authorPauli <paul.dale@oracle.com>2020-09-07 13:13:10 +1000
committerPauli <paul.dale@oracle.com>2020-09-12 16:46:20 +1000
commit2b9e4e956b37ee49b29a73c7782f525ac8c58cc5 (patch)
tree31c29b78c8c07e474207bf72748385f3086f8191 /providers/implementations/kdfs/krb5kdf.c
parent5b104a81f088ae0da6b0d2d2c746237694ab0a2c (diff)
kdf: add FIPS error state handling
Check for provider being disabled on new and derive. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12801)
Diffstat (limited to 'providers/implementations/kdfs/krb5kdf.c')
-rw-r--r--providers/implementations/kdfs/krb5kdf.c13
1 files changed, 11 insertions, 2 deletions
diff --git a/providers/implementations/kdfs/krb5kdf.c b/providers/implementations/kdfs/krb5kdf.c
index 9a4cf57bc2..0492b09ccc 100644
--- a/providers/implementations/kdfs/krb5kdf.c
+++ b/providers/implementations/kdfs/krb5kdf.c
@@ -28,6 +28,7 @@
#include "prov/implementations.h"
#include "prov/provider_ctx.h"
#include "prov/provider_util.h"
+#include "prov/providercommon.h"
#include "prov/providercommonerr.h"
/* KRB5 KDF defined in RFC 3961, Section 5.1 */
@@ -59,6 +60,9 @@ static void *krb5kdf_new(void *provctx)
{
KRB5KDF_CTX *ctx;
+ if (!ossl_prov_is_running())
+ return NULL;
+
if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL)
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
ctx->provctx = provctx;
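Review bot: The allocation-failure branch in krb5kdf_new raises ERR_R_MALLOC_FAILURE but, as the hunk shows it, has no braces and no return, so `ctx->provctx = provctx;` on the next line dereferences NULL when OPENSSL_zalloc fails. The commit adds the running-state guard above it and leaves this path untouched. The branch should return after raising the error: `if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); return NULL; }`. The rest of the function body lies outside the hunk.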
@@ -99,9 +103,13 @@ static int krb5kdf_derive(void *vctx, unsigned char *key,
size_t keylen)
{
KRB5KDF_CTX *ctx = (KRB5KDF_CTX *)vctx;
- const EVP_CIPHER *cipher = ossl_prov_cipher_cipher(&ctx->cipher);
- ENGINE *engine = ossl_prov_cipher_engine(&ctx->cipher);
+ const EVP_CIPHER *cipher;
+ ENGINE *engine;
+ if (!ossl_prov_is_running())
+ return 0;
+
+ cipher = ossl_prov_cipher_cipher(&ctx->cipher);
if (cipher == NULL) {
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CIPHER);
return 0;
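Review bot: The new early return `if (!ossl_prov_is_running()) return 0;` is the only failure path in the visible part of krb5kdf_derive that does not call ERR_raise, so from this function alone a caller cannot tell a disabled provider from any other failure. The guard added to krb5kdf_new has the same shape. If the silence is intentional (presumably the error is recorded when the provider enters the error state, which is not visible here), a one-line comment on the guard would spare the next reader the question, e.g. `/* provider already reported its error state; fail without raising again */`. The function body continues outside this hunk.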
@@ -114,6 +122,7 @@ static int krb5kdf_derive(void *vctx, unsigned char *key,
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONSTANT);
return 0;
}
+ engine = ossl_prov_cipher_engine(&ctx->cipher);
return KRB5KDF(cipher, engine, ctx->key, ctx->key_len,
ctx->constant, ctx->constant_len,
key, keylen);