Provide relevant diagnostics when FIPS checksum is corrupted

Resolves: RHEL-5317

0032-Force-fips.patch

@@ -151,7 +151,7 @@ diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provi
      } else {
          OSSL_PROVIDER_INFO entry;
  
-@@ -306,6 +317,30 @@ static int provider_conf_init(CONF_IMODU
+@@ -306,6 +317,33 @@ static int provider_conf_init(CONF_IMODU
              return 0;
      }
  
@@ -173,6 +173,9 @@ diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provi
 +            if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)
 +                return 0;
 +        }
++        /* provider_conf_load can return 1 even wwhen the test is failed so check explicitly */
++        if (OSSL_PROVIDER_available(libctx, "fips") != 1)
++            return 0;
 +        if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)
 +            return 0;
 +        if (EVP_default_properties_enable_fips(libctx, 1) != 1)

openssl.spec

@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.7
-Release: 24%{?dist}
+Release: 25%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -522,6 +522,10 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
 %ldconfig_scriptlets libs
 
 %changelog
+* Mon Oct 16 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-25
+- Provide relevant diagnostics when FIPS checksum is corrupted
+  Resolves: RHEL-5317
+
 * Wed Jul 12 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-24
 - Make FIPS module configuration more crypto-policies friendly
   Related: rhbz#2216256