Blame SOURCES/rhbz1952381.patch

6c08f9
diff --git a/src/crypto/ecdsa/ecdsa_test.go b/src/crypto/ecdsa/ecdsa_test.go
6c08f9
index d60fdb8..b90782a 100644
6c08f9
--- a/src/crypto/ecdsa/ecdsa_test.go
6c08f9
+++ b/src/crypto/ecdsa/ecdsa_test.go
6c08f9
@@ -323,6 +323,10 @@ func TestVectors(t *testing.T) {
6c08f9
 			h.Write(msg)
6c08f9
 			hashed := h.Sum(hashed[:0])
6c08f9
 			if boring.Enabled() {
6c08f9
+				// SHA-1 signatures not supported in OpenSSL 3.0
6c08f9
+			        if ch == crypto.SHA1 {
6c08f9
+					expected = false
6c08f9
+				}
6c08f9
 				if HashVerify(pub, msg, r, s, ch) != expected {
6c08f9
 					t.Fatalf("incorrect result on line %d", lineNo)
6c08f9
 				}
6c08f9
diff --git a/src/crypto/internal/boring/aes.go b/src/crypto/internal/boring/aes.go
6c08f9
index 457decf..961795a 100644
6c08f9
--- a/src/crypto/internal/boring/aes.go
6c08f9
+++ b/src/crypto/internal/boring/aes.go
6c08f9
@@ -130,7 +130,11 @@ func (c *aesCipher) Decrypt(dst, src []byte) {
6c08f9
 			panic("cipher: unable to initialize EVP cipher ctx")
6c08f9
 		}
6c08f9
 	}
6c08f9
-
6c08f9
+	// Workaround - padding detection is broken but we don't need it
6c08f9
+	// since we check for full blocks
6c08f9
+	if C._goboringcrypto_EVP_CIPHER_CTX_set_padding(c.dec_ctx, 0) != 1 {
6c08f9
+		panic("crypto/cipher: could not disable cipher padding")
6c08f9
+	}
6c08f9
 	outlen := C.int(0)
6c08f9
 	C._goboringcrypto_EVP_CipherUpdate(c.dec_ctx, (*C.uchar)(unsafe.Pointer(&dst[0])), &outlen, (*C.uchar)(unsafe.Pointer(&src[0])), C.int(aesBlockSize))
6c08f9
 	runtime.KeepAlive(c)
6c08f9
@@ -157,6 +161,11 @@ func (x *aesCBC) CryptBlocks(dst, src []byte) {
6c08f9
 	}
6c08f9
 	if len(src) > 0 {
6c08f9
 		outlen := C.int(0)
6c08f9
+		// Workaround - padding detection is broken but we don't need it
6c08f9
+		// since we check for full blocks
6c08f9
+		if C._goboringcrypto_EVP_CIPHER_CTX_set_padding(x.ctx, 0) != 1 {
6c08f9
+			panic("crypto/cipher: could not disable cipher padding")
6c08f9
+		}
6c08f9
 		if C._goboringcrypto_EVP_CipherUpdate(
6c08f9
 			x.ctx,
6c08f9
 			base(dst), &outlen,
6c08f9
diff --git a/src/crypto/internal/boring/boring.go b/src/crypto/internal/boring/boring.go
6c08f9
index e7ae80c..45c856b 100644
6c08f9
--- a/src/crypto/internal/boring/boring.go
6c08f9
+++ b/src/crypto/internal/boring/boring.go
6c08f9
@@ -20,7 +20,8 @@ import (
6c08f9
 	"math/big"
6c08f9
 	"os"
6c08f9
 	"runtime"
6c08f9
-	"strings"
6c08f9
+	"unsafe"
6c08f9
+	"fmt"
6c08f9
 )
6c08f9
 
6c08f9
 const (
6c08f9
@@ -68,8 +69,22 @@ func enableBoringFIPSMode() {
6c08f9
 }
6c08f9
 
6c08f9
 func fipsModeEnabled() bool {
6c08f9
-	return os.Getenv("GOLANG_FIPS") == "1" ||
6c08f9
-		C._goboringcrypto_FIPS_mode() == fipsOn
6c08f9
+	// Due to the way providers work in openssl 3, the FIPS methods are not
6c08f9
+	// necessarily going to be available for us to load based on the GOLANG_FIPS
6c08f9
+	// environment variable alone. For now, we must rely on the config to tell
6c08f9
+	// us if the provider is configured and active.
6c08f9
+
6c08f9
+	fipsConfigured := C._goboringcrypto_FIPS_mode() == fipsOn
6c08f9
+	openSSLVersion := C._goboringcrypto_internal_OPENSSL_VERSION_NUMBER()
6c08f9
+	if openSSLVersion >= C.ulong(0x30000000) {
6c08f9
+		if !fipsConfigured && os.Getenv("GOLANG_FIPS") == "1" {
6c08f9
+			panic("GOLANG_FIPS=1 specified but OpenSSL FIPS provider is not configured")
6c08f9
+		}
6c08f9
+		return fipsConfigured
6c08f9
+
6c08f9
+	} else {
6c08f9
+		return os.Getenv("GOLANG_FIPS") == "1" || fipsConfigured
6c08f9
+	}
6c08f9
 }
6c08f9
 
6c08f9
 var randstub bool
6c08f9
@@ -126,23 +141,31 @@ func PanicIfStrictFIPS(msg string) {
6c08f9
 }
6c08f9
 
6c08f9
 func NewOpenSSLError(msg string) error {
6c08f9
-	var b strings.Builder
6c08f9
 	var e C.ulong
6c08f9
 
6c08f9
-	b.WriteString(msg)
6c08f9
-	b.WriteString("\nopenssl error(s):\n")
6c08f9
+	message := fmt.Sprintf("\n%v\nopenssl error(s):", msg)
6c08f9
 
6c08f9
 	for {
6c08f9
-		e = C._goboringcrypto_internal_ERR_get_error()
6c08f9
+		var file *C.char
6c08f9
+		var line C.int
6c08f9
+		var fnc  *C.char
6c08f9
+		var data  *C.char
6c08f9
+		var flags C.int
6c08f9
+		e = C._goboringcrypto_internal_ERR_get_error_all(&file, &line, &fnc, &data, &flags)
6c08f9
 		if e == 0 {
6c08f9
 			break
6c08f9
 		}
6c08f9
-		var buf [256]byte
6c08f9
-		C._goboringcrypto_internal_ERR_error_string_n(e, base(buf[:]), 256)
6c08f9
-		b.Write(buf[:])
6c08f9
-		b.WriteByte('\n')
6c08f9
+		var buf [256]C.char
6c08f9
+                C._goboringcrypto_internal_ERR_error_string_n(e, (*C.uchar)(unsafe.Pointer (&buf[0])), 256)
6c08f9
+		message = fmt.Sprintf("%v\nfile: %v\nline: %v\nfunction: %v\nflags: %v\nerror string: %s\n",
6c08f9
+			message,
6c08f9
+			C.GoString(file),
6c08f9
+			line,
6c08f9
+			C.GoString(fnc),
6c08f9
+			flags,
6c08f9
+		        C.GoString(&(buf[0])))
6c08f9
 	}
6c08f9
-	return errors.New(b.String())
6c08f9
+	return errors.New(message)
6c08f9
 }
6c08f9
 
6c08f9
 type fail string
6c08f9
diff --git a/src/crypto/internal/boring/goopenssl.h b/src/crypto/internal/boring/goopenssl.h
6c08f9
index 355638b..2737441 100644
6c08f9
--- a/src/crypto/internal/boring/goopenssl.h
6c08f9
+++ b/src/crypto/internal/boring/goopenssl.h
6c08f9
@@ -14,6 +14,15 @@
6c08f9
 
6c08f9
 #include <openssl/ossl_typ.h>
6c08f9
 
6c08f9
+#if OPENSSL_VERSION_NUMBER < 0x30000000
6c08f9
+#define OPENSSL_DLSYM_CALL(handle, func) dlsym(handle, func)
6c08f9
+#else
6c08f9
+#define __USE_GNU
6c08f9
+#define OPENSSL_DLSYM_CALL(handle, func) dlvsym(handle, func, "OPENSSL_3.0.0")
6c08f9
+#endif
6c08f9
+
6c08f9
+#include <dlfcn.h>
6c08f9
+
6c08f9
 #define unlikely(x) __builtin_expect(!!(x), 0)
6c08f9
 #define DEFINEFUNC(ret, func, args, argscall)        \
6c08f9
 	typedef ret(*_goboringcrypto_PTR_##func) args;   \
6c08f9
@@ -22,7 +31,7 @@
6c08f9
 	{                                                \
6c08f9
 		if (unlikely(!_g_##func))                    \
6c08f9
 		{                                            \
6c08f9
-			_g_##func = dlsym(handle, #func);        \
6c08f9
+			_g_##func = OPENSSL_DLSYM_CALL(handle, #func); \
6c08f9
 		}                                            \
6c08f9
 		return _g_##func argscall;                   \
6c08f9
 	}
6c08f9
@@ -34,7 +43,7 @@
6c08f9
 	{                                                \
6c08f9
 		if (unlikely(!_g_internal_##func))                    \
6c08f9
 		{                                            \
6c08f9
-			_g_internal_##func = dlsym(handle, #func);        \
6c08f9
+			_g_internal_##func = OPENSSL_DLSYM_CALL(handle, #func); \
6c08f9
 		}                                            \
6c08f9
 		return _g_internal_##func argscall;                   \
6c08f9
 	}
6c08f9
@@ -45,7 +54,6 @@
6c08f9
 		return func argscall;                     \
6c08f9
 	}
6c08f9
 
6c08f9
-#include <dlfcn.h>
6c08f9
 
6c08f9
 static void* handle;
6c08f9
 static void*
6c08f9
@@ -57,8 +65,10 @@ _goboringcrypto_DLOPEN_OPENSSL(void)
6c08f9
 	}
6c08f9
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
6c08f9
 	handle = dlopen("libcrypto.so.10", RTLD_NOW | RTLD_GLOBAL);
6c08f9
-#else
6c08f9
+#elif OPENSSL_VERSION_NUMBER < 0x30000000L
6c08f9
 	handle = dlopen("libcrypto.so.1.1", RTLD_NOW | RTLD_GLOBAL);
6c08f9
+#else
6c08f9
+	handle = dlopen("libcrypto.so.3", RTLD_NOW | RTLD_GLOBAL);
6c08f9
 #endif
6c08f9
 	return handle;
6c08f9
 }
6c08f9
@@ -68,6 +78,10 @@ _goboringcrypto_DLOPEN_OPENSSL(void)
6c08f9
 
6c08f9
 DEFINEFUNCINTERNAL(int, OPENSSL_init, (void), ())
6c08f9
 
6c08f9
+static unsigned long _goboringcrypto_internal_OPENSSL_VERSION_NUMBER(void) {
6c08f9
+	return OPENSSL_VERSION_NUMBER;
6c08f9
+}
6c08f9
+
6c08f9
 static void
6c08f9
 _goboringcrypto_OPENSSL_setup(void) {
6c08f9
 	_goboringcrypto_internal_OPENSSL_init();
6c08f9
@@ -76,6 +90,9 @@ _goboringcrypto_OPENSSL_setup(void) {
6c08f9
 #include <openssl/err.h>
6c08f9
 DEFINEFUNCINTERNAL(void, ERR_print_errors_fp, (FILE* fp), (fp))
6c08f9
 DEFINEFUNCINTERNAL(unsigned long, ERR_get_error, (void), ())
6c08f9
+DEFINEFUNCINTERNAL(unsigned long, ERR_get_error_all,
6c08f9
+		(const char **file, int *line, const char **func, const char **data, int *flags),
6c08f9
+		(file, line, func, data, flags))
6c08f9
 DEFINEFUNCINTERNAL(void, ERR_error_string_n, (unsigned long e, unsigned char *buf, size_t len), (e, buf, len))
6c08f9
 
6c08f9
 #include <openssl/crypto.h>
6c08f9
@@ -112,8 +129,15 @@ _goboringcrypto_CRYPTO_set_locking_callback(void (*locking_function)(int mode, i
6c08f9
 
6c08f9
 int _goboringcrypto_OPENSSL_thread_setup(void);
6c08f9
 
6c08f9
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
6c08f9
 DEFINEFUNC(int, FIPS_mode, (void), ())
6c08f9
 DEFINEFUNC(int, FIPS_mode_set, (int r), (r))
6c08f9
+#else
6c08f9
+DEFINEFUNC(int, EVP_default_properties_is_fips_enabled, (OSSL_LIB_CTX *libctx), (libctx))
6c08f9
+static inline int _goboringcrypto_FIPS_mode(void) {
6c08f9
+	return _goboringcrypto_EVP_default_properties_is_fips_enabled(NULL);
6c08f9
+}
6c08f9
+#endif
6c08f9
 
6c08f9
 #include <openssl/rand.h>
6c08f9
 
6c08f9
@@ -711,12 +735,9 @@ _goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(GO_EVP_PKEY_CTX* ctx, int pad) {
6c08f9
 #endif
6c08f9
 }
6c08f9
 
6c08f9
-static inline int
6c08f9
-_goboringcrypto_EVP_PKEY_CTX_set0_rsa_oaep_label(GO_EVP_PKEY_CTX *ctx, uint8_t *l, int llen)
6c08f9
-{
6c08f9
-
6c08f9
-	return _goboringcrypto_EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, EVP_PKEY_CTRL_RSA_OAEP_LABEL, llen, (void *)l);
6c08f9
-}
6c08f9
+DEFINEFUNC(int, EVP_PKEY_CTX_set0_rsa_oaep_label,
6c08f9
+		(GO_EVP_PKEY_CTX *ctx, uint8_t *l, int llen),
6c08f9
+		(ctx, l, llen))
6c08f9
 
6c08f9
 static inline int
6c08f9
 _goboringcrypto_EVP_PKEY_CTX_set_rsa_oaep_md(GO_EVP_PKEY_CTX *ctx, const GO_EVP_MD *md)
6c08f9
@@ -736,6 +757,7 @@ static inline int
6c08f9
 _goboringcrypto_EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) {
6c08f9
 	return _goboringcrypto_EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_TYPE_SIG, EVP_PKEY_CTRL_MD, 0, (void *)md);
6c08f9
 }
6c08f9
+
6c08f9
 static inline int
6c08f9
 _goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(GO_EVP_PKEY_CTX * ctx, const GO_EVP_MD *md) {
6c08f9
 	return _goboringcrypto_EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,
6c08f9
diff --git a/src/crypto/internal/boring/openssl_port_rsa.c b/src/crypto/internal/boring/openssl_port_rsa.c
6c08f9
index 92fbb36..781975c 100644
6c08f9
--- a/src/crypto/internal/boring/openssl_port_rsa.c
6c08f9
+++ b/src/crypto/internal/boring/openssl_port_rsa.c
6c08f9
@@ -91,31 +91,40 @@ int _goboringcrypto_RSA_sign_pss_mgf1(GO_RSA *rsa, unsigned int *out_len, uint8_
6c08f9
 
6c08f9
 	if (_goboringcrypto_EVP_PKEY_set1_RSA(pkey, rsa) <= 0)
6c08f9
 		goto err;
6c08f9
-
6c08f9
+	
6c08f9
 	ctx = _goboringcrypto_EVP_PKEY_CTX_new(pkey, NULL /* no engine */);
6c08f9
 	if (!ctx)
6c08f9
 		goto err;
6c08f9
 
6c08f9
-	if (_goboringcrypto_EVP_PKEY_sign_init(ctx) <= 0)
6c08f9
-		goto err;
6c08f9
-	if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PSS_PADDING) <= 0)
6c08f9
+	if (_goboringcrypto_EVP_PKEY_sign_init(ctx) <= 0) {
6c08f9
 		goto err;
6c08f9
-	if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, salt_len) <= 0)
6c08f9
+	}
6c08f9
+	// This is moved earlier because openssl 3.0 alpha defaults
6c08f9
+	// to sha1 in EVP_PKEY_CTRL_RSA_PADDING if unset and produces an error
6c08f9
+	if (_goboringcrypto_EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) {
6c08f9
 		goto err;
6c08f9
-	if (_goboringcrypto_EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0)
6c08f9
+	}
6c08f9
+	if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PSS_PADDING) <= 0) {
6c08f9
 		goto err;
6c08f9
-	if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, mgf1_md) <= 0)
6c08f9
+	}
6c08f9
+	if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, salt_len) <= 0) {
6c08f9
 		goto err;
6c08f9
-
6c08f9
+	}
6c08f9
+	// doesnt take null anymore
6c08f9
+	if (mgf1_md)
6c08f9
+		if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, mgf1_md) <= 0) {
6c08f9
+			goto err;
6c08f9
+		}
6c08f9
 	/* Determine buffer length */
6c08f9
-	if (_goboringcrypto_EVP_PKEY_sign(ctx, NULL, &siglen, in, in_len) <= 0)
6c08f9
+	if (_goboringcrypto_EVP_PKEY_sign(ctx, NULL, &siglen, in, in_len) <= 0) {
6c08f9
 		goto err;
6c08f9
-
6c08f9
-	if (max_out < siglen)
6c08f9
+	}
6c08f9
+	if (max_out < siglen) {
6c08f9
 		goto err;
6c08f9
-
6c08f9
-	if (_goboringcrypto_EVP_PKEY_sign(ctx, out, &siglen, in, in_len) <= 0)
6c08f9
+	}
6c08f9
+	if (_goboringcrypto_EVP_PKEY_sign(ctx, out, &siglen, in, in_len) <= 0) {
6c08f9
 		goto err;
6c08f9
+	}
6c08f9
 
6c08f9
 	*out_len = siglen;
6c08f9
 	ret = 1;
6c08f9
@@ -142,23 +151,31 @@ int _goboringcrypto_RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *msg, unsigned i
6c08f9
 
6c08f9
 	if (_goboringcrypto_EVP_PKEY_set1_RSA(pkey, rsa) <= 0)
6c08f9
 		goto err;
6c08f9
-
6c08f9
+	
6c08f9
 	ctx = _goboringcrypto_EVP_PKEY_CTX_new(pkey, NULL /* no engine */);
6c08f9
 	if (!ctx)
6c08f9
 		goto err;
6c08f9
 
6c08f9
-	if (_goboringcrypto_EVP_PKEY_verify_init(ctx) <= 0)
6c08f9
+	if (_goboringcrypto_EVP_PKEY_verify_init(ctx) <= 0) {
6c08f9
 		goto err;
6c08f9
-	if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PSS_PADDING) <= 0)
6c08f9
-		goto err;
6c08f9
-	if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, salt_len) <= 0)
6c08f9
+	}
6c08f9
+	if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PSS_PADDING) <= 0) {
6c08f9
 		goto err;
6c08f9
-	if (_goboringcrypto_EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0)
6c08f9
+	}
6c08f9
+	if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, salt_len) <= 0) {
6c08f9
 		goto err;
6c08f9
-	if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, mgf1_md) <= 0)
6c08f9
+	}
6c08f9
+	if (_goboringcrypto_EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) {
6c08f9
 		goto err;
6c08f9
-	if (_goboringcrypto_EVP_PKEY_verify(ctx, sig, sig_len, msg, msg_len) <= 0)
6c08f9
+	}
6c08f9
+	// doesnt take null anymore
6c08f9
+	if (mgf1_md)
6c08f9
+		if (_goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, mgf1_md) <= 0) {
6c08f9
+			goto err;
6c08f9
+		}
6c08f9
+	if (_goboringcrypto_EVP_PKEY_verify(ctx, sig, sig_len, msg, msg_len) <= 0) {
6c08f9
 		goto err;
6c08f9
+	}
6c08f9
 
6c08f9
 	ret = 1;
6c08f9
 
6c08f9
diff --git a/src/crypto/internal/boring/rand.go b/src/crypto/internal/boring/rand.go
6c08f9
index ff5c439..6047d65 100644
6c08f9
--- a/src/crypto/internal/boring/rand.go
6c08f9
+++ b/src/crypto/internal/boring/rand.go
6c08f9
@@ -20,7 +20,7 @@ func (randReader) Read(b []byte) (int, error) {
6c08f9
 	// Note: RAND_bytes should never fail; the return value exists only for historical reasons.
6c08f9
 	// We check it even so.
6c08f9
 	if len(b) > 0 && C._goboringcrypto_RAND_bytes((*C.uint8_t)(unsafe.Pointer(&b[0])), C.size_t(len(b))) == 0 {
6c08f9
-		return 0, fail("RAND_bytes")
6c08f9
+		return 0, NewOpenSSLError("RAND_bytes")
6c08f9
 	}
6c08f9
 	return len(b), nil
6c08f9
 }
6c08f9
diff --git a/src/crypto/internal/boring/rsa.go b/src/crypto/internal/boring/rsa.go
6c08f9
index b3a907f..b74e7a9 100644
6c08f9
--- a/src/crypto/internal/boring/rsa.go
6c08f9
+++ b/src/crypto/internal/boring/rsa.go
6c08f9
@@ -120,7 +120,9 @@ func (k *PrivateKeyRSA) withKey(f func(*C.GO_RSA) C.int) C.int {
6c08f9
 
6c08f9
 func setupRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
6c08f9
 	padding C.int, h hash.Hash, label []byte, saltLen int, ch crypto.Hash,
6c08f9
-	init func(*C.GO_EVP_PKEY_CTX) C.int) (pkey *C.GO_EVP_PKEY, ctx *C.GO_EVP_PKEY_CTX, err error) {
6c08f9
+	init func(*C.GO_EVP_PKEY_CTX) C.int) (_pkey *C.GO_EVP_PKEY, _ctx *C.GO_EVP_PKEY_CTX, err error) {
6c08f9
+	var pkey *C.GO_EVP_PKEY
6c08f9
+	var ctx *C.GO_EVP_PKEY_CTX
6c08f9
 	defer func() {
6c08f9
 		if err != nil {
6c08f9
 			if pkey != nil {
6c08f9
@@ -141,7 +143,7 @@ func setupRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
6c08f9
 	if withKey(func(key *C.GO_RSA) C.int {
6c08f9
 		return C._goboringcrypto_EVP_PKEY_set1_RSA(pkey, key)
6c08f9
 	}) == 0 {
6c08f9
-		return nil, nil, fail("EVP_PKEY_set1_RSA")
6c08f9
+		return nil, nil, NewOpenSSLError("EVP_PKEY_set1_RSA")
6c08f9
 	}
6c08f9
 	ctx = C._goboringcrypto_EVP_PKEY_CTX_new(pkey, nil)
6c08f9
 	if ctx == nil {
6c08f9
@@ -162,23 +164,12 @@ func setupRSA(withKey func(func(*C.GO_RSA) C.int) C.int,
6c08f9
 			return nil, nil, NewOpenSSLError("EVP_PKEY_set_rsa_oaep_md failed")
6c08f9
 		}
6c08f9
 		// ctx takes ownership of label, so malloc a copy for BoringCrypto to free.
6c08f9
-		var clabel *C.uint8_t
6c08f9
-		clabel = nil
6c08f9
-		// OpenSSL 1.1.1 does not take ownership of the label if the length is zero.
6c08f9
-		// Depending on the malloc implementation, if clabel is allocated with malloc(0),
6c08f9
-		// metadata for the size-zero allocation is never cleaned up, which is a memory leak.
6c08f9
-		// As such, we must only allocate clabel if the label is of non zero length.
6c08f9
-		if len(label) > 0 {
6c08f9
-			clabel = (*C.uint8_t)(C.malloc(C.size_t(len(label))))
6c08f9
-			if clabel == nil {
6c08f9
-				return nil, nil, fail("OPENSSL_malloc")
6c08f9
-			}
6c08f9
-			copy((*[1 << 30]byte)(unsafe.Pointer(clabel))[:len(label)], label)
6c08f9
+		clabel := (*C.uint8_t)(C.malloc(C.size_t(len(label))))
6c08f9
+		if clabel == nil {
6c08f9
+			return nil, nil, NewOpenSSLError("OPENSSL_malloc")
6c08f9
 		}
6c08f9
-		if C._goboringcrypto_EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, clabel, C.int(len(label))) != 1 {
6c08f9
-			if clabel != nil {
6c08f9
-				C.free(unsafe.Pointer(clabel))
6c08f9
-			}
6c08f9
+		copy((*[1 << 30]byte)(unsafe.Pointer(clabel))[:len(label)], label)
6c08f9
+		if C._goboringcrypto_EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, clabel, C.int(len(label))) == 0 {
6c08f9
 			return nil, nil, NewOpenSSLError("EVP_PKEY_CTX_set0_rsa_oaep_label failed")
6c08f9
 		}
6c08f9
 	}
6c08f9
@@ -276,12 +267,13 @@ func SignRSAPSS(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte, saltLen int)
6c08f9
 	}
6c08f9
 	var out []byte
6c08f9
 	var outLen C.uint
6c08f9
-	if priv.withKey(func(key *C.GO_RSA) C.int {
6c08f9
+	result := priv.withKey(func(key *C.GO_RSA) C.int {
6c08f9
 		out = make([]byte, C._goboringcrypto_RSA_size(key))
6c08f9
 		return C._goboringcrypto_RSA_sign_pss_mgf1(key, &outLen, base(out), C.uint(len(out)),
6c08f9
 			base(hashed), C.uint(len(hashed)), md, nil, C.int(saltLen))
6c08f9
-	}) == 0 {
6c08f9
-		return nil, fail("RSA_sign_pss_mgf1")
6c08f9
+	})
6c08f9
+	if result != 1 {
6c08f9
+		return nil, NewOpenSSLError("RSA_sign_pss_mgf1: returned " + strconv.Itoa(int(result)))
6c08f9
 	}
6c08f9
 
6c08f9
 	return out[:outLen], nil
6c08f9
@@ -295,11 +287,12 @@ func VerifyRSAPSS(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, saltLen
6c08f9
 	if saltLen == 0 {
6c08f9
 		saltLen = -2 // auto-recover
6c08f9
 	}
6c08f9
-	if pub.withKey(func(key *C.GO_RSA) C.int {
6c08f9
+	result := pub.withKey(func(key *C.GO_RSA) C.int {
6c08f9
 		return C._goboringcrypto_RSA_verify_pss_mgf1(key, base(hashed), C.uint(len(hashed)),
6c08f9
 			md, nil, C.int(saltLen), base(sig), C.uint(len(sig)))
6c08f9
-	}) == 0 {
6c08f9
-		return fail("RSA_verify_pss_mgf1")
6c08f9
+		})
6c08f9
+	if result != 1 {
6c08f9
+		return NewOpenSSLError("RSA_verify_pss_mgf1: returned " + strconv.Itoa(int(result)))
6c08f9
 	}
6c08f9
 	return nil
6c08f9
 }
6c08f9
diff --git a/src/crypto/rsa/pkcs1v15.go b/src/crypto/rsa/pkcs1v15.go
6c08f9
index 2d425f9..ceb32d0 100644
6c08f9
--- a/src/crypto/rsa/pkcs1v15.go
6c08f9
+++ b/src/crypto/rsa/pkcs1v15.go
6c08f9
@@ -102,7 +102,7 @@ func DecryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) ([]byt
6c08f9
 		}
6c08f9
 		out, err := boring.DecryptRSAPKCS1(bkey, ciphertext)
6c08f9
 		if err != nil {
6c08f9
-			return nil, ErrDecryption
6c08f9
+			return nil, err
6c08f9
 		}
6c08f9
 		return out, nil
6c08f9
 	}
6c08f9
diff --git a/src/crypto/rsa/pkcs1v15_test.go b/src/crypto/rsa/pkcs1v15_test.go
6c08f9
index 3dd1ec9..60c769c 100644
6c08f9
--- a/src/crypto/rsa/pkcs1v15_test.go
6c08f9
+++ b/src/crypto/rsa/pkcs1v15_test.go
6c08f9
@@ -9,7 +9,6 @@ import (
6c08f9
 	"crypto"
6c08f9
 	"crypto/internal/boring"
6c08f9
 	"crypto/rand"
6c08f9
-	"crypto/sha1"
6c08f9
 	"crypto/sha256"
6c08f9
 	"encoding/base64"
6c08f9
 	"encoding/hex"
6c08f9
@@ -32,22 +31,22 @@ type DecryptPKCS1v15Test struct {
6c08f9
 	in, out string
6c08f9
 }
6c08f9
 
6c08f9
-// These test vectors were generated with `openssl rsautl -pkcs -encrypt`
6c08f9
+// Test vectors for testRSA2048PrivateKey
6c08f9
 var decryptPKCS1v15Tests = []DecryptPKCS1v15Test{
6c08f9
 	{
6c08f9
-		"gIcUIoVkD6ATMBk/u/nlCZCCWRKdkfjCgFdo35VpRXLduiKXhNz1XupLLzTXAybEq15juc+EgY5o0DHv/nt3yg==",
6c08f9
+		"Ppg5lRhQZ8zLMgU8jFWURwm+Oj3t1+9x8qIDZwWMlP6O1QVO4xXxHdheVnLRa0Iq+L5HTgjk/PNNkSLIMD11ERxbMD5NtXoj64qaQDkyIBXaN0FNc5Nga/Lbb+vXVYSJ5F4KIOUYaOwzgNSCMensYNz5/7TloMy2Zoqa6vsWzcU+ujfyFaNjJXC26ZM0zv/4v9Aqqb/WIsLjEgdVvplqL1jwbI8Vv/MLEpQRay3S2RHoS9PIcvGKe3Ze0nOE8rAPiRQKfAsX+zlMkw1+LDttb5Dg/vM4lGF6jTg/nmfgCb6gjWE+QpapLKuZIN3WOwG/zslKeROErPn71xAlVeHI1Q==",
6c08f9
 		"x",
6c08f9
 	},
6c08f9
 	{
6c08f9
-		"Y7TOCSqofGhkRb+jaVRLzK8xw2cSo1IVES19utzv6hwvx+M8kFsoWQm5DzBeJCZTCVDPkTpavUuEbgp8hnUGDw==",
6c08f9
+		"kjtn1z9R67b0t7RydEoXeK9GC9wWt1J47i+14alOLCuWr9aqnJxYJS+jr2Z3/TWf4qqTiEujIP5bzvM8vnU2cnJqOGUqoH5xH1+8gq9aD0RbVY0auvUxPUKI3foLoMlp6M1fTSJGiuD9DASp7BZfiMvsU1kKPrLlHpu4azOKbAfIojyyt64Dl3cIpha8FBakym1SRM2iJKKBVae3Reu58uGX9lHroJAWiIdDT4VDIGXQv9dvsViPn4hvWKls5xYtf3V5GPHyvrptsLYcqBOUXM1Wnu2SpZxKRuyz9tWA3w377XNByDMchLJeC4qxdA6ayo53ckXr0no0fU0JrRHkdg==",
6c08f9
 		"testing.",
6c08f9
 	},
6c08f9
 	{
6c08f9
-		"arReP9DJtEVyV2Dg3dDp4c/PSk1O6lxkoJ8HcFupoRorBZG+7+1fDAwT1olNddFnQMjmkb8vxwmNMoTAT/BFjQ==",
6c08f9
+		"gljV2jJNON8RwzgVezwG/ddFWPSpGHgnUgEot42vU7Kow5TMvd43f9QAJsPQd0ocT9YIp/3km+2CSWWr+5E3fWW0p2cQBxUfnsJFsNKPvQt6Ct7Bn8HzkhxLJuvIShFzQlBuph4hBuN33dWhAFFDESsZnPvU6EFJlmTHrmqY+H9cdECU4hXQ1R7Z+lHlvT8RxDNBu1fdAarRXcKrw9EeN2ZwSvVx62aXnAcAQQkijmOn9dkObgqeii/wHPI28SR/Aa/hTw1XE5DoZmDBCx6EFJ4hcY7MKAX0iSQiaxinM+IxkqiCftOnvYv737cD/vKG6llhGCCDx0Et5xYu2JWakw==",
6c08f9
 		"testing.\n",
6c08f9
 	},
6c08f9
 	{
6c08f9
-		"WtaBXIoGC54+vH0NH0CHHE+dRDOsMc/6BrfFu2lEqcKL9+uDuWaf+Xj9mrbQCjjZcpQuX733zyok/jsnqe/Ftw==",
6c08f9
+		"iJiYwVBtLhZBmYngT5u+YR5+raI33OvpShPR9arl4zSss+eK5krMANZUTrRCsw8Tho6kpyDgVohfH5V/8zX4Rtslak1peZdvnmcEkJCFk0FpnlcALRBGTCXUJEwxlSgaTz00awCjkfLzMYNCwTAlEP9QxUX2kSIABKSUw4ARwZ5jQTGCdJNl696Q/cF1JjEqsjpPbjn4UYkV3gNl0xXPiTVgfNJKZir1caEGOKfOsfbTFixvA5oANgRySxwZfoj/6dW9xIVgcq/ssmkTl8TnTKQTY0dRTNWs8+HuQxp2I4MSmAun6LYdr8pom1IazJtp1BEaSDZ+thRIQ/oMsYDJXQ==",
6c08f9
 		"01234567890123456789012345678901234567890123456789012",
6c08f9
 	},
6c08f9
 }
6c08f9
@@ -55,10 +54,10 @@ var decryptPKCS1v15Tests = []DecryptPKCS1v15Test{
6c08f9
 func TestDecryptPKCS1v15(t *testing.T) {
6c08f9
 	decryptionFuncs := []func([]byte) ([]byte, error){
6c08f9
 		func(ciphertext []byte) (plaintext []byte, err error) {
6c08f9
-			return DecryptPKCS1v15(nil, rsaPrivateKey, ciphertext)
6c08f9
+			return DecryptPKCS1v15(nil, testRSA2048PrivateKey, ciphertext)
6c08f9
 		},
6c08f9
 		func(ciphertext []byte) (plaintext []byte, err error) {
6c08f9
-			return rsaPrivateKey.Decrypt(nil, ciphertext, nil)
6c08f9
+			return testRSA2048PrivateKey.Decrypt(nil, ciphertext, nil)
6c08f9
 		},
6c08f9
 	}
6c08f9
 
6c08f9
@@ -78,14 +77,14 @@ func TestDecryptPKCS1v15(t *testing.T) {
6c08f9
 
6c08f9
 func TestEncryptPKCS1v15(t *testing.T) {
6c08f9
 	random := rand.Reader
6c08f9
-	k := (rsaPrivateKey.N.BitLen() + 7) / 8
6c08f9
+	k := (testRSA2048PrivateKey.N.BitLen() + 7) / 8
6c08f9
 
6c08f9
 	tryEncryptDecrypt := func(in []byte, blind bool) bool {
6c08f9
 		if len(in) > k-11 {
6c08f9
 			in = in[0 : k-11]
6c08f9
 		}
6c08f9
 
6c08f9
-		ciphertext, err := EncryptPKCS1v15(random, &rsaPrivateKey.PublicKey, in)
6c08f9
+		ciphertext, err := EncryptPKCS1v15(random, &testRSA2048PrivateKey.PublicKey, in)
6c08f9
 		if err != nil {
6c08f9
 			t.Errorf("error encrypting: %s", err)
6c08f9
 			return false
6c08f9
@@ -97,7 +96,7 @@ func TestEncryptPKCS1v15(t *testing.T) {
6c08f9
 		} else {
6c08f9
 			rand = random
6c08f9
 		}
6c08f9
-		plaintext, err := DecryptPKCS1v15(rand, rsaPrivateKey, ciphertext)
6c08f9
+		plaintext, err := DecryptPKCS1v15(rand, testRSA2048PrivateKey, ciphertext)
6c08f9
 		if err != nil {
6c08f9
 			t.Errorf("error decrypting: %s", err)
6c08f9
 			return false
6c08f9
@@ -117,22 +116,22 @@ func TestEncryptPKCS1v15(t *testing.T) {
6c08f9
 	quick.Check(tryEncryptDecrypt, config)
6c08f9
 }
6c08f9
 
6c08f9
-// These test vectors were generated with `openssl rsautl -pkcs -encrypt`
6c08f9
+// Test vectors for testRSA2048PrivateKey
6c08f9
 var decryptPKCS1v15SessionKeyTests = []DecryptPKCS1v15Test{
6c08f9
 	{
6c08f9
-		"e6ukkae6Gykq0fKzYwULpZehX+UPXYzMoB5mHQUDEiclRbOTqas4Y0E6nwns1BBpdvEJcilhl5zsox/6DtGsYg==",
6c08f9
+		"cSBy/rsocfCY2L/WDP7+oyI/uk0qf3BuJvWo1VwV/DG9XLuu7J1Gb2e7hYl3kmdf6rSnoqDuVE3viOsGeq1OsW9w0uw08syTwdOp34z90qxlrrKsGjjz9XIgErqwlWvfQ5KQQb8KA29Ub7q0sqQMMQD75bUxN3P4GhtOG6kNVY33QoCIVR65vHLcqe3SlrxAfYzlOjMNwdPsNP1GGVyAZpccxOiBJSUrssAFvRJ3g62wj2xrrtneRztmOGOy8ZSiEjGNjJ4/lmJXt2GyPXapTTKeHFbyqh5Xu8PNgMxaCgtWgMqnK6CPbJOGgski9axyaxPzjKEjUcs99dJ1mTT+qw==",
6c08f9
 		"1234",
6c08f9
 	},
6c08f9
 	{
6c08f9
-		"Dtis4uk/q/LQGGqGk97P59K03hkCIVFMEFZRgVWOAAhxgYpCRG0MX2adptt92l67IqMki6iVQyyt0TtX3IdtEw==",
6c08f9
+		"lcsS8tzZSJSiaaOSQSO4pT3Je5vvrNfAVUy3Axojr4uRreMuLRTIOOmEYRM/JcWakpJelPd+EHG/aXxId8aCoBg1MkH5q8AHW3zUARhlOd91rpASVs03v5wuk0jtiQiqr0HLNyxifSEzj04VPklc6n00yuHbI+DNTATTVkxj3a5hgOECqKi2matXGcJ5FtMEPAi2V+36y2dQ+DA/tgQrhlZ4ycA2FJnjvOHRJbC6QwNzPkzbjTlCqNzq92nwWKDypVJ29CrIQ2HYXG63DOuT96gIa08hyeZEeIrAUjtb9DK1TSEF/9BDASffHevW3/CqfpRYnFSNOj2xli3wBn1Dvg==",
6c08f9
 		"FAIL",
6c08f9
 	},
6c08f9
 	{
6c08f9
-		"LIyFyCYCptPxrvTxpol8F3M7ZivlMsf53zs0vHRAv+rDIh2YsHS69ePMoPMe3TkOMZ3NupiL3takPxIs1sK+dw==",
6c08f9
+		"Bsrz5yYuevhqx1Pxx4zEsegU2aVBZ2h9ebtAgQkq3N/og0t+8O92XpPBoNH/HT2jHclh01aij1niCqdBn2/6GBN4irnVjrWQkoAV2Q5Q+gVS0ZYeTzeX/15M/iq9xeLjBPXqj5PmNYh+vbL05FyPB+CcY8MPyv7HmtDsAWRVDxQVWy6y4lmC1/VwnG5jtmAbapE+Vyty0iVb9/Q6UaaV7DVKVssEDmwnychibJ4ACcTQ18kLkB1AE73dXp1B/XHh6ExbHXoaPeaRYr2gEI0No6VBTrMrG5eVz3dub/a5MVeat9n/oU2QQ3s/Pm0FlF9n2mwgvKm/4nLjwjiTFt3ToQ==",
6c08f9
 		"abcd",
6c08f9
 	},
6c08f9
 	{
6c08f9
-		"bafnobel46bKy76JzqU/RIVOH0uAYvzUtauKmIidKgM0sMlvobYVAVQPeUQ/oTGjbIZ1v/6Gyi5AO4DtHruGdw==",
6c08f9
+		"FKynVeuuoYxonMoXWwIw3mY7KTV3yS3fe2D+h5v6FXs/0xb5PeINCEq0+Ub5LFAZcx/lIbnt4bkLZcaKDxLpBCxpvpZNdgGxP970BvE5xmOuagF47VaqCciiERTTztRjwKTu0PZ5VtcpsxiSN4axlC1NOpJnIpDsNOWUaf5G6fCCEdfZWwgxaHLbxSAy+IdUHBH+honCPPZAyGyhERdcDRGJ8a6R20MFXC18e8asHtF5VWaicaYe0fy1Mrii46WqFY8hwoSrbHOGEQkjRymM/IQvXFdxQ1vtzAFavUsr5taiVe84DvcFJ5eRZ2jpVQTdO4gBy6RyD64iNSrv8a5dqA==",
6c08f9
 		"FAIL",
6c08f9
 	},
6c08f9
 }
6c08f9
@@ -140,7 +139,7 @@ var decryptPKCS1v15SessionKeyTests = []DecryptPKCS1v15Test{
6c08f9
 func TestEncryptPKCS1v15SessionKey(t *testing.T) {
6c08f9
 	for i, test := range decryptPKCS1v15SessionKeyTests {
6c08f9
 		key := []byte("FAIL")
6c08f9
-		err := DecryptPKCS1v15SessionKey(nil, rsaPrivateKey, decodeBase64(test.in), key)
6c08f9
+		err := DecryptPKCS1v15SessionKey(nil, testRSA2048PrivateKey, decodeBase64(test.in), key)
6c08f9
 		if err != nil {
6c08f9
 			t.Errorf("#%d error decrypting", i)
6c08f9
 		}
6c08f9
@@ -153,7 +152,7 @@ func TestEncryptPKCS1v15SessionKey(t *testing.T) {
6c08f9
 
6c08f9
 func TestEncryptPKCS1v15DecrypterSessionKey(t *testing.T) {
6c08f9
 	for i, test := range decryptPKCS1v15SessionKeyTests {
6c08f9
-		plaintext, err := rsaPrivateKey.Decrypt(rand.Reader, decodeBase64(test.in), &PKCS1v15DecryptOptions{SessionKeyLen: 4})
6c08f9
+		plaintext, err := testRSA2048PrivateKey.Decrypt(rand.Reader, decodeBase64(test.in), &PKCS1v15DecryptOptions{SessionKeyLen: 4})
6c08f9
 		if err != nil {
6c08f9
 			t.Fatalf("#%d: error decrypting: %s", i, err)
6c08f9
 		}
6c08f9
@@ -187,19 +186,19 @@ type signPKCS1v15Test struct {
6c08f9
 	in, out string
6c08f9
 }
6c08f9
 
6c08f9
-// These vectors have been tested with
6c08f9
-//   `openssl rsautl -verify -inkey pk -in signature | hexdump -C`
6c08f9
-var signPKCS1v15Tests = []signPKCS1v15Test{
6c08f9
-	{"Test.\n", "a4f3fa6ea93bcdd0c57be020c1193ecbfd6f200a3d95c409769b029578fa0e336ad9a347600e40d3ae823b8c7e6bad88cc07c1d54c3a1523cbbb6d58efc362ae"},
6c08f9
+// Test vector for testRSA2048PrivateKey
6c08f9
+// generated with `openssl pkeyutl -rawin -digest sha256 -sign -inkey <key>`
6c08f9
+ var signPKCS1v15Tests = []signPKCS1v15Test{
6c08f9
+	{"Test.\n", "467c3c8f16223ba09aecfe44488d6b34b3f91f11379949b1d8af31636ee8b3aa51eebb96ee11678323cb1f909af17c9d0fe4b6012078af8120474474efd1bb51765e1647369ddba6525c6608113857bb0e2aaed9ad01fe041b476b162f7d4db55bb31fa957046616ce463cecb2a66f38fa62c594d07afcc870582d545853b31fa705ab8565e4085804c32e73459720bf4e08f097843b0845116d4376231fa2472abc89b1e42462002bf70f9a1df31db6d2ab6dc52c8223798a4f57c40d6a9123b80739846d779044eac28d8c783e8ce73919f1d4a6efe8fb601b8d36c5c9b61654d6f8717d1fb9fcafa19669200900899dd08ce921a1745312eb06040a405903"},
6c08f9
 }
6c08f9
 
6c08f9
 func TestSignPKCS1v15(t *testing.T) {
6c08f9
 	for i, test := range signPKCS1v15Tests {
6c08f9
-		h := sha1.New()
6c08f9
+		h := sha256.New()
6c08f9
 		h.Write([]byte(test.in))
6c08f9
 		digest := h.Sum(nil)
6c08f9
 
6c08f9
-		s, err := SignPKCS1v15(nil, rsaPrivateKey, crypto.SHA1, digest)
6c08f9
+		s, err := SignPKCS1v15(nil, testRSA2048PrivateKey, crypto.SHA256, digest)
6c08f9
 		if err != nil {
6c08f9
 			t.Errorf("#%d %s", i, err)
6c08f9
 		}
6c08f9
@@ -213,13 +212,13 @@ func TestSignPKCS1v15(t *testing.T) {
6c08f9
 
6c08f9
 func TestVerifyPKCS1v15(t *testing.T) {
6c08f9
 	for i, test := range signPKCS1v15Tests {
6c08f9
-		h := sha1.New()
6c08f9
+		h := sha256.New()
6c08f9
 		h.Write([]byte(test.in))
6c08f9
 		digest := h.Sum(nil)
6c08f9
 
6c08f9
 		sig, _ := hex.DecodeString(test.out)
6c08f9
 
6c08f9
-		err := VerifyPKCS1v15(&rsaPrivateKey.PublicKey, crypto.SHA1, digest, sig)
6c08f9
+		err := VerifyPKCS1v15(&testRSA2048PrivateKey.PublicKey, crypto.SHA256, digest, sig)
6c08f9
 		if err != nil {
6c08f9
 			t.Errorf("#%d %s", i, err)
6c08f9
 		}
6c08f9
@@ -230,7 +229,7 @@ func TestHashVerifyPKCS1v15(t *testing.T) {
6c08f9
 	for i, test := range signPKCS1v15Tests {
6c08f9
 		sig, _ := hex.DecodeString(test.out)
6c08f9
 
6c08f9
-		err := HashVerifyPKCS1v15(&rsaPrivateKey.PublicKey, crypto.SHA1, []byte(test.in), sig)
6c08f9
+		err := HashVerifyPKCS1v15(&testRSA2048PrivateKey.PublicKey, crypto.SHA256, []byte(test.in), sig)
6c08f9
 		if err != nil {
6c08f9
 			t.Errorf("#%d %s", i, err)
6c08f9
 		}
6c08f9
@@ -273,19 +272,47 @@ func TestUnpaddedSignature(t *testing.T) {
6c08f9
 func TestShortSessionKey(t *testing.T) {
6c08f9
 	// This tests that attempting to decrypt a session key where the
6c08f9
 	// ciphertext is too small doesn't run outside the array bounds.
6c08f9
-	ciphertext, err := EncryptPKCS1v15(rand.Reader, &rsaPrivateKey.PublicKey, []byte{1})
6c08f9
-	if err != nil {
6c08f9
-		t.Fatalf("Failed to encrypt short message: %s", err)
6c08f9
+	var keys []*PrivateKey
6c08f9
+	if boring.Enabled() {
6c08f9
+		keys = GenerateTestPrivateKeys()
6c08f9
+	} else {
6c08f9
+		keys = []*PrivateKey{rsaPrivateKey}
6c08f9
 	}
6c08f9
 
6c08f9
-	var key [32]byte
6c08f9
-	if err := DecryptPKCS1v15SessionKey(nil, rsaPrivateKey, ciphertext, key[:]); err != nil {
6c08f9
-		t.Fatalf("Failed to decrypt short message: %s", err)
6c08f9
-	}
6c08f9
+        for i, k := range keys {
6c08f9
+
6c08f9
+		if k.Size() >= 256 || !boring.Enabled() {
6c08f9
+			ciphertext, err := EncryptPKCS1v15(rand.Reader, &k.PublicKey, []byte{1})
6c08f9
+			if err != nil {
6c08f9
+				t.Fatalf("Failed to encrypt short message: key: %v, %s", i, err)
6c08f9
+				continue
6c08f9
+			}
6c08f9
+
6c08f9
+			var key [32]byte
6c08f9
+			if err := DecryptPKCS1v15SessionKey(nil, k, ciphertext, key[:]); err != nil {
6c08f9
+				t.Fatalf("Failed to decrypt short message: key: %v, %s", i, err)
6c08f9
+				continue
6c08f9
+			}
6c08f9
+
6c08f9
+			for _, v := range key {
6c08f9
+				if v != 0 {
6c08f9
+					t.Fatal("key was modified when ciphertext was invalid")
6c08f9
+				}
6c08f9
+			}
6c08f9
+		} else {
6c08f9
+			ciphertext, err := EncryptPKCS1v15(rand.Reader, &k.PublicKey, []byte{1})
6c08f9
+			if err == nil {
6c08f9
+				t.Errorf("EncryptPKCS1v15: Should reject key smaller than 2048 bits")
6c08f9
+			} else {
6c08f9
+				continue
6c08f9
+			}
6c08f9
+
6c08f9
+			var key [32]byte
6c08f9
+			err = DecryptPKCS1v15SessionKey(nil, k, ciphertext, key[:]);
6c08f9
+			if err != nil {
6c08f9
+				t.Errorf("DecryptPKCS1v15SessionKey: Should reject key smaller than 2048 bits")
6c08f9
+			}
6c08f9
 
6c08f9
-	for _, v := range key {
6c08f9
-		if v != 0 {
6c08f9
-			t.Fatal("key was modified when ciphertext was invalid")
6c08f9
 		}
6c08f9
 	}
6c08f9
 }
6c08f9
@@ -313,6 +340,28 @@ var rsaPrivateKey = &PrivateKey{
6c08f9
 	},
6c08f9
 }
6c08f9
 
6c08f9
+func generateKey(size int) *PrivateKey {
6c08f9
+	result, err := GenerateKey(rand.Reader, size)
6c08f9
+	if err != nil {
6c08f9
+		panic("could not generate key")
6c08f9
+	}
6c08f9
+	return result
6c08f9
+}
6c08f9
+
6c08f9
+func GenerateTestPrivateKeys() []*PrivateKey {
6c08f9
+
6c08f9
+	keys := []*PrivateKey{
6c08f9
+		generateKey(128),
6c08f9
+		generateKey(256),
6c08f9
+		generateKey(768),
6c08f9
+		generateKey(1024),
6c08f9
+		generateKey(2048),
6c08f9
+		generateKey(3072),
6c08f9
+		generateKey(4096),
6c08f9
+	}
6c08f9
+	return keys
6c08f9
+}
6c08f9
+
6c08f9
 func TestShortPKCS1v15Signature(t *testing.T) {
6c08f9
 	pub := &PublicKey{
6c08f9
 		E: 65537,
6c08f9
diff --git a/src/crypto/rsa/pss_test.go b/src/crypto/rsa/pss_test.go
6c08f9
index 6a5a93f..2032b4b 100644
6c08f9
--- a/src/crypto/rsa/pss_test.go
6c08f9
+++ b/src/crypto/rsa/pss_test.go
6c08f9
@@ -132,7 +132,6 @@ func TestPSSGolden(t *testing.T) {
6c08f9
 	opts := &PSSOptions{
6c08f9
 		SaltLength: PSSSaltLengthEqualsHash,
6c08f9
 	}
6c08f9
-
6c08f9
 	for marker := range values {
6c08f9
 		switch marker {
6c08f9
 		case newKeyMarker:
6c08f9
@@ -174,18 +173,13 @@ func TestPSSOpenSSL(t *testing.T) {
6c08f9
 	h.Write(hashed)
6c08f9
 	hashed = h.Sum(nil)
6c08f9
 
6c08f9
+	// Test vector for testRSA2048PrivateKey
6c08f9
 	// Generated with `echo -n testing | openssl dgst -sign key.pem -sigopt rsa_padding_mode:pss -sha256 > sig`
6c08f9
 	sig := []byte{
6c08f9
-		0x95, 0x59, 0x6f, 0xd3, 0x10, 0xa2, 0xe7, 0xa2, 0x92, 0x9d,
6c08f9
-		0x4a, 0x07, 0x2e, 0x2b, 0x27, 0xcc, 0x06, 0xc2, 0x87, 0x2c,
6c08f9
-		0x52, 0xf0, 0x4a, 0xcc, 0x05, 0x94, 0xf2, 0xc3, 0x2e, 0x20,
6c08f9
-		0xd7, 0x3e, 0x66, 0x62, 0xb5, 0x95, 0x2b, 0xa3, 0x93, 0x9a,
6c08f9
-		0x66, 0x64, 0x25, 0xe0, 0x74, 0x66, 0x8c, 0x3e, 0x92, 0xeb,
6c08f9
-		0xc6, 0xe6, 0xc0, 0x44, 0xf3, 0xb4, 0xb4, 0x2e, 0x8c, 0x66,
6c08f9
-		0x0a, 0x37, 0x9c, 0x69,
6c08f9
+		0x50, 0x97, 0xc1, 0xe2, 0x7c, 0x67, 0x99, 0x50, 0xdc, 0x5a, 0x43, 0xc6, 0xc6, 0xf2, 0xf1, 0xff, 0xcd, 0xe7, 0x66, 0xef, 0x61, 0x41, 0x5f, 0x49, 0x4f, 0xf0, 0x11, 0xfc, 0x3d, 0xa8, 0xf9, 0x3c, 0x3a, 0x8a, 0x71, 0x5c, 0xfa, 0xbc, 0x48, 0x73, 0x37, 0xec, 0x68, 0x6d, 0x6c, 0xca, 0xe, 0x30, 0x74, 0xe1, 0xbd, 0x88, 0xb6, 0x42, 0x92, 0x8d, 0x41, 0x5f, 0x7, 0x80, 0xc5, 0xef, 0xa3, 0x2e, 0x68, 0x47, 0x83, 0xb4, 0x96, 0x4c, 0x53, 0x61, 0x2c, 0xe8, 0xb8, 0x3, 0xae, 0x44, 0x5e, 0xb3, 0x44, 0x10, 0x58, 0xfd, 0x68, 0x9c, 0x33, 0xac, 0x63, 0xfe, 0x9d, 0x84, 0xab, 0x45, 0x70, 0x54, 0xc5, 0x90, 0x1e, 0x80, 0xd4, 0x31, 0x16, 0x15, 0x4b, 0x60, 0x13, 0x24, 0xa, 0xa8, 0xbc, 0xe5, 0xeb, 0xf8, 0x7d, 0x32, 0xd9, 0xcd, 0x8b, 0xef, 0x55, 0x60, 0x1, 0xa6, 0x99, 0xa2, 0xde, 0xb0, 0x68, 0xc1, 0x64, 0x8b, 0x6, 0xe6, 0x75, 0xcf, 0x2d, 0x7a, 0x8b, 0xd6, 0xa3, 0x99, 0xf1, 0xc9, 0xaf, 0x9a, 0x81, 0xe4, 0xac, 0x2e, 0x17, 0x8c, 0x49, 0xfc, 0x12, 0x79, 0xfb, 0x4a, 0xba, 0x68, 0xd8, 0xdb, 0x43, 0x6c, 0x15, 0xaf, 0xa4, 0x16, 0x2f, 0xc9, 0x1e, 0xbe, 0xef, 0xb3, 0x35, 0x14, 0x2f, 0x35, 0x41, 0x10, 0xf8, 0x32, 0xf8, 0x0, 0x5c, 0xbf, 0x77, 0xa, 0xbb, 0x77, 0x49, 0x47, 0x54, 0x7a, 0x58, 0xfd, 0xb3, 0x2c, 0x46, 0xa0, 0x5c, 0x3, 0x7a, 0xf7, 0xab, 0x77, 0xdb, 0xca, 0x9a, 0x38, 0x89, 0xb, 0x3e, 0xb0, 0x13, 0xe8, 0x16, 0xc0, 0xca, 0x29, 0xbb, 0x4a, 0x97, 0x46, 0x53, 0x59, 0x66, 0x81, 0x84, 0x6d, 0xe5, 0xda, 0x26, 0xc9, 0x83, 0xfc, 0x67, 0xd0, 0x96, 0x72, 0x81, 0x1c, 0xe0, 0x4, 0xb7, 0x0, 0xca, 0xe0, 0x4a, 0x51, 0x4e, 0x83, 0xc8, 0xeb, 0xf7, 0x6d,
6c08f9
 	}
6c08f9
 
6c08f9
-	if err := VerifyPSS(&rsaPrivateKey.PublicKey, hash, hashed, sig, nil); err != nil {
6c08f9
+	if err := VerifyPSS(&testRSA2048PrivateKey.PublicKey, hash, hashed, sig, nil); err != nil {
6c08f9
 		t.Error(err)
6c08f9
 	}
6c08f9
 }
6c08f9
@@ -212,24 +206,47 @@ func TestPSSSigning(t *testing.T) {
6c08f9
 		{8, 8, true},
6c08f9
 	}
6c08f9
 
6c08f9
+	var opts PSSOptions
6c08f9
 	hash := crypto.SHA1
6c08f9
+	keys := []*PrivateKey{rsaPrivateKey}
6c08f9
+	if boring.Enabled() {
6c08f9
+		hash = crypto.SHA256
6c08f9
+		keys = GenerateTestPrivateKeys()
6c08f9
+	}
6c08f9
 	h := hash.New()
6c08f9
 	h.Write([]byte("testing"))
6c08f9
 	hashed := h.Sum(nil)
6c08f9
-	var opts PSSOptions
6c08f9
 
6c08f9
-	for i, test := range saltLengthCombinations {
6c08f9
-		opts.SaltLength = test.signSaltLength
6c08f9
-		sig, err := SignPSS(rand.Reader, rsaPrivateKey, hash, hashed, &opts)
6c08f9
-		if err != nil {
6c08f9
-			t.Errorf("#%d: error while signing: %s", i, err)
6c08f9
-			continue
6c08f9
-		}
6c08f9
+	for _, key := range keys {
6c08f9
+		if !boring.Enabled() || key.Size() >= 256 {
6c08f9
+			for i, test := range saltLengthCombinations {
6c08f9
+				opts.SaltLength = test.signSaltLength
6c08f9
+				sig, err := SignPSS(rand.Reader, key, hash, hashed, &opts)
6c08f9
+				if err != nil {
6c08f9
+					t.Errorf("#%d: ALG: %v, error while signing: %s", i, hash, err)
6c08f9
+					continue
6c08f9
+				}
6c08f9
+				opts.SaltLength = test.verifySaltLength
6c08f9
+				err = VerifyPSS(&key.PublicKey, hash, hashed, sig, &opts)
6c08f9
+				if (err == nil) != test.good {
6c08f9
+					t.Errorf("#%d: bad result, wanted: %t, got: %s", i, test.good, err)
6c08f9
+				}
6c08f9
+			}
6c08f9
+		} else {
6c08f9
+			 for _, test := range saltLengthCombinations {
6c08f9
+				opts.SaltLength = test.signSaltLength
6c08f9
+				sig, err := SignPSS(rand.Reader, key, hash, hashed, &opts)
6c08f9
+				if err == nil {
6c08f9
+					t.Errorf("SignPSS should reject key of size: %v\n%v", key.Size() * 8, err)
6c08f9
+					continue
6c08f9
+				}
6c08f9
+				opts.SaltLength = test.verifySaltLength
6c08f9
+				err = VerifyPSS(&key.PublicKey, hash, hashed, sig, &opts)
6c08f9
+				if (err == nil) {
6c08f9
+					t.Errorf("VerifyPSS should reject key of size: %v\n%v", key.Size() * 8, err)
6c08f9
+				}
6c08f9
+			}
6c08f9
 
6c08f9
-		opts.SaltLength = test.verifySaltLength
6c08f9
-		err = VerifyPSS(&rsaPrivateKey.PublicKey, hash, hashed, sig, &opts)
6c08f9
-		if (err == nil) != test.good {
6c08f9
-			t.Errorf("#%d: bad result, wanted: %t, got: %s", i, test.good, err)
6c08f9
 		}
6c08f9
 	}
6c08f9
 }
6c08f9
diff --git a/src/crypto/rsa/rsa.go b/src/crypto/rsa/rsa.go
6c08f9
index 24e2d22..1fd5a9a 100644
6c08f9
--- a/src/crypto/rsa/rsa.go
6c08f9
+++ b/src/crypto/rsa/rsa.go
6c08f9
@@ -35,6 +35,7 @@ import (
6c08f9
 	"crypto/internal/boring"
6c08f9
 	"crypto/internal/randutil"
6c08f9
 	"unsafe"
6c08f9
+	"fmt"
6c08f9
 )
6c08f9
 
6c08f9
 var bigZero = big.NewInt(0)
6c08f9
@@ -664,7 +665,7 @@ func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext
6c08f9
 		}
6c08f9
 		out, err := boring.DecryptRSAOAEP(hash, bkey, ciphertext, label)
6c08f9
 		if err != nil {
6c08f9
-			return nil, ErrDecryption
6c08f9
+			return nil, fmt.Errorf("decryption error: %s", err)
6c08f9
 		}
6c08f9
 		return out, nil
6c08f9
 	}
6c08f9
diff --git a/src/crypto/rsa/rsa_test.go b/src/crypto/rsa/rsa_test.go
6c08f9
index d9693a7..cfe020e 100644
6c08f9
--- a/src/crypto/rsa/rsa_test.go
6c08f9
+++ b/src/crypto/rsa/rsa_test.go
6c08f9
@@ -13,6 +13,7 @@ import (
6c08f9
 	"fmt"
6c08f9
 	"math/big"
6c08f9
 	"testing"
6c08f9
+
6c08f9
 )
6c08f9
 
6c08f9
 import "crypto/internal/boring"
6c08f9
@@ -34,34 +35,42 @@ func TestKeyGeneration(t *testing.T) {
6c08f9
 }
6c08f9
 
6c08f9
 func Test3PrimeKeyGeneration(t *testing.T) {
6c08f9
-	size := 768
6c08f9
+	var sizes []int
6c08f9
 	if testing.Short() {
6c08f9
-		size = 256
6c08f9
+		sizes = []int{256}
6c08f9
+	} else {
6c08f9
+		sizes = []int{128, 768, 1024, 2048, 3072}
6c08f9
 	}
6c08f9
+	for _, size := range sizes {
6c08f9
 
6c08f9
-	priv, err := GenerateMultiPrimeKey(rand.Reader, 3, size)
6c08f9
-	if err != nil {
6c08f9
-		t.Errorf("failed to generate key")
6c08f9
+		priv, err := GenerateMultiPrimeKey(rand.Reader, 3, size)
6c08f9
+		if err != nil {
6c08f9
+			t.Errorf("failed to generate key")
6c08f9
+		}
6c08f9
+		testKeyBasics(t, priv)
6c08f9
 	}
6c08f9
-	testKeyBasics(t, priv)
6c08f9
 }
6c08f9
 
6c08f9
 func Test4PrimeKeyGeneration(t *testing.T) {
6c08f9
-	size := 768
6c08f9
+	var sizes []int
6c08f9
 	if testing.Short() {
6c08f9
-		size = 256
6c08f9
+		sizes = []int{256}
6c08f9
+	} else {
6c08f9
+		sizes = []int{128, 768, 1024, 2048, 3072}
6c08f9
 	}
6c08f9
+	for _, size := range sizes {
6c08f9
 
6c08f9
-	priv, err := GenerateMultiPrimeKey(rand.Reader, 4, size)
6c08f9
-	if err != nil {
6c08f9
-		t.Errorf("failed to generate key")
6c08f9
+		priv, err := GenerateMultiPrimeKey(rand.Reader, 4, size)
6c08f9
+		if err != nil {
6c08f9
+			t.Errorf("failed to generate key")
6c08f9
+		}
6c08f9
+		testKeyBasics(t, priv)
6c08f9
 	}
6c08f9
-	testKeyBasics(t, priv)
6c08f9
 }
6c08f9
 
6c08f9
 func TestNPrimeKeyGeneration(t *testing.T) {
6c08f9
 	primeSize := 64
6c08f9
-	maxN := 24
6c08f9
+	maxN := 32
6c08f9
 	if testing.Short() {
6c08f9
 		primeSize = 16
6c08f9
 		maxN = 16
6c08f9
@@ -117,18 +126,32 @@ func testKeyBasics(t *testing.T, priv *PrivateKey) {
6c08f9
 	if boring.Enabled() {
6c08f9
 		// Cannot call encrypt/decrypt directly. Test via PKCS1v15.
6c08f9
 		msg := []byte("hi!")
6c08f9
-		enc, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, msg)
6c08f9
-		if err != nil {
6c08f9
-			t.Errorf("EncryptPKCS1v15: %v", err)
6c08f9
-			return
6c08f9
-		}
6c08f9
-		dec, err := DecryptPKCS1v15(rand.Reader, priv, enc)
6c08f9
-		if err != nil {
6c08f9
-			t.Errorf("DecryptPKCS1v15: %v", err)
6c08f9
-			return
6c08f9
-		}
6c08f9
-		if !bytes.Equal(dec, msg) {
6c08f9
-			t.Errorf("got:%x want:%x (%+v)", dec, msg, priv)
6c08f9
+		// Should not accept keys smaller than 2048 bits (256 bytes)
6c08f9
+		if priv.Size() >= 256 {
6c08f9
+			enc, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, msg)
6c08f9
+			if err != nil {
6c08f9
+				t.Errorf("EncryptPKCS1v15: %v", err)
6c08f9
+				return
6c08f9
+			}
6c08f9
+			dec, err := DecryptPKCS1v15(rand.Reader, priv, enc)
6c08f9
+			if err != nil {
6c08f9
+				t.Errorf("DecryptPKCS1v15: %v", err)
6c08f9
+				return
6c08f9
+			}
6c08f9
+			if !bytes.Equal(dec, msg) {
6c08f9
+				t.Errorf("got:%x want:%x (%+v)", dec, msg, priv)
6c08f9
+			}
6c08f9
+		} else {
6c08f9
+			enc, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, msg)
6c08f9
+			if err == nil {
6c08f9
+				t.Errorf("EncryptPKCS1v15: Should not accept key of size %v", priv.Size() * 8)
6c08f9
+				return
6c08f9
+			}
6c08f9
+			_ , err = DecryptPKCS1v15(rand.Reader, priv, enc)
6c08f9
+			if err == nil {
6c08f9
+				t.Errorf("DecryptPKCS1v15: Should not accept key of size %v", priv.Size() * 8)
6c08f9
+				return
6c08f9
+			}
6c08f9
 		}
6c08f9
 		return
6c08f9
 	}
6c08f9
@@ -164,6 +187,7 @@ func fromBase10(base10 string) *big.Int {
6c08f9
 }
6c08f9
 
6c08f9
 var test2048Key *PrivateKey
6c08f9
+var testRSA2048PrivateKey *PrivateKey
6c08f9
 
6c08f9
 func init() {
6c08f9
 	test2048Key = &PrivateKey{
6c08f9
@@ -178,6 +202,21 @@ func init() {
6c08f9
 		},
6c08f9
 	}
6c08f9
 	test2048Key.Precompute()
6c08f9
+	// This is the same testRSA2048PrivateKey from src/crypto/tls/boring_test.go,
6c08f9
+	// just formatted without using the x509 Parser
6c08f9
+	testRSA2048PrivateKey = &PrivateKey {
6c08f9
+		PublicKey: PublicKey{
6c08f9
+                        N: fromBase10("20191212046465051006148469115982609963794084216822290493008497548603282433337961188011759317867632936762484431807200684727542982286641865915343951546098189846608892055894575224375729344858650310374442622904229900868894242623139807621975608166515302294530216022389036816474348374698399654955992710180316983674809047409565569027596663420090767109285120403886497729233127551307356270679924351259776100107640885071765865832767303853854517356000385050677175012549806941229051812974721510192346810990827150439838227830352248569839727388943852973737249863837089274675024496841834194785931485429238306703429257731792443735979"),
6c08f9
+                        E: 65537,
6c08f9
+                },
6c08f9
+                D: fromBase10("17880854551669112566868255345124108779447961606053558991611260520405836487267781427740459393783689829925402008838157275130340717548134956040019107677074732476577915942750039777107871579671122369249613210066309031335411813988461299033587444447689322284662780986426216011635232478916424602504476935371549462113036228740820951710434375466081011497256196435741125837599218374223248197677547321257961509961401385322723627033844333644253777689603896264679633990939957571483400832267925506777396569554295752505112186882586887396943424085633026984063372469902814987050483471096892524886948283571883744403645335501920852525393"),
6c08f9
+                Primes: []*big.Int{
6c08f9
+                        fromBase10("135564917074042739008372452399559667250812269638554028593490636590148234941034106656615266472037321030780472224077878987192393666277731486488609490961161995141171813440923127505183021899359310251888145112092740773465142711876177808655062479870526201006500762429604105802612357839979630776094264195301632424911"),
6c08f9
+                        fromBase10("148941278335581696308445609123523329975323575697232717856977715718810138995490768513650108277383732380774181214791356462453504708304090734692215322335879527529217737837271384209093576836051031684425884921572908683147368296418243939771852059523598364231128661438022752350148969064661946939745752818523498309989"),
6c08f9
+                },
6c08f9
+	}
6c08f9
+	testRSA2048PrivateKey.Precompute()
6c08f9
+
6c08f9
 }
6c08f9
 
6c08f9
 func BenchmarkRSA2048Decrypt(b *testing.B) {
6c08f9
@@ -317,6 +356,11 @@ func TestEncryptDecryptOAEP(t *testing.T) {
6c08f9
 		priv.PublicKey = PublicKey{N: n, E: test.e}
6c08f9
 		priv.D = d
6c08f9
 
6c08f9
+		if boring.Enabled() && priv.PublicKey.Size() < 256 {
6c08f9
+			t.Logf("skipping check for unsupported key less than 2048 bits")
6c08f9
+			continue;
6c08f9
+		}
6c08f9
+		t.Logf("running check for supported key size")
6c08f9
 		for j, message := range test.msgs {
6c08f9
 			label := []byte(fmt.Sprintf("hi#%d", j))
6c08f9
 			enc, err := EncryptOAEP(sha256, rand.Reader, &priv.PublicKey, message.in, label)
6c08f9
diff --git a/src/crypto/tls/boring_test.go b/src/crypto/tls/boring_test.go
6c08f9
index 94a24ff..577bc73 100644
6c08f9
--- a/src/crypto/tls/boring_test.go
6c08f9
+++ b/src/crypto/tls/boring_test.go
6c08f9
@@ -26,7 +26,7 @@ import (
6c08f9
 func TestBoringServerProtocolVersion(t *testing.T) {
6c08f9
 	test := func(name string, v uint16, msg string) {
6c08f9
 		t.Run(name, func(t *testing.T) {
6c08f9
-			serverConfig := testConfig.Clone()
6c08f9
+			serverConfig := testConfigTemplate()
6c08f9
 			serverConfig.MinVersion = VersionSSL30
6c08f9
 			clientHello := &clientHelloMsg{
6c08f9
 				vers:               v,
6c08f9
@@ -108,7 +108,7 @@ func isBoringSignatureScheme(alg SignatureScheme) bool {
6c08f9
 }
6c08f9
 
6c08f9
 func TestBoringServerCipherSuites(t *testing.T) {
6c08f9
-	serverConfig := testConfig.Clone()
6c08f9
+	serverConfig := testConfigTemplate()
6c08f9
 	serverConfig.CipherSuites = allCipherSuites()
6c08f9
 	serverConfig.Certificates = make([]Certificate, 1)
6c08f9
 
6c08f9
@@ -148,7 +148,7 @@ func TestBoringServerCipherSuites(t *testing.T) {
6c08f9
 }
6c08f9
 
6c08f9
 func TestBoringServerCurves(t *testing.T) {
6c08f9
-	serverConfig := testConfig.Clone()
6c08f9
+	serverConfig := testConfigTemplate()
6c08f9
 	serverConfig.Certificates = make([]Certificate, 1)
6c08f9
 	serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate}
6c08f9
 	serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey
6c08f9
@@ -204,7 +204,7 @@ func TestBoringServerSignatureAndHash(t *testing.T) {
6c08f9
 
6c08f9
 	for _, sigHash := range defaultSupportedSignatureAlgorithms {
6c08f9
 		t.Run(fmt.Sprintf("%#x", sigHash), func(t *testing.T) {
6c08f9
-			serverConfig := testConfig.Clone()
6c08f9
+			serverConfig := testConfigTemplate()
6c08f9
 			serverConfig.Certificates = make([]Certificate, 1)
6c08f9
 
6c08f9
 			testingOnlyForceClientHelloSignatureAlgorithms = []SignatureScheme{sigHash}
6c08f9
@@ -263,7 +263,7 @@ func TestBoringClientHello(t *testing.T) {
6c08f9
 	defer c.Close()
6c08f9
 	defer s.Close()
6c08f9
 
6c08f9
-	clientConfig := testConfig.Clone()
6c08f9
+	clientConfig := testConfigTemplate()
6c08f9
 	// All sorts of traps for the client to avoid.
6c08f9
 	clientConfig.MinVersion = VersionSSL30
6c08f9
 	clientConfig.MaxVersion = VersionTLS13
6c08f9
@@ -337,12 +337,12 @@ func TestBoringCertAlgs(t *testing.T) {
6c08f9
 
6c08f9
 	// client verifying server cert
6c08f9
 	testServerCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) {
6c08f9
-		clientConfig := testConfig.Clone()
6c08f9
+		clientConfig := testConfigTemplate()
6c08f9
 		clientConfig.RootCAs = pool
6c08f9
 		clientConfig.InsecureSkipVerify = false
6c08f9
 		clientConfig.ServerName = "example.com"
6c08f9
 
6c08f9
-		serverConfig := testConfig.Clone()
6c08f9
+		serverConfig := testConfigTemplate()
6c08f9
 		serverConfig.Certificates = []Certificate{{Certificate: list, PrivateKey: key}}
6c08f9
 		serverConfig.BuildNameToCertificate()
6c08f9
 
6c08f9
@@ -365,11 +365,11 @@ func TestBoringCertAlgs(t *testing.T) {
6c08f9
 
6c08f9
 	// server verifying client cert
6c08f9
 	testClientCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) {
6c08f9
-		clientConfig := testConfig.Clone()
6c08f9
+		clientConfig := testConfigTemplate()
6c08f9
 		clientConfig.ServerName = "example.com"
6c08f9
 		clientConfig.Certificates = []Certificate{{Certificate: list, PrivateKey: key}}
6c08f9
 
6c08f9
-		serverConfig := testConfig.Clone()
6c08f9
+		serverConfig := testConfigTemplate()
6c08f9
 		serverConfig.ClientCAs = pool
6c08f9
 		serverConfig.ClientAuth = RequireAndVerifyClientCert
6c08f9
 
6c08f9
@@ -394,8 +394,13 @@ func TestBoringCertAlgs(t *testing.T) {
6c08f9
 	// exhaustive test with computed answers.
6c08f9
 	r1pool := x509.NewCertPool()
6c08f9
 	r1pool.AddCert(R1.cert)
6c08f9
-	testServerCert(t, "basic", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, true)
6c08f9
-	testClientCert(t, "basic (client cert)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, true)
6c08f9
+	// openssl 3 FIPS provider fails these now without fipstls.Force()
6c08f9
+	shouldPass := true
6c08f9
+	if boring.Enabled() {
6c08f9
+		shouldPass = false
6c08f9
+	}
6c08f9
+	testClientCert(t, "basic (client cert)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, shouldPass)
6c08f9
+	testClientCert(t, "basic (client cert)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, shouldPass)
6c08f9
 	fipstls.Force()
6c08f9
 	testServerCert(t, "basic (fips)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, false)
6c08f9
 	testClientCert(t, "basic (fips, client cert)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, false)
6c08f9
@@ -458,6 +463,10 @@ func TestBoringCertAlgs(t *testing.T) {
6c08f9
 				addRoot(r&1, R1)
6c08f9
 				addRoot(r&2, R2)
6c08f9
 				rootName = rootName[1:] // strip leading comma
6c08f9
+				// openssl 3 FIPS provider fails these now without fipstls.Force()
6c08f9
+				if boring.Enabled() {
6c08f9
+					shouldVerify = shouldVerifyFIPS
6c08f9
+				}
6c08f9
 				testServerCert(t, listName+"->"+rootName[1:], pool, leaf.key, list, shouldVerify)
6c08f9
 				testClientCert(t, listName+"->"+rootName[1:]+"(client cert)", pool, leaf.key, list, shouldVerify)
6c08f9
 				fipstls.Force()
6c08f9
@@ -577,6 +586,16 @@ var (
6c08f9
 	testRSA2048PrivateKey  *rsa.PrivateKey
6c08f9
 )
6c08f9
 
6c08f9
+func testConfigTemplate() *Config {
6c08f9
+	config := testConfig.Clone()
6c08f9
+	if boring.Enabled() {
6c08f9
+		config.Certificates[0].Certificate = [][]byte{testRSA2048Certificate}
6c08f9
+		config.Certificates[0].PrivateKey = testRSA2048PrivateKey
6c08f9
+	}
6c08f9
+	return config
6c08f9
+
6c08f9
+}
6c08f9
+
6c08f9
 func init() {
6c08f9
 	block, _ := pem.Decode([]byte(`
6c08f9
 -----BEGIN CERTIFICATE-----
6c08f9
diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
6c08f9
index 449379f..801a954 100644
6c08f9
--- a/src/crypto/x509/x509_test.go
6c08f9
+++ b/src/crypto/x509/x509_test.go
6c08f9
@@ -151,6 +151,7 @@ func TestPKIXMismatchPublicKeyFormat(t *testing.T) {
6c08f9
 }
6c08f9
 
6c08f9
 var testPrivateKey *rsa.PrivateKey
6c08f9
+var testPrivateKey2048 *rsa.PrivateKey
6c08f9
 
6c08f9
 func init() {
6c08f9
 	block, _ := pem.Decode([]byte(pemPrivateKey))
6c08f9
@@ -159,6 +160,9 @@ func init() {
6c08f9
 	if testPrivateKey, err = ParsePKCS1PrivateKey(block.Bytes); err != nil {
6c08f9
 		panic("Failed to parse private key: " + err.Error())
6c08f9
 	}
6c08f9
+	if testPrivateKey2048, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
6c08f9
+		panic("Failed to generate key: " + err.Error())
6c08f9
+	}
6c08f9
 }
6c08f9
 
6c08f9
 func bigFromString(s string) *big.Int {
6c08f9
@@ -589,8 +593,9 @@ func TestCreateSelfSignedCertificate(t *testing.T) {
6c08f9
 		{"RSA/ECDSA", &testPrivateKey.PublicKey, ecdsaPriv, false, ECDSAWithSHA384},
6c08f9
 		{"ECDSA/RSA", &ecdsaPriv.PublicKey, testPrivateKey, false, SHA256WithRSA},
6c08f9
 		{"ECDSA/ECDSA", &ecdsaPriv.PublicKey, ecdsaPriv, true, ECDSAWithSHA1},
6c08f9
-		{"RSAPSS/RSAPSS", &testPrivateKey.PublicKey, testPrivateKey, true, SHA256WithRSAPSS},
6c08f9
-		{"ECDSA/RSAPSS", &ecdsaPriv.PublicKey, testPrivateKey, false, SHA256WithRSAPSS},
6c08f9
+		// TODO: hardcode the next two keys
6c08f9
+		{"RSAPSS/RSAPSS", &testPrivateKey2048.PublicKey, testPrivateKey2048, true, SHA256WithRSAPSS},
6c08f9
+		{"ECDSA/RSAPSS", &ecdsaPriv.PublicKey, testPrivateKey2048, false, SHA256WithRSAPSS},
6c08f9
 		{"RSAPSS/ECDSA", &testPrivateKey.PublicKey, ecdsaPriv, false, ECDSAWithSHA384},
6c08f9
 		{"Ed25519", ed25519Pub, ed25519Priv, true, PureEd25519},
6c08f9
 	}