OpenSSL Communities

FIPS self-test refactoring

Dmitry Belyavsky Wed 30 Jul 2025 1:45PM

OpenSSL 3.5 brings post-quantum algorithms in the FIPS provider.
Unfortunately, it means a significant slow-down of FIPS startup (especially because of SLH-DSA variants).

The way forward we see is a refactoring of the FIPS POST so the algorithms would be tested on demand (on fetch). I would like to get feedback from the distro and large business communities and put it to the TAC agenda.

Lucas Mülling Mon 13 Oct 2025 12:24PM

Agreed, could you clarify if this change is to test only the algorithms that were used in a certain context?

Dmitry Belyavsky Mon 13 Oct 2025 1:12PM

@Lucas Mülling https://github.com/openssl/openssl/pull/28725 is the proposed implementation

Angel Yankov Fri 24 Oct 2025 7:30AM

Do you want to do this also for the classical algos?