[FYI 3.3 backport] fips: Allow builds in pedantic mode

Configure

@@ -465,6 +465,7 @@ my @disablables = (
     "external-tests",
     "filenames",
     "fips",
+    "fips-pedanticonly",
     "fips-securitychecks",
     "fuzz-afl",
     "fuzz-libfuzzer",
@@ -574,6 +575,7 @@ our %disabled = ( # "what"         => "comment"
                   "ec_nistp_64_gcc_128" => "default",
                   "egd"                 => "default",
                   "external-tests"      => "default",
+                  "fips-pedanticonly"   => "default",
                   "fuzz-afl"            => "default",
                   "fuzz-libfuzzer"      => "default",
                   "ktls"                => "default",

providers/fips/fipsprov.c

@@ -27,6 +27,12 @@
 #include "crypto/context.h"
 #include "internal/core.h"
 
+#ifndef OPENSSL_NO_FIPS_PEDANTICONLY
+# define FIPS_PEDANTIC_DEFAULT 1
+#else
+# define FIPS_PEDANTIC_DEFAULT 0
+#endif
+
 static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes";
 static const char FIPS_UNAPPROVED_PROPERTIES[] = "provider=fips,fips=no";
 
@@ -104,8 +110,8 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx)
     if (fgbl == NULL)
         return NULL;
     init_fips_option(&fgbl->fips_security_checks, 1);
-    init_fips_option(&fgbl->fips_tls1_prf_ems_check, 0); /* Disabled by default */
-    init_fips_option(&fgbl->fips_restricted_drgb_digests, 0);
+    init_fips_option(&fgbl->fips_tls1_prf_ems_check, FIPS_PEDANTIC_DEFAULT);
+    init_fips_option(&fgbl->fips_restricted_drgb_digests, FIPS_PEDANTIC_DEFAULT);
     return fgbl;
 }
 
@@ -184,6 +190,17 @@ static int fips_get_params_from_core(FIPS_GLOBAL *fgbl)
         return 0;
     }
 
+#ifndef OPENSSL_NO_FIPS_PEDANTICONLY
+    if (fgbl->selftest_params.indicator_checksum_data ||
+        fgbl->selftest_params.indicator_data ||
+        (fgbl->fips_security_checks.option && strcmp(fgbl->fips_security_checks.option, "1")) ||
+        (fgbl->fips_tls1_prf_ems_check.option && strcmp(fgbl->fips_tls1_prf_ems_check.option, "1")) ||
+        (fgbl->fips_restricted_drgb_digests.option && strcmp(fgbl->fips_restricted_drgb_digests.option, "1"))) {
+        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+        return 0;
+    }
+#endif
+
     return 1;
 }
 

test/recipes/03-test_fipsinstall.t

@@ -32,7 +32,7 @@ my @pedantic_okay =
 my @pedantic_fail =
     ( 'no_conditional_errors', 'no_security_checks', 'self_test_oninstall' );
 
-plan tests => 35 + (scalar @pedantic_okay) + (scalar @pedantic_fail);
+plan tests => 36 + (scalar @pedantic_okay) + (scalar @pedantic_fail) + (config("fips-pedanticonly") ? 1 : 0);
 
 my $infile = bldtop_file('providers', platform->dso('fips'));
 my $fipskey = $ENV{FIPSKEY} // config('FIPSKEY') // '00';
@@ -118,13 +118,28 @@ ok(!run(app(['openssl', 'fipsinstall', '-in', 'dummy.tmp', '-module', $infile,
              '-section_name', 'fips_sect', '-verify'])),
    "fipsinstall verify fail");
 
-
-# output a fips.cnf file containing mac data
-ok(run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
-            '-provider_name', 'fips', '-mac_name', 'HMAC',
-            '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
-            '-section_name', 'fips_sect'])),
-   "fipsinstall");
+if (disabled("fips-pedanticonly")) {
+    # output a fips.cnf file containing mac data
+    ok(run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
+		'-provider_name', 'fips', '-mac_name', 'HMAC',
+		'-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
+		'-section_name', 'fips_sect'])),
+       "fipsinstall");
+} else {
+    # output a fips.cnf file containing mac data fails without pedantic
+    ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
+		'-provider_name', 'fips', '-mac_name', 'HMAC',
+		'-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
+		'-section_name', 'fips_sect'])),
+       "fipsinstall fails without pedantic");
+
+    # output a fips.cnf file containing mac data (with pedantic)
+    ok(run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
+		'-provider_name', 'fips', '-mac_name', 'HMAC', '-pedantic',
+		'-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
+		'-section_name', 'fips_sect'])),
+       "fipsinstall");
+}
 
 # verify the fips.cnf file
 ok(run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile,
@@ -376,18 +391,23 @@ SKIP: {
        "fipsinstall fails when attempting to run self tests on install");
 }
 
+
+SKIP: {
+    skip "default to not banning truncted digests with DRBGs in pedanticonly", 3
+	unless disabled("fips-pedanticonly");
+
 ok(find_line_file('drbg-no-trunc-md = 0', 'fips.cnf') == 1,
    'fipsinstall defaults to not banning truncated digests with DRBGs');
 
 ok(run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
-           '-provider_name', 'fips', '-mac_name', 'HMAC',
-           '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
-           '-section_name', 'fips_sect', '-no_drbg_truncated_digests'])),
+	    '-provider_name', 'fips', '-mac_name', 'HMAC',
+	    '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
+	    '-section_name', 'fips_sect', '-no_drbg_truncated_digests'])),
    "fipsinstall knows about allowing truncated digests in DRBGs");
 
 ok(find_line_file('drbg-no-trunc-md = 1', 'fips.cnf') == 1,
    'fipsinstall will allow option for truncated digests with DRBGs');
-
+}
 
 ok(run(app(['openssl', 'fipsinstall', '-out', 'fips-pedantic.cnf',
             '-module', $infile, '-pedantic'])),
@@ -404,4 +424,3 @@ foreach my $o (@pedantic_fail) {
                  '-module', $infile, '-pedantic', "-${o}"])),
             "fipsinstall disallows -${o} after -pedantic option");
 }
-