From: Nikola Pajkovsky
Date: Thu, 17 Jul 2025 10:45:49 +0000 (+0200)
Subject: Pairwise check for DH keys import as part of FIPS
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e08b83cbb3b853ae9dc364c32d927405172918ac;p=thirdparty%2Fopenssl.git

Pairwise check for DH keys import as part of FIPS

For DH key import, it appears the PCT and assurances are implemented in the source but are not performed by default.

Signed-off-by: Nikola Pajkovsky
Reviewed-by: Neil Horman
Reviewed-by: Viktor Dukhovni
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/28058)
---
diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c index 1aaa88dacae..7cffc60a059 100644 --- a/crypto/dh/dh_backend.c +++ b/crypto/dh/dh_backend.c @@ -80,6 +80,12 @@ int ossl_dh_key_fromdata(DH *dh, const OSSL_PARAM params[], int include_private) if (!DH_set0_key(dh, pub_key, priv_key)) goto err; +#ifdef FIPS_MODULE + if (pub_key != NULL && priv_key != NULL) + if (ossl_dh_check_pairwise(dh) == 0) + return 0; +#endif + return 1; err:
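
Review bot: The new FIPS failure path in ossl_dh_key_fromdata() exits with `return 0;` while the DH_set0_key() failure check directly above it uses `goto err;`, and nothing in the hunk explains the difference. DH_set0_key() has already transferred ownership of pub_key and priv_key to dh by this point, so bypassing err: is presumably deliberate (the body of err: is not visible here), but a one-line comment saying so would stop a later cleanup from changing it to `goto err;` and risking a double free. When the pairwise check fails, the mismatched key pair is also already stored in dh, so it is worth documenting that callers must discard dh on a 0 return. On style, the nested unbraced `if` inside the #ifdef is easy to misread; folding it into a single condition, `if (pub_key != NULL && priv_key != NULL && ossl_dh_check_pairwise(dh) == 0)`, or adding braces would be clearer. The commit message could also state that imports carrying only the public or only the private component skip this check, since the condition requires both to be non-NULL.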