From: Pauli <ppzgs1@gmail.com>
Date: Sun, 31 Aug 2025 07:21:42 +0000 (+1000)
Subject: slh-dsa: enter FIPS error state if pairwise test fails
X-Git-Tag: openssl-3.5.3~33
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1d30a87dbfdcfb8fced26d18ef9f8b9f6411c082;p=thirdparty%2Fopenssl.git

slh-dsa: enter FIPS error state if pairwise test fails

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28394)

(cherry picked from commit a7d2754661e85d14d9629fb4db0f8f5fcef28e61)
---

diff --git a/providers/implementations/keymgmt/slh_dsa_kmgmt.c b/providers/implementations/keymgmt/slh_dsa_kmgmt.c
index ee6aba0883a..c403eba7add 100644
--- a/providers/implementations/keymgmt/slh_dsa_kmgmt.c
+++ b/providers/implementations/keymgmt/slh_dsa_kmgmt.c
@@ -128,9 +128,7 @@ static int slh_dsa_import(void *keydata, int selection, const OSSL_PARAM params[
      */
     if (res > 0 && ossl_slh_dsa_key_has(key, OSSL_KEYMGMT_SELECT_KEYPAIR) > 0)
         if (!slh_dsa_fips140_pairwise_test(key, NULL)) {
-            ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY,
-                           "explicit %s public key does not match private",
-                           ossl_slh_dsa_key_get_name(key));
+            ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT_IMPORT);
             ossl_slh_dsa_key_reset(key);
             res = 0;
         }