diff -up libgcrypt-1.7.3/src/visibility.c.fips-reqs libgcrypt-1.7.3/src/visibility.c
--- libgcrypt-1.7.3/src/visibility.c.fips-reqs	2016-03-23 12:59:34.000000000 +0100
+++ libgcrypt-1.7.3/src/visibility.c	2016-11-22 16:29:36.992042480 +0100
@@ -1288,6 +1288,8 @@ gcry_kdf_derive (const void *passphrase,
                  unsigned long iterations,
                  size_t keysize, void *keybuffer)
 {
+  if (!fips_is_operational ())
+    return gpg_error (fips_not_operational ());
   return gpg_error (_gcry_kdf_derive (passphrase, passphraselen, algo, hashalgo,
                                       salt, saltlen, iterations,
                                       keysize, keybuffer));
@@ -1343,6 +1345,13 @@ void
 gcry_mpi_randomize (gcry_mpi_t w,
                     unsigned int nbits, enum gcry_random_level level)
 {
+  if (!fips_is_operational ())
+    {
+      (void)fips_not_operational ();
+      fips_signal_fatal_error ("called in non-operational state");
+      fips_noreturn ();
+    }
+
   _gcry_mpi_randomize (w, nbits, level);
 }
 
@@ -1368,6 +1377,8 @@ gcry_prime_generate (gcry_mpi_t *prime,
                      gcry_random_level_t random_level,
                      unsigned int flags)
 {
+  if (!fips_is_operational ())
+    return gpg_error (fips_not_operational ());
   return gpg_error (_gcry_prime_generate (prime, prime_bits, factor_bits,
                                           factors, cb_func, cb_arg,
                                           random_level, flags));