From b22df6529a5667fe7f8d636ece92a4896b86f66c Mon Sep 17 00:00:00 2001
From: Pauli <ppzgs1@gmail.com>
Date: Sun, 31 Aug 2025 17:21:42 +1000
Subject: [PATCH] slh-dsa: enter FIPS error state if pairwise test fails

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28394)

(cherry picked from commit a7d2754661e85d14d9629fb4db0f8f5fcef28e61)
---
 providers/implementations/keymgmt/slh_dsa_kmgmt.c.in | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/providers/implementations/keymgmt/slh_dsa_kmgmt.c.in b/providers/implementations/keymgmt/slh_dsa_kmgmt.c.in
index 4b905503f90..aa62efe718c 100644
--- a/providers/implementations/keymgmt/slh_dsa_kmgmt.c.in
+++ b/providers/implementations/keymgmt/slh_dsa_kmgmt.c.in
@@ -140,9 +140,7 @@ static int slh_dsa_import(void *keydata, int selection, const OSSL_PARAM params[
      */
     if (res > 0 && ossl_slh_dsa_key_has(key, OSSL_KEYMGMT_SELECT_KEYPAIR) > 0)
         if (!slh_dsa_fips140_pairwise_test(key, NULL)) {
-            ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY,
-                           "explicit %s public key does not match private",
-                           ossl_slh_dsa_key_get_name(key));
+            ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT_IMPORT);
             ossl_slh_dsa_key_reset(key);
             res = 0;
         }
-- 
2.47.3