keygen: add FIPS error state management to conditional self tests

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12801)

1 files changed, 32 insertions, 16 deletions

diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c
index 104806c1b7..2df7d0f024 100644
--- a/apps/fipsinstall.c
+++ b/apps/fipsinstall.c
@@ -38,7 +38,8 @@ typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
     OPT_IN, OPT_OUT, OPT_MODULE,
     OPT_PROV_NAME, OPT_SECTION_NAME, OPT_MAC_NAME, OPT_MACOPT, OPT_VERIFY,
-    OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET, OPT_CONFIG
+    OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET, OPT_CONFIG,
+    OPT_NO_CONDITIONAL_ERRORS
 } OPTION_CHOICE;
 
 const OPTIONS fipsinstall_options[] = {
@@ -50,7 +51,9 @@ const OPTIONS fipsinstall_options[] = {
     {"provider_name", OPT_PROV_NAME, 's', "FIPS provider name"},
     {"section_name", OPT_SECTION_NAME, 's',
      "FIPS Provider config section name (optional)"},
-
+     {"no_conditional_errors", OPT_NO_CONDITIONAL_ERRORS, '-',
+      "Disable the ability of the fips module to enter an error state if"
+      " any conditional self tests fail"},
     OPT_SECTION("Input"),
     {"in", OPT_IN, '<', "Input config file, used when verifying"},
 
@@ -132,24 +135,28 @@ static int write_config_header(BIO *out, const char *prov_name,
 
 /*
  * Outputs a fips related config file that contains entries for the fips
- * module checksum and the installation indicator checksum.
+ * module checksum, installation indicator checksum and the option
+ * conditional_errors.
  *
  * Returns 1 if the config file is written otherwise it returns 0 on error.
  */
 static int write_config_fips_section(BIO *out, const char *section,
                                      unsigned char *module_mac,
                                      size_t module_mac_len,
+                                     int conditional_errors,
                                      unsigned char *install_mac,
                                      size_t install_mac_len)
 {
     int ret = 0;
 
-    if (!(BIO_printf(out, "[%s]\n", section) > 0
-          && BIO_printf(out, "activate = 1\n") > 0
-          && BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_INSTALL_VERSION,
-                        VERSION_VAL) > 0
-          && print_mac(out, OSSL_PROV_FIPS_PARAM_MODULE_MAC, module_mac,
-                       module_mac_len)))
+    if (BIO_printf(out, "[%s]\n", section) <= 0
+        || BIO_printf(out, "activate = 1\n") <= 0
+        || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_INSTALL_VERSION,
+                      VERSION_VAL) <= 0
+        || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS,
+                      conditional_errors ? "1" : "0") <= 0
+        || !print_mac(out, OSSL_PROV_FIPS_PARAM_MODULE_MAC, module_mac,
+                      module_mac_len))
         goto end;
 
     if (install_mac != NULL) {
@@ -168,7 +175,8 @@ end:
 static CONF *generate_config_and_load(const char *prov_name,
                                       const char *section,
                                       unsigned char *module_mac,
-                                      size_t module_mac_len)
+                                      size_t module_mac_len,
+                                      int conditional_errors)
 {
     BIO *mem_bio = NULL;
     CONF *conf = NULL;
@@ -177,8 +185,10 @@ static CONF *generate_config_and_load(const char *prov_name,
     if (mem_bio  == NULL)
         return 0;
     if (!write_config_header(mem_bio, prov_name, section)
-         || !write_config_fips_section(mem_bio, section, module_mac,
-                                       module_mac_len, NULL, 0))
+         || !write_config_fips_section(mem_bio, section,
+                                       module_mac, module_mac_len,
+                                       conditional_errors,
+                                       NULL, 0))
         goto end;
 
     conf = app_load_config_bio(mem_bio, NULL);
@@ -272,6 +282,7 @@ end:
 int fipsinstall_main(int argc, char **argv)
 {
     int ret = 1, verify = 0, gotkey = 0, gotdigest = 0;
+    int enable_conditional_errors = 1;
     const char *section_name = "fips_sect";
     const char *mac_name = "HMAC";
     const char *prov_name = "fips";
@@ -311,6 +322,9 @@ opthelp:
         case OPT_OUT:
             out_fname = opt_arg();
             break;
+        case OPT_NO_CONDITIONAL_ERRORS:
+            enable_conditional_errors = 0;
+            break;
         case OPT_QUIET:
             quiet = 1;
             /* FALLTHROUGH */
@@ -457,7 +471,8 @@ opthelp:
     } else {
 
         conf = generate_config_and_load(prov_name, section_name, module_mac,
-                                        module_mac_len);
+                                        module_mac_len,
+                                        enable_conditional_errors);
         if (conf == NULL)
             goto end;
         if (!load_fips_prov_and_run_self_test(prov_name))
@@ -468,9 +483,10 @@ opthelp:
             BIO_printf(bio_err, "Failed to open file\n");
             goto end;
         }
-        if (!write_config_fips_section(fout, section_name, module_mac,
-                                       module_mac_len, install_mac,
-                                       install_mac_len))
+        if (!write_config_fips_section(fout, section_name,
+                                       module_mac, module_mac_len,
+                                       enable_conditional_errors,
+                                       install_mac, install_mac_len))
             goto end;
         if (!quiet)
             BIO_printf(bio_out, "INSTALL PASSED\n");