kdf: add FIPS error state handling

Check for provider being disabled on new and derive.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)

1 files changed, 7 insertions, 0 deletions

diff --git a/providers/implementations/kdfs/scrypt.c b/providers/implementations/kdfs/scrypt.c
index 76b0a58e1f..f412f1f8db 100644
--- a/providers/implementations/kdfs/scrypt.c
+++ b/providers/implementations/kdfs/scrypt.c
@@ -18,6 +18,7 @@
 #include "internal/numbers.h"
 #include "prov/implementations.h"
 #include "prov/provider_ctx.h"
+#include "prov/providercommon.h"
 #include "prov/providercommonerr.h"
 #include "prov/implementations.h"
 
@@ -56,6 +57,9 @@ static void *kdf_scrypt_new(void *provctx)
 {
     KDF_SCRYPT *ctx;
 
+    if (!ossl_prov_is_running())
+        return NULL;
+
     ctx = OPENSSL_zalloc(sizeof(*ctx));
     if (ctx == NULL) {
         ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
@@ -127,6 +131,9 @@ static int kdf_scrypt_derive(void *vctx, unsigned char *key,
 {
     KDF_SCRYPT *ctx = (KDF_SCRYPT *)vctx;
 
+    if (!ossl_prov_is_running())
+        return 0;
+
     if (ctx->pass == NULL) {
         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_PASS);
         return 0;