From b393177f7df829c7bb03e58d7ed7eb0f18cdf9b1 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Thu, 19 May 2022 12:20:50 +0200
Subject: [PATCH] `openssl ecparam -list_curves` lists only FIPS-approved
 curves in FIPS mode

Resolves: rhbz#2083240
---
 0045-FIPS-services-minimize.patch | 13 +++++++++++++
 openssl.spec                      |  6 +++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/0045-FIPS-services-minimize.patch b/0045-FIPS-services-minimize.patch
index 81b3e73..2d216c2 100644
--- a/0045-FIPS-services-minimize.patch
+++ b/0045-FIPS-services-minimize.patch
@@ -668,3 +668,16 @@ diff -up openssl-3.0.1/apps/req.c.dfc openssl-3.0.1/apps/req.c
  #endif
  
      prog = opt_init(argc, argv, req_options);
+diff -up openssl-3.0.1/apps/ecparam.c.fips_list_curves openssl-3.0.1/apps/ecparam.c
+--- openssl-3.0.1/apps/ecparam.c.fips_list_curves	2022-05-19 11:46:22.682519422 +0200
++++ openssl-3.0.1/apps/ecparam.c	2022-05-19 11:50:44.559828701 +0200
+@@ -79,6 +79,9 @@ static int list_builtin_curves(BIO *out)
+         const char *comment = curves[n].comment;
+         const char *sname = OBJ_nid2sn(curves[n].nid);
+ 
++        if ((curves[n].nid == NID_secp256k1) && EVP_default_properties_is_fips_enabled(NULL))
++            continue;
++
+         if (comment == NULL)
+             comment = "CURVE DESCRIPTION NOT AVAILABLE";
+         if (sname == NULL)
diff --git a/openssl.spec b/openssl.spec
index 905f281..1748ffe 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.1
-Release: 31%{?dist}
+Release: 32%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -449,6 +449,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 
 %changelog
+* Thu May 19 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-32
+- `openssl ecparam -list_curves` lists only FIPS-approved curves in FIPS mode
+- Resolves: rhbz#2083240
+
 * Wed May 18 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-31
 - Disable SHA-1 signature verification in FIPS mode
 - Disable EVP_PKEY_sign/EVP_PKEY_verify in FIPS mode