From fb4b72ff2f98c7cf07e9cc410fbb9f685e3f2b1f Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Fri, 10 Mar 2023 12:36:43 +0100
Subject: [PATCH] DH PCT should abort on failure

Resolves: rhbz#2178039
---
 0044-FIPS-140-3-keychecks.patch | 6 ++----
 openssl.spec                    | 2 ++
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/0044-FIPS-140-3-keychecks.patch b/0044-FIPS-140-3-keychecks.patch
index ba2818c..6b77eb4 100644
--- a/0044-FIPS-140-3-keychecks.patch
+++ b/0044-FIPS-140-3-keychecks.patch
@@ -35,7 +35,7 @@ diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c
  
      if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
          ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
-@@ -354,8 +367,23 @@ static int generate_key(DH *dh)
+@@ -354,8 +367,21 @@ static int generate_key(DH *dh)
      if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key))
          goto err;
  
@@ -50,9 +50,7 @@ diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c
      dh->priv_key = priv_key;
 +#ifdef FIPS_MODULE
 +    if (ossl_dh_check_pairwise(dh) <= 0) {
-+        dh->pub_key = dh->priv_key = NULL;
-+        ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID);
-+        goto err;
++        abort();
 +    }
 +#endif
 +
diff --git a/openssl.spec b/openssl.spec
index 26153ce..d0fa72a 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -521,6 +521,8 @@ install -m644 %{SOURCE9} \
   Resolves: rhbz#2178034
 - Forbid DHX keys import in FIPS mode
   Resolves: rhbz#2178030
+- DH PCT should abort on failure
+  Resolves: rhbz#2178039
 
 * Wed Mar 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-6
 - Fixes RNG slowdown in FIPS mode