Check for selftest failure in various places.

crypto/ec/ec_key.c

@@ -306,6 +306,14 @@ int EC_KEY_generate_key(EC_KEY *eckey)
 	BIGNUM	*priv_key = NULL, *order = NULL;
 	EC_POINT *pub_key = NULL;
 
+#ifdef OPENSSL_FIPS
+	if(FIPS_selftest_failed())
+		{
+		FIPSerr(FIPS_F_EC_KEY_GENERATE_KEY,FIPS_R_FIPS_SELFTEST_FAILED);
+		return 0;
+		}
+#endif
+
 	if (!eckey || !eckey->group)
 		{
 		ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER);

crypto/ecdh/ech_ossl.c

@@ -119,6 +119,14 @@ static int ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
 	size_t buflen, len;
 	unsigned char *buf=NULL;
 
+#ifdef OPENSSL_FIPS
+	if(FIPS_selftest_failed())
+		{
+		FIPSerr(FIPS_F_ECDH_COMPUTE_KEY,FIPS_R_FIPS_SELFTEST_FAILED);
+		return -1;
+		}
+#endif
+
 	if (outlen > INT_MAX)
 		{
 		ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_MALLOC_FAILURE); /* sort of, anyway */

crypto/ecdsa/ecs_ossl.c

@@ -238,6 +238,14 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
 	ECDSA_DATA *ecdsa;
 	const BIGNUM *priv_key;
 
+#ifdef OPENSSL_FIPS
+	if(FIPS_selftest_failed())
+		{
+		FIPSerr(FIPS_F_ECDSA_DO_SIGN,FIPS_R_FIPS_SELFTEST_FAILED);
+		return NULL;
+		}
+#endif
+
 	ecdsa    = ecdsa_check(eckey);
 	group    = EC_KEY_get0_group(eckey);
 	priv_key = EC_KEY_get0_private_key(eckey);
@@ -373,6 +381,14 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
 	const EC_GROUP *group;
 	const EC_POINT *pub_key;
 
+#ifdef OPENSSL_FIPS
+	if(FIPS_selftest_failed())
+		{
+		FIPSerr(FIPS_F_ECDSA_DO_VERIFY,FIPS_R_FIPS_SELFTEST_FAILED);
+		return -1;
+		}
+#endif
+
 	/* check input values */
 	if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
 	    (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL)

crypto/fips_err.h

@@ -77,6 +77,10 @@ static ERR_STRING_DATA FIPS_str_functs[]=
 {ERR_FUNC(FIPS_F_DSA_BUILTIN_PARAMGEN2),	"DSA_BUILTIN_PARAMGEN2"},
 {ERR_FUNC(FIPS_F_DSA_DO_SIGN),	"DSA_do_sign"},
 {ERR_FUNC(FIPS_F_DSA_DO_VERIFY),	"DSA_do_verify"},
+{ERR_FUNC(FIPS_F_ECDH_COMPUTE_KEY),	"ECDH_compute_key"},
+{ERR_FUNC(FIPS_F_ECDSA_DO_SIGN),	"ECDSA_do_sign"},
+{ERR_FUNC(FIPS_F_ECDSA_DO_VERIFY),	"ECDSA_do_verify"},
+{ERR_FUNC(FIPS_F_EC_KEY_GENERATE_KEY),	"EC_KEY_generate_key"},
 {ERR_FUNC(FIPS_F_FIPS_CHECK_DSA),	"FIPS_CHECK_DSA"},
 {ERR_FUNC(FIPS_F_FIPS_CHECK_DSA_PRNG),	"fips_check_dsa_prng"},
 {ERR_FUNC(FIPS_F_FIPS_CHECK_EC),	"FIPS_CHECK_EC"},

fips/fips.h

@@ -349,6 +349,10 @@ void ERR_load_FIPS_strings(void);
 #define FIPS_F_DSA_BUILTIN_PARAMGEN2			 102
 #define FIPS_F_DSA_DO_SIGN				 103
 #define FIPS_F_DSA_DO_VERIFY				 104
+#define FIPS_F_ECDH_COMPUTE_KEY				 163
+#define FIPS_F_ECDSA_DO_SIGN				 164
+#define FIPS_F_ECDSA_DO_VERIFY				 165
+#define FIPS_F_EC_KEY_GENERATE_KEY			 166
 #define FIPS_F_FIPS_CHECK_DSA				 105
 #define FIPS_F_FIPS_CHECK_DSA_PRNG			 151
 #define FIPS_F_FIPS_CHECK_EC				 106

fips/rand/fips_drbg_lib.c

@@ -386,6 +386,12 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
 	{
 	int r = 0;
 
+	if (FIPS_selftest_failed())
+		{
+		FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_SELFTEST_FAILED);
+		return 0;
+		}
+
 	if (!fips_drbg_check(dctx))
 		return 0;