From: Pauli <ppzgs1@gmail.com>
Date: Fri, 29 Aug 2025 02:43:09 +0000 (+1000)
Subject: ml-kem: convert to transient error state on import failure in FIPS provider
X-Git-Tag: openssl-3.5.3~35
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=017a65c59bcbe4961ed9e7c523cbc65ef98c8189;p=thirdparty%2Fopenssl.git

ml-kem: convert to transient error state on import failure in FIPS provider

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28376)

(cherry picked from commit eaba675c4b300e18aa4a200a75ff9566653afda8)
---

diff --git a/providers/implementations/keymgmt/ml_kem_kmgmt.c b/providers/implementations/keymgmt/ml_kem_kmgmt.c
index 3936b6c3cd4..9b34fe1c033 100644
--- a/providers/implementations/keymgmt/ml_kem_kmgmt.c
+++ b/providers/implementations/keymgmt/ml_kem_kmgmt.c
@@ -475,7 +475,7 @@ static int ml_kem_import(void *vkey, int selection, const OSSL_PARAM params[])
     if (res > 0 && include_private
         && !ml_kem_pairwise_test(key, key->prov_flags)) {
 #ifdef FIPS_MODULE
-        ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
+        ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT_IMPORT);
 #endif
         ossl_ml_kem_key_reset(key);
         res = 0;
@@ -504,7 +504,7 @@ static const OSSL_PARAM *ml_kem_gettable_params(void *provctx)
 }
 
 #ifndef FIPS_MODULE
-void *ml_kem_load(const void *reference, size_t reference_sz)
+static void *ml_kem_load(const void *reference, size_t reference_sz)
 {
     ML_KEM_KEY *key = NULL;
     uint8_t *encoded_dk = NULL;