ index 43caedb6df..73873f9758 100644
  
      retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL);
  
+diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
+index a37cbbdba8..bca3f3c674 100644
+--- a/providers/implementations/keymgmt/ec_kmgmt.c
++++ b/providers/implementations/keymgmt/ec_kmgmt.c
+@@ -989,8 +989,17 @@ struct ec_gen_ctx {
+     int selection;
+     int ecdh_mode;
+     EC_GROUP *gen_group;
++#ifdef FIPS_MODULE
++    void *ecdsa_sig_ctx;
++#endif
+ };
+ 
++#ifdef FIPS_MODULE
++void *ecdsa_newctx(void *provctx, const char *propq);
++void ecdsa_freectx(void *vctx);
++int do_ec_pct(void *, const char *, void *);
++#endif
++
+ static void *ec_gen_init(void *provctx, int selection,
+                          const OSSL_PARAM params[])
+ {
+@@ -1009,6 +1018,10 @@ static void *ec_gen_init(void *provctx, int selection,
+             gctx = NULL;
+         }
+     }
++#ifdef FIPS_MODULE
++    if (gctx != NULL)
++        gctx->ecdsa_sig_ctx = ecdsa_newctx(provctx, NULL);
++#endif
+     return gctx;
+ }
+ 
+@@ -1279,6 +1292,12 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
+ 
+     if (gctx->ecdh_mode != -1)
+         ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode);
++#ifdef FIPS_MODULE
++    /* Pairwise consistency test */
++    if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0
++        && do_ec_pct(gctx->ecdsa_sig_ctx, "sha256", ec) != 1)
++        abort();
++#endif
+ 
+     if (gctx->group_check != NULL)
+         ret = ret && ossl_ec_set_check_group_type_from_name(ec, gctx->group_check);
+@@ -1348,7 +1367,10 @@ static void ec_gen_cleanup(void *genctx)
+ 
+     if (gctx == NULL)
+         return;
+-
++#ifdef FIPS_MODULE
++    ecdsa_freectx(gctx->ecdsa_sig_ctx);
++    gctx->ecdsa_sig_ctx = NULL;
++#endif
+     EC_GROUP_free(gctx->gen_group);
+     BN_free(gctx->p);
+     BN_free(gctx->a);
+diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c
+index 3ba12c4889..ff49f8fcd8 100644
+--- a/providers/implementations/keymgmt/rsa_kmgmt.c
++++ b/providers/implementations/keymgmt/rsa_kmgmt.c
+@@ -434,6 +434,7 @@ struct rsa_gen_ctx {
+ #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
+     /* ACVP test parameters */
+     OSSL_PARAM *acvp_test_params;
++    void *prov_rsa_ctx;
+ #endif
+ };
+ 
+@@ -447,6 +448,12 @@ static int rsa_gencb(int p, int n, BN_GENCB *cb)
+     return gctx->cb(params, gctx->cbarg);
+ }
+ 
++#ifdef FIPS_MODULE
++void *rsa_newctx(void *provctx, const char *propq);
++void rsa_freectx(void *vctx);
++int do_rsa_pct(void *, const char *, void *);
++#endif
++
+ static void *gen_init(void *provctx, int selection, int rsa_type,
+                       const OSSL_PARAM params[])
+ {
+@@ -474,6 +481,10 @@ static void *gen_init(void *provctx, int selection, int rsa_type,
+ 
+     if (!rsa_gen_set_params(gctx, params))
+         goto err;
++#ifdef FIPS_MODULE
++    if (gctx != NULL)
++        gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL);
++#endif
+     return gctx;
+ 
+ err:
+@@ -630,6 +641,11 @@ static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
+ 
+     rsa = rsa_tmp;
+     rsa_tmp = NULL;
++#ifdef FIPS_MODULE
++    /* Pairwise consistency test */
++    if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1)
++        abort();
++#endif
+  err:
+     BN_GENCB_free(gencb);
+     RSA_free(rsa_tmp);
+@@ -645,6 +661,8 @@ static void rsa_gen_cleanup(void *genctx)
+ #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
+     ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params);
+     gctx->acvp_test_params = NULL;
++    rsa_freectx(gctx->prov_rsa_ctx);
++    gctx->prov_rsa_ctx = NULL;
+ #endif
+     BN_clear_free(gctx->pub_exp);
+     OPENSSL_free(gctx);
+diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
+index 865d49d100..ebeb30e002 100644
+--- a/providers/implementations/signature/ecdsa_sig.c
++++ b/providers/implementations/signature/ecdsa_sig.c
+@@ -32,7 +32,7 @@
+ #include "crypto/ec.h"
+ #include "prov/der_ec.h"
+ 
+-static OSSL_FUNC_signature_newctx_fn ecdsa_newctx;
++OSSL_FUNC_signature_newctx_fn ecdsa_newctx;
+ static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init;
+ static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init;
+ static OSSL_FUNC_signature_sign_fn ecdsa_sign;
+@@ -43,7 +43,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final;
+ static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init;
+ static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update;
+ static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final;
+-static OSSL_FUNC_signature_freectx_fn ecdsa_freectx;
++OSSL_FUNC_signature_freectx_fn ecdsa_freectx;
+ static OSSL_FUNC_signature_dupctx_fn ecdsa_dupctx;
+ static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params;
+ static OSSL_FUNC_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params;
+@@ -104,7 +104,7 @@ typedef struct {
+ #endif
+ } PROV_ECDSA_CTX;
+ 
+-static void *ecdsa_newctx(void *provctx, const char *propq)
++void *ecdsa_newctx(void *provctx, const char *propq)
+ {
+     PROV_ECDSA_CTX *ctx;
+ 
+@@ -370,7 +370,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig,
+     return ecdsa_verify(ctx, sig, siglen, digest, (size_t)dlen);
+ }
+ 
+-static void ecdsa_freectx(void *vctx)
++void ecdsa_freectx(void *vctx)
+ {
+     PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
+ 
+@@ -581,6 +581,35 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx)
+     return EVP_MD_settable_ctx_params(ctx->md);
+ }
+ 
++#ifdef FIPS_MODULE
++int do_ec_pct(void *vctx, const char *mdname, void *ec)
++{
++    static const unsigned char data[32];
++    unsigned char sigbuf[256];
++    size_t siglen = sizeof(sigbuf);
++
++    if (ecdsa_digest_sign_init(vctx, mdname, ec, NULL) <= 0)
++        return 0;
++
++    if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
++        return 0;
++
++    if (ecdsa_digest_sign_final(vctx, sigbuf, &siglen, sizeof(sigbuf)) <= 0)
++        return 0;
++
++    if (ecdsa_digest_verify_init(vctx, mdname, ec, NULL) <= 0)
++        return 0;
++
++    if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
++        return 0;
++
++    if (ecdsa_digest_verify_final(vctx, sigbuf, siglen) <= 0)
++        return 0;
++
++    return 1;
++}
++#endif
++
+ const OSSL_DISPATCH ossl_ecdsa_signature_functions[] = {
+     { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx },
+     { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init },
+diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
+index cd5de6bd51..d4261e8f7d 100644
+--- a/providers/implementations/signature/rsa_sig.c
++++ b/providers/implementations/signature/rsa_sig.c
+@@ -34,7 +34,7 @@
+ 
+ #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
+ 
+-static OSSL_FUNC_signature_newctx_fn rsa_newctx;
++OSSL_FUNC_signature_newctx_fn rsa_newctx;
+ static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
+ static OSSL_FUNC_signature_verify_init_fn rsa_verify_init;
+ static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init;
+@@ -47,7 +47,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final;
+ static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init;
+ static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_signverify_update;
+ static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final;
+-static OSSL_FUNC_signature_freectx_fn rsa_freectx;
++OSSL_FUNC_signature_freectx_fn rsa_freectx;
+ static OSSL_FUNC_signature_dupctx_fn rsa_dupctx;
+ static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params;
+ static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params;
+@@ -170,7 +170,7 @@ static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen)
+     return 1;
+ }
+ 
+-static void *rsa_newctx(void *provctx, const char *propq)
++void *rsa_newctx(void *provctx, const char *propq)
+ {
+     PROV_RSA_CTX *prsactx = NULL;
+     char *propq_copy = NULL;
+@@ -977,7 +977,7 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
+     return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen);
+ }
+ 
+-static void rsa_freectx(void *vprsactx)
++void rsa_freectx(void *vprsactx)
+ {
+     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
+ 
+@@ -1455,6 +1455,45 @@ static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)
+     return EVP_MD_settable_ctx_params(prsactx->md);
+ }
+ 
++#ifdef FIPS_MODULE
++int do_rsa_pct(void *vctx, const char *mdname, void *rsa)
++{
++    static const unsigned char data[32];
++    unsigned char *sigbuf = NULL;
++    size_t siglen = 0;
++    int ret = 0;
++
++    if (rsa_digest_sign_init(vctx, mdname, rsa, NULL) <= 0)
++        return 0;
++
++    if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
++        return 0;
++
++    if (rsa_digest_sign_final(vctx, NULL, &siglen, 0) <= 0)
++        return 0;
++
++    if ((sigbuf = OPENSSL_malloc(siglen)) == NULL)
++        return 0;
++
++    if (rsa_digest_sign_final(vctx, sigbuf, &siglen, siglen) <= 0)
++        goto err;
++
++    if (rsa_digest_verify_init(vctx, mdname, rsa, NULL) <= 0)
++        goto err;
++
++    if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0)
++        goto err;
++
++    if (rsa_digest_verify_final(vctx, sigbuf, siglen) <= 0)
++        goto err;
++    ret = 1;
++
++ err:
++    OPENSSL_free(sigbuf);
++    return ret;
++}
++#endif
++
+ const OSSL_DISPATCH ossl_rsa_signature_functions[] = {
+     { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
+     { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
 -- 
 2.41.0
 
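Review bot: `prov_rsa_ctx` is declared in `struct rsa_gen_ctx` under `#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)` but assigned in `gen_init` and read in `rsa_gen` under plain `#ifdef FIPS_MODULE`, so a FIPS build with `OPENSSL_NO_ACVP_TESTS` does not compile; give the field and the `rsa_freectx` call in `rsa_gen_cleanup` their own `#ifdef FIPS_MODULE` / `void *prov_rsa_ctx;` / `#endif` block. The results of `ecdsa_newctx` in `ec_gen_init` and `rsa_newctx` in `gen_init` are never checked, and a NULL context makes `do_ec_pct`/`do_rsa_pct` fail at the `*_digest_sign_init` step, so an allocation failure at init time becomes `abort()` at key-generation time instead of a failed init; the rewrite below fails `ec_gen_init` instead, and the same shape applies to `gen_init` in rsa_kmgmt.c. `do_rsa_pct` also hard-codes `"sha256"`; for an RSA-PSS key whose parameters restrict the digest to something else, `rsa_digest_sign_init` looks like it would reject that digest and the generation would abort, which is worth confirming against `rsa_setup_md`. The enclosing functions `ec_gen_init`, `ec_gen`, `gen_init` and `rsa_gen` all start outside their respective inner hunks.
```c
/* … unchanged: ec_gen_init body up to the gctx parameter checks … */
#ifdef FIPS_MODULE
    if (gctx != NULL) {
        /* Signature context reused by the pairwise consistency test in ec_gen() */
        gctx->ecdsa_sig_ctx = ecdsa_newctx(provctx, NULL);
        if (gctx->ecdsa_sig_ctx == NULL) {
            ec_gen_cleanup(gctx);   /* presumed to release gctx itself as well — verify */
            gctx = NULL;
        }
    }
#endif
    return gctx;
```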

diff --git a/0045-FIPS-services-minimize.patch b/0045-FIPS-services-minimize.patch
index 82fb6ee..891f659 100644
--- a/0045-FIPS-services-minimize.patch
+++ b/0045-FIPS-services-minimize.patch
@@ -1,20 +1,19 @@
-From 8da97ba910507ea36fecd374ab896f80d150a7e7 Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Mon, 31 Jul 2023 09:41:28 +0200
-Subject: [PATCH 21/35] 0045-FIPS-services-minimize.patch
+From a9dc983f82cabe29d6b48f3af3e30e26074ce5cf Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 12:55:57 +0200
+Subject: [PATCH 21/48] 0045-FIPS-services-minimize.patch
 
 Patch-name: 0045-FIPS-services-minimize.patch
 Patch-id: 45
 Patch-status: |
     # Minimize fips services
-From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
 ---
- apps/ecparam.c                                |  3 ++
+ apps/ecparam.c                                |  7 +++
  apps/req.c                                    |  2 +-
  providers/common/capabilities.c               |  2 +-
- providers/fips/fipsprov.c                     | 45 +++++++++++--------
- providers/fips/self_test_data.inc             | 12 +++--
- providers/implementations/signature/rsa_sig.c | 13 ++++++
+ providers/fips/fipsprov.c                     | 44 +++++++++++--------
+ providers/fips/self_test_data.inc             |  9 +++-
+ providers/implementations/signature/rsa_sig.c | 26 +++++++++++
  ssl/ssl_ciph.c                                |  3 ++
  test/acvp_test.c                              |  2 +
  test/endecode_test.c                          |  4 ++
@@ -22,20 +21,24 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
  test/recipes/15-test_gendsa.t                 |  2 +-
  test/recipes/20-test_cli_fips.t               |  3 +-
  test/recipes/30-test_evp.t                    | 16 +++----
- .../30-test_evp_data/evpmac_common.txt        | 22 +++++++++
- test/recipes/80-test_cms.t                    | 22 ++++-----
+ .../30-test_evp_data/evpmac_common.txt        | 22 ++++++++++
+ test/recipes/80-test_cms.t                    | 22 +++++-----
  test/recipes/80-test_ssl_old.t                |  2 +-
- 16 files changed, 112 insertions(+), 50 deletions(-)
+ 16 files changed, 128 insertions(+), 47 deletions(-)
 
 diff --git a/apps/ecparam.c b/apps/ecparam.c
-index 9e9ad13683..fc125a45c9 100644
+index 9e9ad13683..9c66cf2434 100644
 --- a/apps/ecparam.c
 +++ b/apps/ecparam.c
-@@ -79,6 +79,9 @@ static int list_builtin_curves(BIO *out)
+@@ -79,6 +79,13 @@ static int list_builtin_curves(BIO *out)
          const char *comment = curves[n].comment;
          const char *sname = OBJ_nid2sn(curves[n].nid);
  
-+        if ((curves[n].nid == NID_secp256k1) && EVP_default_properties_is_fips_enabled(NULL))
++        if (((curves[n].nid == NID_secp256k1) || (curves[n].nid == NID_brainpoolP256r1)
++            || (curves[n].nid == NID_brainpoolP256t1) || (curves[n].nid == NID_brainpoolP320r1)
++            || (curves[n].nid == NID_brainpoolP320t1) || (curves[n].nid == NID_brainpoolP384r1)
++            || (curves[n].nid == NID_brainpoolP384t1) || (curves[n].nid == NID_brainpoolP512r1)
++            || (curves[n].nid == NID_brainpoolP512t1)) && EVP_default_properties_is_fips_enabled(NULL))
 +            continue;
 +
          if (comment == NULL)
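Review bot: The nine-way `||` chain added to `list_builtin_curves` is hard to read and easy to extend wrongly (one misplaced parenthesis silently changes which curves are hidden); a small predicate with a `switch` keeps the policy list in one place and lets the hiding condition read as a single clause. Note that this only trims what `ecparam -list_curves` prints when FIPS defaults are enabled; it does not by itself prevent those curves from being used, so a comment should say "hidden from the listing" rather than imply enforcement. The 160/192/224-bit brainpool curves are not in the list; whether that is deliberate or because an earlier patch already drops them is not visible here. `list_builtin_curves` starts outside this hunk.
```c
/* Curves that are built in but are not listed when FIPS defaults are enabled
 * (listing only; this does not restrict their use). */
static int curve_hidden_in_fips(int nid)
{
    switch (nid) {
    case NID_secp256k1:
    case NID_brainpoolP256r1: case NID_brainpoolP256t1:
    case NID_brainpoolP320r1: case NID_brainpoolP320t1:
    case NID_brainpoolP384r1: case NID_brainpoolP384t1:
    case NID_brainpoolP512r1: case NID_brainpoolP512t1:
        return 1;
    default:
        return 0;
    }
}

/* … unchanged: list_builtin_curves up to the per-curve loop body … */
        if (curve_hidden_in_fips(curves[n].nid)
            && EVP_default_properties_is_fips_enabled(NULL))
            continue;
```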
@@ -70,7 +73,7 @@ index ed37e76969..eb836dfa6a 100644
  # ifndef OPENSSL_NO_DH
      /* Security bit values for FFDHE groups are as per RFC 7919 */
 diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
-index 518226dfc6..73bb96dece 100644
+index 518226dfc6..29438faea8 100644
 --- a/providers/fips/fipsprov.c
 +++ b/providers/fips/fipsprov.c
 @@ -199,13 +199,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
@@ -111,8 +114,8 @@ index 518226dfc6..73bb96dece 100644
 -    UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
 -    UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
 +    /* We don't certify 3DES in our FIPS provider */
-+    /* ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
-+    ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), */
++    /* UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
++    UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), */
  #endif  /* OPENSSL_NO_DES */
      { { NULL, NULL, NULL }, NULL }
  };
@@ -140,7 +143,7 @@ index 518226dfc6..73bb96dece 100644
  #endif
      { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
        ossl_kdf_tls1_prf_keyexch_functions },
-@@ -420,13 +424,14 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
+@@ -420,13 +424,15 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
  
  static const OSSL_ALGORITHM fips_signature[] = {
  #ifndef OPENSSL_NO_DSA
@@ -151,15 +154,15 @@ index 518226dfc6..73bb96dece 100644
      { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions },
  #ifndef OPENSSL_NO_EC
 -    { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
--      ossl_ed25519_signature_functions },
--    { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },
 +    /* We don't certify Edwards curves in our FIPS provider */
-+    /* { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_signature_functions },
-+    { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_signature_functions }, */
++    /* { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES,
+       ossl_ed25519_signature_functions },
+-    { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },
++    { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions }, */
      { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions },
  #endif
      { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES,
-@@ -456,8 +461,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
+@@ -456,8 +462,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
        PROV_DESCS_DHX },
  #endif
  #ifndef OPENSSL_NO_DSA
@@ -171,7 +174,7 @@ index 518226dfc6..73bb96dece 100644
  #endif
      { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions,
        PROV_DESCS_RSA },
-@@ -466,14 +472,15 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
+@@ -466,14 +473,15 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
  #ifndef OPENSSL_NO_EC
      { PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions,
        PROV_DESCS_EC },
@@ -190,7 +193,7 @@ index 518226dfc6..73bb96dece 100644
      { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions,
        PROV_DESCS_TLS1_PRF_SIGN },
 diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
-index 2057378d3d..e0fdc0daa4 100644
+index 2057378d3d..4b80bb70b9 100644
 --- a/providers/fips/self_test_data.inc
 +++ b/providers/fips/self_test_data.inc
 @@ -177,6 +177,7 @@ static const ST_KAT_DIGEST st_kat_digest_tests[] =
@@ -221,18 +224,15 @@ index 2057378d3d..e0fdc0daa4 100644
  static const unsigned char dsa_p[] = {
      0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23,
      0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e,
-@@ -1589,8 +1591,8 @@ static const ST_KAT_PARAM dsa_key[] = {
-     ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, dsa_priv),
+@@ -1590,6 +1592,7 @@ static const ST_KAT_PARAM dsa_key[] = {
      ST_KAT_PARAM_END()
  };
--#endif /* OPENSSL_NO_DSA */
--
-+#endif
+ #endif /* OPENSSL_NO_DSA */
 +#endif
+ 
  /* Hash DRBG inputs for signature KATs */
  static const unsigned char sig_kat_entropyin[] = {
-     0x06, 0x6d, 0xc8, 0xce, 0x75, 0xb2, 0x89, 0x66, 0xa6, 0x85, 0x16, 0x3f,
-@@ -1642,6 +1644,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
+@@ -1642,6 +1645,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
      },
  # endif
  #endif /* OPENSSL_NO_EC */
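Review bot: The second `#endif` added directly after `#endif /* OPENSSL_NO_DSA */` closes a conditional whose `#if` is outside this hunk, and unlike its neighbour it carries no label, so a reader of the new file cannot tell what it terminates without scrolling back through the DSA key tables. Label it with the condition it closes, in the same style as the line above, e.g. `#endif /* <condition opened before dsa_p[] */`, and do the same for the matching `#endif` added before `st_kat_asym_cipher_tests[]` in the next inner hunk. The `dsa_key[]` and `st_kat_sign_tests[]` tables both start outside this hunk.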
@@ -240,7 +240,7 @@ index 2057378d3d..e0fdc0daa4 100644
  #ifndef OPENSSL_NO_DSA
      {
          OSSL_SELF_TEST_DESC_SIGN_DSA,
-@@ -1654,6 +1657,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
+@@ -1654,6 +1658,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
          ITM(dsa_expected_sig)
      },
  #endif /* OPENSSL_NO_DSA */
@@ -249,10 +249,30 @@ index 2057378d3d..e0fdc0daa4 100644
  
  static const ST_KAT_ASYM_CIPHER st_kat_asym_cipher_tests[] = {
 diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
-index cd5de6bd51..07824e558c 100644
+index d4261e8f7d..2a5504d104 100644
 --- a/providers/implementations/signature/rsa_sig.c
 +++ b/providers/implementations/signature/rsa_sig.c
-@@ -777,6 +777,19 @@ static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen,
+@@ -689,6 +689,19 @@ static int rsa_verify_recover(void *vprsactx,
+ {
+     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
+     int ret;
++# ifdef FIPS_MODULE
++    size_t rsabits = RSA_bits(prsactx->rsa);
++
++    if (rsabits < 2048) {
++        if (rsabits != 1024
++            && rsabits != 1280
++            && rsabits != 1536
++            && rsabits != 1792) {
++            ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
++            return 0;
++        }
++    }
++# endif
+ 
+     if (!ossl_prov_is_running())
+         return 0;
+@@ -777,6 +790,19 @@ static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen,
  {
      PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
      size_t rslen;
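Review bot: The new key-length gate in `rsa_verify_recover` calls `RSA_bits(prsactx->rsa)` before the `ossl_prov_is_running()` check the function previously opened with, and raises `PROV_R_INVALID_KEY_LENGTH` under `ERR_LIB_FIPS`, whereas the provider code around it appears to use `ERR_LIB_PROV` — move the block after the running check and use whichever library code the rest of rsa_sig.c uses (confirm which that is). The four accepted sub-2048 sizes (1024, 1280, 1536, 1792) are unexplained magic numbers; presumably this is the legacy-use allowance for verifying signatures from older keys, so a comment such as `/* Verification only: these legacy key sizes below 2048 bits stay accepted; generation and signing are not */` would record the intent, and `if (rsabits < 2048 && rsabits != 1024 && rsabits != 1280 && rsabits != 1536 && rsabits != 1792)` flattens the nested `if`. The 13-line addition to `rsa_verify` in the next inner hunk is not visible here but very likely repeats the same test, which argues for one `static` helper shared by both. `rsa_verify_recover`'s signature sits in the hunk header and `rsa_verify` continues outside the hunk.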
@@ -401,7 +421,7 @@ index 6d3c5ba1bb..2ba47b5fca 100644
      subtest DSA => sub {
          my $testtext_prefix = 'DSA';
 diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t
-index 9d7040ced2..3be2549cb5 100644
+index 9d7040ced2..f8beb538d4 100644
 --- a/test/recipes/30-test_evp.t
 +++ b/test/recipes/30-test_evp.t
 @@ -42,10 +42,8 @@ my @files = qw(
@@ -428,16 +448,20 @@ index 9d7040ced2..3be2549cb5 100644
  push @files, qw(
                  evppkey_ecc.txt
                  evppkey_ecdh.txt
-@@ -91,6 +83,8 @@ my @defltfiles = qw(
+@@ -91,6 +83,7 @@ my @defltfiles = qw(
                       evpciph_cast5.txt
                       evpciph_chacha.txt
                       evpciph_des.txt
 +                     evpciph_des3_common.txt
-+                     evpkdf_kbkdf_kmac.txt
                       evpciph_idea.txt
                       evpciph_rc2.txt
                       evpciph_rc4.txt
-@@ -118,6 +112,12 @@ my @defltfiles = qw(
+@@ -114,10 +107,17 @@ my @defltfiles = qw(
+                      evpmd_whirlpool.txt
+                      evppbe_scrypt.txt
+                      evppbe_pkcs12.txt
++                     evpkdf_kbkdf_kmac.txt
+                      evppkey_kdf_scrypt.txt
                       evppkey_kdf_tls1_prf.txt
                       evppkey_rsa.txt
                      );

diff --git a/0049-Allow-disabling-of-SHA1-signatures.patch b/0049-Allow-disabling-of-SHA1-signatures.patch
index 559342f..c70537a 100644
--- a/0049-Allow-disabling-of-SHA1-signatures.patch
+++ b/0049-Allow-disabling-of-SHA1-signatures.patch
@@ -1,44 +1,13 @@
-From 51d52096122cc73413d55aac06d5e0641f58ffcb Mon Sep 17 00:00:00 2001
-From: Clemens Lang <cllang@redhat.com>
-Date: Mon, 21 Feb 2022 17:24:44 +0100
-Subject: [PATCH] Allow disabling of SHA1 signatures
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
+From 2e8388e06eafb703aeb315498915bf079561bdb5 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 13:07:07 +0200
+Subject: [PATCH 23/48] 0049-Allow-disabling-of-SHA1-signatures.patch
 
-NOTE: This patch is ported from CentOS 9 / RHEL 9, where it defaults to
-denying SHA1 signatures. On Fedora, the default is – for now – to allow
-SHA1 signatures.
-
-In order to phase out SHA1 signatures, introduce a new configuration
-option in the alg_section named 'rh-allow-sha1-signatures'. This option
-defaults to true. If set to false, any signature creation or
-verification operations that involve SHA1 as digest will fail.
-
-This also affects TLS, where the signature_algorithms extension of any
-ClientHello message sent by OpenSSL will no longer include signatures
-with the SHA1 digest if rh-allow-sha1-signatures is false. For servers
-that request a client certificate, the same also applies for
-CertificateRequest messages sent by them.
-
-For signatures created using the EVP_PKEY API, this is a best-effort
-check that will deny signatures in cases where the digest algorithm is
-known. This means, for example, that that following steps will still
-work:
-
- $> openssl dgst -sha1 -binary -out sha1 infile
- $> openssl pkeyutl -inkey key.pem -sign -in sha1 -out sha1sig
- $> openssl pkeyutl -inkey key.pem -verify -sigfile sha1sig -in sha1
-
-whereas these will not:
-
- $> openssl dgst -sha1 -binary -out sha1 infile
- $> openssl pkeyutl -inkey kem.pem -sign -in sha1 -out sha1sig -pkeyopt digest:sha1
- $> openssl pkeyutl -inkey kem.pem -verify -sigfile sha1sig -in sha1 -pkeyopt digest:sha1
-
-This happens because in the first case, OpenSSL's signature
-implementation does not know that it is signing a SHA1 hash (it could be
-signing arbitrary data).
+Patch-name: 0049-Allow-disabling-of-SHA1-signatures.patch
+Patch-id: 49
+Patch-status: |
+    # Selectively disallow SHA1 signatures rhbz#2070977
+From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
 ---
  crypto/context.c                              | 14 ++++
  crypto/evp/evp_cnf.c                          | 13 +++
@@ -58,10 +27,10 @@ signing arbitrary data).
  15 files changed, 209 insertions(+), 9 deletions(-)
 
 diff --git a/crypto/context.c b/crypto/context.c
-index e294ea1512..ab6abf44ab 100644
+index 51002ba79a..e697974c9d 100644
 --- a/crypto/context.c
 +++ b/crypto/context.c
-@@ -43,6 +43,8 @@ struct ossl_lib_ctx_st {
+@@ -78,6 +78,8 @@ struct ossl_lib_ctx_st {
      void *fips_prov;
  #endif
  
@@ -70,7 +39,7 @@ index e294ea1512..ab6abf44ab 100644
      unsigned int ischild:1;
  };
  
-@@ -171,6 +173,10 @@ static int context_init(OSSL_LIB_CTX *ctx)
+@@ -206,6 +208,10 @@ static int context_init(OSSL_LIB_CTX *ctx)
          goto err;
  #endif
  
@@ -81,7 +50,7 @@ index e294ea1512..ab6abf44ab 100644
      /* Low priority. */
  #ifndef FIPS_MODULE
      ctx->child_provider = ossl_child_prov_ctx_new(ctx);
-@@ -299,6 +305,11 @@ static void context_deinit_objs(OSSL_LIB_CTX *ctx)
+@@ -334,6 +340,11 @@ static void context_deinit_objs(OSSL_LIB_CTX *ctx)
      }
  #endif
  
@@ -93,7 +62,7 @@ index e294ea1512..ab6abf44ab 100644
      /* Low priority. */
  #ifndef FIPS_MODULE
      if (ctx->child_provider != NULL) {
-@@ -589,6 +600,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index)
+@@ -625,6 +636,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index)
          return ctx->fips_prov;
  #endif
  
@@ -265,10 +234,10 @@ index ce6e1a1ccb..003926247b 100644
          return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md));
  
 diff --git a/doc/man5/config.pod b/doc/man5/config.pod
-index 8d312c661f..979683e0a5 100644
+index bd05736220..ed34ff4b9c 100644
 --- a/doc/man5/config.pod
 +++ b/doc/man5/config.pod
-@@ -296,6 +296,19 @@ Within the algorithm properties section, the following names have meaning:
+@@ -304,6 +304,19 @@ Within the algorithm properties section, the following names have meaning:
  The value may be anything that is acceptable as a property query
  string for EVP_set_default_properties().
  
@@ -433,7 +402,7 @@ index 70d0ea5d24..3c482e0181 100644
          if (md == NULL || md_nid < 0) {
              if (md == NULL)
 diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
-index 865d49d100..99b228e82c 100644
+index ebeb30e002..c874f87bd5 100644
 --- a/providers/implementations/signature/ecdsa_sig.c
 +++ b/providers/implementations/signature/ecdsa_sig.c
 @@ -237,7 +237,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
@@ -449,7 +418,7 @@ index 865d49d100..99b228e82c 100644
                                                      sha1_allowed);
      if (md_nid < 0) {
 diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
-index cd5de6bd51..25a51df878 100644
+index 2a5504d104..5f3a029566 100644
 --- a/providers/implementations/signature/rsa_sig.c
 +++ b/providers/implementations/signature/rsa_sig.c
 @@ -25,6 +25,7 @@
@@ -466,7 +435,7 @@ index cd5de6bd51..25a51df878 100644
  #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
 +#define RSA_DEFAULT_DIGEST_NAME_NONLEGACY OSSL_DIGEST_NAME_SHA2_256
  
- static OSSL_FUNC_signature_newctx_fn rsa_newctx;
+ OSSL_FUNC_signature_newctx_fn rsa_newctx;
  static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
 @@ -302,10 +304,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
  
@@ -486,7 +455,7 @@ index cd5de6bd51..25a51df878 100644
  
          if (md == NULL
              || md_nid <= 0
-@@ -1370,8 +1377,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
+@@ -1396,8 +1403,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
      prsactx->pad_mode = pad_mode;
  
      if (prsactx->md == NULL && pmdname == NULL
@@ -552,5 +521,5 @@ index 9cb8a4dda2..feb660d030 100644
 +ossl_ctx_legacy_digest_signatures_allowed ?	3_0_1	EXIST::FUNCTION:
 +ossl_ctx_legacy_digest_signatures_allowed_set ?	3_0_1	EXIST::FUNCTION:
 -- 
-2.40.1
+2.41.0
 

diff --git a/0058-FIPS-limit-rsa-encrypt.patch b/0058-FIPS-limit-rsa-encrypt.patch
index ff84edf..0d1170b 100644
--- a/0058-FIPS-limit-rsa-encrypt.patch
+++ b/0058-FIPS-limit-rsa-encrypt.patch
@@ -1,7 +1,7 @@
-From 7a6ade7947ceea6ca367afa0427f61a9505e37a5 Mon Sep 17 00:00:00 2001
+From 56511d480823bedafce604374fa3b15d3b3ffd6b Mon Sep 17 00:00:00 2001
 From: rpm-build <rpm-build>
 Date: Mon, 31 Jul 2023 09:41:28 +0200
-Subject: [PATCH 26/35] 0058-FIPS-limit-rsa-encrypt.patch
+Subject: [PATCH 26/48] 0058-FIPS-limit-rsa-encrypt.patch
 
 Patch-name: 0058-FIPS-limit-rsa-encrypt.patch
 Patch-id: 58
@@ -31,7 +31,7 @@ index e534ad0a5f..c017c658e5 100644
  {
      int protect = 0;
 diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
-index d865968058..9cd8904131 100644
+index d865968058..872967bcb3 100644
 --- a/providers/implementations/asymciphers/rsa_enc.c
 +++ b/providers/implementations/asymciphers/rsa_enc.c
 @@ -132,6 +132,17 @@ static int rsa_decrypt_init(void *vprsactx, void *vrsa,
@@ -41,7 +41,7 @@ index d865968058..9cd8904131 100644
 +# ifdef FIPS_MODULE
 +static int fips_padding_allowed(const PROV_RSA_CTX *prsactx)
 +{
-+    if (prsactx->pad_mode == RSA_PKCS1_PADDING
++    if (prsactx->pad_mode == RSA_PKCS1_PADDING || prsactx->pad_mode == RSA_NO_PADDING
 +        || prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING)
 +        return 0;
 +
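Review bot: Adding RSA_NO_PADDING to the deny-list in fips_padding_allowed is the right direction, but the hunk records no rationale and the new disjunct is squeezed onto the first line while the third mode sits on its own; I would put one mode per line and add `/* FIPS 140-3: only OAEP is approved for RSA encryption/decryption; raw, PKCS#1 v1.5 and TLS padding are rejected */` above the `if`. A deny-list also admits any padding mode added later by default; if the rest of the function returns 1 for everything else, an allow-list that accepts only RSA_PKCS1_OAEP_PADDING would fail closed instead. fips_padding_allowed's body continues past the hunk, so I cannot see how the remaining modes are handled.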

diff --git a/0076-FIPS-140-3-DRBG.patch b/0076-FIPS-140-3-DRBG.patch
index 747cf7d..15cdac6 100644
--- a/0076-FIPS-140-3-DRBG.patch
+++ b/0076-FIPS-140-3-DRBG.patch
@@ -1,7 +1,7 @@
-From 4b59d71e276243615d8fcc65bab32d83e6a602ad Mon Sep 17 00:00:00 2001
+From 89c00cc67b9b34bc94f9dc3a9fce9374bbaade03 Mon Sep 17 00:00:00 2001
 From: rpm-build <rpm-build>
 Date: Mon, 31 Jul 2023 09:41:29 +0200
-Subject: [PATCH 32/35] 0076-FIPS-140-3-DRBG.patch
+Subject: [PATCH 32/48] 0076-FIPS-140-3-DRBG.patch
 
 Patch-name: 0076-FIPS-140-3-DRBG.patch
 Patch-id: 76
@@ -12,9 +12,10 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
 ---
  crypto/rand/prov_seed.c                       |  9 ++-
  providers/implementations/rands/crngt.c       |  6 +-
- providers/implementations/rands/drbg.c        |  3 +
+ providers/implementations/rands/drbg.c        | 11 +++-
+ providers/implementations/rands/drbg_local.h  |  2 +-
  .../implementations/rands/seeding/rand_unix.c | 64 ++-----------------
- 4 files changed, 20 insertions(+), 62 deletions(-)
+ 5 files changed, 28 insertions(+), 64 deletions(-)
 
 diff --git a/crypto/rand/prov_seed.c b/crypto/rand/prov_seed.c
 index 96c499c957..61c4cd8779 100644
@@ -54,7 +55,7 @@ index fa4a2db14a..1f13fc759e 100644
          bytes_needed = min_len;
      if (bytes_needed > max_len)
 diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c
-index ea55363bf8..423bb91157 100644
+index ea55363bf8..1b2410b3db 100644
 --- a/providers/implementations/rands/drbg.c
 +++ b/providers/implementations/rands/drbg.c
 @@ -570,6 +570,9 @@ int ossl_prov_drbg_reseed(PROV_DRBG *drbg, int prediction_resistance,
@@ -67,6 +68,35 @@ index ea55363bf8..423bb91157 100644
      /* Reseed using our sources in addition */
      entropylen = get_entropy(drbg, &entropy, drbg->strength,
                               drbg->min_entropylen, drbg->max_entropylen,
+@@ -662,8 +665,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
+             reseed_required = 1;
+     }
+     if (drbg->parent != NULL
+-            && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
++            && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) {
++#ifdef FIPS_MODULE
++        /* Red Hat patches provide chain reseeding when necessary so just sync counters*/
++        drbg->parent_reseed_counter = get_parent_reseed_count(drbg);
++#else
+         reseed_required = 1;
++#endif
++        }
+ 
+     if (reseed_required || prediction_resistance) {
+         if (!ossl_prov_drbg_reseed(drbg, prediction_resistance, NULL, 0,
+diff --git a/providers/implementations/rands/drbg_local.h b/providers/implementations/rands/drbg_local.h
+index 3b5417b43b..d27c50950b 100644
+--- a/providers/implementations/rands/drbg_local.h
++++ b/providers/implementations/rands/drbg_local.h
+@@ -38,7 +38,7 @@
+  *
+  * The value is in bytes.
+  */
+-#define CRNGT_BUFSIZ    16
++#define CRNGT_BUFSIZ   32
+ 
+ /*
+  * Maximum input size for the DRBG (entropy, nonce, personalization string)
 diff --git a/providers/implementations/rands/seeding/rand_unix.c b/providers/implementations/rands/seeding/rand_unix.c
 index cd02a0236d..98c917b6d8 100644
 --- a/providers/implementations/rands/seeding/rand_unix.c
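Review bot: The FIPS_MODULE branch in ossl_prov_drbg_generate replaces the reseed forced by a parent reseed-counter mismatch with a plain counter sync, justified only by a comment that cites unnamed "Red Hat patches"; that dependency should be named so a later drop of that patch cannot silently leave child DRBGs ignoring parent reseeds, e.g. `/* Chain reseeding is driven by <patch-name placeholder>; only sync the counter here. */`. The comment line is also missing a space before the closing `*/`. The CRNGT_BUFSIZ change from 16 to 32 in drbg_local.h carries no comment giving the reason for the new size and loses one space of alignment; a one-line why-comment above the define would make the choice reviewable. Both enclosing units continue outside the hunk.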

diff --git a/0078-Add-FIPS-indicator-parameter-to-HKDF.patch b/0078-Add-FIPS-indicator-parameter-to-HKDF.patch
index 31e3c7d..539e08d 100644
--- a/0078-Add-FIPS-indicator-parameter-to-HKDF.patch
+++ b/0078-Add-FIPS-indicator-parameter-to-HKDF.patch
@@ -1,119 +1,874 @@
-From c4b086fc4de06128695e1fe428f56d776d25e748 Mon Sep 17 00:00:00 2001
-From: Clemens Lang <cllang@redhat.com>
-Date: Thu, 11 Aug 2022 09:27:12 +0200
-Subject: [PATCH] Add FIPS indicator parameter to HKDF
+From 2000eaead63732669283e6b54c8ef02e268eaeb8 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Mon, 31 Jul 2023 09:41:29 +0200
+Subject: [PATCH 34/48] 0078-Add-FIPS-indicator-parameter-to-HKDF.patch
 
-NIST considers HKDF only acceptable when used as in TLS 1.3, and
-otherwise unapproved. Add an explicit indicator attached to the
-EVP_KDF_CTX that can be queried using EVP_KDF_CTX_get_params() to
-determine whether the KDF operation was approved after performing it.
-
-Related: rhbz#2114772
-Signed-off-by: Clemens Lang <cllang@redhat.com>
+Patch-name: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch
+Patch-id: 78
+Patch-status: |
+    # https://bugzilla.redhat.com/show_bug.cgi?id=2114772
+From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
 ---
- include/openssl/core_names.h          |  1 +
- include/openssl/kdf.h                 |  4 ++
- providers/implementations/kdfs/hkdf.c | 53 +++++++++++++++++++++++++++
- 3 files changed, 58 insertions(+)
+ include/crypto/evp.h                      |   7 ++
+ include/openssl/core_names.h              |   1 +
+ include/openssl/kdf.h                     |   4 +
+ providers/implementations/kdfs/hkdf.c     | 100 +++++++++++++++++++++-
+ providers/implementations/kdfs/kbkdf.c    |  82 ++++++++++++++++--
+ providers/implementations/kdfs/sshkdf.c   |  75 +++++++++++++++-
+ providers/implementations/kdfs/sskdf.c    | 100 +++++++++++++++++++++-
+ providers/implementations/kdfs/tls1_prf.c |  74 +++++++++++++++-
+ providers/implementations/kdfs/x942kdf.c  |  66 +++++++++++++-
+ 9 files changed, 487 insertions(+), 22 deletions(-)
 
+diff --git a/include/crypto/evp.h b/include/crypto/evp.h
+index dbbdcccbda..aa07153441 100644
+--- a/include/crypto/evp.h
++++ b/include/crypto/evp.h
+@@ -219,6 +219,13 @@ struct evp_mac_st {
+     OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params;
+ };
+ 
++#ifdef FIPS_MODULE
++/* According to NIST Special Publication 800-131Ar2, Section 8: Deriving
++ * Additional Keys from a Cryptographic Key, "[t]he length of the
++ * key-derivation key [i.e., the input key] shall be at least 112 bits". */
++# define EVP_KDF_FIPS_MIN_KEY_LEN (112 / 8)
++#endif
++
+ struct evp_kdf_st {
+     OSSL_PROVIDER *prov;
+     int name_id;
 diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
-index 21c94d0488..87786680d7 100644
+index c0cce14297..b431b9f871 100644
 --- a/include/openssl/core_names.h
 +++ b/include/openssl/core_names.h
-@@ -223,6 +223,7 @@ extern "C" {
+@@ -226,6 +226,7 @@ extern "C" {
  #define OSSL_KDF_PARAM_X942_SUPP_PUBINFO    "supp-pubinfo"
  #define OSSL_KDF_PARAM_X942_SUPP_PRIVINFO   "supp-privinfo"
  #define OSSL_KDF_PARAM_X942_USE_KEYBITS     "use-keybits"
-+#define OSSL_KDF_PARAM_HKDF_REDHAT_FIPS_INDICATOR "hkdf-fips-indicator"
++#define OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator"
  
  /* Known KDF names */
  #define OSSL_KDF_NAME_HKDF           "HKDF"
 diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
-index 0983230a48..869f23d8fb 100644
+index 0983230a48..86171635ea 100644
 --- a/include/openssl/kdf.h
 +++ b/include/openssl/kdf.h
 @@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf,
  # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY        1
  # define EVP_KDF_HKDF_MODE_EXPAND_ONLY         2
  
-+# define EVP_KDF_HKDF_FIPS_INDICATOR_UNDETERMINED 0
-+# define EVP_KDF_HKDF_FIPS_INDICATOR_APPROVED     1
-+# define EVP_KDF_HKDF_FIPS_INDICATOR_NOT_APPROVED 2
++# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED     1
++# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
 +
  #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV     65
  #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI     66
  #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
 diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
-index afdb7138e1..9d28d292d8 100644
+index 5304baa6c9..f9c77f4236 100644
 --- a/providers/implementations/kdfs/hkdf.c
 +++ b/providers/implementations/kdfs/hkdf.c
-@@ -298,6 +298,56 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+@@ -43,6 +43,7 @@ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params;
+ static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params;
+ static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
+ static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params;
++static OSSL_FUNC_kdf_newctx_fn kdf_tls1_3_new;
+ static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive;
+ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params;
+ static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params;
+@@ -86,6 +87,10 @@ typedef struct {
+     size_t data_len;
+     unsigned char *info;
+     size_t info_len;
++    int is_tls13;
++#ifdef FIPS_MODULE
++    int fips_indicator;
++#endif /* defined(FIPS_MODULE) */
+ } KDF_HKDF;
+ 
+ static void *kdf_hkdf_new(void *provctx)
+@@ -201,6 +206,11 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen,
+         return 0;
+     }
+ 
++#ifdef FIPS_MODULE
++    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++        ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
++
+     switch (ctx->mode) {
+     case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
+     default:
+@@ -363,15 +373,78 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
+     KDF_HKDF *ctx = (KDF_HKDF *)vctx;
+     OSSL_PARAM *p;
++    int any_valid = 0; /* set to 1 when at least one parameter was valid */
+ 
+     if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
+         size_t sz = kdf_hkdf_size(ctx);
+ 
+-        if (sz == 0)
++        any_valid = 1;
++
++        if (sz == 0 || !OSSL_PARAM_set_size_t(p, sz))
              return 0;
-         return OSSL_PARAM_set_size_t(p, sz);
+-        return OSSL_PARAM_set_size_t(p, sz);
+     }
+-    return -2;
++
++#ifdef FIPS_MODULE
++    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
++            != NULL) {
++        int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
++        const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
++
++        any_valid = 1;
++
++        /* According to NIST Special Publication 800-131Ar2, Section 8:
++         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
++         * the key-derivation key [i.e., the input key] shall be at least 112
++         * bits". */
++        if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Verification Program, Section D.B and NIST Special Publication
++         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
++         * strength < 112 bits is legacy use only, so all derived keys should
++         * be longer than that. If a derived key has ever been shorter than
++         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
++         * should also set the returned FIPS indicator to unapproved. */
++        if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        if (ctx->is_tls13) {
++            if (md != NULL
++                    && !EVP_MD_is_a(md, "SHA2-256")
++                    && !EVP_MD_is_a(md, "SHA2-384")) {
++                /* Implementation Guidance for FIPS 140-3 and the Cryptographic
++                 * Module Validation Program, Section 2.4.B, (5): "The TLS 1.3
++                 * key derivation function documented in Section 7.1 of RFC
++                 * 8446. This is considered an approved CVL because the
++                 * underlying functions performed within the TLS 1.3 KDF map to
++                 * NIST approved standards, namely: SP 800-133rev2 (Section 6.3
++                 * Option #3), SP 800-56Crev2, and SP 800-108."
++                 *
++                 * RFC 8446 appendix B.4 only lists SHA-256 and SHA-384. */
++                fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++            }
++        } else {
++            if (md != NULL
++                    && (EVP_MD_is_a(md, "SHAKE-128") ||
++                        EVP_MD_is_a(md, "SHAKE-256"))) {
++                /* HKDF is a SP 800-56Cr2 TwoStep KDF, for which all SHA-1,
++                 * SHA-2 and SHA-3 are approved. SHAKE is not approved, because
++                 * of FIPS 140-3 IG, section C.C: "The SHAKE128 and SHAKE256
++                 * extendable-output functions may only be used as the
++                 * standalone algorithms." */
++                fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++            }
++        }
++        if (!OSSL_PARAM_set_int(p, fips_indicator))
++            return 0;
++    }
++#endif /* defined(FIPS_MODULE) */
++
++    if (!any_valid)
++        return -2;
++
++    return 1;
+ }
+ 
+ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
+@@ -379,6 +452,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
+ {
+     static const OSSL_PARAM known_gettable_ctx_params[] = {
+         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++        OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
++#endif /* defined(FIPS_MODULE) */
+         OSSL_PARAM_END
+     };
+     return known_gettable_ctx_params;
+@@ -709,6 +785,17 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx,
+     return ret;
+ }
+ 
++static void *kdf_tls1_3_new(void *provctx)
++{
++    KDF_HKDF *hkdf = kdf_hkdf_new(provctx);
++
++    if (hkdf != NULL)
++        hkdf->is_tls13 = 1;
++
++    return hkdf;
++}
++
++
+ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
+                              const OSSL_PARAM params[])
+ {
+@@ -724,6 +811,11 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen,
+         return 0;
+     }
+ 
++#ifdef FIPS_MODULE
++    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++        ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
++
+     switch (ctx->mode) {
+     default:
+         return 0;
+@@ -801,7 +893,7 @@ static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx,
+ }
+ 
+ const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = {
+-    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new },
++    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_3_new },
+     { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup },
+     { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free },
+     { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset },
+diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c
+index aa3df15bc7..3f82710061 100644
+--- a/providers/implementations/kdfs/kbkdf.c
++++ b/providers/implementations/kdfs/kbkdf.c
+@@ -59,6 +59,9 @@ typedef struct {
+     kbkdf_mode mode;
+     EVP_MAC_CTX *ctx_init;
+ 
++    /* HMAC digest algorithm, if any; used to compute FIPS indicator */
++    PROV_DIGEST digest;
++
+     /* Names are lowercased versions of those found in SP800-108. */
+     int r;
+     unsigned char *ki;
+@@ -72,6 +75,9 @@ typedef struct {
+     int use_l;
+     int is_kmac;
+     int use_separator;
++#ifdef FIPS_MODULE
++    int fips_indicator;
++#endif /* defined(FIPS_MODULE) */
+ } KBKDF;
+ 
+ /* Definitions needed for typechecking. */
+@@ -143,6 +149,7 @@ static void kbkdf_reset(void *vctx)
+     void *provctx = ctx->provctx;
+ 
+     EVP_MAC_CTX_free(ctx->ctx_init);
++    ossl_prov_digest_reset(&ctx->digest);
+     OPENSSL_clear_free(ctx->context, ctx->context_len);
+     OPENSSL_clear_free(ctx->label, ctx->label_len);
+     OPENSSL_clear_free(ctx->ki, ctx->ki_len);
+@@ -308,6 +315,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen,
+         goto done;
+     }
+ 
++#ifdef FIPS_MODULE
++    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++        ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
++
+     h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init);
+     if (h == 0)
+         goto done;
+@@ -381,6 +393,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+         }
+     }
+ 
++    if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
++        return 0;
++
+     p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE);
+     if (p != NULL
+         && OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) {
+@@ -461,20 +476,77 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx,
+ static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
+     OSSL_PARAM *p;
++    int any_valid = 0; /* set to 1 when at least one parameter was valid */
+ 
+     p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE);
+-    if (p == NULL)
++    if (p != NULL) {
++        any_valid = 1;
++
++        /* KBKDF can produce results as large as you like. */
++        if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
++            return 0;
++    }
++
++#ifdef FIPS_MODULE
++    p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
++    if (p != NULL) {
++        KBKDF *ctx = (KBKDF *)vctx;
++        int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
++
++        any_valid = 1;
++
++        /* According to NIST Special Publication 800-131Ar2, Section 8:
++         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
++         * the key-derivation key [i.e., the input key] shall be at least 112
++         * bits". */
++        if (ctx->ki_len < EVP_KDF_FIPS_MIN_KEY_LEN)
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Verification Program, Section D.B and NIST Special Publication
++         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
++         * strength < 112 bits is legacy use only, so all derived keys should
++         * be longer than that. If a derived key has ever been shorter than
++         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
++         * should also set the returned FIPS indicator to unapproved. */
++        if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
++         * extendable-output functions may only be used as the standalone
++         * algorithms." Note that the digest is only used when the MAC
++         * algorithm is HMAC. */
++        if (ctx->ctx_init != NULL
++                && EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init), OSSL_MAC_NAME_HMAC)) {
++            const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
++            if (md != NULL
++                    && (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256"))) {
++                fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++            }
++        }
++
++        if (!OSSL_PARAM_set_int(p, fips_indicator))
++            return 0;
++    }
++#endif
++
++    if (!any_valid)
+         return -2;
+ 
+-    /* KBKDF can produce results as large as you like. */
+-    return OSSL_PARAM_set_size_t(p, SIZE_MAX);
++    return 1;
+ }
+ 
+ static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *ctx,
+                                                    ossl_unused void *provctx)
+ {
+-    static const OSSL_PARAM known_gettable_ctx_params[] =
+-        { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_END };
++    static const OSSL_PARAM known_gettable_ctx_params[] = {
++        OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++        OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
++#endif /* defined(FIPS_MODULE) */
++        OSSL_PARAM_END
++    };
+     return known_gettable_ctx_params;
+ }
+ 
+diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c
+index 1afac4e477..389b82b714 100644
+--- a/providers/implementations/kdfs/sshkdf.c
++++ b/providers/implementations/kdfs/sshkdf.c
+@@ -49,6 +49,9 @@ typedef struct {
+     char type; /* X */
+     unsigned char *session_id;
+     size_t session_id_len;
++#ifdef FIPS_MODULE
++    int fips_indicator;
++#endif /* defined(FIPS_MODULE) */
+ } KDF_SSHKDF;
+ 
+ static void *kdf_sshkdf_new(void *provctx)
+@@ -151,6 +154,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen,
+         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE);
+         return 0;
+     }
++
++#ifdef FIPS_MODULE
++    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++        ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
++
+     return SSHKDF(md, ctx->key, ctx->key_len,
+                   ctx->xcghash, ctx->xcghash_len,
+                   ctx->session_id, ctx->session_id_len,
+@@ -219,10 +228,67 @@ static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx,
+ static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
+     OSSL_PARAM *p;
++    int any_valid = 0; /* set to 1 when at least one parameter was valid */
+ 
+-    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+-        return OSSL_PARAM_set_size_t(p, SIZE_MAX);
+-    return -2;
++    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
++        any_valid = 1;
++
++        if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
++            return 0;
++    }
++
++#ifdef FIPS_MODULE
++    p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
++    if (p != NULL) {
++        KDF_SSHKDF *ctx = vctx;
++        int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
++
++        any_valid = 1;
++
++        /* According to NIST Special Publication 800-131Ar2, Section 8:
++         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
++         * the key-derivation key [i.e., the input key] shall be at least 112
++         * bits". */
++        if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN)
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Verification Program, Section D.B and NIST Special Publication
++         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
++         * strength < 112 bits is legacy use only, so all derived keys should
++         * be longer than that. If a derived key has ever been shorter than
++         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
++         * should also set the returned FIPS indicator to unapproved. */
++        if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
++         * extendable-output functions may only be used as the standalone
++         * algorithms."
++         *
++         * Additionally, SP 800-135r1 section 5.2 specifies that the hash
++         * function used in SSHKDF "is one of the hash functions specified in
++         * FIPS 180-3.", which rules out SHA-3 and truncated variants of SHA-2.
++         * */
++        if (ctx->digest.md != NULL
++            && !EVP_MD_is_a(ctx->digest.md, "SHA-1")
++            && !EVP_MD_is_a(ctx->digest.md, "SHA2-224")
++            && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
++            && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
++            && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++        }
++
++        if (!OSSL_PARAM_set_int(p, fips_indicator))
++            return 0;
++    }
++#endif
++
++    if (!any_valid)
++        return -2;
++
++    return 1;
+ }
+ 
+ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
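Review bot: The comment above the `ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED` check refers to `ctx->output_keyelen_indicator`, a field that does not exist in KDF_SSHKDF; the field the derive path sets and this check reads is `ctx->fips_indicator`. The same stale sentence is copied into sskdf_get_ctx_params, kdf_tls1_prf_get_ctx_params and x942kdf_get_ctx_params, and in all four the citation reads "Cryptographic Module Verification Program" where the SHAKE comment a few lines below correctly says "Validation Program". Suggested last sentence for that comment: `* that, ctx->fips_indicator will be NOT_APPROVED, and we should also set the returned FIPS indicator to unapproved.` The closing `#endif` of the FIPS block here and in the three sibling functions also lacks the `/* defined(FIPS_MODULE) */` trailer that the struct and derive hunks use, which is worth making consistent.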
+@@ -230,6 +296,9 @@ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx,
+ {
+     static const OSSL_PARAM known_gettable_ctx_params[] = {
+         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++        OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
++#endif /* defined(FIPS_MODULE) */
+         OSSL_PARAM_END
+     };
+     return known_gettable_ctx_params;
+diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c
+index ecb98de6fd..98fcc583d8 100644
+--- a/providers/implementations/kdfs/sskdf.c
++++ b/providers/implementations/kdfs/sskdf.c
+@@ -63,6 +63,10 @@ typedef struct {
+     size_t salt_len;
+     size_t out_len; /* optional KMAC parameter */
+     int is_kmac;
++    int is_x963kdf;
++#ifdef FIPS_MODULE
++    int fips_indicator;
++#endif /* defined(FIPS_MODULE) */
+ } KDF_SSKDF;
+ 
+ #define SSKDF_MAX_INLEN (1<<30)
+@@ -73,6 +77,7 @@ typedef struct {
+ static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 };
+ 
+ static OSSL_FUNC_kdf_newctx_fn sskdf_new;
++static OSSL_FUNC_kdf_newctx_fn x963kdf_new;
+ static OSSL_FUNC_kdf_dupctx_fn sskdf_dup;
+ static OSSL_FUNC_kdf_freectx_fn sskdf_free;
+ static OSSL_FUNC_kdf_reset_fn sskdf_reset;
+@@ -297,6 +302,16 @@ static void *sskdf_new(void *provctx)
+     return ctx;
+ }
+ 
++static void *x963kdf_new(void *provctx)
++{
++    KDF_SSKDF *ctx = sskdf_new(provctx);
++
++    if (ctx)
++        ctx->is_x963kdf = 1;
++
++    return ctx;
++}
++
+ static void sskdf_reset(void *vctx)
+ {
+     KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
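Review bot: `is_x963kdf` is set only in x963kdf_new, so it survives only as long as nothing clears the struct; sskdf_reset begins at the end of this hunk with its body outside it, and if it ends with a whole-struct `memset` the way kdf_tls1_prf_reset in this same patch does, an X9.63 context that has been reset is afterwards evaluated under the plain SSKDF rules and the SHA-1 check in sskdf_get_ctx_params silently stops applying. sskdf_dup is likewise outside the hunk; if it copies members individually, `is_x963kdf` (and `fips_indicator`, if it is meant to stay sticky across a dup) must be added there too. In reset this is a preserve/restore pair around the memset: `int is_x963kdf = ctx->is_x963kdf;` before it and `ctx->is_x963kdf = is_x963kdf;` after, next to the existing provctx restore. A test that resets an X963KDF context, derives with SHA-1 and reads OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR would catch either omission.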
+@@ -392,6 +407,11 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen,
      }
+     md = ossl_prov_digest_md(&ctx->digest);
+ 
++#ifdef FIPS_MODULE
++    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++        ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
 +
+     if (ctx->macctx != NULL) {
+         /* H(x) = KMAC or H(x) = HMAC */
+         int ret;
+@@ -473,6 +493,11 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen,
+         return 0;
+     }
+ 
 +#ifdef FIPS_MODULE
-+    if ((p = OSSL_PARAM_locate(params,
-+                OSSL_KDF_PARAM_HKDF_REDHAT_FIPS_INDICATOR)) != NULL) {
-+        int fips_indicator = EVP_KDF_HKDF_FIPS_INDICATOR_UNDETERMINED;
-+        switch (ctx->mode) {
-+        case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
-+            /* TLS 1.3 never uses extract-and-expand */
-+            fips_indicator = EVP_KDF_HKDF_FIPS_INDICATOR_NOT_APPROVED;
-+            break;
-+        case EVP_KDF_HKDF_MODE_EXTRACT_ONLY:
-+            {
-+                /* When TLS 1.3 uses extract, the following holds:
-+                 * 1. The salt length matches the hash length, and either
-+                 * 2.1. the key is all zeroes and matches the hash length, or
-+                 * 2.2. the key originates from a PSK (resumption_master_secret
-+                 *   or some externally esablished key), or an ECDH or DH key
-+                 *   derivation. See
-+                 *   https://www.rfc-editor.org/rfc/rfc8446#section-7.1.
-+                 * Unfortunately at this point, we cannot verify where the key
-+                 * comes from, so all we can do is check the salt length.
-+                 */
-+                const EVP_MD *md = ossl_prov_digest_md(&ctx->digest);
-+                if (md != NULL && ctx->salt_len == EVP_MD_get_size(md))
-+                    fips_indicator = EVP_KDF_HKDF_FIPS_INDICATOR_APPROVED;
-+                else
-+                    fips_indicator = EVP_KDF_HKDF_FIPS_INDICATOR_NOT_APPROVED;
++    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++        ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
++
+     return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len,
+                           ctx->info, ctx->info_len, 1, key, keylen);
+ }
+@@ -545,10 +570,74 @@ static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
+     KDF_SSKDF *ctx = (KDF_SSKDF *)vctx;
+     OSSL_PARAM *p;
++    int any_valid = 0; /* set to 1 when at least one parameter was valid */
++
++    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
++        any_valid = 1;
++
++        if (!OSSL_PARAM_set_size_t(p, sskdf_size(ctx)))
++            return 0;
++    }
+ 
+-    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+-        return OSSL_PARAM_set_size_t(p, sskdf_size(ctx));
+-    return -2;
++#ifdef FIPS_MODULE
++    p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
++    if (p != NULL) {
++        int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
++
++        any_valid = 1;
++
++        /* According to NIST Special Publication 800-131Ar2, Section 8:
++         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
++         * the key-derivation key [i.e., the input key] shall be at least 112
++         * bits". */
++        if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Verification Program, Section D.B and NIST Special Publication
++         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
++         * strength < 112 bits is legacy use only, so all derived keys should
++         * be longer than that. If a derived key has ever been shorter than
++         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
++         * should also set the returned FIPS indicator to unapproved. */
++        if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
++         * extendable-output functions may only be used as the standalone
++         * algorithms." */
++        if (ctx->macctx == NULL
++                || (ctx->macctx != NULL &&
++                    EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), OSSL_MAC_NAME_HMAC))) {
++            if (ctx->digest.md != NULL
++                && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
++                    EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
++                fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
 +            }
-+            break;
-+        case EVP_KDF_HKDF_MODE_EXPAND_ONLY:
-+            /* When TLS 1.3 uses expand, it always provides a label that
-+             * contains an uint16 for the length, followed by between 7 and 255
-+             * bytes for a label string that starts with "tls13 " or "dtls13".
-+             * For compatibility with future versions, we only check for "tls"
-+             * or "dtls". See
-+             * https://www.rfc-editor.org/rfc/rfc8446#section-7.1 and
-+             * https://www.rfc-editor.org/rfc/rfc9147#section-5.9. */
-+            if (ctx->label != NULL
-+                    && ctx->label_len >= 2 /* length */ + 4 /* "dtls" */
-+                    && (strncmp("tls", (const char *)ctx->label + 2, 3) == 0 ||
-+                        strncmp("dtls", (const char *)ctx->label + 2, 4) == 0))
-+                fips_indicator = EVP_KDF_HKDF_FIPS_INDICATOR_APPROVED;
-+            else
-+                fips_indicator = EVP_KDF_HKDF_FIPS_INDICATOR_NOT_APPROVED;
-+            break;
++
++            /* Table H-3 in ANS X9.63-2001 says that 160-bit hash functions
++             * should only be used for 80-bit key agreement, but FIPS 140-3
++             * requires a security strength of 112 bits, so SHA-1 cannot be
++             * used with X9.63. See the discussion in
++             * https://github.com/usnistgov/ACVP/issues/1403#issuecomment-1435300395.
++             */
++            if (ctx->is_x963kdf
++                    && ctx->digest.md != NULL
++                    && EVP_MD_is_a(ctx->digest.md, "SHA-1")) {
++                fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++            }
++        }
++
++        if (!OSSL_PARAM_set_int(p, fips_indicator))
++            return 0;
++    }
++#endif
++
++    if (!any_valid)
++        return -2;
++
++    return 1;
+ }
+ 
+ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
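Review bot: The MAC test in the FIPS block, `ctx->macctx == NULL || (ctx->macctx != NULL && EVP_MAC_is_a(...))`, repeats the NULL check inside the second disjunct; `if (ctx->macctx == NULL || EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), OSSL_MAC_NAME_HMAC))` says the same thing in one line. The comment should also state why the KMAC case is skipped altogether (presumably because a KMAC context carries its own approval status and does not use `ctx->digest.md`), since as written the SHAKE rule looks accidentally bypassed for KMAC. The SHA-1 rule for X9.63 is nested inside that hash/HMAC branch although it is conditioned only on `is_x963kdf`; since the settable parameters are shared with SSKDF, a caller could set a KMAC on an X963KDF context and silence the rule, so hoisting the `is_x963kdf` check out of the MAC branch makes it depend only on the digest, which is what the cited rationale describes.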
+@@ -556,6 +645,9 @@ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx,
+ {
+     static const OSSL_PARAM known_gettable_ctx_params[] = {
+         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++        OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
++#endif /* defined(FIPS_MODULE) */
+         OSSL_PARAM_END
+     };
+     return known_gettable_ctx_params;
+@@ -577,7 +669,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = {
+ };
+ 
+ const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = {
+-    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new },
++    { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))x963kdf_new },
+     { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup },
+     { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free },
+     { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset },
+diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
+index 54124ad4cb..25a6c79a2e 100644
+--- a/providers/implementations/kdfs/tls1_prf.c
++++ b/providers/implementations/kdfs/tls1_prf.c
+@@ -104,6 +104,13 @@ typedef struct {
+     /* Buffer of concatenated seed data */
+     unsigned char seed[TLS1_PRF_MAXBUF];
+     size_t seedlen;
++
++    /* MAC digest algorithm; used to compute FIPS indicator */
++    PROV_DIGEST digest;
++
++#ifdef FIPS_MODULE
++    int fips_indicator;
++#endif /* defined(FIPS_MODULE) */
+ } TLS1_PRF;
+ 
+ static void *kdf_tls1_prf_new(void *provctx)
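Review bot: The new `PROV_DIGEST digest` member is documented as "used to compute FIPS indicator", yet it is declared, loaded (`ossl_prov_digest_load_from_params` in kdf_tls1_prf_set_ctx_params) and reset in every build, while its only reader in this patch is the `#ifdef FIPS_MODULE` block of kdf_tls1_prf_get_ctx_params. Either put the member and the two call sites under FIPS_MODULE as well, or amend the comment so the unconditional cost is understood: `/* Digest named by OSSL_KDF_PARAM_DIGEST, kept in all builds; only read by the FIPS-module indicator in kdf_tls1_prf_get_ctx_params */`. Note also that the load fetches a second EVP_MD by the same name the existing P_hash setup already parsed, so a digest name the library context cannot fetch now makes set_ctx_params fail at that later point; whether any digest accepted by the earlier code is affected cannot be told from this hunk.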
+@@ -140,6 +147,7 @@ static void kdf_tls1_prf_reset(void *vctx)
+     EVP_MAC_CTX_free(ctx->P_sha1);
+     OPENSSL_clear_free(ctx->sec, ctx->seclen);
+     OPENSSL_cleanse(ctx->seed, ctx->seedlen);
++    ossl_prov_digest_reset(&ctx->digest);
+     memset(ctx, 0, sizeof(*ctx));
+     ctx->provctx = provctx;
+ }
+@@ -194,6 +202,10 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
+         ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
+         return 0;
+     }
++#ifdef FIPS_MODULE
++    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++        ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
+ 
+     /*
+      * The seed buffer is prepended with a label.
+@@ -243,6 +255,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+         }
+     }
+ 
++    if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
++        return 0;
++
+     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) {
+         OPENSSL_clear_free(ctx->sec, ctx->seclen);
+         ctx->sec = NULL;
+@@ -284,10 +299,60 @@ static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params(
+ static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
+     OSSL_PARAM *p;
++#ifdef FIPS_MODULE
++    TLS1_PRF *ctx = vctx;
++#endif /* defined(FIPS_MODULE) */
++    int any_valid = 0; /* set to 1 when at least one parameter was valid */
++
++    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
++        any_valid = 1;
++
++        if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
++            return 0;
++    }
++
++#ifdef FIPS_MODULE
++    p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
++    if (p != NULL) {
++        int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
++
++        any_valid = 1;
++
++        /* According to NIST Special Publication 800-131Ar2, Section 8:
++         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
++         * the key-derivation key [i.e., the input key] shall be at least 112
++         * bits". */
++        if (ctx->seclen < EVP_KDF_FIPS_MIN_KEY_LEN)
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Verification Program, Section D.B and NIST Special Publication
++         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
++         * strength < 112 bits is legacy use only, so all derived keys should
++         * be longer than that. If a derived key has ever been shorter than
++         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
++         * should also set the returned FIPS indicator to unapproved. */
++        if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* SP 800-135r1 section 4.2.2 says TLS 1.2 KDF is approved when "(3)
++         * P_HASH uses either SHA-256, SHA-384 or SHA-512." */
++        if (ctx->digest.md != NULL
++                && !EVP_MD_is_a(ctx->digest.md, "SHA2-256")
++                && !EVP_MD_is_a(ctx->digest.md, "SHA2-384")
++                && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) {
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
 +        }
-+        return OSSL_PARAM_set_int(p, fips_indicator);
++
++        if (!OSSL_PARAM_set_int(p, fips_indicator))
++            return 0;
 +    }
++#endif
+ 
+-    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+-        return OSSL_PARAM_set_size_t(p, SIZE_MAX);
+-    return -2;
++    if (!any_valid)
++        return -2;
++
++    return 1;
+ }
+ 
+ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
+@@ -295,6 +360,9 @@ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params(
+ {
+     static const OSSL_PARAM known_gettable_ctx_params[] = {
+         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++        OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
++#endif /* defined(FIPS_MODULE) */
+         OSSL_PARAM_END
+     };
+     return known_gettable_ctx_params;
+diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c
+index 4c274fe27a..5ce23c8eb9 100644
+--- a/providers/implementations/kdfs/x942kdf.c
++++ b/providers/implementations/kdfs/x942kdf.c
+@@ -13,11 +13,13 @@
+ #include <openssl/core_dispatch.h>
+ #include <openssl/err.h>
+ #include <openssl/evp.h>
++#include <openssl/kdf.h>
+ #include <openssl/params.h>
+ #include <openssl/proverr.h>
+ #include "internal/packet.h"
+ #include "internal/der.h"
+ #include "internal/nelem.h"
++#include "crypto/evp.h"
+ #include "prov/provider_ctx.h"
+ #include "prov/providercommon.h"
+ #include "prov/implementations.h"
+@@ -49,6 +51,9 @@ typedef struct {
+     const unsigned char *cek_oid;
+     size_t cek_oid_len;
+     int use_keybits;
++#ifdef FIPS_MODULE
++    int fips_indicator;
++#endif /* defined(FIPS_MODULE) */
+ } KDF_X942;
+ 
+ /*
+@@ -497,6 +502,10 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen,
+         ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING);
+         return 0;
+     }
++#ifdef FIPS_MODULE
++    if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN)
++        ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
 +#endif /* defined(FIPS_MODULE) */
+     ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len,
+                            der, der_len, ctr, key, keylen);
+     OPENSSL_free(der);
+@@ -600,10 +609,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
+     KDF_X942 *ctx = (KDF_X942 *)vctx;
+     OSSL_PARAM *p;
++    int any_valid = 0; /* set to 1 when at least one parameter was valid */
+ 
+-    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+-        return OSSL_PARAM_set_size_t(p, x942kdf_size(ctx));
+-    return -2;
++    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
++        any_valid = 1;
++
++        if (!OSSL_PARAM_set_size_t(p, x942kdf_size(ctx)))
++            return 0;
++    }
++
++#ifdef FIPS_MODULE
++    p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR);
++    if (p != NULL) {
++        int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
++
++        any_valid = 1;
++
++        /* According to NIST Special Publication 800-131Ar2, Section 8:
++         * Deriving Additional Keys from a Cryptographic Key, "[t]he length of
++         * the key-derivation key [i.e., the input key] shall be at least 112
++         * bits". */
++        if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN)
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Verification Program, Section D.B and NIST Special Publication
++         * 800-131Ar2, Section 1.2.2 say that any algorithm at a security
++         * strength < 112 bits is legacy use only, so all derived keys should
++         * be longer than that. If a derived key has ever been shorter than
++         * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we
++         * should also set the returned FIPS indicator to unapproved. */
++        if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Validation Program, Section C.C: "The SHAKE128 and SHAKE256
++         * extendable-output functions may only be used as the standalone
++         * algorithms." */
++        if (ctx->digest.md != NULL
++                && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") ||
++                    EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) {
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++        }
++
++        if (!OSSL_PARAM_set_int(p, fips_indicator))
++            return 0;
++    }
++#endif
++
++    if (!any_valid)
++        return -2;
 +
-     return -2;
++    return 1;
  }
  
-@@ -306,6 +356,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
+ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
+@@ -611,6 +668,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx,
  {
      static const OSSL_PARAM known_gettable_ctx_params[] = {
          OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
 +#ifdef FIPS_MODULE
-+        OSSL_PARAM_int(OSSL_KDF_PARAM_HKDF_REDHAT_FIPS_INDICATOR, NULL),
++        OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0),
 +#endif /* defined(FIPS_MODULE) */
          OSSL_PARAM_END
      };
      return known_gettable_ctx_params;
 -- 
-2.37.1
+2.41.0
 

diff --git a/0079-RSA-PKCS15-implicit-rejection.patch b/0079-RSA-PKCS15-implicit-rejection.patch
new file mode 100644
index 0000000..09701c8
--- /dev/null
+++ b/0079-RSA-PKCS15-implicit-rejection.patch
@@ -0,0 +1,1388 @@
+From a0d7a92474123c1fb11e13491d2d37f6c43321b0 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Mon, 31 Jul 2023 09:41:29 +0200
+Subject: [PATCH 35/48] 0079-RSA-PKCS15-implicit-rejection.patch
+
+Patch-name: 0079-RSA-PKCS15-implicit-rejection.patch
+Patch-id: 79
+Patch-status: |
+    # https://github.com/openssl/openssl/pull/13817
+From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
+---
+ crypto/cms/cms_env.c                          |   7 +
+ crypto/evp/ctrl_params_translate.c            |   6 +
+ crypto/pkcs7/pk7_doit.c                       |   7 +
+ crypto/rsa/rsa_ossl.c                         | 101 +++-
+ crypto/rsa/rsa_pk1.c                          | 252 ++++++++++
+ crypto/rsa/rsa_pmeth.c                        |  20 +-
+ doc/man1/openssl-pkeyutl.pod.in               |  15 +
+ doc/man1/openssl-rsautl.pod.in                |   5 +
+ doc/man3/EVP_PKEY_CTX_ctrl.pod                |   9 +
+ doc/man3/EVP_PKEY_decrypt.pod                 |  12 +
+ doc/man3/RSA_padding_add_PKCS1_type_1.pod     |   7 +-
+ doc/man3/RSA_public_encrypt.pod               |  11 +-
+ doc/man7/provider-asym_cipher.pod             |   9 +
+ include/crypto/rsa.h                          |   4 +
+ include/openssl/core_names.h                  |   2 +
+ include/openssl/rsa.h                         |   5 +
+ .../implementations/asymciphers/rsa_enc.c     |  26 +-
+ .../30-test_evp_data/evppkey_rsa_common.txt   | 472 ++++++++++++++++++
+ 18 files changed, 962 insertions(+), 8 deletions(-)
+
+diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c
+index 3105d37726..58d44e1940 100644
+--- a/crypto/cms/cms_env.c
++++ b/crypto/cms/cms_env.c
+@@ -571,6 +571,13 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
+     if (!ossl_cms_env_asn1_ctrl(ri, 1))
+         goto err;
+ 
++    if (EVP_PKEY_is_a(pkey, "RSA"))
++        /* upper layer CMS code incorrectly assumes that a successful RSA
++         * decryption means that the key matches ciphertext (which never
++         * was the case, implicit rejection or not), so to make it work
++         * disable implicit rejection for RSA keys */
++        EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_pkcs1_implicit_rejection", "0");
++
+     if (EVP_PKEY_decrypt(ktri->pctx, NULL, &eklen,
+                          ktri->encryptedKey->data,
+                          ktri->encryptedKey->length) <= 0)
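Review bot: The result of `EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_pkcs1_implicit_rejection", "0")` is discarded, and the `if` body is a single statement separated from its condition by a four-line comment; the same shape is added to pkcs7_decrypt_rinfo in pk7_doit.c. If the key's provider does not recognise the control (a third-party RSA provider or an ENGINE-backed key), the call fails silently and decryption proceeds with implicit rejection still on, so a mismatched key yields a synthetic content-encryption key and the failure surfaces later as a content-decryption error rather than at key unwrap; that is not a security regression, but it is a confusing diagnostic. Brace the body and either check the result or say that ignoring it is deliberate, e.g. `/* best effort: a provider that does not know the parameter keeps implicit rejection, which only changes where a wrong key fails */`.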
+diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c
+index d6f8a10840..51f9a2da57 100644
+--- a/crypto/evp/ctrl_params_translate.c
++++ b/crypto/evp/ctrl_params_translate.c
+@@ -2256,6 +2256,12 @@ static const struct translation_st evp_pkey_ctx_translations[] = {
+       EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, NULL, NULL,
+       OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, OSSL_PARAM_OCTET_STRING, NULL },
+ 
++    { SET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_TYPE_CRYPT,
++      EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION, NULL,
++      "rsa_pkcs1_implicit_rejection",
++      OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, OSSL_PARAM_UNSIGNED_INTEGER,
++      NULL },
++
+     { SET, EVP_PKEY_RSA_PSS, 0, EVP_PKEY_OP_TYPE_GEN,
+       EVP_PKEY_CTRL_MD, "rsa_pss_keygen_md", NULL,
+       OSSL_ALG_PARAM_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md },
+diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
+index 1cef67b211..e0094486dd 100644
+--- a/crypto/pkcs7/pk7_doit.c
++++ b/crypto/pkcs7/pk7_doit.c
+@@ -170,6 +170,13 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
+     if (EVP_PKEY_decrypt_init(pctx) <= 0)
+         goto err;
+ 
++    if (EVP_PKEY_is_a(pkey, "RSA"))
++        /* upper layer pkcs7 code incorrectly assumes that a successful RSA
++         * decryption means that the key matches ciphertext (which never
++         * was the case, implicit rejection or not), so to make it work
++         * disable implicit rejection for RSA keys */
++        EVP_PKEY_CTX_ctrl_str(pctx, "rsa_pkcs1_implicit_rejection", "0");
++
+     if (EVP_PKEY_decrypt(pctx, NULL, &eklen,
+                          ri->enc_key->data, ri->enc_key->length) <= 0)
+         goto err;
+diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
+index 0fc642e777..e5591cb14a 100644
+--- a/crypto/rsa/rsa_ossl.c
++++ b/crypto/rsa/rsa_ossl.c
+@@ -17,6 +17,9 @@
+ #include "crypto/bn.h"
+ #include "rsa_local.h"
+ #include "internal/constant_time.h"
++#include <openssl/evp.h>
++#include <openssl/sha.h>
++#include <openssl/hmac.h>
+ 
+ static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
+                                   unsigned char *to, RSA *rsa, int padding);
+@@ -377,8 +380,13 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
+     BIGNUM *f, *ret;
+     int j, num = 0, r = -1;
+     unsigned char *buf = NULL;
++    unsigned char d_hash[SHA256_DIGEST_LENGTH] = {0};
++    HMAC_CTX *hmac = NULL;
++    unsigned int md_len = SHA256_DIGEST_LENGTH;
++    unsigned char kdk[SHA256_DIGEST_LENGTH] = {0};
+     BN_CTX *ctx = NULL;
+     int local_blinding = 0;
++    EVP_MD *md = NULL;
+     /*
+      * Used only if the blinding structure is shared. A non-NULL unblind
+      * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
+@@ -387,6 +395,12 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
+     BIGNUM *unblind = NULL;
+     BN_BLINDING *blinding = NULL;
+ 
++    /*
++     * we need the value of the private exponent to perform implicit rejection
++     */
++    if ((rsa->flags & RSA_FLAG_EXT_PKEY) && (padding == RSA_PKCS1_PADDING))
++        padding = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING;
++
+     if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
+         goto err;
+     BN_CTX_start(ctx);
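Review bot: When `RSA_FLAG_EXT_PKEY` is set the padding is rewritten to `RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING` with no indication to the caller, so a key that exposes no private exponent (typically one held by an ENGINE or another external store) is decrypted with the classic PKCS#1 v1.5 check even though the caller asked for, and software keys get, the implicit-rejection mitigation. The comment explains only the mechanism; it should also name the consequence, e.g. `/* external keys expose no d, so implicit rejection cannot be applied; fall back to the classic PKCS#1 v1.5 check */`. Whether this limitation should additionally be documented in the RSA_private_decrypt man page is for the patch author to decide, since the doc changes are outside this hunk.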
+@@ -408,6 +422,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
+         goto err;
+     }
+ 
++    if (flen < 1) {
++        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_SMALL);
++        goto err;
++    }
++
+     /* make data into a big number */
+     if (BN_bin2bn(from, (int)flen, f) == NULL)
+         goto err;
+@@ -468,6 +487,81 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
+         BN_free(d);
+     }
+ 
++    /*
++     * derive the Key Derivation Key from private exponent and public
++     * ciphertext
++     */
++    if (padding == RSA_PKCS1_PADDING) {
++        /*
++         * because we use d as a handle to rsa->d we need to keep it local and
++         * free before any further use of rsa->d
++         */
++        BIGNUM *d = BN_new();
++        if (d == NULL) {
++            ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
++            goto err;
++        }
++        if (rsa->d == NULL) {
++            ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY);
++            BN_free(d);
++            goto err;
++        }
++        BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
++        if (BN_bn2binpad(d, buf, num) < 0) {
++            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++            BN_free(d);
++            goto err;
++        }
++        BN_free(d);
++
++        /*
++         * we use hardcoded hash so that migrating between versions that use
++         * different hash doesn't provide a Bleichenbacher oracle:
++         * if the attacker can see that different versions return different
++         * messages for the same ciphertext, they'll know that the message is
++         * syntethically generated, which means that the padding check failed
++         */
++        md = EVP_MD_fetch(rsa->libctx, "sha256", NULL);
++        if (md == NULL) {
++            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++            goto err;
++        }
++
++        if (EVP_Digest(buf, num, d_hash, NULL, md, NULL) <= 0) {
++            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++            goto err;
++        }
++
++        hmac = HMAC_CTX_new();
++        if (hmac == NULL) {
++            ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
++            goto err;
++        }
++
++        if (HMAC_Init_ex(hmac, d_hash, sizeof(d_hash), md, NULL) <= 0) {
++            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++            goto err;
++        }
++
++        if (flen < num) {
++            memset(buf, 0, num - flen);
++            if (HMAC_Update(hmac, buf, num - flen) <= 0) {
++                ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++                goto err;
++            }
++        }
++        if (HMAC_Update(hmac, from, flen) <= 0) {
++            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++            goto err;
++        }
++
++        md_len = SHA256_DIGEST_LENGTH;
++        if (HMAC_Final(hmac, kdk, &md_len) <= 0) {
++            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++            goto err;
++        }
++    }
++
+     if (blinding)
+         if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
+             goto err;
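Review bot: In the KDK derivation block `BN_new()` is called before the `rsa->d == NULL` test, so the missing-private-key path allocates only to free again; testing `rsa->d` first removes the extra `BN_free(d)` on that path and shortens the block. The hash-choice comment in this block, and its copy in ossl_rsa_prf in rsa_pk1.c, spell "synthetically" as "syntethically". The rest of rsa_ossl_private_decrypt lies outside this hunk.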
+@@ -477,9 +571,12 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
+         goto err;
+ 
+     switch (padding) {
+-    case RSA_PKCS1_PADDING:
++    case RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING:
+         r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
+         break;
++    case RSA_PKCS1_PADDING:
++        r = ossl_rsa_padding_check_PKCS1_type_2(rsa->libctx, to, num, buf, j, num, kdk);
++        break;
+     case RSA_PKCS1_OAEP_PADDING:
+         r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
+         break;
+@@ -501,6 +598,8 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
+ #endif
+ 
+  err:
++    HMAC_CTX_free(hmac);
++    EVP_MD_free(md);
+     BN_CTX_end(ctx);
+     BN_CTX_free(ctx);
+     OPENSSL_clear_free(buf, num);
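Review bot: `d_hash` (the SHA-256 of the private exponent, used as the HMAC key) and `kdk` (the derived key-derivation key) are stack arrays that the KDK block earlier in this function fills with private-key-derived material, but the `err:` path only frees the HMAC context and the digest and clear-frees `buf`; both arrays are left in place on the stack. Matching the treatment of `buf`, add `OPENSSL_cleanse(d_hash, sizeof(d_hash));` and `OPENSSL_cleanse(kdk, sizeof(kdk));` next to `HMAC_CTX_free(hmac);` so the scrub happens on every exit, success or failure. The body of rsa_ossl_private_decrypt lies outside this hunk.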
+diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c
+index 51507fc030..5cd2b26879 100644
+--- a/crypto/rsa/rsa_pk1.c
++++ b/crypto/rsa/rsa_pk1.c
+@@ -21,10 +21,14 @@
+ #include <openssl/rand.h>
+ /* Just for the SSL_MAX_MASTER_KEY_LENGTH value */
+ #include <openssl/prov_ssl.h>
++#include <openssl/evp.h>
++#include <openssl/sha.h>
++#include <openssl/hmac.h>
+ #include "internal/cryptlib.h"
+ #include "crypto/rsa.h"
+ #include "rsa_local.h"
+ 
++
+ int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
+                                  const unsigned char *from, int flen)
+ {
+@@ -273,6 +277,254 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
+     return constant_time_select_int(good, mlen, -1);
+ }
+ 
++
++static int ossl_rsa_prf(OSSL_LIB_CTX *ctx,
++                        unsigned char *to, int tlen,
++                        const char *label, int llen,
++                        const unsigned char *kdk,
++                        uint16_t bitlen)
++{
++    int pos;
++    int ret = -1;
++    uint16_t iter = 0;
++    unsigned char be_iter[sizeof(iter)];
++    unsigned char be_bitlen[sizeof(bitlen)];
++    HMAC_CTX *hmac = NULL;
++    EVP_MD *md = NULL;
++    unsigned char hmac_out[SHA256_DIGEST_LENGTH];
++    unsigned int md_len;
++
++    if (tlen * 8 != bitlen) {
++        ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++        return ret;
++    }
++
++    be_bitlen[0] = (bitlen >> 8) & 0xff;
++    be_bitlen[1] = bitlen & 0xff;
++
++    hmac = HMAC_CTX_new();
++    if (hmac == NULL) {
++        ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++        goto err;
++    }
++
++    /*
++     * we use hardcoded hash so that migrating between versions that use
++     * different hash doesn't provide a Bleichenbacher oracle:
++     * if the attacker can see that different versions return different
++     * messages for the same ciphertext, they'll know that the message is
++     * syntethically generated, which means that the padding check failed
++     */
++    md = EVP_MD_fetch(ctx, "sha256", NULL);
++    if (md == NULL) {
++        ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++        goto err;
++    }
++
++    if (HMAC_Init_ex(hmac, kdk, SHA256_DIGEST_LENGTH, md, NULL) <= 0) {
++        ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++        goto err;
++    }
++
++    for (pos = 0; pos < tlen; pos += SHA256_DIGEST_LENGTH, iter++) {
++        if (HMAC_Init_ex(hmac, NULL, 0, NULL, NULL) <= 0) {
++            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++            goto err;
++        }
++
++        be_iter[0] = (iter >> 8) & 0xff;
++        be_iter[1] = iter & 0xff;
++
++        if (HMAC_Update(hmac, be_iter, sizeof(be_iter)) <= 0) {
++            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++            goto err;
++        }
++        if (HMAC_Update(hmac, (unsigned char *)label, llen) <= 0) {
++            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++            goto err;
++        }
++        if (HMAC_Update(hmac, be_bitlen, sizeof(be_bitlen)) <= 0) {
++            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++            goto err;
++        }
++
++        /*
++         * HMAC_Final requires the output buffer to fit the whole MAC
++         * value, so we need to use the intermediate buffer for the last
++         * unaligned block
++         */
++        md_len = SHA256_DIGEST_LENGTH;
++        if (pos + SHA256_DIGEST_LENGTH > tlen) {
++            if (HMAC_Final(hmac, hmac_out, &md_len) <= 0) {
++                ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++                goto err;
++            }
++            memcpy(to + pos, hmac_out, tlen - pos);
++        } else {
++            if (HMAC_Final(hmac, to + pos, &md_len) <= 0) {
++                ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++                goto err;
++            }
++        }
++    }
++
++    ret = 0;
++
++err:
++    HMAC_CTX_free(hmac);
++    EVP_MD_free(md);
++    return ret;
++}
++
++/*
++ * ossl_rsa_padding_check_PKCS1_type_2() checks and removes the PKCS#1 type 2
++ * padding from a decrypted RSA message. Unlike the
++ * RSA_padding_check_PKCS1_type_2() it will not return an error in case it
++ * detects a padding error, rather it will return a deterministically generated
++ * random message. In other words it will perform an implicit rejection
++ * of an invalid padding. This means that the returned value does not indicate
++ * if the padding of the encrypted message was correct or not, making
++ * side channel attacks like the ones described by Bleichenbacher impossible
++ * without access to the full decrypted value and a brute-force search of
++ * remaining padding bytes
++ */
++int ossl_rsa_padding_check_PKCS1_type_2(OSSL_LIB_CTX *ctx,
++                                        unsigned char *to, int tlen,
++                                        const unsigned char *from, int flen,
++                                        int num, unsigned char *kdk)
++{
++/*
++ * We need to generate a random length for the synthethic message, to avoid
++ * bias towards zero and avoid non-constant timeness of DIV, we prepare
++ * 128 values to check if they are not too large for the used key size,
++ * and use 0 in case none of them are small enough, as 2^-128 is a good enough
++ * safety margin
++ */
++#define MAX_LEN_GEN_TRIES 128
++    unsigned char *synthetic = NULL;
++    int synthethic_length;
++    uint16_t len_candidate;
++    unsigned char candidate_lengths[MAX_LEN_GEN_TRIES * sizeof(len_candidate)];
++    uint16_t len_mask;
++    uint16_t max_sep_offset;
++    int synth_msg_index = 0;
++    int ret = -1;
++    int i, j;
++    unsigned int good, found_zero_byte;
++    int zero_index = 0, msg_index;
++
++    /*
++     * If these checks fail then either the message in publicly invalid, or
++     * we've been called incorrectly. We can fail immediately.
++     * Since this code is called only internally by openssl, those are just
++     * sanity checks
++     */
++    if (num != flen || tlen <= 0 || flen <= 0) {
++        ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++        return -1;
++    }
++
++    /* Generate a random message to return in case the padding checks fail */
++    synthetic = OPENSSL_malloc(flen);
++    if (synthetic == NULL) {
++        ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
++        return -1;
++    }
++
++    if (ossl_rsa_prf(ctx, synthetic, flen, "message", 7, kdk, flen * 8) < 0)
++        goto err;
++
++    /* decide how long the random message should be */
++    if (ossl_rsa_prf(ctx, candidate_lengths, sizeof(candidate_lengths),
++                     "length", 6, kdk,
++                     MAX_LEN_GEN_TRIES * sizeof(len_candidate) * 8) < 0)
++        goto err;
++
++    /*
++     * max message size is the size of the modulus size less 2 bytes for
++     * version and padding type and a minimum of 8 bytes padding
++     */
++    len_mask = max_sep_offset = flen - 2 - 8;
++    /*
++     * we want a mask so lets propagate the high bit to all positions less
++     * significant than it
++     */
++    len_mask |= len_mask >> 1;
++    len_mask |= len_mask >> 2;
++    len_mask |= len_mask >> 4;
++    len_mask |= len_mask >> 8;
++
++    synthethic_length = 0;
++    for (i = 0; i < MAX_LEN_GEN_TRIES * (int)sizeof(len_candidate);
++            i += sizeof(len_candidate)) {
++        len_candidate = (candidate_lengths[i] << 8) | candidate_lengths[i + 1];
++        len_candidate &= len_mask;
++
++        synthethic_length = constant_time_select_int(
++            constant_time_lt(len_candidate, max_sep_offset),
++            len_candidate, synthethic_length);
++    }
++
++    synth_msg_index = flen - synthethic_length;
++
++    /* we have alternative message ready, check the real one */
++    good = constant_time_is_zero(from[0]);
++    good &= constant_time_eq(from[1], 2);
++
++    /* then look for the padding|message separator (the first zero byte) */
++    found_zero_byte = 0;
++    for (i = 2; i < flen; i++) {
++        unsigned int equals0 = constant_time_is_zero(from[i]);
++        zero_index = constant_time_select_int(~found_zero_byte & equals0,
++                                              i, zero_index);
++        found_zero_byte |= equals0;
++    }
++
++    /*
++     * padding must be at least 8 bytes long, and it starts two bytes into
++     * |from|. If we never found a 0-byte, then |zero_index| is 0 and the check
++     * also fails.
++     */
++    good &= constant_time_ge(zero_index, 2 + 8);
++
++    /*
++     * Skip the zero byte. This is incorrect if we never found a zero-byte
++     * but in this case we also do not copy the message out.
++     */
++    msg_index = zero_index + 1;
++
++    /*
++     * old code returned an error in case the decrypted message wouldn't fit
++     * into the |to|, since that would leak information, return the synthethic
++     * message instead
++     */
++    good &= constant_time_ge(tlen, num - msg_index);
++
++    msg_index = constant_time_select_int(good, msg_index, synth_msg_index);
++
++    /*
++     * since at this point the |msg_index| does not provide the signal
++     * indicating if the padding check failed or not, we don't have to worry
++     * about leaking the length of returned message, we still need to ensure
++     * that we read contents of both buffers so that cache accesses don't leak
++     * the value of |good|
++     */
++    for (i = msg_index, j = 0; i < flen && j < tlen; i++, j++)
++        to[j] = constant_time_select_8(good, from[i], synthetic[i]);
++    ret = j;
++
++err:
++    /*
++     * the only time ret < 0 is when the ciphertext is publicly invalid
++     * or we were called with invalid parameters, so we don't have to perform
++     * a side-channel secure raising of the error
++     */
++    if (ret < 0)
++        ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++    OPENSSL_free(synthetic);
++    return ret;
++}
++
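Review bot: The entry check in ossl_rsa_padding_check_PKCS1_type_2, `if (num != flen || tlen <= 0 || flen <= 0)`, puts no lower bound on `flen`, yet `len_mask = max_sep_offset = flen - 2 - 8;` stores into a uint16_t, so an `flen` below 10 wraps the mask to all ones, lets `synthethic_length` exceed `flen`, and makes `synth_msg_index` negative before the final loop indexes `from[i]` and `synthetic[i]`. Callers presumably always pass the modulus size here, so this is an unstated assumption rather than a reachable read; spelling it out as `if (num != flen || tlen <= 0 || flen < RSA_PKCS1_PADDING_SIZE)` costs nothing and is also the smallest length a valid type-2 block can have. On cleanup, `synthetic`, `hmac_out` and `candidate_lengths` all hold PRF output keyed by `kdk`, and the previous hunk releases its working buffer with `OPENSSL_clear_free(buf, num)`, whereas this one ends with plain `OPENSSL_free(synthetic);` — `OPENSSL_clear_free(synthetic, flen);` plus `OPENSSL_cleanse(hmac_out, sizeof(hmac_out));` before `return ret;` in ossl_rsa_prf would follow that convention. Two smaller style points: `HMAC_Update(hmac, (unsigned char *)label, llen)` casts away the `const` of the `label` parameter when `(const unsigned char *)label` is all the prototype needs, and `#define MAX_LEN_GEN_TRIES 128` sits inside the function body with no matching `#undef`, so the macro stays visible for the rest of rsa_pk1.c.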
+ /*
+  * ossl_rsa_padding_check_PKCS1_type_2_TLS() checks and removes the PKCS1 type 2
+  * padding from a decrypted RSA message in a TLS signature. The result is stored
+diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c
+index 44c819a5c3..6556a9ad28 100644
+--- a/crypto/rsa/rsa_pmeth.c
++++ b/crypto/rsa/rsa_pmeth.c
+@@ -52,6 +52,8 @@ typedef struct {
+     /* OAEP label */
+     unsigned char *oaep_label;
+     size_t oaep_labellen;
++    /* if to use implicit rejection in PKCS#1 v1.5 decryption */
++    int implicit_rejection;
+ } RSA_PKEY_CTX;
+ 
+ /* True if PSS parameters are restricted */
+@@ -72,6 +74,7 @@ static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
+     /* Maximum for sign, auto for verify */
+     rctx->saltlen = RSA_PSS_SALTLEN_AUTO;
+     rctx->min_saltlen = -1;
++    rctx->implicit_rejection = 1;
+     ctx->data = rctx;
+     ctx->keygen_info = rctx->gentmp;
+     ctx->keygen_info_count = 2;
+@@ -97,6 +100,7 @@ static int pkey_rsa_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src)
+     dctx->md = sctx->md;
+     dctx->mgf1md = sctx->mgf1md;
+     dctx->saltlen = sctx->saltlen;
++    dctx->implicit_rejection = sctx->implicit_rejection;
+     if (sctx->oaep_label) {
+         OPENSSL_free(dctx->oaep_label);
+         dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen);
+@@ -347,6 +351,7 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
+                             const unsigned char *in, size_t inlen)
+ {
+     int ret;
++    int pad_mode;
+     RSA_PKEY_CTX *rctx = ctx->data;
+     /*
+      * Discard const. Its marked as const because this may be a cached copy of
+@@ -367,7 +372,12 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
+                                                 rctx->oaep_labellen,
+                                                 rctx->md, rctx->mgf1md);
+     } else {
+-        ret = RSA_private_decrypt(inlen, in, out, rsa, rctx->pad_mode);
++        if (rctx->pad_mode == RSA_PKCS1_PADDING &&
++              rctx->implicit_rejection == 0)
++            pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING;
++        else
++            pad_mode = rctx->pad_mode;
++        ret = RSA_private_decrypt(inlen, in, out, rsa, pad_mode);
+     }
+     *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret);
+     ret = constant_time_select_int(constant_time_msb(ret), ret, 1);
+@@ -587,6 +597,14 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
+         *(unsigned char **)p2 = rctx->oaep_label;
+         return rctx->oaep_labellen;
+ 
++    case EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION:
++        if (rctx->pad_mode != RSA_PKCS1_PADDING) {
++            ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE);
++            return -2;
++        }
++        rctx->implicit_rejection = p1;
++        return 1;
++
+     case EVP_PKEY_CTRL_DIGESTINIT:
+     case EVP_PKEY_CTRL_PKCS7_SIGN:
+ #ifndef OPENSSL_NO_CMS
+diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in
+index b0054ead66..dd87829798 100644
+--- a/doc/man1/openssl-pkeyutl.pod.in
++++ b/doc/man1/openssl-pkeyutl.pod.in
+@@ -240,6 +240,11 @@ signed or verified directly instead of using a B<DigestInfo> structure. If a
+ digest is set then the a B<DigestInfo> structure is used and its the length
+ must correspond to the digest type.
+ 
++Note, for B<pkcs1> padding, as a protection against Bleichenbacher attack,
++the decryption will not fail in case of padding check failures. Use B<none>
++and manual inspection of the decrypted message to verify if the decrypted
++value has correct PKCS#1 v1.5 padding.
++
+ For B<oaep> mode only encryption and decryption is supported.
+ 
+ For B<x931> if the digest type is set it is used to format the block data
+@@ -267,6 +272,16 @@ explicitly set in PSS mode then the signing digest is used.
+ Sets the digest used for the OAEP hash function. If not explicitly set then
+ SHA1 is used.
+ 
++=item B<rsa_pkcs1_implicit_rejection:>I<flag>
++
++Disables (when set to 0) or enables (when set to 1) the use of implicit
++rejection with PKCS#1 v1.5 decryption. When enabled (the default), as a
++protection against Bleichenbacher attack, the library will generate a
++deterministic random plaintext that it will return to the caller in case
++of padding check failure.
++When disabled, it's the callers' responsibility to handle the returned
++errors in a side-channel free manner.
++
+ =back
+ 
+ =head1 RSA-PSS ALGORITHM
+diff --git a/doc/man1/openssl-rsautl.pod.in b/doc/man1/openssl-rsautl.pod.in
+index 186e49e5e4..eab34979de 100644
+--- a/doc/man1/openssl-rsautl.pod.in
++++ b/doc/man1/openssl-rsautl.pod.in
+@@ -105,6 +105,11 @@ The padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP,
+ ANSI X9.31, or no padding, respectively.
+ For signatures, only B<-pkcs> and B<-raw> can be used.
+ 
++Note: because of protection against Bleichenbacher attacks, decryption
++using PKCS#1 v1.5 mode will not return errors in case padding check failed.
++Use B<-raw> and inspect the returned value manually to check if the
++padding is correct.
++
+ =item B<-hexdump>
+ 
+ Hex dump the output data.
+diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod
+index 5596b8ccdd..a8cc4ecd9f 100644
+--- a/doc/man3/EVP_PKEY_CTX_ctrl.pod
++++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod
+@@ -393,6 +393,15 @@ this behaviour should be tolerated then
+ OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION should be set to the actual
+ negotiated protocol version. Otherwise it should be left unset.
+ 
++Similarly to the B<RSA_PKCS1_WITH_TLS_PADDING> above, since OpenSSL version
++3.1.0, the use of B<RSA_PKCS1_PADDING> will return a randomly generated message
++instead of padding errors in case padding checks fail. Applications that
++want to remain secure while using earlier versions of OpenSSL, still need to
++handle both the error code from the RSA decryption operation and the
++returned message in a side channel secure manner.
++This protection against Bleichenbacher attacks can be disabled by setting
++the OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION (an unsigned integer) to 0.
++
+ =head2 DSA parameters
+ 
+ EVP_PKEY_CTX_set_dsa_paramgen_bits() sets the number of bits used for DSA
+diff --git a/doc/man3/EVP_PKEY_decrypt.pod b/doc/man3/EVP_PKEY_decrypt.pod
+index b6f9bad5f1..898535a7a2 100644
+--- a/doc/man3/EVP_PKEY_decrypt.pod
++++ b/doc/man3/EVP_PKEY_decrypt.pod
+@@ -51,6 +51,18 @@ return 1 for success and 0 or a negative value for failure. In particular a
+ return value of -2 indicates the operation is not supported by the public key
+ algorithm.
+ 
++=head1 WARNINGS
++
++In OpenSSL versions before 3.1.0, when used in PKCS#1 v1.5 padding,
++both the return value from the EVP_PKEY_decrypt() and the B<outlen> provided
++information useful in mounting a Bleichenbacher attack against the
++used private key. They had to processed in a side-channel free way.
++
++Since version 3.1.0, the EVP_PKEY_decrypt() method when used with PKCS#1
++v1.5 padding doesn't return an error in case it detects an error in padding,
++instead it returns a pseudo-randomly generated message, removing the need
++of side-channel secure code from applications using OpenSSL.
++
+ =head1 EXAMPLES
+ 
+ Decrypt data using OAEP (for RSA keys):
+diff --git a/doc/man3/RSA_padding_add_PKCS1_type_1.pod b/doc/man3/RSA_padding_add_PKCS1_type_1.pod
+index 9f7025c497..36ae18563f 100644
+--- a/doc/man3/RSA_padding_add_PKCS1_type_1.pod
++++ b/doc/man3/RSA_padding_add_PKCS1_type_1.pod
+@@ -121,8 +121,8 @@ L<ERR_get_error(3)>.
+ 
+ =head1 WARNINGS
+ 
+-The result of RSA_padding_check_PKCS1_type_2() is a very sensitive
+-information which can potentially be used to mount a Bleichenbacher
++The result of RSA_padding_check_PKCS1_type_2() is exactly the
++information which is used to mount a classical Bleichenbacher
+ padding oracle attack. This is an inherent weakness in the PKCS #1
+ v1.5 padding design. Prefer PKCS1_OAEP padding. If that is not
+ possible, the result of RSA_padding_check_PKCS1_type_2() should be
+@@ -137,6 +137,9 @@ as this would create a small timing side channel which could be
+ used to mount a Bleichenbacher attack against any padding mode
+ including PKCS1_OAEP.
+ 
++You should prefer the use of EVP PKEY APIs for PKCS#1 v1.5 decryption
++as they implement the necessary workarounds internally.
++
+ =head1 SEE ALSO
+ 
+ L<RSA_public_encrypt(3)>,
+diff --git a/doc/man3/RSA_public_encrypt.pod b/doc/man3/RSA_public_encrypt.pod
+index 1d38073aea..bd3f835ac6 100644
+--- a/doc/man3/RSA_public_encrypt.pod
++++ b/doc/man3/RSA_public_encrypt.pod
+@@ -52,8 +52,8 @@ Encrypting user data directly with RSA is insecure.
+ 
+ =back
+ 
+-B<flen> must not be more than RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5
+-based padding modes, not more than RSA_size(B<rsa>) - 42 for
++When encrypting B<flen> must not be more than RSA_size(B<rsa>) - 11 for the
++PKCS #1 v1.5 based padding modes, not more than RSA_size(B<rsa>) - 42 for
+ RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B<rsa>) for RSA_NO_PADDING.
+ When a padding mode other than RSA_NO_PADDING is in use, then
+ RSA_public_encrypt() will include some random bytes into the ciphertext
+@@ -92,6 +92,13 @@ which can potentially be used to mount a Bleichenbacher padding oracle
+ attack. This is an inherent weakness in the PKCS #1 v1.5 padding
+ design. Prefer RSA_PKCS1_OAEP_PADDING.
+ 
++In OpenSSL before version 3.1.0, both the return value and the length of
++returned value could be used to mount the Bleichenbacher attack.
++Since version 3.1.0, OpenSSL does not return an error in case of padding
++checks failed. Instead it generates a random message based on used private
++key and provided ciphertext so that application code doesn't have to implement
++a side-channel secure error handling.
++
+ =head1 CONFORMING TO
+ 
+ SSL, PKCS #1 v2.0
+diff --git a/doc/man7/provider-asym_cipher.pod b/doc/man7/provider-asym_cipher.pod
+index 0976a263a8..2a8426a6ed 100644
+--- a/doc/man7/provider-asym_cipher.pod
++++ b/doc/man7/provider-asym_cipher.pod
+@@ -234,6 +234,15 @@ The TLS protocol version first requested by the client.
+ 
+ The negotiated TLS protocol version.
+ 
++=item "implicit-rejection" (B<OSSL_PKEY_PARAM_IMPLICIT_REJECTION>) <unsigned integer>
++
++Gets of sets the use of the implicit rejection mechanism for RSA PKCS#1 v1.5
++decryption. When set (non zero value), the decryption API will return
++a deterministically random value if the PKCS#1 v1.5 padding check fails.
++This makes explotation of the Bleichenbacher significantly harder, even
++if the code using the RSA decryption API is not implemented in side-channel
++free manner. Set by default.
++
+ =back
+ 
+ OSSL_FUNC_asym_cipher_gettable_ctx_params() and OSSL_FUNC_asym_cipher_settable_ctx_params()
+diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h
+index 949873d0ee..f267e5d9d1 100644
+--- a/include/crypto/rsa.h
++++ b/include/crypto/rsa.h
+@@ -83,6 +83,10 @@ int ossl_rsa_param_decode(RSA *rsa, const X509_ALGOR *alg);
+ RSA *ossl_rsa_key_from_pkcs8(const PKCS8_PRIV_KEY_INFO *p8inf,
+                              OSSL_LIB_CTX *libctx, const char *propq);
+ 
++int ossl_rsa_padding_check_PKCS1_type_2(OSSL_LIB_CTX *ctx,
++                                        unsigned char *to, int tlen,
++                                        const unsigned char *from, int flen,
++                                        int num, unsigned char *kdk);
+ int ossl_rsa_padding_check_PKCS1_type_2_TLS(OSSL_LIB_CTX *ctx, unsigned char *to,
+                                             size_t tlen,
+                                             const unsigned char *from,
+diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
+index b431b9f871..f185bc9342 100644
+--- a/include/openssl/core_names.h
++++ b/include/openssl/core_names.h
+@@ -296,6 +296,7 @@ extern "C" {
+ #define OSSL_PKEY_PARAM_DIST_ID             "distid"
+ #define OSSL_PKEY_PARAM_PUB_KEY             "pub"
+ #define OSSL_PKEY_PARAM_PRIV_KEY            "priv"
++#define OSSL_PKEY_PARAM_IMPLICIT_REJECTION  "implicit-rejection"
+ 
+ /* Diffie-Hellman/DSA Parameters */
+ #define OSSL_PKEY_PARAM_FFC_P               "p"
+@@ -472,6 +473,7 @@ extern "C" {
+ #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL               "oaep-label"
+ #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION       "tls-client-version"
+ #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION   "tls-negotiated-version"
++#define OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION       "implicit-rejection"
+ #ifdef FIPS_MODULE
+ #define OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED     "redhat-kat-oaep-seed"
+ #endif
+diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
+index d0c9599274..e3e1476cda 100644
+--- a/include/openssl/rsa.h
++++ b/include/openssl/rsa.h
+@@ -189,6 +189,8 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label);
+ 
+ # define EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES  (EVP_PKEY_ALG_CTRL + 13)
+ 
++# define EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION (EVP_PKEY_ALG_CTRL + 14)
++
+ # define RSA_PKCS1_PADDING          1
+ # define RSA_NO_PADDING             3
+ # define RSA_PKCS1_OAEP_PADDING     4
+@@ -198,6 +200,9 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label);
+ # define RSA_PKCS1_PSS_PADDING      6
+ # define RSA_PKCS1_WITH_TLS_PADDING 7
+ 
++/* internal RSA_ only */
++# define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8
++
+ # define RSA_PKCS1_PADDING_SIZE    11
+ 
+ # define RSA_set_app_data(s,arg)         RSA_set_ex_data(s,0,arg)
+diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
+index 666a699d84..d169bfd396 100644
+--- a/providers/implementations/asymciphers/rsa_enc.c
++++ b/providers/implementations/asymciphers/rsa_enc.c
+@@ -78,6 +78,8 @@ typedef struct {
+     /* TLS padding */
+     unsigned int client_version;
+     unsigned int alt_version;
++    /* PKCS#1 v1.5 decryption mode */
++    unsigned int implicit_rejection;
+ #ifdef FIPS_MODULE
+     char *redhat_st_oaep_seed;
+ #endif /* FIPS_MODULE */
+@@ -113,6 +115,7 @@ static int rsa_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[],
+     RSA_free(prsactx->rsa);
+     prsactx->rsa = vrsa;
+     prsactx->operation = operation;
++    prsactx->implicit_rejection = 1;
+ 
+     switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) {
+     case RSA_FLAG_TYPE_RSA:
+@@ -237,6 +240,7 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
+ {
+     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
+     int ret;
++    int pad_mode;
+     size_t len = RSA_size(prsactx->rsa);
+ 
+     if (!ossl_prov_is_running())
+@@ -326,8 +330,12 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
+         }
+         OPENSSL_free(tbuf);
+     } else {
+-        ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa,
+-                                  prsactx->pad_mode);
++        if ((prsactx->implicit_rejection == 0) &&
++                (prsactx->pad_mode == RSA_PKCS1_PADDING))
++            pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING;
++        else
++            pad_mode = prsactx->pad_mode;
++        ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa, pad_mode);
+     }
+     *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret);
+     ret = constant_time_select_int(constant_time_msb(ret), 0, 1);
+@@ -454,6 +462,10 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
+     if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version))
+         return 0;
+ 
++    p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION);
++    if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->implicit_rejection))
++        return 0;
++
+     return 1;
+ }
+ 
+@@ -465,6 +477,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
+                     NULL, 0),
+     OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),
+     OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
++    OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
+ #ifdef FIPS_MODULE
+     OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0),
+ #endif /* FIPS_MODULE */
+@@ -621,6 +634,14 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
+             return 0;
+         prsactx->alt_version = alt_version;
+     }
++    p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION);
++    if (p != NULL) {
++        unsigned int implicit_rejection;
++
++        if (!OSSL_PARAM_get_uint(p, &implicit_rejection))
++            return 0;
++        prsactx->implicit_rejection = implicit_rejection;
++    }
+ 
+     return 1;
+ }
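Review bot: rsa_set_ctx_params stores `implicit_rejection` for any padding mode, while the legacy path in rsa_pmeth.c (`case EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION:` earlier in this patch) refuses the same setting with RSA_R_INVALID_PADDING_MODE unless `rctx->pad_mode == RSA_PKCS1_PADDING` at the time of the call; both decrypt branches only consult the flag together with `pad_mode`, so the decryption result is the same, but an application gets an error from one API and silence from the other for an identical request. Either the provider should apply the same check or the ctrl should drop it, so that the observable contract does not depend on which API the caller reached the provider through; which way is a design choice, but the two paths ought to agree. The field comment added to PROV_RSA_CTX, `/* PKCS#1 v1.5 decryption mode */`, would read more precisely as `/* non-zero: return a synthetic message instead of an error on PKCS#1 v1.5 padding failure */`. The body of rsa_set_ctx_params begins outside this hunk.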
+@@ -633,6 +654,7 @@ static const OSSL_PARAM known_settable_ctx_params[] = {
+     OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, NULL, 0),
+     OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),
+     OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
++    OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
+     OSSL_PARAM_END
+ };
+ 
+diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+index 7487684e19..e807c0a2e1 100644
+--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
++++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+@@ -268,9 +268,25 @@ Decrypt = RSA-2048
+ Input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
+ Output = "Hello World"
+ 
++Availablein = default
++# Note: disable the Bleichenbacher workaround to see if it passes
++Decrypt = RSA-2048
++Ctrl = rsa_pkcs1_implicit_rejection:0
++Input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
++Output = "Hello World"
++
++Availablein = default
++# Corrupted ciphertext
++# Note: output is generated synthethically by the Bleichenbacher workaround
++Decrypt = RSA-2048
++Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79
++Output = 4cbb988d6a46228379132b0b5f8c249b3860043848c93632fb982c807c7c82fffc7a9ef83f4908f890373ac181ffea6381e103bcaa27e65638b6ecebef38b59ed4226a9d12af675cfcb634d8c40e7a7aff
++
+ # Corrupted ciphertext
+ Availablein = default
++# Note: disable the Bleichenbacher workaround to see if it fails
+ Decrypt = RSA-2048
++Ctrl = rsa_pkcs1_implicit_rejection:0
+ Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79
+ Output = "Hello World"
+ Result = KEYOP_ERROR
+@@ -293,6 +309,462 @@ Derive = RSA-2048
+ Result = KEYOP_INIT_ERROR
+ Reason = operation not supported for this keytype
+ 
++# Test vectors for the Bleichenbacher workaround
++
++PrivateKey = RSA-2048-2
++-----BEGIN RSA PRIVATE KEY-----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++-----END RSA PRIVATE KEY-----
++
++# corresponding public key
++PublicKey = RSA-2048-2-PUBLIC
++-----BEGIN PUBLIC KEY-----
++MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyMyDlxQJjaVsqiNkD5Pc
++iZfBY3KWj8Gwxt9RE8HJTosh5IrSKX5lQZARtObY9ec7G3iyV0ADIdHva2AtTsjO
++jRQclJBetK0wZjmkkgZTS25/JgdCPpff/RM8iNchOZ3vvH6WzNy9fzquH+iScSv7
++SSmBfVEWZkQKH6y3ogj16hZZEK3Yo/LUlyAjYMy2MgJPDQcWnBkY8xb3lLFDrvVO
++yHUipMApePlomYC/+/ZJwwfoGBm/+IQJY41IvZS+FStZ/2SfoL1inQ/6GBPDq/S1
++a9PC6lRl3/oUWJKSqdiiStJr5+4FEHQbY4LUPIPVv6QKRmE9BivkRVF9vK8MtOGn
++aQIDAQAB
++-----END PUBLIC KEY-----
++
++PrivPubKeyPair = RSA-2048-2:RSA-2048-2-PUBLIC
++
++# RSA decrypt
++
++# a random positive test case
++Availablein = default
++Decrypt = RSA-2048-2
++Input = 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
++Output = "lorem ipsum dolor sit amet"
++
++Availablein = default
++# a random negative test case decrypting to empty
++Decrypt = RSA-2048-2
++Input = 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
++Output =
++
++Availablein = default
++# invalid decrypting to max length message
++Decrypt = RSA-2048-2
++Input = 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
++Output = 22d850137b9eebe092b24f602dc5bb7918c16bd89ddbf20467b119d205f9c2e4bd7d2592cf1e532106e0f33557565923c73a02d4f09c0c22bea89148183e60317f7028b3aa1f261f91c979393101d7e15f4067e63979b32751658ef769610fe97cf9cef3278b3117d384051c3b1d82c251c2305418c8f6840530e631aad63e70e20e025bcd8efb54c92ec6d3b106a2f8e64eeff7d38495b0fc50c97138af4b1c0a67a1c4e27b077b8439332edfa8608dfeae653cd6a628ac550395f7e74390e42c11682234870925eeaa1fa71b76cf1f2ee3bda69f6717033ff8b7c95c9799e7a3bea5e7e4a1c359772fb6b1c6e6c516661dfe30c3
++
++Availablein = default
++# invalid decrypting to message with length specified by second to last value from PRF
++Decrypt = RSA-2048-2
++Input = 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
++Output = 0f9b
++
++Availablein = default
++# invalid decrypting to message with length specified by third to last value from PRF
++Decrypt = RSA-2048-2
++Input = 1690ebcceece2ce024f382e467cf8510e74514120937978576caf684d4a02ad569e8d76cbe365a060e00779de2f0865ccf0d923de3b4783a4e2c74f422e2f326086c390b658ba47f31ab013aa80f468c71256e5fa5679b24e83cd82c3d1e05e398208155de2212993cd2b8bab6987cf4cc1293f19909219439d74127545e9ed8a706961b8ee2119f6bfacafbef91b75a789ba65b8b833bc6149cf49b5c4d2c6359f62808659ba6541e1cd24bf7f7410486b5103f6c0ea29334ea6f4975b17387474fe920710ea61568d7b7c0a7916acf21665ad5a31c4eabcde44f8fb6120d8457afa1f3c85d517cda364af620113ae5a3c52a048821731922737307f77a1081
++Output = 4f02
++
++# positive test with 11 byte long value
++Availablein = default
++Decrypt = RSA-2048-2
++Input = 6213634593332c485cef783ea2846e3d6e8b0e005cd8293eaebbaa5079712fd681579bdfbbda138ae4d9d952917a03c92398ec0cb2bb0c6b5a8d55061fed0d0d8d72473563152648cfe640b335dc95331c21cb133a91790fa93ae44497c128708970d2beeb77e8721b061b1c44034143734a77be8220877415a6dba073c3871605380542a9f25252a4babe8331cdd53cf828423f3cc70b560624d0581fb126b2ed4f4ed358f0eb8065cf176399ac1a846a31055f9ae8c9c24a1ba050bc20842125bc1753158f8065f3adb9cc16bfdf83816bdf38b624f12022c5a6fbfe29bc91542be8c0208a770bcd677dc597f5557dc2ce28a11bf3e3857f158717a33f6592
++Output = "lorem ipsum"
++
++# positive test with 11 byte long value and zero padded ciphertext
++Availablein = default
++Decrypt = RSA-2048-2
++Input = 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
++Output = "lorem ipsum"
++
++# positive test with 11 byte long value and zero truncated ciphertext
++Availablein = default
++Decrypt = RSA-2048-2
++Input = 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
++Output = "lorem ipsum"
++
++# positive test with 11 byte long value and double zero padded ciphertext
++Availablein = default
++Decrypt = RSA-2048-2
++Input = 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
++Output = "lorem ipsum"
++
++# positive test with 11 byte long value and double zero truncated ciphertext
++Availablein = default
++Decrypt = RSA-2048-2
++Input = 1f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc
++Output = "lorem ipsum"
++
++# positive that generates a 0 byte long synthethic message internally
++Availablein = default
++Decrypt = RSA-2048-2
++Input = 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
++Output = "lorem ipsum"
++
++# positive that generates a 245 byte long synthethic message internally
++Availablein = default
++Decrypt = RSA-2048-2
++Input = 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
++Output = "lorem ipsum"
++
++Availablein = default
++# a random negative test that generates an 11 byte long message
++Decrypt = RSA-2048-2
++Input = 5f02f4b1f46935c742ebe62b6f05aa0a3286aab91a49b34780adde6410ab46f7386e05748331864ac98e1da63686e4babe3a19ed40a7f5ceefb89179596aab07ab1015e03b8f825084dab028b6731288f2e511a4b314b6ea3997d2e8fe2825cef8897cbbdfb6c939d441d6e04948414bb69e682927ef8576c9a7090d4aad0e74c520d6d5ce63a154720f00b76de8cc550b1aa14f016d63a7b6d6eaa1f7dbe9e50200d3159b3d099c900116bf4eba3b94204f18b1317b07529751abf64a26b0a0bf1c8ce757333b3d673211b67cc0653f2fe2620d57c8b6ee574a0323a167eab1106d9bc7fd90d415be5f1e9891a0e6c709f4fc0404e8226f8477b4e939b36eb2
++Output = af9ac70191c92413cb9f2d
++
++Availablein = default
++# an otherwise correct plaintext, but with wrong first byte
++# (0x01 instead of 0x00), generates a random 11 byte long plaintext
++Decrypt = RSA-2048-2
++Input = 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
++Output = a1f8c9255c35cfba403ccc
++
++Availablein = default
++# an otherwise correct plaintext, but with wrong second byte
++# (0x01 instead of 0x02), generates a random 11 byte long plaintext
++Decrypt = RSA-2048-2
++Input = 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
++Output = e6d700309ca0ed62452254
++
++Availablein = default
++# an invalid ciphertext, with a zero byte in first byte of
++# ciphertext, decrypts to a random 11 byte long synthethic
++# plaintext
++Decrypt = RSA-2048-2
++Input = 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
++Output = ba27b1842e7c21c0e7ef6a
++
++Availablein = default
++# an invalid ciphertext, with a zero byte removed from first byte of
++# ciphertext, decrypts to a random 11 byte long synthethic
++# plaintext
++Decrypt = RSA-2048-2
++Input = 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
++Output = ba27b1842e7c21c0e7ef6a
++
++Availablein = default
++# an invalid ciphertext, with two zero bytes in first bytes of
++# ciphertext, decrypts to a random 11 byte long synthethic
++# plaintext
++Decrypt = RSA-2048-2
++Input = 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
++Output = d5cf555b1d6151029a429a
++
++Availablein = default
++# an invalid ciphertext, with two zero bytes removed from first bytes of
++# ciphertext, decrypts to a random 11 byte long synthethic
++# plaintext
++Decrypt = RSA-2048-2
++Input = 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
++Output = d5cf555b1d6151029a429a
++
++Availablein = default
++# and invalid ciphertext, otherwise valid but starting with 000002, decrypts
++# to random 11 byte long synthethic plaintext
++Decrypt = RSA-2048-2
++Input = 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
++Output = 3d4a054d9358209e9cbbb9
++
++Availablein = default
++# negative test with otherwise valid padding but a zero byte in first byte
++# of padding
++Decrypt = RSA-2048-2
++Input = 179598823812d2c58a7eb50521150a48bcca8b4eb53414018b6bca19f4801456c5e36a940037ac516b0d6412ba44ec6b4f268a55ef1c5ffbf18a2f4e3522bb7b6ed89774b79bffa22f7d3102165565642de0d43a955e96a1f2e80e5430671d7266eb4f905dc8ff5e106dc5588e5b0289e49a4913940e392a97062616d2bda38155471b7d360cfb94681c702f60ed2d4de614ea72bf1c53160e63179f6c5b897b59492bee219108309f0b7b8cb2b136c346a5e98b8b4b8415fb1d713bae067911e3057f1c335b4b7e39101eafd5d28f0189037e4334f4fdb9038427b1d119a6702aa8233319cc97d496cc289ae8c956ddc84042659a2d43d6aa22f12b81ab884e
++Output = 1f037dd717b07d3e7f7359
++
++Availablein = default
++# negative test with otherwise valid padding but a zero byte at the eigth
++# byte of padding
++Decrypt = RSA-2048-2
++Input = 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
++Output = 63cb0bf65fc8255dd29e17
++
++Availablein = default
++# negative test with an otherwise valid plaintext but with missing separator
++# byte
++Decrypt = RSA-2048-2
++Input = 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
++Output = 6f09a0b62699337c497b0b
++
++# Test vectors for the Bleichenbacher workaround (2049 bit key size)
++
++PrivateKey = RSA-2049
++-----BEGIN RSA PRIVATE KEY-----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++-----END RSA PRIVATE KEY-----
++
++# corresponding public key
++PublicKey = RSA-2049-PUBLIC
++-----BEGIN PUBLIC KEY-----
++MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEBVfiJVWoXdfHHp3hqULGL
++woyemG7eVmfKs5uEEk6Q66dcHbCDrD5EO7qU3CNWD3XjqBaToqQ73HQm2MTq/mjI
++XeD+dX9uSbue1EfmAkMIANuwTOsi5/pXoY0zj7ZgJs20Z+cMwEDn02fvQDx78ePf
++YkZQCUYx8h6v0vtbyRX/BDeazRES9zLAtGYHwXjTiiD1LtpQny+cBAXVEGnoDM+U
++FVTQRwRnUFw89UHqCJffyfQAzsspj/x1M3LZ9pM68XTMQO2W1GcDFzO5f4zd0/kr
++w6A+qFdsQX8kAHteT3UBEFtUTen63N/635jftLsFuBmfP4Ws/ZH3qaCUuaOD9QSQ
++lwIDAQAB
++-----END PUBLIC KEY-----
++
++PrivPubKeyPair = RSA-2049:RSA-2049-PUBLIC
++
++# RSA decrypt
++
++Availablein = default
++# malformed that generates length specified by 3rd last value from PRF
++Decrypt = RSA-2049
++Input = 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
++Output = 42
++
++# simple positive test case
++Availablein = default
++Decrypt = RSA-2049
++Input = 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
++Output = "lorem ipsum"
++
++# positive test case with null padded ciphertext
++Availablein = default
++Decrypt = RSA-2049
++Input = 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
++Output = "lorem ipsum"
++
++# positive test case with null truncated ciphertext
++Availablein = default
++Decrypt = RSA-2049
++Input = 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
++Output = "lorem ipsum"
++
++# positive test case with double null padded ciphertext
++Availablein = default
++Decrypt = RSA-2049
++Input = 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
++Output = "lorem ipsum"
++
++# positive test case with double null truncated ciphertext
++Availablein = default
++Decrypt = RSA-2049
++Input = 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
++Output = "lorem ipsum"
++
++Availablein = default
++# a random negative test case that generates an 11 byte long message
++Decrypt = RSA-2049
++Input = 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
++Output = 1189b6f5498fd6df532b00
++
++Availablein = default
++# otherwise correct plaintext, but with wrong first byte (0x01 instead of 0x00)
++Decrypt = RSA-2049
++Input = 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
++Output = f6d0f5b78082fe61c04674
++
++Availablein = default
++# otherwise correct plaintext, but with wrong second byte (0x01 instead of 0x02)
++Decrypt = RSA-2049
++Input = 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
++Output = 1ab287fcef3ff17067914d
++
++# RSA decrypt with 3072 bit keys
++PrivateKey = RSA-3072
++-----BEGIN RSA PRIVATE KEY-----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++-----END RSA PRIVATE KEY-----
++
++PublicKey = RSA-3072-PUBLIC
++-----BEGIN PUBLIC KEY-----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++-----END PUBLIC KEY-----
++
++PrivPubKeyPair = RSA-3072:RSA-3072-PUBLIC
++
++Availablein = default
++# a random invalid ciphertext that generates an empty synthethic one
++Decrypt = RSA-3072
++Input = 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
++Output =
++
++Availablein = default
++# a random invalid that has PRF output with a length one byte too long
++# in the last value
++Decrypt = RSA-3072
++Input = 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
++Output = 56a3bea054e01338be9b7d7957539c
++
++Availablein = default
++# a random invalid that generates a synthethic of maximum size
++Decrypt = RSA-3072
++Input = 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
++Output = 7b036fcd6243900e4236c894e2462c17738acc87e01a76f4d95cb9a328d9acde81650283b8e8f60a217e3bdee835c7b222ad4c85d0acdb9a309bd2a754609a65dec50f3aa04c6d5891034566b9563d42668ede1f8992b17753a2132e28970584e255efc8b45a41c5dbd7567f014acec5fe6fdb6d484790360a913ebb9defcd74ff377f2a8ba46d2ed85f733c9a3da08eb57ecedfafda806778f03c66b2c5d2874cec1c291b2d49eb194c7b5d0dd2908ae90f4843268a2c45563092ade08acb6ab481a08176102fc803fbb2f8ad11b0e1531bd37df543498daf180b12017f4d4d426ca29b4161075534bfb914968088a9d13785d0adc0e2580d3548494b2a9e91605f2b27e6cc701c796f0de7c6f471f6ab6cb9272a1ed637ca32a60d117505d82af3c1336104afb537d01a8f70b510e1eebf4869cb976c419473795a66c7f5e6e20a8094b1bb603a74330c537c5c0698c31538bd2e138c1275a1bdf24c5fa8ab3b7b526324e7918a382d1363b3d463764222150e04
++
++# a positive test case that decrypts to 9 byte long value
++Availablein = default
++Decrypt = RSA-3072
++Input = 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
++Output = "forty two"
++
++# a positive test case with null padded ciphertext
++Availablein = default
++Decrypt = RSA-3072
++Input = 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
++Output = "forty two"
++
++# a positive test case with null truncated ciphertext
++Availablein = default
++Decrypt = RSA-3072
++Input = 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
++Output = "forty two"
++
++# a positive test case with double null padded ciphertext
++Availablein = default
++Decrypt = RSA-3072
++Input = 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
++Output = "forty two"
++
++# a positive test case with double null truncated ciphertext
++Availablein = default
++Decrypt = RSA-3072
++Input = 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
++Output = "forty two"
++
++Availablein = default
++# a random negative test case that generates a 9 byte long message
++Decrypt = RSA-3072
++Input = 5c8555f5cef627c15d37f85c7f5fd6e499264ea4b8e3f9112023aeb722eb38d8eac2be3751fd5a3785ab7f2d59fa3728e5be8c3de78a67464e30b21ee23b5484bb3cd06d0e1c6ad25649c8518165653eb80488bfb491b20c04897a6772f69292222fc5ef50b5cf9efc6d60426a449b6c489569d48c83488df629d695653d409ce49a795447fcec2c58a1a672e4a391401d428baaf781516e11e323d302fcf20f6eab2b2dbe53a48c987e407c4d7e1cb41131329138313d330204173a4f3ff06c6fadf970f0ed1005d0b27e35c3d11693e0429e272d583e57b2c58d24315c397856b34485dcb077665592b747f889d34febf2be8fce66c265fd9fc3575a6286a5ce88b4b413a08efc57a07a8f57a999605a837b0542695c0d189e678b53662ecf7c3d37d9dbeea585eebfaf79141118e06762c2381fe27ca6288edddc19fd67cd64f16b46e06d8a59ac530f22cd83cc0bc4e37feb52015cbb2283043ccf5e78a4eb7146827d7a466b66c8a4a4826c1bad68123a7f2d00fc1736525ff90c058f56
++Output = 257906ca6de8307728
++
++Availablein = default
++# a random negative test case that generates a 9 byte long message based on
++# second to last value from PRF
++Decrypt = RSA-3072
++Input = 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
++Output = 043383c929060374ed
++
++Availablein = default
++# a random negative test that generates message based on 3rd last value from
++# PRF
++Decrypt = RSA-3072
++Input = 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
++Output = 70263fa6050534b9e0
++
++Availablein = default
++# an otherwise valid plaintext, but with wrong first byte (0x01 instead of 0x00)
++Decrypt = RSA-3072
++Input = 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
++Output = 6d8d3a094ff3afff4c
++
++Availablein = default
++# an otherwise valid plaintext, but with wrong second byte (0x01 instead of 0x02)
++Decrypt = RSA-3072
++Input = 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
++Output = c6ae80ffa80bc184b0
++
++Availablein = default
++# an otherwise valid plaintext, but with zero byte in first byte of padding
++Decrypt = RSA-3072
++Input = 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
++Output = a8a9301daa01bb25c7
++
++Availablein = default
++# an otherwise valid plaintext, but with zero byte in eight byte of padding
++Decrypt = RSA-3072
++Input = 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
++Output = 6c716fe01d44398018
++
++Availablein = default
++# an otherwise valid plaintext, but with null separator missing
++Decrypt = RSA-3072
++Input = 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
++Output = aa2de6cde4e2442884
++
+ # RSA PSS key tests
+ 
+ # PSS only key, no parameter restrictions
+-- 
+2.41.0
+

diff --git a/0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch b/0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
new file mode 100644
index 0000000..4308f5e
--- /dev/null
+++ b/0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
@@ -0,0 +1,1102 @@
+From 936e081bd752ca0a883568aaf3b5752c9eaccb12 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 15:38:21 +0200
+Subject: [PATCH 36/48] 
+ 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
+
+Patch-name: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
+Patch-id: 80
+Patch-status: |
+    # We believe that some changes present in CentOS are not necessary
+    # because ustream has a check for FIPS version
+---
+ providers/implementations/rands/drbg_hash.c |  12 ++
+ providers/implementations/rands/drbg_hmac.c |  12 ++
+ test/recipes/30-test_evp_data/evprand.txt   | 129 ++++++++++++++++++++
+ 3 files changed, 153 insertions(+)
+
+diff --git a/providers/implementations/rands/drbg_hash.c b/providers/implementations/rands/drbg_hash.c
+index fb824abfa6..b90fee6dec 100644
+--- a/providers/implementations/rands/drbg_hash.c
++++ b/providers/implementations/rands/drbg_hash.c
+@@ -471,6 +471,18 @@ static int drbg_hash_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+         if (!ossl_drbg_verify_digest(libctx, md))
+             return 0;   /* Error already raised for us */
+ 
++#ifdef FIPS_MODULE
++    if (!EVP_MD_is_a(md, SN_sha1)
++            && !EVP_MD_is_a(md, SN_sha256)
++            && !EVP_MD_is_a(md, SN_sha512)) {
++        ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
++                       "%s is not an acceptable hash function for an SP 800-90A"
++                       " DRBG according to FIPS 140-3 IG, section D.R",
++                       EVP_MD_get0_name(md));
++        return 0;
++    }
++#endif /* defined(FIPS_MODULE) */
++
+         /* These are taken from SP 800-90 10.1 Table 2 */
+         hash->blocklen = EVP_MD_get_size(md);
+         /* See SP800-57 Part1 Rev4 5.6.1 Table 3 */
+diff --git a/providers/implementations/rands/drbg_hmac.c b/providers/implementations/rands/drbg_hmac.c
+index 664a074639..cbd4d0f519 100644
+--- a/providers/implementations/rands/drbg_hmac.c
++++ b/providers/implementations/rands/drbg_hmac.c
+@@ -367,6 +367,18 @@ static int drbg_hmac_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+     if (md != NULL && !ossl_drbg_verify_digest(libctx, md))
+         return 0;   /* Error already raised for us */
+ 
++#ifdef FIPS_MODULE
++    if (!EVP_MD_is_a(md, SN_sha1)
++            && !EVP_MD_is_a(md, SN_sha256)
++            && !EVP_MD_is_a(md, SN_sha512)) {
++        ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
++                       "%s is not an acceptable hash function for an SP 800-90A"
++                       " DRBG according to FIPS 140-3 IG, section D.R",
++                       EVP_MD_get0_name(md));
++        return 0;
++    }
++#endif /* defined(FIPS_MODULE) */
++
+     if (!ossl_prov_macctx_load_from_params(&hmac->ctx, params,
+                                            NULL, NULL, NULL, libctx))
+         return 0;
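Review bot: The new FIPS_MODULE block in drbg_hmac_set_ctx_params drops the `md != NULL` guard that the line directly above it keeps, so on a set_ctx_params call that carries no digest parameter (the case that guard exists for) all three `!EVP_MD_is_a(md, …)` tests hold and the block returns 0 after passing a NULL md to `EVP_MD_get0_name`, meaning a parameter-only update such as a reseed setting would be rejected in the FIPS module, assuming EVP_MD_is_a treats NULL as "no match" as it does upstream. Guard it the same way as the preceding check: `if (md != NULL && !EVP_MD_is_a(md, SN_sha1)` with the other two conditions unchanged. The identical allow-list in the drbg_hash.c hunk above does not appear to have this problem, since its context lines are indented one level deeper, consistent with an enclosing `if (md != NULL)` branch, although the inserted block's 4-space indent does not match that enclosing block. Because both callers already invoke ossl_drbg_verify_digest immediately before the new check, the allow-list would arguably belong inside that shared helper rather than being duplicated in two providers. The body of drbg_hmac_set_ctx_params starts and ends outside this hunk.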
+diff --git a/test/recipes/30-test_evp_data/evprand.txt b/test/recipes/30-test_evp_data/evprand.txt
+index 0e2ee82c58..7a17e7b3e1 100644
+--- a/test/recipes/30-test_evp_data/evprand.txt
++++ b/test/recipes/30-test_evp_data/evprand.txt
+@@ -7388,6 +7388,7 @@ Nonce.14 = 7239f92b63fb3dbe
+ PersonalisationString.14 = 8d2e2ca3985bd2538a71f02cc3eb5568
+ Output.14 = 0e4cb328c03faaedbec7215725851069bceae4332de6a70e3521dd065f2f7923485969571ebd7f24be460fd901c6b3e356da6ee5262ef2d76ad14eb0f697f8fb92af2f46630198c5f7018860886147b3
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -8659,6 +8660,7 @@ AdditionalInputA.14 = e5c633ca50dcd83e0a34d397df53f6d7a6f7170a3f81f0e6
+ AdditionalInputB.14 = 5f0beb5a2d2968e83ba87c92bfa420fd6e8526fbbfdea128
+ Output.14 = 8bec11df1022aa50d95daeaf23d78d6ee45c43c5768b90181e106c7df8ff333d7cb87ca1ab83f8742370db1c8c0c0c22f141ff4de33ae8bdb14fee7e6c069819320629c66d94c7c97ff52930a3c1dcd501b60f0f84bda4720ee187ae858a6e068326eda5809716e366d1b608c61b0100
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -8709,6 +8711,7 @@ Entropy.14 = 1194beb668839c47c73e7516f9ba09d23dec3553b3b5532f75b260106dcc2abf
+ Nonce.14 = 3c8a77351e93065d584feeb08c8424a9
+ Output.14 = fabd48bfcdd07968239fe538c2d8c9bde2e257b9b244078f39287c7ee90de167fff56a693c4e64f45081635511b5fd031c0270a31b4a014e44c0516a55ae72345aa11dffcda4ccf8cda50f6948d5ae425d8d53ad5c74cef1364277990156796e1c5dfa1ef095c0d8983477eb24241135760b02c86c86d4ec3627edac8c1a7e32
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -8789,6 +8792,7 @@ AdditionalInputA.14 = 626385595bef7103af0af700e1df048d7572286af709289b7894d2ab09
+ AdditionalInputB.14 = bfe8946dbf27d3a2127ec600351c3920d2531eb9419408233e0a888059b5eb68
+ Output.14 = ee6d07661828213e6453d94faaf76345c70949eca4965714c350313b0bcd8e079e6a07f8b2f7a91bcb7ef39a61568fd1c40ab78f154b3582f830095d571de29f81f9565e46b560d34c32bff55341a991f8e863bd9242c7cdd366be12538bb6922f1abfa19e7998aac61d465fc46538ee9142acc66786f4516ef4105fe1d80372
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -8854,6 +8858,7 @@ Nonce.14 = de2186bafa82b0d08a0b8215e3424512
+ PersonalisationString.14 = d96db27febe22db935b117dc3068374e39c5b2119b497e3c1d858ef649e01de5
+ Output.14 = d04435a8aab397cfcee5151f7aa24298ffc6eee4f577cda42d5e154b8d28cb2f0f945f11a15ed5b76486c88f03081cfd262d94a8e0b332e3c9c608461dcc8eba20d7db209810d25c226fda9fe218022a9b2c96876cb16c06c0553dd84ce57e20338c3d3e03c59ce22e668e25c2c50d5cc9afab91f50a28680964c2dacb9d2fb3
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -8949,6 +8954,7 @@ AdditionalInputA.14 = 5d9446eff72d59529a90b498d8f40983b3b2904f63664fc0aa1de8700d
+ AdditionalInputB.14 = e19707aafa391e8622539d52a05d930292bd0f7c17825dbed5fb7a2f8734081b
+ Output.14 = 6ce2ae37349cbef9ebd1f9b85485810a22d430d94abf66912dd7b6cc751400e777be2f1cebc19d65694a456b2c6429cefd95eb934030846708d50be3b274c2f7de299f3c311038491f271448c7d02ff51de048fa1184e8ee06b7b46a9f123daecbebae4a2183dc8eb6976abf0dae7cdbea6017cd1500f37dfadcce0c1956ea87
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -8999,6 +9005,7 @@ Entropy.14 = a7a1dbf7f828555610197e71e0ad563b8691589c5289ced03e9ef83b6f9ff938
+ Nonce.14 = 4274788c5d80e26ec1ac3a57b9c7c0df
+ Output.14 = 5a907a26c1ef588219d4c69fcf4c5c283ab148a77588a40b323bd24e6dfb29551c4b6116c4d61349f5f8bd9ed497f38b239c37283902beb3c9700c768fa289ee4573f92316efb860a5ca4267b328f03c13138b774b4b9f7516003a699f7a0854a0efb045a5932753a771c2cc6119202b33336f10edb715bcce1d20ff503dda01
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -9079,6 +9086,7 @@ AdditionalInputA.14 = de1bbca12357943b4489cc7209b3f063b51b91acc168ec5e0ad88048b6
+ AdditionalInputB.14 = 6ddd9aba4f100ef902ba50adee53ef44a4f45564c13e774e69557e36a357e7cf
+ Output.14 = 544ec80a966644454886fb97a0f05eb6a4a25fcbce795b5e5b27ee06ba14b7de18dbf54f80a670b87c76c336ac9af16c8958ad6c1bde9a97aa4c1ab5823d24a53c64f6766ce6eb9b7085cf7282499c37fc1e2e825f53bc357bf36d5901e0ae93cd3bd821fa18b5aa17548560f7ad6ef38124814fccf9b2b89de61cfc27c7269b
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -9144,6 +9152,7 @@ Nonce.14 = ab7843b73ecb4858f2cc5e9dfca803ef
+ PersonalisationString.14 = dee559515084d8ac49c3803f09f3d5fed3b307946a2752c267677f22786a0125
+ Output.14 = a12f5e8ea3bb174934c15e5d114ba615da33210c98c38d7fde4b5aef9aecdeaef311d929d7fece7fee11db67134c3326b413b8dc17766ba4fb881105db68688b148fd95d812f6538b14f25afaae84d39025336136d270bd643f2a6c7164930372fb1c8f4f0dab60283e9d8d3440ce8dc66761c5d5c4c13cc3a367feb4869b559
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -9239,6 +9248,7 @@ AdditionalInputA.14 = ead8c0dcf4ddc909aab96eadab509a46908ee5f090983af609f08d8a8b
+ AdditionalInputB.14 = f357bda8f2048929a4e31969ec978cc333d58b4fc09a8aa1b73ec9bdfaa1a8f6
+ Output.14 = 901aabb3f065be08e2f8072d5d3ffcb28ab291420644e407e7a6a3346b75a5be535bdbdd5a8245998689450292df877233ef0783e0bd1765413193790995d884ffcb2c8dc35fe4cfc12def2f091866d735b1dcfc9d8d8c26903d50e9397b1bbd674bb81fc908361b2bddb68f02031d87588cc3e94210422674e93fea6a5329af
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -9289,6 +9299,7 @@ Entropy.14 = dfa94c198483c5daa046f1dd1e4e83f854fd6c5cbc3465f671bdfd36837779ab
+ Nonce.14 = 298de64bbd817d009a71c1424ae839f9
+ Output.14 = bfb9a54ce31406a82608aebc826441f8f633813a0c3bad723b802f3e905a6ee3512ff3513062aea51f93be17aebf1cfcd81868e85db3db9aa98680f974001fda8fe6a644f5efbb9d6e52e99ff606ef1ed7cd3b17fa6c6844790ed58da6df61aba0c200d7dff943588f4520891798098bddc65797b2f99c05efa090c60dc48a4e
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -9369,6 +9380,7 @@ AdditionalInputA.14 = 066b072d48f6cc6bb00273e0bc0ebc086235fe79af1fbdb46318f56c62
+ AdditionalInputB.14 = cfb58f59c6d56993b9f0b5ba1643554072cf4ae8013c236120044ae909083f5f
+ Output.14 = d5dd7f55ffa7d53fc0f679cddadeb869f39b29a6d394c9f1185b11ebefbcb43419c6a26ae3c9ab9d456e2cdba1aead05e67eabd3596526ee431ba7cab7f94838062fcec2363cf0e19849ffef30064263b3a059ce38aa02c2729bff5af9450e035161816724163906112205196c642bfd70f36abb4639fd6e4f7f6a879ebbcc62
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -9434,6 +9446,7 @@ Nonce.14 = ea7d3c3b8f6da0667d7f0d543c68d7d1
+ PersonalisationString.14 = 86c20a7e794c887898d5bc00e98398276a4e3ad8d674fb808a63a44330490d2b
+ Output.14 = ee8e21ff48af611a17d33e130f4e4224330efcc1402b6d55aaf1f514553b880f18df68c0e4279854eb2e9b904c552f69f0e1badc347ebe336b70456f221e07a2fc78df72551d99df3755997029ee1461e2b6e396370096d7e8c2dfceb73214a72ae2b25ccc60b92dd71988eda811ceac4b7c335528249aaf82826a14c142007c
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -9529,6 +9542,7 @@ AdditionalInputA.14 = ea12ddcafa4f578b8b43337508dd8627844d185b10af7de7e907d113c6
+ AdditionalInputB.14 = 0cc670275cd2b0eac5df123eb1fd73c2f2b093b76806943918cf49930fa97515
+ Output.14 = 88dc727007c0e03c8d27d00c87876f8990b271964a5275f636ecd7f18cac9c869e5f9df5fb2d34e7f89c2e9819af562a706a03d9be9318896f5ab16573aebbfd94a681cbf27e7202b8674437667893246c267785d0deca5033de88a61bf5158177391c2e3232ea6f812c468d5629ed9f89ad0bec0f6c7a469f56331f9eba1cd2
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -9579,6 +9593,7 @@ Entropy.14 = 6b9f904ac4b16d36e06a1bddc501d7ef98d5685c1ceadd0a6e1622e0c1e73716
+ Nonce.14 = 4a42f39e5a241a2b96db29055159c91f
+ Output.14 = 785014b0460831b7b67346c6997217b0f6c8e7313687ea6ff4d0b09a0786bd6ac362a0b1ddc6ab8c9c624625a379cbec7f11cf30ddab23cdec054b986175cdae0ca4ba4610e0711bc94e9ab706539d5fa2c1a4fd3cd49042696b58dce465f8e09a200e7d214cda357021c62248a01aeb95f8ffa8bd49d354fdccf4c71eec3491
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -9659,6 +9674,7 @@ AdditionalInputA.14 = 147d51711ae8a420f165db0000d9d0cb9e9cd5447311eed43d7cc9217d
+ AdditionalInputB.14 = 2910968bb1976a1b8ced116e673f408da6fc563695c918ac0a230b0bb800c707
+ Output.14 = 357a7269b30ca744e213d894f5c45d0db9fba897e0c863a56062f5018ad9be9f37b8d550014ed68f2c34bf5195c0b7460df171ff3bd4a590578670c92470d876c8de19d48a6d7fa15fc7996be78d3cc8a5c657439f4bb9865bd56e187d5df2531a405e3e0f4b87c611aa8e226b8b0266290f06f8062456a7a4bf0896e4ddd948
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -10995,6 +11011,7 @@ AdditionalInputA.14 = 23e4e6b0e0c1b28a6f9731f8b09960ce7adac17527b3bbaca7c811daea
+ AdditionalInputB.14 = dc7fac6aeded9e17b5bb5e2bcad9424d42dc07e809da59d52caecba6e75ca457
+ Output.14 = 5a42b35cf1b72d2520d92719a94ef1a7ca5b6d6c7eef2de25c8ea44c1fc3a9a5ff2128f47bbe58084a0c7a3fc790626eff5666b4c1e68fb2f53de3370b29c398d5067b255f5f7f29fdb0f8bc256ee3afbe78a33981626837c55f981e56eb2e1bdd89ca081e48f6da7ce6576fbd37dbd57a3f41cf410cb375614af239f2e10218e777fb97a55d9cc73243882b8d8d2a2c812fbdeaaed90b5bd71a274b4b171cd7e661912c9b3de1714a3fe4931d8fc7cb1c9f64f4e37d4e5dbc31602d2f8699e0
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -11045,6 +11062,7 @@ Entropy.14 = 471746177fa3ebbc1f1e06fa42d61d5d491abc82eb7d66e749b87d562a7eff34
+ Nonce.14 = 42f8a1ee9b09940e9e1dc64f51a78b4b
+ Output.14 = 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
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -11125,6 +11143,7 @@ AdditionalInputA.14 = 4b69404b80b6f2fec36a7dff1b194a228761694129efa6c6b9a044f553
+ AdditionalInputB.14 = 519c4cf1b30500f729e5426d76373c291e26cafceb594c10c96bdb9aef4b42fa
+ Output.14 = 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
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -11190,6 +11209,7 @@ Nonce.14 = 8680d7b3f0a8ae576bb0f75364b463ea
+ PersonalisationString.14 = c0bf8f2ca4efb48b8dca73ca7148da3cd5981c5a459be32db5a14fc7762c68d6
+ Output.14 = 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
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -11285,6 +11305,7 @@ AdditionalInputA.14 = 64278bb6b8224b93c0b5339726fb752f6d81e85b204d76376d99779ff1
+ AdditionalInputB.14 = 4995815c060c80e9bead55dfe823b869862bd0e5b4357afe810a53c68d4b0e7b
+ Output.14 = 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
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -11335,6 +11356,7 @@ Entropy.14 = 337373a24fe76f025575b3dbd7eeedd03d3459d6ef44cd53335a9c4963cc45de
+ Nonce.14 = ebbea7e8e1a3a45c58044b65ab7688b9
+ Output.14 = 21ae4510a133fa0906c873eb73e00d777b68a45a1de8759b1497f5146f0c45cf612b02e972ec93ebccbb85c9adaf0f5942fcfbb3b808482f05497f2f4734dd6d42c8413e1bd1bad10463dd4b4cf29f1662c15efc6d24955b1e54a60508d9ed008c9d29f8a6bddfe564c21473271350137452f4601179af37e19d553ec738539cfd7a8df17f07e1f9db5df776256e3c00199997307de394a8ba41be2829defbd8105fcb3cda215219fecb607eb1e7137a29eef188ca7eb349d2d1fe27edc2526ccc6d8f1af7eec9c06910f3909907f966d5904b32577f2715cc32ac08f1b5e25a734716ffddf60c57d422b515ce817b605ead2f875db7a789e351b660704f0cbc
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -11415,6 +11437,7 @@ AdditionalInputA.14 = 771e91743429c40a2e3ececc9a3d73a92336c9c988c5d9dde47563b631
+ AdditionalInputB.14 = ae1a58611aa54df3c655a1f20985552ed9e3610e92170a0de1a4573a5a1f93d7
+ Output.14 = b2534bf690444513bdfecb35bd616b0de47b7cca7f8ab9c5e823b468da62855601b59c6bb75cf34fe3dbc7f795536b9619d243c0f6960895d6710130fbfda2a0bff803e856f1cf21a63e86e59be0d6da7516b697e9ff95c341913ff27c8abe10e6af1b7ad8dec9f7aab46b8d35c103f9bff3016b39ec24026a7b582f6e95261031f734e29a1b64c65639cf238381e5f7e31da624ad24290930501132c860118b6c59052aaa7cf982486219431311453a431a1cf50deaf068e2f9993c0ab851c9aec72be8f7c5c57ed03c488befe6ffc256efe6db52b7734c042b69a5ed74e2593c4788c5fa8a03a5017b927bb8f1c8262925d734c5604639a9b441187b0d95e3
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -11480,6 +11503,7 @@ Nonce.14 = 78e7f6e9e8e1511bc0ba7f230b65fe47
+ PersonalisationString.14 = 37544eb1992fc569ff259946d639a00230ec1196c5565b8f9da62d9ce552e09a
+ Output.14 = 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
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -11575,6 +11599,7 @@ AdditionalInputA.14 = 8dab17e96142c890eb16981b97364223e815130bdb0c0c284e50dd3349
+ AdditionalInputB.14 = 1439e2d19a99703fc35607b5bde55331eca67b2b9a9f7587ddba0dd1fe690ab2
+ Output.14 = 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
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -11625,6 +11650,7 @@ Entropy.14 = 5f72e390aa960846a0004d266e3741b6fe0aaac98d9d87b4cbaaa7a2af0d0bdf
+ Nonce.14 = 2074991cf0c22cd34b2de48ea1f9ec66
+ Output.14 = 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
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -11705,6 +11731,7 @@ AdditionalInputA.14 = 97f8c1e98fd25289be846d80f667341a095dfbabd610c691ad6b2b901c
+ AdditionalInputB.14 = 136912d2805ab8ffcb4e7d6a81e37e14b7f7bb65dd0241d56f11d7c72dd5de1d
+ Output.14 = 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
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -11770,6 +11797,7 @@ Nonce.14 = fe9dfa1b683fa9cc70b7c7f8c81185b2
+ PersonalisationString.14 = 7e86cf4111fbea8fa9b180a1bd9ff3e9d233304b1d293adffa49ce8e77f400ab
+ Output.14 = 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
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -11865,6 +11893,7 @@ AdditionalInputA.14 = 91e14e178a033e26e6f6a0b0f3890fa46f83731a14cf31445c51a92166
+ AdditionalInputB.14 = 20299371a1de6f994260d1c59c1d3f731d8f70fea6e9389b3ede54d47594414d
+ Output.14 = 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
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -11915,6 +11944,7 @@ Entropy.14 = c5ebb2ae08a03815e496c2db1e2a650b40893ea78fbd7ca8434edcde4432a43e
+ Nonce.14 = 0cede46aca7d2a60f2e98eb3c7d1dba7
+ Output.14 = 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
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -11995,6 +12025,7 @@ AdditionalInputA.14 = def9d8f7b18023b69c6cd4121c0adbc2a89b3ca37333d4523261d5eb20
+ AdditionalInputB.14 = 06051dec796525094018b436605bd2ddd66359a2836a5996e8262bb7763fadc0
+ Output.14 = 29e8184e37a5c26670bdc95c842c602ed8b0cf102ca144133e8cc841e1dc32fd038a72c26b8be8a568db60a4cfbd52b0d8b74cdf180a4931d6dd19a255104db105b3366d75e8f6afd0e5fab4dc14f6deac82e7703eb6a61f22b79bdad8ac7fab95a58a71f80fa510542615c305f7cbf84790060f17e7d78ab5d4b0ca34fad47133a0627b803c1caee3b97fe47626a8590672e2211f39cbe1b79d1999fb772b884122c8e50c59fdd3de13a53e805f40f8aa35501571a4c4cce79a8f738e60a43a11afdbed94e26f474ba5cd6ff5cdaf00d0fb84109aeb3510f1ea576c70ae78cdd0415a0521f3ff4083f9160011dcd6e2802cfbbbdfe9c4a3b114dd47b3a6cddb
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -12060,6 +12091,7 @@ Nonce.14 = 7b9a876017e5e14bd6a19719c73035da
+ PersonalisationString.14 = eb97028b093f820b182384baafa56ecf196dc11ebc515a405ac24f73e465ae9a
+ Output.14 = 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
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -31145,6 +31177,7 @@ Output.14 = 01f11971835819c1148aa079eea09fd5b1aa3ac6ba557ae3317b1a33f4505174cf9d
+ 
+ Title = Hash DRBG No Reseed Tests (from NIST test vectors)
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -31195,6 +31228,7 @@ Entropy.14 = 6fe9597b59903b1af4012a15368af7b1
+ Nonce.14 = fd3e84b3a96caaff
+ Output.14 = 1eee4c786476d488e58d0e065bb025db548787fafbe757f29ee2bd4781cf69216091ba2b68919b54ad3070ac72a2342320eb1e697b9115acbe07e194d060562e4d0fd966ab29e2c5e560574b2dac04ce
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -31275,6 +31309,7 @@ AdditionalInputA.14 = 93dc424bd0d266879601745a23317141
+ AdditionalInputB.14 = a17321015d327c5dc0bc1e130aad81ee
+ Output.14 = f682834b5b492e09ff8e0f2c80683b032a3b262d16bc609c550dc0e74a4b7d8ebc0e3b8f2c9970d90aec9a82497dded20422b17b9e3cc3bca771cbe717ddaed5a7a6ae2601c7f765eaa719b71624e83b
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -31340,6 +31375,7 @@ Nonce.14 = fa9adae924417150
+ PersonalisationString.14 = dbad22c389c527715d21a5bdf38c1fad
+ Output.14 = a18d57e672218956e6c8cb9901d02888f3587177c3e11e1a99ea72370347b953a9f122c9446dfa109723b27f36fbf15edf103a56741c24968592479cfe30bc0053fa7b9818e9debcc494db64d15d038b
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -31435,6 +31471,7 @@ AdditionalInputA.14 = e488e16f48c61dd2152afe925eceee92
+ AdditionalInputB.14 = 12c692abd90ab485f4d9499680a6893f
+ Output.14 = 8ba04617a135d8abe0c3c0a170e7472e7ed750eac706e5c3ed8305d6f6f8a1a53e0c52d4853b21ab8951e80970b426008ae11952ff364817b6856ef0810860dc65faea487b5d7c3f3d63fd443756d2a8
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -31485,6 +31522,7 @@ Entropy.14 = ceb354444d1a29c0c3e8a1cc24d02846
+ Nonce.14 = 86d3fd9fc51f8b19
+ Output.14 = 6f90ad611987a37bac54bea0782ac78215b7d17ecdd3991a81a36d0e263c6f0dda2c102cfba56b26c7b74b5dd2548be9bc81c7958e9d19821583c6f388132b9e19ae7609add9a296c1e92d66a2ef5464
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -31565,6 +31603,7 @@ AdditionalInputA.14 = 32d09b604a65dc8daa35cdc34141b751
+ AdditionalInputB.14 = b8186a294c7824b7c550c1054badec00
+ Output.14 = ae9a091cfafbf0e74c2be8ad4b984e824a24e65ba7610b0f3ab1750e2f12de1620db6bb8c493b3d8b06ab78e69cf2dffd73d4322a67ee7725aad84fb458b8f26cf04846850202e53c874213221e761e5
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -31630,6 +31669,7 @@ Nonce.14 = 8368ee0e29d35c67
+ PersonalisationString.14 = f189a80d5619f53cce878ed57522a468
+ Output.14 = aeac5933065c33ce2ace2531a193e367f73c83fc328f61ee2627f6f3841914c6b8a3ff767f96b3c3b685bac931af9ec10c6f3efe25b5109bb647b120e3a3f6971a4ec41f4ef0c7a900fdb09d7ff3b247
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -31725,6 +31765,7 @@ AdditionalInputA.14 = af578fbbb8a830947e9b4e2c9e729336
+ AdditionalInputB.14 = 5a69864ca39da1ba4719dfe1dc850a4a
+ Output.14 = 8b846f03cb66f7e49fdddf7cc449a5f3f6ccdc17ae7e2265a5d0e39ea10fc3e6cffefc04147b773a1584e429fe99e885f278aff74a49d8c842e7ccd870f1330692fc9c4836dac5046c544be74652da26
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -31775,6 +31816,7 @@ Entropy.14 = b7ddb82f5664834b4fb17778d22e62f2
+ Nonce.14 = 52461924becab175
+ Output.14 = 8735d06e26814ee54b5daca4e1da3e321a5a19b062ec0c3afbe3b16f23332a687fadb29e65208130c3d667c075660ff70aea96430fee254c472686b8e82ca359a57bbdc3004bb3eb641c1f97e4b19e02
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -31855,6 +31897,7 @@ AdditionalInputA.14 = 7725ef70592c362d70b088ed639f9d9b
+ AdditionalInputB.14 = 5ab2e0067c3b384e55a78492f0f6ed44
+ Output.14 = ca095da39d9c21d7da073d9c95d2e415503b33c327d739f1838bbea4fc6f0254fdaf8ef6152e9263f46b864f39c7104d1d337d99fee588061152e623d7e00a27e03b5d16fe6e543453a31d4dafeda3b5
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -31920,6 +31963,7 @@ Nonce.14 = 4e838a124e4b53df
+ PersonalisationString.14 = 163e393b290a4d390ab0beb392f52d26
+ Output.14 = 76234afc296ea36a44254f999ac31fca258a24427cf4bfe2c54495fc41478ec4a00b540659b3b9461cc6188bc1f57c19ae414bd18aa81eca7b9d765a784f0ef24335e46c2c77b8dc915f5d12c26bc653
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -32015,6 +32059,7 @@ AdditionalInputA.14 = 27486f8dae1b36462639ff7eee869a29
+ AdditionalInputB.14 = d1bfc7eabd8eddf622297012169f351b
+ Output.14 = 4c893c3d1ed3a190fa88e159d6c99f26a02fb5fccb98bdef9fe43f1f492f490109224ba6c317db9569f618984409f2fb3db0b1e2cd4b95746f159cca76f1204f6d2a4c455c547a39a5f79fec95c8f4cd
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -32065,6 +32110,7 @@ Entropy.14 = f484b922f492d19b58407c242ab90e76
+ Nonce.14 = 8952a0a4b666b0c8
+ Output.14 = 2d77235fa273cab3c1bb176d44817cc25300b3f0172a0b5aaa66b282c015d426edec5f1ebbfc0269956b85994167992a71002586923ea234be6c5df09f47d89132e440827b89f7ff97e032b3f74fe32f
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -32145,6 +32191,7 @@ AdditionalInputA.14 = 9e3ea6eac120d663e330d282ca9b9d7c
+ AdditionalInputB.14 = b8d71fce7779a9906b9790cd1d4e48d5
+ Output.14 = 63d28a300a329ca202b98498c9f46912620bc85c246f034dca4186cd9b0e0810a363785878effde90aec8cb584862524eebf940c44fed21cb580d4115f3e0dda07e0e4a66689c2ff3e9b87edfaa4d051
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -32210,6 +32257,7 @@ Nonce.14 = 7239f92b63fb3dbe
+ PersonalisationString.14 = 8d2e2ca3985bd2538a71f02cc3eb5568
+ Output.14 = 0e4cb328c03faaedbec7215725851069bceae4332de6a70e3521dd065f2f7923485969571ebd7f24be460fd901c6b3e356da6ee5262ef2d76ad14eb0f697f8fb92af2f46630198c5f7018860886147b3
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -33481,6 +33529,7 @@ AdditionalInputA.14 = e5c633ca50dcd83e0a34d397df53f6d7a6f7170a3f81f0e6
+ AdditionalInputB.14 = 5f0beb5a2d2968e83ba87c92bfa420fd6e8526fbbfdea128
+ Output.14 = 8bec11df1022aa50d95daeaf23d78d6ee45c43c5768b90181e106c7df8ff333d7cb87ca1ab83f8742370db1c8c0c0c22f141ff4de33ae8bdb14fee7e6c069819320629c66d94c7c97ff52930a3c1dcd501b60f0f84bda4720ee187ae858a6e068326eda5809716e366d1b608c61b0100
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -33531,6 +33580,7 @@ Entropy.14 = 1194beb668839c47c73e7516f9ba09d23dec3553b3b5532f75b260106dcc2abf
+ Nonce.14 = 3c8a77351e93065d584feeb08c8424a9
+ Output.14 = fabd48bfcdd07968239fe538c2d8c9bde2e257b9b244078f39287c7ee90de167fff56a693c4e64f45081635511b5fd031c0270a31b4a014e44c0516a55ae72345aa11dffcda4ccf8cda50f6948d5ae425d8d53ad5c74cef1364277990156796e1c5dfa1ef095c0d8983477eb24241135760b02c86c86d4ec3627edac8c1a7e32
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -33611,6 +33661,7 @@ AdditionalInputA.14 = 626385595bef7103af0af700e1df048d7572286af709289b7894d2ab09
+ AdditionalInputB.14 = bfe8946dbf27d3a2127ec600351c3920d2531eb9419408233e0a888059b5eb68
+ Output.14 = ee6d07661828213e6453d94faaf76345c70949eca4965714c350313b0bcd8e079e6a07f8b2f7a91bcb7ef39a61568fd1c40ab78f154b3582f830095d571de29f81f9565e46b560d34c32bff55341a991f8e863bd9242c7cdd366be12538bb6922f1abfa19e7998aac61d465fc46538ee9142acc66786f4516ef4105fe1d80372
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -33676,6 +33727,7 @@ Nonce.14 = de2186bafa82b0d08a0b8215e3424512
+ PersonalisationString.14 = d96db27febe22db935b117dc3068374e39c5b2119b497e3c1d858ef649e01de5
+ Output.14 = d04435a8aab397cfcee5151f7aa24298ffc6eee4f577cda42d5e154b8d28cb2f0f945f11a15ed5b76486c88f03081cfd262d94a8e0b332e3c9c608461dcc8eba20d7db209810d25c226fda9fe218022a9b2c96876cb16c06c0553dd84ce57e20338c3d3e03c59ce22e668e25c2c50d5cc9afab91f50a28680964c2dacb9d2fb3
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -33771,6 +33823,7 @@ AdditionalInputA.14 = 5d9446eff72d59529a90b498d8f40983b3b2904f63664fc0aa1de8700d
+ AdditionalInputB.14 = e19707aafa391e8622539d52a05d930292bd0f7c17825dbed5fb7a2f8734081b
+ Output.14 = 6ce2ae37349cbef9ebd1f9b85485810a22d430d94abf66912dd7b6cc751400e777be2f1cebc19d65694a456b2c6429cefd95eb934030846708d50be3b274c2f7de299f3c311038491f271448c7d02ff51de048fa1184e8ee06b7b46a9f123daecbebae4a2183dc8eb6976abf0dae7cdbea6017cd1500f37dfadcce0c1956ea87
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -33821,6 +33874,7 @@ Entropy.14 = a7a1dbf7f828555610197e71e0ad563b8691589c5289ced03e9ef83b6f9ff938
+ Nonce.14 = 4274788c5d80e26ec1ac3a57b9c7c0df
+ Output.14 = 5a907a26c1ef588219d4c69fcf4c5c283ab148a77588a40b323bd24e6dfb29551c4b6116c4d61349f5f8bd9ed497f38b239c37283902beb3c9700c768fa289ee4573f92316efb860a5ca4267b328f03c13138b774b4b9f7516003a699f7a0854a0efb045a5932753a771c2cc6119202b33336f10edb715bcce1d20ff503dda01
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -33901,6 +33955,7 @@ AdditionalInputA.14 = de1bbca12357943b4489cc7209b3f063b51b91acc168ec5e0ad88048b6
+ AdditionalInputB.14 = 6ddd9aba4f100ef902ba50adee53ef44a4f45564c13e774e69557e36a357e7cf
+ Output.14 = 544ec80a966644454886fb97a0f05eb6a4a25fcbce795b5e5b27ee06ba14b7de18dbf54f80a670b87c76c336ac9af16c8958ad6c1bde9a97aa4c1ab5823d24a53c64f6766ce6eb9b7085cf7282499c37fc1e2e825f53bc357bf36d5901e0ae93cd3bd821fa18b5aa17548560f7ad6ef38124814fccf9b2b89de61cfc27c7269b
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -33966,6 +34021,7 @@ Nonce.14 = ab7843b73ecb4858f2cc5e9dfca803ef
+ PersonalisationString.14 = dee559515084d8ac49c3803f09f3d5fed3b307946a2752c267677f22786a0125
+ Output.14 = a12f5e8ea3bb174934c15e5d114ba615da33210c98c38d7fde4b5aef9aecdeaef311d929d7fece7fee11db67134c3326b413b8dc17766ba4fb881105db68688b148fd95d812f6538b14f25afaae84d39025336136d270bd643f2a6c7164930372fb1c8f4f0dab60283e9d8d3440ce8dc66761c5d5c4c13cc3a367feb4869b559
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -34061,6 +34117,7 @@ AdditionalInputA.14 = ead8c0dcf4ddc909aab96eadab509a46908ee5f090983af609f08d8a8b
+ AdditionalInputB.14 = f357bda8f2048929a4e31969ec978cc333d58b4fc09a8aa1b73ec9bdfaa1a8f6
+ Output.14 = 901aabb3f065be08e2f8072d5d3ffcb28ab291420644e407e7a6a3346b75a5be535bdbdd5a8245998689450292df877233ef0783e0bd1765413193790995d884ffcb2c8dc35fe4cfc12def2f091866d735b1dcfc9d8d8c26903d50e9397b1bbd674bb81fc908361b2bddb68f02031d87588cc3e94210422674e93fea6a5329af
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -34111,6 +34168,7 @@ Entropy.14 = dfa94c198483c5daa046f1dd1e4e83f854fd6c5cbc3465f671bdfd36837779ab
+ Nonce.14 = 298de64bbd817d009a71c1424ae839f9
+ Output.14 = bfb9a54ce31406a82608aebc826441f8f633813a0c3bad723b802f3e905a6ee3512ff3513062aea51f93be17aebf1cfcd81868e85db3db9aa98680f974001fda8fe6a644f5efbb9d6e52e99ff606ef1ed7cd3b17fa6c6844790ed58da6df61aba0c200d7dff943588f4520891798098bddc65797b2f99c05efa090c60dc48a4e
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -34191,6 +34249,7 @@ AdditionalInputA.14 = 066b072d48f6cc6bb00273e0bc0ebc086235fe79af1fbdb46318f56c62
+ AdditionalInputB.14 = cfb58f59c6d56993b9f0b5ba1643554072cf4ae8013c236120044ae909083f5f
+ Output.14 = d5dd7f55ffa7d53fc0f679cddadeb869f39b29a6d394c9f1185b11ebefbcb43419c6a26ae3c9ab9d456e2cdba1aead05e67eabd3596526ee431ba7cab7f94838062fcec2363cf0e19849ffef30064263b3a059ce38aa02c2729bff5af9450e035161816724163906112205196c642bfd70f36abb4639fd6e4f7f6a879ebbcc62
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -34256,6 +34315,7 @@ Nonce.14 = ea7d3c3b8f6da0667d7f0d543c68d7d1
+ PersonalisationString.14 = 86c20a7e794c887898d5bc00e98398276a4e3ad8d674fb808a63a44330490d2b
+ Output.14 = ee8e21ff48af611a17d33e130f4e4224330efcc1402b6d55aaf1f514553b880f18df68c0e4279854eb2e9b904c552f69f0e1badc347ebe336b70456f221e07a2fc78df72551d99df3755997029ee1461e2b6e396370096d7e8c2dfceb73214a72ae2b25ccc60b92dd71988eda811ceac4b7c335528249aaf82826a14c142007c
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -34351,6 +34411,7 @@ AdditionalInputA.14 = ea12ddcafa4f578b8b43337508dd8627844d185b10af7de7e907d113c6
+ AdditionalInputB.14 = 0cc670275cd2b0eac5df123eb1fd73c2f2b093b76806943918cf49930fa97515
+ Output.14 = 88dc727007c0e03c8d27d00c87876f8990b271964a5275f636ecd7f18cac9c869e5f9df5fb2d34e7f89c2e9819af562a706a03d9be9318896f5ab16573aebbfd94a681cbf27e7202b8674437667893246c267785d0deca5033de88a61bf5158177391c2e3232ea6f812c468d5629ed9f89ad0bec0f6c7a469f56331f9eba1cd2
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -34401,6 +34462,7 @@ Entropy.14 = 6b9f904ac4b16d36e06a1bddc501d7ef98d5685c1ceadd0a6e1622e0c1e73716
+ Nonce.14 = 4a42f39e5a241a2b96db29055159c91f
+ Output.14 = 785014b0460831b7b67346c6997217b0f6c8e7313687ea6ff4d0b09a0786bd6ac362a0b1ddc6ab8c9c624625a379cbec7f11cf30ddab23cdec054b986175cdae0ca4ba4610e0711bc94e9ab706539d5fa2c1a4fd3cd49042696b58dce465f8e09a200e7d214cda357021c62248a01aeb95f8ffa8bd49d354fdccf4c71eec3491
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -34481,6 +34543,7 @@ AdditionalInputA.14 = 147d51711ae8a420f165db0000d9d0cb9e9cd5447311eed43d7cc9217d
+ AdditionalInputB.14 = 2910968bb1976a1b8ced116e673f408da6fc563695c918ac0a230b0bb800c707
+ Output.14 = 357a7269b30ca744e213d894f5c45d0db9fba897e0c863a56062f5018ad9be9f37b8d550014ed68f2c34bf5195c0b7460df171ff3bd4a590578670c92470d876c8de19d48a6d7fa15fc7996be78d3cc8a5c657439f4bb9865bd56e187d5df2531a405e3e0f4b87c611aa8e226b8b0266290f06f8062456a7a4bf0896e4ddd948
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -34546,6 +34609,7 @@ Nonce.14 = 66ad2a0d5de624f3d709cc95e5c99220
+ PersonalisationString.14 = 6f7f8f1ffdcf859adcf6020d5cffdd8e3e1bdcaef0b22e9e61384b888f1b3537
+ Output.14 = 1bc4cd76787f031df8e4f592f56a845f7d8aa200aca0b910e68f149cde112d0f1e127faa7fae25ca4299eacf9e49e132f3e4083f1c5fb0304b714f06cea122bc1392cbe18289d2411ae08642a9196b654a8b177c127b9215f9df815eceb254b8d9b4f632d25d123ceec686124e58b3606ff1ce51fce0752f42232c03694a1d8a
+ 
++Availablein = default
+ RAND = HASH-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -39331,6 +39395,7 @@ Output.14 = c731cc7b21c42730bd3cca61fc5250b507ad08b24ac471d526f2217f15dc4d1fea85
+ 
+ Title = HMAC DRBG No Reseed Tests (from NIST test vectors)
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -39381,6 +39446,7 @@ Entropy.14 = 5d80883ce24feb3911fdeb8e730f9588
+ Nonce.14 = 6a63c01478ecd62b
+ Output.14 = 9e351b853091add2047e9ea2da07d41fa4ace03db3d4a43217e802352f1c97382ed7afee5cb2cf5848a93ce0a25a28cdc8e96ccdf14875cb9f845790800d542bac81d0be53376385baa5e7cbe2c3b469
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -39461,6 +39527,7 @@ AdditionalInputA.14 = 7206a271499fb2ef9087fb8843b1ed64
+ AdditionalInputB.14 = f14b17febd813294b3c4b22b7bae71b0
+ Output.14 = 49c35814f44b54bf13f0db52bd8a7651d060ddae0b6dde8edbeb003dbc30a7ffea1ea5b08ebe1d50b52410b972bec51fd174190671eecae201568b73deb0454194ef5c7b57b13320a0ac4dd60c04ae3b
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -39526,6 +39593,7 @@ Nonce.14 = 296bfe331b6578e6
+ PersonalisationString.14 = 4fccbf2d3c73a8e1e92273a33e648eaa
+ Output.14 = 90dc6e1532022a9fe2161604fc79536b4afd9af06ab8adbb77f7490b355d0db3368d102d723a0d0f70d10475f9e99771fb774f7ad0ba7b5fe22a50bfda89e0215a014dc1f1605939590aa783360eb52e
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -39621,6 +39689,7 @@ AdditionalInputA.14 = 4de6c923346d7adc16bbe89b9a184a79
+ AdditionalInputB.14 = 9e9e3412635aec6fcfb9d00da0c49fb3
+ Output.14 = 48ac8646b334e7434e5f73d60a8f6741e472baabe525257b78151c20872f331c169abe25faf800991f3d0a45c65e71261be0c8e14a1a8a6df9c6a80834a4f2237e23abd750f845ccbb4a46250ab1bb63
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -39671,6 +39740,7 @@ Entropy.14 = f41d60edb7749acb68111045000ccef2
+ Nonce.14 = bb5fb8962ca3002f
+ Output.14 = 262821119be1ee0bceedc1bcfd04f7fa2e199b2a7522c4a3a98c4174e0ac4ddcf7323dee2fcf9fbd2fe26c4fad347f7199be105730441f042865aeef50b89c00aa661361b6a1f20849bc7c70aa294543
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -39751,6 +39821,7 @@ AdditionalInputA.14 = b4894bbb6435ffeb710bf5ae440bd744
+ AdditionalInputB.14 = 689fb48c27983ededdd56d5a6b2c0345
+ Output.14 = dfe8a9e17b938a1782fc3dba4f234dd9c9e36b67b28e1d901ca6b3628689aa4d2ae6b005ae3ce97e0d1e645da2710162294606ce51638b91e9c46d8f7f4f1a217e44c36b560f78b0541fececcf49b9b9
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -39816,6 +39887,7 @@ Nonce.14 = 3c9434b7d7e18472
+ PersonalisationString.14 = 55bfc33da17f712877829b7f8a134e55
+ Output.14 = 705950e4790ada95b99ace57e31115610ebc65d755fe587eae8fb1aeae463bea8b50a278f45e61d3433272ec31b0d48afcf219f5f4a0adb20537be9c7cb65911df28976aed4b4278cc524639a1ca5f40
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -39911,6 +39983,7 @@ AdditionalInputA.14 = 7ee4f3670c4671f128cbd743c408bdd1
+ AdditionalInputB.14 = 38f8003e8fb8c119534a2c3400a87f8d
+ Output.14 = fedbb1636b83c5cc5379c9aa4d1319df6d30770e469c2f7bd65b4b74d9bc880d520e11b2c3642a7c4cb6d6138d1d92f716317dd762c0a841e56e7e0226971a7f470e918d44b4f374f9e7e3b5209516d3
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -39961,6 +40034,7 @@ Entropy.14 = 5b6aaaf5c4e5acdacd2c0c14648eeb3f
+ Nonce.14 = 353cc1174da7f766
+ Output.14 = f7664dd99fb870dad1a45a4ddb870c9936fb42b3a063336e447f15703c5a95dd79eacd9f41cd0c1b4f2e1a45229aca140f463c1beab47aa0525e5bd6e1accf360bc8525430ba05fd14d1f008009fd586
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -40041,6 +40115,7 @@ AdditionalInputA.14 = 4eb5c1192fa86b355237b5a8bd43ebf9
+ AdditionalInputB.14 = 7323d1a6f983b7d16df6b0aa9d14adb4
+ Output.14 = cd41a0d7371b2eeb790fa8335660385c418ba84507ba94d1d1015b3353cdcad556993c19388461fd2cce38cc9fbc00e707b18dea9d712ac0616b443b23aee8131c295a1a741ffde36b2032bdb8ae2f6f
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -40106,6 +40181,7 @@ Nonce.14 = 9bee7502db25ae7f
+ PersonalisationString.14 = d0e8fa47aed6b67ca4e8e521f733921c
+ Output.14 = 3c649d295fd9b98082706f3f841f5275834143698c202da4c881c7d0a3c9995329a54d440fc4d21ab596e95e5b6651c6e7138b332c97ef771bc6e3b0b3fa09090ffb402ed1116d8395e5f1cfea3eae6b
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -40201,6 +40277,7 @@ AdditionalInputA.14 = d56ade0d74ea34577eb12a899d18d382
+ AdditionalInputB.14 = ea83bdba8490ffd136def5f7d9240c59
+ Output.14 = cd3d8174d8af97387ff02707d2757ce685ffb5d8dd91d95b8af4a3a757f9321b0e908096cd1321de0599640b7d81f43606b12e029ae158ed568ce1db429be75285c655e15f88da859f09b4cd843a0b61
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -40251,6 +40328,7 @@ Entropy.14 = 1c3fc8de26ddc78651c9c2e4ba874ee0
+ Nonce.14 = ca6a2d3cc5495dd0
+ Output.14 = d00ff8d3b8ca273cf7c3650e36c892018c0f765da45ab5b902c5accb30ffe01a99d3b86752195dc9aa1232fc852790ef51860fd114bdc78ae02acb5ab2021ec726829591d623b0b66329e641c1f915ce
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -40331,6 +40409,7 @@ AdditionalInputA.14 = b180d77e0ef217268d2d4dc9d4a9532f
+ AdditionalInputB.14 = b192957f3e98f7595768d00834eee1d9
+ Output.14 = 7d4791ccae7980ad19e5d8eb8932ea8ea1756710349ab8b771558cfe471a278dcc263b737486179a4ffad12d5311d23912c3a46f07152808d288be2dfd2b315fc4f6df6418029be52daed643dd3c6110
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -40396,6 +40475,7 @@ Nonce.14 = 84f7310a7ab653e6
+ PersonalisationString.14 = 0fb2233c2cea27d17b6dd93bc4621285
+ Output.14 = a2f373a523ac9f2524b059d0c23bcaa905e15948c7ebf71b6e82150aef562dae4003c1a8a3748cfd553d9a51a8f9450b9d569d96d897fed50eee23978e49b364c64db63fac9dc0fe9e8b58836aa04a74
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 0
+@@ -41667,6 +41747,7 @@ AdditionalInputA.14 = a58757b98280d90e84d6cf4e2fa89c01a9e6aad22d6cff0d
+ AdditionalInputB.14 = a3f5de1ec6d0ccd39fa153899f0c1a414106a2aa182acf31
+ Output.14 = b1797707f1217d81c8463b44957df350dd139073b056c50d1c912fa111f9cb488bfb7d2ec6faebd078171cd6b71171ae33698ff96c7225d7fd36ddcfeb2630464974d12b3e03877bc73ce1a2f89aea7ff7ddc8ac85708b35dd94d3972875e2d3e7237ec33871e99301202b52e2ff89db
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -41717,6 +41798,7 @@ Entropy.14 = 451ed024bc4b95f1025b14ec3616f5e42e80824541dc795a2f07500f92adc665
+ Nonce.14 = 2f28e6ee8de5879db1eccd58c994e5f0
+ Output.14 = 3fb637085ab75f4e95655faae95885166a5fbb423bb03dbf0543be063bcd48799c4f05d4e522634d9275fe02e1edd920e26d9accd43709cb0d8f6e50aa54a5f3bdd618be23cf73ef736ed0ef7524b0d14d5bef8c8aec1cf1ed3e1c38a808b35e61a44078127c7cb3a8fd7addfa50fcf3ff3bc6d6bc355d5436fe9b71eb44f7fd
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -41797,6 +41879,7 @@ AdditionalInputA.14 = 4f53db89b9ba7fc00767bc751fb8f3c103fe0f76acd6d5c7891ab15b2b
+ AdditionalInputB.14 = 582c2a7d34679088cca6bd28723c99aac07db46c332dc0153d1673256903b446
+ Output.14 = 6311f4c0c4cd1f86bd48349abb9eb930d4f63df5e5f7217d1d1b91a71d8a6938b0ad2b3e897bd7e3d8703db125fab30e03464fad41e5ddf5bf9aeeb5161b244468cfb26a9d956931a5412c97d64188b0da1bd907819c686f39af82e91cfeef0cbffb5d1e229e383bed26d06412988640706815a6e820796876f416653e464961
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -41862,6 +41945,7 @@ Nonce.14 = a59394e0af764e2f21cf751f623ffa6c
+ PersonalisationString.14 = eb8164b3bf6c1750a8de8528af16cffdf400856d82260acd5958894a98afeed5
+ Output.14 = fc5701b508f0264f4fdb88414768e1afb0a5b445400dcfdeddd0eba67b4fea8c056d79a69fd050759fb3d626b29adb8438326fd583f1ba0475ce7707bd294ab01743d077605866425b1cbd0f6c7bba972b30fbe9fce0a719b044fcc1394354895a9f8304a2b5101909808ddfdf66df6237142b6566588e4e1e8949b90c27fc1f
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -41957,6 +42041,7 @@ AdditionalInputA.14 = 288e948a551284eb3cb23e26299955c2fb8f063c132a92683c1615ecae
+ AdditionalInputB.14 = d975b22f79e34acf5db25a2a167ef60a10682dd9964e15533d75f7fa9efc5dcb
+ Output.14 = ee8d707eea9bc7080d58768c8c64a991606bb808600cafab834db8bc884f866941b4a7eb8d0334d876c0f1151bccc7ce8970593dad0c1809075ce6dbca54c4d4667227331eeac97f83ccb76901762f153c5e8562a8ccf12c8a1f2f480ec6f1975ac097a49770219107d4edea54fb5ee23a8403874929d073d7ef0526a647011a
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -42007,6 +42092,7 @@ Entropy.14 = 17da1efd3e5250dfde3ef1683bd9cf4d4432a2f223399664f7645763bebd5ebd
+ Nonce.14 = 0b160c67b97d5302972b5c517bed5a7c
+ Output.14 = 859bab959dd16f2cddb05376b3d3e46cd13c191c18203bf3c0bbd5803cc559aacce48d88564166fd5f43c22d08cda1acd8004f36915739796a39ca96f8e7def14b58a8ee55ff72de7e2e2727389e027657447e32e47d4ea2f0fda48e86046d111cc334bebf4ee1019199c94fdb26169661cec0b0c47176cb5fb7aed8ad35afb1
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -42087,6 +42173,7 @@ AdditionalInputA.14 = 50687524beffed38fe27963340483886645153311dbd4d10d86e7d6b26
+ AdditionalInputB.14 = 1e3ebe4a54c3092d540ad2898ec3be1af84a1d515c013632402ffdeede7caa8b
+ Output.14 = 007139a46072d9dbb6589b8ecf5f287d3aebb13b480ffcd6e95f0b2f916cd99e75f30a21971298257a80c17e9e41f8e0874dc9da8f6c18007a6e4cd5971df083ae62bb7b9f1bd4926f17e5574535f6009c0068b4ea3a50e2ba6c6aa6c7729fbe8ba58b4b795740ff6ae2f3d6fbe3e06828080cd1dcfb11771ec98ad9e0bac0b7
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -42152,6 +42239,7 @@ Nonce.14 = 2b653a89e549e3b1ee7817f5864fa684
+ PersonalisationString.14 = 814146b3b340e042557b0e8482fcc496a14c02d89195782679172e99654991ed
+ Output.14 = 3ea100cf50c25d7b2ef286b5fa0720f344de2d568979e7349befa23589083e835205cdf6a4670722fff04260e54618c9c00af75cc26eee665b64e7e628ec4c56a8086dcd583681170f60d565bd97d0f416e4c231e281081b0fcd16c8db63ea9029abbfcb068bf57a36364aa9e27603f447adf337baa35f049a129abdc899f808
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -42247,6 +42335,7 @@ AdditionalInputA.14 = 95f6df9905b652de6d08399f61956acf943fe412bc71de60d6b69881f8
+ AdditionalInputB.14 = 87b818568ed80f7c2e8f5b5d7be403f8badf9fa0e716aaf1d6409957b242aa07
+ Output.14 = 45b5182f313a26008bb4ab82f68a12e7c783c243ba1ac6d8bfaed44ddddb607f964ace9c3505d59ef5a3691143a4845491661a1dff8ac4de2e56b54e263ac3aef86966fd656b5a65d4f3b89731d50fa919663bd5691678ee5f8f499e84b1822bd0b91409b62cf98c176df7e812513f3252d25d15fe13ef9f253af477d16bcfcd
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -42297,6 +42386,7 @@ Entropy.14 = 32695b2c55839eb3a048fabedcae1f23bf0c7206280ba4ba0d08b9bd9f119908
+ Nonce.14 = 01f2a4cf8a9311abe5ecf58d6661dc5a
+ Output.14 = 4a4f44f418d585e03f508f2ff05345abffeafd75f610a957be7f3ccaae31ba28e69bf8ae441a405fdbc0ee761e39c76b69062f5a3866fc296be1ad306e6584ab2d250d717605c70a17c46a298f714e4e820c85a1fb84f4d61b9857a40c2902193ad703c78635a2791abe6abca6124229ed75827135c27f1a04d244e1d73ff059
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -42377,6 +42467,7 @@ AdditionalInputA.14 = 2e51dbbfda8c92f2c838bd85ca5dfd7f35504fae1ad438431b61c2f062
+ AdditionalInputB.14 = 00f507a359585778988b6bb6b91f23d4ab29d2adbe632e4cd4646c8cd5f1b76a
+ Output.14 = b7adbbf07414551464711ad9a718315b0587db2782d34179b70b4c0e323a91ad9de40933023e3a6be71cd50dc58953ad1bf66354bc45dcd9ea23682d487b43903a8f426182536e170af8b04460c586d8ca56e4c307ab7116d8130634dc9a58e1c3077bbddd6bd58c8a0fb9b18c4b839aacf5fcd711c611db120e6a605745e86a
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -42442,6 +42533,7 @@ Nonce.14 = 3f9e88b93a6e69d070328c2c570c3be9
+ PersonalisationString.14 = bbe702bbd2265e73aa073f47ce55fb65902abbe51635b414df688c60868546e1
+ Output.14 = 0280555ba6b2379dce7cd56615d7d86feadb8ad995e2852a0607e663a34b1e0342c7bc649adcb204e271eeb87521591fad74b3bd841971cb100ae5f21599b732d8c5f9d578c1113da7034b580013720e62b1d013e28205d5024f8b1eb3219e6cf821792713354cf1349d32a64f32ecdbd7578c55e401fbea57f21ea3ebef0f9f
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -42537,6 +42629,7 @@ AdditionalInputA.14 = 38684dfa6edbd61e464e49f7d01932802a5a5d824db6b1df6087e84a8e
+ AdditionalInputB.14 = 4949b08a12656c497cc6760791982c0d4e674b0f8a14be730a91689ee77e981a
+ Output.14 = fda39bf8dc1aa785422281dec946bad99d5ead17cac55d47bdb9bd0a80a72f3c611f92bcf29e3e45475426a7a9f139b755f332cf75035b047697f4131c9bbc9ee825ede9a743b14f02dea122194405864aa2b538ed5cdf40ecf81e02bed1556ce0e7974548f050b084b8f3626c0fb2c7272d42cdcb039af4c7d957e285b53b5b
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -42587,6 +42680,7 @@ Entropy.14 = 1006646f977b83f4d90870f24b3b72d0b4947037f7671a64ce3b52829506a519
+ Nonce.14 = 5698d50f59c42b26339d218fc985a41d
+ Output.14 = 44ab1d22fd3a84f8847c33d0fb0aea66408d5181b8ea95416beddd9784d86d72d2851857b503253016036246cea11f2ad2bd18fe56508697a50b14e7c85bd9b002deadbce5ff9f72508b6ebce741dd7803a2d8633dbec235cccd37c089c9d747a52000ed4cc1dc8545ddb65e784a698bdc74a6ff4fd7b3dbed31a22f83b4fd8f
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -42667,6 +42761,7 @@ AdditionalInputA.14 = 8d72118578abbd90ddbe6115ab10b499afa26c2360eaf6fa118ba590ac
+ AdditionalInputB.14 = 6ca4d45fcbd0c7e964557b2bd7622a528b4722335b47383f7bca004b7cd5cf04
+ Output.14 = 360d9ff3111c6b713fc641b571b582770991885f2fea806a485006a1b4f41ece4ce83dcabfd403edde77780c044c96e85ce5d1f1a368ad881a64be8c41e87f0a682ab67170ae05a24b08b4a9178d13ac9928ecb3b5e23e745d93aaa5f111c335c77cb9a5c3da8163cb428fef60da737b884105ae57616637b0e40bad9594bd51
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -42732,6 +42827,7 @@ Nonce.14 = 50f723edc4f658862758e149e7ae4f20
+ PersonalisationString.14 = 39d43e627ab7c7a6d12fce4cd8c001678bfadd9d07d4086674e5d8bdef4ac62e
+ Output.14 = 02e68bf3f78812aa270619b307dc0e57b05b8310084ecd1914a67d93b77127e0b3ec40e359adc451eac8788ac708fde70575fc1b9bbfd291bf5b8d7bda7bcc23a0271ba0bb0e6d617132399bd6cedf5a9a683ea98b3b0dd3bc6d811e4f66c9ec751012992cf54e3ce474e09b31ba9c01ea231d4fa8f09441e204c4d3285c78d0
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-256
+ PredictionResistance = 0
+@@ -44003,6 +44099,7 @@ AdditionalInputA.14 = 73cd5580972f69bb4b0d0cd8915a5b594c3a9fa40b82d6b37446dff4c0
+ AdditionalInputB.14 = 304c2001d8bfb9f1b23f3b336db9f5da17752cbaba782d8932d2641aab4c34b8
+ Output.14 = 5771705c788e15fd5f656d4b5555d532ee4c48453be651a69c30fa706abe7719d9842028c667fab59aab97fe64a6140baa5d42dbfb7ecd58f2ce557a7b8b2c01669232e0b8bb0ddc6ef8dbe627ec5b370ec74553640982a14bd38ad9824b9651b717f8e90f539c42d04f7cff648c38b26abf38dd2a777348a4c2872f6551ef0f9e148bec810025779e7cbe1055cb0250a764fca5a1feba53bba64b7ea0c4dd3d56a7e6b4f8a157264e6666d356fe5a7a29fde7f4391662c4e69f471c21c6beeb
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -44053,6 +44150,7 @@ Entropy.14 = 2c13e44674e89aa105fc11b05e8526769a53ab0b4688f3d0d9cf23af4c8469bb
+ Nonce.14 = 700ac6a616c1d1bb7bd8ff7e96a4d250
+ Output.14 = 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
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -44133,6 +44231,7 @@ AdditionalInputA.14 = 6cfccdd8253cc5b284701ef8d16f8888f79100373a7df50f43a122591b
+ AdditionalInputB.14 = 5795ae5be47a7f793423820352505e3890bac3805c102020e48226deab70140a
+ Output.14 = 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
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -44198,6 +44297,7 @@ Nonce.14 = fff1f2e2ac117af8b2cb023f0dd6c6ea
+ PersonalisationString.14 = 0a4c2df69d6c69df0a9c58ab7c886ed9db294f5fe98eb066fde543b409ee91e0
+ Output.14 = 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
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -44293,6 +44393,7 @@ AdditionalInputA.14 = 2b2dbe3834d8be93f1396b19be83bd96823dd82740da71c5eeb7b21865
+ AdditionalInputB.14 = 49c322fc1bec86d3e20628d9bdc1644e6f5e0237c7c694746bfee32a00145696
+ Output.14 = 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
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -44343,6 +44444,7 @@ Entropy.14 = 1436be35237c34bac5b5b36b24c998380883fb52621daa420112cb57bc84745c
+ Nonce.14 = ed884f91a94c1b0a51f316df776283af
+ Output.14 = 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
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -44423,6 +44525,7 @@ AdditionalInputA.14 = 48e994654ab1d109511a3b34f5fa9f12b8da17da510d7a71e3839ba86b
+ AdditionalInputB.14 = 949ee0617b277a3ddf4a51343104704775d91797be1826d78051496a87d9113d
+ Output.14 = c4bce916b00a8583ebe1e85feaa1f076315ec9433e18afa1252061a62fc7558491678cb31048e4b4551b697e8dcb58dff951337f0fb7a41546d9a7838a1da149cb44558d324eab9e7ae147e8ead666e3d4eabc9978626efc8710ba8b5eb485d5693e5d6cac36ddd3a1a878ffbc77e9ec5d333cdae2b5803dcbba70d4e0dc60366dae5cf25990f3ae6147c99ec6c998397a1ac02b1b6ef6867aa897ca90b7fb938e3ddeef57e40897a644a4f08e37c995210e00f07145d5b3620ce673072525f9f74adf79ad703c4a09adc6eadcf77e76c6b032270d4c68f01672decf9aa0e941086188304fc33a28f53bf121df747b7dfdc00ddfe68f6d06ab7e82295f70652e
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -44488,6 +44591,7 @@ Nonce.14 = 70916df78dd9ea799230435b3e48686b
+ PersonalisationString.14 = bf755696adb9c92839798798f836b063cbbe987f0163ef3f4a97222c888f5da0
+ Output.14 = 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
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -44583,6 +44687,7 @@ AdditionalInputA.14 = 6f9f47857a60b6f3f9fe9a83ebcec5f16ca73e236d2af5b0daab45c0b9
+ AdditionalInputB.14 = e6628fbe4a774bc5383218302b7c565da5a5bd9f19db6182b444af5ae5f62739
+ Output.14 = 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
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -44633,6 +44738,7 @@ Entropy.14 = f5ee32b61bd57a4a4d51309e846f636560a8bb2a576c65d37a3f715ff1878014
+ Nonce.14 = c638557dae4f9ab6e078c61d54d0f566
+ Output.14 = 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
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -44713,6 +44819,7 @@ AdditionalInputA.14 = db7b290176b65f826aac2190a912672f8a9c97815706af33732f68b1f7
+ AdditionalInputB.14 = 13425f17d8fbcca3b4d7793a53507a85813f6f50d3365d680c0620d5fe1bfc33
+ Output.14 = 12d4cfe6574dddbf9de82b8a357bbd6e32a3addb7022c313ac401d0aecfbdfbc7229822f7db9012e8bb0e2907fd48d3eb435ef8368802e5eb948f1bd8d47569b694e23979652f6978b568d7e2288b596afbc67b6c1e0d662240356dc6257d9d273a9ca9f7dfc9bd4175a50ad5b328056c37046e734a76384d7418591a7604f332a457f2fbb277dce4fd2729fdd1319dc3a56b9901a50dc90feaf5969cd9e450bd8716e44253ca55c4e1dcf791658cc467cfba613c27a96f67bd68dd8ccf46bbca4294a0f548b919626d1712ed4290ec90c1098a082699450738d32a8c6516d83bd54a42413bc0ea0b37fe5d6b0663806df67f61d2c553aba3aed3f9aff111d2d
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -44778,6 +44885,7 @@ Nonce.14 = c600da30d68cddd9b823433845111880
+ PersonalisationString.14 = 8896ff67866ff1f59c8e5074d91e6b9112410c9b6a1eefbcf05a1b8c7123dc89
+ Output.14 = ad8150de910a0bbdad0a674d032919ac3304d5977fc43ad5d5b1fa9be46f22e94f5c2747db228315b0d0505867fd97f9b1582f97b4693ed542c416df1847a85bcd4ad07d6348a4df78412e3df4e675def7f44b1895a8a2156c811040a46198a863c0107aebc3a426b4c2b9ac294b227d323879a70cdf7ceeee7f6f51f102c3ba4ae9a7343aff295b664c869f2c2d6e4396362fdae7d9b5eb0802f37ff7a3a7f1c944044b1bd9b21fbf23f191c6f538398164c2d1b67390e7b059b1c9f5bb031b89a23895ac65770182c8072fb0ad4a7be055d9a4653d08e6b22a61ebdfb66adec2629030f47aca70a06d68c9e1c041ceb2dc9bcd1ceaf61655ef7bbb1653f3d6
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -44873,6 +44981,7 @@ AdditionalInputA.14 = 4adc98c66aa72da2c63172aba2a6c59fb20aa7b195a0b79edc709bfa99
+ AdditionalInputB.14 = 83485ecbf938b8035d047956a3a1bea5adb66c4a7a24b21dfce4269681c31bae
+ Output.14 = 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
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -44923,6 +45032,7 @@ Entropy.14 = 60da58990a377a615436ef43b1199f88c7a4629653dde2350a4c5115c42e52f6
+ Nonce.14 = 592033d0de138ae7082c03553e3bfdf9
+ Output.14 = 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
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -45003,6 +45113,7 @@ AdditionalInputA.14 = 967911f9412d40f2c62e43f48ff965bb1579a2ace388c781e125fe70f4
+ AdditionalInputB.14 = 052c401de1053b8dea309196bb8e326d4b643371976d1ff6be0a6ea4ad27e5e9
+ Output.14 = f7e8cdc3f8d2796414b9c83486d746cb8b1675b37d0d7546392c59622c693045dbcb10e9343524a6e7a9cc757717af22ddb8127bcdfb29cb8da409bd69d42aed9708cb2f904dff562a695be004ab25d31b8485bdd677c96d156ce8037726519d1949cc15e91acfd1c7c0bd58058b72c7d340b2f0bb12115ef44af6d20ce5f429d681b614e06bcddbf8ba00b40732b4dd425d1a87b663afce0e9a87b942a543b055f00b2428de12464a1309fccd0a15d512691e3858666ea4dc6084283deb075877c0162dbaf8318c9cda01ca611d72fac0b386a753ef35f438757cdf732a61a1f6123d1de3f61eb072d022f56c679a86f7a05bd6fa420ba39ed2973d4007b9cc
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -45068,6 +45179,7 @@ Nonce.14 = 0a6bef6b736129740978e31c3fa279e8
+ PersonalisationString.14 = a5ca2491479bda16341b2c14339a5307fc2e2f5df4fa625e0ea351a95a14f588
+ Output.14 = 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
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-512
+ PredictionResistance = 0
+@@ -68233,6 +68345,7 @@ Output.14 = 6af689cec62a633492f6e24b754d38dd6ab0b556e91802d72f14dc8c0e9ff50df728
+ 
+ Title = HMAC DRBG Prediction Resistance Tests (from NIST test vectors)
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 1
+@@ -68313,6 +68426,7 @@ EntropyPredictionResistanceA.14 = ae706e740dda50209b20acf90dfa8cec
+ EntropyPredictionResistanceB.14 = b4d4b4bc7cba4daa285ff88ce9e8d451
+ Output.14 = 74acba48f0216087f18042ff14101707c27d281e5ddbc19c722bec3f77bf17ca31239382f4fc1d4dd0f44c296bc2f10f74864951f7da19a23e3e598ac43fb8bbdd1fca8047b98689ef1c05bc81102bb5
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 1
+@@ -68423,6 +68537,7 @@ AdditionalInputB.14 = ccdb3f7d7f6a4d169f5f2e24ec481fcb
+ EntropyPredictionResistanceB.14 = be4a2c87c875be0e1be01aadf2efeef6
+ Output.14 = bfcc8f2ece23d22545ec2176aabd083855923ca9a673b54b66a3e2562212aad3cc74c4c8976de259cc95a2f09a85b7acd1f18c343eff0368a80e73a547efdcd954816b38df1c19556d714897e317d69f
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 1
+@@ -68518,6 +68633,7 @@ EntropyPredictionResistanceA.14 = f324c09f96434ceea7e756fc2f55a0b3
+ EntropyPredictionResistanceB.14 = f043b6e11fc2f671ec00f4d478b791c6
+ Output.14 = 40e87b822b1000441884a38b8776baa69fbea99962571e8a20d8af012d50c8c211860ad579869ec880320ea8057d5cb0de9496ec57d8b594ca8be5b94219eaa800af7205f8a83b66c87e0fee9aa9732f
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 1
+@@ -68643,6 +68759,7 @@ AdditionalInputB.14 = 0d5a2183c9f9ca6941f6a617892f5e47
+ EntropyPredictionResistanceB.14 = 998f9cde45b1dc22db6d2d7bfd4f3930
+ Output.14 = 934fe82b0951b97dafc5ba16e87b0459691156b42ff2dbbbd8f6ed9b04be952af267c6a17fbfc86de91f9f07eed482a5362b176216a8963af485503ba93b2e82c03a3ee6225077d90cd961e24f6026f6
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 1
+@@ -68723,6 +68840,7 @@ EntropyPredictionResistanceA.14 = 427b47ed008e489cfd06e1a6e0a9f07b
+ EntropyPredictionResistanceB.14 = e5ee8df96c0e929446502a4bbd23ab22
+ Output.14 = a544ea7c3362570f48a42635f4b79f615d11a5d8a480d85ac71e4be90074fbd5e2d368d00755e95a262d79ed262003d3e2a26f82c37d091ae763a01fba08c87b3ec0ce817bbab8d1905f91f021b7d7d0
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 1
+@@ -68833,6 +68951,7 @@ AdditionalInputB.14 = 3e95f86a7168410eac0c84995c187fd9
+ EntropyPredictionResistanceB.14 = fd15dfdd8cfeeb7ce0c76f759dfd47df
+ Output.14 = 480d9cbbfa6c923866179318b293c52c9ad86c2ee27faa745873a77d0242afe669d1773fd9c17284097ee8e644aa054deefbb9c73732ba6b5004623df15edeb49ef2e1bc8dbe023f7104ea1395d9fd38
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 1
+@@ -68928,6 +69047,7 @@ EntropyPredictionResistanceA.14 = 845decbe6e03e423b3660bfe7db383bf
+ EntropyPredictionResistanceB.14 = f4ee7409c076201255bc78ec82ca5530
+ Output.14 = ac57a08b77c528b834df2757069b6330f05a9196fbbb17300f9c31ef596f551ecc56fa3256c0ab1534df4955f2da1e8d98026b7c5e07290faa5131a95d0fa35a56b075752656ab61a74f889fbb735c58
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 1
+@@ -69053,6 +69173,7 @@ AdditionalInputB.14 = 063e444dc2990f59e04839fd5e9eaeb6
+ EntropyPredictionResistanceB.14 = e059229538a827fe9b7e5caa44fb1e3d
+ Output.14 = 62efebd7730c6999fd052b98e2bf26eebc96b617a03fe2f1aa7ea3be1aea833f705a3ef3776adc7578f5bb6955a60853ef267fbc18aa3d57b8e0d9134c81e8ffadd0c66d385e5d535d74a615fa896757
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 1
+@@ -69133,6 +69254,7 @@ EntropyPredictionResistanceA.14 = 74b72e7e1c5f16bf0389dafed9a86ae4
+ EntropyPredictionResistanceB.14 = adef9418a342b4717e93df6450429a38
+ Output.14 = eae51f34bfaa2970f41c3211ec228cfccc1d3c0fcc077d1d9ba159b3bac8685bc5783f61c67fdd4beca05dd4f14afcfc4d554ae75f73842637671102c3b81cabc9a0638cecad5a6615171be5265d5454
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 1
+@@ -69243,6 +69365,7 @@ AdditionalInputB.14 = 696d9380b814b456ca59ed58ea765400
+ EntropyPredictionResistanceB.14 = d57fb196a634da13ba8695098ed79f9c
+ Output.14 = 069848aef419759b75896cd507a109f685228b5639470afeac0caa853f1c3dbe373f99db76bf06fe8bac356bedf6bf18787043970fb0a185c8a0a4d8482aa3059eeba0d244fc03c9b72857dc5188d44b
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 1
+@@ -69338,6 +69461,7 @@ EntropyPredictionResistanceA.14 = 015ef1f359f60a391b3720d578731070
+ EntropyPredictionResistanceB.14 = 963736987090fe71e69b4a2480d9b314
+ Output.14 = c75a102bea830a8a58d9a9a43cb03b21aea75d8d2a08c37aaae9180a5e1c78e5700b20a5fe1c7ef0a7e3d2adcf539c4c1357946a328a057e719b97d802b586910f804c166d4884d8bbb3bbc03074c53a
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 1
+@@ -69463,6 +69587,7 @@ AdditionalInputB.14 = e0b7ad60c542e6c2b324652fd2d7cdc6
+ EntropyPredictionResistanceB.14 = dc7ea852c3e5467977c7946e77223567
+ Output.14 = 0e2e5f47ca8ce1c7fdae1b49d6bc8594da1458eb8dfb35e0602d3812df7532cf6213eba8e75302444529565c40d23d0a336c4cadde37f0def2c3d412984360b65c668ef43263fada16b28860f6ee6ceb
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 1
+@@ -69543,6 +69668,7 @@ EntropyPredictionResistanceA.14 = 4912a46c447c2de26dbbaec01817d2a6
+ EntropyPredictionResistanceB.14 = c182dc35363cd7e04394c28030e6d6b9
+ Output.14 = 976daafdf1dd5163e88a928d91933678cda9c8ef9a8251070ee8a6b42efda3c00a73303d0426da4a4af7c587174dce9936bfbb68a73979afee9f3a5b4fb4da2eb2b2f2f1c0948b63b45bf583412b2890
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 1
+@@ -69653,6 +69779,7 @@ AdditionalInputB.14 = 8022a4985c745515682102a25b379301
+ EntropyPredictionResistanceB.14 = 8cc2d8a789d343547ee48869f57ae225
+ Output.14 = 5707c544445358767b1c4d6c319b6a8d9be38afbf945dd4e869e9136d63c9d74aa872139e8bdd374510ebcf8c36c39e45ff31596fa58721c2a089dea7b418b3f7a00d78c6ba531adbb59ae2ab44bb683
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 1
+@@ -69748,6 +69875,7 @@ EntropyPredictionResistanceA.14 = 701b8e70583effd1c4e901c50966127e
+ EntropyPredictionResistanceB.14 = 40e9ad701b63ee7bd6132d7f056a1f09
+ Output.14 = a76b3e058ed1a8ca5860b15abe08a607894207d3d3be5bf6c3dc99c01523c85bf18927bc6d3f66cfef63a238aaef1ee87998100faabeef0d2518f3ccc0423d776a440ec9a87c5601fdf45c309c264dcd
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-1
+ PredictionResistance = 1
+@@ -76340,6 +76468,7 @@ EntropyPredictionResistanceA.14 = a918ec35414b0bf1d9ba3b80ef838e75b9504fb6b77e40
+ EntropyPredictionResistanceB.14 = c25de5d8b1f17acb7303c4a652ea1bcf284bfdc08a12c40ece16e3125fc8757e
+ Output.14 = 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
+ 
++Availablein = default
+ RAND = HMAC-DRBG
+ Digest = SHA-512
+ PredictionResistance = 1
+-- 
+2.41.0
+

diff --git a/0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch b/0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
new file mode 100644
index 0000000..01fa935
--- /dev/null
+++ b/0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
@@ -0,0 +1,273 @@
+From 930e7acf7dd225102b6e88d23f5e2a3f4acea9fa Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 15:43:57 +0200
+Subject: [PATCH 37/48] 
+ 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
+
+Patch-name: 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
+Patch-id: 81
+---
+ providers/implementations/signature/rsa_sig.c |   6 +
+ test/acvp_test.inc                            | 214 ------------------
+ 2 files changed, 6 insertions(+), 214 deletions(-)
+
+diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
+index 63ee11e566..cfaa4841cb 100644
+--- a/providers/implementations/signature/rsa_sig.c
++++ b/providers/implementations/signature/rsa_sig.c
+@@ -1279,7 +1279,13 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
+             err_extra_text = "No padding not allowed with RSA-PSS";
+             goto cont;
+         case RSA_X931_PADDING:
++#ifndef FIPS_MODULE
+             err_extra_text = "X.931 padding not allowed with RSA-PSS";
++#else /* !defined(FIPS_MODULE) */
++            err_extra_text = "X.931 padding no longer allowed in FIPS mode,"
++                             " since it was removed from FIPS 186-5";
++            goto bad_pad;
++#endif /* !defined(FIPS_MODULE) */
+         cont:
+             if (RSA_test_flags(prsactx->rsa,
+                                RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSA)
+diff --git a/test/acvp_test.inc b/test/acvp_test.inc
+index 73b24bdb0c..96a72073f9 100644
+--- a/test/acvp_test.inc
++++ b/test/acvp_test.inc
+@@ -1204,13 +1204,6 @@ static const struct rsa_siggen_st rsa_siggen_data[] = {
+         ITM(rsa_siggen0_msg),
+         NO_PSS_SALT_LEN,
+     },
+-    {
+-        "x931",
+-        2048,
+-        "SHA384",
+-        ITM(rsa_siggen0_msg),
+-        NO_PSS_SALT_LEN,
+-    },
+     {
+         "pss",
+         2048,
+@@ -1622,202 +1615,6 @@ static const unsigned char rsa_sigverpss_1_sig[] = {
+     0x5c, 0xea, 0x8a, 0x92, 0x31, 0xd2, 0x11, 0x4b,
+ };
+ 
+-static const unsigned char rsa_sigverx931_0_n[] = {
+-    0xa0, 0x16, 0x14, 0x80, 0x8b, 0x17, 0x2b, 0xad,
+-    0xd7, 0x07, 0x31, 0x6d, 0xfc, 0xba, 0x25, 0x83,
+-    0x09, 0xa0, 0xf7, 0x71, 0xc6, 0x06, 0x22, 0x87,
+-    0xd6, 0xbd, 0x13, 0xd9, 0xfe, 0x7c, 0xf7, 0xe6,
+-    0x48, 0xdb, 0x27, 0xd8, 0xa5, 0x49, 0x8e, 0x8c,
+-    0xea, 0xbe, 0xe0, 0x04, 0x6f, 0x3d, 0x3b, 0x73,
+-    0xdc, 0xc5, 0xd4, 0xdc, 0x85, 0xef, 0xea, 0x10,
+-    0x46, 0xf3, 0x88, 0xb9, 0x93, 0xbc, 0xa0, 0xb6,
+-    0x06, 0x02, 0x82, 0xb4, 0x2d, 0x54, 0xec, 0x79,
+-    0x50, 0x8a, 0xfc, 0xfa, 0x62, 0x45, 0xbb, 0xd7,
+-    0x26, 0xcd, 0x88, 0xfa, 0xe8, 0x0f, 0x26, 0x5b,
+-    0x1f, 0x21, 0x3f, 0x3b, 0x5d, 0x98, 0x3f, 0x02,
+-    0x8c, 0xa1, 0xbf, 0xc0, 0x70, 0x4d, 0xd1, 0x41,
+-    0xfd, 0xb9, 0x55, 0x12, 0x90, 0xc8, 0x6e, 0x0f,
+-    0x19, 0xa8, 0x5c, 0x31, 0xd6, 0x16, 0x0e, 0xdf,
+-    0x08, 0x84, 0xcd, 0x4b, 0xfd, 0x28, 0x8d, 0x7d,
+-    0x6e, 0xea, 0xc7, 0x95, 0x4a, 0xc3, 0x84, 0x54,
+-    0x7f, 0xb0, 0x20, 0x29, 0x96, 0x39, 0x4c, 0x3e,
+-    0x85, 0xec, 0x22, 0xdd, 0xb9, 0x14, 0xbb, 0x04,
+-    0x2f, 0x4c, 0x0c, 0xe3, 0xfa, 0xae, 0x47, 0x79,
+-    0x59, 0x8e, 0x4e, 0x7d, 0x4a, 0x17, 0xae, 0x16,
+-    0x38, 0x66, 0x4e, 0xff, 0x45, 0x7f, 0xac, 0x5e,
+-    0x75, 0x9f, 0x51, 0x18, 0xe6, 0xad, 0x6b, 0x8b,
+-    0x3d, 0x08, 0x4d, 0x9a, 0xd2, 0x11, 0xba, 0xa8,
+-    0xc3, 0xb5, 0x17, 0xb5, 0xdf, 0xe7, 0x39, 0x89,
+-    0x27, 0x7b, 0xeb, 0xf4, 0xe5, 0x7e, 0xa9, 0x7b,
+-    0x39, 0x40, 0x6f, 0xe4, 0x82, 0x14, 0x3d, 0x62,
+-    0xb6, 0xd4, 0x43, 0xd0, 0x0a, 0x2f, 0xc1, 0x73,
+-    0x3d, 0x99, 0x37, 0xbe, 0x62, 0x13, 0x6a, 0x8b,
+-    0xeb, 0xc5, 0x64, 0xd5, 0x2a, 0x8b, 0x4f, 0x7f,
+-    0x82, 0x48, 0x69, 0x3e, 0x08, 0x1b, 0xb5, 0x77,
+-    0xd3, 0xdc, 0x1b, 0x2c, 0xe5, 0x59, 0xf6, 0x33,
+-    0x47, 0xa0, 0x0f, 0xff, 0x8a, 0x6a, 0x1d, 0x66,
+-    0x24, 0x67, 0x36, 0x7d, 0x21, 0xda, 0xc1, 0xd4,
+-    0x11, 0x6c, 0xe8, 0x5f, 0xd7, 0x8a, 0x53, 0x5c,
+-    0xb2, 0xe2, 0xf9, 0x14, 0x29, 0x0f, 0xcf, 0x28,
+-    0x32, 0x4f, 0xc6, 0x17, 0xf6, 0xbc, 0x0e, 0xb8,
+-    0x99, 0x7c, 0x14, 0xa3, 0x40, 0x3f, 0xf3, 0xe4,
+-    0x31, 0xbe, 0x54, 0x64, 0x5a, 0xad, 0x1d, 0xb0,
+-    0x37, 0xcc, 0xd9, 0x0b, 0xa4, 0xbc, 0xe0, 0x07,
+-    0x37, 0xd1, 0xe1, 0x65, 0xc6, 0x53, 0xfe, 0x60,
+-    0x6a, 0x64, 0xa4, 0x01, 0x00, 0xf3, 0x5b, 0x9a,
+-    0x28, 0x61, 0xde, 0x7a, 0xd7, 0x0d, 0x56, 0x1e,
+-    0x4d, 0xa8, 0x6a, 0xb5, 0xf2, 0x86, 0x2a, 0x4e,
+-    0xaa, 0x37, 0x23, 0x5a, 0x3b, 0x69, 0x66, 0x81,
+-    0xc8, 0x8e, 0x1b, 0x31, 0x0f, 0x28, 0x31, 0x9a,
+-    0x2d, 0xe5, 0x79, 0xcc, 0xa4, 0xca, 0x60, 0x45,
+-    0xf7, 0x83, 0x73, 0x5a, 0x01, 0x29, 0xda, 0xf7,
+-
+-};
+-static const unsigned char rsa_sigverx931_0_e[] = {
+-    0x01, 0x00, 0x01,
+-};
+-static const unsigned char rsa_sigverx931_0_msg[] = {
+-    0x82, 0x2e, 0x41, 0x70, 0x9d, 0x1f, 0xe9, 0x47,
+-    0xec, 0xf1, 0x79, 0xcc, 0x05, 0xef, 0xdb, 0xcd,
+-    0xca, 0x8b, 0x8e, 0x61, 0x45, 0xad, 0xa6, 0xd9,
+-    0xd7, 0x4b, 0x15, 0xf4, 0x92, 0x3a, 0x2a, 0x52,
+-    0xe3, 0x44, 0x57, 0x2b, 0x74, 0x7a, 0x37, 0x41,
+-    0x50, 0xcb, 0xcf, 0x13, 0x49, 0xd6, 0x15, 0x54,
+-    0x97, 0xfd, 0xae, 0x9b, 0xc1, 0xbb, 0xfc, 0x5c,
+-    0xc1, 0x37, 0x58, 0x17, 0x63, 0x19, 0x9c, 0xcf,
+-    0xee, 0x9c, 0xe5, 0xbe, 0x06, 0xe4, 0x97, 0x47,
+-    0xd1, 0x93, 0xa1, 0x2c, 0x59, 0x97, 0x02, 0x01,
+-    0x31, 0x45, 0x8c, 0xe1, 0x5c, 0xac, 0xe7, 0x5f,
+-    0x6a, 0x23, 0xda, 0xbf, 0xe4, 0x25, 0xc6, 0x67,
+-    0xea, 0x5f, 0x73, 0x90, 0x1b, 0x06, 0x0f, 0x41,
+-    0xb5, 0x6e, 0x74, 0x7e, 0xfd, 0xd9, 0xaa, 0xbd,
+-    0xe2, 0x8d, 0xad, 0x99, 0xdd, 0x29, 0x70, 0xca,
+-    0x1b, 0x38, 0x21, 0x55, 0xde, 0x07, 0xaf, 0x00,
+-
+-};
+-static const unsigned char rsa_sigverx931_0_sig[] = {
+-    0x29, 0xa9, 0x3a, 0x8e, 0x9e, 0x90, 0x1b, 0xdb,
+-    0xaf, 0x0b, 0x47, 0x5b, 0xb5, 0xc3, 0x8c, 0xc3,
+-    0x70, 0xbe, 0x73, 0xf9, 0x65, 0x8e, 0xc6, 0x1e,
+-    0x95, 0x0b, 0xdb, 0x24, 0x76, 0x79, 0xf1, 0x00,
+-    0x71, 0xcd, 0xc5, 0x6a, 0x7b, 0xd2, 0x8b, 0x18,
+-    0xc4, 0xdd, 0xf1, 0x2a, 0x31, 0x04, 0x3f, 0xfc,
+-    0x36, 0x06, 0x20, 0x71, 0x3d, 0x62, 0xf2, 0xb5,
+-    0x79, 0x0a, 0xd5, 0xd2, 0x81, 0xf1, 0xb1, 0x4f,
+-    0x9a, 0x17, 0xe8, 0x67, 0x64, 0x48, 0x09, 0x75,
+-    0xff, 0x2d, 0xee, 0x36, 0xca, 0xca, 0x1d, 0x74,
+-    0x99, 0xbe, 0x5c, 0x94, 0x31, 0xcc, 0x12, 0xf4,
+-    0x59, 0x7e, 0x17, 0x00, 0x4f, 0x7b, 0xa4, 0xb1,
+-    0xda, 0xdb, 0x3e, 0xa4, 0x34, 0x10, 0x4a, 0x19,
+-    0x0a, 0xd2, 0xa7, 0xa0, 0xc5, 0xe6, 0xef, 0x82,
+-    0xd4, 0x2e, 0x21, 0xbe, 0x15, 0x73, 0xac, 0xef,
+-    0x05, 0xdb, 0x6a, 0x8a, 0x1a, 0xcb, 0x8e, 0xa5,
+-    0xee, 0xfb, 0x28, 0xbf, 0x96, 0xa4, 0x2b, 0xd2,
+-    0x85, 0x2b, 0x20, 0xc3, 0xaf, 0x9a, 0x32, 0x04,
+-    0xa0, 0x49, 0x24, 0x47, 0xd0, 0x09, 0xf7, 0xcf,
+-    0x73, 0xb6, 0xf6, 0x70, 0xda, 0x3b, 0xf8, 0x5a,
+-    0x28, 0x2e, 0x14, 0x6c, 0x52, 0xbd, 0x2a, 0x7c,
+-    0x8e, 0xc1, 0xa8, 0x0e, 0xb1, 0x1e, 0x6b, 0x8d,
+-    0x76, 0xea, 0x70, 0x81, 0xa0, 0x02, 0x63, 0x74,
+-    0xbc, 0x7e, 0xb9, 0xac, 0x0e, 0x7b, 0x1b, 0x75,
+-    0x82, 0xe2, 0x98, 0x4e, 0x24, 0x55, 0xd4, 0xbd,
+-    0x14, 0xde, 0x58, 0x56, 0x3a, 0x5d, 0x4e, 0x57,
+-    0x0d, 0x54, 0x74, 0xe8, 0x86, 0x8c, 0xcb, 0x07,
+-    0x9f, 0x0b, 0xfb, 0xc2, 0x08, 0x5c, 0xd7, 0x05,
+-    0x3b, 0xc8, 0xd2, 0x15, 0x68, 0x8f, 0x3d, 0x3c,
+-    0x4e, 0x85, 0xa9, 0x25, 0x6f, 0xf5, 0x2e, 0xca,
+-    0xca, 0xa8, 0x27, 0x89, 0x61, 0x4e, 0x1f, 0x57,
+-    0x2d, 0x99, 0x10, 0x3f, 0xbc, 0x9e, 0x96, 0x5e,
+-    0x2f, 0x0a, 0x25, 0xa7, 0x5c, 0xea, 0x65, 0x2a,
+-    0x22, 0x35, 0xa3, 0xf9, 0x13, 0x89, 0x05, 0x2e,
+-    0x19, 0x73, 0x1d, 0x70, 0x74, 0x98, 0x15, 0x4b,
+-    0xab, 0x56, 0x52, 0xe0, 0x01, 0x42, 0x95, 0x6a,
+-    0x46, 0x2c, 0x78, 0xff, 0x26, 0xbc, 0x48, 0x10,
+-    0x38, 0x25, 0xab, 0x32, 0x7c, 0x79, 0x7c, 0x5d,
+-    0x6f, 0x45, 0x54, 0x74, 0x2d, 0x93, 0x56, 0x52,
+-    0x11, 0x34, 0x1e, 0xe3, 0x4b, 0x6a, 0x17, 0x4f,
+-    0x37, 0x14, 0x75, 0xac, 0xa3, 0xa1, 0xca, 0xda,
+-    0x38, 0x06, 0xa9, 0x78, 0xb9, 0x5d, 0xd0, 0x59,
+-    0x1b, 0x5d, 0x1e, 0xc2, 0x0b, 0xfb, 0x39, 0x37,
+-    0x44, 0x85, 0xb6, 0x36, 0x06, 0x95, 0xbc, 0x15,
+-    0x35, 0xb9, 0xe6, 0x27, 0x42, 0xe3, 0xc8, 0xec,
+-    0x30, 0x37, 0x20, 0x26, 0x9a, 0x11, 0x61, 0xc0,
+-    0xdb, 0xb2, 0x5a, 0x26, 0x78, 0x27, 0xb9, 0x13,
+-    0xc9, 0x1a, 0xa7, 0x67, 0x93, 0xe8, 0xbe, 0xcb,
+-};
+-
+-#define rsa_sigverx931_1_n rsa_sigverx931_0_n
+-#define rsa_sigverx931_1_e rsa_sigverx931_0_e
+-static const unsigned char rsa_sigverx931_1_msg[] = {
+-    0x79, 0x02, 0xb9, 0xd2, 0x3e, 0x84, 0x02, 0xc8,
+-    0x2a, 0x94, 0x92, 0x14, 0x8d, 0xd5, 0xd3, 0x8d,
+-    0xb2, 0xf6, 0x00, 0x8b, 0x61, 0x2c, 0xd2, 0xf9,
+-    0xa8, 0xe0, 0x5d, 0xac, 0xdc, 0xa5, 0x34, 0xf3,
+-    0xda, 0x6c, 0xd4, 0x70, 0x92, 0xfb, 0x40, 0x26,
+-    0xc7, 0x9b, 0xe8, 0xd2, 0x10, 0x11, 0xcf, 0x7f,
+-    0x23, 0xd0, 0xed, 0x55, 0x52, 0x6d, 0xd3, 0xb2,
+-    0x56, 0x53, 0x8d, 0x7c, 0x4c, 0xb8, 0xcc, 0xb5,
+-    0xfd, 0xd0, 0x45, 0x4f, 0x62, 0x40, 0x54, 0x42,
+-    0x68, 0xd5, 0xe5, 0xdd, 0xf0, 0x76, 0x94, 0x59,
+-    0x1a, 0x57, 0x13, 0xb4, 0xc3, 0x70, 0xcc, 0xbd,
+-    0x4c, 0x2e, 0xc8, 0x6b, 0x9d, 0x68, 0xd0, 0x72,
+-    0x6a, 0x94, 0xd2, 0x18, 0xb5, 0x3b, 0x86, 0x45,
+-    0x95, 0xaa, 0x50, 0xda, 0x35, 0xeb, 0x69, 0x44,
+-    0x1f, 0xf3, 0x3a, 0x51, 0xbb, 0x1d, 0x08, 0x42,
+-    0x12, 0xd7, 0xd6, 0x21, 0xd8, 0x9b, 0x87, 0x55,
+-};
+-
+-static const unsigned char rsa_sigverx931_1_sig[] = {
+-    0x3b, 0xba, 0xb3, 0xb1, 0xb2, 0x6a, 0x29, 0xb5,
+-    0xf9, 0x94, 0xf1, 0x00, 0x5c, 0x16, 0x67, 0x67,
+-    0x73, 0xd3, 0xde, 0x7e, 0x07, 0xfa, 0xaa, 0x95,
+-    0xeb, 0x5a, 0x55, 0xdc, 0xb2, 0xa9, 0x70, 0x5a,
+-    0xee, 0x8f, 0x8d, 0x69, 0x85, 0x2b, 0x00, 0xe3,
+-    0xdc, 0xe2, 0x73, 0x9b, 0x68, 0xeb, 0x93, 0x69,
+-    0x08, 0x03, 0x17, 0xd6, 0x50, 0x21, 0x14, 0x23,
+-    0x8c, 0xe6, 0x54, 0x3a, 0xd9, 0xfc, 0x8b, 0x14,
+-    0x81, 0xb1, 0x8b, 0x9d, 0xd2, 0xbe, 0x58, 0x75,
+-    0x94, 0x74, 0x93, 0xc9, 0xbb, 0x4e, 0xf6, 0x1f,
+-    0x73, 0x7d, 0x1a, 0x5f, 0xbd, 0xbf, 0x59, 0x37,
+-    0x5b, 0x98, 0x54, 0xad, 0x3a, 0xef, 0xa0, 0xef,
+-    0xcb, 0xc3, 0xe8, 0x84, 0xd8, 0x3d, 0xf5, 0x60,
+-    0xb8, 0xc3, 0x8d, 0x1e, 0x78, 0xa0, 0x91, 0x94,
+-    0xb7, 0xd7, 0xb1, 0xd4, 0xe2, 0xee, 0x81, 0x93,
+-    0xfc, 0x41, 0xf0, 0x31, 0xbb, 0x03, 0x52, 0xde,
+-    0x80, 0x20, 0x3a, 0x68, 0xe6, 0xc5, 0x50, 0x1b,
+-    0x08, 0x3f, 0x40, 0xde, 0xb3, 0xe5, 0x81, 0x99,
+-    0x7f, 0xdb, 0xb6, 0x5d, 0x61, 0x27, 0xd4, 0xfb,
+-    0xcd, 0xc5, 0x7a, 0xea, 0xde, 0x7a, 0x66, 0xef,
+-    0x55, 0x3f, 0x85, 0xea, 0x84, 0xc5, 0x0a, 0xf6,
+-    0x3c, 0x40, 0x38, 0xf7, 0x6c, 0x66, 0xe5, 0xbe,
+-    0x61, 0x41, 0xd3, 0xb1, 0x08, 0xe1, 0xb4, 0xf9,
+-    0x6e, 0xf6, 0x0e, 0x4a, 0x72, 0x6c, 0x61, 0x63,
+-    0x3e, 0x41, 0x33, 0x94, 0xd6, 0x27, 0xa4, 0xd9,
+-    0x3a, 0x20, 0x2b, 0x39, 0xea, 0xe5, 0x82, 0x48,
+-    0xd6, 0x5b, 0x58, 0x85, 0x44, 0xb0, 0xd2, 0xfd,
+-    0xfb, 0x3e, 0xeb, 0x78, 0xac, 0xbc, 0xba, 0x16,
+-    0x92, 0x0e, 0x20, 0xc1, 0xb2, 0xd1, 0x92, 0xa8,
+-    0x00, 0x88, 0xc0, 0x41, 0x46, 0x38, 0xb6, 0x54,
+-    0x70, 0x0c, 0x00, 0x62, 0x97, 0x6a, 0x8e, 0x66,
+-    0x5a, 0xa1, 0x6c, 0xf7, 0x6d, 0xc2, 0x27, 0x56,
+-    0x60, 0x5b, 0x0c, 0x52, 0xac, 0x5c, 0xae, 0x99,
+-    0x55, 0x11, 0x62, 0x52, 0x09, 0x48, 0x53, 0x90,
+-    0x3c, 0x0b, 0xd4, 0xdc, 0x7b, 0xe3, 0x4c, 0xe3,
+-    0xa8, 0x6d, 0xc5, 0xdf, 0xc1, 0x5c, 0x59, 0x25,
+-    0x99, 0x30, 0xde, 0x57, 0x6a, 0x84, 0x25, 0x34,
+-    0x3e, 0x64, 0x11, 0xdb, 0x7a, 0x82, 0x8e, 0x70,
+-    0xd2, 0x5c, 0x0e, 0x81, 0xa0, 0x24, 0x53, 0x75,
+-    0x98, 0xd6, 0x10, 0x01, 0x6a, 0x14, 0xed, 0xc3,
+-    0x6f, 0xc4, 0x18, 0xb8, 0xd2, 0x9f, 0x59, 0x53,
+-    0x81, 0x3a, 0x86, 0x31, 0xfc, 0x9e, 0xbf, 0x6c,
+-    0x52, 0x93, 0x86, 0x9c, 0xaa, 0x6c, 0x6f, 0x07,
+-    0x8a, 0x40, 0x33, 0x64, 0xb2, 0x70, 0x48, 0x85,
+-    0x05, 0x59, 0x65, 0x2d, 0x6b, 0x9a, 0xad, 0xab,
+-    0x20, 0x7e, 0x02, 0x6d, 0xde, 0xcf, 0x22, 0x0b,
+-    0xea, 0x6e, 0xbd, 0x1c, 0x39, 0x3a, 0xfd, 0xa4,
+-    0xde, 0x54, 0xae, 0xde, 0x5e, 0xf7, 0xb0, 0x6d,
+-};
+-
+ static const struct rsa_sigver_st rsa_sigver_data[] = {
+     {
+         "pkcs1", /* pkcs1v1.5 */
+@@ -1841,17 +1638,6 @@ static const struct rsa_sigver_st rsa_sigver_data[] = {
+         NO_PSS_SALT_LEN,
+         FAIL
+     },
+-    {
+-        "x931",
+-        3072,
+-        "SHA256",
+-        ITM(rsa_sigverx931_1_msg),
+-        ITM(rsa_sigverx931_1_n),
+-        ITM(rsa_sigverx931_1_e),
+-        ITM(rsa_sigverx931_1_sig),
+-        NO_PSS_SALT_LEN,
+-        FAIL
+-    },
+     {
+         "pss",
+         4096,
+-- 
+2.41.0
+
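Review bot: The `#else /* !defined(FIPS_MODULE) */` comment at the top of the new FIPS branch in rsa_set_ctx_params is inverted — that branch compiles when FIPS_MODULE is defined — so it should read `#else /* defined(FIPS_MODULE) */`, leaving only the `#endif` to name the `#ifndef` condition. The branch also assigns `err_extra_text` before `goto bad_pad`; the `bad_pad` label is outside the hunk, so confirm it actually reports that text, otherwise the assignment is dead. Deleting the x931 vectors from acvp_test.inc removes the only coverage of this padding mode, and a negative case asserting that `RSA_X931_PADDING` is rejected under FIPS_MODULE would keep the new rejection path exercised. rsa_set_ctx_params starts and ends outside the hunk.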

diff --git a/0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch b/0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
new file mode 100644
index 0000000..a857ef9
--- /dev/null
+++ b/0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
@@ -0,0 +1,104 @@
+From 8e388e194e665286a8996d7d5926bab5c1a6b4f9 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 15:46:40 +0200
+Subject: [PATCH 38/48] 
+ 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
+
+Patch-name: 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
+Patch-id: 83
+---
+ include/crypto/evp.h                       |  7 +++++++
+ include/openssl/core_names.h               |  1 +
+ include/openssl/evp.h                      |  3 +++
+ providers/implementations/macs/hmac_prov.c | 17 +++++++++++++++++
+ 4 files changed, 28 insertions(+)
+
+diff --git a/include/crypto/evp.h b/include/crypto/evp.h
+index aa07153441..a13127bd59 100644
+--- a/include/crypto/evp.h
++++ b/include/crypto/evp.h
+@@ -196,6 +196,13 @@ const EVP_PKEY_METHOD *ossl_ed448_pkey_method(void);
+ const EVP_PKEY_METHOD *ossl_rsa_pkey_method(void);
+ const EVP_PKEY_METHOD *ossl_rsa_pss_pkey_method(void);
+ 
++#ifdef FIPS_MODULE
++/* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms specifies key
++ * lengths < 112 bytes are disallowed for HMAC generation and legacy use for
++ * HMAC verification. */
++# define EVP_HMAC_GEN_FIPS_MIN_KEY_LEN (112 / 8)
++#endif
++
+ struct evp_mac_st {
+     OSSL_PROVIDER *prov;
+     int name_id;
+diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
+index f185bc9342..1d1da4d3ca 100644
+--- a/include/openssl/core_names.h
++++ b/include/openssl/core_names.h
+@@ -175,6 +175,7 @@ extern "C" {
+ #define OSSL_MAC_PARAM_SIZE             "size"                    /* size_t */
+ #define OSSL_MAC_PARAM_BLOCK_SIZE       "block-size"              /* size_t */
+ #define OSSL_MAC_PARAM_TLS_DATA_SIZE    "tls-data-size"           /* size_t */
++#define OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator"
+ 
+ /* Known MAC names */
+ #define OSSL_MAC_NAME_BLAKE2BMAC    "BLAKE2BMAC"
+diff --git a/include/openssl/evp.h b/include/openssl/evp.h
+index 86f4e22c70..615857caf5 100644
+--- a/include/openssl/evp.h
++++ b/include/openssl/evp.h
+@@ -1194,6 +1194,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx,
+                             void *arg);
+ 
+ /* MAC stuff */
++# define EVP_MAC_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED     1
++# define EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
+ 
+ EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm,
+                        const char *properties);
+diff --git a/providers/implementations/macs/hmac_prov.c b/providers/implementations/macs/hmac_prov.c
+index 52ebb08b8f..cf5c3ecbe7 100644
+--- a/providers/implementations/macs/hmac_prov.c
++++ b/providers/implementations/macs/hmac_prov.c
+@@ -21,6 +21,8 @@
+ #include <openssl/evp.h>
+ #include <openssl/hmac.h>
+ 
++#include "crypto/evp.h"
++
+ #include "prov/implementations.h"
+ #include "prov/provider_ctx.h"
+ #include "prov/provider_util.h"
+@@ -244,6 +246,9 @@ static int hmac_final(void *vmacctx, unsigned char *out, size_t *outl,
+ static const OSSL_PARAM known_gettable_ctx_params[] = {
+     OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL),
+     OSSL_PARAM_size_t(OSSL_MAC_PARAM_BLOCK_SIZE, NULL),
++#ifdef FIPS_MODULE
++    OSSL_PARAM_int(OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR, NULL),
++#endif /* defined(FIPS_MODULE) */
+     OSSL_PARAM_END
+ };
+ static const OSSL_PARAM *hmac_gettable_ctx_params(ossl_unused void *ctx,
+@@ -265,6 +270,18 @@ static int hmac_get_ctx_params(void *vmacctx, OSSL_PARAM params[])
+             && !OSSL_PARAM_set_int(p, hmac_block_size(macctx)))
+         return 0;
+ 
++#ifdef FIPS_MODULE
++    if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR)) != NULL) {
++        int fips_indicator = EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED;
++        /* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms
++         * specifies key lengths < 112 bytes are disallowed for HMAC generation
++         * and legacy use for HMAC verification. */
++        if (macctx->keylen < EVP_HMAC_GEN_FIPS_MIN_KEY_LEN)
++            fips_indicator = EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++        return OSSL_PARAM_set_int(p, fips_indicator);
++    }
++#endif /* defined(FIPS_MODULE) */
++
+     return 1;
+ }
+ 
+-- 
+2.41.0
+
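Review bot: The comment over `EVP_HMAC_GEN_FIPS_MIN_KEY_LEN` in include/crypto/evp.h, and its copy in hmac_get_ctx_params, says "key lengths < 112 bytes", but the constant is `(112 / 8)` — 14 bytes — and SP 800-131Ar2 states the bound in bits, so both comments should say `112 bits` to match the threshold actually enforced. In hmac_get_ctx_params the indicator branch returns directly via `return OSSL_PARAM_set_int(p, fips_indicator);`, unlike the preceding parameters which use the `if (p != NULL && !OSSL_PARAM_set_...) return 0;` chain and fall through to `return 1`; the direct return is correct only because this block is last, so either keep the chain form or add `/* must remain the last parameter handled */` above it. The comparison presumably relies on `macctx->keylen` holding the length of the key most recently set on the context; the init/set path is outside this hunk, so verify it is kept current there. hmac_get_ctx_params begins outside the hunk.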

diff --git a/0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch b/0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
new file mode 100644
index 0000000..bf94740
--- /dev/null
+++ b/0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
@@ -0,0 +1,69 @@
+From 915990e450e769e370fcacbfd8ed58ab6afaf2bf Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 15:47:55 +0200
+Subject: [PATCH 39/48] 
+ 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
+
+Patch-name: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
+Patch-id: 84
+---
+ providers/implementations/kdfs/pbkdf2.c | 27 ++++++++++++++++++++++++-
+ 1 file changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
+index 349c3dd657..11820d1e69 100644
+--- a/providers/implementations/kdfs/pbkdf2.c
++++ b/providers/implementations/kdfs/pbkdf2.c
+@@ -35,6 +35,21 @@
+ #define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF
+ #define KDF_PBKDF2_MIN_ITERATIONS 1000
+ #define KDF_PBKDF2_MIN_SALT_LEN   (128 / 8)
++/* The Implementation Guidance for FIPS 140-3 says in section D.N
++ * "Password-Based Key Derivation for Storage Applications" that "the vendor
++ * shall document in the module’s Security Policy the length of
++ * a password/passphrase used in key derivation and establish an upper bound
++ * for the probability of having this parameter guessed at random. This
++ * probability shall take into account not only the length of the
++ * password/passphrase, but also the difficulty of guessing it. The decision on
++ * the minimum length of a password used for key derivation is the vendor’s,
++ * but the vendor shall at a minimum informally justify the decision."
++ *
++ * We are choosing a minimum password length of 8 bytes, because NIST's ACVP
++ * testing uses passwords as short as 8 bytes, and requiring longer passwords
++ * combined with an implicit indicator (i.e., returning an error) would cause
++ * the module to fail ACVP testing. */
++#define KDF_PBKDF2_MIN_PASSWORD_LEN (8)
+ 
+ static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf2_new;
+ static OSSL_FUNC_kdf_dupctx_fn kdf_pbkdf2_dup;
+@@ -219,9 +234,15 @@ static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+         ctx->lower_bound_checks = pkcs5 == 0;
+     }
+ 
+-    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL)
++    if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL) {
++        if (ctx->lower_bound_checks != 0
++            && p->data_size < KDF_PBKDF2_MIN_PASSWORD_LEN) {
++            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
++            return 0;
++        }
+         if (!pbkdf2_set_membuf(&ctx->pass, &ctx->pass_len, p))
+             return 0;
++    }
+ 
+     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) {
+         if (ctx->lower_bound_checks != 0
+@@ -331,6 +352,10 @@ static int pbkdf2_derive(const char *pass, size_t passlen,
+     }
+ 
+     if (lower_bound_checks) {
++        if (passlen < KDF_PBKDF2_MIN_PASSWORD_LEN) {
++            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
++            return 0;
++        }
+         if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) {
+             ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
+             return 0;
+-- 
+2.41.0
+
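Review bot: The comment block introducing `KDF_PBKDF2_MIN_PASSWORD_LEN` contains non-ASCII right single quotes in "module’s" and "vendor’s"; replace them with a plain `'` so the source stays ASCII and does not trip encoding-sensitive tooling. The early check in kdf_pbkdf2_set_ctx_params only fires if `lower_bound_checks` is already set when the PASSWORD param is processed — true within one call because PKCS5 is handled first, but not if PKCS5 is supplied in a later call — so it is safe only because pbkdf2_derive repeats the check, and a comment such as `/* early feedback only; pbkdf2_derive() enforces the minimum */` would make that intent explicit. Both new checks raise `PROV_R_INVALID_KEY_LENGTH` for a password-length failure, which callers cannot distinguish from a genuine key-length error; a password-specific reason code, if one exists or can be added, would be clearer. kdf_pbkdf2_set_ctx_params and pbkdf2_derive both begin outside their hunks.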

diff --git a/0085-FIPS-RSA-disable-shake.patch b/0085-FIPS-RSA-disable-shake.patch
new file mode 100644
index 0000000..9ae7a99
--- /dev/null
+++ b/0085-FIPS-RSA-disable-shake.patch
@@ -0,0 +1,101 @@
+From 2306fde5556cbcb875d095c09fed01a0f16fe7ec Mon Sep 17 00:00:00 2001
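Review bot: The two rsa_pss.c checks fail with a bare `goto err` and never raise an error, so in the FIPS module a SHAKE digest passed to RSA_verify_PKCS1_PSS_mgf1 or RSA_padding_add_PKCS1_PSS_mgf1 produces a failure with an empty error queue, unlike the rsa_oaep.c hunks in the same patch which raise RSA_R_DIGEST_NOT_ALLOWED. Add `ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);` before each of those four `goto err` lines so the reason is diagnosable and consistent across the patch. The same `EVP_MD_is_a(..., "SHAKE-128") || EVP_MD_is_a(..., "SHAKE-256")` test is now written out six times; a small shared helper such as `static int rsa_md_is_shake(const EVP_MD *md)` would keep the excluded-digest list in one place if further XOFs need excluding later. The enclosing functions all start and end outside the hunk.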
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 15:51:55 +0200
+Subject: [PATCH 40/48] 0085-FIPS-RSA-disable-shake.patch
+
+Patch-name: 0085-FIPS-RSA-disable-shake.patch
+Patch-id: 85
+---
+ crypto/rsa/rsa_oaep.c | 28 ++++++++++++++++++++++++++++
+ crypto/rsa/rsa_pss.c  | 16 ++++++++++++++++
+ 2 files changed, 44 insertions(+)
+
+diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
+index b2f7f7dc4b..af2b0b026c 100644
+--- a/crypto/rsa/rsa_oaep.c
++++ b/crypto/rsa/rsa_oaep.c
+@@ -78,9 +78,23 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx,
+         return 0;
+ #endif
+     }
++
++#ifdef FIPS_MODULE
++    if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256")) {
++        ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
++        return 0;
++    }
++#endif
+     if (mgf1md == NULL)
+         mgf1md = md;
+ 
++#ifdef FIPS_MODULE
++    if (EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) {
++        ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
++        return 0;
++    }
++#endif
++
+     mdlen = EVP_MD_get_size(md);
+     if (mdlen <= 0) {
+         ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_LENGTH);
+@@ -203,9 +217,23 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
+ #endif
+     }
+ 
++#ifdef FIPS_MODULE
++    if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256")) {
++        ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
++        return -1;
++    }
++#endif
++
+     if (mgf1md == NULL)
+         mgf1md = md;
+ 
++#ifdef FIPS_MODULE
++    if (EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) {
++        ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);
++        return -1;
++    }
++#endif
++
+     mdlen = EVP_MD_get_size(md);
+ 
+     if (tlen <= 0 || flen <= 0)
+diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
+index bb46ec64c7..c0fdf232da 100644
+--- a/crypto/rsa/rsa_pss.c
++++ b/crypto/rsa/rsa_pss.c
+@@ -53,6 +53,14 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
+     if (mgf1Hash == NULL)
+         mgf1Hash = Hash;
+ 
++#ifdef FIPS_MODULE
++    if (EVP_MD_is_a(Hash, "SHAKE-128") || EVP_MD_is_a(Hash, "SHAKE-256"))
++        goto err;
++
++    if (EVP_MD_is_a(mgf1Hash, "SHAKE-128") || EVP_MD_is_a(mgf1Hash, "SHAKE-256"))
++        goto err;
++#endif
++
+     hLen = EVP_MD_get_size(Hash);
+     if (hLen < 0)
+         goto err;
+@@ -168,6 +176,14 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
+     if (mgf1Hash == NULL)
+         mgf1Hash = Hash;
+ 
++#ifdef FIPS_MODULE
++    if (EVP_MD_is_a(Hash, "SHAKE-128") || EVP_MD_is_a(Hash, "SHAKE-256"))
++        goto err;
++
++    if (EVP_MD_is_a(mgf1Hash, "SHAKE-128") || EVP_MD_is_a(mgf1Hash, "SHAKE-256"))
++        goto err;
++#endif
++
+     hLen = EVP_MD_get_size(Hash);
+     if (hLen < 0)
+         goto err;
+-- 
+2.41.0
+

diff --git a/0088-signature-Add-indicator-for-PSS-salt-length.patch b/0088-signature-Add-indicator-for-PSS-salt-length.patch
new file mode 100644
index 0000000..0577e00
--- /dev/null
+++ b/0088-signature-Add-indicator-for-PSS-salt-length.patch
@@ -0,0 +1,82 @@
+From 98ee6faef3da1439c04f11cd2796132d27d1e607 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 15:58:07 +0200
+Subject: [PATCH 41/48] 0088-signature-Add-indicator-for-PSS-salt-length.patch
+
+Patch-name: 0088-signature-Add-indicator-for-PSS-salt-length.patch
+Patch-id: 88
+---
+ include/openssl/core_names.h                  |  1 +
+ include/openssl/evp.h                         |  4 ++++
+ providers/implementations/signature/rsa_sig.c | 21 +++++++++++++++++++
+ 3 files changed, 26 insertions(+)
+
+diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
+index 1d1da4d3ca..48af87e236 100644
+--- a/include/openssl/core_names.h
++++ b/include/openssl/core_names.h
+@@ -458,6 +458,7 @@ extern "C" {
+ #define OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES    \
+     OSSL_PKEY_PARAM_MGF1_PROPERTIES
+ #define OSSL_SIGNATURE_PARAM_DIGEST_SIZE        OSSL_PKEY_PARAM_DIGEST_SIZE
++#define OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator"
+ 
+ /* Asym cipher parameters */
+ #define OSSL_ASYM_CIPHER_PARAM_DIGEST                   OSSL_PKEY_PARAM_DIGEST
+diff --git a/include/openssl/evp.h b/include/openssl/evp.h
+index 615857caf5..05f2d0f75a 100644
+--- a/include/openssl/evp.h
++++ b/include/openssl/evp.h
+@@ -799,6 +799,10 @@ __owur int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm,
+ __owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
+                               int *outl);
+ 
++# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED     1
++# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
++
+ __owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
+                          EVP_PKEY *pkey);
+ __owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
+diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
+index cfaa4841cb..851671cfb1 100644
+--- a/providers/implementations/signature/rsa_sig.c
++++ b/providers/implementations/signature/rsa_sig.c
+@@ -1173,6 +1173,24 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
+         }
+     }
+ 
++#ifdef FIPS_MODULE
++    p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR);
++    if (p != NULL) {
++        int fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED;
++        if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {
++            if (prsactx->md == NULL) {
++                fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED;
++            } else if (rsa_pss_compute_saltlen(prsactx) > EVP_MD_get_size(prsactx->md)) {
++                fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++            }
++        } else if (prsactx->pad_mode == RSA_NO_PADDING) {
++            if (prsactx->md == NULL) /* Should always be the case */
++                fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++        }
++        return OSSL_PARAM_set_int(p, fips_indicator);
++    }
++#endif
++
+     return 1;
+ }
+ 
+@@ -1182,6 +1200,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
+     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0),
+     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0),
+     OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0),
++#ifdef FIPS_MODULE
++    OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR, NULL),
++#endif
+     OSSL_PARAM_END
+ };
+ 
+-- 
+2.41.0
+
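Review bot: In the new rsa_get_ctx_params block, `rsa_pss_compute_saltlen(prsactx) > EVP_MD_get_size(prsactx->md)` treats a failed salt-length computation as approved: if rsa_pss_compute_saltlen follows the file's convention of returning a negative value on error, the comparison is false and the indicator stays EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED while an error is left on the queue. Store the result first and map failure to the undetermined state, e.g. `int saltlen = rsa_pss_compute_saltlen(prsactx);` then `if (saltlen < 0) fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED; else if (saltlen > EVP_MD_get_size(prsactx->md)) fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED;`. The RSA_NO_PADDING branch only reports not-approved when `md == NULL`, so a context with no padding and a digest set would read as approved even though the comment says that combination should not occur; either make the branch unconditional or add a comment stating what the indicator means for that case. The enclosing function starts outside the hunk.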

diff --git a/0091-FIPS-RSA-encapsulate.patch b/0091-FIPS-RSA-encapsulate.patch
new file mode 100644
index 0000000..69c8546
--- /dev/null
+++ b/0091-FIPS-RSA-encapsulate.patch
@@ -0,0 +1,47 @@
+From afab56d09edb525dd794fcb2ae2295ab7f39400a Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 16:01:48 +0200
+Subject: [PATCH 42/48] 0091-FIPS-RSA-encapsulate.patch
+
+Patch-name: 0091-FIPS-RSA-encapsulate.patch
+Patch-id: 91
+---
+ providers/implementations/kem/rsa_kem.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
+index 365ae3d7d6..8a6f585d0b 100644
+--- a/providers/implementations/kem/rsa_kem.c
++++ b/providers/implementations/kem/rsa_kem.c
+@@ -265,6 +265,14 @@ static int rsasve_generate(PROV_RSA_CTX *prsactx,
+             *secretlen = nlen;
+         return 1;
+     }
++
++#ifdef FIPS_MODULE
++    if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
++        return 0;
++    }
++#endif
++
+     /*
+      * Step (2): Generate a random byte string z of nlen bytes where
+      *            1 < z < n - 1
+@@ -308,6 +316,13 @@ static int rsasve_recover(PROV_RSA_CTX *prsactx,
+         return 1;
+     }
+ 
++#ifdef FIPS_MODULE
++    if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
++        return 0;
++    }
++#endif
++
+     /* Step (2): check the input ciphertext 'inlen' matches the nlen */
+     if (inlen != nlen) {
+         ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH);
+-- 
+2.41.0
+
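Review bot: The new modulus check in rsasve_generate compares a byte count, `nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8`, so if nlen comes from RSA_size() (which rounds up to whole bytes) a modulus of 2041–2047 bits passes as 256 bytes even though it is below the 2048-bit minimum; the rsasve_recover hunk has the same issue. Comparing the bit length directly, `if (RSA_bits(prsactx->rsa) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {` (assuming the key lives in `prsactx->rsa` as upstream), avoids the rounding. Both checks are also placed after the size-query early return visible just above them, so a caller asking only for the output length gets success on a key that will then be rejected; consider performing the check before that return or documenting that the size query does not validate the key. Both enclosing functions start and end outside the hunk.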

diff --git a/0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch b/0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
new file mode 100644
index 0000000..c92d417
--- /dev/null
+++ b/0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
@@ -0,0 +1,330 @@
+From 590babb35e3aa399c889282747965e301333a656 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 16:07:18 +0200
+Subject: [PATCH 43/48] 
+ 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
+
+Patch-name: 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
+Patch-id: 93
+---
+ crypto/dh/dh_backend.c                       | 10 ++++
+ crypto/dh/dh_check.c                         | 12 ++--
+ crypto/dh/dh_gen.c                           | 12 +++-
+ crypto/dh/dh_key.c                           | 13 ++--
+ crypto/dh/dh_pmeth.c                         | 10 +++-
+ providers/implementations/keymgmt/dh_kmgmt.c |  5 ++
+ test/endecode_test.c                         |  4 +-
+ test/evp_libctx_test.c                       |  2 +-
+ test/helpers/predefined_dhparams.c           | 62 ++++++++++++++++++++
+ test/helpers/predefined_dhparams.h           |  1 +
+ test/recipes/80-test_cms.t                   |  4 +-
+ test/recipes/80-test_ssl_old.t               |  3 +
+ 12 files changed, 118 insertions(+), 20 deletions(-)
+
+diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c
+index 726843fd30..24c65ca84f 100644
+--- a/crypto/dh/dh_backend.c
++++ b/crypto/dh/dh_backend.c
+@@ -53,6 +53,16 @@ int ossl_dh_params_fromdata(DH *dh, const OSSL_PARAM params[])
+     if (!dh_ffc_params_fromdata(dh, params))
+         return 0;
+ 
++#ifdef FIPS_MODULE
++    if (!ossl_dh_is_named_safe_prime_group(dh)) {
++        ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
++                       "FIPS 186-4 type domain parameters no longer allowed in"
++                       " FIPS mode, since the required validation routines"
++                       " were removed from FIPS 186-5");
++        return 0;
++    }
++#endif
++
+     param_priv_len =
+         OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_PRIV_LEN);
+     if (param_priv_len != NULL
+diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
+index 0b391910d6..75581ca347 100644
+--- a/crypto/dh/dh_check.c
++++ b/crypto/dh/dh_check.c
+@@ -57,13 +57,15 @@ int DH_check_params(const DH *dh, int *ret)
+     nid = DH_get_nid((DH *)dh);
+     if (nid != NID_undef)
+         return 1;
++
+     /*
+-     * OR
+-     * (2b) FFC domain params conform to FIPS-186-4 explicit domain param
+-     * validity tests.
++     * FIPS 186-4 explicit domain parameters are no longer supported in FIPS mode.
+      */
+-    return ossl_ffc_params_FIPS186_4_validate(dh->libctx, &dh->params,
+-                                              FFC_PARAM_TYPE_DH, ret, NULL);
++    ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
++                   "FIPS 186-4 type domain parameters no longer allowed in"
++                   " FIPS mode, since the required validation routines were"
++                   " removed from FIPS 186-5");
++    return 0;
+ }
+ #else
+ int DH_check_params(const DH *dh, int *ret)
+diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c
+index 204662a81c..9961f21920 100644
+--- a/crypto/dh/dh_gen.c
++++ b/crypto/dh/dh_gen.c
+@@ -39,18 +39,26 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
+ int ossl_dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits,
+                                     BN_GENCB *cb)
+ {
+-    int ret, res;
++    int ret = 0;
+ 
+ #ifndef FIPS_MODULE
++    int res;
++
+     if (type == DH_PARAMGEN_TYPE_FIPS_186_2)
+         ret = ossl_ffc_params_FIPS186_2_generate(dh->libctx, &dh->params,
+                                                  FFC_PARAM_TYPE_DH,
+                                                  pbits, qbits, &res, cb);
+     else
+-#endif
+         ret = ossl_ffc_params_FIPS186_4_generate(dh->libctx, &dh->params,
+                                                  FFC_PARAM_TYPE_DH,
+                                                  pbits, qbits, &res, cb);
++#else
++    /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */
++    ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
++                   "FIPS 186-4 type domain parameters no longer allowed in"
++                   " FIPS mode, since the required generation routines were"
++                   " removed from FIPS 186-5");
++#endif
+     if (ret > 0)
+         dh->dirty_cnt++;
+     return ret;
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
+index 83773cceea..7e988368d3 100644
+--- a/crypto/dh/dh_key.c
++++ b/crypto/dh/dh_key.c
+@@ -321,8 +321,12 @@ static int generate_key(DH *dh)
+                 goto err;
+         } else {
+ #ifdef FIPS_MODULE
+-            if (dh->params.q == NULL)
+-                goto err;
++            ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
++                           "FIPS 186-4 type domain parameters no longer"
++                           " allowed in FIPS mode, since the required"
++                           " generation routines were removed from FIPS"
++                           " 186-5");
++            goto err;
+ #else
+             if (dh->params.q == NULL) {
+                 /* secret exponent length, must satisfy 2^(l-1) <= p */
+@@ -343,9 +347,7 @@ static int generate_key(DH *dh)
+                     if (!BN_clear_bit(priv_key, 0))
+                         goto err;
+                 }
+-            } else
+-#endif
+-            {
++            } else {
+                 /* Do a partial check for invalid p, q, g */
+                 if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params,
+                                                      FFC_PARAM_TYPE_DH, NULL))
+@@ -361,6 +363,7 @@ static int generate_key(DH *dh)
+                                                    priv_key))
+                     goto err;
+             }
++#endif
+         }
+     }
+ 
+diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
+index f201eede0d..30f90d15be 100644
+--- a/crypto/dh/dh_pmeth.c
++++ b/crypto/dh/dh_pmeth.c
+@@ -305,13 +305,17 @@ static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx,
+                                                 prime_len, subprime_len, &res,
+                                                 pcb);
+     else
+-# endif
+-    /* For FIPS we always use the DH_PARAMGEN_TYPE_FIPS_186_4 generator */
+-    if (dctx->paramgen_type >= DH_PARAMGEN_TYPE_FIPS_186_2)
+         rv = ossl_ffc_params_FIPS186_4_generate(libctx, &ret->params,
+                                                 FFC_PARAM_TYPE_DH,
+                                                 prime_len, subprime_len, &res,
+                                                 pcb);
++# else
++    /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */
++    ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
++                   "FIPS 186-4 type domain parameters no longer allowed in"
++                   " FIPS mode, since the required generation routines were"
++                   " removed from FIPS 186-5");
++# endif
+     if (rv <= 0) {
+         DH_free(ret);
+         return NULL;
+diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
+index 9a7dde7c66..b3e7bca5ac 100644
+--- a/providers/implementations/keymgmt/dh_kmgmt.c
++++ b/providers/implementations/keymgmt/dh_kmgmt.c
+@@ -414,6 +414,11 @@ static int dh_validate(const void *keydata, int selection, int checktype)
+     if ((selection & DH_POSSIBLE_SELECTIONS) == 0)
+         return 1; /* nothing to validate */
+ 
++#ifdef FIPS_MODULE
++    /* In FIPS provider, always check the domain parameters to disallow
++     * operations on keys with FIPS 186-4 params. */
++    selection |= OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS;
++#endif
+     if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) {
+         /*
+          * Both of these functions check parameters. DH_check_params_ex()
+diff --git a/test/endecode_test.c b/test/endecode_test.c
+index 53385028fc..169f3ccd73 100644
+--- a/test/endecode_test.c
++++ b/test/endecode_test.c
+@@ -84,10 +84,10 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams)
+      * for testing only. Use a minimum key size of 2048 for security purposes.
+      */
+     if (strcmp(type, "DH") == 0)
+-        return get_dh512(keyctx);
++        return get_dh2048(keyctx);
+ 
+     if (strcmp(type, "X9.42 DH") == 0)
+-        return get_dhx512(keyctx);
++        return get_dhx_ffdhe2048(keyctx);
+ # endif
+ 
+     /*
+diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
+index a7913cda4c..96a35ac1cc 100644
+--- a/test/evp_libctx_test.c
++++ b/test/evp_libctx_test.c
+@@ -189,7 +189,7 @@ static int do_dh_param_keygen(int tstid, const BIGNUM **bn)
+ 
+     if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL))
+         || !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0)
+-        || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey), expected))
++        || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey) == 1, expected))
+         goto err;
+ 
+     if (expected) {
+diff --git a/test/helpers/predefined_dhparams.c b/test/helpers/predefined_dhparams.c
+index 4bdadc4143..e5186e4b4a 100644
+--- a/test/helpers/predefined_dhparams.c
++++ b/test/helpers/predefined_dhparams.c
+@@ -116,6 +116,68 @@ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx)
+                           dhx512_q, sizeof(dhx512_q));
+ }
+ 
++EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx)
++{
++    /* This is RFC 7919 ffdhe2048, since Red Hat removes support for
++     * non-well-known groups in FIPS mode. */
++    static unsigned char dhx_p[] = {
++        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xad, 0xf8, 0x54, 0x58,
++        0xa2, 0xbb, 0x4a, 0x9a, 0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1,
++        0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95, 0xa9, 0xe1, 0x36, 0x41,
++        0x14, 0x64, 0x33, 0xfb, 0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9,
++        0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8, 0xf6, 0x81, 0xb2, 0x02,
++        0xae, 0xc4, 0x61, 0x7a, 0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61,
++        0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0, 0x85, 0x63, 0x65, 0x55,
++        0x3d, 0xed, 0x1a, 0xf3, 0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35,
++        0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77, 0xe2, 0xa6, 0x89, 0xda,
++        0xf3, 0xef, 0xe8, 0x72, 0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35,
++        0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a, 0xbc, 0x0a, 0xb1, 0x82,
++        0xb3, 0x24, 0xfb, 0x61, 0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb,
++        0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68, 0x1d, 0x4f, 0x42, 0xa3,
++        0xde, 0x39, 0x4d, 0xf4, 0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19,
++        0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70, 0x9e, 0x02, 0xfc, 0xe1,
++        0xcd, 0xf7, 0xe2, 0xec, 0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61,
++        0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff, 0x8e, 0x4f, 0x12, 0x32,
++        0xee, 0xf2, 0x81, 0x83, 0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73,
++        0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05, 0xc5, 0x8e, 0xf1, 0x83,
++        0x7d, 0x16, 0x83, 0xb2, 0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa,
++        0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97, 0xff, 0xff, 0xff, 0xff,
++        0xff, 0xff, 0xff, 0xff
++    };
++    static unsigned char dhx_g[] = {
++        0x02
++    };
++    static unsigned char dhx_q[] = {
++        0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xd6, 0xfc, 0x2a, 0x2c,
++        0x51, 0x5d, 0xa5, 0x4d, 0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78,
++        0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a, 0xd4, 0xf0, 0x9b, 0x20,
++        0x8a, 0x32, 0x19, 0xfd, 0xe6, 0x49, 0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c,
++        0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec, 0x7b, 0x40, 0xd9, 0x01,
++        0x57, 0x62, 0x30, 0xbd, 0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0,
++        0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68, 0x42, 0xb1, 0xb2, 0xaa,
++        0x9e, 0xf6, 0x8d, 0x79, 0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a,
++        0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb, 0xf1, 0x53, 0x44, 0xed,
++        0x79, 0xf7, 0xf4, 0x39, 0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a,
++        0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd, 0x5e, 0x05, 0x58, 0xc1,
++        0x59, 0x92, 0x7d, 0xb0, 0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd,
++        0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34, 0x0e, 0xa7, 0xa1, 0x51,
++        0xef, 0x1c, 0xa6, 0xfa, 0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c,
++        0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8, 0x4f, 0x01, 0x7e, 0x70,
++        0xe6, 0xfb, 0xf1, 0x76, 0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0,
++        0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff, 0xc7, 0x27, 0x89, 0x19,
++        0x77, 0x79, 0x40, 0xc1, 0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9,
++        0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02, 0xe2, 0xc7, 0x78, 0xc1,
++        0xbe, 0x8b, 0x41, 0xd9, 0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd,
++        0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b, 0xff, 0xff, 0xff, 0xff,
++        0xff, 0xff, 0xff, 0xff
++    };
++
++    return get_dh_from_pg(libctx, "X9.42 DH",
++                          dhx_p, sizeof(dhx_p),
++                          dhx_g, sizeof(dhx_g),
++                          dhx_q, sizeof(dhx_q));
++}
++
+ EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libctx)
+ {
+     static unsigned char dh1024_p[] = {
+diff --git a/test/helpers/predefined_dhparams.h b/test/helpers/predefined_dhparams.h
+index f0e8709062..2ff6d6e721 100644
+--- a/test/helpers/predefined_dhparams.h
++++ b/test/helpers/predefined_dhparams.h
+@@ -12,6 +12,7 @@
+ #ifndef OPENSSL_NO_DH
+ EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx);
+ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx);
++EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx);
+ EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libct);
+ EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx);
+ EVP_PKEY *get_dh4096(OSSL_LIB_CTX *libctx);
+diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
+index 2a459856f0..afac836fa3 100644
+--- a/test/recipes/80-test_cms.t
++++ b/test/recipes/80-test_cms.t
+@@ -627,10 +627,10 @@ my @smime_cms_param_tests = (
+     ],
+ 
+     [ "enveloped content test streaming S/MIME format, X9.42 DH",
+-      [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
++      [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
+         "-stream", "-out", "{output}.cms",
+         "-recip", catfile($smdir, "smdh.pem"), "-aes128" ],
+-      [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
++      [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
+         "-in", "{output}.cms", "-out", "{output}.txt" ],
+       \&final_compare
+     ]
+diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
+index 527abcea6e..e1d38b1e62 100644
+--- a/test/recipes/80-test_ssl_old.t
++++ b/test/recipes/80-test_ssl_old.t
+@@ -390,6 +390,9 @@ sub testssl {
+             skip "skipping dhe1024dsa test", 1
+                 if ($no_dh);
+ 
++            skip "FIPS 186-4 type DH groups are no longer supported by the FIPS provider", 1
++                if $provider eq "fips";
++
+             ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])),
+                'test sslv2/sslv3 with 1024bit DHE via BIO pair');
+           }
+-- 
+2.41.0
+
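Review bot: The FIPS branch added to ffc_params_generate in dh_pmeth.c raises the error and falls through to `if (rv <= 0)`, but nothing in the hunk assigns `rv` on that path, so the `DH_free(ret); return NULL;` cleanup relies on `rv` having been initialised to a non-positive value at the top of the function, which is outside the hunk; an explicit `rv = 0;` after the ERR_raise_data call would remove that dependence. The same "FIPS 186-4 type domain parameters no longer allowed in FIPS mode ..." message is now spelled out five times across dh_backend.c, dh_check.c, dh_gen.c, dh_key.c and dh_pmeth.c with small wording differences (validation vs generation routines); a single helper in crypto/dh such as `dh_raise_fips186_4_unsupported(void)` would keep the text consistent and make later edits a one-line change. In dh_gen.c the FIPS build of ossl_dh_generate_ffc_parameters no longer uses `type`, `pbits`, `qbits` or `cb`, which will produce unused-parameter warnings under -Wextra unless they are marked `(void)` in that branch. The enclosing functions start outside their hunks.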

diff --git a/0100-RSA-PKCS15-implicit-rejection.patch b/0100-RSA-PKCS15-implicit-rejection.patch
deleted file mode 100644
index 6821325..0000000
--- a/0100-RSA-PKCS15-implicit-rejection.patch
+++ /dev/null
@@ -1,1354 +0,0 @@
-diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c
-index d25504a03f7..c55511011f6 100644
---- a/crypto/cms/cms_env.c
-+++ b/crypto/cms/cms_env.c
-@@ -608,6 +608,13 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
-     if (!ossl_cms_env_asn1_ctrl(ri, 1))
-         goto err;
- 
-+    if (EVP_PKEY_is_a(pkey, "RSA"))
-+        /* upper layer CMS code incorrectly assumes that a successful RSA
-+         * decryption means that the key matches ciphertext (which never
-+         * was the case, implicit rejection or not), so to make it work
-+         * disable implicit rejection for RSA keys */
-+        EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_pkcs1_implicit_rejection", "0");
-+
-     if (EVP_PKEY_decrypt(ktri->pctx, NULL, &eklen,
-                          ktri->encryptedKey->data,
-                          ktri->encryptedKey->length) <= 0)
-diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c
-index 56ed5ea6d68..f64c1fcb2ac 100644
---- a/crypto/evp/ctrl_params_translate.c
-+++ b/crypto/evp/ctrl_params_translate.c
-@@ -2201,6 +2201,12 @@ static const struct translation_st evp_pkey_ctx_translations[] = {
-       EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, NULL, NULL,
-       OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, OSSL_PARAM_OCTET_STRING, NULL },
- 
-+    { SET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_TYPE_CRYPT,
-+      EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION, NULL,
-+      "rsa_pkcs1_implicit_rejection",
-+      OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, OSSL_PARAM_UNSIGNED_INTEGER,
-+      NULL },
-+
-     { SET, EVP_PKEY_RSA_PSS, 0, EVP_PKEY_OP_TYPE_GEN,
-       EVP_PKEY_CTRL_MD, "rsa_pss_keygen_md", NULL,
-       OSSL_ALG_PARAM_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md },
-diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
-index 31b368bda3b..8a46ab471df 100644
---- a/crypto/pkcs7/pk7_doit.c
-+++ b/crypto/pkcs7/pk7_doit.c
-@@ -163,6 +163,13 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
-     if (EVP_PKEY_decrypt_init(pctx) <= 0)
-         goto err;
- 
-+    if (EVP_PKEY_is_a(pkey, "RSA"))
-+        /* upper layer pkcs7 code incorrectly assumes that a successful RSA
-+         * decryption means that the key matches ciphertext (which never
-+         * was the case, implicit rejection or not), so to make it work
-+         * disable implicit rejection for RSA keys */
-+        EVP_PKEY_CTX_ctrl_str(pctx, "rsa_pkcs1_implicit_rejection", "0");
-+
-     if (EVP_PKEY_decrypt(pctx, NULL, &eklen,
-                          ri->enc_key->data, ri->enc_key->length) <= 0)
-         goto err;
-diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
-index 54e2a1c61ca..094a6632b66 100644
---- a/crypto/rsa/rsa_ossl.c
-+++ b/crypto/rsa/rsa_ossl.c
-@@ -17,6 +17,9 @@
- #include "crypto/bn.h"
- #include "rsa_local.h"
- #include "internal/constant_time.h"
-+#include <openssl/evp.h>
-+#include <openssl/sha.h>
-+#include <openssl/hmac.h>
- 
- static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
-                                   unsigned char *to, RSA *rsa, int padding);
-@@ -372,8 +375,13 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
-     BIGNUM *f, *ret;
-     int j, num = 0, r = -1;
-     unsigned char *buf = NULL;
-+    unsigned char d_hash[SHA256_DIGEST_LENGTH] = {0};
-+    HMAC_CTX *hmac = NULL;
-+    unsigned int md_len = SHA256_DIGEST_LENGTH;
-+    unsigned char kdk[SHA256_DIGEST_LENGTH] = {0};
-     BN_CTX *ctx = NULL;
-     int local_blinding = 0;
-+    EVP_MD *md = NULL;
-     /*
-      * Used only if the blinding structure is shared. A non-NULL unblind
-      * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
-@@ -382,6 +390,12 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
-     BIGNUM *unblind = NULL;
-     BN_BLINDING *blinding = NULL;
- 
-+    /*
-+     * we need the value of the private exponent to perform implicit rejection
-+     */
-+    if ((rsa->flags & RSA_FLAG_EXT_PKEY) && (padding == RSA_PKCS1_PADDING))
-+        padding = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING;
-+
-     if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
-         goto err;
-     BN_CTX_start(ctx);
-@@ -405,6 +419,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
-         goto err;
-     }
- 
-+    if (flen < 1) {
-+        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_SMALL);
-+        goto err;
-+    }
-+
-     /* make data into a big number */
-     if (BN_bin2bn(from, (int)flen, f) == NULL)
-         goto err;
-@@ -471,6 +490,81 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
-         BN_free(d);
-     }
- 
-+    /*
-+     * derive the Key Derivation Key from private exponent and public
-+     * ciphertext
-+     */
-+    if (padding == RSA_PKCS1_PADDING) {
-+        /*
-+         * because we use d as a handle to rsa->d we need to keep it local and
-+         * free before any further use of rsa->d
-+         */
-+        BIGNUM *d = BN_new();
-+        if (d == NULL) {
-+            ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
-+            goto err;
-+        }
-+        if (rsa->d == NULL) {
-+            ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY);
-+            BN_free(d);
-+            goto err;
-+        }
-+        BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
-+        if (BN_bn2binpad(d, buf, num) < 0) {
-+            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+            BN_free(d);
-+            goto err;
-+        }
-+        BN_free(d);
-+
-+        /*
-+         * we use hardcoded hash so that migrating between versions that use
-+         * different hash doesn't provide a Bleichenbacher oracle:
-+         * if the attacker can see that different versions return different
-+         * messages for the same ciphertext, they'll know that the message is
-+         * syntethically generated, which means that the padding check failed
-+         */
-+        md = EVP_MD_fetch(rsa->libctx, "sha256", NULL);
-+        if (md == NULL) {
-+            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+            goto err;
-+        }
-+
-+        if (EVP_Digest(buf, num, d_hash, NULL, md, NULL) <= 0) {
-+            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+            goto err;
-+        }
-+
-+        hmac = HMAC_CTX_new();
-+        if (hmac == NULL) {
-+            ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
-+            goto err;
-+        }
-+
-+        if (HMAC_Init_ex(hmac, d_hash, sizeof(d_hash), md, NULL) <= 0) {
-+            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+            goto err;
-+        }
-+
-+        if (flen < num) {
-+            memset(buf, 0, num - flen);
-+            if (HMAC_Update(hmac, buf, num - flen) <= 0) {
-+                ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+                goto err;
-+            }
-+        }
-+        if (HMAC_Update(hmac, from, flen) <= 0) {
-+            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+            goto err;
-+        }
-+
-+        md_len = SHA256_DIGEST_LENGTH;
-+        if (HMAC_Final(hmac, kdk, &md_len) <= 0) {
-+            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+            goto err;
-+        }
-+    }
-+
-     if (blinding)
-         if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
-             goto err;
-@@ -471,9 +545,12 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
-         goto err;
- 
-     switch (padding) {
--    case RSA_PKCS1_PADDING:
-+    case RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING:
-         r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
-         break;
-+    case RSA_PKCS1_PADDING:
-+        r = ossl_rsa_padding_check_PKCS1_type_2(rsa->libctx, to, num, buf, j, num, kdk);
-+        break;
-     case RSA_PKCS1_OAEP_PADDING:
-         r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
-         break;
-@@ -500,6 +597,8 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
- #endif
- 
-  err:
-+    HMAC_CTX_free(hmac);
-+    EVP_MD_free(md);
-     BN_CTX_end(ctx);
-     BN_CTX_free(ctx);
-     OPENSSL_clear_free(buf, num);
-diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c
-index 5f72fe1735d..04fb0e4ed5e 100644
---- a/crypto/rsa/rsa_pk1.c
-+++ b/crypto/rsa/rsa_pk1.c
-@@ -21,10 +21,14 @@
- #include <openssl/rand.h>
- /* Just for the SSL_MAX_MASTER_KEY_LENGTH value */
- #include <openssl/prov_ssl.h>
-+#include <openssl/evp.h>
-+#include <openssl/sha.h>
-+#include <openssl/hmac.h>
- #include "internal/cryptlib.h"
- #include "crypto/rsa.h"
- #include "rsa_local.h"
- 
-+
- int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
-                                  const unsigned char *from, int flen)
- {
-@@ -271,6 +275,254 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
-     return constant_time_select_int(good, mlen, -1);
- }
- 
-+
-+static int ossl_rsa_prf(OSSL_LIB_CTX *ctx,
-+                        unsigned char *to, int tlen,
-+                        const char *label, int llen,
-+                        const unsigned char *kdk,
-+                        uint16_t bitlen)
-+{
-+    int pos;
-+    int ret = -1;
-+    uint16_t iter = 0;
-+    unsigned char be_iter[sizeof(iter)];
-+    unsigned char be_bitlen[sizeof(bitlen)];
-+    HMAC_CTX *hmac = NULL;
-+    EVP_MD *md = NULL;
-+    unsigned char hmac_out[SHA256_DIGEST_LENGTH];
-+    unsigned int md_len;
-+
-+    if (tlen * 8 != bitlen) {
-+        ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+        return ret;
-+    }
-+
-+    be_bitlen[0] = (bitlen >> 8) & 0xff;
-+    be_bitlen[1] = bitlen & 0xff;
-+
-+    hmac = HMAC_CTX_new();
-+    if (hmac == NULL) {
-+        ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+        goto err;
-+    }
-+
-+    /*
-+     * we use hardcoded hash so that migrating between versions that use
-+     * different hash doesn't provide a Bleichenbacher oracle:
-+     * if the attacker can see that different versions return different
-+     * messages for the same ciphertext, they'll know that the message is
-+     * syntethically generated, which means that the padding check failed
-+     */
-+    md = EVP_MD_fetch(ctx, "sha256", NULL);
-+    if (md == NULL) {
-+        ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+        goto err;
-+    }
-+
-+    if (HMAC_Init_ex(hmac, kdk, SHA256_DIGEST_LENGTH, md, NULL) <= 0) {
-+        ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+        goto err;
-+    }
-+
-+    for (pos = 0; pos < tlen; pos += SHA256_DIGEST_LENGTH, iter++) {
-+        if (HMAC_Init_ex(hmac, NULL, 0, NULL, NULL) <= 0) {
-+            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+            goto err;
-+        }
-+
-+        be_iter[0] = (iter >> 8) & 0xff;
-+        be_iter[1] = iter & 0xff;
-+
-+        if (HMAC_Update(hmac, be_iter, sizeof(be_iter)) <= 0) {
-+            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+            goto err;
-+        }
-+        if (HMAC_Update(hmac, (unsigned char *)label, llen) <= 0) {
-+            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+            goto err;
-+        }
-+        if (HMAC_Update(hmac, be_bitlen, sizeof(be_bitlen)) <= 0) {
-+            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+            goto err;
-+        }
-+
-+        /*
-+         * HMAC_Final requires the output buffer to fit the whole MAC
-+         * value, so we need to use the intermediate buffer for the last
-+         * unaligned block
-+         */
-+        md_len = SHA256_DIGEST_LENGTH;
-+        if (pos + SHA256_DIGEST_LENGTH > tlen) {
-+            if (HMAC_Final(hmac, hmac_out, &md_len) <= 0) {
-+                ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+                goto err;
-+            }
-+            memcpy(to + pos, hmac_out, tlen - pos);
-+        } else {
-+            if (HMAC_Final(hmac, to + pos, &md_len) <= 0) {
-+                ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+                goto err;
-+            }
-+        }
-+    }
-+
-+    ret = 0;
-+
-+err:
-+    HMAC_CTX_free(hmac);
-+    EVP_MD_free(md);
-+    return ret;
-+}
-+
-+/*
-+ * ossl_rsa_padding_check_PKCS1_type_2() checks and removes the PKCS#1 type 2
-+ * padding from a decrypted RSA message. Unlike the
-+ * RSA_padding_check_PKCS1_type_2() it will not return an error in case it
-+ * detects a padding error, rather it will return a deterministically generated
-+ * random message. In other words it will perform an implicit rejection
-+ * of an invalid padding. This means that the returned value does not indicate
-+ * if the padding of the encrypted message was correct or not, making
-+ * side channel attacks like the ones described by Bleichenbacher impossible
-+ * without access to the full decrypted value and a brute-force search of
-+ * remaining padding bytes
-+ */
-+int ossl_rsa_padding_check_PKCS1_type_2(OSSL_LIB_CTX *ctx,
-+                                        unsigned char *to, int tlen,
-+                                        const unsigned char *from, int flen,
-+                                        int num, unsigned char *kdk)
-+{
-+/*
-+ * We need to generate a random length for the synthethic message, to avoid
-+ * bias towards zero and avoid non-constant timeness of DIV, we prepare
-+ * 128 values to check if they are not too large for the used key size,
-+ * and use 0 in case none of them are small enough, as 2^-128 is a good enough
-+ * safety margin
-+ */
-+#define MAX_LEN_GEN_TRIES 128
-+    unsigned char *synthetic = NULL;
-+    int synthethic_length;
-+    uint16_t len_candidate;
-+    unsigned char candidate_lengths[MAX_LEN_GEN_TRIES * sizeof(len_candidate)];
-+    uint16_t len_mask;
-+    uint16_t max_sep_offset;
-+    int synth_msg_index = 0;
-+    int ret = -1;
-+    int i, j;
-+    unsigned int good, found_zero_byte;
-+    int zero_index = 0, msg_index;
-+
-+    /*
-+     * If these checks fail then either the message in publicly invalid, or
-+     * we've been called incorrectly. We can fail immediately.
-+     * Since this code is called only internally by openssl, those are just
-+     * sanity checks
-+     */
-+    if (num != flen || tlen <= 0 || flen <= 0) {
-+        ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+        return -1;
-+    }
-+
-+    /* Generate a random message to return in case the padding checks fail */
-+    synthetic = OPENSSL_malloc(flen);
-+    if (synthetic == NULL) {
-+        ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
-+        return -1;
-+    }
-+
-+    if (ossl_rsa_prf(ctx, synthetic, flen, "message", 7, kdk, flen * 8) < 0)
-+        goto err;
-+
-+    /* decide how long the random message should be */
-+    if (ossl_rsa_prf(ctx, candidate_lengths, sizeof(candidate_lengths),
-+                     "length", 6, kdk,
-+                     MAX_LEN_GEN_TRIES * sizeof(len_candidate) * 8) < 0)
-+        goto err;
-+
-+    /*
-+     * max message size is the size of the modulus size less 2 bytes for
-+     * version and padding type and a minimum of 8 bytes padding
-+     */
-+    len_mask = max_sep_offset = flen - 2 - 8;
-+    /*
-+     * we want a mask so lets propagate the high bit to all positions less
-+     * significant than it
-+     */
-+    len_mask |= len_mask >> 1;
-+    len_mask |= len_mask >> 2;
-+    len_mask |= len_mask >> 4;
-+    len_mask |= len_mask >> 8;
-+
-+    synthethic_length = 0;
-+    for (i = 0; i < MAX_LEN_GEN_TRIES * (int)sizeof(len_candidate);
-+            i += sizeof(len_candidate)) {
-+        len_candidate = (candidate_lengths[i] << 8) | candidate_lengths[i + 1];
-+        len_candidate &= len_mask;
-+
-+        synthethic_length = constant_time_select_int(
-+            constant_time_lt(len_candidate, max_sep_offset),
-+            len_candidate, synthethic_length);
-+    }
-+
-+    synth_msg_index = flen - synthethic_length;
-+
-+    /* we have alternative message ready, check the real one */
-+    good = constant_time_is_zero(from[0]);
-+    good &= constant_time_eq(from[1], 2);
-+
-+    /* then look for the padding|message separator (the first zero byte) */
-+    found_zero_byte = 0;
-+    for (i = 2; i < flen; i++) {
-+        unsigned int equals0 = constant_time_is_zero(from[i]);
-+        zero_index = constant_time_select_int(~found_zero_byte & equals0,
-+                                              i, zero_index);
-+        found_zero_byte |= equals0;
-+    }
-+
-+    /*
-+     * padding must be at least 8 bytes long, and it starts two bytes into
-+     * |from|. If we never found a 0-byte, then |zero_index| is 0 and the check
-+     * also fails.
-+     */
-+    good &= constant_time_ge(zero_index, 2 + 8);
-+
-+    /*
-+     * Skip the zero byte. This is incorrect if we never found a zero-byte
-+     * but in this case we also do not copy the message out.
-+     */
-+    msg_index = zero_index + 1;
-+
-+    /*
-+     * old code returned an error in case the decrypted message wouldn't fit
-+     * into the |to|, since that would leak information, return the synthethic
-+     * message instead
-+     */
-+    good &= constant_time_ge(tlen, num - msg_index);
-+
-+    msg_index = constant_time_select_int(good, msg_index, synth_msg_index);
-+
-+    /*
-+     * since at this point the |msg_index| does not provide the signal
-+     * indicating if the padding check failed or not, we don't have to worry
-+     * about leaking the length of returned message, we still need to ensure
-+     * that we read contents of both buffers so that cache accesses don't leak
-+     * the value of |good|
-+     */
-+    for (i = msg_index, j = 0; i < flen && j < tlen; i++, j++)
-+        to[j] = constant_time_select_8(good, from[i], synthetic[i]);
-+    ret = j;
-+
-+err:
-+    /*
-+     * the only time ret < 0 is when the ciphertext is publicly invalid
-+     * or we were called with invalid parameters, so we don't have to perform
-+     * a side-channel secure raising of the error
-+     */
-+    if (ret < 0)
-+        ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+    OPENSSL_free(synthetic);
-+    return ret;
-+}
-+
- /*
-  * ossl_rsa_padding_check_PKCS1_type_2_TLS() checks and removes the PKCS1 type 2
-  * padding from a decrypted RSA message in a TLS signature. The result is stored
-diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c
-index 8b35e5c3c6d..c67b20baf56 100644
---- a/crypto/rsa/rsa_pmeth.c
-+++ b/crypto/rsa/rsa_pmeth.c
-@@ -52,6 +52,8 @@ typedef struct {
-     /* OAEP label */
-     unsigned char *oaep_label;
-     size_t oaep_labellen;
-+    /* if to use implicit rejection in PKCS#1 v1.5 decryption */
-+    int implicit_rejection;
- } RSA_PKEY_CTX;
- 
- /* True if PSS parameters are restricted */
-@@ -72,6 +74,7 @@ static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
-     /* Maximum for sign, auto for verify */
-     rctx->saltlen = RSA_PSS_SALTLEN_AUTO;
-     rctx->min_saltlen = -1;
-+    rctx->implicit_rejection = 1;
-     ctx->data = rctx;
-     ctx->keygen_info = rctx->gentmp;
-     ctx->keygen_info_count = 2;
-@@ -97,6 +100,7 @@ static int pkey_rsa_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src)
-     dctx->md = sctx->md;
-     dctx->mgf1md = sctx->mgf1md;
-     dctx->saltlen = sctx->saltlen;
-+    dctx->implicit_rejection = sctx->implicit_rejection;
-     if (sctx->oaep_label) {
-         OPENSSL_free(dctx->oaep_label);
-         dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen);
-@@ -345,6 +349,7 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
-                             const unsigned char *in, size_t inlen)
- {
-     int ret;
-+    int pad_mode;
-     RSA_PKEY_CTX *rctx = ctx->data;
-     /*
-      * Discard const. Its marked as const because this may be a cached copy of
-@@ -365,7 +370,12 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
-                                                 rctx->oaep_labellen,
-                                                 rctx->md, rctx->mgf1md);
-     } else {
--        ret = RSA_private_decrypt(inlen, in, out, rsa, rctx->pad_mode);
-+        if (rctx->pad_mode == RSA_PKCS1_PADDING &&
-+              rctx->implicit_rejection == 0)
-+            pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING;
-+        else
-+            pad_mode = rctx->pad_mode;
-+        ret = RSA_private_decrypt(inlen, in, out, rsa, pad_mode);
-     }
-     *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret);
-     ret = constant_time_select_int(constant_time_msb(ret), ret, 1);
-@@ -585,6 +595,14 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
-         *(unsigned char **)p2 = rctx->oaep_label;
-         return rctx->oaep_labellen;
- 
-+    case EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION:
-+        if (rctx->pad_mode != RSA_PKCS1_PADDING) {
-+            ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE);
-+            return -2;
-+        }
-+        rctx->implicit_rejection = p1;
-+        return 1;
-+
-     case EVP_PKEY_CTRL_DIGESTINIT:
-     case EVP_PKEY_CTRL_PKCS7_SIGN:
- #ifndef OPENSSL_NO_CMS
-diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in
-index b0054ead66f..dd878297987 100644
---- a/doc/man1/openssl-pkeyutl.pod.in
-+++ b/doc/man1/openssl-pkeyutl.pod.in
-@@ -240,6 +240,11 @@ signed or verified directly instead of using a B<DigestInfo> structure. If a
- digest is set then the a B<DigestInfo> structure is used and its the length
- must correspond to the digest type.
- 
-+Note, for B<pkcs1> padding, as a protection against Bleichenbacher attack,
-+the decryption will not fail in case of padding check failures. Use B<none>
-+and manual inspection of the decrypted message to verify if the decrypted
-+value has correct PKCS#1 v1.5 padding.
-+
- For B<oaep> mode only encryption and decryption is supported.
- 
- For B<x931> if the digest type is set it is used to format the block data
-@@ -267,6 +272,16 @@ explicitly set in PSS mode then the signing digest is used.
- Sets the digest used for the OAEP hash function. If not explicitly set then
- SHA1 is used.
- 
-+=item B<rsa_pkcs1_implicit_rejection:>I<flag>
-+
-+Disables (when set to 0) or enables (when set to 1) the use of implicit
-+rejection with PKCS#1 v1.5 decryption. When enabled (the default), as a
-+protection against Bleichenbacher attack, the library will generate a
-+deterministic random plaintext that it will return to the caller in case
-+of padding check failure.
-+When disabled, it's the callers' responsibility to handle the returned
-+errors in a side-channel free manner.
-+
- =back
- 
- =head1 RSA-PSS ALGORITHM
-diff --git a/doc/man1/openssl-rsautl.pod.in b/doc/man1/openssl-rsautl.pod.in
-index 186e49e5e49..eab34979de3 100644
---- a/doc/man1/openssl-rsautl.pod.in
-+++ b/doc/man1/openssl-rsautl.pod.in
-@@ -105,6 +105,11 @@ The padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP,
- ANSI X9.31, or no padding, respectively.
- For signatures, only B<-pkcs> and B<-raw> can be used.
- 
-+Note: because of protection against Bleichenbacher attacks, decryption
-+using PKCS#1 v1.5 mode will not return errors in case padding check failed.
-+Use B<-raw> and inspect the returned value manually to check if the
-+padding is correct.
-+
- =item B<-hexdump>
- 
- Hex dump the output data.
-diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod
-index 9b96f42dbc9..f7957e95f7f 100644
---- a/doc/man3/EVP_PKEY_CTX_ctrl.pod
-+++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod
-@@ -393,6 +393,15 @@ this behaviour should be tolerated then
- OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION should be set to the actual
- negotiated protocol version. Otherwise it should be left unset.
- 
-+Similarly to the B<RSA_PKCS1_WITH_TLS_PADDING> above, since OpenSSL version
-+3.1.0, the use of B<RSA_PKCS1_PADDING> will return a randomly generated message
-+instead of padding errors in case padding checks fail. Applications that
-+want to remain secure while using earlier versions of OpenSSL, still need to
-+handle both the error code from the RSA decryption operation and the
-+returned message in a side channel secure manner.
-+This protection against Bleichenbacher attacks can be disabled by setting
-+the OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION (an unsigned integer) to 0.
-+
- =head2 DSA parameters
- 
- EVP_PKEY_CTX_set_dsa_paramgen_bits() sets the number of bits used for DSA
-diff --git a/doc/man3/EVP_PKEY_decrypt.pod b/doc/man3/EVP_PKEY_decrypt.pod
-index 0cd1a6548d0..462265c5a67 100644
---- a/doc/man3/EVP_PKEY_decrypt.pod
-+++ b/doc/man3/EVP_PKEY_decrypt.pod
-@@ -51,6 +51,18 @@ return 1 for success and 0 or a negative value for failure. In particular a
- return value of -2 indicates the operation is not supported by the public key
- algorithm.
- 
-+=head1 WARNINGS
-+
-+In OpenSSL versions before 3.1.0, when used in PKCS#1 v1.5 padding,
-+both the return value from the EVP_PKEY_decrypt() and the B<outlen> provided
-+information useful in mounting a Bleichenbacher attack against the
-+used private key. They had to processed in a side-channel free way.
-+
-+Since version 3.1.0, the EVP_PKEY_decrypt() method when used with PKCS#1
-+v1.5 padding doesn't return an error in case it detects an error in padding,
-+instead it returns a pseudo-randomly generated message, removing the need
-+of side-channel secure code from applications using OpenSSL.
-+
- =head1 EXAMPLES
- 
- Decrypt data using OAEP (for RSA keys):
-diff --git a/doc/man3/RSA_padding_add_PKCS1_type_1.pod b/doc/man3/RSA_padding_add_PKCS1_type_1.pod
-index 9f7025c4975..36ae18563f2 100644
---- a/doc/man3/RSA_padding_add_PKCS1_type_1.pod
-+++ b/doc/man3/RSA_padding_add_PKCS1_type_1.pod
-@@ -121,8 +121,8 @@ L<ERR_get_error(3)>.
- 
- =head1 WARNINGS
- 
--The result of RSA_padding_check_PKCS1_type_2() is a very sensitive
--information which can potentially be used to mount a Bleichenbacher
-+The result of RSA_padding_check_PKCS1_type_2() is exactly the
-+information which is used to mount a classical Bleichenbacher
- padding oracle attack. This is an inherent weakness in the PKCS #1
- v1.5 padding design. Prefer PKCS1_OAEP padding. If that is not
- possible, the result of RSA_padding_check_PKCS1_type_2() should be
-@@ -137,6 +137,9 @@ as this would create a small timing side channel which could be
- used to mount a Bleichenbacher attack against any padding mode
- including PKCS1_OAEP.
- 
-+You should prefer the use of EVP PKEY APIs for PKCS#1 v1.5 decryption
-+as they implement the necessary workarounds internally.
-+
- =head1 SEE ALSO
- 
- L<RSA_public_encrypt(3)>,
-diff --git a/doc/man3/RSA_public_encrypt.pod b/doc/man3/RSA_public_encrypt.pod
-index 1d38073aead..bd3f835ac6d 100644
---- a/doc/man3/RSA_public_encrypt.pod
-+++ b/doc/man3/RSA_public_encrypt.pod
-@@ -52,8 +52,8 @@ Encrypting user data directly with RSA is insecure.
- 
- =back
- 
--B<flen> must not be more than RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5
--based padding modes, not more than RSA_size(B<rsa>) - 42 for
-+When encrypting B<flen> must not be more than RSA_size(B<rsa>) - 11 for the
-+PKCS #1 v1.5 based padding modes, not more than RSA_size(B<rsa>) - 42 for
- RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B<rsa>) for RSA_NO_PADDING.
- When a padding mode other than RSA_NO_PADDING is in use, then
- RSA_public_encrypt() will include some random bytes into the ciphertext
-@@ -92,6 +92,13 @@ which can potentially be used to mount a Bleichenbacher padding oracle
- attack. This is an inherent weakness in the PKCS #1 v1.5 padding
- design. Prefer RSA_PKCS1_OAEP_PADDING.
- 
-+In OpenSSL before version 3.1.0, both the return value and the length of
-+returned value could be used to mount the Bleichenbacher attack.
-+Since version 3.1.0, OpenSSL does not return an error in case of padding
-+checks failed. Instead it generates a random message based on used private
-+key and provided ciphertext so that application code doesn't have to implement
-+a side-channel secure error handling.
-+
- =head1 CONFORMING TO
- 
- SSL, PKCS #1 v2.0
-diff --git a/doc/man7/provider-asym_cipher.pod b/doc/man7/provider-asym_cipher.pod
-index ac3f6271969..cb770c9e857 100644
---- a/doc/man7/provider-asym_cipher.pod
-+++ b/doc/man7/provider-asym_cipher.pod
-@@ -235,6 +235,15 @@ The TLS protocol version first requested by the client.
- 
- The negotiated TLS protocol version.
- 
-+=item "implicit-rejection" (B<OSSL_PKEY_PARAM_IMPLICIT_REJECTION>) <unsigned integer>
-+
-+Gets of sets the use of the implicit rejection mechanism for RSA PKCS#1 v1.5
-+decryption. When set (non zero value), the decryption API will return
-+a deterministically random value if the PKCS#1 v1.5 padding check fails.
-+This makes explotation of the Bleichenbacher significantly harder, even
-+if the code using the RSA decryption API is not implemented in side-channel
-+free manner. Set by default.
-+
- =back
- 
- OSSL_FUNC_asym_cipher_gettable_ctx_params() and OSSL_FUNC_asym_cipher_settable_ctx_params()
-diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h
-index 949873d0ee3..f267e5d9d1c 100644
---- a/include/crypto/rsa.h
-+++ b/include/crypto/rsa.h
-@@ -83,6 +83,10 @@ int ossl_rsa_param_decode(RSA *rsa, const X509_ALGOR *alg);
- RSA *ossl_rsa_key_from_pkcs8(const PKCS8_PRIV_KEY_INFO *p8inf,
-                              OSSL_LIB_CTX *libctx, const char *propq);
- 
-+int ossl_rsa_padding_check_PKCS1_type_2(OSSL_LIB_CTX *ctx,
-+                                        unsigned char *to, int tlen,
-+                                        const unsigned char *from, int flen,
-+                                        int num, unsigned char *kdk);
- int ossl_rsa_padding_check_PKCS1_type_2_TLS(OSSL_LIB_CTX *ctx, unsigned char *to,
-                                             size_t tlen,
-                                             const unsigned char *from,
-diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
-index e6c4758a33e..6e4a4f8539d 100644
---- a/include/openssl/core_names.h
-+++ b/include/openssl/core_names.h
-@@ -302,6 +302,7 @@ extern "C" {
- #define OSSL_PKEY_PARAM_DIST_ID             "distid"
- #define OSSL_PKEY_PARAM_PUB_KEY             "pub"
- #define OSSL_PKEY_PARAM_PRIV_KEY            "priv"
-+#define OSSL_PKEY_PARAM_IMPLICIT_REJECTION  "implicit-rejection"
- 
- /* Diffie-Hellman/DSA Parameters */
- #define OSSL_PKEY_PARAM_FFC_P               "p"
-@@ -482,6 +483,7 @@ extern "C" {
- #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL               "oaep-label"
- #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION       "tls-client-version"
- #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION   "tls-negotiated-version"
-+#define OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION       "implicit-rejection"
- #ifdef FIPS_MODULE
- #define OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED     "redhat-kat-oaep-seed"
- #endif
-diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
-index bce21258227..167427d3c48 100644
---- a/include/openssl/rsa.h
-+++ b/include/openssl/rsa.h
-@@ -189,6 +189,8 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label);
- 
- # define EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES  (EVP_PKEY_ALG_CTRL + 13)
- 
-+# define EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION (EVP_PKEY_ALG_CTRL + 14)
-+
- # define RSA_PKCS1_PADDING          1
- # define RSA_NO_PADDING             3
- # define RSA_PKCS1_OAEP_PADDING     4
-@@ -198,6 +200,9 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label);
- # define RSA_PKCS1_PSS_PADDING      6
- # define RSA_PKCS1_WITH_TLS_PADDING 7
- 
-+/* internal RSA_ only */
-+# define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8
-+
- # define RSA_PKCS1_PADDING_SIZE    11
- 
- # define RSA_set_app_data(s,arg)         RSA_set_ex_data(s,0,arg)
-diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
-index 3d331ea8dfd..fbafb84f8cb 100644
---- a/providers/implementations/asymciphers/rsa_enc.c
-+++ b/providers/implementations/asymciphers/rsa_enc.c
-@@ -75,6 +75,8 @@ typedef struct {
-     /* TLS padding */
-     unsigned int client_version;
-     unsigned int alt_version;
-+    /* PKCS#1 v1.5 decryption mode */
-+    unsigned int implicit_rejection;
- #ifdef FIPS_MODULE
-     char *redhat_st_oaep_seed;
- #endif /* FIPS_MODULE */
-@@ -107,6 +109,7 @@ static int rsa_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[],
-     RSA_free(prsactx->rsa);
-     prsactx->rsa = vrsa;
-     prsactx->operation = operation;
-+    prsactx->implicit_rejection = 1;
- 
-     switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) {
-     case RSA_FLAG_TYPE_RSA:
-@@ -195,6 +198,7 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
- {
-     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
-     int ret;
-+    int pad_mode;
-     size_t len = RSA_size(prsactx->rsa);
- 
-     if (!ossl_prov_is_running())
-@@ -270,8 +274,12 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
-         }
-         OPENSSL_free(tbuf);
-     } else {
--        ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa,
--                                  prsactx->pad_mode);
-+        if ((prsactx->implicit_rejection == 0) &&
-+                (prsactx->pad_mode == RSA_PKCS1_PADDING))
-+            pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING;
-+        else
-+            pad_mode = prsactx->pad_mode;
-+        ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa, pad_mode);
-     }
-     *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret);
-     ret = constant_time_select_int(constant_time_msb(ret), 0, 1);
-@@ -395,6 +403,10 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
-     if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version))
-         return 0;
- 
-+    p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION);
-+    if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->implicit_rejection))
-+        return 0;
-+
-     return 1;
- }
- 
-@@ -406,6 +418,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
-                     NULL, 0),
-     OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),
-     OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
-+    OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
- #ifdef FIPS_MODULE
-     OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0),
- #endif /* FIPS_MODULE */
-@@ -543,6 +556,14 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
-             return 0;
-         prsactx->alt_version = alt_version;
-     }
-+    p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION);
-+    if (p != NULL) {
-+        unsigned int implicit_rejection;
-+
-+        if (!OSSL_PARAM_get_uint(p, &implicit_rejection))
-+            return 0;
-+        prsactx->implicit_rejection = implicit_rejection;
-+    }
- 
-     return 1;
- }
-@@ -555,6 +576,7 @@ static const OSSL_PARAM known_settable_ctx_params[] = {
-     OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, NULL, 0),
-     OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),
-     OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
-+    OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
-     OSSL_PARAM_END
- };
- 
-diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
-index b8d8bb2993e..a3d01eec457 100644
---- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
-+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
-@@ -253,9 +253,25 @@ Decrypt = RSA-2048
- Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78
- Output = "Hello World"
- 
-+Availablein = default
-+# Note: disable the Bleichenbacher workaround to see if it passes
-+Decrypt = RSA-2048
-+Ctrl = rsa_pkcs1_implicit_rejection:0
-+Input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
-+Output = "Hello World"
-+
-+Availablein = default
-+# Corrupted ciphertext
-+# Note: output is generated synthethically by the Bleichenbacher workaround
-+Decrypt = RSA-2048
-+Input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
-+Output = 4cbb988d6a46228379132b0b5f8c249b3860043848c93632fb982c807c7c82fffc7a9ef83f4908f890373ac181ffea6381e103bcaa27e65638b6ecebef38b59ed4226a9d12af675cfcb634d8c40e7a7aff
-+
- # Corrupted ciphertext
- Availablein = default
-+# Note: disable the Bleichenbacher workaround to see if it fails
- Decrypt = RSA-2048
-+Ctrl = rsa_pkcs1_implicit_rejection:0
- Input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
- Output = "Hello World"
- Result = KEYOP_ERROR
-@@ -277,6 +297,462 @@ Derive = RSA-2048
- Result = KEYOP_INIT_ERROR
- Reason = operation not supported for this keytype
- 
-+# Test vectors for the Bleichenbacher workaround
-+
-+PrivateKey = RSA-2048-2
-+-----BEGIN RSA PRIVATE KEY-----
-+MIIEowIBAAKCAQEAyMyDlxQJjaVsqiNkD5PciZfBY3KWj8Gwxt9RE8HJTosh5IrS
-+KX5lQZARtObY9ec7G3iyV0ADIdHva2AtTsjOjRQclJBetK0wZjmkkgZTS25/JgdC
-+Ppff/RM8iNchOZ3vvH6WzNy9fzquH+iScSv7SSmBfVEWZkQKH6y3ogj16hZZEK3Y
-+o/LUlyAjYMy2MgJPDQcWnBkY8xb3lLFDrvVOyHUipMApePlomYC/+/ZJwwfoGBm/
-++IQJY41IvZS+FStZ/2SfoL1inQ/6GBPDq/S1a9PC6lRl3/oUWJKSqdiiStJr5+4F
-+EHQbY4LUPIPVv6QKRmE9BivkRVF9vK8MtOGnaQIDAQABAoIBABRVAQ4PLVh2Y6Zm
-+pv8czbvw7dgQBkbQKgI5IpCJksStOeVWWSlybvZQjDpxFY7wtv91HTnQdYC7LS8G
-+MhBELQYD/1DbvXs1/iybsZpHoa+FpMJJAeAsqLWLeRmyDt8yqs+/Ua20vEthubfp
-+aMqk1XD3DvGNgGMiiJPkfUOe/KeTJZvPLNEIo9hojN8HjnrHmZafIznSwfUiuWlo
-+RimpM7quwmgWJeq4T05W9ER+nYj7mhmc9xAj4OJXsURBszyE07xnyoAx0mEmGBA6
-+egpAhEJi912IkM1hblH5A1SI/W4Jnej/bWWk/xGCVIB8n1jS+7qLoVHcjGi+NJyX
-+eiBOBMECgYEA+PWta6gokxvqRZuKP23AQdI0gkCcJXHpY/MfdIYColY3GziD7UWe
-+z5cFJkWe3RbgVSL1pF2UdRsuwtrycsf4gWpSwA0YCAFxY02omdeXMiL1G5N2MFSG
-+lqn32MJKWUl8HvzUVc+5fuhtK200lyszL9owPwSZm062tcwLsz53Yd0CgYEAznou
-+O0mpC5YzChLcaCvfvfuujdbcA7YUeu+9V1dD8PbaTYYjUGG3Gv2crS00Al5WrIaw
-+93Q+s14ay8ojeJVCRGW3Bu0iF15XGMjHC2cD6o9rUQ+UW+SOWja7PDyRcytYnfwF
-+1y2AkDGURSvaITSGR+xylD8RqEbmL66+jrU2sP0CgYB2/hXxiuI5zfHfa0RcpLxr
-+uWjXiMIZM6T13NKAAz1nEgYswIpt8gTB+9C+RjB0Q+bdSmRWN1Qp1OA4yiVvrxyb
-+3pHGsXt2+BmV+RxIy768e/DjSUwINZ5OjNalh9e5bWIh/X4PtcVXXwgu5XdpeYBx
-+sru0oyI4FRtHMUu2VHkDEQKBgQCZiEiwVUmaEAnLx9KUs2sf/fICDm5zZAU+lN4a
-+AA3JNAWH9+JydvaM32CNdTtjN3sDtvQITSwCfEs4lgpiM7qe2XOLdvEOp1vkVgeL
-+9wH2fMaz8/3BhuZDNsdrNy6AkQ7ICwrcwj0C+5rhBIaigkgHW06n5W3fzziC5FFW
-+FHGikQKBgGQ790ZCn32DZnoGUwITR++/wF5jUfghqd67YODszeUAWtnp7DHlWPfp
-+LCkyjnRWnXzvfHTKvCs1XtQBoaCRS048uwZITlgZYFEWntFMqi76bqBE4FTSYUTM
-+FinFUBBVigThM/RLfCRNrCW/kTxXuJDuSfVIJZzWNAT+9oWdz5da
-+-----END RSA PRIVATE KEY-----
-+
-+# corresponding public key
-+PublicKey = RSA-2048-2-PUBLIC
-+-----BEGIN PUBLIC KEY-----
-+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyMyDlxQJjaVsqiNkD5Pc
-+iZfBY3KWj8Gwxt9RE8HJTosh5IrSKX5lQZARtObY9ec7G3iyV0ADIdHva2AtTsjO
-+jRQclJBetK0wZjmkkgZTS25/JgdCPpff/RM8iNchOZ3vvH6WzNy9fzquH+iScSv7
-+SSmBfVEWZkQKH6y3ogj16hZZEK3Yo/LUlyAjYMy2MgJPDQcWnBkY8xb3lLFDrvVO
-+yHUipMApePlomYC/+/ZJwwfoGBm/+IQJY41IvZS+FStZ/2SfoL1inQ/6GBPDq/S1
-+a9PC6lRl3/oUWJKSqdiiStJr5+4FEHQbY4LUPIPVv6QKRmE9BivkRVF9vK8MtOGn
-+aQIDAQAB
-+-----END PUBLIC KEY-----
-+
-+PrivPubKeyPair = RSA-2048-2:RSA-2048-2-PUBLIC
-+
-+# RSA decrypt
-+
-+# a random positive test case
-+Availablein = default
-+Decrypt = RSA-2048-2
-+Input = 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
-+Output = "lorem ipsum dolor sit amet"
-+
-+Availablein = default
-+# a random negative test case decrypting to empty
-+Decrypt = RSA-2048-2
-+Input = 20aaa8adbbc593a924ba1c5c7990b5c2242ae4b99d0fe636a19a4cf754edbcee774e472fe028160ed42634f8864900cb514006da642cae6ae8c7d087caebcfa6dad1551301e130344989a1d462d4164505f6393933450c67bc6d39d8f5160907cabc251b737925a1cf21e5c6aa5781b7769f6a2a583d97cce008c0f8b6add5f0b2bd80bee60237aa39bb20719fe75749f4bc4e42466ef5a861ae3a92395c7d858d430bfe38040f445ea93fa2958b503539800ffa5ce5f8cf51fa8171a91f36cb4f4575e8de6b4d3f096ee140b938fd2f50ee13f0d050222e2a72b0a3069ff3a6738e82c87090caa5aed4fcbe882c49646aa250b98f12f83c8d528113614a29e7
-+Output =
-+
-+Availablein = default
-+# invalid decrypting to max length message
-+Decrypt = RSA-2048-2
-+Input = 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
-+Output = 22d850137b9eebe092b24f602dc5bb7918c16bd89ddbf20467b119d205f9c2e4bd7d2592cf1e532106e0f33557565923c73a02d4f09c0c22bea89148183e60317f7028b3aa1f261f91c979393101d7e15f4067e63979b32751658ef769610fe97cf9cef3278b3117d384051c3b1d82c251c2305418c8f6840530e631aad63e70e20e025bcd8efb54c92ec6d3b106a2f8e64eeff7d38495b0fc50c97138af4b1c0a67a1c4e27b077b8439332edfa8608dfeae653cd6a628ac550395f7e74390e42c11682234870925eeaa1fa71b76cf1f2ee3bda69f6717033ff8b7c95c9799e7a3bea5e7e4a1c359772fb6b1c6e6c516661dfe30c3
-+
-+Availablein = default
-+# invalid decrypting to message with length specified by second to last value from PRF
-+Decrypt = RSA-2048-2
-+Input = 1439e08c3f84c1a7fec74ce07614b20e01f6fa4e8c2a6cffdc3520d8889e5d9a950c6425798f85d4be38d300ea5695f13ecd4cb389d1ff5b82484b494d6280ab7fa78e645933981cb934cce8bfcd114cc0e6811eefa47aae20af638a1cd163d2d3366186d0a07df0c81f6c9f3171cf3561472e98a6006bf75ddb457bed036dcce199369de7d94ef2c68e8467ee0604eea2b3009479162a7891ba5c40cab17f49e1c438cb6eaea4f76ce23cce0e483ff0e96fa790ea15be67671814342d0a23f4a20262b6182e72f3a67cd289711503c85516a9ed225422f98b116f1ab080a80abd6f0216df88d8cfd67c139243be8dd78502a7aaf6bc99d7da71bcdf627e7354
-+Output = 0f9b
-+
-+Availablein = default
-+# invalid decrypting to message with length specified by third to last value from PRF
-+Decrypt = RSA-2048-2
-+Input = 1690ebcceece2ce024f382e467cf8510e74514120937978576caf684d4a02ad569e8d76cbe365a060e00779de2f0865ccf0d923de3b4783a4e2c74f422e2f326086c390b658ba47f31ab013aa80f468c71256e5fa5679b24e83cd82c3d1e05e398208155de2212993cd2b8bab6987cf4cc1293f19909219439d74127545e9ed8a706961b8ee2119f6bfacafbef91b75a789ba65b8b833bc6149cf49b5c4d2c6359f62808659ba6541e1cd24bf7f7410486b5103f6c0ea29334ea6f4975b17387474fe920710ea61568d7b7c0a7916acf21665ad5a31c4eabcde44f8fb6120d8457afa1f3c85d517cda364af620113ae5a3c52a048821731922737307f77a1081
-+Output = 4f02
-+
-+# positive test with 11 byte long value
-+Availablein = default
-+Decrypt = RSA-2048-2
-+Input = 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
-+Output = "lorem ipsum"
-+
-+# positive test with 11 byte long value and zero padded ciphertext
-+Availablein = default
-+Decrypt = RSA-2048-2
-+Input = 00a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b
-+Output = "lorem ipsum"
-+
-+# positive test with 11 byte long value and zero truncated ciphertext
-+Availablein = default
-+Decrypt = RSA-2048-2
-+Input = a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b
-+Output = "lorem ipsum"
-+
-+# positive test with 11 byte long value and double zero padded ciphertext
-+Availablein = default
-+Decrypt = RSA-2048-2
-+Input = 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
-+Output = "lorem ipsum"
-+
-+# positive test with 11 byte long value and double zero truncated ciphertext
-+Availablein = default
-+Decrypt = RSA-2048-2
-+Input = 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
-+Output = "lorem ipsum"
-+
-+# positive that generates a 0 byte long synthethic message internally
-+Availablein = default
-+Decrypt = RSA-2048-2
-+Input = 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
-+Output = "lorem ipsum"
-+
-+# positive that generates a 245 byte long synthethic message internally
-+Availablein = default
-+Decrypt = RSA-2048-2
-+Input = 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
-+Output = "lorem ipsum"
-+
-+Availablein = default
-+# a random negative test that generates an 11 byte long message
-+Decrypt = RSA-2048-2
-+Input = 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
-+Output = af9ac70191c92413cb9f2d
-+
-+Availablein = default
-+# an otherwise correct plaintext, but with wrong first byte
-+# (0x01 instead of 0x00), generates a random 11 byte long plaintext
-+Decrypt = RSA-2048-2
-+Input = 9b2ec9c0c917c98f1ad3d0119aec6be51ae3106e9af1914d48600ab6a2c0c0c8ae02a2dc3039906ff3aac904af32ec798fd65f3ad1afa2e69400e7c1de81f5728f3b3291f38263bc7a90a0563e43ce7a0d4ee9c0d8a716621ca5d3d081188769ce1b131af7d35b13dea99153579c86db31fe07d5a2c14d621b77854e48a8df41b5798563af489a291e417b6a334c63222627376118c02c53b6e86310f728734ffc86ef9d7c8bf56c0c841b24b82b59f51aee4526ba1c4268506d301e4ebc498c6aebb6fd5258c876bf900bac8ca4d309dd522f6a6343599a8bc3760f422c10c72d0ad527ce4af1874124ace3d99bb74db8d69d2528db22c3a37644640f95c05f
-+Output = a1f8c9255c35cfba403ccc
-+
-+Availablein = default
-+# an otherwise correct plaintext, but with wrong second byte
-+# (0x01 instead of 0x02), generates a random 11 byte long plaintext
-+Decrypt = RSA-2048-2
-+Input = 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
-+Output = e6d700309ca0ed62452254
-+
-+Availablein = default
-+# an invalid ciphertext, with a zero byte in first byte of
-+# ciphertext, decrypts to a random 11 byte long synthethic
-+# plaintext
-+Decrypt = RSA-2048-2
-+Input = 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
-+Output = ba27b1842e7c21c0e7ef6a
-+
-+Availablein = default
-+# an invalid ciphertext, with a zero byte removed from first byte of
-+# ciphertext, decrypts to a random 11 byte long synthethic
-+# plaintext
-+Decrypt = RSA-2048-2
-+Input = 96136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2ac3fa2162131d859cd9da5a0c8a42281d9a63e5f353971b72e36b5722e4ac444d77f892a5443deb3dca49fa732fe855727196e23c26eeac55eeced8267a209ebc0f92f4656d64a6c13f7f7ce544ebeb0f668fe3a6c0f189e4bcd5ea12b73cf63e0c8350ee130dd62f01e5c97a1e13f52fde96a9a1bc9936ce734fdd61f27b18216f1d6de87f49cf4f2ea821fb8efd1f92cdad529baf7e31aff9bff4074f2cad2b4243dd15a711adcf7de900851fbd6bcb53dac399d7c880531d06f25f7002e1aaf1722765865d2c2b902c7736acd27bc6cbd3e38b560e2eecf7d4b576
-+Output = ba27b1842e7c21c0e7ef6a
-+
-+Availablein = default
-+# an invalid ciphertext, with two zero bytes in first bytes of
-+# ciphertext, decrypts to a random 11 byte long synthethic
-+# plaintext
-+Decrypt = RSA-2048-2
-+Input = 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
-+Output = d5cf555b1d6151029a429a
-+
-+Availablein = default
-+# an invalid ciphertext, with two zero bytes removed from first bytes of
-+# ciphertext, decrypts to a random 11 byte long synthethic
-+# plaintext
-+Decrypt = RSA-2048-2
-+Input = 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
-+Output = d5cf555b1d6151029a429a
-+
-+Availablein = default
-+# and invalid ciphertext, otherwise valid but starting with 000002, decrypts
-+# to random 11 byte long synthethic plaintext
-+Decrypt = RSA-2048-2
-+Input = 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
-+Output = 3d4a054d9358209e9cbbb9
-+
-+Availablein = default
-+# negative test with otherwise valid padding but a zero byte in first byte
-+# of padding
-+Decrypt = RSA-2048-2
-+Input = 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
-+Output = 1f037dd717b07d3e7f7359
-+
-+Availablein = default
-+# negative test with otherwise valid padding but a zero byte at the eigth
-+# byte of padding
-+Decrypt = RSA-2048-2
-+Input = a7a340675a82c30e22219a55bc07cdf36d47d01834c1834f917f18b517419ce9de2a96460e745024436470ed85e94297b283537d52189c406a3f533cb405cc6a9dba46b482ce98b6e3dd52d8fce2237425617e38c11fbc46b61897ef200d01e4f25f5f6c4c5b38cd0de38ba11908b86595a8036a08a42a3d05b79600a97ac18ba368a08d6cf6ccb624f6e8002afc75599fba4de3d4f3ba7d208391ebe8d21f8282b18e2c10869eb2702e68f9176b42b0ddc9d763f0c86ba0ff92c957aaeab76d9ab8da52ea297ec11d92d770146faa1b300e0f91ef969b53e7d2907ffc984e9a9c9d11fb7d6cba91972059b46506b035efec6575c46d7114a6b935864858445f
-+Output = 63cb0bf65fc8255dd29e17
-+
-+Availablein = default
-+# negative test with an otherwise valid plaintext but with missing separator
-+# byte
-+Decrypt = RSA-2048-2
-+Input = 3d1b97e7aa34eaf1f4fc171ceb11dcfffd9a46a5b6961205b10b302818c1fcc9f4ec78bf18ea0cee7e9fa5b16fb4c611463b368b3312ac11cf9c06b7cf72b54e284848a508d3f02328c62c2999d0fb60929f81783c7a256891bc2ff4d91df2af96a24fc5701a1823af939ce6dbdc510608e3d41eec172ad2d51b9fc61b4217c923cadcf5bac321355ef8be5e5f090cdc2bd0c697d9058247db3ad613fdce87d2955a6d1c948a5160f93da21f731d74137f5d1f53a1923adb513d2e6e1589d44cc079f4c6ddd471d38ac82d20d8b1d21f8d65f3b6907086809f4123e08d86fb38729585de026a485d8f0e703fd4772f6668febf67df947b82195fa3867e3a3065
-+Output = 6f09a0b62699337c497b0b
-+
-+# Test vectors for the Bleichenbacher workaround (2049 bit key size)
-+
-+PrivateKey = RSA-2049
-+-----BEGIN RSA PRIVATE KEY-----
-+MIIEpQIBAAKCAQEBVfiJVWoXdfHHp3hqULGLwoyemG7eVmfKs5uEEk6Q66dcHbCD
-+rD5EO7qU3CNWD3XjqBaToqQ73HQm2MTq/mjIXeD+dX9uSbue1EfmAkMIANuwTOsi
-+5/pXoY0zj7ZgJs20Z+cMwEDn02fvQDx78ePfYkZQCUYx8h6v0vtbyRX/BDeazRES
-+9zLAtGYHwXjTiiD1LtpQny+cBAXVEGnoDM+UFVTQRwRnUFw89UHqCJffyfQAzssp
-+j/x1M3LZ9pM68XTMQO2W1GcDFzO5f4zd0/krw6A+qFdsQX8kAHteT3UBEFtUTen6
-+3N/635jftLsFuBmfP4Ws/ZH3qaCUuaOD9QSQlwIDAQABAoIBAQEZwrP1CnrWFSZ5
-+1/9RCVisLYym8AKFkvMy1VoWc2F4qOZ/F+cFzjAOPodUclEAYBP5dNCj20nvNEyl
-+omo0wEUHBNDkIuDOI6aUJcFf77bybhBu7/ZMyLnXRC5NpOjIUAjq6zZYWaIpT6OT
-+e8Jr5WMy59geLBYO9jXMUoqnvlXmM6cj28Hha6KeUrKa7y+eVlT9wGZrsPwlSsvo
-+DmOHTw9fAgeC48nc/CUg0MnEp7Y05FA/u0k+Gq/us/iL16EzmHJdrm/jmed1zV1M
-+8J/IODR8TJjasaSIPM5iBRNhWvqhCmM2jm17ed9BZqsWJznvUVpEAu4eBgHFpVvH
-+HfDjDt+BAoGBAYj2k2DwHhjZot4pUlPSUsMeRHbOpf97+EE99/3jVlI83JdoBfhP
-+wN3sdw3wbO0GXIETSHVLNGrxaXVod/07PVaGgsh4fQsxTvasZ9ZegTM5i2Kgg8D4
-+dlxa1A1agfm73OJSftfpUAjLECnLTKvR+em+38KGyWVSJV2n6rGSF473AoGBAN7H
-+zxHa3oOkxD0vgBl/If1dRv1XtDH0T+gaHeN/agkf/ARk7ZcdyFCINa3mzF9Wbzll
-+YTqLNnmMkubiP1LvkH6VZ+NBvrxTNxiWJfu+qx87ez+S/7JoHm71p4SowtePfC2J
-+qqok0s7b0GaBz+ZcNse/o8W6E1FiIi71wukUyYNhAoGAEgk/OnPK7dkPYKME5FQC
-++HGrMsjJVbCa9GOjvkNw8tVYSpq7q2n9sDHqRPmEBl0EYehAqyGIhmAONxVUbIsL
-+ha0m04y0MI9S0H+ZRH2R8IfzndNAONsuk46XrQU6cfvtZ3Xh3IcY5U5sr35lRn2c
-+ut3H52XIWJ4smN/cJcpOyoECgYEAjM5hNHnPlgj392wkXPkbtJXWHp3mSISQVLTd
-+G0MW8/mBQg3AlXi/eRb+RpHPrppk5jQLhgMjRSPyXXe2amb8PuWTqfGN6l32PtX3
-+3+udILpppb71Wf+w7JTbcl9v9uq7o9SVR8DKdPA+AeweSQ0TmqCnlHuNZizOSjwP
-+G16GF0ECgYEA+ZWbNMS8qM5IiHgbMbHptdit9dDT4+1UXoNn0/hUW6ZEMriHMDXv
-+iBwrzeANGAn5LEDYeDe1xPms9Is2uNxTpZVhpFZSNALR6Po68wDlTJG2PmzuBv5t
-+5mbzkpWCoD4fRU53ifsHgaTW+7Um74gWIf0erNIUZuTN2YrtEPTnb3k=
-+-----END RSA PRIVATE KEY-----
-+
-+# corresponding public key
-+PublicKey = RSA-2049-PUBLIC
-+-----BEGIN PUBLIC KEY-----
-+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEBVfiJVWoXdfHHp3hqULGL
-+woyemG7eVmfKs5uEEk6Q66dcHbCDrD5EO7qU3CNWD3XjqBaToqQ73HQm2MTq/mjI
-+XeD+dX9uSbue1EfmAkMIANuwTOsi5/pXoY0zj7ZgJs20Z+cMwEDn02fvQDx78ePf
-+YkZQCUYx8h6v0vtbyRX/BDeazRES9zLAtGYHwXjTiiD1LtpQny+cBAXVEGnoDM+U
-+FVTQRwRnUFw89UHqCJffyfQAzsspj/x1M3LZ9pM68XTMQO2W1GcDFzO5f4zd0/kr
-+w6A+qFdsQX8kAHteT3UBEFtUTen63N/635jftLsFuBmfP4Ws/ZH3qaCUuaOD9QSQ
-+lwIDAQAB
-+-----END PUBLIC KEY-----
-+
-+PrivPubKeyPair = RSA-2049:RSA-2049-PUBLIC
-+
-+# RSA decrypt
-+
-+Availablein = default
-+# malformed that generates length specified by 3rd last value from PRF
-+Decrypt = RSA-2049
-+Input = 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
-+Output = 42
-+
-+# simple positive test case
-+Availablein = default
-+Decrypt = RSA-2049
-+Input = 013300edbf0bb3571e59889f7ed76970bf6d57e1c89bbb6d1c3991d9df8e65ed54b556d928da7d768facb395bbcc81e9f8573b45cf8195dbd85d83a59281cddf4163aec11b53b4140053e3bd109f787a7c3cec31d535af1f50e0598d85d96d91ea01913d07097d25af99c67464ebf2bb396fb28a9233e56f31f7e105d71a23e9ef3b736d1e80e713d1691713df97334779552fc94b40dd733c7251bc522b673d3ec9354af3dd4ad44fa71c0662213a57ada1d75149697d0eb55c053aaed5ffd0b815832f454179519d3736fb4faf808416071db0d0f801aca8548311ee708c131f4be658b15f6b54256872c2903ac708bd43b017b073b5707bc84c2cd9da70e967
-+Output = "lorem ipsum"
-+
-+# positive test case with null padded ciphertext
-+Availablein = default
-+Decrypt = RSA-2049
-+Input = 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
-+Output = "lorem ipsum"
-+
-+# positive test case with null truncated ciphertext
-+Availablein = default
-+Decrypt = RSA-2049
-+Input = 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
-+Output = "lorem ipsum"
-+
-+# positive test case with double null padded ciphertext
-+Availablein = default
-+Decrypt = RSA-2049
-+Input = 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
-+Output = "lorem ipsum"
-+
-+# positive test case with double null truncated ciphertext
-+Availablein = default
-+Decrypt = RSA-2049
-+Input = 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
-+Output = "lorem ipsum"
-+
-+Availablein = default
-+# a random negative test case that generates an 11 byte long message
-+Decrypt = RSA-2049
-+Input = 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
-+Output = 1189b6f5498fd6df532b00
-+
-+Availablein = default
-+# otherwise correct plaintext, but with wrong first byte (0x01 instead of 0x00)
-+Decrypt = RSA-2049
-+Input = 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
-+Output = f6d0f5b78082fe61c04674
-+
-+Availablein = default
-+# otherwise correct plaintext, but with wrong second byte (0x01 instead of 0x02)
-+Decrypt = RSA-2049
-+Input = 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
-+Output = 1ab287fcef3ff17067914d
-+
-+# RSA decrypt with 3072 bit keys
-+PrivateKey = RSA-3072
-+-----BEGIN RSA PRIVATE KEY-----
-+MIIG5AIBAAKCAYEAr9ccqtXp9bjGw2cHCkfxnX5mrt4YpbJ0H7PE0zQ0VgaSotkJ
-+72iI7GAv9rk68ljudDA8MBr81O2+xDMR3cjdvwDdu+OG0zuNDiKxtEk23EiYcbhS
-+N7NM50etj9sMTk0dqnqt8HOFxchzLMt9Wkni5QyIPH16wQ7Wp02ayQ35EpkFoX1K
-+CHIQ/Hi20EseuWlILBGm7recUOWxbz8lT3VxUosvFxargW1uygcnveqYBZMpcw64
-+wzznHWHdSsOTtiVuB6wdEk8CANHD4FpMG8fx7S/IPlcZnP5ZCLEAh+J/vZfSwkIU
-+YZxxR8j778o5vCVnYqaCNTH34jTWjq56DZ+vEN0V6VI3gMfVrlgJStUlqQY7TDP5
-+XhAG2i6xLTdDaJSVwfICPkBzU8XrPkyhxIz/gaEJANFIIOuAGvTxpZbEuc6aUx/P
-+ilTZ/9ckJYtu7CAQjfb9/XbUrgO6fqWY3LDkooCElYcob01/JWzoXl61Z5sdrMH5
-+CVZJty5foHKusAN5AgMBAAECggGAJRfqyzr+9L/65gOY35lXpdKhVKgzaNjhWEKy
-+9Z7gn3kZe9LvHprdr4eG9rQSdEdAXjBCsh8vULeqc3cWgMO7y2wiWl1f9rVsRxwY
-+gqCjOwrxZaPtbCSdx3g+a8dYrDfmVy0z/jJQeO2VJlDy65YEkC75mlEaERnRPE/J
-+pDoXXc37+xoUAP4XCTtpzTzbiV9lQy6iGV+QURxzNrWKaF2s/y2vTF6S5WWxZlrm
-+DlErqplluAjV/xGc63zWksv5IAZ6+s2An2a+cG2iaBCseQ2xVslI5v5YG8mEkVf0
-+2kk/OmSwxuEZ4DGxB/hDbOKRYLRYuPnxCV/esZJjOE/1OHVXvE8QtANN6EFwO60s
-+HnacI4U+tjCjbRBh3UbipruvdDqX8LMsNvUMGjci3vOjlNkcLgeL8J15Xs3l5WuC
-+Avl0Am91/FbpoN1qiPLny3jvEpjMbGUgfKRb03GIgHtPzbHmDdjluFZI+376i2/d
-+RI85dBqNmAn+Fjrz3kW6wkpahByBAoHBAOSj2DDXPosxxoLidP/J/RKsMT0t0FE9
-+UFcNt+tHYv6hk+e7VAuUqUpd3XQqz3P13rnK4xvSOsVguyeU/WgmH4ID9XGSgpBP
-+Rh6s7izn4KAJeqfI26vTPxvyaZEqB4JxT6k7SerENus95zSn1v/f2MLBQ16EP8cJ
-++QSOVCoZfEhUK+srherQ9eZKpj0OwBUrP4VhLdymv96r8xddWX1AVj4OBi2RywKI
-+gAgv6fjwkb292jFu6x6FjKRNKwKK6c3jqQKBwQDE4c0Oz0KYYV4feJun3iL9UJSv
-+StGsKVDuljA4WiBAmigMZTii/u0DFEjibiLWcJOnH53HTr0avA6c6D1nCwJ2qxyF
-+rHNN2L+cdMx/7L1zLR11+InvRgpIGbpeGwHeIzJVUYG3b6llRJMZimBvAMr9ipM1
-+bkVvIjt1G9W1ypeuKzm6d/t8F0yC7AIYZWDV4nvxiiY8whLZzGawHR2iZz8pfUwb
-+7URbTvxdsGE27Kq9gstU0PzEJpnU1goCJ7/gA1ECgcBA8w5B6ZM5xV0H5z6nPwDm
-+IgYmw/HucgV1hU8exfuoK8wxQvTACW4B0yJKkrK11T1899aGG7VYRn9D4j4OLO48
-+Z9V8esseJXbc1fEezovvymGOci984xiFXtqAQzk44+lmQJJh33VeZApe2eLocvVH
-+ddEmc1kOuJWFpszf3LeCcG69cnKrXsrLrZ8Frz//g3aa9B0sFi5hGeWHWJxISVN2
-+c1Nr9IN/57i/GqVTcztjdCAcdM7Tr8phDg7OvRlnxGkCgcEAuYhMFBuulyiSaTff
-+/3ZvJKYOJ45rPkEFGoD/2ercn+RlvyCYGcoAEjnIYVEGlWwrSH+b0NlbjVkQsD6O
-+to8CeE/RpgqX8hFCqC7NE/RFp8cpDyXy3j/zqnRMUyhCP1KNuScBBZs9V8gikxv6
-+ukBWCk3PYbeTySHKRBbB8vmCrMfhM96jaBIQsQO1CcZnVceDo1/bnsAIwaREVMxr
-+Q8LmG7QOx/Z0x1MMsUFoqzilwccC09/JgxMZPh+h+Nv6jiCxAoHBAOEqQgFAfSdR
-+ya60LLH55q803NRFMamuKiPbVJLzwiKfbjOiiopmQOS/LxxqIzeMXlYV4OsSvxTo
-+G7mcTOFRtU5hKCK+t8qeQQpa/dsMpiHllwArnRyBjIVgL5lFKRpHUGLsavU/T1IH
-+mtgaxZo32dXvcAh1+ndCHVBwbHTOF4conA+g+Usp4bZSSWn5nU4oIizvSVpG7SGe
-+0GngdxH9Usdqbvzcip1EKeHRTZrHIEYmB+x0LaRIB3dwZNidK3TkKw==
-+-----END RSA PRIVATE KEY-----
-+
-+PublicKey = RSA-3072-PUBLIC
-+-----BEGIN PUBLIC KEY-----
-+MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAr9ccqtXp9bjGw2cHCkfx
-+nX5mrt4YpbJ0H7PE0zQ0VgaSotkJ72iI7GAv9rk68ljudDA8MBr81O2+xDMR3cjd
-+vwDdu+OG0zuNDiKxtEk23EiYcbhSN7NM50etj9sMTk0dqnqt8HOFxchzLMt9Wkni
-+5QyIPH16wQ7Wp02ayQ35EpkFoX1KCHIQ/Hi20EseuWlILBGm7recUOWxbz8lT3Vx
-+UosvFxargW1uygcnveqYBZMpcw64wzznHWHdSsOTtiVuB6wdEk8CANHD4FpMG8fx
-+7S/IPlcZnP5ZCLEAh+J/vZfSwkIUYZxxR8j778o5vCVnYqaCNTH34jTWjq56DZ+v
-+EN0V6VI3gMfVrlgJStUlqQY7TDP5XhAG2i6xLTdDaJSVwfICPkBzU8XrPkyhxIz/
-+gaEJANFIIOuAGvTxpZbEuc6aUx/PilTZ/9ckJYtu7CAQjfb9/XbUrgO6fqWY3LDk
-+ooCElYcob01/JWzoXl61Z5sdrMH5CVZJty5foHKusAN5AgMBAAE=
-+-----END PUBLIC KEY-----
-+
-+PrivPubKeyPair = RSA-3072:RSA-3072-PUBLIC
-+
-+Availablein = default
-+# a random invalid ciphertext that generates an empty synthethic one
-+Decrypt = RSA-3072
-+Input = 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
-+Output =
-+
-+Availablein = default
-+# a random invalid that has PRF output with a length one byte too long
-+# in the last value
-+Decrypt = RSA-3072
-+Input = 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
-+Output = 56a3bea054e01338be9b7d7957539c
-+
-+Availablein = default
-+# a random invalid that generates a synthethic of maximum size
-+Decrypt = RSA-3072
-+Input = 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
-+Output = 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
-+
-+# a positive test case that decrypts to 9 byte long value
-+Availablein = default
-+Decrypt = RSA-3072
-+Input = 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
-+Output = "forty two"
-+
-+# a positive test case with null padded ciphertext
-+Availablein = default
-+Decrypt = RSA-3072
-+Input = 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
-+Output = "forty two"
-+
-+# a positive test case with null truncated ciphertext
-+Availablein = default
-+Decrypt = RSA-3072
-+Input = 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
-+Output = "forty two"
-+
-+# a positive test case with double null padded ciphertext
-+Availablein = default
-+Decrypt = RSA-3072
-+Input = 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
-+Output = "forty two"
-+
-+# a positive test case with double null truncated ciphertext
-+Availablein = default
-+Decrypt = RSA-3072
-+Input = 1ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0
-+Output = "forty two"
-+
-+Availablein = default
-+# a random negative test case that generates a 9 byte long message
-+Decrypt = RSA-3072
-+Input = 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
-+Output = 257906ca6de8307728
-+
-+Availablein = default
-+# a random negative test case that generates a 9 byte long message based on
-+# second to last value from PRF
-+Decrypt = RSA-3072
-+Input = 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
-+Output = 043383c929060374ed
-+
-+Availablein = default
-+# a random negative test that generates message based on 3rd last value from
-+# PRF
-+Decrypt = RSA-3072
-+Input = 7b22d5e62d287968c6622171a1f75db4b0fd15cdf3134a1895d235d56f8d8fe619f2bf4868174a91d7601a82975d2255190d28b869141d7c395f0b8c4e2be2b2c1b4ffc12ce749a6f6803d4cfe7fba0a8d6949c04151f981c0d84592aa2ff25d1bd3ce5d10cb03daca6b496c6ad40d30bfa8acdfd02cdb9326c4bdd93b949c9dc46caa8f0e5f429785bce64136a429a3695ee674b647452bea1b0c6de9c5f1e8760d5ef6d5a9cfff40457b023d3c233c1dcb323e7808103e73963b2eafc928c9eeb0ee3294955415c1ddd9a1bb7e138fecd79a3cb89c57bd2305524624814aaf0fd1acbf379f7f5b39421f12f115ba488d380586095bb53f174fae424fa4c8e3b299709cd344b9f949b1ab57f1c645d7ed3c8f81d5594197355029fee8960970ff59710dc0e5eb50ea6f4c3938e3f89ed7933023a2c2ddffaba07be147f686828bd7d520f300507ed6e71bdaee05570b27bc92741108ac2eb433f028e138dd6d63067bc206ea2d826a7f41c0d613daed020f0f30f4e272e9618e0a8c39018a83
-+Output = 70263fa6050534b9e0
-+
-+Availablein = default
-+# an otherwise valid plaintext, but with wrong first byte (0x01 instead of 0x00)
-+Decrypt = RSA-3072
-+Input = 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
-+Output = 6d8d3a094ff3afff4c
-+
-+Availablein = default
-+# an otherwise valid plaintext, but with wrong second byte (0x01 instead of 0x02)
-+Decrypt = RSA-3072
-+Input = 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
-+Output = c6ae80ffa80bc184b0
-+
-+Availablein = default
-+# an otherwise valid plaintext, but with zero byte in first byte of padding
-+Decrypt = RSA-3072
-+Input = 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
-+Output = a8a9301daa01bb25c7
-+
-+Availablein = default
-+# an otherwise valid plaintext, but with zero byte in eight byte of padding
-+Decrypt = RSA-3072
-+Input = 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
-+Output = 6c716fe01d44398018
-+
-+Availablein = default
-+# an otherwise valid plaintext, but with null separator missing
-+Decrypt = RSA-3072
-+Input = a7a5c99e50da48769ecb779d9abe86ef9ec8c38c6f43f17c7f2d7af608a4a1bd6cf695b47e97c191c61fb5a27318d02f495a176b9fae5a55b5d3fabd1d8aae4957e3879cb0c60f037724e11be5f30f08fc51c033731f14b44b414d11278cd3dba7e1c8bfe208d2b2bb7ec36366dacb6c88b24cd79ab394adf19dbbc21dfa5788bacbadc6a62f79cf54fd8cf585c615b5c0eb94c35aa9de25321c8ffefb8916bbaa2697cb2dd82ee98939df9b6704cee77793edd2b4947d82e00e5749664970736c59a84197bd72b5c71e36aae29cd39af6ac73a368edbc1ca792e1309f442aafcd77c992c88f8e4863149f221695cb7b0236e75b2339a02c4ea114854372c306b9412d8eedb600a31532002f2cea07b4df963a093185e4607732e46d753b540974fb5a5c3f9432df22e85bb17611370966c5522fd23f2ad3484341ba7fd8885fc8e6d379a611d13a2aca784fba2073208faad2137bf1979a0fa146c1880d4337db3274269493bab44a1bcd0681f7227ffdf589c2e925ed9d36302509d1109ba4
-+Output = aa2de6cde4e2442884
-+
- # RSA PSS key tests
- 
- # PSS only key, no parameter restrictions

diff --git a/0109-fips-Zeroize-out-in-fips-selftest.patch b/0109-fips-Zeroize-out-in-fips-selftest.patch
new file mode 100644
index 0000000..d76ecc6
--- /dev/null
+++ b/0109-fips-Zeroize-out-in-fips-selftest.patch
@@ -0,0 +1,26 @@
+From 3e24e76dfaf7367e0790c22aa1e740f3b68d91a3 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 16:08:39 +0200
+Subject: [PATCH 44/48] 0109-fips-Zeroize-out-in-fips-selftest.patch
+
+Patch-name: 0109-fips-Zeroize-out-in-fips-selftest.patch
+Patch-id: 109
+---
+ providers/fips/self_test.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
+index 062d9df84a..64107d054b 100644
+--- a/providers/fips/self_test.c
++++ b/providers/fips/self_test.c
+@@ -339,6 +339,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
+         goto err;
+     ret = 1;
+ err:
++    OPENSSL_cleanse(out, sizeof(out));
+     OSSL_SELF_TEST_onend(ev, ret);
+     EVP_MAC_CTX_free(ctx);
+     EVP_MAC_free(mac);
+-- 
+2.41.0
+
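Review bot: The patch header carries only `Patch-name` and `Patch-id`; a `Patch-status: |` block with a one-line reason such as `# zeroize the integrity-check output buffer on every exit path of verify_integrity` would record the intent without the reader having to interpret the diff (the same applies to the 0110 and 0112 patch headers below). The added `OPENSSL_cleanse(out, sizeof(out))` sits directly after the `err:` label, so it runs on both the success path and every early `goto err`, which is the correct placement for a cleanup of this kind. `sizeof(out)` is only right if `out` is a fixed-size array local to verify_integrity rather than a pointer; its declaration, like the rest of the function, lies outside this hunk, so that is inferred rather than visible.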

diff --git a/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch b/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
new file mode 100644
index 0000000..1ea7122
--- /dev/null
+++ b/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
@@ -0,0 +1,96 @@
+From 5db03a4d024f1e396ff54d38ac70d9890b034074 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 16:10:11 +0200
+Subject: [PATCH 45/48] 
+ 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
+
+Patch-name: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
+Patch-id: 110
+---
+ include/openssl/core_names.h                  |  1 +
+ include/openssl/evp.h                         |  4 +++
+ .../implementations/ciphers/ciphercommon.c    |  4 +++
+ .../ciphers/ciphercommon_gcm.c                | 25 +++++++++++++++++++
+ 4 files changed, 34 insertions(+)
+
+diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
+index 48af87e236..29459049ad 100644
+--- a/include/openssl/core_names.h
++++ b/include/openssl/core_names.h
+@@ -99,6 +99,7 @@ extern "C" {
+ #define OSSL_CIPHER_PARAM_CTS_MODE             "cts_mode"     /* utf8_string */
+ /* For passing the AlgorithmIdentifier parameter in DER form */
+ #define OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS  "alg_id_param" /* octet_string */
++#define OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" /* int */
+ 
+ #define OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT                    \
+     "tls1multi_maxsndfrag" /* uint */
+diff --git a/include/openssl/evp.h b/include/openssl/evp.h
+index 05f2d0f75a..f1a33ff6f2 100644
+--- a/include/openssl/evp.h
++++ b/include/openssl/evp.h
+@@ -748,6 +748,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags);
+ void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags);
+ int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags);
+ 
++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED     1
++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
++
+ __owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
+                            const unsigned char *key, const unsigned char *iv);
+ /*__owur*/ int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,
+diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c
+index fa383165d8..716add7339 100644
+--- a/providers/implementations/ciphers/ciphercommon.c
++++ b/providers/implementations/ciphers/ciphercommon.c
+@@ -149,6 +149,10 @@ static const OSSL_PARAM cipher_aead_known_gettable_ctx_params[] = {
+     OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0),
+     OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL),
+     OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, NULL, 0),
++    /* normally we would hide this under an #ifdef FIPS_MODULE, but that does
++     * not work in ciphercommon.c because it is compiled only once into
++     * libcommon.a */
++    OSSL_PARAM_int(OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL),
+     OSSL_PARAM_END
+ };
+ const OSSL_PARAM *ossl_cipher_aead_gettable_ctx_params(
+diff --git a/providers/implementations/ciphers/ciphercommon_gcm.c b/providers/implementations/ciphers/ciphercommon_gcm.c
+index ed95c97ff4..db7910eb0e 100644
+--- a/providers/implementations/ciphers/ciphercommon_gcm.c
++++ b/providers/implementations/ciphers/ciphercommon_gcm.c
+@@ -224,6 +224,31 @@ int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[])
+             || !getivgen(ctx, p->data, p->data_size))
+             return 0;
+     }
++
++    /* We would usually hide this under #ifdef FIPS_MODULE, but
++     * ciphercommon_gcm.c is only compiled once into libcommon.a, so ifdefs do
++     * not work here. */
++    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR);
++    if (p != NULL) {
++        int fips_indicator = EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED;
++
++        /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module
++         * Verification Program, Section C.H requires guarantees about the
++         * uniqueness of key/iv pairs, and proposes a few approaches to ensure
++         * this. This provides an indicator for option 2 "The IV may be
++         * generated internally at its entirety randomly." Note that one of the
++         * conditions of this option is that "The IV length shall be at least
++         * 96 bits (per SP 800-38D)." We do not specically check for this
++         * condition here, because gcm_iv_generate will fail in this case. */
++        if (ctx->enc && !ctx->iv_gen_rand)
++            fips_indicator = EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        if (!OSSL_PARAM_set_int(p, fips_indicator)) {
++            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
++            return 0;
++        }
++    }
++
+     return 1;
+ }
+ 
+-- 
+2.41.0
+
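Review bot: The explanatory comment added to ossl_gcm_get_ctx_params misspells "specifically" as `specically`; that sentence should read `We do not specifically check for this condition here, because gcm_iv_generate will fail in this case.`. Separately, `fips_indicator` starts at EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED and is only demoted on `ctx->enc && !ctx->iv_gen_rand`, so an encrypt context queried before any IV has been generated reports NOT_APPROVED rather than UNDETERMINED, and a decrypt context always reports APPROVED; if both are intended (the C.H requirement binds the encrypting side, and the IV state at query time is what is judged), a short comment saying so would spare the next reader from guessing. Where `iv_gen_rand` is set is outside this hunk, so the exact set of IV paths that count as approved is inferred here. ossl_gcm_get_ctx_params itself begins before the hunk.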

diff --git a/0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch b/0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
new file mode 100644
index 0000000..aec08c9
--- /dev/null
+++ b/0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
@@ -0,0 +1,75 @@
+From 48c763ed9cc889806bc01222382ce6f918a408a2 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 16:12:33 +0200
+Subject: [PATCH 46/48] 
+ 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
+
+Patch-name: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
+Patch-id: 112
+---
+ providers/implementations/kdfs/pbkdf2.c | 40 +++++++++++++++++++++++--
+ 1 file changed, 37 insertions(+), 3 deletions(-)
+
+diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
+index 11820d1e69..bae2238ab5 100644
+--- a/providers/implementations/kdfs/pbkdf2.c
++++ b/providers/implementations/kdfs/pbkdf2.c
+@@ -284,11 +284,42 @@ static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *ctx,
+ 
+ static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[])
+ {
++#ifdef FIPS_MODULE
++    KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx;
++#endif /* defined(FIPS_MODULE) */
+     OSSL_PARAM *p;
++    int any_valid = 0; /* set to 1 when at least one parameter was valid */
++
++    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
++        any_valid = 1;
++
++        if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
++            return 0;
++    }
++
++#ifdef FIPS_MODULE
++    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR))
++            != NULL) {
++        int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED;
++
++        /* The lower_bound_checks parameter enables checks required by FIPS. If
++         * those checks are disabled, the PBKDF2 implementation will also
++         * support non-approved parameters (e.g., salt lengths < 16 bytes, see
++         * NIST SP 800-132 section 5.1). */
++        if (!ctx->lower_bound_checks)
++            fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
+ 
+-    if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
+-        return OSSL_PARAM_set_size_t(p, SIZE_MAX);
+-    return -2;
++        if (!OSSL_PARAM_set_int(p, fips_indicator))
++            return 0;
++
++        any_valid = 1;
++    }
++#endif /* defined(FIPS_MODULE) */
++
++    if (!any_valid)
++        return -2;
++
++    return 1;
+ }
+ 
+ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
+@@ -296,6 +327,9 @@ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
+ {
+     static const OSSL_PARAM known_gettable_ctx_params[] = {
+         OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
++#ifdef FIPS_MODULE
++        OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL),
++#endif /* defined(FIPS_MODULE) */
+         OSSL_PARAM_END
+     };
+     return known_gettable_ctx_params;
+-- 
+2.41.0
+
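Review bot: The indicator set in kdf_pbkdf2_get_ctx_params reflects the `lower_bound_checks` configuration flag, not the salt length, iteration count or key length actually supplied, so a caller that disabled the checks but still passed compliant inputs reads NOT_APPROVED; that is a defensible conservative choice, but the comment should state it, e.g. append `Note: this judges the configuration, not the parameters actually used for a derivation.` after the SP 800-132 sentence. The `#ifdef FIPS_MODULE` guard around the `ctx` declaration keeps the non-FIPS build free of an unused-variable warning, which is worth a three-word comment on that line (`/* only used below */`) so nobody "simplifies" it away. The early `return 0` after a failed `OSSL_PARAM_set_size_t` preserves the original's error convention, so no change is needed there.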

diff --git a/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch b/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
new file mode 100644
index 0000000..564f8d1
--- /dev/null
+++ b/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
@@ -0,0 +1,137 @@
+From 136988155862ce2b45683ef8045e7a8cdd11e215 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 16:13:46 +0200
+Subject: [PATCH 47/48] 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
+
+Patch-name: 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
+Patch-id: 113
+---
+ include/openssl/core_names.h                  |  2 ++
+ include/openssl/evp.h                         |  4 +++
+ .../implementations/asymciphers/rsa_enc.c     | 22 ++++++++++++++
+ providers/implementations/kem/rsa_kem.c       | 30 ++++++++++++++++++-
+ 4 files changed, 57 insertions(+), 1 deletion(-)
+
+diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
+index 29459049ad..9af0b1847d 100644
+--- a/include/openssl/core_names.h
++++ b/include/openssl/core_names.h
+@@ -480,6 +480,7 @@ extern "C" {
+ #ifdef FIPS_MODULE
+ #define OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED     "redhat-kat-oaep-seed"
+ #endif
++#define OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR    "redhat-fips-indicator"
+ 
+ /*
+  * Encoder / decoder parameters
+@@ -514,6 +515,7 @@ extern "C" {
+ 
+ /* KEM parameters */
+ #define OSSL_KEM_PARAM_OPERATION            "operation"
++#define OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" /* int */
+ 
+ /* OSSL_KEM_PARAM_OPERATION values */
+ #define OSSL_KEM_PARAM_OPERATION_RSASVE     "RSASVE"
+diff --git a/include/openssl/evp.h b/include/openssl/evp.h
+index f1a33ff6f2..dadbf46a5a 100644
+--- a/include/openssl/evp.h
++++ b/include/openssl/evp.h
+@@ -1767,6 +1767,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void);
+ OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx);
+ # endif
+ 
++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED     1
++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
++
+ EVP_KEYMGMT *EVP_KEYMGMT_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
+                                const char *properties);
+ int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt);
+diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
+index d169bfd396..bd4dcb4e27 100644
+--- a/providers/implementations/asymciphers/rsa_enc.c
++++ b/providers/implementations/asymciphers/rsa_enc.c
+@@ -466,6 +466,27 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
+     if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->implicit_rejection))
+         return 0;
+ 
++#ifdef FIPS_MODULE
++    p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR);
++    if (p != NULL) {
++        int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED;
++
++        /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
++         * confirmation (section 6.4.2.3.2), or assurance from a trusted third
++         * party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme, but
++         * explicit key confirmation is not implemented here and cannot be
++         * implemented without protocol changes, and the FIPS provider does not
++         * implement trusted third party validation, since it relies on its
++         * callers to do that. We must thus mark RSA-OAEP as unapproved until
++         * we have received clarification from NIST on how library modules such
++         * as OpenSSL should implement TTP validation. */
++        fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        if (!OSSL_PARAM_set_int(p, fips_indicator))
++            return 0;
++    }
++#endif /* defined(FIPS_MODULE) */
++
+     return 1;
+ }
+ 
+@@ -480,6 +501,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
+     OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
+ #ifdef FIPS_MODULE
+     OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0),
++    OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL),
+ #endif /* FIPS_MODULE */
+     OSSL_PARAM_END
+ };
+diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
+index 8a6f585d0b..f4b7415074 100644
+--- a/providers/implementations/kem/rsa_kem.c
++++ b/providers/implementations/kem/rsa_kem.c
+@@ -152,11 +152,39 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa,
+ static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
+ {
+     PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx;
++#ifdef FIPS_MODULE
++    OSSL_PARAM *p;
++#endif /* defined(FIPS_MODULE) */
++
++    if (ctx == NULL)
++        return 0;
++
++#ifdef FIPS_MODULE
++    p = OSSL_PARAM_locate(params, OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR);
++    if (p != NULL) {
++        /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
++         * confirmation (section 6.4.2.3.2), or assurance from a trusted third
++         * party (section 6.4.2.3.1) for key agreement or key transport, but
++         * explicit key confirmation is not implemented here and cannot be
++         * implemented without protocol changes, and the FIPS provider does not
++         * implement trusted third party validation, since it relies on its
++         * callers to do that. We must thus mark RSASVE unapproved until we
++         * have received clarification from NIST on how library modules such as
++         * OpenSSL should implement TTP validation. */
++        int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++
++        if (!OSSL_PARAM_set_int(p, fips_indicator))
++            return 0;
++    }
++#endif /* defined(FIPS_MODULE) */
+ 
+-    return ctx != NULL;
++    return 1;
+ }
+ 
+ static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = {
++#ifdef FIPS_MODULE
++    OSSL_PARAM_int(OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR, NULL),
++#endif /* defined(FIPS_MODULE) */
+     OSSL_PARAM_END
+ };
+ 
+-- 
+2.41.0
+
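Review bot: In the rsa_enc.c hunk, `int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED;` is overwritten unconditionally by `fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;` a few lines later, so the APPROVED initializer is a dead store that reads as if an approved path existed. The rsa_kem.c hunk initializes the variable to NOT_APPROVED directly; doing the same here, `int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;`, keeps the two indicators consistent and makes the unconditional verdict obvious to the next reader. In core_names.h, `OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR` is added without the `/* int */` type comment that the sibling `OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR` carries, and it sits outside the `#ifdef FIPS_MODULE` that guards the neighbouring KAT seed name; if the unconditional definition is intended so non-FIPS callers can probe the parameter, a one-line comment saying so would save the next maintainer from "fixing" it. rsa_get_ctx_params begins outside the hunk.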

diff --git a/0114-FIPS-enforce-EMS-support.patch b/0114-FIPS-enforce-EMS-support.patch
new file mode 100644
index 0000000..2094ce3
--- /dev/null
+++ b/0114-FIPS-enforce-EMS-support.patch
@@ -0,0 +1,251 @@
+From 9b02ad7225b74a5b9088b361caead0a41e570e93 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <dbelyavs@redhat.com>
+Date: Mon, 21 Aug 2023 16:40:56 +0200
+Subject: [PATCH 48/48] 0114-FIPS-enforce-EMS-support.patch
+
+Patch-name: 0114-FIPS-enforce-EMS-support.patch
+Patch-id: 114
+Patch-status: |
+    # We believe that some changes present in CentOS are not necessary
+    # because ustream has a check for FIPS version
+---
+ doc/man3/SSL_CONF_cmd.pod                     |  3 +++
+ doc/man5/fips_config.pod                      | 13 +++++++++++
+ include/openssl/fips_names.h                  |  8 +++++++
+ include/openssl/ssl.h.in                      |  1 +
+ providers/fips/fipsprov.c                     |  2 +-
+ providers/implementations/kdfs/tls1_prf.c     | 22 +++++++++++++++++++
+ ssl/ssl_conf.c                                |  1 +
+ ssl/statem/extensions_srvr.c                  |  8 ++++++-
+ ssl/t1_enc.c                                  | 11 ++++++++--
+ .../30-test_evp_data/evpkdf_tls12_prf.txt     | 10 +++++++++
+ test/sslapitest.c                             |  2 +-
+ 11 files changed, 76 insertions(+), 5 deletions(-)
+
+diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
+index ae6ca43282..b83c04a308 100644
+--- a/doc/man3/SSL_CONF_cmd.pod
++++ b/doc/man3/SSL_CONF_cmd.pod
+@@ -524,6 +524,9 @@ B<ExtendedMasterSecret>: use extended master secret extension, enabled by
+ default. Inverse of B<SSL_OP_NO_EXTENDED_MASTER_SECRET>: that is,
+ B<-ExtendedMasterSecret> is the same as setting B<SSL_OP_NO_EXTENDED_MASTER_SECRET>.
+ 
++B<RHNoEnforceEMSinFIPS>: allow establishing connections without EMS in FIPS mode.
++This is a RedHat-based OS specific option, and normally it should be set up via crypto policies.
++
+ B<CANames>: use CA names extension, enabled by
+ default. Inverse of B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>: that is,
+ B<-CANames> is the same as setting B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>.
+diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod
+index 1c15e32a5c..f2cedaf88d 100644
+--- a/doc/man5/fips_config.pod
++++ b/doc/man5/fips_config.pod
+@@ -15,6 +15,19 @@ for more information.
+ 
+ This functionality was added in OpenSSL 3.0.
+ 
++Red Hat Enterprise Linux uses a supplementary config for FIPS module located in
++OpenSSL configuration directory and managed by crypto policies. If present, it
++should have format
++
++ [fips_sect]
++ tls1-prf-ems-check = 0
++ activate = 1
++
++The B<tls1-prf-ems-check> option specifies whether FIPS module will require the
++presence of extended master secret or not.
++
++The B<activate> option enforces FIPS provider activation.
++
+ =head1 COPYRIGHT
+ 
+ Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h
+index 5c77f6d691..8cdd5a6bf7 100644
+--- a/include/openssl/fips_names.h
++++ b/include/openssl/fips_names.h
+@@ -70,6 +70,14 @@ extern "C" {
+  */
+ # define OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST  "drbg-no-trunc-md"
+ 
++/*
++ * A boolean that determines if the runtime FIPS check for TLS1_PRF EMS is performed.
++ * This is disabled by default.
++ *
++ * Type: OSSL_PARAM_UTF8_STRING
++ */
++# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check"
++
+ # ifdef __cplusplus
+ }
+ # endif
+diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
+index 0b6de603e2..26a69ca282 100644
+--- a/include/openssl/ssl.h.in
++++ b/include/openssl/ssl.h.in
+@@ -415,6 +415,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
+      * interoperability with CryptoPro CSP 3.x
+      */
+ # define SSL_OP_CRYPTOPRO_TLSEXT_BUG                     SSL_OP_BIT(31)
++# define SSL_OP_RH_PERMIT_NOEMS_FIPS                     SSL_OP_BIT(48)
+ 
+ /*
+  * Option "collections."
+diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
+index 5ff9872bd8..eb9653a9df 100644
+--- a/providers/fips/fipsprov.c
++++ b/providers/fips/fipsprov.c
+@@ -105,7 +105,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx)
+     if (fgbl == NULL)
+         return NULL;
+     init_fips_option(&fgbl->fips_security_checks, 1);
+-    init_fips_option(&fgbl->fips_tls1_prf_ems_check, 0); /* Disabled by default */
++    init_fips_option(&fgbl->fips_tls1_prf_ems_check, 1); /* Enabled by default */
+     init_fips_option(&fgbl->fips_restricted_drgb_digests, 0);
+     return fgbl;
+ }
+diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
+index 25a6c79a2e..79bc7a9719 100644
+--- a/providers/implementations/kdfs/tls1_prf.c
++++ b/providers/implementations/kdfs/tls1_prf.c
+@@ -131,6 +131,7 @@ static void *kdf_tls1_prf_new(void *provctx)
+ static void kdf_tls1_prf_free(void *vctx)
+ {
+     TLS1_PRF *ctx = (TLS1_PRF *)vctx;
++    OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
+ 
+     if (ctx != NULL) {
+         kdf_tls1_prf_reset(ctx);
+@@ -222,6 +223,27 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen,
+         }
+     }
+ 
++    /*
++     * The seed buffer is prepended with a label.
++     * If EMS mode is enforced then the label "master secret" is not allowed,
++     * We do the check this way since the PRF is used for other purposes, as well
++     * as "extended master secret".
++     */
++#ifdef FIPS_MODULE
++    if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE
++            && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST,
++                      TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
++    ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
++#endif /* defined(FIPS_MODULE) */
++    if (ossl_tls1_prf_ems_check_enabled(libctx)) {
++        if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE
++                && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST,
++                          TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) {
++            ERR_raise(ERR_LIB_PROV, PROV_R_EMS_NOT_ENABLED);
++            return 0;
++        }
++    }
++
+     return tls1_prf_alg(ctx->P_hash, ctx->P_sha1,
+                         ctx->sec, ctx->seclen,
+                         ctx->seed, ctx->seedlen,
+diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
+index 5146cedb96..086db98c33 100644
+--- a/ssl/ssl_conf.c
++++ b/ssl/ssl_conf.c
+@@ -389,6 +389,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
+         SSL_FLAG_TBL("ClientRenegotiation",
+                      SSL_OP_ALLOW_CLIENT_RENEGOTIATION),
+         SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),
++        SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", SSL_OP_RH_PERMIT_NOEMS_FIPS),
+         SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION),
+         SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
+         SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA),
+diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
+index 00b1ee531e..22cdabb308 100644
+--- a/ssl/statem/extensions_srvr.c
++++ b/ssl/statem/extensions_srvr.c
+@@ -11,6 +11,7 @@
+ #include "../ssl_local.h"
+ #include "statem_local.h"
+ #include "internal/cryptlib.h"
++#include <openssl/fips.h>
+ 
+ #define COOKIE_STATE_FORMAT_VERSION     1
+ 
+@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
+ EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
+                                   X509 *x, size_t chainidx)
+ {
+-    if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
++    if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) {
++        if (FIPS_mode() && !(SSL_get_options(s) & SSL_OP_RH_PERMIT_NOEMS_FIPS) ) {
++            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
++            return EXT_RETURN_FAIL;
++        }
+         return EXT_RETURN_NOT_SENT;
++    }
+ 
+     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
+             || !WPACKET_put_bytes_u16(pkt, 0)) {
+diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
+index 91238e6457..e8ad8ecd9e 100644
+--- a/ssl/t1_enc.c
++++ b/ssl/t1_enc.c
+@@ -20,6 +20,7 @@
+ #include <openssl/obj_mac.h>
+ #include <openssl/core_names.h>
+ #include <openssl/trace.h>
++#include <openssl/fips.h>
+ 
+ /* seed1 through seed5 are concatenated */
+ static int tls1_PRF(SSL *s,
+@@ -75,8 +76,14 @@ static int tls1_PRF(SSL *s,
+     }
+ 
+  err:
+-    if (fatal)
+-        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++    if (fatal) {
++        /* The calls to this function are local so it's safe to implement the check */
++        if (FIPS_mode() && seed1_len >= TLS_MD_MASTER_SECRET_CONST_SIZE
++            && memcmp(seed1, TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
++            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED);
++	else
++            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++    }
+     else
+         ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
+     EVP_KDF_CTX_free(kctx);
+diff --git a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
+index 44040ff66b..deb6bf3fcb 100644
+--- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
++++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
+@@ -22,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587c
+ Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
+ Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
+ 
++Availablein = fips
++KDF = TLS1-PRF
++Ctrl.digest = digest:SHA256
++Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc
++Ctrl.label = seed:master secret
++Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c
++Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
++Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
++Result = KDF_DERIVE_ERROR
++
+ FIPSversion = <=3.1.0
+ KDF = TLS1-PRF
+ Ctrl.digest = digest:SHA256
+diff --git a/test/sslapitest.c b/test/sslapitest.c
+index 169e3c7466..e67b5bb44c 100644
+--- a/test/sslapitest.c
++++ b/test/sslapitest.c
+@@ -574,7 +574,7 @@ static int test_client_cert_verify_cb(void)
+     STACK_OF(X509) *server_chain;
+     SSL_CTX *cctx = NULL, *sctx = NULL;
+     SSL *clientssl = NULL, *serverssl = NULL;
+-    int testresult = 0;
++    int testresult = 0, status;
+ 
+     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+                                        TLS_client_method(), TLS1_VERSION, 0,
+-- 
+2.41.0
+
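Review bot: In the tls1_prf.c hunk for `kdf_tls1_prf_free`, the added `OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);` dereferences `ctx` before the existing `if (ctx != NULL)` guard and `libctx` is never used in that function, so the line should be dropped there; the `ossl_tls1_prf_ems_check_enabled(libctx)` call in the `kdf_tls1_prf_derive` hunk relies on a `libctx` declaration that is not part of this patch and is presumably already in the base, which is worth confirming. The new comment in fips_names.h states the EMS check "is disabled by default" while the fipsprov.c hunk flips the default to `init_fips_option(&fgbl->fips_tls1_prf_ems_check, 1); /* Enabled by default */`; the header comment should read `This is enabled by default.` so the documented default matches the code and the `tls1-prf-ems-check = 0` example in fips_config.pod is understood as an opt-out. In the same derive hunk the `#ifdef FIPS_MODULE` block assigns `ctx->fips_indicator` in an unbraced two-line `if` whose body is indented at the `if` level, and the t1_enc.c hunk uses a tab-indented `else` against space-indented neighbours; both should be braced and aligned per the project's style. The enclosing functions start outside their hunks.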

diff --git a/openssl.spec b/openssl.spec
index 248e826..c6127e2 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.1.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 Epoch: 1
 Source: openssl-%{version}.tar.gz
 Source2: Makefile.certificate
@@ -105,7 +105,7 @@ Patch61:  0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
 Patch62:  0062-fips-Expose-a-FIPS-indicator.patch
 # # https://bugzilla.redhat.com/show_bug.cgi?id=2102535
 Patch73:  0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
-# [PATCH 30/35] 
+# [PATCH 30/48] 
 #  0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
 Patch74:  0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
 # # https://bugzilla.redhat.com/show_bug.cgi?id=2102535
@@ -118,7 +118,41 @@ Patch77:  0077-FIPS-140-3-zeroization.patch
 # # https://bugzilla.redhat.com/show_bug.cgi?id=2114772
 Patch78:  0078-Add-FIPS-indicator-parameter-to-HKDF.patch
 # # https://github.com/openssl/openssl/pull/13817
-Patch100: 0100-RSA-PKCS15-implicit-rejection.patch
+Patch79:  0079-RSA-PKCS15-implicit-rejection.patch
+# # We believe that some changes present in CentOS are not necessary
+# # because ustream has a check for FIPS version
+Patch80:  0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
+# [PATCH 37/48] 
+#  0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
+Patch81:  0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
+# [PATCH 38/48] 
+#  0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
+Patch83:  0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
+# [PATCH 39/48] 
+#  0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
+Patch84:  0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
+# 0085-FIPS-RSA-disable-shake.patch
+Patch85:  0085-FIPS-RSA-disable-shake.patch
+# 0088-signature-Add-indicator-for-PSS-salt-length.patch
+Patch88:  0088-signature-Add-indicator-for-PSS-salt-length.patch
+# 0091-FIPS-RSA-encapsulate.patch
+Patch91:  0091-FIPS-RSA-encapsulate.patch
+# [PATCH 43/48] 
+#  0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
+Patch93:  0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
+# 0109-fips-Zeroize-out-in-fips-selftest.patch
+Patch109: 0109-fips-Zeroize-out-in-fips-selftest.patch
+# [PATCH 45/48] 
+#  0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
+Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
+# [PATCH 46/48] 
+#  0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
+Patch112: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
+# 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
+Patch113: 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
+# # We believe that some changes present in CentOS are not necessary
+# # because ustream has a check for FIPS version
+Patch114: 0114-FIPS-enforce-EMS-support.patch
 
 License: Apache-2.0
 URL: http://www.openssl.org/
@@ -450,6 +484,9 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 
 %changelog
+* Tue Aug 22 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.1.1-3
+- Integrate FIPS patches from CentOS
+
 * Fri Aug 04 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.1.1-2
 - migrated to SPDX license
 
