From: Pauli
Date: Fri, 29 Aug 2025 02:42:35 +0000 (+1000)
Subject: ec: convert to transient error state on import failure in FIPS provider
X-Git-Tag: openssl-3.6.0-alpha1~18
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d6f398cc957b704d6af43c9c1f55a5f432226fd0;p=thirdparty%2Fopenssl.git

ec: convert to transient error state on import failure in FIPS provider

Reviewed-by: Neil Horman
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/28376)
---
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
index 7ac1601c092..f4d8ba7254c 100644
--- a/providers/implementations/keymgmt/ec_kmgmt.c
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
@@ -442,7 +442,7 @@ int common_import(void *keydata, int selection, const OSSL_PARAM params[],
 ok = bnctx != NULL && ossl_ec_key_pairwise_check(ec, bnctx);
 BN_CTX_free(bnctx);
 if (ok <= 0)
- ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
+ ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT_IMPORT);
 }
 #endif /* FIPS_MODULE */
@@ -1351,6 +1351,21 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
 if (gctx->group_check != NULL)
 ret = ret && ossl_ec_set_check_group_type_from_name(ec, gctx->group_check);
+#ifdef FIPS_MODULE
+ if (ret > 0
+ && !ossl_fips_self_testing()
+ && EC_KEY_get0_public_key(ec) != NULL
+ && EC_KEY_get0_private_key(ec) != NULL
+ && EC_KEY_get0_group(ec) != NULL) {
+ BN_CTX *bnctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(ec));
+
+ ret = bnctx != NULL && ossl_ec_key_pairwise_check(ec, bnctx);
+ BN_CTX_free(bnctx);
+ if (ret <= 0)
+ ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
+ }
+#endif /* FIPS_MODULE */
+

 if (ret)
 return ec;
 err:
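Review bot: The new `ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT_IMPORT)` call in common_import carries the whole behavioural change of this commit, but nothing at the call site explains why an import-time pairwise failure is reported under a different type than the key-generation PCT, so the next reader has no reason not to "fix" it back. I would add above the `if (ok <= 0)`: `/* The key was supplied by the caller, so a failed pairwise check is bad input rather than a module fault; report it as an import PCT failure (transient, per the commit message) and leave the key rejected. */`. Note that `ok` is also 0 when `bnctx` is NULL (the `ok = bnctx != NULL && ...` context line), so an allocation failure is reported under the same type as a genuine mismatch; that is presumably acceptable because the key is rejected either way, but the comment should say so. common_import begins before this hunk and its body after `#endif` lies outside it.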
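Review bot: In the new FIPS block in ec_gen, `ret = bnctx != NULL && ossl_ec_key_pairwise_check(ec, bnctx)` followed by `if (ret <= 0) ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT)` means a failed `BN_CTX_new_ex` (an allocation failure, not a cryptographic one) is reported as a key-generation PCT failure, which — unlike the import type this commit introduces in the first hunk — is presumably the non-transient, module-wide error state. On the generation path the key is correctly dropped either way (`ret` becomes 0 and control reaches the `err:` label, whose cleanup lies outside the hunk), so only the error-state report needs separating from the rejection, as below. The same allocate/check/free/report shape now appears in both common_import and ec_gen with only the type differing; a small `static` helper taking the `OSSL_SELF_TEST_TYPE_*` value would keep the two from drifting. ec_gen starts before this hunk.
```c
        BN_CTX *bnctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(ec));

        if (bnctx == NULL) {
            /* Cannot run the PCT: reject the key, but this is not a self-test failure */
            ret = 0;
        } else {
            ret = ossl_ec_key_pairwise_check(ec, bnctx);
            BN_CTX_free(bnctx);
            if (ret <= 0)
                ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
        }
        /* … unchanged: closing brace, #endif, if (ret) return ec; … */
```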