From 2b9e4e956b37ee49b29a73c7782f525ac8c58cc5 Mon Sep 17 00:00:00 2001
From: Pauli
Date: Mon, 7 Sep 2020 13:13:10 +1000
Subject: kdf: add FIPS error state handling Check for provider being disabled on new and derive.
Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/12801)
---
 providers/implementations/kdfs/scrypt.c | 7 +++++++
 1 file changed, 7 insertions(+) (limited to 'providers/implementations/kdfs/scrypt.c')
diff --git a/providers/implementations/kdfs/scrypt.c b/providers/implementations/kdfs/scrypt.c
index 76b0a58e1f..f412f1f8db 100644
--- a/providers/implementations/kdfs/scrypt.c
+++ b/providers/implementations/kdfs/scrypt.c
@@ -18,6 +18,7 @@
 #include "internal/numbers.h"
 #include "prov/implementations.h"
 #include "prov/provider_ctx.h"
+#include "prov/providercommon.h"
 #include "prov/providercommonerr.h"
 #include "prov/implementations.h"
@@ -56,6 +57,9 @@ static void *kdf_scrypt_new(void *provctx)
 {
 KDF_SCRYPT *ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
 ctx = OPENSSL_zalloc(sizeof(*ctx));
 if (ctx == NULL) {
 ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
@@ -127,6 +131,9 @@ static int kdf_scrypt_derive(void *vctx, unsigned char *key,
 {
 KDF_SCRYPT *ctx = (KDF_SCRYPT *)vctx;
+ if (!ossl_prov_is_running())
+ return 0;
+
 if (ctx->pass == NULL) {
 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_PASS);
 return 0;
-- cgit v1.2.3
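Review bot: The early `return NULL` added to kdf_scrypt_new puts nothing on the error queue, while the allocation failure directly below it raises ERR_R_MALLOC_FAILURE. A caller therefore cannot tell a disabled provider from any other NULL return unless ossl_prov_is_running() raises the error itself, which this diff does not show. The same applies to the `return 0` added in kdf_scrypt_derive, next to the path that raises PROV_R_MISSING_PASS. If the helper does report, a comment on both checks such as `/* ossl_prov_is_running() has already raised the error */` would record that; if it does not, an error should be raised before returning. Both function bodies continue outside their hunks.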
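Review bot: The check in kdf_scrypt_derive has no comment explaining why it repeats the one in kdf_scrypt_new. A context can outlive the moment the provider is disabled, so this is the check that stops key material being written to `key`. I would add `/* A ctx created earlier must not yield output once the provider is disabled. */` above it. The commit message names only new and derive, so it is worth confirming whether the parameter-setting and reset entry points are meant to stay ungated; they are outside this diff.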