From 5b4467a2c47e6de814e69ec3eb4c3e7a4632119c Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 1 Apr 2019 13:13:09 -0400
Subject: [PATCH] FIPS-aware SPAKE group negotiation

(cherry picked from commit 59269fca96168aa89dc32834d188a54eea8953ac)
---
 src/plugins/preauth/spake/groups.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/plugins/preauth/spake/groups.c b/src/plugins/preauth/spake/groups.c
index a195cc195..8a913cb5a 100644
--- a/src/plugins/preauth/spake/groups.c
+++ b/src/plugins/preauth/spake/groups.c
@@ -56,6 +56,8 @@
 #include "trace.h"
 #include "groups.h"
 
+#include <openssl/crypto.h>
+
 #define DEFAULT_GROUPS_CLIENT "edwards25519"
 #define DEFAULT_GROUPS_KDC ""
 
@@ -102,6 +104,9 @@ find_gdef(int32_t group)
 {
     size_t i;
 
+    if (group == builtin_edwards25519.reg->id && FIPS_mode())
+        return NULL;
+
     for (i = 0; groupdefs[i] != NULL; i++) {
         if (groupdefs[i]->reg->id == group)
             return groupdefs[i];
@@ -116,6 +121,9 @@ find_gnum(const char *name)
 {
     size_t i;
 
+    if (strcasecmp(name, builtin_edwards25519.reg->name) == 0 && FIPS_mode())
+        return 0;
+
     for (i = 0; groupdefs[i] != NULL; i++) {
         if (strcasecmp(name, groupdefs[i]->reg->name) == 0)
             return groupdefs[i]->reg->id;