From 7e3aafb60cbcea02e0bb6097b54a2471695866a6 Mon Sep 17 00:00:00 2001
From: John Bland <106998124+jpbland1@users.noreply.github.com>
Date: Fri, 19 May 2023 12:12:44 -0400
Subject: [PATCH] Fix for FIPS ECC integrity check with crypto callback set (#6425)

Skip ECC private key check when the TPM is used to generate the key, since it doesn't release the private part. this option needs to be used with a FIPS approved TPM for the end result to be FIPS approved
---
 configure.ac | 1 -
 wolfcrypt/src/ecc.c | 7 ++++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index 7102fa58c..788219b52 100644
--- a/configure.ac
+++ b/configure.ac
@@ -434,7 +434,6 @@ AS_CASE([$FIPS_VERSION],
 ]
 )
 
-
 # For reproducible build, gate out from the build anything that might
 # introduce semantically frivolous jitter, maximizing chance of
 # identical object files.
diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c
index dca2d69b9..9018105cb 100644
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@@ -5676,7 +5676,12 @@ int wc_ecc_make_key_ex2(WC_RNG* rng, int keysize, ecc_key* key, int curve_id,
 if (err == MP_OKAY) {
 err = _ecc_validate_public_key(key, 0, 0);
 }
- if (err == MP_OKAY) {
+ if (err == MP_OKAY
+#if defined(WOLF_CRYPTO_CB)
+ /* even if WOLF_CRYPTO_CB we generate the key if the devId is invalid */
+ && key->devId == INVALID_DEVID
+#endif
+ ) {
 err = _ecc_pairwise_consistency_test(key, rng);
 }
 #endif
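Review bot: The added `&& key->devId == INVALID_DEVID` guard skips `_ecc_pairwise_consistency_test` for every key that carries a device id when `WOLF_CRYPTO_CB` is defined, not only for keys whose private part really stayed inside the device. If key generation can fall back to software when the callback declines the request (the generation path is outside this hunk, so this is an assumption to confirm), a software-generated key in a FIPS build would then go without its pairwise test. The new comment says when the key is generated but not why the test is skipped; something like `/* PCT needs the private key; a crypto-callback device may not expose it, so run the test only for software keys (devId == INVALID_DEVID) */` would record the reason, and the commit message's requirement that the device itself be FIPS approved belongs there as well. `wc_ecc_make_key_ex2` begins and ends outside the hunk.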