Add missing ECDH Public Key Check in FIPS mode

Resolves: RHEL-15990

0044-FIPS-140-3-keychecks.patch

@@ -57,7 +57,21 @@ diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c
      dh->dirty_cnt++;
      ok = 1;
   err:
-diff -up openssl-3.0.1/crypto/ec/ec_key.c.fips3 openssl-3.0.1/crypto/ec/ec_key.c
+diff -up openssl-3.0.7/crypto/ec/ec_key.c.f188 openssl-3.0.7/crypto/ec/ec_key.c
+--- openssl-3.0.7/crypto/ec/ec_key.c.f188	2023-11-08 10:58:05.910031253 +0100
++++ openssl-3.0.7/crypto/ec/ec_key.c	2023-11-08 10:59:42.338526883 +0100
+@@ -326,6 +326,11 @@ static int ec_generate_key(EC_KEY *eckey
+     eckey->dirty_cnt++;
+ 
+ #ifdef FIPS_MODULE
++    if (ossl_ec_key_public_check(eckey, ctx) <= 0) {
++        ERR_raise(ERR_LIB_EC, EC_R_INVALID_KEY);
++        goto err;
++    }
++
+     pairwise_test = 1;
+ #endif /* FIPS_MODULE */
+ 
 diff -up openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c
 --- openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3	2022-07-25 13:42:46.814952053 +0200
 +++ openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c	2022-07-25 13:52:12.292065706 +0200

openssl.spec

@@ -553,6 +553,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
   Resolves: RHEL-14083
 - Backport the check required by SP800-56Br2 6.4.1.2.1 (3.c)
   Resolves: RHEL-14083
+- Add missing ECDH Public Key Check in FIPS mode
+  Resolves: RHEL-15990
 
 * Wed Jul 12 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-24
 - Make FIPS module configuration more crypto-policies friendly