diff -up openssl-3.0.0/providers/fips/self_test.c.embed-hmac openssl-3.0.0/providers/fips/self_test.c

--- openssl-3.0.0/providers/fips/self_test.c.embed-hmac	2021-11-16 13:57:05.127171056 +0100

+++ openssl-3.0.0/providers/fips/self_test.c	2021-11-16 14:07:21.963412455 +0100

@@ -171,11 +171,27 @@ DEP_FINI_ATTRIBUTE void cleanup(void)

 }

 #endif

+#define HMAC_LEN 32

+/*

+ * The __attribute__ ensures we've created the .rodata1 section

+ * static ensures it's zero filled

+*/

+static const unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0};

+

 /*

  * Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify

  * the result matches the expected value.

  * Return 1 if verified, or 0 if it fails.

  */

+#ifndef __USE_GNU

+#define __USE_GNU

+#include <dlfcn.h>

+#undef __USE_GNU

+#else

+#include <dlfcn.h>

+#endif

+#include <link.h>

+

 static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,

                             unsigned char *expected, size_t expected_len,

                             OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,

@@ -183,14 +199,26 @@ static int verify_integrity(OSSL_CORE_BI

 {

     int ret = 0, status;

     unsigned char out[MAX_MD_SIZE];

-    unsigned char buf[INTEGRITY_BUF_SIZE];

+    unsigned char buf[INTEGRITY_BUF_SIZE+HMAC_LEN];

     size_t bytes_read = 0, out_len = 0;

     EVP_MAC *mac = NULL;

     EVP_MAC_CTX *ctx = NULL;

     OSSL_PARAM params[2], *p = params;

+    Dl_info info;

+    void *extra_info = NULL;

+    struct link_map *lm = NULL;

+    unsigned long paddr;

+    unsigned long off = 0;

+    int have_rest = 0;

     OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);

+    if (!dladdr1 ((const void *)fips_hmac_container,

+                &info, &extra_info, RTLD_DL_LINKMAP))

+        goto err;

+    lm = extra_info;

+    paddr = (unsigned long)fips_hmac_container - lm->l_addr;

+

     mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);

     if (mac == NULL)

         goto err;

@@ -204,12 +233,53 @@ static int verify_integrity(OSSL_CORE_BI

     if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))

         goto err;

+    status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);

+    if (status != 1 || bytes_read != HMAC_LEN)

+        goto err;

+    off += HMAC_LEN;

+

     while (1) {

-        status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);

-        if (status != 1)

+        status = read_ex_cb(bio, buf+HMAC_LEN, INTEGRITY_BUF_SIZE, &bytes_read);

+        if (status != 1) {

+            have_rest = 1;

+            break;

+        }

+

+        if (bytes_read == INTEGRITY_BUF_SIZE) { /* Full block */

+            /* Logic:

+             * We have HMAC_LEN (read before) + INTEGRITY_BUF_SIZE (read now) in buffer

+             * We calculate HMAC from first INTEGRITY_BUF_SIZE bytes

+             * and move last HMAC_LEN bytes to the beginning of the buffer

+             *

+             * If we have read (a part of) buffer fips_hmac_container

+             * we should replace it with zeros.

+             * If it is inside our current buffer, we will update now.

+             * If it intersects the upper bound, we will clean up on the next step.

+             */

+            if (off - HMAC_LEN <= paddr && paddr <= off + bytes_read)

+                memset (buf + HMAC_LEN + paddr - off, 0, HMAC_LEN);

+            off += bytes_read;

+

+            if (!EVP_MAC_update(ctx, buf, bytes_read))

+                goto err;

+            memcpy (buf, buf+INTEGRITY_BUF_SIZE, HMAC_LEN);

+        } else { /* Final block */

+            /* Logic is basically the same as in previous branch

+             * but we calculate HMAC from HMAC_LEN (rest of previous step)

+             * and bytes_read read on this step

+             * */

+            if (off - HMAC_LEN <= paddr && paddr <= off + bytes_read)

+                memset (buf + HMAC_LEN + paddr - off, 0, HMAC_LEN);

+            if (!EVP_MAC_update(ctx, buf, bytes_read+HMAC_LEN))

+                goto err;

+            off += bytes_read;

             break;

-        if (!EVP_MAC_update(ctx, buf, bytes_read))

+        }

+    }

+    if (have_rest) {

+        if (!EVP_MAC_update(ctx, buf, HMAC_LEN))

             goto err;

+        off += HMAC_LEN;

     }

     if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))

         goto err;

@@ -284,8 +358,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS

         CRYPTO_THREAD_unlock(fips_state_lock);

     }

-    if (st == NULL

-            || st->module_checksum_data == NULL) {

+    if (st == NULL) {

         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);

         goto end;

     }

@@ -294,8 +367,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS

     if (ev == NULL)

         goto end;

-    module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,

-                                         &checksum_len);

+    module_checksum = fips_hmac_container;

+    checksum_len = sizeof(fips_hmac_container);

+

     if (module_checksum == NULL) {

         ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);

         goto end;

@@ -357,7 +431,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS

     ok = 1;

 end:

     OSSL_SELF_TEST_free(ev);

-    OPENSSL_free(module_checksum);

     OPENSSL_free(indicator_checksum);

     if (st != NULL) {

diff -ruN openssl-3.0.0/test/recipes/00-prep_fipsmodule_cnf.t openssl-3.0.0-xxx/test/recipes/00-prep_fipsmodule_cnf.t

--- openssl-3.0.0/test/recipes/00-prep_fipsmodule_cnf.t	2021-09-07 13:46:32.000000000 +0200

+++ openssl-3.0.0-xxx/test/recipes/00-prep_fipsmodule_cnf.t	2021-11-18 09:39:53.386817874 +0100

@@ -20,7 +20,7 @@

 use lib bldtop_dir('.');

 use platform;

-my $no_check = disabled("fips");

+my $no_check = 1;

 plan skip_all => "FIPS module config file only supported in a fips build"

     if $no_check;

diff -ruN openssl-3.0.0/test/recipes/01-test_fipsmodule_cnf.t openssl-3.0.0-xxx/test/recipes/01-test_fipsmodule_cnf.t

--- openssl-3.0.0/test/recipes/01-test_fipsmodule_cnf.t	2021-09-07 13:46:32.000000000 +0200

+++ openssl-3.0.0-xxx/test/recipes/01-test_fipsmodule_cnf.t	2021-11-18 09:59:02.315619486 +0100

@@ -23,7 +23,7 @@

 use lib bldtop_dir('.');

 use platform;

-my $no_check = disabled("fips");

+my $no_check = 1;

 plan skip_all => "Test only supported in a fips build"

     if $no_check;

 plan tests => 1;

diff -ruN openssl-3.0.0/test/recipes/03-test_fipsinstall.t openssl-3.0.0-xxx/test/recipes/03-test_fipsinstall.t

--- openssl-3.0.0/test/recipes/03-test_fipsinstall.t	2021-09-07 13:46:32.000000000 +0200

+++ openssl-3.0.0-xxx/test/recipes/03-test_fipsinstall.t	2021-11-18 09:59:55.365072074 +0100

@@ -22,7 +22,7 @@

 use lib bldtop_dir('.');

 use platform;

-plan skip_all => "Test only supported in a fips build" if disabled("fips");

+plan skip_all => "Test only supported in a fips build" if 1;

 plan tests => 29;

diff -ruN openssl-3.0.0/test/recipes/30-test_defltfips.t openssl-3.0.0-xxx/test/recipes/30-test_defltfips.t

--- openssl-3.0.0/test/recipes/30-test_defltfips.t	2021-09-07 13:46:32.000000000 +0200

+++ openssl-3.0.0-xxx/test/recipes/30-test_defltfips.t	2021-11-18 10:22:54.179659682 +0100

@@ -21,7 +21,7 @@

 use lib srctop_dir('Configurations');

 use lib bldtop_dir('.');

-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);

+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);

 plan tests =>

     ($no_fips ? 1 : 5);

diff -ruN openssl-3.0.0/test/recipes/80-test_ssl_new.t openssl-3.0.0-xxx/test/recipes/80-test_ssl_new.t

--- openssl-3.0.0/test/recipes/80-test_ssl_new.t	2021-09-07 13:46:32.000000000 +0200

+++ openssl-3.0.0-xxx/test/recipes/80-test_ssl_new.t	2021-11-18 10:18:53.391721164 +0100

@@ -23,7 +23,7 @@

 use lib srctop_dir('Configurations');

 use lib bldtop_dir('.');

-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);

+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);

 $ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");

diff -ruN openssl-3.0.0/test/recipes/90-test_sslapi.t openssl-3.0.0-xxx/test/recipes/90-test_sslapi.t

--- openssl-3.0.0/test/recipes/90-test_sslapi.t	2021-11-18 10:32:17.734196705 +0100

+++ openssl-3.0.0-xxx/test/recipes/90-test_sslapi.t	2021-11-18 10:18:30.695538445 +0100

@@ -18,7 +18,7 @@

 use lib srctop_dir('Configurations');

 use lib bldtop_dir('.');

-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);

+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);

 plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"

     if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));

--- /dev/null	2021-11-16 15:27:32.915000000 +0100

+++ openssl-3.0.0/test/fipsmodule.cnf	2021-11-18 11:15:34.538060408 +0100

@@ -0,0 +1,2 @@

+[fips_sect]

+activate = 1