From daf0430199b7672088648249de2385221bd9ebf9 Mon Sep 17 00:00:00 2001 From: Anderson Toshiyuki Sasaki Date: Mon, 27 Apr 2020 17:55:03 +0200 Subject: [PATCH] Set RSA_FLAG_FIPS_METHOD for RSA methods This makes the engine to set the flag regardless of the used device. It is the user responsibility to ensure the device is FIPS-140-2 certified. Resolves: rhbz#1827535 Signed-off-by: Anderson Toshiyuki Sasaki --- openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch | 11 +++++++++++ openssl-pkcs11.spec | 6 +++++- 2 files changed, 16 insertions(+), 1 deletion(-) create mode 100644 openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch diff --git a/openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch b/openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch new file mode 100644 index 0000000..8abbb38 --- /dev/null +++ b/openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch @@ -0,0 +1,11 @@ +--- a/src/p11_rsa.c 2019-04-03 21:58:18.000000000 +0200 ++++ b/src/p11_rsa.c 2019-11-28 15:46:18.898258545 +0100 +@@ -478,7 +478,7 @@ + if (ops == NULL) + return NULL; + RSA_meth_set1_name(ops, "libp11 RSA method"); +- RSA_meth_set_flags(ops, 0); ++ RSA_meth_set_flags(ops, RSA_FLAG_FIPS_METHOD); + RSA_meth_set_priv_enc(ops, pkcs11_rsa_priv_enc_method); + RSA_meth_set_priv_dec(ops, pkcs11_rsa_priv_dec_method); + RSA_meth_set_finish(ops, pkcs11_rsa_free_method); diff --git a/openssl-pkcs11.spec b/openssl-pkcs11.spec index 2d5c16e..2b60fa1 100644 --- a/openssl-pkcs11.spec +++ b/openssl-pkcs11.spec @@ -1,5 +1,5 @@ Version: 0.4.10 -Release: 5%{?dist} +Release: 6%{?dist} # Define the directory where the OpenSSL engines are installed %global enginesdir %{_libdir}/engines-1.1 
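Review bot: The new `RSA_meth_set_flags(ops, RSA_FLAG_FIPS_METHOD);` line in the p11_rsa.c hunk claims FIPS capability for the libp11 RSA method unconditionally, and the code carries no comment saying so. The engine cannot tell whether the loaded PKCS#11 module is validated, so with OpenSSL in FIPS mode a software token or an uncertified device would presumably be accepted for private-key operations just like a certified one. The commit message says that ensuring certification is the user's responsibility, but that caveat appears only there. I would put it beside the call, e.g. `/* Flag set regardless of token: the engine cannot verify validation status; the operator must ensure the PKCS#11 device is FIPS 140-2 certified. */`, and repeat it in the package description or engine documentation so that operators can audit which modules are configured. The enclosing function starts and ends outside this hunk, so whether any other path resets the method flags cannot be confirmed from here.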
@@ -15,6 +15,7 @@ Patch0: openssl-pkcs11-0.4.10-various-bug-fixes.patch Patch1: openssl-pkcs11-0.4.10-search-objects-in-all-matching-tokens.patch Patch2: openssl-pkcs11-0.4.10-add-support-pin-source.patch Patch3: openssl-pkcs11-0.4.10-set-rsa-flag-ext-pkey.patch +Patch4: openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch BuildRequires: autoconf automake libtool BuildRequires: openssl-devel @@ -114,6 +115,9 @@ make check %{?_smp_mflags} || if [ $? -ne 0 ]; then cat tests/*.log; exit 1; fi; %endif %changelog +* Mon Apr 27 2020 Anderson Sasaki - 0.4.10-6 +- Set RSA_FLAG_FIPS_METHOD for RSA methods (#1827535) + * Mon Feb 03 2020 James Cassell - 0.4.10-5 - minimization: depend on openssl-libs rather than openssl