public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
* [rpms/openssl] rebase_40beta: Rebasing to OpenSSL 3.5
@ 2026-06-09 12:45 Dmitry Belyavskiy
0 siblings, 0 replies; only message in thread
From: Dmitry Belyavskiy @ 2026-06-09 12:45 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : cf5f991d6ae87ac9e306262f39a7e0ed5cba81d7
Author : Dmitry Belyavskiy <dbelyavs@redhat.com>
Date : 2025-07-03T13:14:48+02:00
Stats : +1297/-1574 in 69 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/cf5f991d6ae87ac9e306262f39a7e0ed5cba81d7?branch=rebase_40beta
Log:
Rebasing to OpenSSL 3.5
---
diff --git a/.gitignore b/.gitignore
index bbd74fa..5d79149 100644
--- a/.gitignore
+++ b/.gitignore
@@ -66,3 +66,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-3.5.0-alpha1.tar.gz
/openssl-3.5.0-beta1.tar.gz
/openssl-3.5.0.tar.gz
+/openssl-3.5.1.tar.gz
diff --git a/0001-RH-Aarch64-and-ppc64le-use-lib64.patch b/0001-RH-Aarch64-and-ppc64le-use-lib64.patch
index f9c715c..1331ab0 100644
--- a/0001-RH-Aarch64-and-ppc64le-use-lib64.patch
+++ b/0001-RH-Aarch64-and-ppc64le-use-lib64.patch
@@ -1,7 +1,7 @@
-From fb792883f3ccc55997fdc21a9c1052f778dea1ac Mon Sep 17 00:00:00 2001
+From bc8c037733c26d4c4a2a3dfd1e383be9855449b3 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
-Subject: [PATCH 01/58] RH: Aarch64 and ppc64le use lib64
+Subject: [PATCH 01/53] RH: Aarch64 and ppc64le use lib64
Patch-name: 0001-Aarch64-and-ppc64le-use-lib64.patch
Patch-id: 1
@@ -34,5 +34,5 @@ index cba57b4127..3e327017ef 100644
"linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
inherit_from => [ "linux-generic32" ],
--
-2.49.0
+2.50.0
diff --git a/0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch b/0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch
index d9c7035..bfcf061 100644
--- a/0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch
+++ b/0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch
@@ -1,7 +1,7 @@
-From 193d88dfd8d131d2057fc69b4e2abb66f51924d0 Mon Sep 17 00:00:00 2001
+From 99e084a168125827163da87f3f1de3f05db99be1 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 6 Mar 2025 08:40:29 -0500
-Subject: [PATCH 02/58] Add a separate config file to use for rpm installs
+Subject: [PATCH 02/53] Add a separate config file to use for rpm installs
In RHEL/Fedora systems we want to use a slightly different set
of defaults, but we do not want to change the standard config file
@@ -44,7 +44,7 @@ index e24ea0c595..39fa468320 100644
If no providers are activated explicitly, the default one is activated implicitly.
diff --git a/rh-openssl.cnf b/rh-openssl.cnf
new file mode 100644
-index 0000000000..20f5962541
+index 0000000000..fe2346eb2b
--- /dev/null
+++ b/rh-openssl.cnf
@@ -0,0 +1,403 @@
@@ -66,7 +66,7 @@ index 0000000000..20f5962541
+# Use this in order to automatically load providers.
+openssl_conf = openssl_init
+
-+# Comment out the next line to ignore configuration errors
++# Ignore configuration errors
+config_diagnostics = 0
+
+# Extra OBJECT IDENTIFIER info:
@@ -452,5 +452,5 @@ index 0000000000..20f5962541
+cmd = rr
+oldcert = $insta::certout # insta.cert.pem
--
-2.49.0
+2.50.0
diff --git a/0003-RH-Do-not-install-html-docs.patch b/0003-RH-Do-not-install-html-docs.patch
index 1589d8e..8c2edce 100644
--- a/0003-RH-Do-not-install-html-docs.patch
+++ b/0003-RH-Do-not-install-html-docs.patch
@@ -1,7 +1,7 @@
-From 786b3456ad2d3d37e9729b83d0ddce8794060fb1 Mon Sep 17 00:00:00 2001
+From 371ef9d39cb5a54d7f22ef1abd6340dbadf88fcd Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
-Subject: [PATCH 03/58] RH: Do not install html docs
+Subject: [PATCH 03/53] RH: Do not install html docs
Patch-name: 0003-Do-not-install-html-docs.patch
Patch-id: 3
@@ -13,7 +13,7 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
-index e85763ccf8..8a829be037 100644
+index a6f666957e..b1d8b00755 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -658,7 +658,7 @@ install_sw: install_dev install_engines install_modules install_runtime ## Insta
@@ -26,5 +26,5 @@ index e85763ccf8..8a829be037 100644
uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and HTML documentation
$(RM) -r "$(DESTDIR)$(DOCDIR)"
--
-2.49.0
+2.50.0
diff --git a/0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch b/0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch
index 9b8b563..2486532 100644
--- a/0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch
+++ b/0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch
@@ -1,7 +1,7 @@
-From 9e410805cbd962214f0c0db785320f5fd594ea75 Mon Sep 17 00:00:00 2001
+From 79787a5bb85fed3c6998bfe3aebcdff9ffa56edf Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
-Subject: [PATCH 04/58] RH: apps ca fix md option help text.patch - DROP?
+Subject: [PATCH 04/53] RH: apps ca fix md option help text.patch - DROP?
Patch-name: 0005-apps-ca-fix-md-option-help-text.patch
Patch-id: 5
@@ -26,5 +26,5 @@ index 6d1d1c0a6e..a7553ba609 100644
{"keyform", OPT_KEYFORM, 'f',
"Private key file format (ENGINE, other values ignored)"},
--
-2.49.0
+2.50.0
diff --git a/0005-RH-Disable-signature-verification-with-bad-digests-R.patch b/0005-RH-Disable-signature-verification-with-bad-digests-R.patch
index 7b98fd5..b52e60b 100644
--- a/0005-RH-Disable-signature-verification-with-bad-digests-R.patch
+++ b/0005-RH-Disable-signature-verification-with-bad-digests-R.patch
@@ -1,7 +1,7 @@
-From fc8b2977d0b92f5a2e62131e398857ee431bff6e Mon Sep 17 00:00:00 2001
+From c99e322d8f8ea6835f2d8aff4ca33d36410c4233 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
-Subject: [PATCH 05/58] RH: Disable signature verification with bad digests -
+Subject: [PATCH 05/53] RH: Disable signature verification with bad digests -
REVIEW
Patch-name: 0006-Disable-signature-verification-with-totally-unsafe-h.patch
@@ -30,5 +30,5 @@ index f6cac80962..fbc6ce6e30 100644
const EVP_MD *type = NULL;
--
-2.49.0
+2.50.0
diff --git a/0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch b/0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch
index fa24115..99505a3 100644
--- a/0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch
+++ b/0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch
@@ -1,7 +1,7 @@
-From e4f78101181c2a16343c0f281d218fde34b84637 Mon Sep 17 00:00:00 2001
+From f54b7469e2525ea5f03113fad7169bd23fbcab50 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
-Subject: [PATCH 06/58] RH: Add support for PROFILE SYSTEM system default
+Subject: [PATCH 06/53] RH: Add support for PROFILE SYSTEM system default
cipher
Patch-name: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
@@ -20,7 +20,7 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
7 files changed, 105 insertions(+), 14 deletions(-)
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
-index 8a829be037..ba1266659a 100644
+index b1d8b00755..91fd703afa 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -344,6 +344,10 @@ MANDIR=$(INSTALLTOP)/share/man
@@ -43,7 +43,7 @@ index 8a829be037..ba1266659a 100644
@{$config{CPPFLAGS}}) -}
CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
diff --git a/Configure b/Configure
-index 15054f9403..7945d6b750 100755
+index 499585438a..e1b908fe13 100755
--- a/Configure
+++ b/Configure
@@ -27,7 +27,7 @@ use OpenSSL::config;
@@ -66,7 +66,7 @@ index 15054f9403..7945d6b750 100755
# --banner=".." Output specified text instead of default completion banner
#
# -w Don't wait after showing a Configure warning
-@@ -408,6 +412,7 @@ $config{prefix}="";
+@@ -409,6 +413,7 @@ $config{prefix}="";
$config{openssldir}="";
$config{processor}="";
$config{libdir}="";
@@ -74,7 +74,7 @@ index 15054f9403..7945d6b750 100755
my $auto_threads=1; # enable threads automatically? true by default
my $default_ranlib;
-@@ -1104,6 +1109,10 @@ while (@argvcopy)
+@@ -1105,6 +1110,10 @@ while (@argvcopy)
die "FIPS key too long (64 bytes max)\n"
if length $1 > 64;
}
@@ -106,7 +106,7 @@ index 69195bcdcb..a6e0ede570 100644
"High" encryption cipher suites. This currently means those with key lengths
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
-index b342079968..0b2232b01c 100644
+index 383c5bc411..d1b00e8454 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -209,6 +209,11 @@ extern "C" {
@@ -281,10 +281,10 @@ index 6127cb7a4b..19420d6c6a 100644
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index 4c7b62e142..7af3f29cd8 100644
+index 9696a4c55f..4bd3318407 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
-@@ -679,7 +679,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
+@@ -686,7 +686,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
ctx->tls13_ciphersuites,
&(ctx->cipher_list),
&(ctx->cipher_list_by_id),
@@ -293,7 +293,7 @@ index 4c7b62e142..7af3f29cd8 100644
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
return 0;
-@@ -4099,7 +4099,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
+@@ -4136,7 +4136,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
if (!ssl_create_cipher_list(ret,
ret->tls13_ciphersuites,
&ret->cipher_list, &ret->cipher_list_by_id,
@@ -317,5 +317,5 @@ index c46e431b00..19d05e860b 100644
ADD_TEST(test_default_cipherlist_clear);
ADD_TEST(test_stdname_cipherlist);
--
-2.49.0
+2.50.0
diff --git a/0007-RH-Add-FIPS_mode-compatibility-macro.patch b/0007-RH-Add-FIPS_mode-compatibility-macro.patch
index 508a756..0be56b9 100644
--- a/0007-RH-Add-FIPS_mode-compatibility-macro.patch
+++ b/0007-RH-Add-FIPS_mode-compatibility-macro.patch
@@ -1,7 +1,7 @@
-From 6778626185fb566b9b89f548ff18f481c10ce808 Mon Sep 17 00:00:00 2001
+From 6a1b39542597be9a28f94dad23a8e93285368653 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 07/58] RH: Add FIPS_mode compatibility macro
+Subject: [PATCH 07/53] RH: Add FIPS_mode compatibility macro
Patch-name: 0008-Add-FIPS_mode-compatibility-macro.patch
Patch-id: 8
@@ -79,5 +79,5 @@ index 18f8cc8740..6864b1a3c1 100644
return 1;
}
--
-2.49.0
+2.50.0
diff --git a/0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch b/0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch
index c4768a5..06bdbce 100644
--- a/0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch
+++ b/0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch
@@ -1,7 +1,7 @@
-From 9df43c7443d85c5685f87c132de448a7c4e652b5 Mon Sep 17 00:00:00 2001
+From 15d44a4f1365532f8ebdf24a69c9da7220d5c704 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 08/58] RH: Add Kernel FIPS mode flag support - FIXSTYLE
+Subject: [PATCH 08/53] RH: Add Kernel FIPS mode flag support - FIXSTYLE
Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch
Patch-id: 9
@@ -74,10 +74,10 @@ index f15bc3d755..614c8a2c88 100644
goto err;
diff --git a/include/internal/provider.h b/include/internal/provider.h
-index 6909a1919c..9d2e355251 100644
+index 7d94346155..c0f1d00da9 100644
--- a/include/internal/provider.h
+++ b/include/internal/provider.h
-@@ -111,6 +111,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx,
+@@ -114,6 +114,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx,
const OSSL_DISPATCH *in);
void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx);
@@ -88,5 +88,5 @@ index 6909a1919c..9d2e355251 100644
}
# endif
--
-2.49.0
+2.50.0
diff --git a/0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch b/0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch
index 80ec2c4..ba1900c 100644
--- a/0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch
+++ b/0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch
@@ -1,7 +1,7 @@
-From f9d74e58291461804defa0e2de9635aad76e5d57 Mon Sep 17 00:00:00 2001
+From 68174cf923fbaaa95469e433c29992cd63f24f99 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 09/58] RH: Drop weak curve definitions - RENAMED/SQUASHED
+Subject: [PATCH 09/53] RH: Drop weak curve definitions - RENAMED/SQUASHED
Patch-name: 0010-Add-changes-to-ectest-and-eccurve.patch
Patch-id: 10
@@ -28,7 +28,7 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
8 files changed, 10 insertions(+), 1157 deletions(-)
diff --git a/apps/speed.c b/apps/speed.c
-index f52f2c839d..1edf9b8485 100644
+index 6c1eb59e91..3307a9cb46 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -405,7 +405,7 @@ static double ffdh_results[FFDH_NUM][1]; /* 1 op: derivation */
@@ -1161,7 +1161,7 @@ index 63fe319025..06b5c0aac5 100644
{NID_secp224r1, NID_sha224,
"699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
diff --git a/test/ectest.c b/test/ectest.c
-index 70df89ee2f..0ddbba3b98 100644
+index e1cb59d58d..b852381924 100644
--- a/test/ectest.c
+++ b/test/ectest.c
@@ -175,184 +175,26 @@ static int prime_field_tests(void)
@@ -1356,7 +1356,7 @@ index 70df89ee2f..0ddbba3b98 100644
"FFFFFFFF000000000000000000000001"))
|| !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
|| !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF"
-@@ -3128,7 +2970,7 @@ int setup_tests(void)
+@@ -3130,7 +2972,7 @@ int setup_tests(void)
ADD_TEST(parameter_test);
ADD_TEST(ossl_parameter_test);
@@ -1425,5 +1425,5 @@ index e6a2c9eb59..861c01e177 100644
Ctrl = key-check:0
+Result = KEYGEN_GENERATE_ERROR
--
-2.49.0
+2.50.0
diff --git a/0010-RH-Disable-explicit-ec-curves.patch b/0010-RH-Disable-explicit-ec-curves.patch
index af0fcdc..a39a9df 100644
--- a/0010-RH-Disable-explicit-ec-curves.patch
+++ b/0010-RH-Disable-explicit-ec-curves.patch
@@ -1,7 +1,7 @@
-From 27fc7dc53e31b3dcd7ff3df40db1060d7a72f126 Mon Sep 17 00:00:00 2001
+From 6a2b78bca595435fcbf72d7b2c8bec004d555016 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 10/58] RH: Disable explicit ec curves
+Subject: [PATCH 10/53] RH: Disable explicit ec curves
Patch-name: 0012-Disable-explicit-ec.patch
Patch-id: 12
@@ -80,7 +80,7 @@ index b55677fb1f..1df40018ac 100644
EC_GROUP_free(group);
group = named_group;
diff --git a/test/ectest.c b/test/ectest.c
-index 0ddbba3b98..f736d13feb 100644
+index b852381924..6eac5de4fa 100644
--- a/test/ectest.c
+++ b/test/ectest.c
@@ -2413,10 +2413,11 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
@@ -134,7 +134,7 @@ index 0ddbba3b98..f736d13feb 100644
/* Both sides should expect the same shared secret */
if (!TEST_mem_eq(buf1, sslen, buf2, t))
goto err;
-@@ -2892,7 +2894,7 @@ static int custom_params_test(int id)
+@@ -2893,7 +2895,7 @@ static int custom_params_test(int id)
/* compare with previous result */
|| !TEST_mem_eq(buf1, t, buf2, sslen))
goto err;
@@ -240,5 +240,5 @@ index 54b143bead..06ec905be0 100644
-----BEGIN PRIVATE KEY-----
MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K
--
-2.49.0
+2.50.0
diff --git a/0011-RH-skipped-tests-EC-curves.patch b/0011-RH-skipped-tests-EC-curves.patch
index 39ac428..d879679 100644
--- a/0011-RH-skipped-tests-EC-curves.patch
+++ b/0011-RH-skipped-tests-EC-curves.patch
@@ -1,7 +1,7 @@
-From 2c8e302b4a2f9c4eeec718d2a9d5cef655c28153 Mon Sep 17 00:00:00 2001
+From 60e56b8d5d031a7169aa4ad07b13bca15faf345b Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 11/58] RH: skipped tests EC curves
+Subject: [PATCH 11/53] RH: skipped tests EC curves
Patch-name: 0013-skipped-tests-EC-curves.patch
Patch-id: 13
@@ -78,5 +78,5 @@ index f722800e27..26a01786bb 100644
my @basic_cmd = ("cmp_vfy_test",
data_file("server.crt"), data_file("client.crt"),
--
-2.49.0
+2.50.0
diff --git a/0012-RH-skip-quic-pairwise.patch b/0012-RH-skip-quic-pairwise.patch
index ae9b19e..3906238 100644
--- a/0012-RH-skip-quic-pairwise.patch
+++ b/0012-RH-skip-quic-pairwise.patch
@@ -1,7 +1,7 @@
-From e87e9fbc6bcf90d43f6e09f7de46f1805e3e6674 Mon Sep 17 00:00:00 2001
+From e15f0731f753c279a555c6d5d588dbac8dd3f1e4 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Thu, 7 Mar 2024 17:37:09 +0100
-Subject: [PATCH 12/58] RH: skip quic pairwise
+Subject: [PATCH 12/53] RH: skip quic pairwise
Patch-name: 0115-skip-quic-pairwise.patch
Patch-id: 115
@@ -14,10 +14,10 @@ Patch-status: |
3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/test/quicapitest.c b/test/quicapitest.c
-index 38dd42c184..b2e18522ab 100644
+index b98a940553..3d946ae93c 100644
--- a/test/quicapitest.c
+++ b/test/quicapitest.c
-@@ -2761,7 +2761,9 @@ int setup_tests(void)
+@@ -2937,7 +2937,9 @@ int setup_tests(void)
ADD_TEST(test_cipher_find);
ADD_TEST(test_version);
#if defined(DO_SSL_TRACE_TEST)
@@ -41,7 +41,7 @@ index 222b1886ae..7e2f65cccb 100644
note "Duplicates:";
note join('\n', @duplicates);
diff --git a/test/recipes/30-test_pairwise_fail.t b/test/recipes/30-test_pairwise_fail.t
-index a101a26fb1..43e5396766 100644
+index eaf0dbbb42..21864ad319 100644
--- a/test/recipes/30-test_pairwise_fail.t
+++ b/test/recipes/30-test_pairwise_fail.t
@@ -9,7 +9,7 @@
@@ -82,5 +82,5 @@ index a101a26fb1..43e5396766 100644
"-pairwise", "dsa", "-dsaparam", data_file("dsaparam.pem")])),
"fips provider dsa keygen pairwise failure test");
--
-2.49.0
+2.50.0
diff --git a/0013-RH-version-aliasing.patch b/0013-RH-version-aliasing.patch
index 595ad14..3ee4695 100644
--- a/0013-RH-version-aliasing.patch
+++ b/0013-RH-version-aliasing.patch
@@ -1,7 +1,7 @@
-From c63c81754bcf4bf3aeb4049fc5952368764fb303 Mon Sep 17 00:00:00 2001
+From 293b5d1bca91e400a9042cc181d17b7facbed71c Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
-Subject: [PATCH 13/58] RH: version aliasing
+Subject: [PATCH 13/53] RH: version aliasing
Patch-name: 0116-version-aliasing.patch
Patch-id: 116
@@ -79,5 +79,5 @@ index ceb4948839..eab3987a6b 100644
BN_signed_bn2bin 5568 3_2_0 EXIST::FUNCTION:
BN_signed_lebin2bn 5569 3_2_0 EXIST::FUNCTION:
--
-2.49.0
+2.50.0
diff --git a/0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch b/0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch
index 006fdbd..8937c02 100644
--- a/0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch
+++ b/0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch
@@ -1,7 +1,7 @@
-From eeaa8125102427cedfda9a1d5bd663956acd8d63 Mon Sep 17 00:00:00 2001
+From f267ed139ac29efc6d464827024eafb805f06ea2 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 13 Feb 2025 16:09:09 -0500
-Subject: [PATCH 14/58] RH: Export two symbols for OPENSSL_str[n]casecmp
+Subject: [PATCH 14/53] RH: Export two symbols for OPENSSL_str[n]casecmp
We accidentally exported the symbols with the incorrect verison number
in an early version of RHEL-9 so we need to keep the wrong symbols for
@@ -104,5 +104,5 @@ index eab3987a6b..d377d542db 100644
RAND_set0_public 5559 3_1_0 EXIST::FUNCTION:
RAND_set0_private 5560 3_1_0 EXIST::FUNCTION:
--
-2.49.0
+2.50.0
diff --git a/0015-RH-TMP-KTLS-test-skip.patch b/0015-RH-TMP-KTLS-test-skip.patch
index 645280f..58dfd80 100644
--- a/0015-RH-TMP-KTLS-test-skip.patch
+++ b/0015-RH-TMP-KTLS-test-skip.patch
@@ -1,7 +1,7 @@
-From 601c308871191a17620ade34a9edcb8afe969c8d Mon Sep 17 00:00:00 2001
+From 4badd5b30b1caec6c4fd3875cd4c5313ba6095b1 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 13 Feb 2025 18:11:19 -0500
-Subject: [PATCH 15/58] RH: TMP KTLS test skip
+Subject: [PATCH 15/53] RH: TMP KTLS test skip
From-dist-git-commit: 83382cc2a09dfcc55d5740fd08fd95c2333a56c9
---
@@ -9,7 +9,7 @@ From-dist-git-commit: 83382cc2a09dfcc55d5740fd08fd95c2333a56c9
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/test/sslapitest.c b/test/sslapitest.c
-index 38d58e9387..39118a9162 100644
+index b83dd6c552..250a439137 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -1023,9 +1023,10 @@ static int execute_test_large_message(const SSL_METHOD *smeth,
@@ -26,5 +26,5 @@ index 38d58e9387..39118a9162 100644
static int ping_pong_query(SSL *clientssl, SSL *serverssl)
--
-2.49.0
+2.50.0
diff --git a/0016-RH-Allow-disabling-of-SHA1-signatures.patch b/0016-RH-Allow-disabling-of-SHA1-signatures.patch
index 52ed1bd..fedd85d 100644
--- a/0016-RH-Allow-disabling-of-SHA1-signatures.patch
+++ b/0016-RH-Allow-disabling-of-SHA1-signatures.patch
@@ -1,7 +1,7 @@
-From 84c7c05d38e96d003df43527e4e6abc6dbae2683 Mon Sep 17 00:00:00 2001
+From 3e6196d5791ce3443f54a379a5fd679c1066c76a Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 13:07:07 +0200
-Subject: [PATCH 16/58] RH: Allow disabling of SHA1 signatures
+Subject: [PATCH 16/53] RH: Allow disabling of SHA1 signatures
Patch-name: 0049-Allow-disabling-of-SHA1-signatures.patch
Patch-id: 49
@@ -11,7 +11,7 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
crypto/context.c | 70 +++++++++++++++++++
crypto/evp/evp_cnf.c | 13 ++++
- crypto/evp/m_sigver.c | 13 ++++
+ crypto/evp/m_sigver.c | 14 ++++
crypto/evp/pmeth_lib.c | 15 ++++
doc/man5/config.pod | 13 ++++
include/crypto/context.h | 8 +++
@@ -25,7 +25,7 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
providers/implementations/signature/rsa_sig.c | 14 +++-
ssl/t1_lib.c | 8 +++
util/libcrypto.num | 2 +
- 16 files changed, 182 insertions(+), 7 deletions(-)
+ 16 files changed, 183 insertions(+), 7 deletions(-)
diff --git a/crypto/context.c b/crypto/context.c
index 614c8a2c88..323615e300 100644
@@ -172,7 +172,7 @@ index 0e7fe64cf9..b9d3b6d226 100644
ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
"name=%s, value=%s", oval->name, oval->value);
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
-index 2d1839fedb..6e4685ecc0 100644
+index d5df497da7..53044238a1 100644
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c
@@ -15,6 +15,7 @@
@@ -183,10 +183,11 @@ index 2d1839fedb..6e4685ecc0 100644
static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
{
-@@ -251,6 +252,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
- }
+@@ -253,6 +254,19 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
}
+ desc = signature->description != NULL ? signature->description : "";
++
+ if (ctx->reqdigest != NULL
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
@@ -201,9 +202,9 @@ index 2d1839fedb..6e4685ecc0 100644
+
if (ver) {
if (signature->digest_verify_init == NULL) {
- ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
+ ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_NOT_SUPPORTED,
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
-index 665cafbc21..84fb95d4ca 100644
+index 08c0d6a7b2..b936ad4447 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -33,6 +33,7 @@
@@ -214,7 +215,7 @@ index 665cafbc21..84fb95d4ca 100644
#include "evp_local.h"
#ifndef FIPS_MODULE
-@@ -954,6 +955,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
+@@ -963,6 +964,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
return -2;
}
@@ -435,7 +436,7 @@ index e75b90840b..645304b951 100644
if (pmgf1mdname != NULL
&& !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index 8d0c2647b7..f6117a1fc5 100644
+index 2f71f95438..bea5cab253 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -21,6 +21,7 @@
@@ -446,7 +447,7 @@ index 8d0c2647b7..f6117a1fc5 100644
#include "internal/nelem.h"
#include "internal/sizes.h"
#include "internal/tlsgroups.h"
-@@ -2176,6 +2177,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
+@@ -2178,6 +2179,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
EVP_PKEY *tmpkey = EVP_PKEY_new();
int istls;
int ret = 0;
@@ -454,7 +455,7 @@ index 8d0c2647b7..f6117a1fc5 100644
if (ctx == NULL)
goto err;
-@@ -2193,6 +2195,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
+@@ -2195,6 +2197,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
goto err;
ERR_set_mark();
@@ -462,7 +463,7 @@ index 8d0c2647b7..f6117a1fc5 100644
/* First fill cache and tls12_sigalgs list from legacy algorithm list */
for (i = 0, lu = sigalg_lookup_tbl;
i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
-@@ -2213,6 +2216,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
+@@ -2215,6 +2218,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
cache[i].available = 0;
continue;
}
@@ -485,5 +486,5 @@ index d377d542db..c2c55129ae 100644
+ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
+ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
--
-2.49.0
+2.50.0
diff --git a/0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch b/0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch
index 18010e2..77ab57a 100644
--- a/0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch
+++ b/0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch
@@ -1,7 +1,7 @@
-From 16fdb39036e7e8438c5b97359818cd9bc472196f Mon Sep 17 00:00:00 2001
+From 7b1b68328f640d184d6ac769a07aa436b0c3f318 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:12:33 -0500
-Subject: [PATCH 17/58] FIPS: Red Hat's FIPS module name and version
+Subject: [PATCH 17/53] FIPS: Red Hat's FIPS module name and version
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -9,10 +9,10 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
-index 373cd1c2e4..aa1ab85470 100644
+index 4b9a057462..1e90f363af 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
-@@ -199,13 +199,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
+@@ -200,13 +200,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
OSSL_LIB_CTX_FIPS_PROV_INDEX);
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
@@ -30,5 +30,5 @@ index 373cd1c2e4..aa1ab85470 100644
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
--
-2.49.0
+2.50.0
diff --git a/0018-FIPS-disable-fipsinstall.patch b/0018-FIPS-disable-fipsinstall.patch
index 3079823..69d078f 100644
--- a/0018-FIPS-disable-fipsinstall.patch
+++ b/0018-FIPS-disable-fipsinstall.patch
@@ -1,7 +1,7 @@
-From f40c27149fd5bb1864d069b3d116ffd88cca5f2f Mon Sep 17 00:00:00 2001
+From 4e6b86b5130552bfee64c7ecaf045ec00749ecbd Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 18/58] FIPS: disable fipsinstall
+Subject: [PATCH 18/53] FIPS: disable fipsinstall
Patch-name: 0034.fipsinstall_disable.patch
Patch-id: 34
@@ -800,10 +800,10 @@ index a25ced3383..15748c5756 100644
=head1 COPYRIGHT
diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod
-index 20d35fada8..f8f219d647 100644
+index 571a1e99e0..1e384a4ff3 100644
--- a/doc/man7/OSSL_PROVIDER-FIPS.pod
+++ b/doc/man7/OSSL_PROVIDER-FIPS.pod
-@@ -575,7 +575,6 @@ want to operate in a FIPS approved manner. The algorithms are:
+@@ -588,7 +588,6 @@ process.
=head1 SEE ALSO
@@ -866,5 +866,5 @@ index 1f9110ef60..7e80637bd5
# Compatible options for pedantic FIPS compliance
--
-2.49.0
+2.50.0
diff --git a/0019-FIPS-Force-fips-provider-on.patch b/0019-FIPS-Force-fips-provider-on.patch
index 6bcd040..a931116 100644
--- a/0019-FIPS-Force-fips-provider-on.patch
+++ b/0019-FIPS-Force-fips-provider-on.patch
@@ -1,7 +1,7 @@
-From ad031aa2b8ec4042b0081f4179b8a05131bd52df Mon Sep 17 00:00:00 2001
+From a8e98667597d46e69e492779b9d5daa051f6b3b3 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 19/58] FIPS: Force fips provider on
+Subject: [PATCH 19/53] FIPS: Force fips provider on
Patch-name: 0032-Force-fips.patch
Patch-id: 32
@@ -13,7 +13,7 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c
-index 5ec50f97e4..a2a9786e1c 100644
+index 9649517dd2..1e5053cbce 100644
--- a/crypto/provider_conf.c
+++ b/crypto/provider_conf.c
@@ -10,6 +10,8 @@
@@ -75,5 +75,5 @@ index 5ec50f97e4..a2a9786e1c 100644
}
--
-2.49.0
+2.50.0
diff --git a/0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch b/0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch
index 528588e..ecb98c7 100644
--- a/0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch
+++ b/0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch
@@ -1,7 +1,7 @@
-From ee1a3977388a9ec10aa4998beb67d8e3b4bfdd9e Mon Sep 17 00:00:00 2001
+From fff4084252d07eb17e3b944c6438c00aec471c7f Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 20/58] FIPS: INTEG-CHECK: Embed hmac in fips.so - NOTE
+Subject: [PATCH 20/53] FIPS: INTEG-CHECK: Embed hmac in fips.so - NOTE
Corrected by squashing in:
0052-Restore-the-correct-verify_integrity-function.patch
@@ -261,5 +261,5 @@ index 0000000000..f05d0dedbe
+[fips_sect]
+activate = 1
--
-2.49.0
+2.50.0
diff --git a/0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch b/0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch
index 2931295..cce845d 100644
--- a/0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch
+++ b/0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch
@@ -1,7 +1,7 @@
-From c202200bda962300ebc7d19e62ea0df734488c0c Mon Sep 17 00:00:00 2001
+From 9633d1339e383fdb008c25635baa86c58b3dcdc4 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 20 Feb 2025 15:30:32 -0500
-Subject: [PATCH 21/58] FIPS: INTEG-CHECK: Add script to hmac-ify fips.so
+Subject: [PATCH 21/53] FIPS: INTEG-CHECK: Add script to hmac-ify fips.so
This script rewrites the fips.so binary to embed the hmac result into it
so that after a build it can be called to make the fips.so as modified
@@ -28,5 +28,5 @@ index 0000000000..54ae60b07f
+objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
+mv providers/fips.so.mac providers/fips.so
--
-2.49.0
+2.50.0
diff --git a/0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch b/0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch
index fafbff9..a66c84a 100644
--- a/0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch
+++ b/0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch
@@ -1,7 +1,7 @@
-From d0ad196c07d223cbb1dd2419b1ec0b0e4458febb Mon Sep 17 00:00:00 2001
+From 391ce06974d5efaf8485ac2386a857d7644db30a Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 22/58] FIPS: INTEG-CHECK: Execute KATS before HMAC - REVIEW
+Subject: [PATCH 22/53] FIPS: INTEG-CHECK: Execute KATS before HMAC - REVIEW
Patch-name: 0047-FIPS-early-KATS.patch
Patch-id: 47
@@ -45,5 +45,5 @@ index 8b17b8ca94..0f5074936f 100644
rng = ossl_rand_get0_private_noncreating(st->libctx);
if (rng != NULL)
--
-2.49.0
+2.50.0
diff --git a/0023-FIPS-RSA-encrypt-limits-REVIEW.patch b/0023-FIPS-RSA-encrypt-limits-REVIEW.patch
index 1a38677..1ae9587 100644
--- a/0023-FIPS-RSA-encrypt-limits-REVIEW.patch
+++ b/0023-FIPS-RSA-encrypt-limits-REVIEW.patch
@@ -1,7 +1,7 @@
-From 19617bb4a510d73e5080d026d22b06b637a6ad1a Mon Sep 17 00:00:00 2001
+From 821f291d29bf73802287ed74922e1d22d840cb46 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 23/58] FIPS: RSA: encrypt limits - REVIEW
+Subject: [PATCH 23/53] FIPS: RSA: encrypt limits - REVIEW
Patch-name: 0058-FIPS-limit-rsa-encrypt.patch
Patch-id: 58
@@ -981,5 +981,5 @@ index f7be2e1872..568a1ddba4
}
next if $protocol eq "-tls1_3";
--
-2.49.0
+2.50.0
diff --git a/0024-FIPS-RSA-PCTs.patch b/0024-FIPS-RSA-PCTs.patch
index bbc2ec7..8f0c1a2 100644
--- a/0024-FIPS-RSA-PCTs.patch
+++ b/0024-FIPS-RSA-PCTs.patch
@@ -1,7 +1,7 @@
-From 7cb38d617ceb819a58ac14b266787ad3d71f6206 Mon Sep 17 00:00:00 2001
+From 84dc66a182dba38876b2b519a8a5c9d38fd967a3 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 24 Mar 2025 10:50:37 -0400
-Subject: [PATCH 24/58] FIPS: RSA: PCTs
+Subject: [PATCH 24/53] FIPS: RSA: PCTs
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -153,5 +153,5 @@ index 645304b951..3d5af1046a 100644
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
--
-2.49.0
+2.50.0
diff --git a/0025-FIPS-RSA-encapsulate-limits.patch b/0025-FIPS-RSA-encapsulate-limits.patch
index 18d5e4c..06591da 100644
--- a/0025-FIPS-RSA-encapsulate-limits.patch
+++ b/0025-FIPS-RSA-encapsulate-limits.patch
@@ -1,7 +1,7 @@
-From 158637448165abbde8d4b0c24bf4344744b79adc Mon Sep 17 00:00:00 2001
+From 0e23d3fc43bf4ace817542443d772407a809dd19 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
-Subject: [PATCH 25/58] FIPS: RSA: encapsulate limits
+Subject: [PATCH 25/53] FIPS: RSA: encapsulate limits
Patch-name: 0091-FIPS-RSA-encapsulate.patch
Patch-id: 91
@@ -55,5 +55,5 @@ index ecab1454e7..8e5edd35fe 100644
Op = RSASVE
+Result = TEST_ENCAPSULATE_LEN_ERROR
--
-2.49.0
+2.50.0
diff --git a/0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch b/0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch
index 00513c7..9a592fa 100644
--- a/0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch
+++ b/0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch
@@ -1,7 +1,7 @@
-From 9595ceef9fe9a45fca1f970706077712dbb9287f Mon Sep 17 00:00:00 2001
+From bb269a8f52e1be87144247772e2425b2f4911bee Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
-Subject: [PATCH 26/58] FIPS: RSA: Disallow SHAKE in OAEP and PSS
+Subject: [PATCH 26/53] FIPS: RSA: Disallow SHAKE in OAEP and PSS
According to FIPS 140-3 IG, section C.C, the SHAKE digest algorithms
must not be used in higher-level algorithms (such as RSA-OAEP and
@@ -93,5 +93,5 @@ index a2bc198a89..2833ca50f3 100644
if (hLen <= 0)
goto err;
--
-2.49.0
+2.50.0
diff --git a/0027-FIPS-RSA-size-mode-restrictions.patch b/0027-FIPS-RSA-size-mode-restrictions.patch
index 8a572a7..ca83feb 100644
--- a/0027-FIPS-RSA-size-mode-restrictions.patch
+++ b/0027-FIPS-RSA-size-mode-restrictions.patch
@@ -1,7 +1,7 @@
-From 47cf5bdab3a46ecffd3100330781e6c297e83d66 Mon Sep 17 00:00:00 2001
+From f177c315c190537fe6a1bb0620024ae86bb95c8a Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:20:30 -0500
-Subject: [PATCH 27/58] FIPS: RSA: size/mode restrictions
+Subject: [PATCH 27/53] FIPS: RSA: size/mode restrictions
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -437,5 +437,5 @@ index 17ceb59148..972e90f32f 100644
# Signing with SHA1 is not allowed in fips mode
Availablein = fips
--
-2.49.0
+2.50.0
diff --git a/0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch b/0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch
index 07fe304..068dc29 100644
--- a/0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch
+++ b/0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch
@@ -1,7 +1,7 @@
-From ae1fcbd1129fc53d4ac72148696efd126e574453 Mon Sep 17 00:00:00 2001
+From bc8584fab56834724a8aa70aba1c1f56f1d794e2 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 24 Mar 2025 11:03:45 -0400
-Subject: [PATCH 28/58] FIPS: RSA: Mark x931 as not approved by default
+Subject: [PATCH 28/53] FIPS: RSA: Mark x931 as not approved by default
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -22,5 +22,5 @@ index 6bd783eb0a..c1b029de86 100644
OSSL_FIPS_PARAM(kbkdf_key_check, KBKDF_KEY_CHECK, 0)
OSSL_FIPS_PARAM(tls13_kdf_key_check, TLS13_KDF_KEY_CHECK, 0)
--
-2.49.0
+2.50.0
diff --git a/0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch b/0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch
index d6de25f..40a7f4c 100644
--- a/0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch
+++ b/0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch
@@ -1,7 +1,7 @@
-From 4ce72cfe8d1e0b37e882766b449af109d9e7c3f8 Mon Sep 17 00:00:00 2001
+From 7a34ce0dbb64dd29e412dffb0628815eed4a8b96 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:16 +0100
-Subject: [PATCH 29/58] FIPS: RSA: Remove X9.31 padding signatures tests
+Subject: [PATCH 29/53] FIPS: RSA: Remove X9.31 padding signatures tests
The current draft of FIPS 186-5 [1] no longer contains specifications
for X9.31 signature padding. Instead, it contains the following
@@ -278,5 +278,5 @@ index 97ec1ff3e5..31fa0eafc6 100644
"pss",
4096,
--
-2.49.0
+2.50.0
diff --git a/0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch b/0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch
index f89bbfb..eac058b 100644
--- a/0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch
+++ b/0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch
@@ -1,7 +1,7 @@
-From 3a9f2ccf8120cbf5b854a403926dce2d772f5f78 Mon Sep 17 00:00:00 2001
+From c031855ff636806e7811513779e494b92808a1e4 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 12 Feb 2025 17:12:02 -0500
-Subject: [PATCH 30/58] FIPS: RSA: NEEDS-REWORK:
+Subject: [PATCH 30/53] FIPS: RSA: NEEDS-REWORK:
FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed
Signed-off-by: Simo Sorce <simo@redhat.com>
@@ -383,5 +383,5 @@ index 0000000000..2833a383c1
+--
+
--
-2.49.0
+2.50.0
diff --git a/0031-FIPS-Deny-SHA-1-signature-verification.patch b/0031-FIPS-Deny-SHA-1-signature-verification.patch
index 0adf37a..97b612a 100644
--- a/0031-FIPS-Deny-SHA-1-signature-verification.patch
+++ b/0031-FIPS-Deny-SHA-1-signature-verification.patch
@@ -1,7 +1,7 @@
-From 9b198c3634fd3871dd535389e7b7c2379f6934fb Mon Sep 17 00:00:00 2001
+From 5fd8ab23690e661f785336b95799e74b39089790 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 31/58] FIPS: Deny SHA-1 signature verification
+Subject: [PATCH 31/53] FIPS: Deny SHA-1 signature verification
For RHEL, we already disable SHA-1 signatures by default in the default
provider, so it is unexpected that the FIPS provider would have a more
@@ -704,5 +704,5 @@ index 568a1ddba4..6332aaec4b 100755
SKIP: {
skip "No IPv4 available on this machine", 4
--
-2.49.0
+2.50.0
diff --git a/0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch b/0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch
index a20b46e..5430a7a 100644
--- a/0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch
+++ b/0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch
@@ -1,7 +1,7 @@
-From 39c7eb2e82b9df4ffe58d8e05fbdb9115dde50cc Mon Sep 17 00:00:00 2001
+From 85acc91ca970f6509e67c93b46be12cf261bd3ad Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:16 +0100
-Subject: [PATCH 32/58] FIPS: RAND: FIPS-140-3 DRBG - NEEDS REVIEW
+Subject: [PATCH 32/53] FIPS: RAND: FIPS-140-3 DRBG - NEEDS REVIEW
providers/implementations/rands/crngt.c is gone
@@ -14,9 +14,8 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
crypto/rand/prov_seed.c | 9 ++-
providers/implementations/rands/drbg.c | 11 ++-
- providers/implementations/rands/drbg_local.h | 2 +-
.../implementations/rands/seeding/rand_unix.c | 68 ++-----------------
- 4 files changed, 23 insertions(+), 67 deletions(-)
+ 3 files changed, 22 insertions(+), 66 deletions(-)
diff --git a/crypto/rand/prov_seed.c b/crypto/rand/prov_seed.c
index 2985c7f2d8..3202a28226 100644
@@ -68,19 +67,6 @@ index 4925a3b400..1cdb67b22c 100644
if (reseed_required || prediction_resistance) {
if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL,
-diff --git a/providers/implementations/rands/drbg_local.h b/providers/implementations/rands/drbg_local.h
-index e591e0b3d1..c7cafba1ea 100644
---- a/providers/implementations/rands/drbg_local.h
-+++ b/providers/implementations/rands/drbg_local.h
-@@ -39,7 +39,7 @@
- *
- * The value is in bytes.
- */
--#define CRNGT_BUFSIZ 16
-+#define CRNGT_BUFSIZ 32
-
- /*
- * Maximum input size for the DRBG (entropy, nonce, personalization string)
diff --git a/providers/implementations/rands/seeding/rand_unix.c b/providers/implementations/rands/seeding/rand_unix.c
index c3a5d8b3bf..b7b34a9345 100644
--- a/providers/implementations/rands/seeding/rand_unix.c
@@ -168,5 +154,5 @@ index c3a5d8b3bf..b7b34a9345 100644
# endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
--
-2.49.0
+2.50.0
diff --git a/0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch b/0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch
index fa87558..86a363b 100644
--- a/0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch
+++ b/0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch
@@ -1,7 +1,7 @@
-From 92c90300747de60df2e805b9fe78fa016f5fd49e Mon Sep 17 00:00:00 2001
+From d2369dfc75e2b121650bc51f5ac3e0e7c9b75a29 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:16 +0100
-Subject: [PATCH 33/58] FIPS: RAND: Forbid truncated hashes & SHA-3
+Subject: [PATCH 33/53] FIPS: RAND: Forbid truncated hashes & SHA-3
Section D.R "Hash Functions Acceptable for Use in the SP 800-90A DRBGs"
of the Implementation Guidance for FIPS 140-3 [1] notes that there is no
@@ -1191,5 +1191,5 @@ index 9756859c0e..9baecf6f31 100644
+#Nonce.0 = 15e32abbae6b7433
+#Output.0 = ee9f
--
-2.49.0
+2.50.0
diff --git a/0034-FIPS-PBKDF2-Set-minimum-password-length.patch b/0034-FIPS-PBKDF2-Set-minimum-password-length.patch
index 2aa30cc..936afd1 100644
--- a/0034-FIPS-PBKDF2-Set-minimum-password-length.patch
+++ b/0034-FIPS-PBKDF2-Set-minimum-password-length.patch
@@ -1,7 +1,7 @@
-From 5d5521b81a6714c88438e4f1fb0cf30096a0b0b6 Mon Sep 17 00:00:00 2001
+From 1a83f0de8b9aaa1cf5727f0599b089346ffd89f4 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
-Subject: [PATCH 34/58] FIPS: PBKDF2: Set minimum password length
+Subject: [PATCH 34/53] FIPS: PBKDF2: Set minimum password length
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -117,5 +117,5 @@ index b383314064..68f9355b7d 100644
if (!passed) {
ERR_raise(ERR_LIB_PROV, error);
--
-2.49.0
+2.50.0
diff --git a/0035-FIPS-DH-PCT.patch b/0035-FIPS-DH-PCT.patch
index a22cfa9..e7ab885 100644
--- a/0035-FIPS-DH-PCT.patch
+++ b/0035-FIPS-DH-PCT.patch
@@ -1,7 +1,7 @@
-From 1f54210f4e4de1f2143d02f6d0b56cc388b617cd Mon Sep 17 00:00:00 2001
+From 5276208d8cb9a1504ec5a4f9a9d554daf7918731 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 24 Mar 2025 10:49:00 -0400
-Subject: [PATCH 35/58] FIPS: DH: PCT
+Subject: [PATCH 35/53] FIPS: DH: PCT
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -69,5 +69,5 @@ index 7132b9b68e..189bfc3e8b 100644
ok = 1;
err:
--
-2.49.0
+2.50.0
diff --git a/0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch b/0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch
index 0b2dd30..191985f 100644
--- a/0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch
+++ b/0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch
@@ -1,7 +1,7 @@
-From 863cb10f0add28b1d82ec3042d2e7b418169b48a Mon Sep 17 00:00:00 2001
+From ad3ca70961e0067afd8c8b386fdcc61a576ac11b Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
-Subject: [PATCH 36/58] FIPS: DH: Disable FIPS 186-4 type parameters
+Subject: [PATCH 36/53] FIPS: DH: Disable FIPS 186-4 type parameters
For DH parameter and key pair generation/verification, the DSA
procedures specified in FIPS 186-4 are used. With the release of FIPS
@@ -156,7 +156,7 @@ index 189bfc3e8b..023d628502 100644
}
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
-index c11ada9826..e279e9d60d 100644
+index 3b75a537b3..6ea7a423d5 100644
--- a/crypto/dh/dh_pmeth.c
+++ b/crypto/dh/dh_pmeth.c
@@ -303,13 +303,17 @@ static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx,
@@ -326,5 +326,5 @@ index 6332aaec4b..4d8c900c00 100755
'test sslv2/sslv3 with 1024bit DHE via BIO pair');
}
--
-2.49.0
+2.50.0
diff --git a/0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch b/0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch
index 8c0e545..ebeba13 100644
--- a/0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch
+++ b/0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch
@@ -1,7 +1,7 @@
-From 900d90fa1e34bfbbfcc91face57680c0424f2014 Mon Sep 17 00:00:00 2001
+From 14cddfc71e0eae69aafdf84c1dfb073bb69942f1 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
-Subject: [PATCH 37/58] FIPS: TLS: Enforce EMS in TLS 1.2 - NOTE
+Subject: [PATCH 37/53] FIPS: TLS: Enforce EMS in TLS 1.2 - NOTE
NOTE: Enforcement of EMS in non-FIPS mode has been dropped due to code
change the option to enforce it seem to be available only in FIPS build
@@ -25,7 +25,7 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
9 files changed, 46 insertions(+), 5 deletions(-)
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
-index e2c1e69847..009b683b27 100644
+index 9338ffc01d..911ea21a68 100644
--- a/doc/man3/SSL_CONF_cmd.pod
+++ b/doc/man3/SSL_CONF_cmd.pod
@@ -621,6 +621,9 @@ B<ExtendedMasterSecret>: use extended master secret extension, enabled by
@@ -63,7 +63,7 @@ index 15748c5756..34cbfbb2ad 100644
Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
-index 0b2232b01c..99b2ad4eb3 100644
+index d1b00e8454..b815f25dae 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -417,6 +417,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
@@ -175,7 +175,7 @@ index 50944328cb..edb2e81273 100644
KDF = TLS1-PRF
Ctrl.digest = digest:SHA256
diff --git a/test/sslapitest.c b/test/sslapitest.c
-index 39118a9162..9522478ad2 100644
+index 250a439137..acc4751095 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -575,7 +575,7 @@ static int test_client_cert_verify_cb(void)
@@ -188,5 +188,5 @@ index 39118a9162..9522478ad2 100644
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(), TLS1_VERSION, 0,
--
-2.49.0
+2.50.0
diff --git a/0038-FIPS-CMS-Set-default-padding-to-OAEP.patch b/0038-FIPS-CMS-Set-default-padding-to-OAEP.patch
index 3e93713..3b9b627 100644
--- a/0038-FIPS-CMS-Set-default-padding-to-OAEP.patch
+++ b/0038-FIPS-CMS-Set-default-padding-to-OAEP.patch
@@ -1,7 +1,7 @@
-From a227572868569ba87b9aef722a8d981ad5feb11b Mon Sep 17 00:00:00 2001
+From ecc156faf9f4d65fd73a8ef7d8ec87f5b4c0ab88 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 13 Feb 2025 18:08:34 -0500
-Subject: [PATCH 38/58] FIPS: CMS: Set default padding to OAEP
+Subject: [PATCH 38/53] FIPS: CMS: Set default padding to OAEP
From-dist-git-commit: d508cbed930481c1960d6a6bc1e1a9593252dbbe
---
@@ -57,5 +57,5 @@ index 375239c78d..e09ad03ece 100644
if (EVP_PKEY_encrypt(pctx, NULL, &eklen, ec->key, ec->keylen) <= 0)
--
-2.49.0
+2.50.0
diff --git a/0039-FIPS-PKCS12-PBMAC1-defaults.patch b/0039-FIPS-PKCS12-PBMAC1-defaults.patch
index 5d7be3e..b26bfaf 100644
--- a/0039-FIPS-PKCS12-PBMAC1-defaults.patch
+++ b/0039-FIPS-PKCS12-PBMAC1-defaults.patch
@@ -1,7 +1,7 @@
-From 6ca4910fa964f135e5a18b31502bddef3aef1304 Mon Sep 17 00:00:00 2001
+From 16b5a03db729e5977ab88b3107f99586be34006b Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 13 Feb 2025 18:16:29 -0500
-Subject: [PATCH 39/58] FIPS: PKCS12: PBMAC1 defaults
+Subject: [PATCH 39/53] FIPS: PKCS12: PBMAC1 defaults
From-dist-git-commit: 8fc2d4842385584094d57f6f66fcbc2a07865708
---
@@ -31,5 +31,5 @@ index 9964faf21a..59439a8cc0 100644
if (!PKCS12_set_pbmac1_pbkdf2(p12, mpass, -1, NULL,
macsaltlen, maciter,
--
-2.49.0
+2.50.0
diff --git a/0040-FIPS-Fix-encoder-decoder-negative-test.patch b/0040-FIPS-Fix-encoder-decoder-negative-test.patch
index 762757c..e98b350 100644
--- a/0040-FIPS-Fix-encoder-decoder-negative-test.patch
+++ b/0040-FIPS-Fix-encoder-decoder-negative-test.patch
@@ -1,7 +1,7 @@
-From fe12acbd953da37dd25e8abca64582c9bdeadf3c Mon Sep 17 00:00:00 2001
+From eea9e6867012efa55d7ae48ab9a87fd0da382b6b Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 5 Mar 2025 13:22:03 -0500
-Subject: [PATCH 40/58] FIPS: Fix encoder/decoder negative test
+Subject: [PATCH 40/53] FIPS: Fix encoder/decoder negative test
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -31,5 +31,5 @@ index 2acc980e90..660d4e1115
my $conf2 = srctop_file("test", "default-and-fips.cnf");
ok(run(test(['decoder_propq_test', '-config', $conf2,
--
-2.49.0
+2.50.0
diff --git a/0041-FIPS-EC-DH-DSA-PCTs.patch b/0041-FIPS-EC-DH-DSA-PCTs.patch
index 8770f3e..f5cdb07 100644
--- a/0041-FIPS-EC-DH-DSA-PCTs.patch
+++ b/0041-FIPS-EC-DH-DSA-PCTs.patch
@@ -1,7 +1,7 @@
-From a4fc741bd6e43b301121f01ef7c823a589faad39 Mon Sep 17 00:00:00 2001
+From 1e029f27fe022949adaba959ac3fa3c3c1eccb0b Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 24 Mar 2025 10:50:06 -0400
-Subject: [PATCH 41/58] FIPS: EC: DH/DSA PCTs
+Subject: [PATCH 41/53] FIPS: EC: DH/DSA PCTs
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -176,5 +176,5 @@ index 4e46eaf9bc..4d7c25728a 100644
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx },
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init },
--
-2.49.0
+2.50.0
diff --git a/0042-FIPS-EC-disable-weak-curves.patch b/0042-FIPS-EC-disable-weak-curves.patch
index 7d89757..f625b85 100644
--- a/0042-FIPS-EC-disable-weak-curves.patch
+++ b/0042-FIPS-EC-disable-weak-curves.patch
@@ -1,7 +1,7 @@
-From c3f3de074f9140dd8f5833f7fe3e751ac0838323 Mon Sep 17 00:00:00 2001
+From 92b40ca85bbfa7acc9b16f2c7b370f2ea5fa3ffc Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:06:36 -0500
-Subject: [PATCH 42/58] FIPS: EC: disable weak curves
+Subject: [PATCH 42/53] FIPS: EC: disable weak curves
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -27,5 +27,5 @@ index f0879dfb11..a6042e7d2a 100644
comment = "CURVE DESCRIPTION NOT AVAILABLE";
if (sname == NULL)
--
-2.49.0
+2.50.0
diff --git a/0043-FIPS-NO-DSA-Support.patch b/0043-FIPS-NO-DSA-Support.patch
index bf39c28..f58ff19 100644
--- a/0043-FIPS-NO-DSA-Support.patch
+++ b/0043-FIPS-NO-DSA-Support.patch
@@ -1,7 +1,7 @@
-From d923f8b4531718ede24814722a0c0f0f912dca7c Mon Sep 17 00:00:00 2001
+From 2dbc4a1c31e66fd841a87f62834d8d60aff10d45 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:10:52 -0500
-Subject: [PATCH 43/58] FIPS: NO DSA Support
+Subject: [PATCH 43/53] FIPS: NO DSA Support
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -18,10 +18,10 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
mode change 100644 => 100755 test/recipes/30-test_evp.t
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
-index aa1ab85470..7999744b5a 100644
+index 1e90f363af..84d8e897cc 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
-@@ -430,7 +430,8 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
+@@ -431,7 +431,8 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
};
static const OSSL_ALGORITHM fips_signature[] = {
@@ -31,7 +31,7 @@ index aa1ab85470..7999744b5a 100644
{ PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
{ PROV_NAMES_DSA_SHA1, FIPS_DEFAULT_PROPERTIES, ossl_dsa_sha1_signature_functions },
{ PROV_NAMES_DSA_SHA224, FIPS_DEFAULT_PROPERTIES, ossl_dsa_sha224_signature_functions },
-@@ -560,8 +561,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
+@@ -561,8 +562,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
PROV_DESCS_DHX },
#endif
#ifndef OPENSSL_NO_DSA
@@ -396,5 +396,5 @@ index ece29485f4..756f90c1bd 100644
"-signer", $smrsa1,
"-signer", catfile($smdir, "smrsa2.pem"),
--
-2.49.0
+2.50.0
diff --git a/0044-FIPS-NO-DES-support.patch b/0044-FIPS-NO-DES-support.patch
index 2e49a80..2f55859 100644
--- a/0044-FIPS-NO-DES-support.patch
+++ b/0044-FIPS-NO-DES-support.patch
@@ -1,7 +1,7 @@
-From ca860bb5c16d9a96afb32e025b54db76e5f8cfd3 Mon Sep 17 00:00:00 2001
+From 8774a96fde9355aa32c040c145e4f35d7c09a5bd Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:15:13 -0500
-Subject: [PATCH 44/58] FIPS: NO DES support
+Subject: [PATCH 44/53] FIPS: NO DES support
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -14,10 +14,10 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
6 files changed, 14 insertions(+), 23 deletions(-)
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
-index 7999744b5a..30f0c8ca14 100644
+index 84d8e897cc..4b394c3e39 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
-@@ -354,7 +354,8 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = {
+@@ -355,7 +355,8 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = {
ossl_cipher_capable_aes_cbc_hmac_sha256),
ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
ossl_cipher_capable_aes_cbc_hmac_sha256),
@@ -80,7 +80,7 @@ index 2838f343bd..19dd2c6c63 100644
return 1;
}
diff --git a/test/recipes/30-test_evp_data/evpciph_des3_common.txt b/test/recipes/30-test_evp_data/evpciph_des3_common.txt
-index 1947e21f74..119b75d9ce 100644
+index 6c74b65cef..8bcb78cd2d 100644
--- a/test/recipes/30-test_evp_data/evpciph_des3_common.txt
+++ b/test/recipes/30-test_evp_data/evpciph_des3_common.txt
@@ -14,7 +14,7 @@
@@ -132,7 +132,7 @@ index 1947e21f74..119b75d9ce 100644
Ciphertext = 3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675
# Test that DES3 ECB mode encryption is not FIPS approved
--Availablein = fipss
+-Availablein = fips
-FIPSversion = >=3.4.0
+Availablein = none
Cipher = DES-EDE3-ECB
@@ -170,5 +170,5 @@ index 756f90c1bd..ac833d2a2f 100644
"-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
"-stream", "-out", "{output}.cms" ],
--
-2.49.0
+2.50.0
diff --git a/0045-FIPS-NO-Kmac.patch b/0045-FIPS-NO-Kmac.patch
index bf948cf..89c3248 100644
--- a/0045-FIPS-NO-Kmac.patch
+++ b/0045-FIPS-NO-Kmac.patch
@@ -1,7 +1,7 @@
-From 3928272f2d86188ef8796c7d18b1ec7d617cae97 Mon Sep 17 00:00:00 2001
+From e466bb4e4fa16481cbf44b410933e6dceb8d27d9 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:22:07 -0500
-Subject: [PATCH 45/58] FIPS: NO Kmac
+Subject: [PATCH 45/53] FIPS: NO Kmac
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -15,10 +15,10 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
7 files changed, 40 insertions(+), 86 deletions(-)
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
-index 30f0c8ca14..00b7d1e2aa 100644
+index 4b394c3e39..8f00dfa0ef 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
-@@ -293,10 +293,11 @@ static const OSSL_ALGORITHM fips_digests[] = {
+@@ -294,10 +294,11 @@ static const OSSL_ALGORITHM fips_digests[] = {
* KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
* KMAC128 and KMAC256.
*/
@@ -32,7 +32,7 @@ index 30f0c8ca14..00b7d1e2aa 100644
{ NULL, NULL, NULL }
};
-@@ -369,8 +370,9 @@ static const OSSL_ALGORITHM fips_macs[] = {
+@@ -370,8 +371,9 @@ static const OSSL_ALGORITHM fips_macs[] = {
#endif
{ PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions },
{ PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions },
@@ -422,5 +422,5 @@ index 831eecbac9..af92ceea98 100644
-Custom = ""
-Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69
--
-2.49.0
+2.50.0
diff --git a/0046-FIPS-Fix-some-tests-due-to-our-versioning-change.patch b/0046-FIPS-Fix-some-tests-due-to-our-versioning-change.patch
new file mode 100644
index 0000000..e7e10be
--- /dev/null
+++ b/0046-FIPS-Fix-some-tests-due-to-our-versioning-change.patch
@@ -0,0 +1,106 @@
+From 0d1de1053dc1b4b9a1e14b622311d0449c64e19e Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Mon, 10 Mar 2025 13:52:50 -0400
+Subject: [PATCH 46/53] FIPS: Fix some tests due to our versioning change
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ test/ssl-tests/13-fragmentation.cnf.in | 4 ++--
+ test/ssl-tests/17-renegotiate.cnf.in | 4 ++--
+ test/ssl-tests/18-dtls-renegotiate.cnf.in | 2 +-
+ test/ssl-tests/19-mac-then-encrypt.cnf.in | 2 +-
+ test/ssl-tests/20-cert-select.cnf.in | 6 +++---
+ 5 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/test/ssl-tests/13-fragmentation.cnf.in b/test/ssl-tests/13-fragmentation.cnf.in
+index 318fd65960..87ec08ee5b 100644
+--- a/test/ssl-tests/13-fragmentation.cnf.in
++++ b/test/ssl-tests/13-fragmentation.cnf.in
+@@ -14,7 +14,7 @@ use warnings;
+
+ package ssltests;
+
+-our $fips_3_4;
++our $fips_mode;
+
+ our @tests = (
+ # Default fragment size is 512.
+@@ -273,4 +273,4 @@ my @tests_rsa = (
+ );
+
+ push @tests, @tests_rsa
+- unless $fips_3_4;
++ unless $fips_mode;
+diff --git a/test/ssl-tests/17-renegotiate.cnf.in b/test/ssl-tests/17-renegotiate.cnf.in
+index 2812e4c38b..9cbd972eba 100644
+--- a/test/ssl-tests/17-renegotiate.cnf.in
++++ b/test/ssl-tests/17-renegotiate.cnf.in
+@@ -15,7 +15,7 @@ use warnings;
+ package ssltests;
+ use OpenSSL::Test::Utils;
+
+-our $fips_3_4;
++our $fips_mode;
+
+ our @tests = (
+ {
+@@ -318,5 +318,5 @@ our @tests_tls1_2 = (
+ }
+ );
+
+-push @tests, @tests_tls1_2_rsa unless disabled("tls1_2") or $fips_3_4;
++push @tests, @tests_tls1_2_rsa unless disabled("tls1_2") or $fips_mode;
+ push @tests, @tests_tls1_2 unless disabled("tls1_2");
+diff --git a/test/ssl-tests/18-dtls-renegotiate.cnf.in b/test/ssl-tests/18-dtls-renegotiate.cnf.in
+index 8996849a2c..415dc2978d 100644
+--- a/test/ssl-tests/18-dtls-renegotiate.cnf.in
++++ b/test/ssl-tests/18-dtls-renegotiate.cnf.in
+@@ -133,7 +133,7 @@ foreach my $sctp ("No", "Yes")
+ );
+ push @tests, @tests_basic;
+
+- next if disabled("dtls1_2") || $fips_3_4;
++ next if disabled("dtls1_2") || $fips_mode;
+ our @tests_dtls1_2 = (
+ {
+ name => "renegotiate-aead-to-non-aead".$suffix,
+diff --git a/test/ssl-tests/19-mac-then-encrypt.cnf.in b/test/ssl-tests/19-mac-then-encrypt.cnf.in
+index 32bcec4be4..2f8a123c20 100644
+--- a/test/ssl-tests/19-mac-then-encrypt.cnf.in
++++ b/test/ssl-tests/19-mac-then-encrypt.cnf.in
+@@ -17,7 +17,7 @@ our $fips_mode;
+ our $fips_3_4;
+
+ # Nothing to test with newer fips providers
+-return if $fips_3_4;
++return if $fips_mode;
+
+ our @tests = (
+ {
+diff --git a/test/ssl-tests/20-cert-select.cnf.in b/test/ssl-tests/20-cert-select.cnf.in
+index af47842fd8..21c75033e8 100644
+--- a/test/ssl-tests/20-cert-select.cnf.in
++++ b/test/ssl-tests/20-cert-select.cnf.in
+@@ -266,7 +266,7 @@ our @tests = (
+ },
+ test => {
+ "ExpectedServerCertType" =>, "RSA",
+- "ExpectedResult" => $fips_3_4 ? "ClientFail" : "Success"
++ "ExpectedResult" => $fips_mode ? "ClientFail" : "Success"
+ },
+ },
+ {
+@@ -1005,8 +1005,8 @@ my @tests_dsa_tls_1_3 = (
+ );
+
+ if (!disabled("dsa")) {
+- push @tests, @tests_dsa_tls_1_2 unless disabled("dh") || $fips_3_4;
+- push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
++ push @tests, @tests_dsa_tls_1_2 unless disabled("dh") || $fips_mode;
++ push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3") || $fips_mode;
+ }
+
+ my @tests_mldsa_tls_1_3 = (
+--
+2.50.0
+
diff --git a/0046-FIPS-NO-PQ-ML-SLH-DSA.patch b/0046-FIPS-NO-PQ-ML-SLH-DSA.patch
deleted file mode 100644
index 5822c05..0000000
--- a/0046-FIPS-NO-PQ-ML-SLH-DSA.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From a6dce07d8e44e79dc3db9538d269bbbc903a8e15 Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Fri, 7 Mar 2025 18:24:36 -0500
-Subject: [PATCH 46/58] FIPS: NO PQ (ML/SLH-DSA)
-
-Signed-off-by: Simo Sorce <simo@redhat.com>
----
- providers/fips/self_test_data.inc | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
-index f3059a8446..9659f10613 100644
---- a/providers/fips/self_test_data.inc
-+++ b/providers/fips/self_test_data.inc
-@@ -3037,6 +3037,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
- #endif /* OPENSSL_NO_DSA */
- #endif
-
-+#if 0
- #ifndef OPENSSL_NO_ML_DSA
- {
- OSSL_SELF_TEST_DESC_SIGN_ML_DSA,
-@@ -3081,6 +3082,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
- slh_dsa_sig_params, slh_dsa_sig_params
- },
- #endif /* OPENSSL_NO_SLH_DSA */
-+#endif
- };
-
- #if !defined(OPENSSL_NO_ML_DSA)
---
-2.49.0
-
diff --git a/0047-Current-Rebase-status.patch b/0047-Current-Rebase-status.patch
new file mode 100644
index 0000000..317a565
--- /dev/null
+++ b/0047-Current-Rebase-status.patch
@@ -0,0 +1,106 @@
+From e47db9280144065c4221537f1d44baa750a25d64 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Wed, 12 Feb 2025 17:25:47 -0500
+Subject: [PATCH 47/53] Current Rebase status
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ REBASE.txt | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 81 insertions(+)
+
+diff --git a/REBASE.txt b/REBASE.txt
+index 2833a383c1..c8f6c992a8 100644
+--- a/REBASE.txt
++++ b/REBASE.txt
+@@ -1,3 +1,6 @@
++REBASED on TOP of tagged openssl-3.5.0
++
++
+ 0028-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch
+
+ Some asym testing has been dropped upstream, unclear if this needs to survive,
+@@ -8,3 +11,81 @@ if so we may need to resurrect deleted code in upstream patch:
+ fips: remove redundant RSA encrypt/decrypt KAT
+ --
+
++This does not apply cleanly and I can't figure out the original intent exactly
++to modify the existing code correctly.
++
++--
++0030-0075-FIPS-Use-FFDHE2048-in-self-test.patch.patch
++
++Unnecessary, upstream aleady change to use ffsh2048
++
++--
++0032-0077-FIPS-140-3-zeroization.patch.patch
++
++Unnecessary, but MUST define OPENSSL_PEDANTIC_ZEROIZATION to do the same
++
++--
++0048-Spec-cleanup.patch
++
++Not applied as I did not get in the initial patch that imports into packit
++--
++0049-0117-ignore-unknown-sigalgorithms-groups.patch.patch
++
++Unnecessary, already included in 3.5
++
++--
++0050-0118-no-crl-memleak.patch.patch
++
++Unnecessary, already included in 3.5
++
++--
++0051-0119-provider-sigalgs-in-signaturealgorithms-conf.pa.patch
++
++Unnecessary, already included in 3.5
++
++--
++
++Recheck
++======
++
++- Dropped: openssl speed - skip unavailable dgst
++
++- Dropped: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signa.patch
++
++- Dropped patch to disable ECX algorihms
++
++Needed build/spec changes
++====================
++
++Add -DOPENSSL_PEDANTIC_ZEROIZATION to ./Configure line
++This is needed for zeroizations required for FIPS
++
++Add -DREDHAT_FIPS_VENDOR for the module name
++
++Drop 0025-for-tests.patch from dist-git
++We now use a separate config file for tests and for install
++Copy rh-openssl.cnf over the openssl default conf file in the install section.
++
++Testing
++=======
++./Configure \
++ --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
++ --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config \
++ zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
++ enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips -D_GNU_SOURCE\
++ no-mdc2 no-ec2m no-sm2 no-sm4 no-atexit enable-buildtest-c++\
++ shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""'\
++ -Wl,--allow-multiple-definition
++
++prefix=$HOME/tmp/openssl-rebase
++sysconfigdir=$prefix/etc
++fips="Rebase Testing"
++sslarch=linux-x86_64
++sslflags=enable-ec_nistp_64_gcc_128
++ktlsopt=enable-ktls
++
++Example Testing
++===============
++
++./Configure --prefix=$HOME/tmp/openssl-rebase --openssldir=$HOME/tmp/openssl-rebase/etc/pki/tls enable-ec_nistp_64_gcc_128 --system-ciphers-file=$HOME/tmp/openssl-rebase/etc/crypto-policies/back-ends/opensslcnf.config zlib enable-camellia enable-seed enable-rfc3779 enable-sctp enable-cms enable-md2 enable-rc5 enable-ktls enable-fips no-mdc2 no-ec2m no-sm2 no-sm4 no-atexit enable-buildtest-c++ shared linux-x86_64 $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DOPENSSL_PEDANTIC_ZEROIZATION -DREDHAT_FIPS_VENDOR="\"Red Hat Enterprise Linux OpenSSL FIPS Provider\"" -DREDHAT_FIPS_VERSION="\"3.5.0-4c714d97fd77d1a8\""' -Wl,--allow-multiple-definition
++
+--
+2.50.0
+
diff --git a/0047-FIPS-Fix-some-tests-due-to-our-versioning-change.patch b/0047-FIPS-Fix-some-tests-due-to-our-versioning-change.patch
deleted file mode 100644
index d593bc5..0000000
--- a/0047-FIPS-Fix-some-tests-due-to-our-versioning-change.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-From 50c0087bdd6c15e2c63c8324f35221fd45a10518 Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Mon, 10 Mar 2025 13:52:50 -0400
-Subject: [PATCH 47/58] FIPS: Fix some tests due to our versioning change
-
-Signed-off-by: Simo Sorce <simo@redhat.com>
----
- test/ssl-tests/13-fragmentation.cnf.in | 4 ++--
- test/ssl-tests/17-renegotiate.cnf.in | 4 ++--
- test/ssl-tests/18-dtls-renegotiate.cnf.in | 2 +-
- test/ssl-tests/19-mac-then-encrypt.cnf.in | 2 +-
- test/ssl-tests/20-cert-select.cnf.in | 6 +++---
- 5 files changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/test/ssl-tests/13-fragmentation.cnf.in b/test/ssl-tests/13-fragmentation.cnf.in
-index 318fd65960..87ec08ee5b 100644
---- a/test/ssl-tests/13-fragmentation.cnf.in
-+++ b/test/ssl-tests/13-fragmentation.cnf.in
-@@ -14,7 +14,7 @@ use warnings;
-
- package ssltests;
-
--our $fips_3_4;
-+our $fips_mode;
-
- our @tests = (
- # Default fragment size is 512.
-@@ -273,4 +273,4 @@ my @tests_rsa = (
- );
-
- push @tests, @tests_rsa
-- unless $fips_3_4;
-+ unless $fips_mode;
-diff --git a/test/ssl-tests/17-renegotiate.cnf.in b/test/ssl-tests/17-renegotiate.cnf.in
-index 2812e4c38b..9cbd972eba 100644
---- a/test/ssl-tests/17-renegotiate.cnf.in
-+++ b/test/ssl-tests/17-renegotiate.cnf.in
-@@ -15,7 +15,7 @@ use warnings;
- package ssltests;
- use OpenSSL::Test::Utils;
-
--our $fips_3_4;
-+our $fips_mode;
-
- our @tests = (
- {
-@@ -318,5 +318,5 @@ our @tests_tls1_2 = (
- }
- );
-
--push @tests, @tests_tls1_2_rsa unless disabled("tls1_2") or $fips_3_4;
-+push @tests, @tests_tls1_2_rsa unless disabled("tls1_2") or $fips_mode;
- push @tests, @tests_tls1_2 unless disabled("tls1_2");
-diff --git a/test/ssl-tests/18-dtls-renegotiate.cnf.in b/test/ssl-tests/18-dtls-renegotiate.cnf.in
-index 8996849a2c..415dc2978d 100644
---- a/test/ssl-tests/18-dtls-renegotiate.cnf.in
-+++ b/test/ssl-tests/18-dtls-renegotiate.cnf.in
-@@ -133,7 +133,7 @@ foreach my $sctp ("No", "Yes")
- );
- push @tests, @tests_basic;
-
-- next if disabled("dtls1_2") || $fips_3_4;
-+ next if disabled("dtls1_2") || $fips_mode;
- our @tests_dtls1_2 = (
- {
- name => "renegotiate-aead-to-non-aead".$suffix,
-diff --git a/test/ssl-tests/19-mac-then-encrypt.cnf.in b/test/ssl-tests/19-mac-then-encrypt.cnf.in
-index 32bcec4be4..2f8a123c20 100644
---- a/test/ssl-tests/19-mac-then-encrypt.cnf.in
-+++ b/test/ssl-tests/19-mac-then-encrypt.cnf.in
-@@ -17,7 +17,7 @@ our $fips_mode;
- our $fips_3_4;
-
- # Nothing to test with newer fips providers
--return if $fips_3_4;
-+return if $fips_mode;
-
- our @tests = (
- {
-diff --git a/test/ssl-tests/20-cert-select.cnf.in b/test/ssl-tests/20-cert-select.cnf.in
-index af47842fd8..21c75033e8 100644
---- a/test/ssl-tests/20-cert-select.cnf.in
-+++ b/test/ssl-tests/20-cert-select.cnf.in
-@@ -266,7 +266,7 @@ our @tests = (
- },
- test => {
- "ExpectedServerCertType" =>, "RSA",
-- "ExpectedResult" => $fips_3_4 ? "ClientFail" : "Success"
-+ "ExpectedResult" => $fips_mode ? "ClientFail" : "Success"
- },
- },
- {
-@@ -1005,8 +1005,8 @@ my @tests_dsa_tls_1_3 = (
- );
-
- if (!disabled("dsa")) {
-- push @tests, @tests_dsa_tls_1_2 unless disabled("dh") || $fips_3_4;
-- push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
-+ push @tests, @tests_dsa_tls_1_2 unless disabled("dh") || $fips_mode;
-+ push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3") || $fips_mode;
- }
-
- my @tests_mldsa_tls_1_3 = (
---
-2.49.0
-
diff --git a/0048-Current-Rebase-status.patch b/0048-Current-Rebase-status.patch
deleted file mode 100644
index 4c64f0a..0000000
--- a/0048-Current-Rebase-status.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-From 3bc3a6514c078564ac8addbdf24172a5fb90f4d7 Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Wed, 12 Feb 2025 17:25:47 -0500
-Subject: [PATCH 48/58] Current Rebase status
-
-Signed-off-by: Simo Sorce <simo@redhat.com>
----
- REBASE.txt | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 81 insertions(+)
-
-diff --git a/REBASE.txt b/REBASE.txt
-index 2833a383c1..c8f6c992a8 100644
---- a/REBASE.txt
-+++ b/REBASE.txt
-@@ -1,3 +1,6 @@
-+REBASED on TOP of tagged openssl-3.5.0
-+
-+
- 0028-0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.p.patch
-
- Some asym testing has been dropped upstream, unclear if this needs to survive,
-@@ -8,3 +11,81 @@ if so we may need to resurrect deleted code in upstream patch:
- fips: remove redundant RSA encrypt/decrypt KAT
- --
-
-+This does not apply cleanly and I can't figure out the original intent exactly
-+to modify the existing code correctly.
-+
-+--
-+0030-0075-FIPS-Use-FFDHE2048-in-self-test.patch.patch
-+
-+Unnecessary, upstream aleady change to use ffsh2048
-+
-+--
-+0032-0077-FIPS-140-3-zeroization.patch.patch
-+
-+Unnecessary, but MUST define OPENSSL_PEDANTIC_ZEROIZATION to do the same
-+
-+--
-+0048-Spec-cleanup.patch
-+
-+Not applied as I did not get in the initial patch that imports into packit
-+--
-+0049-0117-ignore-unknown-sigalgorithms-groups.patch.patch
-+
-+Unnecessary, already included in 3.5
-+
-+--
-+0050-0118-no-crl-memleak.patch.patch
-+
-+Unnecessary, already included in 3.5
-+
-+--
-+0051-0119-provider-sigalgs-in-signaturealgorithms-conf.pa.patch
-+
-+Unnecessary, already included in 3.5
-+
-+--
-+
-+Recheck
-+======
-+
-+- Dropped: openssl speed - skip unavailable dgst
-+
-+- Dropped: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signa.patch
-+
-+- Dropped patch to disable ECX algorihms
-+
-+Needed build/spec changes
-+====================
-+
-+Add -DOPENSSL_PEDANTIC_ZEROIZATION to ./Configure line
-+This is needed for zeroizations required for FIPS
-+
-+Add -DREDHAT_FIPS_VENDOR for the module name
-+
-+Drop 0025-for-tests.patch from dist-git
-+We now use a separate config file for tests and for install
-+Copy rh-openssl.cnf over the openssl default conf file in the install section.
-+
-+Testing
-+=======
-+./Configure \
-+ --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
-+ --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config \
-+ zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
-+ enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips -D_GNU_SOURCE\
-+ no-mdc2 no-ec2m no-sm2 no-sm4 no-atexit enable-buildtest-c++\
-+ shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""'\
-+ -Wl,--allow-multiple-definition
-+
-+prefix=$HOME/tmp/openssl-rebase
-+sysconfigdir=$prefix/etc
-+fips="Rebase Testing"
-+sslarch=linux-x86_64
-+sslflags=enable-ec_nistp_64_gcc_128
-+ktlsopt=enable-ktls
-+
-+Example Testing
-+===============
-+
-+./Configure --prefix=$HOME/tmp/openssl-rebase --openssldir=$HOME/tmp/openssl-rebase/etc/pki/tls enable-ec_nistp_64_gcc_128 --system-ciphers-file=$HOME/tmp/openssl-rebase/etc/crypto-policies/back-ends/opensslcnf.config zlib enable-camellia enable-seed enable-rfc3779 enable-sctp enable-cms enable-md2 enable-rc5 enable-ktls enable-fips no-mdc2 no-ec2m no-sm2 no-sm4 no-atexit enable-buildtest-c++ shared linux-x86_64 $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DOPENSSL_PEDANTIC_ZEROIZATION -DREDHAT_FIPS_VENDOR="\"Red Hat Enterprise Linux OpenSSL FIPS Provider\"" -DREDHAT_FIPS_VERSION="\"3.5.0-4c714d97fd77d1a8\""' -Wl,--allow-multiple-definition
-+
---
-2.49.0
-
diff --git a/0048-FIPS-KDF-key-lenght-errors.patch b/0048-FIPS-KDF-key-lenght-errors.patch
new file mode 100644
index 0000000..42aec19
--- /dev/null
+++ b/0048-FIPS-KDF-key-lenght-errors.patch
@@ -0,0 +1,175 @@
+From d0063158bcf9321daec1ffcbfeb3d7b085aebce3 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Mon, 14 Apr 2025 15:25:40 -0400
+Subject: [PATCH 48/53] FIPS: KDF key lenght errors
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ test/recipes/30-test_evp_data/evpkdf_ss.txt | 8 ++++----
+ test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt | 6 +++---
+ test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt | 11 ++++++-----
+ test/recipes/30-test_evp_data/evpkdf_x942.txt | 3 +--
+ test/recipes/30-test_evp_data/evpkdf_x963.txt | 6 ++----
+ test/recipes/30-test_evp_data/evpmac_common.txt | 2 +-
+ test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt | 2 +-
+ 7 files changed, 18 insertions(+), 20 deletions(-)
+
+diff --git a/test/recipes/30-test_evp_data/evpkdf_ss.txt b/test/recipes/30-test_evp_data/evpkdf_ss.txt
+index 4503af711f..7ef2894ae6 100644
+--- a/test/recipes/30-test_evp_data/evpkdf_ss.txt
++++ b/test/recipes/30-test_evp_data/evpkdf_ss.txt
+@@ -1189,8 +1189,8 @@ KDF = SSKDF
+ Ctrl.digest = digest:SHA1
+ Ctrl.hexsecret = hexsecret:d7e6
+ Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff
+-Result = KDF_CTRL_ERROR
+-Reason = invalid key length
++Result = KDF_DERIVE_ERROR
++#Reason = invalid key length
+
+ Availablein = fips
+ FIPSversion = >=3.4.0
+@@ -1200,8 +1200,8 @@ Ctrl.digest = digest:SHA224
+ Ctrl.salt = hexsalt:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+ Ctrl.hexsecret = hexsecret:40B6E03711EBEBA14011ACE96C
+ Ctrl.hexinfo = hexinfo:5D437C2F1035A4F1F751E59CF10650171EF5769FCFBE438DFBC5BD8EA724100076447AB804F91DFA680E592FE2621A45DAB4C6A77B678059FC29E572DE4424EB5459F53523002ED38AAB1D9DD96C3523D1907C5EFBAE93DFFE680F716498720110D2A3B9CE9B66DB2884C83E9BEB546754874C0CA1967AF000000400
+-Result = KDF_CTRL_ERROR
+-Reason = invalid key length
++Result = KDF_DERIVE_ERROR
++#Reason = invalid key length
+
+ Availablein = fips
+ FIPSversion = >=3.4.0
+diff --git a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
+index edb2e81273..d663e5e5a5 100644
+--- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
++++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
+@@ -104,8 +104,8 @@ Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55
+ Ctrl.label = seed:extended master secret
+ Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c
+ Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
+-Result = KDF_CTRL_ERROR
+-Reason = digest not allowed
++Result = KDF_DERIVE_ERROR
++Reason = invalid key length
+
+ # Test that the operation with unapproved digest function is is reported as
+ # unapproved
+@@ -131,7 +131,7 @@ Ctrl.Secret = hexsecret:0102030405060708090a0b
+ Ctrl.label = seed:extended master secret
+ Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c
+ Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
+-Result = KDF_CTRL_ERROR
++Result = KDF_DERIVE_ERROR
+ Reason = invalid key length
+
+ # Test that the key whose length is shorter than 112 bits is reported as
+diff --git a/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt b/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt
+index f2ea9ac44a..0f2f6e3904 100644
+--- a/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt
++++ b/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt
+@@ -4963,7 +4963,7 @@ KDF = TLS13-KDF
+ Ctrl.mode = mode:EXTRACT_ONLY
+ Ctrl.digest = digest:SHA512-256
+ Ctrl.key = hexkey:f8af6aea2d397baf2948a25b2834200692cff17eee9165e4e27babee9edefd05
+-Result = KDF_CTRL_ERROR
++Result = KDF_DERIVE_ERROR
+
+ # Test that the operation with unapproved digest function is is reported as
+ # unapproved
+@@ -4985,20 +4985,21 @@ KDF = TLS13-KDF
+ Ctrl.mode = mode:EXTRACT_ONLY
+ Ctrl.digest = digest:SHA2-256
+ Ctrl.key = hexkey:0102030405060708090a0b
+-Result = KDF_CTRL_ERROR
+-Reason = invalid key length
++Result = KDF_DERIVE_ERROR
++Reason = wrong output buffer size
+
+ Availablein = fips
+ FIPSversion = >=3.4.0
+ KDF = TLS13-KDF
++Unapproved = 1
+ Ctrl.mode = mode:EXPAND_ONLY
+ Ctrl.digest = digest:SHA2-256
+ Ctrl.key = hexkey:0102030405060708090a0b
+ Ctrl.data = hexdata:7c92f68bd5bf3638ea338a6494722e1b44127e1b7e8aad535f2322a644ff22b3
+ Ctrl.prefix = hexprefix:746c73313320
+ Ctrl.label = hexlabel:6320652074726166666963
+-Result = KDF_CTRL_ERROR
+-Reason = invalid key length
++Result = KDF_MISMATCH
++#Reason = invalid key length
+
+ # Test that the key whose length is shorter than 112 bits is reported as
+ # unapproved
+diff --git a/test/recipes/30-test_evp_data/evpkdf_x942.txt b/test/recipes/30-test_evp_data/evpkdf_x942.txt
+index b1774592e9..6869fd0f20 100644
+--- a/test/recipes/30-test_evp_data/evpkdf_x942.txt
++++ b/test/recipes/30-test_evp_data/evpkdf_x942.txt
+@@ -124,11 +124,10 @@ Reason = xof digests not allowed
+ Availablein = fips
+ FIPSversion = >=3.4.0
+ KDF = X942KDF-ASN1
++Unapproved = 1
+ Ctrl.digest = digest:SHA256
+ Ctrl.hexsecret = hexsecret:6B
+ Ctrl.use-keybits = use-keybits:0
+ Ctrl.cekalg = cekalg:id-aes128-wrap
+ Ctrl.hexacvp-info = hexacvp-info:a020299D468D60BC6A257E0B6523D691A3FC1602453B35F308C762FBBAC6069A88BCa12080D49BFE5BE01C7D56489AB017663C22B8CBB34C3174D1D71F00CB7505AC759Aa2203C21A5EA5988562C007986E0503D039E7231D9F152FE72A231A1FD98C59BCA6Aa320FD47477542989B51E4A0845DFABD6EEAA465F69B3D75349B2520051782C7F3FC
+ Output = C2E6A0978C24AF3932F478583ADBFB5F57D491822592EAD3C538875F46EB057A
+-Result = KDF_CTRL_ERROR
+-Reason = invalid key length
+diff --git a/test/recipes/30-test_evp_data/evpkdf_x963.txt b/test/recipes/30-test_evp_data/evpkdf_x963.txt
+index b8f3cff3d3..74524c4694 100644
+--- a/test/recipes/30-test_evp_data/evpkdf_x963.txt
++++ b/test/recipes/30-test_evp_data/evpkdf_x963.txt
+@@ -148,8 +148,7 @@ KDF = X963KDF
+ Ctrl.digest = digest:SHA1
+ Ctrl.hexsecret = hexsecret:fd17198b89ab39c4ab5d7cca363b82f9fd7e23c3984dc8a2
+ Ctrl.hexinfo = hexinfo:856a53f3e36a26bbc5792879f307cce2
+-Result = KDF_CTRL_ERROR
+-Reason = digest not allowed
++Result = KDF_DERIVE_ERROR
+
+ # Test that the operation with unapproved digest function is is reported as
+ # unapproved
+@@ -170,8 +169,7 @@ KDF = X963KDF
+ Ctrl.digest = digest:SHA224
+ Ctrl.hexsecret = hexsecret:0102030405060908090a0b
+ Ctrl.hexinfo = hexinfo:0102030405060708090a0b0c0d0e0f10
+-Result = KDF_CTRL_ERROR
+-Reason = invalid key length
++Result = KDF_DERIVE_ERROR
+
+ # Test that the key whose length is shorter than 112 bits is reported as
+ # unapproved
+diff --git a/test/recipes/30-test_evp_data/evpmac_common.txt b/test/recipes/30-test_evp_data/evpmac_common.txt
+index af92ceea98..a1541bf226 100644
+--- a/test/recipes/30-test_evp_data/evpmac_common.txt
++++ b/test/recipes/30-test_evp_data/evpmac_common.txt
+@@ -271,7 +271,7 @@ MAC = HMAC
+ Algorithm = SHA256
+ Input = "Test Input"
+ Key = 0001020304
+-Result = MAC_INIT_ERROR
++Output = db70da6176d87813b059879ccc27bc53e295c6eca74db8bdc4e77d7e951d894b
+
+ Title = HMAC FIPS short key indicator test
+
+diff --git a/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt b/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt
+index 1fb2472001..93c07ede7c 100644
+--- a/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt
++++ b/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt
+@@ -216,7 +216,7 @@ Ctrl.digest = digest:SHA1
+ Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b
+ Ctrl.salt = hexsalt:000102030405060708090a0b0c
+ Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9
+-Result = PKEY_CTRL_ERROR
++Result = KDF_DERIVE_ERROR
+ Reason = invalid key length
+
+ # Test that the key whose length is shorter than 112 bits is reported as
+--
+2.50.0
+
diff --git a/0049-FIPS-KDF-key-lenght-errors.patch b/0049-FIPS-KDF-key-lenght-errors.patch
deleted file mode 100644
index c557654..0000000
--- a/0049-FIPS-KDF-key-lenght-errors.patch
+++ /dev/null
@@ -1,175 +0,0 @@
-From 573cde99e796fbd76f9be7f6a553c681abbfb55a Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Mon, 14 Apr 2025 15:25:40 -0400
-Subject: [PATCH 49/58] FIPS: KDF key lenght errors
-
-Signed-off-by: Simo Sorce <simo@redhat.com>
----
- test/recipes/30-test_evp_data/evpkdf_ss.txt | 8 ++++----
- test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt | 6 +++---
- test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt | 11 ++++++-----
- test/recipes/30-test_evp_data/evpkdf_x942.txt | 3 +--
- test/recipes/30-test_evp_data/evpkdf_x963.txt | 6 ++----
- test/recipes/30-test_evp_data/evpmac_common.txt | 2 +-
- test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt | 2 +-
- 7 files changed, 18 insertions(+), 20 deletions(-)
-
-diff --git a/test/recipes/30-test_evp_data/evpkdf_ss.txt b/test/recipes/30-test_evp_data/evpkdf_ss.txt
-index 4503af711f..7ef2894ae6 100644
---- a/test/recipes/30-test_evp_data/evpkdf_ss.txt
-+++ b/test/recipes/30-test_evp_data/evpkdf_ss.txt
-@@ -1189,8 +1189,8 @@ KDF = SSKDF
- Ctrl.digest = digest:SHA1
- Ctrl.hexsecret = hexsecret:d7e6
- Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff
--Result = KDF_CTRL_ERROR
--Reason = invalid key length
-+Result = KDF_DERIVE_ERROR
-+#Reason = invalid key length
-
- Availablein = fips
- FIPSversion = >=3.4.0
-@@ -1200,8 +1200,8 @@ Ctrl.digest = digest:SHA224
- Ctrl.salt = hexsalt:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Ctrl.hexsecret = hexsecret:40B6E03711EBEBA14011ACE96C
- Ctrl.hexinfo = hexinfo:5D437C2F1035A4F1F751E59CF10650171EF5769FCFBE438DFBC5BD8EA724100076447AB804F91DFA680E592FE2621A45DAB4C6A77B678059FC29E572DE4424EB5459F53523002ED38AAB1D9DD96C3523D1907C5EFBAE93DFFE680F716498720110D2A3B9CE9B66DB2884C83E9BEB546754874C0CA1967AF000000400
--Result = KDF_CTRL_ERROR
--Reason = invalid key length
-+Result = KDF_DERIVE_ERROR
-+#Reason = invalid key length
-
- Availablein = fips
- FIPSversion = >=3.4.0
-diff --git a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
-index edb2e81273..d663e5e5a5 100644
---- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
-+++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt
-@@ -104,8 +104,8 @@ Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55
- Ctrl.label = seed:extended master secret
- Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c
- Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
--Result = KDF_CTRL_ERROR
--Reason = digest not allowed
-+Result = KDF_DERIVE_ERROR
-+Reason = invalid key length
-
- # Test that the operation with unapproved digest function is is reported as
- # unapproved
-@@ -131,7 +131,7 @@ Ctrl.Secret = hexsecret:0102030405060708090a0b
- Ctrl.label = seed:extended master secret
- Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c
- Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
--Result = KDF_CTRL_ERROR
-+Result = KDF_DERIVE_ERROR
- Reason = invalid key length
-
- # Test that the key whose length is shorter than 112 bits is reported as
-diff --git a/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt b/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt
-index f2ea9ac44a..0f2f6e3904 100644
---- a/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt
-+++ b/test/recipes/30-test_evp_data/evpkdf_tls13_kdf.txt
-@@ -4963,7 +4963,7 @@ KDF = TLS13-KDF
- Ctrl.mode = mode:EXTRACT_ONLY
- Ctrl.digest = digest:SHA512-256
- Ctrl.key = hexkey:f8af6aea2d397baf2948a25b2834200692cff17eee9165e4e27babee9edefd05
--Result = KDF_CTRL_ERROR
-+Result = KDF_DERIVE_ERROR
-
- # Test that the operation with unapproved digest function is is reported as
- # unapproved
-@@ -4985,20 +4985,21 @@ KDF = TLS13-KDF
- Ctrl.mode = mode:EXTRACT_ONLY
- Ctrl.digest = digest:SHA2-256
- Ctrl.key = hexkey:0102030405060708090a0b
--Result = KDF_CTRL_ERROR
--Reason = invalid key length
-+Result = KDF_DERIVE_ERROR
-+Reason = wrong output buffer size
-
- Availablein = fips
- FIPSversion = >=3.4.0
- KDF = TLS13-KDF
-+Unapproved = 1
- Ctrl.mode = mode:EXPAND_ONLY
- Ctrl.digest = digest:SHA2-256
- Ctrl.key = hexkey:0102030405060708090a0b
- Ctrl.data = hexdata:7c92f68bd5bf3638ea338a6494722e1b44127e1b7e8aad535f2322a644ff22b3
- Ctrl.prefix = hexprefix:746c73313320
- Ctrl.label = hexlabel:6320652074726166666963
--Result = KDF_CTRL_ERROR
--Reason = invalid key length
-+Result = KDF_MISMATCH
-+#Reason = invalid key length
-
- # Test that the key whose length is shorter than 112 bits is reported as
- # unapproved
-diff --git a/test/recipes/30-test_evp_data/evpkdf_x942.txt b/test/recipes/30-test_evp_data/evpkdf_x942.txt
-index b1774592e9..6869fd0f20 100644
---- a/test/recipes/30-test_evp_data/evpkdf_x942.txt
-+++ b/test/recipes/30-test_evp_data/evpkdf_x942.txt
-@@ -124,11 +124,10 @@ Reason = xof digests not allowed
- Availablein = fips
- FIPSversion = >=3.4.0
- KDF = X942KDF-ASN1
-+Unapproved = 1
- Ctrl.digest = digest:SHA256
- Ctrl.hexsecret = hexsecret:6B
- Ctrl.use-keybits = use-keybits:0
- Ctrl.cekalg = cekalg:id-aes128-wrap
- Ctrl.hexacvp-info = hexacvp-info:a020299D468D60BC6A257E0B6523D691A3FC1602453B35F308C762FBBAC6069A88BCa12080D49BFE5BE01C7D56489AB017663C22B8CBB34C3174D1D71F00CB7505AC759Aa2203C21A5EA5988562C007986E0503D039E7231D9F152FE72A231A1FD98C59BCA6Aa320FD47477542989B51E4A0845DFABD6EEAA465F69B3D75349B2520051782C7F3FC
- Output = C2E6A0978C24AF3932F478583ADBFB5F57D491822592EAD3C538875F46EB057A
--Result = KDF_CTRL_ERROR
--Reason = invalid key length
-diff --git a/test/recipes/30-test_evp_data/evpkdf_x963.txt b/test/recipes/30-test_evp_data/evpkdf_x963.txt
-index b8f3cff3d3..74524c4694 100644
---- a/test/recipes/30-test_evp_data/evpkdf_x963.txt
-+++ b/test/recipes/30-test_evp_data/evpkdf_x963.txt
-@@ -148,8 +148,7 @@ KDF = X963KDF
- Ctrl.digest = digest:SHA1
- Ctrl.hexsecret = hexsecret:fd17198b89ab39c4ab5d7cca363b82f9fd7e23c3984dc8a2
- Ctrl.hexinfo = hexinfo:856a53f3e36a26bbc5792879f307cce2
--Result = KDF_CTRL_ERROR
--Reason = digest not allowed
-+Result = KDF_DERIVE_ERROR
-
- # Test that the operation with unapproved digest function is is reported as
- # unapproved
-@@ -170,8 +169,7 @@ KDF = X963KDF
- Ctrl.digest = digest:SHA224
- Ctrl.hexsecret = hexsecret:0102030405060908090a0b
- Ctrl.hexinfo = hexinfo:0102030405060708090a0b0c0d0e0f10
--Result = KDF_CTRL_ERROR
--Reason = invalid key length
-+Result = KDF_DERIVE_ERROR
-
- # Test that the key whose length is shorter than 112 bits is reported as
- # unapproved
-diff --git a/test/recipes/30-test_evp_data/evpmac_common.txt b/test/recipes/30-test_evp_data/evpmac_common.txt
-index af92ceea98..a1541bf226 100644
---- a/test/recipes/30-test_evp_data/evpmac_common.txt
-+++ b/test/recipes/30-test_evp_data/evpmac_common.txt
-@@ -271,7 +271,7 @@ MAC = HMAC
- Algorithm = SHA256
- Input = "Test Input"
- Key = 0001020304
--Result = MAC_INIT_ERROR
-+Output = db70da6176d87813b059879ccc27bc53e295c6eca74db8bdc4e77d7e951d894b
-
- Title = HMAC FIPS short key indicator test
-
-diff --git a/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt b/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt
-index 1fb2472001..93c07ede7c 100644
---- a/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt
-+++ b/test/recipes/30-test_evp_data/evppkey_kdf_hkdf.txt
-@@ -216,7 +216,7 @@ Ctrl.digest = digest:SHA1
- Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b
- Ctrl.salt = hexsalt:000102030405060708090a0b0c
- Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9
--Result = PKEY_CTRL_ERROR
-+Result = KDF_DERIVE_ERROR
- Reason = invalid key length
-
- # Test that the key whose length is shorter than 112 bits is reported as
---
-2.49.0
-
diff --git a/0049-FIPS-fix-disallowed-digests-tests.patch b/0049-FIPS-fix-disallowed-digests-tests.patch
new file mode 100644
index 0000000..40edd3c
--- /dev/null
+++ b/0049-FIPS-fix-disallowed-digests-tests.patch
@@ -0,0 +1,51 @@
+From 91000e60a38106701dd76deb37eafe165e7802a3 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Tue, 15 Apr 2025 13:41:42 -0400
+Subject: [PATCH 49/53] FIPS: fix disallowed digests tests
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ test/recipes/30-test_evp_data/evpkdf_ssh.txt | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/test/recipes/30-test_evp_data/evpkdf_ssh.txt b/test/recipes/30-test_evp_data/evpkdf_ssh.txt
+index 6688c217aa..8347f773e6 100644
+--- a/test/recipes/30-test_evp_data/evpkdf_ssh.txt
++++ b/test/recipes/30-test_evp_data/evpkdf_ssh.txt
+@@ -4894,13 +4894,14 @@ Title = FIPS indicator tests
+ Availablein = fips
+ FIPSversion = >=3.4.0
+ KDF = SSHKDF
++Unapproved = 1
+ Ctrl.digest = digest:SHA512-256
+ Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a686929ff5a25f8e40cb6645ea814fb1a5e0a11f852f86255641e5ed986e83a78bc8269480eac0b0dfd770cab92e7a28dd87ff452466d6ae867cead63b366b1c286e6c4811a9f14c27aea14c5171d49b78c06e3735d36e6a3be321dd5fc82308f34ee1cb17fba94a59
+ Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245
+ Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245
+ Ctrl.type = type:A
+-Result = KDF_CTRL_ERROR
+-Reason = digest not allowed
++Result = KDF_MISMATCH
++#Reason = digest not allowed
+
+ # Test that the operation with unapproved digest function is is reported as
+ # unapproved
+@@ -4920,13 +4921,14 @@ Output = d37ea221cbcc026d95e8c10b7d28a1b41e4ec1b497bae0e4cdbc1446e5bd59e2
+ Availablein = fips
+ FIPSversion = >=3.4.0
+ KDF = SSHKDF
++Unapproved = 1
+ Ctrl.digest = digest:SHA1
+ Ctrl.hexkey = hexkey:0102030405060708090a0b
+ Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245
+ Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245
+ Ctrl.type = type:A
+-Result = KDF_CTRL_ERROR
+-Reason = invalid key length
++Result = KDF_MISMATCH
++#Reason = invalid key length
+
+ # Test that the key whose length is shorter than 112 bits is reported as
+ # unapproved
+--
+2.50.0
+
diff --git a/0050-FIPS-fix-disallowed-digests-tests.patch b/0050-FIPS-fix-disallowed-digests-tests.patch
deleted file mode 100644
index a062ce1..0000000
--- a/0050-FIPS-fix-disallowed-digests-tests.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 48498bd445161f1d0fffb60bce8d9474acfe840b Mon Sep 17 00:00:00 2001
-From: Simo Sorce <simo@redhat.com>
-Date: Tue, 15 Apr 2025 13:41:42 -0400
-Subject: [PATCH 50/58] FIPS: fix disallowed digests tests
-
-Signed-off-by: Simo Sorce <simo@redhat.com>
----
- test/recipes/30-test_evp_data/evpkdf_ssh.txt | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/test/recipes/30-test_evp_data/evpkdf_ssh.txt b/test/recipes/30-test_evp_data/evpkdf_ssh.txt
-index 6688c217aa..8347f773e6 100644
---- a/test/recipes/30-test_evp_data/evpkdf_ssh.txt
-+++ b/test/recipes/30-test_evp_data/evpkdf_ssh.txt
-@@ -4894,13 +4894,14 @@ Title = FIPS indicator tests
- Availablein = fips
- FIPSversion = >=3.4.0
- KDF = SSHKDF
-+Unapproved = 1
- Ctrl.digest = digest:SHA512-256
- Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a686929ff5a25f8e40cb6645ea814fb1a5e0a11f852f86255641e5ed986e83a78bc8269480eac0b0dfd770cab92e7a28dd87ff452466d6ae867cead63b366b1c286e6c4811a9f14c27aea14c5171d49b78c06e3735d36e6a3be321dd5fc82308f34ee1cb17fba94a59
- Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245
- Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245
- Ctrl.type = type:A
--Result = KDF_CTRL_ERROR
--Reason = digest not allowed
-+Result = KDF_MISMATCH
-+#Reason = digest not allowed
-
- # Test that the operation with unapproved digest function is is reported as
- # unapproved
-@@ -4920,13 +4921,14 @@ Output = d37ea221cbcc026d95e8c10b7d28a1b41e4ec1b497bae0e4cdbc1446e5bd59e2
- Availablein = fips
- FIPSversion = >=3.4.0
- KDF = SSHKDF
-+Unapproved = 1
- Ctrl.digest = digest:SHA1
- Ctrl.hexkey = hexkey:0102030405060708090a0b
- Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245
- Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245
- Ctrl.type = type:A
--Result = KDF_CTRL_ERROR
--Reason = invalid key length
-+Result = KDF_MISMATCH
-+#Reason = invalid key length
-
- # Test that the key whose length is shorter than 112 bits is reported as
- # unapproved
---
-2.49.0
-
diff --git a/0050-Make-openssl-speed-run-in-FIPS-mode.patch b/0050-Make-openssl-speed-run-in-FIPS-mode.patch
new file mode 100644
index 0000000..3351cb1
--- /dev/null
+++ b/0050-Make-openssl-speed-run-in-FIPS-mode.patch
@@ -0,0 +1,76 @@
+From 99d3ce80ecf3252962a1b79dd57324f08b62cc18 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <beldmit@gmail.com>
+Date: Fri, 9 May 2025 15:09:46 +0200
+Subject: [PATCH 50/53] Make `openssl speed` run in FIPS mode
+
+---
+ apps/speed.c | 44 ++++++++++++++++++++++----------------------
+ 1 file changed, 22 insertions(+), 22 deletions(-)
+
+diff --git a/apps/speed.c b/apps/speed.c
+index 3307a9cb46..ae2f166d24 100644
+--- a/apps/speed.c
++++ b/apps/speed.c
+@@ -3172,18 +3172,18 @@ int speed_main(int argc, char **argv)
+ (void *)key32, 16);
+ params[1] = OSSL_PARAM_construct_end();
+
+- if (mac_setup("KMAC-128", &mac, params, loopargs, loopargs_len) < 1)
+- goto end;
+- for (testnum = 0; testnum < size_num; testnum++) {
+- print_message(names[D_KMAC128], lengths[testnum], seconds.sym);
+- Time_F(START);
+- count = run_benchmark(async_jobs, KMAC128_loop, loopargs);
+- d = Time_F(STOP);
+- print_result(D_KMAC128, testnum, count, d);
+- if (count < 0)
+- break;
++ if (mac_setup("KMAC-128", &mac, params, loopargs, loopargs_len) == 1) {
++ for (testnum = 0; testnum < size_num; testnum++) {
++ print_message(names[D_KMAC128], lengths[testnum], seconds.sym);
++ Time_F(START);
++ count = run_benchmark(async_jobs, KMAC128_loop, loopargs);
++ d = Time_F(STOP);
++ print_result(D_KMAC128, testnum, count, d);
++ if (count < 0)
++ break;
++ }
++ mac_teardown(&mac, loopargs, loopargs_len);
+ }
+- mac_teardown(&mac, loopargs, loopargs_len);
+ }
+
+ if (doit[D_KMAC256]) {
+@@ -3193,18 +3193,18 @@ int speed_main(int argc, char **argv)
+ (void *)key32, 32);
+ params[1] = OSSL_PARAM_construct_end();
+
+- if (mac_setup("KMAC-256", &mac, params, loopargs, loopargs_len) < 1)
+- goto end;
+- for (testnum = 0; testnum < size_num; testnum++) {
+- print_message(names[D_KMAC256], lengths[testnum], seconds.sym);
+- Time_F(START);
+- count = run_benchmark(async_jobs, KMAC256_loop, loopargs);
+- d = Time_F(STOP);
+- print_result(D_KMAC256, testnum, count, d);
+- if (count < 0)
+- break;
++ if (mac_setup("KMAC-256", &mac, params, loopargs, loopargs_len) == 1) {
++ for (testnum = 0; testnum < size_num; testnum++) {
++ print_message(names[D_KMAC256], lengths[testnum], seconds.sym);
++ Time_F(START);
++ count = run_benchmark(async_jobs, KMAC256_loop, loopargs);
++ d = Time_F(STOP);
++ print_result(D_KMAC256, testnum, count, d);
++ if (count < 0)
++ break;
++ }
++ mac_teardown(&mac, loopargs, loopargs_len);
+ }
+- mac_teardown(&mac, loopargs, loopargs_len);
+ }
+
+ for (i = 0; i < loopargs_len; i++)
+--
+2.50.0
+
diff --git a/0051-Backport-upstream-27483-for-PKCS11-needs.patch b/0051-Backport-upstream-27483-for-PKCS11-needs.patch
new file mode 100644
index 0000000..c2d8a0f
--- /dev/null
+++ b/0051-Backport-upstream-27483-for-PKCS11-needs.patch
@@ -0,0 +1,146 @@
+From 5b20574f75a2c525bf30ea304292ecd93eb72091 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <beldmit@gmail.com>
+Date: Mon, 12 May 2025 14:34:39 +0200
+Subject: [PATCH 51/53] Backport upstream #27483 for PKCS11 needs
+
+---
+ .../implementations/skeymgmt/aes_skmgmt.c | 2 +
+ providers/implementations/skeymgmt/generic.c | 12 ++++
+ .../implementations/skeymgmt/skeymgmt_lcl.h | 1 +
+ test/evp_skey_test.c | 61 +++++++++++++++++++
+ 4 files changed, 76 insertions(+)
+
+diff --git a/providers/implementations/skeymgmt/aes_skmgmt.c b/providers/implementations/skeymgmt/aes_skmgmt.c
+index 6d3b5f377f..17be480131 100644
+--- a/providers/implementations/skeymgmt/aes_skmgmt.c
++++ b/providers/implementations/skeymgmt/aes_skmgmt.c
+@@ -48,5 +48,7 @@ const OSSL_DISPATCH ossl_aes_skeymgmt_functions[] = {
+ { OSSL_FUNC_SKEYMGMT_FREE, (void (*)(void))generic_free },
+ { OSSL_FUNC_SKEYMGMT_IMPORT, (void (*)(void))aes_import },
+ { OSSL_FUNC_SKEYMGMT_EXPORT, (void (*)(void))aes_export },
++ { OSSL_FUNC_SKEYMGMT_IMP_SETTABLE_PARAMS,
++ (void (*)(void))generic_imp_settable_params },
+ OSSL_DISPATCH_END
+ };
+diff --git a/providers/implementations/skeymgmt/generic.c b/providers/implementations/skeymgmt/generic.c
+index b41bf8e12d..5fb3fad7e3 100644
+--- a/providers/implementations/skeymgmt/generic.c
++++ b/providers/implementations/skeymgmt/generic.c
+@@ -65,6 +65,16 @@ end:
+ return generic;
+ }
+
++static const OSSL_PARAM generic_import_params[] = {
++ OSSL_PARAM_octet_string(OSSL_SKEY_PARAM_RAW_BYTES, NULL, 0),
++ OSSL_PARAM_END
++};
++
++const OSSL_PARAM *generic_imp_settable_params(void *provctx)
++{
++ return generic_import_params;
++}
++
+ int generic_export(void *keydata, int selection,
+ OSSL_CALLBACK *param_callback, void *cbarg)
+ {
+@@ -89,5 +99,7 @@ const OSSL_DISPATCH ossl_generic_skeymgmt_functions[] = {
+ { OSSL_FUNC_SKEYMGMT_FREE, (void (*)(void))generic_free },
+ { OSSL_FUNC_SKEYMGMT_IMPORT, (void (*)(void))generic_import },
+ { OSSL_FUNC_SKEYMGMT_EXPORT, (void (*)(void))generic_export },
++ { OSSL_FUNC_SKEYMGMT_IMP_SETTABLE_PARAMS,
++ (void (*)(void))generic_imp_settable_params },
+ OSSL_DISPATCH_END
+ };
+diff --git a/providers/implementations/skeymgmt/skeymgmt_lcl.h b/providers/implementations/skeymgmt/skeymgmt_lcl.h
+index c180c1d303..a7e7605050 100644
+--- a/providers/implementations/skeymgmt/skeymgmt_lcl.h
++++ b/providers/implementations/skeymgmt/skeymgmt_lcl.h
+@@ -15,5 +15,6 @@
+ OSSL_FUNC_skeymgmt_import_fn generic_import;
+ OSSL_FUNC_skeymgmt_export_fn generic_export;
+ OSSL_FUNC_skeymgmt_free_fn generic_free;
++OSSL_FUNC_skeymgmt_imp_settable_params_fn generic_imp_settable_params;
+
+ #endif
+diff --git a/test/evp_skey_test.c b/test/evp_skey_test.c
+index b81df9c8f8..e33bbbe003 100644
+--- a/test/evp_skey_test.c
++++ b/test/evp_skey_test.c
+@@ -92,6 +92,66 @@ end:
+ return ret;
+ }
+
++static int test_skey_skeymgmt(void)
++{
++ int ret = 0;
++ EVP_SKEYMGMT *skeymgmt = NULL;
++ EVP_SKEY *key = NULL;
++ const unsigned char import_key[KEY_SIZE] = {
++ 0x53, 0x4B, 0x45, 0x59, 0x53, 0x4B, 0x45, 0x59,
++ 0x53, 0x4B, 0x45, 0x59, 0x53, 0x4B, 0x45, 0x59,
++ };
++ OSSL_PARAM params[2];
++ const OSSL_PARAM *imp_params;
++ const OSSL_PARAM *p;
++ OSSL_PARAM *exp_params = NULL;
++ const void *export_key = NULL;
++ size_t export_len;
++
++ deflprov = OSSL_PROVIDER_load(libctx, "default");
++ if (!TEST_ptr(deflprov))
++ return 0;
++
++ /* Fetch our SKYMGMT for Generic Secrets */
++ if (!TEST_ptr(skeymgmt = EVP_SKEYMGMT_fetch(libctx, OSSL_SKEY_TYPE_GENERIC,
++ NULL)))
++ goto end;
++
++ /* Check the parameter we need is available */
++ if (!TEST_ptr(imp_params = EVP_SKEYMGMT_get0_imp_settable_params(skeymgmt))
++ || !TEST_ptr(p = OSSL_PARAM_locate_const(imp_params,
++ OSSL_SKEY_PARAM_RAW_BYTES)))
++ goto end;
++
++ /* Import EVP_SKEY */
++ params[0] = OSSL_PARAM_construct_octet_string(OSSL_SKEY_PARAM_RAW_BYTES,
++ (void *)import_key, KEY_SIZE);
++ params[1] = OSSL_PARAM_construct_end();
++
++ if (!TEST_ptr(key = EVP_SKEY_import(libctx,
++ EVP_SKEYMGMT_get0_name(skeymgmt), NULL,
++ OSSL_SKEYMGMT_SELECT_ALL, params)))
++ goto end;
++
++ /* Export EVP_SKEY */
++ if (!TEST_int_gt(EVP_SKEY_export(key, OSSL_SKEYMGMT_SELECT_SECRET_KEY,
++ ossl_pkey_todata_cb, &exp_params), 0)
++ || !TEST_ptr(p = OSSL_PARAM_locate_const(exp_params,
++ OSSL_SKEY_PARAM_RAW_BYTES))
++ || !TEST_int_gt(OSSL_PARAM_get_octet_string_ptr(p, &export_key,
++ &export_len), 0)
++ || !TEST_mem_eq(import_key, KEY_SIZE, export_key, export_len))
++ goto end;
++
++ ret = 1;
++end:
++ OSSL_PARAM_free(exp_params);
++ EVP_SKEYMGMT_free(skeymgmt);
++ EVP_SKEY_free(key);
++
++ return ret;
++}
++
+ #define IV_SIZE 16
+ #define DATA_SIZE 32
+ static int test_aes_raw_skey(void)
+@@ -252,6 +312,7 @@ int setup_tests(void)
+ return 0;
+
+ ADD_TEST(test_skey_cipher);
++ ADD_TEST(test_skey_skeymgmt);
+
+ ADD_TEST(test_aes_raw_skey);
+ #ifndef OPENSSL_NO_DES
+--
+2.50.0
+
diff --git a/0051-Make-openssl-speed-run-in-FIPS-mode.patch b/0051-Make-openssl-speed-run-in-FIPS-mode.patch
deleted file mode 100644
index 6a232f0..0000000
--- a/0051-Make-openssl-speed-run-in-FIPS-mode.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 0895e273cacec26a4bd027bef7ab07bae12d9741 Mon Sep 17 00:00:00 2001
-From: Dmitry Belyavskiy <beldmit@gmail.com>
-Date: Fri, 9 May 2025 15:09:46 +0200
-Subject: [PATCH 51/58] Make `openssl speed` run in FIPS mode
-
----
- apps/speed.c | 44 ++++++++++++++++++++++----------------------
- 1 file changed, 22 insertions(+), 22 deletions(-)
-
-diff --git a/apps/speed.c b/apps/speed.c
-index 1edf9b8485..d4e707074c 100644
---- a/apps/speed.c
-+++ b/apps/speed.c
-@@ -3172,18 +3172,18 @@ int speed_main(int argc, char **argv)
- (void *)key32, 16);
- params[1] = OSSL_PARAM_construct_end();
-
-- if (mac_setup("KMAC-128", &mac, params, loopargs, loopargs_len) < 1)
-- goto end;
-- for (testnum = 0; testnum < size_num; testnum++) {
-- print_message(names[D_KMAC128], lengths[testnum], seconds.sym);
-- Time_F(START);
-- count = run_benchmark(async_jobs, KMAC128_loop, loopargs);
-- d = Time_F(STOP);
-- print_result(D_KMAC128, testnum, count, d);
-- if (count < 0)
-- break;
-+ if (mac_setup("KMAC-128", &mac, params, loopargs, loopargs_len) == 1) {
-+ for (testnum = 0; testnum < size_num; testnum++) {
-+ print_message(names[D_KMAC128], lengths[testnum], seconds.sym);
-+ Time_F(START);
-+ count = run_benchmark(async_jobs, KMAC128_loop, loopargs);
-+ d = Time_F(STOP);
-+ print_result(D_KMAC128, testnum, count, d);
-+ if (count < 0)
-+ break;
-+ }
-+ mac_teardown(&mac, loopargs, loopargs_len);
- }
-- mac_teardown(&mac, loopargs, loopargs_len);
- }
-
- if (doit[D_KMAC256]) {
-@@ -3193,18 +3193,18 @@ int speed_main(int argc, char **argv)
- (void *)key32, 32);
- params[1] = OSSL_PARAM_construct_end();
-
-- if (mac_setup("KMAC-256", &mac, params, loopargs, loopargs_len) < 1)
-- goto end;
-- for (testnum = 0; testnum < size_num; testnum++) {
-- print_message(names[D_KMAC256], lengths[testnum], seconds.sym);
-- Time_F(START);
-- count = run_benchmark(async_jobs, KMAC256_loop, loopargs);
-- d = Time_F(STOP);
-- print_result(D_KMAC256, testnum, count, d);
-- if (count < 0)
-- break;
-+ if (mac_setup("KMAC-256", &mac, params, loopargs, loopargs_len) == 1) {
-+ for (testnum = 0; testnum < size_num; testnum++) {
-+ print_message(names[D_KMAC256], lengths[testnum], seconds.sym);
-+ Time_F(START);
-+ count = run_benchmark(async_jobs, KMAC256_loop, loopargs);
-+ d = Time_F(STOP);
-+ print_result(D_KMAC256, testnum, count, d);
-+ if (count < 0)
-+ break;
-+ }
-+ mac_teardown(&mac, loopargs, loopargs_len);
- }
-- mac_teardown(&mac, loopargs, loopargs_len);
- }
-
- for (i = 0; i < loopargs_len; i++)
---
-2.49.0
-
diff --git a/0052-Backport-upstream-27483-for-PKCS11-needs.patch b/0052-Backport-upstream-27483-for-PKCS11-needs.patch
deleted file mode 100644
index afbce9a..0000000
--- a/0052-Backport-upstream-27483-for-PKCS11-needs.patch
+++ /dev/null
@@ -1,146 +0,0 @@
-From 120558807e15d3cb2959020bacc928988e512a78 Mon Sep 17 00:00:00 2001
-From: Dmitry Belyavskiy <beldmit@gmail.com>
-Date: Mon, 12 May 2025 14:34:39 +0200
-Subject: [PATCH 52/58] Backport upstream #27483 for PKCS11 needs
-
----
- .../implementations/skeymgmt/aes_skmgmt.c | 2 +
- providers/implementations/skeymgmt/generic.c | 12 ++++
- .../implementations/skeymgmt/skeymgmt_lcl.h | 1 +
- test/evp_skey_test.c | 61 +++++++++++++++++++
- 4 files changed, 76 insertions(+)
-
-diff --git a/providers/implementations/skeymgmt/aes_skmgmt.c b/providers/implementations/skeymgmt/aes_skmgmt.c
-index 6d3b5f377f..17be480131 100644
---- a/providers/implementations/skeymgmt/aes_skmgmt.c
-+++ b/providers/implementations/skeymgmt/aes_skmgmt.c
-@@ -48,5 +48,7 @@ const OSSL_DISPATCH ossl_aes_skeymgmt_functions[] = {
- { OSSL_FUNC_SKEYMGMT_FREE, (void (*)(void))generic_free },
- { OSSL_FUNC_SKEYMGMT_IMPORT, (void (*)(void))aes_import },
- { OSSL_FUNC_SKEYMGMT_EXPORT, (void (*)(void))aes_export },
-+ { OSSL_FUNC_SKEYMGMT_IMP_SETTABLE_PARAMS,
-+ (void (*)(void))generic_imp_settable_params },
- OSSL_DISPATCH_END
- };
-diff --git a/providers/implementations/skeymgmt/generic.c b/providers/implementations/skeymgmt/generic.c
-index b41bf8e12d..5fb3fad7e3 100644
---- a/providers/implementations/skeymgmt/generic.c
-+++ b/providers/implementations/skeymgmt/generic.c
-@@ -65,6 +65,16 @@ end:
- return generic;
- }
-
-+static const OSSL_PARAM generic_import_params[] = {
-+ OSSL_PARAM_octet_string(OSSL_SKEY_PARAM_RAW_BYTES, NULL, 0),
-+ OSSL_PARAM_END
-+};
-+
-+const OSSL_PARAM *generic_imp_settable_params(void *provctx)
-+{
-+ return generic_import_params;
-+}
-+
- int generic_export(void *keydata, int selection,
- OSSL_CALLBACK *param_callback, void *cbarg)
- {
-@@ -89,5 +99,7 @@ const OSSL_DISPATCH ossl_generic_skeymgmt_functions[] = {
- { OSSL_FUNC_SKEYMGMT_FREE, (void (*)(void))generic_free },
- { OSSL_FUNC_SKEYMGMT_IMPORT, (void (*)(void))generic_import },
- { OSSL_FUNC_SKEYMGMT_EXPORT, (void (*)(void))generic_export },
-+ { OSSL_FUNC_SKEYMGMT_IMP_SETTABLE_PARAMS,
-+ (void (*)(void))generic_imp_settable_params },
- OSSL_DISPATCH_END
- };
-diff --git a/providers/implementations/skeymgmt/skeymgmt_lcl.h b/providers/implementations/skeymgmt/skeymgmt_lcl.h
-index c180c1d303..a7e7605050 100644
---- a/providers/implementations/skeymgmt/skeymgmt_lcl.h
-+++ b/providers/implementations/skeymgmt/skeymgmt_lcl.h
-@@ -15,5 +15,6 @@
- OSSL_FUNC_skeymgmt_import_fn generic_import;
- OSSL_FUNC_skeymgmt_export_fn generic_export;
- OSSL_FUNC_skeymgmt_free_fn generic_free;
-+OSSL_FUNC_skeymgmt_imp_settable_params_fn generic_imp_settable_params;
-
- #endif
-diff --git a/test/evp_skey_test.c b/test/evp_skey_test.c
-index b81df9c8f8..e33bbbe003 100644
---- a/test/evp_skey_test.c
-+++ b/test/evp_skey_test.c
-@@ -92,6 +92,66 @@ end:
- return ret;
- }
-
-+static int test_skey_skeymgmt(void)
-+{
-+ int ret = 0;
-+ EVP_SKEYMGMT *skeymgmt = NULL;
-+ EVP_SKEY *key = NULL;
-+ const unsigned char import_key[KEY_SIZE] = {
-+ 0x53, 0x4B, 0x45, 0x59, 0x53, 0x4B, 0x45, 0x59,
-+ 0x53, 0x4B, 0x45, 0x59, 0x53, 0x4B, 0x45, 0x59,
-+ };
-+ OSSL_PARAM params[2];
-+ const OSSL_PARAM *imp_params;
-+ const OSSL_PARAM *p;
-+ OSSL_PARAM *exp_params = NULL;
-+ const void *export_key = NULL;
-+ size_t export_len;
-+
-+ deflprov = OSSL_PROVIDER_load(libctx, "default");
-+ if (!TEST_ptr(deflprov))
-+ return 0;
-+
-+ /* Fetch our SKYMGMT for Generic Secrets */
-+ if (!TEST_ptr(skeymgmt = EVP_SKEYMGMT_fetch(libctx, OSSL_SKEY_TYPE_GENERIC,
-+ NULL)))
-+ goto end;
-+
-+ /* Check the parameter we need is available */
-+ if (!TEST_ptr(imp_params = EVP_SKEYMGMT_get0_imp_settable_params(skeymgmt))
-+ || !TEST_ptr(p = OSSL_PARAM_locate_const(imp_params,
-+ OSSL_SKEY_PARAM_RAW_BYTES)))
-+ goto end;
-+
-+ /* Import EVP_SKEY */
-+ params[0] = OSSL_PARAM_construct_octet_string(OSSL_SKEY_PARAM_RAW_BYTES,
-+ (void *)import_key, KEY_SIZE);
-+ params[1] = OSSL_PARAM_construct_end();
-+
-+ if (!TEST_ptr(key = EVP_SKEY_import(libctx,
-+ EVP_SKEYMGMT_get0_name(skeymgmt), NULL,
-+ OSSL_SKEYMGMT_SELECT_ALL, params)))
-+ goto end;
-+
-+ /* Export EVP_SKEY */
-+ if (!TEST_int_gt(EVP_SKEY_export(key, OSSL_SKEYMGMT_SELECT_SECRET_KEY,
-+ ossl_pkey_todata_cb, &exp_params), 0)
-+ || !TEST_ptr(p = OSSL_PARAM_locate_const(exp_params,
-+ OSSL_SKEY_PARAM_RAW_BYTES))
-+ || !TEST_int_gt(OSSL_PARAM_get_octet_string_ptr(p, &export_key,
-+ &export_len), 0)
-+ || !TEST_mem_eq(import_key, KEY_SIZE, export_key, export_len))
-+ goto end;
-+
-+ ret = 1;
-+end:
-+ OSSL_PARAM_free(exp_params);
-+ EVP_SKEYMGMT_free(skeymgmt);
-+ EVP_SKEY_free(key);
-+
-+ return ret;
-+}
-+
- #define IV_SIZE 16
- #define DATA_SIZE 32
- static int test_aes_raw_skey(void)
-@@ -252,6 +312,7 @@ int setup_tests(void)
- return 0;
-
- ADD_TEST(test_skey_cipher);
-+ ADD_TEST(test_skey_skeymgmt);
-
- ADD_TEST(test_aes_raw_skey);
- #ifndef OPENSSL_NO_DES
---
-2.49.0
-
diff --git a/0052-Red-Hat-9-FIPS-indicator-defines.patch b/0052-Red-Hat-9-FIPS-indicator-defines.patch
new file mode 100644
index 0000000..f3e4488
--- /dev/null
+++ b/0052-Red-Hat-9-FIPS-indicator-defines.patch
@@ -0,0 +1,129 @@
+From fcba6e3c26d76ce26ef140f3d07f9cc15e7d98fa Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <beldmit@gmail.com>
+Date: Mon, 12 May 2025 16:21:23 +0200
+Subject: [PATCH 52/53] Red Hat 9 FIPS indicator defines
+
+---
+ include/openssl/evp.h | 15 +++++++++++++++
+ include/openssl/kdf.h | 4 ++++
+ util/perl/OpenSSL/paramnames.pm | 7 +++++++
+ 3 files changed, 26 insertions(+)
+
+diff --git a/include/openssl/evp.h b/include/openssl/evp.h
+index e5da1e6415..3849c1779e 100644
+--- a/include/openssl/evp.h
++++ b/include/openssl/evp.h
+@@ -779,6 +779,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags);
+ void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags);
+ int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags);
+
++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED 1
++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
++
+ __owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
+ const unsigned char *key, const unsigned char *iv);
+ __owur int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,
+@@ -850,6 +854,10 @@ __owur int EVP_CipherPipelineFinal(EVP_CIPHER_CTX *ctx,
+ __owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
+ int *outl);
+
++# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED 1
++# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
++
+ __owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
+ EVP_PKEY *pkey);
+ __owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
+@@ -1249,6 +1257,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx,
+ void *arg);
+
+ /* MAC stuff */
++# define EVP_MAC_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED 1
++# define EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
+
+ EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm,
+ const char *properties);
+@@ -1826,6 +1837,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void);
+ OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx);
+ # endif
+
++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED 1
++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
++
+ EVP_KEYMGMT *EVP_KEYMGMT_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
+ const char *properties);
+ int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt);
+diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
+index 0983230a48..86171635ea 100644
+--- a/include/openssl/kdf.h
++++ b/include/openssl/kdf.h
+@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf,
+ # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1
+ # define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2
+
++# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
++# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED 1
++# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
++
+ #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65
+ #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66
+ #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
+diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
+index 059b489735..5a1864309d 100644
+--- a/util/perl/OpenSSL/paramnames.pm
++++ b/util/perl/OpenSSL/paramnames.pm
+@@ -143,6 +143,8 @@ my %params = (
+ 'CIPHER_PARAM_FIPS_ENCRYPT_CHECK' => "encrypt-check", # int
+ 'CIPHER_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
+ 'CIPHER_PARAM_ALGORITHM_ID' => '*ALG_PARAM_ALGORITHM_ID',
++ #Old RedHat FIPS provider compatibility
++ 'CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # int
+ # Historically, CIPHER_PARAM_ALGORITHM_ID_PARAMS_OLD was used. For the
+ # time being, the old libcrypto functions will use both, so old providers
+ # continue to work.
+@@ -190,6 +192,7 @@ my %params = (
+ 'MAC_PARAM_SIZE' => "size", # size_t
+ 'MAC_PARAM_BLOCK_SIZE' => "block-size", # size_t
+ 'MAC_PARAM_TLS_DATA_SIZE' => "tls-data-size", # size_t
++ 'MAC_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # size_t
+ 'MAC_PARAM_FIPS_NO_SHORT_MAC' =>'*PROV_PARAM_NO_SHORT_MAC',
+ 'MAC_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK',
+ 'MAC_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
+@@ -234,6 +237,7 @@ my %params = (
+ 'KDF_PARAM_X942_SUPP_PUBINFO' => "supp-pubinfo",
+ 'KDF_PARAM_X942_SUPP_PRIVINFO' => "supp-privinfo",
+ 'KDF_PARAM_X942_USE_KEYBITS' => "use-keybits",
++ 'KDF_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
+ 'KDF_PARAM_HMACDRBG_ENTROPY' => "entropy",
+ 'KDF_PARAM_HMACDRBG_NONCE' => "nonce",
+ 'KDF_PARAM_THREADS' => "threads", # uint32_t
+@@ -474,6 +478,7 @@ my %params = (
+ 'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST',
+ 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES',
+ 'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE',
++ 'SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
+ 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type",
+ 'SIGNATURE_PARAM_INSTANCE' => "instance",
+ 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string",
+@@ -508,6 +513,7 @@ my %params = (
+ 'ASYM_CIPHER_PARAM_FIPS_RSA_PKCS15_PAD_DISABLED' => '*PROV_PARAM_RSA_PKCS15_PAD_DISABLED',
+ 'ASYM_CIPHER_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK',
+ 'ASYM_CIPHER_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
++ 'ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
+
+ # Encoder / decoder parameters
+
+@@ -541,6 +547,7 @@ my %params = (
+
+ # KEM parameters
+ 'KEM_PARAM_OPERATION' => "operation",
++ 'KEM_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
+ 'KEM_PARAM_IKME' => "ikme",
+ 'KEM_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK',
+ 'KEM_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
+--
+2.50.0
+
diff --git a/0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch b/0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch
new file mode 100644
index 0000000..e3e72f2
--- /dev/null
+++ b/0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch
@@ -0,0 +1,302 @@
+From 75c77ea5f36dbf6d21940ab5bf87dff6acd5b8d6 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <beldmit@gmail.com>
+Date: Fri, 30 May 2025 16:17:37 +0200
+Subject: [PATCH 53/53] Allow hybrid MLKEM in FIPS mode
+
+---
+ crypto/ml_kem/ml_kem.c | 11 ++--
+ include/crypto/ml_kem.h | 2 +
+ providers/defltprov.c | 8 +--
+ providers/implementations/kem/mlx_kem.c | 33 +++++++++-
+ providers/implementations/keymgmt/mlx_kmgmt.c | 61 ++++++++++++++++++-
+ 5 files changed, 103 insertions(+), 12 deletions(-)
+
+diff --git a/crypto/ml_kem/ml_kem.c b/crypto/ml_kem/ml_kem.c
+index 4474af0f87..6eca7dc29d 100644
+--- a/crypto/ml_kem/ml_kem.c
++++ b/crypto/ml_kem/ml_kem.c
+@@ -1613,6 +1613,7 @@ ML_KEM_KEY *ossl_ml_kem_key_new(OSSL_LIB_CTX *libctx, const char *properties,
+ {
+ const ML_KEM_VINFO *vinfo = ossl_ml_kem_get_vinfo(evp_type);
+ ML_KEM_KEY *key;
++ char *adjusted_propq = NULL;
+
+ if (vinfo == NULL) {
+ ERR_raise_data(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT,
+@@ -1623,15 +1624,17 @@ ML_KEM_KEY *ossl_ml_kem_key_new(OSSL_LIB_CTX *libctx, const char *properties,
+ if ((key = OPENSSL_malloc(sizeof(*key))) == NULL)
+ return NULL;
+
++ adjusted_propq = get_adjusted_propq(properties);
+ key->vinfo = vinfo;
+ key->libctx = libctx;
+ key->prov_flags = ML_KEM_KEY_PROV_FLAGS_DEFAULT;
+- key->shake128_md = EVP_MD_fetch(libctx, "SHAKE128", properties);
+- key->shake256_md = EVP_MD_fetch(libctx, "SHAKE256", properties);
+- key->sha3_256_md = EVP_MD_fetch(libctx, "SHA3-256", properties);
+- key->sha3_512_md = EVP_MD_fetch(libctx, "SHA3-512", properties);
++ key->shake128_md = EVP_MD_fetch(libctx, "SHAKE128", adjusted_propq ? adjusted_propq : properties);
++ key->shake256_md = EVP_MD_fetch(libctx, "SHAKE256", adjusted_propq ? adjusted_propq : properties);
++ key->sha3_256_md = EVP_MD_fetch(libctx, "SHA3-256", adjusted_propq ? adjusted_propq : properties);
++ key->sha3_512_md = EVP_MD_fetch(libctx, "SHA3-512", adjusted_propq ? adjusted_propq : properties);
+ key->d = key->z = key->rho = key->pkhash = key->encoded_dk = NULL;
+ key->s = key->m = key->t = NULL;
++ OPENSSL_free(adjusted_propq);
+
+ if (key->shake128_md != NULL
+ && key->shake256_md != NULL
+diff --git a/include/crypto/ml_kem.h b/include/crypto/ml_kem.h
+index 67d55697e9..ab1aaae8ac 100644
+--- a/include/crypto/ml_kem.h
++++ b/include/crypto/ml_kem.h
+@@ -278,4 +278,6 @@ int ossl_ml_kem_decap(uint8_t *shared_secret, size_t slen,
+ __owur
+ int ossl_ml_kem_pubkey_cmp(const ML_KEM_KEY *key1, const ML_KEM_KEY *key2);
+
++char *get_adjusted_propq(const char *propq);
++
+ #endif /* OPENSSL_HEADER_ML_KEM_H */
+diff --git a/providers/defltprov.c b/providers/defltprov.c
+index eee2178b41..0dba017f3f 100644
+--- a/providers/defltprov.c
++++ b/providers/defltprov.c
+@@ -517,8 +517,8 @@ static const OSSL_ALGORITHM deflt_asym_kem[] = {
+ { "X448MLKEM1024", "provider=default", ossl_mlx_kem_asym_kem_functions },
+ # endif
+ # if !defined(OPENSSL_NO_EC)
+- { "SecP256r1MLKEM768", "provider=default", ossl_mlx_kem_asym_kem_functions },
+- { "SecP384r1MLKEM1024", "provider=default", ossl_mlx_kem_asym_kem_functions },
++ { "SecP256r1MLKEM768", "provider=default,fips=yes", ossl_mlx_kem_asym_kem_functions },
++ { "SecP384r1MLKEM1024", "provider=default,fips=yes", ossl_mlx_kem_asym_kem_functions },
+ # endif
+ #endif
+ { NULL, NULL, NULL }
+@@ -597,9 +597,9 @@ static const OSSL_ALGORITHM deflt_keymgmt[] = {
+ PROV_DESCS_X448MLKEM1024 },
+ # endif
+ # if !defined(OPENSSL_NO_EC)
+- { PROV_NAMES_SecP256r1MLKEM768, "provider=default", ossl_mlx_p256_kem_kmgmt_functions,
++ { PROV_NAMES_SecP256r1MLKEM768, "provider=default,fips=yes", ossl_mlx_p256_kem_kmgmt_functions,
+ PROV_DESCS_SecP256r1MLKEM768 },
+- { PROV_NAMES_SecP384r1MLKEM1024, "provider=default", ossl_mlx_p384_kem_kmgmt_functions,
++ { PROV_NAMES_SecP384r1MLKEM1024, "provider=default,fips=yes", ossl_mlx_p384_kem_kmgmt_functions,
+ PROV_DESCS_SecP384r1MLKEM1024 },
+ # endif
+ #endif
+diff --git a/providers/implementations/kem/mlx_kem.c b/providers/implementations/kem/mlx_kem.c
+index 197c345d85..08fbf99a76 100644
+--- a/providers/implementations/kem/mlx_kem.c
++++ b/providers/implementations/kem/mlx_kem.c
+@@ -19,6 +19,7 @@
+ #include "prov/mlx_kem.h"
+ #include "prov/provider_ctx.h"
+ #include "prov/providercommon.h"
++#include <string.h>
+
+ static OSSL_FUNC_kem_newctx_fn mlx_kem_newctx;
+ static OSSL_FUNC_kem_freectx_fn mlx_kem_freectx;
+@@ -103,6 +104,28 @@ mlx_kem_set_ctx_params(void *vctx, const OSSL_PARAM params[])
+ return 1;
+ }
+
++char *get_adjusted_propq(const char *propq)
++{
++ char *adjusted_propq = NULL;
++ const char *nofips = "-fips";
++ size_t len = propq ? strlen(propq) + 1 + strlen(nofips) + 1 :
++ strlen(nofips) + 1;
++ char *ptr = NULL;
++
++ adjusted_propq = OPENSSL_zalloc(len);
++ if (adjusted_propq != NULL) {
++ ptr = adjusted_propq;
++ if (propq && strlen(propq) > 0) {
++ memcpy(ptr, propq, strlen(propq));
++ ptr += strlen(propq);
++ *ptr = ',';
++ ptr++;
++ }
++ memcpy(ptr, nofips, strlen(nofips));
++ }
++ return adjusted_propq;
++}
++
+ static int mlx_kem_encapsulate(void *vctx, unsigned char *ctext, size_t *clen,
+ unsigned char *shsec, size_t *slen)
+ {
+@@ -115,6 +138,7 @@ static int mlx_kem_encapsulate(void *vctx, unsigned char *ctext, size_t *clen,
+ uint8_t *sbuf;
+ int ml_kem_slot = key->xinfo->ml_kem_slot;
+ int ret = 0;
++ char *adjusted_propq = NULL;
+
+ if (!mlx_kem_have_pubkey(key)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
+@@ -167,7 +191,8 @@ static int mlx_kem_encapsulate(void *vctx, unsigned char *ctext, size_t *clen,
+ encap_slen = ML_KEM_SHARED_SECRET_BYTES;
+ cbuf = ctext + ml_kem_slot * key->xinfo->pubkey_bytes;
+ sbuf = shsec + ml_kem_slot * key->xinfo->shsec_bytes;
+- ctx = EVP_PKEY_CTX_new_from_pkey(key->libctx, key->mkey, key->propq);
++ adjusted_propq = get_adjusted_propq(key->propq);
++ ctx = EVP_PKEY_CTX_new_from_pkey(key->libctx, key->mkey, adjusted_propq ? adjusted_propq : key->propq);
+ if (ctx == NULL
+ || EVP_PKEY_encapsulate_init(ctx, NULL) <= 0
+ || EVP_PKEY_encapsulate(ctx, cbuf, &encap_clen, sbuf, &encap_slen) <= 0)
+@@ -237,6 +262,7 @@ static int mlx_kem_encapsulate(void *vctx, unsigned char *ctext, size_t *clen,
+ end:
+ EVP_PKEY_free(xkey);
+ EVP_PKEY_CTX_free(ctx);
++ OPENSSL_free(adjusted_propq);
+ return ret;
+ }
+
+@@ -252,6 +278,7 @@ static int mlx_kem_decapsulate(void *vctx, uint8_t *shsec, size_t *slen,
+ size_t decap_clen = key->minfo->ctext_bytes + key->xinfo->pubkey_bytes;
+ int ml_kem_slot = key->xinfo->ml_kem_slot;
+ int ret = 0;
++ char *adjusted_propq = NULL;
+
+ if (!mlx_kem_have_prvkey(key)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
+@@ -287,7 +314,8 @@ static int mlx_kem_decapsulate(void *vctx, uint8_t *shsec, size_t *slen,
+ decap_slen = ML_KEM_SHARED_SECRET_BYTES;
+ cbuf = ctext + ml_kem_slot * key->xinfo->pubkey_bytes;
+ sbuf = shsec + ml_kem_slot * key->xinfo->shsec_bytes;
+- ctx = EVP_PKEY_CTX_new_from_pkey(key->libctx, key->mkey, key->propq);
++ adjusted_propq = get_adjusted_propq(key->propq);
++ ctx = EVP_PKEY_CTX_new_from_pkey(key->libctx, key->mkey, adjusted_propq ? adjusted_propq : key->propq);
+ if (ctx == NULL
+ || EVP_PKEY_decapsulate_init(ctx, NULL) <= 0
+ || EVP_PKEY_decapsulate(ctx, sbuf, &decap_slen, cbuf, decap_clen) <= 0)
+@@ -325,6 +353,7 @@ static int mlx_kem_decapsulate(void *vctx, uint8_t *shsec, size_t *slen,
+ end:
+ EVP_PKEY_CTX_free(ctx);
+ EVP_PKEY_free(xkey);
++ OPENSSL_free(adjusted_propq);
+ return ret;
+ }
+
+diff --git a/providers/implementations/keymgmt/mlx_kmgmt.c b/providers/implementations/keymgmt/mlx_kmgmt.c
+index bea8783276..aeef0c8f84 100644
+--- a/providers/implementations/keymgmt/mlx_kmgmt.c
++++ b/providers/implementations/keymgmt/mlx_kmgmt.c
+@@ -156,6 +156,52 @@ typedef struct export_cb_arg_st {
+ size_t prvlen;
+ } EXPORT_CB_ARG;
+
++#ifndef FIPS_MODULE
++# include <openssl/bn.h>
++# include <openssl/ec.h>
++static size_t decompress_pub_key(void *pub, size_t compressed_len, size_t decompressed_len)
++{
++ EC_GROUP *group = NULL;
++ EC_POINT *point = NULL;
++ BN_CTX *ctx = NULL;
++ size_t len = compressed_len;
++ int group_nid = NID_undef;
++
++ switch (len) {
++ case 33:
++ group_nid = NID_X9_62_prime256v1;
++ break;
++ case 49:
++ group_nid = NID_secp384r1;
++ break;
++ default:
++ return len;
++ break;
++ }
++
++ ctx = BN_CTX_new();
++ group = EC_GROUP_new_by_curve_name(group_nid);
++ if (ctx == NULL || group == NULL)
++ goto err;
++
++ point = EC_POINT_new(group);
++ if (point == NULL)
++ goto err;
++
++ if (!EC_POINT_oct2point(group, point, pub, len, ctx))
++ goto err;
++
++ len = EC_POINT_point2oct(group, point, POINT_CONVERSION_UNCOMPRESSED, pub, decompressed_len, ctx);
++
++err:
++ EC_POINT_free(point);
++ EC_GROUP_free(group);
++ BN_CTX_free(ctx);
++
++ return len;
++}
++#endif
++
+ /* Copy any exported key material into its storage slot */
+ static int export_sub_cb(const OSSL_PARAM *params, void *varg)
+ {
+@@ -176,6 +222,10 @@ static int export_sub_cb(const OSSL_PARAM *params, void *varg)
+
+ if (OSSL_PARAM_get_octet_string(p, &pub, sub_arg->publen, &len) != 1)
+ return 0;
++#ifndef FIPS_MODULE
++ if (len < sub_arg->publen)
++ len = decompress_pub_key(pub, len, sub_arg->publen);
++#endif
+ if (len != sub_arg->publen) {
+ ERR_raise_data(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR,
+ "Unexpected %s public key length %lu != %lu",
+@@ -344,12 +394,14 @@ load_slot(OSSL_LIB_CTX *libctx, const char *propq, const char *pname,
+ void *val;
+ int ml_kem_slot = key->xinfo->ml_kem_slot;
+ int ret = 0;
++ char *adjusted_propq = NULL;
+
+ if (slot == ml_kem_slot) {
+ alg = key->minfo->algorithm_name;
+ ppkey = &key->mkey;
+ off = slot * xbytes;
+ len = mbytes;
++ adjusted_propq = get_adjusted_propq(propq);
+ } else {
+ alg = key->xinfo->algorithm_name;
+ group = (char *) key->xinfo->group_name;
+@@ -359,7 +411,8 @@ load_slot(OSSL_LIB_CTX *libctx, const char *propq, const char *pname,
+ }
+ val = (void *)(in + off);
+
+- if ((ctx = EVP_PKEY_CTX_new_from_name(libctx, alg, propq)) == NULL
++ if ((ctx = EVP_PKEY_CTX_new_from_name(libctx, alg,
++ adjusted_propq ? adjusted_propq : propq)) == NULL
+ || EVP_PKEY_fromdata_init(ctx) <= 0)
+ goto err;
+ parr[0] = OSSL_PARAM_construct_octet_string(pname, val, len);
+@@ -370,6 +423,7 @@ load_slot(OSSL_LIB_CTX *libctx, const char *propq, const char *pname,
+ ret = 1;
+
+ err:
++ OPENSSL_free(adjusted_propq);
+ EVP_PKEY_CTX_free(ctx);
+ return ret;
+ }
+@@ -688,6 +742,7 @@ static void *mlx_kem_gen(void *vgctx, OSSL_CALLBACK *osslcb, void *cbarg)
+ PROV_ML_KEM_GEN_CTX *gctx = vgctx;
+ MLX_KEY *key;
+ char *propq;
++ char *adjusted_propq = NULL;
+
+ if (gctx == NULL
+ || (gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) ==
+@@ -704,8 +759,10 @@ static void *mlx_kem_gen(void *vgctx, OSSL_CALLBACK *osslcb, void *cbarg)
+ return key;
+
+ /* For now, using the same "propq" for all components */
+- key->mkey = EVP_PKEY_Q_keygen(key->libctx, key->propq,
++ adjusted_propq = get_adjusted_propq(propq);
++ key->mkey = EVP_PKEY_Q_keygen(key->libctx, adjusted_propq ? adjusted_propq : key->propq,
+ key->minfo->algorithm_name);
++ OPENSSL_free(adjusted_propq);
+ key->xkey = EVP_PKEY_Q_keygen(key->libctx, key->propq,
+ key->xinfo->algorithm_name,
+ key->xinfo->group_name);
+--
+2.50.0
+
diff --git a/0053-Red-Hat-9-FIPS-indicator-defines.patch b/0053-Red-Hat-9-FIPS-indicator-defines.patch
deleted file mode 100644
index dea0da0..0000000
--- a/0053-Red-Hat-9-FIPS-indicator-defines.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-From ee9a3d993eb82f98e4670adc9ccb015065b81555 Mon Sep 17 00:00:00 2001
-From: Dmitry Belyavskiy <beldmit@gmail.com>
-Date: Mon, 12 May 2025 16:21:23 +0200
-Subject: [PATCH 53/58] Red Hat 9 FIPS indicator defines
-
----
- include/openssl/evp.h | 15 +++++++++++++++
- include/openssl/kdf.h | 4 ++++
- util/perl/OpenSSL/paramnames.pm | 7 +++++++
- 3 files changed, 26 insertions(+)
-
-diff --git a/include/openssl/evp.h b/include/openssl/evp.h
-index e5da1e6415..3849c1779e 100644
---- a/include/openssl/evp.h
-+++ b/include/openssl/evp.h
-@@ -779,6 +779,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags);
- void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags);
- int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags);
-
-+# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
-+# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED 1
-+# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
-+
- __owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
- const unsigned char *key, const unsigned char *iv);
- __owur int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,
-@@ -850,6 +854,10 @@ __owur int EVP_CipherPipelineFinal(EVP_CIPHER_CTX *ctx,
- __owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
- int *outl);
-
-+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
-+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED 1
-+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
-+
- __owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
- EVP_PKEY *pkey);
- __owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
-@@ -1249,6 +1257,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx,
- void *arg);
-
- /* MAC stuff */
-+# define EVP_MAC_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
-+# define EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED 1
-+# define EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
-
- EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm,
- const char *properties);
-@@ -1826,6 +1837,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void);
- OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx);
- # endif
-
-+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
-+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED 1
-+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
-+
- EVP_KEYMGMT *EVP_KEYMGMT_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
- const char *properties);
- int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt);
-diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
-index 0983230a48..86171635ea 100644
---- a/include/openssl/kdf.h
-+++ b/include/openssl/kdf.h
-@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf,
- # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1
- # define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2
-
-+# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
-+# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED 1
-+# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
-+
- #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65
- #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66
- #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
-diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
-index 059b489735..5a1864309d 100644
---- a/util/perl/OpenSSL/paramnames.pm
-+++ b/util/perl/OpenSSL/paramnames.pm
-@@ -143,6 +143,8 @@ my %params = (
- 'CIPHER_PARAM_FIPS_ENCRYPT_CHECK' => "encrypt-check", # int
- 'CIPHER_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
- 'CIPHER_PARAM_ALGORITHM_ID' => '*ALG_PARAM_ALGORITHM_ID',
-+ #Old RedHat FIPS provider compatibility
-+ 'CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # int
- # Historically, CIPHER_PARAM_ALGORITHM_ID_PARAMS_OLD was used. For the
- # time being, the old libcrypto functions will use both, so old providers
- # continue to work.
-@@ -190,6 +192,7 @@ my %params = (
- 'MAC_PARAM_SIZE' => "size", # size_t
- 'MAC_PARAM_BLOCK_SIZE' => "block-size", # size_t
- 'MAC_PARAM_TLS_DATA_SIZE' => "tls-data-size", # size_t
-+ 'MAC_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # size_t
- 'MAC_PARAM_FIPS_NO_SHORT_MAC' =>'*PROV_PARAM_NO_SHORT_MAC',
- 'MAC_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK',
- 'MAC_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
-@@ -234,6 +237,7 @@ my %params = (
- 'KDF_PARAM_X942_SUPP_PUBINFO' => "supp-pubinfo",
- 'KDF_PARAM_X942_SUPP_PRIVINFO' => "supp-privinfo",
- 'KDF_PARAM_X942_USE_KEYBITS' => "use-keybits",
-+ 'KDF_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
- 'KDF_PARAM_HMACDRBG_ENTROPY' => "entropy",
- 'KDF_PARAM_HMACDRBG_NONCE' => "nonce",
- 'KDF_PARAM_THREADS' => "threads", # uint32_t
-@@ -474,6 +478,7 @@ my %params = (
- 'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST',
- 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES',
- 'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE',
-+ 'SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
- 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type",
- 'SIGNATURE_PARAM_INSTANCE' => "instance",
- 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string",
-@@ -508,6 +513,7 @@ my %params = (
- 'ASYM_CIPHER_PARAM_FIPS_RSA_PKCS15_PAD_DISABLED' => '*PROV_PARAM_RSA_PKCS15_PAD_DISABLED',
- 'ASYM_CIPHER_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK',
- 'ASYM_CIPHER_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
-+ 'ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
-
- # Encoder / decoder parameters
-
-@@ -541,6 +547,7 @@ my %params = (
-
- # KEM parameters
- 'KEM_PARAM_OPERATION' => "operation",
-+ 'KEM_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",
- 'KEM_PARAM_IKME' => "ikme",
- 'KEM_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK',
- 'KEM_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
---
-2.49.0
-
diff --git a/0054-crypto-disable-OSSL_PARAM_REAL-on-UEFI.patch b/0054-crypto-disable-OSSL_PARAM_REAL-on-UEFI.patch
deleted file mode 100644
index cc3db16..0000000
--- a/0054-crypto-disable-OSSL_PARAM_REAL-on-UEFI.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 92e50723ae6aa29476b7ebb66d262f78677ee68d Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Mon, 7 Apr 2025 12:58:54 +0200
-Subject: [PATCH 54/58] crypto: disable OSSL_PARAM_REAL on UEFI
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Floating point types like double can't be used on UEFI.
-Fix build on UEFI by disabling the OSSL_PARAM_REAL branch.
-
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-
-Reviewed-by: Saša Nedvědický <sashan@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/27284)
----
- crypto/params_from_text.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/params_from_text.c b/crypto/params_from_text.c
-index 7532d4d439..fb25400dc1 100644
---- a/crypto/params_from_text.c
-+++ b/crypto/params_from_text.c
-@@ -220,9 +220,9 @@ int OSSL_PARAM_print_to_bio(const OSSL_PARAM *p, BIO *bio, int print_values)
- BIGNUM *bn;
- #ifndef OPENSSL_SYS_UEFI
- double d;
-+ int dok;
- #endif
- int ok = -1;
-- int dok;
-
- /*
- * Iterate through each key in the array printing its key and value
-@@ -280,16 +280,16 @@ int OSSL_PARAM_print_to_bio(const OSSL_PARAM *p, BIO *bio, int print_values)
- case OSSL_PARAM_OCTET_STRING:
- ok = BIO_dump(bio, (char *)p->data, p->data_size);
- break;
-+#ifndef OPENSSL_SYS_UEFI
- case OSSL_PARAM_REAL:
- dok = 0;
--#ifndef OPENSSL_SYS_UEFI
- dok = OSSL_PARAM_get_double(p, &d);
--#endif
- if (dok == 1)
- ok = BIO_printf(bio, "%f\n", d);
- else
- ok = BIO_printf(bio, "error getting value\n");
- break;
-+#endif
- default:
- ok = BIO_printf(bio, "unknown type (%u) of %zu bytes\n",
- p->data_type, p->data_size);
---
-2.49.0
-
diff --git a/0055-hashfunc-add-stddef.h-include.patch b/0055-hashfunc-add-stddef.h-include.patch
deleted file mode 100644
index 7c894c0..0000000
--- a/0055-hashfunc-add-stddef.h-include.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From fb8649ec423277d50936a6a7848a1b6705e208cc Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Mon, 7 Apr 2025 13:29:36 +0200
-Subject: [PATCH 55/58] hashfunc: add stddef.h include
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-size_t is declared in stddef.h, so include the header file to
-make sure it is available. Fixes build on UEFI.
-
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-
-Reviewed-by: Saša Nedvědický <sashan@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/27284)
----
- include/internal/hashfunc.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/include/internal/hashfunc.h b/include/internal/hashfunc.h
-index cabc7beed4..fae8a275fa 100644
---- a/include/internal/hashfunc.h
-+++ b/include/internal/hashfunc.h
-@@ -11,6 +11,7 @@
- # define OPENSSL_HASHFUNC_H
-
- # include <openssl/e_os2.h>
-+# include <stddef.h>
- /**
- * Generalized fnv1a 64 bit hash function
- */
---
-2.49.0
-
diff --git a/0056-rio-add-RIO_POLL_METHOD_NONE.patch b/0056-rio-add-RIO_POLL_METHOD_NONE.patch
deleted file mode 100644
index 5c7b9c1..0000000
--- a/0056-rio-add-RIO_POLL_METHOD_NONE.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 60699bc32870a3325a79234158740aac917b39a6 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Mon, 7 Apr 2025 14:06:28 +0200
-Subject: [PATCH 56/58] rio: add RIO_POLL_METHOD_NONE
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fixes build on UEFI.
-
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-
-Reviewed-by: Saša Nedvědický <sashan@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/27284)
----
- ssl/rio/poll_builder.c | 4 +++-
- ssl/rio/poll_builder.h | 4 +++-
- ssl/rio/poll_method.h | 5 ++++-
- 3 files changed, 10 insertions(+), 3 deletions(-)
-
-diff --git a/ssl/rio/poll_builder.c b/ssl/rio/poll_builder.c
-index 007e360d87..3cfbe3b0ac 100644
---- a/ssl/rio/poll_builder.c
-+++ b/ssl/rio/poll_builder.c
-@@ -16,7 +16,9 @@ OSSL_SAFE_MATH_UNSIGNED(size_t, size_t)
-
- int ossl_rio_poll_builder_init(RIO_POLL_BUILDER *rpb)
- {
--#if RIO_POLL_METHOD == RIO_POLL_METHOD_SELECT
-+#if RIO_POLL_METHOD == RIO_POLL_METHOD_NONE
-+ return 0;
-+#elif RIO_POLL_METHOD == RIO_POLL_METHOD_SELECT
- FD_ZERO(&rpb->rfd);
- FD_ZERO(&rpb->wfd);
- FD_ZERO(&rpb->efd);
-diff --git a/ssl/rio/poll_builder.h b/ssl/rio/poll_builder.h
-index ffc9bbf9fc..985e4713b2 100644
---- a/ssl/rio/poll_builder.h
-+++ b/ssl/rio/poll_builder.h
-@@ -23,7 +23,9 @@
- * FDs.
- */
- typedef struct rio_poll_builder_st {
--# if RIO_POLL_METHOD == RIO_POLL_METHOD_SELECT
-+# if RIO_POLL_METHOD == RIO_POLL_METHOD_NONE
-+ /* nothing */;
-+# elif RIO_POLL_METHOD == RIO_POLL_METHOD_SELECT
- fd_set rfd, wfd, efd;
- int hwm_fd;
- # elif RIO_POLL_METHOD == RIO_POLL_METHOD_POLL
-diff --git a/ssl/rio/poll_method.h b/ssl/rio/poll_method.h
-index 9a6de89270..d5af8663c2 100644
---- a/ssl/rio/poll_method.h
-+++ b/ssl/rio/poll_method.h
-@@ -14,9 +14,12 @@
-
- # define RIO_POLL_METHOD_SELECT 1
- # define RIO_POLL_METHOD_POLL 2
-+# define RIO_POLL_METHOD_NONE 3
-
- # ifndef RIO_POLL_METHOD
--# if !defined(OPENSSL_SYS_WINDOWS) && defined(POLLIN)
-+# if defined(OPENSSL_SYS_UEFI)
-+# define RIO_POLL_METHOD RIO_POLL_METHOD_NONE
-+# elif !defined(OPENSSL_SYS_WINDOWS) && defined(POLLIN)
- # define RIO_POLL_METHOD RIO_POLL_METHOD_POLL
- # else
- # define RIO_POLL_METHOD RIO_POLL_METHOD_SELECT
---
-2.49.0
-
diff --git a/0057-apps-x509.c-Fix-the-addreject-option-adding-trust-in.patch b/0057-apps-x509.c-Fix-the-addreject-option-adding-trust-in.patch
deleted file mode 100644
index 765a4f3..0000000
--- a/0057-apps-x509.c-Fix-the-addreject-option-adding-trust-in.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From d7ab338f85b55ed6aa6d0187123dbab8684551a5 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Tue, 20 May 2025 16:34:10 +0200
-Subject: [PATCH 57/58] apps/x509.c: Fix the -addreject option adding trust
- instead of rejection
-
-Fixes CVE-2025-4575
-
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
-Reviewed-by: Paul Dale <ppzgs1@gmail.com>
-(Merged from https://github.com/openssl/openssl/pull/27672)
----
- apps/x509.c | 2 +-
- test/recipes/25-test_x509.t | 12 +++++++++++-
- 2 files changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/apps/x509.c b/apps/x509.c
-index fdae8f383a..0c340c15b3 100644
---- a/apps/x509.c
-+++ b/apps/x509.c
-@@ -465,7 +465,7 @@ int x509_main(int argc, char **argv)
- prog, opt_arg());
- goto opthelp;
- }
-- if (!sk_ASN1_OBJECT_push(trust, objtmp))
-+ if (!sk_ASN1_OBJECT_push(reject, objtmp))
- goto end;
- trustout = 1;
- break;
-diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
-index 09b61708ff..dfa0a428f5 100644
---- a/test/recipes/25-test_x509.t
-+++ b/test/recipes/25-test_x509.t
-@@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
-
- setup("test_x509");
-
--plan tests => 134;
-+plan tests => 138;
-
- # Prevent MSys2 filename munging for arguments that look like file paths but
- # aren't
-@@ -110,6 +110,16 @@ ok(run(app(["openssl", "x509", "-new", "-force_pubkey", $key, "-subj", "/CN=EE",
- && run(app(["openssl", "verify", "-no_check_time",
- "-trusted", $ca, "-partial_chain", $caout])));
-
-+# test trust decoration
-+ok(run(app(["openssl", "x509", "-in", $ca, "-addtrust", "emailProtection",
-+ "-out", "ca-trusted.pem"])));
-+cert_contains("ca-trusted.pem", "Trusted Uses: E-mail Protection",
-+ 1, 'trusted use - E-mail Protection');
-+ok(run(app(["openssl", "x509", "-in", $ca, "-addreject", "emailProtection",
-+ "-out", "ca-rejected.pem"])));
-+cert_contains("ca-rejected.pem", "Rejected Uses: E-mail Protection",
-+ 1, 'rejected use - E-mail Protection');
-+
- subtest 'x509 -- x.509 v1 certificate' => sub {
- tconversion( -type => 'x509', -prefix => 'x509v1',
- -in => srctop_file("test", "testx509.pem") );
---
-2.49.0
-
diff --git a/0058-Allow-hybrid-MLKEM-in-FIPS-mode.patch b/0058-Allow-hybrid-MLKEM-in-FIPS-mode.patch
deleted file mode 100644
index b139ecc..0000000
--- a/0058-Allow-hybrid-MLKEM-in-FIPS-mode.patch
+++ /dev/null
@@ -1,302 +0,0 @@
-From 26ad3b905a6d4b1fa50b304f21f67aa0d35265e9 Mon Sep 17 00:00:00 2001
-From: Dmitry Belyavskiy <beldmit@gmail.com>
-Date: Fri, 30 May 2025 16:17:37 +0200
-Subject: [PATCH 58/58] Allow hybrid MLKEM in FIPS mode
-
----
- crypto/ml_kem/ml_kem.c | 11 ++--
- include/crypto/ml_kem.h | 2 +
- providers/defltprov.c | 8 +--
- providers/implementations/kem/mlx_kem.c | 33 +++++++++-
- providers/implementations/keymgmt/mlx_kmgmt.c | 61 ++++++++++++++++++-
- 5 files changed, 103 insertions(+), 12 deletions(-)
-
-diff --git a/crypto/ml_kem/ml_kem.c b/crypto/ml_kem/ml_kem.c
-index ec75233435..8d0cc1a82c 100644
---- a/crypto/ml_kem/ml_kem.c
-+++ b/crypto/ml_kem/ml_kem.c
-@@ -1581,6 +1581,7 @@ ML_KEM_KEY *ossl_ml_kem_key_new(OSSL_LIB_CTX *libctx, const char *properties,
- {
- const ML_KEM_VINFO *vinfo = ossl_ml_kem_get_vinfo(evp_type);
- ML_KEM_KEY *key;
-+ char *adjusted_propq = NULL;
-
- if (vinfo == NULL)
- return NULL;
-@@ -1588,15 +1589,17 @@ ML_KEM_KEY *ossl_ml_kem_key_new(OSSL_LIB_CTX *libctx, const char *properties,
- if ((key = OPENSSL_malloc(sizeof(*key))) == NULL)
- return NULL;
-
-+ adjusted_propq = get_adjusted_propq(properties);
- key->vinfo = vinfo;
- key->libctx = libctx;
- key->prov_flags = ML_KEM_KEY_PROV_FLAGS_DEFAULT;
-- key->shake128_md = EVP_MD_fetch(libctx, "SHAKE128", properties);
-- key->shake256_md = EVP_MD_fetch(libctx, "SHAKE256", properties);
-- key->sha3_256_md = EVP_MD_fetch(libctx, "SHA3-256", properties);
-- key->sha3_512_md = EVP_MD_fetch(libctx, "SHA3-512", properties);
-+ key->shake128_md = EVP_MD_fetch(libctx, "SHAKE128", adjusted_propq ? adjusted_propq : properties);
-+ key->shake256_md = EVP_MD_fetch(libctx, "SHAKE256", adjusted_propq ? adjusted_propq : properties);
-+ key->sha3_256_md = EVP_MD_fetch(libctx, "SHA3-256", adjusted_propq ? adjusted_propq : properties);
-+ key->sha3_512_md = EVP_MD_fetch(libctx, "SHA3-512", adjusted_propq ? adjusted_propq : properties);
- key->d = key->z = key->rho = key->pkhash = key->encoded_dk = NULL;
- key->s = key->m = key->t = NULL;
-+ OPENSSL_free(adjusted_propq);
-
- if (key->shake128_md != NULL
- && key->shake256_md != NULL
-diff --git a/include/crypto/ml_kem.h b/include/crypto/ml_kem.h
-index 67d55697e9..ab1aaae8ac 100644
---- a/include/crypto/ml_kem.h
-+++ b/include/crypto/ml_kem.h
-@@ -278,4 +278,6 @@ int ossl_ml_kem_decap(uint8_t *shared_secret, size_t slen,
- __owur
- int ossl_ml_kem_pubkey_cmp(const ML_KEM_KEY *key1, const ML_KEM_KEY *key2);
-
-+char *get_adjusted_propq(const char *propq);
-+
- #endif /* OPENSSL_HEADER_ML_KEM_H */
-diff --git a/providers/defltprov.c b/providers/defltprov.c
-index eee2178b41..0dba017f3f 100644
---- a/providers/defltprov.c
-+++ b/providers/defltprov.c
-@@ -517,8 +517,8 @@ static const OSSL_ALGORITHM deflt_asym_kem[] = {
- { "X448MLKEM1024", "provider=default", ossl_mlx_kem_asym_kem_functions },
- # endif
- # if !defined(OPENSSL_NO_EC)
-- { "SecP256r1MLKEM768", "provider=default", ossl_mlx_kem_asym_kem_functions },
-- { "SecP384r1MLKEM1024", "provider=default", ossl_mlx_kem_asym_kem_functions },
-+ { "SecP256r1MLKEM768", "provider=default,fips=yes", ossl_mlx_kem_asym_kem_functions },
-+ { "SecP384r1MLKEM1024", "provider=default,fips=yes", ossl_mlx_kem_asym_kem_functions },
- # endif
- #endif
- { NULL, NULL, NULL }
-@@ -597,9 +597,9 @@ static const OSSL_ALGORITHM deflt_keymgmt[] = {
- PROV_DESCS_X448MLKEM1024 },
- # endif
- # if !defined(OPENSSL_NO_EC)
-- { PROV_NAMES_SecP256r1MLKEM768, "provider=default", ossl_mlx_p256_kem_kmgmt_functions,
-+ { PROV_NAMES_SecP256r1MLKEM768, "provider=default,fips=yes", ossl_mlx_p256_kem_kmgmt_functions,
- PROV_DESCS_SecP256r1MLKEM768 },
-- { PROV_NAMES_SecP384r1MLKEM1024, "provider=default", ossl_mlx_p384_kem_kmgmt_functions,
-+ { PROV_NAMES_SecP384r1MLKEM1024, "provider=default,fips=yes", ossl_mlx_p384_kem_kmgmt_functions,
- PROV_DESCS_SecP384r1MLKEM1024 },
- # endif
- #endif
-diff --git a/providers/implementations/kem/mlx_kem.c b/providers/implementations/kem/mlx_kem.c
-index 197c345d85..08fbf99a76 100644
---- a/providers/implementations/kem/mlx_kem.c
-+++ b/providers/implementations/kem/mlx_kem.c
-@@ -19,6 +19,7 @@
- #include "prov/mlx_kem.h"
- #include "prov/provider_ctx.h"
- #include "prov/providercommon.h"
-+#include <string.h>
-
- static OSSL_FUNC_kem_newctx_fn mlx_kem_newctx;
- static OSSL_FUNC_kem_freectx_fn mlx_kem_freectx;
-@@ -103,6 +104,28 @@ mlx_kem_set_ctx_params(void *vctx, const OSSL_PARAM params[])
- return 1;
- }
-
-+char *get_adjusted_propq(const char *propq)
-+{
-+ char *adjusted_propq = NULL;
-+ const char *nofips = "-fips";
-+ size_t len = propq ? strlen(propq) + 1 + strlen(nofips) + 1 :
-+ strlen(nofips) + 1;
-+ char *ptr = NULL;
-+
-+ adjusted_propq = OPENSSL_zalloc(len);
-+ if (adjusted_propq != NULL) {
-+ ptr = adjusted_propq;
-+ if (propq && strlen(propq) > 0) {
-+ memcpy(ptr, propq, strlen(propq));
-+ ptr += strlen(propq);
-+ *ptr = ',';
-+ ptr++;
-+ }
-+ memcpy(ptr, nofips, strlen(nofips));
-+ }
-+ return adjusted_propq;
-+}
-+
- static int mlx_kem_encapsulate(void *vctx, unsigned char *ctext, size_t *clen,
- unsigned char *shsec, size_t *slen)
- {
-@@ -115,6 +138,7 @@ static int mlx_kem_encapsulate(void *vctx, unsigned char *ctext, size_t *clen,
- uint8_t *sbuf;
- int ml_kem_slot = key->xinfo->ml_kem_slot;
- int ret = 0;
-+ char *adjusted_propq = NULL;
-
- if (!mlx_kem_have_pubkey(key)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
-@@ -167,7 +191,8 @@ static int mlx_kem_encapsulate(void *vctx, unsigned char *ctext, size_t *clen,
- encap_slen = ML_KEM_SHARED_SECRET_BYTES;
- cbuf = ctext + ml_kem_slot * key->xinfo->pubkey_bytes;
- sbuf = shsec + ml_kem_slot * key->xinfo->shsec_bytes;
-- ctx = EVP_PKEY_CTX_new_from_pkey(key->libctx, key->mkey, key->propq);
-+ adjusted_propq = get_adjusted_propq(key->propq);
-+ ctx = EVP_PKEY_CTX_new_from_pkey(key->libctx, key->mkey, adjusted_propq ? adjusted_propq : key->propq);
- if (ctx == NULL
- || EVP_PKEY_encapsulate_init(ctx, NULL) <= 0
- || EVP_PKEY_encapsulate(ctx, cbuf, &encap_clen, sbuf, &encap_slen) <= 0)
-@@ -237,6 +262,7 @@ static int mlx_kem_encapsulate(void *vctx, unsigned char *ctext, size_t *clen,
- end:
- EVP_PKEY_free(xkey);
- EVP_PKEY_CTX_free(ctx);
-+ OPENSSL_free(adjusted_propq);
- return ret;
- }
-
-@@ -252,6 +278,7 @@ static int mlx_kem_decapsulate(void *vctx, uint8_t *shsec, size_t *slen,
- size_t decap_clen = key->minfo->ctext_bytes + key->xinfo->pubkey_bytes;
- int ml_kem_slot = key->xinfo->ml_kem_slot;
- int ret = 0;
-+ char *adjusted_propq = NULL;
-
- if (!mlx_kem_have_prvkey(key)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
-@@ -287,7 +314,8 @@ static int mlx_kem_decapsulate(void *vctx, uint8_t *shsec, size_t *slen,
- decap_slen = ML_KEM_SHARED_SECRET_BYTES;
- cbuf = ctext + ml_kem_slot * key->xinfo->pubkey_bytes;
- sbuf = shsec + ml_kem_slot * key->xinfo->shsec_bytes;
-- ctx = EVP_PKEY_CTX_new_from_pkey(key->libctx, key->mkey, key->propq);
-+ adjusted_propq = get_adjusted_propq(key->propq);
-+ ctx = EVP_PKEY_CTX_new_from_pkey(key->libctx, key->mkey, adjusted_propq ? adjusted_propq : key->propq);
- if (ctx == NULL
- || EVP_PKEY_decapsulate_init(ctx, NULL) <= 0
- || EVP_PKEY_decapsulate(ctx, sbuf, &decap_slen, cbuf, decap_clen) <= 0)
-@@ -325,6 +353,7 @@ static int mlx_kem_decapsulate(void *vctx, uint8_t *shsec, size_t *slen,
- end:
- EVP_PKEY_CTX_free(ctx);
- EVP_PKEY_free(xkey);
-+ OPENSSL_free(adjusted_propq);
- return ret;
- }
-
-diff --git a/providers/implementations/keymgmt/mlx_kmgmt.c b/providers/implementations/keymgmt/mlx_kmgmt.c
-index bea8783276..aeef0c8f84 100644
---- a/providers/implementations/keymgmt/mlx_kmgmt.c
-+++ b/providers/implementations/keymgmt/mlx_kmgmt.c
-@@ -156,6 +156,52 @@ typedef struct export_cb_arg_st {
- size_t prvlen;
- } EXPORT_CB_ARG;
-
-+#ifndef FIPS_MODULE
-+# include <openssl/bn.h>
-+# include <openssl/ec.h>
-+static size_t decompress_pub_key(void *pub, size_t compressed_len, size_t decompressed_len)
-+{
-+ EC_GROUP *group = NULL;
-+ EC_POINT *point = NULL;
-+ BN_CTX *ctx = NULL;
-+ size_t len = compressed_len;
-+ int group_nid = NID_undef;
-+
-+ switch (len) {
-+ case 33:
-+ group_nid = NID_X9_62_prime256v1;
-+ break;
-+ case 49:
-+ group_nid = NID_secp384r1;
-+ break;
-+ default:
-+ return len;
-+ break;
-+ }
-+
-+ ctx = BN_CTX_new();
-+ group = EC_GROUP_new_by_curve_name(group_nid);
-+ if (ctx == NULL || group == NULL)
-+ goto err;
-+
-+ point = EC_POINT_new(group);
-+ if (point == NULL)
-+ goto err;
-+
-+ if (!EC_POINT_oct2point(group, point, pub, len, ctx))
-+ goto err;
-+
-+ len = EC_POINT_point2oct(group, point, POINT_CONVERSION_UNCOMPRESSED, pub, decompressed_len, ctx);
-+
-+err:
-+ EC_POINT_free(point);
-+ EC_GROUP_free(group);
-+ BN_CTX_free(ctx);
-+
-+ return len;
-+}
-+#endif
-+
- /* Copy any exported key material into its storage slot */
- static int export_sub_cb(const OSSL_PARAM *params, void *varg)
- {
-@@ -176,6 +222,10 @@ static int export_sub_cb(const OSSL_PARAM *params, void *varg)
-
- if (OSSL_PARAM_get_octet_string(p, &pub, sub_arg->publen, &len) != 1)
- return 0;
-+#ifndef FIPS_MODULE
-+ if (len < sub_arg->publen)
-+ len = decompress_pub_key(pub, len, sub_arg->publen);
-+#endif
- if (len != sub_arg->publen) {
- ERR_raise_data(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR,
- "Unexpected %s public key length %lu != %lu",
-@@ -344,12 +394,14 @@ load_slot(OSSL_LIB_CTX *libctx, const char *propq, const char *pname,
- void *val;
- int ml_kem_slot = key->xinfo->ml_kem_slot;
- int ret = 0;
-+ char *adjusted_propq = NULL;
-
- if (slot == ml_kem_slot) {
- alg = key->minfo->algorithm_name;
- ppkey = &key->mkey;
- off = slot * xbytes;
- len = mbytes;
-+ adjusted_propq = get_adjusted_propq(propq);
- } else {
- alg = key->xinfo->algorithm_name;
- group = (char *) key->xinfo->group_name;
-@@ -359,7 +411,8 @@ load_slot(OSSL_LIB_CTX *libctx, const char *propq, const char *pname,
- }
- val = (void *)(in + off);
-
-- if ((ctx = EVP_PKEY_CTX_new_from_name(libctx, alg, propq)) == NULL
-+ if ((ctx = EVP_PKEY_CTX_new_from_name(libctx, alg,
-+ adjusted_propq ? adjusted_propq : propq)) == NULL
- || EVP_PKEY_fromdata_init(ctx) <= 0)
- goto err;
- parr[0] = OSSL_PARAM_construct_octet_string(pname, val, len);
-@@ -370,6 +423,7 @@ load_slot(OSSL_LIB_CTX *libctx, const char *propq, const char *pname,
- ret = 1;
-
- err:
-+ OPENSSL_free(adjusted_propq);
- EVP_PKEY_CTX_free(ctx);
- return ret;
- }
-@@ -688,6 +742,7 @@ static void *mlx_kem_gen(void *vgctx, OSSL_CALLBACK *osslcb, void *cbarg)
- PROV_ML_KEM_GEN_CTX *gctx = vgctx;
- MLX_KEY *key;
- char *propq;
-+ char *adjusted_propq = NULL;
-
- if (gctx == NULL
- || (gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) ==
-@@ -704,8 +759,10 @@ static void *mlx_kem_gen(void *vgctx, OSSL_CALLBACK *osslcb, void *cbarg)
- return key;
-
- /* For now, using the same "propq" for all components */
-- key->mkey = EVP_PKEY_Q_keygen(key->libctx, key->propq,
-+ adjusted_propq = get_adjusted_propq(propq);
-+ key->mkey = EVP_PKEY_Q_keygen(key->libctx, adjusted_propq ? adjusted_propq : key->propq,
- key->minfo->algorithm_name);
-+ OPENSSL_free(adjusted_propq);
- key->xkey = EVP_PKEY_Q_keygen(key->libctx, key->propq,
- key->xinfo->algorithm_name,
- key->xinfo->group_name);
---
-2.49.0
-
diff --git a/openssl.spec b/openssl.spec
index 3ee56d8..84d0ee7 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -33,8 +33,8 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
-Version: 3.5.0
-Release: 5%{?dist}
+Version: 3.5.1
+Release: 1%{?dist}
Epoch: 1
Source0: openssl-%{version}.tar.gz
Source1: fips-hmacify.sh
@@ -88,20 +88,15 @@ Patch0042: 0042-FIPS-EC-disable-weak-curves.patch
Patch0043: 0043-FIPS-NO-DSA-Support.patch
Patch0044: 0044-FIPS-NO-DES-support.patch
Patch0045: 0045-FIPS-NO-Kmac.patch
-Patch0046: 0046-FIPS-NO-PQ-ML-SLH-DSA.patch
-Patch0047: 0047-FIPS-Fix-some-tests-due-to-our-versioning-change.patch
-Patch0048: 0048-Current-Rebase-status.patch
-Patch0049: 0049-FIPS-KDF-key-lenght-errors.patch
-Patch0050: 0050-FIPS-fix-disallowed-digests-tests.patch
-Patch0051: 0051-Make-openssl-speed-run-in-FIPS-mode.patch
-Patch0052: 0052-Backport-upstream-27483-for-PKCS11-needs.patch
-Patch0053: 0053-Red-Hat-9-FIPS-indicator-defines.patch
-Patch0054: 0054-crypto-disable-OSSL_PARAM_REAL-on-UEFI.patch
-Patch0055: 0055-hashfunc-add-stddef.h-include.patch
-Patch0056: 0056-rio-add-RIO_POLL_METHOD_NONE.patch
-Patch0057: 0057-apps-x509.c-Fix-the-addreject-option-adding-trust-in.patch
+Patch0046: 0046-FIPS-Fix-some-tests-due-to-our-versioning-change.patch
+Patch0047: 0047-Current-Rebase-status.patch
+Patch0048: 0048-FIPS-KDF-key-lenght-errors.patch
+Patch0049: 0049-FIPS-fix-disallowed-digests-tests.patch
+Patch0050: 0050-Make-openssl-speed-run-in-FIPS-mode.patch
+Patch0051: 0051-Backport-upstream-27483-for-PKCS11-needs.patch
+Patch0052: 0052-Red-Hat-9-FIPS-indicator-defines.patch
%if ( %{defined rhel} && (! %{defined centos}) && (! %{defined eln}) )
-Patch0058: 0058-Allow-hybrid-MLKEM-in-FIPS-mode.patch
+Patch0053: 0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch
%endif
@@ -228,8 +223,7 @@ sslarch=linux-ppc64
%endif
%ifarch ppc64le
sslarch="linux-ppc64le"
-#POWER8 support
-#sslflags=enable-ec_nistp_64_gcc_128
+sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch mips mipsel
sslarch="linux-mips32 -mips32r2"
@@ -473,6 +467,9 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
%ldconfig_scriptlets libs
%changelog
+* Tue Jul 01 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.1-1
+- Rebasing to OpenSSL 3.5.1
+
* Thu Jun 05 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.0-5
- Sync patches from RHEL
diff --git a/sources b/sources
index 423bcc8..951b06e 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (openssl-3.5.0.tar.gz) = 39cc80e2843a2ee30f3f5de25cd9d0f759ad8de71b0b39f5a679afaaa74f4eb58d285ae50e29e4a27b139b49343ac91d1f05478f96fb0c6b150f16d7b634676f
+SHA512 (openssl-3.5.1.tar.gz) = 0fa152ae59ab5ea066319de039dfb1d24cbb247172d7512feb5dd920db3740f219d76b0195ea562f84fe5eae36c23772302eddfbb3509df13761452b4dafb9d3
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-06-09 12:45 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-09 12:45 [rpms/openssl] rebase_40beta: Rebasing to OpenSSL 3.5 Dmitry Belyavskiy
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox