Embed correct HMAC into fips provider

We have stripped production version and unstripped version for tests.
Related: rhbz#1985362

openssl.spec

@@ -15,7 +15,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -49,7 +49,7 @@ Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
 # Add FIPS_mode() compatibility macro
 Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch
 # Add check to see if fips flag is enabled in kernel
-#Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
+Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
 # remove unsupported EC curves
 Patch11: 0011-Remove-EC-curves.patch
 # Instructions to load legacy provider in openssl.cnf
@@ -58,6 +58,10 @@ Patch24: 0024-load-legacy-prov.patch
 Patch30: 0030-tmp-Fix-rng-seed-double-free.patch
 # Tmp: test name change
 Patch31: 0031-tmp-Fix-test-names.patch
+# We load FIPS provider and set FIPS properties implicitly
+Patch32: 0032-Force-fips.patch
+# Embed HMAC into the fips.so
+Patch33: 0033-FIPS-embed-hmac.patch
 # Tmp: coverity
 Patch100: 0100-coverity.patch
 
@@ -231,18 +235,27 @@ OPENSSL_ENABLE_MD5_VERIFY=
 export OPENSSL_ENABLE_MD5_VERIFY
 OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
 export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
+#embed HMAC into fips provider for test run
+LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac
+cp providers/fips.so providers/fips.so.orig
+objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
+mv providers/fips.so.mac providers/fips.so
+#run tests itself
 make test HARNESS_JOBS=8
 
 # Add generation of HMAC checksum of the final stripped library
-#%define __spec_install_post \
-#    %{?__debug_package:%{__debug_install_post}} \
-#    %{__arch_install_post} \
-#    %{__os_install_post} \
-#    crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{version}.hmac \
-#    ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{soversion}.hmac \
-#    crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{version}.hmac \
-#    ln -sf .libssl.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{soversion}.hmac \
-#%{nil}
+# We manually copy standard definition of __spec_install_post
+# and add hmac calculation/embedding to fips.so
+%define __spec_install_post \
+    %{?__debug_package:%{__debug_install_post}} \
+    %{__arch_install_post} \
+    %{__os_install_post} \
+    LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
+    cp $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.orig \
+    objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \
+    mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \
+    rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
+%{nil}
 
 %define __provides_exclude_from %{_libdir}/openssl
 
@@ -382,6 +395,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 
 %changelog
+* Thu Nov 18 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-4
+- Embed FIPS HMAC in fips.so
+- Enforce loading FIPS provider when FIPS kernel flag is on
+
 * Thu Oct 07 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-3
 - Fix memory leak in s_client
 - Related: rhbz#1996092