ml-dsa: convert to transient error state on import failure in FIPS provider

author Pauli <ppzgs1@gmail.com>

Fri, 29 Aug 2025 02:43:01 +0000 (12:43 +1000)

committer Neil Horman <nhorman@openssl.org>

Sat, 30 Aug 2025 13:23:35 +0000 (09:23 -0400)
author Pauli <ppzgs1@gmail.com>
Fri, 29 Aug 2025 02:43:01 +0000 (12:43 +1000)
committer Neil Horman <nhorman@openssl.org>
Sat, 30 Aug 2025 13:23:35 +0000 (09:23 -0400)
diff --git a/providers/implementations/keymgmt/ml_dsa_kmgmt.c b/providers/implementations/keymgmt/ml_dsa_kmgmt.c

index 53feeba4ac3dd761ec46dc5e511b76f39eb97d08..6b99e093c6d55e062749e99f65431b78125d8b67 100644 (file)
--- a/providers/implementations/keymgmt/ml_dsa_kmgmt.c
+++ b/providers/implementations/keymgmt/ml_dsa_kmgmt.c
@@ -268,6 +268,7 @@ static int ml_dsa_import(void *keydata, int selection, const OSSL_PARAM params[]
  {
      ML_DSA_KEY *key = keydata;
      int include_priv;
+    int res;
  
      if (!ossl_prov_is_running() || key == NULL)
          return 0;
@@ -276,7 +277,17 @@ static int ml_dsa_import(void *keydata, int selection, const OSSL_PARAM params[]
          return 0;
  
      include_priv = ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0);
-    return ml_dsa_key_fromdata(key, params, include_priv);
+    res = ml_dsa_key_fromdata(key, params, include_priv);
+#ifdef FIPS_MODULE
+    if (res > 0) {
+        res = ml_dsa_pairwise_test(key);
+        if (!res) {
+            ossl_ml_dsa_key_reset(key);
+            ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT_IMPORT);
+        }
+    }
+#endif  /* FIPS_MODULE */
+    return res;
  }
  
  #define ML_DSA_IMEXPORTABLE_PARAMETERS \
author	Pauli <ppzgs1@gmail.com>
	Fri, 29 Aug 2025 02:43:01 +0000 (12:43 +1000)
committer	Neil Horman <nhorman@openssl.org>
	Sat, 30 Aug 2025 13:23:35 +0000 (09:23 -0400)