From 6f705ebb1bc6622e13d4b0b478b95c520cab366a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
Date: Thu, 14 Nov 2024 14:35:25 +0100
Subject: [PATCH] Change expected test failures in FIPS mode

Resolves: RHEL-64698
---
 opensc.spec | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/opensc.spec b/opensc.spec
index d2f827e..d4ce50a 100644
--- a/opensc.spec
+++ b/opensc.spec
@@ -60,11 +60,18 @@ every software/card that does so, too.
 %patch 8 -p1 -b .file-cache
 %patch 9 -p1 -b .sast
 
-# The test-pkcs11-tool-allowed-mechanisms already works in Fedora
-sed -i -e '/XFAIL_TESTS/,$ {
-  s/XFAIL_TESTS.*/XFAIL_TESTS=test-pkcs11-tool-test-threads.sh test-pkcs11-tool-test.sh/
+XFAIL_TESTS="test-pkcs11-tool-test-threads.sh test-pkcs11-tool-test.sh"
+ 
+# In FIPS mode, OpenSSL doesn't allow RSA-PKCS, this is hardcoded into OpenSSL
+# and we cannot influence it. Hence, the test is expected to fail in FIPS mode.
+if [[ -f "/proc/sys/crypto/fips_enabled" && $(cat /proc/sys/crypto/fips_enabled) == "1" ]]; then
+	XFAIL_TESTS+=" test-pkcs11-tool-unwrap-wrap-test.sh test-p11test.sh"
+fi
+ 
+sed -i -e "/XFAIL_TESTS/,$ {
+  s/XFAIL_TESTS.*/XFAIL_TESTS=$XFAIL_TESTS/
   q
-}' tests/Makefile.am
+}" tests/Makefile.am
 
 
 cp -p src/pkcs15init/README ./README.pkcs15init