From 05b87f449d6f14bca1a8e255d01bc632c2d833f8 Mon Sep 17 00:00:00 2001
From: Sahana Prasad <sahana@redhat.com>
Date: Mon, 26 Jun 2023 10:15:57 +0200
Subject: [PATCH] Remove the listing of brainpool curves in FIPS mode Related:
 rhbz#2188180 Signed-off-by: Sahana Prasad <sahana@redhat.com>

---
 0045-FIPS-services-minimize.patch | 16 ++++++++++++++++
 openssl.spec                      |  6 +++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/0045-FIPS-services-minimize.patch b/0045-FIPS-services-minimize.patch
index bfee965..2ba9aab 100644
--- a/0045-FIPS-services-minimize.patch
+++ b/0045-FIPS-services-minimize.patch
@@ -737,3 +737,19 @@ diff -up openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen
  
      if (!ossl_prov_is_running())
          return 0;
+diff -up openssl-3.0.7/apps/ecparam.c.minfips openssl-3.0.7/apps/ecparam.c
+--- openssl-3.0.7/apps/ecparam.c.minfips	2023-06-24 09:58:57.773344910 +0200
++++ openssl-3.0.7/apps/ecparam.c	2023-06-26 09:18:06.843859405 +0200
+@@ -79,7 +79,11 @@ static int list_builtin_curves(BIO *out)
+         const char *comment = curves[n].comment;
+         const char *sname = OBJ_nid2sn(curves[n].nid);
+ 
+-        if ((curves[n].nid == NID_secp256k1) && EVP_default_properties_is_fips_enabled(NULL))
++        if (((curves[n].nid == NID_secp256k1) || (curves[n].nid == NID_brainpoolP256r1)
++            || (curves[n].nid == NID_brainpoolP256t1) || (curves[n].nid == NID_brainpoolP320r1)
++            || (curves[n].nid == NID_brainpoolP320t1) || (curves[n].nid == NID_brainpoolP384r1)
++            || (curves[n].nid == NID_brainpoolP384t1) || (curves[n].nid == NID_brainpoolP512r1)
++            || (curves[n].nid == NID_brainpoolP512t1)) && EVP_default_properties_is_fips_enabled(NULL))
+             continue;
+ 
+         if (comment == NULL)
diff --git a/openssl.spec b/openssl.spec
index 5ca4f1e..e4b4eeb 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.7
-Release: 20%{?dist}
+Release: 21%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -520,6 +520,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 
 %changelog
+* Mon Jun 26 2023 Sahana Prasad <sahana@redhat.com> - 1:3.0.7-21
+- Remove the listing of brainpool curves in FIPS mode.
+  Related: rhbz#2188180
+
 * Tue May 30 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-20
 - Fix possible DoS translating ASN.1 object identifiers
   Resolves: CVE-2023-2650