public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
* [rpms/openssl] rebase_40beta: Rebase to OpenSSL 3.5.5
@ 2026-06-09 12:45 Dmitry Belyavskiy
0 siblings, 0 replies; 2+ messages in thread
From: Dmitry Belyavskiy @ 2026-06-09 12:45 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : 4a9e2d5b1aa1cdc8adbe434abcee3c282707b33c
Author : Dmitry Belyavskiy <dbelyavs@redhat.com>
Date : 2026-01-28T14:59:50+01:00
Stats : +196/-383 in 9 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/4a9e2d5b1aa1cdc8adbe434abcee3c282707b33c?branch=rebase_40beta
Log:
Rebase to OpenSSL 3.5.5
Resolving CVE-2025-15467, CVE-2025-15468, CVE-2025-15469,
CVE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2025-69420,
CVE-2025-69421, CVE-2025-69419, CVE-2026-22795, CVE-2026-22796,
CVE-2025-11187
---
diff --git a/.gitignore b/.gitignore
index c813a35..efab622 100644
--- a/.gitignore
+++ b/.gitignore
@@ -68,3 +68,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-3.5.0.tar.gz
/openssl-3.5.1.tar.gz
/openssl-3.5.4.tar.gz
+/openssl-3.5.5.tar.gz
diff --git a/0056-Add-targets-to-skip-build-of-non-installable-program.patch b/0056-Add-targets-to-skip-build-of-non-installable-program.patch
new file mode 100644
index 0000000..af91d35
--- /dev/null
+++ b/0056-Add-targets-to-skip-build-of-non-installable-program.patch
@@ -0,0 +1,158 @@
+From 4b634bdcc4dedc8516529d39062adc1305c7bf9b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= <zacik.pa@gmail.com>
+Date: Tue, 19 Aug 2025 14:26:07 +0200
+Subject: [PATCH 56/57] Add targets to skip build of non-installable programs
+
+These make it possible to split the build into two
+parts, e.g., when tests should be built with different
+compiler flags than installed software.
+
+Also use these as dependecies where appropriate.
+
+Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/28302)
+---
+ Configurations/descrip.mms.tmpl | 7 +++++--
+ Configurations/unix-Makefile.tmpl | 9 ++++++---
+ Configurations/windows-makefile.tmpl | 8 ++++++--
+ util/help.pl | 2 +-
+ 4 files changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl
+index db6a1b1799..bc7fc36b46 100644
+--- a/Configurations/descrip.mms.tmpl
++++ b/Configurations/descrip.mms.tmpl
+@@ -491,6 +491,8 @@ NODEBUG=@
+ {- dependmagic('build_libs'); -} : build_libs_nodep
+ {- dependmagic('build_modules'); -} : build_modules_nodep
+ {- dependmagic('build_programs'); -} : build_programs_nodep
++{- dependmagic('build_inst_sw'); -} : build_libs_nodep, build_modules_nodep, build_inst_programs_nodep
++{- dependmagic('build_inst_programs'); -} : build_inst_programs_nodep
+
+ build_generated_pods : $(GENERATED_PODS)
+ build_docs : build_html_docs
+@@ -500,6 +502,7 @@ build_generated : $(GENERATED_MANDATORY)
+ build_libs_nodep : $(LIBS), $(SHLIBS)
+ build_modules_nodep : $(MODULES)
+ build_programs_nodep : $(PROGRAMS), $(SCRIPTS)
++build_inst_programs_nodep : $(INSTALL_PROGRAMS), $(SCRIPTS)
+
+ # Kept around for backward compatibility
+ build_apps build_tests : build_programs
+@@ -606,7 +609,7 @@ install_docs : install_html_docs
+ uninstall_docs : uninstall_html_docs
+
+ {- output_off() if $disabled{fips}; "" -}
+-install_fips : build_sw $(INSTALL_FIPSMODULECONF)
++install_fips : build_inst_sw $(INSTALL_FIPSMODULECONF)
+ @ WRITE SYS$OUTPUT "*** Installing FIPS module"
+ - CREATE/DIR ossl_installroot:[MODULES{- $target{pointer_size} -}.'arch']
+ - CREATE/DIR/PROT=(S:RWED,O:RWE,G:RE,W:RE) OSSL_DATAROOT:[000000]
+@@ -687,7 +690,7 @@ install_runtime_libs : check_INSTALLTOP build_libs
+ @install_shlibs) -}
+ @ {- output_on() if $disabled{shared}; "" -} !
+
+-install_programs : check_INSTALLTOP install_runtime_libs build_programs
++install_programs : check_INSTALLTOP install_runtime_libs build_inst_programs
+ @ {- output_off() if $disabled{apps}; "" -} !
+ @ ! Install the main program
+ - CREATE/DIR ossl_installroot:[EXE.'arch']
+diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
+index 1920d38655..bfede44ce4 100644
+--- a/Configurations/unix-Makefile.tmpl
++++ b/Configurations/unix-Makefile.tmpl
+@@ -547,7 +547,9 @@ LANG=C
+ {- dependmagic('build_sw', 'Build all the software (default target)'); -}: build_libs_nodep build_modules_nodep build_programs_nodep link-utils
+ {- dependmagic('build_libs', 'Build the libraries libssl and libcrypto'); -}: build_libs_nodep
+ {- dependmagic('build_modules', 'Build the modules (i.e. providers and engines)'); -}: build_modules_nodep
+-{- dependmagic('build_programs', 'Build the openssl executables and scripts'); -}: build_programs_nodep
++{- dependmagic('build_programs', 'Build the openssl executables, scripts and all other programs as configured (e.g. tests or demos)'); -}: build_programs_nodep
++{- dependmagic('build_inst_sw', 'Build all the software to be installed'); -}: build_libs_nodep build_modules_nodep build_inst_programs_nodep link-utils
++{- dependmagic('build_inst_programs', 'Build only the installable openssl executables and scripts'); -}: build_inst_programs_nodep
+
+ all: build_sw {- "build_docs" if !$disabled{docs}; -} ## Build software and documentation
+ debuginfo: $(SHLIBS)
+@@ -566,6 +568,7 @@ build_generated: $(GENERATED_MANDATORY)
+ build_libs_nodep: $(LIBS) {- join(" ",map { platform->sharedlib_simple($_) // platform->sharedlib_import($_) // platform->sharedlib($_) // () } @{$unified_info{libraries}}) -}
+ build_modules_nodep: $(MODULES)
+ build_programs_nodep: $(PROGRAMS) $(SCRIPTS)
++build_inst_programs_nodep: $(INSTALL_PROGRAMS) $(SCRIPTS)
+
+ # Kept around for backward compatibility
+ build_apps build_tests: build_programs
+@@ -680,7 +683,7 @@ uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and
+ $(RM) -r "$(DESTDIR)$(DOCDIR)"
+
+ {- output_off() if $disabled{fips}; "" -}
+-install_fips: build_sw $(INSTALL_FIPSMODULECONF)
++install_fips: build_inst_sw $(INSTALL_FIPSMODULECONF)
+ @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(MODULESDIR)"
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)"
+@@ -966,7 +969,7 @@ install_runtime_libs: build_libs
+ : {- output_on() if windowsdll(); "" -}; \
+ done
+
+-install_programs: install_runtime_libs build_programs
++install_programs: install_runtime_libs build_inst_programs
+ @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+ @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(bindir)"
+ @$(ECHO) "*** Installing runtime programs"
+diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl
+index 894834cfb7..b5872124de 100644
+--- a/Configurations/windows-makefile.tmpl
++++ b/Configurations/windows-makefile.tmpl
+@@ -418,6 +418,8 @@ PROCESSOR= {- $config{processor} -}
+ {- dependmagic('build_libs'); -}: build_libs_nodep
+ {- dependmagic('build_modules'); -}: build_modules_nodep
+ {- dependmagic('build_programs'); -}: build_programs_nodep
++{- dependmagic('build_inst_sw'); -}: build_libs_nodep build_modules_nodep build_inst_programs_nodep copy-utils
++{- dependmagic('build_inst_programs'); -}: build_inst_programs_nodep
+
+ build_docs: build_html_docs
+ build_html_docs: $(HTMLDOCS1) $(HTMLDOCS3) $(HTMLDOCS5) $(HTMLDOCS7)
+@@ -430,6 +432,8 @@ build_modules_nodep: $(MODULES)
+ @
+ build_programs_nodep: $(PROGRAMS) $(SCRIPTS)
+ @
++build_inst_programs_nodep: $(INSTALL_PROGRAMS) $(SCRIPTS)
++ @
+
+ # Kept around for backward compatibility
+ build_apps build_tests: build_programs
+@@ -507,7 +511,7 @@ install_docs: install_html_docs
+ uninstall_docs: uninstall_html_docs
+
+ {- output_off() if $disabled{fips}; "" -}
+-install_fips: build_sw $(INSTALL_FIPSMODULECONF)
++install_fips: build_inst_sw $(INSTALL_FIPSMODULECONF)
+ # @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+ @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(MODULESDIR)"
+ @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(OPENSSLDIR)"
+@@ -607,7 +611,7 @@ install_runtime_libs: build_libs
+ "$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_SHLIBPDBS) \
+ "$(INSTALLTOP)\bin"
+
+-install_programs: install_runtime_libs build_programs
++install_programs: install_runtime_libs build_inst_programs
+ @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 )
+ @$(ECHO) "*** Installing runtime programs"
+ @if not "$(INSTALL_PROGRAMS)"=="" \
+diff --git a/util/help.pl b/util/help.pl
+index a1614fe8a9..e88ff4bae1 100755
+--- a/util/help.pl
++++ b/util/help.pl
+@@ -14,7 +14,7 @@ while (<>) {
+ chomp; # strip record separator
+ @Fld = split($FS, $_, -1);
+ if (/^[a-zA-Z0-9_\-]+:.*?##/) {
+- printf " \033[36m%-15s\033[0m %s\n", $Fld[0], $Fld[1]
++ printf " \033[36m%-19s\033[0m %s\n", $Fld[0], $Fld[1]
+ }
+ if (/^##@/) {
+ printf "\n\033[1m%s\033[0m\n", substr($Fld[$_], (5)-1);
+--
+2.52.0
+
diff --git a/0056-apps-speed.c-Disable-testing-of-composite-signature-.patch b/0056-apps-speed.c-Disable-testing-of-composite-signature-.patch
deleted file mode 100644
index 67f7286..0000000
--- a/0056-apps-speed.c-Disable-testing-of-composite-signature-.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From bd015ab1f56008f17404ac9511025812646e5e2d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= <zacik.pa@gmail.com>
-Date: Mon, 11 Aug 2025 12:02:03 +0200
-Subject: [PATCH 56/59] apps/speed.c: Disable testing of composite signature
- algorithms
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Creating public key context from name would always fail
-for composite signature algorithms (such as RSA-SHA256)
-because the public key algorithm name (e.g., RSA) does
-not match the name of the composite algorithm.
-
-Relates to #27855.
-
-Signed-off-by: Pavol Žáčik <zacik.pa@gmail.com>
-
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
-(Merged from https://github.com/openssl/openssl/pull/28224)
----
- apps/speed.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/apps/speed.c b/apps/speed.c
-index ae2f166d24..a51d6a57d4 100644
---- a/apps/speed.c
-+++ b/apps/speed.c
-@@ -2275,9 +2275,11 @@ int speed_main(int argc, char **argv)
- }
- #endif /* OPENSSL_NO_DSA */
- /* skipping these algs as tested elsewhere - and b/o setup is a pain */
-- else if (strcmp(sig_name, "ED25519") &&
-- strcmp(sig_name, "ED448") &&
-- strcmp(sig_name, "ECDSA") &&
-+ else if (strncmp(sig_name, "RSA", 3) &&
-+ strncmp(sig_name, "DSA", 3) &&
-+ strncmp(sig_name, "ED25519", 7) &&
-+ strncmp(sig_name, "ED448", 5) &&
-+ strncmp(sig_name, "ECDSA", 5) &&
- strcmp(sig_name, "HMAC") &&
- strcmp(sig_name, "SIPHASH") &&
- strcmp(sig_name, "POLY1305") &&
---
-2.51.0
-
diff --git a/0057-Disable-RSA-PKCS1.5-FIPS-POST-not-relevant-for-RHEL.patch b/0057-Disable-RSA-PKCS1.5-FIPS-POST-not-relevant-for-RHEL.patch
new file mode 100644
index 0000000..c02fb9f
--- /dev/null
+++ b/0057-Disable-RSA-PKCS1.5-FIPS-POST-not-relevant-for-RHEL.patch
@@ -0,0 +1,27 @@
+From 3ffdc68f16d6b326ff0854053fc9206be3dabcc2 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy <beldmit@gmail.com>
+Date: Wed, 21 Jan 2026 18:13:43 +0100
+Subject: [PATCH 57/57] Disable RSA-PKCS1.5 FIPS POST, not relevant for RHEL
+
+---
+ providers/fips/self_test_kats.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
+index f453b2f2fb..5b37387d83 100644
+--- a/providers/fips/self_test_kats.c
++++ b/providers/fips/self_test_kats.c
+@@ -1190,8 +1190,8 @@ int SELF_TEST_kats(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
+ ret = 0;
+ if (!self_test_kems(st, libctx))
+ ret = 0;
+- if (!self_test_asym_ciphers(st, libctx))
+- ret = 0;
++/* if (!self_test_asym_ciphers(st, libctx))
++ ret = 0; */
+
+ RAND_set0_private(libctx, saved_rand);
+ return ret;
+--
+2.52.0
+
diff --git a/0057-apps-speed.c-Support-more-signature-algorithms.patch b/0057-apps-speed.c-Support-more-signature-algorithms.patch
deleted file mode 100644
index ae49a34..0000000
--- a/0057-apps-speed.c-Support-more-signature-algorithms.patch
+++ /dev/null
@@ -1,142 +0,0 @@
-From eeb05d8b4b63fdda732fb49201c6769082922c11 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= <zacik.pa@gmail.com>
-Date: Mon, 11 Aug 2025 12:19:59 +0200
-Subject: [PATCH 57/59] apps/speed.c: Support more signature algorithms
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Some signature algorithms (e.g., ML-DSA-65) cannot be initialized
-via EVP_PKEY_sign_init, so try also EVP_PKEY_sign_message_init
-before reporting an error.
-
-Fixes #27108.
-
-Signed-off-by: Pavol Žáčik <zacik.pa@gmail.com>
-
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
-(Merged from https://github.com/openssl/openssl/pull/28224)
----
- apps/speed.c | 69 ++++++++++++++++++++++++++++++++++++++++------------
- 1 file changed, 53 insertions(+), 16 deletions(-)
-
-diff --git a/apps/speed.c b/apps/speed.c
-index a51d6a57d4..4050f46bce 100644
---- a/apps/speed.c
-+++ b/apps/speed.c
-@@ -4248,6 +4248,7 @@ int speed_main(int argc, char **argv)
- EVP_PKEY_CTX *sig_gen_ctx = NULL;
- EVP_PKEY_CTX *sig_sign_ctx = NULL;
- EVP_PKEY_CTX *sig_verify_ctx = NULL;
-+ EVP_SIGNATURE *alg = NULL;
- unsigned char md[SHA256_DIGEST_LENGTH];
- unsigned char *sig;
- char sfx[MAX_ALGNAME_SUFFIX];
-@@ -4308,21 +4309,48 @@ int speed_main(int argc, char **argv)
- sig_name);
- goto sig_err_break;
- }
-+
-+ /*
-+ * Try explicitly fetching the signature algoritm implementation to
-+ * use in case the algorithm does not support EVP_PKEY_sign_init
-+ */
-+ ERR_set_mark();
-+ alg = EVP_SIGNATURE_fetch(app_get0_libctx(), sig_name, app_get0_propq());
-+ ERR_pop_to_mark();
-+
- /* Now prepare signature data structs */
- sig_sign_ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(),
- pkey,
- app_get0_propq());
-- if (sig_sign_ctx == NULL
-- || EVP_PKEY_sign_init(sig_sign_ctx) <= 0
-- || (use_params == 1
-- && (EVP_PKEY_CTX_set_rsa_padding(sig_sign_ctx,
-- RSA_PKCS1_PADDING) <= 0))
-- || EVP_PKEY_sign(sig_sign_ctx, NULL, &max_sig_len,
-- md, md_len) <= 0) {
-- BIO_printf(bio_err,
-- "Error while initializing signing data structs for %s.\n",
-- sig_name);
-- goto sig_err_break;
-+ if (sig_sign_ctx == NULL) {
-+ BIO_printf(bio_err,
-+ "Error while initializing signing ctx for %s.\n",
-+ sig_name);
-+ goto sig_err_break;
-+ }
-+ ERR_set_mark();
-+ if (EVP_PKEY_sign_init(sig_sign_ctx) <= 0
-+ && (alg == NULL
-+ || EVP_PKEY_sign_message_init(sig_sign_ctx, alg, NULL) <= 0)) {
-+ ERR_clear_last_mark();
-+ BIO_printf(bio_err,
-+ "Error while initializing signing data structs for %s.\n",
-+ sig_name);
-+ goto sig_err_break;
-+ }
-+ ERR_pop_to_mark();
-+ if (use_params == 1 &&
-+ EVP_PKEY_CTX_set_rsa_padding(sig_sign_ctx, RSA_PKCS1_PADDING) <= 0) {
-+ BIO_printf(bio_err,
-+ "Error while initializing padding for %s.\n",
-+ sig_name);
-+ goto sig_err_break;
-+ }
-+ if (EVP_PKEY_sign(sig_sign_ctx, NULL, &max_sig_len, md, md_len) <= 0) {
-+ BIO_printf(bio_err,
-+ "Error while obtaining signature bufffer length for %s.\n",
-+ sig_name);
-+ goto sig_err_break;
- }
- sig = app_malloc(sig_len = max_sig_len, "signature buffer");
- if (sig == NULL) {
-@@ -4338,16 +4366,23 @@ int speed_main(int argc, char **argv)
- sig_verify_ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(),
- pkey,
- app_get0_propq());
-- if (sig_verify_ctx == NULL
-- || EVP_PKEY_verify_init(sig_verify_ctx) <= 0
-- || (use_params == 1
-- && (EVP_PKEY_CTX_set_rsa_padding(sig_verify_ctx,
-- RSA_PKCS1_PADDING) <= 0))) {
-+ if (sig_verify_ctx == NULL) {
-+ BIO_printf(bio_err,
-+ "Error while initializing verify ctx for %s.\n",
-+ sig_name);
-+ goto sig_err_break;
-+ }
-+ ERR_set_mark();
-+ if (EVP_PKEY_verify_init(sig_verify_ctx) <= 0
-+ && (alg == NULL
-+ || EVP_PKEY_verify_message_init(sig_verify_ctx, alg, NULL) <= 0)) {
-+ ERR_clear_last_mark();
- BIO_printf(bio_err,
- "Error while initializing verify data structs for %s.\n",
- sig_name);
- goto sig_err_break;
- }
-+ ERR_pop_to_mark();
- if (EVP_PKEY_verify(sig_verify_ctx, sig, sig_len, md, md_len) <= 0) {
- BIO_printf(bio_err, "Verify error for %s.\n", sig_name);
- goto sig_err_break;
-@@ -4363,12 +4398,14 @@ int speed_main(int argc, char **argv)
- loopargs[i].sig_act_sig_len[testnum] = sig_len;
- loopargs[i].sig_sig[testnum] = sig;
- EVP_PKEY_free(pkey);
-+ EVP_SIGNATURE_free(alg);
- pkey = NULL;
- continue;
-
- sig_err_break:
- dofail();
- EVP_PKEY_free(pkey);
-+ EVP_SIGNATURE_free(alg);
- op_count = 1;
- sig_checks = 0;
- break;
---
-2.51.0
-
diff --git a/0058-Add-targets-to-skip-build-of-non-installable-program.patch b/0058-Add-targets-to-skip-build-of-non-installable-program.patch
deleted file mode 100644
index c87c278..0000000
--- a/0058-Add-targets-to-skip-build-of-non-installable-program.patch
+++ /dev/null
@@ -1,158 +0,0 @@
-From f320da46f706a8013de532ee1a34703bd814be06 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= <zacik.pa@gmail.com>
-Date: Tue, 19 Aug 2025 14:26:07 +0200
-Subject: [PATCH 58/59] Add targets to skip build of non-installable programs
-
-These make it possible to split the build into two
-parts, e.g., when tests should be built with different
-compiler flags than installed software.
-
-Also use these as dependecies where appropriate.
-
-Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/28302)
----
- Configurations/descrip.mms.tmpl | 7 +++++--
- Configurations/unix-Makefile.tmpl | 9 ++++++---
- Configurations/windows-makefile.tmpl | 8 ++++++--
- util/help.pl | 2 +-
- 4 files changed, 18 insertions(+), 8 deletions(-)
-
-diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl
-index db6a1b1799..bc7fc36b46 100644
---- a/Configurations/descrip.mms.tmpl
-+++ b/Configurations/descrip.mms.tmpl
-@@ -491,6 +491,8 @@ NODEBUG=@
- {- dependmagic('build_libs'); -} : build_libs_nodep
- {- dependmagic('build_modules'); -} : build_modules_nodep
- {- dependmagic('build_programs'); -} : build_programs_nodep
-+{- dependmagic('build_inst_sw'); -} : build_libs_nodep, build_modules_nodep, build_inst_programs_nodep
-+{- dependmagic('build_inst_programs'); -} : build_inst_programs_nodep
-
- build_generated_pods : $(GENERATED_PODS)
- build_docs : build_html_docs
-@@ -500,6 +502,7 @@ build_generated : $(GENERATED_MANDATORY)
- build_libs_nodep : $(LIBS), $(SHLIBS)
- build_modules_nodep : $(MODULES)
- build_programs_nodep : $(PROGRAMS), $(SCRIPTS)
-+build_inst_programs_nodep : $(INSTALL_PROGRAMS), $(SCRIPTS)
-
- # Kept around for backward compatibility
- build_apps build_tests : build_programs
-@@ -606,7 +609,7 @@ install_docs : install_html_docs
- uninstall_docs : uninstall_html_docs
-
- {- output_off() if $disabled{fips}; "" -}
--install_fips : build_sw $(INSTALL_FIPSMODULECONF)
-+install_fips : build_inst_sw $(INSTALL_FIPSMODULECONF)
- @ WRITE SYS$OUTPUT "*** Installing FIPS module"
- - CREATE/DIR ossl_installroot:[MODULES{- $target{pointer_size} -}.'arch']
- - CREATE/DIR/PROT=(S:RWED,O:RWE,G:RE,W:RE) OSSL_DATAROOT:[000000]
-@@ -687,7 +690,7 @@ install_runtime_libs : check_INSTALLTOP build_libs
- @install_shlibs) -}
- @ {- output_on() if $disabled{shared}; "" -} !
-
--install_programs : check_INSTALLTOP install_runtime_libs build_programs
-+install_programs : check_INSTALLTOP install_runtime_libs build_inst_programs
- @ {- output_off() if $disabled{apps}; "" -} !
- @ ! Install the main program
- - CREATE/DIR ossl_installroot:[EXE.'arch']
-diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
-index 74139ec228..16aab9cd76 100644
---- a/Configurations/unix-Makefile.tmpl
-+++ b/Configurations/unix-Makefile.tmpl
-@@ -547,7 +547,9 @@ LANG=C
- {- dependmagic('build_sw', 'Build all the software (default target)'); -}: build_libs_nodep build_modules_nodep build_programs_nodep link-utils
- {- dependmagic('build_libs', 'Build the libraries libssl and libcrypto'); -}: build_libs_nodep
- {- dependmagic('build_modules', 'Build the modules (i.e. providers and engines)'); -}: build_modules_nodep
--{- dependmagic('build_programs', 'Build the openssl executables and scripts'); -}: build_programs_nodep
-+{- dependmagic('build_programs', 'Build the openssl executables, scripts and all other programs as configured (e.g. tests or demos)'); -}: build_programs_nodep
-+{- dependmagic('build_inst_sw', 'Build all the software to be installed'); -}: build_libs_nodep build_modules_nodep build_inst_programs_nodep link-utils
-+{- dependmagic('build_inst_programs', 'Build only the installable openssl executables and scripts'); -}: build_inst_programs_nodep
-
- all: build_sw {- "build_docs" if !$disabled{docs}; -} ## Build software and documentation
- debuginfo: $(SHLIBS)
-@@ -566,6 +568,7 @@ build_generated: $(GENERATED_MANDATORY)
- build_libs_nodep: $(LIBS) {- join(" ",map { platform->sharedlib_simple($_) // platform->sharedlib_import($_) // platform->sharedlib($_) // () } @{$unified_info{libraries}}) -}
- build_modules_nodep: $(MODULES)
- build_programs_nodep: $(PROGRAMS) $(SCRIPTS)
-+build_inst_programs_nodep: $(INSTALL_PROGRAMS) $(SCRIPTS)
-
- # Kept around for backward compatibility
- build_apps build_tests: build_programs
-@@ -680,7 +683,7 @@ uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and
- $(RM) -r "$(DESTDIR)$(DOCDIR)"
-
- {- output_off() if $disabled{fips}; "" -}
--install_fips: build_sw $(INSTALL_FIPSMODULECONF)
-+install_fips: build_inst_sw $(INSTALL_FIPSMODULECONF)
- @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(MODULESDIR)"
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)"
-@@ -965,7 +968,7 @@ install_runtime_libs: build_libs
- : {- output_on() if windowsdll(); "" -}; \
- done
-
--install_programs: install_runtime_libs build_programs
-+install_programs: install_runtime_libs build_inst_programs
- @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- @$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(bindir)"
- @$(ECHO) "*** Installing runtime programs"
-diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl
-index 894834cfb7..b5872124de 100644
---- a/Configurations/windows-makefile.tmpl
-+++ b/Configurations/windows-makefile.tmpl
-@@ -418,6 +418,8 @@ PROCESSOR= {- $config{processor} -}
- {- dependmagic('build_libs'); -}: build_libs_nodep
- {- dependmagic('build_modules'); -}: build_modules_nodep
- {- dependmagic('build_programs'); -}: build_programs_nodep
-+{- dependmagic('build_inst_sw'); -}: build_libs_nodep build_modules_nodep build_inst_programs_nodep copy-utils
-+{- dependmagic('build_inst_programs'); -}: build_inst_programs_nodep
-
- build_docs: build_html_docs
- build_html_docs: $(HTMLDOCS1) $(HTMLDOCS3) $(HTMLDOCS5) $(HTMLDOCS7)
-@@ -430,6 +432,8 @@ build_modules_nodep: $(MODULES)
- @
- build_programs_nodep: $(PROGRAMS) $(SCRIPTS)
- @
-+build_inst_programs_nodep: $(INSTALL_PROGRAMS) $(SCRIPTS)
-+ @
-
- # Kept around for backward compatibility
- build_apps build_tests: build_programs
-@@ -507,7 +511,7 @@ install_docs: install_html_docs
- uninstall_docs: uninstall_html_docs
-
- {- output_off() if $disabled{fips}; "" -}
--install_fips: build_sw $(INSTALL_FIPSMODULECONF)
-+install_fips: build_inst_sw $(INSTALL_FIPSMODULECONF)
- # @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(MODULESDIR)"
- @"$(PERL)" "$(SRCDIR)\util\mkdir-p.pl" "$(OPENSSLDIR)"
-@@ -607,7 +611,7 @@ install_runtime_libs: build_libs
- "$(PERL)" "$(SRCDIR)\util\copy.pl" $(INSTALL_SHLIBPDBS) \
- "$(INSTALLTOP)\bin"
-
--install_programs: install_runtime_libs build_programs
-+install_programs: install_runtime_libs build_inst_programs
- @if "$(INSTALLTOP)"=="" ( $(ECHO) "INSTALLTOP should not be empty" & exit 1 )
- @$(ECHO) "*** Installing runtime programs"
- @if not "$(INSTALL_PROGRAMS)"=="" \
-diff --git a/util/help.pl b/util/help.pl
-index a1614fe8a9..e88ff4bae1 100755
---- a/util/help.pl
-+++ b/util/help.pl
-@@ -14,7 +14,7 @@ while (<>) {
- chomp; # strip record separator
- @Fld = split($FS, $_, -1);
- if (/^[a-zA-Z0-9_\-]+:.*?##/) {
-- printf " \033[36m%-15s\033[0m %s\n", $Fld[0], $Fld[1]
-+ printf " \033[36m%-19s\033[0m %s\n", $Fld[0], $Fld[1]
- }
- if (/^##@/) {
- printf "\n\033[1m%s\033[0m\n", substr($Fld[$_], (5)-1);
---
-2.51.0
-
diff --git a/0059-RSA_encrypt-decrypt-with-padding-NONE-is-not-support.patch b/0059-RSA_encrypt-decrypt-with-padding-NONE-is-not-support.patch
deleted file mode 100644
index 5323d6a..0000000
--- a/0059-RSA_encrypt-decrypt-with-padding-NONE-is-not-support.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 4b91d0604643eff849a480f37b22f3bd7029d897 Mon Sep 17 00:00:00 2001
-From: Dmitry Belyavskiy <beldmit@gmail.com>
-Date: Fri, 17 Oct 2025 17:45:48 +0200
-Subject: [PATCH 59/59] RSA_encrypt/decrypt with padding NONE is not supported
- in
-
-RHEL/CentOS/Fedora FIPS mode
----
- providers/fips/self_test_kats.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
-index acb0b85f73..c69c81bc9c 100644
---- a/providers/fips/self_test_kats.c
-+++ b/providers/fips/self_test_kats.c
-@@ -1190,8 +1190,8 @@ int SELF_TEST_kats(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
- ret = 0;
- if (!self_test_kems(st, libctx))
- ret = 0;
-- if (!self_test_asym_ciphers(st, libctx))
-- ret = 0;
-+/* if (!self_test_asym_ciphers(st, libctx))
-+ ret = 0; */
-
- RAND_set0_private(libctx, saved_rand);
- return ret;
---
-2.51.0
-
diff --git a/openssl.spec b/openssl.spec
index cd2a7ae..3522651 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -33,8 +33,8 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
-Version: 3.5.4
-Release: 2%{?dist}
+Version: 3.5.5
+Release: 1%{?dist}
Epoch: 1
Source0: openssl-%{version}.tar.gz
Source1: fips-hmacify.sh
@@ -100,10 +100,8 @@ Patch0053: 0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch
%endif
Patch0054: 0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch
Patch0055: 0055-Add-a-define-to-disable-symver-attributes.patch
-Patch0056: 0056-apps-speed.c-Disable-testing-of-composite-signature-.patch
-Patch0057: 0057-apps-speed.c-Support-more-signature-algorithms.patch
-Patch0058: 0058-Add-targets-to-skip-build-of-non-installable-program.patch
-Patch0059: 0059-RSA_encrypt-decrypt-with-padding-NONE-is-not-support.patch
+Patch0056: 0056-Add-targets-to-skip-build-of-non-installable-program.patch
+Patch0057: 0057-Disable-RSA-PKCS1.5-FIPS-POST-not-relevant-for-RHEL.patch
License: Apache-2.0
URL: http://www.openssl.org/
@@ -476,6 +474,11 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
%ldconfig_scriptlets libs
%changelog
+* Wed Jan 28 2026 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.5-1
+- Rebase to OpenSSL 3.5.5, resolving CVE-2025-15467, CVE-2025-15468,
+ CVE-2025-15469, CVE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2025-69420,
+ CVE-2025-69421, CVE-2025-69419, CVE-2026-22795, CVE-2026-22796, CVE-2025-11187
+
* Fri Jan 16 2026 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.5.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
diff --git a/sources b/sources
index 07e4fea..8551fe3 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (openssl-3.5.4.tar.gz) = 365aca6f2e59b5c8261fba683425d177874cf6024b0d216ca309112b879c1f4e8da78617e23c3c95d0b4a26b83ecd0d8348038b999d30e597d19f466c4761227
+SHA512 (openssl-3.5.5.tar.gz) = 7cf0eb91bac175f7fe0adcafef457790d43fe7f98e2d4bef681c2fd5ca365e1fa5b562c645a60ab602365adedf9d91c074624eea66d3d7e155639fc50d5861ec
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [rpms/openssl] rebase_40beta: Rebase to OpenSSL 3.5.5
@ 2026-06-09 12:45 Dmitry Belyavskiy
0 siblings, 0 replies; 2+ messages in thread
From: Dmitry Belyavskiy @ 2026-06-09 12:45 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : 1ca5a5357a764c48972f417bd3f5a142aed43458
Author : Dmitry Belyavskiy <dbelyavs@redhat.com>
Date : 2026-01-28T15:01:45+01:00
Stats : +1128/-1158 in 55 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/1ca5a5357a764c48972f417bd3f5a142aed43458?branch=rebase_40beta
Log:
Rebase to OpenSSL 3.5.5
Resolving CVE-2025-15467, CVE-2025-15468, CVE-2025-15469,
CVE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2025-69420,
CVE-2025-69421, CVE-2025-69419, CVE-2026-22795, CVE-2026-22796,
CVE-2025-11187
---
diff --git a/0001-RH-Aarch64-and-ppc64le-use-lib64.patch b/0001-RH-Aarch64-and-ppc64le-use-lib64.patch
index 8bba2ec..e7da73a 100644
--- a/0001-RH-Aarch64-and-ppc64le-use-lib64.patch
+++ b/0001-RH-Aarch64-and-ppc64le-use-lib64.patch
@@ -1,7 +1,7 @@
-From 0e03058e3d0a540a330bb42ee8f6dca5604841f9 Mon Sep 17 00:00:00 2001
+From ad6ba90718f814f1db71e86a4156098eb2bbeef5 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
-Subject: [PATCH 01/59] RH: Aarch64 and ppc64le use lib64
+Subject: [PATCH 01/57] RH: Aarch64 and ppc64le use lib64
Patch-name: 0001-Aarch64-and-ppc64le-use-lib64.patch
Patch-id: 1
@@ -34,5 +34,5 @@ index cba57b4127..3e327017ef 100644
"linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
inherit_from => [ "linux-generic32" ],
--
-2.51.0
+2.52.0
diff --git a/0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch b/0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch
index d925b68..bcbc939 100644
--- a/0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch
+++ b/0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch
@@ -1,7 +1,7 @@
-From 9d127bab38d30e2d3ebafc39c3dd874ae55c72de Mon Sep 17 00:00:00 2001
+From a10a60403c197128ea6d8076b5111c64594a5026 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 6 Mar 2025 08:40:29 -0500
-Subject: [PATCH 02/59] Add a separate config file to use for rpm installs
+Subject: [PATCH 02/57] Add a separate config file to use for rpm installs
In RHEL/Fedora systems we want to use a slightly different set
of defaults, but we do not want to change the standard config file
@@ -452,5 +452,5 @@ index 0000000000..fe2346eb2b
+cmd = rr
+oldcert = $insta::certout # insta.cert.pem
--
-2.51.0
+2.52.0
diff --git a/0003-RH-Do-not-install-html-docs.patch b/0003-RH-Do-not-install-html-docs.patch
index 72afe71..5f6117d 100644
--- a/0003-RH-Do-not-install-html-docs.patch
+++ b/0003-RH-Do-not-install-html-docs.patch
@@ -1,7 +1,7 @@
-From 2530f17f6a5fe3733beda49954c5c78f423569d5 Mon Sep 17 00:00:00 2001
+From 44f15e373a78a1fb01edf15e7530cea4c8a1b79b Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
-Subject: [PATCH 03/59] RH: Do not install html docs
+Subject: [PATCH 03/57] RH: Do not install html docs
Patch-name: 0003-Do-not-install-html-docs.patch
Patch-id: 3
@@ -13,7 +13,7 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
-index 81f49926ce..516f8d62dc 100644
+index 78be4a3199..962d1330bb 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -669,7 +669,7 @@ install_sw: install_dev install_engines install_modules install_runtime ## Insta
@@ -26,5 +26,5 @@ index 81f49926ce..516f8d62dc 100644
uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and HTML documentation
$(RM) -r "$(DESTDIR)$(DOCDIR)"
--
-2.51.0
+2.52.0
diff --git a/0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch b/0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch
index f33e200..951849d 100644
--- a/0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch
+++ b/0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch
@@ -1,7 +1,7 @@
-From f2fcdc5171f0b3b0b94fe8b78b6282be078a4e81 Mon Sep 17 00:00:00 2001
+From 3e60b46747eae0aec3171f13da6be706bcac6b48 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
-Subject: [PATCH 04/59] RH: apps ca fix md option help text.patch - DROP?
+Subject: [PATCH 04/57] RH: apps ca fix md option help text.patch - DROP?
Patch-name: 0005-apps-ca-fix-md-option-help-text.patch
Patch-id: 5
@@ -13,18 +13,18 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/ca.c b/apps/ca.c
-index 6d1d1c0a6e..a7553ba609 100644
+index 02b00c7c03..7f77e069ab 100644
--- a/apps/ca.c
+++ b/apps/ca.c
-@@ -216,7 +216,7 @@ const OPTIONS ca_options[] = {
- {"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"},
+@@ -261,7 +261,7 @@ const OPTIONS ca_options[] = {
+ { "noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN" },
OPT_SECTION("Signing"),
-- {"md", OPT_MD, 's', "Digest to use, such as sha256"},
-+ {"md", OPT_MD, 's', "Digest to use, such as sha256; see openssl help for list"},
- {"keyfile", OPT_KEYFILE, 's', "The CA private key"},
- {"keyform", OPT_KEYFORM, 'f',
- "Private key file format (ENGINE, other values ignored)"},
+- { "md", OPT_MD, 's', "Digest to use, such as sha256" },
++ { "md", OPT_MD, 's', "Digest to use, such as sha256; see openssl help for list" },
+ { "keyfile", OPT_KEYFILE, 's', "The CA private key" },
+ { "keyform", OPT_KEYFORM, 'f',
+ "Private key file format (ENGINE, other values ignored)" },
--
-2.51.0
+2.52.0
diff --git a/0005-RH-Disable-signature-verification-with-bad-digests-R.patch b/0005-RH-Disable-signature-verification-with-bad-digests-R.patch
index df06d23..d3d81a9 100644
--- a/0005-RH-Disable-signature-verification-with-bad-digests-R.patch
+++ b/0005-RH-Disable-signature-verification-with-bad-digests-R.patch
@@ -1,7 +1,7 @@
-From c9f17bc73a099735c6e80dd67c93f23175771cb4 Mon Sep 17 00:00:00 2001
+From 04f1fc282cd5f5e7a9fbf2d82a62a9810d2e4acc Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
-Subject: [PATCH 05/59] RH: Disable signature verification with bad digests -
+Subject: [PATCH 05/57] RH: Disable signature verification with bad digests -
REVIEW
Patch-name: 0006-Disable-signature-verification-with-totally-unsafe-h.patch
@@ -14,10 +14,10 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
1 file changed, 5 insertions(+)
diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
-index f6cac80962..fbc6ce6e30 100644
+index 55f86ee83f..95483afc00 100644
--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
-@@ -151,6 +151,11 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
+@@ -152,6 +152,11 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
ERR_raise(ERR_LIB_ASN1, ERR_R_EVP_LIB);
if (ret <= 1)
goto err;
@@ -30,5 +30,5 @@ index f6cac80962..fbc6ce6e30 100644
const EVP_MD *type = NULL;
--
-2.51.0
+2.52.0
diff --git a/0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch b/0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch
index cf3d6c0..d53c49a 100644
--- a/0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch
+++ b/0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch
@@ -1,7 +1,7 @@
-From 61afaf0de1f2c4cd2773f61f3c665e84e1925460 Mon Sep 17 00:00:00 2001
+From ced223dc078708514c65b1903c783062ec568bb7 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:14 +0100
-Subject: [PATCH 06/59] RH: Add support for PROFILE SYSTEM system default
+Subject: [PATCH 06/57] RH: Add support for PROFILE SYSTEM system default
cipher
Patch-name: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
@@ -14,13 +14,13 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
Configure | 11 +++-
doc/man1/openssl-ciphers.pod.in | 9 ++++
include/openssl/ssl.h.in | 5 ++
- ssl/ssl_ciph.c | 83 +++++++++++++++++++++++++++----
+ ssl/ssl_ciph.c | 85 ++++++++++++++++++++++++++-----
ssl/ssl_lib.c | 4 +-
test/cipherlist_test.c | 2 +
- 7 files changed, 105 insertions(+), 14 deletions(-)
+ 7 files changed, 106 insertions(+), 15 deletions(-)
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
-index 516f8d62dc..74139ec228 100644
+index 962d1330bb..1920d38655 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -355,6 +355,10 @@ MANDIR=$(INSTALLTOP)/share/man
@@ -106,10 +106,10 @@ index 69195bcdcb..a6e0ede570 100644
"High" encryption cipher suites. This currently means those with key lengths
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
-index 383c5bc411..d1b00e8454 100644
+index bdcc68529b..82410670f4 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
-@@ -209,6 +209,11 @@ extern "C" {
+@@ -211,6 +211,11 @@ extern "C" {
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
*/
@@ -120,9 +120,9 @@ index 383c5bc411..d1b00e8454 100644
+# endif
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
- # define SSL_SENT_SHUTDOWN 1
+ #define SSL_SENT_SHUTDOWN 1
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
-index 6127cb7a4b..19420d6c6a 100644
+index 7dccec6260..15be7e8067 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -9,6 +9,7 @@
@@ -133,7 +133,7 @@ index 6127cb7a4b..19420d6c6a 100644
#include <stdio.h>
#include <ctype.h>
#include <openssl/objects.h>
-@@ -1421,6 +1422,49 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
+@@ -1404,6 +1405,49 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
return ret;
}
@@ -181,9 +181,9 @@ index 6127cb7a4b..19420d6c6a 100644
+#endif
+
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
- STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
- STACK_OF(SSL_CIPHER) **cipher_list,
-@@ -1435,15 +1479,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
+ STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
+ STACK_OF(SSL_CIPHER) **cipher_list,
+@@ -1418,15 +1462,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
const SSL_CIPHER **ca_list = NULL;
const SSL_METHOD *ssl_method = ctx->method;
@@ -211,16 +211,16 @@ index 6127cb7a4b..19420d6c6a 100644
/*
* To reduce the work to do we only want to process the compiled
-@@ -1465,7 +1519,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
+@@ -1448,7 +1502,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
if (num_of_ciphers > 0) {
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
if (co_list == NULL)
-- return NULL; /* Failure */
+- return NULL; /* Failure */
+ goto err;
}
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
-@@ -1531,8 +1585,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
+@@ -1514,8 +1568,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
* in force within each class
*/
if (!ssl_cipher_strength_sort(&head, &tail)) {
@@ -230,27 +230,29 @@ index 6127cb7a4b..19420d6c6a 100644
}
/*
-@@ -1576,8 +1629,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
+@@ -1559,8 +1612,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
if (ca_list == NULL) {
- OPENSSL_free(co_list);
-- return NULL; /* Failure */
+- return NULL; /* Failure */
+ goto err;
}
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
- disabled_mkey, disabled_auth, disabled_enc,
-@@ -1603,8 +1655,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
- OPENSSL_free(ca_list); /* Not needed anymore */
+ disabled_mkey, disabled_auth, disabled_enc,
+@@ -1585,9 +1637,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
- if (!ok) { /* Rule processing failure */
+ OPENSSL_free(ca_list); /* Not needed anymore */
+
+- if (!ok) { /* Rule processing failure */
- OPENSSL_free(co_list);
- return NULL;
++ if (!ok) { /* Rule processing failure */
+ goto err;
}
/*
-@@ -1612,10 +1663,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
+@@ -1595,10 +1646,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
* if we cannot get one.
*/
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
@@ -266,7 +268,7 @@ index 6127cb7a4b..19420d6c6a 100644
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
-@@ -1667,6 +1721,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
+@@ -1653,6 +1707,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
*cipher_list = cipherstack;
return cipherstack;
@@ -281,32 +283,32 @@ index 6127cb7a4b..19420d6c6a 100644
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index 9696a4c55f..4bd3318407 100644
+index ac77faa677..677b05ba64 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
-@@ -686,7 +686,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
- ctx->tls13_ciphersuites,
- &(ctx->cipher_list),
- &(ctx->cipher_list_by_id),
-- OSSL_default_cipher_list(), ctx->cert);
-+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert);
+@@ -678,7 +678,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
+ ctx->tls13_ciphersuites,
+ &(ctx->cipher_list),
+ &(ctx->cipher_list_by_id),
+- OSSL_default_cipher_list(), ctx->cert);
++ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert);
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
return 0;
-@@ -4136,7 +4136,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
+@@ -4102,7 +4102,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
if (!ssl_create_cipher_list(ret,
- ret->tls13_ciphersuites,
- &ret->cipher_list, &ret->cipher_list_by_id,
-- OSSL_default_cipher_list(), ret->cert)
-+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert)
+ ret->tls13_ciphersuites,
+ &ret->cipher_list, &ret->cipher_list_by_id,
+- OSSL_default_cipher_list(), ret->cert)
++ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert)
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
goto err;
diff --git a/test/cipherlist_test.c b/test/cipherlist_test.c
-index c46e431b00..19d05e860b 100644
+index 9874e6bad6..76b6befbad 100644
--- a/test/cipherlist_test.c
+++ b/test/cipherlist_test.c
-@@ -261,7 +261,9 @@ end:
+@@ -260,7 +260,9 @@ end:
int setup_tests(void)
{
@@ -317,5 +319,5 @@ index c46e431b00..19d05e860b 100644
ADD_TEST(test_default_cipherlist_clear);
ADD_TEST(test_stdname_cipherlist);
--
-2.51.0
+2.52.0
diff --git a/0007-RH-Add-FIPS_mode-compatibility-macro.patch b/0007-RH-Add-FIPS_mode-compatibility-macro.patch
index 105fc0d..e84a405 100644
--- a/0007-RH-Add-FIPS_mode-compatibility-macro.patch
+++ b/0007-RH-Add-FIPS_mode-compatibility-macro.patch
@@ -1,7 +1,7 @@
-From fb2c952f82064d747dbecb6ce66365ae4cc03513 Mon Sep 17 00:00:00 2001
+From 60f55f072544cb998c42da41ee33ced2b4428b9f Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 07/59] RH: Add FIPS_mode compatibility macro
+Subject: [PATCH 07/57] RH: Add FIPS_mode compatibility macro
Patch-name: 0008-Add-FIPS_mode-compatibility-macro.patch
Patch-id: 8
@@ -47,10 +47,10 @@ index 0000000000..4162cbf88e
+# endif
+#endif
diff --git a/test/property_test.c b/test/property_test.c
-index e62ff247c4..37489e4694 100644
+index d470731e50..0b044ec853 100644
--- a/test/property_test.c
+++ b/test/property_test.c
-@@ -703,6 +703,19 @@ static int test_property_list_to_string_bounds(void)
+@@ -703,6 +703,19 @@ err:
return ret;
}
@@ -79,5 +79,5 @@ index e62ff247c4..37489e4694 100644
ADD_TEST(test_property_list_to_string_bounds);
return 1;
--
-2.51.0
+2.52.0
diff --git a/0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch b/0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch
index cefd4f0..5a406c3 100644
--- a/0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch
+++ b/0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch
@@ -1,7 +1,7 @@
-From 8d7abff29035508b6208b4742bfaaed42f78ac43 Mon Sep 17 00:00:00 2001
+From 5aa108caf01f482d35aba7acae6b5a8fa1577410 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 08/59] RH: Add Kernel FIPS mode flag support - FIXSTYLE
+Subject: [PATCH 08/57] RH: Add Kernel FIPS mode flag support - FIXSTYLE
Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch
Patch-id: 9
@@ -10,11 +10,11 @@ Patch-status: |
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
crypto/context.c | 35 +++++++++++++++++++++++++++++++++++
- include/internal/provider.h | 3 +++
- 2 files changed, 38 insertions(+)
+ include/internal/provider.h | 5 ++++-
+ 2 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/crypto/context.c b/crypto/context.c
-index f15bc3d755..614c8a2c88 100644
+index 1ae88e42aa..62e60f3620 100644
--- a/crypto/context.c
+++ b/crypto/context.c
@@ -7,6 +7,7 @@
@@ -64,7 +64,7 @@ index f15bc3d755..614c8a2c88 100644
struct ossl_lib_ctx_st {
CRYPTO_RWLOCK *lock;
OSSL_EX_DATA_GLOBAL global;
-@@ -393,6 +426,8 @@ static int default_context_inited = 0;
+@@ -391,6 +424,8 @@ static int default_context_inited = 0;
DEFINE_RUN_ONCE_STATIC(default_context_do_init)
{
@@ -74,19 +74,21 @@ index f15bc3d755..614c8a2c88 100644
goto err;
diff --git a/include/internal/provider.h b/include/internal/provider.h
-index 7d94346155..c0f1d00da9 100644
+index 1b4050a81f..eb7f409af0 100644
--- a/include/internal/provider.h
+++ b/include/internal/provider.h
-@@ -114,6 +114,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx,
- const OSSL_DISPATCH *in);
+@@ -114,7 +114,10 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx,
+ const OSSL_DISPATCH *in);
void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx);
+-#ifdef __cplusplus
+/* FIPS flag access */
+int ossl_get_kernel_fips_flag(void);
+
- # ifdef __cplusplus
++# ifdef __cplusplus
}
- # endif
+ #endif
+
--
-2.51.0
+2.52.0
diff --git a/0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch b/0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch
index c28b18a..9e988c8 100644
--- a/0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch
+++ b/0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch
@@ -1,7 +1,7 @@
-From 5151c5a45d130075860256989b1f69694f840554 Mon Sep 17 00:00:00 2001
+From 8f48c77eb1c8f3e59d4d80041893a1dbf3e1a257 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 09/59] RH: Drop weak curve definitions - RENAMED/SQUASHED
+Subject: [PATCH 09/57] RH: Drop weak curve definitions - RENAMED/SQUASHED
Patch-name: 0010-Add-changes-to-ectest-and-eccurve.patch
Patch-id: 10
@@ -17,61 +17,61 @@ Patch-status: |
# # remove unsupported EC curves
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
- apps/speed.c | 8 +-
- crypto/ec/ec_curve.c | 844 ------------------
+ apps/speed.c | 8 -
+ crypto/ec/ec_curve.c | 769 ------------------
crypto/evp/ec_support.c | 87 --
test/acvp_test.inc | 9 -
test/ecdsatest.h | 17 -
- test/ectest.c | 174 +---
+ test/ectest.c | 175 +---
test/recipes/15-test_genec.t | 27 -
test/recipes/30-test_evp_data/evppkey_ecc.txt | 1 +
- 8 files changed, 10 insertions(+), 1157 deletions(-)
+ 8 files changed, 10 insertions(+), 1083 deletions(-)
diff --git a/apps/speed.c b/apps/speed.c
-index 6c1eb59e91..3307a9cb46 100644
+index a8d7cb14f5..13c8505ed9 100644
--- a/apps/speed.c
+++ b/apps/speed.c
-@@ -405,7 +405,7 @@ static double ffdh_results[FFDH_NUM][1]; /* 1 op: derivation */
+@@ -458,8 +458,6 @@ static double ffdh_results[FFDH_NUM][1]; /* 1 op: derivation */
#endif /* OPENSSL_NO_DH */
enum ec_curves_t {
-- R_EC_P160, R_EC_P192, R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521,
-+ R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521,
- #ifndef OPENSSL_NO_EC2M
- R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571,
- R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571,
-@@ -415,8 +415,6 @@ enum ec_curves_t {
+- R_EC_P160,
+- R_EC_P192,
+ R_EC_P224,
+ R_EC_P256,
+ R_EC_P384,
+@@ -486,8 +484,6 @@ enum ec_curves_t {
};
/* list of ecdsa curves */
static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = {
-- {"ecdsap160", R_EC_P160},
-- {"ecdsap192", R_EC_P192},
- {"ecdsap224", R_EC_P224},
- {"ecdsap256", R_EC_P256},
- {"ecdsap384", R_EC_P384},
-@@ -449,8 +447,6 @@ enum {
+- { "ecdsap160", R_EC_P160 },
+- { "ecdsap192", R_EC_P192 },
+ { "ecdsap224", R_EC_P224 },
+ { "ecdsap256", R_EC_P256 },
+ { "ecdsap384", R_EC_P384 },
+@@ -522,8 +518,6 @@ enum {
};
/* list of ecdh curves, extension of |ecdsa_choices| list above */
static const OPT_PAIR ecdh_choices[EC_NUM] = {
-- {"ecdhp160", R_EC_P160},
-- {"ecdhp192", R_EC_P192},
- {"ecdhp224", R_EC_P224},
- {"ecdhp256", R_EC_P256},
- {"ecdhp384", R_EC_P384},
-@@ -1966,8 +1962,6 @@ int speed_main(int argc, char **argv)
+- { "ecdhp160", R_EC_P160 },
+- { "ecdhp192", R_EC_P192 },
+ { "ecdhp224", R_EC_P224 },
+ { "ecdhp256", R_EC_P256 },
+ { "ecdhp384", R_EC_P384 },
+@@ -2042,8 +2036,6 @@ int speed_main(int argc, char **argv)
*/
static const EC_CURVE ec_curves[EC_NUM] = {
/* Prime Curves */
-- {"secp160r1", NID_secp160r1, 160},
-- {"nistp192", NID_X9_62_prime192v1, 192},
- {"nistp224", NID_secp224r1, 224},
- {"nistp256", NID_X9_62_prime256v1, 256},
- {"nistp384", NID_secp384r1, 384},
+- { "secp160r1", NID_secp160r1, 160 },
+- { "nistp192", NID_X9_62_prime192v1, 192 },
+ { "nistp224", NID_secp224r1, 224 },
+ { "nistp256", NID_X9_62_prime256v1, 256 },
+ { "nistp384", NID_secp384r1, 384 },
diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c
-index f46aac5d33..8c5ba5b839 100644
+index c17a7e5477..c6455ff691 100644
--- a/crypto/ec/ec_curve.c
+++ b/crypto/ec/ec_curve.c
-@@ -30,38 +30,6 @@ typedef struct {
+@@ -30,34 +30,6 @@ typedef struct {
} EC_CURVE_DATA;
/* the nist prime curves */
@@ -79,11 +79,8 @@ index f46aac5d33..8c5ba5b839 100644
- EC_CURVE_DATA h;
- unsigned char data[20 + 24 * 6];
-} _EC_NIST_PRIME_192 = {
-- {
-- NID_X9_62_prime_field, 20, 24, 1
-- },
-- {
-- /* seed */
+- { NID_X9_62_prime_field, 20, 24, 1 },
+- { /* seed */
- 0x30, 0x45, 0xAE, 0x6F, 0xC8, 0x42, 0x2F, 0x64, 0xED, 0x57, 0x95, 0x28,
- 0xD3, 0x81, 0x20, 0xEA, 0xE1, 0x21, 0x96, 0xD5,
- /* p */
@@ -103,28 +100,24 @@ index f46aac5d33..8c5ba5b839 100644
- 0x6b, 0x24, 0xcd, 0xd5, 0x73, 0xf9, 0x77, 0xa1, 0x1e, 0x79, 0x48, 0x11,
- /* order */
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-- 0x99, 0xDE, 0xF8, 0x36, 0x14, 0x6B, 0xC9, 0xB1, 0xB4, 0xD2, 0x28, 0x31
-- }
+- 0x99, 0xDE, 0xF8, 0x36, 0x14, 0x6B, 0xC9, 0xB1, 0xB4, 0xD2, 0x28, 0x31 }
-};
-
static const struct {
EC_CURVE_DATA h;
unsigned char data[20 + 28 * 6];
-@@ -200,187 +168,6 @@ static const struct {
- }
+@@ -184,167 +156,6 @@ static const struct {
+ 0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09 }
};
--# ifndef FIPS_MODULE
+-#ifndef FIPS_MODULE
-/* the x9.62 prime curves (minus the nist prime curves) */
-static const struct {
- EC_CURVE_DATA h;
- unsigned char data[20 + 24 * 6];
-} _EC_X9_62_PRIME_192V2 = {
-- {
-- NID_X9_62_prime_field, 20, 24, 1
-- },
-- {
-- /* seed */
+- { NID_X9_62_prime_field, 20, 24, 1 },
+- { /* seed */
- 0x31, 0xA9, 0x2E, 0xE2, 0x02, 0x9F, 0xD1, 0x0D, 0x90, 0x1B, 0x11, 0x3E,
- 0x99, 0x07, 0x10, 0xF0, 0xD2, 0x1A, 0xC6, 0xB6,
- /* p */
@@ -144,19 +137,15 @@ index f46aac5d33..8c5ba5b839 100644
- 0x08, 0x3d, 0xf2, 0xf2, 0xb0, 0x84, 0x7d, 0xe9, 0x70, 0xb2, 0xde, 0x15,
- /* order */
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
-- 0x5F, 0xB1, 0xA7, 0x24, 0xDC, 0x80, 0x41, 0x86, 0x48, 0xD8, 0xDD, 0x31
-- }
+- 0x5F, 0xB1, 0xA7, 0x24, 0xDC, 0x80, 0x41, 0x86, 0x48, 0xD8, 0xDD, 0x31 }
-};
-
-static const struct {
- EC_CURVE_DATA h;
- unsigned char data[20 + 24 * 6];
-} _EC_X9_62_PRIME_192V3 = {
-- {
-- NID_X9_62_prime_field, 20, 24, 1
-- },
-- {
-- /* seed */
+- { NID_X9_62_prime_field, 20, 24, 1 },
+- { /* seed */
- 0xC4, 0x69, 0x68, 0x44, 0x35, 0xDE, 0xB3, 0x78, 0xC4, 0xB6, 0x5C, 0xA9,
- 0x59, 0x1E, 0x2A, 0x57, 0x63, 0x05, 0x9A, 0x2E,
- /* p */
@@ -176,19 +165,15 @@ index f46aac5d33..8c5ba5b839 100644
- 0x6a, 0x6d, 0xc8, 0xf9, 0x97, 0x8a, 0xca, 0x76, 0x48, 0xa9, 0x43, 0xb0,
- /* order */
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-- 0x7A, 0x62, 0xD0, 0x31, 0xC8, 0x3F, 0x42, 0x94, 0xF6, 0x40, 0xEC, 0x13
-- }
+- 0x7A, 0x62, 0xD0, 0x31, 0xC8, 0x3F, 0x42, 0x94, 0xF6, 0x40, 0xEC, 0x13 }
-};
-
-static const struct {
- EC_CURVE_DATA h;
- unsigned char data[20 + 30 * 6];
-} _EC_X9_62_PRIME_239V1 = {
-- {
-- NID_X9_62_prime_field, 20, 30, 1
-- },
-- {
-- /* seed */
+- { NID_X9_62_prime_field, 20, 30, 1 },
+- { /* seed */
- 0xE4, 0x3B, 0xB4, 0x60, 0xF0, 0xB8, 0x0C, 0xC0, 0xC0, 0xB0, 0x75, 0x79,
- 0x8E, 0x94, 0x80, 0x60, 0xF8, 0x32, 0x1B, 0x7D,
- /* p */
@@ -214,19 +199,15 @@ index f46aac5d33..8c5ba5b839 100644
- /* order */
- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0x7F, 0xFF, 0xFF, 0x9E, 0x5E, 0x9A, 0x9F, 0x5D, 0x90, 0x71, 0xFB, 0xD1,
-- 0x52, 0x26, 0x88, 0x90, 0x9D, 0x0B
-- }
+- 0x52, 0x26, 0x88, 0x90, 0x9D, 0x0B }
-};
-
-static const struct {
- EC_CURVE_DATA h;
- unsigned char data[20 + 30 * 6];
-} _EC_X9_62_PRIME_239V2 = {
-- {
-- NID_X9_62_prime_field, 20, 30, 1
-- },
-- {
-- /* seed */
+- { NID_X9_62_prime_field, 20, 30, 1 },
+- { /* seed */
- 0xE8, 0xB4, 0x01, 0x16, 0x04, 0x09, 0x53, 0x03, 0xCA, 0x3B, 0x80, 0x99,
- 0x98, 0x2B, 0xE0, 0x9F, 0xCB, 0x9A, 0xE6, 0x16,
- /* p */
@@ -252,19 +233,15 @@ index f46aac5d33..8c5ba5b839 100644
- /* order */
- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0x80, 0x00, 0x00, 0xCF, 0xA7, 0xE8, 0x59, 0x43, 0x77, 0xD4, 0x14, 0xC0,
-- 0x38, 0x21, 0xBC, 0x58, 0x20, 0x63
-- }
+- 0x38, 0x21, 0xBC, 0x58, 0x20, 0x63 }
-};
-
-static const struct {
- EC_CURVE_DATA h;
- unsigned char data[20 + 30 * 6];
-} _EC_X9_62_PRIME_239V3 = {
-- {
-- NID_X9_62_prime_field, 20, 30, 1
-- },
-- {
-- /* seed */
+- { NID_X9_62_prime_field, 20, 30, 1 },
+- { /* seed */
- 0x7D, 0x73, 0x74, 0x16, 0x8F, 0xFE, 0x34, 0x71, 0xB6, 0x0A, 0x85, 0x76,
- 0x86, 0xA1, 0x94, 0x75, 0xD3, 0xBF, 0xA2, 0xFF,
- /* p */
@@ -290,15 +267,14 @@ index f46aac5d33..8c5ba5b839 100644
- /* order */
- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0x7F, 0xFF, 0xFF, 0x97, 0x5D, 0xEB, 0x41, 0xB3, 0xA6, 0x05, 0x7C, 0x3C,
-- 0x43, 0x21, 0x46, 0x52, 0x65, 0x51
-- }
+- 0x43, 0x21, 0x46, 0x52, 0x65, 0x51 }
-};
-#endif /* FIPS_MODULE */
-
static const struct {
EC_CURVE_DATA h;
unsigned char data[20 + 32 * 8];
-@@ -429,294 +216,6 @@ static const struct {
+@@ -389,258 +200,6 @@ static const struct {
#ifndef FIPS_MODULE
/* the secg prime curves (minus the nist and x9.62 prime curves) */
@@ -306,11 +282,8 @@ index f46aac5d33..8c5ba5b839 100644
- EC_CURVE_DATA h;
- unsigned char data[20 + 14 * 6];
-} _EC_SECG_PRIME_112R1 = {
-- {
-- NID_X9_62_prime_field, 20, 14, 1
-- },
-- {
-- /* seed */
+- { NID_X9_62_prime_field, 20, 14, 1 },
+- { /* seed */
- 0x00, 0xF5, 0x0B, 0x02, 0x8E, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61,
- 0x51, 0x75, 0x29, 0x04, 0x72, 0x78, 0x3F, 0xB1,
- /* p */
@@ -330,19 +303,15 @@ index f46aac5d33..8c5ba5b839 100644
- 0x75, 0x00,
- /* order */
- 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x76, 0x28, 0xDF, 0xAC, 0x65,
-- 0x61, 0xC5
-- }
+- 0x61, 0xC5 }
-};
-
-static const struct {
- EC_CURVE_DATA h;
- unsigned char data[20 + 14 * 6];
-} _EC_SECG_PRIME_112R2 = {
-- {
-- NID_X9_62_prime_field, 20, 14, 4
-- },
-- {
-- /* seed */
+- { NID_X9_62_prime_field, 20, 14, 4 },
+- { /* seed */
- 0x00, 0x27, 0x57, 0xA1, 0x11, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61,
- 0x51, 0x75, 0x53, 0x16, 0xC0, 0x5E, 0x0B, 0xD4,
- /* p */
@@ -362,19 +331,15 @@ index f46aac5d33..8c5ba5b839 100644
- 0x6e, 0x97,
- /* order */
- 0x36, 0xDF, 0x0A, 0xAF, 0xD8, 0xB8, 0xD7, 0x59, 0x7C, 0xA1, 0x05, 0x20,
-- 0xD0, 0x4B
-- }
+- 0xD0, 0x4B }
-};
-
-static const struct {
- EC_CURVE_DATA h;
- unsigned char data[20 + 16 * 6];
-} _EC_SECG_PRIME_128R1 = {
-- {
-- NID_X9_62_prime_field, 20, 16, 1
-- },
-- {
-- /* seed */
+- { NID_X9_62_prime_field, 20, 16, 1 },
+- { /* seed */
- 0x00, 0x0E, 0x0D, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, 0x51, 0x75,
- 0x0C, 0xC0, 0x3A, 0x44, 0x73, 0xD0, 0x36, 0x79,
- /* p */
@@ -394,19 +359,15 @@ index f46aac5d33..8c5ba5b839 100644
- 0xdd, 0xed, 0x7a, 0x83,
- /* order */
- 0xFF, 0xFF, 0xFF, 0xFE, 0x00, 0x00, 0x00, 0x00, 0x75, 0xA3, 0x0D, 0x1B,
-- 0x90, 0x38, 0xA1, 0x15
-- }
+- 0x90, 0x38, 0xA1, 0x15 }
-};
-
-static const struct {
- EC_CURVE_DATA h;
- unsigned char data[20 + 16 * 6];
-} _EC_SECG_PRIME_128R2 = {
-- {
-- NID_X9_62_prime_field, 20, 16, 4
-- },
-- {
-- /* seed */
+- { NID_X9_62_prime_field, 20, 16, 4 },
+- { /* seed */
- 0x00, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, 0x51, 0x75, 0x12, 0xD8,
- 0xF0, 0x34, 0x31, 0xFC, 0xE6, 0x3B, 0x88, 0xF4,
- /* p */
@@ -426,19 +387,15 @@ index f46aac5d33..8c5ba5b839 100644
- 0x5f, 0xc3, 0x4b, 0x44,
- /* order */
- 0x3F, 0xFF, 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF, 0xBE, 0x00, 0x24, 0x72,
-- 0x06, 0x13, 0xB5, 0xA3
-- }
+- 0x06, 0x13, 0xB5, 0xA3 }
-};
-
-static const struct {
- EC_CURVE_DATA h;
- unsigned char data[0 + 21 * 6];
-} _EC_SECG_PRIME_160K1 = {
-- {
-- NID_X9_62_prime_field, 0, 21, 1
-- },
-- {
-- /* no seed */
+- { NID_X9_62_prime_field, 0, 21, 1 },
+- { /* no seed */
- /* p */
- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xAC, 0x73,
@@ -456,19 +413,15 @@ index f46aac5d33..8c5ba5b839 100644
- 0x86, 0x53, 0x17, 0x33, 0xc3, 0xf0, 0x3c, 0x4f, 0xee,
- /* order */
- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xB8,
-- 0xFA, 0x16, 0xDF, 0xAB, 0x9A, 0xCA, 0x16, 0xB6, 0xB3
-- }
+- 0xFA, 0x16, 0xDF, 0xAB, 0x9A, 0xCA, 0x16, 0xB6, 0xB3 }
-};
-
-static const struct {
- EC_CURVE_DATA h;
- unsigned char data[20 + 21 * 6];
-} _EC_SECG_PRIME_160R1 = {
-- {
-- NID_X9_62_prime_field, 20, 21, 1
-- },
-- {
-- /* seed */
+- { NID_X9_62_prime_field, 20, 21, 1 },
+- { /* seed */
- 0x10, 0x53, 0xCD, 0xE4, 0x2C, 0x14, 0xD6, 0x96, 0xE6, 0x76, 0x87, 0x56,
- 0x15, 0x17, 0x53, 0x3B, 0xF3, 0xF8, 0x33, 0x45,
- /* p */
@@ -488,19 +441,15 @@ index f46aac5d33..8c5ba5b839 100644
- 0x12, 0x04, 0x23, 0x51, 0x37, 0x7a, 0xc5, 0xfb, 0x32,
- /* order */
- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xF4,
-- 0xC8, 0xF9, 0x27, 0xAE, 0xD3, 0xCA, 0x75, 0x22, 0x57
-- }
+- 0xC8, 0xF9, 0x27, 0xAE, 0xD3, 0xCA, 0x75, 0x22, 0x57 }
-};
-
-static const struct {
- EC_CURVE_DATA h;
- unsigned char data[20 + 21 * 6];
-} _EC_SECG_PRIME_160R2 = {
-- {
-- NID_X9_62_prime_field, 20, 21, 1
-- },
-- {
-- /* seed */
+- { NID_X9_62_prime_field, 20, 21, 1 },
+- { /* seed */
- 0xB9, 0x9B, 0x99, 0xB0, 0x99, 0xB3, 0x23, 0xE0, 0x27, 0x09, 0xA4, 0xD6,
- 0x96, 0xE6, 0x76, 0x87, 0x56, 0x15, 0x17, 0x51,
- /* p */
@@ -520,19 +469,15 @@ index f46aac5d33..8c5ba5b839 100644
- 0x0d, 0xf9, 0x98, 0x2c, 0xfe, 0xa7, 0xd4, 0x3f, 0x2e,
- /* order */
- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x35,
-- 0x1E, 0xE7, 0x86, 0xA8, 0x18, 0xF3, 0xA1, 0xA1, 0x6B
-- }
+- 0x1E, 0xE7, 0x86, 0xA8, 0x18, 0xF3, 0xA1, 0xA1, 0x6B }
-};
-
-static const struct {
- EC_CURVE_DATA h;
- unsigned char data[0 + 24 * 6];
-} _EC_SECG_PRIME_192K1 = {
-- {
-- NID_X9_62_prime_field, 0, 24, 1
-- },
-- {
-- /* no seed */
+- { NID_X9_62_prime_field, 0, 24, 1 },
+- { /* no seed */
- /* p */
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xEE, 0x37,
@@ -550,19 +495,15 @@ index f46aac5d33..8c5ba5b839 100644
- 0x15, 0xbe, 0x86, 0x34, 0x40, 0x82, 0xaa, 0x88, 0xd9, 0x5e, 0x2f, 0x9d,
- /* order */
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
-- 0x26, 0xF2, 0xFC, 0x17, 0x0F, 0x69, 0x46, 0x6A, 0x74, 0xDE, 0xFD, 0x8D
-- }
+- 0x26, 0xF2, 0xFC, 0x17, 0x0F, 0x69, 0x46, 0x6A, 0x74, 0xDE, 0xFD, 0x8D }
-};
-
-static const struct {
- EC_CURVE_DATA h;
- unsigned char data[0 + 29 * 6];
-} _EC_SECG_PRIME_224K1 = {
-- {
-- NID_X9_62_prime_field, 0, 29, 1
-- },
-- {
-- /* no seed */
+- { NID_X9_62_prime_field, 0, 29, 1 },
+- { /* no seed */
- /* p */
- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
@@ -586,15 +527,14 @@ index f46aac5d33..8c5ba5b839 100644
- /* order */
- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x01, 0xDC, 0xE8, 0xD2, 0xEC, 0x61, 0x84, 0xCA, 0xF0, 0xA9,
-- 0x71, 0x76, 0x9F, 0xB1, 0xF7
-- }
+- 0x71, 0x76, 0x9F, 0xB1, 0xF7 }
-};
-
static const struct {
EC_CURVE_DATA h;
unsigned char data[0 + 32 * 6];
-@@ -753,102 +252,6 @@ static const struct {
- }
+@@ -673,90 +232,6 @@ static const struct {
+ 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41 }
};
-/* some wap/wtls curves */
@@ -602,11 +542,8 @@ index f46aac5d33..8c5ba5b839 100644
- EC_CURVE_DATA h;
- unsigned char data[0 + 15 * 6];
-} _EC_WTLS_8 = {
-- {
-- NID_X9_62_prime_field, 0, 15, 1
-- },
-- {
-- /* no seed */
+- { NID_X9_62_prime_field, 0, 15, 1 },
+- { /* no seed */
- /* p */
- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xFF, 0xFD, 0xE7,
@@ -624,19 +561,15 @@ index f46aac5d33..8c5ba5b839 100644
- 0x00, 0x00, 0x02,
- /* order */
- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xEC, 0xEA, 0x55, 0x1A,
-- 0xD8, 0x37, 0xE9
-- }
+- 0xD8, 0x37, 0xE9 }
-};
-
-static const struct {
- EC_CURVE_DATA h;
- unsigned char data[0 + 21 * 6];
-} _EC_WTLS_9 = {
-- {
-- NID_X9_62_prime_field, 0, 21, 1
-- },
-- {
-- /* no seed */
+- { NID_X9_62_prime_field, 0, 21, 1 },
+- { /* no seed */
- /* p */
- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, 0x80, 0x8F,
@@ -654,19 +587,15 @@ index f46aac5d33..8c5ba5b839 100644
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
- /* order */
- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xCD,
-- 0xC9, 0x8A, 0xE0, 0xE2, 0xDE, 0x57, 0x4A, 0xBF, 0x33
-- }
+- 0xC9, 0x8A, 0xE0, 0xE2, 0xDE, 0x57, 0x4A, 0xBF, 0x33 }
-};
-
-static const struct {
- EC_CURVE_DATA h;
- unsigned char data[0 + 28 * 6];
-} _EC_WTLS_12 = {
-- {
-- NID_X9_62_prime_field, 0, 28, 1
-- },
-- {
-- /* no seed */
+- { NID_X9_62_prime_field, 0, 28, 1 },
+- { /* no seed */
- /* p */
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
@@ -690,13 +619,12 @@ index f46aac5d33..8c5ba5b839 100644
- /* order */
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, 0x13, 0xDD, 0x29, 0x45,
-- 0x5C, 0x5C, 0x2A, 0x3D
-- }
+- 0x5C, 0x5C, 0x2A, 0x3D }
-};
#endif /* FIPS_MODULE */
#ifndef OPENSSL_NO_EC2M
-@@ -2244,198 +1647,6 @@ static const struct {
+@@ -2004,174 +1479,6 @@ static const struct {
*/
#ifndef FIPS_MODULE
@@ -704,11 +632,8 @@ index f46aac5d33..8c5ba5b839 100644
- EC_CURVE_DATA h;
- unsigned char data[0 + 20 * 6];
-} _EC_brainpoolP160r1 = {
-- {
-- NID_X9_62_prime_field, 0, 20, 1
-- },
-- {
-- /* no seed */
+- { NID_X9_62_prime_field, 0, 20, 1 },
+- { /* no seed */
- /* p */
- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0xC7, 0xAD,
- 0x95, 0xB3, 0xD8, 0x13, 0x95, 0x15, 0x62, 0x0F,
@@ -726,19 +651,15 @@ index f46aac5d33..8c5ba5b839 100644
- 0x66, 0x9C, 0x97, 0x63, 0x16, 0xDA, 0x63, 0x21,
- /* order */
- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0x59, 0x91,
-- 0xD4, 0x50, 0x29, 0x40, 0x9E, 0x60, 0xFC, 0x09
-- }
+- 0xD4, 0x50, 0x29, 0x40, 0x9E, 0x60, 0xFC, 0x09 }
-};
-
-static const struct {
- EC_CURVE_DATA h;
- unsigned char data[0 + 20 * 6];
-} _EC_brainpoolP160t1 = {
-- {
-- NID_X9_62_prime_field, 0, 20, 1
-- },
-- {
-- /* no seed */
+- { NID_X9_62_prime_field, 0, 20, 1 },
+- { /* no seed */
- /* p */
- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0xC7, 0xAD,
- 0x95, 0xB3, 0xD8, 0x13, 0x95, 0x15, 0x62, 0x0F,
@@ -756,19 +677,15 @@ index f46aac5d33..8c5ba5b839 100644
- 0x24, 0x43, 0x77, 0x21, 0x52, 0xC9, 0xE0, 0xAD,
- /* order */
- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0x59, 0x91,
-- 0xD4, 0x50, 0x29, 0x40, 0x9E, 0x60, 0xFC, 0x09
-- }
+- 0xD4, 0x50, 0x29, 0x40, 0x9E, 0x60, 0xFC, 0x09 }
-};
-
-static const struct {
- EC_CURVE_DATA h;
- unsigned char data[0 + 24 * 6];
-} _EC_brainpoolP192r1 = {
-- {
-- NID_X9_62_prime_field, 0, 24, 1
-- },
-- {
-- /* no seed */
+- { NID_X9_62_prime_field, 0, 24, 1 },
+- { /* no seed */
- /* p */
- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x30,
- 0x93, 0xD1, 0x8D, 0xB7, 0x8F, 0xCE, 0x47, 0x6D, 0xE1, 0xA8, 0x62, 0x97,
@@ -786,19 +703,15 @@ index f46aac5d33..8c5ba5b839 100644
- 0xC1, 0x49, 0x00, 0x02, 0xE6, 0x77, 0x3F, 0xA2, 0xFA, 0x29, 0x9B, 0x8F,
- /* order */
- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x2F,
-- 0x9E, 0x9E, 0x91, 0x6B, 0x5B, 0xE8, 0xF1, 0x02, 0x9A, 0xC4, 0xAC, 0xC1
-- }
+- 0x9E, 0x9E, 0x91, 0x6B, 0x5B, 0xE8, 0xF1, 0x02, 0x9A, 0xC4, 0xAC, 0xC1 }
-};
-
-static const struct {
- EC_CURVE_DATA h;
- unsigned char data[0 + 24 * 6];
-} _EC_brainpoolP192t1 = {
-- {
-- NID_X9_62_prime_field, 0, 24, 1
-- },
-- {
-- /* no seed */
+- { NID_X9_62_prime_field, 0, 24, 1 },
+- { /* no seed */
- /* p */
- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x30,
- 0x93, 0xD1, 0x8D, 0xB7, 0x8F, 0xCE, 0x47, 0x6D, 0xE1, 0xA8, 0x62, 0x97,
@@ -816,19 +729,15 @@ index f46aac5d33..8c5ba5b839 100644
- 0x44, 0x9D, 0x00, 0x84, 0xB7, 0xE5, 0xB3, 0xDE, 0x7C, 0xCC, 0x01, 0xC9,
- /* order */
- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x2F,
-- 0x9E, 0x9E, 0x91, 0x6B, 0x5B, 0xE8, 0xF1, 0x02, 0x9A, 0xC4, 0xAC, 0xC1
-- }
+- 0x9E, 0x9E, 0x91, 0x6B, 0x5B, 0xE8, 0xF1, 0x02, 0x9A, 0xC4, 0xAC, 0xC1 }
-};
-
-static const struct {
- EC_CURVE_DATA h;
- unsigned char data[0 + 28 * 6];
-} _EC_brainpoolP224r1 = {
-- {
-- NID_X9_62_prime_field, 0, 28, 1
-- },
-- {
-- /* no seed */
+- { NID_X9_62_prime_field, 0, 28, 1 },
+- { /* no seed */
- /* p */
- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25,
- 0x75, 0xD1, 0xD7, 0x87, 0xB0, 0x9F, 0x07, 0x57, 0x97, 0xDA, 0x89, 0xF5,
@@ -852,19 +761,15 @@ index f46aac5d33..8c5ba5b839 100644
- /* order */
- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25,
- 0x75, 0xD0, 0xFB, 0x98, 0xD1, 0x16, 0xBC, 0x4B, 0x6D, 0xDE, 0xBC, 0xA3,
-- 0xA5, 0xA7, 0x93, 0x9F
-- }
+- 0xA5, 0xA7, 0x93, 0x9F }
-};
-
-static const struct {
- EC_CURVE_DATA h;
- unsigned char data[0 + 28 * 6];
-} _EC_brainpoolP224t1 = {
-- {
-- NID_X9_62_prime_field, 0, 28, 1
-- },
-- {
-- /* no seed */
+- { NID_X9_62_prime_field, 0, 28, 1 },
+- { /* no seed */
- /* p */
- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25,
- 0x75, 0xD1, 0xD7, 0x87, 0xB0, 0x9F, 0x07, 0x57, 0x97, 0xDA, 0x89, 0xF5,
@@ -888,209 +793,223 @@ index f46aac5d33..8c5ba5b839 100644
- /* order */
- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25,
- 0x75, 0xD0, 0xFB, 0x98, 0xD1, 0x16, 0xBC, 0x4B, 0x6D, 0xDE, 0xBC, 0xA3,
-- 0xA5, 0xA7, 0x93, 0x9F
-- }
+- 0xA5, 0xA7, 0x93, 0x9F }
-};
-
static const struct {
EC_CURVE_DATA h;
unsigned char data[0 + 32 * 6];
-@@ -2864,8 +2075,6 @@ static const ec_list_element curve_list[] = {
- "NIST/SECG curve over a 521 bit prime field"},
+@@ -2740,8 +2047,6 @@ static const ec_list_element curve_list[] = {
+ "NIST/SECG curve over a 521 bit prime field" },
/* X9.62 curves */
-- {NID_X9_62_prime192v1, &_EC_NIST_PRIME_192.h, 0,
-- "NIST/X9.62/SECG curve over a 192 bit prime field"},
- {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
- # if defined(ECP_NISTZ256_ASM)
- EC_GFp_nistz256_method,
-@@ -2909,25 +2118,6 @@ static const ec_list_element curve_list[] = {
+- { NID_X9_62_prime192v1, &_EC_NIST_PRIME_192.h, 0,
+- "NIST/X9.62/SECG curve over a 192 bit prime field" },
+ { NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
+ #if defined(ECP_NISTZ256_ASM)
+ EC_GFp_nistz256_method,
+@@ -2784,26 +2089,6 @@ static const ec_list_element curve_list[] = {
+
static const ec_list_element curve_list[] = {
/* prime field curves */
- /* secg curves */
-- {NID_secp112r1, &_EC_SECG_PRIME_112R1.h, 0,
-- "SECG/WTLS curve over a 112 bit prime field"},
-- {NID_secp112r2, &_EC_SECG_PRIME_112R2.h, 0,
-- "SECG curve over a 112 bit prime field"},
-- {NID_secp128r1, &_EC_SECG_PRIME_128R1.h, 0,
-- "SECG curve over a 128 bit prime field"},
-- {NID_secp128r2, &_EC_SECG_PRIME_128R2.h, 0,
-- "SECG curve over a 128 bit prime field"},
-- {NID_secp160k1, &_EC_SECG_PRIME_160K1.h, 0,
-- "SECG curve over a 160 bit prime field"},
-- {NID_secp160r1, &_EC_SECG_PRIME_160R1.h, 0,
-- "SECG curve over a 160 bit prime field"},
-- {NID_secp160r2, &_EC_SECG_PRIME_160R2.h, 0,
-- "SECG/WTLS curve over a 160 bit prime field"},
+- /* secg curves */
+- { NID_secp112r1, &_EC_SECG_PRIME_112R1.h, 0,
+- "SECG/WTLS curve over a 112 bit prime field" },
+- { NID_secp112r2, &_EC_SECG_PRIME_112R2.h, 0,
+- "SECG curve over a 112 bit prime field" },
+- { NID_secp128r1, &_EC_SECG_PRIME_128R1.h, 0,
+- "SECG curve over a 128 bit prime field" },
+- { NID_secp128r2, &_EC_SECG_PRIME_128R2.h, 0,
+- "SECG curve over a 128 bit prime field" },
+- { NID_secp160k1, &_EC_SECG_PRIME_160K1.h, 0,
+- "SECG curve over a 160 bit prime field" },
+- { NID_secp160r1, &_EC_SECG_PRIME_160R1.h, 0,
+- "SECG curve over a 160 bit prime field" },
+- { NID_secp160r2, &_EC_SECG_PRIME_160R2.h, 0,
+- "SECG/WTLS curve over a 160 bit prime field" },
- /* SECG secp192r1 is the same as X9.62 prime192v1 and hence omitted */
-- {NID_secp192k1, &_EC_SECG_PRIME_192K1.h, 0,
-- "SECG curve over a 192 bit prime field"},
-- {NID_secp224k1, &_EC_SECG_PRIME_224K1.h, 0,
-- "SECG curve over a 224 bit prime field"},
- # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
- {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
- "NIST/SECG curve over a 224 bit prime field"},
-@@ -2957,18 +2147,6 @@ static const ec_list_element curve_list[] = {
- # endif
- "NIST/SECG curve over a 521 bit prime field"},
+- { NID_secp192k1, &_EC_SECG_PRIME_192K1.h, 0,
+- "SECG curve over a 192 bit prime field" },
+- { NID_secp224k1, &_EC_SECG_PRIME_224K1.h, 0,
+- "SECG curve over a 224 bit prime field" },
+ #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
+ { NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
+ "NIST/SECG curve over a 224 bit prime field" },
+@@ -2833,18 +2118,6 @@ static const ec_list_element curve_list[] = {
+ #endif
+ "NIST/SECG curve over a 521 bit prime field" },
/* X9.62 curves */
-- {NID_X9_62_prime192v1, &_EC_NIST_PRIME_192.h, 0,
-- "NIST/X9.62/SECG curve over a 192 bit prime field"},
-- {NID_X9_62_prime192v2, &_EC_X9_62_PRIME_192V2.h, 0,
-- "X9.62 curve over a 192 bit prime field"},
-- {NID_X9_62_prime192v3, &_EC_X9_62_PRIME_192V3.h, 0,
-- "X9.62 curve over a 192 bit prime field"},
-- {NID_X9_62_prime239v1, &_EC_X9_62_PRIME_239V1.h, 0,
-- "X9.62 curve over a 239 bit prime field"},
-- {NID_X9_62_prime239v2, &_EC_X9_62_PRIME_239V2.h, 0,
-- "X9.62 curve over a 239 bit prime field"},
-- {NID_X9_62_prime239v3, &_EC_X9_62_PRIME_239V3.h, 0,
-- "X9.62 curve over a 239 bit prime field"},
- {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
- # if defined(ECP_NISTZ256_ASM)
- EC_GFp_nistz256_method,
-@@ -3065,22 +2243,12 @@ static const ec_list_element curve_list[] = {
- {NID_wap_wsg_idm_ecid_wtls5, &_EC_X9_62_CHAR2_163V1.h, 0,
- "X9.62 curve over a 163 bit binary field"},
- # endif
-- {NID_wap_wsg_idm_ecid_wtls6, &_EC_SECG_PRIME_112R1.h, 0,
-- "SECG/WTLS curve over a 112 bit prime field"},
-- {NID_wap_wsg_idm_ecid_wtls7, &_EC_SECG_PRIME_160R2.h, 0,
-- "SECG/WTLS curve over a 160 bit prime field"},
-- {NID_wap_wsg_idm_ecid_wtls8, &_EC_WTLS_8.h, 0,
-- "WTLS curve over a 112 bit prime field"},
-- {NID_wap_wsg_idm_ecid_wtls9, &_EC_WTLS_9.h, 0,
-- "WTLS curve over a 160 bit prime field"},
- # ifndef OPENSSL_NO_EC2M
- {NID_wap_wsg_idm_ecid_wtls10, &_EC_NIST_CHAR2_233K.h, 0,
- "NIST/SECG/WTLS curve over a 233 bit binary field"},
- {NID_wap_wsg_idm_ecid_wtls11, &_EC_NIST_CHAR2_233B.h, 0,
- "NIST/SECG/WTLS curve over a 233 bit binary field"},
- # endif
-- {NID_wap_wsg_idm_ecid_wtls12, &_EC_WTLS_12.h, 0,
-- "WTLS curve over a 224 bit prime field"},
- # ifndef OPENSSL_NO_EC2M
+- { NID_X9_62_prime192v1, &_EC_NIST_PRIME_192.h, 0,
+- "NIST/X9.62/SECG curve over a 192 bit prime field" },
+- { NID_X9_62_prime192v2, &_EC_X9_62_PRIME_192V2.h, 0,
+- "X9.62 curve over a 192 bit prime field" },
+- { NID_X9_62_prime192v3, &_EC_X9_62_PRIME_192V3.h, 0,
+- "X9.62 curve over a 192 bit prime field" },
+- { NID_X9_62_prime239v1, &_EC_X9_62_PRIME_239V1.h, 0,
+- "X9.62 curve over a 239 bit prime field" },
+- { NID_X9_62_prime239v2, &_EC_X9_62_PRIME_239V2.h, 0,
+- "X9.62 curve over a 239 bit prime field" },
+- { NID_X9_62_prime239v3, &_EC_X9_62_PRIME_239V3.h, 0,
+- "X9.62 curve over a 239 bit prime field" },
+ { NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
+ #if defined(ECP_NISTZ256_ASM)
+ EC_GFp_nistz256_method,
+@@ -2928,36 +2201,6 @@ static const ec_list_element curve_list[] = {
+ "X9.62 curve over a 368 bit binary field" },
+ { NID_X9_62_c2tnb431r1, &_EC_X9_62_CHAR2_431R1.h, 0,
+ "X9.62 curve over a 431 bit binary field" },
+- /*
+- * the WAP/WTLS curves [unlike SECG, spec has its own OIDs for curves
+- * from X9.62]
+- */
+- { NID_wap_wsg_idm_ecid_wtls1, &_EC_WTLS_1.h, 0,
+- "WTLS curve over a 113 bit binary field" },
+- { NID_wap_wsg_idm_ecid_wtls3, &_EC_NIST_CHAR2_163K.h, 0,
+- "NIST/SECG/WTLS curve over a 163 bit binary field" },
+- { NID_wap_wsg_idm_ecid_wtls4, &_EC_SECG_CHAR2_113R1.h, 0,
+- "SECG curve over a 113 bit binary field" },
+- { NID_wap_wsg_idm_ecid_wtls5, &_EC_X9_62_CHAR2_163V1.h, 0,
+- "X9.62 curve over a 163 bit binary field" },
+-#endif
+- { NID_wap_wsg_idm_ecid_wtls6, &_EC_SECG_PRIME_112R1.h, 0,
+- "SECG/WTLS curve over a 112 bit prime field" },
+- { NID_wap_wsg_idm_ecid_wtls7, &_EC_SECG_PRIME_160R2.h, 0,
+- "SECG/WTLS curve over a 160 bit prime field" },
+- { NID_wap_wsg_idm_ecid_wtls8, &_EC_WTLS_8.h, 0,
+- "WTLS curve over a 112 bit prime field" },
+- { NID_wap_wsg_idm_ecid_wtls9, &_EC_WTLS_9.h, 0,
+- "WTLS curve over a 160 bit prime field" },
+-#ifndef OPENSSL_NO_EC2M
+- { NID_wap_wsg_idm_ecid_wtls10, &_EC_NIST_CHAR2_233K.h, 0,
+- "NIST/SECG/WTLS curve over a 233 bit binary field" },
+- { NID_wap_wsg_idm_ecid_wtls11, &_EC_NIST_CHAR2_233B.h, 0,
+- "NIST/SECG/WTLS curve over a 233 bit binary field" },
+-#endif
+- { NID_wap_wsg_idm_ecid_wtls12, &_EC_WTLS_12.h, 0,
+- "WTLS curve over a 224 bit prime field" },
+-#ifndef OPENSSL_NO_EC2M
/* IPSec curves */
- {NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0,
-@@ -3091,18 +2259,6 @@ static const ec_list_element curve_list[] = {
- "\tNot suitable for ECDSA.\n\tQuestionable extension field!"},
- # endif
+ { NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0,
+ "\n\tIPSec/IKE/Oakley curve #3 over a 155 bit binary field.\n"
+@@ -2967,18 +2210,6 @@ static const ec_list_element curve_list[] = {
+ "\tNot suitable for ECDSA.\n\tQuestionable extension field!" },
+ #endif
/* brainpool curves */
-- {NID_brainpoolP160r1, &_EC_brainpoolP160r1.h, 0,
-- "RFC 5639 curve over a 160 bit prime field"},
-- {NID_brainpoolP160t1, &_EC_brainpoolP160t1.h, 0,
-- "RFC 5639 curve over a 160 bit prime field"},
-- {NID_brainpoolP192r1, &_EC_brainpoolP192r1.h, 0,
-- "RFC 5639 curve over a 192 bit prime field"},
-- {NID_brainpoolP192t1, &_EC_brainpoolP192t1.h, 0,
-- "RFC 5639 curve over a 192 bit prime field"},
-- {NID_brainpoolP224r1, &_EC_brainpoolP224r1.h, 0,
-- "RFC 5639 curve over a 224 bit prime field"},
-- {NID_brainpoolP224t1, &_EC_brainpoolP224t1.h, 0,
-- "RFC 5639 curve over a 224 bit prime field"},
- {NID_brainpoolP256r1, &_EC_brainpoolP256r1.h, 0,
- "RFC 5639 curve over a 256 bit prime field"},
- {NID_brainpoolP256t1, &_EC_brainpoolP256t1.h, 0,
+- { NID_brainpoolP160r1, &_EC_brainpoolP160r1.h, 0,
+- "RFC 5639 curve over a 160 bit prime field" },
+- { NID_brainpoolP160t1, &_EC_brainpoolP160t1.h, 0,
+- "RFC 5639 curve over a 160 bit prime field" },
+- { NID_brainpoolP192r1, &_EC_brainpoolP192r1.h, 0,
+- "RFC 5639 curve over a 192 bit prime field" },
+- { NID_brainpoolP192t1, &_EC_brainpoolP192t1.h, 0,
+- "RFC 5639 curve over a 192 bit prime field" },
+- { NID_brainpoolP224r1, &_EC_brainpoolP224r1.h, 0,
+- "RFC 5639 curve over a 224 bit prime field" },
+- { NID_brainpoolP224t1, &_EC_brainpoolP224t1.h, 0,
+- "RFC 5639 curve over a 224 bit prime field" },
+ { NID_brainpoolP256r1, &_EC_brainpoolP256r1.h, 0,
+ "RFC 5639 curve over a 256 bit prime field" },
+ { NID_brainpoolP256t1, &_EC_brainpoolP256t1.h, 0,
diff --git a/crypto/evp/ec_support.c b/crypto/evp/ec_support.c
-index 1ec10143d2..82b95294b4 100644
+index 20883c48f1..9715c6280d 100644
--- a/crypto/evp/ec_support.c
+++ b/crypto/evp/ec_support.c
@@ -20,89 +20,15 @@ typedef struct ec_name2nid_st {
static const EC_NAME2NID curve_list[] = {
/* prime field curves */
/* secg curves */
-- {"secp112r1", NID_secp112r1 },
-- {"secp112r2", NID_secp112r2 },
-- {"secp128r1", NID_secp128r1 },
-- {"secp128r2", NID_secp128r2 },
-- {"secp160k1", NID_secp160k1 },
-- {"secp160r1", NID_secp160r1 },
-- {"secp160r2", NID_secp160r2 },
-- {"secp192k1", NID_secp192k1 },
-- {"secp224k1", NID_secp224k1 },
- {"secp224r1", NID_secp224r1 },
- {"secp256k1", NID_secp256k1 },
- {"secp384r1", NID_secp384r1 },
- {"secp521r1", NID_secp521r1 },
+- { "secp112r1", NID_secp112r1 },
+- { "secp112r2", NID_secp112r2 },
+- { "secp128r1", NID_secp128r1 },
+- { "secp128r2", NID_secp128r2 },
+- { "secp160k1", NID_secp160k1 },
+- { "secp160r1", NID_secp160r1 },
+- { "secp160r2", NID_secp160r2 },
+- { "secp192k1", NID_secp192k1 },
+- { "secp224k1", NID_secp224k1 },
+ { "secp224r1", NID_secp224r1 },
+ { "secp256k1", NID_secp256k1 },
+ { "secp384r1", NID_secp384r1 },
+ { "secp521r1", NID_secp521r1 },
/* X9.62 curves */
-- {"prime192v1", NID_X9_62_prime192v1 },
-- {"prime192v2", NID_X9_62_prime192v2 },
-- {"prime192v3", NID_X9_62_prime192v3 },
-- {"prime239v1", NID_X9_62_prime239v1 },
-- {"prime239v2", NID_X9_62_prime239v2 },
-- {"prime239v3", NID_X9_62_prime239v3 },
- {"prime256v1", NID_X9_62_prime256v1 },
+- { "prime192v1", NID_X9_62_prime192v1 },
+- { "prime192v2", NID_X9_62_prime192v2 },
+- { "prime192v3", NID_X9_62_prime192v3 },
+- { "prime239v1", NID_X9_62_prime239v1 },
+- { "prime239v2", NID_X9_62_prime239v2 },
+- { "prime239v3", NID_X9_62_prime239v3 },
+ { "prime256v1", NID_X9_62_prime256v1 },
/* characteristic two field curves */
/* NIST/SECG curves */
-- {"sect113r1", NID_sect113r1 },
-- {"sect113r2", NID_sect113r2 },
-- {"sect131r1", NID_sect131r1 },
-- {"sect131r2", NID_sect131r2 },
-- {"sect163k1", NID_sect163k1 },
-- {"sect163r1", NID_sect163r1 },
-- {"sect163r2", NID_sect163r2 },
-- {"sect193r1", NID_sect193r1 },
-- {"sect193r2", NID_sect193r2 },
-- {"sect233k1", NID_sect233k1 },
-- {"sect233r1", NID_sect233r1 },
-- {"sect239k1", NID_sect239k1 },
-- {"sect283k1", NID_sect283k1 },
-- {"sect283r1", NID_sect283r1 },
-- {"sect409k1", NID_sect409k1 },
-- {"sect409r1", NID_sect409r1 },
-- {"sect571k1", NID_sect571k1 },
-- {"sect571r1", NID_sect571r1 },
+- { "sect113r1", NID_sect113r1 },
+- { "sect113r2", NID_sect113r2 },
+- { "sect131r1", NID_sect131r1 },
+- { "sect131r2", NID_sect131r2 },
+- { "sect163k1", NID_sect163k1 },
+- { "sect163r1", NID_sect163r1 },
+- { "sect163r2", NID_sect163r2 },
+- { "sect193r1", NID_sect193r1 },
+- { "sect193r2", NID_sect193r2 },
+- { "sect233k1", NID_sect233k1 },
+- { "sect233r1", NID_sect233r1 },
+- { "sect239k1", NID_sect239k1 },
+- { "sect283k1", NID_sect283k1 },
+- { "sect283r1", NID_sect283r1 },
+- { "sect409k1", NID_sect409k1 },
+- { "sect409r1", NID_sect409r1 },
+- { "sect571k1", NID_sect571k1 },
+- { "sect571r1", NID_sect571r1 },
- /* X9.62 curves */
-- {"c2pnb163v1", NID_X9_62_c2pnb163v1 },
-- {"c2pnb163v2", NID_X9_62_c2pnb163v2 },
-- {"c2pnb163v3", NID_X9_62_c2pnb163v3 },
-- {"c2pnb176v1", NID_X9_62_c2pnb176v1 },
-- {"c2tnb191v1", NID_X9_62_c2tnb191v1 },
-- {"c2tnb191v2", NID_X9_62_c2tnb191v2 },
-- {"c2tnb191v3", NID_X9_62_c2tnb191v3 },
-- {"c2pnb208w1", NID_X9_62_c2pnb208w1 },
-- {"c2tnb239v1", NID_X9_62_c2tnb239v1 },
-- {"c2tnb239v2", NID_X9_62_c2tnb239v2 },
-- {"c2tnb239v3", NID_X9_62_c2tnb239v3 },
-- {"c2pnb272w1", NID_X9_62_c2pnb272w1 },
-- {"c2pnb304w1", NID_X9_62_c2pnb304w1 },
-- {"c2tnb359v1", NID_X9_62_c2tnb359v1 },
-- {"c2pnb368w1", NID_X9_62_c2pnb368w1 },
-- {"c2tnb431r1", NID_X9_62_c2tnb431r1 },
+- { "c2pnb163v1", NID_X9_62_c2pnb163v1 },
+- { "c2pnb163v2", NID_X9_62_c2pnb163v2 },
+- { "c2pnb163v3", NID_X9_62_c2pnb163v3 },
+- { "c2pnb176v1", NID_X9_62_c2pnb176v1 },
+- { "c2tnb191v1", NID_X9_62_c2tnb191v1 },
+- { "c2tnb191v2", NID_X9_62_c2tnb191v2 },
+- { "c2tnb191v3", NID_X9_62_c2tnb191v3 },
+- { "c2pnb208w1", NID_X9_62_c2pnb208w1 },
+- { "c2tnb239v1", NID_X9_62_c2tnb239v1 },
+- { "c2tnb239v2", NID_X9_62_c2tnb239v2 },
+- { "c2tnb239v3", NID_X9_62_c2tnb239v3 },
+- { "c2pnb272w1", NID_X9_62_c2pnb272w1 },
+- { "c2pnb304w1", NID_X9_62_c2pnb304w1 },
+- { "c2tnb359v1", NID_X9_62_c2tnb359v1 },
+- { "c2pnb368w1", NID_X9_62_c2pnb368w1 },
+- { "c2tnb431r1", NID_X9_62_c2tnb431r1 },
- /*
- * the WAP/WTLS curves [unlike SECG, spec has its own OIDs for curves
- * from X9.62]
- */
-- {"wap-wsg-idm-ecid-wtls1", NID_wap_wsg_idm_ecid_wtls1 },
-- {"wap-wsg-idm-ecid-wtls3", NID_wap_wsg_idm_ecid_wtls3 },
-- {"wap-wsg-idm-ecid-wtls4", NID_wap_wsg_idm_ecid_wtls4 },
-- {"wap-wsg-idm-ecid-wtls5", NID_wap_wsg_idm_ecid_wtls5 },
-- {"wap-wsg-idm-ecid-wtls6", NID_wap_wsg_idm_ecid_wtls6 },
-- {"wap-wsg-idm-ecid-wtls7", NID_wap_wsg_idm_ecid_wtls7 },
-- {"wap-wsg-idm-ecid-wtls8", NID_wap_wsg_idm_ecid_wtls8 },
-- {"wap-wsg-idm-ecid-wtls9", NID_wap_wsg_idm_ecid_wtls9 },
-- {"wap-wsg-idm-ecid-wtls10", NID_wap_wsg_idm_ecid_wtls10 },
-- {"wap-wsg-idm-ecid-wtls11", NID_wap_wsg_idm_ecid_wtls11 },
-- {"wap-wsg-idm-ecid-wtls12", NID_wap_wsg_idm_ecid_wtls12 },
+- { "wap-wsg-idm-ecid-wtls1", NID_wap_wsg_idm_ecid_wtls1 },
+- { "wap-wsg-idm-ecid-wtls3", NID_wap_wsg_idm_ecid_wtls3 },
+- { "wap-wsg-idm-ecid-wtls4", NID_wap_wsg_idm_ecid_wtls4 },
+- { "wap-wsg-idm-ecid-wtls5", NID_wap_wsg_idm_ecid_wtls5 },
+- { "wap-wsg-idm-ecid-wtls6", NID_wap_wsg_idm_ecid_wtls6 },
+- { "wap-wsg-idm-ecid-wtls7", NID_wap_wsg_idm_ecid_wtls7 },
+- { "wap-wsg-idm-ecid-wtls8", NID_wap_wsg_idm_ecid_wtls8 },
+- { "wap-wsg-idm-ecid-wtls9", NID_wap_wsg_idm_ecid_wtls9 },
+- { "wap-wsg-idm-ecid-wtls10", NID_wap_wsg_idm_ecid_wtls10 },
+- { "wap-wsg-idm-ecid-wtls11", NID_wap_wsg_idm_ecid_wtls11 },
+- { "wap-wsg-idm-ecid-wtls12", NID_wap_wsg_idm_ecid_wtls12 },
- /* IPSec curves */
-- {"Oakley-EC2N-3", NID_ipsec3 },
-- {"Oakley-EC2N-4", NID_ipsec4 },
+- { "Oakley-EC2N-3", NID_ipsec3 },
+- { "Oakley-EC2N-4", NID_ipsec4 },
/* brainpool curves */
-- {"brainpoolP160r1", NID_brainpoolP160r1 },
-- {"brainpoolP160t1", NID_brainpoolP160t1 },
-- {"brainpoolP192r1", NID_brainpoolP192r1 },
-- {"brainpoolP192t1", NID_brainpoolP192t1 },
-- {"brainpoolP224r1", NID_brainpoolP224r1 },
-- {"brainpoolP224t1", NID_brainpoolP224t1 },
- {"brainpoolP256r1", NID_brainpoolP256r1 },
- {"brainpoolP256t1", NID_brainpoolP256t1 },
- {"brainpoolP320r1", NID_brainpoolP320r1 },
+- { "brainpoolP160r1", NID_brainpoolP160r1 },
+- { "brainpoolP160t1", NID_brainpoolP160t1 },
+- { "brainpoolP192r1", NID_brainpoolP192r1 },
+- { "brainpoolP192t1", NID_brainpoolP192t1 },
+- { "brainpoolP224r1", NID_brainpoolP224r1 },
+- { "brainpoolP224t1", NID_brainpoolP224t1 },
+ { "brainpoolP256r1", NID_brainpoolP256r1 },
+ { "brainpoolP256t1", NID_brainpoolP256t1 },
+ { "brainpoolP320r1", NID_brainpoolP320r1 },
@@ -111,8 +37,6 @@ static const EC_NAME2NID curve_list[] = {
- {"brainpoolP384t1", NID_brainpoolP384t1 },
- {"brainpoolP512r1", NID_brainpoolP512r1 },
- {"brainpoolP512t1", NID_brainpoolP512t1 },
+ { "brainpoolP384t1", NID_brainpoolP384t1 },
+ { "brainpoolP512r1", NID_brainpoolP512r1 },
+ { "brainpoolP512t1", NID_brainpoolP512t1 },
- /* SM2 curve */
-- {"SM2", NID_sm2 },
+- { "SM2", NID_sm2 },
};
const char *OSSL_EC_curve_nid2name(int nid)
@@ -1098,20 +1017,20 @@ index 1ec10143d2..82b95294b4 100644
/* Functions to translate between common NIST curve names and NIDs */
static const EC_NAME2NID nist_curves[] = {
-- {"B-163", NID_sect163r2},
-- {"B-233", NID_sect233r1},
-- {"B-283", NID_sect283r1},
-- {"B-409", NID_sect409r1},
-- {"B-571", NID_sect571r1},
-- {"K-163", NID_sect163k1},
-- {"K-233", NID_sect233k1},
-- {"K-283", NID_sect283k1},
-- {"K-409", NID_sect409k1},
-- {"K-571", NID_sect571k1},
-- {"P-192", NID_X9_62_prime192v1},
- {"P-224", NID_secp224r1},
- {"P-256", NID_X9_62_prime256v1},
- {"P-384", NID_secp384r1},
+- { "B-163", NID_sect163r2 },
+- { "B-233", NID_sect233r1 },
+- { "B-283", NID_sect283r1 },
+- { "B-409", NID_sect409r1 },
+- { "B-571", NID_sect571r1 },
+- { "K-163", NID_sect163k1 },
+- { "K-233", NID_sect233k1 },
+- { "K-283", NID_sect283k1 },
+- { "K-409", NID_sect409k1 },
+- { "K-571", NID_sect571k1 },
+- { "P-192", NID_X9_62_prime192v1 },
+ { "P-224", NID_secp224r1 },
+ { "P-256", NID_X9_62_prime256v1 },
+ { "P-384", NID_secp384r1 },
diff --git a/test/acvp_test.inc b/test/acvp_test.inc
index 67787f3740..97ec1ff3e5 100644
--- a/test/acvp_test.inc
@@ -1133,7 +1052,7 @@ index 67787f3740..97ec1ff3e5 100644
"SHA2-512",
"P-521",
diff --git a/test/ecdsatest.h b/test/ecdsatest.h
-index 63fe319025..06b5c0aac5 100644
+index 700d7b5253..6aa4faa461 100644
--- a/test/ecdsatest.h
+++ b/test/ecdsatest.h
@@ -32,23 +32,6 @@ typedef struct {
@@ -1141,30 +1060,30 @@ index 63fe319025..06b5c0aac5 100644
static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = {
- /* prime KATs from X9.62 */
-- {NID_X9_62_prime192v1, NID_sha1,
-- "616263", /* "abc" */
-- "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb",
-- "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e"
-- "5ca5c0d69716dfcb3474373902",
-- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e",
-- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead",
-- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"},
-- {NID_X9_62_prime239v1, NID_sha1,
-- "616263", /* "abc" */
-- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d",
-- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e"
-- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee",
-- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af",
-- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0",
-- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"},
+- { NID_X9_62_prime192v1, NID_sha1,
+- "616263", /* "abc" */
+- "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb",
+- "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e"
+- "5ca5c0d69716dfcb3474373902",
+- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e",
+- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead",
+- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686" },
+- { NID_X9_62_prime239v1, NID_sha1,
+- "616263", /* "abc" */
+- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d",
+- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e"
+- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee",
+- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af",
+- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0",
+- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf" },
/* prime KATs from NIST CAVP */
- {NID_secp224r1, NID_sha224,
- "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
+ { NID_secp224r1, NID_sha224,
+ "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
diff --git a/test/ectest.c b/test/ectest.c
-index e1cb59d58d..b852381924 100644
+index 0233f870b6..f243f6fb3c 100644
--- a/test/ectest.c
+++ b/test/ectest.c
-@@ -175,184 +175,26 @@ static int prime_field_tests(void)
+@@ -174,183 +174,26 @@ static int prime_field_tests(void)
|| !TEST_ptr(p = BN_new())
|| !TEST_ptr(a = BN_new())
|| !TEST_ptr(b = BN_new())
@@ -1222,7 +1141,7 @@ index e1cb59d58d..b852381924 100644
- TEST_note(" point at infinity");
- } else {
- if (!TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y,
-- ctx)))
+- ctx)))
- goto err;
-
- test_output_bignum("x", x);
@@ -1239,64 +1158,63 @@ index e1cb59d58d..b852381924 100644
- || !TEST_true(EC_POINT_is_at_infinity(group, P)))
- goto err;
-
-- len =
-- EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED, buf,
-- sizeof(buf), ctx);
+- len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED, buf,
+- sizeof(buf), ctx);
- if (!TEST_size_t_ne(len, 0)
- || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
- || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
- goto err;
- test_output_memory("Generator as octet string, compressed form:",
-- buf, len);
+- buf, len);
-
- len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED,
-- buf, sizeof(buf), ctx);
+- buf, sizeof(buf), ctx);
- if (!TEST_size_t_ne(len, 0)
- || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
- || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
- goto err;
- test_output_memory("Generator as octet string, uncompressed form:",
-- buf, len);
+- buf, len);
-
- len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID,
-- buf, sizeof(buf), ctx);
+- buf, sizeof(buf), ctx);
- if (!TEST_size_t_ne(len, 0)
- || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
- || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
- goto err;
- test_output_memory("Generator as octet string, hybrid form:",
-- buf, len);
+- buf, len);
-
- if (!TEST_true(EC_POINT_invert(group, P, ctx))
- || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx))
-
-- /*
-- * Curve secp160r1 (Certicom Research SEC 2 Version 1.0, section 2.4.2,
-- * 2000) -- not a NIST curve, but commonly used
-- */
+- /*
+- * Curve secp160r1 (Certicom Research SEC 2 Version 1.0, section 2.4.2,
+- * 2000) -- not a NIST curve, but commonly used
+- */
-
-- || !TEST_true(BN_hex2bn(&p, "FFFFFFFF"
+- || !TEST_true(BN_hex2bn(&p, "FFFFFFFF"
- "FFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF"))
- || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
-- || !TEST_true(BN_hex2bn(&a, "FFFFFFFF"
+- || !TEST_true(BN_hex2bn(&a, "FFFFFFFF"
- "FFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC"))
-- || !TEST_true(BN_hex2bn(&b, "1C97BEFC"
+- || !TEST_true(BN_hex2bn(&b, "1C97BEFC"
- "54BD7A8B65ACF89F81D4D4ADC565FA45"))
- || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
-- || !TEST_true(BN_hex2bn(&x, "4A96B568"
+- || !TEST_true(BN_hex2bn(&x, "4A96B568"
- "8EF573284664698968C38BB913CBFC82"))
-- || !TEST_true(BN_hex2bn(&y, "23a62855"
+- || !TEST_true(BN_hex2bn(&y, "23a62855"
- "3168947d59dcc912042351377ac5fb32"))
- || !TEST_true(BN_add(yplusone, y, BN_value_one()))
-- /*
-- * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
-- * and therefore setting the coordinates should fail.
-- */
+- /*
+- * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
+- * and therefore setting the coordinates should fail.
+- */
- || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
-- ctx))
+- ctx))
- || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx))
- || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
-- || !TEST_true(BN_hex2bn(&z, "0100000000"
+- || !TEST_true(BN_hex2bn(&z, "0100000000"
- "000000000001F4C8F927AED3CA752257"))
- || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
- || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
@@ -1305,27 +1223,27 @@ index e1cb59d58d..b852381924 100644
- test_output_bignum("x", x);
- test_output_bignum("y", y);
- /* G_y value taken from the standard: */
-- if (!TEST_true(BN_hex2bn(&z, "23a62855"
+- if (!TEST_true(BN_hex2bn(&z, "23a62855"
- "3168947d59dcc912042351377ac5fb32"))
- || !TEST_BN_eq(y, z)
- || !TEST_int_eq(EC_GROUP_get_degree(group), 160)
- || !group_order_tests(group)
-
-- /* Curve P-192 (FIPS PUB 186-2, App. 6) */
+- /* Curve P-192 (FIPS PUB 186-2, App. 6) */
-
-- || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFF"
+- || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFF"
- "FFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF"))
- || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
-- || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFF"
+- || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFF"
- "FFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC"))
-- || !TEST_true(BN_hex2bn(&b, "64210519E59C80E7"
+- || !TEST_true(BN_hex2bn(&b, "64210519E59C80E7"
- "0FA7E9AB72243049FEB8DEECC146B9B1"))
- || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
-- || !TEST_true(BN_hex2bn(&x, "188DA80EB03090F6"
+- || !TEST_true(BN_hex2bn(&x, "188DA80EB03090F6"
- "7CBF20EB43A18800F4FF0AFD82FF1012"))
- || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx))
- || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
-- || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFF"
+- || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFF"
- "FFFFFFFF99DEF836146BC9B1B4D22831"))
- || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
- || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
@@ -1336,27 +1254,28 @@ index e1cb59d58d..b852381924 100644
- test_output_bignum("x", x);
- test_output_bignum("y", y);
- /* G_y value taken from the standard: */
-- if (!TEST_true(BN_hex2bn(&z, "07192B95FFC8DA78"
+- if (!TEST_true(BN_hex2bn(&z, "07192B95FFC8DA78"
- "631011ED6B24CDD573F977A11E794811"))
- || !TEST_BN_eq(y, z)
- || !TEST_true(BN_add(yplusone, y, BN_value_one()))
-- /*
-- * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
-- * and therefore setting the coordinates should fail.
-- */
+- /*
+- * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
+- * and therefore setting the coordinates should fail.
+- */
- || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
-- ctx))
+- ctx))
- || !TEST_int_eq(EC_GROUP_get_degree(group), 192)
- || !group_order_tests(group)
-
- /* Curve P-224 (FIPS PUB 186-2, App. 6) */
+- /* Curve P-224 (FIPS PUB 186-2, App. 6) */
++ /* Curve P-224 (FIPS PUB 186-2, App. 6) */
-- || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFF"
-+ if (!TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFF"
+- || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFF"
++ if (!TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFF000000000000000000000001"))
|| !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
- || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF"
-@@ -3130,7 +2972,7 @@ int setup_tests(void)
+ || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF"
+@@ -3522,7 +3365,7 @@ int setup_tests(void)
ADD_TEST(parameter_test);
ADD_TEST(ossl_parameter_test);
@@ -1425,5 +1344,5 @@ index e6a2c9eb59..861c01e177 100644
Ctrl = key-check:0
+Result = KEYGEN_GENERATE_ERROR
--
-2.51.0
+2.52.0
diff --git a/0010-RH-Disable-explicit-ec-curves.patch b/0010-RH-Disable-explicit-ec-curves.patch
index 21ce41f..29acf36 100644
--- a/0010-RH-Disable-explicit-ec-curves.patch
+++ b/0010-RH-Disable-explicit-ec-curves.patch
@@ -1,7 +1,7 @@
-From fdbbe15e433da8556076b84e7612ce5f53f3fa49 Mon Sep 17 00:00:00 2001
+From a925f827ebbd25236c7449e179cfcd716af60379 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 10/59] RH: Disable explicit ec curves
+Subject: [PATCH 10/57] RH: Disable explicit ec curves
Patch-name: 0012-Disable-explicit-ec.patch
Patch-id: 12
@@ -10,18 +10,18 @@ Patch-status: |
# # https://bugzilla.redhat.com/show_bug.cgi?id=2066412
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
- crypto/ec/ec_asn1.c | 11 ++++++++++
- crypto/ec/ec_lib.c | 8 ++++++-
- test/ectest.c | 22 ++++++++++---------
- test/endecode_test.c | 20 ++++++++---------
- .../30-test_evp_data/evppkey_ecdsa.txt | 12 ----------
- 5 files changed, 40 insertions(+), 33 deletions(-)
+ crypto/ec/ec_asn1.c | 11 +++++++
+ crypto/ec/ec_lib.c | 8 ++++-
+ test/ectest.c | 22 +++++++-------
+ test/endecode_test.c | 30 +++++++++----------
+ .../30-test_evp_data/evppkey_ecdsa.txt | 12 --------
+ 5 files changed, 45 insertions(+), 38 deletions(-)
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
-index 643d2d8d7b..5895606176 100644
+index bfd0242c6f..bb462121b5 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
-@@ -901,6 +901,12 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len)
+@@ -889,6 +889,12 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len)
if (params->type == ECPKPARAMETERS_TYPE_EXPLICIT)
group->decoded_from_explicit_params = 1;
@@ -34,7 +34,7 @@ index 643d2d8d7b..5895606176 100644
if (a) {
EC_GROUP_free(*a);
*a = group;
-@@ -960,6 +966,11 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
+@@ -948,6 +954,11 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
goto err;
}
@@ -47,10 +47,10 @@ index 643d2d8d7b..5895606176 100644
if (priv_key->privateKey) {
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
-index b55677fb1f..1df40018ac 100644
+index 13dcd29b11..de21cb2f10 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
-@@ -1554,7 +1554,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
+@@ -1551,7 +1551,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
int is_prime_field = 1;
BN_CTX *bnctx = NULL;
const unsigned char *buf = NULL;
@@ -59,7 +59,7 @@ index b55677fb1f..1df40018ac 100644
#endif
/* This is the simple named group case */
-@@ -1728,6 +1728,11 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
+@@ -1726,6 +1726,11 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
goto err;
}
if (named_group == group) {
@@ -71,7 +71,7 @@ index b55677fb1f..1df40018ac 100644
/*
* If we did not find a named group then the encoding should be explicit
* if it was specified
-@@ -1743,6 +1748,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
+@@ -1741,6 +1746,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
goto err;
}
EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);
@@ -80,16 +80,17 @@ index b55677fb1f..1df40018ac 100644
EC_GROUP_free(group);
group = named_group;
diff --git a/test/ectest.c b/test/ectest.c
-index b852381924..6eac5de4fa 100644
+index f243f6fb3c..d8246524f3 100644
--- a/test/ectest.c
+++ b/test/ectest.c
-@@ -2413,10 +2413,11 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
+@@ -2791,11 +2791,12 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
|| !TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL))
|| !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0)
- || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkeyparam,
+ || !TEST_int_le(EVP_PKEY_fromdata(pctx, &pkeyparam,
- EVP_PKEY_KEY_PARAMETERS, params), 0))
+ EVP_PKEY_KEY_PARAMETERS, params),
+ 0))
goto err;
-
+/* As creating the key should fail, the rest of the test is pointless */
@@ -97,54 +98,54 @@ index b852381924..6eac5de4fa 100644
/*- Check that all the set values are retrievable -*/
/* There should be no match to a group name since the generator changed */
-@@ -2545,6 +2546,7 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
+@@ -2924,6 +2925,7 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx,
#endif
- )
+ )
goto err;
+#endif
ret = 1;
err:
BN_free(order_out);
-@@ -2826,21 +2828,21 @@ static int custom_params_test(int id)
+@@ -3217,21 +3219,21 @@ static int custom_params_test(int id)
/* Compute keyexchange in both directions */
if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL))
-- || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1)
-- || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
-+ || !TEST_int_le(EVP_PKEY_derive_init(pctx1), 0)
-+/* || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
- || !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &sslen), 1)
- || !TEST_int_gt(bsize, sslen)
-- || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1))
-+ || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1)*/)
+- || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1)
+- || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
++ || !TEST_int_le(EVP_PKEY_derive_init(pctx1), 0)
++/* || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
+ || !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &sslen), 1)
+ || !TEST_int_gt(bsize, sslen)
+- || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1))
++ || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1)*/)
goto err;
if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new(pkey2, NULL))
-- || !TEST_int_eq(EVP_PKEY_derive_init(pctx2), 1)
-- || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)
-+ || !TEST_int_le(EVP_PKEY_derive_init(pctx2), 1)
-+/* || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)
- || !TEST_int_eq(EVP_PKEY_derive(pctx2, NULL, &t), 1)
- || !TEST_int_gt(bsize, t)
- || !TEST_int_le(sslen, t)
-- || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1))
-+ || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1) */)
+- || !TEST_int_eq(EVP_PKEY_derive_init(pctx2), 1)
+- || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)
++ || !TEST_int_le(EVP_PKEY_derive_init(pctx2), 1)
++/* || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)
+ || !TEST_int_eq(EVP_PKEY_derive(pctx2, NULL, &t), 1)
+ || !TEST_int_gt(bsize, t)
+ || !TEST_int_le(sslen, t)
+- || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1))
++ || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1) */)
goto err;
-
+#if 0
/* Both sides should expect the same shared secret */
if (!TEST_mem_eq(buf1, sslen, buf2, t))
goto err;
-@@ -2893,7 +2895,7 @@ static int custom_params_test(int id)
- /* compare with previous result */
- || !TEST_mem_eq(buf1, t, buf2, sslen))
+@@ -3286,7 +3288,7 @@ static int custom_params_test(int id)
+ /* compare with previous result */
+ || !TEST_mem_eq(buf1, t, buf2, sslen))
goto err;
-
+#endif
ret = 1;
- err:
+ err:
diff --git a/test/endecode_test.c b/test/endecode_test.c
-index 028deb4ed1..85c84f6592 100644
+index 3f8ed7f392..c3b55af3e7 100644
--- a/test/endecode_test.c
+++ b/test/endecode_test.c
@@ -63,7 +63,7 @@ static BN_CTX *bnctx = NULL;
@@ -154,51 +155,59 @@ index 028deb4ed1..85c84f6592 100644
-static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL;
+/*static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL;*/
- # ifndef OPENSSL_NO_EC2M
+ #ifndef OPENSSL_NO_EC2M
static OSSL_PARAM_BLD *bld_tri_nc = NULL;
-@@ -1027,9 +1027,9 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC")
+@@ -1013,10 +1013,10 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC")
DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC", 1)
IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve, "EC")
-DOMAIN_KEYS(ECExplicitPrime2G);
-IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)
-IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")
+-#ifndef OPENSSL_NO_EC2M
+/*DOMAIN_KEYS(ECExplicitPrime2G);*/
+/*IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)*/
+/*IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")*/
- # ifndef OPENSSL_NO_EC2M
++# ifndef OPENSSL_NO_EC2M
DOMAIN_KEYS(ECExplicitTriNamedCurve);
IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC", 1)
-@@ -1445,7 +1445,7 @@ int setup_tests(void)
+ IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve, "EC")
+@@ -1458,8 +1458,8 @@ int setup_tests(void)
|| !create_ec_explicit_prime_params_namedcurve(bld_prime_nc)
|| !create_ec_explicit_prime_params(bld_prime)
|| !TEST_ptr(ec_explicit_prime_params_nc = OSSL_PARAM_BLD_to_param(bld_prime_nc))
- || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))
-+/* || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))*/
- # ifndef OPENSSL_NO_EC2M
+-#ifndef OPENSSL_NO_EC2M
++/* || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))*/
++# ifndef OPENSSL_NO_EC2M
|| !TEST_ptr(bld_tri_nc = OSSL_PARAM_BLD_new())
|| !TEST_ptr(bld_tri = OSSL_PARAM_BLD_new())
-@@ -1473,7 +1473,7 @@ int setup_tests(void)
+ || !create_ec_explicit_trinomial_params_namedcurve(bld_tri_nc)
+@@ -1486,8 +1486,8 @@ int setup_tests(void)
TEST_info("Generating EC keys...");
MAKE_DOMAIN_KEYS(EC, "EC", EC_params);
MAKE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve, "EC", ec_explicit_prime_params_nc);
- MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);
-+/* MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);*/
- # ifndef OPENSSL_NO_EC2M
+-#ifndef OPENSSL_NO_EC2M
++/* MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);*/
++# ifndef OPENSSL_NO_EC2M
MAKE_DOMAIN_KEYS(ECExplicitTriNamedCurve, "EC", ec_explicit_tri_params_nc);
MAKE_DOMAIN_KEYS(ECExplicitTri2G, "EC", ec_explicit_tri_params_explicit);
-@@ -1553,8 +1553,8 @@ int setup_tests(void)
+ #endif
+@@ -1566,9 +1566,9 @@ int setup_tests(void)
ADD_TEST_SUITE_LEGACY(EC);
ADD_TEST_SUITE(ECExplicitPrimeNamedCurve);
ADD_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve);
- ADD_TEST_SUITE(ECExplicitPrime2G);
- ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);
-+/* ADD_TEST_SUITE(ECExplicitPrime2G);*/
-+/* ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);*/
- # ifndef OPENSSL_NO_EC2M
+-#ifndef OPENSSL_NO_EC2M
++/* ADD_TEST_SUITE(ECExplicitPrime2G);*/
++/* ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);*/
++# ifndef OPENSSL_NO_EC2M
ADD_TEST_SUITE(ECExplicitTriNamedCurve);
ADD_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve);
-@@ -1631,7 +1631,7 @@ void cleanup_tests(void)
+ ADD_TEST_SUITE(ECExplicitTri2G);
+@@ -1644,7 +1644,7 @@ void cleanup_tests(void)
{
#ifndef OPENSSL_NO_EC
OSSL_PARAM_free(ec_explicit_prime_params_nc);
@@ -206,16 +215,18 @@ index 028deb4ed1..85c84f6592 100644
+/* OSSL_PARAM_free(ec_explicit_prime_params_explicit);*/
OSSL_PARAM_BLD_free(bld_prime_nc);
OSSL_PARAM_BLD_free(bld_prime);
- # ifndef OPENSSL_NO_EC2M
-@@ -1653,7 +1653,7 @@ void cleanup_tests(void)
+ #ifndef OPENSSL_NO_EC2M
+@@ -1666,8 +1666,8 @@ void cleanup_tests(void)
#ifndef OPENSSL_NO_EC
FREE_DOMAIN_KEYS(EC);
FREE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve);
- FREE_DOMAIN_KEYS(ECExplicitPrime2G);
-+/* FREE_DOMAIN_KEYS(ECExplicitPrime2G);*/
- # ifndef OPENSSL_NO_EC2M
+-#ifndef OPENSSL_NO_EC2M
++/* FREE_DOMAIN_KEYS(ECExplicitPrime2G);*/
++# ifndef OPENSSL_NO_EC2M
FREE_DOMAIN_KEYS(ECExplicitTriNamedCurve);
FREE_DOMAIN_KEYS(ECExplicitTri2G);
+ #endif
diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
index 07dc4b4298..4c47fa68c2 100644
--- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
@@ -240,5 +251,5 @@ index 07dc4b4298..4c47fa68c2 100644
-----BEGIN PRIVATE KEY-----
MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K
--
-2.51.0
+2.52.0
diff --git a/0011-RH-skipped-tests-EC-curves.patch b/0011-RH-skipped-tests-EC-curves.patch
index b3547c8..5d2d1b5 100644
--- a/0011-RH-skipped-tests-EC-curves.patch
+++ b/0011-RH-skipped-tests-EC-curves.patch
@@ -1,7 +1,7 @@
-From 4a0a6c5cc9560438cab41e65948b6da9e63d1123 Mon Sep 17 00:00:00 2001
+From 2afc42b7faa263387234aa747d676efd140a7c8a Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 11/59] RH: skipped tests EC curves
+Subject: [PATCH 11/57] RH: skipped tests EC curves
Patch-name: 0013-skipped-tests-EC-curves.patch
Patch-id: 13
@@ -78,5 +78,5 @@ index f722800e27..26a01786bb 100644
my @basic_cmd = ("cmp_vfy_test",
data_file("server.crt"), data_file("client.crt"),
--
-2.51.0
+2.52.0
diff --git a/0012-RH-skip-quic-pairwise.patch b/0012-RH-skip-quic-pairwise.patch
index 84dd7ec..19fe4a2 100644
--- a/0012-RH-skip-quic-pairwise.patch
+++ b/0012-RH-skip-quic-pairwise.patch
@@ -1,7 +1,7 @@
-From 82c0d773649909ec1883d43e423f886d6424b9af Mon Sep 17 00:00:00 2001
+From 48b4a63db033730ef98eb9968e45ba66688598c9 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Thu, 7 Mar 2024 17:37:09 +0100
-Subject: [PATCH 12/59] RH: skip quic pairwise
+Subject: [PATCH 12/57] RH: skip quic pairwise
Patch-name: 0115-skip-quic-pairwise.patch
Patch-id: 115
@@ -14,10 +14,10 @@ Patch-status: |
3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/test/quicapitest.c b/test/quicapitest.c
-index 4e887c13d1..37acf268cc 100644
+index 6b9ee8e69a..96cd735819 100644
--- a/test/quicapitest.c
+++ b/test/quicapitest.c
-@@ -2916,7 +2916,9 @@ int setup_tests(void)
+@@ -3015,7 +3015,9 @@ int setup_tests(void)
ADD_TEST(test_cipher_find);
ADD_TEST(test_version);
#if defined(DO_SSL_TRACE_TEST)
@@ -29,10 +29,10 @@ index 4e887c13d1..37acf268cc 100644
ADD_TEST(test_quic_forbidden_apis_ctx);
ADD_TEST(test_quic_forbidden_apis);
diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t
-index 222b1886ae..7e2f65cccb 100644
+index 6c8de64b0b..79a5584099 100644
--- a/test/recipes/01-test_symbol_presence.t
+++ b/test/recipes/01-test_symbol_presence.t
-@@ -185,6 +185,7 @@ foreach (sort keys %stlibname) {
+@@ -187,6 +187,7 @@ foreach (sort keys %stlibname) {
}
}
my @duplicates = sort grep { $symbols{$_} > 1 } keys %symbols;
@@ -82,5 +82,5 @@ index eaf0dbbb42..21864ad319 100644
"-pairwise", "dsa", "-dsaparam", data_file("dsaparam.pem")])),
"fips provider dsa keygen pairwise failure test");
--
-2.51.0
+2.52.0
diff --git a/0013-RH-version-aliasing.patch b/0013-RH-version-aliasing.patch
index 719de7f..6fcb250 100644
--- a/0013-RH-version-aliasing.patch
+++ b/0013-RH-version-aliasing.patch
@@ -1,7 +1,7 @@
-From 4fb5c4b21a8052f87e02c941c6e7a0e6f0d9384c Mon Sep 17 00:00:00 2001
+From 9a41889c1a026e203f936e0c3b511e6d4ddc4cf2 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
-Subject: [PATCH 13/59] RH: version aliasing
+Subject: [PATCH 13/57] RH: version aliasing
Patch-name: 0116-version-aliasing.patch
Patch-id: 116
@@ -17,7 +17,7 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
4 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
-index 6fc201bcfe..3c80b9dfe1 100644
+index 4b1c95c4ab..8a6e87c11a 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -572,7 +572,12 @@ int EVP_DigestSqueeze(EVP_MD_CTX *ctx, unsigned char *md, size_t size)
@@ -35,10 +35,10 @@ index 6fc201bcfe..3c80b9dfe1 100644
EVP_MD_CTX *out = EVP_MD_CTX_new();
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
-index eee00a0780..7c51786515 100644
+index 5584e06d7e..d5ff34a4e2 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
-@@ -1762,7 +1762,12 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
+@@ -1756,7 +1756,12 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
#endif /* FIPS_MODULE */
}
@@ -53,10 +53,10 @@ index eee00a0780..7c51786515 100644
EVP_CIPHER_CTX *out = EVP_CIPHER_CTX_new();
diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t
-index 7e2f65cccb..cc947d4821 100644
+index 79a5584099..a70ebef431 100644
--- a/test/recipes/01-test_symbol_presence.t
+++ b/test/recipes/01-test_symbol_presence.t
-@@ -131,6 +131,7 @@ foreach (sort keys %stlibname) {
+@@ -133,6 +133,7 @@ foreach (sort keys %stlibname) {
s| .*||;
# Drop OpenSSL dynamic version information if there is any
s|\@\@.+$||;
@@ -79,5 +79,5 @@ index ceb4948839..eab3987a6b 100644
BN_signed_bn2bin 5568 3_2_0 EXIST::FUNCTION:
BN_signed_lebin2bn 5569 3_2_0 EXIST::FUNCTION:
--
-2.51.0
+2.52.0
diff --git a/0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch b/0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch
index 14e686d..32f3c18 100644
--- a/0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch
+++ b/0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch
@@ -1,7 +1,7 @@
-From 104697d613232de6a96c2c8323eac721c19dbaa2 Mon Sep 17 00:00:00 2001
+From 51d485de6b9e2a714610daa886bde82b45016c0a Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 13 Feb 2025 16:09:09 -0500
-Subject: [PATCH 14/59] RH: Export two symbols for OPENSSL_str[n]casecmp
+Subject: [PATCH 14/57] RH: Export two symbols for OPENSSL_str[n]casecmp
We accidentally exported the symbols with the incorrect verison number
in an early version of RHEL-9 so we need to keep the wrong symbols for
@@ -17,7 +17,7 @@ with upstream.
mode change 100644 => 100755 test/recipes/01-test_symbol_presence.t
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
-index 3c80b9dfe1..8ee9db73dd 100644
+index 8a6e87c11a..638dac8844 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -573,7 +573,7 @@ int EVP_DigestSqueeze(EVP_MD_CTX *ctx, unsigned char *md, size_t size)
@@ -30,10 +30,10 @@ index 3c80b9dfe1..8ee9db73dd 100644
symver ("EVP_MD_CTX_dup@OPENSSL_3.2.0")))
#endif
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
-index 7c51786515..619cf4f385 100644
+index d5ff34a4e2..b4edd825cd 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
-@@ -1763,7 +1763,7 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
+@@ -1757,7 +1757,7 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
}
EVP_CIPHER_CTX
@@ -43,10 +43,10 @@ index 7c51786515..619cf4f385 100644
symver ("EVP_CIPHER_CTX_dup@OPENSSL_3.2.0")))
#endif
diff --git a/crypto/o_str.c b/crypto/o_str.c
-index 93af73561f..86442a939e 100644
+index 35540630be..fde43421ea 100644
--- a/crypto/o_str.c
+++ b/crypto/o_str.c
-@@ -403,7 +403,12 @@ int openssl_strerror_r(int errnum, char *buf, size_t buflen)
+@@ -406,7 +406,12 @@ int openssl_strerror_r(int errnum, char *buf, size_t buflen)
#endif
}
@@ -60,7 +60,7 @@ index 93af73561f..86442a939e 100644
{
int t;
-@@ -413,7 +418,12 @@ int OPENSSL_strcasecmp(const char *s1, const char *s2)
+@@ -416,7 +421,12 @@ int OPENSSL_strcasecmp(const char *s1, const char *s2)
return t;
}
@@ -77,10 +77,10 @@ index 93af73561f..86442a939e 100644
diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t
old mode 100644
new mode 100755
-index cc947d4821..de2dcd90c2
+index a70ebef431..a095239652
--- a/test/recipes/01-test_symbol_presence.t
+++ b/test/recipes/01-test_symbol_presence.t
-@@ -186,7 +186,7 @@ foreach (sort keys %stlibname) {
+@@ -188,7 +188,7 @@ foreach (sort keys %stlibname) {
}
}
my @duplicates = sort grep { $symbols{$_} > 1 } keys %symbols;
@@ -104,5 +104,5 @@ index eab3987a6b..d377d542db 100644
RAND_set0_public 5559 3_1_0 EXIST::FUNCTION:
RAND_set0_private 5560 3_1_0 EXIST::FUNCTION:
--
-2.51.0
+2.52.0
diff --git a/0015-RH-TMP-KTLS-test-skip.patch b/0015-RH-TMP-KTLS-test-skip.patch
index 747eb81..ffaa92b 100644
--- a/0015-RH-TMP-KTLS-test-skip.patch
+++ b/0015-RH-TMP-KTLS-test-skip.patch
@@ -1,7 +1,7 @@
-From 10e7b2643772ca1c4ee069a625754bfeb971d965 Mon Sep 17 00:00:00 2001
+From a6d43e2d94ba1f8ff57dfb403d9d70d9f6f0f433 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 13 Feb 2025 18:11:19 -0500
-Subject: [PATCH 15/59] RH: TMP KTLS test skip
+Subject: [PATCH 15/57] RH: TMP KTLS test skip
From-dist-git-commit: 83382cc2a09dfcc55d5740fd08fd95c2333a56c9
---
@@ -9,10 +9,10 @@ From-dist-git-commit: 83382cc2a09dfcc55d5740fd08fd95c2333a56c9
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/test/sslapitest.c b/test/sslapitest.c
-index fbe284b9ff..05c5ab256f 100644
+index 993d9e6018..a94061d974 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
-@@ -1033,9 +1033,10 @@ static int execute_test_large_message(const SSL_METHOD *smeth,
+@@ -1029,9 +1029,10 @@ end:
/* sock must be connected */
static int ktls_chk_platform(int sock)
{
@@ -26,5 +26,5 @@ index fbe284b9ff..05c5ab256f 100644
static int ping_pong_query(SSL *clientssl, SSL *serverssl)
--
-2.51.0
+2.52.0
diff --git a/0016-RH-Allow-disabling-of-SHA1-signatures.patch b/0016-RH-Allow-disabling-of-SHA1-signatures.patch
index 6fa8bf7..08b87c3 100644
--- a/0016-RH-Allow-disabling-of-SHA1-signatures.patch
+++ b/0016-RH-Allow-disabling-of-SHA1-signatures.patch
@@ -1,7 +1,7 @@
-From 6d93803492f19eeeed8cafd4948badf85a7429c4 Mon Sep 17 00:00:00 2001
+From 1efe3493167934ee77a52eba9a6b2a492885a955 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 21 Aug 2023 13:07:07 +0200
-Subject: [PATCH 16/59] RH: Allow disabling of SHA1 signatures
+Subject: [PATCH 16/57] RH: Allow disabling of SHA1 signatures
Patch-name: 0049-Allow-disabling-of-SHA1-signatures.patch
Patch-id: 49
@@ -15,7 +15,7 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
crypto/evp/pmeth_lib.c | 15 ++++
doc/man5/config.pod | 13 ++++
include/crypto/context.h | 8 +++
- include/internal/cryptlib.h | 3 +-
+ include/internal/cryptlib.h | 33 ++++-----
include/internal/sslconf.h | 4 ++
providers/common/include/prov/securitycheck.h | 2 +
providers/common/securitycheck.c | 14 ++++
@@ -25,10 +25,10 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
providers/implementations/signature/rsa_sig.c | 14 +++-
ssl/t1_lib.c | 8 +++
util/libcrypto.num | 2 +
- 16 files changed, 183 insertions(+), 7 deletions(-)
+ 16 files changed, 198 insertions(+), 22 deletions(-)
diff --git a/crypto/context.c b/crypto/context.c
-index 614c8a2c88..323615e300 100644
+index 62e60f3620..4db9d24b78 100644
--- a/crypto/context.c
+++ b/crypto/context.c
@@ -85,6 +85,8 @@ struct ossl_lib_ctx_st {
@@ -74,7 +74,7 @@ index 614c8a2c88..323615e300 100644
/* Low priority. */
#ifndef FIPS_MODULE
ctx->child_provider = ossl_child_prov_ctx_new(ctx);
-@@ -382,6 +404,11 @@ static void context_deinit_objs(OSSL_LIB_CTX *ctx)
+@@ -381,6 +403,11 @@ static void context_deinit_objs(OSSL_LIB_CTX *ctx)
}
#endif
@@ -86,7 +86,7 @@ index 614c8a2c88..323615e300 100644
/* Low priority. */
#ifndef FIPS_MODULE
if (ctx->child_provider != NULL) {
-@@ -660,6 +687,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index)
+@@ -658,6 +685,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index)
case OSSL_LIB_CTX_COMP_METHODS:
return (void *)&ctx->comp_methods;
@@ -96,7 +96,7 @@ index 614c8a2c88..323615e300 100644
default:
return NULL;
}
-@@ -714,3 +744,43 @@ void OSSL_LIB_CTX_set_conf_diagnostics(OSSL_LIB_CTX *libctx, int value)
+@@ -712,3 +742,43 @@ void OSSL_LIB_CTX_set_conf_diagnostics(OSSL_LIB_CTX *libctx, int value)
return;
libctx->conf_diagnostics = value;
}
@@ -141,7 +141,7 @@ index 614c8a2c88..323615e300 100644
+ return 1;
+}
diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
-index 0e7fe64cf9..b9d3b6d226 100644
+index 184bab933c..2ae7ccea15 100644
--- a/crypto/evp/evp_cnf.c
+++ b/crypto/evp/evp_cnf.c
@@ -10,6 +10,7 @@
@@ -170,20 +170,20 @@ index 0e7fe64cf9..b9d3b6d226 100644
+ }
} else {
ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
- "name=%s, value=%s", oval->name, oval->value);
+ "name=%s, value=%s", oval->name, oval->value);
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
-index c27ed6dbe9..ea1f6cbed3 100644
+index 0a433adbe4..6c9f71569b 100644
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c
@@ -15,6 +15,7 @@
#include "internal/provider.h"
- #include "internal/numbers.h" /* includes SIZE_MAX */
+ #include "internal/numbers.h" /* includes SIZE_MAX */
#include "evp_local.h"
+#include "internal/sslconf.h"
static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
{
-@@ -253,6 +254,19 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
+@@ -251,6 +252,19 @@ reinitialize:
}
desc = signature->description != NULL ? signature->description : "";
@@ -204,7 +204,7 @@ index c27ed6dbe9..ea1f6cbed3 100644
if (signature->digest_verify_init == NULL) {
ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_NOT_SUPPORTED,
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
-index 08c0d6a7b2..b936ad4447 100644
+index 2a0fc3ef0b..20e80a447d 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -33,6 +33,7 @@
@@ -215,7 +215,7 @@ index 08c0d6a7b2..b936ad4447 100644
#include "evp_local.h"
#ifndef FIPS_MODULE
-@@ -963,6 +964,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
+@@ -952,6 +953,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
return -2;
}
@@ -277,26 +277,57 @@ index 1c181933e0..35bdfdb52d 100644
+#endif
+
diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
-index da442f8a86..44a5e8a99a 100644
+index 50aec7e7f4..9678e150e0 100644
--- a/include/internal/cryptlib.h
+++ b/include/internal/cryptlib.h
-@@ -120,7 +120,8 @@ typedef struct ossl_ex_data_global_st {
- # define OSSL_LIB_CTX_DECODER_CACHE_INDEX 20
- # define OSSL_LIB_CTX_COMP_METHODS 21
- # define OSSL_LIB_CTX_INDICATOR_CB_INDEX 22
--# define OSSL_LIB_CTX_MAX_INDEXES 22
-+# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 23
-+# define OSSL_LIB_CTX_MAX_INDEXES 23
+@@ -102,23 +102,24 @@ typedef struct ossl_ex_data_global_st {
+ #define OSSL_LIB_CTX_DRBG_NONCE_INDEX 6
+ /* slot 7 unused, was CRNG test data and can be reused */
+ #ifdef FIPS_MODULE
+-#define OSSL_LIB_CTX_THREAD_EVENT_HANDLER_INDEX 8
++#define OSSL_LIB_CTX_THREAD_EVENT_HANDLER_INDEX 8
+ #endif
+-#define OSSL_LIB_CTX_FIPS_PROV_INDEX 9
+-#define OSSL_LIB_CTX_ENCODER_STORE_INDEX 10
+-#define OSSL_LIB_CTX_DECODER_STORE_INDEX 11
+-#define OSSL_LIB_CTX_SELF_TEST_CB_INDEX 12
+-#define OSSL_LIB_CTX_BIO_PROV_INDEX 13
+-#define OSSL_LIB_CTX_GLOBAL_PROPERTIES 14
+-#define OSSL_LIB_CTX_STORE_LOADER_STORE_INDEX 15
+-#define OSSL_LIB_CTX_PROVIDER_CONF_INDEX 16
+-#define OSSL_LIB_CTX_BIO_CORE_INDEX 17
+-#define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX 18
+-#define OSSL_LIB_CTX_THREAD_INDEX 19
+-#define OSSL_LIB_CTX_DECODER_CACHE_INDEX 20
+-#define OSSL_LIB_CTX_COMP_METHODS 21
+-#define OSSL_LIB_CTX_INDICATOR_CB_INDEX 22
+-#define OSSL_LIB_CTX_MAX_INDEXES 22
++#define OSSL_LIB_CTX_FIPS_PROV_INDEX 9
++#define OSSL_LIB_CTX_ENCODER_STORE_INDEX 10
++#define OSSL_LIB_CTX_DECODER_STORE_INDEX 11
++#define OSSL_LIB_CTX_SELF_TEST_CB_INDEX 12
++#define OSSL_LIB_CTX_BIO_PROV_INDEX 13
++#define OSSL_LIB_CTX_GLOBAL_PROPERTIES 14
++#define OSSL_LIB_CTX_STORE_LOADER_STORE_INDEX 15
++#define OSSL_LIB_CTX_PROVIDER_CONF_INDEX 16
++#define OSSL_LIB_CTX_BIO_CORE_INDEX 17
++#define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX 18
++#define OSSL_LIB_CTX_THREAD_INDEX 19
++#define OSSL_LIB_CTX_DECODER_CACHE_INDEX 20
++#define OSSL_LIB_CTX_COMP_METHODS 21
++#define OSSL_LIB_CTX_INDICATOR_CB_INDEX 22
++#define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 23
++#define OSSL_LIB_CTX_MAX_INDEXES 23
OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx);
int ossl_lib_ctx_is_default(OSSL_LIB_CTX *ctx);
diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h
-index fd7f7e3331..05464b0655 100644
+index a7cec01bf6..076e139de4 100644
--- a/include/internal/sslconf.h
+++ b/include/internal/sslconf.h
@@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name, size_t *idx);
void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr,
- char **arg);
+ char **arg);
+/* Methods to support disabling all signatures with legacy digests */
+int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig);
@@ -314,7 +345,7 @@ index 29a2b7fbf8..a48cbb03d2 100644
+
+int rh_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int mdnid);
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
-index 8ef8dc2a81..79a9c48ce2 100644
+index e883ff4865..6985be0400 100644
--- a/providers/common/securitycheck.c
+++ b/providers/common/securitycheck.c
@@ -19,6 +19,7 @@
@@ -325,7 +356,7 @@ index 8ef8dc2a81..79a9c48ce2 100644
#define OSSL_FIPS_MIN_SECURITY_STRENGTH_BITS 112
-@@ -219,3 +220,16 @@ int ossl_dh_check_key(const DH *dh)
+@@ -220,3 +221,16 @@ int ossl_dh_check_key(const DH *dh)
return (L == 2048 && (N == 224 || N == 256));
}
#endif /* OPENSSL_NO_DH */
@@ -343,7 +374,7 @@ index 8ef8dc2a81..79a9c48ce2 100644
+ return mdnid;
+}
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
-index dd71fd91eb..9019fd2a80 100644
+index 42823ffe14..4b80f14b40 100644
--- a/providers/common/securitycheck_default.c
+++ b/providers/common/securitycheck_default.c
@@ -15,6 +15,7 @@
@@ -355,7 +386,7 @@ index dd71fd91eb..9019fd2a80 100644
/* Disable the security checks in the default provider */
int ossl_fips_config_securitycheck_enabled(OSSL_LIB_CTX *libctx)
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
-index 887f6cbb90..595aed7e07 100644
+index 51dcc3f230..31a89133a3 100644
--- a/providers/implementations/signature/dsa_sig.c
+++ b/providers/implementations/signature/dsa_sig.c
@@ -163,6 +163,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
@@ -367,7 +398,7 @@ index 887f6cbb90..595aed7e07 100644
if (md == NULL) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
-index 73bfbf4aa9..88d83275b1 100644
+index 0c04fc4ec6..2a4faf4a71 100644
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
@@ -197,13 +197,15 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx,
@@ -381,7 +412,7 @@ index 73bfbf4aa9..88d83275b1 100644
+ /* KECCAK-256 is explicitly allowed for ECDSA despite it doesn't have a NID*/
+ if (md_nid <= 0 && !(EVP_MD_is_a(md, "KECCAK-256"))) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
- "digest=%s", mdname);
+ "digest=%s", mdname);
goto err;
}
-#endif
@@ -390,7 +421,7 @@ index 73bfbf4aa9..88d83275b1 100644
if (EVP_MD_xof(md)) {
ERR_raise(ERR_LIB_PROV, PROV_R_XOF_DIGESTS_NOT_ALLOWED);
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
-index d8357cfe15..29be5f5028 100644
+index fcdfebbbff..bbdd037728 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -26,6 +26,7 @@
@@ -417,9 +448,9 @@ index d8357cfe15..29be5f5028 100644
+ md_nid = rh_digest_signatures_allowed(ctx->libctx, md_nid);
+ if (md_nid <= 0) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
- "digest=%s", mdname);
+ "digest=%s", mdname);
goto err;
-@@ -1765,8 +1768,13 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
+@@ -1760,8 +1763,13 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
prsactx->pad_mode = pad_mode;
if (prsactx->md == NULL && pmdname == NULL
@@ -436,7 +467,7 @@ index d8357cfe15..29be5f5028 100644
if (pmgf1mdname != NULL
&& !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index 2f71f95438..bea5cab253 100644
+index cd471a636d..35d0a6f1bb 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -21,6 +21,7 @@
@@ -447,7 +478,7 @@ index 2f71f95438..bea5cab253 100644
#include "internal/nelem.h"
#include "internal/sizes.h"
#include "internal/tlsgroups.h"
-@@ -2178,6 +2179,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
+@@ -2175,6 +2176,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
EVP_PKEY *tmpkey = EVP_PKEY_new();
int istls;
int ret = 0;
@@ -455,15 +486,15 @@ index 2f71f95438..bea5cab253 100644
if (ctx == NULL)
goto err;
-@@ -2195,6 +2197,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
+@@ -2192,6 +2194,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
goto err;
ERR_set_mark();
+ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0);
/* First fill cache and tls12_sigalgs list from legacy algorithm list */
for (i = 0, lu = sigalg_lookup_tbl;
- i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
-@@ -2215,6 +2218,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
+ i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
+@@ -2212,6 +2215,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx)
cache[i].available = 0;
continue;
}
@@ -486,5 +517,5 @@ index d377d542db..c2c55129ae 100644
+ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
+ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
--
-2.51.0
+2.52.0
diff --git a/0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch b/0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch
index 62a4fca..7ca651f 100644
--- a/0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch
+++ b/0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch
@@ -1,7 +1,7 @@
-From 1797d7e47f7bd2a16f56b5f32e31700b871ece30 Mon Sep 17 00:00:00 2001
+From 074607f7c460cda25654f1ee990ddba98af6d6db Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:12:33 -0500
-Subject: [PATCH 17/59] FIPS: Red Hat's FIPS module name and version
+Subject: [PATCH 17/57] FIPS: Red Hat's FIPS module name and version
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -9,11 +9,11 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
-index e260b5b665..e5d798fd54 100644
+index 419878719e..0f006301d7 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -201,13 +201,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
- OSSL_LIB_CTX_FIPS_PROV_INDEX);
+ OSSL_LIB_CTX_FIPS_PROV_INDEX);
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, FIPS_VENDOR))
@@ -30,5 +30,5 @@ index e260b5b665..e5d798fd54 100644
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
--
-2.51.0
+2.52.0
diff --git a/0018-FIPS-disable-fipsinstall.patch b/0018-FIPS-disable-fipsinstall.patch
index 68b00b9..15ff4ea 100644
--- a/0018-FIPS-disable-fipsinstall.patch
+++ b/0018-FIPS-disable-fipsinstall.patch
@@ -1,7 +1,7 @@
-From 08c4167790785c112357fa769b3e0f11654abd2b Mon Sep 17 00:00:00 2001
+From e43a23f06a9e23f1091f88c6dfa6c1bd4e065a7a Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 18/59] FIPS: disable fipsinstall
+Subject: [PATCH 18/57] FIPS: disable fipsinstall
Patch-name: 0034.fipsinstall_disable.patch
Patch-id: 34
@@ -24,10 +24,10 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
mode change 100644 => 100755 test/recipes/03-test_fipsinstall.t
diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c
-index 0daa55a1b8..b4e29ac301 100644
+index dcc09a5ed7..e3d5f6e86d 100644
--- a/apps/fipsinstall.c
+++ b/apps/fipsinstall.c
-@@ -590,6 +590,9 @@ int fipsinstall_main(int argc, char **argv)
+@@ -636,6 +636,9 @@ int fipsinstall_main(int argc, char **argv)
EVP_MAC *mac = NULL;
CONF *conf = NULL;
@@ -38,7 +38,7 @@ index 0daa55a1b8..b4e29ac301 100644
goto end;
diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in
-index d44b4a7dac..1c6b783413 100644
+index 2db5acd242..1c6b783413 100644
--- a/doc/man1/openssl-fipsinstall.pod.in
+++ b/doc/man1/openssl-fipsinstall.pod.in
@@ -8,484 +8,9 @@ openssl-fipsinstall - perform FIPS configuration installation
@@ -406,7 +406,7 @@ index d44b4a7dac..1c6b783413 100644
-
-=item B<-self_test_oninstall>
-
--The converse of B<-self_test_oninstall>. The two fields related to the
+-The converse of B<-self_test_onload>. The two fields related to the
-"test status indicator" and "MAC status indicator" are written to the
-output configuration file.
-This field is not relevant for an OpenSSL FIPS 140-3 provider, since this is no
@@ -530,7 +530,7 @@ index d44b4a7dac..1c6b783413 100644
=head1 COPYRIGHT
diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod
-index edef2ff598..0762a00d74 100644
+index 635b52aeb1..55bc6e44c6 100644
--- a/doc/man1/openssl.pod
+++ b/doc/man1/openssl.pod
@@ -139,10 +139,6 @@ Engine (loadable module) information and manipulation.
@@ -856,5 +856,5 @@ index 3dcbe67c6d..1a5a475d91
# Compatible options for pedantic FIPS compliance
--
-2.51.0
+2.52.0
diff --git a/0019-FIPS-Force-fips-provider-on.patch b/0019-FIPS-Force-fips-provider-on.patch
index 4ab1f7d..f8b7415 100644
--- a/0019-FIPS-Force-fips-provider-on.patch
+++ b/0019-FIPS-Force-fips-provider-on.patch
@@ -1,7 +1,7 @@
-From 91efb2e81287745f7a2817211d00ca5a41f4e8ba Mon Sep 17 00:00:00 2001
+From b8a5ce1fbad62e0f7b023aab827d2888413d5ced Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 19/59] FIPS: Force fips provider on
+Subject: [PATCH 19/57] FIPS: Force fips provider on
Patch-name: 0032-Force-fips.patch
Patch-id: 32
@@ -13,7 +13,7 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c
-index 9649517dd2..1e5053cbce 100644
+index f2e76ac402..a2a8a9942c 100644
--- a/crypto/provider_conf.c
+++ b/crypto/provider_conf.c
@@ -10,6 +10,8 @@
@@ -75,5 +75,5 @@ index 9649517dd2..1e5053cbce 100644
}
--
-2.51.0
+2.52.0
diff --git a/0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch b/0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch
index f0bd30a..1172c04 100644
--- a/0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch
+++ b/0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch
@@ -1,7 +1,7 @@
-From f2fc8dd1549cd4662ad073d8d9689eaa0747385a Mon Sep 17 00:00:00 2001
+From 310346f65db4e3b6052cf165f890f13bfd645f5c Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 20/59] FIPS: INTEG-CHECK: Embed hmac in fips.so - NOTE
+Subject: [PATCH 20/57] FIPS: INTEG-CHECK: Embed hmac in fips.so - NOTE
Corrected by squashing in:
0052-Restore-the-correct-verify_integrity-function.patch
@@ -20,10 +20,10 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
create mode 100644 test/fipsmodule.cnf
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
-index 456efd139e..c89e91b587 100644
+index 008a4fac84..c72e2605c4 100644
--- a/providers/fips/self_test.c
+++ b/providers/fips/self_test.c
-@@ -235,13 +235,137 @@ err:
+@@ -237,13 +237,137 @@ err:
return ok;
}
@@ -157,12 +157,12 @@ index 456efd139e..c89e91b587 100644
+}
+
static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
-- unsigned char *expected, size_t expected_len,
-+ const unsigned char *expected, size_t expected_len,
- OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
- const char *event_type)
+- unsigned char *expected, size_t expected_len,
++ const unsigned char *expected, size_t expected_len,
+ OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
+ const char *event_type)
{
-@@ -253,6 +377,9 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
+@@ -255,6 +379,9 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
EVP_MAC_CTX *ctx = NULL;
OSSL_PARAM params[2], *p = params;
@@ -172,7 +172,7 @@ index 456efd139e..c89e91b587 100644
if (!integrity_self_test(ev, libctx))
goto err;
-@@ -316,7 +443,8 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
+@@ -318,7 +445,8 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
int ok = 0;
long checksum_len;
OSSL_CORE_BIO *bio_module = NULL;
@@ -182,22 +182,22 @@ index 456efd139e..c89e91b587 100644
OSSL_SELF_TEST *ev = NULL;
EVP_RAND *testrand = NULL;
EVP_RAND_CTX *rng;
-@@ -352,8 +480,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
+@@ -354,8 +482,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
return 0;
}
- if (st == NULL
-- || st->module_checksum_data == NULL) {
+- || st->module_checksum_data == NULL) {
+ if (st == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
goto end;
}
-@@ -362,8 +489,15 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
+@@ -364,8 +491,15 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
if (ev == NULL)
goto end;
- module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
-- &checksum_len);
+- &checksum_len);
+ if (st->module_checksum_data == NULL) {
+ module_checksum = fips_hmac_container;
+ checksum_len = sizeof(fips_hmac_container);
@@ -210,14 +210,14 @@ index 456efd139e..c89e91b587 100644
if (module_checksum == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
goto end;
-@@ -371,14 +505,28 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
+@@ -373,14 +507,28 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb");
/* Always check the integrity of the fips module */
- if (bio_module == NULL
-- || !verify_integrity(bio_module, st->bio_read_ex_cb,
-- module_checksum, checksum_len, st->libctx,
-- ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
+- || !verify_integrity(bio_module, st->bio_read_ex_cb,
+- module_checksum, checksum_len, st->libctx,
+- ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) {
+ if (bio_module == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE);
goto end;
@@ -243,7 +243,7 @@ index 456efd139e..c89e91b587 100644
if (!SELF_TEST_kats(ev, st->libctx)) {
ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
goto end;
-@@ -398,7 +546,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
+@@ -401,7 +549,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
end:
EVP_RAND_free(testrand);
OSSL_SELF_TEST_free(ev);
@@ -261,5 +261,5 @@ index 0000000000..f05d0dedbe
+[fips_sect]
+activate = 1
--
-2.51.0
+2.52.0
diff --git a/0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch b/0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch
index 21cd432..c67b18c 100644
--- a/0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch
+++ b/0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch
@@ -1,7 +1,7 @@
-From 11959719a0acee26ca505c79f89af7fc5aeca011 Mon Sep 17 00:00:00 2001
+From 7fb0257ff4158f41306b730e0b2851bcd6d22747 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 20 Feb 2025 15:30:32 -0500
-Subject: [PATCH 21/59] FIPS: INTEG-CHECK: Add script to hmac-ify fips.so
+Subject: [PATCH 21/57] FIPS: INTEG-CHECK: Add script to hmac-ify fips.so
This script rewrites the fips.so binary to embed the hmac result into it
so that after a build it can be called to make the fips.so as modified
@@ -28,5 +28,5 @@ index 0000000000..54ae60b07f
+objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
+mv providers/fips.so.mac providers/fips.so
--
-2.51.0
+2.52.0
diff --git a/0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch b/0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch
index 8302ce5..33aa3ef 100644
--- a/0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch
+++ b/0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch
@@ -1,7 +1,7 @@
-From 2ec805ecc3c89c4db5dea64b2b1f9be756595347 Mon Sep 17 00:00:00 2001
+From a155bf631d4d923ed08f554344c44d07571d6e02 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 22/59] FIPS: INTEG-CHECK: Execute KATS before HMAC - REVIEW
+Subject: [PATCH 22/57] FIPS: INTEG-CHECK: Execute KATS before HMAC - REVIEW
Patch-name: 0047-FIPS-early-KATS.patch
Patch-id: 47
@@ -13,10 +13,10 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
-index c89e91b587..98bf6ad203 100644
+index c72e2605c4..470cf1fc28 100644
--- a/providers/fips/self_test.c
+++ b/providers/fips/self_test.c
-@@ -489,6 +489,15 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
+@@ -491,6 +491,15 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
if (ev == NULL)
goto end;
@@ -32,7 +32,7 @@ index c89e91b587..98bf6ad203 100644
if (st->module_checksum_data == NULL) {
module_checksum = fips_hmac_container;
checksum_len = sizeof(fips_hmac_container);
-@@ -527,11 +536,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
+@@ -529,11 +538,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
}
}
@@ -45,5 +45,5 @@ index c89e91b587..98bf6ad203 100644
rng = ossl_rand_get0_private_noncreating(st->libctx);
if (rng != NULL)
--
-2.51.0
+2.52.0
diff --git a/0023-FIPS-RSA-encrypt-limits-REVIEW.patch b/0023-FIPS-RSA-encrypt-limits-REVIEW.patch
index 5976d4c..0e42771 100644
--- a/0023-FIPS-RSA-encrypt-limits-REVIEW.patch
+++ b/0023-FIPS-RSA-encrypt-limits-REVIEW.patch
@@ -1,7 +1,7 @@
-From decf5f9abf903fc3609d1aaaf84b9d437afb4072 Mon Sep 17 00:00:00 2001
+From 97d32c648aa0ba85165f40a9b9fca194301420fa Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 23/59] FIPS: RSA: encrypt limits - REVIEW
+Subject: [PATCH 23/57] FIPS: RSA: encrypt limits - REVIEW
Patch-name: 0058-FIPS-limit-rsa-encrypt.patch
Patch-id: 58
@@ -19,10 +19,10 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
mode change 100644 => 100755 test/recipes/80-test_ssl_old.t
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
-index 79a9c48ce2..0e517542bc 100644
+index 6985be0400..37000c8627 100644
--- a/providers/common/securitycheck.c
+++ b/providers/common/securitycheck.c
-@@ -65,6 +65,7 @@ int ossl_rsa_key_op_get_protect(const RSA *rsa, int operation, int *outprotect)
+@@ -66,6 +66,7 @@ int ossl_rsa_key_op_get_protect(const RSA *rsa, int operation, int *outprotect)
* Set protect = 1 for encryption or signing operations, or 0 otherwise. See
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.
*/
@@ -44,7 +44,7 @@ index 78f9fc0655..6bd783eb0a 100644
OSSL_FIPS_PARAM(rsa_sign_x931_disallowed, RSA_SIGN_X931_PAD_DISABLED, 0)
OSSL_FIPS_PARAM(hkdf_key_check, HKDF_KEY_CHECK, 0)
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
-index e6b676d0f8..6d6650bd81 100644
+index 4995b00102..0b14fbc58d 100644
--- a/providers/implementations/asymciphers/rsa_enc.c
+++ b/providers/implementations/asymciphers/rsa_enc.c
@@ -174,6 +174,18 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
@@ -66,7 +66,7 @@ index e6b676d0f8..6d6650bd81 100644
if (out == NULL) {
*outlen = len;
return 1;
-@@ -235,6 +247,20 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
+@@ -234,6 +246,20 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
if (!ossl_prov_is_running())
return 0;
@@ -911,7 +911,7 @@ index 18e11bdaa9..17ceb59148 100644
Ctrl = rsa_padding_mode:oaep
Ctrl = rsa_mgf1_md:sha1
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
-index 4031dbec77..92a48a09c6 100644
+index 279a498475..c278987186 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -267,7 +267,7 @@ my @smime_pkcs7_tests = (
@@ -981,5 +981,5 @@ index f7be2e1872..568a1ddba4
}
next if $protocol eq "-tls1_3";
--
-2.51.0
+2.52.0
diff --git a/0024-FIPS-RSA-PCTs.patch b/0024-FIPS-RSA-PCTs.patch
index 2c3eca1..59913f1 100644
--- a/0024-FIPS-RSA-PCTs.patch
+++ b/0024-FIPS-RSA-PCTs.patch
@@ -1,7 +1,7 @@
-From e19989c58ad6450428ee68fa4d81e022925872c1 Mon Sep 17 00:00:00 2001
+From 034d02d047e4a4d84d5c8ca2b54557b1679e8610 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 24 Mar 2025 10:50:37 -0400
-Subject: [PATCH 24/59] FIPS: RSA: PCTs
+Subject: [PATCH 24/57] FIPS: RSA: PCTs
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -10,10 +10,10 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
2 files changed, 61 insertions(+), 4 deletions(-)
diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c
-index cd74275d60..52087abff6 100644
+index 3582936d67..383c3071a9 100644
--- a/providers/implementations/keymgmt/rsa_kmgmt.c
+++ b/providers/implementations/keymgmt/rsa_kmgmt.c
-@@ -434,6 +434,7 @@ struct rsa_gen_ctx {
+@@ -428,6 +428,7 @@ struct rsa_gen_ctx {
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
/* ACVP test parameters */
OSSL_PARAM *acvp_test_params;
@@ -21,7 +21,7 @@ index cd74275d60..52087abff6 100644
#endif
};
-@@ -447,6 +448,12 @@ static int rsa_gencb(int p, int n, BN_GENCB *cb)
+@@ -441,6 +442,12 @@ static int rsa_gencb(int p, int n, BN_GENCB *cb)
return gctx->cb(params, gctx->cbarg);
}
@@ -32,9 +32,9 @@ index cd74275d60..52087abff6 100644
+#endif
+
static void *gen_init(void *provctx, int selection, int rsa_type,
- const OSSL_PARAM params[])
+ const OSSL_PARAM params[])
{
-@@ -474,6 +481,10 @@ static void *gen_init(void *provctx, int selection, int rsa_type,
+@@ -468,6 +475,10 @@ static void *gen_init(void *provctx, int selection, int rsa_type,
if (!rsa_gen_set_params(gctx, params))
goto err;
@@ -45,7 +45,7 @@ index cd74275d60..52087abff6 100644
return gctx;
err:
-@@ -630,6 +641,11 @@ static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
+@@ -624,6 +635,11 @@ static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
rsa = rsa_tmp;
rsa_tmp = NULL;
@@ -54,10 +54,10 @@ index cd74275d60..52087abff6 100644
+ if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1)
+ abort();
+#endif
- err:
+ err:
BN_GENCB_free(gencb);
RSA_free(rsa_tmp);
-@@ -645,6 +661,8 @@ static void rsa_gen_cleanup(void *genctx)
+@@ -639,6 +655,8 @@ static void rsa_gen_cleanup(void *genctx)
#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params);
gctx->acvp_test_params = NULL;
@@ -67,7 +67,7 @@ index cd74275d60..52087abff6 100644
BN_clear_free(gctx->pub_exp);
OPENSSL_free(gctx);
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
-index 29be5f5028..670125464e 100644
+index bbdd037728..4e0744eeba 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -37,7 +37,7 @@
@@ -97,7 +97,7 @@ index 29be5f5028..670125464e 100644
{
PROV_RSA_CTX *prsactx = NULL;
char *propq_copy = NULL;
-@@ -1316,7 +1316,7 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
+@@ -1309,7 +1309,7 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
return ok;
}
@@ -106,7 +106,7 @@ index 29be5f5028..670125464e 100644
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
-@@ -1866,6 +1866,45 @@ static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)
+@@ -1861,6 +1861,45 @@ static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx)
return EVP_MD_settable_ctx_params(prsactx->md);
}
@@ -153,5 +153,5 @@ index 29be5f5028..670125464e 100644
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx },
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init },
--
-2.51.0
+2.52.0
diff --git a/0025-FIPS-RSA-encapsulate-limits.patch b/0025-FIPS-RSA-encapsulate-limits.patch
index 7aa84db..6a78869 100644
--- a/0025-FIPS-RSA-encapsulate-limits.patch
+++ b/0025-FIPS-RSA-encapsulate-limits.patch
@@ -1,7 +1,7 @@
-From 178f344c1bad06adc0fe187fb24da2b036cc3628 Mon Sep 17 00:00:00 2001
+From ca999ba4305afdf6b8465708ecc1a472543bbad6 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
-Subject: [PATCH 25/59] FIPS: RSA: encapsulate limits
+Subject: [PATCH 25/57] FIPS: RSA: encapsulate limits
Patch-name: 0091-FIPS-RSA-encapsulate.patch
Patch-id: 91
@@ -14,7 +14,7 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
2 files changed, 15 insertions(+)
diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
-index 7494dcc010..5d6123e8cb 100644
+index f7bf368a0d..a05cf7c748 100644
--- a/providers/implementations/kem/rsa_kem.c
+++ b/providers/implementations/kem/rsa_kem.c
@@ -284,6 +284,13 @@ static int rsasve_generate(PROV_RSA_CTX *prsactx,
@@ -31,7 +31,7 @@ index 7494dcc010..5d6123e8cb 100644
if (out == NULL) {
if (nlen == 0) {
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
-@@ -360,6 +367,13 @@ static int rsasve_recover(PROV_RSA_CTX *prsactx,
+@@ -359,6 +366,13 @@ static int rsasve_recover(PROV_RSA_CTX *prsactx,
/* Step (1): get the byte length of n */
nlen = RSA_size(prsactx->rsa);
@@ -55,5 +55,5 @@ index ecab1454e7..8e5edd35fe 100644
Op = RSASVE
+Result = TEST_ENCAPSULATE_LEN_ERROR
--
-2.51.0
+2.52.0
diff --git a/0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch b/0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch
index 9dd08fa..dafa253 100644
--- a/0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch
+++ b/0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch
@@ -1,7 +1,7 @@
-From 4d1abf9cc029a713b4bf433af06d3c6507ae2ebc Mon Sep 17 00:00:00 2001
+From 05d9c9154e199bb4a84e215f0b20bd06ac5081d8 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
-Subject: [PATCH 26/59] FIPS: RSA: Disallow SHAKE in OAEP and PSS
+Subject: [PATCH 26/57] FIPS: RSA: Disallow SHAKE in OAEP and PSS
According to FIPS 140-3 IG, section C.C, the SHAKE digest algorithms
must not be used in higher-level algorithms (such as RSA-OAEP and
@@ -25,7 +25,7 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
2 files changed, 32 insertions(+)
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
-index 5a1c080fcd..11cd78618b 100644
+index 453205b56c..e45d4bc278 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -76,6 +76,14 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx,
@@ -59,7 +59,7 @@ index 5a1c080fcd..11cd78618b 100644
/* XOF are approved as standalone; Shake256 in Ed448; MGF */
if (EVP_MD_xof(md)) {
diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
-index a2bc198a89..2833ca50f3 100644
+index 98d6e70346..7fe78b9055 100644
--- a/crypto/rsa/rsa_pss.c
+++ b/crypto/rsa/rsa_pss.c
@@ -61,6 +61,14 @@ int ossl_rsa_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
@@ -93,5 +93,5 @@ index a2bc198a89..2833ca50f3 100644
if (hLen <= 0)
goto err;
--
-2.51.0
+2.52.0
diff --git a/0027-FIPS-RSA-size-mode-restrictions.patch b/0027-FIPS-RSA-size-mode-restrictions.patch
index 654f678..cc2ca96 100644
--- a/0027-FIPS-RSA-size-mode-restrictions.patch
+++ b/0027-FIPS-RSA-size-mode-restrictions.patch
@@ -1,7 +1,7 @@
-From 564140b9980fba626d7b52c6072b1d9cb87150da Mon Sep 17 00:00:00 2001
+From 4191527585ab1e8923249885cbf87d2f91b8804f Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:20:30 -0500
-Subject: [PATCH 27/59] FIPS: RSA: size/mode restrictions
+Subject: [PATCH 27/57] FIPS: RSA: size/mode restrictions
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -12,10 +12,10 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
4 files changed, 86 insertions(+), 4 deletions(-)
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
-index 670125464e..664c59d2ef 100644
+index 4e0744eeba..f38431fd60 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
-@@ -939,6 +939,19 @@ static int rsa_verify_recover(void *vprsactx,
+@@ -935,6 +935,19 @@ static int rsa_verify_recover(void *vprsactx,
{
PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
int ret;
@@ -35,8 +35,8 @@ index 670125464e..664c59d2ef 100644
if (!ossl_prov_is_running())
return 0;
-@@ -1033,6 +1046,19 @@ static int rsa_verify_directly(PROV_RSA_CTX *prsactx,
- const unsigned char *tbs, size_t tbslen)
+@@ -1027,6 +1040,19 @@ static int rsa_verify_directly(PROV_RSA_CTX *prsactx,
+ const unsigned char *tbs, size_t tbslen)
{
size_t rslen;
+# ifdef FIPS_MODULE
@@ -56,7 +56,7 @@ index 670125464e..664c59d2ef 100644
if (!ossl_prov_is_running())
return 0;
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
-index 19420d6c6a..5ab1ccee93 100644
+index 15be7e8067..823ad48e02 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -350,6 +350,9 @@ int ssl_load_ciphers(SSL_CTX *ctx)
@@ -70,7 +70,7 @@ index 19420d6c6a..5ab1ccee93 100644
* We ignore any errors from the fetches below. They are expected to fail
* if these algorithms are not available.
diff --git a/test/recipes/30-test_evp_data/evppkey_rsa.txt b/test/recipes/30-test_evp_data/evppkey_rsa.txt
-index f1dc5dd2a2..6ae973eaac 100644
+index 42819f7c41..65a75469f9 100644
--- a/test/recipes/30-test_evp_data/evppkey_rsa.txt
+++ b/test/recipes/30-test_evp_data/evppkey_rsa.txt
@@ -268,8 +268,19 @@ TwIDAQAB
@@ -437,5 +437,5 @@ index 17ceb59148..972e90f32f 100644
# Signing with SHA1 is not allowed in fips mode
Availablein = fips
--
-2.51.0
+2.52.0
diff --git a/0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch b/0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch
index cea491f..d472fd7 100644
--- a/0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch
+++ b/0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch
@@ -1,7 +1,7 @@
-From 84323511d9558acb40614ca7cd19436901b02629 Mon Sep 17 00:00:00 2001
+From d72621c7c9fd09b4d6a917b3a721f0fd114b950d Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 24 Mar 2025 11:03:45 -0400
-Subject: [PATCH 28/59] FIPS: RSA: Mark x931 as not approved by default
+Subject: [PATCH 28/57] FIPS: RSA: Mark x931 as not approved by default
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -22,5 +22,5 @@ index 6bd783eb0a..c1b029de86 100644
OSSL_FIPS_PARAM(kbkdf_key_check, KBKDF_KEY_CHECK, 0)
OSSL_FIPS_PARAM(tls13_kdf_key_check, TLS13_KDF_KEY_CHECK, 0)
--
-2.51.0
+2.52.0
diff --git a/0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch b/0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch
index feda848..e8eded5 100644
--- a/0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch
+++ b/0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch
@@ -1,7 +1,7 @@
-From be283ef7233549606bd5f2222c94e2bed92c4a6d Mon Sep 17 00:00:00 2001
+From 3618981a35438119a4027d1bf3cb3902431adaa4 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:16 +0100
-Subject: [PATCH 29/59] FIPS: RSA: Remove X9.31 padding signatures tests
+Subject: [PATCH 29/57] FIPS: RSA: Remove X9.31 padding signatures tests
The current draft of FIPS 186-5 [1] no longer contains specifications
for X9.31 signature padding. Instead, it contains the following
@@ -278,5 +278,5 @@ index 97ec1ff3e5..31fa0eafc6 100644
"pss",
4096,
--
-2.51.0
+2.52.0
diff --git a/0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch b/0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch
index 0727a78..60a1401 100644
--- a/0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch
+++ b/0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch
@@ -1,7 +1,7 @@
-From dcf7af9b6a78929682a539c30c388d6329460fde Mon Sep 17 00:00:00 2001
+From 83b5a2e3a74780873c8831fd8e3cc6bde0006820 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 12 Feb 2025 17:12:02 -0500
-Subject: [PATCH 30/59] FIPS: RSA: NEEDS-REWORK:
+Subject: [PATCH 30/57] FIPS: RSA: NEEDS-REWORK:
FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed
Signed-off-by: Simo Sorce <simo@redhat.com>
@@ -383,5 +383,5 @@ index 0000000000..2833a383c1
+--
+
--
-2.51.0
+2.52.0
diff --git a/0031-FIPS-Deny-SHA-1-signature-verification.patch b/0031-FIPS-Deny-SHA-1-signature-verification.patch
index 77dc5f3..df30692 100644
--- a/0031-FIPS-Deny-SHA-1-signature-verification.patch
+++ b/0031-FIPS-Deny-SHA-1-signature-verification.patch
@@ -1,7 +1,7 @@
-From 7e1051bf5a1fb9c3b10e1485550d663b2b1f3ba6 Mon Sep 17 00:00:00 2001
+From 7061b3b659e0386efa58d9dfb94a4f84832884d0 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:15 +0100
-Subject: [PATCH 31/59] FIPS: Deny SHA-1 signature verification
+Subject: [PATCH 31/57] FIPS: Deny SHA-1 signature verification
For RHEL, we already disable SHA-1 signatures by default in the default
provider, so it is unexpected that the FIPS provider would have a more
@@ -31,62 +31,65 @@ Signed-off-by: Clemens Lang <cllang@redhat.com>
Bug Id: https://bugzilla.redhat.com/show_bug.cgi?id=2087147
From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
- providers/implementations/signature/dsa_sig.c | 4 +-
- .../implementations/signature/ecdsa_sig.c | 4 +-
- providers/implementations/signature/rsa_sig.c | 8 ++-
+ providers/implementations/signature/dsa_sig.c | 5 +-
+ .../implementations/signature/ecdsa_sig.c | 5 +-
+ providers/implementations/signature/rsa_sig.c | 9 +--
.../30-test_evp_data/evppkey_ecdsa.txt | 11 +++-
.../30-test_evp_data/evppkey_ecdsa_sigalg.txt | 64 ++++++++++++++++---
.../30-test_evp_data/evppkey_rsa_common.txt | 58 +++++++++++++++--
test/recipes/80-test_cms.t | 4 +-
test/recipes/80-test_ssl_old.t | 4 ++
- 8 files changed, 130 insertions(+), 27 deletions(-)
+ 8 files changed, 130 insertions(+), 30 deletions(-)
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
-index 595aed7e07..42085e5ade 100644
+index 31a89133a3..0de750c247 100644
--- a/providers/implementations/signature/dsa_sig.c
+++ b/providers/implementations/signature/dsa_sig.c
-@@ -187,9 +187,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
+@@ -187,10 +187,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
}
#ifdef FIPS_MODULE
{
- int sha1_allowed
- = ((ctx->operation
-- & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0);
+- & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG))
+- == 0);
+ int sha1_allowed = 0;
if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
- OSSL_FIPS_IND_SETTABLE1,
+ OSSL_FIPS_IND_SETTABLE1,
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
-index 88d83275b1..01b3023891 100644
+index 2a4faf4a71..f5c101005f 100644
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
-@@ -214,9 +214,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx,
+@@ -214,10 +214,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx,
#ifdef FIPS_MODULE
{
- int sha1_allowed
- = ((ctx->operation
-- & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0);
+- & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG))
+- == 0);
+ int sha1_allowed = 0;
if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
- OSSL_FIPS_IND_SETTABLE1,
+ OSSL_FIPS_IND_SETTABLE1,
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
-index 664c59d2ef..1e2394eb7d 100644
+index f38431fd60..e90ce3c223 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
-@@ -407,9 +407,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
+@@ -407,10 +407,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
}
#ifdef FIPS_MODULE
{
- int sha1_allowed
- = ((ctx->operation
-- & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG)) == 0);
+- & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_SIGNMSG))
+- == 0);
+ int sha1_allowed = 0;
if (!ossl_fips_ind_digest_sign_check(OSSL_FIPS_IND_GET(ctx),
- OSSL_FIPS_IND_SETTABLE1,
-@@ -1795,11 +1793,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
+ OSSL_FIPS_IND_SETTABLE1,
+@@ -1790,11 +1787,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
if (prsactx->md == NULL && pmdname == NULL
&& pad_mode == RSA_PKCS1_PSS_PADDING) {
@@ -660,7 +663,7 @@ index 972e90f32f..61e2b4e3ac 100644
Availablein = fips
FIPSversion = >=3.4.0
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
-index 92a48a09c6..cf4541449b 100644
+index c278987186..91283c5e74 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -183,7 +183,7 @@ my @smime_pkcs7_tests = (
@@ -704,5 +707,5 @@ index 568a1ddba4..6332aaec4b 100755
SKIP: {
skip "No IPv4 available on this machine", 4
--
-2.51.0
+2.52.0
diff --git a/0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch b/0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch
index d4f500a..44d72df 100644
--- a/0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch
+++ b/0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch
@@ -1,7 +1,7 @@
-From 0e25cdf0be520bcca8e8673e015f938947217d28 Mon Sep 17 00:00:00 2001
+From 80a4d4da42db9711d06953f4dcd6e9f29c001292 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:16 +0100
-Subject: [PATCH 32/59] FIPS: RAND: FIPS-140-3 DRBG - NEEDS REVIEW
+Subject: [PATCH 32/57] FIPS: RAND: FIPS-140-3 DRBG - NEEDS REVIEW
providers/implementations/rands/crngt.c is gone
@@ -14,11 +14,11 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
---
crypto/rand/prov_seed.c | 9 ++-
providers/implementations/rands/drbg.c | 11 ++-
- .../implementations/rands/seeding/rand_unix.c | 68 ++-----------------
- 3 files changed, 22 insertions(+), 66 deletions(-)
+ .../implementations/rands/seeding/rand_unix.c | 70 ++-----------------
+ 3 files changed, 23 insertions(+), 67 deletions(-)
diff --git a/crypto/rand/prov_seed.c b/crypto/rand/prov_seed.c
-index 2985c7f2d8..3202a28226 100644
+index 8466ded8ab..24feab20e5 100644
--- a/crypto/rand/prov_seed.c
+++ b/crypto/rand/prov_seed.c
@@ -23,7 +23,14 @@ size_t ossl_rand_get_entropy(ossl_unused OSSL_LIB_CTX *ctx,
@@ -38,10 +38,10 @@ index 2985c7f2d8..3202a28226 100644
ERR_raise(ERR_LIB_RAND, ERR_R_RAND_LIB);
return 0;
diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c
-index 4925a3b400..1cdb67b22c 100644
+index f9d90d5d43..6b23d55cf5 100644
--- a/providers/implementations/rands/drbg.c
+++ b/providers/implementations/rands/drbg.c
-@@ -559,6 +559,9 @@ static int ossl_prov_drbg_reseed_unlocked(PROV_DRBG *drbg,
+@@ -556,6 +556,9 @@ static int ossl_prov_drbg_reseed_unlocked(PROV_DRBG *drbg,
#endif
}
@@ -50,13 +50,13 @@ index 4925a3b400..1cdb67b22c 100644
+#endif
/* Reseed using our sources in addition */
entropylen = get_entropy(drbg, &entropy, drbg->strength,
- drbg->min_entropylen, drbg->max_entropylen,
-@@ -680,8 +683,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
+ drbg->min_entropylen, drbg->max_entropylen,
+@@ -677,8 +680,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *drbg, unsigned char *out, size_t outlen,
reseed_required = 1;
}
if (drbg->parent != NULL
-- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
-+ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) {
+- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter)
++ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) {
+#ifdef FIPS_MODULE
+ /* Red Hat patches provide chain reseeding when necessary so just sync counters*/
+ drbg->parent_reseed_counter = get_parent_reseed_count(drbg);
@@ -68,19 +68,26 @@ index 4925a3b400..1cdb67b22c 100644
if (reseed_required || prediction_resistance) {
if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL,
diff --git a/providers/implementations/rands/seeding/rand_unix.c b/providers/implementations/rands/seeding/rand_unix.c
-index c3a5d8b3bf..b7b34a9345 100644
+index 80ae817313..1e73a1ec28 100644
--- a/providers/implementations/rands/seeding/rand_unix.c
+++ b/providers/implementations/rands/seeding/rand_unix.c
-@@ -53,6 +53,8 @@
- # include <fcntl.h>
- # include <unistd.h>
- # include <sys/time.h>
-+# include <sys/random.h>
-+# include <openssl/evp.h>
+@@ -47,12 +47,14 @@
+ #endif
+
+ #if (defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_SYS_VXWORKS)) \
+- || defined(__DJGPP__)
++ || defined(__DJGPP__)
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <fcntl.h>
+ #include <unistd.h>
+ #include <sys/time.h>
++#include <sys/random.h>
++#include <openssl/evp.h>
static uint64_t get_time_stamp(void);
-@@ -339,70 +341,8 @@ static ssize_t syscall_random(void *buf, size_t buflen)
+@@ -338,70 +340,8 @@ static ssize_t syscall_random(void *buf, size_t buflen)
* which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion
* between size_t and ssize_t is safe even without a range check.
*/
@@ -97,8 +104,8 @@ index c3a5d8b3bf..b7b34a9345 100644
- * Note: Sometimes getentropy() can be provided but not implemented
- * internally. So we need to check errno for ENOSYS
- */
--# if !defined(__DragonFly__) && !defined(__NetBSD__) && !defined(__FreeBSD__)
--# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
+-#if !defined(__DragonFly__) && !defined(__NetBSD__) && !defined(__FreeBSD__)
+-#if defined(__GNUC__) && __GNUC__ >= 2 && defined(__ELF__) && !defined(__hpux)
- extern int getentropy(void *buffer, size_t length) __attribute__((weak));
-
- if (getentropy != NULL) {
@@ -107,13 +114,13 @@ index c3a5d8b3bf..b7b34a9345 100644
- if (errno != ENOSYS)
- return -1;
- }
--# elif defined(OPENSSL_APPLE_CRYPTO_RANDOM)
+-#elif defined(OPENSSL_APPLE_CRYPTO_RANDOM)
-
- if (CCRandomGenerateBytes(buf, buflen) == kCCSuccess)
-- return (ssize_t)buflen;
+- return (ssize_t)buflen;
-
- return -1;
--# else
+-#else
- union {
- void *p;
- int (*f)(void *buffer, size_t length);
@@ -128,31 +135,31 @@ index c3a5d8b3bf..b7b34a9345 100644
- ERR_pop_to_mark();
- if (p_getentropy.p != NULL)
- return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
--# endif
--# endif /* !__DragonFly__ && !__NetBSD__ && !__FreeBSD__ */
+-#endif
+-#endif /* !__DragonFly__ && !__NetBSD__ && !__FreeBSD__ */
-
- /* Linux supports this since version 3.17 */
--# if defined(__linux) && defined(__NR_getrandom)
+-#if defined(__linux) && defined(__NR_getrandom)
- return syscall(__NR_getrandom, buf, buflen, 0);
--# elif (defined(__DragonFly__) && __DragonFly_version >= 500700) \
-- || (defined(__NetBSD__) && __NetBSD_Version >= 1000000000) \
-- || (defined(__FreeBSD__) && __FreeBSD_version >= 1200061)
+-#elif (defined(__DragonFly__) && __DragonFly_version >= 500700) \
+- || (defined(__NetBSD__) && __NetBSD_Version >= 1000000000) \
+- || (defined(__FreeBSD__) && __FreeBSD_version >= 1200061)
- return getrandom(buf, buflen, 0);
--# elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
+-#elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
- return sysctl_random(buf, buflen);
--# elif defined(__wasi__)
+-#elif defined(__wasi__)
- if (getentropy(buf, buflen) == 0)
-- return (ssize_t)buflen;
+- return (ssize_t)buflen;
- return -1;
--# else
+-#else
- errno = ENOSYS;
- return -1;
--# endif
+-#endif
+ /* Red Hat uses downstream patch to always seed from getrandom() */
+ return EVP_default_properties_is_fips_enabled(NULL) ? getrandom(buf, buflen, GRND_RANDOM) : getrandom(buf, buflen, 0);
}
- # endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
+ #endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
--
-2.51.0
+2.52.0
diff --git a/0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch b/0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch
index d22e38b..853bd50 100644
--- a/0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch
+++ b/0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch
@@ -1,7 +1,7 @@
-From d0cef8f6f866d1fa37fd1d673e25adba210a3ad3 Mon Sep 17 00:00:00 2001
+From 2d385a2615dd7c6f33f824183ec6f65ef2c9327c Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:16 +0100
-Subject: [PATCH 33/59] FIPS: RAND: Forbid truncated hashes & SHA-3
+Subject: [PATCH 33/57] FIPS: RAND: Forbid truncated hashes & SHA-3
Section D.R "Hash Functions Acceptable for Use in the SP 800-90A DRBGs"
of the Implementation Guidance for FIPS 140-3 [1] notes that there is no
@@ -30,12 +30,12 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
3 files changed, 187 insertions(+), 34 deletions(-)
diff --git a/providers/implementations/rands/drbg_hash.c b/providers/implementations/rands/drbg_hash.c
-index 8bb831ae35..cedf5c3894 100644
+index 92eb443c6e..a63b21eade 100644
--- a/providers/implementations/rands/drbg_hash.c
+++ b/providers/implementations/rands/drbg_hash.c
@@ -579,6 +579,18 @@ static int drbg_hash_set_ctx_params_locked(void *vctx, const OSSL_PARAM params[]
if (!ossl_drbg_verify_digest(ctx, libctx, md))
- return 0; /* Error already raised for us */
+ return 0; /* Error already raised for us */
+#ifdef FIPS_MODULE
+ if (!EVP_MD_is_a(md, SN_sha1)
@@ -53,12 +53,12 @@ index 8bb831ae35..cedf5c3894 100644
md_size = EVP_MD_get_size(md);
if (md_size <= 0)
diff --git a/providers/implementations/rands/drbg_hmac.c b/providers/implementations/rands/drbg_hmac.c
-index 43b3f8766e..64b7610cd1 100644
+index ff8a6cd6f0..d041897bb8 100644
--- a/providers/implementations/rands/drbg_hmac.c
+++ b/providers/implementations/rands/drbg_hmac.c
-@@ -505,6 +505,18 @@ static int drbg_hmac_set_ctx_params_locked(void *vctx, const OSSL_PARAM params[]
+@@ -522,6 +522,18 @@ static int drbg_hmac_set_ctx_params_locked(void *vctx, const OSSL_PARAM params[]
if (md != NULL && !ossl_drbg_verify_digest(ctx, libctx, md))
- return 0; /* Error already raised for us */
+ return 0; /* Error already raised for us */
+#ifdef FIPS_MODULE
+ if (!EVP_MD_is_a(md, SN_sha1)
@@ -1191,5 +1191,5 @@ index 9756859c0e..9baecf6f31 100644
+#Nonce.0 = 15e32abbae6b7433
+#Output.0 = ee9f
--
-2.51.0
+2.52.0
diff --git a/0034-FIPS-PBKDF2-Set-minimum-password-length.patch b/0034-FIPS-PBKDF2-Set-minimum-password-length.patch
index 10999a6..36c7b19 100644
--- a/0034-FIPS-PBKDF2-Set-minimum-password-length.patch
+++ b/0034-FIPS-PBKDF2-Set-minimum-password-length.patch
@@ -1,7 +1,7 @@
-From c72f83a3c8f66e7d6848bf8b67b66fecb9aefe6f Mon Sep 17 00:00:00 2001
+From 0be17f1220667a7c7758e10dead4be80d521b3fc Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
-Subject: [PATCH 34/59] FIPS: PBKDF2: Set minimum password length
+Subject: [PATCH 34/57] FIPS: PBKDF2: Set minimum password length
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -30,13 +30,13 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
1 file changed, 33 insertions(+), 6 deletions(-)
diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
-index b383314064..68f9355b7d 100644
+index 581c8f8799..cc15db4c73 100644
--- a/providers/implementations/kdfs/pbkdf2.c
+++ b/providers/implementations/kdfs/pbkdf2.c
@@ -36,6 +36,21 @@
#define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF
#define KDF_PBKDF2_MIN_ITERATIONS 1000
- #define KDF_PBKDF2_MIN_SALT_LEN (128 / 8)
+ #define KDF_PBKDF2_MIN_SALT_LEN (128 / 8)
+/* The Implementation Guidance for FIPS 140-3 says in section D.N
+ * "Password-Based Key Derivation for Storage Applications" that "the vendor
+ * shall document in the module’s Security Policy the length of
@@ -59,10 +59,10 @@ index b383314064..68f9355b7d 100644
}
static int pbkdf2_lower_bound_check_passed(int saltlen, uint64_t iter,
-- size_t keylen, int *error,
-- const char **desc)
-+ size_t keylen, size_t passlen,
-+ int *error, const char **desc)
+- size_t keylen, int *error,
+- const char **desc)
++ size_t keylen, size_t passlen,
++ int *error, const char **desc)
{
if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) {
*error = PROV_R_KEY_SIZE_TOO_SMALL;
@@ -84,9 +84,9 @@ index b383314064..68f9355b7d 100644
int error = 0;
const char *desc = NULL;
int approved = pbkdf2_lower_bound_check_passed(ctx->salt_len, ctx->iter,
-- keylen, &error, &desc);
-+ keylen, ctx->pass_len,
-+ &error, &desc);
+- keylen, &error, &desc);
++ keylen, ctx->pass_len,
++ &error, &desc);
if (!approved) {
if (!OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, libctx,
@@ -111,11 +111,11 @@ index b383314064..68f9355b7d 100644
if (lower_bound_checks) {
int error = 0;
int passed = pbkdf2_lower_bound_check_passed(saltlen, iter, keylen,
-- &error, NULL);
-+ passlen, &error, NULL);
+- &error, NULL);
++ passlen, &error, NULL);
if (!passed) {
ERR_raise(ERR_LIB_PROV, error);
--
-2.51.0
+2.52.0
diff --git a/0035-FIPS-DH-PCT.patch b/0035-FIPS-DH-PCT.patch
index 52883a6..f8724b4 100644
--- a/0035-FIPS-DH-PCT.patch
+++ b/0035-FIPS-DH-PCT.patch
@@ -1,7 +1,7 @@
-From d982e6a817871b174732027eed8b750aa9f8ae4b Mon Sep 17 00:00:00 2001
+From a1ee967fae9cb6f4a06d4ffbcd62c6efd9ac05f0 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 24 Mar 2025 10:49:00 -0400
-Subject: [PATCH 35/59] FIPS: DH: PCT
+Subject: [PATCH 35/57] FIPS: DH: PCT
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -9,7 +9,7 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
1 file changed, 26 insertions(+)
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
-index 052d4d29ed..ace02bb0db 100644
+index 2d9f7a8100..ae47dc2cd9 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
@@ -46,7 +46,7 @@ index 052d4d29ed..ace02bb0db 100644
if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
-@@ -371,8 +384,21 @@ static int generate_key(DH *dh)
+@@ -370,8 +383,21 @@ static int generate_key(DH *dh)
if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key))
goto err;
@@ -67,7 +67,7 @@ index 052d4d29ed..ace02bb0db 100644
+
dh->dirty_cnt++;
ok = 1;
- err:
+ err:
--
-2.51.0
+2.52.0
diff --git a/0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch b/0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch
index 8cc3a3d..a5d6f55 100644
--- a/0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch
+++ b/0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch
@@ -1,7 +1,7 @@
-From 3f8b36370630e57ad848be5d804df4169d6a35a2 Mon Sep 17 00:00:00 2001
+From a7ddcb6ceef64c92b5c21389900477bc3a38f46d Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
-Subject: [PATCH 36/59] FIPS: DH: Disable FIPS 186-4 type parameters
+Subject: [PATCH 36/57] FIPS: DH: Disable FIPS 186-4 type parameters
For DH parameter and key pair generation/verification, the DSA
procedures specified in FIPS 186-4 are used. With the release of FIPS
@@ -29,17 +29,17 @@ NOTE: Dropped changes in test/recipes/80-test_cms.t
crypto/dh/dh_check.c | 12 ++--
crypto/dh/dh_gen.c | 12 +++-
crypto/dh/dh_key.c | 13 ++--
- crypto/dh/dh_pmeth.c | 10 +++-
+ crypto/dh/dh_pmeth.c | 16 +++--
providers/implementations/keymgmt/dh_kmgmt.c | 5 ++
test/endecode_test.c | 4 +-
test/evp_libctx_test.c | 2 +-
test/helpers/predefined_dhparams.c | 62 ++++++++++++++++++++
test/helpers/predefined_dhparams.h | 1 +
test/recipes/80-test_ssl_old.t | 3 +
- 11 files changed, 116 insertions(+), 18 deletions(-)
+ 11 files changed, 119 insertions(+), 21 deletions(-)
diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c
-index 1aaa88daca..aa3a491799 100644
+index f68429862c..00b229a295 100644
--- a/crypto/dh/dh_backend.c
+++ b/crypto/dh/dh_backend.c
@@ -47,6 +47,16 @@ int ossl_dh_params_fromdata(DH *dh, const OSSL_PARAM params[])
@@ -56,11 +56,11 @@ index 1aaa88daca..aa3a491799 100644
+ }
+#endif
+
- param_priv_len =
- OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_PRIV_LEN);
+ param_priv_len = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_PRIV_LEN);
if (param_priv_len != NULL
+ && (!OSSL_PARAM_get_long(param_priv_len, &priv_len)
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
-index 2d899dc96f..a4e6d1dd18 100644
+index 3002609b68..2aabdd2908 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -58,13 +58,15 @@ int DH_check_params(const DH *dh, int *ret)
@@ -75,7 +75,7 @@ index 2d899dc96f..a4e6d1dd18 100644
+ * FIPS 186-4 explicit domain parameters are no longer supported in FIPS mode.
*/
- return ossl_ffc_params_FIPS186_4_validate(dh->libctx, &dh->params,
-- FFC_PARAM_TYPE_DH, ret, NULL);
+- FFC_PARAM_TYPE_DH, ret, NULL);
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
+ "FIPS 186-4 type domain parameters no longer allowed in"
+ " FIPS mode, since the required validation routines were"
@@ -85,12 +85,12 @@ index 2d899dc96f..a4e6d1dd18 100644
#else
int DH_check_params(const DH *dh, int *ret)
diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c
-index b73bfb7f3b..275ce2c1af 100644
+index 094b6e70c7..d0c1fc5367 100644
--- a/crypto/dh/dh_gen.c
+++ b/crypto/dh/dh_gen.c
@@ -39,18 +39,26 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
int ossl_dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits,
- BN_GENCB *cb)
+ BN_GENCB *cb)
{
- int ret, res;
+ int ret = 0;
@@ -100,13 +100,13 @@ index b73bfb7f3b..275ce2c1af 100644
+
if (type == DH_PARAMGEN_TYPE_FIPS_186_2)
ret = ossl_ffc_params_FIPS186_2_generate(dh->libctx, &dh->params,
- FFC_PARAM_TYPE_DH,
- pbits, qbits, &res, cb);
+ FFC_PARAM_TYPE_DH,
+ pbits, qbits, &res, cb);
else
-#endif
ret = ossl_ffc_params_FIPS186_4_generate(dh->libctx, &dh->params,
- FFC_PARAM_TYPE_DH,
- pbits, qbits, &res, cb);
+ FFC_PARAM_TYPE_DH,
+ pbits, qbits, &res, cb);
+#else
+ /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
@@ -118,10 +118,10 @@ index b73bfb7f3b..275ce2c1af 100644
dh->dirty_cnt++;
return ret;
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
-index ace02bb0db..f505f2fa87 100644
+index ae47dc2cd9..4ddc1b83c7 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
-@@ -336,8 +336,12 @@ static int generate_key(DH *dh)
+@@ -335,8 +335,12 @@ static int generate_key(DH *dh)
goto err;
} else {
#ifdef FIPS_MODULE
@@ -136,7 +136,7 @@ index ace02bb0db..f505f2fa87 100644
#else
if (dh->params.q == NULL) {
/* secret exponent length, must satisfy 2^l < (p-1)/2 */
-@@ -360,9 +364,7 @@ static int generate_key(DH *dh)
+@@ -359,9 +363,7 @@ static int generate_key(DH *dh)
if (!BN_clear_bit(priv_key, 0))
goto err;
}
@@ -146,9 +146,9 @@ index ace02bb0db..f505f2fa87 100644
+ } else {
/* Do a partial check for invalid p, q, g */
if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params,
- FFC_PARAM_TYPE_DH, NULL))
-@@ -378,6 +380,7 @@ static int generate_key(DH *dh)
- priv_key))
+ FFC_PARAM_TYPE_DH, NULL))
+@@ -377,6 +379,7 @@ static int generate_key(DH *dh)
+ priv_key))
goto err;
}
+#endif
@@ -156,35 +156,38 @@ index ace02bb0db..f505f2fa87 100644
}
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
-index 74bef9370d..c2c910b9c8 100644
+index dd36dce281..21ac48c1de 100644
--- a/crypto/dh/dh_pmeth.c
+++ b/crypto/dh/dh_pmeth.c
-@@ -303,13 +303,17 @@ static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx,
- prime_len, subprime_len, &res,
- pcb);
+@@ -301,13 +301,17 @@ static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx,
+ prime_len, subprime_len, &res,
+ pcb);
else
--# endif
-- /* For FIPS we always use the DH_PARAMGEN_TYPE_FIPS_186_4 generator */
-- if (dctx->paramgen_type >= DH_PARAMGEN_TYPE_FIPS_186_2)
- rv = ossl_ffc_params_FIPS186_4_generate(libctx, &ret->params,
- FFC_PARAM_TYPE_DH,
- prime_len, subprime_len, &res,
- pcb);
-+# else
++ rv = ossl_ffc_params_FIPS186_4_generate(libctx, &ret->params,
++ FFC_PARAM_TYPE_DH,
++ prime_len, subprime_len, &res,
++ pcb);
++#else
+ /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */
+ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS,
+ "FIPS 186-4 type domain parameters no longer allowed in"
+ " FIPS mode, since the required generation routines were"
+ " removed from FIPS 186-5");
-+# endif
+ #endif
+- /* For FIPS we always use the DH_PARAMGEN_TYPE_FIPS_186_4 generator */
+- if (dctx->paramgen_type >= DH_PARAMGEN_TYPE_FIPS_186_2)
+- rv = ossl_ffc_params_FIPS186_4_generate(libctx, &ret->params,
+- FFC_PARAM_TYPE_DH,
+- prime_len, subprime_len, &res,
+- pcb);
if (rv <= 0) {
DH_free(ret);
return NULL;
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
-index 0e9e837383..f1eabf071a 100644
+index 8a1afe7907..759ab77e1b 100644
--- a/providers/implementations/keymgmt/dh_kmgmt.c
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
-@@ -422,6 +422,11 @@ static int dh_validate(const void *keydata, int selection, int checktype)
+@@ -420,6 +420,11 @@ static int dh_validate(const void *keydata, int selection, int checktype)
if ((selection & DH_POSSIBLE_SELECTIONS) == 0)
return 1; /* nothing to validate */
@@ -197,7 +200,7 @@ index 0e9e837383..f1eabf071a 100644
/*
* Both of these functions check parameters. DH_check_params_ex()
diff --git a/test/endecode_test.c b/test/endecode_test.c
-index 85c84f6592..d2ff9e6eb6 100644
+index c3b55af3e7..b15bab217e 100644
--- a/test/endecode_test.c
+++ b/test/endecode_test.c
@@ -85,10 +85,10 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams)
@@ -210,11 +213,11 @@ index 85c84f6592..d2ff9e6eb6 100644
if (strcmp(type, "X9.42 DH") == 0)
- return get_dhx512(keyctx);
+ return get_dhx_ffdhe2048(keyctx);
- # endif
+ #endif
/*
diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
-index 039fca9bb0..2838f343bd 100644
+index 3786c567a7..773210fadb 100644
--- a/test/evp_libctx_test.c
+++ b/test/evp_libctx_test.c
@@ -222,7 +222,7 @@ static int do_dh_param_keygen(int tstid, const BIGNUM **bn)
@@ -227,11 +230,11 @@ index 039fca9bb0..2838f343bd 100644
if (expected) {
diff --git a/test/helpers/predefined_dhparams.c b/test/helpers/predefined_dhparams.c
-index 4bdadc4143..e5186e4b4a 100644
+index 28070efdb6..4baeb673f3 100644
--- a/test/helpers/predefined_dhparams.c
+++ b/test/helpers/predefined_dhparams.c
-@@ -116,6 +116,68 @@ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx)
- dhx512_q, sizeof(dhx512_q));
+@@ -311,6 +311,68 @@ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx)
+ dhx512_q, sizeof(dhx512_q));
}
+EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx)
@@ -326,5 +329,5 @@ index 6332aaec4b..4d8c900c00 100755
'test sslv2/sslv3 with 1024bit DHE via BIO pair');
}
--
-2.51.0
+2.52.0
diff --git a/0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch b/0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch
index 74486aa..15ec4f4 100644
--- a/0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch
+++ b/0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch
@@ -1,7 +1,7 @@
-From 9c9716b7a631ef8e3087a3ddec967b18d5c46a1f Mon Sep 17 00:00:00 2001
+From 0f4b67897d87b6cb1bd1f65ca2aafbce1c3c6872 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 6 Mar 2024 19:17:17 +0100
-Subject: [PATCH 37/59] FIPS: TLS: Enforce EMS in TLS 1.2 - NOTE
+Subject: [PATCH 37/57] FIPS: TLS: Enforce EMS in TLS 1.2 - NOTE
NOTE: Enforcement of EMS in non-FIPS mode has been dropped due to code
change the option to enforce it seem to be available only in FIPS build
@@ -19,16 +19,16 @@ From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce
providers/fips/include/fips_indicator_params.inc | 2 +-
ssl/ssl_conf.c | 1 +
ssl/statem/extensions_srvr.c | 8 +++++++-
- ssl/t1_enc.c | 11 +++++++++--
+ ssl/t1_enc.c | 13 ++++++++++---
test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt | 10 ++++++++++
test/sslapitest.c | 2 +-
- 9 files changed, 46 insertions(+), 5 deletions(-)
+ 9 files changed, 47 insertions(+), 6 deletions(-)
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
-index 9338ffc01d..911ea21a68 100644
+index 3e2de6e66b..ad9a2dc8bf 100644
--- a/doc/man3/SSL_CONF_cmd.pod
+++ b/doc/man3/SSL_CONF_cmd.pod
-@@ -621,6 +621,9 @@ B<ExtendedMasterSecret>: use extended master secret extension, enabled by
+@@ -626,6 +626,9 @@ B<ExtendedMasterSecret>: use extended master secret extension, enabled by
default. Inverse of B<SSL_OP_NO_EXTENDED_MASTER_SECRET>: that is,
B<-ExtendedMasterSecret> is the same as setting B<SSL_OP_NO_EXTENDED_MASTER_SECRET>.
@@ -63,17 +63,17 @@ index 2505938c13..3887c54f0e 100644
Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
-index d1b00e8454..b815f25dae 100644
+index 82410670f4..1026a9b7b0 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
-@@ -417,6 +417,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
- * interoperability with CryptoPro CSP 3.x
- */
- # define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31)
-+# define SSL_OP_RH_PERMIT_NOEMS_FIPS SSL_OP_BIT(48)
+@@ -432,6 +432,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
+ #define SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE SSL_OP_BIT(34)
+
+ #define SSL_OP_PREFER_NO_DHE_KEX SSL_OP_BIT(35)
++#define SSL_OP_RH_PERMIT_NOEMS_FIPS SSL_OP_BIT(48)
+
/*
- * Disable RFC8879 certificate compression
- * SSL_OP_NO_TX_CERTIFICATE_COMPRESSION: don't send compressed certificates,
+ * Option "collections."
diff --git a/providers/fips/include/fips_indicator_params.inc b/providers/fips/include/fips_indicator_params.inc
index c1b029de86..47d1cf2d01 100644
--- a/providers/fips/include/fips_indicator_params.inc
@@ -86,19 +86,19 @@ index c1b029de86..47d1cf2d01 100644
OSSL_FIPS_PARAM(hmac_key_check, HMAC_KEY_CHECK, 0)
OSSL_FIPS_PARAM(kmac_key_check, KMAC_KEY_CHECK, 0)
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
-index 946d20be52..b52c1675fd 100644
+index 0d93593880..4361edfa49 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
-@@ -394,6 +394,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
+@@ -392,6 +392,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
SSL_FLAG_TBL("ClientRenegotiation",
- SSL_OP_ALLOW_CLIENT_RENEGOTIATION),
+ SSL_OP_ALLOW_CLIENT_RENEGOTIATION),
SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),
+ SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", SSL_OP_RH_PERMIT_NOEMS_FIPS),
SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION),
SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX),
SSL_FLAG_TBL("PreferNoDHEKEX", SSL_OP_PREFER_NO_DHE_KEX),
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
-index 1a09913ad6..936be81819 100644
+index cdb914daed..1bcc0fd902 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -12,6 +12,7 @@
@@ -107,11 +107,11 @@ index 1a09913ad6..936be81819 100644
#include "internal/ssl_unwrap.h"
+#include <openssl/fips.h>
- #define COOKIE_STATE_FORMAT_VERSION 1
+ #define COOKIE_STATE_FORMAT_VERSION 1
-@@ -1886,8 +1887,13 @@ EXT_RETURN tls_construct_stoc_ems(SSL_CONNECTION *s, WPACKET *pkt,
- unsigned int context,
- X509 *x, size_t chainidx)
+@@ -1889,8 +1890,13 @@ EXT_RETURN tls_construct_stoc_ems(SSL_CONNECTION *s, WPACKET *pkt,
+ unsigned int context,
+ X509 *x, size_t chainidx)
{
- if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
+ if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) {
@@ -123,9 +123,9 @@ index 1a09913ad6..936be81819 100644
+ }
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
- || !WPACKET_put_bytes_u16(pkt, 0)) {
+ || !WPACKET_put_bytes_u16(pkt, 0)) {
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
-index 474ea7bf5b..e0e595e989 100644
+index 8978e0c630..85d9df0da6 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -21,6 +21,7 @@
@@ -136,12 +136,14 @@ index 474ea7bf5b..e0e595e989 100644
/* seed1 through seed5 are concatenated */
static int tls1_PRF(SSL_CONNECTION *s,
-@@ -78,8 +79,14 @@ static int tls1_PRF(SSL_CONNECTION *s,
+@@ -77,9 +78,15 @@ static int tls1_PRF(SSL_CONNECTION *s,
+ return 1;
}
- err:
+-err:
- if (fatal)
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++ err:
+ if (fatal) {
+ /* The calls to this function are local so it's safe to implement the check */
+ if (FIPS_mode() && seed1_len >= TLS_MD_MASTER_SECRET_CONST_SIZE
@@ -175,10 +177,10 @@ index 50944328cb..edb2e81273 100644
KDF = TLS1-PRF
Ctrl.digest = digest:SHA256
diff --git a/test/sslapitest.c b/test/sslapitest.c
-index 05c5ab256f..4373bc2865 100644
+index a94061d974..92a33f05db 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
-@@ -585,7 +585,7 @@ static int test_client_cert_verify_cb(void)
+@@ -582,7 +582,7 @@ static int test_client_cert_verify_cb(void)
STACK_OF(X509) *server_chain;
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
@@ -186,7 +188,7 @@ index 05c5ab256f..4373bc2865 100644
+ int testresult = 0, status;
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
- TLS_client_method(), TLS1_VERSION, 0,
+ TLS_client_method(), TLS1_VERSION, 0,
--
-2.51.0
+2.52.0
diff --git a/0038-FIPS-CMS-Set-default-padding-to-OAEP.patch b/0038-FIPS-CMS-Set-default-padding-to-OAEP.patch
index 7c7f947..1153832 100644
--- a/0038-FIPS-CMS-Set-default-padding-to-OAEP.patch
+++ b/0038-FIPS-CMS-Set-default-padding-to-OAEP.patch
@@ -1,7 +1,7 @@
-From 12f5ab8b6d98cf8f2db35bebc48140b61a66fb35 Mon Sep 17 00:00:00 2001
+From c91c7412ab54f8db8cac437e7308a9042c7a4732 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 13 Feb 2025 18:08:34 -0500
-Subject: [PATCH 38/59] FIPS: CMS: Set default padding to OAEP
+Subject: [PATCH 38/57] FIPS: CMS: Set default padding to OAEP
From-dist-git-commit: d508cbed930481c1960d6a6bc1e1a9593252dbbe
---
@@ -10,7 +10,7 @@ From-dist-git-commit: d508cbed930481c1960d6a6bc1e1a9593252dbbe
2 files changed, 11 insertions(+)
diff --git a/apps/cms.c b/apps/cms.c
-index 6f19414880..4019d7373e 100644
+index 214eea5bcb..c1fc70ef12 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -20,6 +20,7 @@
@@ -22,7 +22,7 @@ index 6f19414880..4019d7373e 100644
static int save_certs(char *signerfile, STACK_OF(X509) *signers);
static int cms_cb(int ok, X509_STORE_CTX *ctx);
diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c
-index 375239c78d..e09ad03ece 100644
+index 0828d157fa..e1200a37d4 100644
--- a/crypto/cms/cms_env.c
+++ b/crypto/cms/cms_env.c
@@ -14,6 +14,7 @@
@@ -33,7 +33,7 @@ index 375239c78d..e09ad03ece 100644
#include "internal/sizes.h"
#include "crypto/asn1.h"
#include "crypto/evp.h"
-@@ -375,6 +376,10 @@ static int cms_RecipientInfo_ktri_init(CMS_RecipientInfo *ri, X509 *recip,
+@@ -372,6 +373,10 @@ static int cms_RecipientInfo_ktri_init(CMS_RecipientInfo *ri, X509 *recip,
return 0;
if (EVP_PKEY_encrypt_init(ktri->pctx) <= 0)
return 0;
@@ -44,7 +44,7 @@ index 375239c78d..e09ad03ece 100644
} else if (!ossl_cms_env_asn1_ctrl(ri, 0))
return 0;
return 1;
-@@ -540,6 +545,11 @@ static int cms_RecipientInfo_ktri_encrypt(const CMS_ContentInfo *cms,
+@@ -535,6 +540,11 @@ static int cms_RecipientInfo_ktri_encrypt(const CMS_ContentInfo *cms,
if (EVP_PKEY_encrypt_init(pctx) <= 0)
goto err;
@@ -57,5 +57,5 @@ index 375239c78d..e09ad03ece 100644
if (EVP_PKEY_encrypt(pctx, NULL, &eklen, ec->key, ec->keylen) <= 0)
--
-2.51.0
+2.52.0
diff --git a/0039-FIPS-PKCS12-PBMAC1-defaults.patch b/0039-FIPS-PKCS12-PBMAC1-defaults.patch
index c314b99..2609c2f 100644
--- a/0039-FIPS-PKCS12-PBMAC1-defaults.patch
+++ b/0039-FIPS-PKCS12-PBMAC1-defaults.patch
@@ -1,7 +1,7 @@
-From c791ad4131fb11dc96013abc8e247cbbec5ba8ee Mon Sep 17 00:00:00 2001
+From 51fc5ce32bfe0fbe018934fa88252efe9073c649 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 13 Feb 2025 18:16:29 -0500
-Subject: [PATCH 39/59] FIPS: PKCS12: PBMAC1 defaults
+Subject: [PATCH 39/57] FIPS: PKCS12: PBMAC1 defaults
From-dist-git-commit: 8fc2d4842385584094d57f6f66fcbc2a07865708
---
@@ -9,7 +9,7 @@ From-dist-git-commit: 8fc2d4842385584094d57f6f66fcbc2a07865708
1 file changed, 4 insertions(+)
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
-index 9964faf21a..59439a8cc0 100644
+index 2c83e43845..20aad27c59 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -17,6 +17,7 @@
@@ -20,7 +20,7 @@ index 9964faf21a..59439a8cc0 100644
#include <openssl/pem.h>
#include <openssl/pkcs12.h>
#include <openssl/provider.h>
-@@ -709,6 +710,9 @@ int pkcs12_main(int argc, char **argv)
+@@ -746,6 +747,9 @@ int pkcs12_main(int argc, char **argv)
}
if (maciter != -1) {
@@ -29,7 +29,7 @@ index 9964faf21a..59439a8cc0 100644
+
if (pbmac1_pbkdf2 == 1) {
if (!PKCS12_set_pbmac1_pbkdf2(p12, mpass, -1, NULL,
- macsaltlen, maciter,
+ macsaltlen, maciter,
--
-2.51.0
+2.52.0
diff --git a/0040-FIPS-Fix-encoder-decoder-negative-test.patch b/0040-FIPS-Fix-encoder-decoder-negative-test.patch
index b78e101..2eb94f5 100644
--- a/0040-FIPS-Fix-encoder-decoder-negative-test.patch
+++ b/0040-FIPS-Fix-encoder-decoder-negative-test.patch
@@ -1,7 +1,7 @@
-From 4691661243060cc6ad88902f422f058c547264f6 Mon Sep 17 00:00:00 2001
+From 7b7ade7e1ee2f6b10b34bf7f9e7a0165474f5860 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 5 Mar 2025 13:22:03 -0500
-Subject: [PATCH 40/59] FIPS: Fix encoder/decoder negative test
+Subject: [PATCH 40/57] FIPS: Fix encoder/decoder negative test
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -31,5 +31,5 @@ index 2acc980e90..660d4e1115
my $conf2 = srctop_file("test", "default-and-fips.cnf");
ok(run(test(['decoder_propq_test', '-config', $conf2,
--
-2.51.0
+2.52.0
diff --git a/0041-FIPS-EC-DH-DSA-PCTs.patch b/0041-FIPS-EC-DH-DSA-PCTs.patch
index 3f59c44..84dec4d 100644
--- a/0041-FIPS-EC-DH-DSA-PCTs.patch
+++ b/0041-FIPS-EC-DH-DSA-PCTs.patch
@@ -1,7 +1,7 @@
-From 12871a0a0aaae3ce0dcae0b14a52283b3a4a4808 Mon Sep 17 00:00:00 2001
+From 17caabce423bbcfe0501ebaa11c2d4a8379aca92 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 24 Mar 2025 10:50:06 -0400
-Subject: [PATCH 41/59] FIPS: EC: DH/DSA PCTs
+Subject: [PATCH 41/57] FIPS: EC: DH/DSA PCTs
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -11,10 +11,10 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
3 files changed, 75 insertions(+), 5 deletions(-)
diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c
-index 58fbc7bc09..98d4354f3e 100644
+index 43f3515878..0d35fc1590 100644
--- a/providers/implementations/exchange/ecdh_exch.c
+++ b/providers/implementations/exchange/ecdh_exch.c
-@@ -560,6 +560,25 @@ int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret,
+@@ -546,6 +546,25 @@ static ossl_inline int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret,
#endif
ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk);
@@ -41,10 +41,10 @@ index 58fbc7bc09..98d4354f3e 100644
retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL);
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
-index a1d04bc3fd..c9a5b19cfc 100644
+index 305dc3a6b8..04e604c453 100644
--- a/providers/implementations/keymgmt/ec_kmgmt.c
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
-@@ -995,9 +995,18 @@ struct ec_gen_ctx {
+@@ -963,9 +963,18 @@ struct ec_gen_ctx {
EC_GROUP *gen_group;
unsigned char *dhkem_ikm;
size_t dhkem_ikmlen;
@@ -61,9 +61,9 @@ index a1d04bc3fd..c9a5b19cfc 100644
+#endif
+
static void *ec_gen_init(void *provctx, int selection,
- const OSSL_PARAM params[])
+ const OSSL_PARAM params[])
{
-@@ -1017,6 +1026,10 @@ static void *ec_gen_init(void *provctx, int selection,
+@@ -985,6 +994,10 @@ static void *ec_gen_init(void *provctx, int selection,
gctx = NULL;
}
}
@@ -74,7 +74,7 @@ index a1d04bc3fd..c9a5b19cfc 100644
return gctx;
}
-@@ -1328,6 +1341,12 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
+@@ -1295,6 +1308,12 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
if (gctx->ecdh_mode != -1)
ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode);
@@ -86,8 +86,8 @@ index a1d04bc3fd..c9a5b19cfc 100644
+#endif
if (gctx->group_check != NULL)
- ret = ret && ossl_ec_set_check_group_type_from_name(ec,
-@@ -1413,7 +1432,10 @@ static void ec_gen_cleanup(void *genctx)
+ ret = ret && ossl_ec_set_check_group_type_from_name(ec, gctx->group_check);
+@@ -1379,7 +1398,10 @@ static void ec_gen_cleanup(void *genctx)
if (gctx == NULL)
return;
@@ -100,7 +100,7 @@ index a1d04bc3fd..c9a5b19cfc 100644
EC_GROUP_free(gctx->gen_group);
BN_free(gctx->p);
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
-index 01b3023891..ad595d531c 100644
+index f5c101005f..b1576977f7 100644
--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
@@ -33,7 +33,7 @@
@@ -130,7 +130,7 @@ index 01b3023891..ad595d531c 100644
{
PROV_ECDSA_CTX *ctx;
-@@ -612,7 +612,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig,
+@@ -610,7 +610,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig,
return ok;
}
@@ -139,7 +139,7 @@ index 01b3023891..ad595d531c 100644
{
PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
-@@ -861,6 +861,35 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx)
+@@ -854,6 +854,35 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx)
return EVP_MD_settable_ctx_params(ctx->md);
}
@@ -176,5 +176,5 @@ index 01b3023891..ad595d531c 100644
{ OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx },
{ OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init },
--
-2.51.0
+2.52.0
diff --git a/0042-FIPS-EC-disable-weak-curves.patch b/0042-FIPS-EC-disable-weak-curves.patch
index 2592900..763df95 100644
--- a/0042-FIPS-EC-disable-weak-curves.patch
+++ b/0042-FIPS-EC-disable-weak-curves.patch
@@ -1,7 +1,7 @@
-From 134cd6169b6dcbc1e395a38d7e5af0f9691e772b Mon Sep 17 00:00:00 2001
+From 2cda3e9adf5534d6be689cff5eeb81459061f52b Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:06:36 -0500
-Subject: [PATCH 42/59] FIPS: EC: disable weak curves
+Subject: [PATCH 42/57] FIPS: EC: disable weak curves
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -9,10 +9,10 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
1 file changed, 7 insertions(+)
diff --git a/apps/ecparam.c b/apps/ecparam.c
-index f0879dfb11..a6042e7d2a 100644
+index 017dc7568d..596c31a925 100644
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
-@@ -77,6 +77,13 @@ static int list_builtin_curves(BIO *out)
+@@ -90,6 +90,13 @@ static int list_builtin_curves(BIO *out)
const char *comment = curves[n].comment;
const char *sname = OBJ_nid2sn(curves[n].nid);
@@ -27,5 +27,5 @@ index f0879dfb11..a6042e7d2a 100644
comment = "CURVE DESCRIPTION NOT AVAILABLE";
if (sname == NULL)
--
-2.51.0
+2.52.0
diff --git a/0043-FIPS-NO-DSA-Support.patch b/0043-FIPS-NO-DSA-Support.patch
index b71ea9c..a7a1ffa 100644
--- a/0043-FIPS-NO-DSA-Support.patch
+++ b/0043-FIPS-NO-DSA-Support.patch
@@ -1,7 +1,7 @@
-From 5679937e93d2f072cf4f56b27dc6bcce251f6def Mon Sep 17 00:00:00 2001
+From 9fca36a6c0712f3c11e6ba942e99039b17fc75b0 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:10:52 -0500
-Subject: [PATCH 43/59] FIPS: NO DSA Support
+Subject: [PATCH 43/57] FIPS: NO DSA Support
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -18,10 +18,10 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
mode change 100644 => 100755 test/recipes/30-test_evp.t
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
-index e5d798fd54..a807c76fd8 100644
+index 0f006301d7..f8f2822300 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
-@@ -432,7 +432,8 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
+@@ -431,7 +431,8 @@ static const OSSL_ALGORITHM fips_keyexch[] = {
};
static const OSSL_ALGORITHM fips_signature[] = {
@@ -31,18 +31,18 @@ index e5d798fd54..a807c76fd8 100644
{ PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
{ PROV_NAMES_DSA_SHA1, FIPS_DEFAULT_PROPERTIES, ossl_dsa_sha1_signature_functions },
{ PROV_NAMES_DSA_SHA224, FIPS_DEFAULT_PROPERTIES, ossl_dsa_sha224_signature_functions },
-@@ -562,8 +563,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
- PROV_DESCS_DHX },
+@@ -559,8 +560,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
+ PROV_DESCS_DHX },
#endif
#ifndef OPENSSL_NO_DSA
- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
-- PROV_DESCS_DSA },
+- PROV_DESCS_DSA },
+ /* We don't certify DSA in our FIPS provider */
+ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
-+ PROV_DESCS_DSA }, */
++ PROV_DESCS_DSA }, */
#endif
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions,
- PROV_DESCS_RSA },
+ PROV_DESCS_RSA },
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
index 6abab0a7a1..a7d7684d96 100644
--- a/providers/fips/self_test_data.inc
@@ -83,18 +83,18 @@ index 6abab0a7a1..a7d7684d96 100644
#ifndef OPENSSL_NO_ML_DSA
{
diff --git a/test/acvp_test.c b/test/acvp_test.c
-index 2bcc886fd2..db0282d043 100644
+index 15c87c57a7..e3321874c2 100644
--- a/test/acvp_test.c
+++ b/test/acvp_test.c
-@@ -1735,6 +1735,7 @@ int setup_tests(void)
- OSSL_NELEM(dh_safe_prime_keyver_data));
+@@ -1749,6 +1749,7 @@ int setup_tests(void)
+ OSSL_NELEM(dh_safe_prime_keyver_data));
#endif /* OPENSSL_NO_DH */
+#if 0 /* Red Hat FIPS provider doesn't have fips=yes property on DSA */
#ifndef OPENSSL_NO_DSA
dsasign_allowed = fips_provider_version_lt(libctx, 3, 4, 0);
ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data));
-@@ -1743,6 +1744,7 @@ int setup_tests(void)
+@@ -1757,6 +1758,7 @@ int setup_tests(void)
ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data));
ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data));
#endif /* OPENSSL_NO_DSA */
@@ -103,10 +103,10 @@ index 2bcc886fd2..db0282d043 100644
#ifndef OPENSSL_NO_EC
ec_cofactors = fips_provider_version_ge(libctx, 3, 4, 0);
diff --git a/test/endecode_test.c b/test/endecode_test.c
-index d2ff9e6eb6..dfd5e92f7e 100644
+index b15bab217e..acfb5ef36d 100644
--- a/test/endecode_test.c
+++ b/test/endecode_test.c
-@@ -1536,6 +1536,7 @@ int setup_tests(void)
+@@ -1549,6 +1549,7 @@ int setup_tests(void)
* so no legacy tests.
*/
#endif
@@ -114,9 +114,9 @@ index d2ff9e6eb6..dfd5e92f7e 100644
#ifndef OPENSSL_NO_DSA
ADD_TEST_SUITE(DSA);
ADD_TEST_SUITE_PARAMS(DSA);
-@@ -1546,6 +1547,7 @@ int setup_tests(void)
+@@ -1559,6 +1560,7 @@ int setup_tests(void)
ADD_TEST_SUITE_PROTECTED_PVK(DSA);
- # endif
+ #endif
#endif
+ }
#ifndef OPENSSL_NO_EC
@@ -302,7 +302,7 @@ index 5e5315a5b9..660d1db149 100644
Key = DSA-2048-160
Input = "Hello"
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
-index cf4541449b..7350baa921 100644
+index 91283c5e74..beadb43cf4 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -116,7 +116,7 @@ my @smime_pkcs7_tests = (
@@ -396,5 +396,5 @@ index cf4541449b..7350baa921 100644
"-signer", $smrsa1,
"-signer", catfile($smdir, "smrsa2.pem"),
--
-2.51.0
+2.52.0
diff --git a/0044-FIPS-NO-DES-support.patch b/0044-FIPS-NO-DES-support.patch
index 5c22fcf..edebf7f 100644
--- a/0044-FIPS-NO-DES-support.patch
+++ b/0044-FIPS-NO-DES-support.patch
@@ -1,53 +1,38 @@
-From 7c75c6f52700efbee8d960601c0b1943295b6ae5 Mon Sep 17 00:00:00 2001
+From 62748c233ae3afb8b0797a7d1ce2f391721d2971 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:15:13 -0500
-Subject: [PATCH 44/59] FIPS: NO DES support
+Subject: [PATCH 44/57] FIPS: NO DES support
Signed-off-by: Simo Sorce <simo@redhat.com>
---
- providers/fips/fipsprov.c | 3 ++-
- providers/fips/self_test_data.inc | 4 ++++
+ providers/fips/fipsprov.c | 4 ----
+ providers/fips/self_test_data.inc | 2 ++
test/evp_libctx_test.c | 4 +++-
.../30-test_evp_data/evpciph_des3_common.txt | 13 ++++---------
test/recipes/30-test_evp_data/evpmac_cmac_des.txt | 10 ----------
test/recipes/80-test_cms.t | 2 +-
- 6 files changed, 14 insertions(+), 22 deletions(-)
+ 6 files changed, 10 insertions(+), 25 deletions(-)
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
-index a807c76fd8..767073fce4 100644
+index f8f2822300..33e1a179cf 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
-@@ -356,7 +356,8 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = {
- ossl_cipher_capable_aes_cbc_hmac_sha256),
+@@ -355,10 +355,6 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = {
+ ossl_cipher_capable_aes_cbc_hmac_sha256),
ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
- ossl_cipher_capable_aes_cbc_hmac_sha256),
+ ossl_cipher_capable_aes_cbc_hmac_sha256),
-#ifndef OPENSSL_NO_DES
-+/* We don't certify 3DES in our FIPS provider */
-+#if 0 /* ifndef OPENSSL_NO_DES */
- ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
- ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
- #endif /* OPENSSL_NO_DES */
+- ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
+- ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
+-#endif /* OPENSSL_NO_DES */
+ { { NULL, NULL, NULL }, NULL }
+ };
+ static OSSL_ALGORITHM exported_fips_ciphers[OSSL_NELEM(fips_ciphers)];
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
-index a7d7684d96..c9ce8f3340 100644
+index a7d7684d96..d8d23e6f90 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
-@@ -262,6 +262,7 @@ static const unsigned char aes_128_ecb_ct[] = {
- 0x4e, 0xaa, 0x6f, 0xb4, 0xdb, 0xf7, 0x84, 0x65
- };
-
-+#if 0
- #ifndef OPENSSL_NO_DES
- /*
- * TDES-ECB test data from
-@@ -280,6 +281,7 @@ static const unsigned char tdes_pt[] = {
- 0x4B, 0xAB, 0x3B, 0xE1, 0x50, 0x2E, 0x3B, 0x36
- };
- #endif
-+#endif
-
- static const ST_KAT_CIPHER st_kat_cipher_tests[] = {
- {
-@@ -305,6 +307,7 @@ static const ST_KAT_CIPHER st_kat_cipher_tests[] = {
+@@ -305,6 +305,7 @@ static const ST_KAT_CIPHER st_kat_cipher_tests[] = {
CIPHER_MODE_DECRYPT,
ITM(aes_128_ecb_key)
},
@@ -55,7 +40,7 @@ index a7d7684d96..c9ce8f3340 100644
#ifndef OPENSSL_NO_DES
{
{
-@@ -317,6 +320,7 @@ static const ST_KAT_CIPHER st_kat_cipher_tests[] = {
+@@ -317,6 +318,7 @@ static const ST_KAT_CIPHER st_kat_cipher_tests[] = {
ITM(tdes_key)
}
#endif
@@ -64,10 +49,10 @@ index a7d7684d96..c9ce8f3340 100644
static const char hkdf_digest[] = "SHA256";
diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
-index 2838f343bd..19dd2c6c63 100644
+index 773210fadb..e0b4efe3f4 100644
--- a/test/evp_libctx_test.c
+++ b/test/evp_libctx_test.c
-@@ -831,7 +831,9 @@ int setup_tests(void)
+@@ -984,7 +984,9 @@ int setup_tests(void)
ADD_TEST(kem_invalid_keytype);
#endif
#ifndef OPENSSL_NO_DES
@@ -156,7 +141,7 @@ index a11e5ffe54..e4a7cbe75e 100644
-Input = FA620C1BBE97319E9A0CF0492121F7A20EB08A6A709DCBD00AAF38E4F99E754E
-Output = 8F49A1B7D6AA2258
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
-index 7350baa921..740823c61e 100644
+index beadb43cf4..71ab4a3910 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -415,7 +415,7 @@ my @smime_cms_tests = (
@@ -169,5 +154,5 @@ index 7350baa921..740823c61e 100644
"-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
"-stream", "-out", "{output}.cms" ],
--
-2.51.0
+2.52.0
diff --git a/0045-FIPS-NO-Kmac.patch b/0045-FIPS-NO-Kmac.patch
index a849a53..97c5cb7 100644
--- a/0045-FIPS-NO-Kmac.patch
+++ b/0045-FIPS-NO-Kmac.patch
@@ -1,38 +1,37 @@
-From 70094ad6af6b81c1e278b6918fc7a143fbad02a9 Mon Sep 17 00:00:00 2001
+From 7afd41a086ff9d3c39ff592e26d006c769e2a6d7 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 7 Mar 2025 18:22:07 -0500
-Subject: [PATCH 45/59] FIPS: NO Kmac
+Subject: [PATCH 45/57] FIPS: NO Kmac
Signed-off-by: Simo Sorce <simo@redhat.com>
---
- providers/fips/fipsprov.c | 10 +-
+ providers/fips/fipsprov.c | 9 +-
providers/fips/self_test_data.inc | 4 +
test/recipes/30-test_evp.t | 2 +-
test/recipes/30-test_evp_data/evpkdf_hkdf.txt | 2 +-
.../30-test_evp_data/evpkdf_kbkdf_counter.txt | 2 +-
test/recipes/30-test_evp_data/evpkdf_ss.txt | 6 +-
.../30-test_evp_data/evpmac_common.txt | 100 ++++--------------
- 7 files changed, 40 insertions(+), 86 deletions(-)
+ 7 files changed, 39 insertions(+), 86 deletions(-)
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
-index 767073fce4..3d6fe1f244 100644
+index 33e1a179cf..7930cf3241 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
-@@ -295,10 +295,11 @@ static const OSSL_ALGORITHM fips_digests[] = {
+@@ -294,10 +294,10 @@ static const OSSL_ALGORITHM fips_digests[] = {
* KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
* KMAC128 and KMAC256.
*/
- { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
-+ /* We don't certify KECCAK in our FIPS provider */
+ /* { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
- ossl_keccak_kmac_128_functions },
+ ossl_keccak_kmac_128_functions },
{ PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES,
-- ossl_keccak_kmac_256_functions },
-+ ossl_keccak_kmac_256_functions }, */
+- ossl_keccak_kmac_256_functions },
++ ossl_keccak_kmac_256_functions }, */
{ NULL, NULL, NULL }
};
-@@ -371,8 +372,9 @@ static const OSSL_ALGORITHM fips_macs[] = {
+@@ -365,8 +365,9 @@ static const OSSL_ALGORITHM fips_macs[] = {
#endif
{ PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions },
{ PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions },
@@ -45,10 +44,10 @@ index 767073fce4..3d6fe1f244 100644
};
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
-index c9ce8f3340..3e32a5446a 100644
+index d8d23e6f90..43f7c89fd6 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
-@@ -535,6 +535,7 @@ static const ST_KAT_PARAM kbkdf_params[] = {
+@@ -533,6 +533,7 @@ static const ST_KAT_PARAM kbkdf_params[] = {
ST_KAT_PARAM_END()
};
@@ -56,7 +55,7 @@ index c9ce8f3340..3e32a5446a 100644
static const char kbkdf_kmac_mac[] = "KMAC128";
static unsigned char kbkdf_kmac_label[] = {
0xB5, 0xB5, 0xF3, 0x71, 0x9F, 0xBE, 0x5B, 0x3D,
-@@ -561,6 +562,7 @@ static const ST_KAT_PARAM kbkdf_kmac_params[] = {
+@@ -559,6 +560,7 @@ static const ST_KAT_PARAM kbkdf_kmac_params[] = {
ST_KAT_PARAM_OCTET(OSSL_KDF_PARAM_INFO, kbkdf_kmac_context),
ST_KAT_PARAM_END()
};
@@ -64,7 +63,7 @@ index c9ce8f3340..3e32a5446a 100644
static const char tls13_kdf_digest[] = "SHA256";
static int tls13_kdf_extract_mode = EVP_KDF_HKDF_MODE_EXTRACT_ONLY;
-@@ -651,12 +653,14 @@ static const ST_KAT_KDF st_kat_kdf_tests[] =
+@@ -649,12 +651,14 @@ static const ST_KAT_KDF st_kat_kdf_tests[] =
kbkdf_params,
ITM(kbkdf_expected)
},
@@ -422,5 +421,5 @@ index 831eecbac9..af92ceea98 100644
-Custom = ""
-Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69
--
-2.51.0
+2.52.0
diff --git a/0046-FIPS-Fix-some-tests-due-to-our-versioning-change.patch b/0046-FIPS-Fix-some-tests-due-to-our-versioning-change.patch
index 94d5a60..5081a1e 100644
--- a/0046-FIPS-Fix-some-tests-due-to-our-versioning-change.patch
+++ b/0046-FIPS-Fix-some-tests-due-to-our-versioning-change.patch
@@ -1,7 +1,7 @@
-From 552dec327a579572ca17a560bb415d8f407ce990 Mon Sep 17 00:00:00 2001
+From d6a6afdc614ce0e6273554f50c18cd70000cff01 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 10 Mar 2025 13:52:50 -0400
-Subject: [PATCH 46/59] FIPS: Fix some tests due to our versioning change
+Subject: [PATCH 46/57] FIPS: Fix some tests due to our versioning change
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -102,5 +102,5 @@ index af47842fd8..21c75033e8 100644
my @tests_mldsa_tls_1_3 = (
--
-2.51.0
+2.52.0
diff --git a/0047-Current-Rebase-status.patch b/0047-Current-Rebase-status.patch
index d8d68d5..8dff33d 100644
--- a/0047-Current-Rebase-status.patch
+++ b/0047-Current-Rebase-status.patch
@@ -1,7 +1,7 @@
-From 3ce272be66d6e8285e0fa0fddc0ae4b3c8c9e6da Mon Sep 17 00:00:00 2001
+From 607a195b374a6072c87a500713cea78347b7d252 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 12 Feb 2025 17:25:47 -0500
-Subject: [PATCH 47/59] Current Rebase status
+Subject: [PATCH 47/57] Current Rebase status
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -102,5 +102,5 @@ index 2833a383c1..c8f6c992a8 100644
+./Configure --prefix=$HOME/tmp/openssl-rebase --openssldir=$HOME/tmp/openssl-rebase/etc/pki/tls enable-ec_nistp_64_gcc_128 --system-ciphers-file=$HOME/tmp/openssl-rebase/etc/crypto-policies/back-ends/opensslcnf.config zlib enable-camellia enable-seed enable-rfc3779 enable-sctp enable-cms enable-md2 enable-rc5 enable-ktls enable-fips no-mdc2 no-ec2m no-sm2 no-sm4 no-atexit enable-buildtest-c++ shared linux-x86_64 $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DOPENSSL_PEDANTIC_ZEROIZATION -DREDHAT_FIPS_VENDOR="\"Red Hat Enterprise Linux OpenSSL FIPS Provider\"" -DREDHAT_FIPS_VERSION="\"3.5.0-4c714d97fd77d1a8\""' -Wl,--allow-multiple-definition
+
--
-2.51.0
+2.52.0
diff --git a/0048-FIPS-KDF-key-lenght-errors.patch b/0048-FIPS-KDF-key-lenght-errors.patch
index c59e5e0..a0e76bb 100644
--- a/0048-FIPS-KDF-key-lenght-errors.patch
+++ b/0048-FIPS-KDF-key-lenght-errors.patch
@@ -1,7 +1,7 @@
-From 284c64f2ad8f104b15983f7ff37e90486847c5b1 Mon Sep 17 00:00:00 2001
+From be07c8ed65b9657227d03b905b9a490bd14bd173 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 14 Apr 2025 15:25:40 -0400
-Subject: [PATCH 48/59] FIPS: KDF key lenght errors
+Subject: [PATCH 48/57] FIPS: KDF key lenght errors
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -171,5 +171,5 @@ index 1fb2472001..93c07ede7c 100644
# Test that the key whose length is shorter than 112 bits is reported as
--
-2.51.0
+2.52.0
diff --git a/0049-FIPS-fix-disallowed-digests-tests.patch b/0049-FIPS-fix-disallowed-digests-tests.patch
index cb4caec..0ddd1b7 100644
--- a/0049-FIPS-fix-disallowed-digests-tests.patch
+++ b/0049-FIPS-fix-disallowed-digests-tests.patch
@@ -1,7 +1,7 @@
-From 4373bb2644892e1d788ca2bdd37d7281221c0385 Mon Sep 17 00:00:00 2001
+From 53462749e29bd8f96e52f3f31cf1de2114e896c3 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 15 Apr 2025 13:41:42 -0400
-Subject: [PATCH 49/59] FIPS: fix disallowed digests tests
+Subject: [PATCH 49/57] FIPS: fix disallowed digests tests
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -47,5 +47,5 @@ index 6688c217aa..8347f773e6 100644
# Test that the key whose length is shorter than 112 bits is reported as
# unapproved
--
-2.51.0
+2.52.0
diff --git a/0050-Make-openssl-speed-run-in-FIPS-mode.patch b/0050-Make-openssl-speed-run-in-FIPS-mode.patch
index 674f2e8..7766996 100644
--- a/0050-Make-openssl-speed-run-in-FIPS-mode.patch
+++ b/0050-Make-openssl-speed-run-in-FIPS-mode.patch
@@ -1,18 +1,18 @@
-From 4efc206514085c482a0b2a74a98f3ca285c99db9 Mon Sep 17 00:00:00 2001
+From ed9fd546659e691f51df032d6e364cee45c3bf0b Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Fri, 9 May 2025 15:09:46 +0200
-Subject: [PATCH 50/59] Make `openssl speed` run in FIPS mode
+Subject: [PATCH 50/57] Make `openssl speed` run in FIPS mode
---
apps/speed.c | 44 ++++++++++++++++++++++----------------------
1 file changed, 22 insertions(+), 22 deletions(-)
diff --git a/apps/speed.c b/apps/speed.c
-index 3307a9cb46..ae2f166d24 100644
+index 13c8505ed9..c31e30f235 100644
--- a/apps/speed.c
+++ b/apps/speed.c
-@@ -3172,18 +3172,18 @@ int speed_main(int argc, char **argv)
- (void *)key32, 16);
+@@ -3231,18 +3231,18 @@ int speed_main(int argc, char **argv)
+ (void *)key32, 16);
params[1] = OSSL_PARAM_construct_end();
- if (mac_setup("KMAC-128", &mac, params, loopargs, loopargs_len) < 1)
@@ -41,8 +41,8 @@ index 3307a9cb46..ae2f166d24 100644
}
if (doit[D_KMAC256]) {
-@@ -3193,18 +3193,18 @@ int speed_main(int argc, char **argv)
- (void *)key32, 32);
+@@ -3252,18 +3252,18 @@ int speed_main(int argc, char **argv)
+ (void *)key32, 32);
params[1] = OSSL_PARAM_construct_end();
- if (mac_setup("KMAC-256", &mac, params, loopargs, loopargs_len) < 1)
@@ -72,5 +72,5 @@ index 3307a9cb46..ae2f166d24 100644
for (i = 0; i < loopargs_len; i++)
--
-2.51.0
+2.52.0
diff --git a/0051-Backport-upstream-27483-for-PKCS11-needs.patch b/0051-Backport-upstream-27483-for-PKCS11-needs.patch
index 358c433..bfcd0bd 100644
--- a/0051-Backport-upstream-27483-for-PKCS11-needs.patch
+++ b/0051-Backport-upstream-27483-for-PKCS11-needs.patch
@@ -1,7 +1,7 @@
-From 5e135e7ceefd5b72cb54a93b13b478af05873318 Mon Sep 17 00:00:00 2001
+From b03deba991f7f0677127f6030fde0011ab30430b Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Mon, 12 May 2025 14:34:39 +0200
-Subject: [PATCH 51/59] Backport upstream #27483 for PKCS11 needs
+Subject: [PATCH 51/57] Backport upstream #27483 for PKCS11 needs
---
.../implementations/skeymgmt/aes_skmgmt.c | 2 +
@@ -11,7 +11,7 @@ Subject: [PATCH 51/59] Backport upstream #27483 for PKCS11 needs
4 files changed, 76 insertions(+)
diff --git a/providers/implementations/skeymgmt/aes_skmgmt.c b/providers/implementations/skeymgmt/aes_skmgmt.c
-index 6d3b5f377f..17be480131 100644
+index 02370b7fb7..48e3b64580 100644
--- a/providers/implementations/skeymgmt/aes_skmgmt.c
+++ b/providers/implementations/skeymgmt/aes_skmgmt.c
@@ -48,5 +48,7 @@ const OSSL_DISPATCH ossl_aes_skeymgmt_functions[] = {
@@ -23,7 +23,7 @@ index 6d3b5f377f..17be480131 100644
OSSL_DISPATCH_END
};
diff --git a/providers/implementations/skeymgmt/generic.c b/providers/implementations/skeymgmt/generic.c
-index b41bf8e12d..5fb3fad7e3 100644
+index 5b8c557f83..faec12374a 100644
--- a/providers/implementations/skeymgmt/generic.c
+++ b/providers/implementations/skeymgmt/generic.c
@@ -65,6 +65,16 @@ end:
@@ -41,7 +41,7 @@ index b41bf8e12d..5fb3fad7e3 100644
+}
+
int generic_export(void *keydata, int selection,
- OSSL_CALLBACK *param_callback, void *cbarg)
+ OSSL_CALLBACK *param_callback, void *cbarg)
{
@@ -89,5 +99,7 @@ const OSSL_DISPATCH ossl_generic_skeymgmt_functions[] = {
{ OSSL_FUNC_SKEYMGMT_FREE, (void (*)(void))generic_free },
@@ -52,7 +52,7 @@ index b41bf8e12d..5fb3fad7e3 100644
OSSL_DISPATCH_END
};
diff --git a/providers/implementations/skeymgmt/skeymgmt_lcl.h b/providers/implementations/skeymgmt/skeymgmt_lcl.h
-index c180c1d303..a7e7605050 100644
+index c75776cce4..7e35b2cc9e 100644
--- a/providers/implementations/skeymgmt/skeymgmt_lcl.h
+++ b/providers/implementations/skeymgmt/skeymgmt_lcl.h
@@ -15,5 +15,6 @@
@@ -63,10 +63,10 @@ index c180c1d303..a7e7605050 100644
#endif
diff --git a/test/evp_skey_test.c b/test/evp_skey_test.c
-index b81df9c8f8..e33bbbe003 100644
+index 7fd70ca732..dddf92f9da 100644
--- a/test/evp_skey_test.c
+++ b/test/evp_skey_test.c
-@@ -92,6 +92,66 @@ end:
+@@ -107,6 +107,66 @@ end:
return ret;
}
@@ -133,7 +133,7 @@ index b81df9c8f8..e33bbbe003 100644
#define IV_SIZE 16
#define DATA_SIZE 32
static int test_aes_raw_skey(void)
-@@ -252,6 +312,7 @@ int setup_tests(void)
+@@ -267,6 +327,7 @@ int setup_tests(void)
return 0;
ADD_TEST(test_skey_cipher);
@@ -142,5 +142,5 @@ index b81df9c8f8..e33bbbe003 100644
ADD_TEST(test_aes_raw_skey);
#ifndef OPENSSL_NO_DES
--
-2.51.0
+2.52.0
diff --git a/0052-Red-Hat-9-FIPS-indicator-defines.patch b/0052-Red-Hat-9-FIPS-indicator-defines.patch
index 0beebdb..b0095ea 100644
--- a/0052-Red-Hat-9-FIPS-indicator-defines.patch
+++ b/0052-Red-Hat-9-FIPS-indicator-defines.patch
@@ -1,7 +1,7 @@
-From e3884eb262fc465ef815d8dff460d38053a9486b Mon Sep 17 00:00:00 2001
+From 4a6768577382850dd3f3580f232a2a2ac7ed09c2 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Mon, 12 May 2025 16:21:23 +0200
-Subject: [PATCH 52/59] Red Hat 9 FIPS indicator defines
+Subject: [PATCH 52/57] Red Hat 9 FIPS indicator defines
---
include/openssl/evp.h | 15 +++++++++++++++
@@ -10,10 +10,10 @@ Subject: [PATCH 52/59] Red Hat 9 FIPS indicator defines
3 files changed, 26 insertions(+)
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
-index e5da1e6415..3849c1779e 100644
+index e83ad13183..afa8f7a542 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
-@@ -779,6 +779,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags);
+@@ -767,6 +767,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags);
void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags);
int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags);
@@ -22,21 +22,21 @@ index e5da1e6415..3849c1779e 100644
+# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
+
__owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
- const unsigned char *key, const unsigned char *iv);
+ const unsigned char *key, const unsigned char *iv);
__owur int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,
-@@ -850,6 +854,10 @@ __owur int EVP_CipherPipelineFinal(EVP_CIPHER_CTX *ctx,
+@@ -838,6 +842,10 @@ __owur int EVP_CipherPipelineFinal(EVP_CIPHER_CTX *ctx,
__owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
- int *outl);
+ int *outl);
+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED 1
+# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
+
__owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
- EVP_PKEY *pkey);
+ EVP_PKEY *pkey);
__owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s,
-@@ -1249,6 +1257,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx,
- void *arg);
+@@ -1240,6 +1248,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx,
+ void *arg);
/* MAC stuff */
+# define EVP_MAC_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
@@ -44,35 +44,35 @@ index e5da1e6415..3849c1779e 100644
+# define EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm,
- const char *properties);
-@@ -1826,6 +1837,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void);
+ const char *properties);
+@@ -1816,6 +1827,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void);
OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx);
- # endif
+ #endif
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED 1
+# define EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
+
EVP_KEYMGMT *EVP_KEYMGMT_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
- const char *properties);
+ const char *properties);
int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt);
diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
-index 0983230a48..86171635ea 100644
+index d06ca6c69d..e061f0164f 100644
--- a/include/openssl/kdf.h
+++ b/include/openssl/kdf.h
@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf,
- # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1
- # define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2
+ #define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1
+ #define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED 1
+# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2
+
- #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65
- #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66
+ #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65
+ #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66
#define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
-index 059b489735..5a1864309d 100644
+index 262c184ca2..6009253440 100644
--- a/util/perl/OpenSSL/paramnames.pm
+++ b/util/perl/OpenSSL/paramnames.pm
@@ -143,6 +143,8 @@ my %params = (
@@ -125,5 +125,5 @@ index 059b489735..5a1864309d 100644
'KEM_PARAM_FIPS_KEY_CHECK' => '*PKEY_PARAM_FIPS_KEY_CHECK',
'KEM_PARAM_FIPS_APPROVED_INDICATOR' => '*ALG_PARAM_FIPS_APPROVED_INDICATOR',
--
-2.51.0
+2.52.0
diff --git a/0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch b/0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch
index 4220f7c..6632b9f 100644
--- a/0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch
+++ b/0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch
@@ -1,21 +1,21 @@
-From 217d8f5853670ae2245ad8d31faee411a68c997a Mon Sep 17 00:00:00 2001
+From 1b1a5447386cf8a149c4cd603c893a691eb210b5 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Fri, 30 May 2025 16:17:37 +0200
-Subject: [PATCH 53/59] Allow hybrid MLKEM in FIPS mode
+Subject: [PATCH 53/57] Allow hybrid MLKEM in FIPS mode
---
crypto/ml_kem/ml_kem.c | 11 ++--
- include/crypto/ml_kem.h | 2 +
- providers/defltprov.c | 8 +--
+ include/crypto/ml_kem.h | 1 +
+ providers/defltprov.c | 14 ++---
providers/implementations/kem/mlx_kem.c | 33 +++++++++-
providers/implementations/keymgmt/mlx_kmgmt.c | 61 ++++++++++++++++++-
- 5 files changed, 103 insertions(+), 12 deletions(-)
+ 5 files changed, 105 insertions(+), 15 deletions(-)
diff --git a/crypto/ml_kem/ml_kem.c b/crypto/ml_kem/ml_kem.c
-index 716c3bf427..6ae9c9c5b5 100644
+index dd8a39197a..833abf9f1d 100644
--- a/crypto/ml_kem/ml_kem.c
+++ b/crypto/ml_kem/ml_kem.c
-@@ -1613,6 +1613,7 @@ ML_KEM_KEY *ossl_ml_kem_key_new(OSSL_LIB_CTX *libctx, const char *properties,
+@@ -1924,6 +1924,7 @@ ML_KEM_KEY *ossl_ml_kem_key_new(OSSL_LIB_CTX *libctx, const char *properties,
{
const ML_KEM_VINFO *vinfo = ossl_ml_kem_get_vinfo(evp_type);
ML_KEM_KEY *key;
@@ -23,7 +23,7 @@ index 716c3bf427..6ae9c9c5b5 100644
if (vinfo == NULL) {
ERR_raise_data(ERR_LIB_CRYPTO, ERR_R_PASSED_INVALID_ARGUMENT,
-@@ -1623,15 +1624,17 @@ ML_KEM_KEY *ossl_ml_kem_key_new(OSSL_LIB_CTX *libctx, const char *properties,
+@@ -1934,15 +1935,17 @@ ML_KEM_KEY *ossl_ml_kem_key_new(OSSL_LIB_CTX *libctx, const char *properties,
if ((key = OPENSSL_malloc(sizeof(*key))) == NULL)
return NULL;
@@ -46,45 +46,51 @@ index 716c3bf427..6ae9c9c5b5 100644
if (key->shake128_md != NULL
&& key->shake256_md != NULL
diff --git a/include/crypto/ml_kem.h b/include/crypto/ml_kem.h
-index 67d55697e9..ab1aaae8ac 100644
+index dbe9192364..35dcbbf32c 100644
--- a/include/crypto/ml_kem.h
+++ b/include/crypto/ml_kem.h
-@@ -278,4 +278,6 @@ int ossl_ml_kem_decap(uint8_t *shared_secret, size_t slen,
- __owur
- int ossl_ml_kem_pubkey_cmp(const ML_KEM_KEY *key1, const ML_KEM_KEY *key2);
+@@ -268,4 +268,5 @@ __owur int ossl_ml_kem_decap(uint8_t *shared_secret, size_t slen,
+ /* Compare the public key hashes of two keys */
+ __owur int ossl_ml_kem_pubkey_cmp(const ML_KEM_KEY *key1, const ML_KEM_KEY *key2);
+char *get_adjusted_propq(const char *propq);
-+
- #endif /* OPENSSL_HEADER_ML_KEM_H */
+ #endif /* OPENSSL_HEADER_ML_KEM_H */
diff --git a/providers/defltprov.c b/providers/defltprov.c
-index eee2178b41..0dba017f3f 100644
+index 90655395c1..f74b160d6f 100644
--- a/providers/defltprov.c
+++ b/providers/defltprov.c
@@ -517,8 +517,8 @@ static const OSSL_ALGORITHM deflt_asym_kem[] = {
{ "X448MLKEM1024", "provider=default", ossl_mlx_kem_asym_kem_functions },
- # endif
- # if !defined(OPENSSL_NO_EC)
+ #endif
+ #if !defined(OPENSSL_NO_EC)
- { "SecP256r1MLKEM768", "provider=default", ossl_mlx_kem_asym_kem_functions },
- { "SecP384r1MLKEM1024", "provider=default", ossl_mlx_kem_asym_kem_functions },
+ { "SecP256r1MLKEM768", "provider=default,fips=yes", ossl_mlx_kem_asym_kem_functions },
+ { "SecP384r1MLKEM1024", "provider=default,fips=yes", ossl_mlx_kem_asym_kem_functions },
- # endif
+ #endif
#endif
{ NULL, NULL, NULL }
-@@ -597,9 +597,9 @@ static const OSSL_ALGORITHM deflt_keymgmt[] = {
- PROV_DESCS_X448MLKEM1024 },
- # endif
- # if !defined(OPENSSL_NO_EC)
+@@ -594,13 +594,13 @@ static const OSSL_ALGORITHM deflt_keymgmt[] = {
+ { PROV_NAMES_X25519MLKEM768, "provider=default", ossl_mlx_x25519_kem_kmgmt_functions,
+ PROV_DESCS_X25519MLKEM768 },
+ { PROV_NAMES_X448MLKEM1024, "provider=default", ossl_mlx_x448_kem_kmgmt_functions,
+- PROV_DESCS_X448MLKEM1024 },
++ PROV_DESCS_X448MLKEM1024 },
+ #endif
+ #if !defined(OPENSSL_NO_EC)
- { PROV_NAMES_SecP256r1MLKEM768, "provider=default", ossl_mlx_p256_kem_kmgmt_functions,
-+ { PROV_NAMES_SecP256r1MLKEM768, "provider=default,fips=yes", ossl_mlx_p256_kem_kmgmt_functions,
- PROV_DESCS_SecP256r1MLKEM768 },
+- PROV_DESCS_SecP256r1MLKEM768 },
- { PROV_NAMES_SecP384r1MLKEM1024, "provider=default", ossl_mlx_p384_kem_kmgmt_functions,
-+ { PROV_NAMES_SecP384r1MLKEM1024, "provider=default,fips=yes", ossl_mlx_p384_kem_kmgmt_functions,
- PROV_DESCS_SecP384r1MLKEM1024 },
- # endif
+- PROV_DESCS_SecP384r1MLKEM1024 },
++ { PROV_NAMES_SecP256r1MLKEM768, "provider=default,fips=yes", ossl_mlx_p256_kem_kmgmt_functions,
++ PROV_DESCS_SecP256r1MLKEM768 },
++ { PROV_NAMES_SecP384r1MLKEM1024, "provider=default,fips=yes", ossl_mlx_p384_kem_kmgmt_functions,
++ PROV_DESCS_SecP384r1MLKEM1024 },
+ #endif
#endif
+ #ifndef OPENSSL_NO_SLH_DSA
diff --git a/providers/implementations/kem/mlx_kem.c b/providers/implementations/kem/mlx_kem.c
-index 197c345d85..08fbf99a76 100644
+index 376b3342dd..09fa003612 100644
--- a/providers/implementations/kem/mlx_kem.c
+++ b/providers/implementations/kem/mlx_kem.c
@@ -19,6 +19,7 @@
@@ -122,7 +128,7 @@ index 197c345d85..08fbf99a76 100644
+}
+
static int mlx_kem_encapsulate(void *vctx, unsigned char *ctext, size_t *clen,
- unsigned char *shsec, size_t *slen)
+ unsigned char *shsec, size_t *slen)
{
@@ -115,6 +138,7 @@ static int mlx_kem_encapsulate(void *vctx, unsigned char *ctext, size_t *clen,
uint8_t *sbuf;
@@ -142,15 +148,15 @@ index 197c345d85..08fbf99a76 100644
if (ctx == NULL
|| EVP_PKEY_encapsulate_init(ctx, NULL) <= 0
|| EVP_PKEY_encapsulate(ctx, cbuf, &encap_clen, sbuf, &encap_slen) <= 0)
-@@ -237,6 +262,7 @@ static int mlx_kem_encapsulate(void *vctx, unsigned char *ctext, size_t *clen,
- end:
+@@ -238,6 +263,7 @@ static int mlx_kem_encapsulate(void *vctx, unsigned char *ctext, size_t *clen,
+ end:
EVP_PKEY_free(xkey);
EVP_PKEY_CTX_free(ctx);
+ OPENSSL_free(adjusted_propq);
return ret;
}
-@@ -252,6 +278,7 @@ static int mlx_kem_decapsulate(void *vctx, uint8_t *shsec, size_t *slen,
+@@ -253,6 +279,7 @@ static int mlx_kem_decapsulate(void *vctx, uint8_t *shsec, size_t *slen,
size_t decap_clen = key->minfo->ctext_bytes + key->xinfo->pubkey_bytes;
int ml_kem_slot = key->xinfo->ml_kem_slot;
int ret = 0;
@@ -158,7 +164,7 @@ index 197c345d85..08fbf99a76 100644
if (!mlx_kem_have_prvkey(key)) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
-@@ -287,7 +314,8 @@ static int mlx_kem_decapsulate(void *vctx, uint8_t *shsec, size_t *slen,
+@@ -288,7 +315,8 @@ static int mlx_kem_decapsulate(void *vctx, uint8_t *shsec, size_t *slen,
decap_slen = ML_KEM_SHARED_SECRET_BYTES;
cbuf = ctext + ml_kem_slot * key->xinfo->pubkey_bytes;
sbuf = shsec + ml_kem_slot * key->xinfo->shsec_bytes;
@@ -168,8 +174,8 @@ index 197c345d85..08fbf99a76 100644
if (ctx == NULL
|| EVP_PKEY_decapsulate_init(ctx, NULL) <= 0
|| EVP_PKEY_decapsulate(ctx, sbuf, &decap_slen, cbuf, decap_clen) <= 0)
-@@ -325,6 +353,7 @@ static int mlx_kem_decapsulate(void *vctx, uint8_t *shsec, size_t *slen,
- end:
+@@ -326,6 +354,7 @@ static int mlx_kem_decapsulate(void *vctx, uint8_t *shsec, size_t *slen,
+ end:
EVP_PKEY_CTX_free(ctx);
EVP_PKEY_free(xkey);
+ OPENSSL_free(adjusted_propq);
@@ -177,11 +183,11 @@ index 197c345d85..08fbf99a76 100644
}
diff --git a/providers/implementations/keymgmt/mlx_kmgmt.c b/providers/implementations/keymgmt/mlx_kmgmt.c
-index bea8783276..aeef0c8f84 100644
+index 46ed63039e..6ce9aa3c9a 100644
--- a/providers/implementations/keymgmt/mlx_kmgmt.c
+++ b/providers/implementations/keymgmt/mlx_kmgmt.c
-@@ -156,6 +156,52 @@ typedef struct export_cb_arg_st {
- size_t prvlen;
+@@ -155,6 +155,52 @@ typedef struct export_cb_arg_st {
+ size_t prvlen;
} EXPORT_CB_ARG;
+#ifndef FIPS_MODULE
@@ -233,7 +239,7 @@ index bea8783276..aeef0c8f84 100644
/* Copy any exported key material into its storage slot */
static int export_sub_cb(const OSSL_PARAM *params, void *varg)
{
-@@ -176,6 +222,10 @@ static int export_sub_cb(const OSSL_PARAM *params, void *varg)
+@@ -175,6 +221,10 @@ static int export_sub_cb(const OSSL_PARAM *params, void *varg)
if (OSSL_PARAM_get_octet_string(p, &pub, sub_arg->publen, &len) != 1)
return 0;
@@ -243,8 +249,8 @@ index bea8783276..aeef0c8f84 100644
+#endif
if (len != sub_arg->publen) {
ERR_raise_data(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR,
- "Unexpected %s public key length %lu != %lu",
-@@ -344,12 +394,14 @@ load_slot(OSSL_LIB_CTX *libctx, const char *propq, const char *pname,
+ "Unexpected %s public key length %lu != %lu",
+@@ -343,12 +393,14 @@ load_slot(OSSL_LIB_CTX *libctx, const char *propq, const char *pname,
void *val;
int ml_kem_slot = key->xinfo->ml_kem_slot;
int ret = 0;
@@ -258,8 +264,8 @@ index bea8783276..aeef0c8f84 100644
+ adjusted_propq = get_adjusted_propq(propq);
} else {
alg = key->xinfo->algorithm_name;
- group = (char *) key->xinfo->group_name;
-@@ -359,7 +411,8 @@ load_slot(OSSL_LIB_CTX *libctx, const char *propq, const char *pname,
+ group = (char *)key->xinfo->group_name;
+@@ -358,7 +410,8 @@ load_slot(OSSL_LIB_CTX *libctx, const char *propq, const char *pname,
}
val = (void *)(in + off);
@@ -269,34 +275,34 @@ index bea8783276..aeef0c8f84 100644
|| EVP_PKEY_fromdata_init(ctx) <= 0)
goto err;
parr[0] = OSSL_PARAM_construct_octet_string(pname, val, len);
-@@ -370,6 +423,7 @@ load_slot(OSSL_LIB_CTX *libctx, const char *propq, const char *pname,
+@@ -369,6 +422,7 @@ load_slot(OSSL_LIB_CTX *libctx, const char *propq, const char *pname,
ret = 1;
- err:
+ err:
+ OPENSSL_free(adjusted_propq);
EVP_PKEY_CTX_free(ctx);
return ret;
}
-@@ -688,6 +742,7 @@ static void *mlx_kem_gen(void *vgctx, OSSL_CALLBACK *osslcb, void *cbarg)
+@@ -685,6 +739,7 @@ static void *mlx_kem_gen(void *vgctx, OSSL_CALLBACK *osslcb, void *cbarg)
PROV_ML_KEM_GEN_CTX *gctx = vgctx;
MLX_KEY *key;
char *propq;
+ char *adjusted_propq = NULL;
if (gctx == NULL
- || (gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) ==
-@@ -704,8 +759,10 @@ static void *mlx_kem_gen(void *vgctx, OSSL_CALLBACK *osslcb, void *cbarg)
+ || (gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == OSSL_KEYMGMT_SELECT_PUBLIC_KEY)
+@@ -700,8 +755,10 @@ static void *mlx_kem_gen(void *vgctx, OSSL_CALLBACK *osslcb, void *cbarg)
return key;
/* For now, using the same "propq" for all components */
- key->mkey = EVP_PKEY_Q_keygen(key->libctx, key->propq,
+ adjusted_propq = get_adjusted_propq(propq);
+ key->mkey = EVP_PKEY_Q_keygen(key->libctx, adjusted_propq ? adjusted_propq : key->propq,
- key->minfo->algorithm_name);
+ key->minfo->algorithm_name);
+ OPENSSL_free(adjusted_propq);
key->xkey = EVP_PKEY_Q_keygen(key->libctx, key->propq,
- key->xinfo->algorithm_name,
- key->xinfo->group_name);
+ key->xinfo->algorithm_name,
+ key->xinfo->group_name);
--
-2.51.0
+2.52.0
diff --git a/0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch b/0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch
index 4b8cd0b..658a8f0 100644
--- a/0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch
+++ b/0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch
@@ -1,7 +1,7 @@
-From b963982c4b8ede93212c15021d4d251435153aa2 Mon Sep 17 00:00:00 2001
+From 3f73722b8e546a3f8f4e8bc7d74527f4fe7c4413 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 15 Jul 2025 12:32:14 -0400
-Subject: [PATCH 54/59] Temporarily disable SLH-DSA FIPS self-tests
+Subject: [PATCH 54/57] Temporarily disable SLH-DSA FIPS self-tests
Signed-off-by: Simo Sorce <simo@redhat.com>
---
@@ -9,10 +9,10 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
1 file changed, 6 insertions(+)
diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
-index 3e32a5446a..07518a9d7f 100644
+index 43f7c89fd6..7b03aad775 100644
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
-@@ -2888,6 +2888,7 @@ static const ST_KAT_PARAM ml_dsa_sig_init[] = {
+@@ -2886,6 +2886,7 @@ static const ST_KAT_PARAM ml_dsa_sig_init[] = {
};
#endif /* OPENSSL_NO_ML_DSA */
@@ -20,7 +20,7 @@ index 3e32a5446a..07518a9d7f 100644
#ifndef OPENSSL_NO_SLH_DSA
/*
* Deterministic SLH_DSA key generation supplies the private key elements and
-@@ -2978,6 +2979,7 @@ static const unsigned char slh_dsa_shake_128f_sig_digest[] = {
+@@ -2976,6 +2977,7 @@ static const unsigned char slh_dsa_shake_128f_sig_digest[] = {
0x89, 0x77, 0x00, 0x72, 0x03, 0x92, 0xd1, 0xa6,
};
#endif /* OPENSSL_NO_SLH_DSA */
@@ -28,7 +28,7 @@ index 3e32a5446a..07518a9d7f 100644
/* Hash DRBG inputs for signature KATs */
static const unsigned char sig_kat_entropyin[] = {
-@@ -3077,6 +3079,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
+@@ -3075,6 +3077,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
ml_dsa_sig_init
},
#endif /* OPENSSL_NO_ML_DSA */
@@ -36,7 +36,7 @@ index 3e32a5446a..07518a9d7f 100644
#ifndef OPENSSL_NO_SLH_DSA
/*
* FIPS 140-3 IG 10.3.A.16 Note 29 says:
-@@ -3107,6 +3110,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
+@@ -3105,6 +3108,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
slh_dsa_sig_params, slh_dsa_sig_params
},
#endif /* OPENSSL_NO_SLH_DSA */
@@ -44,7 +44,7 @@ index 3e32a5446a..07518a9d7f 100644
};
#if !defined(OPENSSL_NO_ML_DSA)
-@@ -3511,6 +3515,7 @@ static const ST_KAT_ASYM_KEYGEN st_kat_asym_keygen_tests[] = {
+@@ -3509,6 +3513,7 @@ static const ST_KAT_ASYM_KEYGEN st_kat_asym_keygen_tests[] = {
ml_dsa_key
},
# endif
@@ -52,7 +52,7 @@ index 3e32a5446a..07518a9d7f 100644
# if !defined(OPENSSL_NO_SLH_DSA)
{
OSSL_SELF_TEST_DESC_KEYGEN_SLH_DSA,
-@@ -3519,6 +3524,7 @@ static const ST_KAT_ASYM_KEYGEN st_kat_asym_keygen_tests[] = {
+@@ -3517,6 +3522,7 @@ static const ST_KAT_ASYM_KEYGEN st_kat_asym_keygen_tests[] = {
slh_dsa_128f_keygen_expected_params
},
# endif
@@ -61,5 +61,5 @@ index 3e32a5446a..07518a9d7f 100644
#endif /* !OPENSSL_NO_ML_DSA || !OPENSSL_NO_SLH_DSA */
--
-2.51.0
+2.52.0
diff --git a/0055-Add-a-define-to-disable-symver-attributes.patch b/0055-Add-a-define-to-disable-symver-attributes.patch
index b7f3627..24e7d60 100644
--- a/0055-Add-a-define-to-disable-symver-attributes.patch
+++ b/0055-Add-a-define-to-disable-symver-attributes.patch
@@ -1,7 +1,7 @@
-From 8d2f2f11f3875b58f133729dcb907bb64620649f Mon Sep 17 00:00:00 2001
+From 24875d5f4486540cc7baf23c3f94234ee9800862 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 17 Jul 2025 09:40:34 -0400
-Subject: [PATCH 55/59] Add a define to disable symver attributes
+Subject: [PATCH 55/57] Add a define to disable symver attributes
Defininig RHEL_NO_SYMVER_ATTRIBUTES for a build now prevents adding
compatibility symver attributes.
@@ -14,7 +14,7 @@ Signed-off-by: Simo Sorce <simo@redhat.com>
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
-index 8ee9db73dd..7ed4933934 100644
+index 638dac8844..5b1b54c195 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -573,7 +573,7 @@ int EVP_DigestSqueeze(EVP_MD_CTX *ctx, unsigned char *md, size_t size)
@@ -27,10 +27,10 @@ index 8ee9db73dd..7ed4933934 100644
symver ("EVP_MD_CTX_dup@OPENSSL_3.2.0")))
#endif
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
-index 619cf4f385..9192898d39 100644
+index b4edd825cd..e7b124a79b 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
-@@ -1763,7 +1763,7 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
+@@ -1757,7 +1757,7 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
}
EVP_CIPHER_CTX
@@ -40,10 +40,10 @@ index 619cf4f385..9192898d39 100644
symver ("EVP_CIPHER_CTX_dup@OPENSSL_3.2.0")))
#endif
diff --git a/crypto/o_str.c b/crypto/o_str.c
-index 86442a939e..8c33e4dd63 100644
+index fde43421ea..807e070827 100644
--- a/crypto/o_str.c
+++ b/crypto/o_str.c
-@@ -404,7 +404,7 @@ int openssl_strerror_r(int errnum, char *buf, size_t buflen)
+@@ -407,7 +407,7 @@ int openssl_strerror_r(int errnum, char *buf, size_t buflen)
}
int
@@ -52,7 +52,7 @@ index 86442a939e..8c33e4dd63 100644
__attribute__ ((symver ("OPENSSL_strcasecmp@@OPENSSL_3.0.3"),
symver ("OPENSSL_strcasecmp@OPENSSL_3.0.1")))
#endif
-@@ -419,7 +419,7 @@ OPENSSL_strcasecmp(const char *s1, const char *s2)
+@@ -422,7 +422,7 @@ OPENSSL_strcasecmp(const char *s1, const char *s2)
}
int
@@ -62,5 +62,5 @@ index 86442a939e..8c33e4dd63 100644
symver ("OPENSSL_strncasecmp@OPENSSL_3.0.1")))
#endif
--
-2.51.0
+2.52.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-06-09 12:45 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-09 12:45 [rpms/openssl] rebase_40beta: Rebase to OpenSSL 3.5.5 Dmitry Belyavskiy
2026-06-09 12:45 Dmitry Belyavskiy
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox