Check for selftest failure in various places.

diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c
index ef22737b0ed0ef67aac817bd8f281f0a9f4ca9ef..f3331e1ce5e34c63c4078d7e3e18d336ff78a6c2 100644 (file)
--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c
@@ -306,6 +306,14 @@ int EC_KEY_generate_key(EC_KEY *eckey)
        BIGNUM  *priv_key = NULL, *order = NULL;
        EC_POINT *pub_key = NULL;
 
+#ifdef OPENSSL_FIPS
+       if(FIPS_selftest_failed())
+               {
+               FIPSerr(FIPS_F_EC_KEY_GENERATE_KEY,FIPS_R_FIPS_SELFTEST_FAILED);
+               return 0;
+               }
+#endif
+
        if (!eckey || !eckey->group)
                {
                ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER);

diff --git a/crypto/ecdh/ech_ossl.c b/crypto/ecdh/ech_ossl.c
index f93dfcb4f73ed7d1749c23112f16794ce08e9c70..94a8f4b696a5fcb97c3cd08ab4c471d8dc696210 100644 (file)
--- a/crypto/ecdh/ech_ossl.c
+++ b/crypto/ecdh/ech_ossl.c
@@ -119,6 +119,14 @@ static int ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
        size_t buflen, len;
        unsigned char *buf=NULL;
 
+#ifdef OPENSSL_FIPS
+       if(FIPS_selftest_failed())
+               {
+               FIPSerr(FIPS_F_ECDH_COMPUTE_KEY,FIPS_R_FIPS_SELFTEST_FAILED);
+               return -1;
+               }
+#endif
+
        if (outlen > INT_MAX)
                {
                ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_MALLOC_FAILURE); /* sort of, anyway */

diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c
index acdeea83d4a789c356547546de2f7b56d1170ac1..8336bceb673b6fcd96552a8fa7ed2a9e2e50d83a 100644 (file)
--- a/crypto/ecdsa/ecs_ossl.c
+++ b/crypto/ecdsa/ecs_ossl.c
@@ -238,6 +238,14 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
        ECDSA_DATA *ecdsa;
        const BIGNUM *priv_key;
 
+#ifdef OPENSSL_FIPS
+       if(FIPS_selftest_failed())
+               {
+               FIPSerr(FIPS_F_ECDSA_DO_SIGN,FIPS_R_FIPS_SELFTEST_FAILED);
+               return NULL;
+               }
+#endif
+
        ecdsa    = ecdsa_check(eckey);
        group    = EC_KEY_get0_group(eckey);
        priv_key = EC_KEY_get0_private_key(eckey);
@@ -373,6 +381,14 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
        const EC_GROUP *group;
        const EC_POINT *pub_key;
 
+#ifdef OPENSSL_FIPS
+       if(FIPS_selftest_failed())
+               {
+               FIPSerr(FIPS_F_ECDSA_DO_VERIFY,FIPS_R_FIPS_SELFTEST_FAILED);
+               return -1;
+               }
+#endif
+
        /* check input values */
        if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
            (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL)

diff --git a/crypto/fips_err.h b/crypto/fips_err.h
index c671691b4786b32e5e567db4df5e6541268f27ab..ec6a1d5fd051d043257af24c15c69953002e01aa 100644 (file)
--- a/crypto/fips_err.h
+++ b/crypto/fips_err.h
@@ -77,6 +77,10 @@ static ERR_STRING_DATA FIPS_str_functs[]=
 {ERR_FUNC(FIPS_F_DSA_BUILTIN_PARAMGEN2),       "DSA_BUILTIN_PARAMGEN2"},
 {ERR_FUNC(FIPS_F_DSA_DO_SIGN), "DSA_do_sign"},
 {ERR_FUNC(FIPS_F_DSA_DO_VERIFY),       "DSA_do_verify"},
+{ERR_FUNC(FIPS_F_ECDH_COMPUTE_KEY),    "ECDH_compute_key"},
+{ERR_FUNC(FIPS_F_ECDSA_DO_SIGN),       "ECDSA_do_sign"},
+{ERR_FUNC(FIPS_F_ECDSA_DO_VERIFY),     "ECDSA_do_verify"},
+{ERR_FUNC(FIPS_F_EC_KEY_GENERATE_KEY), "EC_KEY_generate_key"},
 {ERR_FUNC(FIPS_F_FIPS_CHECK_DSA),      "FIPS_CHECK_DSA"},
 {ERR_FUNC(FIPS_F_FIPS_CHECK_DSA_PRNG), "fips_check_dsa_prng"},
 {ERR_FUNC(FIPS_F_FIPS_CHECK_EC),       "FIPS_CHECK_EC"},

diff --git a/fips/fips.h b/fips/fips.h
index 06809c7dcb88ab52a26bc4f99a7a3484e928f199..4cadbd26fd8bcaff31dcee541804add0b4d036bf 100644 (file)
--- a/fips/fips.h
+++ b/fips/fips.h
@@ -349,6 +349,10 @@ void ERR_load_FIPS_strings(void);
 #define FIPS_F_DSA_BUILTIN_PARAMGEN2                    102
 #define FIPS_F_DSA_DO_SIGN                              103
 #define FIPS_F_DSA_DO_VERIFY                            104
+#define FIPS_F_ECDH_COMPUTE_KEY                                 163
+#define FIPS_F_ECDSA_DO_SIGN                            164
+#define FIPS_F_ECDSA_DO_VERIFY                          165
+#define FIPS_F_EC_KEY_GENERATE_KEY                      166
 #define FIPS_F_FIPS_CHECK_DSA                           105
 #define FIPS_F_FIPS_CHECK_DSA_PRNG                      151
 #define FIPS_F_FIPS_CHECK_EC                            106

diff --git a/fips/rand/fips_drbg_lib.c b/fips/rand/fips_drbg_lib.c
index 32e4b83c5e9f7cdcb83fbc44436b3412dd7e0633..1596977fd54d77b4967a5203d1139dc8d33e808f 100644 (file)
--- a/fips/rand/fips_drbg_lib.c
+++ b/fips/rand/fips_drbg_lib.c
@@ -386,6 +386,12 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
        {
        int r = 0;
 
+       if (FIPS_selftest_failed())
+               {
+               FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_SELFTEST_FAILED);
+               return 0;
+               }
+
        if (!fips_drbg_check(dctx))
                return 0;