From 067d5800f275012076e66cb3ed4dc0d6edab05df Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Mon, 20 Jul 2020 14:51:05 +0200
Subject: [PATCH] Additional FIPS mode check for EC key generation
---
 openssl-1.1.1-fips-dh.patch | 29 ++++++++++++++++++++++++++---
 openssl.spec | 5 ++++-
 2 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/openssl-1.1.1-fips-dh.patch b/openssl-1.1.1-fips-dh.patch
index d827a8a..d98372e 100644
--- a/openssl-1.1.1-fips-dh.patch
+++ b/openssl-1.1.1-fips-dh.patch
@@ -2388,9 +2388,29 @@ diff -up openssl-1.1.1g/crypto/dh/dh_rfc7919.c.fips-dh openssl-1.1.1g/crypto/dh/
 +}
 +
 diff -up openssl-1.1.1g/crypto/ec/ec_key.c.fips-dh openssl-1.1.1g/crypto/ec/ec_key.c
---- openssl-1.1.1g/crypto/ec/ec_key.c.fips-dh 2020-07-17 10:36:29.183787931 +0200
-+++ openssl-1.1.1g/crypto/ec/ec_key.c 2020-07-17 10:36:29.247788458 +0200
-@@ -296,8 +296,20 @@ int ec_key_simple_generate_key(EC_KEY *e
+--- openssl-1.1.1g/crypto/ec/ec_key.c.fips-dh 2020-07-17 11:00:53.958175227 +0200
++++ openssl-1.1.1g/crypto/ec/ec_key.c 2020-07-20 13:24:03.941107320 +0200
+@@ -280,9 +280,18 @@ int ec_key_simple_generate_key(EC_KEY *e
+ if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, ctx))
+ goto err;
+
+- eckey->priv_key = priv_key;
+ eckey->pub_key = pub_key;
+
++ if (FIPS_mode()) {
++ eckey->priv_key = NULL;
++ if (EC_KEY_check_key(eckey) <= 0) {
++ eckey->pub_key = NULL;
++ goto err;
++ }
++ }
++
++ eckey->priv_key = priv_key;
++
+ ok = 1;
+
+ err:
+@@ -296,8 +305,23 @@ int ec_key_simple_generate_key(EC_KEY *e
 int ec_key_simple_generate_public_key(EC_KEY *eckey)
 {
@@ -2408,6 +2428,9 @@ diff -up openssl-1.1.1g/crypto/ec/ec_key.c.fips-dh openssl-1.1.1g/crypto/ec/ec_k
 + ret = EC_KEY_check_key(eckey);
 + eckey->priv_key = priv_key;
 +
++ if (ret <= 0)
++ EC_POINT_set_to_infinity(eckey->group, eckey->pub_key);
++
 + return ret;
 }
diff --git a/openssl.spec b/openssl.spec
index 220df7c..7ab3ea6 100644
--- a/openssl.spec
+++ b/openssl.spec
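Review bot: On the new FIPS failure branch in ec_key_simple_generate_key, `eckey->priv_key` is left NULL and `eckey->pub_key` is set to NULL before `goto err`, so releasing the rejected scalar and point depends entirely on the `err:` cleanup, whose body lies outside this hunk. Please confirm that cleanup frees `priv_key` whenever `eckey->priv_key` no longer points at it, and that it uses a clearing free such as `BN_clear_free(priv_key)` so a private scalar that failed validation is not left readable in freed heap memory. If the part of the function above the hunk can reuse a caller-supplied `eckey->priv_key` or `eckey->pub_key` (not visible here), this branch would also detach those existing values on failure, which deserves a sentence in the function comment. A one-line comment above the block would help the next reader, for example `/* clear priv_key so EC_KEY_check_key() validates the public point only */`, if that is indeed the reason for the temporary NULL.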
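Review bot: The result of `EC_POINT_set_to_infinity(eckey->group, eckey->pub_key)` in the added `if (ret <= 0)` branch of ec_key_simple_generate_public_key is ignored, so if that call fails the public point that just failed `EC_KEY_check_key()` stays in `eckey->pub_key` while the function reports an error. A caller that does not check the return value would then keep an unvalidated public key. Either check the call and treat its failure as an error too, or state the intent in a comment such as `/* never leave an unvalidated public key behind */`. The start of the function is outside the hunk, so whether this block is gated on `FIPS_mode()` and whether `eckey->pub_key` can be NULL at this point cannot be confirmed from the visible lines.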
@@ -22,7 +22,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.1.1g
-Release: 12%{?dist}
+Release: 13%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -475,6 +475,9 @@ export LD_LIBRARY_PATH
 %ldconfig_scriptlets libs
 %changelog
+* Mon Jul 20 2020 Tomáš Mráz 1.1.1g-13
+- Additional FIPS mode check for EC key generation
+
 * Fri Jul 17 2020 Tomáš Mráz 1.1.1g-12
 - Further changes for SP 800-56A rev3 requirements