root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

slh-dsa: enter FIPS error state if pairwise test fails 

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28394)
This commit is contained in:
Pauli 2025-08-31 17:21:42 +10:00
parent cca9844f0c
commit a7d2754661
1 changed files with 1 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
providers/implementations/keymgmt/slh_dsa_kmgmt.c.in
View File

@ -140,9 +140,7 @@ static int slh_dsa_import(void *keydata, int selection, const OSSL_PARAM params[
*/
if (res > 0 && ossl_slh_dsa_key_has(key, OSSL_KEYMGMT_SELECT_KEYPAIR) > 0)
if (!slh_dsa_fips140_pairwise_test(key, NULL)) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_KEY,
"explicit %s public key does not match private",
ossl_slh_dsa_key_get_name(key));
ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT_IMPORT);
ossl_slh_dsa_key_reset(key);
res = 0;
}