Use certified FIPS module instead of freshly built one in Red Hat distribution

Resolves: RHEL-23474

openssl.spec

@@ -230,6 +230,9 @@ BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy),
 BuildRequires: git-core
 Requires: coreutils
 Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
+%if ( %{defined rhel} && (! %{defined centos}) )
+Requires: openssl-fips-provider
+%endif
 
 %description
 The OpenSSL toolkit provides support for secure communications between
@@ -393,6 +396,14 @@ make test HARNESS_JOBS=8
 # Add generation of HMAC checksum of the final stripped library
 # We manually copy standard definition of __spec_install_post
 # and add hmac calculation/embedding to fips.so
+%if ( %{defined rhel} && (! %{defined centos}) )
+%define __spec_install_post \
+    rm -rf $RPM_BUILD_ROOT/%{_libdir}/ossl-modules/fips.so \
+    %{?__debug_package:%{__debug_install_post}} \
+    %{__arch_install_post} \
+    %{__os_install_post} \
+%{nil}
+%else
 %define __spec_install_post \
     %{?__debug_package:%{__debug_install_post}} \
     %{__arch_install_post} \
@@ -402,6 +413,7 @@ make test HARNESS_JOBS=8
     mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \
     rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
 %{nil}
+%endif
 
 %define __provides_exclude_from %{_libdir}/openssl
 
@@ -558,6 +570,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
   Resolves: RHEL-20249
 - Denial of service via null dereference in PKCS#12
   Resolves: RHEL-22486
+- Use certified FIPS module instead of freshly built one in Red Hat distribution
+  Resolves: RHEL-23474
 
 * Mon Oct 16 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-25
 - Provide relevant diagnostics when FIPS checksum is corrupted