public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
To: git-commits@fedoraproject.org
Subject: [rpms/openssl] rebase_40beta: Syhchronization of the patches with CentOS
Date: Tue, 09 Jun 2026 12:45:33 GMT [thread overview]
Message-ID: <178100913342.1.11213367199223602249.rpms-openssl-f0b1ff1785cc@fedoraproject.org> (raw)
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : f0b1ff1785cc2ab566014a87d61100f40e3726ce
Author : Dmitry Belyavskiy <dbelyavs@redhat.com>
Date : 2025-06-05T19:44:35+02:00
Stats : +1080/-165 in 59 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/f0b1ff1785cc2ab566014a87d61100f40e3726ce?branch=rebase_40beta
Log:
Syhchronization of the patches with CentOS
---
diff --git a/0001-RH-Aarch64-and-ppc64le-use-lib64.patch b/0001-RH-Aarch64-and-ppc64le-use-lib64.patch
index 6cb27b1..f9c715c 100644
--- a/0001-RH-Aarch64-and-ppc64le-use-lib64.patch
+++ b/0001-RH-Aarch64-and-ppc64le-use-lib64.patch
@@ -1,7 +1,7 @@
From fb792883f3ccc55997fdc21a9c1052f778dea1ac Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
-Subject: [PATCH 01/50] RH: Aarch64 and ppc64le use lib64
+Subject: [PATCH 01/58] RH: Aarch64 and ppc64le use lib64
Patch-name: 0001-Aarch64-and-ppc64le-use-lib64.patch
Patch-id: 1
diff --git a/0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch b/0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch
index f0808db..d9c7035 100644
--- a/0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch
+++ b/0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch
@@ -1,7 +1,7 @@
From 193d88dfd8d131d2057fc69b4e2abb66f51924d0 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 6 Mar 2025 08:40:29 -0500
-Subject: [PATCH 02/50] Add a separate config file to use for rpm installs
+Subject: [PATCH 02/58] Add a separate config file to use for rpm installs
In RHEL/Fedora systems we want to use a slightly different set
of defaults, but we do not want to change the standard config file
diff --git a/0003-RH-Do-not-install-html-docs.patch b/0003-RH-Do-not-install-html-docs.patch
index 52ebff1..1589d8e 100644
--- a/0003-RH-Do-not-install-html-docs.patch
+++ b/0003-RH-Do-not-install-html-docs.patch
@@ -1,7 +1,7 @@
From 786b3456ad2d3d37e9729b83d0ddce8794060fb1 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
-Subject: [PATCH 03/50] RH: Do not install html docs
+Subject: [PATCH 03/58] RH: Do not install html docs
Patch-name: 0003-Do-not-install-html-docs.patch
Patch-id: 3
diff --git a/0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch b/0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch
index f0c1852..9b8b563 100644
--- a/0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch
+++ b/0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch
@@ -1,7 +1,7 @@
From 9e410805cbd962214f0c0db785320f5fd594ea75 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
-Subject: [PATCH 04/50] RH: apps ca fix md option help text.patch - DROP?
+Subject: [PATCH 04/58] RH: apps ca fix md option help text.patch - DROP?
Patch-name: 0005-apps-ca-fix-md-option-help-text.patch
Patch-id: 5
diff --git a/0005-RH-Disable-signature-verification-with-bad-digests-R.patch b/0005-RH-Disable-signature-verification-with-bad-digests-R.patch
index ac6b340..7b98fd5 100644
--- a/0005-RH-Disable-signature-verification-with-bad-digests-R.patch
+++ b/0005-RH-Disable-signature-verification-with-bad-digests-R.patch
@@ -1,7 +1,7 @@
From fc8b2977d0b92f5a2e62131e398857ee431bff6e Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
-Subject: [PATCH 05/50] RH: Disable signature verification with bad digests -
+Subject: [PATCH 05/58] RH: Disable signature verification with bad digests -
REVIEW
Patch-name: 0006-Disable-signature-verification-with-totally-unsafe-h.patch
diff --git a/0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch b/0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch
index 12a7dfc..fa24115 100644
--- a/0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch
+++ b/0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch
@@ -1,7 +1,7 @@
From e4f78101181c2a16343c0f281d218fde34b84637 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
-Subject: [PATCH 06/50] RH: Add support for PROFILE SYSTEM system default
+Subject: [PATCH 06/58] RH: Add support for PROFILE SYSTEM system default
cipher
Patch-name: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
diff --git a/0007-RH-Add-FIPS_mode-compatibility-macro.patch b/0007-RH-Add-FIPS_mode-compatibility-macro.patch
index cc5fe88..508a756 100644
--- a/0007-RH-Add-FIPS_mode-compatibility-macro.patch
+++ b/0007-RH-Add-FIPS_mode-compatibility-macro.patch
@@ -1,7 +1,7 @@
From 6778626185fb566b9b89f548ff18f481c10ce808 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 07/50] RH: Add FIPS_mode compatibility macro
+Subject: [PATCH 07/58] RH: Add FIPS_mode compatibility macro
Patch-name: 0008-Add-FIPS_mode-compatibility-macro.patch
Patch-id: 8
diff --git a/0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch b/0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch
index aaebff7..c4768a5 100644
--- a/0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch
+++ b/0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch
@@ -1,7 +1,7 @@
From 9df43c7443d85c5685f87c132de448a7c4e652b5 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 08/50] RH: Add Kernel FIPS mode flag support - FIXSTYLE
+Subject: [PATCH 08/58] RH: Add Kernel FIPS mode flag support - FIXSTYLE
Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch
Patch-id: 9
diff --git a/0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch b/0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch
index 9fd2610..80ec2c4 100644
--- a/0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch
+++ b/0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch
@@ -1,7 +1,7 @@
From f9d74e58291461804defa0e2de9635aad76e5d57 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 09/50] RH: Drop weak curve definitions - RENAMED/SQUASHED
+Subject: [PATCH 09/58] RH: Drop weak curve definitions - RENAMED/SQUASHED
Patch-name: 0010-Add-changes-to-ectest-and-eccurve.patch
Patch-id: 10
diff --git a/0010-RH-Disable-explicit-ec-curves.patch b/0010-RH-Disable-explicit-ec-curves.patch
index 527503c..af0fcdc 100644
--- a/0010-RH-Disable-explicit-ec-curves.patch
+++ b/0010-RH-Disable-explicit-ec-curves.patch
@@ -1,7 +1,7 @@
-From 325f426bdeb49dd36868e009e99abb641300af96 Mon Sep 17 00:00:00 2001
+From 27fc7dc53e31b3dcd7ff3df40db1060d7a72f126 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 10/50] RH: Disable explicit ec curves
+Subject: [PATCH 10/58] RH: Disable explicit ec curves
Patch-name: 0012-Disable-explicit-ec.patch
Patch-id: 12
@@ -11,11 +11,11 @@ Patch-status: |
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
crypto/ec/ec_asn1.c | 11 ++++++++++
- crypto/ec/ec_lib.c | 6 +++++
+ crypto/ec/ec_lib.c | 8 ++++++-
test/ectest.c | 22 ++++++++++---------
test/endecode_test.c | 20 ++++++++---------
.../30-test_evp_data/evppkey_ecdsa.txt | 12 ----------
- 5 files changed, 39 insertions(+), 32 deletions(-)
+ 5 files changed, 40 insertions(+), 33 deletions(-)
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 643d2d8d7b..5895606176 100644
@@ -47,9 +47,18 @@ index 643d2d8d7b..5895606176 100644
if (priv_key->privateKey) {
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
-index b55677fb1f..dcfdef408e 100644
+index b55677fb1f..1df40018ac 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
+@@ -1554,7 +1554,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
+ int is_prime_field = 1;
+ BN_CTX *bnctx = NULL;
+ const unsigned char *buf = NULL;
+- int encoding_flag = -1;
++ /* int encoding_flag = -1; */
+ #endif
+
+ /* This is the simple named group case */
@@ -1728,6 +1728,11 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
goto err;
}
diff --git a/0011-RH-skipped-tests-EC-curves.patch b/0011-RH-skipped-tests-EC-curves.patch
index b912ddd..39ac428 100644
--- a/0011-RH-skipped-tests-EC-curves.patch
+++ b/0011-RH-skipped-tests-EC-curves.patch
@@ -1,7 +1,7 @@
-From ec22400267e5accaacb24eec8fd6be5e73f1833d Mon Sep 17 00:00:00 2001
+From 2c8e302b4a2f9c4eeec718d2a9d5cef655c28153 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 11/50] RH: skipped tests EC curves
+Subject: [PATCH 11/58] RH: skipped tests EC curves
Patch-name: 0013-skipped-tests-EC-curves.patch
Patch-id: 13
diff --git a/0012-RH-skip-quic-pairwise.patch b/0012-RH-skip-quic-pairwise.patch
index 5ca0801..ae9b19e 100644
--- a/0012-RH-skip-quic-pairwise.patch
+++ b/0012-RH-skip-quic-pairwise.patch
@@ -1,7 +1,7 @@
-From 2f327785a69b62eac55a94d49441994cbaf941d5 Mon Sep 17 00:00:00 2001
+From e87e9fbc6bcf90d43f6e09f7de46f1805e3e6674 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Thu, 7 Mar 2024 17:37:09 +0100
-Subject: [PATCH 12/50] RH: skip quic pairwise
+Subject: [PATCH 12/58] RH: skip quic pairwise
Patch-name: 0115-skip-quic-pairwise.patch
Patch-id: 115
diff --git a/0013-RH-version-aliasing.patch b/0013-RH-version-aliasing.patch
index 8b67dc4..595ad14 100644
--- a/0013-RH-version-aliasing.patch
+++ b/0013-RH-version-aliasing.patch
@@ -1,7 +1,7 @@
-From dcea5128f4a6ff30eedca8442b8e3cdc18bac216 Mon Sep 17 00:00:00 2001
+From c63c81754bcf4bf3aeb4049fc5952368764fb303 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
-Subject: [PATCH 13/50] RH: version aliasing
+Subject: [PATCH 13/58] RH: version aliasing
Patch-name: 0116-version-aliasing.patch
Patch-id: 116
diff --git a/0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch b/0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch
index bcdad9d..006fdbd 100644
--- a/0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch
+++ b/0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch
@@ -1,19 +1,47 @@
-From 1c440ca60081777e618eaecb31ef92b692cc2444 Mon Sep 17 00:00:00 2001
+From eeaa8125102427cedfda9a1d5bd663956acd8d63 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 13 Feb 2025 16:09:09 -0500
-Subject: [PATCH 14/50] RH: Export two symbols for OPENSSL_str[n]casecmp
+Subject: [PATCH 14/58] RH: Export two symbols for OPENSSL_str[n]casecmp
We accidentally exported the symbols with the incorrect verison number
in an early version of RHEL-9 so we need to keep the wrong symbols for
ABI backwards compatibility and the correct symbols to be compatible
with upstream.
---
+ crypto/evp/digest.c | 2 +-
+ crypto/evp/evp_enc.c | 2 +-
crypto/o_str.c | 14 ++++++++++++--
test/recipes/01-test_symbol_presence.t | 2 +-
util/libcrypto.num | 2 ++
- 3 files changed, 15 insertions(+), 3 deletions(-)
+ 5 files changed, 17 insertions(+), 5 deletions(-)
mode change 100644 => 100755 test/recipes/01-test_symbol_presence.t
+diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
+index 3c80b9dfe1..8ee9db73dd 100644
+--- a/crypto/evp/digest.c
++++ b/crypto/evp/digest.c
+@@ -573,7 +573,7 @@ int EVP_DigestSqueeze(EVP_MD_CTX *ctx, unsigned char *md, size_t size)
+ }
+
+ EVP_MD_CTX
+-#if !defined(FIPS_MODULE)
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
+ __attribute__ ((symver ("EVP_MD_CTX_dup@@OPENSSL_3.1.0"),
+ symver ("EVP_MD_CTX_dup@OPENSSL_3.2.0")))
+ #endif
+diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
+index 7c51786515..619cf4f385 100644
+--- a/crypto/evp/evp_enc.c
++++ b/crypto/evp/evp_enc.c
+@@ -1763,7 +1763,7 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
+ }
+
+ EVP_CIPHER_CTX
+-#if !defined(FIPS_MODULE)
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
+ __attribute__ ((symver ("EVP_CIPHER_CTX_dup@@OPENSSL_3.1.0"),
+ symver ("EVP_CIPHER_CTX_dup@OPENSSL_3.2.0")))
+ #endif
diff --git a/crypto/o_str.c b/crypto/o_str.c
index 93af73561f..86442a939e 100644
--- a/crypto/o_str.c
diff --git a/0015-RH-TMP-KTLS-test-skip.patch b/0015-RH-TMP-KTLS-test-skip.patch
index 5c7bf73..645280f 100644
--- a/0015-RH-TMP-KTLS-test-skip.patch
+++ b/0015-RH-TMP-KTLS-test-skip.patch
@@ -1,7 +1,7 @@
-From 73574d1847777d0c93d9ebe353d235ebb165eeae Mon Sep 17 00:00:00 2001
+From 601c308871191a17620ade34a9edcb8afe969c8d Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 13 Feb 2025 18:11:19 -0500
-Subject: [PATCH 15/50] RH: TMP KTLS test skip
+Subject: [PATCH 15/58] RH: TMP KTLS test skip
From-dist-git-commit: 83382cc2a09dfcc55d5740fd08fd95c2333a56c9
---
diff --git a/0016-RH-Allow-disabling-of-SHA1-signatures.patch b/0016-RH-Allow-disabling-of-SHA1-signatures.patch
index 27429dc..52ed1bd 100644
--- a/0016-RH-Allow-disabling-of-SHA1-signatures.patch
+++ b/0016-RH-Allow-disabling-of-SHA1-signatures.patch
@@ -1,7 +1,7 @@
-From 81b507715dded07f61f6d2bd7d498cc16ae04e38 Mon Sep 17 00:00:00 2001
+From 84c7c05d38e96d003df43527e4e6abc6dbae2683 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 13:07:07 +0200
-Subject: [PATCH 16/50] RH: Allow disabling of SHA1 signatures
+Subject: [PATCH 16/58] RH: Allow disabling of SHA1 signatures
Patch-name: 0049-Allow-disabling-of-SHA1-signatures.patch
Patch-id: 49
@@ -9,26 +9,26 @@ Patch-status: |
# Selectively disallow SHA1 signatures rhbz#2070977
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
- crypto/context.c | 76 +++++++++++++++++++
+ crypto/context.c | 70 +++++++++++++++++++
crypto/evp/evp_cnf.c | 13 ++++
crypto/evp/m_sigver.c | 13 ++++
crypto/evp/pmeth_lib.c | 15 ++++
doc/man5/config.pod | 13 ++++
- include/crypto/context.h | 8 ++
+ include/crypto/context.h | 8 +++
include/internal/cryptlib.h | 3 +-
- include/internal/sslconf.h | 4 +
+ include/internal/sslconf.h | 4 ++
providers/common/include/prov/securitycheck.h | 2 +
providers/common/securitycheck.c | 14 ++++
providers/common/securitycheck_default.c | 1 +
providers/implementations/signature/dsa_sig.c | 1 +
- .../implementations/signature/ecdsa_sig.c | 5 +-
- providers/implementations/signature/rsa_sig.c | 17 ++++-
- ssl/t1_lib.c | 8 ++
+ .../implementations/signature/ecdsa_sig.c | 8 ++-
+ providers/implementations/signature/rsa_sig.c | 14 +++-
+ ssl/t1_lib.c | 8 +++
util/libcrypto.num | 2 +
- 16 files changed, 189 insertions(+), 6 deletions(-)
+ 16 files changed, 182 insertions(+), 7 deletions(-)
diff --git a/crypto/context.c b/crypto/context.c
-index 614c8a2c88..6859146510 100644
+index 614c8a2c88..323615e300 100644
--- a/crypto/context.c
+++ b/crypto/context.c
@@ -85,6 +85,8 @@ struct ossl_lib_ctx_st {
@@ -40,7 +40,7 @@ index 614c8a2c88..6859146510 100644
int ischild;
int conf_diagnostics;
};
-@@ -119,6 +121,25 @@ int ossl_lib_ctx_is_child(OSSL_LIB_CTX *ctx)
+@@ -119,6 +121,22 @@ int ossl_lib_ctx_is_child(OSSL_LIB_CTX *ctx)
return ctx->ischild;
}
@@ -56,9 +56,6 @@ index 614c8a2c88..6859146510 100644
+static void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx)
+{
+ OSSL_LEGACY_DIGEST_SIGNATURES* ldsigs = OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES));
-+ /* Warning: This patch differs from the same patch in CentOS and RHEL here,
-+ * because the default on Fedora is to allow SHA-1 and support disabling
-+ * it, while CentOS/RHEL disable it by default and allow enabling it. */
+ ldsigs->allowed = 0;
+ return ldsigs;
+}
@@ -66,7 +63,7 @@ index 614c8a2c88..6859146510 100644
static void context_deinit_objs(OSSL_LIB_CTX *ctx);
static int context_init(OSSL_LIB_CTX *ctx)
-@@ -235,6 +256,10 @@ static int context_init(OSSL_LIB_CTX *ctx)
+@@ -235,6 +253,10 @@ static int context_init(OSSL_LIB_CTX *ctx)
goto err;
#endif
@@ -77,7 +74,7 @@ index 614c8a2c88..6859146510 100644
/* Low priority. */
#ifndef FIPS_MODULE
ctx->child_provider = ossl_child_prov_ctx_new(ctx);
-@@ -382,6 +407,11 @@ static void context_deinit_objs(OSSL_LIB_CTX *ctx)
+@@ -382,6 +404,11 @@ static void context_deinit_objs(OSSL_LIB_CTX *ctx)
}
#endif
@@ -89,7 +86,7 @@ index 614c8a2c88..6859146510 100644
/* Low priority. */
#ifndef FIPS_MODULE
if (ctx->child_provider != NULL) {
-@@ -660,6 +690,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index)
+@@ -660,6 +687,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index)
case OSSL_LIB_CTX_COMP_METHODS:
return (void *)&ctx->comp_methods;
@@ -99,7 +96,7 @@ index 614c8a2c88..6859146510 100644
default:
return NULL;
}
-@@ -714,3 +747,46 @@ void OSSL_LIB_CTX_set_conf_diagnostics(OSSL_LIB_CTX *libctx, int value)
+@@ -714,3 +744,43 @@ void OSSL_LIB_CTX_set_conf_diagnostics(OSSL_LIB_CTX *libctx, int value)
return;
libctx->conf_diagnostics = value;
}
@@ -126,9 +123,6 @@ index 614c8a2c88..6859146510 100644
+ return 1;
+ #endif
+
-+ /* Warning: This patch differs from the same patch in CentOS and RHEL here,
-+ * because the default on Fedora is to allow SHA-1 and support disabling
-+ * it, while CentOS/RHEL disable it by default and allow enabling it. */
+ return ldsigs != NULL ? ldsigs->allowed : 0;
+}
+
@@ -372,29 +366,30 @@ index c5adbf8002..52ed52482d 100644
if (md == NULL) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
-index 4018a772ff..80e4115b69 100644
+index 4018a772ff..04d4009ab5 100644
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
-@@ -197,13 +197,16 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx,
+@@ -197,13 +197,15 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx,
goto err;
}
md_nid = ossl_digest_get_approved_nid(md);
-+
- #ifdef FIPS_MODULE
+-#ifdef FIPS_MODULE
- if (md_nid == NID_undef) {
++
+ md_nid = rh_digest_signatures_allowed(ctx->libctx, md_nid);
-+ if (md_nid <= 0) {
++ /* KECCAK-256 is explicitly allowed for ECDSA despite it doesn't have a NID*/
++ if (md_nid <= 0 && !(EVP_MD_is_a(md, "KECCAK-256"))) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
"digest=%s", mdname);
goto err;
}
- #endif
+-#endif
+
/* XOF digests don't work */
if (EVP_MD_xof(md)) {
ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
-index e75b90840b..c4740128ce 100644
+index e75b90840b..645304b951 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -26,6 +26,7 @@
@@ -423,18 +418,7 @@ index e75b90840b..c4740128ce 100644
ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
"digest=%s", mdname);
goto err;
-@@ -475,8 +478,9 @@ static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname,
- "%s could not be fetched", mdname);
- return 0;
- }
-- /* The default for mgf1 is SHA1 - so allow SHA1 */
-+ /* The default for mgf1 is SHA1 - so check if we allow SHA1 */
- if ((mdnid = ossl_digest_rsa_sign_get_md_nid(md)) <= 0
-+ || (mdnid = rh_digest_signatures_allowed(ctx->libctx, mdnid)) <= 0
- || !rsa_check_padding(ctx, NULL, mdname, mdnid)) {
- if (mdnid <= 0)
- ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
-@@ -1765,8 +1769,13 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
+@@ -1765,8 +1768,13 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
prsactx->pad_mode = pad_mode;
if (prsactx->md == NULL && pmdname == NULL
diff --git a/0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch b/0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch
index 3478880..18010e2 100644
--- a/0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch
+++ b/0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch
@@ -1,7 +1,7 @@
-From 3e20d4430b34488a06102c30634e7d25d2699290 Mon Sep 17 00:00:00 2001
+From 16fdb39036e7e8438c5b97359818cd9bc472196f Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:12:33 -0500
-Subject: [PATCH 17/50] FIPS: Red Hat's FIPS module name and version
+Subject: [PATCH 17/58] FIPS: Red Hat's FIPS module name and version
Signed-off-by: Simo Sorce <simo@redhat.com>
---
diff --git a/0018-FIPS-disable-fipsinstall.patch b/0018-FIPS-disable-fipsinstall.patch
index 875aa37..3079823 100644
--- a/0018-FIPS-disable-fipsinstall.patch
+++ b/0018-FIPS-disable-fipsinstall.patch
@@ -1,7 +1,7 @@
-From 50de3f0a5f2023549aaa9caa2184795e692741b0 Mon Sep 17 00:00:00 2001
+From f40c27149fd5bb1864d069b3d116ffd88cca5f2f Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 18/50] FIPS: disable fipsinstall
+Subject: [PATCH 18/58] FIPS: disable fipsinstall
Patch-name: 0034.fipsinstall_disable.patch
Patch-id: 34
diff --git a/0019-FIPS-Force-fips-provider-on.patch b/0019-FIPS-Force-fips-provider-on.patch
index 08e2432..6bcd040 100644
--- a/0019-FIPS-Force-fips-provider-on.patch
+++ b/0019-FIPS-Force-fips-provider-on.patch
@@ -1,7 +1,7 @@
-From a5f2ab969455d591327ea41cac9ffb64234ca38c Mon Sep 17 00:00:00 2001
+From ad031aa2b8ec4042b0081f4179b8a05131bd52df Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 19/50] FIPS: Force fips provider on
+Subject: [PATCH 19/58] FIPS: Force fips provider on
Patch-name: 0032-Force-fips.patch
Patch-id: 32
diff --git a/0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch b/0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch
index 62f5058..528588e 100644
--- a/0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch
+++ b/0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch
@@ -1,7 +1,7 @@
-From 01427603bda0c44624b57c284e731c539828444e Mon Sep 17 00:00:00 2001
+From ee1a3977388a9ec10aa4998beb67d8e3b4bfdd9e Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 20/50] FIPS: INTEG-CHECK: Embed hmac in fips.so - NOTE
+Subject: [PATCH 20/58] FIPS: INTEG-CHECK: Embed hmac in fips.so - NOTE
Corrected by squashing in:
0052-Restore-the-correct-verify_integrity-function.patch
diff --git a/0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch b/0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch
index 3f894dc..2931295 100644
--- a/0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch
+++ b/0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch
@@ -1,7 +1,7 @@
-From e5fa1a36fb4786a29e5e0ffcafc1198a18ef2a1c Mon Sep 17 00:00:00 2001
+From c202200bda962300ebc7d19e62ea0df734488c0c Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 20 Feb 2025 15:30:32 -0500
-Subject: [PATCH 21/50] FIPS: INTEG-CHECK: Add script to hmac-ify fips.so
+Subject: [PATCH 21/58] FIPS: INTEG-CHECK: Add script to hmac-ify fips.so
This script rewrites the fips.so binary to embed the hmac result into it
so that after a build it can be called to make the fips.so as modified
diff --git a/0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch b/0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch
index 1058cf5..fafbff9 100644
--- a/0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch
+++ b/0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch
@@ -1,7 +1,7 @@
-From 2c0a4a02d274997dcc969ec8a7f13922aa3a4d7b Mon Sep 17 00:00:00 2001
+From d0ad196c07d223cbb1dd2419b1ec0b0e4458febb Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 22/50] FIPS: INTEG-CHECK: Execute KATS before HMAC - REVIEW
+Subject: [PATCH 22/58] FIPS: INTEG-CHECK: Execute KATS before HMAC - REVIEW
Patch-name: 0047-FIPS-early-KATS.patch
Patch-id: 47
diff --git a/0023-FIPS-RSA-encrypt-limits-REVIEW.patch b/0023-FIPS-RSA-encrypt-limits-REVIEW.patch
index 5fa29ca..1a38677 100644
--- a/0023-FIPS-RSA-encrypt-limits-REVIEW.patch
+++ b/0023-FIPS-RSA-encrypt-limits-REVIEW.patch
@@ -1,7 +1,7 @@
-From e3def0e0439297fdfb9d17ede9f5e38e829d5d86 Mon Sep 17 00:00:00 2001
+From 19617bb4a510d73e5080d026d22b06b637a6ad1a Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 23/50] FIPS: RSA: encrypt limits - REVIEW
+Subject: [PATCH 23/58] FIPS: RSA: encrypt limits - REVIEW
Patch-name: 0058-FIPS-limit-rsa-encrypt.patch
Patch-id: 58
diff --git a/0024-FIPS-RSA-PCTs.patch b/0024-FIPS-RSA-PCTs.patch
index 08fdb73..bbc2ec7 100644
--- a/0024-FIPS-RSA-PCTs.patch
+++ b/0024-FIPS-RSA-PCTs.patch
@@ -1,7 +1,7 @@
-From 77fdffb56f9194fe81d7e91bf9a7ac06be02e250 Mon Sep 17 00:00:00 2001
+From 7cb38d617ceb819a58ac14b266787ad3d71f6206 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 24 Mar 2025 10:50:37 -0400
-Subject: [PATCH 24/50] FIPS: RSA: PCTs
+Subject: [PATCH 24/58] FIPS: RSA: PCTs
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -67,7 +67,7 @@ index 77d0950094..f0e71beb43 100644
BN_clear_free(gctx->pub_exp);
OPENSSL_free(gctx);
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
-index c4740128ce..b08c9685dd 100644
+index 645304b951..3d5af1046a 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -37,7 +37,7 @@
@@ -97,7 +97,7 @@ index c4740128ce..b08c9685dd 100644
{
PROV_RSA_CTX *prsactx = NULL;
char *propq_copy = NULL;
-@@ -1317,7 +1317,7 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
+@@ -1316,7 +1316,7 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
return ok;
}
@@ -106,7 +106,7 @@ index c4740128ce..b08c9685dd 100644
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
-@@ -1867,6 +1867,45 @@ static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)
+@@ -1866,6 +1866,45 @@ static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)
return EVP_MD_settable_ctx_params(prsactx->md);
}
diff --git a/0025-FIPS-RSA-encapsulate-limits.patch b/0025-FIPS-RSA-encapsulate-limits.patch
index 65f4d51..18d5e4c 100644
--- a/0025-FIPS-RSA-encapsulate-limits.patch
+++ b/0025-FIPS-RSA-encapsulate-limits.patch
@@ -1,7 +1,7 @@
-From 1ba2caa0c71e45e5ccc9cec2e389d3ee7c68a252 Mon Sep 17 00:00:00 2001
+From 158637448165abbde8d4b0c24bf4344744b79adc Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
-Subject: [PATCH 25/50] FIPS: RSA: encapsulate limits
+Subject: [PATCH 25/58] FIPS: RSA: encapsulate limits
Patch-name: 0091-FIPS-RSA-encapsulate.patch
Patch-id: 91
diff --git a/0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch b/0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch
index 6211eab..00513c7 100644
--- a/0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch
+++ b/0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch
@@ -1,7 +1,7 @@
-From 3b61e3b98c1c0110e9c55fb14a967c69d8efdda8 Mon Sep 17 00:00:00 2001
+From 9595ceef9fe9a45fca1f970706077712dbb9287f Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
-Subject: [PATCH 26/50] FIPS: RSA: Disallow SHAKE in OAEP and PSS
+Subject: [PATCH 26/58] FIPS: RSA: Disallow SHAKE in OAEP and PSS
According to FIPS 140-3 IG, section C.C, the SHAKE digest algorithms
must not be used in higher-level algorithms (such as RSA-OAEP and
diff --git a/0027-FIPS-RSA-size-mode-restrictions.patch b/0027-FIPS-RSA-size-mode-restrictions.patch
index dd1e11e..8a572a7 100644
--- a/0027-FIPS-RSA-size-mode-restrictions.patch
+++ b/0027-FIPS-RSA-size-mode-restrictions.patch
@@ -1,21 +1,21 @@
-From 8cb662f002e33c6fb99b96ef24733e16e3dc48ad Mon Sep 17 00:00:00 2001
+From 47cf5bdab3a46ecffd3100330781e6c297e83d66 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:20:30 -0500
-Subject: [PATCH 27/50] FIPS: RSA: size/mode restrictions
+Subject: [PATCH 27/58] FIPS: RSA: size/mode restrictions
Signed-off-by: Simo Sorce <simo@redhat.com>
---
providers/implementations/signature/rsa_sig.c | 26 +++++++++
- ssl/ssl_ciph.c | 3 +
- test/recipes/30-test_evp_data/evppkey_rsa.txt | 55 ++++++++++++++++++-
+ ssl/ssl_ciph.c | 3 ++
+ test/recipes/30-test_evp_data/evppkey_rsa.txt | 53 +++++++++++++++++++
.../30-test_evp_data/evppkey_rsa_common.txt | 8 +--
- 4 files changed, 87 insertions(+), 5 deletions(-)
+ 4 files changed, 86 insertions(+), 4 deletions(-)
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
-index b08c9685dd..0e0810f60a 100644
+index 3d5af1046a..09c202f87c 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
-@@ -940,6 +940,19 @@ static int rsa_verify_recover(void *vprsactx,
+@@ -939,6 +939,19 @@ static int rsa_verify_recover(void *vprsactx,
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
int ret;
@@ -35,7 +35,7 @@ index b08c9685dd..0e0810f60a 100644
if (!ossl_prov_is_running())
return 0;
-@@ -1034,6 +1047,19 @@ static int rsa_verify_directly(PROV_RSA_CTX *prsactx,
+@@ -1033,6 +1046,19 @@ static int rsa_verify_directly(PROV_RSA_CTX *prsactx,
const unsigned char *tbs, size_t tbslen)
{
size_t rslen;
@@ -70,25 +70,15 @@ index 19420d6c6a..5ab1ccee93 100644
* We ignore any errors from the fetches below. They are expected to fail
* if these algorithms are not available.
diff --git a/test/recipes/30-test_evp_data/evppkey_rsa.txt b/test/recipes/30-test_evp_data/evppkey_rsa.txt
-index f1dc5dd2a2..103556c750 100644
+index f1dc5dd2a2..6ae973eaac 100644
--- a/test/recipes/30-test_evp_data/evppkey_rsa.txt
+++ b/test/recipes/30-test_evp_data/evppkey_rsa.txt
-@@ -268,8 +268,8 @@ TwIDAQAB
+@@ -268,8 +268,19 @@ TwIDAQAB
PrivPubKeyPair = RSA-PSS:RSA-PSS-DEFAULT
--
- # Wrong MGF1 digest
++# Wrong MGF1 digest
+Availablein = default
- Verify = RSA-2048
- Ctrl = rsa_padding_mode:pss
- Ctrl = rsa_pss_saltlen:0
-@@ -279,7 +279,19 @@ Input="0123456789ABCDEF0123456789ABCDEF"
- Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DDD0635A96B28F854E50145518482CB49E963054621B53C60C498D07C16E9C2789C893CF38D4D86900DE71BDE463BD2761D1271E358C7480A1AC0BAB930DDF39602AD1BC165B5D7436B516B7A7858E8EB7AB1C420EEB482F4D207F0E462B1724959320A084E13848D11D10FB593E66BF680BF6D3F345FC3E9C3DE60ABBAC37E1C6EC80A268C8D9FC49626C679097AA690BC1AA662B95EB8DB70390861AA0898229F9349B4B5FDD030D4928C47084708A933144BE23BD3C6E661B85B2C0EF9ED36D498D5B7320E8194D363D4AD478C059BAE804181965E0B81B663158A
- Result = VERIFY_ERROR
-
-+# Wrong MGF1 digest - In RHEL FIPS errors as set ctx before verify
-+Availablein = fips
+Verify = RSA-2048
+Ctrl = rsa_padding_mode:pss
+Ctrl = rsa_pss_saltlen:0
@@ -96,8 +86,16 @@ index f1dc5dd2a2..103556c750 100644
+Ctrl = rsa_mgf1_md:sha1
+Input="0123456789ABCDEF0123456789ABCDEF"
+Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DDD0635A96B28F854E50145518482CB49E963054621B53C60C498D07C16E9C2789C893CF38D4D86900DE71BDE463BD2761D1271E358C7480A1AC0BAB930DDF39602AD1BC165B5D7436B516B7A7858E8EB7AB1C420EEB482F4D207F0E462B1724959320A084E13848D11D10FB593E66BF680BF6D3F345FC3E9C3DE60ABBAC37E1C6EC80A268C8D9FC49626C679097AA690BC1AA662B95EB8DB70390861AA0898229F9349B4B5FDD030D4928C47084708A933144BE23BD3C6E661B85B2C0EF9ED36D498D5B7320E8194D363D4AD478C059BAE804181965E0B81B663158A
-+Result = PKEY_CTRL_ERROR
-+
++Result = VERIFY_ERROR
+
+ # Wrong MGF1 digest
++Availablein = fips
+ Verify = RSA-2048
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_pss_saltlen:0
+@@ -280,6 +291,7 @@ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DD
+ Result = VERIFY_ERROR
+
# Verify using default parameters
+Availablein = default
Verify = RSA-PSS-DEFAULT
diff --git a/0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch b/0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch
index fd145cf..07fe304 100644
--- a/0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch
+++ b/0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch
@@ -1,7 +1,7 @@
-From 325fb1b9829a5731d9807161f077dae684fa58cb Mon Sep 17 00:00:00 2001
+From ae1fcbd1129fc53d4ac72148696efd126e574453 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 24 Mar 2025 11:03:45 -0400
-Subject: [PATCH 28/50] FIPS: RSA: Mark x931 as not approved by default
+Subject: [PATCH 28/58] FIPS: RSA: Mark x931 as not approved by default
Signed-off-by: Simo Sorce <simo@redhat.com>
---
diff --git a/0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch b/0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch
index 464bf1a..d6de25f 100644
--- a/0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch
+++ b/0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch
@@ -1,7 +1,7 @@
-From 004971c02760bcddb77954b90a2be4aeeb70ec22 Mon Sep 17 00:00:00 2001
+From 4ce72cfe8d1e0b37e882766b449af109d9e7c3f8 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:16 +0100
-Subject: [PATCH 29/50] FIPS: RSA: Remove X9.31 padding signatures tests
+Subject: [PATCH 29/58] FIPS: RSA: Remove X9.31 padding signatures tests
The current draft of FIPS 186-5 [1] no longer contains specifications
for X9.31 signature padding. Instead, it contains the following
diff --git a/0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch b/0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch
index 86d09d0..f89bbfb 100644
--- a/0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch
+++ b/0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch
@@ -1,7 +1,7 @@
-From 0d8ac9675eaaf3eaded5f7d2ec304be022eacd10 Mon Sep 17 00:00:00 2001
+From 3a9f2ccf8120cbf5b854a403926dce2d772f5f78 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 12 Feb 2025 17:12:02 -0500
-Subject: [PATCH 30/50] FIPS: RSA: NEEDS-REWORK:
+Subject: [PATCH 30/58] FIPS: RSA: NEEDS-REWORK:
FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed
Signed-off-by: Simo Sorce <simo@redhat.com>
diff --git a/0031-FIPS-Deny-SHA-1-signature-verification.patch b/0031-FIPS-Deny-SHA-1-signature-verification.patch
index 15ecd81..0adf37a 100644
--- a/0031-FIPS-Deny-SHA-1-signature-verification.patch
+++ b/0031-FIPS-Deny-SHA-1-signature-verification.patch
@@ -1,7 +1,7 @@
-From 446e3e1ec006a55206881c5e7e658918e104a972 Mon Sep 17 00:00:00 2001
+From 9b198c3634fd3871dd535389e7b7c2379f6934fb Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 31/50] FIPS: Deny SHA-1 signature verification
+Subject: [PATCH 31/58] FIPS: Deny SHA-1 signature verification
For RHEL, we already disable SHA-1 signatures by default in the default
provider, so it is unexpected that the FIPS provider would have a more
@@ -57,10 +57,10 @@ index 52ed52482d..0d3050dbe9 100644
if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
OSSL_FIPS_IND_SETTABLE1,
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
-index 80e4115b69..096d944896 100644
+index 04d4009ab5..4e46eaf9bc 100644
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
-@@ -215,9 +215,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx,
+@@ -214,9 +214,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx,
#ifdef FIPS_MODULE
{
@@ -72,7 +72,7 @@ index 80e4115b69..096d944896 100644
if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
OSSL_FIPS_IND_SETTABLE1,
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
-index 0e0810f60a..ac3888a1b9 100644
+index 09c202f87c..014b17fe49 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -407,9 +407,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
@@ -86,7 +86,7 @@ index 0e0810f60a..ac3888a1b9 100644
if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
OSSL_FIPS_IND_SETTABLE1,
-@@ -1796,11 +1794,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
+@@ -1795,11 +1793,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
if (prsactx->md == NULL && pmdname == NULL
&& pad_mode == RSA_PKCS1_PSS_PADDING) {
diff --git a/0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch b/0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch
index 532719c..a20b46e 100644
--- a/0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch
+++ b/0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch
@@ -1,7 +1,7 @@
-From f33528e229063b98748943d2fddaf83426fcb8eb Mon Sep 17 00:00:00 2001
+From 39c7eb2e82b9df4ffe58d8e05fbdb9115dde50cc Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:16 +0100
-Subject: [PATCH 32/50] FIPS: RAND: FIPS-140-3 DRBG - NEEDS REVIEW
+Subject: [PATCH 32/58] FIPS: RAND: FIPS-140-3 DRBG - NEEDS REVIEW
providers/implementations/rands/crngt.c is gone
diff --git a/0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch b/0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch
index 140b42b..fa87558 100644
--- a/0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch
+++ b/0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch
@@ -1,7 +1,7 @@
-From c5a417c02dc6f50b8886eac366650c0f0bee38a0 Mon Sep 17 00:00:00 2001
+From 92c90300747de60df2e805b9fe78fa016f5fd49e Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:16 +0100
-Subject: [PATCH 33/50] FIPS: RAND: Forbid truncated hashes & SHA-3
+Subject: [PATCH 33/58] FIPS: RAND: Forbid truncated hashes & SHA-3
Section D.R "Hash Functions Acceptable for Use in the SP 800-90A DRBGs"
of the Implementation Guidance for FIPS 140-3 [1] notes that there is no
diff --git a/0034-FIPS-PBKDF2-Set-minimum-password-length.patch b/0034-FIPS-PBKDF2-Set-minimum-password-length.patch
index a9e94ce..2aa30cc 100644
--- a/0034-FIPS-PBKDF2-Set-minimum-password-length.patch
+++ b/0034-FIPS-PBKDF2-Set-minimum-password-length.patch
@@ -1,7 +1,7 @@
-From 07db6d2bc68c37db2c8b00225c42e3c2e3c8b6cc Mon Sep 17 00:00:00 2001
+From 5d5521b81a6714c88438e4f1fb0cf30096a0b0b6 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
-Subject: [PATCH 34/50] FIPS: PBKDF2: Set minimum password length
+Subject: [PATCH 34/58] FIPS: PBKDF2: Set minimum password length
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
diff --git a/0035-FIPS-DH-PCT.patch b/0035-FIPS-DH-PCT.patch
index f4ebd31..a22cfa9 100644
--- a/0035-FIPS-DH-PCT.patch
+++ b/0035-FIPS-DH-PCT.patch
@@ -1,7 +1,7 @@
-From 4201d6a3b23e14885f2703c705166c68db6351ab Mon Sep 17 00:00:00 2001
+From 1f54210f4e4de1f2143d02f6d0b56cc388b617cd Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 24 Mar 2025 10:49:00 -0400
-Subject: [PATCH 35/50] FIPS: DH: PCT
+Subject: [PATCH 35/58] FIPS: DH: PCT
Signed-off-by: Simo Sorce <simo@redhat.com>
---
diff --git a/0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch b/0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch
index c86fcaa..0b2dd30 100644
--- a/0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch
+++ b/0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch
@@ -1,7 +1,7 @@
-From ea3020727f873e14b4ee4c7f94dfa038d4777319 Mon Sep 17 00:00:00 2001
+From 863cb10f0add28b1d82ec3042d2e7b418169b48a Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
-Subject: [PATCH 36/50] FIPS: DH: Disable FIPS 186-4 type parameters
+Subject: [PATCH 36/58] FIPS: DH: Disable FIPS 186-4 type parameters
For DH parameter and key pair generation/verification, the DSA
procedures specified in FIPS 186-4 are used. With the release of FIPS
diff --git a/0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch b/0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch
index 2415b7b..8c0e545 100644
--- a/0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch
+++ b/0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch
@@ -1,7 +1,7 @@
-From 39afccf3c978a35d1a2d3ebd072d3d1a7a0d0e09 Mon Sep 17 00:00:00 2001
+From 900d90fa1e34bfbbfcc91face57680c0424f2014 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
-Subject: [PATCH 37/50] FIPS: TLS: Enforce EMS in TLS 1.2 - NOTE
+Subject: [PATCH 37/58] FIPS: TLS: Enforce EMS in TLS 1.2 - NOTE
NOTE: Enforcement of EMS in non-FIPS mode has been dropped due to code
change the option to enforce it seem to be available only in FIPS build
diff --git a/0038-FIPS-CMS-Set-default-padding-to-OAEP.patch b/0038-FIPS-CMS-Set-default-padding-to-OAEP.patch
index 3465171..3e93713 100644
--- a/0038-FIPS-CMS-Set-default-padding-to-OAEP.patch
+++ b/0038-FIPS-CMS-Set-default-padding-to-OAEP.patch
@@ -1,7 +1,7 @@
-From e1d57286ca07c3d89018d3c4368bed420f5c454a Mon Sep 17 00:00:00 2001
+From a227572868569ba87b9aef722a8d981ad5feb11b Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 13 Feb 2025 18:08:34 -0500
-Subject: [PATCH 38/50] FIPS: CMS: Set default padding to OAEP
+Subject: [PATCH 38/58] FIPS: CMS: Set default padding to OAEP
From-dist-git-commit: d508cbed930481c1960d6a6bc1e1a9593252dbbe
---
diff --git a/0039-FIPS-PKCS12-PBMAC1-defaults.patch b/0039-FIPS-PKCS12-PBMAC1-defaults.patch
index fa3e3b4..5d7be3e 100644
--- a/0039-FIPS-PKCS12-PBMAC1-defaults.patch
+++ b/0039-FIPS-PKCS12-PBMAC1-defaults.patch
@@ -1,7 +1,7 @@
-From db948b9f36c27a72595eb81633d787e6c95977b4 Mon Sep 17 00:00:00 2001
+From 6ca4910fa964f135e5a18b31502bddef3aef1304 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 13 Feb 2025 18:16:29 -0500
-Subject: [PATCH 39/50] FIPS: PKCS12: PBMAC1 defaults
+Subject: [PATCH 39/58] FIPS: PKCS12: PBMAC1 defaults
From-dist-git-commit: 8fc2d4842385584094d57f6f66fcbc2a07865708
---
diff --git a/0040-FIPS-Fix-encoder-decoder-negative-test.patch b/0040-FIPS-Fix-encoder-decoder-negative-test.patch
index d94c9ec..762757c 100644
--- a/0040-FIPS-Fix-encoder-decoder-negative-test.patch
+++ b/0040-FIPS-Fix-encoder-decoder-negative-test.patch
@@ -1,7 +1,7 @@
-From c49eb02a6c08ab8398688e609a6c1681b86c24e0 Mon Sep 17 00:00:00 2001
+From fe12acbd953da37dd25e8abca64582c9bdeadf3c Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 5 Mar 2025 13:22:03 -0500
-Subject: [PATCH 40/50] FIPS: Fix encoder/decoder negative test
+Subject: [PATCH 40/58] FIPS: Fix encoder/decoder negative test
Signed-off-by: Simo Sorce <simo@redhat.com>
---
diff --git a/0041-FIPS-EC-DH-DSA-PCTs.patch b/0041-FIPS-EC-DH-DSA-PCTs.patch
index 25ea8c1..8770f3e 100644
--- a/0041-FIPS-EC-DH-DSA-PCTs.patch
+++ b/0041-FIPS-EC-DH-DSA-PCTs.patch
@@ -1,7 +1,7 @@
-From ad8a02985f28b1ead7169ca20dca010113f52250 Mon Sep 17 00:00:00 2001
+From a4fc741bd6e43b301121f01ef7c823a589faad39 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 24 Mar 2025 10:50:06 -0400
-Subject: [PATCH 41/50] FIPS: EC: DH/DSA PCTs
+Subject: [PATCH 41/58] FIPS: EC: DH/DSA PCTs
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -100,7 +100,7 @@ index 9421aabb14..77531c4b59 100644
EC_GROUP_free(gctx->gen_group);
BN_free(gctx->p);
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
-index 096d944896..34fb3aa56e 100644
+index 4e46eaf9bc..4d7c25728a 100644
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
@@ -33,7 +33,7 @@
@@ -130,7 +130,7 @@ index 096d944896..34fb3aa56e 100644
{
PROV_ECDSA_CTX *ctx;
-@@ -613,7 +613,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig,
+@@ -612,7 +612,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig,
return ok;
}
@@ -139,7 +139,7 @@ index 096d944896..34fb3aa56e 100644
{
PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
-@@ -862,6 +862,35 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx)
+@@ -861,6 +861,35 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx)
return EVP_MD_settable_ctx_params(ctx->md);
}
diff --git a/0042-FIPS-EC-disable-weak-curves.patch b/0042-FIPS-EC-disable-weak-curves.patch
index 7c0a5a2..7d89757 100644
--- a/0042-FIPS-EC-disable-weak-curves.patch
+++ b/0042-FIPS-EC-disable-weak-curves.patch
@@ -1,7 +1,7 @@
-From 998f0c96eb674c2647bfead8b925f3599be3bd0a Mon Sep 17 00:00:00 2001
+From c3f3de074f9140dd8f5833f7fe3e751ac0838323 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:06:36 -0500
-Subject: [PATCH 42/50] FIPS: EC: disable weak curves
+Subject: [PATCH 42/58] FIPS: EC: disable weak curves
Signed-off-by: Simo Sorce <simo@redhat.com>
---
diff --git a/0043-FIPS-NO-DSA-Support.patch b/0043-FIPS-NO-DSA-Support.patch
index e3471ec..bf39c28 100644
--- a/0043-FIPS-NO-DSA-Support.patch
+++ b/0043-FIPS-NO-DSA-Support.patch
@@ -1,7 +1,7 @@
-From 64467bd0ad1bf2a0c1a67462a27e405632704026 Mon Sep 17 00:00:00 2001
+From d923f8b4531718ede24814722a0c0f0f912dca7c Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:10:52 -0500
-Subject: [PATCH 43/50] FIPS: NO DSA Support
+Subject: [PATCH 43/58] FIPS: NO DSA Support
Signed-off-by: Simo Sorce <simo@redhat.com>
---
diff --git a/0044-FIPS-NO-DES-support.patch b/0044-FIPS-NO-DES-support.patch
index a117127..2e49a80 100644
--- a/0044-FIPS-NO-DES-support.patch
+++ b/0044-FIPS-NO-DES-support.patch
@@ -1,7 +1,7 @@
-From 88abbb0a30dd2d990992c769eaad71f6c6764237 Mon Sep 17 00:00:00 2001
+From ca860bb5c16d9a96afb32e025b54db76e5f8cfd3 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:15:13 -0500
-Subject: [PATCH 44/50] FIPS: NO DES support
+Subject: [PATCH 44/58] FIPS: NO DES support
Signed-off-by: Simo Sorce <simo@redhat.com>
---
diff --git a/0045-FIPS-NO-Kmac.patch b/0045-FIPS-NO-Kmac.patch
index 5abcbc0..bf948cf 100644
--- a/0045-FIPS-NO-Kmac.patch
+++ b/0045-FIPS-NO-Kmac.patch
@@ -1,7 +1,7 @@
-From 77495dcfb162a588e9121305e798997c687862cd Mon Sep 17 00:00:00 2001
+From 3928272f2d86188ef8796c7d18b1ec7d617cae97 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:22:07 -0500
-Subject: [PATCH 45/50] FIPS: NO Kmac
+Subject: [PATCH 45/58] FIPS: NO Kmac
Signed-off-by: Simo Sorce <simo@redhat.com>
---
diff --git a/0046-FIPS-NO-PQ-ML-SLH-DSA.patch b/0046-FIPS-NO-PQ-ML-SLH-DSA.patch
index 503a515..5822c05 100644
--- a/0046-FIPS-NO-PQ-ML-SLH-DSA.patch
+++ b/0046-FIPS-NO-PQ-ML-SLH-DSA.patch
@@ -1,7 +1,7 @@
-From 5de6758ff6d27df266280e8df7f587d7deba6d92 Mon Sep 17 00:00:00 2001
+From a6dce07d8e44e79dc3db9538d269bbbc903a8e15 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:24:36 -0500
-Subject: [PATCH 46/50] FIPS: NO PQ (ML/SLH-DSA)
+Subject: [PATCH 46/58] FIPS: NO PQ (ML/SLH-DSA)
Signed-off-by: Simo Sorce <simo@redhat.com>
---
diff --git a/0047-FIPS-Fix-some-tests-due-to-our-versioning-change.patch b/0047-FIPS-Fix-some-tests-due-to-our-versioning-change.patch
index 16d336c..d593bc5 100644
--- a/0047-FIPS-Fix-some-tests-due-to-our-versioning-change.patch
+++ b/0047-FIPS-Fix-some-tests-due-to-our-versioning-change.patch
@@ -1,7 +1,7 @@
-From 7996dc097918cf09350312d5ee04c727c3cd42ac Mon Sep 17 00:00:00 2001
+From 50c0087bdd6c15e2c63c8324f35221fd45a10518 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 10 Mar 2025 13:52:50 -0400
-Subject: [PATCH 47/50] FIPS: Fix some tests due to our versioning change
+Subject: [PATCH 47/58] FIPS: Fix some tests due to our versioning change
Signed-off-by: Simo Sorce <simo@redhat.com>
---
diff --git a/0048-Current-Rebase-status.patch b/0048-Current-Rebase-status.patch
index a130864..4c64f0a 100644
--- a/0048-Current-Rebase-status.patch
+++ b/0048-Current-Rebase-status.patch
@@ -1,7 +1,7 @@
-From d2068b5ee18ccb9014bc49e71be49e467f1bf07f Mon Sep 17 00:00:00 2001
+From 3bc3a6514c078564ac8addbdf24172a5fb90f4d7 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 12 Feb 2025 17:25:47 -0500
-Subject: [PATCH 48/50] Current Rebase status
+Subject: [PATCH 48/58] Current Rebase status
Signed-off-by: Simo Sorce <simo@redhat.com>
---
diff --git a/0049-FIPS-KDF-key-lenght-errors.patch b/0049-FIPS-KDF-key-lenght-errors.patch
index e29f212..c557654 100644
--- a/0049-FIPS-KDF-key-lenght-errors.patch
+++ b/0049-FIPS-KDF-key-lenght-errors.patch
@@ -1,7 +1,7 @@
-From f9fb76834b0c471d770463e5d7d70f1e2fca3237 Mon Sep 17 00:00:00 2001
+From 573cde99e796fbd76f9be7f6a553c681abbfb55a Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 14 Apr 2025 15:25:40 -0400
-Subject: [PATCH 49/50] FIPS: KDF key lenght errors
+Subject: [PATCH 49/58] FIPS: KDF key lenght errors
Signed-off-by: Simo Sorce <simo@redhat.com>
---
diff --git a/0050-FIPS-fix-disallowed-digests-tests.patch b/0050-FIPS-fix-disallowed-digests-tests.patch
index bd56dca..a062ce1 100644
--- a/0050-FIPS-fix-disallowed-digests-tests.patch
+++ b/0050-FIPS-fix-disallowed-digests-tests.patch
@@ -1,7 +1,7 @@
-From 7dc0e5c5dbab91874602bbe73a3c0b627283ff64 Mon Sep 17 00:00:00 2001
+From 48498bd445161f1d0fffb60bce8d9474acfe840b Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 15 Apr 2025 13:41:42 -0400
-Subject: [PATCH 50/50] FIPS: fix disallowed digests tests
+Subject: [PATCH 50/58] FIPS: fix disallowed digests tests
Signed-off-by: Simo Sorce <simo@redhat.com>
---
diff --git a/0051-Make-openssl-speed-run-in-FIPS-mode.patch b/0051-Make-openssl-speed-run-in-FIPS-mode.patch
new file mode 100644
index 0000000..6a232f0
--- /dev/null
+++ b/0051-Make-openssl-speed-run-in-FIPS-mode.patch
@@ -0,0 +1,76 @@
+From 0895e273cacec26a4bd027bef7ab07bae12d9741 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <beldmit@gmail.com>
+Date: Fri, 9 May 2025 15:09:46 +0200
+Subject: [PATCH 51/58] Make `openssl speed` run in FIPS mode
+
+---
+ apps/speed.c | 44 ++++++++++++++++++++++----------------------
+ 1 file changed, 22 insertions(+), 22 deletions(-)
+
+diff --git a/apps/speed.c b/apps/speed.c
+index 1edf9b8485..d4e707074c 100644
+--- a/apps/speed.c
++++ b/apps/speed.c
+@@ -3172,18 +3172,18 @@ int speed_main(int argc, char **argv)
+ (void *)key32, 16);
+ params[1] = OSSL_PARAM_construct_end();
+
+- if (mac_setup("KMAC-128", &mac, params, loopargs, loopargs_len) < 1)
+- goto end;
+- for (testnum = 0; testnum < size_num; testnum++) {
+- print_message(names[D_KMAC128], lengths[testnum], seconds.sym);
+- Time_F(START);
+- count = run_benchmark(async_jobs, KMAC128_loop, loopargs);
+- d = Time_F(STOP);
+- print_result(D_KMAC128, testnum, count, d);
+- if (count < 0)
+- break;
++ if (mac_setup("KMAC-128", &mac, params, loopargs, loopargs_len) == 1) {
++ for (testnum = 0; testnum < size_num; testnum++) {
++ print_message(names[D_KMAC128], lengths[testnum], seconds.sym);
++ Time_F(START);
++ count = run_benchmark(async_jobs, KMAC128_loop, loopargs);
++ d = Time_F(STOP);
++ print_result(D_KMAC128, testnum, count, d);
++ if (count < 0)
++ break;
++ }
++ mac_teardown(&mac, loopargs, loopargs_len);
+ }
+- mac_teardown(&mac, loopargs, loopargs_len);
+ }
+
+ if (doit[D_KMAC256]) {
+@@ -3193,18 +3193,18 @@ int speed_main(int argc, char **argv)
+ (void *)key32, 32);
+ params[1] = OSSL_PARAM_construct_end();
+
+- if (mac_setup("KMAC-256", &mac, params, loopargs, loopargs_len) < 1)
+- goto end;
+- for (testnum = 0; testnum < size_num; testnum++) {
+- print_message(names[D_KMAC256], lengths[testnum], seconds.sym);
+- Time_F(START);
+- count = run_benchmark(async_jobs, KMAC256_loop, loopargs);
+- d = Time_F(STOP);
+- print_result(D_KMAC256, testnum, count, d);
+- if (count < 0)
+- break;
++ if (mac_setup("KMAC-256", &mac, params, loopargs, loopargs_len) == 1) {
++ for (testnum = 0; testnum < size_num; testnum++) {
++ print_message(names[D_KMAC256], lengths[testnum], seconds.sym);
++ Time_F(START);
++ count = run_benchmark(async_jobs, KMAC256_loop, loopargs);
++ d = Time_F(STOP);
++ print_result(D_KMAC256, testnum, count, d);
++ if (count < 0)
++ break;
++ }
++ mac_teardown(&mac, loopargs, loopargs_len);
+ }
+- mac_teardown(&mac, loopargs, loopargs_len);
+ }
+
+ for (i = 0; i < loopargs_len; i++)
+--
+2.49.0
+
diff --git a/0052-Backport-upstream-27483-for-PKCS11-needs.patch b/0052-Backport-upstream-27483-for-PKCS11-needs.patch
new file mode 100644
index 0000000..afbce9a
--- /dev/null
+++ b/0052-Backport-upstream-27483-for-PKCS11-needs.patch
@@ -0,0 +1,146 @@
+From 120558807e15d3cb2959020bacc928988e512a78 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <beldmit@gmail.com>
+Date: Mon, 12 May 2025 14:34:39 +0200
+Subject: [PATCH 52/58] Backport upstream #27483 for PKCS11 needs
+
+---
+ .../implementations/skeymgmt/aes_skmgmt.c | 2 +
+ providers/implementations/skeymgmt/generic.c | 12 ++++
+ .../implementations/skeymgmt/skeymgmt_lcl.h | 1 +
+ test/evp_skey_test.c | 61 +++++++++++++++++++
+ 4 files changed, 76 insertions(+)
+
+diff --git a/providers/implementations/skeymgmt/aes_skmgmt.c b/providers/implementations/skeymgmt/aes_skmgmt.c
+index 6d3b5f377f..17be480131 100644
+--- a/providers/implementations/skeymgmt/aes_skmgmt.c
++++ b/providers/implementations/skeymgmt/aes_skmgmt.c
+@@ -48,5 +48,7 @@ const OSSL_DISPATCH ossl_aes_skeymgmt_functions[] = {
+ { OSSL_FUNC_SKEYMGMT_FREE, (void (*)(void))generic_free },
+ { OSSL_FUNC_SKEYMGMT_IMPORT, (void (*)(void))aes_import },
+ { OSSL_FUNC_SKEYMGMT_EXPORT, (void (*)(void))aes_export },
++ { OSSL_FUNC_SKEYMGMT_IMP_SETTABLE_PARAMS,
++ (void (*)(void))generic_imp_settable_params },
+ OSSL_DISPATCH_END
+ };
+diff --git a/providers/implementations/skeymgmt/generic.c b/providers/implementations/skeymgmt/generic.c
+index b41bf8e12d..5fb3fad7e3 100644
+--- a/providers/implementations/skeymgmt/generic.c
++++ b/providers/implementations/skeymgmt/generic.c
+@@ -65,6 +65,16 @@ end:
+ return generic;
+ }
+
++static const OSSL_PARAM generic_import_params[] = {
++ OSSL_PARAM_octet_string(OSSL_SKEY_PARAM_RAW_BYTES, NULL, 0),
++ OSSL_PARAM_END
++};
++
++const OSSL_PARAM *generic_imp_settable_params(void *provctx)
++{
++ return generic_import_params;
++}
++
+ int generic_export(void *keydata, int selection,
+ OSSL_CALLBACK *param_callback, void *cbarg)
+ {
+@@ -89,5 +99,7 @@ const OSSL_DISPATCH ossl_generic_skeymgmt_functions[] = {
+ { OSSL_FUNC_SKEYMGMT_FREE, (void (*)(void))generic_free },
+ { OSSL_FUNC_SKEYMGMT_IMPORT, (void (*)(void))generic_import },
+ { OSSL_FUNC_SKEYMGMT_EXPORT, (void (*)(void))generic_export },
++ { OSSL_FUNC_SKEYMGMT_IMP_SETTABLE_PARAMS,
++ (void (*)(void))generic_imp_settable_params },
+ OSSL_DISPATCH_END
+ };
+diff --git a/providers/implementations/skeymgmt/skeymgmt_lcl.h b/providers/implementations/skeymgmt/skeymgmt_lcl.h
+index c180c1d303..a7e7605050 100644
+--- a/providers/implementations/skeymgmt/skeymgmt_lcl.h
++++ b/providers/implementations/skeymgmt/skeymgmt_lcl.h
+@@ -15,5 +15,6 @@
+ OSSL_FUNC_skeymgmt_import_fn generic_import;
+ OSSL_FUNC_skeymgmt_export_fn generic_export;
+ OSSL_FUNC_skeymgmt_free_fn generic_free;
++OSSL_FUNC_skeymgmt_imp_settable_params_fn generic_imp_settable_params;
+
+ #endif
+diff --git a/test/evp_skey_test.c b/test/evp_skey_test.c
+index b81df9c8f8..e33bbbe003 100644
+--- a/test/evp_skey_test.c
++++ b/test/evp_skey_test.c
+@@ -92,6 +92,66 @@ end:
+ return ret;
+ }
+
++static int test_skey_skeymgmt(void)
++{
++ int ret = 0;
++ EVP_SKEYMGMT *skeymgmt = NULL;
++ EVP_SKEY *key = NULL;
++ const unsigned char import_key[KEY_SIZE] = {
++ 0x53, 0x4B, 0x45, 0x59, 0x53, 0x4B, 0x45, 0x59,
++ 0x53, 0x4B, 0x45, 0x59, 0x53, 0x4B, 0x45, 0x59,
++ };
++ OSSL_PARAM params[2];
++ const OSSL_PARAM *imp_params;
++ const OSSL_PARAM *p;
++ OSSL_PARAM *exp_params = NULL;
++ const void *export_key = NULL;
++ size_t export_len;
++
++ deflprov = OSSL_PROVIDER_load(libctx, "default");
++ if (!TEST_ptr(deflprov))
++ return 0;
++
++ /* Fetch our SKYMGMT for Generic Secrets */
++ if (!TEST_ptr(skeymgmt = EVP_SKEYMGMT_fetch(libctx, OSSL_SKEY_TYPE_GENERIC,
++ NULL)))
++ goto end;
++
++ /* Check the parameter we need is available */
++ if (!TEST_ptr(imp_params = EVP_SKEYMGMT_get0_imp_settable_params(skeymgmt))
++ || !TEST_ptr(p = OSSL_PARAM_locate_const(imp_params,
++ OSSL_SKEY_PARAM_RAW_BYTES)))
++ goto end;
++
++ /* Import EVP_SKEY */
++ params[0] = OSSL_PARAM_construct_octet_string(OSSL_SKEY_PARAM_RAW_BYTES,
++ (void *)import_key, KEY_SIZE);
++ params[1] = OSSL_PARAM_construct_end();
++
++ if (!TEST_ptr(key = EVP_SKEY_import(libctx,
++ EVP_SKEYMGMT_get0_name(skeymgmt), NULL,
++ OSSL_SKEYMGMT_SELECT_ALL, params)))
++ goto end;
++
++ /* Export EVP_SKEY */
++ if (!TEST_int_gt(EVP_SKEY_export(key, OSSL_SKEYMGMT_SELECT_SECRET_KEY,
++ ossl_pkey_todata_cb, &exp_params), 0)
++ || !TEST_ptr(p = OSSL_PARAM_locate_const(exp_params,
++ OSSL_SKEY_PARAM_RAW_BYTES))
++ || !TEST_int_gt(OSSL_PARAM_get_octet_string_ptr(p, &export_key,
++ &export_len), 0)
++ || !TEST_mem_eq(import_key, KEY_SIZE, export_key, export_len))
++ goto end;
++
++ ret = 1;
++end:
++ OSSL_PARAM_free(exp_params);
++ EVP_SKEYMGMT_free(skeymgmt);
++ EVP_SKEY_free(key);
++
++ return ret;
++}
++
+ #define IV_SIZE 16
+ #define DATA_SIZE 32
+ static int test_aes_raw_skey(void)
+@@ -252,6 +312,7 @@ int setup_tests(void)
+ return 0;
+
+ ADD_TEST(test_skey_cipher);
++ ADD_TEST(test_skey_skeymgmt);
+
+ ADD_TEST(test_aes_raw_skey);
+ #ifndef OPENSSL_NO_DES
+--
+2.49.0
+
diff --git a/0053-Red-Hat-9-FIPS-indicator-defines.patch b/0053-Red-Hat-9-FIPS-indicator-defines.patch
new file mode 100644
index 0000000..dea0da0
--- /dev/null
+++ b/0053-Red-Hat-9-FIPS-indicator-defines.patch
@@ -0,0 +1,129 @@
+From ee9a3d993eb82f98e4670adc9ccb015065b81555 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <beldmit@gmail.com>
+Date: Mon, 12 May 2025 16:21:23 +0200
+Subject: [PATCH 53/58] Red Hat 9 FIPS indicator defines
+
+---
+ include/openssl/evp.h | 15 +++++++++++++++
+ include/openssl/kdf.h | 4 ++++
+ util/perl/OpenSSL/paramnames.pm | 7 +++++++
+ 3 files changed, 26 insertions(+)
+
+diff --git a/include/openssl/evp.h b/include/openssl/evp.h
+index e5da1e6415..3849c1779e 100644
+--- a/include/openssl/evp.h
++++ b/include/openssl/evp.h
+@@ -779,6 +779,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags);
+ void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags);
+ int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags);
+
++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED 1
++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
++
+ __owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
+ const unsigned char *key, const unsigned char *iv);
+ __owur int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,
+@@ -850,6 +854,10 @@ __owur int EVP_CipherPipelineFinal(EVP_CIPHER_CTX *ctx,
+ __owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
+ int *outl);
+
++# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED 1
++# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
++
+ __owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
+ EVP_PKEY *pkey);
+ __owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
+@@ -1249,6 +1257,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx,
+ void *arg);
+
+ /* MAC stuff */
++# define EVP_MAC_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED 1
++# define EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
+
+ EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm,
+ const char *properties);
+@@ -1826,6 +1837,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void);
+ OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx);
+ # endif
+
++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED 1
++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
++
+ EVP_KEYMGMT *EVP_KEYMGMT_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
+ const char *properties);
+ int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt);
+diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
+index 0983230a48..86171635ea 100644
+--- a/include/openssl/kdf.h
++++ b/include/openssl/kdf.h
+@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf,
+ # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1
+ # define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2
+
++# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED 1
++# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
++
+ #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65
+ #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66
+ #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
+diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
+index 059b489735..5a1864309d 100644
+--- a/util/perl/OpenSSL/paramnames.pm
++++ b/util/perl/OpenSSL/paramnames.pm
+@@ -143,6 +143,8 @@ my %params = (
+ 'CIPHER_PARAM_FIPS_ENCRYPT_CHECK' => "encrypt-check", # int
+ 'CIPHER_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
+ 'CIPHER_PARAM_ALGORITHM_ID' => '*ALG_PARAM_ALGORITHM_ID',
++ #Old RedHat FIPS provider compatibility
++ 'CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # int
+ # Historically, CIPHER_PARAM_ALGORITHM_ID_PARAMS_OLD was used. For the
+ # time being, the old libcrypto functions will use both, so old providers
+ # continue to work.
+@@ -190,6 +192,7 @@ my %params = (
+ 'MAC_PARAM_SIZE' => "size", # size_t
+ 'MAC_PARAM_BLOCK_SIZE' => "block-size", # size_t
+ 'MAC_PARAM_TLS_DATA_SIZE' => "tls-data-size", # size_t
++ 'MAC_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # size_t
+ 'MAC_PARAM_FIPS_NO_SHORT_MAC' =>'*PROV_PARAM_NO_SHORT_MAC',
+ 'MAC_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK',
+ 'MAC_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
+@@ -234,6 +237,7 @@ my %params = (
+ 'KDF_PARAM_X942_SUPP_PUBINFO' => "supp-pubinfo",
+ 'KDF_PARAM_X942_SUPP_PRIVINFO' => "supp-privinfo",
+ 'KDF_PARAM_X942_USE_KEYBITS' => "use-keybits",
++ 'KDF_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
+ 'KDF_PARAM_HMACDRBG_ENTROPY' => "entropy",
+ 'KDF_PARAM_HMACDRBG_NONCE' => "nonce",
+ 'KDF_PARAM_THREADS' => "threads", # uint32_t
+@@ -474,6 +478,7 @@ my %params = (
+ 'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST',
+ 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES',
+ 'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE',
++ 'SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
+ 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type",
+ 'SIGNATURE_PARAM_INSTANCE' => "instance",
+ 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string",
+@@ -508,6 +513,7 @@ my %params = (
+ 'ASYM_CIPHER_PARAM_FIPS_RSA_PKCS15_PAD_DISABLED' => '*PROV_PARAM_RSA_PKCS15_PAD_DISABLED',
+ 'ASYM_CIPHER_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK',
+ 'ASYM_CIPHER_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
++ 'ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
+
+ # Encoder / decoder parameters
+
+@@ -541,6 +547,7 @@ my %params = (
+
+ # KEM parameters
+ 'KEM_PARAM_OPERATION' => "operation",
++ 'KEM_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
+ 'KEM_PARAM_IKME' => "ikme",
+ 'KEM_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK',
+ 'KEM_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
+--
+2.49.0
+
diff --git a/0054-crypto-disable-OSSL_PARAM_REAL-on-UEFI.patch b/0054-crypto-disable-OSSL_PARAM_REAL-on-UEFI.patch
new file mode 100644
index 0000000..cc3db16
--- /dev/null
+++ b/0054-crypto-disable-OSSL_PARAM_REAL-on-UEFI.patch
@@ -0,0 +1,58 @@
+From 92e50723ae6aa29476b7ebb66d262f78677ee68d Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 7 Apr 2025 12:58:54 +0200
+Subject: [PATCH 54/58] crypto: disable OSSL_PARAM_REAL on UEFI
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Floating point types like double can't be used on UEFI.
+Fix build on UEFI by disabling the OSSL_PARAM_REAL branch.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Reviewed-by: Saša Nedvědický <sashan@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/27284)
+---
+ crypto/params_from_text.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/params_from_text.c b/crypto/params_from_text.c
+index 7532d4d439..fb25400dc1 100644
+--- a/crypto/params_from_text.c
++++ b/crypto/params_from_text.c
+@@ -220,9 +220,9 @@ int OSSL_PARAM_print_to_bio(const OSSL_PARAM *p, BIO *bio, int print_values)
+ BIGNUM *bn;
+ #ifndef OPENSSL_SYS_UEFI
+ double d;
++ int dok;
+ #endif
+ int ok = -1;
+- int dok;
+
+ /*
+ * Iterate through each key in the array printing its key and value
+@@ -280,16 +280,16 @@ int OSSL_PARAM_print_to_bio(const OSSL_PARAM *p, BIO *bio, int print_values)
+ case OSSL_PARAM_OCTET_STRING:
+ ok = BIO_dump(bio, (char *)p->data, p->data_size);
+ break;
++#ifndef OPENSSL_SYS_UEFI
+ case OSSL_PARAM_REAL:
+ dok = 0;
+-#ifndef OPENSSL_SYS_UEFI
+ dok = OSSL_PARAM_get_double(p, &d);
+-#endif
+ if (dok == 1)
+ ok = BIO_printf(bio, "%f\n", d);
+ else
+ ok = BIO_printf(bio, "error getting value\n");
+ break;
++#endif
+ default:
+ ok = BIO_printf(bio, "unknown type (%u) of %zu bytes\n",
+ p->data_type, p->data_size);
+--
+2.49.0
+
diff --git a/0055-hashfunc-add-stddef.h-include.patch b/0055-hashfunc-add-stddef.h-include.patch
new file mode 100644
index 0000000..7c894c0
--- /dev/null
+++ b/0055-hashfunc-add-stddef.h-include.patch
@@ -0,0 +1,36 @@
+From fb8649ec423277d50936a6a7848a1b6705e208cc Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 7 Apr 2025 13:29:36 +0200
+Subject: [PATCH 55/58] hashfunc: add stddef.h include
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+size_t is declared in stddef.h, so include the header file to
+make sure it is available. Fixes build on UEFI.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Reviewed-by: Saša Nedvědický <sashan@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/27284)
+---
+ include/internal/hashfunc.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/internal/hashfunc.h b/include/internal/hashfunc.h
+index cabc7beed4..fae8a275fa 100644
+--- a/include/internal/hashfunc.h
++++ b/include/internal/hashfunc.h
+@@ -11,6 +11,7 @@
+ # define OPENSSL_HASHFUNC_H
+
+ # include <openssl/e_os2.h>
++# include <stddef.h>
+ /**
+ * Generalized fnv1a 64 bit hash function
+ */
+--
+2.49.0
+
diff --git a/0056-rio-add-RIO_POLL_METHOD_NONE.patch b/0056-rio-add-RIO_POLL_METHOD_NONE.patch
new file mode 100644
index 0000000..5c7b9c1
--- /dev/null
+++ b/0056-rio-add-RIO_POLL_METHOD_NONE.patch
@@ -0,0 +1,73 @@
+From 60699bc32870a3325a79234158740aac917b39a6 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 7 Apr 2025 14:06:28 +0200
+Subject: [PATCH 56/58] rio: add RIO_POLL_METHOD_NONE
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes build on UEFI.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Reviewed-by: Saša Nedvědický <sashan@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/27284)
+---
+ ssl/rio/poll_builder.c | 4 +++-
+ ssl/rio/poll_builder.h | 4 +++-
+ ssl/rio/poll_method.h | 5 ++++-
+ 3 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/ssl/rio/poll_builder.c b/ssl/rio/poll_builder.c
+index 007e360d87..3cfbe3b0ac 100644
+--- a/ssl/rio/poll_builder.c
++++ b/ssl/rio/poll_builder.c
+@@ -16,7 +16,9 @@ OSSL_SAFE_MATH_UNSIGNED(size_t, size_t)
+
+ int ossl_rio_poll_builder_init(RIO_POLL_BUILDER *rpb)
+ {
+-#if RIO_POLL_METHOD == RIO_POLL_METHOD_SELECT
++#if RIO_POLL_METHOD == RIO_POLL_METHOD_NONE
++ return 0;
++#elif RIO_POLL_METHOD == RIO_POLL_METHOD_SELECT
+ FD_ZERO(&rpb->rfd);
+ FD_ZERO(&rpb->wfd);
+ FD_ZERO(&rpb->efd);
+diff --git a/ssl/rio/poll_builder.h b/ssl/rio/poll_builder.h
+index ffc9bbf9fc..985e4713b2 100644
+--- a/ssl/rio/poll_builder.h
++++ b/ssl/rio/poll_builder.h
+@@ -23,7 +23,9 @@
+ * FDs.
+ */
+ typedef struct rio_poll_builder_st {
+-# if RIO_POLL_METHOD == RIO_POLL_METHOD_SELECT
++# if RIO_POLL_METHOD == RIO_POLL_METHOD_NONE
++ /* nothing */;
++# elif RIO_POLL_METHOD == RIO_POLL_METHOD_SELECT
+ fd_set rfd, wfd, efd;
+ int hwm_fd;
+ # elif RIO_POLL_METHOD == RIO_POLL_METHOD_POLL
+diff --git a/ssl/rio/poll_method.h b/ssl/rio/poll_method.h
+index 9a6de89270..d5af8663c2 100644
+--- a/ssl/rio/poll_method.h
++++ b/ssl/rio/poll_method.h
+@@ -14,9 +14,12 @@
+
+ # define RIO_POLL_METHOD_SELECT 1
+ # define RIO_POLL_METHOD_POLL 2
++# define RIO_POLL_METHOD_NONE 3
+
+ # ifndef RIO_POLL_METHOD
+-# if !defined(OPENSSL_SYS_WINDOWS) && defined(POLLIN)
++# if defined(OPENSSL_SYS_UEFI)
++# define RIO_POLL_METHOD RIO_POLL_METHOD_NONE
++# elif !defined(OPENSSL_SYS_WINDOWS) && defined(POLLIN)
+ # define RIO_POLL_METHOD RIO_POLL_METHOD_POLL
+ # else
+ # define RIO_POLL_METHOD RIO_POLL_METHOD_SELECT
+--
+2.49.0
+
diff --git a/0057-apps-x509.c-Fix-the-addreject-option-adding-trust-in.patch b/0057-apps-x509.c-Fix-the-addreject-option-adding-trust-in.patch
new file mode 100644
index 0000000..765a4f3
--- /dev/null
+++ b/0057-apps-x509.c-Fix-the-addreject-option-adding-trust-in.patch
@@ -0,0 +1,62 @@
+From d7ab338f85b55ed6aa6d0187123dbab8684551a5 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Tue, 20 May 2025 16:34:10 +0200
+Subject: [PATCH 57/58] apps/x509.c: Fix the -addreject option adding trust
+ instead of rejection
+
+Fixes CVE-2025-4575
+
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+(Merged from https://github.com/openssl/openssl/pull/27672)
+---
+ apps/x509.c | 2 +-
+ test/recipes/25-test_x509.t | 12 +++++++++++-
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/apps/x509.c b/apps/x509.c
+index fdae8f383a..0c340c15b3 100644
+--- a/apps/x509.c
++++ b/apps/x509.c
+@@ -465,7 +465,7 @@ int x509_main(int argc, char **argv)
+ prog, opt_arg());
+ goto opthelp;
+ }
+- if (!sk_ASN1_OBJECT_push(trust, objtmp))
++ if (!sk_ASN1_OBJECT_push(reject, objtmp))
+ goto end;
+ trustout = 1;
+ break;
+diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
+index 09b61708ff..dfa0a428f5 100644
+--- a/test/recipes/25-test_x509.t
++++ b/test/recipes/25-test_x509.t
+@@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
+
+ setup("test_x509");
+
+-plan tests => 134;
++plan tests => 138;
+
+ # Prevent MSys2 filename munging for arguments that look like file paths but
+ # aren't
+@@ -110,6 +110,16 @@ ok(run(app(["openssl", "x509", "-new", "-force_pubkey", $key, "-subj", "/CN=EE",
+ && run(app(["openssl", "verify", "-no_check_time",
+ "-trusted", $ca, "-partial_chain", $caout])));
+
++# test trust decoration
++ok(run(app(["openssl", "x509", "-in", $ca, "-addtrust", "emailProtection",
++ "-out", "ca-trusted.pem"])));
++cert_contains("ca-trusted.pem", "Trusted Uses: E-mail Protection",
++ 1, 'trusted use - E-mail Protection');
++ok(run(app(["openssl", "x509", "-in", $ca, "-addreject", "emailProtection",
++ "-out", "ca-rejected.pem"])));
++cert_contains("ca-rejected.pem", "Rejected Uses: E-mail Protection",
++ 1, 'rejected use - E-mail Protection');
++
+ subtest 'x509 -- x.509 v1 certificate' => sub {
+ tconversion( -type => 'x509', -prefix => 'x509v1',
+ -in => srctop_file("test", "testx509.pem") );
+--
+2.49.0
+
diff --git a/0058-Allow-hybrid-MLKEM-in-FIPS-mode.patch b/0058-Allow-hybrid-MLKEM-in-FIPS-mode.patch
new file mode 100644
index 0000000..b139ecc
--- /dev/null
+++ b/0058-Allow-hybrid-MLKEM-in-FIPS-mode.patch
@@ -0,0 +1,302 @@
+From 26ad3b905a6d4b1fa50b304f21f67aa0d35265e9 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <beldmit@gmail.com>
+Date: Fri, 30 May 2025 16:17:37 +0200
+Subject: [PATCH 58/58] Allow hybrid MLKEM in FIPS mode
+
+---
+ crypto/ml_kem/ml_kem.c | 11 ++--
+ include/crypto/ml_kem.h | 2 +
+ providers/defltprov.c | 8 +--
+ providers/implementations/kem/mlx_kem.c | 33 +++++++++-
+ providers/implementations/keymgmt/mlx_kmgmt.c | 61 ++++++++++++++++++-
+ 5 files changed, 103 insertions(+), 12 deletions(-)
+
+diff --git a/crypto/ml_kem/ml_kem.c b/crypto/ml_kem/ml_kem.c
+index ec75233435..8d0cc1a82c 100644
+--- a/crypto/ml_kem/ml_kem.c
++++ b/crypto/ml_kem/ml_kem.c
+@@ -1581,6 +1581,7 @@ ML_KEM_KEY *ossl_ml_kem_key_new(OSSL_LIB_CTX *libctx, const char *properties,
+ {
+ const ML_KEM_VINFO *vinfo = ossl_ml_kem_get_vinfo(evp_type);
+ ML_KEM_KEY *key;
++ char *adjusted_propq = NULL;
+
+ if (vinfo == NULL)
+ return NULL;
+@@ -1588,15 +1589,17 @@ ML_KEM_KEY *ossl_ml_kem_key_new(OSSL_LIB_CTX *libctx, const char *properties,
+ if ((key = OPENSSL_malloc(sizeof(*key))) == NULL)
+ return NULL;
+
++ adjusted_propq = get_adjusted_propq(properties);
+ key->vinfo = vinfo;
+ key->libctx = libctx;
+ key->prov_flags = ML_KEM_KEY_PROV_FLAGS_DEFAULT;
+- key->shake128_md = EVP_MD_fetch(libctx, "SHAKE128", properties);
+- key->shake256_md = EVP_MD_fetch(libctx, "SHAKE256", properties);
+- key->sha3_256_md = EVP_MD_fetch(libctx, "SHA3-256", properties);
+- key->sha3_512_md = EVP_MD_fetch(libctx, "SHA3-512", properties);
++ key->shake128_md = EVP_MD_fetch(libctx, "SHAKE128", adjusted_propq ? adjusted_propq : properties);
++ key->shake256_md = EVP_MD_fetch(libctx, "SHAKE256", adjusted_propq ? adjusted_propq : properties);
++ key->sha3_256_md = EVP_MD_fetch(libctx, "SHA3-256", adjusted_propq ? adjusted_propq : properties);
++ key->sha3_512_md = EVP_MD_fetch(libctx, "SHA3-512", adjusted_propq ? adjusted_propq : properties);
+ key->d = key->z = key->rho = key->pkhash = key->encoded_dk = NULL;
+ key->s = key->m = key->t = NULL;
++ OPENSSL_free(adjusted_propq);
+
+ if (key->shake128_md != NULL
+ && key->shake256_md != NULL
+diff --git a/include/crypto/ml_kem.h b/include/crypto/ml_kem.h
+index 67d55697e9..ab1aaae8ac 100644
+--- a/include/crypto/ml_kem.h
++++ b/include/crypto/ml_kem.h
+@@ -278,4 +278,6 @@ int ossl_ml_kem_decap(uint8_t *shared_secret, size_t slen,
+ __owur
+ int ossl_ml_kem_pubkey_cmp(const ML_KEM_KEY *key1, const ML_KEM_KEY *key2);
+
++char *get_adjusted_propq(const char *propq);
++
+ #endif /* OPENSSL_HEADER_ML_KEM_H */
+diff --git a/providers/defltprov.c b/providers/defltprov.c
+index eee2178b41..0dba017f3f 100644
+--- a/providers/defltprov.c
++++ b/providers/defltprov.c
+@@ -517,8 +517,8 @@ static const OSSL_ALGORITHM deflt_asym_kem[] = {
+ { "X448MLKEM1024", "provider=default", ossl_mlx_kem_asym_kem_functions },
+ # endif
+ # if !defined(OPENSSL_NO_EC)
+- { "SecP256r1MLKEM768", "provider=default", ossl_mlx_kem_asym_kem_functions },
+- { "SecP384r1MLKEM1024", "provider=default", ossl_mlx_kem_asym_kem_functions },
++ { "SecP256r1MLKEM768", "provider=default,fips=yes", ossl_mlx_kem_asym_kem_functions },
++ { "SecP384r1MLKEM1024", "provider=default,fips=yes", ossl_mlx_kem_asym_kem_functions },
+ # endif
+ #endif
+ { NULL, NULL, NULL }
+@@ -597,9 +597,9 @@ static const OSSL_ALGORITHM deflt_keymgmt[] = {
+ PROV_DESCS_X448MLKEM1024 },
+ # endif
+ # if !defined(OPENSSL_NO_EC)
+- { PROV_NAMES_SecP256r1MLKEM768, "provider=default", ossl_mlx_p256_kem_kmgmt_functions,
++ { PROV_NAMES_SecP256r1MLKEM768, "provider=default,fips=yes", ossl_mlx_p256_kem_kmgmt_functions,
+ PROV_DESCS_SecP256r1MLKEM768 },
+- { PROV_NAMES_SecP384r1MLKEM1024, "provider=default", ossl_mlx_p384_kem_kmgmt_functions,
++ { PROV_NAMES_SecP384r1MLKEM1024, "provider=default,fips=yes", ossl_mlx_p384_kem_kmgmt_functions,
+ PROV_DESCS_SecP384r1MLKEM1024 },
+ # endif
+ #endif
+diff --git a/providers/implementations/kem/mlx_kem.c b/providers/implementations/kem/mlx_kem.c
+index 197c345d85..08fbf99a76 100644
+--- a/providers/implementations/kem/mlx_kem.c
++++ b/providers/implementations/kem/mlx_kem.c
+@@ -19,6 +19,7 @@
+ #include "prov/mlx_kem.h"
+ #include "prov/provider_ctx.h"
+ #include "prov/providercommon.h"
++#include <string.h>
+
+ static OSSL_FUNC_kem_newctx_fn mlx_kem_newctx;
+ static OSSL_FUNC_kem_freectx_fn mlx_kem_freectx;
+@@ -103,6 +104,28 @@ mlx_kem_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+ return 1;
+ }
+
++char *get_adjusted_propq(const char *propq)
++{
++ char *adjusted_propq = NULL;
++ const char *nofips = "-fips";
++ size_t len = propq ? strlen(propq) + 1 + strlen(nofips) + 1 :
++ strlen(nofips) + 1;
++ char *ptr = NULL;
++
++ adjusted_propq = OPENSSL_zalloc(len);
++ if (adjusted_propq != NULL) {
++ ptr = adjusted_propq;
++ if (propq && strlen(propq) > 0) {
++ memcpy(ptr, propq, strlen(propq));
++ ptr += strlen(propq);
++ *ptr = ',';
++ ptr++;
++ }
++ memcpy(ptr, nofips, strlen(nofips));
++ }
++ return adjusted_propq;
++}
++
+ static int mlx_kem_encapsulate(void *vctx, unsigned char *ctext, size_t *clen,
+ unsigned char *shsec, size_t *slen)
+ {
+@@ -115,6 +138,7 @@ static int mlx_kem_encapsulate(void *vctx, unsigned char *ctext, size_t *clen,
+ uint8_t *sbuf;
+ int ml_kem_slot = key->xinfo->ml_kem_slot;
+ int ret = 0;
++ char *adjusted_propq = NULL;
+
+ if (!mlx_kem_have_pubkey(key)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
+@@ -167,7 +191,8 @@ static int mlx_kem_encapsulate(void *vctx, unsigned char *ctext, size_t *clen,
+ encap_slen = ML_KEM_SHARED_SECRET_BYTES;
+ cbuf = ctext + ml_kem_slot * key->xinfo->pubkey_bytes;
+ sbuf = shsec + ml_kem_slot * key->xinfo->shsec_bytes;
+- ctx = EVP_PKEY_CTX_new_from_pkey(key->libctx, key->mkey, key->propq);
++ adjusted_propq = get_adjusted_propq(key->propq);
++ ctx = EVP_PKEY_CTX_new_from_pkey(key->libctx, key->mkey, adjusted_propq ? adjusted_propq : key->propq);
+ if (ctx == NULL
+ || EVP_PKEY_encapsulate_init(ctx, NULL) <= 0
+ || EVP_PKEY_encapsulate(ctx, cbuf, &encap_clen, sbuf, &encap_slen) <= 0)
+@@ -237,6 +262,7 @@ static int mlx_kem_encapsulate(void *vctx, unsigned char *ctext, size_t *clen,
+ end:
+ EVP_PKEY_free(xkey);
+ EVP_PKEY_CTX_free(ctx);
++ OPENSSL_free(adjusted_propq);
+ return ret;
+ }
+
+@@ -252,6 +278,7 @@ static int mlx_kem_decapsulate(void *vctx, uint8_t *shsec, size_t *slen,
+ size_t decap_clen = key->minfo->ctext_bytes + key->xinfo->pubkey_bytes;
+ int ml_kem_slot = key->xinfo->ml_kem_slot;
+ int ret = 0;
++ char *adjusted_propq = NULL;
+
+ if (!mlx_kem_have_prvkey(key)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
+@@ -287,7 +314,8 @@ static int mlx_kem_decapsulate(void *vctx, uint8_t *shsec, size_t *slen,
+ decap_slen = ML_KEM_SHARED_SECRET_BYTES;
+ cbuf = ctext + ml_kem_slot * key->xinfo->pubkey_bytes;
+ sbuf = shsec + ml_kem_slot * key->xinfo->shsec_bytes;
+- ctx = EVP_PKEY_CTX_new_from_pkey(key->libctx, key->mkey, key->propq);
++ adjusted_propq = get_adjusted_propq(key->propq);
++ ctx = EVP_PKEY_CTX_new_from_pkey(key->libctx, key->mkey, adjusted_propq ? adjusted_propq : key->propq);
+ if (ctx == NULL
+ || EVP_PKEY_decapsulate_init(ctx, NULL) <= 0
+ || EVP_PKEY_decapsulate(ctx, sbuf, &decap_slen, cbuf, decap_clen) <= 0)
+@@ -325,6 +353,7 @@ static int mlx_kem_decapsulate(void *vctx, uint8_t *shsec, size_t *slen,
+ end:
+ EVP_PKEY_CTX_free(ctx);
+ EVP_PKEY_free(xkey);
++ OPENSSL_free(adjusted_propq);
+ return ret;
+ }
+
+diff --git a/providers/implementations/keymgmt/mlx_kmgmt.c b/providers/implementations/keymgmt/mlx_kmgmt.c
+index bea8783276..aeef0c8f84 100644
+--- a/providers/implementations/keymgmt/mlx_kmgmt.c
++++ b/providers/implementations/keymgmt/mlx_kmgmt.c
+@@ -156,6 +156,52 @@ typedef struct export_cb_arg_st {
+ size_t prvlen;
+ } EXPORT_CB_ARG;
+
++#ifndef FIPS_MODULE
++# include <openssl/bn.h>
++# include <openssl/ec.h>
++static size_t decompress_pub_key(void *pub, size_t compressed_len, size_t decompressed_len)
++{
++ EC_GROUP *group = NULL;
++ EC_POINT *point = NULL;
++ BN_CTX *ctx = NULL;
++ size_t len = compressed_len;
++ int group_nid = NID_undef;
++
++ switch (len) {
++ case 33:
++ group_nid = NID_X9_62_prime256v1;
++ break;
++ case 49:
++ group_nid = NID_secp384r1;
++ break;
++ default:
++ return len;
++ break;
++ }
++
++ ctx = BN_CTX_new();
++ group = EC_GROUP_new_by_curve_name(group_nid);
++ if (ctx == NULL || group == NULL)
++ goto err;
++
++ point = EC_POINT_new(group);
++ if (point == NULL)
++ goto err;
++
++ if (!EC_POINT_oct2point(group, point, pub, len, ctx))
++ goto err;
++
++ len = EC_POINT_point2oct(group, point, POINT_CONVERSION_UNCOMPRESSED, pub, decompressed_len, ctx);
++
++err:
++ EC_POINT_free(point);
++ EC_GROUP_free(group);
++ BN_CTX_free(ctx);
++
++ return len;
++}
++#endif
++
+ /* Copy any exported key material into its storage slot */
+ static int export_sub_cb(const OSSL_PARAM *params, void *varg)
+ {
+@@ -176,6 +222,10 @@ static int export_sub_cb(const OSSL_PARAM *params, void *varg)
+
+ if (OSSL_PARAM_get_octet_string(p, &pub, sub_arg->publen, &len) != 1)
+ return 0;
++#ifndef FIPS_MODULE
++ if (len < sub_arg->publen)
++ len = decompress_pub_key(pub, len, sub_arg->publen);
++#endif
+ if (len != sub_arg->publen) {
+ ERR_raise_data(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR,
+ "Unexpected %s public key length %lu != %lu",
+@@ -344,12 +394,14 @@ load_slot(OSSL_LIB_CTX *libctx, const char *propq, const char *pname,
+ void *val;
+ int ml_kem_slot = key->xinfo->ml_kem_slot;
+ int ret = 0;
++ char *adjusted_propq = NULL;
+
+ if (slot == ml_kem_slot) {
+ alg = key->minfo->algorithm_name;
+ ppkey = &key->mkey;
+ off = slot * xbytes;
+ len = mbytes;
++ adjusted_propq = get_adjusted_propq(propq);
+ } else {
+ alg = key->xinfo->algorithm_name;
+ group = (char *) key->xinfo->group_name;
+@@ -359,7 +411,8 @@ load_slot(OSSL_LIB_CTX *libctx, const char *propq, const char *pname,
+ }
+ val = (void *)(in + off);
+
+- if ((ctx = EVP_PKEY_CTX_new_from_name(libctx, alg, propq)) == NULL
++ if ((ctx = EVP_PKEY_CTX_new_from_name(libctx, alg,
++ adjusted_propq ? adjusted_propq : propq)) == NULL
+ || EVP_PKEY_fromdata_init(ctx) <= 0)
+ goto err;
+ parr[0] = OSSL_PARAM_construct_octet_string(pname, val, len);
+@@ -370,6 +423,7 @@ load_slot(OSSL_LIB_CTX *libctx, const char *propq, const char *pname,
+ ret = 1;
+
+ err:
++ OPENSSL_free(adjusted_propq);
+ EVP_PKEY_CTX_free(ctx);
+ return ret;
+ }
+@@ -688,6 +742,7 @@ static void *mlx_kem_gen(void *vgctx, OSSL_CALLBACK *osslcb, void *cbarg)
+ PROV_ML_KEM_GEN_CTX *gctx = vgctx;
+ MLX_KEY *key;
+ char *propq;
++ char *adjusted_propq = NULL;
+
+ if (gctx == NULL
+ || (gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) ==
+@@ -704,8 +759,10 @@ static void *mlx_kem_gen(void *vgctx, OSSL_CALLBACK *osslcb, void *cbarg)
+ return key;
+
+ /* For now, using the same "propq" for all components */
+- key->mkey = EVP_PKEY_Q_keygen(key->libctx, key->propq,
++ adjusted_propq = get_adjusted_propq(propq);
++ key->mkey = EVP_PKEY_Q_keygen(key->libctx, adjusted_propq ? adjusted_propq : key->propq,
+ key->minfo->algorithm_name);
++ OPENSSL_free(adjusted_propq);
+ key->xkey = EVP_PKEY_Q_keygen(key->libctx, key->propq,
+ key->xinfo->algorithm_name,
+ key->xinfo->group_name);
+--
+2.49.0
+
diff --git a/openssl.spec b/openssl.spec
index e185595..3ee56d8 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -34,7 +34,7 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 3.5.0
-Release: 4%{?dist}
+Release: 5%{?dist}
Epoch: 1
Source0: openssl-%{version}.tar.gz
Source1: fips-hmacify.sh
@@ -93,6 +93,17 @@ Patch0047: 0047-FIPS-Fix-some-tests-due-to-our-versioning-change.patch
Patch0048: 0048-Current-Rebase-status.patch
Patch0049: 0049-FIPS-KDF-key-lenght-errors.patch
Patch0050: 0050-FIPS-fix-disallowed-digests-tests.patch
+Patch0051: 0051-Make-openssl-speed-run-in-FIPS-mode.patch
+Patch0052: 0052-Backport-upstream-27483-for-PKCS11-needs.patch
+Patch0053: 0053-Red-Hat-9-FIPS-indicator-defines.patch
+Patch0054: 0054-crypto-disable-OSSL_PARAM_REAL-on-UEFI.patch
+Patch0055: 0055-hashfunc-add-stddef.h-include.patch
+Patch0056: 0056-rio-add-RIO_POLL_METHOD_NONE.patch
+Patch0057: 0057-apps-x509.c-Fix-the-addreject-option-adding-trust-in.patch
+%if ( %{defined rhel} && (! %{defined centos}) && (! %{defined eln}) )
+Patch0058: 0058-Allow-hybrid-MLKEM-in-FIPS-mode.patch
+%endif
+
License: Apache-2.0
URL: http://www.openssl.org/
@@ -462,6 +473,9 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
%ldconfig_scriptlets libs
%changelog
+* Thu Jun 05 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.0-5
+- Sync patches from RHEL
+
* Thu Apr 24 2025 Yaakov Selkowitz <yselkowi@redhat.com> - 1:3.5.0-4
- Disable -devel-engine on RHEL 10+
reply other threads:[~2026-06-09 12:45 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=178100913342.1.11213367199223602249.rpms-openssl-f0b1ff1785cc@fedoraproject.org \
--to=dbelyavs@redhat.com \
--cc=git-commits@fedoraproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox