diff --git a/SOURCES/mariadb-fips.patch b/SOURCES/mariadb-fips.patch
new file mode 100644
index 0000000..443af6f
--- /dev/null
+++ b/SOURCES/mariadb-fips.patch
@@ -0,0 +1,28 @@
+Fix md5 in FIPS mode
+
+OpenSSL 3.0.0+ does not support EVP_MD_CTX_FLAG_NON_FIPS_ALLOW any longer.
+In OpenSSL 1.1.1 the non FIPS allowed flag is context specific, while
+in 3.0.0+ it is a different EVP_MD provider.
+
+Resolves: rhbz#2050541
+
+diff -up mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc.fips mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc
+--- mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc.fips 2022-02-07 16:36:47.255131576 +0100
++++ mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc 2022-02-07 22:57:32.391002916 +0100
+@@ -52,12 +52,15 @@ static void md5_result(EVP_MD_CTX *conte
+
+ static void md5_init(EVP_MD_CTX *context)
+ {
++ EVP_MD *md5;
++ md5 = EVP_MD_fetch(NULL, "MD5", "fips=no");
+ EVP_MD_CTX_init(context);
+ #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ /* Ok to ignore FIPS: MD5 is not used for crypto here */
+ EVP_MD_CTX_set_flags(context, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ #endif
+- EVP_DigestInit_ex(context, EVP_md5(), NULL);
++ EVP_DigestInit_ex(context, md5, NULL);
++ EVP_MD_free(md5);
+ }
+
+ static void md5_input(EVP_MD_CTX *context, const uchar *buf, unsigned len)
diff --git a/SPECS/mariadb.spec b/SPECS/mariadb.spec
index ddf57a3..21e2489 100644
--- a/SPECS/mariadb.spec
+++ b/SPECS/mariadb.spec
@@ -154,7 +154,7 @@
Name: mariadb
Version: 10.5.13
-Release: 1%{?with_debug:.debug}%{?dist}
+Release: 2%{?with_debug:.debug}%{?dist}
Epoch: 3
Summary: A very fast and robust SQL database server
@@ -226,6 +226,8 @@ Patch11: %{pkgnamepatch}-pcdir.patch
Patch12: %{pkgnamepatch}-openssl3.patch
# Patch15: Add option to edit groonga's and groonga-normalizer-mysql install path
Patch15: %{pkgnamepatch}-groonga.patch
+# Patch16: Fix MD5 in FIPS mode
+Patch16: %{pkgnamepatch}-fips.patch
BuildRequires: make
BuildRequires: cmake gcc-c++
@@ -757,6 +759,7 @@ rm -r storage/rocksdb/
%patch12 -p1
%endif
%patch15 -p1
+%patch16 -p1
# generate a list of tests that fail, but are not disabled by upstream
cat %{SOURCE50} | tee -a mysql-test/unstable-tests
@@ -850,7 +853,7 @@ fi
-DGROONGA_NORMALIZER_MYSQL_PROJECT_NAME=%{name}-server/groonga-normalizer-mysql \
-DENABLED_LOCAL_INFILE=ON \
-DENABLE_DTRACE=ON \
- -DSECURITY_HARDENED=ON \
+ -DSECURITY_HARDENED=OFF \
-DWITH_WSREP=%{?with_galera:ON}%{!?with_galera:OFF} \
-DWITH_INNODB_DISALLOW_WRITES=%{?with_galera:ON}%{!?with_galera:OFF} \
-DWITH_EMBEDDED_SERVER=%{?with_embedded:ON}%{!?with_embedded:OFF} \
@@ -879,6 +882,10 @@ fi
-DCONNECT_WITH_JDBC=OFF \
%{?with_debug: -DCMAKE_BUILD_TYPE=Debug -DWITH_ASAN=OFF -DWITH_INNODB_EXTRA_DEBUG=ON -DWITH_VALGRIND=ON}
+# The -DSECURITY_HARDENED is used to force a set of compilation flags for hardening
+# The issue is that the MariaDB upstream level of hardening is lower than expected by Red Hat
+# We disable this option to the default compilation flags (which have higher level of hardening) will be used
+
CFLAGS="$CFLAGS -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE"
# force PIC mode so that we can build libmysqld.so
@@ -1647,6 +1654,10 @@ fi
%endif
%changelog
+* Mon Feb 07 2022 Honza Horak <hhorak@redhat.com> - 3:10.5.13-2
+- Fix md5 in FIPS mode with OpenSSL 3.0.0
+ Resolves: #2050541
+
* Thu Dec 02 2021 Michal Schorm <mschorm@redhat.com> - 3:10.5.13-1
- Rebase to 10.5.13
@@ -1688,7 +1699,7 @@ fi
* Tue May 11 2021 Michal Schorm <mschorm@redhat.com> - 3:10.5.10-1
- Rebase to 10.5.10
-* Fri May 21 2021 Honza Horak <hhorak@redhat.com> - 3:10.5.9-9
+* Tue May 11 2021 Honza Horak <hhorak@redhat.com> - 3:10.5.9-9
- Fix OpenSSL 3.x compatibility
Resolves: #1962047