slh-dsa: use fast flavours for FIPS Power Up Self Test

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26821)

diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
index 8ad7eff4926cc86199b2064016eee010a8f60090..63024d0433fdf358215f085f993c39c5857bfba2 100644 (file)
--- a/providers/fips/self_test_data.inc
+++ b/providers/fips/self_test_data.inc
@@ -2876,7 +2876,8 @@ static const ST_KAT_PARAM slh_dsa_sha2_128s_keygen_init_params[] = {
                        slh_dsa_sha2_128s_keygen_entropy),
     ST_KAT_PARAM_END()
 };
-static const ST_KAT_PARAM slh_dsa_128_keygen_expected_params[] = {
+
+static const ST_KAT_PARAM slh_dsa_128s_keygen_expected_params[] = {
     ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PRIV_KEY,
                        slh_dsa_sha2_128s_keygen_priv),
     ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PUB_KEY,
@@ -2884,9 +2885,14 @@ static const ST_KAT_PARAM slh_dsa_128_keygen_expected_params[] = {
     ST_KAT_PARAM_END()
 };
 
-static const unsigned char slh_dsa_sig_msg[] = {
+static const unsigned char slh_dsa_sha2_sig_msg[] = {
+    0x3f
+};
+
+static const unsigned char slh_dsa_shake_sig_msg[] = {
     0x01, 0x02, 0x03, 0x04
 };
+
 static int deterministic = 1;
 static const ST_KAT_PARAM slh_dsa_sig_params[] = {
     ST_KAT_PARAM_INT(OSSL_SIGNATURE_PARAM_DETERMINISTIC, deterministic),
@@ -2894,6 +2900,18 @@ static const ST_KAT_PARAM slh_dsa_sig_params[] = {
 };
 
 static const unsigned char slh_dsa_sha2_128f_priv_pub[] = {
+    0xd5, 0x21, 0x3b, 0xa4, 0xbb, 0x64, 0x70, 0xf1, 0xb9, 0xed, 0xa8, 0x8c, 0xbc, 0x94, 0xe6, 0x27,
+    0x7a, 0x58, 0xa9, 0x51, 0xef, 0x7f, 0x2b, 0x81, 0x46, 0x1d, 0xba, 0xc4, 0x1b, 0x5a, 0x6b, 0x83,
+    0xfa, 0x49, 0x5f, 0xb8, 0x34, 0xde, 0xfe, 0xa7, 0xcc, 0x96, 0xa8, 0x13, 0x09, 0x47, 0x91, 0x35,
+    0xa6, 0x70, 0x29, 0xe9, 0x06, 0x68, 0xc5, 0xa5, 0x8b, 0x96, 0xe6, 0x01, 0x11, 0x49, 0x1f, 0x3d
+};
+
+static const ST_KAT_PARAM slh_dsa_sha2_128f_key_params[] = {
+    ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PRIV_KEY, slh_dsa_sha2_128f_priv_pub),
+    ST_KAT_PARAM_END()
+};
+
+static const unsigned char slh_dsa_shake_128f_priv_pub[] = {
     0xbb, 0xc7, 0x43, 0x06, 0xf7, 0x5d, 0xc2, 0xda, 0xf7, 0x37, 0x2b, 0x3c, 0x98, 0x41, 0xa4, 0xd6,
     0x85, 0x2c, 0x17, 0xb4, 0x59, 0xf1, 0x69, 0x2b, 0x8e, 0x9a, 0x1a, 0x0d, 0xac, 0xe5, 0xba, 0x26,
     0x38, 0x0c, 0x99, 0x30, 0x4a, 0x0d, 0xdd, 0x32, 0xf3, 0x44, 0xb9, 0x51, 0x44, 0xe1, 0xfd, 0xef,
@@ -2901,22 +2919,22 @@ static const unsigned char slh_dsa_sha2_128f_priv_pub[] = {
 };
 
 static const ST_KAT_PARAM slh_dsa_shake_128f_key_params[] = {
-    ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PRIV_KEY, slh_dsa_sha2_128f_priv_pub),
+    ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PRIV_KEY, slh_dsa_shake_128f_priv_pub),
     ST_KAT_PARAM_END()
 };
 
 /* This is the SHA256 digest of the signature */
-static const unsigned char slh_dsa_sha2_128s_sig_digest[] = {
-     0x64, 0x4b, 0x4b, 0xed, 0xc6, 0x21, 0x40, 0x5e,
-     0x95, 0x2d, 0xe1, 0x94, 0xf6, 0x36, 0x2c, 0xbc,
-     0x05, 0xf8, 0xb4, 0x9d, 0x66, 0xe0, 0xda, 0xfd,
-     0xe8, 0x24, 0xd5, 0x38, 0xe6, 0xbb, 0x5b, 0x3a,
+static const unsigned char slh_dsa_sha2_128f_sig_digest[] = {
+    0xd3, 0x53, 0x7e, 0x05, 0xae, 0x63, 0x87, 0x6b, 0xf7, 0x80, 0x15, 0xff,
+    0x86, 0xcc, 0x9e, 0x28, 0x4f, 0x91, 0xca, 0xbf, 0xac, 0x19, 0x12, 0x98,
+    0xfb, 0xaa, 0x37, 0x55, 0x96, 0x35, 0x1d, 0x55
 };
+
 static const unsigned char slh_dsa_shake_128f_sig_digest[] = {
-     0xb7, 0xeb, 0x1f, 0x00, 0x33, 0x41, 0xff, 0x11,
-     0x3f, 0xc7, 0x4d, 0xce, 0x90, 0x6c, 0x55, 0xf7,
-     0x4a, 0x54, 0x8b, 0x86, 0xc1, 0xb1, 0x08, 0x48,
-     0x89, 0x77, 0x00, 0x72, 0x03, 0x92, 0xd1, 0xa6,
+    0xb7, 0xeb, 0x1f, 0x00, 0x33, 0x41, 0xff, 0x11,
+    0x3f, 0xc7, 0x4d, 0xce, 0x90, 0x6c, 0x55, 0xf7,
+    0x4a, 0x54, 0x8b, 0x86, 0xc1, 0xb1, 0x08, 0x48,
+    0x89, 0x77, 0x00, 0x72, 0x03, 0x92, 0xd1, 0xa6,
 };
 #endif /* OPENSSL_NO_SLH_DSA */
 
@@ -3017,23 +3035,33 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
     },
 #endif /* OPENSSL_NO_ML_DSA */
 #ifndef OPENSSL_NO_SLH_DSA
+    /*
+     * FIPS 140-3 IG 10.3.A.16 Note 29 says:
+     *
+     *  It is recommended (but not required) that if the module implements
+     *   both "s" and "f" algorithms, the module self-test at least one of
+     *   each "s" and "f" algorithm.
+     *
+     * Because the "s" version is so slow, we only test the "f" versions
+     * here.
+     */
     {
         OSSL_SELF_TEST_DESC_SIGN_SLH_DSA,
-        "SLH-DSA-SHA2-128s", "SLH-DSA-SHA2-128s", SIGNATURE_MODE_SIG_DIGESTED,
-        slh_dsa_128_keygen_expected_params,
-        ITM(slh_dsa_sig_msg),
+        "SLH-DSA-SHA2-128f", "SLH-DSA-SHA2-128f", SIGNATURE_MODE_SIG_DIGESTED,
+        slh_dsa_sha2_128f_key_params,
+        ITM(slh_dsa_sha2_sig_msg),
         NULL, 0, NULL, 0, NULL, 0,
-        ITM(slh_dsa_sha2_128s_sig_digest),
-        slh_dsa_sig_params
+        ITM(slh_dsa_sha2_128f_sig_digest),
+        slh_dsa_sig_params, slh_dsa_sig_params
     },
     {
         OSSL_SELF_TEST_DESC_SIGN_SLH_DSA,
         "SLH-DSA-SHAKE-128f", "SLH-DSA-SHAKE-128f", SIGNATURE_MODE_SIG_DIGESTED,
         slh_dsa_shake_128f_key_params,
-        ITM(slh_dsa_sig_msg),
+        ITM(slh_dsa_shake_sig_msg),
         NULL, 0, NULL, 0, NULL, 0,
         ITM(slh_dsa_shake_128f_sig_digest),
-        slh_dsa_sig_params
+        slh_dsa_sig_params, slh_dsa_sig_params
     },
 #endif /* OPENSSL_NO_SLH_DSA */
 };
@@ -3060,7 +3088,7 @@ static const ST_KAT_ASYM_KEYGEN st_kat_asym_keygen_tests[] = {
         OSSL_SELF_TEST_DESC_KEYGEN_SLH_DSA,
         "SLH-DSA-SHA2-128s",
         slh_dsa_sha2_128s_keygen_init_params,
-        slh_dsa_128_keygen_expected_params
+        slh_dsa_128s_keygen_expected_params
     },
 # endif
 };