From 38cfb38a6617cb4f3a03f6165e84c6ea1c58bb99 Mon Sep 17 00:00:00 2001
From: Pauli
Date: Fri, 29 Aug 2025 12:42:35 +1000
Subject: [PATCH] ec: convert to transient error state on import failure in FIPS provider

Reviewed-by: Neil Horman
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/28376)
(cherry picked from commit d6f398cc957b704d6af43c9c1f55a5f432226fd0)
---
 providers/implementations/keymgmt/ec_kmgmt.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
index 7d3c2231697..201492a6ea7 100644
--- a/providers/implementations/keymgmt/ec_kmgmt.c
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
@@ -442,7 +442,7 @@ int common_import(void *keydata, int selection, const OSSL_PARAM params[],
         ok = bnctx != NULL && ossl_ec_key_pairwise_check(ec, bnctx);
         BN_CTX_free(bnctx);
         if (ok <= 0)
-            ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
+            ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT_IMPORT);
     }
 #endif /* FIPS_MODULE */
 
@@ -1347,6 +1347,21 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
     if (gctx->group_check != NULL)
         ret = ret && ossl_ec_set_check_group_type_from_name(ec,
                                                             gctx->group_check);
+#ifdef FIPS_MODULE
+    if (ret > 0
+        && !ossl_fips_self_testing()
+        && EC_KEY_get0_public_key(ec) != NULL
+        && EC_KEY_get0_private_key(ec) != NULL
+        && EC_KEY_get0_group(ec) != NULL) {
+        BN_CTX *bnctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(ec));
+
+        ret = bnctx != NULL && ossl_ec_key_pairwise_check(ec, bnctx);
+        BN_CTX_free(bnctx);
+        if (ret <= 0)
+            ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
+    }
+#endif /* FIPS_MODULE */
+
     if (ret)
         return ec;
 err:
-- 
2.47.3
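Review bot: The switch to OSSL_SELF_TEST_TYPE_PCT_IMPORT on the `ossl_set_error_state` call needs a why-comment, because ec_gen in the same file runs the identical pairwise check and reports OSSL_SELF_TEST_TYPE_PCT, and nothing in the code explains why the two differ. Suggest above `if (ok <= 0)`: `/* Imported key material is caller-supplied; a pairwise-check failure here is bad input, not a fault in the module, so enter the transient import PCT state rather than the permanent one. */` — wording to be confirmed against what ossl_set_error_state does with each type. Note also that `ok` is 0 when BN_CTX_new_ex() returns NULL, so an allocation failure is reported through the same import-PCT path; if that is not intended, test bnctx separately before calling ossl_ec_key_pairwise_check. common_import's body starts and ends outside this hunk.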
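Review bot: In the new FIPS block, `ret = bnctx != NULL && ossl_ec_key_pairwise_check(ec, bnctx);` followed by `if (ret <= 0) ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);` treats a failed BN_CTX_new_ex() the same as a failed pairwise check, so an out-of-memory condition during key generation would put the module into the PCT error state even though no consistency test was run. If the intent is for only a genuine pairwise failure to enter that state, split the two cases as below; a NULL bnctx then just fails this generation (ret = 0, falling through to err:) without touching module state. The same four-line sequence now exists in common_import as well, so a small static helper taking the self-test type as its argument would keep the two in step. The err: cleanup this path relies on lies outside the hunk.
```c
        BN_CTX *bnctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(ec));

        if (bnctx == NULL) {
            /* Could not run the PCT: fail this generation, not the module. */
            ret = 0;
        } else {
            ret = ossl_ec_key_pairwise_check(ec, bnctx);
            BN_CTX_free(bnctx);
            if (ret <= 0)
                ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
        }
        /* … unchanged: closing brace and #endif … */
```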