From e63c4b68b2e090c80421601062fbdc04eb803fcd Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy
Date: Thu, 13 Jan 2022 13:35:22 +0100
Subject: [PATCH] Update spec file, remove fipsmodule.cnf

Related: rhbz#2026445
---
 openssl.spec | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/openssl.spec b/openssl.spec
index 728072c..dac2042 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -15,7 +15,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.0
-Release: 6%{?dist}
+Release: 7%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -67,6 +67,10 @@ Patch33: 0033-FIPS-embed-hmac.patch
 Patch34: 0034.fipsinstall_disable.patch
 # Skip unavailable algorithms running `openssl speed`
 Patch35: 0035-speed-skip-unavailable-dgst.patch
+# Minimize fips services
+Patch45: 0045-FIPS-services-minimize.patch
+# Enable SHA1 HMAC in FIPS mode
+Patch46: 0046-FIPS-permitsha1-hmac.patch
 # Tmp: coverity
 Patch100: 0100-coverity.patch
@@ -310,9 +314,8 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf
 rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist
 rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
-%ifarch i686
+#we don't use native fipsmodule.cnf because FIPS module is loaded automatically
 rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/fipsmodule.cnf
-%endif
 # Determine which arch opensslconf.h is going to try to #include.
 basearch=%{_arch}
@@ -374,9 +377,6 @@ install -m644 %{SOURCE9} \
 %{_libdir}/libssl.so.%{soversion}
 %attr(0755,root,root) %{_libdir}/engines-%{soversion}
 %attr(0755,root,root) %{_libdir}/ossl-modules
-%ifnarch i686
-%config(noreplace) %{_sysconfdir}/pki/tls/fipsmodule.cnf
-%endif
 %files devel
 %doc CHANGES.md doc/dir-locals.example.el doc/openssl-c-indent.el
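Review bot: The comment added above `Patch46` in the `@@ -67,6 +67,10 @@` hunk, `# Enable SHA1 HMAC in FIPS mode`, records that a FIPS-mode restriction is relaxed but not why or how far, and the new `%changelog` entry in the last hunk does not mention it at all. The patch file itself is not part of this diff, so its scope is an assumption here. A comment such as `# Permit SHA-1 inside HMAC only in FIPS mode; plain SHA-1 digests and signatures are not affected`, adjusted to what the patch really does, would let an auditor judge the change from the spec alone. I would also add a changelog line like `- Allow SHA1 HMAC in FIPS mode` so the relaxation is visible in the package history.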
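Review bot: The new comment in the `@@ -310,9 +314,8 @@` hunk says the FIPS module "is loaded automatically" but leaves out what replaces the integrity data that fipsmodule.cnf normally carries, which is the first thing a FIPS reviewer will ask now that the `rm -f` runs on every architecture. If, as the name of `Patch33: 0033-FIPS-embed-hmac.patch` suggests, the HMAC is embedded in the module, say so: `# fipsmodule.cnf is not shipped: the FIPS provider is loaded automatically and its integrity HMAC is embedded in the module (Patch33)`. Since the `%files` hunk also drops the `%config(noreplace)` entry, the changelog could note that an existing `%{_sysconfdir}/pki/tls/fipsmodule.cnf` from the previous release is no longer owned by the package after upgrade.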
@@ -400,6 +400,11 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 %changelog
+* Mon Jan 17 2022 Dmitry Belyavskiy - 1:3.0.0-7
+- Remove algorithms we don't plan to certify from fips module
+- Remove native fipsmodule.cnf
+- Related: rhbz#2026445
+
 * Tue Dec 21 2021 Dmitry Belyavskiy - 1:3.0.0-6
 - openssl speed should run in FIPS mode
 - Related: rhbz#1977318