From 131e7d16022bc8f7513e70f888c9b5690da802ed Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy
Date: Thu, 12 Oct 2023 14:07:54 +0200
Subject: [PATCH] Provide relevant diagnostics when FIPS checksum is corrupted
Resolves: RHEL-5317
---
 0032-Force-fips.patch | 5 ++++-
 openssl.spec | 6 +++++-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/0032-Force-fips.patch b/0032-Force-fips.patch
index 5f82475..4dc9774 100644
--- a/0032-Force-fips.patch
+++ b/0032-Force-fips.patch
@@ -151,7 +151,7 @@ diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provi
 } else {
 OSSL_PROVIDER_INFO entry;
-@@ -306,6 +317,30 @@ static int provider_conf_init(CONF_IMODU
+@@ -306,6 +317,33 @@ static int provider_conf_init(CONF_IMODU
 return 0;
 }
@@ -173,6 +173,9 @@ diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provi
 + if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)
 + return 0;
 + }
++ /* provider_conf_load can return 1 even wwhen the test is failed so check explicitly */
++ if (OSSL_PROVIDER_available(libctx, "fips") != 1)
++ return 0;
 + if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)
 + return 0;
 + if (EVP_default_properties_enable_fips(libctx, 1) != 1)
diff --git a/openssl.spec b/openssl.spec
index 5a65b10..f689e74 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.7
-Release: 24%{?dist}
+Release: 25%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
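Review bot: The added `OSSL_PROVIDER_available(libctx, "fips") != 1` branch in the second hunk of 0032-Force-fips.patch returns 0 without queuing an OpenSSL error, so unless the failed load already left one on the error queue, a corrupted FIPS module looks like any other provider_conf_init failure; raising one before the return would make it attributable, e.g. `ERR_raise_data(ERR_LIB_CRYPTO, REASON_PLACEHOLDER, "FIPS provider not available");` where REASON_PLACEHOLDER stands for whichever reason code this file already uses for provider errors. Whether the 0 return actually prevents the process from continuing without the FIPS provider depends on how the caller treats config-module failures, which is outside the hunk and worth confirming for a check that is meant to fail closed. The new comment has a typo and names provider_conf_load while the call visible just above it is provider_conf_activate; suggested wording: `/* provider_conf_load can return 1 even when the test has failed, so check availability explicitly */`. The enclosing function starts and ends outside the hunk.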
@@ -522,6 +522,10 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
 %ldconfig_scriptlets libs
 %changelog
+* Mon Oct 16 2023 Dmitry Belyavskiy - 1:3.0.7-25
+- Provide relevant diagnostics when FIPS checksum is corrupted
+ Resolves: RHEL-5317
+
 * Wed Jul 12 2023 Dmitry Belyavskiy - 1:3.0.7-24
 - Make FIPS module configuration more crypto-policies friendly
 Related: rhbz#2216256