Add OSSL_SELF_TEST_TYPE_PCT_IMPORT transient error state
authorPauli <ppzgs1@gmail.com>
Fri, 29 Aug 2025 02:41:22 +0000 (12:41 +1000)
committerNeil Horman <nhorman@openssl.org>
Sat, 30 Aug 2025 13:23:31 +0000 (09:23 -0400)
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28376)

(cherry picked from commit 1dc1de78617a3ef817d845329ad9c7b8c96362a2)

include/openssl/self_test.h
providers/fips/self_test.c

index c4439cb287155c05b447fbae8be85d0ae770e460..6c81cef4c300281306b4088e152b9052b564c8f0 100644 (file)
@@ -31,6 +31,7 @@ extern "C" {
 # define OSSL_SELF_TEST_TYPE_CRNG               "Continuous_RNG_Test"
 # define OSSL_SELF_TEST_TYPE_PCT                "Conditional_PCT"
 # define OSSL_SELF_TEST_TYPE_PCT_KAT            "Conditional_KAT"
+# define OSSL_SELF_TEST_TYPE_PCT_IMPORT         "Import_PCT"
 # define OSSL_SELF_TEST_TYPE_KAT_INTEGRITY      "KAT_Integrity"
 # define OSSL_SELF_TEST_TYPE_KAT_CIPHER         "KAT_Cipher"
 # define OSSL_SELF_TEST_TYPE_KAT_ASYM_CIPHER    "KAT_AsymmetricCipher"
index ef7be26ca722367e4d8484ddf3b03b5b43e04a2c..456efd139e94e1eea69754b2bede4c0332c95d20 100644 (file)
@@ -424,9 +424,18 @@ void SELF_TEST_disable_conditional_error_state(void)
 
 void ossl_set_error_state(const char *type)
 {
-    int cond_test = (type != NULL && strcmp(type, OSSL_SELF_TEST_TYPE_PCT) == 0);
+    int cond_test = 0;
+    int import_pct = 0;
 
-    if (!cond_test || (FIPS_conditional_error_check == 1)) {
+    if (type != NULL) {
+        cond_test = strcmp(type, OSSL_SELF_TEST_TYPE_PCT) == 0;
+        import_pct = strcmp(type, OSSL_SELF_TEST_TYPE_PCT_IMPORT) == 0;
+    }
+
+    if (import_pct) {
+        /* Failure to import is transient to avoid a DoS attack */
+        ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_IMPORT_PCT_ERROR);
+    } else if (!cond_test || (FIPS_conditional_error_check == 1)) {
         set_fips_state(FIPS_STATE_ERROR);
         ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE);
     } else {
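Review bot: The comment in the new `import_pct` branch is too terse for a branch that deliberately departs from the latch-on-failure behaviour of `ossl_set_error_state`: it does not say that `set_fips_state(FIPS_STATE_ERROR)` is skipped unconditionally, even when `FIPS_conditional_error_check == 1`. I would spell the reasoning out, e.g. `/* Imported key material is caller-supplied and may be hostile: raise the error but never latch FIPS_STATE_ERROR, regardless of FIPS_conditional_error_check, so a bad key cannot disable the module */`. Because the module state is left unchanged here, rejecting the key depends entirely on the import callers acting on the failed PCT; those call sites are not in this hunk, so that should be confirmed there. The function body continues past the end of the hunk.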