public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
* [rpms/openssl] rebase_40beta: Rebase to OpenSSL 3.5.4
@ 2026-06-09 12:45 Dmitry Belyavskiy
0 siblings, 0 replies; only message in thread
From: Dmitry Belyavskiy @ 2026-06-09 12:45 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : b80222307c8c4093f8bf9f10fceb2c94156bb2aa
Author : Dmitry Belyavskiy <dbelyavs@redhat.com>
Date : 2025-10-20T14:53:12+02:00
Stats : +816/-642 in 64 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/b80222307c8c4093f8bf9f10fceb2c94156bb2aa?branch=rebase_40beta
Log:
Rebase to OpenSSL 3.5.4
Resolving CVE-2025-9230 and CVE-2025-9232
---
diff --git a/.gitignore b/.gitignore
index 5d79149..c813a35 100644
--- a/.gitignore
+++ b/.gitignore
@@ -67,3 +67,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-3.5.0-beta1.tar.gz
/openssl-3.5.0.tar.gz
/openssl-3.5.1.tar.gz
+/openssl-3.5.4.tar.gz
diff --git a/0001-RH-Aarch64-and-ppc64le-use-lib64.patch b/0001-RH-Aarch64-and-ppc64le-use-lib64.patch
index 1331ab0..8bba2ec 100644
--- a/0001-RH-Aarch64-and-ppc64le-use-lib64.patch
+++ b/0001-RH-Aarch64-and-ppc64le-use-lib64.patch
@@ -1,7 +1,7 @@
-From bc8c037733c26d4c4a2a3dfd1e383be9855449b3 Mon Sep 17 00:00:00 2001
+From 0e03058e3d0a540a330bb42ee8f6dca5604841f9 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
-Subject: [PATCH 01/53] RH: Aarch64 and ppc64le use lib64
+Subject: [PATCH 01/59] RH: Aarch64 and ppc64le use lib64
Patch-name: 0001-Aarch64-and-ppc64le-use-lib64.patch
Patch-id: 1
@@ -34,5 +34,5 @@ index cba57b4127..3e327017ef 100644
"linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
inherit_from => [ "linux-generic32" ],
--
-2.50.0
+2.51.0
diff --git a/0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch b/0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch
index bfcf061..d925b68 100644
--- a/0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch
+++ b/0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch
@@ -1,7 +1,7 @@
-From 99e084a168125827163da87f3f1de3f05db99be1 Mon Sep 17 00:00:00 2001
+From 9d127bab38d30e2d3ebafc39c3dd874ae55c72de Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 6 Mar 2025 08:40:29 -0500
-Subject: [PATCH 02/53] Add a separate config file to use for rpm installs
+Subject: [PATCH 02/59] Add a separate config file to use for rpm installs
In RHEL/Fedora systems we want to use a slightly different set
of defaults, but we do not want to change the standard config file
@@ -452,5 +452,5 @@ index 0000000000..fe2346eb2b
+cmd = rr
+oldcert = $insta::certout # insta.cert.pem
--
-2.50.0
+2.51.0
diff --git a/0003-RH-Do-not-install-html-docs.patch b/0003-RH-Do-not-install-html-docs.patch
index 8c2edce..72afe71 100644
--- a/0003-RH-Do-not-install-html-docs.patch
+++ b/0003-RH-Do-not-install-html-docs.patch
@@ -1,7 +1,7 @@
-From 371ef9d39cb5a54d7f22ef1abd6340dbadf88fcd Mon Sep 17 00:00:00 2001
+From 2530f17f6a5fe3733beda49954c5c78f423569d5 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
-Subject: [PATCH 03/53] RH: Do not install html docs
+Subject: [PATCH 03/59] RH: Do not install html docs
Patch-name: 0003-Do-not-install-html-docs.patch
Patch-id: 3
@@ -13,10 +13,10 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
-index a6f666957e..b1d8b00755 100644
+index 81f49926ce..516f8d62dc 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
-@@ -658,7 +658,7 @@ install_sw: install_dev install_engines install_modules install_runtime ## Insta
+@@ -669,7 +669,7 @@ install_sw: install_dev install_engines install_modules install_runtime ## Insta
uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev ## Uninstall the software and libraries
@@ -26,5 +26,5 @@ index a6f666957e..b1d8b00755 100644
uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and HTML documentation
$(RM) -r "$(DESTDIR)$(DOCDIR)"
--
-2.50.0
+2.51.0
diff --git a/0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch b/0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch
index 2486532..f33e200 100644
--- a/0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch
+++ b/0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch
@@ -1,7 +1,7 @@
-From 79787a5bb85fed3c6998bfe3aebcdff9ffa56edf Mon Sep 17 00:00:00 2001
+From f2fcdc5171f0b3b0b94fe8b78b6282be078a4e81 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
-Subject: [PATCH 04/53] RH: apps ca fix md option help text.patch - DROP?
+Subject: [PATCH 04/59] RH: apps ca fix md option help text.patch - DROP?
Patch-name: 0005-apps-ca-fix-md-option-help-text.patch
Patch-id: 5
@@ -26,5 +26,5 @@ index 6d1d1c0a6e..a7553ba609 100644
{"keyform", OPT_KEYFORM, 'f',
"Private key file format (ENGINE, other values ignored)"},
--
-2.50.0
+2.51.0
diff --git a/0005-RH-Disable-signature-verification-with-bad-digests-R.patch b/0005-RH-Disable-signature-verification-with-bad-digests-R.patch
index b52e60b..df06d23 100644
--- a/0005-RH-Disable-signature-verification-with-bad-digests-R.patch
+++ b/0005-RH-Disable-signature-verification-with-bad-digests-R.patch
@@ -1,7 +1,7 @@
-From c99e322d8f8ea6835f2d8aff4ca33d36410c4233 Mon Sep 17 00:00:00 2001
+From c9f17bc73a099735c6e80dd67c93f23175771cb4 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
-Subject: [PATCH 05/53] RH: Disable signature verification with bad digests -
+Subject: [PATCH 05/59] RH: Disable signature verification with bad digests -
REVIEW
Patch-name: 0006-Disable-signature-verification-with-totally-unsafe-h.patch
@@ -30,5 +30,5 @@ index f6cac80962..fbc6ce6e30 100644
const EVP_MD *type = NULL;
--
-2.50.0
+2.51.0
diff --git a/0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch b/0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch
index 99505a3..cf3d6c0 100644
--- a/0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch
+++ b/0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch
@@ -1,7 +1,7 @@
-From f54b7469e2525ea5f03113fad7169bd23fbcab50 Mon Sep 17 00:00:00 2001
+From 61afaf0de1f2c4cd2773f61f3c665e84e1925460 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
-Subject: [PATCH 06/53] RH: Add support for PROFILE SYSTEM system default
+Subject: [PATCH 06/59] RH: Add support for PROFILE SYSTEM system default
cipher
Patch-name: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
@@ -20,10 +20,10 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
7 files changed, 105 insertions(+), 14 deletions(-)
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
-index b1d8b00755..91fd703afa 100644
+index 516f8d62dc..74139ec228 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
-@@ -344,6 +344,10 @@ MANDIR=$(INSTALLTOP)/share/man
+@@ -355,6 +355,10 @@ MANDIR=$(INSTALLTOP)/share/man
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
HTMLDIR=$(DOCDIR)/html
@@ -34,7 +34,7 @@ index b1d8b00755..91fd703afa 100644
# MANSUFFIX is for the benefit of anyone who may want to have a suffix
# appended after the manpage file section number. "ssl" is popular,
# resulting in files such as config.5ssl rather than config.5.
-@@ -367,6 +371,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
+@@ -378,6 +382,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -}
CPPFLAGS={- our $cppflags1 = join(" ",
(map { "-D".$_} @{$config{CPPDEFINES}}),
@@ -317,5 +317,5 @@ index c46e431b00..19d05e860b 100644
ADD_TEST(test_default_cipherlist_clear);
ADD_TEST(test_stdname_cipherlist);
--
-2.50.0
+2.51.0
diff --git a/0007-RH-Add-FIPS_mode-compatibility-macro.patch b/0007-RH-Add-FIPS_mode-compatibility-macro.patch
index 0be56b9..105fc0d 100644
--- a/0007-RH-Add-FIPS_mode-compatibility-macro.patch
+++ b/0007-RH-Add-FIPS_mode-compatibility-macro.patch
@@ -1,7 +1,7 @@
-From 6a1b39542597be9a28f94dad23a8e93285368653 Mon Sep 17 00:00:00 2001
+From fb2c952f82064d747dbecb6ce66365ae4cc03513 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 07/53] RH: Add FIPS_mode compatibility macro
+Subject: [PATCH 07/59] RH: Add FIPS_mode compatibility macro
Patch-name: 0008-Add-FIPS_mode-compatibility-macro.patch
Patch-id: 8
@@ -47,10 +47,10 @@ index 0000000000..4162cbf88e
+# endif
+#endif
diff --git a/test/property_test.c b/test/property_test.c
-index 18f8cc8740..6864b1a3c1 100644
+index e62ff247c4..37489e4694 100644
--- a/test/property_test.c
+++ b/test/property_test.c
-@@ -687,6 +687,19 @@ static int test_property_list_to_string(int i)
+@@ -703,6 +703,19 @@ static int test_property_list_to_string_bounds(void)
return ret;
}
@@ -70,14 +70,14 @@ index 18f8cc8740..6864b1a3c1 100644
int setup_tests(void)
{
ADD_TEST(test_property_string);
-@@ -700,6 +713,7 @@ int setup_tests(void)
+@@ -716,6 +729,7 @@ int setup_tests(void)
ADD_TEST(test_property);
ADD_TEST(test_query_cache_stochastic);
ADD_TEST(test_fips_mode);
+ ADD_TEST(test_downstream_FIPS_mode);
ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests));
+ ADD_TEST(test_property_list_to_string_bounds);
return 1;
- }
--
-2.50.0
+2.51.0
diff --git a/0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch b/0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch
index 06bdbce..cefd4f0 100644
--- a/0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch
+++ b/0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch
@@ -1,7 +1,7 @@
-From 15d44a4f1365532f8ebdf24a69c9da7220d5c704 Mon Sep 17 00:00:00 2001
+From 8d7abff29035508b6208b4742bfaaed42f78ac43 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 08/53] RH: Add Kernel FIPS mode flag support - FIXSTYLE
+Subject: [PATCH 08/59] RH: Add Kernel FIPS mode flag support - FIXSTYLE
Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch
Patch-id: 9
@@ -88,5 +88,5 @@ index 7d94346155..c0f1d00da9 100644
}
# endif
--
-2.50.0
+2.51.0
diff --git a/0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch b/0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch
index ba1900c..c28b18a 100644
--- a/0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch
+++ b/0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch
@@ -1,7 +1,7 @@
-From 68174cf923fbaaa95469e433c29992cd63f24f99 Mon Sep 17 00:00:00 2001
+From 5151c5a45d130075860256989b1f69694f840554 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 09/53] RH: Drop weak curve definitions - RENAMED/SQUASHED
+Subject: [PATCH 09/59] RH: Drop weak curve definitions - RENAMED/SQUASHED
Patch-name: 0010-Add-changes-to-ectest-and-eccurve.patch
Patch-id: 10
@@ -1425,5 +1425,5 @@ index e6a2c9eb59..861c01e177 100644
Ctrl = key-check:0
+Result = KEYGEN_GENERATE_ERROR
--
-2.50.0
+2.51.0
diff --git a/0010-RH-Disable-explicit-ec-curves.patch b/0010-RH-Disable-explicit-ec-curves.patch
index a39a9df..21ce41f 100644
--- a/0010-RH-Disable-explicit-ec-curves.patch
+++ b/0010-RH-Disable-explicit-ec-curves.patch
@@ -1,7 +1,7 @@
-From 6a2b78bca595435fcbf72d7b2c8bec004d555016 Mon Sep 17 00:00:00 2001
+From fdbbe15e433da8556076b84e7612ce5f53f3fa49 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 10/53] RH: Disable explicit ec curves
+Subject: [PATCH 10/59] RH: Disable explicit ec curves
Patch-name: 0012-Disable-explicit-ec.patch
Patch-id: 12
@@ -217,7 +217,7 @@ index 028deb4ed1..85c84f6592 100644
FREE_DOMAIN_KEYS(ECExplicitTriNamedCurve);
FREE_DOMAIN_KEYS(ECExplicitTri2G);
diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
-index 54b143bead..06ec905be0 100644
+index 07dc4b4298..4c47fa68c2 100644
--- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
@@ -133,18 +133,6 @@ AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgiUTxtr5vLVjj
@@ -240,5 +240,5 @@ index 54b143bead..06ec905be0 100644
-----BEGIN PRIVATE KEY-----
MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K
--
-2.50.0
+2.51.0
diff --git a/0011-RH-skipped-tests-EC-curves.patch b/0011-RH-skipped-tests-EC-curves.patch
index d879679..b3547c8 100644
--- a/0011-RH-skipped-tests-EC-curves.patch
+++ b/0011-RH-skipped-tests-EC-curves.patch
@@ -1,7 +1,7 @@
-From 60e56b8d5d031a7169aa4ad07b13bca15faf345b Mon Sep 17 00:00:00 2001
+From 4a0a6c5cc9560438cab41e65948b6da9e63d1123 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 11/53] RH: skipped tests EC curves
+Subject: [PATCH 11/59] RH: skipped tests EC curves
Patch-name: 0013-skipped-tests-EC-curves.patch
Patch-id: 13
@@ -16,10 +16,10 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
4 files changed, 3 insertions(+), 15 deletions(-)
diff --git a/test/recipes/15-test_ec.t b/test/recipes/15-test_ec.t
-index c953fad9f1..906769a12e 100644
+index 9bf946e81b..d6521876e5 100644
--- a/test/recipes/15-test_ec.t
+++ b/test/recipes/15-test_ec.t
-@@ -94,7 +94,7 @@ SKIP: {
+@@ -104,7 +104,7 @@ SKIP: {
subtest 'Check loading of fips and non-fips keys' => sub {
plan skip_all => "FIPS is disabled"
@@ -78,5 +78,5 @@ index f722800e27..26a01786bb 100644
my @basic_cmd = ("cmp_vfy_test",
data_file("server.crt"), data_file("client.crt"),
--
-2.50.0
+2.51.0
diff --git a/0012-RH-skip-quic-pairwise.patch b/0012-RH-skip-quic-pairwise.patch
index 3906238..84dd7ec 100644
--- a/0012-RH-skip-quic-pairwise.patch
+++ b/0012-RH-skip-quic-pairwise.patch
@@ -1,7 +1,7 @@
-From e15f0731f753c279a555c6d5d588dbac8dd3f1e4 Mon Sep 17 00:00:00 2001
+From 82c0d773649909ec1883d43e423f886d6424b9af Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Thu, 7 Mar 2024 17:37:09 +0100
-Subject: [PATCH 12/53] RH: skip quic pairwise
+Subject: [PATCH 12/59] RH: skip quic pairwise
Patch-name: 0115-skip-quic-pairwise.patch
Patch-id: 115
@@ -14,10 +14,10 @@ Patch-status: |
3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/test/quicapitest.c b/test/quicapitest.c
-index b98a940553..3d946ae93c 100644
+index 4e887c13d1..37acf268cc 100644
--- a/test/quicapitest.c
+++ b/test/quicapitest.c
-@@ -2937,7 +2937,9 @@ int setup_tests(void)
+@@ -2916,7 +2916,9 @@ int setup_tests(void)
ADD_TEST(test_cipher_find);
ADD_TEST(test_version);
#if defined(DO_SSL_TRACE_TEST)
@@ -82,5 +82,5 @@ index eaf0dbbb42..21864ad319 100644
"-pairwise", "dsa", "-dsaparam", data_file("dsaparam.pem")])),
"fips provider dsa keygen pairwise failure test");
--
-2.50.0
+2.51.0
diff --git a/0013-RH-version-aliasing.patch b/0013-RH-version-aliasing.patch
index 3ee4695..719de7f 100644
--- a/0013-RH-version-aliasing.patch
+++ b/0013-RH-version-aliasing.patch
@@ -1,7 +1,7 @@
-From 293b5d1bca91e400a9042cc181d17b7facbed71c Mon Sep 17 00:00:00 2001
+From 4fb5c4b21a8052f87e02c941c6e7a0e6f0d9384c Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
-Subject: [PATCH 13/53] RH: version aliasing
+Subject: [PATCH 13/59] RH: version aliasing
Patch-name: 0116-version-aliasing.patch
Patch-id: 116
@@ -79,5 +79,5 @@ index ceb4948839..eab3987a6b 100644
BN_signed_bn2bin 5568 3_2_0 EXIST::FUNCTION:
BN_signed_lebin2bn 5569 3_2_0 EXIST::FUNCTION:
--
-2.50.0
+2.51.0
diff --git a/0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch b/0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch
index 8937c02..14e686d 100644
--- a/0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch
+++ b/0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch
@@ -1,7 +1,7 @@
-From f267ed139ac29efc6d464827024eafb805f06ea2 Mon Sep 17 00:00:00 2001
+From 104697d613232de6a96c2c8323eac721c19dbaa2 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 13 Feb 2025 16:09:09 -0500
-Subject: [PATCH 14/53] RH: Export two symbols for OPENSSL_str[n]casecmp
+Subject: [PATCH 14/59] RH: Export two symbols for OPENSSL_str[n]casecmp
We accidentally exported the symbols with the incorrect verison number
in an early version of RHEL-9 so we need to keep the wrong symbols for
@@ -104,5 +104,5 @@ index eab3987a6b..d377d542db 100644
RAND_set0_public 5559 3_1_0 EXIST::FUNCTION:
RAND_set0_private 5560 3_1_0 EXIST::FUNCTION:
--
-2.50.0
+2.51.0
diff --git a/0015-RH-TMP-KTLS-test-skip.patch b/0015-RH-TMP-KTLS-test-skip.patch
index 58dfd80..747eb81 100644
--- a/0015-RH-TMP-KTLS-test-skip.patch
+++ b/0015-RH-TMP-KTLS-test-skip.patch
@@ -1,7 +1,7 @@
-From 4badd5b30b1caec6c4fd3875cd4c5313ba6095b1 Mon Sep 17 00:00:00 2001
+From 10e7b2643772ca1c4ee069a625754bfeb971d965 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 13 Feb 2025 18:11:19 -0500
-Subject: [PATCH 15/53] RH: TMP KTLS test skip
+Subject: [PATCH 15/59] RH: TMP KTLS test skip
From-dist-git-commit: 83382cc2a09dfcc55d5740fd08fd95c2333a56c9
---
@@ -9,10 +9,10 @@ From-dist-git-commit: 83382cc2a09dfcc55d5740fd08fd95c2333a56c9
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/test/sslapitest.c b/test/sslapitest.c
-index b83dd6c552..250a439137 100644
+index fbe284b9ff..05c5ab256f 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
-@@ -1023,9 +1023,10 @@ static int execute_test_large_message(const SSL_METHOD *smeth,
+@@ -1033,9 +1033,10 @@ static int execute_test_large_message(const SSL_METHOD *smeth,
/* sock must be connected */
static int ktls_chk_platform(int sock)
{
@@ -26,5 +26,5 @@ index b83dd6c552..250a439137 100644
static int ping_pong_query(SSL *clientssl, SSL *serverssl)
--
-2.50.0
+2.51.0
diff --git a/0016-RH-Allow-disabling-of-SHA1-signatures.patch b/0016-RH-Allow-disabling-of-SHA1-signatures.patch
index fedd85d..6fa8bf7 100644
--- a/0016-RH-Allow-disabling-of-SHA1-signatures.patch
+++ b/0016-RH-Allow-disabling-of-SHA1-signatures.patch
@@ -1,7 +1,7 @@
-From 3e6196d5791ce3443f54a379a5fd679c1066c76a Mon Sep 17 00:00:00 2001
+From 6d93803492f19eeeed8cafd4948badf85a7429c4 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 13:07:07 +0200
-Subject: [PATCH 16/53] RH: Allow disabling of SHA1 signatures
+Subject: [PATCH 16/59] RH: Allow disabling of SHA1 signatures
Patch-name: 0049-Allow-disabling-of-SHA1-signatures.patch
Patch-id: 49
@@ -172,7 +172,7 @@ index 0e7fe64cf9..b9d3b6d226 100644
ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
"name=%s, value=%s", oval->name, oval->value);
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
-index d5df497da7..53044238a1 100644
+index c27ed6dbe9..ea1f6cbed3 100644
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c
@@ -15,6 +15,7 @@
@@ -355,7 +355,7 @@ index dd71fd91eb..9019fd2a80 100644
/* Disable the security checks in the default provider */
int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx)
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
-index c5adbf8002..52ed52482d 100644
+index 887f6cbb90..595aed7e07 100644
--- a/providers/implementations/signature/dsa_sig.c
+++ b/providers/implementations/signature/dsa_sig.c
@@ -163,6 +163,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
@@ -367,7 +367,7 @@ index c5adbf8002..52ed52482d 100644
if (md == NULL) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
-index 4018a772ff..04d4009ab5 100644
+index 73bfbf4aa9..88d83275b1 100644
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
@@ -197,13 +197,15 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx,
@@ -390,7 +390,7 @@ index 4018a772ff..04d4009ab5 100644
if (EVP_MD_xof(md)) {
ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
-index e75b90840b..645304b951 100644
+index d8357cfe15..29be5f5028 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -26,6 +26,7 @@
@@ -486,5 +486,5 @@ index d377d542db..c2c55129ae 100644
+ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
+ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
--
-2.50.0
+2.51.0
diff --git a/0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch b/0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch
index 77ab57a..62a4fca 100644
--- a/0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch
+++ b/0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch
@@ -1,7 +1,7 @@
-From 7b1b68328f640d184d6ac769a07aa436b0c3f318 Mon Sep 17 00:00:00 2001
+From 1797d7e47f7bd2a16f56b5f32e31700b871ece30 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:12:33 -0500
-Subject: [PATCH 17/53] FIPS: Red Hat's FIPS module name and version
+Subject: [PATCH 17/59] FIPS: Red Hat's FIPS module name and version
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -9,10 +9,10 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
-index 4b9a057462..1e90f363af 100644
+index e260b5b665..e5d798fd54 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
-@@ -200,13 +200,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
+@@ -201,13 +201,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
OSSL_LIB_CTX_FIPS_PROV_INDEX);
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
@@ -30,5 +30,5 @@ index 4b9a057462..1e90f363af 100644
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
--
-2.50.0
+2.51.0
diff --git a/0018-FIPS-disable-fipsinstall.patch b/0018-FIPS-disable-fipsinstall.patch
index 69d078f..68b00b9 100644
--- a/0018-FIPS-disable-fipsinstall.patch
+++ b/0018-FIPS-disable-fipsinstall.patch
@@ -1,7 +1,7 @@
-From 4e6b86b5130552bfee64c7ecaf045ec00749ecbd Mon Sep 17 00:00:00 2001
+From 08c4167790785c112357fa769b3e0f11654abd2b Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 18/53] FIPS: disable fipsinstall
+Subject: [PATCH 18/59] FIPS: disable fipsinstall
Patch-name: 0034.fipsinstall_disable.patch
Patch-id: 34
@@ -10,15 +10,15 @@ Patch-status: |
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
apps/fipsinstall.c | 3 +
- doc/man1/openssl-fipsinstall.pod.in | 485 +-------------------------
+ doc/man1/openssl-fipsinstall.pod.in | 481 +-------------------------
doc/man1/openssl.pod | 4 -
doc/man5/config.pod | 1 -
- doc/man5/fips_config.pod | 228 +-----------
+ doc/man5/fips_config.pod | 222 +-----------
doc/man7/OSSL_PROVIDER-FIPS.pod | 1 -
test/recipes/00-prep_fipsmodule_cnf.t | 10 +-
test/recipes/01-test_fipsmodule_cnf.t | 7 +-
test/recipes/03-test_fipsinstall.t | 2 +
- 9 files changed, 22 insertions(+), 719 deletions(-)
+ 9 files changed, 22 insertions(+), 709 deletions(-)
mode change 100644 => 100755 test/recipes/00-prep_fipsmodule_cnf.t
mode change 100644 => 100755 test/recipes/01-test_fipsmodule_cnf.t
mode change 100644 => 100755 test/recipes/03-test_fipsinstall.t
@@ -38,10 +38,10 @@ index 0daa55a1b8..b4e29ac301 100644
goto end;
diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in
-index 9dd4f5a49f..9a063022a9 100644
+index d44b4a7dac..1c6b783413 100644
--- a/doc/man1/openssl-fipsinstall.pod.in
+++ b/doc/man1/openssl-fipsinstall.pod.in
-@@ -8,488 +8,9 @@ openssl-fipsinstall - perform FIPS configuration installation
+@@ -8,484 +8,9 @@ openssl-fipsinstall - perform FIPS configuration installation
=head1 SYNOPSIS
B<openssl fipsinstall>
@@ -274,9 +274,7 @@ index 9dd4f5a49f..9a063022a9 100644
-
-=item B<-hkdf_digest_check>
-
--Configure the module to enable a run-time digest check when deriving a key by
--HKDF.
--See NIST SP 800-56Cr2 for details.
+-This option is deprecated.
-
-=item B<-tls13_kdf_digest_check>
-
@@ -298,9 +296,7 @@ index 9dd4f5a49f..9a063022a9 100644
-
-=item B<-sskdf_digest_check>
-
--Configure the module to enable a run-time digest check when deriving a key by
--SSKDF.
--See NIST SP 800-56Cr2 for details.
+-This option is deprecated.
-
-=item B<-x963kdf_digest_check>
-
@@ -561,10 +557,10 @@ index b994081924..7a6d7fab4a 100644
L<EVP_set_default_properties(3)>,
L<CONF_modules_load(3)>,
diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod
-index a25ced3383..15748c5756 100644
+index c3f7b8f3ab..2505938c13 100644
--- a/doc/man5/fips_config.pod
+++ b/doc/man5/fips_config.pod
-@@ -6,230 +6,10 @@ fips_config - OpenSSL FIPS configuration
+@@ -6,224 +6,10 @@ fips_config - OpenSSL FIPS configuration
=head1 DESCRIPTION
@@ -624,17 +620,11 @@ index a25ced3383..15748c5756 100644
-
-=item B<install-status>
-
--An indicator that the self-tests were successfully run.
--This should only be written after the module has
--successfully passed its self tests during installation.
--If this field is not present, then the self tests will run when the module
--loads.
+-This field is deprecated and is no longer used.
-
-=item B<install-mac>
-
--A MAC of the value of the B<install-status> option, to prevent accidental
--changes to that value.
--It is written-to at the same time as B<install-status> is updated.
+-This field is deprecated and is no longer used.
-
-=back
-
@@ -674,7 +664,7 @@ index a25ced3383..15748c5756 100644
-
-=item B<hkdf-digest-check>
-
--See L<openssl-fipsinstall(1)/OPTIONS> B<-hkdf_digest_check>
+-This option is deprecated.
-
-=item B<tls13-kdf-digest-check>
-
@@ -690,7 +680,7 @@ index a25ced3383..15748c5756 100644
-
-=item B<sskdf-digest-check>
-
--See L<openssl-fipsinstall(1)/OPTIONS> B<-sskdf_digest_check>
+-This option is deprecated.
-
-=item B<x963kdf-digest-check>
-
@@ -800,10 +790,10 @@ index a25ced3383..15748c5756 100644
=head1 COPYRIGHT
diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod
-index 571a1e99e0..1e384a4ff3 100644
+index d14005a89a..c3797f5682 100644
--- a/doc/man7/OSSL_PROVIDER-FIPS.pod
+++ b/doc/man7/OSSL_PROVIDER-FIPS.pod
-@@ -588,7 +588,6 @@ process.
+@@ -574,7 +574,6 @@ process.
=head1 SEE ALSO
@@ -853,7 +843,7 @@ index ce594817d5..4530a46dd0
diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t
old mode 100644
new mode 100755
-index 1f9110ef60..7e80637bd5
+index 3dcbe67c6d..1a5a475d91
--- a/test/recipes/03-test_fipsinstall.t
+++ b/test/recipes/03-test_fipsinstall.t
@@ -22,6 +22,8 @@ use lib srctop_dir('Configurations');
@@ -866,5 +856,5 @@ index 1f9110ef60..7e80637bd5
# Compatible options for pedantic FIPS compliance
--
-2.50.0
+2.51.0
diff --git a/0019-FIPS-Force-fips-provider-on.patch b/0019-FIPS-Force-fips-provider-on.patch
index a931116..4ab1f7d 100644
--- a/0019-FIPS-Force-fips-provider-on.patch
+++ b/0019-FIPS-Force-fips-provider-on.patch
@@ -1,7 +1,7 @@
-From a8e98667597d46e69e492779b9d5daa051f6b3b3 Mon Sep 17 00:00:00 2001
+From 91efb2e81287745f7a2817211d00ca5a41f4e8ba Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 19/53] FIPS: Force fips provider on
+Subject: [PATCH 19/59] FIPS: Force fips provider on
Patch-name: 0032-Force-fips.patch
Patch-id: 32
@@ -75,5 +75,5 @@ index 9649517dd2..1e5053cbce 100644
}
--
-2.50.0
+2.51.0
diff --git a/0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch b/0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch
index ecb98c7..f0bd30a 100644
--- a/0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch
+++ b/0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch
@@ -1,7 +1,7 @@
-From fff4084252d07eb17e3b944c6438c00aec471c7f Mon Sep 17 00:00:00 2001
+From f2fc8dd1549cd4662ad073d8d9689eaa0747385a Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 20/53] FIPS: INTEG-CHECK: Embed hmac in fips.so - NOTE
+Subject: [PATCH 20/59] FIPS: INTEG-CHECK: Embed hmac in fips.so - NOTE
Corrected by squashing in:
0052-Restore-the-correct-verify_integrity-function.patch
@@ -20,7 +20,7 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
create mode 100644 test/fipsmodule.cnf
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
-index ef7be26ca7..8b17b8ca94 100644
+index 456efd139e..c89e91b587 100644
--- a/providers/fips/self_test.c
+++ b/providers/fips/self_test.c
@@ -235,13 +235,137 @@ err:
@@ -261,5 +261,5 @@ index 0000000000..f05d0dedbe
+[fips_sect]
+activate = 1
--
-2.50.0
+2.51.0
diff --git a/0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch b/0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch
index cce845d..21cd432 100644
--- a/0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch
+++ b/0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch
@@ -1,7 +1,7 @@
-From 9633d1339e383fdb008c25635baa86c58b3dcdc4 Mon Sep 17 00:00:00 2001
+From 11959719a0acee26ca505c79f89af7fc5aeca011 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 20 Feb 2025 15:30:32 -0500
-Subject: [PATCH 21/53] FIPS: INTEG-CHECK: Add script to hmac-ify fips.so
+Subject: [PATCH 21/59] FIPS: INTEG-CHECK: Add script to hmac-ify fips.so
This script rewrites the fips.so binary to embed the hmac result into it
so that after a build it can be called to make the fips.so as modified
@@ -28,5 +28,5 @@ index 0000000000..54ae60b07f
+objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
+mv providers/fips.so.mac providers/fips.so
--
-2.50.0
+2.51.0
diff --git a/0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch b/0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch
index a66c84a..8302ce5 100644
--- a/0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch
+++ b/0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch
@@ -1,7 +1,7 @@
-From 391ce06974d5efaf8485ac2386a857d7644db30a Mon Sep 17 00:00:00 2001
+From 2ec805ecc3c89c4db5dea64b2b1f9be756595347 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 22/53] FIPS: INTEG-CHECK: Execute KATS before HMAC - REVIEW
+Subject: [PATCH 22/59] FIPS: INTEG-CHECK: Execute KATS before HMAC - REVIEW
Patch-name: 0047-FIPS-early-KATS.patch
Patch-id: 47
@@ -13,7 +13,7 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
-index 8b17b8ca94..0f5074936f 100644
+index c89e91b587..98bf6ad203 100644
--- a/providers/fips/self_test.c
+++ b/providers/fips/self_test.c
@@ -489,6 +489,15 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
@@ -45,5 +45,5 @@ index 8b17b8ca94..0f5074936f 100644
rng = ossl_rand_get0_private_noncreating(st->libctx);
if (rng != NULL)
--
-2.50.0
+2.51.0
diff --git a/0023-FIPS-RSA-encrypt-limits-REVIEW.patch b/0023-FIPS-RSA-encrypt-limits-REVIEW.patch
index 1ae9587..5976d4c 100644
--- a/0023-FIPS-RSA-encrypt-limits-REVIEW.patch
+++ b/0023-FIPS-RSA-encrypt-limits-REVIEW.patch
@@ -1,7 +1,7 @@
-From 821f291d29bf73802287ed74922e1d22d840cb46 Mon Sep 17 00:00:00 2001
+From decf5f9abf903fc3609d1aaaf84b9d437afb4072 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 23/53] FIPS: RSA: encrypt limits - REVIEW
+Subject: [PATCH 23/59] FIPS: RSA: encrypt limits - REVIEW
Patch-name: 0058-FIPS-limit-rsa-encrypt.patch
Patch-id: 58
@@ -44,12 +44,12 @@ index 78f9fc0655..6bd783eb0a 100644
OSSL_FIPS_PARAM(rsa_sign_x931_disallowed, RSA_SIGN_X931_PAD_DISABLED, 0)
OSSL_FIPS_PARAM(hkdf_key_check, HKDF_KEY_CHECK, 0)
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
-index 6ee127caff..2a7c2f159e 100644
+index e6b676d0f8..6d6650bd81 100644
--- a/providers/implementations/asymciphers/rsa_enc.c
+++ b/providers/implementations/asymciphers/rsa_enc.c
-@@ -168,6 +168,18 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
+@@ -174,6 +174,18 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
+ return 0;
}
- #endif
+# ifdef FIPS_MODULE
+ if (prsactx->pad_mode == RSA_NO_PADDING) {
@@ -64,9 +64,9 @@ index 6ee127caff..2a7c2f159e 100644
+# endif
+
if (out == NULL) {
- size_t len = RSA_size(prsactx->rsa);
-
-@@ -230,6 +242,20 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
+ *outlen = len;
+ return 1;
+@@ -235,6 +247,20 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
if (!ossl_prov_is_running())
return 0;
@@ -911,10 +911,10 @@ index 18e11bdaa9..17ceb59148 100644
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
-index 5c967c5818..d13dceaac5 100644
+index 4031dbec77..92a48a09c6 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
-@@ -250,7 +250,7 @@ my @smime_pkcs7_tests = (
+@@ -267,7 +267,7 @@ my @smime_pkcs7_tests = (
if ($no_fips || $old_fips) {
push(@smime_pkcs7_tests,
@@ -923,7 +923,7 @@ index 5c967c5818..d13dceaac5 100644
[ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
"-aes256", "-stream", "-out", "{output}.cms",
$smrsa1,
-@@ -1267,6 +1267,9 @@ sub check_availability {
+@@ -1284,6 +1284,9 @@ sub check_availability {
return "$tnam: skipped, DSA disabled\n"
if ($no_dsa && $tnam =~ / DSA/);
@@ -981,5 +981,5 @@ index f7be2e1872..568a1ddba4
}
next if $protocol eq "-tls1_3";
--
-2.50.0
+2.51.0
diff --git a/0024-FIPS-RSA-PCTs.patch b/0024-FIPS-RSA-PCTs.patch
index 8f0c1a2..2c3eca1 100644
--- a/0024-FIPS-RSA-PCTs.patch
+++ b/0024-FIPS-RSA-PCTs.patch
@@ -1,7 +1,7 @@
-From 84dc66a182dba38876b2b519a8a5c9d38fd967a3 Mon Sep 17 00:00:00 2001
+From e19989c58ad6450428ee68fa4d81e022925872c1 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 24 Mar 2025 10:50:37 -0400
-Subject: [PATCH 24/53] FIPS: RSA: PCTs
+Subject: [PATCH 24/59] FIPS: RSA: PCTs
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -10,10 +10,10 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
2 files changed, 61 insertions(+), 4 deletions(-)
diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c
-index 77d0950094..f0e71beb43 100644
+index cd74275d60..52087abff6 100644
--- a/providers/implementations/keymgmt/rsa_kmgmt.c
+++ b/providers/implementations/keymgmt/rsa_kmgmt.c
-@@ -433,6 +433,7 @@ struct rsa_gen_ctx {
+@@ -434,6 +434,7 @@ struct rsa_gen_ctx {
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
/* ACVP test parameters */
OSSL_PARAM *acvp_test_params;
@@ -21,7 +21,7 @@ index 77d0950094..f0e71beb43 100644
#endif
};
-@@ -446,6 +447,12 @@ static int rsa_gencb(int p, int n, BN_GENCB *cb)
+@@ -447,6 +448,12 @@ static int rsa_gencb(int p, int n, BN_GENCB *cb)
return gctx->cb(params, gctx->cbarg);
}
@@ -34,7 +34,7 @@ index 77d0950094..f0e71beb43 100644
static void *gen_init(void *provctx, int selection, int rsa_type,
const OSSL_PARAM params[])
{
-@@ -473,6 +480,10 @@ static void *gen_init(void *provctx, int selection, int rsa_type,
+@@ -474,6 +481,10 @@ static void *gen_init(void *provctx, int selection, int rsa_type,
if (!rsa_gen_set_params(gctx, params))
goto err;
@@ -45,7 +45,7 @@ index 77d0950094..f0e71beb43 100644
return gctx;
err:
-@@ -629,6 +640,11 @@ static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
+@@ -630,6 +641,11 @@ static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
rsa = rsa_tmp;
rsa_tmp = NULL;
@@ -57,7 +57,7 @@ index 77d0950094..f0e71beb43 100644
err:
BN_GENCB_free(gencb);
RSA_free(rsa_tmp);
-@@ -644,6 +660,8 @@ static void rsa_gen_cleanup(void *genctx)
+@@ -645,6 +661,8 @@ static void rsa_gen_cleanup(void *genctx)
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params);
gctx->acvp_test_params = NULL;
@@ -67,7 +67,7 @@ index 77d0950094..f0e71beb43 100644
BN_clear_free(gctx->pub_exp);
OPENSSL_free(gctx);
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
-index 645304b951..3d5af1046a 100644
+index 29be5f5028..670125464e 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -37,7 +37,7 @@
@@ -153,5 +153,5 @@ index 645304b951..3d5af1046a 100644
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
--
-2.50.0
+2.51.0
diff --git a/0025-FIPS-RSA-encapsulate-limits.patch b/0025-FIPS-RSA-encapsulate-limits.patch
index 06591da..7aa84db 100644
--- a/0025-FIPS-RSA-encapsulate-limits.patch
+++ b/0025-FIPS-RSA-encapsulate-limits.patch
@@ -1,7 +1,7 @@
-From 0e23d3fc43bf4ace817542443d772407a809dd19 Mon Sep 17 00:00:00 2001
+From 178f344c1bad06adc0fe187fb24da2b036cc3628 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
-Subject: [PATCH 25/53] FIPS: RSA: encapsulate limits
+Subject: [PATCH 25/59] FIPS: RSA: encapsulate limits
Patch-name: 0091-FIPS-RSA-encapsulate.patch
Patch-id: 91
@@ -55,5 +55,5 @@ index ecab1454e7..8e5edd35fe 100644
Op = RSASVE
+Result = TEST_ENCAPSULATE_LEN_ERROR
--
-2.50.0
+2.51.0
diff --git a/0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch b/0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch
index 9a592fa..9dd08fa 100644
--- a/0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch
+++ b/0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch
@@ -1,7 +1,7 @@
-From bb269a8f52e1be87144247772e2425b2f4911bee Mon Sep 17 00:00:00 2001
+From 4d1abf9cc029a713b4bf433af06d3c6507ae2ebc Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
-Subject: [PATCH 26/53] FIPS: RSA: Disallow SHAKE in OAEP and PSS
+Subject: [PATCH 26/59] FIPS: RSA: Disallow SHAKE in OAEP and PSS
According to FIPS 140-3 IG, section C.C, the SHAKE digest algorithms
must not be used in higher-level algorithms (such as RSA-OAEP and
@@ -93,5 +93,5 @@ index a2bc198a89..2833ca50f3 100644
if (hLen <= 0)
goto err;
--
-2.50.0
+2.51.0
diff --git a/0027-FIPS-RSA-size-mode-restrictions.patch b/0027-FIPS-RSA-size-mode-restrictions.patch
index ca83feb..654f678 100644
--- a/0027-FIPS-RSA-size-mode-restrictions.patch
+++ b/0027-FIPS-RSA-size-mode-restrictions.patch
@@ -1,7 +1,7 @@
-From f177c315c190537fe6a1bb0620024ae86bb95c8a Mon Sep 17 00:00:00 2001
+From 564140b9980fba626d7b52c6072b1d9cb87150da Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:20:30 -0500
-Subject: [PATCH 27/53] FIPS: RSA: size/mode restrictions
+Subject: [PATCH 27/59] FIPS: RSA: size/mode restrictions
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -12,7 +12,7 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
4 files changed, 86 insertions(+), 4 deletions(-)
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
-index 3d5af1046a..09c202f87c 100644
+index 670125464e..664c59d2ef 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -939,6 +939,19 @@ static int rsa_verify_recover(void *vprsactx,
@@ -437,5 +437,5 @@ index 17ceb59148..972e90f32f 100644
# Signing with SHA1 is not allowed in fips mode
Availablein = fips
--
-2.50.0
+2.51.0
diff --git a/0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch b/0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch
index 068dc29..cea491f 100644
--- a/0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch
+++ b/0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch
@@ -1,7 +1,7 @@
-From bc8584fab56834724a8aa70aba1c1f56f1d794e2 Mon Sep 17 00:00:00 2001
+From 84323511d9558acb40614ca7cd19436901b02629 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 24 Mar 2025 11:03:45 -0400
-Subject: [PATCH 28/53] FIPS: RSA: Mark x931 as not approved by default
+Subject: [PATCH 28/59] FIPS: RSA: Mark x931 as not approved by default
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -22,5 +22,5 @@ index 6bd783eb0a..c1b029de86 100644
OSSL_FIPS_PARAM(kbkdf_key_check, KBKDF_KEY_CHECK, 0)
OSSL_FIPS_PARAM(tls13_kdf_key_check, TLS13_KDF_KEY_CHECK, 0)
--
-2.50.0
+2.51.0
diff --git a/0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch b/0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch
index 40a7f4c..feda848 100644
--- a/0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch
+++ b/0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch
@@ -1,7 +1,7 @@
-From 7a34ce0dbb64dd29e412dffb0628815eed4a8b96 Mon Sep 17 00:00:00 2001
+From be283ef7233549606bd5f2222c94e2bed92c4a6d Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:16 +0100
-Subject: [PATCH 29/53] FIPS: RSA: Remove X9.31 padding signatures tests
+Subject: [PATCH 29/59] FIPS: RSA: Remove X9.31 padding signatures tests
The current draft of FIPS 186-5 [1] no longer contains specifications
for X9.31 signature padding. Instead, it contains the following
@@ -278,5 +278,5 @@ index 97ec1ff3e5..31fa0eafc6 100644
"pss",
4096,
--
-2.50.0
+2.51.0
diff --git a/0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch b/0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch
index eac058b..0727a78 100644
--- a/0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch
+++ b/0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch
@@ -1,7 +1,7 @@
-From c031855ff636806e7811513779e494b92808a1e4 Mon Sep 17 00:00:00 2001
+From dcf7af9b6a78929682a539c30c388d6329460fde Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 12 Feb 2025 17:12:02 -0500
-Subject: [PATCH 30/53] FIPS: RSA: NEEDS-REWORK:
+Subject: [PATCH 30/59] FIPS: RSA: NEEDS-REWORK:
FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed
Signed-off-by: Simo Sorce <simo@redhat.com>
@@ -383,5 +383,5 @@ index 0000000000..2833a383c1
+--
+
--
-2.50.0
+2.51.0
diff --git a/0031-FIPS-Deny-SHA-1-signature-verification.patch b/0031-FIPS-Deny-SHA-1-signature-verification.patch
index 97b612a..77dc5f3 100644
--- a/0031-FIPS-Deny-SHA-1-signature-verification.patch
+++ b/0031-FIPS-Deny-SHA-1-signature-verification.patch
@@ -1,7 +1,7 @@
-From 5fd8ab23690e661f785336b95799e74b39089790 Mon Sep 17 00:00:00 2001
+From 7e1051bf5a1fb9c3b10e1485550d663b2b1f3ba6 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 31/53] FIPS: Deny SHA-1 signature verification
+Subject: [PATCH 31/59] FIPS: Deny SHA-1 signature verification
For RHEL, we already disable SHA-1 signatures by default in the default
provider, so it is unexpected that the FIPS provider would have a more
@@ -42,7 +42,7 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
8 files changed, 130 insertions(+), 27 deletions(-)
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
-index 52ed52482d..0d3050dbe9 100644
+index 595aed7e07..42085e5ade 100644
--- a/providers/implementations/signature/dsa_sig.c
+++ b/providers/implementations/signature/dsa_sig.c
@@ -187,9 +187,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
@@ -57,7 +57,7 @@ index 52ed52482d..0d3050dbe9 100644
if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
OSSL_FIPS_IND_SETTABLE1,
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
-index 04d4009ab5..4e46eaf9bc 100644
+index 88d83275b1..01b3023891 100644
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
@@ -214,9 +214,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx,
@@ -72,7 +72,7 @@ index 04d4009ab5..4e46eaf9bc 100644
if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
OSSL_FIPS_IND_SETTABLE1,
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
-index 09c202f87c..014b17fe49 100644
+index 664c59d2ef..1e2394eb7d 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -407,9 +407,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
@@ -103,7 +103,7 @@ index 09c202f87c..014b17fe49 100644
if (pmgf1mdname != NULL
diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
-index 06ec905be0..1602f0c521 100644
+index 4c47fa68c2..484668440f 100644
--- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
@@ -37,12 +37,14 @@ PrivPubKeyPair = P-256:P-256-PUBLIC
@@ -176,8 +176,8 @@ index 06ec905be0..1602f0c521 100644
-Result = KEYOP_MISMATCH
+Result = PKEY_CTRL_ERROR
- Title = XOF disallowed
-
+ FIPSversion = >=3.6.0
+ Sign = P-256
diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt
index 0ff482e4e8..d407ea1ca8 100644
--- a/test/recipes/30-test_evp_data/evppkey_ecdsa_sigalg.txt
@@ -660,10 +660,10 @@ index 972e90f32f..61e2b4e3ac 100644
Availablein = fips
FIPSversion = >=3.4.0
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
-index d13dceaac5..ece29485f4 100644
+index 92a48a09c6..cf4541449b 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
-@@ -174,7 +174,7 @@ my @smime_pkcs7_tests = (
+@@ -183,7 +183,7 @@ my @smime_pkcs7_tests = (
[ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1",
"-certfile", $smroot,
"-signer", $smrsa1, "-out", "{output}.cms" ],
@@ -672,7 +672,7 @@ index d13dceaac5..ece29485f4 100644
"-CAfile", $smroot, "-out", "{output}.txt" ],
\&final_compare
],
-@@ -182,7 +182,7 @@ my @smime_pkcs7_tests = (
+@@ -191,7 +191,7 @@ my @smime_pkcs7_tests = (
[ "signed zero-length content S/MIME format, RSA key SHA1",
[ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1",
"-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
@@ -704,5 +704,5 @@ index 568a1ddba4..6332aaec4b 100755
SKIP: {
skip "No IPv4 available on this machine", 4
--
-2.50.0
+2.51.0
diff --git a/0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch b/0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch
index 5430a7a..d4f500a 100644
--- a/0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch
+++ b/0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch
@@ -1,7 +1,7 @@
-From 85acc91ca970f6509e67c93b46be12cf261bd3ad Mon Sep 17 00:00:00 2001
+From 0e25cdf0be520bcca8e8673e015f938947217d28 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:16 +0100
-Subject: [PATCH 32/53] FIPS: RAND: FIPS-140-3 DRBG - NEEDS REVIEW
+Subject: [PATCH 32/59] FIPS: RAND: FIPS-140-3 DRBG - NEEDS REVIEW
providers/implementations/rands/crngt.c is gone
@@ -154,5 +154,5 @@ index c3a5d8b3bf..b7b34a9345 100644
# endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
--
-2.50.0
+2.51.0
diff --git a/0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch b/0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch
index 86a363b..d22e38b 100644
--- a/0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch
+++ b/0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch
@@ -1,7 +1,7 @@
-From d2369dfc75e2b121650bc51f5ac3e0e7c9b75a29 Mon Sep 17 00:00:00 2001
+From d0cef8f6f866d1fa37fd1d673e25adba210a3ad3 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:16 +0100
-Subject: [PATCH 33/53] FIPS: RAND: Forbid truncated hashes & SHA-3
+Subject: [PATCH 33/59] FIPS: RAND: Forbid truncated hashes & SHA-3
Section D.R "Hash Functions Acceptable for Use in the SP 800-90A DRBGs"
of the Implementation Guidance for FIPS 140-3 [1] notes that there is no
@@ -1191,5 +1191,5 @@ index 9756859c0e..9baecf6f31 100644
+#Nonce.0 = 15e32abbae6b7433
+#Output.0 = ee9f
--
-2.50.0
+2.51.0
diff --git a/0034-FIPS-PBKDF2-Set-minimum-password-length.patch b/0034-FIPS-PBKDF2-Set-minimum-password-length.patch
index 936afd1..10999a6 100644
--- a/0034-FIPS-PBKDF2-Set-minimum-password-length.patch
+++ b/0034-FIPS-PBKDF2-Set-minimum-password-length.patch
@@ -1,7 +1,7 @@
-From 1a83f0de8b9aaa1cf5727f0599b089346ffd89f4 Mon Sep 17 00:00:00 2001
+From c72f83a3c8f66e7d6848bf8b67b66fecb9aefe6f Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
-Subject: [PATCH 34/53] FIPS: PBKDF2: Set minimum password length
+Subject: [PATCH 34/59] FIPS: PBKDF2: Set minimum password length
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -117,5 +117,5 @@ index b383314064..68f9355b7d 100644
if (!passed) {
ERR_raise(ERR_LIB_PROV, error);
--
-2.50.0
+2.51.0
diff --git a/0035-FIPS-DH-PCT.patch b/0035-FIPS-DH-PCT.patch
index e7ab885..52883a6 100644
--- a/0035-FIPS-DH-PCT.patch
+++ b/0035-FIPS-DH-PCT.patch
@@ -1,7 +1,7 @@
-From 5276208d8cb9a1504ec5a4f9a9d554daf7918731 Mon Sep 17 00:00:00 2001
+From d982e6a817871b174732027eed8b750aa9f8ae4b Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 24 Mar 2025 10:49:00 -0400
-Subject: [PATCH 35/53] FIPS: DH: PCT
+Subject: [PATCH 35/59] FIPS: DH: PCT
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -9,7 +9,7 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
1 file changed, 26 insertions(+)
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
-index 7132b9b68e..189bfc3e8b 100644
+index 052d4d29ed..ace02bb0db 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
@@ -46,7 +46,7 @@ index 7132b9b68e..189bfc3e8b 100644
if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
-@@ -369,8 +382,21 @@ static int generate_key(DH *dh)
+@@ -371,8 +384,21 @@ static int generate_key(DH *dh)
if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key))
goto err;
@@ -60,7 +60,7 @@ index 7132b9b68e..189bfc3e8b 100644
dh->pub_key = pub_key;
dh->priv_key = priv_key;
+#ifdef FIPS_MODULE
-+ if (ossl_dh_check_pairwise(dh) <= 0) {
++ if (ossl_dh_check_pairwise(dh, 0) <= 0) {
+ abort();
+ }
+#endif
@@ -69,5 +69,5 @@ index 7132b9b68e..189bfc3e8b 100644
ok = 1;
err:
--
-2.50.0
+2.51.0
diff --git a/0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch b/0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch
index 191985f..8cc3a3d 100644
--- a/0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch
+++ b/0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch
@@ -1,7 +1,7 @@
-From ad3ca70961e0067afd8c8b386fdcc61a576ac11b Mon Sep 17 00:00:00 2001
+From 3f8b36370630e57ad848be5d804df4169d6a35a2 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
-Subject: [PATCH 36/53] FIPS: DH: Disable FIPS 186-4 type parameters
+Subject: [PATCH 36/59] FIPS: DH: Disable FIPS 186-4 type parameters
For DH parameter and key pair generation/verification, the DSA
procedures specified in FIPS 186-4 are used. With the release of FIPS
@@ -60,10 +60,10 @@ index 1aaa88daca..aa3a491799 100644
OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_PRIV_LEN);
if (param_priv_len != NULL
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
-index ae23f61839..6e30a9b735 100644
+index 2d899dc96f..a4e6d1dd18 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
-@@ -57,13 +57,15 @@ int DH_check_params(const DH *dh, int *ret)
+@@ -58,13 +58,15 @@ int DH_check_params(const DH *dh, int *ret)
nid = DH_get_nid((DH *)dh);
if (nid != NID_undef)
return 1;
@@ -118,7 +118,7 @@ index b73bfb7f3b..275ce2c1af 100644
dh->dirty_cnt++;
return ret;
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
-index 189bfc3e8b..023d628502 100644
+index ace02bb0db..f505f2fa87 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -336,8 +336,12 @@ static int generate_key(DH *dh)
@@ -135,8 +135,8 @@ index 189bfc3e8b..023d628502 100644
+ goto err;
#else
if (dh->params.q == NULL) {
- /* secret exponent length, must satisfy 2^(l-1) <= p */
-@@ -358,9 +362,7 @@ static int generate_key(DH *dh)
+ /* secret exponent length, must satisfy 2^l < (p-1)/2 */
+@@ -360,9 +364,7 @@ static int generate_key(DH *dh)
if (!BN_clear_bit(priv_key, 0))
goto err;
}
@@ -147,7 +147,7 @@ index 189bfc3e8b..023d628502 100644
/* Do a partial check for invalid p, q, g */
if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params,
FFC_PARAM_TYPE_DH, NULL))
-@@ -376,6 +378,7 @@ static int generate_key(DH *dh)
+@@ -378,6 +380,7 @@ static int generate_key(DH *dh)
priv_key))
goto err;
}
@@ -156,7 +156,7 @@ index 189bfc3e8b..023d628502 100644
}
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
-index 3b75a537b3..6ea7a423d5 100644
+index 74bef9370d..c2c910b9c8 100644
--- a/crypto/dh/dh_pmeth.c
+++ b/crypto/dh/dh_pmeth.c
@@ -303,13 +303,17 @@ static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx,
@@ -181,10 +181,10 @@ index 3b75a537b3..6ea7a423d5 100644
DH_free(ret);
return NULL;
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
-index c2ee859355..51c21e436f 100644
+index 0e9e837383..f1eabf071a 100644
--- a/providers/implementations/keymgmt/dh_kmgmt.c
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
-@@ -420,6 +420,11 @@ static int dh_validate(const void *keydata, int selection, int checktype)
+@@ -422,6 +422,11 @@ static int dh_validate(const void *keydata, int selection, int checktype)
if ((selection & DH_POSSIBLE_SELECTIONS) == 0)
return 1; /* nothing to validate */
@@ -326,5 +326,5 @@ index 6332aaec4b..4d8c900c00 100755
'test sslv2/sslv3 with 1024bit DHE via BIO pair');
}
--
-2.50.0
+2.51.0
diff --git a/0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch b/0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch
index ebeba13..74486aa 100644
--- a/0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch
+++ b/0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch
@@ -1,7 +1,7 @@
-From 14cddfc71e0eae69aafdf84c1dfb073bb69942f1 Mon Sep 17 00:00:00 2001
+From 9c9716b7a631ef8e3087a3ddec967b18d5c46a1f Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
-Subject: [PATCH 37/53] FIPS: TLS: Enforce EMS in TLS 1.2 - NOTE
+Subject: [PATCH 37/59] FIPS: TLS: Enforce EMS in TLS 1.2 - NOTE
NOTE: Enforcement of EMS in non-FIPS mode has been dropped due to code
change the option to enforce it seem to be available only in FIPS build
@@ -39,7 +39,7 @@ index 9338ffc01d..911ea21a68 100644
default. Inverse of B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>: that is,
B<-CANames> is the same as setting B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>.
diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod
-index 15748c5756..34cbfbb2ad 100644
+index 2505938c13..3887c54f0e 100644
--- a/doc/man5/fips_config.pod
+++ b/doc/man5/fips_config.pod
@@ -11,6 +11,19 @@ automatically loaded when the system is booted in FIPS mode, or when the
@@ -61,7 +61,7 @@ index 15748c5756..34cbfbb2ad 100644
+
=head1 COPYRIGHT
- Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
+ Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index d1b00e8454..b815f25dae 100644
--- a/include/openssl/ssl.h.in
@@ -175,10 +175,10 @@ index 50944328cb..edb2e81273 100644
KDF = TLS1-PRF
Ctrl.digest = digest:SHA256
diff --git a/test/sslapitest.c b/test/sslapitest.c
-index 250a439137..acc4751095 100644
+index 05c5ab256f..4373bc2865 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
-@@ -575,7 +575,7 @@ static int test_client_cert_verify_cb(void)
+@@ -585,7 +585,7 @@ static int test_client_cert_verify_cb(void)
STACK_OF(X509) *server_chain;
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
@@ -188,5 +188,5 @@ index 250a439137..acc4751095 100644
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(), TLS1_VERSION, 0,
--
-2.50.0
+2.51.0
diff --git a/0038-FIPS-CMS-Set-default-padding-to-OAEP.patch b/0038-FIPS-CMS-Set-default-padding-to-OAEP.patch
index 3b9b627..7c7f947 100644
--- a/0038-FIPS-CMS-Set-default-padding-to-OAEP.patch
+++ b/0038-FIPS-CMS-Set-default-padding-to-OAEP.patch
@@ -1,7 +1,7 @@
-From ecc156faf9f4d65fd73a8ef7d8ec87f5b4c0ab88 Mon Sep 17 00:00:00 2001
+From 12f5ab8b6d98cf8f2db35bebc48140b61a66fb35 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 13 Feb 2025 18:08:34 -0500
-Subject: [PATCH 38/53] FIPS: CMS: Set default padding to OAEP
+Subject: [PATCH 38/59] FIPS: CMS: Set default padding to OAEP
From-dist-git-commit: d508cbed930481c1960d6a6bc1e1a9593252dbbe
---
@@ -10,7 +10,7 @@ From-dist-git-commit: d508cbed930481c1960d6a6bc1e1a9593252dbbe
2 files changed, 11 insertions(+)
diff --git a/apps/cms.c b/apps/cms.c
-index 919d306ff6..b4950df759 100644
+index 6f19414880..4019d7373e 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -20,6 +20,7 @@
@@ -57,5 +57,5 @@ index 375239c78d..e09ad03ece 100644
if (EVP_PKEY_encrypt(pctx, NULL, &eklen, ec->key, ec->keylen) <= 0)
--
-2.50.0
+2.51.0
diff --git a/0039-FIPS-PKCS12-PBMAC1-defaults.patch b/0039-FIPS-PKCS12-PBMAC1-defaults.patch
index b26bfaf..c314b99 100644
--- a/0039-FIPS-PKCS12-PBMAC1-defaults.patch
+++ b/0039-FIPS-PKCS12-PBMAC1-defaults.patch
@@ -1,7 +1,7 @@
-From 16b5a03db729e5977ab88b3107f99586be34006b Mon Sep 17 00:00:00 2001
+From c791ad4131fb11dc96013abc8e247cbbec5ba8ee Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 13 Feb 2025 18:16:29 -0500
-Subject: [PATCH 39/53] FIPS: PKCS12: PBMAC1 defaults
+Subject: [PATCH 39/59] FIPS: PKCS12: PBMAC1 defaults
From-dist-git-commit: 8fc2d4842385584094d57f6f66fcbc2a07865708
---
@@ -31,5 +31,5 @@ index 9964faf21a..59439a8cc0 100644
if (!PKCS12_set_pbmac1_pbkdf2(p12, mpass, -1, NULL,
macsaltlen, maciter,
--
-2.50.0
+2.51.0
diff --git a/0040-FIPS-Fix-encoder-decoder-negative-test.patch b/0040-FIPS-Fix-encoder-decoder-negative-test.patch
index e98b350..b78e101 100644
--- a/0040-FIPS-Fix-encoder-decoder-negative-test.patch
+++ b/0040-FIPS-Fix-encoder-decoder-negative-test.patch
@@ -1,7 +1,7 @@
-From eea9e6867012efa55d7ae48ab9a87fd0da382b6b Mon Sep 17 00:00:00 2001
+From 4691661243060cc6ad88902f422f058c547264f6 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 5 Mar 2025 13:22:03 -0500
-Subject: [PATCH 40/53] FIPS: Fix encoder/decoder negative test
+Subject: [PATCH 40/59] FIPS: Fix encoder/decoder negative test
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -31,5 +31,5 @@ index 2acc980e90..660d4e1115
my $conf2 = srctop_file("test", "default-and-fips.cnf");
ok(run(test(['decoder_propq_test', '-config', $conf2,
--
-2.50.0
+2.51.0
diff --git a/0041-FIPS-EC-DH-DSA-PCTs.patch b/0041-FIPS-EC-DH-DSA-PCTs.patch
index f5cdb07..3f59c44 100644
--- a/0041-FIPS-EC-DH-DSA-PCTs.patch
+++ b/0041-FIPS-EC-DH-DSA-PCTs.patch
@@ -1,7 +1,7 @@
-From 1e029f27fe022949adaba959ac3fa3c3c1eccb0b Mon Sep 17 00:00:00 2001
+From 12871a0a0aaae3ce0dcae0b14a52283b3a4a4808 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 24 Mar 2025 10:50:06 -0400
-Subject: [PATCH 41/53] FIPS: EC: DH/DSA PCTs
+Subject: [PATCH 41/59] FIPS: EC: DH/DSA PCTs
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -41,10 +41,10 @@ index 58fbc7bc09..98d4354f3e 100644
retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL);
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
-index 9421aabb14..77531c4b59 100644
+index a1d04bc3fd..c9a5b19cfc 100644
--- a/providers/implementations/keymgmt/ec_kmgmt.c
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
-@@ -993,9 +993,18 @@ struct ec_gen_ctx {
+@@ -995,9 +995,18 @@ struct ec_gen_ctx {
EC_GROUP *gen_group;
unsigned char *dhkem_ikm;
size_t dhkem_ikmlen;
@@ -63,7 +63,7 @@ index 9421aabb14..77531c4b59 100644
static void *ec_gen_init(void *provctx, int selection,
const OSSL_PARAM params[])
{
-@@ -1015,6 +1024,10 @@ static void *ec_gen_init(void *provctx, int selection,
+@@ -1017,6 +1026,10 @@ static void *ec_gen_init(void *provctx, int selection,
gctx = NULL;
}
}
@@ -74,7 +74,7 @@ index 9421aabb14..77531c4b59 100644
return gctx;
}
-@@ -1326,6 +1339,12 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
+@@ -1328,6 +1341,12 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
if (gctx->ecdh_mode != -1)
ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode);
@@ -87,7 +87,7 @@ index 9421aabb14..77531c4b59 100644
if (gctx->group_check != NULL)
ret = ret && ossl_ec_set_check_group_type_from_name(ec,
-@@ -1396,7 +1415,10 @@ static void ec_gen_cleanup(void *genctx)
+@@ -1413,7 +1432,10 @@ static void ec_gen_cleanup(void *genctx)
if (gctx == NULL)
return;
@@ -100,7 +100,7 @@ index 9421aabb14..77531c4b59 100644
EC_GROUP_free(gctx->gen_group);
BN_free(gctx->p);
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
-index 4e46eaf9bc..4d7c25728a 100644
+index 01b3023891..ad595d531c 100644
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
@@ -33,7 +33,7 @@
@@ -176,5 +176,5 @@ index 4e46eaf9bc..4d7c25728a 100644
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx },
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init },
--
-2.50.0
+2.51.0
diff --git a/0042-FIPS-EC-disable-weak-curves.patch b/0042-FIPS-EC-disable-weak-curves.patch
index f625b85..2592900 100644
--- a/0042-FIPS-EC-disable-weak-curves.patch
+++ b/0042-FIPS-EC-disable-weak-curves.patch
@@ -1,7 +1,7 @@
-From 92b40ca85bbfa7acc9b16f2c7b370f2ea5fa3ffc Mon Sep 17 00:00:00 2001
+From 134cd6169b6dcbc1e395a38d7e5af0f9691e772b Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:06:36 -0500
-Subject: [PATCH 42/53] FIPS: EC: disable weak curves
+Subject: [PATCH 42/59] FIPS: EC: disable weak curves
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -27,5 +27,5 @@ index f0879dfb11..a6042e7d2a 100644
comment = "CURVE DESCRIPTION NOT AVAILABLE";
if (sname == NULL)
--
-2.50.0
+2.51.0
diff --git a/0043-FIPS-NO-DSA-Support.patch b/0043-FIPS-NO-DSA-Support.patch
index f58ff19..b71ea9c 100644
--- a/0043-FIPS-NO-DSA-Support.patch
+++ b/0043-FIPS-NO-DSA-Support.patch
@@ -1,7 +1,7 @@
-From 2dbc4a1c31e66fd841a87f62834d8d60aff10d45 Mon Sep 17 00:00:00 2001
+From 5679937e93d2f072cf4f56b27dc6bcce251f6def Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:10:52 -0500
-Subject: [PATCH 43/53] FIPS: NO DSA Support
+Subject: [PATCH 43/59] FIPS: NO DSA Support
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -18,10 +18,10 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
mode change 100644 => 100755 test/recipes/30-test_evp.t
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
-index 1e90f363af..84d8e897cc 100644
+index e5d798fd54..a807c76fd8 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
-@@ -431,7 +431,8 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
+@@ -432,7 +432,8 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
};
static const OSSL_ALGORITHM fips_signature[] = {
@@ -31,7 +31,7 @@ index 1e90f363af..84d8e897cc 100644
{ PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
{ PROV_NAMES_DSA_SHA1, FIPS_DEFAULT_PROPERTIES, ossl_dsa_sha1_signature_functions },
{ PROV_NAMES_DSA_SHA224, FIPS_DEFAULT_PROPERTIES, ossl_dsa_sha224_signature_functions },
-@@ -561,8 +562,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
+@@ -562,8 +563,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
PROV_DESCS_DHX },
#endif
#ifndef OPENSSL_NO_DSA
@@ -44,10 +44,10 @@ index 1e90f363af..84d8e897cc 100644
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions,
PROV_DESCS_RSA },
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
-index 5cbb5352a5..10ca473764 100644
+index 6abab0a7a1..a7d7684d96 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
-@@ -1522,8 +1522,9 @@ static const unsigned char ed448_expected_sig[] = {
+@@ -1547,8 +1547,9 @@ static const unsigned char ed448_expected_sig[] = {
# endif /* OPENSSL_NO_ECX */
#endif /* OPENSSL_NO_EC */
@@ -58,7 +58,7 @@ index 5cbb5352a5..10ca473764 100644
static const unsigned char dsa_p[] = {
0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23,
0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e,
-@@ -1651,6 +1652,7 @@ static const ST_KAT_PARAM dsa_key[] = {
+@@ -1676,6 +1677,7 @@ static const ST_KAT_PARAM dsa_key[] = {
ST_KAT_PARAM_END()
};
#endif /* OPENSSL_NO_DSA */
@@ -66,7 +66,7 @@ index 5cbb5352a5..10ca473764 100644
#ifndef OPENSSL_NO_ML_DSA
static const unsigned char ml_dsa_65_pub_key[] = {
-@@ -3013,6 +3015,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
+@@ -3038,6 +3040,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
},
# endif /* OPENSSL_NO_ECX */
#endif /* OPENSSL_NO_EC */
@@ -74,7 +74,7 @@ index 5cbb5352a5..10ca473764 100644
#ifndef OPENSSL_NO_DSA
{
OSSL_SELF_TEST_DESC_SIGN_DSA,
-@@ -3025,6 +3028,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
+@@ -3050,6 +3053,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
ITM(dsa_expected_sig)
},
#endif /* OPENSSL_NO_DSA */
@@ -302,10 +302,10 @@ index 5e5315a5b9..660d1db149 100644
Key = DSA-2048-160
Input = "Hello"
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
-index ece29485f4..756f90c1bd 100644
+index cf4541449b..7350baa921 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
-@@ -107,7 +107,7 @@ my @smime_pkcs7_tests = (
+@@ -116,7 +116,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
@@ -314,7 +314,7 @@ index ece29485f4..756f90c1bd 100644
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
-@@ -115,7 +115,7 @@ my @smime_pkcs7_tests = (
+@@ -124,7 +124,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
@@ -323,7 +323,7 @@ index ece29485f4..756f90c1bd 100644
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
[ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
-@@ -124,7 +124,7 @@ my @smime_pkcs7_tests = (
+@@ -133,7 +133,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
@@ -332,7 +332,7 @@ index ece29485f4..756f90c1bd 100644
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
[ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER",
-@@ -135,7 +135,7 @@ my @smime_pkcs7_tests = (
+@@ -144,7 +144,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
@@ -341,7 +341,7 @@ index ece29485f4..756f90c1bd 100644
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-nodetach", "-stream",
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
-@@ -144,7 +144,7 @@ my @smime_pkcs7_tests = (
+@@ -153,7 +153,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
@@ -350,7 +350,7 @@ index ece29485f4..756f90c1bd 100644
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-nodetach", "-stream",
"-signer", $smrsa1,
-@@ -157,7 +157,7 @@ my @smime_pkcs7_tests = (
+@@ -166,7 +166,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
@@ -359,7 +359,7 @@ index ece29485f4..756f90c1bd 100644
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-noattr", "-nodetach", "-stream",
"-signer", $smrsa1,
-@@ -187,7 +187,7 @@ my @smime_pkcs7_tests = (
+@@ -196,7 +196,7 @@ my @smime_pkcs7_tests = (
\&zero_compare
],
@@ -368,7 +368,7 @@ index ece29485f4..756f90c1bd 100644
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach",
"-signer", $smrsa1,
"-signer", catfile($smdir, "smrsa2.pem"),
-@@ -199,7 +199,7 @@ my @smime_pkcs7_tests = (
+@@ -208,7 +208,7 @@ my @smime_pkcs7_tests = (
\&final_compare
],
@@ -377,7 +377,7 @@ index ece29485f4..756f90c1bd 100644
[ "{cmd1}", @prov, "-sign", "-in", $smcont,
"-signer", $smrsa1,
"-signer", catfile($smdir, "smrsa2.pem"),
-@@ -265,7 +265,7 @@ if ($no_fips || $old_fips) {
+@@ -282,7 +282,7 @@ if ($no_fips || $old_fips) {
my @smime_cms_tests = (
@@ -386,7 +386,7 @@ index ece29485f4..756f90c1bd 100644
[ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
"-nodetach", "-keyid",
"-signer", $smrsa1,
-@@ -278,7 +278,7 @@ my @smime_cms_tests = (
+@@ -295,7 +295,7 @@ my @smime_cms_tests = (
\&final_compare
],
@@ -396,5 +396,5 @@ index ece29485f4..756f90c1bd 100644
"-signer", $smrsa1,
"-signer", catfile($smdir, "smrsa2.pem"),
--
-2.50.0
+2.51.0
diff --git a/0044-FIPS-NO-DES-support.patch b/0044-FIPS-NO-DES-support.patch
index 2f55859..5c22fcf 100644
--- a/0044-FIPS-NO-DES-support.patch
+++ b/0044-FIPS-NO-DES-support.patch
@@ -1,23 +1,23 @@
-From 8774a96fde9355aa32c040c145e4f35d7c09a5bd Mon Sep 17 00:00:00 2001
+From 7c75c6f52700efbee8d960601c0b1943295b6ae5 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:15:13 -0500
-Subject: [PATCH 44/53] FIPS: NO DES support
+Subject: [PATCH 44/59] FIPS: NO DES support
Signed-off-by: Simo Sorce <simo@redhat.com>
---
providers/fips/fipsprov.c | 3 ++-
- providers/fips/self_test_data.inc | 5 ++++-
+ providers/fips/self_test_data.inc | 4 ++++
test/evp_libctx_test.c | 4 +++-
.../30-test_evp_data/evpciph_des3_common.txt | 13 ++++---------
test/recipes/30-test_evp_data/evpmac_cmac_des.txt | 10 ----------
test/recipes/80-test_cms.t | 2 +-
- 6 files changed, 14 insertions(+), 23 deletions(-)
+ 6 files changed, 14 insertions(+), 22 deletions(-)
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
-index 84d8e897cc..4b394c3e39 100644
+index a807c76fd8..767073fce4 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
-@@ -355,7 +355,8 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = {
+@@ -356,7 +356,8 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = {
ossl_cipher_capable_aes_cbc_hmac_sha256),
ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
ossl_cipher_capable_aes_cbc_hmac_sha256),
@@ -28,27 +28,26 @@ index 84d8e897cc..4b394c3e39 100644
ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
#endif /* OPENSSL_NO_DES */
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
-index 10ca473764..6a69e1687b 100644
+index a7d7684d96..c9ce8f3340 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
-@@ -209,6 +209,7 @@ static const ST_KAT_DIGEST st_kat_digest_tests[] =
- /*- CIPHER TEST DATA */
+@@ -262,6 +262,7 @@ static const unsigned char aes_128_ecb_ct[] = {
+ 0x4e, 0xaa, 0x6f, 0xb4, 0xdb, 0xf7, 0x84, 0x65
+ };
- /* DES3 test data */
+#if 0
- static const unsigned char des_ede3_cbc_pt[] = {
- 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
- 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
-@@ -229,7 +230,7 @@ static const unsigned char des_ede3_cbc_ct[] = {
- 0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F,
- 0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7
+ #ifndef OPENSSL_NO_DES
+ /*
+ * TDES-ECB test data from
+@@ -280,6 +281,7 @@ static const unsigned char tdes_pt[] = {
+ 0x4B, 0xAB, 0x3B, 0xE1, 0x50, 0x2E, 0x3B, 0x36
};
--
+ #endif
+#endif
- /* AES-256 GCM test data */
- static const unsigned char aes_256_gcm_key[] = {
- 0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c,
-@@ -315,6 +316,7 @@ static const ST_KAT_CIPHER st_kat_cipher_tests[] = {
+
+ static const ST_KAT_CIPHER st_kat_cipher_tests[] = {
+ {
+@@ -305,6 +307,7 @@ static const ST_KAT_CIPHER st_kat_cipher_tests[] = {
CIPHER_MODE_DECRYPT,
ITM(aes_128_ecb_key)
},
@@ -56,7 +55,7 @@ index 10ca473764..6a69e1687b 100644
#ifndef OPENSSL_NO_DES
{
{
-@@ -327,6 +329,7 @@ static const ST_KAT_CIPHER st_kat_cipher_tests[] = {
+@@ -317,6 +320,7 @@ static const ST_KAT_CIPHER st_kat_cipher_tests[] = {
ITM(tdes_key)
}
#endif
@@ -157,10 +156,10 @@ index a11e5ffe54..e4a7cbe75e 100644
-Input = FA620C1BBE97319E9A0CF0492121F7A20EB08A6A709DCBD00AAF38E4F99E754E
-Output = 8F49A1B7D6AA2258
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
-index 756f90c1bd..ac833d2a2f 100644
+index 7350baa921..740823c61e 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
-@@ -398,7 +398,7 @@ my @smime_cms_tests = (
+@@ -415,7 +415,7 @@ my @smime_cms_tests = (
\&final_compare
],
@@ -170,5 +169,5 @@ index 756f90c1bd..ac833d2a2f 100644
"-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
"-stream", "-out", "{output}.cms" ],
--
-2.50.0
+2.51.0
diff --git a/0045-FIPS-NO-Kmac.patch b/0045-FIPS-NO-Kmac.patch
index 89c3248..a849a53 100644
--- a/0045-FIPS-NO-Kmac.patch
+++ b/0045-FIPS-NO-Kmac.patch
@@ -1,7 +1,7 @@
-From e466bb4e4fa16481cbf44b410933e6dceb8d27d9 Mon Sep 17 00:00:00 2001
+From 70094ad6af6b81c1e278b6918fc7a143fbad02a9 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:22:07 -0500
-Subject: [PATCH 45/53] FIPS: NO Kmac
+Subject: [PATCH 45/59] FIPS: NO Kmac
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -15,10 +15,10 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
7 files changed, 40 insertions(+), 86 deletions(-)
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
-index 4b394c3e39..8f00dfa0ef 100644
+index 767073fce4..3d6fe1f244 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
-@@ -294,10 +294,11 @@ static const OSSL_ALGORITHM fips_digests[] = {
+@@ -295,10 +295,11 @@ static const OSSL_ALGORITHM fips_digests[] = {
* KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
* KMAC128 and KMAC256.
*/
@@ -32,7 +32,7 @@ index 4b394c3e39..8f00dfa0ef 100644
{ NULL, NULL, NULL }
};
-@@ -370,8 +371,9 @@ static const OSSL_ALGORITHM fips_macs[] = {
+@@ -371,8 +372,9 @@ static const OSSL_ALGORITHM fips_macs[] = {
#endif
{ PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions },
{ PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions },
@@ -45,10 +45,10 @@ index 4b394c3e39..8f00dfa0ef 100644
};
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
-index 6a69e1687b..f3059a8446 100644
+index c9ce8f3340..3e32a5446a 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
-@@ -544,6 +544,7 @@ static const ST_KAT_PARAM kbkdf_params[] = {
+@@ -535,6 +535,7 @@ static const ST_KAT_PARAM kbkdf_params[] = {
ST_KAT_PARAM_END()
};
@@ -56,7 +56,7 @@ index 6a69e1687b..f3059a8446 100644
static const char kbkdf_kmac_mac[] = "KMAC128";
static unsigned char kbkdf_kmac_label[] = {
0xB5, 0xB5, 0xF3, 0x71, 0x9F, 0xBE, 0x5B, 0x3D,
-@@ -570,6 +571,7 @@ static const ST_KAT_PARAM kbkdf_kmac_params[] = {
+@@ -561,6 +562,7 @@ static const ST_KAT_PARAM kbkdf_kmac_params[] = {
ST_KAT_PARAM_OCTET(OSSL_KDF_PARAM_INFO, kbkdf_kmac_context),
ST_KAT_PARAM_END()
};
@@ -64,7 +64,7 @@ index 6a69e1687b..f3059a8446 100644
static const char tls13_kdf_digest[] = "SHA256";
static int tls13_kdf_extract_mode = EVP_KDF_HKDF_MODE_EXTRACT_ONLY;
-@@ -660,12 +662,14 @@ static const ST_KAT_KDF st_kat_kdf_tests[] =
+@@ -651,12 +653,14 @@ static const ST_KAT_KDF st_kat_kdf_tests[] =
kbkdf_params,
ITM(kbkdf_expected)
},
@@ -422,5 +422,5 @@ index 831eecbac9..af92ceea98 100644
-Custom = ""
-Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69
--
-2.50.0
+2.51.0
diff --git a/0046-FIPS-Fix-some-tests-due-to-our-versioning-change.patch b/0046-FIPS-Fix-some-tests-due-to-our-versioning-change.patch
index e7e10be..94d5a60 100644
--- a/0046-FIPS-Fix-some-tests-due-to-our-versioning-change.patch
+++ b/0046-FIPS-Fix-some-tests-due-to-our-versioning-change.patch
@@ -1,7 +1,7 @@
-From 0d1de1053dc1b4b9a1e14b622311d0449c64e19e Mon Sep 17 00:00:00 2001
+From 552dec327a579572ca17a560bb415d8f407ce990 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 10 Mar 2025 13:52:50 -0400
-Subject: [PATCH 46/53] FIPS: Fix some tests due to our versioning change
+Subject: [PATCH 46/59] FIPS: Fix some tests due to our versioning change
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -102,5 +102,5 @@ index af47842fd8..21c75033e8 100644
my @tests_mldsa_tls_1_3 = (
--
-2.50.0
+2.51.0
diff --git a/0047-Current-Rebase-status.patch b/0047-Current-Rebase-status.patch
index 317a565..d8d68d5 100644
--- a/0047-Current-Rebase-status.patch
+++ b/0047-Current-Rebase-status.patch
@@ -1,7 +1,7 @@
-From e47db9280144065c4221537f1d44baa750a25d64 Mon Sep 17 00:00:00 2001
+From 3ce272be66d6e8285e0fa0fddc0ae4b3c8c9e6da Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 12 Feb 2025 17:25:47 -0500
-Subject: [PATCH 47/53] Current Rebase status
+Subject: [PATCH 47/59] Current Rebase status
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -102,5 +102,5 @@ index 2833a383c1..c8f6c992a8 100644
+./Configure --prefix=$HOME/tmp/openssl-rebase --openssldir=$HOME/tmp/openssl-rebase/etc/pki/tls enable-ec_nistp_64_gcc_128 --system-ciphers-file=$HOME/tmp/openssl-rebase/etc/crypto-policies/back-ends/opensslcnf.config zlib enable-camellia enable-seed enable-rfc3779 enable-sctp enable-cms enable-md2 enable-rc5 enable-ktls enable-fips no-mdc2 no-ec2m no-sm2 no-sm4 no-atexit enable-buildtest-c++ shared linux-x86_64 $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DOPENSSL_PEDANTIC_ZEROIZATION -DREDHAT_FIPS_VENDOR="\"Red Hat Enterprise Linux OpenSSL FIPS Provider\"" -DREDHAT_FIPS_VERSION="\"3.5.0-4c714d97fd77d1a8\""' -Wl,--allow-multiple-definition
+
--
-2.50.0
+2.51.0
diff --git a/0048-FIPS-KDF-key-lenght-errors.patch b/0048-FIPS-KDF-key-lenght-errors.patch
index 42aec19..c59e5e0 100644
--- a/0048-FIPS-KDF-key-lenght-errors.patch
+++ b/0048-FIPS-KDF-key-lenght-errors.patch
@@ -1,7 +1,7 @@
-From d0063158bcf9321daec1ffcbfeb3d7b085aebce3 Mon Sep 17 00:00:00 2001
+From 284c64f2ad8f104b15983f7ff37e90486847c5b1 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 14 Apr 2025 15:25:40 -0400
-Subject: [PATCH 48/53] FIPS: KDF key lenght errors
+Subject: [PATCH 48/59] FIPS: KDF key lenght errors
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -171,5 +171,5 @@ index 1fb2472001..93c07ede7c 100644
# Test that the key whose length is shorter than 112 bits is reported as
--
-2.50.0
+2.51.0
diff --git a/0049-FIPS-fix-disallowed-digests-tests.patch b/0049-FIPS-fix-disallowed-digests-tests.patch
index 40edd3c..cb4caec 100644
--- a/0049-FIPS-fix-disallowed-digests-tests.patch
+++ b/0049-FIPS-fix-disallowed-digests-tests.patch
@@ -1,7 +1,7 @@
-From 91000e60a38106701dd76deb37eafe165e7802a3 Mon Sep 17 00:00:00 2001
+From 4373bb2644892e1d788ca2bdd37d7281221c0385 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 15 Apr 2025 13:41:42 -0400
-Subject: [PATCH 49/53] FIPS: fix disallowed digests tests
+Subject: [PATCH 49/59] FIPS: fix disallowed digests tests
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -47,5 +47,5 @@ index 6688c217aa..8347f773e6 100644
# Test that the key whose length is shorter than 112 bits is reported as
# unapproved
--
-2.50.0
+2.51.0
diff --git a/0050-Make-openssl-speed-run-in-FIPS-mode.patch b/0050-Make-openssl-speed-run-in-FIPS-mode.patch
index 3351cb1..674f2e8 100644
--- a/0050-Make-openssl-speed-run-in-FIPS-mode.patch
+++ b/0050-Make-openssl-speed-run-in-FIPS-mode.patch
@@ -1,7 +1,7 @@
-From 99d3ce80ecf3252962a1b79dd57324f08b62cc18 Mon Sep 17 00:00:00 2001
+From 4efc206514085c482a0b2a74a98f3ca285c99db9 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Fri, 9 May 2025 15:09:46 +0200
-Subject: [PATCH 50/53] Make `openssl speed` run in FIPS mode
+Subject: [PATCH 50/59] Make `openssl speed` run in FIPS mode
---
apps/speed.c | 44 ++++++++++++++++++++++----------------------
@@ -72,5 +72,5 @@ index 3307a9cb46..ae2f166d24 100644
for (i = 0; i < loopargs_len; i++)
--
-2.50.0
+2.51.0
diff --git a/0051-Backport-upstream-27483-for-PKCS11-needs.patch b/0051-Backport-upstream-27483-for-PKCS11-needs.patch
index c2d8a0f..358c433 100644
--- a/0051-Backport-upstream-27483-for-PKCS11-needs.patch
+++ b/0051-Backport-upstream-27483-for-PKCS11-needs.patch
@@ -1,7 +1,7 @@
-From 5b20574f75a2c525bf30ea304292ecd93eb72091 Mon Sep 17 00:00:00 2001
+From 5e135e7ceefd5b72cb54a93b13b478af05873318 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Mon, 12 May 2025 14:34:39 +0200
-Subject: [PATCH 51/53] Backport upstream #27483 for PKCS11 needs
+Subject: [PATCH 51/59] Backport upstream #27483 for PKCS11 needs
---
.../implementations/skeymgmt/aes_skmgmt.c | 2 +
@@ -142,5 +142,5 @@ index b81df9c8f8..e33bbbe003 100644
ADD_TEST(test_aes_raw_skey);
#ifndef OPENSSL_NO_DES
--
-2.50.0
+2.51.0
diff --git a/0052-Red-Hat-9-FIPS-indicator-defines.patch b/0052-Red-Hat-9-FIPS-indicator-defines.patch
index f3e4488..0beebdb 100644
--- a/0052-Red-Hat-9-FIPS-indicator-defines.patch
+++ b/0052-Red-Hat-9-FIPS-indicator-defines.patch
@@ -1,7 +1,7 @@
-From fcba6e3c26d76ce26ef140f3d07f9cc15e7d98fa Mon Sep 17 00:00:00 2001
+From e3884eb262fc465ef815d8dff460d38053a9486b Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Mon, 12 May 2025 16:21:23 +0200
-Subject: [PATCH 52/53] Red Hat 9 FIPS indicator defines
+Subject: [PATCH 52/59] Red Hat 9 FIPS indicator defines
---
include/openssl/evp.h | 15 +++++++++++++++
@@ -125,5 +125,5 @@ index 059b489735..5a1864309d 100644
'KEM_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK',
'KEM_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
--
-2.50.0
+2.51.0
diff --git a/0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch b/0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch
index e3e72f2..4220f7c 100644
--- a/0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch
+++ b/0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch
@@ -1,7 +1,7 @@
-From 75c77ea5f36dbf6d21940ab5bf87dff6acd5b8d6 Mon Sep 17 00:00:00 2001
+From 217d8f5853670ae2245ad8d31faee411a68c997a Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Fri, 30 May 2025 16:17:37 +0200
-Subject: [PATCH 53/53] Allow hybrid MLKEM in FIPS mode
+Subject: [PATCH 53/59] Allow hybrid MLKEM in FIPS mode
---
crypto/ml_kem/ml_kem.c | 11 ++--
@@ -12,7 +12,7 @@ Subject: [PATCH 53/53] Allow hybrid MLKEM in FIPS mode
5 files changed, 103 insertions(+), 12 deletions(-)
diff --git a/crypto/ml_kem/ml_kem.c b/crypto/ml_kem/ml_kem.c
-index 4474af0f87..6eca7dc29d 100644
+index 716c3bf427..6ae9c9c5b5 100644
--- a/crypto/ml_kem/ml_kem.c
+++ b/crypto/ml_kem/ml_kem.c
@@ -1613,6 +1613,7 @@ ML_KEM_KEY *ossl_ml_kem_key_new(OSSL_LIB_CTX *libctx, const char *properties,
@@ -298,5 +298,5 @@ index bea8783276..aeef0c8f84 100644
key->xinfo->algorithm_name,
key->xinfo->group_name);
--
-2.50.0
+2.51.0
diff --git a/0054-Speed-test-signatures-without-errors.patch b/0054-Speed-test-signatures-without-errors.patch
deleted file mode 100644
index ac65c4e..0000000
--- a/0054-Speed-test-signatures-without-errors.patch
+++ /dev/null
@@ -1,176 +0,0 @@
-From 0db63fff91327d06502027441104665f462be922 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= <zacik.pa@gmail.com>
-Date: Mon, 11 Aug 2025 12:02:03 +0200
-Subject: [PATCH 1/2] apps/speed.c: Disable testing of composite signature
- algorithms
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Creating public key context from name would always fail
-for composite signature algorithms (such as RSA-SHA256)
-because the public key algorithm name (e.g., RSA) does
-not match the name of the composite algorithm.
-
-Relates to #27855.
-
-Signed-off-by: Pavol Žáčik <zacik.pa@gmail.com>
----
- apps/speed.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/apps/speed.c b/apps/speed.c
-index 2c3ec37d1239e..a6d239c8cda81 100644
---- a/apps/speed.c
-+++ b/apps/speed.c
-@@ -2281,9 +2281,11 @@ int speed_main(int argc, char **argv)
- }
- #endif /* OPENSSL_NO_DSA */
- /* skipping these algs as tested elsewhere - and b/o setup is a pain */
-- else if (strcmp(sig_name, "ED25519") &&
-- strcmp(sig_name, "ED448") &&
-- strcmp(sig_name, "ECDSA") &&
-+ else if (strncmp(sig_name, "RSA", 3) &&
-+ strncmp(sig_name, "DSA", 3) &&
-+ strncmp(sig_name, "ED25519", 7) &&
-+ strncmp(sig_name, "ED448", 5) &&
-+ strncmp(sig_name, "ECDSA", 5) &&
- strcmp(sig_name, "HMAC") &&
- strcmp(sig_name, "SIPHASH") &&
- strcmp(sig_name, "POLY1305") &&
-
-From 30d98de47c63ca84df41ee57f9d230b2f56bf9ef Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= <zacik.pa@gmail.com>
-Date: Mon, 11 Aug 2025 12:19:59 +0200
-Subject: [PATCH 2/2] apps/speed.c: Support more signature algorithms
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Some signature algorithms (e.g., ML-DSA-65) cannot be initialized
-via EVP_PKEY_sign_init, so try also EVP_PKEY_sign_message_init
-before reporting an error.
-
-Fixes #27108.
-
-Signed-off-by: Pavol Žáčik <zacik.pa@gmail.com>
----
- apps/speed.c | 69 ++++++++++++++++++++++++++++++++++++++++------------
- 1 file changed, 53 insertions(+), 16 deletions(-)
-
-diff --git a/apps/speed.c b/apps/speed.c
-index a6d239c8cda81..059183ddc77d3 100644
---- a/apps/speed.c
-+++ b/apps/speed.c
-@@ -4254,6 +4254,7 @@ int speed_main(int argc, char **argv)
- EVP_PKEY_CTX *sig_gen_ctx = NULL;
- EVP_PKEY_CTX *sig_sign_ctx = NULL;
- EVP_PKEY_CTX *sig_verify_ctx = NULL;
-+ EVP_SIGNATURE *alg = NULL;
- unsigned char md[SHA256_DIGEST_LENGTH];
- unsigned char *sig;
- char sfx[MAX_ALGNAME_SUFFIX];
-@@ -4314,21 +4315,48 @@ int speed_main(int argc, char **argv)
- sig_name);
- goto sig_err_break;
- }
-+
-+ /*
-+ * Try explicitly fetching the signature algoritm implementation to
-+ * use in case the algorithm does not support EVP_PKEY_sign_init
-+ */
-+ ERR_set_mark();
-+ alg = EVP_SIGNATURE_fetch(app_get0_libctx(), sig_name, app_get0_propq());
-+ ERR_pop_to_mark();
-+
- /* Now prepare signature data structs */
- sig_sign_ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(),
- pkey,
- app_get0_propq());
-- if (sig_sign_ctx == NULL
-- || EVP_PKEY_sign_init(sig_sign_ctx) <= 0
-- || (use_params == 1
-- && (EVP_PKEY_CTX_set_rsa_padding(sig_sign_ctx,
-- RSA_PKCS1_PADDING) <= 0))
-- || EVP_PKEY_sign(sig_sign_ctx, NULL, &max_sig_len,
-- md, md_len) <= 0) {
-- BIO_printf(bio_err,
-- "Error while initializing signing data structs for %s.\n",
-- sig_name);
-- goto sig_err_break;
-+ if (sig_sign_ctx == NULL) {
-+ BIO_printf(bio_err,
-+ "Error while initializing signing ctx for %s.\n",
-+ sig_name);
-+ goto sig_err_break;
-+ }
-+ ERR_set_mark();
-+ if (EVP_PKEY_sign_init(sig_sign_ctx) <= 0
-+ && (alg == NULL
-+ || EVP_PKEY_sign_message_init(sig_sign_ctx, alg, NULL) <= 0)) {
-+ ERR_clear_last_mark();
-+ BIO_printf(bio_err,
-+ "Error while initializing signing data structs for %s.\n",
-+ sig_name);
-+ goto sig_err_break;
-+ }
-+ ERR_pop_to_mark();
-+ if (use_params == 1 &&
-+ EVP_PKEY_CTX_set_rsa_padding(sig_sign_ctx, RSA_PKCS1_PADDING) <= 0) {
-+ BIO_printf(bio_err,
-+ "Error while initializing padding for %s.\n",
-+ sig_name);
-+ goto sig_err_break;
-+ }
-+ if (EVP_PKEY_sign(sig_sign_ctx, NULL, &max_sig_len, md, md_len) <= 0) {
-+ BIO_printf(bio_err,
-+ "Error while obtaining signature bufffer length for %s.\n",
-+ sig_name);
-+ goto sig_err_break;
- }
- sig = app_malloc(sig_len = max_sig_len, "signature buffer");
- if (sig == NULL) {
-@@ -4344,16 +4372,23 @@ int speed_main(int argc, char **argv)
- sig_verify_ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(),
- pkey,
- app_get0_propq());
-- if (sig_verify_ctx == NULL
-- || EVP_PKEY_verify_init(sig_verify_ctx) <= 0
-- || (use_params == 1
-- && (EVP_PKEY_CTX_set_rsa_padding(sig_verify_ctx,
-- RSA_PKCS1_PADDING) <= 0))) {
-+ if (sig_verify_ctx == NULL) {
-+ BIO_printf(bio_err,
-+ "Error while initializing verify ctx for %s.\n",
-+ sig_name);
-+ goto sig_err_break;
-+ }
-+ ERR_set_mark();
-+ if (EVP_PKEY_verify_init(sig_verify_ctx) <= 0
-+ && (alg == NULL
-+ || EVP_PKEY_verify_message_init(sig_verify_ctx, alg, NULL) <= 0)) {
-+ ERR_clear_last_mark();
- BIO_printf(bio_err,
- "Error while initializing verify data structs for %s.\n",
- sig_name);
- goto sig_err_break;
- }
-+ ERR_pop_to_mark();
- if (EVP_PKEY_verify(sig_verify_ctx, sig, sig_len, md, md_len) <= 0) {
- BIO_printf(bio_err, "Verify error for %s.\n", sig_name);
- goto sig_err_break;
-@@ -4369,12 +4404,14 @@ int speed_main(int argc, char **argv)
- loopargs[i].sig_act_sig_len[testnum] = sig_len;
- loopargs[i].sig_sig[testnum] = sig;
- EVP_PKEY_free(pkey);
-+ EVP_SIGNATURE_free(alg);
- pkey = NULL;
- continue;
-
- sig_err_break:
- dofail();
- EVP_PKEY_free(pkey);
-+ EVP_SIGNATURE_free(alg);
- op_count = 1;
- sig_checks = 0;
- break;
diff --git a/0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch b/0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch
new file mode 100644
index 0000000..4b8cd0b
--- /dev/null
+++ b/0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch
@@ -0,0 +1,65 @@
+From b963982c4b8ede93212c15021d4d251435153aa2 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Tue, 15 Jul 2025 12:32:14 -0400
+Subject: [PATCH 54/59] Temporarily disable SLH-DSA FIPS self-tests
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ providers/fips/self_test_data.inc | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
+index 3e32a5446a..07518a9d7f 100644
+--- a/providers/fips/self_test_data.inc
++++ b/providers/fips/self_test_data.inc
+@@ -2888,6 +2888,7 @@ static const ST_KAT_PARAM ml_dsa_sig_init[] = {
+ };
+ #endif /* OPENSSL_NO_ML_DSA */
+
++#if 0 /* Temporarily disable SLH-DSA self tests due to performance issues */
+ #ifndef OPENSSL_NO_SLH_DSA
+ /*
+ * Deterministic SLH_DSA key generation supplies the private key elements and
+@@ -2978,6 +2979,7 @@ static const unsigned char slh_dsa_shake_128f_sig_digest[] = {
+ 0x89, 0x77, 0x00, 0x72, 0x03, 0x92, 0xd1, 0xa6,
+ };
+ #endif /* OPENSSL_NO_SLH_DSA */
++#endif /* Temporarily disable SLH-DSA self tests due to performance issues */
+
+ /* Hash DRBG inputs for signature KATs */
+ static const unsigned char sig_kat_entropyin[] = {
+@@ -3077,6 +3079,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
+ ml_dsa_sig_init
+ },
+ #endif /* OPENSSL_NO_ML_DSA */
++#if 0 /* Temporarily disable SLH-DSA self tests due to performance issues */
+ #ifndef OPENSSL_NO_SLH_DSA
+ /*
+ * FIPS 140-3 IG 10.3.A.16 Note 29 says:
+@@ -3107,6 +3110,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
+ slh_dsa_sig_params, slh_dsa_sig_params
+ },
+ #endif /* OPENSSL_NO_SLH_DSA */
++#endif /* Temporarily disable SLH-DSA self tests due to performance issues */
+ };
+
+ #if !defined(OPENSSL_NO_ML_DSA)
+@@ -3511,6 +3515,7 @@ static const ST_KAT_ASYM_KEYGEN st_kat_asym_keygen_tests[] = {
+ ml_dsa_key
+ },
+ # endif
++#if 0 /* Temporarily disable SLH-DSA self tests due to performance issues */
+ # if !defined(OPENSSL_NO_SLH_DSA)
+ {
+ OSSL_SELF_TEST_DESC_KEYGEN_SLH_DSA,
+@@ -3519,6 +3524,7 @@ static const ST_KAT_ASYM_KEYGEN st_kat_asym_keygen_tests[] = {
+ slh_dsa_128f_keygen_expected_params
+ },
+ # endif
++#endif /* Temporarily disable SLH-DSA self tests due to performance issues */
+ };
+ #endif /* !OPENSSL_NO_ML_DSA || !OPENSSL_NO_SLH_DSA */
+
+--
+2.51.0
+
diff --git a/0055-Add-a-define-to-disable-symver-attributes.patch b/0055-Add-a-define-to-disable-symver-attributes.patch
new file mode 100644
index 0000000..b7f3627
--- /dev/null
+++ b/0055-Add-a-define-to-disable-symver-attributes.patch
@@ -0,0 +1,66 @@
+From 8d2f2f11f3875b58f133729dcb907bb64620649f Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 17 Jul 2025 09:40:34 -0400
+Subject: [PATCH 55/59] Add a define to disable symver attributes
+
+Defininig RHEL_NO_SYMVER_ATTRIBUTES for a build now prevents adding
+compatibility symver attributes.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ crypto/evp/digest.c | 2 +-
+ crypto/evp/evp_enc.c | 2 +-
+ crypto/o_str.c | 4 ++--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
+index 8ee9db73dd..7ed4933934 100644
+--- a/crypto/evp/digest.c
++++ b/crypto/evp/digest.c
+@@ -573,7 +573,7 @@ int EVP_DigestSqueeze(EVP_MD_CTX *ctx, unsigned char *md, size_t size)
+ }
+
+ EVP_MD_CTX
+-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
+ __attribute__ ((symver ("EVP_MD_CTX_dup@@OPENSSL_3.1.0"),
+ symver ("EVP_MD_CTX_dup@OPENSSL_3.2.0")))
+ #endif
+diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
+index 619cf4f385..9192898d39 100644
+--- a/crypto/evp/evp_enc.c
++++ b/crypto/evp/evp_enc.c
+@@ -1763,7 +1763,7 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
+ }
+
+ EVP_CIPHER_CTX
+-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
+ __attribute__ ((symver ("EVP_CIPHER_CTX_dup@@OPENSSL_3.1.0"),
+ symver ("EVP_CIPHER_CTX_dup@OPENSSL_3.2.0")))
+ #endif
+diff --git a/crypto/o_str.c b/crypto/o_str.c
+index 86442a939e..8c33e4dd63 100644
+--- a/crypto/o_str.c
++++ b/crypto/o_str.c
+@@ -404,7 +404,7 @@ int openssl_strerror_r(int errnum, char *buf, size_t buflen)
+ }
+
+ int
+-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
+ __attribute__ ((symver ("OPENSSL_strcasecmp@@OPENSSL_3.0.3"),
+ symver ("OPENSSL_strcasecmp@OPENSSL_3.0.1")))
+ #endif
+@@ -419,7 +419,7 @@ OPENSSL_strcasecmp(const char *s1, const char *s2)
+ }
+
+ int
+-#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && !defined(RHEL_NO_SYMVER_ATTRIBUTES)
+ __attribute__ ((symver ("OPENSSL_strncasecmp@@OPENSSL_3.0.3"),
+ symver ("OPENSSL_strncasecmp@OPENSSL_3.0.1")))
+ #endif
+--
+2.51.0
+
diff --git a/0055-Targets-to-skip-build-of-non-installable-programs.patch b/0055-Targets-to-skip-build-of-non-installable-programs.patch
deleted file mode 100644
index 0634895..0000000
--- a/0055-Targets-to-skip-build-of-non-installable-programs.patch
+++ /dev/null
@@ -1,153 +0,0 @@
-From b96746b02cff910f4cd3787fddc042f7e3fb4956 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= <zacik.pa@gmail.com>
-Date: Tue, 19 Aug 2025 14:26:07 +0200
-Subject: [PATCH] Add targets to skip build of non-installable programs
-
-These make it possible to split the build into two
-parts, e.g., when tests should be built with different
-compiler flags than installed software.
-
-Also use these as dependecies where appropriate.
----
- Configurations/descrip.mms.tmpl | 7 +++++--
- Configurations/unix-Makefile.tmpl | 9 ++++++---
- Configurations/windows-makefile.tmpl | 8 ++++++--
- util/help.pl | 2 +-
- 4 files changed, 18 insertions(+), 8 deletions(-)
-
-diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl
-index db6a1b1799..bc7fc36b46 100644
---- a/Configurations/descrip.mms.tmpl
-+++ b/Configurations/descrip.mms.tmpl
-@@ -491,6 +491,8 @@ NODEBUG=@
- {- dependmagic('build_libs'); -} : build_libs_nodep
- {- dependmagic('build_modules'); -} : build_modules_nodep
- {- dependmagic('build_programs'); -} : build_programs_nodep
-+{- dependmagic('build_inst_sw'); -} : build_libs_nodep, build_modules_nodep, build_inst_programs_nodep
-+{- dependmagic('build_inst_programs'); -} : build_inst_programs_nodep
-
- build_generated_pods : $(GENERATED_PODS)
- build_docs : build_html_docs
-@@ -500,6 +502,7 @@ build_generated : $(GENERATED_MANDATORY)
- build_libs_nodep : $(LIBS), $(SHLIBS)
- build_modules_nodep : $(MODULES)
- build_programs_nodep : $(PROGRAMS), $(SCRIPTS)
-+build_inst_programs_nodep : $(INSTALL_PROGRAMS), $(SCRIPTS)
-
- # Kept around for backward compatibility
- build_apps build_tests : build_programs
-@@ -606,7 +609,7 @@ install_docs : install_html_docs
- uninstall_docs : uninstall_html_docs
-
- {- output_off() if $disabled{fips}; "" -}
--install_fips : build_sw $(INSTALL_FIPSMODULECONF)
-+install_fips : build_inst_sw $(INSTALL_FIPSMODULECONF)
- @ WRITE SYS$OUTPUT "*** Installing FIPS module"
- - CREATE/DIR ossl_installroot:[MODULES{- $target{pointer_size} -}.'arch']
- - CREATE/DIR/PROT=(S:RWED,O:RWE,G:RE,W:RE) OSSL_DATAROOT:[000000]
-@@ -687,7 +690,7 @@ install_runtime_libs : check_INSTALLTOP build_libs
- @install_shlibs) -}
- @ {- output_on() if $disabled{shared}; "" -} !
-
--install_programs : check_INSTALLTOP install_runtime_libs build_programs
-+install_programs : check_INSTALLTOP install_runtime_libs build_inst_programs
- @ {- output_off() if $disabled{apps}; "" -} !
- @ ! Install the main program
- - CREATE/DIR ossl_installroot:[EXE.'arch']
-diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
-index 70ac47b73c..98c11f7a0f 100644
---- a/Configurations/unix-Makefile.tmpl
-+++ b/Configurations/unix-Makefile.tmpl
-@@ -531,7 +531,9 @@ LANG=C
- {- dependmagic('build_sw', 'Build all the software (default target)'); -}: build_libs_nodep build_modules_nodep build_programs_nodep link-utils
- {- dependmagic('build_libs', 'Build the libraries libssl and libcrypto'); -}: build_libs_nodep
- {- dependmagic('build_modules', 'Build the modules (i.e. providers and engines)'); -}: build_modules_nodep
--{- dependmagic('build_programs', 'Build the openssl executables and scripts'); -}: build_programs_nodep
-+{- dependmagic('build_programs', 'Build the openssl executables, scripts and all other programs as configured (e.g. tests or demos)'); -}: build_programs_nodep
-+{- dependmagic('build_inst_sw', 'Build all the software to be installed'); -}: build_libs_nodep build_modules_nodep build_inst_programs_nodep link-utils
-+{- dependmagic('build_inst_programs', 'Build only the installable openssl executables and scripts'); -}: build_inst_programs_nodep
-
- all: build_sw {- "build_docs" if !$disabled{docs}; -} ## Build software and documentation
- debuginfo: $(SHLIBS)
-@@ -553,6 +555,7 @@ build_generated: $(GENERATED_MANDATORY)
- build_libs_nodep: $(LIBS) {- join(" ",map { platform->sharedlib_simple($_) // platform->sharedlib_import($_) // platform->sharedlib($_) // () } @{$unified_info{libraries}}) -}
- build_modules_nodep: $(MODULES)
- build_programs_nodep: $(PROGRAMS) $(SCRIPTS)
-+build_inst_programs_nodep: $(INSTALL_PROGRAMS) $(SCRIPTS)
-
- # Kept around for backward compatibility
- build_apps build_tests: build_programs
-@@ -671,7 +674,7 @@ uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and
- $(RM) -r "$(DESTDIR)$(DOCDIR)"
-
- {- output_off() if $disabled{fips}; "" -}
--install_fips: build_sw $(INSTALL_FIPSMODULECONF)
-+install_fips: build_inst_sw $(INSTALL_FIPSMODULECONF)
- @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(MODULESDIR)"
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)"
-@@ -956,7 +959,7 @@ install_runtime_libs: build_libs
- : {- output_on() if windowsdll(); "" -}; \
- done
-
--install_programs: install_runtime_libs build_programs
-+install_programs: install_runtime_libs build_inst_programs
- @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(bindir)"
- @$(ECHO) "*** Installing runtime programs"
-diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl
-index 894834cfb7..b5872124de 100644
---- a/Configurations/windows-makefile.tmpl
-+++ b/Configurations/windows-makefile.tmpl
-@@ -418,6 +418,8 @@ PROCESSOR= {- $config{processor} -}
- {- dependmagic('build_libs'); -}: build_libs_nodep
- {- dependmagic('build_modules'); -}: build_modules_nodep
- {- dependmagic('build_programs'); -}: build_programs_nodep
-+{- dependmagic('build_inst_sw'); -}: build_libs_nodep build_modules_nodep build_inst_programs_nodep copy-utils
-+{- dependmagic('build_inst_programs'); -}: build_inst_programs_nodep
-
- build_docs: build_html_docs
- build_html_docs: $(HTMLDOCS1) $(HTMLDOCS3) $(HTMLDOCS5) $(HTMLDOCS7)
-@@ -430,6 +432,8 @@ build_modules_nodep: $(MODULES)
- @
- build_programs_nodep: $(PROGRAMS) $(SCRIPTS)
- @
-+build_inst_programs_nodep: $(INSTALL_PROGRAMS) $(SCRIPTS)
-+ @
-
- # Kept around for backward compatibility
- build_apps build_tests: build_programs
-@@ -507,7 +511,7 @@ install_docs: install_html_docs
- uninstall_docs: uninstall_html_docs
-
- {- output_off() if $disabled{fips}; "" -}
--install_fips: build_sw $(INSTALL_FIPSMODULECONF)
-+install_fips: build_inst_sw $(INSTALL_FIPSMODULECONF)
- # @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(MODULESDIR)"
- @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(OPENSSLDIR)"
-@@ -607,7 +611,7 @@ install_runtime_libs: build_libs
- "$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_SHLIBPDBS) \
- "$(INSTALLTOP)\bin"
-
--install_programs: install_runtime_libs build_programs
-+install_programs: install_runtime_libs build_inst_programs
- @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 )
- @$(ECHO) "*** Installing runtime programs"
- @if not "$(INSTALL_PROGRAMS)"=="" \
-diff --git a/util/help.pl b/util/help.pl
-index a1614fe8a9..e88ff4bae1 100755
---- a/util/help.pl
-+++ b/util/help.pl
-@@ -14,7 +14,7 @@ while (<>) {
- chomp; # strip record separator
- @Fld = split($FS, $_, -1);
- if (/^[a-zA-Z0-9_\-]+:.*?##/) {
-- printf " \033[36m%-15s\033[0m %s\n", $Fld[0], $Fld[1]
-+ printf " \033[36m%-19s\033[0m %s\n", $Fld[0], $Fld[1]
- }
- if (/^##@/) {
- printf "\n\033[1m%s\033[0m\n", substr($Fld[$_], (5)-1);
---
-2.50.1
-
diff --git a/0056-apps-speed.c-Disable-testing-of-composite-signature-.patch b/0056-apps-speed.c-Disable-testing-of-composite-signature-.patch
new file mode 100644
index 0000000..67f7286
--- /dev/null
+++ b/0056-apps-speed.c-Disable-testing-of-composite-signature-.patch
@@ -0,0 +1,47 @@
+From bd015ab1f56008f17404ac9511025812646e5e2d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= <zacik.pa@gmail.com>
+Date: Mon, 11 Aug 2025 12:02:03 +0200
+Subject: [PATCH 56/59] apps/speed.c: Disable testing of composite signature
+ algorithms
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Creating public key context from name would always fail
+for composite signature algorithms (such as RSA-SHA256)
+because the public key algorithm name (e.g., RSA) does
+not match the name of the composite algorithm.
+
+Relates to #27855.
+
+Signed-off-by: Pavol Žáčik <zacik.pa@gmail.com>
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+(Merged from https://github.com/openssl/openssl/pull/28224)
+---
+ apps/speed.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/apps/speed.c b/apps/speed.c
+index ae2f166d24..a51d6a57d4 100644
+--- a/apps/speed.c
++++ b/apps/speed.c
+@@ -2275,9 +2275,11 @@ int speed_main(int argc, char **argv)
+ }
+ #endif /* OPENSSL_NO_DSA */
+ /* skipping these algs as tested elsewhere - and b/o setup is a pain */
+- else if (strcmp(sig_name, "ED25519") &&
+- strcmp(sig_name, "ED448") &&
+- strcmp(sig_name, "ECDSA") &&
++ else if (strncmp(sig_name, "RSA", 3) &&
++ strncmp(sig_name, "DSA", 3) &&
++ strncmp(sig_name, "ED25519", 7) &&
++ strncmp(sig_name, "ED448", 5) &&
++ strncmp(sig_name, "ECDSA", 5) &&
+ strcmp(sig_name, "HMAC") &&
+ strcmp(sig_name, "SIPHASH") &&
+ strcmp(sig_name, "POLY1305") &&
+--
+2.51.0
+
diff --git a/0057-apps-speed.c-Support-more-signature-algorithms.patch b/0057-apps-speed.c-Support-more-signature-algorithms.patch
new file mode 100644
index 0000000..ae49a34
--- /dev/null
+++ b/0057-apps-speed.c-Support-more-signature-algorithms.patch
@@ -0,0 +1,142 @@
+From eeb05d8b4b63fdda732fb49201c6769082922c11 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= <zacik.pa@gmail.com>
+Date: Mon, 11 Aug 2025 12:19:59 +0200
+Subject: [PATCH 57/59] apps/speed.c: Support more signature algorithms
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some signature algorithms (e.g., ML-DSA-65) cannot be initialized
+via EVP_PKEY_sign_init, so try also EVP_PKEY_sign_message_init
+before reporting an error.
+
+Fixes #27108.
+
+Signed-off-by: Pavol Žáčik <zacik.pa@gmail.com>
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+(Merged from https://github.com/openssl/openssl/pull/28224)
+---
+ apps/speed.c | 69 ++++++++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 53 insertions(+), 16 deletions(-)
+
+diff --git a/apps/speed.c b/apps/speed.c
+index a51d6a57d4..4050f46bce 100644
+--- a/apps/speed.c
++++ b/apps/speed.c
+@@ -4248,6 +4248,7 @@ int speed_main(int argc, char **argv)
+ EVP_PKEY_CTX *sig_gen_ctx = NULL;
+ EVP_PKEY_CTX *sig_sign_ctx = NULL;
+ EVP_PKEY_CTX *sig_verify_ctx = NULL;
++ EVP_SIGNATURE *alg = NULL;
+ unsigned char md[SHA256_DIGEST_LENGTH];
+ unsigned char *sig;
+ char sfx[MAX_ALGNAME_SUFFIX];
+@@ -4308,21 +4309,48 @@ int speed_main(int argc, char **argv)
+ sig_name);
+ goto sig_err_break;
+ }
++
++ /*
++ * Try explicitly fetching the signature algoritm implementation to
++ * use in case the algorithm does not support EVP_PKEY_sign_init
++ */
++ ERR_set_mark();
++ alg = EVP_SIGNATURE_fetch(app_get0_libctx(), sig_name, app_get0_propq());
++ ERR_pop_to_mark();
++
+ /* Now prepare signature data structs */
+ sig_sign_ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(),
+ pkey,
+ app_get0_propq());
+- if (sig_sign_ctx == NULL
+- || EVP_PKEY_sign_init(sig_sign_ctx) <= 0
+- || (use_params == 1
+- && (EVP_PKEY_CTX_set_rsa_padding(sig_sign_ctx,
+- RSA_PKCS1_PADDING) <= 0))
+- || EVP_PKEY_sign(sig_sign_ctx, NULL, &max_sig_len,
+- md, md_len) <= 0) {
+- BIO_printf(bio_err,
+- "Error while initializing signing data structs for %s.\n",
+- sig_name);
+- goto sig_err_break;
++ if (sig_sign_ctx == NULL) {
++ BIO_printf(bio_err,
++ "Error while initializing signing ctx for %s.\n",
++ sig_name);
++ goto sig_err_break;
++ }
++ ERR_set_mark();
++ if (EVP_PKEY_sign_init(sig_sign_ctx) <= 0
++ && (alg == NULL
++ || EVP_PKEY_sign_message_init(sig_sign_ctx, alg, NULL) <= 0)) {
++ ERR_clear_last_mark();
++ BIO_printf(bio_err,
++ "Error while initializing signing data structs for %s.\n",
++ sig_name);
++ goto sig_err_break;
++ }
++ ERR_pop_to_mark();
++ if (use_params == 1 &&
++ EVP_PKEY_CTX_set_rsa_padding(sig_sign_ctx, RSA_PKCS1_PADDING) <= 0) {
++ BIO_printf(bio_err,
++ "Error while initializing padding for %s.\n",
++ sig_name);
++ goto sig_err_break;
++ }
++ if (EVP_PKEY_sign(sig_sign_ctx, NULL, &max_sig_len, md, md_len) <= 0) {
++ BIO_printf(bio_err,
++ "Error while obtaining signature bufffer length for %s.\n",
++ sig_name);
++ goto sig_err_break;
+ }
+ sig = app_malloc(sig_len = max_sig_len, "signature buffer");
+ if (sig == NULL) {
+@@ -4338,16 +4366,23 @@ int speed_main(int argc, char **argv)
+ sig_verify_ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(),
+ pkey,
+ app_get0_propq());
+- if (sig_verify_ctx == NULL
+- || EVP_PKEY_verify_init(sig_verify_ctx) <= 0
+- || (use_params == 1
+- && (EVP_PKEY_CTX_set_rsa_padding(sig_verify_ctx,
+- RSA_PKCS1_PADDING) <= 0))) {
++ if (sig_verify_ctx == NULL) {
++ BIO_printf(bio_err,
++ "Error while initializing verify ctx for %s.\n",
++ sig_name);
++ goto sig_err_break;
++ }
++ ERR_set_mark();
++ if (EVP_PKEY_verify_init(sig_verify_ctx) <= 0
++ && (alg == NULL
++ || EVP_PKEY_verify_message_init(sig_verify_ctx, alg, NULL) <= 0)) {
++ ERR_clear_last_mark();
+ BIO_printf(bio_err,
+ "Error while initializing verify data structs for %s.\n",
+ sig_name);
+ goto sig_err_break;
+ }
++ ERR_pop_to_mark();
+ if (EVP_PKEY_verify(sig_verify_ctx, sig, sig_len, md, md_len) <= 0) {
+ BIO_printf(bio_err, "Verify error for %s.\n", sig_name);
+ goto sig_err_break;
+@@ -4363,12 +4398,14 @@ int speed_main(int argc, char **argv)
+ loopargs[i].sig_act_sig_len[testnum] = sig_len;
+ loopargs[i].sig_sig[testnum] = sig;
+ EVP_PKEY_free(pkey);
++ EVP_SIGNATURE_free(alg);
+ pkey = NULL;
+ continue;
+
+ sig_err_break:
+ dofail();
+ EVP_PKEY_free(pkey);
++ EVP_SIGNATURE_free(alg);
+ op_count = 1;
+ sig_checks = 0;
+ break;
+--
+2.51.0
+
diff --git a/0058-Add-targets-to-skip-build-of-non-installable-program.patch b/0058-Add-targets-to-skip-build-of-non-installable-program.patch
new file mode 100644
index 0000000..c87c278
--- /dev/null
+++ b/0058-Add-targets-to-skip-build-of-non-installable-program.patch
@@ -0,0 +1,158 @@
+From f320da46f706a8013de532ee1a34703bd814be06 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= <zacik.pa@gmail.com>
+Date: Tue, 19 Aug 2025 14:26:07 +0200
+Subject: [PATCH 58/59] Add targets to skip build of non-installable programs
+
+These make it possible to split the build into two
+parts, e.g., when tests should be built with different
+compiler flags than installed software.
+
+Also use these as dependecies where appropriate.
+
+Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/28302)
+---
+ Configurations/descrip.mms.tmpl | 7 +++++--
+ Configurations/unix-Makefile.tmpl | 9 ++++++---
+ Configurations/windows-makefile.tmpl | 8 ++++++--
+ util/help.pl | 2 +-
+ 4 files changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl
+index db6a1b1799..bc7fc36b46 100644
+--- a/Configurations/descrip.mms.tmpl
++++ b/Configurations/descrip.mms.tmpl
+@@ -491,6 +491,8 @@ NODEBUG=@
+ {- dependmagic('build_libs'); -} : build_libs_nodep
+ {- dependmagic('build_modules'); -} : build_modules_nodep
+ {- dependmagic('build_programs'); -} : build_programs_nodep
++{- dependmagic('build_inst_sw'); -} : build_libs_nodep, build_modules_nodep, build_inst_programs_nodep
++{- dependmagic('build_inst_programs'); -} : build_inst_programs_nodep
+
+ build_generated_pods : $(GENERATED_PODS)
+ build_docs : build_html_docs
+@@ -500,6 +502,7 @@ build_generated : $(GENERATED_MANDATORY)
+ build_libs_nodep : $(LIBS), $(SHLIBS)
+ build_modules_nodep : $(MODULES)
+ build_programs_nodep : $(PROGRAMS), $(SCRIPTS)
++build_inst_programs_nodep : $(INSTALL_PROGRAMS), $(SCRIPTS)
+
+ # Kept around for backward compatibility
+ build_apps build_tests : build_programs
+@@ -606,7 +609,7 @@ install_docs : install_html_docs
+ uninstall_docs : uninstall_html_docs
+
+ {- output_off() if $disabled{fips}; "" -}
+-install_fips : build_sw $(INSTALL_FIPSMODULECONF)
++install_fips : build_inst_sw $(INSTALL_FIPSMODULECONF)
+ @ WRITE SYS$OUTPUT "*** Installing FIPS module"
+ - CREATE/DIR ossl_installroot:[MODULES{- $target{pointer_size} -}.'arch']
+ - CREATE/DIR/PROT=(S:RWED,O:RWE,G:RE,W:RE) OSSL_DATAROOT:[000000]
+@@ -687,7 +690,7 @@ install_runtime_libs : check_INSTALLTOP build_libs
+ @install_shlibs) -}
+ @ {- output_on() if $disabled{shared}; "" -} !
+
+-install_programs : check_INSTALLTOP install_runtime_libs build_programs
++install_programs : check_INSTALLTOP install_runtime_libs build_inst_programs
+ @ {- output_off() if $disabled{apps}; "" -} !
+ @ ! Install the main program
+ - CREATE/DIR ossl_installroot:[EXE.'arch']
+diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
+index 74139ec228..16aab9cd76 100644
+--- a/Configurations/unix-Makefile.tmpl
++++ b/Configurations/unix-Makefile.tmpl
+@@ -547,7 +547,9 @@ LANG=C
+ {- dependmagic('build_sw', 'Build all the software (default target)'); -}: build_libs_nodep build_modules_nodep build_programs_nodep link-utils
+ {- dependmagic('build_libs', 'Build the libraries libssl and libcrypto'); -}: build_libs_nodep
+ {- dependmagic('build_modules', 'Build the modules (i.e. providers and engines)'); -}: build_modules_nodep
+-{- dependmagic('build_programs', 'Build the openssl executables and scripts'); -}: build_programs_nodep
++{- dependmagic('build_programs', 'Build the openssl executables, scripts and all other programs as configured (e.g. tests or demos)'); -}: build_programs_nodep
++{- dependmagic('build_inst_sw', 'Build all the software to be installed'); -}: build_libs_nodep build_modules_nodep build_inst_programs_nodep link-utils
++{- dependmagic('build_inst_programs', 'Build only the installable openssl executables and scripts'); -}: build_inst_programs_nodep
+
+ all: build_sw {- "build_docs" if !$disabled{docs}; -} ## Build software and documentation
+ debuginfo: $(SHLIBS)
+@@ -566,6 +568,7 @@ build_generated: $(GENERATED_MANDATORY)
+ build_libs_nodep: $(LIBS) {- join(" ",map { platform->sharedlib_simple($_) // platform->sharedlib_import($_) // platform->sharedlib($_) // () } @{$unified_info{libraries}}) -}
+ build_modules_nodep: $(MODULES)
+ build_programs_nodep: $(PROGRAMS) $(SCRIPTS)
++build_inst_programs_nodep: $(INSTALL_PROGRAMS) $(SCRIPTS)
+
+ # Kept around for backward compatibility
+ build_apps build_tests: build_programs
+@@ -680,7 +683,7 @@ uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and
+ $(RM) -r "$(DESTDIR)$(DOCDIR)"
+
+ {- output_off() if $disabled{fips}; "" -}
+-install_fips: build_sw $(INSTALL_FIPSMODULECONF)
++install_fips: build_inst_sw $(INSTALL_FIPSMODULECONF)
+ @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(MODULESDIR)"
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)"
+@@ -965,7 +968,7 @@ install_runtime_libs: build_libs
+ : {- output_on() if windowsdll(); "" -}; \
+ done
+
+-install_programs: install_runtime_libs build_programs
++install_programs: install_runtime_libs build_inst_programs
+ @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(bindir)"
+ @$(ECHO) "*** Installing runtime programs"
+diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl
+index 894834cfb7..b5872124de 100644
+--- a/Configurations/windows-makefile.tmpl
++++ b/Configurations/windows-makefile.tmpl
+@@ -418,6 +418,8 @@ PROCESSOR= {- $config{processor} -}
+ {- dependmagic('build_libs'); -}: build_libs_nodep
+ {- dependmagic('build_modules'); -}: build_modules_nodep
+ {- dependmagic('build_programs'); -}: build_programs_nodep
++{- dependmagic('build_inst_sw'); -}: build_libs_nodep build_modules_nodep build_inst_programs_nodep copy-utils
++{- dependmagic('build_inst_programs'); -}: build_inst_programs_nodep
+
+ build_docs: build_html_docs
+ build_html_docs: $(HTMLDOCS1) $(HTMLDOCS3) $(HTMLDOCS5) $(HTMLDOCS7)
+@@ -430,6 +432,8 @@ build_modules_nodep: $(MODULES)
+ @
+ build_programs_nodep: $(PROGRAMS) $(SCRIPTS)
+ @
++build_inst_programs_nodep: $(INSTALL_PROGRAMS) $(SCRIPTS)
++ @
+
+ # Kept around for backward compatibility
+ build_apps build_tests: build_programs
+@@ -507,7 +511,7 @@ install_docs: install_html_docs
+ uninstall_docs: uninstall_html_docs
+
+ {- output_off() if $disabled{fips}; "" -}
+-install_fips: build_sw $(INSTALL_FIPSMODULECONF)
++install_fips: build_inst_sw $(INSTALL_FIPSMODULECONF)
+ # @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+ @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(MODULESDIR)"
+ @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(OPENSSLDIR)"
+@@ -607,7 +611,7 @@ install_runtime_libs: build_libs
+ "$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_SHLIBPDBS) \
+ "$(INSTALLTOP)\bin"
+
+-install_programs: install_runtime_libs build_programs
++install_programs: install_runtime_libs build_inst_programs
+ @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 )
+ @$(ECHO) "*** Installing runtime programs"
+ @if not "$(INSTALL_PROGRAMS)"=="" \
+diff --git a/util/help.pl b/util/help.pl
+index a1614fe8a9..e88ff4bae1 100755
+--- a/util/help.pl
++++ b/util/help.pl
+@@ -14,7 +14,7 @@ while (<>) {
+ chomp; # strip record separator
+ @Fld = split($FS, $_, -1);
+ if (/^[a-zA-Z0-9_\-]+:.*?##/) {
+- printf " \033[36m%-15s\033[0m %s\n", $Fld[0], $Fld[1]
++ printf " \033[36m%-19s\033[0m %s\n", $Fld[0], $Fld[1]
+ }
+ if (/^##@/) {
+ printf "\n\033[1m%s\033[0m\n", substr($Fld[$_], (5)-1);
+--
+2.51.0
+
diff --git a/0059-RSA_encrypt-decrypt-with-padding-NONE-is-not-support.patch b/0059-RSA_encrypt-decrypt-with-padding-NONE-is-not-support.patch
new file mode 100644
index 0000000..5323d6a
--- /dev/null
+++ b/0059-RSA_encrypt-decrypt-with-padding-NONE-is-not-support.patch
@@ -0,0 +1,29 @@
+From 4b91d0604643eff849a480f37b22f3bd7029d897 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <beldmit@gmail.com>
+Date: Fri, 17 Oct 2025 17:45:48 +0200
+Subject: [PATCH 59/59] RSA_encrypt/decrypt with padding NONE is not supported
+ in
+
+RHEL/CentOS/Fedora FIPS mode
+---
+ providers/fips/self_test_kats.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
+index acb0b85f73..c69c81bc9c 100644
+--- a/providers/fips/self_test_kats.c
++++ b/providers/fips/self_test_kats.c
+@@ -1190,8 +1190,8 @@ int SELF_TEST_kats(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
+ ret = 0;
+ if (!self_test_kems(st, libctx))
+ ret = 0;
+- if (!self_test_asym_ciphers(st, libctx))
+- ret = 0;
++/* if (!self_test_asym_ciphers(st, libctx))
++ ret = 0; */
+
+ RAND_set0_private(libctx, saved_rand);
+ return ret;
+--
+2.51.0
+
diff --git a/openssl.spec b/openssl.spec
index 9b5e799..d3fccfa 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -33,8 +33,8 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
-Version: 3.5.1
-Release: 4%{?dist}
+Version: 3.5.4
+Release: 1%{?dist}
Epoch: 1
Source0: openssl-%{version}.tar.gz
Source1: fips-hmacify.sh
@@ -98,9 +98,12 @@ Patch0052: 0052-Red-Hat-9-FIPS-indicator-defines.patch
%if ( %{defined rhel} && (! %{defined centos}) && (! %{defined eln}) )
Patch0053: 0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch
%endif
-Patch0054: 0054-Speed-test-signatures-without-errors.patch
-Patch0055: 0055-Targets-to-skip-build-of-non-installable-programs.patch
-
+Patch0054: 0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch
+Patch0055: 0055-Add-a-define-to-disable-symver-attributes.patch
+Patch0056: 0056-apps-speed.c-Disable-testing-of-composite-signature-.patch
+Patch0057: 0057-apps-speed.c-Support-more-signature-algorithms.patch
+Patch0058: 0058-Add-targets-to-skip-build-of-non-installable-program.patch
+Patch0059: 0059-RSA_encrypt-decrypt-with-padding-NONE-is-not-support.patch
License: Apache-2.0
URL: http://www.openssl.org/
@@ -473,6 +476,9 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
%ldconfig_scriptlets libs
%changelog
+* Wed Oct 15 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.4-1
+- Rebase to OpenSSL 3.5.4, resolving CVE-2025-9230 and CVE-2025-9232
+
* Thu Sep 04 2025 Pavol Žáčik <pzacik@redhat.com> - 1:3.5.1-4
- Fix globally disabled LTO
diff --git a/sources b/sources
index 951b06e..07e4fea 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (openssl-3.5.1.tar.gz) = 0fa152ae59ab5ea066319de039dfb1d24cbb247172d7512feb5dd920db3740f219d76b0195ea562f84fe5eae36c23772302eddfbb3509df13761452b4dafb9d3
+SHA512 (openssl-3.5.4.tar.gz) = 365aca6f2e59b5c8261fba683425d177874cf6024b0d216ca309112b879c1f4e8da78617e23c3c95d0b4a26b83ecd0d8348038b999d30e597d19f466c4761227
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-06-09 12:45 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-09 12:45 [rpms/openssl] rebase_40beta: Rebase to OpenSSL 3.5.4 Dmitry Belyavskiy
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox