DH PCT should abort on failure

Resolves: rhbz#2178039

0044-FIPS-140-3-keychecks.patch

@@ -35,7 +35,7 @@ diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c
  
      if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) {
          ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
-@@ -354,8 +367,23 @@ static int generate_key(DH *dh)
+@@ -354,8 +367,21 @@ static int generate_key(DH *dh)
      if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key))
          goto err;
  
@@ -50,9 +50,7 @@ diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c
      dh->priv_key = priv_key;
 +#ifdef FIPS_MODULE
 +    if (ossl_dh_check_pairwise(dh) <= 0) {
-+        dh->pub_key = dh->priv_key = NULL;
-+        ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID);
-+        goto err;
++        abort();
 +    }
 +#endif
 +

openssl.spec

@@ -521,6 +521,8 @@ install -m644 %{SOURCE9} \
   Resolves: rhbz#2178034
 - Forbid DHX keys import in FIPS mode
   Resolves: rhbz#2178030
+- DH PCT should abort on failure
+  Resolves: rhbz#2178039
 
 * Wed Mar 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-6
 - Fixes RNG slowdown in FIPS mode