From: Pauli <ppzgs1@gmail.com>
Date: Fri, 29 Aug 2025 02:43:01 +0000 (+1000)
Subject: ml-dsa: convert to transient error state on import failure in FIPS provider
X-Git-Tag: openssl-3.6.0-alpha1~16
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=56a791209c1e63222b1680151709fabd86948548;p=thirdparty%2Fopenssl.git

ml-dsa: convert to transient error state on import failure in FIPS provider

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28376)
---

diff --git a/providers/implementations/keymgmt/ml_dsa_kmgmt.c.in b/providers/implementations/keymgmt/ml_dsa_kmgmt.c.in
index f806fb73e78..fb1005918d0 100644
--- a/providers/implementations/keymgmt/ml_dsa_kmgmt.c.in
+++ b/providers/implementations/keymgmt/ml_dsa_kmgmt.c.in
@@ -281,6 +281,7 @@ static int ml_dsa_import(void *keydata, int selection, const OSSL_PARAM params[]
 {
     ML_DSA_KEY *key = keydata;
     int include_priv;
+    int res;
 
     if (!ossl_prov_is_running() || key == NULL)
         return 0;
@@ -289,7 +290,17 @@ static int ml_dsa_import(void *keydata, int selection, const OSSL_PARAM params[]
         return 0;
 
     include_priv = ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0);
-    return ml_dsa_key_fromdata(key, params, include_priv);
+    res = ml_dsa_key_fromdata(key, params, include_priv);
+#ifdef FIPS_MODULE
+    if (res > 0) {
+        res = ml_dsa_pairwise_test(key);
+        if (!res) {
+            ossl_ml_dsa_key_reset(key);
+            ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT_IMPORT);
+        }
+    }
+#endif  /* FIPS_MODULE */
+    return res;
 }
 
 static const OSSL_PARAM *ml_dsa_imexport_types(int selection)