From f0b4f85e9e3715cf90d634cd4cd21452fda2620a Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Jan 09 2023 12:28:16 +0000
Subject: Include missing OpenSSL FIPS header


Signed-off-by: Julien Rische <jrische@redhat.com>

---

diff --git a/0014-downstream-Include-missing-OpenSSL-FIPS-header.patch b/0014-downstream-Include-missing-OpenSSL-FIPS-header.patch
new file mode 100644
index 0000000..24ba48a
--- /dev/null
+++ b/0014-downstream-Include-missing-OpenSSL-FIPS-header.patch
@@ -0,0 +1,120 @@
+From d57a804136c5ebf473ce053a9517edd71a56389f Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Thu, 5 Jan 2023 20:06:47 +0100
+Subject: [PATCH] [downstream] Include missing OpenSSL FIPS header
+
+The inclusion of openssl/fips.h, which provides the declaration of
+FIPS_mode(), was removed from openssl/crypto.h. As a consequence, this
+header file has to be included explicitly in krb5 code.
+---
+ src/lib/crypto/krb/prng.c                      | 4 +++-
+ src/lib/crypto/openssl/enc_provider/camellia.c | 1 +
+ src/lib/crypto/openssl/enc_provider/rc4.c      | 4 ++++
+ src/lib/crypto/openssl/hmac.c                  | 1 +
+ src/lib/krad/internal.h                        | 4 ++++
+ src/plugins/preauth/spake/spake_client.c       | 4 ++++
+ src/plugins/preauth/spake/spake_kdc.c          | 4 ++++
+ 7 files changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c
+index 9e80a03d21..ae37c77518 100644
+--- a/src/lib/crypto/krb/prng.c
++++ b/src/lib/crypto/krb/prng.c
+@@ -28,7 +28,9 @@
+ 
+ #include <openssl/rand.h>
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#include <openssl/fips.h>
++#else
+ #include <openssl/crypto.h>
+ #endif
+ 
+diff --git a/src/lib/crypto/openssl/enc_provider/camellia.c b/src/lib/crypto/openssl/enc_provider/camellia.c
+index d9f327add6..3dd3b0624f 100644
+--- a/src/lib/crypto/openssl/enc_provider/camellia.c
++++ b/src/lib/crypto/openssl/enc_provider/camellia.c
+@@ -32,6 +32,7 @@
+ #include <openssl/camellia.h>
+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ #include <openssl/core_names.h>
++#include <openssl/fips.h>
+ #else
+ #include <openssl/modes.h>
+ #endif
+diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c
+index ce63cb5f1b..6a83f10d27 100644
+--- a/src/lib/crypto/openssl/enc_provider/rc4.c
++++ b/src/lib/crypto/openssl/enc_provider/rc4.c
+@@ -38,6 +38,10 @@
+ 
+ #include <openssl/evp.h>
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#include <openssl/fips.h>
++#endif
++
+ /*
+  * The loopback field is a pointer to the structure.  If the application copies
+  * the state (not a valid operation, but one which happens to works with some
+diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c
+index f21e268f7f..25a419d73a 100644
+--- a/src/lib/crypto/openssl/hmac.c
++++ b/src/lib/crypto/openssl/hmac.c
+@@ -59,6 +59,7 @@
+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ #include <openssl/params.h>
+ #include <openssl/core_names.h>
++#include <openssl/fips.h>
+ #else
+ #include <openssl/hmac.h>
+ #endif
+diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h
+index e123763954..a17b6f39b1 100644
+--- a/src/lib/krad/internal.h
++++ b/src/lib/krad/internal.h
+@@ -41,6 +41,10 @@
+ 
+ #include <openssl/crypto.h>
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#include <openssl/fips.h>
++#endif
++
+ #ifndef UCHAR_MAX
+ #define UCHAR_MAX 255
+ #endif
+diff --git a/src/plugins/preauth/spake/spake_client.c b/src/plugins/preauth/spake/spake_client.c
+index a3ce22b70f..13c699071f 100644
+--- a/src/plugins/preauth/spake/spake_client.c
++++ b/src/plugins/preauth/spake/spake_client.c
+@@ -40,6 +40,10 @@
+ 
+ #include <openssl/crypto.h>
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#include <openssl/fips.h>
++#endif
++
+ typedef struct reqstate_st {
+     krb5_pa_spake *msg;         /* set in prep_questions, used in process */
+     krb5_keyblock *initial_key;
+diff --git a/src/plugins/preauth/spake/spake_kdc.c b/src/plugins/preauth/spake/spake_kdc.c
+index 232e78bc05..3394f8a58e 100644
+--- a/src/plugins/preauth/spake/spake_kdc.c
++++ b/src/plugins/preauth/spake/spake_kdc.c
+@@ -43,6 +43,10 @@
+ 
+ #include <openssl/crypto.h>
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#include <openssl/fips.h>
++#endif
++
+ /*
+  * The SPAKE kdcpreauth module uses a secure cookie containing the following
+  * concatenated fields (all integer fields are big-endian):
+-- 
+2.38.1
+
diff --git a/krb5.spec b/krb5.spec
index 44696f6..3593e7d 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -72,6 +72,7 @@ Patch10: 0010-Update-error-checking-for-OpenSSL-CMS_verify.patch
 Patch11: 0011-downstream-Catch-SHA-1-digest-disallowed-error-for-P.patch
 Patch12: 0012-Add-and-use-ts_interval-helper.patch
 Patch13: 0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch
+Patch14: 0014-downstream-Include-missing-OpenSSL-FIPS-header.patch
 
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@@ -708,7 +709,8 @@ exit 0
 %{_datarootdir}/%{name}-tests/
 
 %changelog
-* Tue Dec 20 2022 Julien Rische <jrische@redhat.com> - 1.20.1-4
+* Thu Jan 05 2023 Julien Rische <jrische@redhat.com> - 1.20.1-4
+- Include missing OpenSSL FIPS header
 - Make tests compatible with sssd_krb5_locator_plugin.so
 
 * Tue Dec 06 2022 Julien Rische <jrische@redhat.com> - 1.20.1-3