openssl-3/openssl-FIPS-early-KATS.patch

From ba6e65e2f7e7fe8d9cd62e1e7e345bc41dda424f Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Thu, 19 Oct 2023 13:12:40 +0200
Subject: [PATCH 21/46] 0047-FIPS-early-KATS.patch

Patch-name: 0047-FIPS-early-KATS.patch
Patch-id: 47
Patch-status: |
    # # Execute KATS before HMAC verification
From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911
---
 providers/fips/self_test.c | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

Index: openssl-3.2.3/providers/fips/self_test.c
===================================================================
--- openssl-3.2.3.orig/providers/fips/self_test.c
+++ openssl-3.2.3/providers/fips/self_test.c
@@ -507,6 +507,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
     if (ev == NULL)
         goto end;
 
+    /*
+     * Run the KAT's before HMAC verification according to FIPS-140-3 requirements
+     */
+    if (kats_already_passed == 0) {
+        if (!SELF_TEST_kats(ev, st->libctx)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
+            goto end;
+        }
+    }
+
    if (st->module_checksum_data == NULL) {
         module_checksum = fips_hmac_container;
         checksum_len = sizeof(fips_hmac_container);
@@ -575,18 +585,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
         }
     }
 
-    /*
-     * Only runs the KAT's during installation OR on_demand().
-     * NOTE: If the installation option 'self_test_onload' is chosen then this
-     * path will always be run, since kats_already_passed will always be 0.
-     */
-    if (on_demand_test || kats_already_passed == 0) {
-        if (!SELF_TEST_kats(ev, st->libctx)) {
-            ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
-            goto end;
-        }
-    }
-
     /* Verify that the RNG has been restored properly */
     rng = ossl_rand_get0_private_noncreating(st->libctx);
     if (rng != NULL)