[openssl] master update

Dr. Paul Dale pauli at openssl.org
Thu Mar 11 22:33:56 UTC 2021


The branch master has been updated
       via  8bf611bc7f68ae6480f30e4ef085d141f3a2b884 (commit)
       via  20b8dc6fb1964ca16b85799b25c5f46d23b1a7cb (commit)
       via  5a6b62bb427e828edecf52c2280f9958d97142b6 (commit)
       via  c983a0e5214db7f0a668f5e9ddda9362ca0d6ac9 (commit)
       via  f59612fed8def965c61cdb002fa20f61943f50a0 (commit)
       via  f187d4f9f8d69a9d6d9e35e41284bff28649ea13 (commit)
       via  12ddfa6b3461698543381a6087bd3f5d3a38d3f0 (commit)
       via  1036bb64a7af960a4abf9ff3c782668062030786 (commit)
       via  83da94ffa8ef3589d48db5453a68e4d7a5fbb534 (commit)
       via  deee9672723f1cfaaf6770f856345bccf94217d6 (commit)
       via  8b81a89d06ab0eb4121c7f9eaf1454aef3180289 (commit)
       via  f336f98dbf80af632ea142ea3d43fe1e9d727e14 (commit)
       via  8f42380a21e7732cc0931be1921e24d360285278 (commit)
       via  556b8937d0fc323da2b206d6c13f0ddee8a7d340 (commit)
       via  5506cd0bbd874b164f59e3e6a6a530426a2b38bf (commit)
       via  5a7e999114562e5d9b696effac550d9d141ff087 (commit)
       via  d7ec1dda2ec543153a7a1602aa8421849d33f9b5 (commit)
       via  408def8b30756469c1b657b9271832f7c1bdce12 (commit)
       via  8ea34a6efa0cfe61abc413525be5b8aaee5f603f (commit)
       via  af6171b35aa4d066f6834c4fb917372b81d92489 (commit)
       via  d38b6ae96fa810891e38d2f952ff7fe857be80c9 (commit)
       via  ebbf3563bdc41595eb0dacc932b7e8d440b6d267 (commit)
       via  5a084c5f0b5ebd9be6de0e09b75215e9c3094db1 (commit)
       via  2b2f4f9b1bba61e989adddc7affcdbe5d89c7c05 (commit)
       via  1666eec83722ff9e2c80ec8fe86c71b317959591 (commit)
       via  ee22fca5cec53c9775cbdf1c44677ba5ee9b5049 (commit)
       via  4b58d9b41b7e43b2f6f4171df9e84bf6a0866b99 (commit)
       via  480c8ef8b5804b15ef97320290bc326adfaa0f84 (commit)
       via  cbdeb04c90d2ab3e3b497f9cc7dce8c2ac828f4d (commit)
       via  c4c422e0ccd2d72c22f3787570d075f56f089298 (commit)
       via  2faea85380a5ffd17169e0624493c11658ea193e (commit)
       via  f9562909b73f02f0ca5f411f87a2e73de654f3bd (commit)
       via  1be63b3e962097f20db2172e2c468a2a51d01da0 (commit)
       via  10ffdda4209371dcd839d78081e1a65d2a8b67b0 (commit)
      from  3d8905f85945d899192b113ae495e99894687c4f (commit)


- Log -----------------------------------------------------------------
commit 8bf611bc7f68ae6480f30e4ef085d141f3a2b884
Author: Pauli <ppzgs1 at gmail.com>
Date:   Wed Mar 10 18:40:00 2021 +1000

    update set_ctx_param store management calls to return 1 for a NULL params
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit 20b8dc6fb1964ca16b85799b25c5f46d23b1a7cb
Author: Pauli <ppzgs1 at gmail.com>
Date:   Wed Mar 10 18:38:04 2021 +1000

    update set_ctx_param DRBG calls to return 1 for a NULL params
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit 5a6b62bb427e828edecf52c2280f9958d97142b6
Author: Pauli <ppzgs1 at gmail.com>
Date:   Wed Mar 10 18:37:07 2021 +1000

    update set_ctx_param MAC calls to return 1 for a NULL params
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit c983a0e5214db7f0a668f5e9ddda9362ca0d6ac9
Author: Pauli <ppzgs1 at gmail.com>
Date:   Wed Mar 10 18:28:35 2021 +1000

    prov: add extra params argument to KDF implementations
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit f59612fed8def965c61cdb002fa20f61943f50a0
Author: Pauli <ppzgs1 at gmail.com>
Date:   Wed Mar 3 11:32:39 2021 +1000

    doc: note that get_params and set_params calls should return true if the param array is null
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit f187d4f9f8d69a9d6d9e35e41284bff28649ea13
Author: Pauli <ppzgs1 at gmail.com>
Date:   Wed Mar 3 11:26:51 2021 +1000

    doc: document the additional params argument to the various init() calls
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit 12ddfa6b3461698543381a6087bd3f5d3a38d3f0
Author: Pauli <ppzgs1 at gmail.com>
Date:   Tue Mar 2 22:46:24 2021 +1000

    support params argument to AES cipher init calls
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit 1036bb64a7af960a4abf9ff3c782668062030786
Author: Pauli <ppzgs1 at gmail.com>
Date:   Wed Mar 3 10:59:18 2021 +1000

    doc: update cipher documentation to include the new init functions with params
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit 83da94ffa8ef3589d48db5453a68e4d7a5fbb534
Author: Pauli <ppzgs1 at gmail.com>
Date:   Tue Mar 2 22:46:04 2021 +1000

    prov: support params argument to common cipher init calls
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit deee9672723f1cfaaf6770f856345bccf94217d6
Author: Pauli <ppzgs1 at gmail.com>
Date:   Tue Mar 2 22:45:34 2021 +1000

    prov: support param argument to DES cipher init calls
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit 8b81a89d06ab0eb4121c7f9eaf1454aef3180289
Author: Pauli <ppzgs1 at gmail.com>
Date:   Tue Mar 2 22:45:13 2021 +1000

    prov: support param argument to null cipher init calls
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit f336f98dbf80af632ea142ea3d43fe1e9d727e14
Author: Pauli <ppzgs1 at gmail.com>
Date:   Tue Mar 2 22:44:53 2021 +1000

    prov: support params argument to CHACHA20 ciphers
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit 8f42380a21e7732cc0931be1921e24d360285278
Author: Pauli <ppzgs1 at gmail.com>
Date:   Tue Mar 2 22:44:25 2021 +1000

    prov: support params argument to RCx ciphers
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit 556b8937d0fc323da2b206d6c13f0ddee8a7d340
Author: Pauli <ppzgs1 at gmail.com>
Date:   Tue Mar 2 22:43:36 2021 +1000

    prov: support params arguments to signature init calls
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit 5506cd0bbd874b164f59e3e6a6a530426a2b38bf
Author: Pauli <ppzgs1 at gmail.com>
Date:   Wed Mar 3 09:20:21 2021 +1000

    prov: update digests to support modified ctx params
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit 5a7e999114562e5d9b696effac550d9d141ff087
Author: Pauli <ppzgs1 at gmail.com>
Date:   Wed Mar 3 10:59:01 2021 +1000

    doc: update digest documentation to include the new init functions with params
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit d7ec1dda2ec543153a7a1602aa8421849d33f9b5
Author: Pauli <ppzgs1 at gmail.com>
Date:   Tue Mar 2 22:42:41 2021 +1000

    prov: support param argument to digest init calls
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit 408def8b30756469c1b657b9271832f7c1bdce12
Author: Pauli <ppzgs1 at gmail.com>
Date:   Tue Mar 2 22:42:10 2021 +1000

    doc: document param argument to RSA calls
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit 8ea34a6efa0cfe61abc413525be5b8aaee5f603f
Author: Pauli <ppzgs1 at gmail.com>
Date:   Tue Mar 2 22:41:58 2021 +1000

    doc: document param argument to cipher init calls
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit af6171b35aa4d066f6834c4fb917372b81d92489
Author: Pauli <ppzgs1 at gmail.com>
Date:   Tue Mar 2 22:41:24 2021 +1000

    test: support params arguments to init functions
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit d38b6ae96fa810891e38d2f952ff7fe857be80c9
Author: Pauli <ppzgs1 at gmail.com>
Date:   Tue Mar 2 22:41:10 2021 +1000

    ssl: support params arguments to init functions
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit ebbf3563bdc41595eb0dacc932b7e8d440b6d267
Author: Pauli <ppzgs1 at gmail.com>
Date:   Tue Mar 2 22:40:25 2021 +1000

    apps: support param argument to init functions
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit 5a084c5f0b5ebd9be6de0e09b75215e9c3094db1
Author: Pauli <ppzgs1 at gmail.com>
Date:   Tue Mar 2 22:01:12 2021 +1000

    prov: update KEM to support params on init()
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit 2b2f4f9b1bba61e989adddc7affcdbe5d89c7c05
Author: Pauli <ppzgs1 at gmail.com>
Date:   Tue Mar 2 22:00:53 2021 +1000

    prov: update exchange algorithms to support params on the init call
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit 1666eec83722ff9e2c80ec8fe86c71b317959591
Author: Pauli <ppzgs1 at gmail.com>
Date:   Tue Mar 2 20:21:00 2021 +1000

    misc: other init function param additions
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit ee22fca5cec53c9775cbdf1c44677ba5ee9b5049
Author: Pauli <ppzgs1 at gmail.com>
Date:   Wed Mar 3 11:02:42 2021 +1000

    doc: update PKEY documentation to include the new init functions with params
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit 4b58d9b41b7e43b2f6f4171df9e84bf6a0866b99
Author: Pauli <ppzgs1 at gmail.com>
Date:   Tue Mar 2 20:20:25 2021 +1000

    evp: add params arguments to init functions
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit 480c8ef8b5804b15ef97320290bc326adfaa0f84
Author: Pauli <ppzgs1 at gmail.com>
Date:   Tue Mar 2 19:05:39 2021 +1000

    core: add params arguments to init calls
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit cbdeb04c90d2ab3e3b497f9cc7dce8c2ac828f4d
Author: Pauli <ppzgs1 at gmail.com>
Date:   Tue Mar 2 19:04:55 2021 +1000

    prov: asym ciphers take an extra init() params argument
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit c4c422e0ccd2d72c22f3787570d075f56f089298
Author: Pauli <ppzgs1 at gmail.com>
Date:   Tue Mar 2 09:05:15 2021 +1000

    doc: add params argument to key manager's gen_init call
    
    Fixes #14286
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit 2faea85380a5ffd17169e0624493c11658ea193e
Author: Pauli <ppzgs1 at gmail.com>
Date:   Tue Mar 2 09:03:00 2021 +1000

    core: add params argument to key manager's gen_init call
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit f9562909b73f02f0ca5f411f87a2e73de654f3bd
Author: Pauli <ppzgs1 at gmail.com>
Date:   Tue Mar 2 09:02:25 2021 +1000

    provider: add params argument to key manager's gen_init call
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit 1be63b3e962097f20db2172e2c468a2a51d01da0
Author: Pauli <ppzgs1 at gmail.com>
Date:   Tue Mar 2 09:01:33 2021 +1000

    evp: add params argument to key manager's gen_init call
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

commit 10ffdda4209371dcd839d78081e1a65d2a8b67b0
Author: Pauli <ppzgs1 at gmail.com>
Date:   Tue Mar 2 09:01:14 2021 +1000

    test: add params argument to key manager's gen_init call
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/14383)

-----------------------------------------------------------------------

Summary of changes:
 apps/pkeyutl.c                                     |  6 +-
 crypto/cms/cms_sd.c                                |  7 +-
 crypto/ct/ct_vfy.c                                 |  2 +-
 crypto/evp/asymcipher.c                            | 21 +++--
 crypto/evp/digest.c                                | 28 +++++--
 crypto/evp/evp_enc.c                               | 58 ++++++++++---
 crypto/evp/exchange.c                              |  7 +-
 crypto/evp/kem.c                                   | 15 ++--
 crypto/evp/keymgmt_meth.c                          |  5 +-
 crypto/evp/m_sigver.c                              | 25 ++++--
 crypto/evp/pmeth_gn.c                              |  5 +-
 crypto/evp/signature.c                             | 32 ++++++--
 crypto/pkcs7/pk7_doit.c                            |  3 +-
 doc/man3/EVP_DigestInit.pod                        | 39 ++++++---
 doc/man3/EVP_EncryptInit.pod                       | 96 ++++++++++++++--------
 doc/man3/EVP_PKEY_decapsulate.pod                  | 10 +--
 doc/man3/EVP_PKEY_decrypt.pod                      | 18 ++--
 doc/man3/EVP_PKEY_derive.pod                       | 12 ++-
 doc/man3/EVP_PKEY_encapsulate.pod                  |  9 +-
 doc/man3/EVP_PKEY_encrypt.pod                      | 16 +++-
 doc/man3/EVP_PKEY_sign.pod                         | 11 ++-
 doc/man3/EVP_PKEY_verify.pod                       | 11 ++-
 doc/man3/EVP_PKEY_verify_recover.pod               | 14 +++-
 doc/man3/RSA_private_encrypt.pod                   |  5 +-
 doc/man3/RSA_public_encrypt.pod                    |  5 +-
 doc/man7/provider-asym_cipher.pod                  | 14 +++-
 doc/man7/provider-cipher.pod                       |  8 +-
 doc/man7/provider-digest.pod                       |  6 +-
 doc/man7/provider-encoder.pod                      |  1 +
 doc/man7/provider-kdf.pod                          |  2 +
 doc/man7/provider-kem.pod                          |  8 +-
 doc/man7/provider-keyexch.pod                      | 10 ++-
 doc/man7/provider-keymgmt.pod                      |  5 +-
 doc/man7/provider-mac.pod                          |  2 +
 doc/man7/provider-rand.pod                         |  2 +
 doc/man7/provider-signature.pod                    | 39 +++++++--
 doc/man7/provider-storemgmt.pod                    |  1 +
 include/crypto/evp.h                               |  3 +-
 include/openssl/core_dispatch.h                    | 50 ++++++-----
 include/openssl/evp.h                              | 30 ++++++-
 providers/implementations/asymciphers/rsa_enc.c    | 21 +++--
 providers/implementations/asymciphers/sm2_enc.c    | 10 ++-
 .../ciphers/cipher_aes_cbc_hmac_sha.c              | 25 +++++-
 .../implementations/ciphers/cipher_aes_cts.inc     | 24 +++++-
 providers/implementations/ciphers/cipher_aes_ocb.c | 21 +++--
 providers/implementations/ciphers/cipher_aes_siv.c | 23 ++++--
 providers/implementations/ciphers/cipher_aes_wrp.c | 18 ++--
 providers/implementations/ciphers/cipher_aes_xts.c | 21 +++--
 .../implementations/ciphers/cipher_chacha20.c      | 17 +++-
 .../ciphers/cipher_chacha20_poly1305.c             | 15 +++-
 .../ciphers/cipher_chacha20_poly1305_hw.c          |  8 +-
 providers/implementations/ciphers/cipher_des.c     | 18 ++--
 providers/implementations/ciphers/cipher_null.c    |  6 +-
 providers/implementations/ciphers/cipher_rc2.c     | 32 +++++++-
 providers/implementations/ciphers/cipher_rc4.c     | 24 +++++-
 .../implementations/ciphers/cipher_rc4_hmac_md5.c  | 25 +++++-
 providers/implementations/ciphers/cipher_rc5.c     | 28 ++++++-
 .../implementations/ciphers/cipher_tdes_common.c   | 18 ++--
 providers/implementations/ciphers/ciphercommon.c   | 21 +++--
 .../implementations/ciphers/ciphercommon_ccm.c     | 21 +++--
 .../implementations/ciphers/ciphercommon_gcm.c     | 21 +++--
 providers/implementations/digests/blake2_prov.c    |  3 -
 providers/implementations/digests/md5_sha1_prov.c  | 17 ++--
 providers/implementations/digests/mdc2_prov.c      | 16 ++--
 providers/implementations/digests/sha2_prov.c      | 17 ++--
 providers/implementations/digests/sha3_prov.c      | 28 +++++--
 providers/implementations/exchange/dh_exch.c       | 10 ++-
 providers/implementations/exchange/ecdh_exch.c     | 11 ++-
 providers/implementations/exchange/ecx_exch.c      |  3 +-
 providers/implementations/exchange/kdf_exch.c      |  4 +-
 .../implementations/include/prov/digestcommon.h    | 31 ++++---
 providers/implementations/kdfs/hkdf.c              |  3 +
 providers/implementations/kdfs/kbkdf.c             |  3 +
 providers/implementations/kdfs/krb5kdf.c           |  3 +
 providers/implementations/kdfs/pbkdf2.c            |  3 +
 providers/implementations/kdfs/pkcs12kdf.c         |  3 +
 providers/implementations/kdfs/scrypt.c            |  3 +
 providers/implementations/kdfs/sshkdf.c            |  3 +
 providers/implementations/kdfs/sskdf.c             |  3 +
 providers/implementations/kdfs/tls1_prf.c          |  3 +
 providers/implementations/kdfs/x942kdf.c           |  2 +
 providers/implementations/kem/rsa_kem.c            | 24 +++---
 providers/implementations/keymgmt/dh_kmgmt.c       | 20 +++--
 providers/implementations/keymgmt/dsa_kmgmt.c      | 10 ++-
 providers/implementations/keymgmt/ec_kmgmt.c       | 10 ++-
 providers/implementations/keymgmt/ecx_kmgmt.c      | 32 ++++++--
 .../implementations/keymgmt/mac_legacy_kmgmt.c     | 29 ++++++-
 providers/implementations/keymgmt/rsa_kmgmt.c      | 20 +++--
 providers/implementations/macs/blake2_mac_impl.c   |  3 +
 providers/implementations/macs/cmac_prov.c         |  3 +
 providers/implementations/macs/hmac_prov.c         |  3 +
 providers/implementations/macs/kmac_prov.c         |  3 +
 providers/implementations/macs/siphash_prov.c      |  3 +
 providers/implementations/rands/drbg.c             |  3 +
 providers/implementations/rands/test_rng.c         |  3 +
 providers/implementations/signature/dsa.c          | 40 +++++----
 providers/implementations/signature/ecdsa.c        | 38 +++++----
 providers/implementations/signature/eddsa.c        |  5 +-
 providers/implementations/signature/mac_legacy.c   |  5 +-
 providers/implementations/signature/rsa.c          | 43 ++++++----
 providers/implementations/signature/sm2sig.c       | 17 ++--
 providers/implementations/storemgmt/file_store.c   |  3 +
 ssl/s3_lib.c                                       |  4 +-
 ssl/statem/extensions.c                            |  2 +-
 ssl/statem/extensions_srvr.c                       |  4 +-
 ssl/statem/statem_clnt.c                           |  3 +-
 ssl/statem/statem_lib.c                            |  6 +-
 ssl/statem/statem_srvr.c                           |  3 +-
 ssl/t1_enc.c                                       |  3 +-
 test/acvp_test.c                                   |  6 +-
 test/algorithmid_test.c                            |  2 +-
 test/evp_extra_test.c                              |  2 +-
 test/evp_libctx_test.c                             | 16 ++--
 test/evp_test.c                                    |  6 +-
 test/tls-provider.c                                | 16 ++--
 util/libcrypto.num                                 | 10 +++
 116 files changed, 1172 insertions(+), 455 deletions(-)

diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c
index f2efa1d5b8..27ade9f079 100644
--- a/apps/pkeyutl.c
+++ b/apps/pkeyutl.c
@@ -606,11 +606,13 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
 
         switch (pkey_op) {
         case EVP_PKEY_OP_SIGN:
-            rv = EVP_DigestSignInit_ex(mctx, NULL, digestname, libctx, propq, pkey);
+            rv = EVP_DigestSignInit_ex(mctx, NULL, digestname, libctx, propq,
+                                       pkey, NULL);
             break;
 
         case EVP_PKEY_OP_VERIFY:
-            rv = EVP_DigestVerifyInit_ex(mctx, NULL, digestname, libctx, propq, pkey);
+            rv = EVP_DigestVerifyInit_ex(mctx, NULL, digestname, libctx, propq,
+                                         pkey, NULL);
             break;
         }
 
diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c
index cc980d4e58..0c3f04388b 100644
--- a/crypto/cms/cms_sd.c
+++ b/crypto/cms/cms_sd.c
@@ -419,7 +419,7 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms,
         } else if (EVP_DigestSignInit_ex(si->mctx, &si->pctx, EVP_MD_name(md),
                                          ossl_cms_ctx_get0_libctx(ctx),
                                          ossl_cms_ctx_get0_propq(ctx),
-                                         pk) <= 0) {
+                                         pk, NULL) <= 0) {
             goto err;
         }
     }
@@ -743,7 +743,8 @@ int CMS_SignerInfo_sign(CMS_SignerInfo *si)
         EVP_MD_CTX_reset(mctx);
         if (EVP_DigestSignInit_ex(mctx, &pctx, md_name,
                                   ossl_cms_ctx_get0_libctx(ctx),
-                                  ossl_cms_ctx_get0_propq(ctx), si->pkey) <= 0)
+                                  ossl_cms_ctx_get0_propq(ctx), si->pkey,
+                                  NULL) <= 0)
             goto err;
         si->pctx = pctx;
     }
@@ -853,7 +854,7 @@ int CMS_SignerInfo_verify(CMS_SignerInfo *si)
     }
     mctx = si->mctx;
     if (EVP_DigestVerifyInit_ex(mctx, &si->pctx, EVP_MD_name(md), libctx,
-                                propq, si->pkey) <= 0)
+                                propq, si->pkey, NULL) <= 0)
         goto err;
 
     if (!cms_sd_asn1_ctrl(si, 1))
diff --git a/crypto/ct/ct_vfy.c b/crypto/ct/ct_vfy.c
index 2ffca19400..0226dbf0c5 100644
--- a/crypto/ct/ct_vfy.c
+++ b/crypto/ct/ct_vfy.c
@@ -123,7 +123,7 @@ int SCT_CTX_verify(const SCT_CTX *sctx, const SCT *sct)
         goto end;
 
     if (!EVP_DigestVerifyInit_ex(ctx, NULL, "SHA2-256", sctx->libctx,
-                                 sctx->propq, sctx->pkey))
+                                 sctx->propq, sctx->pkey, NULL))
         goto end;
 
     if (!sct_ctx_update(ctx, sctx, sct))
diff --git a/crypto/evp/asymcipher.c b/crypto/evp/asymcipher.c
index b30b05bfa9..e74aafcb13 100644
--- a/crypto/evp/asymcipher.c
+++ b/crypto/evp/asymcipher.c
@@ -16,7 +16,8 @@
 #include "internal/provider.h"
 #include "evp_local.h"
 
-static int evp_pkey_asym_cipher_init(EVP_PKEY_CTX *ctx, int operation)
+static int evp_pkey_asym_cipher_init(EVP_PKEY_CTX *ctx, int operation,
+                                     const OSSL_PARAM params[])
 {
     int ret = 0;
     void *provkey = NULL;
@@ -111,7 +112,7 @@ static int evp_pkey_asym_cipher_init(EVP_PKEY_CTX *ctx, int operation)
             ret = -2;
             goto err;
         }
-        ret = cipher->encrypt_init(ctx->op.ciph.ciphprovctx, provkey);
+        ret = cipher->encrypt_init(ctx->op.ciph.ciphprovctx, provkey, params);
         break;
     case EVP_PKEY_OP_DECRYPT:
         if (cipher->decrypt_init == NULL) {
@@ -119,7 +120,7 @@ static int evp_pkey_asym_cipher_init(EVP_PKEY_CTX *ctx, int operation)
             ret = -2;
             goto err;
         }
-        ret = cipher->decrypt_init(ctx->op.ciph.ciphprovctx, provkey);
+        ret = cipher->decrypt_init(ctx->op.ciph.ciphprovctx, provkey, params);
         break;
     default:
         ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
@@ -168,7 +169,12 @@ static int evp_pkey_asym_cipher_init(EVP_PKEY_CTX *ctx, int operation)
 
 int EVP_PKEY_encrypt_init(EVP_PKEY_CTX *ctx)
 {
-    return evp_pkey_asym_cipher_init(ctx, EVP_PKEY_OP_ENCRYPT);
+    return evp_pkey_asym_cipher_init(ctx, EVP_PKEY_OP_ENCRYPT, NULL);
+}
+
+int EVP_PKEY_encrypt_init_ex(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[])
+{
+    return evp_pkey_asym_cipher_init(ctx, EVP_PKEY_OP_ENCRYPT, params);
 }
 
 int EVP_PKEY_encrypt(EVP_PKEY_CTX *ctx,
@@ -205,7 +211,12 @@ int EVP_PKEY_encrypt(EVP_PKEY_CTX *ctx,
 
 int EVP_PKEY_decrypt_init(EVP_PKEY_CTX *ctx)
 {
-    return evp_pkey_asym_cipher_init(ctx, EVP_PKEY_OP_DECRYPT);
+    return evp_pkey_asym_cipher_init(ctx, EVP_PKEY_OP_DECRYPT, NULL);
+}
+
+int EVP_PKEY_decrypt_init_ex(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[])
+{
+    return evp_pkey_asym_cipher_init(ctx, EVP_PKEY_OP_DECRYPT, params);
 }
 
 int EVP_PKEY_decrypt(EVP_PKEY_CTX *ctx,
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index 069eb192c1..dbbc44f046 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -124,13 +124,8 @@ void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
     return;
 }
 
-int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type)
-{
-    EVP_MD_CTX_reset(ctx);
-    return EVP_DigestInit_ex(ctx, type, NULL);
-}
-
-int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
+static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type,
+                                const OSSL_PARAM params[], ENGINE *impl)
 {
 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
     ENGINE *tmpimpl = NULL;
@@ -272,7 +267,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
         return 0;
     }
 
-    return ctx->digest->dinit(ctx->provctx);
+    return ctx->digest->dinit(ctx->provctx, params);
 
     /* Code below to be removed when legacy support is dropped. */
  legacy:
@@ -346,6 +341,23 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
     return ctx->digest->init(ctx);
 }
 
+int EVP_DigestInit_ex2(EVP_MD_CTX *ctx, const EVP_MD *type,
+                       const OSSL_PARAM params[])
+{
+    return evp_md_init_internal(ctx, type, params, NULL);
+}
+
+int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type)
+{
+    EVP_MD_CTX_reset(ctx);
+    return evp_md_init_internal(ctx, type, NULL, NULL);
+}
+
+int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
+{
+    return evp_md_init_internal(ctx, type, NULL, impl);
+}
+
 int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
 {
     if (count == 0)
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index 40e9f0b6c3..eb174c2d9f 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -72,17 +72,11 @@ void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
     OPENSSL_free(ctx);
 }
 
-int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
-                   const unsigned char *key, const unsigned char *iv, int enc)
-{
-    if (cipher != NULL)
-        EVP_CIPHER_CTX_reset(ctx);
-    return EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, enc);
-}
-
-int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
-                      ENGINE *impl, const unsigned char *key,
-                      const unsigned char *iv, int enc)
+static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx,
+                                    const EVP_CIPHER *cipher,
+                                    ENGINE *impl, const unsigned char *key,
+                                    const unsigned char *iv, int enc,
+                                    const OSSL_PARAM params[])
 {
 #if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE)
     ENGINE *tmpimpl = NULL;
@@ -221,7 +215,8 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
                                               : EVP_CIPHER_CTX_key_length(ctx),
                                   iv,
                                   iv == NULL ? 0
-                                             : EVP_CIPHER_CTX_iv_length(ctx));
+                                             : EVP_CIPHER_CTX_iv_length(ctx),
+                                  params);
     }
 
     if (ctx->cipher->dinit == NULL) {
@@ -235,7 +230,8 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
                                           : EVP_CIPHER_CTX_key_length(ctx),
                               iv,
                               iv == NULL ? 0
-                                         : EVP_CIPHER_CTX_iv_length(ctx));
+                                         : EVP_CIPHER_CTX_iv_length(ctx),
+                                  params);
 
     /* Code below to be removed when legacy support is dropped. */
  legacy:
@@ -370,6 +366,28 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
     return 1;
 }
 
+int EVP_CipherInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
+                       const unsigned char *key, const unsigned char *iv,
+                       int enc, const OSSL_PARAM params[])
+{
+    return evp_cipher_init_internal(ctx, cipher, NULL, key, iv, enc, params);
+}
+
+int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
+                   const unsigned char *key, const unsigned char *iv, int enc)
+{
+    if (cipher != NULL)
+        EVP_CIPHER_CTX_reset(ctx);
+    return evp_cipher_init_internal(ctx, cipher, NULL, key, iv, enc, NULL);
+}
+
+int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
+                      ENGINE *impl, const unsigned char *key,
+                      const unsigned char *iv, int enc)
+{
+    return evp_cipher_init_internal(ctx, cipher, impl, key, iv, enc, NULL);
+}
+
 int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
                      const unsigned char *in, int inl)
 {
@@ -408,6 +426,13 @@ int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
     return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 1);
 }
 
+int EVP_EncryptInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
+                        const unsigned char *key, const unsigned char *iv,
+                        const OSSL_PARAM params[])
+{
+    return EVP_CipherInit_ex2(ctx, cipher, key, iv, 1, params);
+}
+
 int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
                     const unsigned char *key, const unsigned char *iv)
 {
@@ -421,6 +446,13 @@ int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
     return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 0);
 }
 
+int EVP_DecryptInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
+                        const unsigned char *key, const unsigned char *iv,
+                        const OSSL_PARAM params[])
+{
+    return EVP_CipherInit_ex2(ctx, cipher, key, iv, 0, params);
+}
+
 /*
  * According to the letter of standard difference between pointers
  * is specified to be valid only within same object. This makes
diff --git a/crypto/evp/exchange.c b/crypto/evp/exchange.c
index 1a512c4283..e0e0597b3b 100644
--- a/crypto/evp/exchange.c
+++ b/crypto/evp/exchange.c
@@ -175,6 +175,11 @@ EVP_KEYEXCH *EVP_KEYEXCH_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
 }
 
 int EVP_PKEY_derive_init(EVP_PKEY_CTX *ctx)
+{
+    return EVP_PKEY_derive_init_ex(ctx, NULL);
+}
+
+int EVP_PKEY_derive_init_ex(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[])
 {
     int ret;
     void *provkey = NULL;
@@ -279,7 +284,7 @@ int EVP_PKEY_derive_init(EVP_PKEY_CTX *ctx)
         ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
         goto err;
     }
-    ret = exchange->init(ctx->op.kex.exchprovctx, provkey);
+    ret = exchange->init(ctx->op.kex.exchprovctx, provkey, params);
 
     return ret ? 1 : 0;
  err:
diff --git a/crypto/evp/kem.c b/crypto/evp/kem.c
index 353c51a3ff..a4183e8311 100644
--- a/crypto/evp/kem.c
+++ b/crypto/evp/kem.c
@@ -16,7 +16,8 @@
 #include "internal/provider.h"
 #include "evp_local.h"
 
-static int evp_kem_init(EVP_PKEY_CTX *ctx, int operation)
+static int evp_kem_init(EVP_PKEY_CTX *ctx, int operation,
+                        const OSSL_PARAM params[])
 {
     int ret = 0;
     EVP_KEM *kem = NULL;
@@ -79,7 +80,7 @@ static int evp_kem_init(EVP_PKEY_CTX *ctx, int operation)
             ret = -2;
             goto err;
         }
-        ret = kem->encapsulate_init(ctx->op.encap.kemprovctx, provkey);
+        ret = kem->encapsulate_init(ctx->op.encap.kemprovctx, provkey, params);
         break;
     case EVP_PKEY_OP_DECAPSULATE:
         if (kem->decapsulate_init == NULL) {
@@ -87,7 +88,7 @@ static int evp_kem_init(EVP_PKEY_CTX *ctx, int operation)
             ret = -2;
             goto err;
         }
-        ret = kem->decapsulate_init(ctx->op.encap.kemprovctx, provkey);
+        ret = kem->decapsulate_init(ctx->op.encap.kemprovctx, provkey, params);
         break;
     default:
         ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
@@ -104,9 +105,9 @@ static int evp_kem_init(EVP_PKEY_CTX *ctx, int operation)
     return ret;
 }
 
-int EVP_PKEY_encapsulate_init(EVP_PKEY_CTX *ctx)
+int EVP_PKEY_encapsulate_init(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[])
 {
-    return evp_kem_init(ctx, EVP_PKEY_OP_ENCAPSULATE);
+    return evp_kem_init(ctx, EVP_PKEY_OP_ENCAPSULATE, params);
 }
 
 int EVP_PKEY_encapsulate(EVP_PKEY_CTX *ctx,
@@ -133,9 +134,9 @@ int EVP_PKEY_encapsulate(EVP_PKEY_CTX *ctx,
                                           out, outlen, secret, secretlen);
 }
 
-int EVP_PKEY_decapsulate_init(EVP_PKEY_CTX *ctx)
+int EVP_PKEY_decapsulate_init(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[])
 {
-    return evp_kem_init(ctx, EVP_PKEY_OP_DECAPSULATE);
+    return evp_kem_init(ctx, EVP_PKEY_OP_DECAPSULATE, params);
 }
 
 int EVP_PKEY_decapsulate(EVP_PKEY_CTX *ctx,
diff --git a/crypto/evp/keymgmt_meth.c b/crypto/evp/keymgmt_meth.c
index 3142996cab..b42e2b77c9 100644
--- a/crypto/evp/keymgmt_meth.c
+++ b/crypto/evp/keymgmt_meth.c
@@ -302,13 +302,14 @@ void evp_keymgmt_freedata(const EVP_KEYMGMT *keymgmt, void *keydata)
     keymgmt->free(keydata);
 }
 
-void *evp_keymgmt_gen_init(const EVP_KEYMGMT *keymgmt, int selection)
+void *evp_keymgmt_gen_init(const EVP_KEYMGMT *keymgmt, int selection,
+                           const OSSL_PARAM params[])
 {
     void *provctx = ossl_provider_ctx(EVP_KEYMGMT_provider(keymgmt));
 
     if (keymgmt->gen_init == NULL)
         return NULL;
-    return keymgmt->gen_init(provctx, selection);
+    return keymgmt->gen_init(provctx, selection, params);
 }
 
 int evp_keymgmt_gen_set_template(const EVP_KEYMGMT *keymgmt, void *genctx,
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
index 7650512d2a..3fca9bc529 100644
--- a/crypto/evp/m_sigver.c
+++ b/crypto/evp/m_sigver.c
@@ -39,7 +39,8 @@ static const char *canon_mdname(const char *mdname)
 static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
                           const EVP_MD *type, const char *mdname,
                           OSSL_LIB_CTX *libctx, const char *props,
-                          ENGINE *e, EVP_PKEY *pkey, int ver)
+                          ENGINE *e, EVP_PKEY *pkey, int ver,
+                          OSSL_PARAM params[])
 {
     EVP_PKEY_CTX *locpctx = NULL;
     EVP_SIGNATURE *signature = NULL;
@@ -202,14 +203,14 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
             goto err;
         }
         ret = signature->digest_verify_init(locpctx->op.sig.sigprovctx,
-                                            mdname, provkey);
+                                            mdname, provkey, params);
     } else {
         if (signature->digest_sign_init == NULL) {
             ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
             goto err;
         }
         ret = signature->digest_sign_init(locpctx->op.sig.sigprovctx,
-                                          mdname, provkey);
+                                          mdname, provkey, params);
     }
 
     goto end;
@@ -301,28 +302,34 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
 
 int EVP_DigestSignInit_ex(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
                           const char *mdname, OSSL_LIB_CTX *libctx,
-                          const char *props, EVP_PKEY *pkey)
+                          const char *props, EVP_PKEY *pkey,
+                          OSSL_PARAM params[])
 {
-    return do_sigver_init(ctx, pctx, NULL, mdname, libctx, props, NULL, pkey, 0);
+    return do_sigver_init(ctx, pctx, NULL, mdname, libctx, props, NULL, pkey, 0,
+                          params);
 }
 
 int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
                        const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey)
 {
-    return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 0);
+    return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 0,
+                          NULL);
 }
 
 int EVP_DigestVerifyInit_ex(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
                             const char *mdname, OSSL_LIB_CTX *libctx,
-                            const char *props, EVP_PKEY *pkey)
+                            const char *props, EVP_PKEY *pkey,
+                            OSSL_PARAM params[])
 {
-    return do_sigver_init(ctx, pctx, NULL, mdname, libctx, props, NULL, pkey, 1);
+    return do_sigver_init(ctx, pctx, NULL, mdname, libctx, props, NULL, pkey, 1,
+                          params);
 }
 
 int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
                          const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey)
 {
-    return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1);
+    return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1,
+                          NULL);
 }
 #endif /* FIPS_MDOE */
 
diff --git a/crypto/evp/pmeth_gn.c b/crypto/evp/pmeth_gn.c
index 091d387795..7383fbe072 100644
--- a/crypto/evp/pmeth_gn.c
+++ b/crypto/evp/pmeth_gn.c
@@ -37,11 +37,12 @@ static int gen_init(EVP_PKEY_CTX *ctx, int operation)
     case EVP_PKEY_OP_PARAMGEN:
         ctx->op.keymgmt.genctx =
             evp_keymgmt_gen_init(ctx->keymgmt,
-                                 OSSL_KEYMGMT_SELECT_ALL_PARAMETERS);
+                                 OSSL_KEYMGMT_SELECT_ALL_PARAMETERS, NULL);
         break;
     case EVP_PKEY_OP_KEYGEN:
         ctx->op.keymgmt.genctx =
-            evp_keymgmt_gen_init(ctx->keymgmt, OSSL_KEYMGMT_SELECT_KEYPAIR);
+            evp_keymgmt_gen_init(ctx->keymgmt, OSSL_KEYMGMT_SELECT_KEYPAIR,
+                                 NULL);
         break;
     }
 
diff --git a/crypto/evp/signature.c b/crypto/evp/signature.c
index bb99ff3095..09cf4539d9 100644
--- a/crypto/evp/signature.c
+++ b/crypto/evp/signature.c
@@ -361,7 +361,8 @@ const OSSL_PARAM *EVP_SIGNATURE_settable_ctx_params(const EVP_SIGNATURE *sig)
     return sig->settable_ctx_params(NULL, provctx);
 }
 
-static int evp_pkey_signature_init(EVP_PKEY_CTX *ctx, int operation)
+static int evp_pkey_signature_init(EVP_PKEY_CTX *ctx, int operation,
+                                   const OSSL_PARAM params[])
 {
     int ret = 0;
     void *provkey = NULL;
@@ -456,7 +457,7 @@ static int evp_pkey_signature_init(EVP_PKEY_CTX *ctx, int operation)
             ret = -2;
             goto err;
         }
-        ret = signature->sign_init(ctx->op.sig.sigprovctx, provkey);
+        ret = signature->sign_init(ctx->op.sig.sigprovctx, provkey, params);
         break;
     case EVP_PKEY_OP_VERIFY:
         if (signature->verify_init == NULL) {
@@ -464,7 +465,7 @@ static int evp_pkey_signature_init(EVP_PKEY_CTX *ctx, int operation)
             ret = -2;
             goto err;
         }
-        ret = signature->verify_init(ctx->op.sig.sigprovctx, provkey);
+        ret = signature->verify_init(ctx->op.sig.sigprovctx, provkey, params);
         break;
     case EVP_PKEY_OP_VERIFYRECOVER:
         if (signature->verify_recover_init == NULL) {
@@ -472,7 +473,8 @@ static int evp_pkey_signature_init(EVP_PKEY_CTX *ctx, int operation)
             ret = -2;
             goto err;
         }
-        ret = signature->verify_recover_init(ctx->op.sig.sigprovctx, provkey);
+        ret = signature->verify_recover_init(ctx->op.sig.sigprovctx, provkey,
+                                             params);
         break;
     default:
         ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
@@ -540,7 +542,12 @@ static int evp_pkey_signature_init(EVP_PKEY_CTX *ctx, int operation)
 
 int EVP_PKEY_sign_init(EVP_PKEY_CTX *ctx)
 {
-    return evp_pkey_signature_init(ctx, EVP_PKEY_OP_SIGN);
+    return evp_pkey_signature_init(ctx, EVP_PKEY_OP_SIGN, NULL);
+}
+
+int EVP_PKEY_sign_init_ex(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[])
+{
+    return evp_pkey_signature_init(ctx, EVP_PKEY_OP_SIGN, params);
 }
 
 int EVP_PKEY_sign(EVP_PKEY_CTX *ctx,
@@ -579,7 +586,12 @@ int EVP_PKEY_sign(EVP_PKEY_CTX *ctx,
 
 int EVP_PKEY_verify_init(EVP_PKEY_CTX *ctx)
 {
-    return evp_pkey_signature_init(ctx, EVP_PKEY_OP_VERIFY);
+    return evp_pkey_signature_init(ctx, EVP_PKEY_OP_VERIFY, NULL);
+}
+
+int EVP_PKEY_verify_init_ex(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[])
+{
+    return evp_pkey_signature_init(ctx, EVP_PKEY_OP_VERIFY, params);
 }
 
 int EVP_PKEY_verify(EVP_PKEY_CTX *ctx,
@@ -616,7 +628,13 @@ int EVP_PKEY_verify(EVP_PKEY_CTX *ctx,
 
 int EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *ctx)
 {
-    return evp_pkey_signature_init(ctx, EVP_PKEY_OP_VERIFYRECOVER);
+    return evp_pkey_signature_init(ctx, EVP_PKEY_OP_VERIFYRECOVER, NULL);
+}
+
+int EVP_PKEY_verify_recover_init_ex(EVP_PKEY_CTX *ctx,
+                                    const OSSL_PARAM params[])
+{
+    return evp_pkey_signature_init(ctx, EVP_PKEY_OP_VERIFYRECOVER, params);
 }
 
 int EVP_PKEY_verify_recover(EVP_PKEY_CTX *ctx,
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index ab23100f49..c9e4d719aa 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -928,7 +928,8 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si)
 
     if (EVP_DigestSignInit_ex(mctx, &pctx, EVP_MD_name(md),
                               ossl_pkcs7_ctx_get0_libctx(ctx),
-                              ossl_pkcs7_ctx_get0_propq(ctx), si->pkey) <= 0)
+                              ossl_pkcs7_ctx_get0_propq(ctx), si->pkey,
+                              NULL) <= 0)
         goto err;
 
     /*
diff --git a/doc/man3/EVP_DigestInit.pod b/doc/man3/EVP_DigestInit.pod
index ac527e407e..043717758e 100644
--- a/doc/man3/EVP_DigestInit.pod
+++ b/doc/man3/EVP_DigestInit.pod
@@ -10,8 +10,8 @@ EVP_MD_CTX_set_params, EVP_MD_CTX_get_params,
 EVP_MD_settable_ctx_params, EVP_MD_gettable_ctx_params,
 EVP_MD_CTX_settable_params, EVP_MD_CTX_gettable_params,
 EVP_MD_CTX_set_flags, EVP_MD_CTX_clear_flags, EVP_MD_CTX_test_flags,
-EVP_Digest, EVP_DigestInit_ex, EVP_DigestInit, EVP_DigestUpdate,
-EVP_DigestFinal_ex, EVP_DigestFinalXOF, EVP_DigestFinal,
+EVP_Digest, EVP_DigestInit_ex2, EVP_DigestInit_ex, EVP_DigestInit,
+EVP_DigestUpdate, EVP_DigestFinal_ex, EVP_DigestFinalXOF, EVP_DigestFinal,
 EVP_MD_is_a, EVP_MD_name, EVP_MD_number, EVP_MD_names_do_all, EVP_MD_provider,
 EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, EVP_MD_block_size, EVP_MD_flags,
 EVP_MD_CTX_name,
@@ -49,6 +49,8 @@ EVP_MD_do_all_provided
 
  int EVP_Digest(const void *data, size_t count, unsigned char *md,
                 unsigned int *size, const EVP_MD *type, ENGINE *impl);
+ int EVP_DigestInit_ex2(EVP_MD_CTX *ctx, const EVP_MD *type,
+                        const OSSL_PARAM params[]);
  int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl);
  int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt);
  int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s);
@@ -154,7 +156,7 @@ providers.>
 
 Performs digest-specific control actions on context I<ctx>. The control command
 is indicated in I<cmd> and any additional arguments in I<p1> and I<p2>.
-EVP_MD_CTX_ctrl() must be called after EVP_DigestInit_ex(). Other restrictions
+EVP_MD_CTX_ctrl() must be called after EVP_DigestInit_ex2(). Other restrictions
 may apply depending on the control type and digest implementation.
 
 If this function happens to be used with a fetched B<EVP_MD>, it will
@@ -216,6 +218,18 @@ I<impl>. The digest value is placed in I<md> and its length is written at I<size
 if the pointer is not NULL. At most B<EVP_MAX_MD_SIZE> bytes will be written.
 If I<impl> is NULL the default implementation of digest I<type> is used.
 
+=item EVP_DigestInit_ex2()
+
+Sets up digest context I<ctx> to use a digest I<type>.
+I<type> is typically supplied by a function such as EVP_sha1(), or a
+value explicitly fetched with EVP_MD_fetch().
+
+The parameters B<params> are set on the context after initialisation.
+
+The I<type> parameter can be NULL if I<ctx> has been already initialized
+with another EVP_DigestInit_ex() call and has not been reset with
+EVP_MD_CTX_reset().
+
 =item EVP_DigestInit_ex()
 
 Sets up digest context I<ctx> to use a digest I<type>.
@@ -242,14 +256,14 @@ parameter is not NULL then the number of bytes of data written (i.e. the
 length of the digest) will be written to the integer at I<s>, at most
 B<EVP_MAX_MD_SIZE> bytes will be written.  After calling EVP_DigestFinal_ex()
 no additional calls to EVP_DigestUpdate() can be made, but
-EVP_DigestInit_ex() can be called to initialize a new digest operation.
+EVP_DigestInit_ex2() can be called to initialize a new digest operation.
 
 =item EVP_DigestFinalXOF()
 
 Interfaces to extendable-output functions, XOFs, such as SHAKE128 and SHAKE256.
 It retrieves the digest value from I<ctx> and places it in I<len>-sized I<md>.
 After calling this function no additional calls to EVP_DigestUpdate() can be
-made, but EVP_DigestInit_ex() can be called to initialize a new operation.
+made, but EVP_DigestInit_ex2() can be called to initialize a new operation.
 
 =item EVP_MD_CTX_copy_ex()
 
@@ -259,9 +273,9 @@ few bytes.
 
 =item EVP_DigestInit()
 
-Behaves in the same way as EVP_DigestInit_ex() except it always uses the
-default digest implementation and calls EVP_MD_CTX_reset() so it cannot
-be used with an I<type> of NULL.
+Behaves in the same way as EVP_DigestInit_ex2() except it doesn't set any
+parameters and calls EVP_MD_CTX_reset() so it cannot be used with an I<type>
+of NULL.
 
 =item EVP_DigestFinal()
 
@@ -333,7 +347,7 @@ EVP_MD_meth_set_app_datasize().
 =item EVP_MD_CTX_md()
 
 Returns the B<EVP_MD> structure corresponding to the passed B<EVP_MD_CTX>. This
-will be the same B<EVP_MD> object originally passed to EVP_DigestInit_ex() (or
+will be the same B<EVP_MD> object originally passed to EVP_DigestInit_ex2() (or
 other similar function) when the EVP_MD_CTX was first initialised. Note that
 where explicit fetch is in use (see L<EVP_MD_fetch(3)>) the value returned from
 this function will not have its reference count incremented and therefore it
@@ -500,7 +514,8 @@ Returns a pointer to a B<EVP_MD> for success or NULL for failure.
 
 Returns 1 for success or 0 for failure.
 
-=item EVP_DigestInit_ex(),
+=item EVP_DigestInit_ex2(),
+EVP_DigestInit_ex(),
 EVP_DigestUpdate(),
 EVP_DigestFinal_ex()
 
@@ -620,7 +635,7 @@ digest name passed on the command line.
      }
 
      mdctx = EVP_MD_CTX_new();
-     EVP_DigestInit_ex(mdctx, md, NULL);
+     EVP_DigestInit_ex2(mdctx, md, NULL);
      EVP_DigestUpdate(mdctx, mess1, strlen(mess1));
      EVP_DigestUpdate(mdctx, mess2, strlen(mess2));
      EVP_DigestFinal_ex(mdctx, md_value, &md_len);
@@ -669,7 +684,7 @@ The EVP_dss1() function was removed in OpenSSL 1.1.0.
 
 The EVP_MD_CTX_set_pkey_ctx() function was added in OpenSSL 1.1.1.
 
-The EVP_MD_fetch(), EVP_MD_free(), EVP_MD_up_ref(),
+The EVP_DigestInit_ex2(), EVP_MD_fetch(), EVP_MD_free(), EVP_MD_up_ref(),
 EVP_MD_get_params(), EVP_MD_CTX_set_params(), EVP_MD_CTX_get_params(),
 EVP_MD_gettable_params(), EVP_MD_gettable_ctx_params(),
 EVP_MD_settable_ctx_params(), EVP_MD_CTX_settable_params() and
diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod
index e31621b24a..d2880b20f2 100644
--- a/doc/man3/EVP_EncryptInit.pod
+++ b/doc/man3/EVP_EncryptInit.pod
@@ -9,12 +9,15 @@ EVP_CIPHER_CTX_new,
 EVP_CIPHER_CTX_reset,
 EVP_CIPHER_CTX_free,
 EVP_EncryptInit_ex,
+EVP_EncryptInit_ex2,
 EVP_EncryptUpdate,
 EVP_EncryptFinal_ex,
 EVP_DecryptInit_ex,
+EVP_DecryptInit_ex2,
 EVP_DecryptUpdate,
 EVP_DecryptFinal_ex,
 EVP_CipherInit_ex,
+EVP_CipherInit_ex2,
 EVP_CipherUpdate,
 EVP_CipherFinal_ex,
 EVP_CIPHER_CTX_set_key_length,
@@ -84,18 +87,27 @@ EVP_CIPHER_do_all_provided
 
  int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
                         ENGINE *impl, const unsigned char *key, const unsigned char *iv);
+ int EVP_EncryptInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
+                         const unsigned char *key, const unsigned char *iv,
+                         const OSSL_PARAM params[]);
  int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
                        int *outl, const unsigned char *in, int inl);
  int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
 
  int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
                         ENGINE *impl, const unsigned char *key, const unsigned char *iv);
+ int EVP_DecryptInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
+                         const unsigned char *key, const unsigned char *iv,
+                         const OSSL_PARAM params[]);
  int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
                        int *outl, const unsigned char *in, int inl);
  int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
 
  int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
                        ENGINE *impl, const unsigned char *key, const unsigned char *iv, int enc);
+ int EVP_CipherInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
+                        const unsigned char *key, const unsigned char *iv,
+                        int enc, const OSSL_PARAM params[]);
  int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
                       int *outl, const unsigned char *in, int inl);
  int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
@@ -196,6 +208,20 @@ itself. This function should be called after all operations using a
 cipher are complete so sensitive information does not remain in
 memory.
 
+EVP_EncryptInit_ex2() sets up cipher context B<ctx> for encryption
+with cipher B<type>. B<type> is typically supplied by a function such
+as EVP_aes_256_cbc(), or a value explicitly fetched with
+EVP_CIPHER_fetch(). B<key> is the symmetric key to use
+and B<iv> is the IV to use (if necessary), the actual number of bytes
+used for the key and IV depends on the cipher. The parameters B<params> will
+be set on the context after initialisation. It is possible to set
+all parameters to NULL except B<type> in an initial call and supply
+the remaining parameters in subsequent calls, all of which have B<type>
+set to NULL. This is done when the default cipher parameters are not
+appropriate.
+For EVP_CIPH_GCM_MODE the IV will be generated internally if it is not
+specified.
+
 EVP_EncryptInit_ex() sets up cipher context B<ctx> for encryption
 with cipher B<type>. B<type> is typically supplied by a function such
 as EVP_aes_256_cbc(), or a value explicitly fetched with
@@ -239,20 +265,22 @@ If padding is disabled then EVP_EncryptFinal_ex() will not encrypt any more
 data and it will return an error if any data remains in a partial block:
 that is if the total data length is not a multiple of the block size.
 
-EVP_DecryptInit_ex(), EVP_DecryptUpdate() and EVP_DecryptFinal_ex() are the
-corresponding decryption operations. EVP_DecryptFinal() will return an
-error code if padding is enabled and the final block is not correctly
-formatted. The parameters and restrictions are identical to the encryption
-operations except that if padding is enabled the decrypted data buffer B<out>
-passed to EVP_DecryptUpdate() should have sufficient room for
-(B<inl> + cipher_block_size) bytes unless the cipher block size is 1 in
-which case B<inl> bytes is sufficient.
-
-EVP_CipherInit_ex(), EVP_CipherUpdate() and EVP_CipherFinal_ex() are
-functions that can be used for decryption or encryption. The operation
-performed depends on the value of the B<enc> parameter. It should be set
-to 1 for encryption, 0 for decryption and -1 to leave the value unchanged
-(the actual value of 'enc' being supplied in a previous call).
+EVP_DecryptInit_ex2(), EVP_DecryptInit_ex(), EVP_DecryptUpdate()
+and EVP_DecryptFinal_ex() are the corresponding decryption
+operations. EVP_DecryptFinal() will return an error code if padding is
+enabled and the final block is not correctly formatted. The parameters
+and restrictions are identical to the encryption operations except
+that if padding is enabled the decrypted data buffer B<out> passed
+to EVP_DecryptUpdate() should have sufficient room for (B<inl> +
+cipher_block_size) bytes unless the cipher block size is 1 in which case
+B<inl> bytes is sufficient.
+
+EVP_CipherInit_ex2(), EVP_CipherInit_ex(), EVP_CipherUpdate() and
+EVP_CipherFinal_ex() are functions that can be used for decryption or
+encryption. The operation performed depends on the value of the B<enc>
+parameter. It should be set to 1 for encryption, 0 for decryption and -1
+to leave the value unchanged (the actual value of 'enc' being supplied
+in a previous call).
 
 EVP_CIPHER_CTX_reset() clears all information from a cipher context
 and free up any allocated memory associate with it, except the B<ctx>
@@ -290,8 +318,8 @@ IDENTIFIER.
 
 EVP_CIPHER_CTX_set_padding() enables or disables padding. This
 function should be called after the context is set up for encryption
-or decryption with EVP_EncryptInit_ex(), EVP_DecryptInit_ex() or
-EVP_CipherInit_ex(). By default encryption operations are padded using
+or decryption with EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or
+EVP_CipherInit_ex2(). By default encryption operations are padded using
 standard block padding and the padding is checked and removed when
 decrypting. If the B<pad> parameter is zero then no padding is
 performed, the total amount of data encrypted or decrypted must then
@@ -436,13 +464,13 @@ EVP_CIPHER_up_ref() returns 1 for success or 0 otherwise.
 EVP_CIPHER_CTX_new() returns a pointer to a newly created
 B<EVP_CIPHER_CTX> for success and B<NULL> for failure.
 
-EVP_EncryptInit_ex(), EVP_EncryptUpdate() and EVP_EncryptFinal_ex()
+EVP_EncryptInit_ex2(), EVP_EncryptUpdate() and EVP_EncryptFinal_ex()
 return 1 for success and 0 for failure.
 
-EVP_DecryptInit_ex() and EVP_DecryptUpdate() return 1 for success and 0 for failure.
+EVP_DecryptInit_ex2() and EVP_DecryptUpdate() return 1 for success and 0 for failure.
 EVP_DecryptFinal_ex() returns 0 if the decrypt failed or 1 for success.
 
-EVP_CipherInit_ex() and EVP_CipherUpdate() return 1 for success and 0 for failure.
+EVP_CipherInit_ex2() and EVP_CipherUpdate() return 1 for success and 0 for failure.
 EVP_CipherFinal_ex() returns 0 for a decryption failure or 1 for success.
 
 EVP_Cipher() returns the amount of encrypted / decrypted bytes, or -1
@@ -692,12 +720,14 @@ the input data earlier on will not produce a final decrypt error.
 If padding is disabled then the decryption operation will always succeed if
 the total amount of data decrypted is a multiple of the block size.
 
-The functions EVP_EncryptInit(), EVP_EncryptFinal(), EVP_DecryptInit(),
-EVP_CipherInit() and EVP_CipherFinal() are obsolete but are retained for
-compatibility with existing code. New code should use EVP_EncryptInit_ex(),
-EVP_EncryptFinal_ex(), EVP_DecryptInit_ex(), EVP_DecryptFinal_ex(),
-EVP_CipherInit_ex() and EVP_CipherFinal_ex() because they can reuse an
-existing context without allocating and freeing it up on each call.
+The functions EVP_EncryptInit(), EVP_EncryptInit_ex1(),
+EVP_EncryptFinal(), EVP_DecryptInit(), EVP_DecryptInit_ex1(),
+EVP_CipherInit(), EVP_CipherInit_ex1() and EVP_CipherFinal() are obsolete
+but are retained for compatibility with existing code. New code should
+use EVP_EncryptInit_ex2(), EVP_EncryptFinal_ex(), EVP_DecryptInit_ex2(),
+EVP_DecryptFinal_ex(), EVP_CipherInit_ex2() and EVP_CipherFinal_ex()
+because they can reuse an existing context without allocating and freeing
+it up on each call.
 
 There are some differences between functions EVP_CipherInit() and
 EVP_CipherInit_ex(), significant in some circumstances. EVP_CipherInit() fills
@@ -740,7 +770,7 @@ Encrypt a string using IDEA:
      FILE *out;
 
      ctx = EVP_CIPHER_CTX_new();
-     EVP_EncryptInit_ex(ctx, EVP_idea_cbc(), NULL, key, iv);
+     EVP_EncryptInit_ex2(ctx, EVP_idea_cbc(), key, iv, NULL);
 
      if (!EVP_EncryptUpdate(ctx, outbuf, &outlen, intext, strlen(intext))) {
          /* Error */
@@ -798,13 +828,13 @@ with a 128-bit key:
 
      /* Don't set key or IV right away; we want to check lengths */
      ctx = EVP_CIPHER_CTX_new();
-     EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, NULL, NULL,
-                       do_encrypt);
+     EVP_CipherInit_ex2(ctx, EVP_aes_128_cbc(), NULL, NULL,
+                        do_encrypt, NULL);
      OPENSSL_assert(EVP_CIPHER_CTX_key_length(ctx) == 16);
      OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) == 16);
 
      /* Now we can set key and IV */
-     EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, do_encrypt);
+     EVP_CipherInit_ex2(ctx, NULL, key, iv, do_encrypt, NULL);
 
      for (;;) {
          inlen = fread(inbuf, 1, 1024, in);
@@ -849,8 +879,6 @@ Encryption using AES-CBC with a 256-bit key with "CS1" ciphertext stealing.
      if (ctx == NULL || cipher == NULL)
          goto err;
 
-     if (!EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, encrypt))
-         goto err;
      /*
       * The default is "CS1" so this is not really needed,
       * but would be needed to set either "CS2" or "CS3".
@@ -858,7 +886,8 @@ Encryption using AES-CBC with a 256-bit key with "CS1" ciphertext stealing.
      params[0] = OSSL_PARAM_construct_utf8_string(OSSL_CIPHER_PARAM_CTS_MODE,
                                                   "CS1", 0);
      params[1] = OSSL_PARAM_construct_end();
-     if (!EVP_CIPHER_CTX_set_params(ctx, params))
+
+     if (!EVP_CipherInit_ex2(ctx, cipher, key, iv, encrypt, params))
          goto err;
 
      /* NOTE: CTS mode does not support multiple calls to EVP_CipherUpdate() */
@@ -903,7 +932,8 @@ EVP_CIPHER_CTX_reset() appeared and EVP_CIPHER_CTX_cleanup()
 disappeared.  EVP_CIPHER_CTX_init() remains as an alias for
 EVP_CIPHER_CTX_reset().
 
-The EVP_CIPHER_fetch(), EVP_CIPHER_free(), EVP_CIPHER_up_ref(),
+The EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2(), EVP_CipherInit_ex2(),
+EVP_CIPHER_fetch(), EVP_CIPHER_free(), EVP_CIPHER_up_ref(),
 EVP_CIPHER_get_params(), EVP_CIPHER_CTX_set_params(),
 EVP_CIPHER_CTX_get_params(), EVP_CIPHER_gettable_params(),
 EVP_CIPHER_settable_ctx_params(), EVP_CIPHER_gettable_ctx_params(),
diff --git a/doc/man3/EVP_PKEY_decapsulate.pod b/doc/man3/EVP_PKEY_decapsulate.pod
index 7dd47a1e58..36e8f9c9d4 100644
--- a/doc/man3/EVP_PKEY_decapsulate.pod
+++ b/doc/man3/EVP_PKEY_decapsulate.pod
@@ -9,7 +9,7 @@ EVP_PKEY_decapsulate_init, EVP_PKEY_decapsulate
 
  #include <openssl/evp.h>
 
- int EVP_PKEY_decapsulate_init(EVP_PKEY_CTX *ctx);
+ int EVP_PKEY_decapsulate_init(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]);
  int EVP_PKEY_decapsulate(EVP_PKEY_CTX *ctx,
                           unsigned char *secret, size_t *secretlen,
                           const unsigned char *wrapped, size_t wrappedlen);
@@ -17,7 +17,8 @@ EVP_PKEY_decapsulate_init, EVP_PKEY_decapsulate
 =head1 DESCRIPTION
 
 The EVP_PKEY_decapsulate_init() function initializes a private key algorithm
-context I<ctx> for a decapsulation operation.
+context I<ctx> for a decapsulation operation and then sets the I<params>
+on the context in the same way as calling L<EVP_PKEY_CTX_set_params(3)>.
 
 The EVP_PKEY_decapsulate() function performs a private key decapsulation
 operation using I<ctx>. The data to be decapsulated is specified using the
@@ -30,8 +31,7 @@ the amount of data written to I<secretlen>.
 =head1 NOTES
 
 After the call to EVP_PKEY_decapsulate_init() algorithm specific parameters
-for the operation may be set using L<EVP_PKEY_CTX_set_params(3)>. There are no
-settable parameters currently.
+for the operation may be set or modified using L<EVP_PKEY_CTX_set_params(3)>.
 
 =head1 RETURN VALUES
 
@@ -57,7 +57,7 @@ Decapsulate data using RSA:
  ctx = EVP_PKEY_CTX_new_from_pkey(libctx, rsa_priv_key, NULL);
  if (ctx = NULL)
      /* Error */
- if (EVP_PKEY_decapsulate_init(ctx) <= 0)
+ if (EVP_PKEY_decapsulate_init(ctx, NULL) <= 0)
      /* Error */
 
  /* Set the mode - only 'RSASVE' is currently supported */
diff --git a/doc/man3/EVP_PKEY_decrypt.pod b/doc/man3/EVP_PKEY_decrypt.pod
index a78c1ee8e4..0528663d67 100644
--- a/doc/man3/EVP_PKEY_decrypt.pod
+++ b/doc/man3/EVP_PKEY_decrypt.pod
@@ -2,13 +2,15 @@
 
 =head1 NAME
 
-EVP_PKEY_decrypt_init, EVP_PKEY_decrypt - decrypt using a public key algorithm
+EVP_PKEY_decrypt_init, EVP_PKEY_decrypt_init_ex,
+EVP_PKEY_decrypt - decrypt using a public key algorithm
 
 =head1 SYNOPSIS
 
  #include <openssl/evp.h>
 
  int EVP_PKEY_decrypt_init(EVP_PKEY_CTX *ctx);
+ int EVP_PKEY_decrypt_init_ex(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]);
  int EVP_PKEY_decrypt(EVP_PKEY_CTX *ctx,
                       unsigned char *out, size_t *outlen,
                       const unsigned char *in, size_t inlen);
@@ -18,6 +20,10 @@ EVP_PKEY_decrypt_init, EVP_PKEY_decrypt - decrypt using a public key algorithm
 The EVP_PKEY_decrypt_init() function initializes a public key algorithm
 context using key B<pkey> for a decryption operation.
 
+The EVP_PKEY_decrypt_init_ex() function initializes a public key algorithm
+context using key B<pkey> for a decryption operation and sets the
+algorithm specific B<params>.
+
 The EVP_PKEY_decrypt() function performs a public key decryption operation
 using B<ctx>. The data to be decrypted is specified using the B<in> and
 B<inlen> parameters. If B<out> is B<NULL> then the maximum size of the output
@@ -30,16 +36,18 @@ B<out> and the amount of data written to B<outlen>.
 
 After the call to EVP_PKEY_decrypt_init() algorithm specific control
 operations can be performed to set any appropriate parameters for the
-operation.
+operation.  These operations can be included in the EVP_PKEY_decrypt_init_ex()
+call.
 
 The function EVP_PKEY_decrypt() can be called more than once on the same
 context if several operations are performed using the same parameters.
 
 =head1 RETURN VALUES
 
-EVP_PKEY_decrypt_init() and EVP_PKEY_decrypt() return 1 for success and 0
-or a negative value for failure. In particular a return value of -2
-indicates the operation is not supported by the public key algorithm.
+EVP_PKEY_decrypt_init(), EVP_PKEY_decrypt_init_ex() and EVP_PKEY_decrypt()
+return 1 for success and 0 or a negative value for failure. In particular a
+return value of -2 indicates the operation is not supported by the public key
+algorithm.
 
 =head1 EXAMPLES
 
diff --git a/doc/man3/EVP_PKEY_derive.pod b/doc/man3/EVP_PKEY_derive.pod
index 5bfb316382..be5cf3945e 100644
--- a/doc/man3/EVP_PKEY_derive.pod
+++ b/doc/man3/EVP_PKEY_derive.pod
@@ -2,7 +2,8 @@
 
 =head1 NAME
 
-EVP_PKEY_derive_init, EVP_PKEY_derive_set_peer, EVP_PKEY_derive
+EVP_PKEY_derive_init, EVP_PKEY_derive_init_ex,
+EVP_PKEY_derive_set_peer, EVP_PKEY_derive
 - derive public key algorithm shared secret
 
 =head1 SYNOPSIS
@@ -10,6 +11,7 @@ EVP_PKEY_derive_init, EVP_PKEY_derive_set_peer, EVP_PKEY_derive
  #include <openssl/evp.h>
 
  int EVP_PKEY_derive_init(EVP_PKEY_CTX *ctx);
+ int EVP_PKEY_derive_init_ex(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]);
  int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *ctx, EVP_PKEY *peer);
  int EVP_PKEY_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen);
 
@@ -21,6 +23,9 @@ using L<EVP_PKEY_CTX_new(3)> or variants thereof.  The algorithm is used to
 fetch a B<EVP_KEYEXCH> method implicitly, see L<provider(7)/Implicit fetch> for
 more information about implicit fetches.
 
+EVP_PKEY_derive_init_ex() is the same as EVP_PKEY_derive_init() but additionally
+sets the passed parameters I<params> on the context before returning.
+
 EVP_PKEY_derive_set_peer() sets the peer key: this will normally
 be a public key.
 
@@ -95,7 +100,10 @@ L<EVP_KEYEXCH_fetch(3)>
 
 =head1 HISTORY
 
-These functions were added in OpenSSL 1.0.0.
+The EVP_PKEY_derive_init(), EVP_PKEY_derive_set_peer() and EVP_PKEY_derive()
+functions were originally added in OpenSSL 1.0.0.
+
+The EVP_PKEY_derive_init_ex() function was added in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
diff --git a/doc/man3/EVP_PKEY_encapsulate.pod b/doc/man3/EVP_PKEY_encapsulate.pod
index 0e911f71cf..7547c7ae34 100644
--- a/doc/man3/EVP_PKEY_encapsulate.pod
+++ b/doc/man3/EVP_PKEY_encapsulate.pod
@@ -9,7 +9,7 @@ EVP_PKEY_encapsulate_init, EVP_PKEY_encapsulate
 
  #include <openssl/evp.h>
 
- int EVP_PKEY_encapsulate_init(EVP_PKEY_CTX *ctx);
+ int EVP_PKEY_encapsulate_init(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]);
  int EVP_PKEY_encapsulate(EVP_PKEY_CTX *ctx,
                           unsigned char *out, size_t *outlen,
                           unsigned char *genkey, size_t *genkeylen);
@@ -17,7 +17,8 @@ EVP_PKEY_encapsulate_init, EVP_PKEY_encapsulate
 =head1 DESCRIPTION
 
 The EVP_PKEY_encapsulate_init() function initializes a public key algorithm
-context I<ctx> for an encapsulation operation.
+context I<ctx> for an encapsulation operation and then sets the I<params>
+on the context in the same way as calling L<EVP_PKEY_CTX_set_params(3)>.
 
 The EVP_PKEY_encapsulate() function performs a public key encapsulation
 operation using I<ctx> with the name I<name>.
@@ -31,7 +32,7 @@ I<out> and its size is written to I<*outlen>.
 =head1 NOTES
 
 After the call to EVP_PKEY_encapsulate_init() algorithm specific parameters
-for the operation may be set using L<EVP_PKEY_CTX_set_params(3)>.
+for the operation may be set or modified using L<EVP_PKEY_CTX_set_params(3)>.
 
 =head1 RETURN VALUES
 
@@ -56,7 +57,7 @@ Encapsulate an RSASVE key (for RSA keys).
  ctx = EVP_PKEY_CTX_new_from_pkey(libctx, rsa_pub_key, NULL);
  if (ctx = NULL)
      /* Error */
- if (EVP_PKEY_encapsulate_init(ctx) <= 0)
+ if (EVP_PKEY_encapsulate_init(ctx, NULL) <= 0)
      /* Error */
 
  /* Set the mode - only 'RSASVE' is currently supported */
diff --git a/doc/man3/EVP_PKEY_encrypt.pod b/doc/man3/EVP_PKEY_encrypt.pod
index 73ca8bae3e..5a8fe0ece7 100644
--- a/doc/man3/EVP_PKEY_encrypt.pod
+++ b/doc/man3/EVP_PKEY_encrypt.pod
@@ -2,6 +2,7 @@
 
 =head1 NAME
 
+EVP_PKEY_encrypt_init_ex, 
 EVP_PKEY_encrypt_init, EVP_PKEY_encrypt - encrypt using a public key algorithm
 
 =head1 SYNOPSIS
@@ -9,6 +10,7 @@ EVP_PKEY_encrypt_init, EVP_PKEY_encrypt - encrypt using a public key algorithm
  #include <openssl/evp.h>
 
  int EVP_PKEY_encrypt_init(EVP_PKEY_CTX *ctx);
+ int EVP_PKEY_encrypt_init_ex(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]);
  int EVP_PKEY_encrypt(EVP_PKEY_CTX *ctx,
                       unsigned char *out, size_t *outlen,
                       const unsigned char *in, size_t inlen);
@@ -18,6 +20,10 @@ EVP_PKEY_encrypt_init, EVP_PKEY_encrypt - encrypt using a public key algorithm
 The EVP_PKEY_encrypt_init() function initializes a public key algorithm
 context using key B<pkey> for an encryption operation.
 
+The EVP_PKEY_encrypt_init_ex() function initializes a public key algorithm
+context using key B<pkey> for an encryption operation and sets the
+algorithm specific B<params>.
+
 The EVP_PKEY_encrypt() function performs a public key encryption operation
 using B<ctx>. The data to be encrypted is specified using the B<in> and
 B<inlen> parameters. If B<out> is B<NULL> then the maximum size of the output
@@ -30,16 +36,18 @@ B<out> and the amount of data written to B<outlen>.
 
 After the call to EVP_PKEY_encrypt_init() algorithm specific control
 operations can be performed to set any appropriate parameters for the
-operation.
+operation.  These operations can be included in the EVP_PKEY_encrypt_init_ex()
+call.
 
 The function EVP_PKEY_encrypt() can be called more than once on the same
 context if several operations are performed using the same parameters.
 
 =head1 RETURN VALUES
 
-EVP_PKEY_encrypt_init() and EVP_PKEY_encrypt() return 1 for success and 0
-or a negative value for failure. In particular a return value of -2
-indicates the operation is not supported by the public key algorithm.
+EVP_PKEY_encrypt_init(), EVP_PKEY_encrypt_init_ex() and EVP_PKEY_encrypt()
+return 1 for success and 0 or a negative value for failure. In particular a
+return value of -2 indicates the operation is not supported by the public key
+algorithm.
 
 =head1 EXAMPLES
 
diff --git a/doc/man3/EVP_PKEY_sign.pod b/doc/man3/EVP_PKEY_sign.pod
index bd65bd9237..1e2f71862a 100644
--- a/doc/man3/EVP_PKEY_sign.pod
+++ b/doc/man3/EVP_PKEY_sign.pod
@@ -2,7 +2,7 @@
 
 =head1 NAME
 
-EVP_PKEY_sign_init, EVP_PKEY_sign
+EVP_PKEY_sign_init, EVP_PKEY_sign_init_ex, EVP_PKEY_sign
 - sign using a public key algorithm
 
 =head1 SYNOPSIS
@@ -10,6 +10,7 @@ EVP_PKEY_sign_init, EVP_PKEY_sign
  #include <openssl/evp.h>
 
  int EVP_PKEY_sign_init(EVP_PKEY_CTX *ctx);
+ int EVP_PKEY_sign_init_ex(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]);
  int EVP_PKEY_sign(EVP_PKEY_CTX *ctx,
                    unsigned char *sig, size_t *siglen,
                    const unsigned char *tbs, size_t tbslen);
@@ -22,6 +23,9 @@ using L<EVP_PKEY_CTX_new(3)> or variants thereof.  The algorithm is used to
 fetch a B<EVP_SIGNATURE> method implicitly, see L<provider(7)/Implicit fetch>
 for more information about implicit fetches.
 
+EVP_PKEY_sign_init_ex() is the same as EVP_PKEY_sign_init() but additionally
+sets the passed parameters I<params> on the context before returning.
+
 The EVP_PKEY_sign() function performs a public key signing operation
 using I<ctx>. The data to be signed is specified using the I<tbs> and
 I<tbslen> parameters. If I<sig> is NULL then the maximum size of the output
@@ -105,7 +109,10 @@ L<EVP_PKEY_derive(3)>
 
 =head1 HISTORY
 
-These functions were added in OpenSSL 1.0.0.
+The EVP_PKEY_sign_init() and EVP_PKEY_sign() functions were added in
+OpenSSL 1.0.0.
+
+The EVP_PKEY_sign_init_ex() function was added in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
diff --git a/doc/man3/EVP_PKEY_verify.pod b/doc/man3/EVP_PKEY_verify.pod
index c41525246a..972c5c54b9 100644
--- a/doc/man3/EVP_PKEY_verify.pod
+++ b/doc/man3/EVP_PKEY_verify.pod
@@ -2,7 +2,7 @@
 
 =head1 NAME
 
-EVP_PKEY_verify_init, EVP_PKEY_verify
+EVP_PKEY_verify_init, EVP_PKEY_verify_init_ex, EVP_PKEY_verify
 - signature verification using a public key algorithm
 
 =head1 SYNOPSIS
@@ -10,6 +10,7 @@ EVP_PKEY_verify_init, EVP_PKEY_verify
  #include <openssl/evp.h>
 
  int EVP_PKEY_verify_init(EVP_PKEY_CTX *ctx);
+ int EVP_PKEY_verify_init_ex(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]);
  int EVP_PKEY_verify(EVP_PKEY_CTX *ctx,
                      const unsigned char *sig, size_t siglen,
                      const unsigned char *tbs, size_t tbslen);
@@ -22,6 +23,9 @@ using L<EVP_PKEY_CTX_new(3)> or variants thereof.  The algorithm is used to
 fetch a B<EVP_SIGNATURE> method implicitly, see L<provider(7)/Implicit fetch>
 for more information about implicit fetches.
 
+EVP_PKEY_verify_init_ex() is the same as EVP_PKEY_verify_init() but additionally
+sets the passed parameters I<params> on the context before returning.
+
 The EVP_PKEY_verify() function performs a public key verification operation
 using I<ctx>. The signature is specified using the I<sig> and
 I<siglen> parameters. The verified data (i.e. the data believed originally
@@ -93,7 +97,10 @@ L<EVP_PKEY_derive(3)>
 
 =head1 HISTORY
 
-These functions were added in OpenSSL 1.0.0.
+The EVP_PKEY_verify_init() and EVP_PKEY_verify() functions were added in
+OpenSSL 1.0.0.
+
+The EVP_PKEY_verify_init_ex() function was added in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
diff --git a/doc/man3/EVP_PKEY_verify_recover.pod b/doc/man3/EVP_PKEY_verify_recover.pod
index e8acd6ab8d..5b7535007c 100644
--- a/doc/man3/EVP_PKEY_verify_recover.pod
+++ b/doc/man3/EVP_PKEY_verify_recover.pod
@@ -2,7 +2,8 @@
 
 =head1 NAME
 
-EVP_PKEY_verify_recover_init, EVP_PKEY_verify_recover
+EVP_PKEY_verify_recover_init, EVP_PKEY_verify_recover_init_ex,
+EVP_PKEY_verify_recover
 - recover signature using a public key algorithm
 
 =head1 SYNOPSIS
@@ -10,6 +11,8 @@ EVP_PKEY_verify_recover_init, EVP_PKEY_verify_recover
  #include <openssl/evp.h>
 
  int EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *ctx);
+ int EVP_PKEY_verify_recover_init_ex(EVP_PKEY_CTX *ctx,
+                                     const OSSL_PARAM params[]);
  int EVP_PKEY_verify_recover(EVP_PKEY_CTX *ctx,
                              unsigned char *rout, size_t *routlen,
                              const unsigned char *sig, size_t siglen);
@@ -22,6 +25,10 @@ using L<EVP_PKEY_CTX_new(3)> or variants thereof.  The algorithm is used to
 fetch a B<EVP_SIGNATURE> method implicitly, see L<provider(7)/Implicit fetch>
 for more information about implicit fetches.
 
+EVP_PKEY_verify_recover_init_ex() is the same as
+EVP_PKEY_verify_recover_init() but additionally sets the passed parameters
+I<params> on the context before returning.
+
 The EVP_PKEY_verify_recover() function recovers signed data
 using I<ctx>. The signature is specified using the I<sig> and
 I<siglen> parameters. If I<rout> is NULL then the maximum size of the output
@@ -104,7 +111,10 @@ L<EVP_PKEY_derive(3)>
 
 =head1 HISTORY
 
-These functions were added in OpenSSL 1.0.0.
+The EVP_PKEY_verify_recover_init() and EVP_PKEY_verify_recover()
+functions were added in OpenSSL 1.0.0.
+
+The EVP_PKEY_verify_recover_init_ex() function was added in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
diff --git a/doc/man3/RSA_private_encrypt.pod b/doc/man3/RSA_private_encrypt.pod
index eaa7715bfb..ca77320baa 100644
--- a/doc/man3/RSA_private_encrypt.pod
+++ b/doc/man3/RSA_private_encrypt.pod
@@ -21,8 +21,9 @@ L<openssl_user_macros(7)>:
 =head1 DESCRIPTION
 
 Both of the functions described on this page are deprecated.
-Applications should instead use L<EVP_PKEY_encrypt_init(3)>,
-L<EVP_PKEY_encrypt(3)>, L<EVP_PKEY_decrypt_init(3)> and L<EVP_PKEY_decrypt(3)>.
+Applications should instead use L<EVP_PKEY_encrypt_init_ex(3)>,
+L<EVP_PKEY_encrypt(3)>, L<EVP_PKEY_decrypt_init_ex(3)> and
+L<EVP_PKEY_decrypt(3)>.
 
 These functions handle RSA signatures at a low-level.
 
diff --git a/doc/man3/RSA_public_encrypt.pod b/doc/man3/RSA_public_encrypt.pod
index 566b245f3f..1624c16002 100644
--- a/doc/man3/RSA_public_encrypt.pod
+++ b/doc/man3/RSA_public_encrypt.pod
@@ -21,8 +21,9 @@ L<openssl_user_macros(7)>:
 =head1 DESCRIPTION
 
 Both of the functions described on this page are deprecated.
-Applications should instead use L<EVP_PKEY_encrypt_init(3)>,
-L<EVP_PKEY_encrypt(3)>, L<EVP_PKEY_decrypt_init(3)> and L<EVP_PKEY_decrypt(3)>.
+Applications should instead use L<EVP_PKEY_encrypt_init_ex(3)>,
+L<EVP_PKEY_encrypt(3)>, L<EVP_PKEY_decrypt_init_ex(3)> and
+L<EVP_PKEY_decrypt(3)>.
 
 RSA_public_encrypt() encrypts the B<flen> bytes at B<from> (usually a
 session key) using the public key B<rsa> and stores the ciphertext in
diff --git a/doc/man7/provider-asym_cipher.pod b/doc/man7/provider-asym_cipher.pod
index 939dc76f76..108fbceceb 100644
--- a/doc/man7/provider-asym_cipher.pod
+++ b/doc/man7/provider-asym_cipher.pod
@@ -23,13 +23,15 @@ provider-asym_cipher - The asym_cipher library E<lt>-E<gt> provider functions
  void *OSSL_FUNC_asym_cipher_dupctx(void *ctx);
 
  /* Encryption */
- int OSSL_FUNC_asym_cipher_encrypt_init(void *ctx, void *provkey);
+ int OSSL_FUNC_asym_cipher_encrypt_init(void *ctx, void *provkey,
+                                        const OSSL_PARAM params[]);
  int OSSL_FUNC_asym_cipher_encrypt(void *ctx, unsigned char *out, size_t *outlen,
                                    size_t outsize, const unsigned char *in,
                                    size_t inlen);
 
  /* Decryption */
- int OSSL_FUNC_asym_cipher_decrypt_init(void *ctx, void *provkey);
+ int OSSL_FUNC_asym_cipher_decrypt_init(void *ctx, void *provkey,
+                                        const OSSL_PARAM params[]);
  int OSSL_FUNC_asym_cipher_decrypt(void *ctx, unsigned char *out, size_t *outlen,
                                    size_t outsize, const unsigned char *in,
                                    size_t inlen);
@@ -122,10 +124,11 @@ context in the I<ctx> parameter and return the duplicate copy.
 OSSL_FUNC_asym_cipher_encrypt_init() initialises a context for an asymmetric encryption
 given a provider side asymmetric cipher context in the I<ctx> parameter, and a
 pointer to a provider key object in the I<provkey> parameter.
+The I<params>, if not NULL, should be set on the context in a manner similar to
+using OSSL_FUNC_asym_cipher_set_ctx_params().
 The key object should have been previously generated, loaded or imported into
 the provider using the key management (OSSL_OP_KEYMGMT) operation (see
 provider-keymgmt(7)>.
-
 OSSL_FUNC_asym_cipher_encrypt() performs the actual encryption itself.
 A previously initialised asymmetric cipher context is passed in the I<ctx>
 parameter.
@@ -143,6 +146,8 @@ written to I<*outlen>.
 OSSL_FUNC_asym_cipher_decrypt_init() initialises a context for an asymmetric decryption
 given a provider side asymmetric cipher context in the I<ctx> parameter, and a
 pointer to a provider key object in the I<provkey> parameter.
+The I<params>, if not NULL, should be set on the context in a manner similar to
+using OSSL_FUNC_asym_cipher_set_ctx_params().
 The key object should have been previously generated, loaded or imported into
 the provider using the key management (OSSL_OP_KEYMGMT) operation (see
 provider-keymgmt(7)>.
@@ -168,9 +173,12 @@ functions.
 OSSL_FUNC_asym_cipher_get_ctx_params() gets asymmetric cipher parameters associated
 with the given provider side asymmetric cipher context I<ctx> and stores them in
 I<params>.
+Passing NULL for I<params> should return true.
+
 OSSL_FUNC_asym_cipher_set_ctx_params() sets the asymmetric cipher parameters associated
 with the given provider side asymmetric cipher context I<ctx> to I<params>.
 Any parameter settings are additional to any that were previously set.
+Passing NULL for I<params> should return true.
 
 Parameters currently recognised by built-in asymmetric cipher algorithms are as
 follows.
diff --git a/doc/man7/provider-cipher.pod b/doc/man7/provider-cipher.pod
index 133ee07d67..de5be060a1 100644
--- a/doc/man7/provider-cipher.pod
+++ b/doc/man7/provider-cipher.pod
@@ -25,10 +25,10 @@ provider-cipher - The cipher library E<lt>-E<gt> provider functions
  /* Encryption/decryption */
  int OSSL_FUNC_cipher_encrypt_init(void *cctx, const unsigned char *key,
                                    size_t keylen, const unsigned char *iv,
-                                   size_t ivlen);
+                                   size_t ivlen, const OSSL_PARAM params[]);
  int OSSL_FUNC_cipher_decrypt_init(void *cctx, const unsigned char *key,
                                    size_t keylen, const unsigned char *iv,
-                                   size_t ivlen);
+                                   size_t ivlen, const OSSL_PARAM params[]);
  int OSSL_FUNC_cipher_update(void *cctx, unsigned char *out, size_t *outl,
                              size_t outsize, const unsigned char *in, size_t inl);
  int OSSL_FUNC_cipher_final(void *cctx, unsigned char *out, size_t *outl,
@@ -129,6 +129,8 @@ OSSL_FUNC_cipher_encrypt_init() initialises a cipher operation for encryption gi
 newly created provider side cipher context in the I<cctx> parameter.
 The key to be used is given in I<key> which is I<keylen> bytes long.
 The IV to be used is given in I<iv> which is I<ivlen> bytes long.
+The I<params>, if not NULL, should be set on the context in a manner similar to
+using OSSL_FUNC_cipher_set_ctx_params().
 
 OSSL_FUNC_cipher_decrypt_init() is the same as OSSL_FUNC_cipher_encrypt_init() except that it
 initialises the context for a decryption operation.
@@ -184,9 +186,11 @@ and stores them in I<params>.
 OSSL_FUNC_cipher_set_ctx_params() sets cipher operation parameters for the
 provider side cipher context I<cctx> to I<params>.
 Any parameter settings are additional to any that were previously set.
+Passing NULL for I<params> should return true.
 
 OSSL_FUNC_cipher_get_ctx_params() gets cipher operation details details from
 the given provider side cipher context I<cctx> and stores them in I<params>.
+Passing NULL for I<params> should return true.
 
 OSSL_FUNC_cipher_gettable_params(), OSSL_FUNC_cipher_gettable_ctx_params(),
 and OSSL_FUNC_cipher_settable_ctx_params() all return constant B<OSSL_PARAM>
diff --git a/doc/man7/provider-digest.pod b/doc/man7/provider-digest.pod
index 7165827160..ce53c61de4 100644
--- a/doc/man7/provider-digest.pod
+++ b/doc/man7/provider-digest.pod
@@ -22,7 +22,7 @@ provider-digest - The digest library E<lt>-E<gt> provider functions
  void *OSSL_FUNC_digest_dupctx(void *dctx);
 
  /* Digest generation */
- int OSSL_FUNC_digest_init(void *dctx);
+ int OSSL_FUNC_digest_init(void *dctx, const OSSL_PARAM params[]);
  int OSSL_FUNC_digest_update(void *dctx, const unsigned char *in, size_t inl);
  int OSSL_FUNC_digest_final(void *dctx, unsigned char *out, size_t *outl,
                             size_t outsz);
@@ -115,6 +115,8 @@ I<dctx> parameter and return the duplicate copy.
 
 OSSL_FUNC_digest_init() initialises a digest operation given a newly created
 provider side digest context in the I<dctx> parameter.
+The I<params>, if not NULL, should be set on the context in a manner similar to
+using OSSL_FUNC_digest_set_ctx_params().
 
 OSSL_FUNC_digest_update() is called to supply data to be digested as part of a
 previously initialised digest operation.
@@ -150,9 +152,11 @@ and stores them in I<params>.
 OSSL_FUNC_digest_set_ctx_params() sets digest operation parameters for the
 provider side digest context I<dctx> to I<params>.
 Any parameter settings are additional to any that were previously set.
+Passing NULL for I<params> should return true.
 
 OSSL_FUNC_digest_get_ctx_params() gets digest operation details details from
 the given provider side digest context I<dctx> and stores them in I<params>.
+Passing NULL for I<params> should return true.
 
 OSSL_FUNC_digest_gettable_params() returns a constant B<OSSL_PARAM> array
 containing descriptors of the parameters that OSSL_FUNC_digest_get_params()
diff --git a/doc/man7/provider-encoder.pod b/doc/man7/provider-encoder.pod
index 2fcbd6499a..5e34b7a394 100644
--- a/doc/man7/provider-encoder.pod
+++ b/doc/man7/provider-encoder.pod
@@ -197,6 +197,7 @@ OSSL_FUNC_encoder_newctx().
 OSSL_FUNC_encoder_set_ctx_params() sets context data according to parameters
 from I<params> that it recognises.  Unrecognised parameters should be
 ignored.
+Passing NULL for I<params> should return true.
 
 OSSL_FUNC_encoder_settable_ctx_params() returns a constant B<OSSL_PARAM>
 array describing the parameters that OSSL_FUNC_encoder_set_ctx_params()
diff --git a/doc/man7/provider-kdf.pod b/doc/man7/provider-kdf.pod
index 0b13537e8d..fb9e30a843 100644
--- a/doc/man7/provider-kdf.pod
+++ b/doc/man7/provider-kdf.pod
@@ -127,9 +127,11 @@ provider algorithm and stores them in I<params>.
 OSSL_FUNC_kdf_set_ctx_params() sets KDF parameters associated with the given
 provider side KDF context I<kctx> to I<params>.
 Any parameter settings are additional to any that were previously set.
+Passing NULL for I<params> should return true.
 
 OSSL_FUNC_kdf_get_ctx_params() retrieves gettable parameter values associated
 with the given provider side KDF context I<kctx> and stores them in I<params>.
+Passing NULL for I<params> should return true.
 
 OSSL_FUNC_kdf_gettable_params(), OSSL_FUNC_kdf_gettable_ctx_params(),
 and OSSL_FUNC_kdf_settable_ctx_params() all return constant B<OSSL_PARAM>
diff --git a/doc/man7/provider-kem.pod b/doc/man7/provider-kem.pod
index 7903fb8ca4..3ed9ff11fc 100644
--- a/doc/man7/provider-kem.pod
+++ b/doc/man7/provider-kem.pod
@@ -23,7 +23,8 @@ provider-kem - The kem library E<lt>-E<gt> provider functions
  void *OSSL_FUNC_kem_dupctx(void *ctx);
 
  /* Encapsulation */
- int OSSL_FUNC_kem_encapsulate_init(void *ctx, void *provkey, const char *name);
+ int OSSL_FUNC_kem_encapsulate_init(void *ctx, void *provkey, const char *name,
+                                    const OSSL_PARAM params[]);
  int OSSL_FUNC_kem_encapsulate(void *ctx, unsigned char *out, size_t *outlen,
                                unsigned char *secret, size_t *secretlen);
 
@@ -120,6 +121,8 @@ OSSL_FUNC_kem_encapsulate_init() initialises a context for an asymmetric
 encapsulation given a provider side asymmetric kem context in the I<ctx>
 parameter, a pointer to a provider key object in the I<provkey> parameter and
 the I<name> of the algorithm.
+The I<params>, if not NULL, should be set on the context in a manner similar to
+using OSSL_FUNC_kem_set_ctx_params().
 The key object should have been previously generated, loaded or imported into
 the provider using the key management (OSSL_OP_KEYMGMT) operation (see
 provider-keymgmt(7)>.
@@ -168,9 +171,12 @@ functions.
 OSSL_FUNC_kem_get_ctx_params() gets asymmetric kem parameters associated
 with the given provider side asymmetric kem context I<ctx> and stores them in
 I<params>.
+Passing NULL for I<params> should return true.
+
 OSSL_FUNC_kem_set_ctx_params() sets the asymmetric kem parameters associated
 with the given provider side asymmetric kem context I<ctx> to I<params>.
 Any parameter settings are additional to any that were previously set.
+Passing NULL for I<params> should return true.
 
 No parameters are currently recognised by built-in asymmetric kem algorithms.
 
diff --git a/doc/man7/provider-keyexch.pod b/doc/man7/provider-keyexch.pod
index b353f760bd..0fc36c5da6 100644
--- a/doc/man7/provider-keyexch.pod
+++ b/doc/man7/provider-keyexch.pod
@@ -23,7 +23,8 @@ provider-keyexch - The keyexch library E<lt>-E<gt> provider functions
  void *OSSL_FUNC_keyexch_dupctx(void *ctx);
 
  /* Shared secret derivation */
- int OSSL_FUNC_keyexch_init(void *ctx, void *provkey);
+ int OSSL_FUNC_keyexch_init(void *ctx, void *provkey,
+                            const OSSL_PARAM params[]);
  int OSSL_FUNC_keyexch_set_peer(void *ctx, void *provkey);
  int OSSL_FUNC_keyexch_derive(void *ctx, unsigned char *secret, size_t *secretlen,
                               size_t outlen);
@@ -107,7 +108,10 @@ the I<ctx> parameter and return the duplicate copy.
 
 OSSL_FUNC_keyexch_init() initialises a key exchange operation given a provider side key
 exchange context in the I<ctx> parameter, and a pointer to a provider key object
-in the I<provkey> parameter. The key object should have been previously
+in the I<provkey> parameter.
+The I<params>, if not NULL, should be set on the context in a manner similar to
+using OSSL_FUNC_keyexch_set_params().
+The key object should have been previously
 generated, loaded or imported into the provider using the key management
 (OSSL_OP_KEYMGMT) operation (see provider-keymgmt(7)>.
 
@@ -135,10 +139,12 @@ OSSL_FUNC_keyexch_set_ctx_params() sets key exchange parameters associated with
 given provider side key exchange context I<ctx> to I<params>,
 see L</Common Key Exchange parameters>.
 Any parameter settings are additional to any that were previously set.
+Passing NULL for I<params> should return true.
 
 OSSL_FUNC_keyexch_get_ctx_params() gets key exchange parameters associated with the
 given provider side key exchange context I<ctx> into I<params>,
 see L</Common Key Exchange parameters>.
+Passing NULL for I<params> should return true.
 
 OSSL_FUNC_keyexch_settable_ctx_params() yields a constant B<OSSL_PARAM> array that
 describes the settable parameters, i.e. parameters that can be used with
diff --git a/doc/man7/provider-keymgmt.pod b/doc/man7/provider-keymgmt.pod
index 2156ed9b7f..fa901b2742 100644
--- a/doc/man7/provider-keymgmt.pod
+++ b/doc/man7/provider-keymgmt.pod
@@ -19,7 +19,8 @@ provider-keymgmt - The KEYMGMT library E<lt>-E<gt> provider functions
  void OSSL_FUNC_keymgmt_free(void *keydata);
 
  /* Generation, a more complex constructor */
- void *OSSL_FUNC_keymgmt_gen_init(void *provctx, int selection);
+ void *OSSL_FUNC_keymgmt_gen_init(void *provctx, int selection,
+                                  const OSSL_PARAM params[]);
  int OSSL_FUNC_keymgmt_gen_set_template(void *genctx, void *template);
  int OSSL_FUNC_keymgmt_gen_set_params(void *genctx, const OSSL_PARAM params[]);
  const OSSL_PARAM *OSSL_FUNC_keymgmt_gen_settable_params(void *genctx,
@@ -222,6 +223,8 @@ more elaborate context based key object constructor.
 OSSL_FUNC_keymgmt_gen_init() should create the key object generation context
 and initialize it with I<selections>, which will determine what kind
 of contents the key object to be generated should get.
+The I<params>, if not NULL, should be set on the context in a manner similar to
+using OSSL_FUNC_keymgmt_set_params().
 
 OSSL_FUNC_keymgmt_gen_set_template() should add I<template> to the context
 I<genctx>.  The I<template> is assumed to be a key object constructed
diff --git a/doc/man7/provider-mac.pod b/doc/man7/provider-mac.pod
index 8b4ce93613..82bbdb9aa2 100644
--- a/doc/man7/provider-mac.pod
+++ b/doc/man7/provider-mac.pod
@@ -137,10 +137,12 @@ provider algorithm and stores them in I<params>.
 OSSL_FUNC_mac_set_ctx_params() sets mac parameters associated with the given
 provider side mac context I<mctx> to I<params>.
 Any parameter settings are additional to any that were previously set.
+Passing NULL for I<params> should return true.
 
 OSSL_FUNC_mac_get_ctx_params() gets details of currently set parameter values
 associated with the given provider side mac context I<mctx> and stores them
 in I<params>.
+Passing NULL for I<params> should return true.
 
 OSSL_FUNC_mac_gettable_params(), OSSL_FUNC_mac_gettable_ctx_params(),
 and OSSL_FUNC_mac_settable_ctx_params() all return constant B<OSSL_PARAM>
diff --git a/doc/man7/provider-rand.pod b/doc/man7/provider-rand.pod
index 157f6227e9..be81237610 100644
--- a/doc/man7/provider-rand.pod
+++ b/doc/man7/provider-rand.pod
@@ -160,10 +160,12 @@ provider algorithm and stores them in I<params>.
 OSSL_FUNC_rand_set_ctx_params() sets rand parameters associated with the given
 provider side rand context I<ctx> to I<params>.
 Any parameter settings are additional to any that were previously set.
+Passing NULL for I<params> should return true.
 
 OSSL_FUNC_rand_get_ctx_params() gets details of currently set parameter values
 associated with the given provider side rand context I<ctx> and stores them
 in I<params>.
+Passing NULL for I<params> should return true.
 
 OSSL_FUNC_rand_gettable_params(), OSSL_FUNC_rand_gettable_ctx_params(),
 and OSSL_FUNC_rand_settable_ctx_params() all return constant B<OSSL_PARAM>
diff --git a/doc/man7/provider-signature.pod b/doc/man7/provider-signature.pod
index 0d17d58367..fe8a68b77c 100644
--- a/doc/man7/provider-signature.pod
+++ b/doc/man7/provider-signature.pod
@@ -23,24 +23,28 @@ provider-signature - The signature library E<lt>-E<gt> provider functions
  void *OSSL_FUNC_signature_dupctx(void *ctx);
 
  /* Signing */
- int OSSL_FUNC_signature_sign_init(void *ctx, void *provkey);
+ int OSSL_FUNC_signature_sign_init(void *ctx, void *provkey,
+                                   const OSSL_PARAM params[]);
  int OSSL_FUNC_signature_sign(void *ctx, unsigned char *sig, size_t *siglen,
                               size_t sigsize, const unsigned char *tbs, size_t tbslen);
 
  /* Verifying */
- int OSSL_FUNC_signature_verify_init(void *ctx, void *provkey);
+ int OSSL_FUNC_signature_verify_init(void *ctx, void *provkey,
+                                     const OSSL_PARAM params[]);
  int OSSL_FUNC_signature_verify(void *ctx, const unsigned char *sig, size_t siglen,
                                 const unsigned char *tbs, size_t tbslen);
 
  /* Verify Recover */
- int OSSL_FUNC_signature_verify_recover_init(void *ctx, void *provkey);
+ int OSSL_FUNC_signature_verify_recover_init(void *ctx, void *provkey,
+                                             const OSSL_PARAM params[]);
  int OSSL_FUNC_signature_verify_recover(void *ctx, unsigned char *rout,
                                         size_t *routlen, size_t routsize,
                                         const unsigned char *sig, size_t siglen);
 
  /* Digest Sign */
  int OSSL_FUNC_signature_digest_sign_init(void *ctx, const char *mdname,
-                                          const char *props, void *provkey);
+                                          const char *props, void *provkey,
+                                          const OSSL_PARAM params[]);
  int OSSL_FUNC_signature_digest_sign_update(void *ctx, const unsigned char *data,
                                      size_t datalen);
  int OSSL_FUNC_signature_digest_sign_final(void *ctx, unsigned char *sig,
@@ -52,7 +56,8 @@ provider-signature - The signature library E<lt>-E<gt> provider functions
 
  /* Digest Verify */
  int OSSL_FUNC_signature_digest_verify_init(void *ctx, const char *mdname,
-                                            const char *props, void *provkey);
+                                            const char *props, void *provkey,
+                                            const OSSL_PARAM params[]);
  int OSSL_FUNC_signature_digest_verify_update(void *ctx,
                                               const unsigned char *data,
                                               size_t datalen);
@@ -192,6 +197,8 @@ the I<ctx> parameter and return the duplicate copy.
 OSSL_FUNC_signature_sign_init() initialises a context for signing given a provider side
 signature context in the I<ctx> parameter, and a pointer to a provider key object
 in the I<provkey> parameter.
+The I<params>, if not NULL, should be set on the context in a manner similar to
+using OSSL_FUNC_signature_set_ctx_params().
 The key object should have been previously generated, loaded or imported into
 the provider using the key management (OSSL_OP_KEYMGMT) operation (see
 provider-keymgmt(7)>.
@@ -212,6 +219,8 @@ I<*siglen>.
 OSSL_FUNC_signature_verify_init() initialises a context for verifying a signature given
 a provider side signature context in the I<ctx> parameter, and a pointer to a
 provider key object in the I<provkey> parameter.
+The I<params>, if not NULL, should be set on the context in a manner similar to
+using OSSL_FUNC_signature_set_ctx_params().
 The key object should have been previously generated, loaded or imported into
 the provider using the key management (OSSL_OP_KEYMGMT) operation (see
 provider-keymgmt(7)>.
@@ -228,6 +237,8 @@ long.
 OSSL_FUNC_signature_verify_recover_init() initialises a context for recovering the
 signed data given a provider side signature context in the I<ctx> parameter, and
 a pointer to a provider key object in the I<provkey> parameter.
+The I<params>, if not NULL, should be set on the context in a manner similar to
+using OSSL_FUNC_signature_set_ctx_params().
 The key object should have been previously generated, loaded or imported into
 the provider using the key management (OSSL_OP_KEYMGMT) operation (see
 provider-keymgmt(7)>.
@@ -246,7 +257,11 @@ the I<routlen> parameter.
 
 OSSL_FUNC_signature_digeset_sign_init() initialises a context for signing given a
 provider side signature context in the I<ctx> parameter, and a pointer to a
-provider key object in the I<provkey> parameter. The key object should have been
+provider key object in the I<provkey> parameter.
+The I<params>, if not NULL, should be set on the context in a manner similar to
+using OSSL_FUNC_signature_set_ctx_params() and
+OSSL_FUNC_signature_set_ctx_md_params().
+The key object should have been
 previously generated, loaded or imported into the provider using the
 key management (OSSL_OP_KEYMGMT) operation (see provider-keymgmt(7)>.
 The name of the digest to be used will be in the I<mdname> parameter. There may
@@ -281,7 +296,11 @@ length of the signature should be written to I<*siglen>.
 
 OSSL_FUNC_signature_digeset_verify_init() initialises a context for verifying given a
 provider side verification context in the I<ctx> parameter, and a pointer to a
-provider key object in the I<provkey> parameter. The key object should have been
+provider key object in the I<provkey> parameter.
+The I<params>, if not NULL, should be set on the context in a manner similar to
+OSSL_FUNC_signature_set_ctx_params() and
+OSSL_FUNC_signature_set_ctx_md_params().
+The key object should have been
 previously generated, loaded or imported into the provider using the
 key management (OSSL_OP_KEYMGMT) operation (see provider-keymgmt(7)>.
 The name of the digest to be used will be in the I<mdname> parameter. There may
@@ -313,9 +332,12 @@ the OSSL_FUNC_signature_get_ctx_params() and OSSL_FUNC_signature_set_ctx_params(
 
 OSSL_FUNC_signature_get_ctx_params() gets signature parameters associated with the
 given provider side signature context I<ctx> and stored them in I<params>.
+Passing NULL for I<params> should return true.
+
 OSSL_FUNC_signature_set_ctx_params() sets the signature parameters associated with the
 given provider side signature context I<ctx> to I<params>.
 Any parameter settings are additional to any that were previously set.
+Passing NULL for I<params> should return true.
 
 Common parameters currently recognised by built-in signature algorithms are as
 follows.
@@ -372,9 +394,12 @@ functions.
 
 OSSL_FUNC_signature_get_md_ctx_params() gets digest parameters associated with the
 given provider side digest signature context I<ctx> and stores them in I<params>.
+Passing NULL for I<params> should return true.
+
 OSSL_FUNC_signature_set_ms_ctx_params() sets the digest parameters associated with the
 given provider side digest signature context I<ctx> to I<params>.
 Any parameter settings are additional to any that were previously set.
+Passing NULL for I<params> should return true.
 
 Parameters currently recognised by built-in signature algorithms are the same
 as those for built-in digest algorithms. See
diff --git a/doc/man7/provider-storemgmt.pod b/doc/man7/provider-storemgmt.pod
index 2e5bddc5ec..8b4c7dbe71 100644
--- a/doc/man7/provider-storemgmt.pod
+++ b/doc/man7/provider-storemgmt.pod
@@ -89,6 +89,7 @@ OSSL_FUNC_store_set_ctx_params() should set additional parameters, such as what
 kind of data to expect, search criteria, and so on.  More on those below, in
 L</Load Parameters>.  Whether unrecognised parameters are an error or simply
 ignored is at the implementation's discretion.
+Passing NULL for I<params> should return true.
 
 OSSL_FUNC_store_load() loads the next object from the URI opened by
 OSSL_FUNC_store_open(), creates an object abstraction for it (see
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
index 70cc6fff1c..5dd0db3bae 100644
--- a/include/crypto/evp.h
+++ b/include/crypto/evp.h
@@ -776,7 +776,8 @@ int evp_keymgmt_get_params(const EVP_KEYMGMT *keymgmt,
                            void *keydata, OSSL_PARAM params[]);
 int evp_keymgmt_set_params(const EVP_KEYMGMT *keymgmt,
                            void *keydata, const OSSL_PARAM params[]);
-void *evp_keymgmt_gen_init(const EVP_KEYMGMT *keymgmt, int selection);
+void *evp_keymgmt_gen_init(const EVP_KEYMGMT *keymgmt, int selection,
+                           const OSSL_PARAM params[]);
 int evp_keymgmt_gen_set_template(const EVP_KEYMGMT *keymgmt, void *genctx,
                                  void *template);
 int evp_keymgmt_gen_set_params(const EVP_KEYMGMT *keymgmt, void *genctx,
diff --git a/include/openssl/core_dispatch.h b/include/openssl/core_dispatch.h
index eb71bc5469..214772bc7e 100644
--- a/include/openssl/core_dispatch.h
+++ b/include/openssl/core_dispatch.h
@@ -243,7 +243,7 @@ OSSL_CORE_MAKE_FUNC(int, provider_self_test, (void *provctx))
 # define OSSL_FUNC_DIGEST_GETTABLE_CTX_PARAMS       13
 
 OSSL_CORE_MAKE_FUNC(void *, digest_newctx, (void *provctx))
-OSSL_CORE_MAKE_FUNC(int, digest_init, (void *dctx))
+OSSL_CORE_MAKE_FUNC(int, digest_init, (void *dctx, const OSSL_PARAM params[]))
 OSSL_CORE_MAKE_FUNC(int, digest_update,
                     (void *dctx, const unsigned char *in, size_t inl))
 OSSL_CORE_MAKE_FUNC(int, digest_final,
@@ -290,12 +290,14 @@ OSSL_CORE_MAKE_FUNC(int, cipher_encrypt_init, (void *cctx,
                                                   const unsigned char *key,
                                                   size_t keylen,
                                                   const unsigned char *iv,
-                                                  size_t ivlen))
+                                                  size_t ivlen,
+                                                  const OSSL_PARAM params[]))
 OSSL_CORE_MAKE_FUNC(int, cipher_decrypt_init, (void *cctx,
                                                   const unsigned char *key,
                                                   size_t keylen,
                                                   const unsigned char *iv,
-                                                  size_t ivlen))
+                                                  size_t ivlen,
+                                                  const OSSL_PARAM params[]))
 OSSL_CORE_MAKE_FUNC(int, cipher_update,
                     (void *cctx,
                      unsigned char *out, size_t *outl, size_t outsize,
@@ -524,7 +526,7 @@ OSSL_CORE_MAKE_FUNC(void *, keymgmt_new, (void *provctx))
 # define OSSL_FUNC_KEYMGMT_GEN                         6
 # define OSSL_FUNC_KEYMGMT_GEN_CLEANUP                 7
 OSSL_CORE_MAKE_FUNC(void *, keymgmt_gen_init,
-                    (void *provctx, int selection))
+                    (void *provctx, int selection, const OSSL_PARAM params[]))
 OSSL_CORE_MAKE_FUNC(int, keymgmt_gen_set_template,
                     (void *genctx, void *templ))
 OSSL_CORE_MAKE_FUNC(int, keymgmt_gen_set_params,
@@ -613,7 +615,8 @@ OSSL_CORE_MAKE_FUNC(int, keymgmt_copy,
 # define OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS        10
 
 OSSL_CORE_MAKE_FUNC(void *, keyexch_newctx, (void *provctx))
-OSSL_CORE_MAKE_FUNC(int, keyexch_init, (void *ctx, void *provkey))
+OSSL_CORE_MAKE_FUNC(int, keyexch_init, (void *ctx, void *provkey,
+                                        const OSSL_PARAM params[]))
 OSSL_CORE_MAKE_FUNC(int, keyexch_derive, (void *ctx,  unsigned char *secret,
                                              size_t *secretlen, size_t outlen))
 OSSL_CORE_MAKE_FUNC(int, keyexch_set_peer, (void *ctx, void *provkey))
@@ -658,27 +661,27 @@ OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *, keyexch_gettable_ctx_params,
 
 OSSL_CORE_MAKE_FUNC(void *, signature_newctx, (void *provctx,
                                                   const char *propq))
-OSSL_CORE_MAKE_FUNC(int, signature_sign_init, (void *ctx, void *provkey))
+OSSL_CORE_MAKE_FUNC(int, signature_sign_init, (void *ctx, void *provkey,
+                                               const OSSL_PARAM params[]))
 OSSL_CORE_MAKE_FUNC(int, signature_sign, (void *ctx,  unsigned char *sig,
                                              size_t *siglen, size_t sigsize,
                                              const unsigned char *tbs,
                                              size_t tbslen))
-OSSL_CORE_MAKE_FUNC(int, signature_verify_init, (void *ctx, void *provkey))
+OSSL_CORE_MAKE_FUNC(int, signature_verify_init, (void *ctx, void *provkey,
+                                                 const OSSL_PARAM params[]))
 OSSL_CORE_MAKE_FUNC(int, signature_verify, (void *ctx,
                                                const unsigned char *sig,
                                                size_t siglen,
                                                const unsigned char *tbs,
                                                size_t tbslen))
-OSSL_CORE_MAKE_FUNC(int, signature_verify_recover_init, (void *ctx,
-                                                            void *provkey))
-OSSL_CORE_MAKE_FUNC(int, signature_verify_recover, (void *ctx,
-                                                       unsigned char *rout,
-                                                       size_t *routlen,
-                                                       size_t routsize,
-                                                       const unsigned char *sig,
-                                                       size_t siglen))
+OSSL_CORE_MAKE_FUNC(int, signature_verify_recover_init,
+                    (void *ctx, void *provkey, const OSSL_PARAM params[]))
+OSSL_CORE_MAKE_FUNC(int, signature_verify_recover,
+                    (void *ctx, unsigned char *rout, size_t *routlen,
+                     size_t routsize, const unsigned char *sig, size_t siglen))
 OSSL_CORE_MAKE_FUNC(int, signature_digest_sign_init,
-                    (void *ctx, const char *mdname, void *provkey))
+                    (void *ctx, const char *mdname, void *provkey,
+                     const OSSL_PARAM params[]))
 OSSL_CORE_MAKE_FUNC(int, signature_digest_sign_update,
                     (void *ctx, const unsigned char *data, size_t datalen))
 OSSL_CORE_MAKE_FUNC(int, signature_digest_sign_final,
@@ -688,7 +691,8 @@ OSSL_CORE_MAKE_FUNC(int, signature_digest_sign,
                     (void *ctx, unsigned char *sigret, size_t *siglen,
                      size_t sigsize, const unsigned char *tbs, size_t tbslen))
 OSSL_CORE_MAKE_FUNC(int, signature_digest_verify_init,
-                    (void *ctx, const char *mdname, void *provkey))
+                    (void *ctx, const char *mdname, void *provkey,
+                     const OSSL_PARAM params[]))
 OSSL_CORE_MAKE_FUNC(int, signature_digest_verify_update,
                     (void *ctx, const unsigned char *data, size_t datalen))
 OSSL_CORE_MAKE_FUNC(int, signature_digest_verify_final,
@@ -731,13 +735,15 @@ OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *, signature_settable_ctx_md_params,
 # define OSSL_FUNC_ASYM_CIPHER_SETTABLE_CTX_PARAMS    11
 
 OSSL_CORE_MAKE_FUNC(void *, asym_cipher_newctx, (void *provctx))
-OSSL_CORE_MAKE_FUNC(int, asym_cipher_encrypt_init, (void *ctx, void *provkey))
+OSSL_CORE_MAKE_FUNC(int, asym_cipher_encrypt_init, (void *ctx, void *provkey,
+                                                    const OSSL_PARAM params[]))
 OSSL_CORE_MAKE_FUNC(int, asym_cipher_encrypt, (void *ctx, unsigned char *out,
                                                   size_t *outlen,
                                                   size_t outsize,
                                                   const unsigned char *in,
                                                   size_t inlen))
-OSSL_CORE_MAKE_FUNC(int, asym_cipher_decrypt_init, (void *ctx, void *provkey))
+OSSL_CORE_MAKE_FUNC(int, asym_cipher_decrypt_init, (void *ctx, void *provkey,
+                                                    const OSSL_PARAM params[]))
 OSSL_CORE_MAKE_FUNC(int, asym_cipher_decrypt, (void *ctx, unsigned char *out,
                                                   size_t *outlen,
                                                   size_t outsize,
@@ -768,12 +774,14 @@ OSSL_CORE_MAKE_FUNC(const OSSL_PARAM *, asym_cipher_settable_ctx_params,
 # define OSSL_FUNC_KEM_SETTABLE_CTX_PARAMS    11
 
 OSSL_CORE_MAKE_FUNC(void *, kem_newctx, (void *provctx))
-OSSL_CORE_MAKE_FUNC(int, kem_encapsulate_init, (void *ctx, void *provkey))
+OSSL_CORE_MAKE_FUNC(int, kem_encapsulate_init, (void *ctx, void *provkey,
+                                                const OSSL_PARAM params[]))
 OSSL_CORE_MAKE_FUNC(int, kem_encapsulate, (void *ctx,
                                            unsigned char *out, size_t *outlen,
                                            unsigned char *secret,
                                            size_t *secretlen))
-OSSL_CORE_MAKE_FUNC(int, kem_decapsulate_init, (void *ctx, void *provkey))
+OSSL_CORE_MAKE_FUNC(int, kem_decapsulate_init, (void *ctx, void *provkey,
+                                                const OSSL_PARAM params[]))
 OSSL_CORE_MAKE_FUNC(int, kem_decapsulate, (void *ctx,
                                            unsigned char *out, size_t *outlen,
                                            const unsigned char *in, size_t inlen))
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 9bd8d85a3e..e098bc6887 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -654,6 +654,8 @@ __owur int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in);
 void EVP_MD_CTX_set_flags(EVP_MD_CTX *ctx, int flags);
 void EVP_MD_CTX_clear_flags(EVP_MD_CTX *ctx, int flags);
 int EVP_MD_CTX_test_flags(const EVP_MD_CTX *ctx, int flags);
+__owur int EVP_DigestInit_ex2(EVP_MD_CTX *ctx, const EVP_MD *type,
+                              const OSSL_PARAM params[]);
 __owur int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type,
                                  ENGINE *impl);
 __owur int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d,
@@ -698,6 +700,10 @@ __owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
                                   const EVP_CIPHER *cipher, ENGINE *impl,
                                   const unsigned char *key,
                                   const unsigned char *iv);
+__owur int EVP_EncryptInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
+                               const unsigned char *key,
+                               const unsigned char *iv,
+                               const OSSL_PARAM params[]);
 /*__owur*/ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                  int *outl, const unsigned char *in, int inl);
 /*__owur*/ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out,
@@ -711,6 +717,10 @@ __owur int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
                                   const EVP_CIPHER *cipher, ENGINE *impl,
                                   const unsigned char *key,
                                   const unsigned char *iv);
+__owur int EVP_DecryptInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
+                               const unsigned char *key,
+                               const unsigned char *iv,
+                               const OSSL_PARAM params[]);
 /*__owur*/ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                  int *outl, const unsigned char *in, int inl);
 __owur int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm,
@@ -725,6 +735,9 @@ __owur int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
                                  const EVP_CIPHER *cipher, ENGINE *impl,
                                  const unsigned char *key,
                                  const unsigned char *iv, int enc);
+__owur int EVP_CipherInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
+                              const unsigned char *key, const unsigned char *iv,
+                              int enc, const OSSL_PARAM params[]);
 __owur int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
                             int *outl, const unsigned char *in, int inl);
 __owur int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm,
@@ -754,7 +767,8 @@ __owur int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
 
 int EVP_DigestSignInit_ex(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
                           const char *mdname, OSSL_LIB_CTX *libctx,
-                          const char *props, EVP_PKEY *pkey);
+                          const char *props, EVP_PKEY *pkey,
+                          OSSL_PARAM params[]);
 /*__owur*/ int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
                                   const EVP_MD *type, ENGINE *e,
                                   EVP_PKEY *pkey);
@@ -764,7 +778,8 @@ __owur int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
 
 int EVP_DigestVerifyInit_ex(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
                             const char *mdname, OSSL_LIB_CTX *libctx,
-                            const char *props, EVP_PKEY *pkey);
+                            const char *props, EVP_PKEY *pkey,
+                            OSSL_PARAM params[]);
 __owur int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
                                 const EVP_MD *type, ENGINE *e,
                                 EVP_PKEY *pkey);
@@ -1769,35 +1784,42 @@ const OSSL_PARAM *EVP_KEM_gettable_ctx_params(const EVP_KEM *kem);
 const OSSL_PARAM *EVP_KEM_settable_ctx_params(const EVP_KEM *kem);
 
 int EVP_PKEY_sign_init(EVP_PKEY_CTX *ctx);
+int EVP_PKEY_sign_init_ex(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]);
 int EVP_PKEY_sign(EVP_PKEY_CTX *ctx,
                   unsigned char *sig, size_t *siglen,
                   const unsigned char *tbs, size_t tbslen);
 int EVP_PKEY_verify_init(EVP_PKEY_CTX *ctx);
+int EVP_PKEY_verify_init_ex(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]);
 int EVP_PKEY_verify(EVP_PKEY_CTX *ctx,
                     const unsigned char *sig, size_t siglen,
                     const unsigned char *tbs, size_t tbslen);
 int EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *ctx);
+int EVP_PKEY_verify_recover_init_ex(EVP_PKEY_CTX *ctx,
+                                    const OSSL_PARAM params[]);
 int EVP_PKEY_verify_recover(EVP_PKEY_CTX *ctx,
                             unsigned char *rout, size_t *routlen,
                             const unsigned char *sig, size_t siglen);
 int EVP_PKEY_encrypt_init(EVP_PKEY_CTX *ctx);
+int EVP_PKEY_encrypt_init_ex(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]);
 int EVP_PKEY_encrypt(EVP_PKEY_CTX *ctx,
                      unsigned char *out, size_t *outlen,
                      const unsigned char *in, size_t inlen);
 int EVP_PKEY_decrypt_init(EVP_PKEY_CTX *ctx);
+int EVP_PKEY_decrypt_init_ex(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]);
 int EVP_PKEY_decrypt(EVP_PKEY_CTX *ctx,
                      unsigned char *out, size_t *outlen,
                      const unsigned char *in, size_t inlen);
 
 int EVP_PKEY_derive_init(EVP_PKEY_CTX *ctx);
+int EVP_PKEY_derive_init_ex(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]);
 int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *ctx, EVP_PKEY *peer);
 int EVP_PKEY_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen);
 
-int EVP_PKEY_encapsulate_init(EVP_PKEY_CTX *ctx);
+int EVP_PKEY_encapsulate_init(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]);
 int EVP_PKEY_encapsulate(EVP_PKEY_CTX *ctx,
                          unsigned char *wrappedkey, size_t *wrappedkeylen,
                          unsigned char *genkey, size_t *genkeylen);
-int EVP_PKEY_decapsulate_init(EVP_PKEY_CTX *ctx);
+int EVP_PKEY_decapsulate_init(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]);
 int EVP_PKEY_decapsulate(EVP_PKEY_CTX *ctx,
                          unsigned char *unwrapped, size_t *unwrappedlen,
                          const unsigned char *wrapped, size_t wrappedlen);
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
index 8bf93dc7a2..34ce13dd30 100644
--- a/providers/implementations/asymciphers/rsa_enc.c
+++ b/providers/implementations/asymciphers/rsa_enc.c
@@ -91,7 +91,8 @@ static void *rsa_newctx(void *provctx)
     return prsactx;
 }
 
-static int rsa_init(void *vprsactx, void *vrsa, int operation)
+static int rsa_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[],
+                    int operation)
 {
     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
 
@@ -116,17 +117,19 @@ static int rsa_init(void *vprsactx, void *vrsa, int operation)
         ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
         return 0;
     }
-    return 1;
+    return rsa_set_ctx_params(prsactx, params);
 }
 
-static int rsa_encrypt_init(void *vprsactx, void *vrsa)
+static int rsa_encrypt_init(void *vprsactx, void *vrsa,
+                            const OSSL_PARAM params[])
 {
-    return rsa_init(vprsactx, vrsa, EVP_PKEY_OP_ENCRYPT);
+    return rsa_init(vprsactx, vrsa, params, EVP_PKEY_OP_ENCRYPT);
 }
 
-static int rsa_decrypt_init(void *vprsactx, void *vrsa)
+static int rsa_decrypt_init(void *vprsactx, void *vrsa,
+                            const OSSL_PARAM params[])
 {
-    return rsa_init(vprsactx, vrsa, EVP_PKEY_OP_DECRYPT);
+    return rsa_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECRYPT);
 }
 
 static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
@@ -329,7 +332,7 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
     OSSL_PARAM *p;
 
-    if (prsactx == NULL || params == NULL)
+    if (prsactx == NULL)
         return 0;
 
     p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_PAD_MODE);
@@ -422,8 +425,10 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
     char mdprops[OSSL_MAX_PROPQUERY_SIZE] = { '\0' };
     char *str = mdname;
 
-    if (prsactx == NULL || params == NULL)
+    if (prsactx == NULL)
         return 0;
+    if (params == NULL)
+        return 1;
 
     p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST);
     if (p != NULL) {
diff --git a/providers/implementations/asymciphers/sm2_enc.c b/providers/implementations/asymciphers/sm2_enc.c
index efd87f9d6a..581ca632b2 100644
--- a/providers/implementations/asymciphers/sm2_enc.c
+++ b/providers/implementations/asymciphers/sm2_enc.c
@@ -56,7 +56,7 @@ static void *sm2_newctx(void *provctx)
     return psm2ctx;
 }
 
-static int sm2_init(void *vpsm2ctx, void *vkey)
+static int sm2_init(void *vpsm2ctx, void *vkey, const OSSL_PARAM params[])
 {
     PROV_SM2_CTX *psm2ctx = (PROV_SM2_CTX *)vpsm2ctx;
 
@@ -65,7 +65,7 @@ static int sm2_init(void *vpsm2ctx, void *vkey)
     EC_KEY_free(psm2ctx->key);
     psm2ctx->key = vkey;
 
-    return 1;
+    return sm2_set_ctx_params(psm2ctx, params);
 }
 
 static const EVP_MD *sm2_get_md(PROV_SM2_CTX *psm2ctx)
@@ -156,7 +156,7 @@ static int sm2_get_ctx_params(void *vpsm2ctx, OSSL_PARAM *params)
     PROV_SM2_CTX *psm2ctx = (PROV_SM2_CTX *)vpsm2ctx;
     OSSL_PARAM *p;
 
-    if (vpsm2ctx == NULL || params == NULL)
+    if (vpsm2ctx == NULL)
         return 0;
 
     p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_DIGEST);
@@ -186,8 +186,10 @@ static int sm2_set_ctx_params(void *vpsm2ctx, const OSSL_PARAM params[])
 {
     PROV_SM2_CTX *psm2ctx = (PROV_SM2_CTX *)vpsm2ctx;
 
-    if (psm2ctx == NULL || params == NULL)
+    if (psm2ctx == NULL)
         return 0;
+    if (params == NULL)
+        return 1;
 
     if (!ossl_prov_digest_load_from_params(&psm2ctx->md, params,
                                            psm2ctx->libctx))
diff --git a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c
index b78687ceae..a0eef7c1e5 100644
--- a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c
+++ b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c
@@ -33,6 +33,8 @@ const OSSL_DISPATCH ossl_##nm##kbits##sub##_functions[] = {                    \
 # define AES_CBC_HMAC_SHA_FLAGS (PROV_CIPHER_FLAG_AEAD                         \
                                  | PROV_CIPHER_FLAG_TLS1_MULTIBLOCK)
 
+static OSSL_FUNC_cipher_encrypt_init_fn aes_einit;
+static OSSL_FUNC_cipher_decrypt_init_fn aes_dinit;
 static OSSL_FUNC_cipher_freectx_fn aes_cbc_hmac_sha1_freectx;
 static OSSL_FUNC_cipher_freectx_fn aes_cbc_hmac_sha256_freectx;
 static OSSL_FUNC_cipher_get_ctx_params_fn aes_get_ctx_params;
@@ -40,12 +42,28 @@ static OSSL_FUNC_cipher_gettable_ctx_params_fn aes_gettable_ctx_params;
 static OSSL_FUNC_cipher_set_ctx_params_fn aes_set_ctx_params;
 static OSSL_FUNC_cipher_settable_ctx_params_fn aes_settable_ctx_params;
 # define aes_gettable_params ossl_cipher_generic_gettable_params
-# define aes_einit ossl_cipher_generic_einit
-# define aes_dinit ossl_cipher_generic_dinit
 # define aes_update ossl_cipher_generic_stream_update
 # define aes_final ossl_cipher_generic_stream_final
 # define aes_cipher ossl_cipher_generic_cipher
 
+static int aes_einit(void *ctx, const unsigned char *key, size_t keylen,
+                          const unsigned char *iv, size_t ivlen,
+                          const OSSL_PARAM params[])
+{
+    if (!ossl_cipher_generic_einit(ctx, key, keylen, iv, ivlen, NULL))
+        return 0;
+    return aes_set_ctx_params(ctx, params);
+}
+
+static int aes_dinit(void *ctx, const unsigned char *key, size_t keylen,
+                          const unsigned char *iv, size_t ivlen,
+                          const OSSL_PARAM params[])
+{
+    if (!ossl_cipher_generic_dinit(ctx, key, keylen, iv, ivlen, NULL))
+        return 0;
+    return aes_set_ctx_params(ctx, params);
+}
+
 static const OSSL_PARAM cipher_aes_known_settable_ctx_params[] = {
     OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_MAC_KEY, NULL, 0),
     OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD, NULL, 0),
@@ -76,6 +94,9 @@ static int aes_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param;
 # endif
 
+    if (params == NULL)
+        return 1;
+
     p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_MAC_KEY);
     if (p != NULL) {
         if (p->data_type != OSSL_PARAM_OCTET_STRING) {
diff --git a/providers/implementations/ciphers/cipher_aes_cts.inc b/providers/implementations/ciphers/cipher_aes_cts.inc
index fbd66eb257..2a3b88b2c0 100644
--- a/providers/implementations/ciphers/cipher_aes_cts.inc
+++ b/providers/implementations/ciphers/cipher_aes_cts.inc
@@ -14,6 +14,8 @@
 
 #define AES_CTS_FLAGS PROV_CIPHER_FLAG_CTS
 
+static OSSL_FUNC_cipher_encrypt_init_fn aes_cbc_cts_einit;
+static OSSL_FUNC_cipher_decrypt_init_fn aes_cbc_cts_dinit;
 static OSSL_FUNC_cipher_get_ctx_params_fn aes_cbc_cts_get_ctx_params;
 static OSSL_FUNC_cipher_set_ctx_params_fn aes_cbc_cts_set_ctx_params;
 static OSSL_FUNC_cipher_gettable_ctx_params_fn aes_cbc_cts_gettable_ctx_params;
@@ -23,6 +25,24 @@ CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_START(aes_cbc_cts)
 OSSL_PARAM_utf8_string(OSSL_CIPHER_PARAM_CTS_MODE, NULL, 0),
 CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_END(aes_cbc_cts)
 
+static int aes_cbc_cts_einit(void *ctx, const unsigned char *key, size_t keylen,
+                             const unsigned char *iv, size_t ivlen,
+                             const OSSL_PARAM params[])
+{
+    if (!ossl_cipher_generic_einit(ctx, key, keylen, iv, ivlen, NULL))
+        return 0;
+    return aes_cbc_cts_set_ctx_params(ctx, params);
+}
+
+static int aes_cbc_cts_dinit(void *ctx, const unsigned char *key, size_t keylen,
+                             const unsigned char *iv, size_t ivlen,
+                             const OSSL_PARAM params[])
+{
+    if (!ossl_cipher_generic_dinit(ctx, key, keylen, iv, ivlen, NULL))
+        return 0;
+    return aes_cbc_cts_set_ctx_params(ctx, params);
+}
+
 static int aes_cbc_cts_get_ctx_params(void *vctx, OSSL_PARAM params[])
 {
     PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
@@ -80,8 +100,8 @@ const OSSL_DISPATCH ossl_##alg##kbits##lcmode##_cts_functions[] = {            \
       (void (*)(void)) alg##_##kbits##_##lcmode##_newctx },                    \
     { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void)) alg##_freectx },              \
     { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void)) alg##_dupctx },                \
-    { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))ossl_cipher_generic_einit }, \
-    { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))ossl_cipher_generic_dinit }, \
+    { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))aes_cbc_cts_einit },      \
+    { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))aes_cbc_cts_dinit },      \
     { OSSL_FUNC_CIPHER_UPDATE,                                                 \
       (void (*)(void)) ossl_##alg##_##lcmode##_cts_block_update },             \
     { OSSL_FUNC_CIPHER_FINAL,                                                  \
diff --git a/providers/implementations/ciphers/cipher_aes_ocb.c b/providers/implementations/ciphers/cipher_aes_ocb.c
index 627f146273..ce377ad574 100644
--- a/providers/implementations/ciphers/cipher_aes_ocb.c
+++ b/providers/implementations/ciphers/cipher_aes_ocb.c
@@ -102,7 +102,8 @@ static ossl_inline int aes_generic_ocb_copy_ctx(PROV_AES_OCB_CTX *dst,
  * Provider dispatch functions
  */
 static int aes_ocb_init(void *vctx, const unsigned char *key, size_t keylen,
-                        const unsigned char *iv, size_t ivlen, int enc)
+                        const unsigned char *iv, size_t ivlen,
+                        const OSSL_PARAM params[], int enc)
 {
     PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
 
@@ -131,21 +132,24 @@ static int aes_ocb_init(void *vctx, const unsigned char *key, size_t keylen,
             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
             return 0;
         }
-        return ctx->base.hw->init(&ctx->base, key, keylen);
+        if (!ctx->base.hw->init(&ctx->base, key, keylen))
+            return 0;
     }
-    return 1;
+    return aes_ocb_set_ctx_params(ctx, params);
 }
 
 static int aes_ocb_einit(void *vctx, const unsigned char *key, size_t keylen,
-                         const unsigned char *iv, size_t ivlen)
+                         const unsigned char *iv, size_t ivlen,
+                         const OSSL_PARAM params[])
 {
-    return aes_ocb_init(vctx, key, keylen, iv, ivlen, 1);
+    return aes_ocb_init(vctx, key, keylen, iv, ivlen, params, 1);
 }
 
 static int aes_ocb_dinit(void *vctx, const unsigned char *key, size_t keylen,
-                         const unsigned char *iv, size_t ivlen)
+                         const unsigned char *iv, size_t ivlen,
+                         const OSSL_PARAM params[])
 {
-    return aes_ocb_init(vctx, key, keylen, iv, ivlen, 0);
+    return aes_ocb_init(vctx, key, keylen, iv, ivlen, params, 0);
 }
 
 /*
@@ -354,6 +358,9 @@ static int aes_ocb_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     const OSSL_PARAM *p;
     size_t sz;
 
+    if (params == NULL)
+        return 1;
+
     p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG);
     if (p != NULL) {
         if (p->data_type != OSSL_PARAM_OCTET_STRING) {
diff --git a/providers/implementations/ciphers/cipher_aes_siv.c b/providers/implementations/ciphers/cipher_aes_siv.c
index 9a75f6f5b7..dd3346a81c 100644
--- a/providers/implementations/ciphers/cipher_aes_siv.c
+++ b/providers/implementations/ciphers/cipher_aes_siv.c
@@ -25,6 +25,8 @@
 #define siv_stream_update siv_cipher
 #define SIV_FLAGS AEAD_FLAGS
 
+static OSSL_FUNC_cipher_set_ctx_params_fn aes_siv_set_ctx_params;
+
 static void *aes_siv_newctx(void *provctx, size_t keybits, unsigned int mode,
                             uint64_t flags)
 {
@@ -75,7 +77,8 @@ static void *siv_dupctx(void *vctx)
 }
 
 static int siv_init(void *vctx, const unsigned char *key, size_t keylen,
-                    const unsigned char *iv, size_t ivlen, int enc)
+                    const unsigned char *iv, size_t ivlen,
+                    const OSSL_PARAM params[], int enc)
 {
     PROV_AES_SIV_CTX *ctx = (PROV_AES_SIV_CTX *)vctx;
 
@@ -89,21 +92,24 @@ static int siv_init(void *vctx, const unsigned char *key, size_t keylen,
             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
             return 0;
         }
-        return ctx->hw->initkey(ctx, key, ctx->keylen);
+        if (!ctx->hw->initkey(ctx, key, ctx->keylen))
+            return 0;
     }
-    return 1;
+    return aes_siv_set_ctx_params(ctx, params);
 }
 
 static int siv_einit(void *vctx, const unsigned char *key, size_t keylen,
-                     const unsigned char *iv, size_t ivlen)
+                     const unsigned char *iv, size_t ivlen,
+                     const OSSL_PARAM params[])
 {
-    return siv_init(vctx, key, keylen, iv, ivlen, 1);
+    return siv_init(vctx, key, keylen, iv, ivlen, params, 1);
 }
 
 static int siv_dinit(void *vctx, const unsigned char *key, size_t keylen,
-                     const unsigned char *iv, size_t ivlen)
+                     const unsigned char *iv, size_t ivlen,
+                     const OSSL_PARAM params[])
 {
-    return siv_init(vctx, key, keylen, iv, ivlen, 0);
+    return siv_init(vctx, key, keylen, iv, ivlen, params, 0);
 }
 
 static int siv_cipher(void *vctx, unsigned char *out, size_t *outl,
@@ -195,6 +201,9 @@ static int aes_siv_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     const OSSL_PARAM *p;
     unsigned int speed = 0;
 
+    if (params == NULL)
+        return 1;
+
     p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG);
     if (p != NULL) {
         if (ctx->enc)
diff --git a/providers/implementations/ciphers/cipher_aes_wrp.c b/providers/implementations/ciphers/cipher_aes_wrp.c
index 4428ff0552..f797db4596 100644
--- a/providers/implementations/ciphers/cipher_aes_wrp.c
+++ b/providers/implementations/ciphers/cipher_aes_wrp.c
@@ -34,6 +34,7 @@ static OSSL_FUNC_cipher_decrypt_init_fn aes_wrap_dinit;
 static OSSL_FUNC_cipher_update_fn aes_wrap_cipher;
 static OSSL_FUNC_cipher_final_fn aes_wrap_final;
 static OSSL_FUNC_cipher_freectx_fn aes_wrap_freectx;
+static OSSL_FUNC_cipher_set_ctx_params_fn aes_wrap_set_ctx_params;
 
 typedef struct prov_aes_wrap_ctx_st {
     PROV_CIPHER_CTX base;
@@ -75,7 +76,7 @@ static void aes_wrap_freectx(void *vctx)
 
 static int aes_wrap_init(void *vctx, const unsigned char *key,
                          size_t keylen, const unsigned char *iv,
-                         size_t ivlen, int enc)
+                         size_t ivlen, const OSSL_PARAM params[], int enc)
 {
     PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
     PROV_AES_WRAP_CTX *wctx = (PROV_AES_WRAP_CTX *)vctx;
@@ -121,19 +122,21 @@ static int aes_wrap_init(void *vctx, const unsigned char *key,
             ctx->block = (block128_f)AES_decrypt;
         }
     }
-    return 1;
+    return aes_wrap_set_ctx_params(ctx, params);
 }
 
 static int aes_wrap_einit(void *ctx, const unsigned char *key, size_t keylen,
-                          const unsigned char *iv, size_t ivlen)
+                          const unsigned char *iv, size_t ivlen,
+                          const OSSL_PARAM params[])
 {
-    return aes_wrap_init(ctx, key, keylen, iv, ivlen, 1);
+    return aes_wrap_init(ctx, key, keylen, iv, ivlen, params, 1);
 }
 
 static int aes_wrap_dinit(void *ctx, const unsigned char *key, size_t keylen,
-                          const unsigned char *iv, size_t ivlen)
+                          const unsigned char *iv, size_t ivlen,
+                          const OSSL_PARAM params[])
 {
-    return aes_wrap_init(ctx, key, keylen, iv, ivlen, 0);
+    return aes_wrap_init(ctx, key, keylen, iv, ivlen, params, 0);
 }
 
 static int aes_wrap_cipher_internal(void *vctx, unsigned char *out,
@@ -226,6 +229,9 @@ static int aes_wrap_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     const OSSL_PARAM *p;
     size_t keylen = 0;
 
+    if (params == NULL)
+        return 1;
+
     p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
     if (p != NULL) {
         if (!OSSL_PARAM_get_size_t(p, &keylen)) {
diff --git a/providers/implementations/ciphers/cipher_aes_xts.c b/providers/implementations/ciphers/cipher_aes_xts.c
index 13552b2a76..5cfb22778e 100644
--- a/providers/implementations/ciphers/cipher_aes_xts.c
+++ b/providers/implementations/ciphers/cipher_aes_xts.c
@@ -66,7 +66,8 @@ static int aes_xts_check_keys_differ(const unsigned char *key, size_t bytes,
  * Provider dispatch functions
  */
 static int aes_xts_init(void *vctx, const unsigned char *key, size_t keylen,
-                        const unsigned char *iv, size_t ivlen, int enc)
+                        const unsigned char *iv, size_t ivlen,
+                        const OSSL_PARAM params[], int enc)
 {
     PROV_AES_XTS_CTX *xctx = (PROV_AES_XTS_CTX *)vctx;
     PROV_CIPHER_CTX *ctx = &xctx->base;
@@ -87,21 +88,24 @@ static int aes_xts_init(void *vctx, const unsigned char *key, size_t keylen,
         }
         if (!aes_xts_check_keys_differ(key, keylen / 2, enc))
             return 0;
-        return ctx->hw->init(ctx, key, keylen);
+        if (!ctx->hw->init(ctx, key, keylen))
+            return 0;
     }
-    return 1;
+    return aes_xts_set_ctx_params(ctx, params);
 }
 
 static int aes_xts_einit(void *vctx, const unsigned char *key, size_t keylen,
-                         const unsigned char *iv, size_t ivlen)
+                         const unsigned char *iv, size_t ivlen,
+                         const OSSL_PARAM params[])
 {
-    return aes_xts_init(vctx, key, keylen, iv, ivlen, 1);
+    return aes_xts_init(vctx, key, keylen, iv, ivlen, params, 1);
 }
 
 static int aes_xts_dinit(void *vctx, const unsigned char *key, size_t keylen,
-                         const unsigned char *iv, size_t ivlen)
+                         const unsigned char *iv, size_t ivlen,
+                         const OSSL_PARAM params[])
 {
-    return aes_xts_init(vctx, key, keylen, iv, ivlen, 0);
+    return aes_xts_init(vctx, key, keylen, iv, ivlen, params, 0);
 }
 
 static void *aes_xts_newctx(void *provctx, unsigned int mode, uint64_t flags,
@@ -229,6 +233,9 @@ static int aes_xts_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
     const OSSL_PARAM *p;
 
+    if (params == NULL)
+        return 1;
+
     p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
     if (p != NULL) {
         size_t keylen;
diff --git a/providers/implementations/ciphers/cipher_chacha20.c b/providers/implementations/ciphers/cipher_chacha20.c
index 9bce5b0914..386c865d83 100644
--- a/providers/implementations/ciphers/cipher_chacha20.c
+++ b/providers/implementations/ciphers/cipher_chacha20.c
@@ -106,6 +106,9 @@ static int chacha20_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     const OSSL_PARAM *p;
     size_t len;
 
+    if (params == NULL)
+        return 1;
+
     p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
     if (p != NULL) {
         if (!OSSL_PARAM_get_size_t(p, &len)) {
@@ -143,34 +146,40 @@ const OSSL_PARAM *chacha20_settable_ctx_params(ossl_unused void *cctx,
 }
 
 int ossl_chacha20_einit(void *vctx, const unsigned char *key, size_t keylen,
-                        const unsigned char *iv, size_t ivlen)
+                        const unsigned char *iv, size_t ivlen,
+                        const OSSL_PARAM params[])
 {
     int ret;
 
     /* The generic function checks for ossl_prov_is_running() */
-    ret= ossl_cipher_generic_einit(vctx, key, keylen, iv, ivlen);
+    ret = ossl_cipher_generic_einit(vctx, key, keylen, iv, ivlen, NULL);
     if (ret && iv != NULL) {
         PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
         PROV_CIPHER_HW_CHACHA20 *hw = (PROV_CIPHER_HW_CHACHA20 *)ctx->hw;
 
         hw->initiv(ctx);
     }
+    if (ret && !chacha20_set_ctx_params(vctx, params))
+        ret = 0;
     return ret;
 }
 
 int ossl_chacha20_dinit(void *vctx, const unsigned char *key, size_t keylen,
-                        const unsigned char *iv, size_t ivlen)
+                        const unsigned char *iv, size_t ivlen,
+                        const OSSL_PARAM params[])
 {
     int ret;
 
     /* The generic function checks for ossl_prov_is_running() */
-    ret= ossl_cipher_generic_dinit(vctx, key, keylen, iv, ivlen);
+    ret = ossl_cipher_generic_dinit(vctx, key, keylen, iv, ivlen, NULL);
     if (ret && iv != NULL) {
         PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
         PROV_CIPHER_HW_CHACHA20 *hw = (PROV_CIPHER_HW_CHACHA20 *)ctx->hw;
 
         hw->initiv(ctx);
     }
+    if (ret && !chacha20_set_ctx_params(vctx, params))
+        ret = 0;
     return ret;
 }
 
diff --git a/providers/implementations/ciphers/cipher_chacha20_poly1305.c b/providers/implementations/ciphers/cipher_chacha20_poly1305.c
index 78ede20b44..0ba7483780 100644
--- a/providers/implementations/ciphers/cipher_chacha20_poly1305.c
+++ b/providers/implementations/ciphers/cipher_chacha20_poly1305.c
@@ -149,6 +149,9 @@ static int chacha20_poly1305_set_ctx_params(void *vctx,
     PROV_CIPHER_HW_CHACHA20_POLY1305 *hw =
         (PROV_CIPHER_HW_CHACHA20_POLY1305 *)ctx->base.hw;
 
+    if (params == NULL)
+        return 1;
+
     p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
     if (p != NULL) {
         if (!OSSL_PARAM_get_size_t(p, &len)) {
@@ -224,12 +227,12 @@ static int chacha20_poly1305_set_ctx_params(void *vctx,
 
 static int chacha20_poly1305_einit(void *vctx, const unsigned char *key,
                                   size_t keylen, const unsigned char *iv,
-                                  size_t ivlen)
+                                  size_t ivlen, const OSSL_PARAM params[])
 {
     int ret;
 
     /* The generic function checks for ossl_prov_is_running() */
-    ret = ossl_cipher_generic_einit(vctx, key, keylen, iv, ivlen);
+    ret = ossl_cipher_generic_einit(vctx, key, keylen, iv, ivlen, NULL);
     if (ret && iv != NULL) {
         PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
         PROV_CIPHER_HW_CHACHA20_POLY1305 *hw =
@@ -237,17 +240,19 @@ static int chacha20_poly1305_einit(void *vctx, const unsigned char *key,
 
         hw->initiv(ctx);
     }
+    if (ret && !chacha20_poly1305_set_ctx_params(vctx, params))
+        ret = 0;
     return ret;
 }
 
 static int chacha20_poly1305_dinit(void *vctx, const unsigned char *key,
                                   size_t keylen, const unsigned char *iv,
-                                  size_t ivlen)
+                                  size_t ivlen, const OSSL_PARAM params[])
 {
     int ret;
 
     /* The generic function checks for ossl_prov_is_running() */
-    ret = ossl_cipher_generic_dinit(vctx, key, keylen, iv, ivlen);
+    ret = ossl_cipher_generic_dinit(vctx, key, keylen, iv, ivlen, NULL);
     if (ret && iv != NULL) {
         PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
         PROV_CIPHER_HW_CHACHA20_POLY1305 *hw =
@@ -255,6 +260,8 @@ static int chacha20_poly1305_dinit(void *vctx, const unsigned char *key,
 
         hw->initiv(ctx);
     }
+    if (ret && !chacha20_poly1305_set_ctx_params(vctx, params))
+        ret = 0;
     return ret;
 }
 
diff --git a/providers/implementations/ciphers/cipher_chacha20_poly1305_hw.c b/providers/implementations/ciphers/cipher_chacha20_poly1305_hw.c
index 4e4165868e..1533a3869b 100644
--- a/providers/implementations/ciphers/cipher_chacha20_poly1305_hw.c
+++ b/providers/implementations/ciphers/cipher_chacha20_poly1305_hw.c
@@ -68,9 +68,9 @@ static int chacha20_poly1305_initkey(PROV_CIPHER_CTX *bctx,
     ctx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
 
     if (bctx->enc)
-        return ossl_chacha20_einit(&ctx->chacha, key, keylen, NULL, 0);
+        return ossl_chacha20_einit(&ctx->chacha, key, keylen, NULL, 0, NULL);
     else
-        return ossl_chacha20_dinit(&ctx->chacha, key, keylen, NULL, 0);
+        return ossl_chacha20_dinit(&ctx->chacha, key, keylen, NULL, 0, NULL);
 }
 
 static int chacha20_poly1305_initiv(PROV_CIPHER_CTX *bctx)
@@ -92,10 +92,10 @@ static int chacha20_poly1305_initiv(PROV_CIPHER_CTX *bctx)
 
         if (bctx->enc)
             ret = ossl_chacha20_einit(&ctx->chacha, NULL, 0,
-                                      tempiv, sizeof(tempiv));
+                                      tempiv, sizeof(tempiv), NULL);
         else
             ret = ossl_chacha20_dinit(&ctx->chacha, NULL, 0,
-                                      tempiv, sizeof(tempiv));
+                                      tempiv, sizeof(tempiv), NULL);
         ctx->nonce[0] = ctx->chacha.counter[1];
         ctx->nonce[1] = ctx->chacha.counter[2];
         ctx->nonce[2] = ctx->chacha.counter[3];
diff --git a/providers/implementations/ciphers/cipher_des.c b/providers/implementations/ciphers/cipher_des.c
index 32cab17b3e..9010ce9099 100644
--- a/providers/implementations/ciphers/cipher_des.c
+++ b/providers/implementations/ciphers/cipher_des.c
@@ -71,7 +71,8 @@ static void des_freectx(void *vctx)
 }
 
 static int des_init(void *vctx, const unsigned char *key, size_t keylen,
-                    const unsigned char *iv, size_t ivlen, int enc)
+                    const unsigned char *iv, size_t ivlen,
+                    const OSSL_PARAM params[], int enc)
 {
     PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
 
@@ -92,21 +93,24 @@ static int des_init(void *vctx, const unsigned char *key, size_t keylen,
             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
             return 0;
         }
-        return ctx->hw->init(ctx, key, keylen);
+        if (!ctx->hw->init(ctx, key, keylen))
+            return 0;
     }
-    return 1;
+    return ossl_cipher_generic_set_ctx_params(ctx, params);
 }
 
 static int des_einit(void *vctx, const unsigned char *key, size_t keylen,
-                     const unsigned char *iv, size_t ivlen)
+                     const unsigned char *iv, size_t ivlen,
+                     const OSSL_PARAM params[])
 {
-    return des_init(vctx, key, keylen, iv, ivlen, 1);
+    return des_init(vctx, key, keylen, iv, ivlen, params, 1);
 }
 
 static int des_dinit(void *vctx, const unsigned char *key, size_t keylen,
-                     const unsigned char *iv, size_t ivlen)
+                     const unsigned char *iv, size_t ivlen,
+                     const OSSL_PARAM params[])
 {
-    return des_init(vctx, key, keylen, iv, ivlen, 0);
+    return des_init(vctx, key, keylen, iv, ivlen, params, 0);
 }
 
 static int des_generatekey(PROV_CIPHER_CTX *ctx, void *ptr)
diff --git a/providers/implementations/ciphers/cipher_null.c b/providers/implementations/ciphers/cipher_null.c
index 00c97aad7a..0df97a7f8b 100644
--- a/providers/implementations/ciphers/cipher_null.c
+++ b/providers/implementations/ciphers/cipher_null.c
@@ -38,7 +38,8 @@ static void null_freectx(void *vctx)
 
 static OSSL_FUNC_cipher_encrypt_init_fn null_einit;
 static int null_einit(void *vctx, const unsigned char *key, size_t keylen,
-                      const unsigned char *iv, size_t ivlen)
+                      const unsigned char *iv, size_t ivlen,
+                      const OSSL_PARAM params[])
 {
     PROV_CIPHER_NULL_CTX *ctx = (PROV_CIPHER_NULL_CTX *)vctx;
 
@@ -51,7 +52,8 @@ static int null_einit(void *vctx, const unsigned char *key, size_t keylen,
 
 static OSSL_FUNC_cipher_decrypt_init_fn null_dinit;
 static int null_dinit(void *vctx, const unsigned char *key, size_t keylen,
-                      const unsigned char *iv, size_t ivlen)
+                      const unsigned char *iv, size_t ivlen,
+                      const OSSL_PARAM params[])
 {
     if (!ossl_prov_is_running())
         return 0;
diff --git a/providers/implementations/ciphers/cipher_rc2.c b/providers/implementations/ciphers/cipher_rc2.c
index d78b044247..f8a18462af 100644
--- a/providers/implementations/ciphers/cipher_rc2.c
+++ b/providers/implementations/ciphers/cipher_rc2.c
@@ -25,10 +25,13 @@
 #define RC2_128_MAGIC   0x3a
 #define RC2_FLAGS       PROV_CIPHER_FLAG_VARIABLE_LENGTH
 
+static OSSL_FUNC_cipher_encrypt_init_fn rc2_einit;
+static OSSL_FUNC_cipher_decrypt_init_fn rc2_dinit;
 static OSSL_FUNC_cipher_freectx_fn rc2_freectx;
 static OSSL_FUNC_cipher_dupctx_fn rc2_dupctx;
 static OSSL_FUNC_cipher_gettable_ctx_params_fn rc2_gettable_ctx_params;
 static OSSL_FUNC_cipher_settable_ctx_params_fn rc2_settable_ctx_params;
+static OSSL_FUNC_cipher_set_ctx_params_fn rc2_set_ctx_params;
 
 static void rc2_freectx(void *vctx)
 {
@@ -84,6 +87,24 @@ static int rc2_magic_to_keybits(int magic)
     return 0;
 }
 
+static int rc2_einit(void *ctx, const unsigned char *key, size_t keylen,
+                          const unsigned char *iv, size_t ivlen,
+                          const OSSL_PARAM params[])
+{
+    if (!ossl_cipher_generic_einit(ctx, key, keylen, iv, ivlen, NULL))
+        return 0;
+    return rc2_set_ctx_params(ctx, params);
+}
+
+static int rc2_dinit(void *ctx, const unsigned char *key, size_t keylen,
+                          const unsigned char *iv, size_t ivlen,
+                          const OSSL_PARAM params[])
+{
+    if (!ossl_cipher_generic_dinit(ctx, key, keylen, iv, ivlen, NULL))
+        return 0;
+    return rc2_set_ctx_params(ctx, params);
+}
+
 static int rc2_get_ctx_params(void *vctx, OSSL_PARAM params[])
 {
     PROV_RC2_CTX *ctx = (PROV_RC2_CTX *)vctx;
@@ -138,11 +159,14 @@ static int rc2_get_ctx_params(void *vctx, OSSL_PARAM params[])
     return 1;
 }
 
-static int rc2_set_ctx_params(void *vctx, OSSL_PARAM params[])
+static int rc2_set_ctx_params(void *vctx, const OSSL_PARAM params[])
 {
     PROV_RC2_CTX *ctx = (PROV_RC2_CTX *)vctx;
     const OSSL_PARAM *p;
 
+    if (params == NULL)
+        return 1;
+
     if (!ossl_cipher_var_keylen_set_ctx_params(vctx, params))
         return 0;
     p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_RC2_KEYBITS);
@@ -152,7 +176,7 @@ static int rc2_set_ctx_params(void *vctx, OSSL_PARAM params[])
             return 0;
         }
     }
-    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_ALG_ID);
+    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_ALG_ID);
     if (p != NULL) {
         ASN1_TYPE *type = NULL;
         long num = 0;
@@ -222,8 +246,8 @@ const OSSL_DISPATCH ossl_##alg##kbits##lcmode##_functions[] = {                \
       (void (*)(void)) alg##_##kbits##_##lcmode##_newctx },                    \
     { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void)) alg##_freectx },              \
     { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void)) alg##_dupctx },                \
-    { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))ossl_cipher_generic_einit }, \
-    { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))ossl_cipher_generic_dinit }, \
+    { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))rc2_einit },              \
+    { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))rc2_dinit },              \
     { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))ossl_cipher_generic_##typ##_update },\
     { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))ossl_cipher_generic_##typ##_final },  \
     { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))ossl_cipher_generic_cipher },   \
diff --git a/providers/implementations/ciphers/cipher_rc4.c b/providers/implementations/ciphers/cipher_rc4.c
index 98937c0044..a548beafaf 100644
--- a/providers/implementations/ciphers/cipher_rc4.c
+++ b/providers/implementations/ciphers/cipher_rc4.c
@@ -21,6 +21,8 @@
 
 #define RC4_FLAGS PROV_CIPHER_FLAG_VARIABLE_LENGTH
 
+static OSSL_FUNC_cipher_encrypt_init_fn rc4_einit;
+static OSSL_FUNC_cipher_decrypt_init_fn rc4_dinit;
 static OSSL_FUNC_cipher_freectx_fn rc4_freectx;
 static OSSL_FUNC_cipher_dupctx_fn rc4_dupctx;
 
@@ -50,6 +52,24 @@ static void *rc4_dupctx(void *ctx)
     return ret;
 }
 
+static int rc4_einit(void *ctx, const unsigned char *key, size_t keylen,
+                          const unsigned char *iv, size_t ivlen,
+                          const OSSL_PARAM params[])
+{
+    if (!ossl_cipher_generic_einit(ctx, key, keylen, iv, ivlen, NULL))
+        return 0;
+    return ossl_cipher_var_keylen_set_ctx_params(ctx, params);
+}
+
+static int rc4_dinit(void *ctx, const unsigned char *key, size_t keylen,
+                          const unsigned char *iv, size_t ivlen,
+                          const OSSL_PARAM params[])
+{
+    if (!ossl_cipher_generic_dinit(ctx, key, keylen, iv, ivlen, NULL))
+        return 0;
+    return ossl_cipher_var_keylen_set_ctx_params(ctx, params);
+}
+
 #define IMPLEMENT_cipher(alg, UCALG, flags, kbits, blkbits, ivbits, typ)       \
 static OSSL_FUNC_cipher_get_params_fn alg##_##kbits##_get_params;              \
 static int alg##_##kbits##_get_params(OSSL_PARAM params[])                     \
@@ -75,8 +95,8 @@ const OSSL_DISPATCH ossl_##alg##kbits##_functions[] = {                        \
       (void (*)(void)) alg##_##kbits##_newctx },                               \
     { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void)) alg##_freectx },              \
     { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void)) alg##_dupctx },                \
-    { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))ossl_cipher_generic_einit }, \
-    { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))ossl_cipher_generic_dinit }, \
+    { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))rc4_einit },              \
+    { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))rc4_dinit },              \
     { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))ossl_cipher_generic_##typ##_update },\
     { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))ossl_cipher_generic_##typ##_final },  \
     { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))ossl_cipher_generic_cipher },   \
diff --git a/providers/implementations/ciphers/cipher_rc4_hmac_md5.c b/providers/implementations/ciphers/cipher_rc4_hmac_md5.c
index 533820cd80..b915122a39 100644
--- a/providers/implementations/ciphers/cipher_rc4_hmac_md5.c
+++ b/providers/implementations/ciphers/cipher_rc4_hmac_md5.c
@@ -30,6 +30,8 @@
 
 #define GET_HW(ctx) ((PROV_CIPHER_HW_RC4_HMAC_MD5 *)ctx->base.hw)
 
+static OSSL_FUNC_cipher_encrypt_init_fn rc4_hmac_md5_einit;
+static OSSL_FUNC_cipher_decrypt_init_fn rc4_hmac_md5_dinit;
 static OSSL_FUNC_cipher_newctx_fn rc4_hmac_md5_newctx;
 static OSSL_FUNC_cipher_freectx_fn rc4_hmac_md5_freectx;
 static OSSL_FUNC_cipher_get_ctx_params_fn rc4_hmac_md5_get_ctx_params;
@@ -38,8 +40,6 @@ static OSSL_FUNC_cipher_set_ctx_params_fn rc4_hmac_md5_set_ctx_params;
 static OSSL_FUNC_cipher_settable_ctx_params_fn rc4_hmac_md5_settable_ctx_params;
 static OSSL_FUNC_cipher_get_params_fn rc4_hmac_md5_get_params;
 #define rc4_hmac_md5_gettable_params ossl_cipher_generic_gettable_params
-#define rc4_hmac_md5_einit ossl_cipher_generic_einit
-#define rc4_hmac_md5_dinit ossl_cipher_generic_dinit
 #define rc4_hmac_md5_update ossl_cipher_generic_stream_update
 #define rc4_hmac_md5_final ossl_cipher_generic_stream_final
 #define rc4_hmac_md5_cipher ossl_cipher_generic_cipher
@@ -71,6 +71,24 @@ static void rc4_hmac_md5_freectx(void *vctx)
     OPENSSL_clear_free(ctx,  sizeof(*ctx));
 }
 
+static int rc4_hmac_md5_einit(void *ctx, const unsigned char *key,
+                              size_t keylen, const unsigned char *iv,
+                              size_t ivlen, const OSSL_PARAM params[])
+{
+    if (!ossl_cipher_generic_einit(ctx, key, keylen, iv, ivlen, NULL))
+        return 0;
+    return rc4_hmac_md5_set_ctx_params(ctx, params);
+}
+
+static int rc4_hmac_md5_dinit(void *ctx, const unsigned char *key,
+                              size_t keylen, const unsigned char *iv,
+                              size_t ivlen, const OSSL_PARAM params[])
+{
+    if (!ossl_cipher_generic_dinit(ctx, key, keylen, iv, ivlen, NULL))
+        return 0;
+    return rc4_hmac_md5_set_ctx_params(ctx, params);
+}
+
 static const OSSL_PARAM rc4_hmac_md5_known_gettable_ctx_params[] = {
     OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL),
     OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_IVLEN, NULL),
@@ -125,6 +143,9 @@ static int rc4_hmac_md5_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     const OSSL_PARAM *p;
     size_t sz;
 
+    if (params == NULL)
+        return 1;
+
     p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
     if (p != NULL) {
         if (!OSSL_PARAM_get_size_t(p, &sz)) {
diff --git a/providers/implementations/ciphers/cipher_rc5.c b/providers/implementations/ciphers/cipher_rc5.c
index 0d6f87ed63..5c7d2b1721 100644
--- a/providers/implementations/ciphers/cipher_rc5.c
+++ b/providers/implementations/ciphers/cipher_rc5.c
@@ -22,10 +22,13 @@
 
 #define RC5_FLAGS PROV_CIPHER_FLAG_VARIABLE_LENGTH
 
+static OSSL_FUNC_cipher_encrypt_init_fn rc5_einit;
+static OSSL_FUNC_cipher_decrypt_init_fn rc5_dinit;
 static OSSL_FUNC_cipher_freectx_fn rc5_freectx;
 static OSSL_FUNC_cipher_dupctx_fn rc5_dupctx;
 OSSL_FUNC_cipher_gettable_ctx_params_fn rc5_gettable_ctx_params;
 OSSL_FUNC_cipher_settable_ctx_params_fn rc5_settable_ctx_params;
+static OSSL_FUNC_cipher_set_ctx_params_fn rc5_set_ctx_params;
 
 static void rc5_freectx(void *vctx)
 {
@@ -53,11 +56,32 @@ static void *rc5_dupctx(void *ctx)
     return ret;
 }
 
+static int rc5_einit(void *ctx, const unsigned char *key, size_t keylen,
+                          const unsigned char *iv, size_t ivlen,
+                          const OSSL_PARAM params[])
+{
+    if (!ossl_cipher_generic_einit(ctx, key, keylen, iv, ivlen, NULL))
+        return 0;
+    return rc5_set_ctx_params(ctx, params);
+}
+
+static int rc5_dinit(void *ctx, const unsigned char *key, size_t keylen,
+                          const unsigned char *iv, size_t ivlen,
+                          const OSSL_PARAM params[])
+{
+    if (!ossl_cipher_generic_dinit(ctx, key, keylen, iv, ivlen, NULL))
+        return 0;
+    return rc5_set_ctx_params(ctx, params);
+}
+
 static int rc5_set_ctx_params(void *vctx, const OSSL_PARAM params[])
 {
     PROV_RC5_CTX *ctx = (PROV_RC5_CTX *)vctx;
     const OSSL_PARAM *p;
 
+    if (params == NULL)
+        return 1;
+
     if (!ossl_cipher_var_keylen_set_ctx_params(vctx, params))
         return 0;
 
@@ -134,8 +158,8 @@ const OSSL_DISPATCH ossl_##alg##kbits##lcmode##_functions[] = {                \
       (void (*)(void)) alg##_##kbits##_##lcmode##_newctx },                    \
     { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void)) alg##_freectx },              \
     { OSSL_FUNC_CIPHER_DUPCTX, (void (*)(void)) alg##_dupctx },                \
-    { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))ossl_cipher_generic_einit },\
-    { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))ossl_cipher_generic_dinit },\
+    { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))rc5_einit },              \
+    { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))rc5_dinit },              \
     { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))ossl_cipher_generic_##typ##_update },\
     { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))ossl_cipher_generic_##typ##_final },  \
     { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))ossl_cipher_generic_cipher },   \
diff --git a/providers/implementations/ciphers/cipher_tdes_common.c b/providers/implementations/ciphers/cipher_tdes_common.c
index f0fd03ff4b..048b08661d 100644
--- a/providers/implementations/ciphers/cipher_tdes_common.c
+++ b/providers/implementations/ciphers/cipher_tdes_common.c
@@ -62,7 +62,8 @@ void ossl_tdes_freectx(void *vctx)
 }
 
 static int tdes_init(void *vctx, const unsigned char *key, size_t keylen,
-                     const unsigned char *iv, size_t ivlen, int enc)
+                     const unsigned char *iv, size_t ivlen,
+                     const OSSL_PARAM params[], int enc)
 {
     PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
 
@@ -83,21 +84,24 @@ static int tdes_init(void *vctx, const unsigned char *key, size_t keylen,
             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
             return 0;
         }
-        return ctx->hw->init(ctx, key, ctx->keylen);
+        if (!ctx->hw->init(ctx, key, ctx->keylen))
+            return 0;
     }
-    return 1;
+    return ossl_cipher_generic_set_ctx_params(ctx, params);
 }
 
 int ossl_tdes_einit(void *vctx, const unsigned char *key, size_t keylen,
-                    const unsigned char *iv, size_t ivlen)
+                    const unsigned char *iv, size_t ivlen,
+                    const OSSL_PARAM params[])
 {
-    return tdes_init(vctx, key, keylen, iv, ivlen, 1);
+    return tdes_init(vctx, key, keylen, iv, ivlen, params, 1);
 }
 
 int ossl_tdes_dinit(void *vctx, const unsigned char *key, size_t keylen,
-                    const unsigned char *iv, size_t ivlen)
+                    const unsigned char *iv, size_t ivlen,
+                    const OSSL_PARAM params[])
 {
-    return tdes_init(vctx, key, keylen, iv, ivlen, 0);
+    return tdes_init(vctx, key, keylen, iv, ivlen, params, 0);
 }
 
 CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_START(ossl_tdes)
diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c
index 3d2fb5b8f8..53ecbc9012 100644
--- a/providers/implementations/ciphers/ciphercommon.c
+++ b/providers/implementations/ciphers/ciphercommon.c
@@ -107,6 +107,9 @@ int ossl_cipher_var_keylen_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
     const OSSL_PARAM *p;
 
+    if (params == NULL)
+        return 1;
+
     if (!ossl_cipher_generic_set_ctx_params(vctx, params))
         return 0;
     p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
@@ -174,7 +177,7 @@ void ossl_cipher_generic_reset_ctx(PROV_CIPHER_CTX *ctx)
 static int cipher_generic_init_internal(PROV_CIPHER_CTX *ctx,
                                         const unsigned char *key, size_t keylen,
                                         const unsigned char *iv, size_t ivlen,
-                                        int enc)
+                                        const OSSL_PARAM params[], int enc)
 {
     ctx->num = 0;
     ctx->bufsz = 0;
@@ -197,25 +200,26 @@ static int cipher_generic_init_internal(PROV_CIPHER_CTX *ctx,
         } else {
             ctx->keylen = keylen;
         }
-        return ctx->hw->init(ctx, key, ctx->keylen);
+        if (!ctx->hw->init(ctx, key, ctx->keylen))
+            return 0;
     }
-    return 1;
+    return ossl_cipher_generic_set_ctx_params(ctx, params);
 }
 
 int ossl_cipher_generic_einit(void *vctx, const unsigned char *key,
                               size_t keylen, const unsigned char *iv,
-                              size_t ivlen)
+                              size_t ivlen, const OSSL_PARAM params[])
 {
     return cipher_generic_init_internal((PROV_CIPHER_CTX *)vctx, key, keylen,
-                                        iv, ivlen, 1);
+                                        iv, ivlen, params, 1);
 }
 
 int ossl_cipher_generic_dinit(void *vctx, const unsigned char *key,
                               size_t keylen, const unsigned char *iv,
-                              size_t ivlen)
+                              size_t ivlen, const OSSL_PARAM params[])
 {
     return cipher_generic_init_internal((PROV_CIPHER_CTX *)vctx, key, keylen,
-                                        iv, ivlen, 0);
+                                        iv, ivlen, params, 0);
 }
 
 /* Max padding including padding length byte */
@@ -574,6 +578,9 @@ int ossl_cipher_generic_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
     const OSSL_PARAM *p;
 
+    if (params == NULL)
+        return 1;
+
     p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_PADDING);
     if (p != NULL) {
         unsigned int pad;
diff --git a/providers/implementations/ciphers/ciphercommon_ccm.c b/providers/implementations/ciphers/ciphercommon_ccm.c
index d14a7eb5e6..ce3f7527f3 100644
--- a/providers/implementations/ciphers/ciphercommon_ccm.c
+++ b/providers/implementations/ciphers/ciphercommon_ccm.c
@@ -71,6 +71,9 @@ int ossl_ccm_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     const OSSL_PARAM *p;
     size_t sz;
 
+    if (params == NULL)
+        return 1;
+
     p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG);
     if (p != NULL) {
         if (p->data_type != OSSL_PARAM_OCTET_STRING) {
@@ -217,7 +220,8 @@ int ossl_ccm_get_ctx_params(void *vctx, OSSL_PARAM params[])
 }
 
 static int ccm_init(void *vctx, const unsigned char *key, size_t keylen,
-                    const unsigned char *iv, size_t ivlen, int enc)
+                    const unsigned char *iv, size_t ivlen,
+                    const OSSL_PARAM params[], int enc)
 {
     PROV_CCM_CTX *ctx = (PROV_CCM_CTX *)vctx;
 
@@ -239,21 +243,24 @@ static int ccm_init(void *vctx, const unsigned char *key, size_t keylen,
             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
             return 0;
         }
-        return ctx->hw->setkey(ctx, key, keylen);
+        if (!ctx->hw->setkey(ctx, key, keylen))
+            return 0;
     }
-    return 1;
+    return ossl_ccm_set_ctx_params(ctx, params);
 }
 
 int ossl_ccm_einit(void *vctx, const unsigned char *key, size_t keylen,
-                   const unsigned char *iv, size_t ivlen)
+                   const unsigned char *iv, size_t ivlen,
+                   const OSSL_PARAM params[])
 {
-    return ccm_init(vctx, key, keylen, iv, ivlen, 1);
+    return ccm_init(vctx, key, keylen, iv, ivlen, params, 1);
 }
 
 int ossl_ccm_dinit(void *vctx, const unsigned char *key, size_t keylen,
-                   const unsigned char *iv, size_t ivlen)
+                   const unsigned char *iv, size_t ivlen,
+                   const OSSL_PARAM params[])
 {
-    return ccm_init(vctx, key, keylen, iv, ivlen, 0);
+    return ccm_init(vctx, key, keylen, iv, ivlen, params, 0);
 }
 
 int ossl_ccm_stream_update(void *vctx, unsigned char *out, size_t *outl,
diff --git a/providers/implementations/ciphers/ciphercommon_gcm.c b/providers/implementations/ciphers/ciphercommon_gcm.c
index c7b91e7bfa..b19e15b3b2 100644
--- a/providers/implementations/ciphers/ciphercommon_gcm.c
+++ b/providers/implementations/ciphers/ciphercommon_gcm.c
@@ -40,7 +40,8 @@ void ossl_gcm_initctx(void *provctx, PROV_GCM_CTX *ctx, size_t keybits,
 }
 
 static int gcm_init(void *vctx, const unsigned char *key, size_t keylen,
-                    const unsigned char *iv, size_t ivlen, int enc)
+                    const unsigned char *iv, size_t ivlen,
+                    const OSSL_PARAM params[], int enc)
 {
     PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx;
 
@@ -64,21 +65,24 @@ static int gcm_init(void *vctx, const unsigned char *key, size_t keylen,
             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
             return 0;
         }
-        return ctx->hw->setkey(ctx, key, ctx->keylen);
+        if (!ctx->hw->setkey(ctx, key, ctx->keylen))
+            return 0;
     }
-    return 1;
+    return ossl_gcm_set_ctx_params(ctx, params);
 }
 
 int ossl_gcm_einit(void *vctx, const unsigned char *key, size_t keylen,
-                   const unsigned char *iv, size_t ivlen)
+                   const unsigned char *iv, size_t ivlen,
+                   const OSSL_PARAM params[])
 {
-    return gcm_init(vctx, key, keylen, iv, ivlen, 1);
+    return gcm_init(vctx, key, keylen, iv, ivlen, params, 1);
 }
 
 int ossl_gcm_dinit(void *vctx, const unsigned char *key, size_t keylen,
-                   const unsigned char *iv, size_t ivlen)
+                   const unsigned char *iv, size_t ivlen,
+                   const OSSL_PARAM params[])
 {
-    return gcm_init(vctx, key, keylen, iv, ivlen, 0);
+    return gcm_init(vctx, key, keylen, iv, ivlen, params, 0);
 }
 
 /* increment counter (64-bit int) by 1 */
@@ -223,6 +227,9 @@ int ossl_gcm_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     size_t sz;
     void *vp;
 
+    if (params == NULL)
+        return 1;
+
     p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG);
     if (p != NULL) {
         vp = ctx->buf;
diff --git a/providers/implementations/digests/blake2_prov.c b/providers/implementations/digests/blake2_prov.c
index 74ff44e6b7..25342eedb8 100644
--- a/providers/implementations/digests/blake2_prov.c
+++ b/providers/implementations/digests/blake2_prov.c
@@ -12,9 +12,6 @@
 #include "prov/digestcommon.h"
 #include "prov/implementations.h"
 
-OSSL_FUNC_digest_init_fn ossl_blake2s256_init;
-OSSL_FUNC_digest_init_fn ossl_blake2b512_init;
-
 int ossl_blake2s256_init(void *ctx)
 {
     BLAKE2S_PARAM P;
diff --git a/providers/implementations/digests/md5_sha1_prov.c b/providers/implementations/digests/md5_sha1_prov.c
index e41ac815c5..e7b8389b2b 100644
--- a/providers/implementations/digests/md5_sha1_prov.c
+++ b/providers/implementations/digests/md5_sha1_prov.c
@@ -42,13 +42,16 @@ static int md5_sha1_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     const OSSL_PARAM *p;
     MD5_SHA1_CTX *ctx = (MD5_SHA1_CTX *)vctx;
 
-    if (ctx != NULL && params != NULL) {
-        p = OSSL_PARAM_locate_const(params, OSSL_DIGEST_PARAM_SSL3_MS);
-        if (p != NULL && p->data_type == OSSL_PARAM_OCTET_STRING)
-            return ossl_md5_sha1_ctrl(ctx, EVP_CTRL_SSL3_MASTER_SECRET,
-                                      p->data_size, p->data);
-    }
-    return 0;
+    if (ctx == NULL)
+        return 0;
+    if (params == NULL)
+        return 1;
+
+    p = OSSL_PARAM_locate_const(params, OSSL_DIGEST_PARAM_SSL3_MS);
+    if (p != NULL && p->data_type == OSSL_PARAM_OCTET_STRING)
+        return ossl_md5_sha1_ctrl(ctx, EVP_CTRL_SSL3_MASTER_SECRET,
+                                  p->data_size, p->data);
+    return 1;
 }
 
 /* ossl_md5_sha1_functions */
diff --git a/providers/implementations/digests/mdc2_prov.c b/providers/implementations/digests/mdc2_prov.c
index edd73ed89e..de39f8a104 100644
--- a/providers/implementations/digests/mdc2_prov.c
+++ b/providers/implementations/digests/mdc2_prov.c
@@ -41,15 +41,17 @@ static int mdc2_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     const OSSL_PARAM *p;
     MDC2_CTX *ctx = (MDC2_CTX *)vctx;
 
-    if (ctx != NULL && params != NULL) {
-        p = OSSL_PARAM_locate_const(params, OSSL_DIGEST_PARAM_PAD_TYPE);
-        if (p != NULL && !OSSL_PARAM_get_uint(p, &ctx->pad_type)) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
-            return 0;
-        }
+    if (ctx == NULL)
+        return 0;
+    if (params == NULL)
         return 1;
+
+    p = OSSL_PARAM_locate_const(params, OSSL_DIGEST_PARAM_PAD_TYPE);
+    if (p != NULL && !OSSL_PARAM_get_uint(p, &ctx->pad_type)) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+        return 0;
     }
-    return 0; /* Null Parameter */
+    return 1;
 }
 
 /* ossl_mdc2_functions */
diff --git a/providers/implementations/digests/sha2_prov.c b/providers/implementations/digests/sha2_prov.c
index 96f4cc7004..3b731796bd 100644
--- a/providers/implementations/digests/sha2_prov.c
+++ b/providers/implementations/digests/sha2_prov.c
@@ -45,13 +45,16 @@ static int sha1_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     const OSSL_PARAM *p;
     SHA_CTX *ctx = (SHA_CTX *)vctx;
 
-    if (ctx != NULL && params != NULL) {
-        p = OSSL_PARAM_locate_const(params, OSSL_DIGEST_PARAM_SSL3_MS);
-        if (p != NULL && p->data_type == OSSL_PARAM_OCTET_STRING)
-            return ossl_sha1_ctrl(ctx, EVP_CTRL_SSL3_MASTER_SECRET,
-                                  p->data_size, p->data);
-    }
-    return 0;
+    if (ctx == NULL)
+        return 0;
+    if (params == NULL)
+        return 1;
+
+    p = OSSL_PARAM_locate_const(params, OSSL_DIGEST_PARAM_SSL3_MS);
+    if (p != NULL && p->data_type == OSSL_PARAM_OCTET_STRING)
+        return ossl_sha1_ctrl(ctx, EVP_CTRL_SSL3_MASTER_SECRET,
+                              p->data_size, p->data);
+    return 1;
 }
 
 /* ossl_sha1_functions */
diff --git a/providers/implementations/digests/sha3_prov.c b/providers/implementations/digests/sha3_prov.c
index c8c5df41ed..168825d475 100644
--- a/providers/implementations/digests/sha3_prov.c
+++ b/providers/implementations/digests/sha3_prov.c
@@ -28,6 +28,7 @@
  * of the functions in the dispatch table are correct.
  */
 static OSSL_FUNC_digest_init_fn keccak_init;
+static OSSL_FUNC_digest_init_fn keccak_init_params;
 static OSSL_FUNC_digest_update_fn keccak_update;
 static OSSL_FUNC_digest_final_fn keccak_final;
 static OSSL_FUNC_digest_freectx_fn keccak_freectx;
@@ -49,7 +50,7 @@ static sha3_final_fn generic_sha3_final;
 
 #endif
 
-static int keccak_init(void *vctx)
+static int keccak_init(void *vctx, ossl_unused const OSSL_PARAM params[])
 {
     if (!ossl_prov_is_running())
         return 0;
@@ -58,6 +59,12 @@ static int keccak_init(void *vctx)
     return 1;
 }
 
+static int keccak_init_params(void *vctx, const OSSL_PARAM params[])
+{
+    return keccak_init(vctx, NULL)
+            && shake_set_ctx_params(vctx, params);
+}
+
 static int keccak_update(void *vctx, const unsigned char *inp, size_t len)
 {
     KECCAK1600_CTX *ctx = vctx;
@@ -225,7 +232,6 @@ static void *uname##_newctx(void *provctx)                                     \
 PROV_FUNC_DIGEST_GET_PARAM(name, blksize, dgstsize, flags)                     \
 const OSSL_DISPATCH ossl_##name##_functions[] = {                              \
     { OSSL_FUNC_DIGEST_NEWCTX, (void (*)(void))name##_newctx },                \
-    { OSSL_FUNC_DIGEST_INIT, (void (*)(void))keccak_init },                    \
     { OSSL_FUNC_DIGEST_UPDATE, (void (*)(void))keccak_update },                \
     { OSSL_FUNC_DIGEST_FINAL, (void (*)(void))keccak_final },                  \
     { OSSL_FUNC_DIGEST_FREECTX, (void (*)(void))keccak_freectx },              \
@@ -234,10 +240,12 @@ const OSSL_DISPATCH ossl_##name##_functions[] = {                              \
 
 #define PROV_FUNC_SHA3_DIGEST(name, bitlen, blksize, dgstsize, flags)          \
     PROV_FUNC_SHA3_DIGEST_COMMON(name, bitlen, blksize, dgstsize, flags),      \
+    { OSSL_FUNC_DIGEST_INIT, (void (*)(void))keccak_init },                    \
     PROV_DISPATCH_FUNC_DIGEST_CONSTRUCT_END
 
 #define PROV_FUNC_SHAKE_DIGEST(name, bitlen, blksize, dgstsize, flags)         \
     PROV_FUNC_SHA3_DIGEST_COMMON(name, bitlen, blksize, dgstsize, flags),      \
+    { OSSL_FUNC_DIGEST_INIT, (void (*)(void))keccak_init_params },             \
     { OSSL_FUNC_DIGEST_SET_CTX_PARAMS, (void (*)(void))shake_set_ctx_params }, \
     { OSSL_FUNC_DIGEST_SETTABLE_CTX_PARAMS,                                    \
      (void (*)(void))shake_settable_ctx_params },                              \
@@ -276,15 +284,17 @@ static int shake_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     const OSSL_PARAM *p;
     KECCAK1600_CTX *ctx = (KECCAK1600_CTX *)vctx;
 
-    if (ctx != NULL && params != NULL) {
-        p = OSSL_PARAM_locate_const(params, OSSL_DIGEST_PARAM_XOFLEN);
-        if (p != NULL && !OSSL_PARAM_get_size_t(p, &ctx->md_size)) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
-            return 0;
-        }
+    if (ctx == NULL)
+        return 0;
+    if (params == NULL)
         return 1;
+
+    p = OSSL_PARAM_locate_const(params, OSSL_DIGEST_PARAM_XOFLEN);
+    if (p != NULL && !OSSL_PARAM_get_size_t(p, &ctx->md_size)) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+        return 0;
     }
-    return 0; /* Null Parameter */
+    return 1;
 }
 
 #define IMPLEMENT_SHA3_functions(bitlen)                                       \
diff --git a/providers/implementations/exchange/dh_exch.c b/providers/implementations/exchange/dh_exch.c
index b74adfbc34..87eb17dd60 100644
--- a/providers/implementations/exchange/dh_exch.c
+++ b/providers/implementations/exchange/dh_exch.c
@@ -93,7 +93,7 @@ static void *dh_newctx(void *provctx)
     return pdhctx;
 }
 
-static int dh_init(void *vpdhctx, void *vdh)
+static int dh_init(void *vpdhctx, void *vdh, const OSSL_PARAM params[])
 {
     PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
 
@@ -105,7 +105,7 @@ static int dh_init(void *vpdhctx, void *vdh)
     DH_free(pdhctx->dh);
     pdhctx->dh = vdh;
     pdhctx->kdf_type = PROV_DH_KDF_NONE;
-    return ossl_dh_check_key(vdh);
+    return dh_set_ctx_params(pdhctx, params) && ossl_dh_check_key(vdh);
 }
 
 static int dh_set_peer(void *vpdhctx, void *vdh)
@@ -292,8 +292,10 @@ static int dh_set_ctx_params(void *vpdhctx, const OSSL_PARAM params[])
     char name[80] = { '\0' }; /* should be big enough */
     char *str = NULL;
 
-    if (pdhctx == NULL || params == NULL)
+    if (pdhctx == NULL)
         return 0;
+    if (params == NULL)
+        return 1;
 
     p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_TYPE);
     if (p != NULL) {
@@ -416,7 +418,7 @@ static int dh_get_ctx_params(void *vpdhctx, OSSL_PARAM params[])
     PROV_DH_CTX *pdhctx = (PROV_DH_CTX *)vpdhctx;
     OSSL_PARAM *p;
 
-    if (pdhctx == NULL || params == NULL)
+    if (pdhctx == NULL)
         return 0;
 
     p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_KDF_TYPE);
diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c
index d468d2a8a2..63bcf4e50c 100644
--- a/providers/implementations/exchange/ecdh_exch.c
+++ b/providers/implementations/exchange/ecdh_exch.c
@@ -99,7 +99,7 @@ void *ecdh_newctx(void *provctx)
 }
 
 static
-int ecdh_init(void *vpecdhctx, void *vecdh)
+int ecdh_init(void *vpecdhctx, void *vecdh, const OSSL_PARAM params[])
 {
     PROV_ECDH_CTX *pecdhctx = (PROV_ECDH_CTX *)vpecdhctx;
 
@@ -112,7 +112,8 @@ int ecdh_init(void *vpecdhctx, void *vecdh)
     pecdhctx->k = vecdh;
     pecdhctx->cofactor_mode = -1;
     pecdhctx->kdf_type = PROV_ECDH_KDF_NONE;
-    return ossl_ec_check_key(vecdh, 1);
+    return ecdh_set_ctx_params(pecdhctx, params)
+           && ossl_ec_check_key(vecdh, 1);
 }
 
 static
@@ -206,8 +207,10 @@ int ecdh_set_ctx_params(void *vpecdhctx, const OSSL_PARAM params[])
     PROV_ECDH_CTX *pectx = (PROV_ECDH_CTX *)vpecdhctx;
     const OSSL_PARAM *p;
 
-    if (pectx == NULL || params == NULL)
+    if (pectx == NULL)
         return 0;
+    if (params == NULL)
+        return 1;
 
     p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE);
     if (p != NULL) {
@@ -310,7 +313,7 @@ int ecdh_get_ctx_params(void *vpecdhctx, OSSL_PARAM params[])
     PROV_ECDH_CTX *pectx = (PROV_ECDH_CTX *)vpecdhctx;
     OSSL_PARAM *p;
 
-    if (pectx == NULL || params == NULL)
+    if (pectx == NULL)
         return 0;
 
     p = OSSL_PARAM_locate(params, OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE);
diff --git a/providers/implementations/exchange/ecx_exch.c b/providers/implementations/exchange/ecx_exch.c
index 17861c0d75..caa1eece89 100644
--- a/providers/implementations/exchange/ecx_exch.c
+++ b/providers/implementations/exchange/ecx_exch.c
@@ -69,7 +69,8 @@ static void *x448_newctx(void *provctx)
     return ecx_newctx(provctx, X448_KEYLEN);
 }
 
-static int ecx_init(void *vecxctx, void *vkey)
+static int ecx_init(void *vecxctx, void *vkey,
+                    ossl_unused const OSSL_PARAM params[])
 {
     PROV_ECX_CTX *ecxctx = (PROV_ECX_CTX *)vecxctx;
     ECX_KEY *key = vkey;
diff --git a/providers/implementations/exchange/kdf_exch.c b/providers/implementations/exchange/kdf_exch.c
index 6979ce5c11..d61c04354c 100644
--- a/providers/implementations/exchange/kdf_exch.c
+++ b/providers/implementations/exchange/kdf_exch.c
@@ -74,7 +74,7 @@ KDF_NEWCTX(tls1_prf, "TLS1-PRF")
 KDF_NEWCTX(hkdf, "HKDF")
 KDF_NEWCTX(scrypt, "SCRYPT")
 
-static int kdf_init(void *vpkdfctx, void *vkdf)
+static int kdf_init(void *vpkdfctx, void *vkdf, const OSSL_PARAM params[])
 {
     PROV_KDF_CTX *pkdfctx = (PROV_KDF_CTX *)vpkdfctx;
 
@@ -85,7 +85,7 @@ static int kdf_init(void *vpkdfctx, void *vkdf)
         return 0;
     pkdfctx->kdfdata = vkdf;
 
-    return 1;
+    return kdf_set_ctx_params(pkdfctx, params);
 }
 
 static int kdf_derive(void *vpkdfctx, unsigned char *secret, size_t *secretlen,
diff --git a/providers/implementations/include/prov/digestcommon.h b/providers/implementations/include/prov/digestcommon.h
index 638fe3d4a4..b0ed83648d 100644
--- a/providers/implementations/include/prov/digestcommon.h
+++ b/providers/implementations/include/prov/digestcommon.h
@@ -36,7 +36,7 @@ static int name##_get_params(OSSL_PARAM params[])                              \
   (void (*)(void))ossl_digest_default_gettable_params }
 
 # define PROV_DISPATCH_FUNC_DIGEST_CONSTRUCT_START(                            \
-    name, CTX, blksize, dgstsize, flags, init, upd, fin)                       \
+    name, CTX, blksize, dgstsize, flags, upd, fin)                             \
 static OSSL_FUNC_digest_newctx_fn name##_newctx;                               \
 static OSSL_FUNC_digest_freectx_fn name##_freectx;                             \
 static OSSL_FUNC_digest_dupctx_fn name##_dupctx;                               \
@@ -58,11 +58,6 @@ static void *name##_dupctx(void *ctx)                                          \
         *ret = *in;                                                            \
     return ret;                                                                \
 }                                                                              \
-static OSSL_FUNC_digest_init_fn name##_internal_init;                          \
-static int name##_internal_init(void *ctx)                                     \
-{                                                                              \
-    return ossl_prov_is_running() ? init(ctx) : 0;                             \
-}                                                                              \
 static OSSL_FUNC_digest_final_fn name##_internal_final;                        \
 static int name##_internal_final(void *ctx, unsigned char *out, size_t *outl,  \
                                  size_t outsz)                                 \
@@ -76,7 +71,6 @@ static int name##_internal_final(void *ctx, unsigned char *out, size_t *outl,  \
 PROV_FUNC_DIGEST_GET_PARAM(name, blksize, dgstsize, flags)                     \
 const OSSL_DISPATCH ossl_##name##_functions[] = {                              \
     { OSSL_FUNC_DIGEST_NEWCTX, (void (*)(void))name##_newctx },                \
-    { OSSL_FUNC_DIGEST_INIT, (void (*)(void))name##_internal_init },           \
     { OSSL_FUNC_DIGEST_UPDATE, (void (*)(void))upd },                          \
     { OSSL_FUNC_DIGEST_FINAL, (void (*)(void))name##_internal_final },         \
     { OSSL_FUNC_DIGEST_FREECTX, (void (*)(void))name##_freectx },              \
@@ -89,17 +83,32 @@ const OSSL_DISPATCH ossl_##name##_functions[] = {                              \
 
 # define IMPLEMENT_digest_functions(                                           \
     name, CTX, blksize, dgstsize, flags, init, upd, fin)                       \
+static OSSL_FUNC_digest_init_fn name##_internal_init;                          \
+static int name##_internal_init(void *ctx,                                     \
+                                ossl_unused const OSSL_PARAM params[])         \
+{                                                                              \
+    return ossl_prov_is_running() && init(ctx);                                \
+}                                                                              \
 PROV_DISPATCH_FUNC_DIGEST_CONSTRUCT_START(name, CTX, blksize, dgstsize, flags, \
-                                          init, upd, fin),                     \
+                                          upd, fin),                           \
+    { OSSL_FUNC_DIGEST_INIT, (void (*)(void))name##_internal_init },           \
 PROV_DISPATCH_FUNC_DIGEST_CONSTRUCT_END
 
 # define IMPLEMENT_digest_functions_with_settable_ctx(                         \
     name, CTX, blksize, dgstsize, flags, init, upd, fin,                       \
     settable_ctx_params, set_ctx_params)                                       \
+static OSSL_FUNC_digest_init_fn name##_internal_init;                          \
+static int name##_internal_init(void *ctx, const OSSL_PARAM params[])          \
+{                                                                              \
+    return ossl_prov_is_running()                                              \
+           && init(ctx)                                                        \
+           && set_ctx_params(ctx, params);                                     \
+}                                                                              \
 PROV_DISPATCH_FUNC_DIGEST_CONSTRUCT_START(name, CTX, blksize, dgstsize, flags, \
-                                          init, upd, fin),                     \
-{ OSSL_FUNC_DIGEST_SETTABLE_CTX_PARAMS, (void (*)(void))settable_ctx_params }, \
-{ OSSL_FUNC_DIGEST_SET_CTX_PARAMS, (void (*)(void))set_ctx_params },           \
+                                          upd, fin),                           \
+    { OSSL_FUNC_DIGEST_INIT, (void (*)(void))name##_internal_init },           \
+    { OSSL_FUNC_DIGEST_SETTABLE_CTX_PARAMS, (void (*)(void))settable_ctx_params }, \
+    { OSSL_FUNC_DIGEST_SET_CTX_PARAMS, (void (*)(void))set_ctx_params },       \
 PROV_DISPATCH_FUNC_DIGEST_CONSTRUCT_END
 
 
diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
index 24052f4d63..52b284c662 100644
--- a/providers/implementations/kdfs/hkdf.c
+++ b/providers/implementations/kdfs/hkdf.c
@@ -172,6 +172,9 @@ static int kdf_hkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     OSSL_LIB_CTX *provctx = PROV_LIBCTX_OF(ctx->provctx);
     int n;
 
+    if (params == NULL)
+        return 1;
+
     if (!ossl_prov_digest_load_from_params(&ctx->digest, params, provctx))
         return 0;
 
diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c
index 2f6171baa7..e22d54171f 100644
--- a/providers/implementations/kdfs/kbkdf.c
+++ b/providers/implementations/kdfs/kbkdf.c
@@ -282,6 +282,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
     const OSSL_PARAM *p;
 
+    if (params == NULL)
+        return 1;
+
     if (!ossl_prov_macctx_load_from_params(&ctx->ctx_init, params, NULL,
                                            NULL, NULL, libctx))
         return 0;
diff --git a/providers/implementations/kdfs/krb5kdf.c b/providers/implementations/kdfs/krb5kdf.c
index 041c3e32b2..4bf9ce7294 100644
--- a/providers/implementations/kdfs/krb5kdf.c
+++ b/providers/implementations/kdfs/krb5kdf.c
@@ -136,6 +136,9 @@ static int krb5kdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     KRB5KDF_CTX *ctx = vctx;
     OSSL_LIB_CTX *provctx = PROV_LIBCTX_OF(ctx->provctx);
 
+    if (params == NULL)
+        return 1;
+
     if (!ossl_prov_cipher_load_from_params(&ctx->cipher, params, provctx))
         return 0;
 
diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
index ce27fe9b39..eb7b15de59 100644
--- a/providers/implementations/kdfs/pbkdf2.c
+++ b/providers/implementations/kdfs/pbkdf2.c
@@ -172,6 +172,9 @@ static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     int pkcs5;
     uint64_t iter, min_iter;
 
+    if (params == NULL)
+        return 1;
+
     if (!ossl_prov_digest_load_from_params(&ctx->digest, params, provctx))
         return 0;
 
diff --git a/providers/implementations/kdfs/pkcs12kdf.c b/providers/implementations/kdfs/pkcs12kdf.c
index bea6dffeca..d0036441a3 100644
--- a/providers/implementations/kdfs/pkcs12kdf.c
+++ b/providers/implementations/kdfs/pkcs12kdf.c
@@ -225,6 +225,9 @@ static int kdf_pkcs12_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     KDF_PKCS12 *ctx = vctx;
     OSSL_LIB_CTX *provctx = PROV_LIBCTX_OF(ctx->provctx);
 
+    if (params == NULL)
+        return 1;
+
     if (!ossl_prov_digest_load_from_params(&ctx->digest, params, provctx))
         return 0;
 
diff --git a/providers/implementations/kdfs/scrypt.c b/providers/implementations/kdfs/scrypt.c
index 6c61d3bb3c..12c57bb1a4 100644
--- a/providers/implementations/kdfs/scrypt.c
+++ b/providers/implementations/kdfs/scrypt.c
@@ -185,6 +185,9 @@ static int kdf_scrypt_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     KDF_SCRYPT *ctx = vctx;
     uint64_t u64_value;
 
+    if (params == NULL)
+        return 1;
+
     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL)
         if (!scrypt_set_membuf(&ctx->pass, &ctx->pass_len, p))
             return 0;
diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c
index f99a6a7413..93a7a64fb5 100644
--- a/providers/implementations/kdfs/sshkdf.c
+++ b/providers/implementations/kdfs/sshkdf.c
@@ -136,6 +136,9 @@ static int kdf_sshkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     KDF_SSHKDF *ctx = vctx;
     OSSL_LIB_CTX *provctx = PROV_LIBCTX_OF(ctx->provctx);
 
+    if (params == NULL)
+        return 1;
+
     if (!ossl_prov_digest_load_from_params(&ctx->digest, params, provctx))
         return 0;
 
diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c
index 118c44cfa7..c281997a25 100644
--- a/providers/implementations/kdfs/sskdf.c
+++ b/providers/implementations/kdfs/sskdf.c
@@ -449,6 +449,9 @@ static int sskdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
     size_t sz;
 
+    if (params == NULL)
+        return 1;
+
     if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx))
         return 0;
 
diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c
index 4204f03b3a..74a0f7e1f3 100644
--- a/providers/implementations/kdfs/tls1_prf.c
+++ b/providers/implementations/kdfs/tls1_prf.c
@@ -168,6 +168,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     TLS1_PRF *ctx = vctx;
     OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);
 
+    if (params == NULL)
+        return 1;
+
     if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_DIGEST)) != NULL) {
         if (strcasecmp(p->data, SN_md5_sha1) == 0) {
             if (!ossl_prov_macctx_load_from_params(&ctx->P_hash, params,
diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c
index ca478bc883..c469d48439 100644
--- a/providers/implementations/kdfs/x942kdf.c
+++ b/providers/implementations/kdfs/x942kdf.c
@@ -472,6 +472,8 @@ static int x942kdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     const char *propq = NULL;
     size_t id;
 
+    if (params == NULL)
+        return 1;
     if (!ossl_prov_digest_load_from_params(&ctx->digest, params, provctx))
         return 0;
 
diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
index 559d7d0c52..36bcea3506 100644
--- a/providers/implementations/kem/rsa_kem.c
+++ b/providers/implementations/kem/rsa_kem.c
@@ -117,7 +117,8 @@ static void *rsakem_dupctx(void *vprsactx)
     return dstctx;
 }
 
-static int rsakem_init(void *vprsactx, void *vrsa, int operation)
+static int rsakem_init(void *vprsactx, void *vrsa,
+                       const OSSL_PARAM params[], int operation)
 {
     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
 
@@ -130,26 +131,26 @@ static int rsakem_init(void *vprsactx, void *vrsa, int operation)
         ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
         return 0;
     }
-    return 1;
+    return rsakem_set_ctx_params(prsactx, params);
 }
 
-static int rsakem_encapsulate_init(void *vprsactx, void *vrsa)
+static int rsakem_encapsulate_init(void *vprsactx, void *vrsa,
+                                   const OSSL_PARAM params[])
 {
-    return rsakem_init(vprsactx, vrsa, EVP_PKEY_OP_ENCAPSULATE);
+    return rsakem_init(vprsactx, vrsa, params, EVP_PKEY_OP_ENCAPSULATE);
 }
 
-static int rsakem_decapsulate_init(void *vprsactx, void *vrsa)
+static int rsakem_decapsulate_init(void *vprsactx, void *vrsa,
+                                   const OSSL_PARAM params[])
 {
-    return rsakem_init(vprsactx, vrsa, EVP_PKEY_OP_DECAPSULATE);
+    return rsakem_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECAPSULATE);
 }
 
 static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
 {
     PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx;
 
-    if (ctx == NULL || params == NULL)
-        return 0;
-    return 1;
+    return ctx != NULL;
 }
 
 static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = {
@@ -168,8 +169,11 @@ static int rsakem_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
     const OSSL_PARAM *p;
     int op;
 
-    if (prsactx == NULL || params == NULL)
+    if (prsactx == NULL)
         return 0;
+    if (params == NULL)
+        return 1;
+
 
     p = OSSL_PARAM_locate_const(params, OSSL_KEM_PARAM_OPERATION);
     if (p != NULL) {
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
index 5731b73418..da111c2cd7 100644
--- a/providers/implementations/keymgmt/dh_kmgmt.c
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
@@ -408,7 +408,8 @@ static int dh_validate(const void *keydata, int selection, int checktype)
     return ok;
 }
 
-static void *dh_gen_init_base(void *provctx, int selection, int type)
+static void *dh_gen_init_base(void *provctx, int selection,
+                              const OSSL_PARAM params[], int type)
 {
     OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(provctx);
     struct dh_gen_ctx *gctx = NULL;
@@ -441,17 +442,23 @@ static void *dh_gen_init_base(void *provctx, int selection, int type)
         gctx->generator = DH_GENERATOR_2;
         gctx->dh_type = type;
     }
+    if (!dh_gen_set_params(gctx, params)) {
+        OPENSSL_free(gctx);
+        gctx = NULL;
+    }
     return gctx;
 }
 
-static void *dh_gen_init(void *provctx, int selection)
+static void *dh_gen_init(void *provctx, int selection,
+                         const OSSL_PARAM params[])
 {
-    return dh_gen_init_base(provctx, selection, DH_FLAG_TYPE_DH);
+    return dh_gen_init_base(provctx, selection, params, DH_FLAG_TYPE_DH);
 }
 
-static void *dhx_gen_init(void *provctx, int selection)
+static void *dhx_gen_init(void *provctx, int selection,
+                          const OSSL_PARAM params[])
 {
-   return dh_gen_init_base(provctx, selection, DH_FLAG_TYPE_DHX);
+   return dh_gen_init_base(provctx, selection, params, DH_FLAG_TYPE_DHX);
 }
 
 static int dh_gen_set_template(void *genctx, void *templ)
@@ -487,6 +494,9 @@ static int dh_gen_set_params(void *genctx, const OSSL_PARAM params[])
 
     if (gctx == NULL)
         return 0;
+    if (params == NULL)
+        return 1;
+
 
     p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_TYPE);
     if (p != NULL) {
diff --git a/providers/implementations/keymgmt/dsa_kmgmt.c b/providers/implementations/keymgmt/dsa_kmgmt.c
index 92ab579b66..e6e9a51397 100644
--- a/providers/implementations/keymgmt/dsa_kmgmt.c
+++ b/providers/implementations/keymgmt/dsa_kmgmt.c
@@ -365,7 +365,8 @@ static int dsa_validate(const void *keydata, int selection, int checktype)
     return ok;
 }
 
-static void *dsa_gen_init(void *provctx, int selection)
+static void *dsa_gen_init(void *provctx, int selection,
+                          const OSSL_PARAM params[])
 {
     OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(provctx);
     struct dsa_gen_ctx *gctx = NULL;
@@ -387,6 +388,10 @@ static void *dsa_gen_init(void *provctx, int selection)
         gctx->pcounter = -1;
         gctx->hindex = 0;
     }
+    if (!dsa_gen_set_params(gctx, params)) {
+        OPENSSL_free(gctx);
+        gctx = NULL;
+    }
     return gctx;
 }
 
@@ -423,6 +428,9 @@ static int dsa_gen_set_params(void *genctx, const OSSL_PARAM params[])
 
     if (gctx == NULL)
         return 0;
+    if (params == NULL)
+        return 1;
+
 
     p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_FFC_TYPE);
     if (p != NULL) {
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
index 92521b66ec..01e5983236 100644
--- a/providers/implementations/keymgmt/ec_kmgmt.c
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
@@ -774,6 +774,9 @@ int ec_set_params(void *key, const OSSL_PARAM params[])
 
     if (key == NULL)
         return 0;
+    if (params == NULL)
+        return 1;
+
 
     if (!ossl_ec_group_set_params((EC_GROUP *)EC_KEY_get0_group(key), params))
         return 0;
@@ -932,7 +935,8 @@ struct ec_gen_ctx {
     EC_GROUP *gen_group;
 };
 
-static void *ec_gen_init(void *provctx, int selection)
+static void *ec_gen_init(void *provctx, int selection,
+                         const OSSL_PARAM params[])
 {
     OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(provctx);
     struct ec_gen_ctx *gctx = NULL;
@@ -945,6 +949,10 @@ static void *ec_gen_init(void *provctx, int selection)
         gctx->selection = selection;
         gctx->ecdh_mode = 0;
     }
+    if (!ec_gen_set_params(gctx, params)) {
+        OPENSSL_free(gctx);
+        gctx = NULL;
+    }
     return gctx;
 }
 
diff --git a/providers/implementations/keymgmt/ecx_kmgmt.c b/providers/implementations/keymgmt/ecx_kmgmt.c
index 0adfd01173..8e47dfb03e 100644
--- a/providers/implementations/keymgmt/ecx_kmgmt.c
+++ b/providers/implementations/keymgmt/ecx_kmgmt.c
@@ -41,6 +41,8 @@ static OSSL_FUNC_keymgmt_gen_fn x448_gen;
 static OSSL_FUNC_keymgmt_gen_fn ed25519_gen;
 static OSSL_FUNC_keymgmt_gen_fn ed448_gen;
 static OSSL_FUNC_keymgmt_gen_cleanup_fn ecx_gen_cleanup;
+static OSSL_FUNC_keymgmt_gen_set_params_fn ecx_gen_set_params;
+static OSSL_FUNC_keymgmt_gen_settable_params_fn ecx_gen_settable_params;
 static OSSL_FUNC_keymgmt_load_fn ecx_load;
 static OSSL_FUNC_keymgmt_get_params_fn x25519_get_params;
 static OSSL_FUNC_keymgmt_get_params_fn x448_get_params;
@@ -373,6 +375,9 @@ static int ecx_set_params(void *key, const OSSL_PARAM params[])
     ECX_KEY *ecxkey = key;
     const OSSL_PARAM *p;
 
+    if (params == NULL)
+        return 1;
+
     p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY);
     if (p != NULL) {
         void *buf = ecxkey->pubkey;
@@ -445,7 +450,8 @@ static const OSSL_PARAM *ed448_settable_params(void *provctx)
     return ed_settable_params;
 }
 
-static void *ecx_gen_init(void *provctx, int selection, ECX_KEY_TYPE type)
+static void *ecx_gen_init(void *provctx, int selection,
+                          const OSSL_PARAM params[], ECX_KEY_TYPE type)
 {
     OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(provctx);
     struct ecx_gen_ctx *gctx = NULL;
@@ -458,27 +464,35 @@ static void *ecx_gen_init(void *provctx, int selection, ECX_KEY_TYPE type)
         gctx->type = type;
         gctx->selection = selection;
     }
+    if (!ecx_gen_set_params(gctx, params)) {
+        OPENSSL_free(gctx);
+        gctx = NULL;
+    }
     return gctx;
 }
 
-static void *x25519_gen_init(void *provctx, int selection)
+static void *x25519_gen_init(void *provctx, int selection,
+                             const OSSL_PARAM params[])
 {
-    return ecx_gen_init(provctx, selection, ECX_KEY_TYPE_X25519);
+    return ecx_gen_init(provctx, selection, params, ECX_KEY_TYPE_X25519);
 }
 
-static void *x448_gen_init(void *provctx, int selection)
+static void *x448_gen_init(void *provctx, int selection,
+                           const OSSL_PARAM params[])
 {
-    return ecx_gen_init(provctx, selection, ECX_KEY_TYPE_X448);
+    return ecx_gen_init(provctx, selection, params, ECX_KEY_TYPE_X448);
 }
 
-static void *ed25519_gen_init(void *provctx, int selection)
+static void *ed25519_gen_init(void *provctx, int selection,
+                              const OSSL_PARAM params[])
 {
-    return ecx_gen_init(provctx, selection, ECX_KEY_TYPE_ED25519);
+    return ecx_gen_init(provctx, selection, params, ECX_KEY_TYPE_ED25519);
 }
 
-static void *ed448_gen_init(void *provctx, int selection)
+static void *ed448_gen_init(void *provctx, int selection,
+                            const OSSL_PARAM params[])
 {
-    return ecx_gen_init(provctx, selection, ECX_KEY_TYPE_ED448);
+    return ecx_gen_init(provctx, selection, params, ECX_KEY_TYPE_ED448);
 }
 
 static int ecx_gen_set_params(void *genctx, const OSSL_PARAM params[])
diff --git a/providers/implementations/keymgmt/mac_legacy_kmgmt.c b/providers/implementations/keymgmt/mac_legacy_kmgmt.c
index 9d98d32fb2..9039816ee8 100644
--- a/providers/implementations/keymgmt/mac_legacy_kmgmt.c
+++ b/providers/implementations/keymgmt/mac_legacy_kmgmt.c
@@ -47,6 +47,7 @@ static OSSL_FUNC_keymgmt_new_fn mac_new_cmac;
 static OSSL_FUNC_keymgmt_gettable_params_fn cmac_gettable_params;
 static OSSL_FUNC_keymgmt_import_types_fn cmac_imexport_types;
 static OSSL_FUNC_keymgmt_export_types_fn cmac_imexport_types;
+static OSSL_FUNC_keymgmt_gen_init_fn cmac_gen_init;
 static OSSL_FUNC_keymgmt_gen_set_params_fn cmac_gen_set_params;
 static OSSL_FUNC_keymgmt_gen_settable_params_fn cmac_gen_settable_params;
 
@@ -371,7 +372,7 @@ static const OSSL_PARAM *mac_settable_params(void *provctx)
     return settable_params;
 }
 
-static void *mac_gen_init(void *provctx, int selection)
+static void *mac_gen_init_common(void *provctx, int selection)
 {
     OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(provctx);
     struct mac_gen_ctx *gctx = NULL;
@@ -386,6 +387,30 @@ static void *mac_gen_init(void *provctx, int selection)
     return gctx;
 }
 
+static void *mac_gen_init(void *provctx, int selection,
+                          const OSSL_PARAM params[])
+{
+    struct mac_gen_ctx *gctx = mac_gen_init_common(provctx, selection);
+
+    if (gctx != NULL && !mac_gen_set_params(gctx, params)) {
+        OPENSSL_free(gctx);
+        gctx = NULL;
+    }
+    return gctx;
+}
+
+static void *cmac_gen_init(void *provctx, int selection,
+                           const OSSL_PARAM params[])
+{
+    struct mac_gen_ctx *gctx = mac_gen_init_common(provctx, selection);
+
+    if (gctx != NULL && !cmac_gen_set_params(gctx, params)) {
+        OPENSSL_free(gctx);
+        gctx = NULL;
+    }
+    return gctx;
+}
+
 static int mac_gen_set_params(void *genctx, const OSSL_PARAM params[])
 {
     struct mac_gen_ctx *gctx = genctx;
@@ -535,7 +560,7 @@ const OSSL_DISPATCH ossl_cossl_mac_legacy_keymgmt_functions[] = {
     { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))cmac_imexport_types },
     { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))mac_export },
     { OSSL_FUNC_KEYMGMT_EXPORT_TYPES, (void (*)(void))cmac_imexport_types },
-    { OSSL_FUNC_KEYMGMT_GEN_INIT, (void (*)(void))mac_gen_init },
+    { OSSL_FUNC_KEYMGMT_GEN_INIT, (void (*)(void))cmac_gen_init },
     { OSSL_FUNC_KEYMGMT_GEN_SET_PARAMS, (void (*)(void))cmac_gen_set_params },
     { OSSL_FUNC_KEYMGMT_GEN_SETTABLE_PARAMS,
         (void (*)(void))cmac_gen_settable_params },
diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c
index ac8443a739..095c713aac 100644
--- a/providers/implementations/keymgmt/rsa_kmgmt.c
+++ b/providers/implementations/keymgmt/rsa_kmgmt.c
@@ -417,7 +417,8 @@ static int rsa_gencb(int p, int n, BN_GENCB *cb)
     return gctx->cb(params, gctx->cbarg);
 }
 
-static void *gen_init(void *provctx, int selection, int rsa_type)
+static void *gen_init(void *provctx, int selection, int rsa_type,
+                      const OSSL_PARAM params[])
 {
     OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(provctx);
     struct rsa_gen_ctx *gctx = NULL;
@@ -441,17 +442,23 @@ static void *gen_init(void *provctx, int selection, int rsa_type)
             gctx->rsa_type = rsa_type;
         }
     }
+    if (!rsa_gen_set_params(gctx, params)) {
+        OPENSSL_free(gctx);
+        gctx = NULL;
+    }
     return gctx;
 }
 
-static void *rsa_gen_init(void *provctx, int selection)
+static void *rsa_gen_init(void *provctx, int selection,
+                          const OSSL_PARAM params[])
 {
-    return gen_init(provctx, selection, RSA_FLAG_TYPE_RSA);
+    return gen_init(provctx, selection, RSA_FLAG_TYPE_RSA, params);
 }
 
-static void *rsapss_gen_init(void *provctx, int selection)
+static void *rsapss_gen_init(void *provctx, int selection,
+                             const OSSL_PARAM params[])
 {
-    return gen_init(provctx, selection, RSA_FLAG_TYPE_RSASSAPSS);
+    return gen_init(provctx, selection, RSA_FLAG_TYPE_RSASSAPSS, params);
 }
 
 /*
@@ -464,6 +471,9 @@ static int rsa_gen_set_params(void *genctx, const OSSL_PARAM params[])
     struct rsa_gen_ctx *gctx = genctx;
     const OSSL_PARAM *p;
 
+    if (params == NULL)
+        return 1;
+
     if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_BITS)) != NULL
         && !OSSL_PARAM_get_size_t(p, &gctx->nbits))
         return 0;
diff --git a/providers/implementations/macs/blake2_mac_impl.c b/providers/implementations/macs/blake2_mac_impl.c
index 35a162246e..e1ffa04bfd 100644
--- a/providers/implementations/macs/blake2_mac_impl.c
+++ b/providers/implementations/macs/blake2_mac_impl.c
@@ -185,6 +185,9 @@ static int blake2_mac_set_ctx_params(void *vmacctx, const OSSL_PARAM params[])
     struct blake2_mac_data_st *macctx = vmacctx;
     const OSSL_PARAM *p;
 
+    if (params == NULL)
+        return 1;
+
     if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_SIZE)) != NULL) {
         size_t size;
 
diff --git a/providers/implementations/macs/cmac_prov.c b/providers/implementations/macs/cmac_prov.c
index 9807799fe0..0795c245a7 100644
--- a/providers/implementations/macs/cmac_prov.c
+++ b/providers/implementations/macs/cmac_prov.c
@@ -184,6 +184,9 @@ static int cmac_set_ctx_params(void *vmacctx, const OSSL_PARAM params[])
     OSSL_LIB_CTX *ctx = PROV_LIBCTX_OF(macctx->provctx);
     const OSSL_PARAM *p;
 
+    if (params == NULL)
+        return 1;
+
     if (!ossl_prov_cipher_load_from_params(&macctx->cipher, params, ctx))
         return 0;
 
diff --git a/providers/implementations/macs/hmac_prov.c b/providers/implementations/macs/hmac_prov.c
index 7188232d7d..f291e574ca 100644
--- a/providers/implementations/macs/hmac_prov.c
+++ b/providers/implementations/macs/hmac_prov.c
@@ -294,6 +294,9 @@ static int hmac_set_ctx_params(void *vmacctx, const OSSL_PARAM params[])
     const OSSL_PARAM *p;
     int flags = 0;
 
+    if (params == NULL)
+        return 1;
+
     if (!ossl_prov_digest_load_from_params(&macctx->digest, params, ctx))
         return 0;
 
diff --git a/providers/implementations/macs/kmac_prov.c b/providers/implementations/macs/kmac_prov.c
index 361ff8e716..8735705f1b 100644
--- a/providers/implementations/macs/kmac_prov.c
+++ b/providers/implementations/macs/kmac_prov.c
@@ -379,6 +379,9 @@ static int kmac_set_ctx_params(void *vmacctx, const OSSL_PARAM *params)
     struct kmac_data_st *kctx = vmacctx;
     const OSSL_PARAM *p;
 
+    if (params == NULL)
+        return 1;
+
     if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_XOF)) != NULL
         && !OSSL_PARAM_get_int(p, &kctx->xof_mode))
         return 0;
diff --git a/providers/implementations/macs/siphash_prov.c b/providers/implementations/macs/siphash_prov.c
index 3f2e3267e0..0181d68ed1 100644
--- a/providers/implementations/macs/siphash_prov.c
+++ b/providers/implementations/macs/siphash_prov.c
@@ -195,6 +195,9 @@ static int siphash_set_params(void *vmacctx, const OSSL_PARAM *params)
     const OSSL_PARAM *p = NULL;
     size_t size;
 
+    if (params == NULL)
+        return 1;
+
     if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_SIZE)) != NULL) {
         if (!OSSL_PARAM_get_size_t(p, &size)
             || !SipHash_set_hash_size(&ctx->siphash, size))
diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c
index a05c9397c8..461d641273 100644
--- a/providers/implementations/rands/drbg.c
+++ b/providers/implementations/rands/drbg.c
@@ -915,6 +915,9 @@ int ossl_drbg_set_ctx_params(PROV_DRBG *drbg, const OSSL_PARAM params[])
 {
     const OSSL_PARAM *p;
 
+    if (params == NULL)
+        return 1;
+
     p = OSSL_PARAM_locate_const(params, OSSL_DRBG_PARAM_RESEED_REQUESTS);
     if (p != NULL && !OSSL_PARAM_get_uint(p, &drbg->reseed_interval))
         return 0;
diff --git a/providers/implementations/rands/test_rng.c b/providers/implementations/rands/test_rng.c
index 1335de8681..bdad7ac9ac 100644
--- a/providers/implementations/rands/test_rng.c
+++ b/providers/implementations/rands/test_rng.c
@@ -183,6 +183,9 @@ static int test_rng_set_ctx_params(void *vtest, const OSSL_PARAM params[])
     void *ptr = NULL;
     size_t size = 0;
 
+    if (params == NULL)
+        return 1;
+
     p = OSSL_PARAM_locate_const(params, OSSL_RAND_PARAM_STRENGTH);
     if (p != NULL && !OSSL_PARAM_get_uint(p, &t->strength))
         return 0;
diff --git a/providers/implementations/signature/dsa.c b/providers/implementations/signature/dsa.c
index 214238e7cc..88a8102cff 100644
--- a/providers/implementations/signature/dsa.c
+++ b/providers/implementations/signature/dsa.c
@@ -171,7 +171,8 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
     return 1;
 }
 
-static int dsa_signverify_init(void *vpdsactx, void *vdsa, int operation)
+static int dsa_signverify_init(void *vpdsactx, void *vdsa,
+                               const OSSL_PARAM params[], int operation)
 {
     PROV_DSA_CTX *pdsactx = (PROV_DSA_CTX *)vpdsactx;
 
@@ -183,6 +184,10 @@ static int dsa_signverify_init(void *vpdsactx, void *vdsa, int operation)
     DSA_free(pdsactx->dsa);
     pdsactx->dsa = vdsa;
     pdsactx->operation = operation;
+
+    if (!dsa_set_ctx_params(pdsactx, params))
+        return 0;
+
     if (!ossl_dsa_check_key(vdsa, operation == EVP_PKEY_OP_SIGN)) {
         ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
         return 0;
@@ -190,14 +195,15 @@ static int dsa_signverify_init(void *vpdsactx, void *vdsa, int operation)
     return 1;
 }
 
-static int dsa_sign_init(void *vpdsactx, void *vdsa)
+static int dsa_sign_init(void *vpdsactx, void *vdsa, const OSSL_PARAM params[])
 {
-    return dsa_signverify_init(vpdsactx, vdsa, EVP_PKEY_OP_SIGN);
+    return dsa_signverify_init(vpdsactx, vdsa, params, EVP_PKEY_OP_SIGN);
 }
 
-static int dsa_verify_init(void *vpdsactx, void *vdsa)
+static int dsa_verify_init(void *vpdsactx, void *vdsa,
+                           const OSSL_PARAM params[])
 {
-    return dsa_signverify_init(vpdsactx, vdsa, EVP_PKEY_OP_VERIFY);
+    return dsa_signverify_init(vpdsactx, vdsa, params, EVP_PKEY_OP_VERIFY);
 }
 
 static int dsa_sign(void *vpdsactx, unsigned char *sig, size_t *siglen,
@@ -244,7 +250,8 @@ static int dsa_verify(void *vpdsactx, const unsigned char *sig, size_t siglen,
 }
 
 static int dsa_digest_signverify_init(void *vpdsactx, const char *mdname,
-                                      void *vdsa, int operation)
+                                      void *vdsa, const OSSL_PARAM params[],
+                                      int operation)
 {
     PROV_DSA_CTX *pdsactx = (PROV_DSA_CTX *)vpdsactx;
 
@@ -252,7 +259,7 @@ static int dsa_digest_signverify_init(void *vpdsactx, const char *mdname,
         return 0;
 
     pdsactx->flag_allow_md = 0;
-    if (!dsa_signverify_init(vpdsactx, vdsa, operation))
+    if (!dsa_signverify_init(vpdsactx, vdsa, params, operation))
         return 0;
 
     if (!dsa_setup_md(pdsactx, mdname, NULL))
@@ -262,7 +269,7 @@ static int dsa_digest_signverify_init(void *vpdsactx, const char *mdname,
     if (pdsactx->mdctx == NULL)
         goto error;
 
-    if (!EVP_DigestInit_ex(pdsactx->mdctx, pdsactx->md, NULL))
+    if (!EVP_DigestInit_ex2(pdsactx->mdctx, pdsactx->md, params))
         goto error;
 
     return 1;
@@ -276,14 +283,17 @@ static int dsa_digest_signverify_init(void *vpdsactx, const char *mdname,
 }
 
 static int dsa_digest_sign_init(void *vpdsactx, const char *mdname,
-                                      void *vdsa)
+                                void *vdsa, const OSSL_PARAM params[])
 {
-    return dsa_digest_signverify_init(vpdsactx, mdname, vdsa, EVP_PKEY_OP_SIGN);
+    return dsa_digest_signverify_init(vpdsactx, mdname, vdsa, params,
+                                      EVP_PKEY_OP_SIGN);
 }
 
-static int dsa_digest_verify_init(void *vpdsactx, const char *mdname, void *vdsa)
+static int dsa_digest_verify_init(void *vpdsactx, const char *mdname,
+                                  void *vdsa, const OSSL_PARAM params[])
 {
-    return dsa_digest_signverify_init(vpdsactx, mdname, vdsa, EVP_PKEY_OP_VERIFY);
+    return dsa_digest_signverify_init(vpdsactx, mdname, vdsa, params,
+                                      EVP_PKEY_OP_VERIFY);
 }
 
 int dsa_digest_signverify_update(void *vpdsactx, const unsigned char *data,
@@ -413,7 +423,7 @@ static int dsa_get_ctx_params(void *vpdsactx, OSSL_PARAM *params)
     PROV_DSA_CTX *pdsactx = (PROV_DSA_CTX *)vpdsactx;
     OSSL_PARAM *p;
 
-    if (pdsactx == NULL || params == NULL)
+    if (pdsactx == NULL)
         return 0;
 
     p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
@@ -445,8 +455,10 @@ static int dsa_set_ctx_params(void *vpdsactx, const OSSL_PARAM params[])
     PROV_DSA_CTX *pdsactx = (PROV_DSA_CTX *)vpdsactx;
     const OSSL_PARAM *p;
 
-    if (pdsactx == NULL || params == NULL)
+    if (pdsactx == NULL)
         return 0;
+    if (params == NULL)
+        return 1;
 
     p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_DIGEST);
     /* Not allowed during certain operations */
diff --git a/providers/implementations/signature/ecdsa.c b/providers/implementations/signature/ecdsa.c
index 0e99cb2a5d..4f90032af3 100644
--- a/providers/implementations/signature/ecdsa.c
+++ b/providers/implementations/signature/ecdsa.c
@@ -125,7 +125,8 @@ static void *ecdsa_newctx(void *provctx, const char *propq)
     return ctx;
 }
 
-static int ecdsa_signverify_init(void *vctx, void *ec, int operation)
+static int ecdsa_signverify_init(void *vctx, void *ec,
+                                 const OSSL_PARAM params[], int operation)
 {
     PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
 
@@ -137,17 +138,19 @@ static int ecdsa_signverify_init(void *vctx, void *ec, int operation)
     EC_KEY_free(ctx->ec);
     ctx->ec = ec;
     ctx->operation = operation;
+    if (!ecdsa_set_ctx_params(ctx, params))
+        return 0;
     return ossl_ec_check_key(ec, operation == EVP_PKEY_OP_SIGN);
 }
 
-static int ecdsa_sign_init(void *vctx, void *ec)
+static int ecdsa_sign_init(void *vctx, void *ec, const OSSL_PARAM params[])
 {
-    return ecdsa_signverify_init(vctx, ec, EVP_PKEY_OP_SIGN);
+    return ecdsa_signverify_init(vctx, ec, params, EVP_PKEY_OP_SIGN);
 }
 
-static int ecdsa_verify_init(void *vctx, void *ec)
+static int ecdsa_verify_init(void *vctx, void *ec, const OSSL_PARAM params[])
 {
-    return ecdsa_signverify_init(vctx, ec, EVP_PKEY_OP_VERIFY);
+    return ecdsa_signverify_init(vctx, ec, params, EVP_PKEY_OP_VERIFY);
 }
 
 static int ecdsa_sign(void *vctx, unsigned char *sig, size_t *siglen,
@@ -251,7 +254,8 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
 }
 
 static int ecdsa_digest_signverify_init(void *vctx, const char *mdname,
-                                        void *ec, int operation)
+                                        void *ec, const OSSL_PARAM params[],
+                                        int operation)
 {
     PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
 
@@ -259,7 +263,7 @@ static int ecdsa_digest_signverify_init(void *vctx, const char *mdname,
         return 0;
 
     ctx->flag_allow_md = 0;
-    if (!ecdsa_signverify_init(vctx, ec, operation)
+    if (!ecdsa_signverify_init(vctx, ec, params, operation)
         || !ecdsa_setup_md(ctx, mdname, NULL))
         return 0;
 
@@ -267,7 +271,7 @@ static int ecdsa_digest_signverify_init(void *vctx, const char *mdname,
     if (ctx->mdctx == NULL)
         goto error;
 
-    if (!EVP_DigestInit_ex(ctx->mdctx, ctx->md, NULL))
+    if (!EVP_DigestInit_ex2(ctx->mdctx, ctx->md, params))
         goto error;
     return 1;
 error:
@@ -278,14 +282,18 @@ error:
     return 0;
 }
 
-static int ecdsa_digest_sign_init(void *vctx, const char *mdname, void *ec)
+static int ecdsa_digest_sign_init(void *vctx, const char *mdname, void *ec,
+                                  const OSSL_PARAM params[])
 {
-    return ecdsa_digest_signverify_init(vctx, mdname, ec, EVP_PKEY_OP_SIGN);
+    return ecdsa_digest_signverify_init(vctx, mdname, ec, params,
+                                        EVP_PKEY_OP_SIGN);
 }
 
-static int ecdsa_digest_verify_init(void *vctx, const char *mdname, void *ec)
+static int ecdsa_digest_verify_init(void *vctx, const char *mdname, void *ec,
+                                    const OSSL_PARAM params[])
 {
-    return ecdsa_digest_signverify_init(vctx, mdname, ec, EVP_PKEY_OP_VERIFY);
+    return ecdsa_digest_signverify_init(vctx, mdname, ec, params,
+                                        EVP_PKEY_OP_VERIFY);
 }
 
 int ecdsa_digest_signverify_update(void *vctx, const unsigned char *data,
@@ -406,7 +414,7 @@ static int ecdsa_get_ctx_params(void *vctx, OSSL_PARAM *params)
     PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
     OSSL_PARAM *p;
 
-    if (ctx == NULL || params == NULL)
+    if (ctx == NULL)
         return 0;
 
     p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
@@ -444,8 +452,10 @@ static int ecdsa_set_ctx_params(void *vctx, const OSSL_PARAM params[])
     PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx;
     const OSSL_PARAM *p;
 
-    if (ctx == NULL || params == NULL)
+    if (ctx == NULL)
         return 0;
+    if (params == NULL)
+        return 1;
 
 #if !defined(OPENSSL_NO_ACVP_TESTS)
     p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_KAT);
diff --git a/providers/implementations/signature/eddsa.c b/providers/implementations/signature/eddsa.c
index 0427d38241..221ccdd928 100644
--- a/providers/implementations/signature/eddsa.c
+++ b/providers/implementations/signature/eddsa.c
@@ -84,7 +84,8 @@ static void *eddsa_newctx(void *provctx, const char *propq_unused)
 }
 
 static int eddsa_digest_signverify_init(void *vpeddsactx, const char *mdname,
-                                        void *vedkey)
+                                        void *vedkey,
+                                        ossl_unused const OSSL_PARAM params[])
 {
     PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
     ECX_KEY *edkey = (ECX_KEY *)vedkey;
@@ -277,7 +278,7 @@ static int eddsa_get_ctx_params(void *vpeddsactx, OSSL_PARAM *params)
     PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx;
     OSSL_PARAM *p;
 
-    if (peddsactx == NULL || params == NULL)
+    if (peddsactx == NULL)
         return 0;
 
     p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
diff --git a/providers/implementations/signature/mac_legacy.c b/providers/implementations/signature/mac_legacy.c
index 81bf8f27a1..a8cc67b410 100644
--- a/providers/implementations/signature/mac_legacy.c
+++ b/providers/implementations/signature/mac_legacy.c
@@ -91,7 +91,8 @@ MAC_NEWCTX(siphash, "SIPHASH")
 MAC_NEWCTX(poly1305, "POLY1305")
 MAC_NEWCTX(cmac, "CMAC")
 
-static int mac_digest_sign_init(void *vpmacctx, const char *mdname, void *vkey)
+static int mac_digest_sign_init(void *vpmacctx, const char *mdname, void *vkey,
+                                const OSSL_PARAM params[])
 {
     PROV_MAC_CTX *pmacctx = (PROV_MAC_CTX *)vpmacctx;
     const char *ciphername = NULL, *engine = NULL;
@@ -121,7 +122,7 @@ static int mac_digest_sign_init(void *vpmacctx, const char *mdname, void *vkey)
         return 0;
 
     if (!EVP_MAC_init(pmacctx->macctx, pmacctx->key->priv_key,
-                      pmacctx->key->priv_key_len, NULL))
+                      pmacctx->key->priv_key_len, params))
         return 0;
 
     return 1;
diff --git a/providers/implementations/signature/rsa.c b/providers/implementations/signature/rsa.c
index d3189b0d1a..0df079dc79 100644
--- a/providers/implementations/signature/rsa.c
+++ b/providers/implementations/signature/rsa.c
@@ -357,7 +357,8 @@ static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname,
     return 1;
 }
 
-static int rsa_signverify_init(void *vprsactx, void *vrsa, int operation)
+static int rsa_signverify_init(void *vprsactx, void *vrsa,
+                               const OSSL_PARAM params[], int operation)
 {
     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
 
@@ -371,6 +372,9 @@ static int rsa_signverify_init(void *vprsactx, void *vrsa, int operation)
     prsactx->rsa = vrsa;
     prsactx->operation = operation;
 
+    if (!rsa_set_ctx_params(prsactx, params))
+        return 0;
+
     if (!ossl_rsa_check_key(vrsa, operation == EVP_PKEY_OP_SIGN)) {
         ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
         return 0;
@@ -468,11 +472,11 @@ static void free_tbuf(PROV_RSA_CTX *ctx)
     ctx->tbuf = NULL;
 }
 
-static int rsa_sign_init(void *vprsactx, void *vrsa)
+static int rsa_sign_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[])
 {
     if (!ossl_prov_is_running())
         return 0;
-    return rsa_signverify_init(vprsactx, vrsa, EVP_PKEY_OP_SIGN);
+    return rsa_signverify_init(vprsactx, vrsa, params, EVP_PKEY_OP_SIGN);
 }
 
 static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen,
@@ -621,11 +625,13 @@ static int rsa_sign(void *vprsactx, unsigned char *sig, size_t *siglen,
     return 1;
 }
 
-static int rsa_verify_recover_init(void *vprsactx, void *vrsa)
+static int rsa_verify_recover_init(void *vprsactx, void *vrsa,
+                                   const OSSL_PARAM params[])
 {
     if (!ossl_prov_is_running())
         return 0;
-    return rsa_signverify_init(vprsactx, vrsa, EVP_PKEY_OP_VERIFYRECOVER);
+    return rsa_signverify_init(vprsactx, vrsa, params,
+                               EVP_PKEY_OP_VERIFYRECOVER);
 }
 
 static int rsa_verify_recover(void *vprsactx,
@@ -712,11 +718,12 @@ static int rsa_verify_recover(void *vprsactx,
     return 1;
 }
 
-static int rsa_verify_init(void *vprsactx, void *vrsa)
+static int rsa_verify_init(void *vprsactx, void *vrsa,
+                           const OSSL_PARAM params[])
 {
     if (!ossl_prov_is_running())
         return 0;
-    return rsa_signverify_init(vprsactx, vrsa, EVP_PKEY_OP_VERIFY);
+    return rsa_signverify_init(vprsactx, vrsa, params, EVP_PKEY_OP_VERIFY);
 }
 
 static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen,
@@ -801,7 +808,8 @@ static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen,
 }
 
 static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,
-                                      void *vrsa, int operation)
+                                      void *vrsa, const OSSL_PARAM params[],
+                                      int operation)
 {
     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
 
@@ -810,7 +818,7 @@ static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,
 
     if (prsactx != NULL)
         prsactx->flag_allow_md = 0;
-    if (!rsa_signverify_init(vprsactx, vrsa, operation))
+    if (!rsa_signverify_init(vprsactx, vrsa, params, operation))
         return 0;
     if (mdname != NULL
         /* was rsa_setup_md already called in rsa_signverify_init()? */
@@ -824,7 +832,7 @@ static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,
         goto error;
     }
 
-    if (!EVP_DigestInit_ex(prsactx->mdctx, prsactx->md, NULL))
+    if (!EVP_DigestInit_ex2(prsactx->mdctx, prsactx->md, params))
         goto error;
 
     return 1;
@@ -850,12 +858,12 @@ static int rsa_digest_signverify_update(void *vprsactx,
 }
 
 static int rsa_digest_sign_init(void *vprsactx, const char *mdname,
-                                void *vrsa)
+                                void *vrsa, const OSSL_PARAM params[])
 {
     if (!ossl_prov_is_running())
         return 0;
     return rsa_digest_signverify_init(vprsactx, mdname, vrsa,
-                                      EVP_PKEY_OP_SIGN);
+                                      params, EVP_PKEY_OP_SIGN);
 }
 
 static int rsa_digest_sign_final(void *vprsactx, unsigned char *sig,
@@ -887,12 +895,12 @@ static int rsa_digest_sign_final(void *vprsactx, unsigned char *sig,
 }
 
 static int rsa_digest_verify_init(void *vprsactx, const char *mdname,
-                                  void *vrsa)
+                                  void *vrsa, const OSSL_PARAM params[])
 {
     if (!ossl_prov_is_running())
         return 0;
     return rsa_digest_signverify_init(vprsactx, mdname, vrsa,
-                                      EVP_PKEY_OP_VERIFY);
+                                      params, EVP_PKEY_OP_VERIFY);
 }
 
 int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig,
@@ -995,7 +1003,7 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
     OSSL_PARAM *p;
 
-    if (prsactx == NULL || params == NULL)
+    if (prsactx == NULL)
         return 0;
 
     p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
@@ -1114,8 +1122,11 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
     char mgf1mdname[OSSL_MAX_NAME_SIZE] = "", *pmgf1mdname = NULL;
     char mgf1mdprops[OSSL_MAX_PROPQUERY_SIZE] = "", *pmgf1mdprops = NULL;
 
-    if (prsactx == NULL || params == NULL)
+    if (prsactx == NULL)
         return 0;
+    if (params == NULL)
+        return 1;
+
     pad_mode = prsactx->pad_mode;
     saltlen = prsactx->saltlen;
 
diff --git a/providers/implementations/signature/sm2sig.c b/providers/implementations/signature/sm2sig.c
index 5463b000e0..4201e825b1 100644
--- a/providers/implementations/signature/sm2sig.c
+++ b/providers/implementations/signature/sm2sig.c
@@ -113,7 +113,8 @@ static void *sm2sig_newctx(void *provctx, const char *propq)
     return ctx;
 }
 
-static int sm2sig_signature_init(void *vpsm2ctx, void *ec)
+static int sm2sig_signature_init(void *vpsm2ctx, void *ec,
+                                 const OSSL_PARAM params[])
 {
     PROV_SM2_CTX *psm2ctx = (PROV_SM2_CTX *)vpsm2ctx;
 
@@ -121,7 +122,7 @@ static int sm2sig_signature_init(void *vpsm2ctx, void *ec)
         return 0;
     EC_KEY_free(psm2ctx->ec);
     psm2ctx->ec = ec;
-    return 1;
+    return sm2sig_set_ctx_params(psm2ctx, params);
 }
 
 static int sm2sig_sign(void *vpsm2ctx, unsigned char *sig, size_t *siglen,
@@ -173,7 +174,7 @@ static void free_md(PROV_SM2_CTX *ctx)
 }
 
 static int sm2sig_digest_signverify_init(void *vpsm2ctx, const char *mdname,
-                                         void *ec)
+                                         void *ec, const OSSL_PARAM params[])
 {
     PROV_SM2_CTX *ctx = (PROV_SM2_CTX *)vpsm2ctx;
     int md_nid = NID_sm3;
@@ -182,7 +183,7 @@ static int sm2sig_digest_signverify_init(void *vpsm2ctx, const char *mdname,
 
     free_md(ctx);
 
-    if (!sm2sig_signature_init(vpsm2ctx, ec))
+    if (!sm2sig_signature_init(vpsm2ctx, ec, params))
         return ret;
 
     ctx->md = EVP_MD_fetch(ctx->libctx, mdname, ctx->propq);
@@ -207,7 +208,7 @@ static int sm2sig_digest_signverify_init(void *vpsm2ctx, const char *mdname,
     }
     WPACKET_cleanup(&pkt);
 
-    if (!EVP_DigestInit_ex(ctx->mdctx, ctx->md, NULL))
+    if (!EVP_DigestInit_ex2(ctx->mdctx, ctx->md, params))
         goto error;
 
     ctx->flag_compute_z_digest = 1;
@@ -353,7 +354,7 @@ static int sm2sig_get_ctx_params(void *vpsm2ctx, OSSL_PARAM *params)
     PROV_SM2_CTX *psm2ctx = (PROV_SM2_CTX *)vpsm2ctx;
     OSSL_PARAM *p;
 
-    if (psm2ctx == NULL || params == NULL)
+    if (psm2ctx == NULL)
         return 0;
 
     p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_ALGORITHM_ID);
@@ -393,8 +394,10 @@ static int sm2sig_set_ctx_params(void *vpsm2ctx, const OSSL_PARAM params[])
     const OSSL_PARAM *p;
     char *mdname;
 
-    if (psm2ctx == NULL || params == NULL)
+    if (psm2ctx == NULL)
         return 0;
+    if (params == NULL)
+        return 1;
 
     p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DIST_ID);
     if (p != NULL) {
diff --git a/providers/implementations/storemgmt/file_store.c b/providers/implementations/storemgmt/file_store.c
index 1ea820e2a4..f4ac6e0c83 100644
--- a/providers/implementations/storemgmt/file_store.c
+++ b/providers/implementations/storemgmt/file_store.c
@@ -326,6 +326,9 @@ static int file_set_ctx_params(void *loaderctx, const OSSL_PARAM params[])
     struct file_ctx_st *ctx = loaderctx;
     const OSSL_PARAM *p;
 
+    if (params == NULL)
+        return 1;
+
     p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_PROPERTIES);
     if (p != NULL) {
         OPENSSL_free(ctx->_.file.propq);
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 8eb0f7c864..19ae6d9a28 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -4827,7 +4827,7 @@ int ssl_decapsulate(SSL *s, EVP_PKEY *privkey,
 
     pctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, privkey, s->ctx->propq);
 
-    if (EVP_PKEY_decapsulate_init(pctx) <= 0
+    if (EVP_PKEY_decapsulate_init(pctx, NULL) <= 0
             || EVP_PKEY_decapsulate(pctx, NULL, &pmslen, ct, ctlen) <= 0) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
         goto err;
@@ -4877,7 +4877,7 @@ int ssl_encapsulate(SSL *s, EVP_PKEY *pubkey,
 
     pctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, pubkey, s->ctx->propq);
 
-    if (EVP_PKEY_encapsulate_init(pctx) <= 0
+    if (EVP_PKEY_encapsulate_init(pctx, NULL) <= 0
             || EVP_PKEY_encapsulate(pctx, NULL, &ctlen, NULL, &pmslen) <= 0
             || pmslen == 0 || ctlen == 0) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 13e5f5a8e5..5e21ff8593 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -1570,7 +1570,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
 
     bindersize = hashsize;
     if (EVP_DigestSignInit_ex(mctx, NULL, EVP_MD_name(md), s->ctx->libctx,
-                              s->ctx->propq, mackey) <= 0
+                              s->ctx->propq, mackey, NULL) <= 0
             || EVP_DigestSignUpdate(mctx, hash, hashsize) <= 0
             || EVP_DigestSignFinal(mctx, binderout, &bindersize) <= 0
             || bindersize != hashsize) {
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 28fb039424..8462a67c1a 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -734,7 +734,7 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
 
     hmaclen = SHA256_DIGEST_LENGTH;
     if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->libctx,
-                              s->ctx->propq, pkey) <= 0
+                              s->ctx->propq, pkey, NULL) <= 0
             || EVP_DigestSign(hctx, hmac, &hmaclen, data,
                               rawlen - SHA256_DIGEST_LENGTH) <= 0
             || hmaclen != SHA256_DIGEST_LENGTH) {
@@ -1796,7 +1796,7 @@ EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
     }
 
     if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->libctx,
-                              s->ctx->propq, pkey) <= 0
+                              s->ctx->propq, pkey, NULL) <= 0
             || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
                               totcookielen) <= 0) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index e5a255d75d..c60b259e1f 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2272,7 +2272,8 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
 
         if (EVP_DigestVerifyInit_ex(md_ctx, &pctx,
                                     md == NULL ? NULL : EVP_MD_name(md),
-                                    s->ctx->libctx, s->ctx->propq, pkey) <= 0) {
+                                    s->ctx->libctx, s->ctx->propq, pkey,
+                                    NULL) <= 0) {
             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
             goto err;
         }
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index a7ed843aa4..800a957ab2 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -310,7 +310,8 @@ int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
     }
 
     if (EVP_DigestSignInit_ex(mctx, &pctx, md == NULL ? NULL : EVP_MD_name(md),
-                              s->ctx->libctx, s->ctx->propq, pkey) <= 0) {
+                              s->ctx->libctx, s->ctx->propq, pkey,
+                              NULL) <= 0) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
         goto err;
     }
@@ -487,7 +488,8 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
 
     if (EVP_DigestVerifyInit_ex(mctx, &pctx,
                                 md == NULL ? NULL : EVP_MD_name(md),
-                                s->ctx->libctx, s->ctx->propq, pkey) <= 0) {
+                                s->ctx->libctx, s->ctx->propq, pkey,
+                                NULL) <= 0) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
         goto err;
     }
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index d1138e45d5..4c2ca4e6e5 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2672,7 +2672,8 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
 
         if (EVP_DigestSignInit_ex(md_ctx, &pctx,
                                   md == NULL ? NULL : EVP_MD_name(md),
-                                  s->ctx->libctx, s->ctx->propq, pkey) <= 0) {
+                                  s->ctx->libctx, s->ctx->propq, pkey,
+                                  NULL) <= 0) {
             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
             goto err;
         }
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index bb0ee0c5d4..e45fdea0cb 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -378,7 +378,8 @@ int tls1_change_cipher_state(SSL *s, int which)
         }
         if (mac_key == NULL
             || EVP_DigestSignInit_ex(mac_ctx, NULL, EVP_MD_name(m),
-                                     s->ctx->libctx, s->ctx->propq, mac_key) <= 0) {
+                                     s->ctx->libctx, s->ctx->propq, mac_key,
+                                     NULL) <= 0) {
             EVP_PKEY_free(mac_key);
             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
             goto err;
diff --git a/test/acvp_test.c b/test/acvp_test.c
index dab75a8a13..02ef638ddd 100644
--- a/test/acvp_test.c
+++ b/test/acvp_test.c
@@ -97,7 +97,7 @@ static int sig_gen(EVP_PKEY *pkey, OSSL_PARAM *params, const char *digest_name,
     if (!TEST_ptr(sig = OPENSSL_malloc(sz))
         || !TEST_ptr(md_ctx = EVP_MD_CTX_new())
         || !TEST_int_eq(EVP_DigestSignInit_ex(md_ctx, NULL, digest_name, libctx,
-                                              NULL, pkey), 1)
+                                              NULL, pkey, NULL), 1)
         || !TEST_int_gt(EVP_DigestSign(md_ctx, sig, &sig_len, msg, msg_len), 0))
         goto err;
     *sig_out = sig;
@@ -306,7 +306,7 @@ static int ecdsa_sigver_test(int id)
     ret = TEST_int_gt((sig_len = i2d_ECDSA_SIG(sign, &sig)), 0)
           && TEST_ptr(md_ctx = EVP_MD_CTX_new())
           && TEST_true(EVP_DigestVerifyInit_ex(md_ctx, NULL, tst->digest_alg,
-                                               libctx, NULL, pkey)
+                                               libctx, NULL, pkey, NULL)
           && TEST_int_eq(EVP_DigestVerify(md_ctx, sig, sig_len,
                                           tst->msg, tst->msg_len), tst->pass));
 err:
@@ -1249,7 +1249,7 @@ static int rsa_sigver_test(int id)
         || !TEST_ptr(md_ctx = EVP_MD_CTX_new())
         || !TEST_true(EVP_DigestVerifyInit_ex(md_ctx, &pkey_ctx,
                                               tst->digest_alg, libctx, NULL,
-                                              pkey)
+                                              pkey, NULL)
         || !TEST_true(EVP_PKEY_CTX_set_params(pkey_ctx, params))
         || !TEST_int_eq(EVP_DigestVerify(md_ctx, tst->sig, tst->sig_len,
                                          tst->msg, tst->msg_len), tst->pass)))
diff --git a/test/algorithmid_test.c b/test/algorithmid_test.c
index b1b579b40d..ae7a49f54b 100644
--- a/test/algorithmid_test.c
+++ b/test/algorithmid_test.c
@@ -162,7 +162,7 @@ static int test_x509_sig_aid(X509 *eecert, const char *ee_filename,
     if (!TEST_ptr(mdctx = EVP_MD_CTX_new())
         || !TEST_true(EVP_DigestVerifyInit_ex(mdctx, &pctx,
                                               OBJ_nid2sn(dig_nid),
-                                              NULL, NULL, pkey))) {
+                                              NULL, NULL, pkey, NULL))) {
         TEST_info("Couldn't initialize a DigestVerify operation with "
                   "pkey type %s and hash type %s",
                   OBJ_nid2sn(pkey_nid), OBJ_nid2sn(dig_nid));
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index 62840d0d19..acba9819e6 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -1888,7 +1888,7 @@ static int test_EVP_PKEY_CTX_get_set_params(EVP_PKEY *pkey)
     mdctx = EVP_MD_CTX_new();
     if (!TEST_ptr(mdctx)
         || !TEST_true(EVP_DigestSignInit_ex(mdctx, NULL, "SHA1", NULL, NULL,
-                                            pkey)))
+                                            pkey, NULL)))
         goto err;
 
     /*
diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
index bd0ddb7371..f5d652ebc0 100644
--- a/test/evp_libctx_test.c
+++ b/test/evp_libctx_test.c
@@ -506,7 +506,7 @@ static int kem_rsa_gen_recover(void)
 
     ret = TEST_true(rsa_keygen(2048, &pub, &priv))
           && TEST_ptr(sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pub, NULL))
-          && TEST_int_eq(EVP_PKEY_encapsulate_init(sctx), 1)
+          && TEST_int_eq(EVP_PKEY_encapsulate_init(sctx, NULL), 1)
           && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(sctx, "RSASVE"), 1)
           && TEST_int_eq(EVP_PKEY_encapsulate(sctx, NULL, &ctlen, NULL,
                                               &secretlen), 1)
@@ -515,7 +515,7 @@ static int kem_rsa_gen_recover(void)
           && TEST_int_eq(EVP_PKEY_encapsulate(sctx, ct, &ctlen, secret,
                                               &secretlen), 1)
           && TEST_ptr(rctx = EVP_PKEY_CTX_new_from_pkey(libctx, priv, NULL))
-          && TEST_int_eq(EVP_PKEY_decapsulate_init(rctx), 1)
+          && TEST_int_eq(EVP_PKEY_decapsulate_init(rctx, NULL), 1)
           && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(rctx, "RSASVE"), 1)
           && TEST_int_eq(EVP_PKEY_decapsulate(rctx, NULL, &unwraplen,
                                               ct, ctlen), 1)
@@ -545,21 +545,21 @@ static int kem_rsa_params(void)
           /* Test setting kem op before the init fails */
           && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), -2)
           /* Test NULL ctx passed */
-          && TEST_int_eq(EVP_PKEY_encapsulate_init(NULL), 0)
+          && TEST_int_eq(EVP_PKEY_encapsulate_init(NULL, NULL), 0)
           && TEST_int_eq(EVP_PKEY_encapsulate(NULL, NULL, NULL, NULL, NULL), 0)
-          && TEST_int_eq(EVP_PKEY_decapsulate_init(NULL), 0)
+          && TEST_int_eq(EVP_PKEY_decapsulate_init(NULL, NULL), 0)
           && TEST_int_eq(EVP_PKEY_decapsulate(NULL, NULL, NULL, NULL, 0), 0)
           /* Test Invalid operation */
           && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, NULL, NULL, NULL, NULL), -1)
           && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, NULL, NULL, 0), 0)
           /* Wrong key component - no secret should be returned on failure */
-          && TEST_int_eq(EVP_PKEY_decapsulate_init(pubctx), 1)
+          && TEST_int_eq(EVP_PKEY_decapsulate_init(pubctx, NULL), 1)
           && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSASVE"), 1)
           && TEST_int_eq(EVP_PKEY_decapsulate(pubctx, secret, &secretlen, ct,
                                               sizeof(ct)), 0)
           && TEST_uchar_eq(secret[0], 0)
           /* Test encapsulate fails if the mode is not set */
-          && TEST_int_eq(EVP_PKEY_encapsulate_init(pubctx), 1)
+          && TEST_int_eq(EVP_PKEY_encapsulate_init(pubctx, NULL), 1)
           && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, &ctlen, secret, &secretlen), -2)
           /* Test setting a bad kem ops fail */
           && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(pubctx, "RSA"), 0)
@@ -583,7 +583,7 @@ static int kem_rsa_params(void)
           /* Test that lengths are optional if ct is not NULL */
           && TEST_int_eq(EVP_PKEY_encapsulate(pubctx, ct, NULL, secret, NULL), 1)
           /* Pass if secret or secret length are not NULL */
-          && TEST_int_eq(EVP_PKEY_decapsulate_init(privctx), 1)
+          && TEST_int_eq(EVP_PKEY_decapsulate_init(privctx, NULL), 1)
           && TEST_int_eq(EVP_PKEY_CTX_set_kem_op(privctx, "RSASVE"), 1)
           && TEST_int_eq(EVP_PKEY_decapsulate(privctx, secret, NULL, ct, sizeof(ct)), 1)
           && TEST_int_eq(EVP_PKEY_decapsulate(privctx, NULL, &secretlen, ct, sizeof(ct)), 1)
@@ -633,7 +633,7 @@ static int kem_invalid_keytype(void)
 
     if (!TEST_ptr(sctx = EVP_PKEY_CTX_new_from_pkey(libctx, key, NULL)))
         goto done;
-    if (!TEST_int_eq(EVP_PKEY_encapsulate_init(sctx), -2))
+    if (!TEST_int_eq(EVP_PKEY_encapsulate_init(sctx, NULL), -2))
         goto done;
 
     ret = 1;
diff --git a/test/evp_test.c b/test/evp_test.c
index d781ecadce..bd32ad5c7b 100644
--- a/test/evp_test.c
+++ b/test/evp_test.c
@@ -1199,7 +1199,7 @@ static int mac_test_run_pkey(EVP_TEST *t)
         t->err = "INTERNAL_ERROR";
         goto err;
     }
-    if (!EVP_DigestSignInit_ex(mctx, &pctx, mdname, libctx, NULL, key)) {
+    if (!EVP_DigestSignInit_ex(mctx, &pctx, mdname, libctx, NULL, key, NULL)) {
         t->err = "DIGESTSIGNINIT_ERROR";
         goto err;
     }
@@ -2898,12 +2898,12 @@ static int digestsigver_test_parse(EVP_TEST *t,
         }
         if (mdata->is_verify) {
             if (!EVP_DigestVerifyInit_ex(mdata->ctx, &mdata->pctx, name, libctx,
-                                         NULL, pkey))
+                                         NULL, pkey, NULL))
                 t->err = "DIGESTVERIFYINIT_ERROR";
             return 1;
         }
         if (!EVP_DigestSignInit_ex(mdata->ctx, &mdata->pctx, name, libctx, NULL,
-                                   pkey))
+                                   pkey, NULL))
             t->err = "DIGESTSIGNINIT_ERROR";
         return 1;
     }
diff --git a/test/tls-provider.c b/test/tls-provider.c
index 03e2ae1f0e..1085273a32 100644
--- a/test/tls-provider.c
+++ b/test/tls-provider.c
@@ -202,7 +202,8 @@ static void *xor_newctx(void *provctx)
     return pxorctx;
 }
 
-static int xor_init(void *vpxorctx, void *vkey)
+static int xor_init(void *vpxorctx, void *vkey,
+                    ossl_unused const OSSL_PARAM params[])
 {
     PROV_XOR_CTX *pxorctx = (PROV_XOR_CTX *)vpxorctx;
 
@@ -317,7 +318,7 @@ static int xor_encapsulate(void *vpxorctx,
     }
 
     /* 1. Generate keypair */
-    genctx = xor_gen_init(pxorctx->provctx, OSSL_KEYMGMT_SELECT_KEYPAIR);
+    genctx = xor_gen_init(pxorctx->provctx, OSSL_KEYMGMT_SELECT_KEYPAIR, NULL);
     if (genctx == NULL)
         goto end;
     ourkey = xor_gen(genctx, NULL, NULL);
@@ -331,7 +332,7 @@ static int xor_encapsulate(void *vpxorctx,
     /* 3. Derive ss via KEX */
     derivectx = xor_newctx(pxorctx->provctx);
     if (derivectx == NULL
-            || !xor_init(derivectx, ourkey)
+            || !xor_init(derivectx, ourkey, NULL)
             || !xor_set_peer(derivectx, pxorctx->key)
             || !xor_derive(derivectx, ss, sslen, XOR_KEY_SIZE))
         goto end;
@@ -378,7 +379,7 @@ static int xor_decapsulate(void *vpxorctx,
     /* Derive ss via KEX */
     derivectx = xor_newctx(pxorctx->provctx);
     if (derivectx == NULL
-            || !xor_init(derivectx, pxorctx->key)
+            || !xor_init(derivectx, pxorctx->key, NULL)
             || !xor_set_peer(derivectx, peerkey)
             || !xor_derive(derivectx, ss, sslen, XOR_KEY_SIZE))
         goto end;
@@ -537,7 +538,8 @@ struct xor_gen_ctx {
     OSSL_LIB_CTX *libctx;
 };
 
-static void *xor_gen_init(void *provctx, int selection)
+static void *xor_gen_init(void *provctx, int selection,
+                          const OSSL_PARAM params[])
 {
     struct xor_gen_ctx *gctx = NULL;
 
@@ -551,6 +553,10 @@ static void *xor_gen_init(void *provctx, int selection)
     /* Our provctx is really just an OSSL_LIB_CTX */
     gctx->libctx = (OSSL_LIB_CTX *)provctx;
 
+    if (!xor_gen_set_params(gctx, params)) {
+        OPENSSL_free(gctx);
+        return NULL;
+    }
     return gctx;
 }
 
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 2ca427c63b..bfd44c2325 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5314,3 +5314,13 @@ EVP_RAND_CTX_settable_params            ?	3_0_0	EXIST::FUNCTION:
 RAND_set_DRBG_type                      ?	3_0_0	EXIST::FUNCTION:
 RAND_set_seed_source_type               ?	3_0_0	EXIST::FUNCTION:
 BIO_f_readbuffer                        ?	3_0_0	EXIST::FUNCTION:
+EVP_DigestInit_ex2                      ?	3_0_0	EXIST::FUNCTION:
+EVP_EncryptInit_ex2                     ?	3_0_0	EXIST::FUNCTION:
+EVP_DecryptInit_ex2                     ?	3_0_0	EXIST::FUNCTION:
+EVP_CipherInit_ex2                      ?	3_0_0	EXIST::FUNCTION:
+EVP_PKEY_sign_init_ex                   ?	3_0_0	EXIST::FUNCTION:
+EVP_PKEY_verify_init_ex                 ?	3_0_0	EXIST::FUNCTION:
+EVP_PKEY_verify_recover_init_ex         ?	3_0_0	EXIST::FUNCTION:
+EVP_PKEY_encrypt_init_ex                ?	3_0_0	EXIST::FUNCTION:
+EVP_PKEY_decrypt_init_ex                ?	3_0_0	EXIST::FUNCTION:
+EVP_PKEY_derive_init_ex                 ?	3_0_0	EXIST::FUNCTION:


More information about the openssl-commits mailing list