ec: convert to transient error state on import failure in FIPS provider

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28376)

diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
index 7ac1601c09233100bcd0feb6220f6bc04dbb51e6..f4d8ba7254c0d51dfdf71063855522ed12e176b4 100644 (file)
--- a/providers/implementations/keymgmt/ec_kmgmt.c
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
@@ -442,7 +442,7 @@ int common_import(void *keydata, int selection, const OSSL_PARAM params[],
         ok = bnctx != NULL && ossl_ec_key_pairwise_check(ec, bnctx);
         BN_CTX_free(bnctx);
         if (ok <= 0)
-            ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
+            ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT_IMPORT);
     }
 #endif  /* FIPS_MODULE */
 
@@ -1351,6 +1351,21 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
     if (gctx->group_check != NULL)
         ret = ret && ossl_ec_set_check_group_type_from_name(ec,
                                                             gctx->group_check);
+#ifdef FIPS_MODULE
+    if (ret > 0
+            && !ossl_fips_self_testing()
+            && EC_KEY_get0_public_key(ec) != NULL
+            && EC_KEY_get0_private_key(ec) != NULL
+            && EC_KEY_get0_group(ec) != NULL) {
+        BN_CTX *bnctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(ec));
+
+        ret = bnctx != NULL && ossl_ec_key_pairwise_check(ec, bnctx);
+        BN_CTX_free(bnctx);
+        if (ret <= 0)
+            ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
+    }
+#endif  /* FIPS_MODULE */
+
     if (ret)
         return ec;
 err: