Request for Feedback on Design related to deferring FIPS self tests
It would be good to get some reviews from internal OpenSSL resources.
Currently all self tests run on start up of the FIPS module. Recently code was added to defer self testing of SLH_DSA because it was slow. FIPS rules allow the self tests to be deferred until before first use instead of taking the hit initially.
https://github.com/openssl/openssl/pull/29004
Paul Dale Mon 17 Nov 2025 9:05AM
My opinion is that the design is good enough for the moment. It can be refined during implementation.
Dmitry Belyavsky · Mon 17 Nov 2025 9:01AM
I'm not the internal OpenSSL resource but I've read this document and I think it describes a reasonable solution. Some more details can be added to the document when we start implementing it but I don't see any reasons not to merge it now