diff --git a/crypto/fipsmodule/ec/ec_key.c b/crypto/fipsmodule/ec/ec_key.c index 24128f40d5..d7aea95f1f 100644 --- a/crypto/fipsmodule/ec/ec_key.c +++ b/crypto/fipsmodule/ec/ec_key.c @@ -550,9 +550,8 @@ int EC_KEY_generate_key_fips(EC_KEY *eckey) { #if defined(AWSLC_FIPS) AWS_LC_FIPS_failure("EC keygen checks failed"); -#else - return 0; #endif + return 0; } int EC_KEY_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, diff --git a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/sign.c b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/sign.c index 9722f6490b..c0474c5b33 100644 --- a/crypto/fipsmodule/ml_dsa/ml_dsa_ref/sign.c +++ b/crypto/fipsmodule/ml_dsa/ml_dsa_ref/sign.c @@ -51,7 +51,7 @@ static int ml_dsa_keypair_pct(ml_dsa_params *params, * array of CRYPTO_SECRETKEYBYTES bytes) * - const uint8_t *rnd: pointer to random seed * - * Returns 0 (success) + * Returns 0 (success) -1 on failure or abort depending on FIPS mode **************************************************/ int ml_dsa_keypair_internal(ml_dsa_params *params, uint8_t *pk, @@ -114,6 +114,7 @@ int ml_dsa_keypair_internal(ml_dsa_params *params, // Abort in case of PCT failure. if (!ml_dsa_keypair_pct(params, pk, sk)) { AWS_LC_FIPS_failure("ML-DSA keygen PCT failed"); + return -1; } #endif return 0; @@ -138,9 +139,9 @@ int ml_dsa_keypair(ml_dsa_params *params, uint8_t *pk, uint8_t *sk) { if (!RAND_bytes(seed, ML_DSA_SEEDBYTES)) { return -1; } - ml_dsa_keypair_internal(params, pk, sk, seed); + int result = ml_dsa_keypair_internal(params, pk, sk, seed); OPENSSL_cleanse(seed, sizeof(seed)); - return 0; + return result; } /************************************************* diff --git a/crypto/fipsmodule/ml_kem/ml_kem_ref/kem.c b/crypto/fipsmodule/ml_kem/ml_kem_ref/kem.c index 7f74bc8365..3aaf55ef00 100644 --- a/crypto/fipsmodule/ml_kem/ml_kem_ref/kem.c +++ b/crypto/fipsmodule/ml_kem/ml_kem_ref/kem.c @@ -59,7 +59,6 @@ int crypto_kem_keypair_derand(ml_kem_params *params, memcpy(sk+params->secret_key_bytes-KYBER_SYMBYTES, coins+KYBER_SYMBYTES, KYBER_SYMBYTES); #if defined(AWSLC_FIPS) - // Abort in case of PCT failure. if (keygen_pct(params, pk, sk)) { return -1; }