From: Pauli
Date: Thu, 4 Sep 2025 21:23:28 +0000 (+1000)
Subject: import pct: remove import PCTs for most algorithms
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7f7f75816f26;p=thirdparty%2Fopenssl.git
import pct: remove import PCTs for most algorithms
This coveres DH, EC, RSA and SLH-DSA.
Reviewed-by: Neil Horman
Reviewed-by: Tim Hudson
Reviewed-by: Shane Lontis
(Merged from https://github.com/openssl/openssl/pull/28447)
---
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
index 431d649eb0a..4cc0920fac1 100644
--- a/providers/implementations/keymgmt/dh_kmgmt.c
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
@@ -209,18 +209,6 @@ static int dh_import(void *keydata, int selection, const OSSL_PARAM params[])
 selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;
 ok = ok && ossl_dh_key_fromdata(dh, params, include_private);
-#ifdef FIPS_MODULE
- /*
- * FIPS 140-3 IG 10.3.A additional comment 1 mandates that a pairwise
- * consistency check be undertaken on key import. The required test
- * is described in SP 800-56Ar3 5.6.2.1.4.
- */
- if (ok > 0 && !ossl_fips_self_testing()) {
- ok = ossl_dh_check_pairwise(dh, 1);
- if (ok <= 0)
- ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT_IMPORT);
- }
-#endif /* FIPS_MODULE */
 }
 return ok;
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
index f4d8ba7254c..5b7cca59c56 100644
--- a/providers/implementations/keymgmt/ec_kmgmt.c
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
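Review bot: With the `#ifdef FIPS_MODULE` block gone, dh_import now accepts a key whose private and public components do not correspond and no longer enters the error state, yet nothing left in the code says why a check the removed comment described as mandated by FIPS 140-3 IG 10.3.A is no longer needed; the same applies to the ec_kmgmt.c, rsa_kmgmt.c and slh_dsa_kmgmt.c.in hunks. I would leave a one-line pointer at each import site so the check is not re-added out of caution, e.g. `/* No pairwise consistency test on import; see <rationale, e.g. the IG revision or PR #28447> */`, and record that rationale in the commit message as well. Presumably consistency is still enforced through the keymgmt validate callback and the pairwise test remains at key generation, but neither is visible in this hunk and both are worth confirming, along with any test or self-test documentation that still expects OSSL_SELF_TEST_TYPE_PCT_IMPORT to be raised for these four algorithms. dh_import's body starts before this hunk.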
@@ -431,21 +431,6 @@ int common_import(void *keydata, int selection, const OSSL_PARAM params[],
 if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0)
 ok = ok && ossl_ec_key_otherparams_fromdata(ec, params);
-#ifdef FIPS_MODULE
- if (ok > 0
- && !ossl_fips_self_testing()
- && EC_KEY_get0_public_key(ec) != NULL
- && EC_KEY_get0_private_key(ec) != NULL
- && EC_KEY_get0_group(ec) != NULL) {
- BN_CTX *bnctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(ec));
- ok = bnctx != NULL && ossl_ec_key_pairwise_check(ec, bnctx);
- BN_CTX_free(bnctx);
- if (ok <= 0)
- ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT_IMPORT);
- }
-#endif /* FIPS_MODULE */
-
 return ok;
 }
diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c
index 38ca5e77f90..68691280cdf 100644
--- a/providers/implementations/keymgmt/rsa_kmgmt.c
+++ b/providers/implementations/keymgmt/rsa_kmgmt.c
@@ -197,23 +197,6 @@ static int rsa_import(void *keydata, int selection, const OSSL_PARAM params[])
 ok = ok && ossl_rsa_fromdata(rsa, params, include_private);
 }
-#ifdef FIPS_MODULE
- if (ok > 0 && !ossl_fips_self_testing()) {
- const BIGNUM *n, *e, *d, *dp, *dq, *iq, *p, *q;
- RSA_get0_key(rsa, &n, &e, &d);
- RSA_get0_crt_params(rsa, &dp, &dq, &iq);
- p = RSA_get0_p(rsa);
- q = RSA_get0_q(rsa);
- /* Check for the public key */
- if (n != NULL && e != NULL)
- /* Check for private key in straightforward or CRT form */
- if (d != NULL || (p != NULL && q != NULL && dp != NULL
- && dq != NULL && iq != NULL))
- ok = ossl_rsa_key_pairwise_test(rsa);
- }
-#endif /* FIPS_MODULE */
 return ok;
 }
diff --git a/providers/implementations/keymgmt/slh_dsa_kmgmt.c.in b/providers/implementations/keymgmt/slh_dsa_kmgmt.c.in
index aa62efe718c..e2690731efa 100644
--- a/providers/implementations/keymgmt/slh_dsa_kmgmt.c.in
+++ b/providers/implementations/keymgmt/slh_dsa_kmgmt.c.in
@@ -119,7 +119,7 @@ static int slh_dsa_validate(const void *key_data, int selection, int check_type)
 static int slh_dsa_import(void *keydata, int selection, const OSSL_PARAM params[])
 {
 SLH_DSA_KEY *key = keydata;
- int include_priv, res;
+ int include_priv;
 struct slh_dsa_import_st p;
 if (!ossl_prov_is_running()
@@ -131,21 +131,7 @@ static int slh_dsa_import(void *keydata, int selection, const OSSL_PARAM params[
 return 0;
 include_priv = ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0);
- res = ossl_slh_dsa_key_fromdata(key, p.pub, p.priv, include_priv);
-#ifdef FIPS_MODULE
- /*
- * FIPS 140-3 IG 10.3.A additional comment 1 mandates that a pairwise
- * consistency check be undertaken on key import. The required test
- * is described in SP 800-56Ar3 5.6.2.1.4.
- */
- if (res > 0 && ossl_slh_dsa_key_has(key, OSSL_KEYMGMT_SELECT_KEYPAIR) > 0)
- if (!slh_dsa_fips140_pairwise_test(key, NULL)) {
- ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT_IMPORT);
- ossl_slh_dsa_key_reset(key);
- res = 0;
- }
-#endif /* FIPS_MODULE */
- return res;
+ return ossl_slh_dsa_key_fromdata(key, p.pub, p.priv, include_priv);
 }
 static const OSSL_PARAM *slh_dsa_imexport_types(int selection)