File openssl-1.0.1h-fips-engine.patch of Package openssl.1633

Index: openssl-1.0.1h/crypto/evp/digest.c
===================================================================
--- openssl-1.0.1h.orig/crypto/evp/digest.c
+++ openssl-1.0.1h/crypto/evp/digest.c
@@ -223,6 +223,22 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
 				ENGINE_finish(impl);
 				return 0;
 				}
+#ifdef OPENSSL_FIPS
+			/* If we have an engine, only use it if its FIPS certified, or
+			 * non-FIPS stuff is allowed. */
+			if (FIPS_mode()) {
+				if ((d->flags & EVP_MD_FLAG_FIPS)
+			            || (ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))
+			       		{
+					type = d;
+					}
+				else
+					{
+					ENGINE_finish(impl);
+					}
+			} else
+#endif
+			{
 			/* We'll use the ENGINE's private digest definition */
 			type = d;
 			/* Store the ENGINE functional reference so we know
@@ -230,6 +246,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
 			 * it when done. */
 			ctx->engine = impl;
 			}
+			}
 		else
 			ctx->engine = NULL;
 		}
Index: openssl-1.0.1h/crypto/rsa/rsa_lib.c
===================================================================
--- openssl-1.0.1h.orig/crypto/rsa/rsa_lib.c
+++ openssl-1.0.1h/crypto/rsa/rsa_lib.c
@@ -142,6 +142,7 @@ int RSA_set_method(RSA *rsa, const RSA_M
 RSA *RSA_new_method(ENGINE *engine)
 	{
 	RSA *ret;
+	RSA_METHOD *meth;
 
 	ret=(RSA *)OPENSSL_malloc(sizeof(RSA));
 	if (ret == NULL)
@@ -166,8 +167,8 @@ RSA *RSA_new_method(ENGINE *engine)
 		ret->engine = ENGINE_get_default_RSA();
 	if(ret->engine)
 		{
-		ret->meth = ENGINE_get_RSA(ret->engine);
-		if(!ret->meth)
+		meth = ENGINE_get_RSA(ret->engine);
+		if(!meth)
 			{
 			RSAerr(RSA_F_RSA_NEW_METHOD,
 				ERR_R_ENGINE_LIB);
@@ -175,6 +176,17 @@ RSA *RSA_new_method(ENGINE *engine)
 			OPENSSL_free(ret);
 			return NULL;
 			}
+#ifdef OPENSSL_FIPS
+	if (!FIPS_mode() || (meth->flags & RSA_FLAG_FIPS_METHOD))
+		{
+		ret->meth = meth;
+		}
+	else
+		{
+		ENGINE_finish(ret->engine);
+		ret->engine = NULL;
+		}
+#endif
 		}
 #endif
 #ifdef OPENSSL_FIPS