Temporarily disable SLH-DSA FIPS self tests

This was enabled during the rebase but it needs to be disabled until performance issues are resolved. Related: RHEL-80854 Signed-off-by: Simo Sorce <simo@redhat.com>
2025-07-15 12:34:51 -04:00 · 2025-07-15 12:34:51 -04:00 · eb7847ee25
commit eb7847ee25
parent fd23d267e8
2 changed files with 65 additions and 0 deletions
--- a/0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch
+++ b/0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch
@ -0,0 +1,64 @@
+From 5389ed0aeb97b290969f923b205e333d4f85fdc3 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Tue, 15 Jul 2025 12:32:14 -0400
+Subject: [PATCH] Temporarily disable SLH-DSA FIPS self-tests
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ providers/fips/self_test_data.inc | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
+index f3059a8446..e924e93018 100644
+--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
+@@ -2862,6 +2862,7 @@ static const ST_KAT_PARAM ml_dsa_sig_init[] = {
+ };
+ #endif /* OPENSSL_NO_ML_DSA */
+ 
+#if 0 /* Temporarily disable SLH-DSA self tests due to performance issues */
+ #ifndef OPENSSL_NO_SLH_DSA
+ /*
+  * Deterministic SLH_DSA key generation supplies the private key elements and
+@@ -2952,6 +2953,7 @@ static const unsigned char slh_dsa_shake_128f_sig_digest[] = {
+     0x89, 0x77, 0x00, 0x72, 0x03, 0x92, 0xd1, 0xa6,
+ };
+ #endif /* OPENSSL_NO_SLH_DSA */
+#endif /* Temporarily disable SLH-DSA self tests due to performance issues */
+ 
+ /* Hash DRBG inputs for signature KATs */
+ static const unsigned char sig_kat_entropyin[] = {
+@@ -3051,6 +3053,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
+         ml_dsa_sig_init
+     },
+ #endif /* OPENSSL_NO_ML_DSA */
+#if 0 /* Temporarily disable SLH-DSA self tests due to performance issues */
+ #ifndef OPENSSL_NO_SLH_DSA
+     /*
+      * FIPS 140-3 IG 10.3.A.16 Note 29 says:
+@@ -3081,6 +3084,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
+         slh_dsa_sig_params, slh_dsa_sig_params
+     },
+ #endif /* OPENSSL_NO_SLH_DSA */
+#endif /* Temporarily disable SLH-DSA self tests due to performance issues */
+ };
+ 
+ #if !defined(OPENSSL_NO_ML_DSA)
+@@ -3485,6 +3489,7 @@ static const ST_KAT_ASYM_KEYGEN st_kat_asym_keygen_tests[] = {
+         ml_dsa_key
+     },
+ # endif
+#if 0 /* Temporarily disable SLH-DSA self tests due to performance issues */
+ # if !defined(OPENSSL_NO_SLH_DSA)
+     {
+         OSSL_SELF_TEST_DESC_KEYGEN_SLH_DSA,
+@@ -3493,5 +3498,6 @@ static const ST_KAT_ASYM_KEYGEN st_kat_asym_keygen_tests[] = {
+         slh_dsa_128f_keygen_expected_params
+     },
+ # endif
+#endif /* Temporarily disable SLH-DSA self tests due to performance issues */
+ };
+ #endif /* !OPENSSL_NO_ML_DSA || !OPENSSL_NO_SLH_DSA */
+-- 
+2.50.1
+
--- a/openssl.spec
+++ b/openssl.spec
@ -94,6 +94,7 @@ Patch0052: 0052-Red-Hat-9-FIPS-indicator-defines.patch
 %if ( %{defined rhel} && (! %{defined centos}) )
 Patch0053: 0053-Allow-hybrid-MLKEM-in-FIPS-mode.patch
 %endif
+Patch0054: 0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch

 #The patches that are different for RHEL9 and 10 start here
 Patch0100: 0100-RHEL9-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch