--- openssl-1.1.0f.ebuild	2017-10-11 21:44:59.835115343 -0700
+++ openssl-1.1.0f-r1.ebuild	2017-10-11 22:25:22.556417839 -0700
@@ -3,12 +3,15 @@
 
 EAPI=5
 
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal rpm
 
 MY_P=${P/_/-}
 DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
 HOMEPAGE="http://www.openssl.org/"
-SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
+SRC_URI="
+	!bindist? ( mirror://openssl/source/${MY_P}.tar.gz )
+	bindist? ( https://archives.fedoraproject.org/pub/fedora/linux/development/27/Everything/source/tree/Packages/o/${P}-9.fc27.src.rpm )
+"
 
 LICENSE="openssl"
 SLOT="0/1.1" # .so version of libssl/libcrypto
@@ -38,6 +41,27 @@
 )
 
 src_prepare() {
+	# This does not copy the entire Fedora patchset, but JUST the parts that
+	# are needed to make it safe to use EC with RESTRICT=bindist.
+	# See openssl.spec
+	if use bindist; then
+		# Constants from openssl.spec
+		SOURCE1=hobble-openssl
+		SOURCE12=ec_curve.c
+		SOURCE13=ectest.c
+		PATCH1=openssl-1.1.0-build.patch # Fixes EVP testcase for EC
+		PATCH37=openssl-1.1.0-ec-curves.patch
+		# .spec %prep
+		"${WORKDIR}"/"$SOURCE1" || die
+		cp "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die
+		cp "${WORKDIR}"/"${SOURCE13}" "${S}"/test/ || die
+		epatch "${WORKDIR}"/"${PATCH1}"
+		epatch "${WORKDIR}"/"${PATCH37}"
+		# Also see the configure parts below:
+		# enable-ec \
+		# $(use_ssl !bindist ec2m) \
+
+	fi
 	# keep this in sync with app-misc/c_rehash
 	SSL_CNF_DIR="/etc/ssl"
 
@@ -132,13 +156,15 @@
 	[[ -z ${sslout} ]] && config="config"
 
 	echoit \
+	# Fedora hobbled-EC needs 'no-ec2m'.
 	./${config} \
 		${sslout} \
 		--api=1.0.0 \
 		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
 		enable-camellia \
 		disable-deprecated \
-		$(use_ssl !bindist ec) \
+		enable-ec \
+		$(use_ssl !bindist ec2m) \
 		${ec_nistp_64_gcc_128} \
 		enable-idea \
 		enable-mdc2 \