keygen: add FIPS error state management to conditional self tests

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12801)

8 files changed, 37 insertions, 9 deletions

diff --git a/providers/common/include/prov/providercommon.h b/providers/common/include/prov/providercommon.h
index 280d2d2072..44e9c812aa 100644
--- a/providers/common/include/prov/providercommon.h
+++ b/providers/common/include/prov/providercommon.h
@@ -20,7 +20,7 @@ int cipher_capable_aes_cbc_hmac_sha256(void);
 OSSL_FUNC_provider_get_capabilities_fn provider_get_capabilities;
 
 /* Set the error state if this is a FIPS module */
-void ossl_set_error_state(void);
+void ossl_set_error_state(const char *type);
 
 /* Return true if the module is in a usable condition */
 int ossl_prov_is_running(void);
diff --git a/providers/common/include/prov/providercommonerr.h b/providers/common/include/prov/providercommonerr.h
index d4d3c7e8e8..d972a819e2 100644
--- a/providers/common/include/prov/providercommonerr.h
+++ b/providers/common/include/prov/providercommonerr.h
@@ -75,6 +75,7 @@ int ERR_load_PROV_strings(void);
 # define PROV_R_FAILED_TO_GET_PARAMETER                   103
 # define PROV_R_FAILED_TO_SET_PARAMETER                   104
 # define PROV_R_FAILED_TO_SIGN                            175
+# define PROV_R_FIPS_MODULE_CONDITIONAL_ERROR             227
 # define PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE          224
 # define PROV_R_FIPS_MODULE_IN_ERROR_STATE                225
 # define PROV_R_GENERATE_ERROR                            191
@@ -133,7 +134,7 @@ int ERR_load_PROV_strings(void);
 # define PROV_R_NOT_A_PRIVATE_KEY                         221
 # define PROV_R_NOT_A_PUBLIC_KEY                          220
 # define PROV_R_NOT_INSTANTIATED                          193
-# define PROV_R_NOT_PARAMETERS                            224
+# define PROV_R_NOT_PARAMETERS                            226
 # define PROV_R_NOT_SUPPORTED                             136
 # define PROV_R_NOT_XOF_OR_INVALID_LENGTH                 113
 # define PROV_R_NO_KEY_SET                                114
diff --git a/providers/common/provider_err.c b/providers/common/provider_err.c
index 329bb279eb..606d78cc57 100644
--- a/providers/common/provider_err.c
+++ b/providers/common/provider_err.c
@@ -58,6 +58,8 @@ static const ERR_STRING_DATA PROV_str_reasons[] = {
     {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FAILED_TO_SET_PARAMETER),
     "failed to set parameter"},
     {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FAILED_TO_SIGN), "failed to sign"},
+    {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_CONDITIONAL_ERROR),
+    "fips module conditional error"},
     {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE),
     "fips module entering error state"},
     {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_IN_ERROR_STATE),
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 0f1c979efe..4290a87e6e 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -126,6 +126,9 @@ static OSSL_PARAM core_params[] =
     OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_VERSION,
                         selftest_params.indicator_version,
                         sizeof(selftest_params.indicator_version)),
+    OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS,
+                        selftest_params.conditional_error_check,
+                        sizeof(selftest_params.conditional_error_check)),
     OSSL_PARAM_END
 };
 
@@ -645,6 +648,10 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
         ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
         return 0;
     }
+    /* Disable the conditional error check if is disabled in the fips config file*/
+    if (selftest_params.conditional_error_check != NULL
+        && strcmp(selftest_params.conditional_error_check, "0") == 0)
+        SELF_TEST_disable_conditional_error_state();
 
     /*  Create a context. */
     if ((*provctx = PROV_CTX_new()) == NULL
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
index b0df0863e2..9d95f0ccf1 100644
--- a/providers/fips/self_test.c
+++ b/providers/fips/self_test.c
@@ -44,6 +44,7 @@
 #define MAC_NAME    "HMAC"
 #define DIGEST_NAME "SHA256"
 
+static int FIPS_conditional_error_check = 1;
 static int FIPS_state = FIPS_STATE_INIT;
 static CRYPTO_RWLOCK *self_test_lock = NULL;
 static unsigned char fixed_key[32] = { FIPS_KEY_ELEMENTS };
@@ -311,16 +312,27 @@ end:
     if (ok)
         FIPS_state = FIPS_STATE_RUNNING;
     else
-        ossl_set_error_state();
+        ossl_set_error_state(OSSL_SELF_TEST_TYPE_NONE);
     CRYPTO_THREAD_unlock(self_test_lock);
 
     return ok;
 }
 
-void ossl_set_error_state(void)
+void SELF_TEST_disable_conditional_error_state(void)
 {
-    FIPS_state = FIPS_STATE_ERROR;
-    ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE);
+    FIPS_conditional_error_check = 0;
+}
+
+void ossl_set_error_state(const char *type)
+{
+    int cond_test = (type != NULL && strcmp(type, OSSL_SELF_TEST_TYPE_PCT) == 0);
+
+    if (!cond_test || (FIPS_conditional_error_check == 1)) {
+        FIPS_state = FIPS_STATE_ERROR;
+        ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE);
+    } else {
+        ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_CONDITIONAL_ERROR);
+    }
 }
 
 int ossl_prov_is_running(void)
diff --git a/providers/fips/self_test.h b/providers/fips/self_test.h
index 20f8a12472..205623cc3d 100644
--- a/providers/fips/self_test.h
+++ b/providers/fips/self_test.h
@@ -21,6 +21,9 @@ typedef struct self_test_post_params_st {
     const char *indicator_data;             /* data to perform MAC on */
     const char *indicator_checksum_data;    /* Expected MAC integrity value */
 
+    /* Used for continuous tests */
+    const char *conditional_error_check;
+
     /* BIO callbacks supplied to the FIPS provider */
     OSSL_FUNC_BIO_new_file_fn *bio_new_file_cb;
     OSSL_FUNC_BIO_new_membuf_fn *bio_new_buffer_cb;
@@ -34,3 +37,5 @@ typedef struct self_test_post_params_st {
 
 int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test);
 int SELF_TEST_kats(OSSL_SELF_TEST *event, OPENSSL_CTX *libctx);
+
+void SELF_TEST_disable_conditional_error_state(void);
diff --git a/providers/implementations/rands/crngt.c b/providers/implementations/rands/crngt.c
index 9a9e9c703b..e23485291b 100644
--- a/providers/implementations/rands/crngt.c
+++ b/providers/implementations/rands/crngt.c
@@ -16,6 +16,7 @@
 #include <openssl/evp.h>
 #include <openssl/core_dispatch.h>
 #include <openssl/params.h>
+#include <openssl/self_test.h>
 #include "prov/providercommon.h"
 #include "prov/provider_ctx.h"
 #include "internal/cryptlib.h"
@@ -99,7 +100,7 @@ static int prov_crngt_compare_previous(const unsigned char *prev,
     const int res = memcmp(prev, cur, sz) != 0;
 
     if (!res)
-        ossl_set_error_state();
+        ossl_set_error_state(OSSL_SELF_TEST_TYPE_CRNG);
     return res;
 }
 
diff --git a/providers/prov_running.c b/providers/prov_running.c
index 7e62dedf4d..379fd5d25c 100644
--- a/providers/prov_running.c
+++ b/providers/prov_running.c
@@ -11,11 +11,11 @@
 #include "prov/providercommon.h"
 
 /* By default, our providers don't have an error state */
-void ossl_set_error_state(void)
+void ossl_set_error_state(const char *type)
 {
 }
 
-/* By default, out providers are always in a happy state */
+/* By default, our providers are always in a happy state */
 int ossl_prov_is_running(void)
 {
     return 1;