From d4dfefef6ab0743dba71a96cceeceb3dcf8c5bb5 Mon Sep 17 00:00:00 2001
From: Pauli <ppzgs1@gmail.com>
Date: Fri, 29 Aug 2025 12:41:22 +1000
Subject: [PATCH] Add OSSL_SELF_TEST_TYPE_PCT_IMPORT transient error state

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28376)

(cherry picked from commit 1dc1de78617a3ef817d845329ad9c7b8c96362a2)
---
 include/openssl/self_test.h |  1 +
 providers/fips/self_test.c  | 13 +++++++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/include/openssl/self_test.h b/include/openssl/self_test.h
index c4439cb2871..6c81cef4c30 100644
--- a/include/openssl/self_test.h
+++ b/include/openssl/self_test.h
@@ -31,6 +31,7 @@ extern "C" {
 # define OSSL_SELF_TEST_TYPE_CRNG               "Continuous_RNG_Test"
 # define OSSL_SELF_TEST_TYPE_PCT                "Conditional_PCT"
 # define OSSL_SELF_TEST_TYPE_PCT_KAT            "Conditional_KAT"
+# define OSSL_SELF_TEST_TYPE_PCT_IMPORT         "Import_PCT"
 # define OSSL_SELF_TEST_TYPE_KAT_INTEGRITY      "KAT_Integrity"
 # define OSSL_SELF_TEST_TYPE_KAT_CIPHER         "KAT_Cipher"
 # define OSSL_SELF_TEST_TYPE_KAT_ASYM_CIPHER    "KAT_AsymmetricCipher"
diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
index ef7be26ca72..456efd139e9 100644
--- a/providers/fips/self_test.c
+++ b/providers/fips/self_test.c
@@ -424,9 +424,18 @@ void SELF_TEST_disable_conditional_error_state(void)
 
 void ossl_set_error_state(const char *type)
 {
-    int cond_test = (type != NULL && strcmp(type, OSSL_SELF_TEST_TYPE_PCT) == 0);
+    int cond_test = 0;
+    int import_pct = 0;
 
-    if (!cond_test || (FIPS_conditional_error_check == 1)) {
+    if (type != NULL) {
+        cond_test = strcmp(type, OSSL_SELF_TEST_TYPE_PCT) == 0;
+        import_pct = strcmp(type, OSSL_SELF_TEST_TYPE_PCT_IMPORT) == 0;
+    }
+
+    if (import_pct) {
+        /* Failure to import is transient to avoid a DoS attack */
+        ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_IMPORT_PCT_ERROR);
+    } else if (!cond_test || (FIPS_conditional_error_check == 1)) {
         set_fips_state(FIPS_STATE_ERROR);
         ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE);
     } else {
-- 
2.47.3