From: d-Dudas Date: Wed, 6 Nov 2024 18:46:59 +0000 (+0200) Subject: Removed support for Sphincs algorithms X-Git-Tag: 3.8.9~21^2~1 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=6e9dbd0ea3bbf7cc121cc35ebf7ef46932c99bc5;p=thirdparty%2Fgnutls.git Removed support for Sphincs algorithms Signed-off-by: David Dudas --- diff --git a/lib/algorithms.h b/lib/algorithms.h index bac20a5d80..ee56714b99 100644 --- a/lib/algorithms.h +++ b/lib/algorithms.h @@ -62,24 +62,6 @@ #define IS_FALCON(x) \ (((x) == GNUTLS_PK_EXP_FALCON512) || ((x) == GNUTLS_PK_EXP_FALCON1024)) - -#define IS_SIMPLE_SPHINCS(x) \ - (((x) == GNUTLS_PK_EXP_SPHINCS_SHA2_128S) || \ - ((x) == GNUTLS_PK_EXP_SPHINCS_SHA2_192S) || \ - ((x) == GNUTLS_PK_EXP_SPHINCS_SHA2_256S) || \ - ((x) == GNUTLS_PK_EXP_SPHINCS_SHAKE_128S) || \ - ((x) == GNUTLS_PK_EXP_SPHINCS_SHAKE_192S) || \ - ((x) == GNUTLS_PK_EXP_SPHINCS_SHAKE_256S)) - -#define IS_FAST_SPHINCS(x) \ - (((x) == GNUTLS_PK_EXP_SPHINCS_SHA2_128F) || \ - ((x) == GNUTLS_PK_EXP_SPHINCS_SHA2_192F) || \ - ((x) == GNUTLS_PK_EXP_SPHINCS_SHA2_256F) || \ - ((x) == GNUTLS_PK_EXP_SPHINCS_SHAKE_128F) || \ - ((x) == GNUTLS_PK_EXP_SPHINCS_SHAKE_192F) || \ - ((x) == GNUTLS_PK_EXP_SPHINCS_SHAKE_256F)) - -#define IS_SPHINCS(x) (IS_SIMPLE_SPHINCS(x) || IS_FAST_SPHINCS(x)) #endif #define SIG_SEM_PRE_TLS12 (1 << 1) diff --git a/lib/algorithms/publickey.c b/lib/algorithms/publickey.c index e0103cc978..242cbfabbd 100644 --- a/lib/algorithms/publickey.c +++ b/lib/algorithms/publickey.c 
@@ -248,66 +248,6 @@ static const gnutls_pk_entry pk_algorithms[] = { .id = GNUTLS_PK_EXP_FALCON1024, .curve = GNUTLS_ECC_CURVE_INVALID, .no_prehashed = 1 }, - { .name = "Sphincs SHA2 128F", - .oid = SPHINCS_SHA2_128F_OID, - .id = GNUTLS_PK_EXP_SPHINCS_SHA2_128F, - .curve = GNUTLS_ECC_CURVE_INVALID, - .no_prehashed = 1 }, - { .name = "Sphincs SHA2 128S", - .oid = SPHINCS_SHA2_128S_OID, - .id = GNUTLS_PK_EXP_SPHINCS_SHA2_128S, - .curve = GNUTLS_ECC_CURVE_INVALID, - .no_prehashed = 1 }, - { .name = "Sphincs SHA2 192F", - .oid = SPHINCS_SHA2_192F_OID, - .id = GNUTLS_PK_EXP_SPHINCS_SHA2_192F, - .curve = GNUTLS_ECC_CURVE_INVALID, - .no_prehashed = 1 }, - { .name = "Sphincs SHA2 192S", - .oid = SPHINCS_SHA2_192S_OID, - .id = GNUTLS_PK_EXP_SPHINCS_SHA2_192S, - .curve = GNUTLS_ECC_CURVE_INVALID, - .no_prehashed = 1 }, - { .name = "Sphincs SHA2 256F", - .oid = SPHINCS_SHA2_256F_OID, - .id = GNUTLS_PK_EXP_SPHINCS_SHA2_256F, - .curve = GNUTLS_ECC_CURVE_INVALID, - .no_prehashed = 1 }, - { .name = "Sphincs SHA2 256S", - .oid = SPHINCS_SHA2_256S_OID, - .id = GNUTLS_PK_EXP_SPHINCS_SHA2_256S, - .curve = GNUTLS_ECC_CURVE_INVALID, - .no_prehashed = 1 }, - { .name = "Sphincs SHAKE 128F", - .oid = SPHINCS_SHAKE_128F_OID, - .id = GNUTLS_PK_EXP_SPHINCS_SHAKE_128F, - .curve = GNUTLS_ECC_CURVE_INVALID, - .no_prehashed = 1 }, - { .name = "Sphincs SHAKE 128S", - .oid = SPHINCS_SHAKE_128S_OID, - .id = GNUTLS_PK_EXP_SPHINCS_SHAKE_128S, - .curve = GNUTLS_ECC_CURVE_INVALID, - .no_prehashed = 1 }, - { .name = "Sphincs SHAKE 192F", - .oid = SPHINCS_SHAKE_192F_OID, - .id = GNUTLS_PK_EXP_SPHINCS_SHAKE_192F, - .curve = GNUTLS_ECC_CURVE_INVALID, - .no_prehashed = 1 }, - { .name = "Sphincs SHAKE 192S", - .oid = SPHINCS_SHAKE_192S_OID, - .id = GNUTLS_PK_EXP_SPHINCS_SHAKE_192S, - .curve = GNUTLS_ECC_CURVE_INVALID, - .no_prehashed = 1 }, - { .name = "Sphincs SHAKE 256F", - .oid = SPHINCS_SHAKE_256F_OID, - .id = GNUTLS_PK_EXP_SPHINCS_SHAKE_256F, - .curve = GNUTLS_ECC_CURVE_INVALID, - .no_prehashed = 1 }, 
- { .name = "Sphincs SHAKE 256S", - .oid = SPHINCS_SHAKE_256S_OID, - .id = GNUTLS_PK_EXP_SPHINCS_SHAKE_256S, - .curve = GNUTLS_ECC_CURVE_INVALID, - .no_prehashed = 1 }, #endif { .name = "UNKNOWN", .oid = NULL, diff --git a/lib/algorithms/secparams.c b/lib/algorithms/secparams.c index 64ec392004..5308cdbf9b 100644 --- a/lib/algorithms/secparams.c +++ b/lib/algorithms/secparams.c 
@@ -41,90 +41,87 @@ typedef struct { #ifdef HAVE_LIBOQS unsigned int ml_dsa_bits; unsigned int falcon_bits; - unsigned int sphincs_bits; #endif } gnutls_sec_params_entry; static const gnutls_sec_params_entry sec_params[] = { { "Insecure", GNUTLS_SEC_PARAM_INSECURE, 0, 0, 0, 0, 0, #ifdef HAVE_LIBOQS - 0, 0, 0 + 0, 0 #endif }, { "Export", GNUTLS_SEC_PARAM_EXPORT, 42, 512, 0, 84, 0, #ifdef HAVE_LIBOQS - 0, 0, 0 + 0, 0 #endif }, { "Very weak", GNUTLS_SEC_PARAM_VERY_WEAK, 64, 767, 0, 128, 0, #ifdef HAVE_LIBOQS - 0, 0, 0 + 0, 0 #endif }, { "Weak", GNUTLS_SEC_PARAM_WEAK, 72, 1008, 1008, 160, 160, #ifdef HAVE_LIBOQS - 0, 0, 0 + 0, 0 #endif }, #ifdef ENABLE_FIPS140 { "Low", GNUTLS_SEC_PARAM_LOW, 80, 1024, 1024, 160, 160, #ifdef HAVE_LIBOQS - 0, 0, 0 + 0, 0 #endif }, { "Legacy", GNUTLS_SEC_PARAM_LEGACY, 96, 1024, 1024, 192, 192, #ifdef HAVE_LIBOQS - 0, OQS_SIG_falcon_512_length_public_key, - OQS_SIG_sphincs_sha2_128f_simple_length_public_key + 0, OQS_SIG_falcon_512_length_public_key #endif }, { "Medium", GNUTLS_SEC_PARAM_MEDIUM, 112, 2048, 2048, 224, 224, #ifdef HAVE_LIBOQS - OQS_SIG_ml_dsa_44_length_public_key, 0, 0 + OQS_SIG_ml_dsa_44_length_public_key, 0 #endif }, { "High", GNUTLS_SEC_PARAM_HIGH, 128, 3072, 3072, 256, 256, #ifdef HAVE_LIBOQS - 0, 0, OQS_SIG_sphincs_sha2_192s_simple_length_public_key + 0, 0 #endif }, #else { "Low", GNUTLS_SEC_PARAM_LOW, 80, 1024, 1024, 160, 160, #ifdef HAVE_LIBOQS - 0, 0, 0 + 0, 0 #endif }, /* ENISA-LEGACY */ { "Legacy", GNUTLS_SEC_PARAM_LEGACY, 96, 1776, 2048, 192, 192, #ifdef HAVE_LIBOQS - 0, OQS_SIG_falcon_512_length_public_key, OQS_SIG_sphincs_sha2_128f_simple_length_public_key + 0, OQS_SIG_falcon_512_length_public_key #endif }, { "Medium", GNUTLS_SEC_PARAM_MEDIUM, 112, 2048, 2048, 256, 224, #ifdef HAVE_LIBOQS - OQS_SIG_ml_dsa_44_length_public_key, 0, 0 + OQS_SIG_ml_dsa_44_length_public_key, 0 #endif }, { "High", GNUTLS_SEC_PARAM_HIGH, 128, 3072, 3072, 256, 256, #ifdef HAVE_LIBOQS - 0, 0, 
OQS_SIG_sphincs_sha2_192s_simple_length_public_key + 0, 0 #endif }, #endif { "Ultra", GNUTLS_SEC_PARAM_ULTRA, 192, 8192, 8192, 384, 384, #ifdef HAVE_LIBOQS - OQS_SIG_ml_dsa_65_length_public_key, 0, 0 + OQS_SIG_ml_dsa_65_length_public_key, 0 #endif }, { "Future", GNUTLS_SEC_PARAM_FUTURE, 256, 15360, 15360, 512, 512, #ifdef HAVE_LIBOQS OQS_SIG_ml_dsa_87_length_public_key, - OQS_SIG_falcon_1024_length_public_key, - OQS_SIG_sphincs_sha2_256f_simple_length_public_key + OQS_SIG_falcon_1024_length_public_key #endif }, - { NULL, 0, 0, 0, 0, + { NULL, 0, 0, 0, 0, 0, 0, #ifdef HAVE_LIBOQS - 0, 0, 0 + 0, 0 #endif } }; @@ -162,8 +159,6 @@ unsigned int gnutls_sec_param_to_pk_bits(gnutls_pk_algorithm_t algo, ret = p->ml_dsa_bits; else if (IS_FALCON(algo)) ret = p->falcon_bits; - else if (IS_SPHINCS(algo)) - ret = p->sphincs_bits; #endif else ret = p->pk_bits; @@ -307,12 +302,6 @@ gnutls_sec_param_t gnutls_pk_bits_to_sec_param(gnutls_pk_algorithm_t algo, break; ret = p->sec_param; } - } else if (IS_SPHINCS(algo)) { - for (p = sec_params; p->name; p++) { - if (p->sphincs_bits > bits) - break; - ret = p->sec_param; - } #endif } else { for (p = sec_params; p->name; p++) { diff --git a/lib/algorithms/sign.c b/lib/algorithms/sign.c index c3c08a9227..cc1f231d86 100644 --- a/lib/algorithms/sign.c +++ b/lib/algorithms/sign.c 
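Review bot: In the `sec_params` table the `falcon_bits` column is 0 for Medium, High and Ultra (and `ml_dsa_bits` is 0 for Legacy and High), and the lookup in the next hunk returns the cell unchanged with `ret = p->falcon_bits;`, so asking for Falcon at one of those levels yields a key size of 0. The SPHINCS loop removed in the third hunk shows the reverse scan, `if (p->sphincs_bits > bits) break;`. The Falcon and ML-DSA branches above it are outside the hunk; if they use the same form, a zero cell never stops the scan and a Falcon-512 key would be rated Ultra rather than Legacy. I would skip empty cells in that scan with `if (p->falcon_bits == 0) continue;` ahead of the comparison, and add a comment on the struct fields saying that 0 means no parameter set exists at that level.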
@@ -433,78 +433,6 @@ static SYSTEM_CONFIG_OR_CONST gnutls_sign_entry_st sign_algorithms[] = { .pk = GNUTLS_PK_EXP_FALCON1024, .hash = GNUTLS_DIG_SHAKE_256, .aid = TLS_SIGN_AID_UNKNOWN }, - { .name = "Sphincs-SHA2-128F", - .oid = SPHINCS_SHA2_128F_OID, - .id = GNUTLS_SIGN_EXP_SPHINCS_SHA2_128F, - .pk = GNUTLS_PK_EXP_SPHINCS_SHA2_128F, - .hash = GNUTLS_DIG_SHA256, // - .aid = TLS_SIGN_AID_UNKNOWN }, - { .name = "Sphincs-SHA2-128S", - .oid = SPHINCS_SHA2_128S_OID, - .id = GNUTLS_SIGN_EXP_SPHINCS_SHA2_128S, - .pk = GNUTLS_PK_EXP_SPHINCS_SHA2_128S, - .hash = GNUTLS_DIG_SHA256, - .aid = TLS_SIGN_AID_UNKNOWN }, - { .name = "Sphincs-SHA2-192F", - .oid = SPHINCS_SHA2_192F_OID, - .id = GNUTLS_SIGN_EXP_SPHINCS_SHA2_192F, - .pk = GNUTLS_PK_EXP_SPHINCS_SHA2_192F, - .hash = GNUTLS_DIG_SHA256, - .aid = TLS_SIGN_AID_UNKNOWN }, - { .name = "Sphincs-SHA2-192S", - .oid = SPHINCS_SHA2_192S_OID, - .id = GNUTLS_SIGN_EXP_SPHINCS_SHA2_192S, - .pk = GNUTLS_PK_EXP_SPHINCS_SHA2_192S, - .hash = GNUTLS_DIG_SHA256, - .aid = TLS_SIGN_AID_UNKNOWN }, - { .name = "Sphincs-SHA2-256F", - .oid = SPHINCS_SHA2_256F_OID, - .id = GNUTLS_SIGN_EXP_SPHINCS_SHA2_256F, - .pk = GNUTLS_PK_EXP_SPHINCS_SHA2_256F, - .hash = GNUTLS_DIG_SHA256, - .aid = TLS_SIGN_AID_UNKNOWN }, - { .name = "Sphincs-SHA2-256S", - .oid = SPHINCS_SHA2_256S_OID, - .id = GNUTLS_SIGN_EXP_SPHINCS_SHA2_256S, - .pk = GNUTLS_PK_EXP_SPHINCS_SHA2_256S, - .hash = GNUTLS_DIG_SHA256, - .aid = TLS_SIGN_AID_UNKNOWN }, - { .name = "Sphincs-SHAKE-128F", - .oid = SPHINCS_SHAKE_128F_OID, - .id = GNUTLS_SIGN_EXP_SPHINCS_SHAKE_128F, - .pk = GNUTLS_PK_EXP_SPHINCS_SHAKE_128F, - .hash = GNUTLS_DIG_SHAKE_256, - .aid = TLS_SIGN_AID_UNKNOWN }, - { .name = "Sphincs-SHAKE-128S", - .oid = SPHINCS_SHAKE_128S_OID, - .id = GNUTLS_SIGN_EXP_SPHINCS_SHAKE_128S, - .pk = GNUTLS_PK_EXP_SPHINCS_SHAKE_128S, - .hash = GNUTLS_DIG_SHAKE_256, - .aid = TLS_SIGN_AID_UNKNOWN }, - { .name = "Sphincs-SHAKE-192F", - .oid = SPHINCS_SHAKE_192F_OID, - .id = 
GNUTLS_SIGN_EXP_SPHINCS_SHAKE_192F, - .pk = GNUTLS_PK_EXP_SPHINCS_SHAKE_192F, - .hash = GNUTLS_DIG_SHAKE_256, - .aid = TLS_SIGN_AID_UNKNOWN }, - { .name = "Sphincs-SHAKE-192S", - .oid = SPHINCS_SHAKE_192S_OID, - .id = GNUTLS_SIGN_EXP_SPHINCS_SHAKE_192S, - .pk = GNUTLS_PK_EXP_SPHINCS_SHAKE_192S, - .hash = GNUTLS_DIG_SHAKE_256, - .aid = TLS_SIGN_AID_UNKNOWN }, - { .name = "Sphincs-SHAKE-256F", - .oid = SPHINCS_SHAKE_256F_OID, - .id = GNUTLS_SIGN_EXP_SPHINCS_SHAKE_256F, - .pk = GNUTLS_PK_EXP_SPHINCS_SHAKE_256F, - .hash = GNUTLS_DIG_SHAKE_256, - .aid = TLS_SIGN_AID_UNKNOWN }, - { .name = "Sphincs-SHAKE-256S", - .oid = SPHINCS_SHAKE_256S_OID, - .id = GNUTLS_SIGN_EXP_SPHINCS_SHAKE_256S, - .pk = GNUTLS_PK_EXP_SPHINCS_SHAKE_256S, - .hash = GNUTLS_DIG_SHAKE_256, - .aid = TLS_SIGN_AID_UNKNOWN }, #endif { .name = 0, .oid = 0, diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h index 9981385735..39f791429c 100644 --- a/lib/crypto-backend.h +++ b/lib/crypto-backend.h @@ -281,7 +281,6 @@ void gnutls_pk_params_init(gnutls_pk_params_st *p); #ifdef HAVE_LIBOQS #define ML_DSA_PRIVATE_PARAMS 4 #define FALCON_PRIVATE_PARAMS 4 -#define SPHINCS_PRIVATE_PARAMS 4 #endif #if MAX_PRIV_PARAMS_SIZE - RSA_PRIVATE_PARAMS < 0 diff --git a/lib/dlwrap/oqsfuncs.h b/lib/dlwrap/oqsfuncs.h index f40155f074..9d89d29b69 100644 --- a/lib/dlwrap/oqsfuncs.h +++ b/lib/dlwrap/oqsfuncs.h 
@@ -13,10 +13,6 @@ FUNC(OQS_STATUS, OQS_KEM_keypair, (const OQS_KEM *kem, uint8_t *public_key, uint FUNC(OQS_STATUS, OQS_KEM_encaps, (const OQS_KEM *kem, uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key), (kem, ciphertext, shared_secret, public_key)) FUNC(OQS_STATUS, OQS_KEM_decaps, (const OQS_KEM *kem, uint8_t *shared_secret, const uint8_t *ciphertext, const uint8_t *secret_key), (kem, shared_secret, ciphertext, secret_key)) VOID_FUNC(void, OQS_KEM_free, (OQS_KEM *kem), (kem)) -VOID_FUNC(void, OQS_SHA2_set_callbacks, (struct OQS_SHA2_callbacks *new_callbacks), (new_callbacks)) -VOID_FUNC(void, OQS_SHA3_set_callbacks, (struct OQS_SHA3_callbacks *new_callbacks), (new_callbacks)) -VOID_FUNC(void, OQS_SHA3_x4_set_callbacks, (struct OQS_SHA3_x4_callbacks *new_callbacks), (new_callbacks)) -FUNC(const char *, OQS_version, (void), ()) FUNC(int, OQS_SIG_alg_is_enabled, (const char *method_name), (method_name)) FUNC(OQS_SIG *, OQS_SIG_new, (const char *method_name), (method_name)) FUNC(OQS_STATUS, OQS_SIG_keypair, (const OQS_SIG *sig, uint8_t *public_key, uint8_t *secret_key), (sig, public_key, secret_key)) diff --git a/lib/gnutls.asn b/lib/gnutls.asn index 54dd72bce7..8f618e4afa 100644 --- a/lib/gnutls.asn +++ b/lib/gnutls.asn @@ -202,12 +202,4 @@ FalconPrivateKey ::= SEQUENCE { privateKey OCTET STRING, publicKey [1] OCTET STRING OPTIONAL } - -SphincsPrivateKey ::= SEQUENCE { - version INTEGER, - privateKeyAlgorithm AlgorithmIdentifier, - privateKey OCTET STRING, - publicKey [1] OCTET STRING OPTIONAL -} - END diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in index 027952eb3b..603e8273a2 100644 --- a/lib/includes/gnutls/gnutls.h.in +++ b/lib/includes/gnutls/gnutls.h.in 
@@ -919,19 +919,7 @@ typedef enum { GNUTLS_PK_EXP_KYBER768 = 257, GNUTLS_PK_EXP_FALCON512 = 258, GNUTLS_PK_EXP_FALCON1024 = 259, - GNUTLS_PK_EXP_SPHINCS_SHA2_128F = 260, - GNUTLS_PK_EXP_SPHINCS_SHA2_128S = 261, - GNUTLS_PK_EXP_SPHINCS_SHA2_192F = 262, - GNUTLS_PK_EXP_SPHINCS_SHA2_192S = 263, - GNUTLS_PK_EXP_SPHINCS_SHA2_256F = 264, - GNUTLS_PK_EXP_SPHINCS_SHA2_256S = 265, - GNUTLS_PK_EXP_SPHINCS_SHAKE_128F = 266, - GNUTLS_PK_EXP_SPHINCS_SHAKE_128S = 267, - GNUTLS_PK_EXP_SPHINCS_SHAKE_192F = 268, - GNUTLS_PK_EXP_SPHINCS_SHAKE_192S = 269, - GNUTLS_PK_EXP_SPHINCS_SHAKE_256F = 270, - GNUTLS_PK_EXP_SPHINCS_SHAKE_256S = 271, - GNUTLS_PK_EXP_MAX = GNUTLS_PK_EXP_SPHINCS_SHAKE_256S + GNUTLS_PK_EXP_MAX = GNUTLS_PK_EXP_FALCON1024 } gnutls_pk_algorithm_t; const char *gnutls_pk_algorithm_get_name(gnutls_pk_algorithm_t algorithm); @@ -1061,19 +1049,7 @@ typedef enum { GNUTLS_SIGN_EXP_MIN = 256, GNUTLS_SIGN_EXP_FALCON512 = 257, GNUTLS_SIGN_EXP_FALCON1024 = 258, - GNUTLS_SIGN_EXP_SPHINCS_SHA2_128F = 259, - GNUTLS_SIGN_EXP_SPHINCS_SHA2_128S = 260, - GNUTLS_SIGN_EXP_SPHINCS_SHA2_192F = 261, - GNUTLS_SIGN_EXP_SPHINCS_SHA2_192S = 262, - GNUTLS_SIGN_EXP_SPHINCS_SHA2_256F = 263, - GNUTLS_SIGN_EXP_SPHINCS_SHA2_256S = 264, - GNUTLS_SIGN_EXP_SPHINCS_SHAKE_128F = 265, - GNUTLS_SIGN_EXP_SPHINCS_SHAKE_128S = 266, - GNUTLS_SIGN_EXP_SPHINCS_SHAKE_192F = 267, - GNUTLS_SIGN_EXP_SPHINCS_SHAKE_192S = 268, - GNUTLS_SIGN_EXP_SPHINCS_SHAKE_256F = 269, - GNUTLS_SIGN_EXP_SPHINCS_SHAKE_256S = 270, - GNUTLS_SIGN_EXP_MAX = GNUTLS_SIGN_EXP_SPHINCS_SHAKE_256S, + GNUTLS_SIGN_EXP_MAX = GNUTLS_SIGN_EXP_FALCON1024, } gnutls_sign_algorithm_t; /** diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c index 9ceceeab2b..2e27e60bef 100644 --- a/lib/nettle/pk.c +++ b/lib/nettle/pk.c 
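Review bot: Removing the SPHINCS enumerators from this installed header leaves the values 260-271 in `gnutls_pk_algorithm_t` and 259-270 in `gnutls_sign_algorithm_t` unassigned, and lowers `GNUTLS_PK_EXP_MAX` and `GNUTLS_SIGN_EXP_MAX`. If a later experimental algorithm is given one of these numbers, a program built against the old header would treat it as a SPHINCS variant without any error. A comment next to each `_EXP_MAX`, for example `/* 260-271 were SPHINCS+ (removed); do not reuse */`, would record the gap. Code that names the removed constants will no longer compile, so if they appeared in any release the removal also deserves a NEWS entry.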
@@ -699,6 +699,16 @@ static const char *pk_to_liboqs_algo(gnutls_pk_algorithm_t algo)
 return OQS_KEM_alg_ml_kem_768;
 case GNUTLS_PK_EXP_KYBER768:
 return OQS_KEM_alg_kyber_768;
+ case GNUTLS_PK_ML_DSA_44:
+ return OQS_SIG_alg_ml_dsa_44;
+ case GNUTLS_PK_ML_DSA_65:
+ return OQS_SIG_alg_ml_dsa_65;
+ case GNUTLS_PK_ML_DSA_87:
+ return OQS_SIG_alg_ml_dsa_87;
+ case GNUTLS_PK_EXP_FALCON512:
+ return OQS_SIG_alg_falcon_512;
+ case GNUTLS_PK_EXP_FALCON1024:
+ return OQS_SIG_alg_falcon_1024;
 default:
 gnutls_assert();
 return NULL;
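Review bot: `pk_to_liboqs_algo()` now returns `OQS_KEM_alg_*` and `OQS_SIG_alg_*` names from one switch, so nothing in the function keeps a signature id away from a KEM call site or the reverse. The sign, verify and key-generation hunks further down switch to it and hand the result to `OQS_SIG_alg_is_enabled`, which is correct only because their own `case` labels restrict the input. I would document that contract above the function, for example `/* Maps KEM and signature ids alike; the caller must pair the result with the matching OQS_KEM_* or OQS_SIG_* API. */`. The function begins and ends outside this hunk.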
@@ -1433,51 +1443,6 @@ static inline int eddsa_sign(gnutls_pk_algorithm_t algo, const uint8_t *pub, } } -#ifdef HAVE_LIBOQS -static inline const char *convert_to_oqs_alg(gnutls_pk_algorithm_t algo) -{ - switch (algo) { - case GNUTLS_PK_ML_DSA_44: - return OQS_SIG_alg_ml_dsa_44; - case GNUTLS_PK_ML_DSA_65: - return OQS_SIG_alg_ml_dsa_65; - case GNUTLS_PK_ML_DSA_87: - return OQS_SIG_alg_ml_dsa_87; - case GNUTLS_PK_EXP_FALCON512: - return OQS_SIG_alg_falcon_512; - case GNUTLS_PK_EXP_FALCON1024: - return OQS_SIG_alg_falcon_1024; - case GNUTLS_PK_EXP_SPHINCS_SHA2_128F: - return OQS_SIG_alg_sphincs_sha2_128f_simple; - case GNUTLS_PK_EXP_SPHINCS_SHA2_128S: - return OQS_SIG_alg_sphincs_sha2_128s_simple; - case GNUTLS_PK_EXP_SPHINCS_SHA2_192F: - return OQS_SIG_alg_sphincs_sha2_192f_simple; - case GNUTLS_PK_EXP_SPHINCS_SHA2_192S: - return OQS_SIG_alg_sphincs_sha2_192s_simple; - case GNUTLS_PK_EXP_SPHINCS_SHA2_256F: - return OQS_SIG_alg_sphincs_sha2_256f_simple; - case GNUTLS_PK_EXP_SPHINCS_SHA2_256S: - return OQS_SIG_alg_sphincs_sha2_256s_simple; - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128F: - return OQS_SIG_alg_sphincs_shake_128f_simple; - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128S: - return OQS_SIG_alg_sphincs_shake_128s_simple; - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192F: - return OQS_SIG_alg_sphincs_shake_192f_simple; - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192S: - return OQS_SIG_alg_sphincs_shake_192s_simple; - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256F: - return OQS_SIG_alg_sphincs_shake_256f_simple; - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256S: - return OQS_SIG_alg_sphincs_shake_256s_simple; - default: - gnutls_assert(); - return NULL; - } -} -#endif - /* This is the lower-level part of privkey_sign_raw_data(). * * It accepts data in the appropriate hash form, i.e., DigestInfo 
@@ -1902,24 +1867,12 @@ static int _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, case GNUTLS_PK_ML_DSA_65: case GNUTLS_PK_ML_DSA_87: case GNUTLS_PK_EXP_FALCON512: - case GNUTLS_PK_EXP_FALCON1024: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256S: { + case GNUTLS_PK_EXP_FALCON1024: { OQS_SIG *sig; OQS_STATUS rc; size_t size; - const char *algo_name = convert_to_oqs_alg(algo); + const char *algo_name = pk_to_liboqs_algo(algo); if (algo_name == NULL || !GNUTLS_OQS_FUNC(OQS_SIG_alg_is_enabled)(algo_name)) { return gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM); @@ -2330,23 +2283,11 @@ static int _wrap_nettle_pk_verify(gnutls_pk_algorithm_t algo, case GNUTLS_PK_ML_DSA_65: case GNUTLS_PK_ML_DSA_87: case GNUTLS_PK_EXP_FALCON512: - case GNUTLS_PK_EXP_FALCON1024: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256S: { + case GNUTLS_PK_EXP_FALCON1024: { OQS_SIG *sig; OQS_STATUS rc; - const char *algo_name = convert_to_oqs_alg(algo); + const char *algo_name = pk_to_liboqs_algo(algo); if (algo_name == NULL || !GNUTLS_OQS_FUNC(OQS_SIG_alg_is_enabled)(algo_name)) { return gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM); 
@@ -2545,19 +2486,7 @@ static int _wrap_nettle_pk_exists(gnutls_pk_algorithm_t pk) case GNUTLS_PK_ML_DSA_65: case GNUTLS_PK_ML_DSA_87: case GNUTLS_PK_EXP_FALCON512: - case GNUTLS_PK_EXP_FALCON1024: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256S: { + case GNUTLS_PK_EXP_FALCON1024: { const char *algo_name; if (_gnutls_liboqs_ensure() < 0) @@ -2778,23 +2707,12 @@ static int wrap_nettle_pk_generate_params(gnutls_pk_algorithm_t algo, case GNUTLS_PK_GOST_12_256: case GNUTLS_PK_GOST_12_512: #endif + case GNUTLS_PK_MLKEM768: case GNUTLS_PK_ML_DSA_44: case GNUTLS_PK_ML_DSA_65: case GNUTLS_PK_ML_DSA_87: case GNUTLS_PK_EXP_FALCON512: case GNUTLS_PK_EXP_FALCON1024: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256S: break; default: gnutls_assert(); 
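Review bot: The added `case GNUTLS_PK_MLKEM768:` in `wrap_nettle_pk_generate_params()` is not part of removing SPHINCS, and it is listed without `GNUTLS_PK_EXP_KYBER768`, although `pk_to_liboqs_algo()` and the private-parameter check treat the two ids together. The start of this case list is outside the hunk, so KYBER768 may already appear there. If it does not, that id still reaches the `default:` branch and its `gnutls_assert()`, and `case GNUTLS_PK_EXP_KYBER768:` should be added beside the new label. The commit message should also mention the change, so the added label is not taken for part of the removal.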
@@ -4048,18 +3966,6 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo, case GNUTLS_PK_ML_DSA_87: case GNUTLS_PK_EXP_FALCON512: case GNUTLS_PK_EXP_FALCON1024: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256S: if (params->pkflags & GNUTLS_PK_FLAG_PROVABLE) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); @@ -4075,7 +3981,7 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo, not_approved = true; - const char *algo_name = convert_to_oqs_alg(algo); + const char *algo_name = pk_to_liboqs_algo(algo); if (algo_name == NULL || !GNUTLS_OQS_FUNC(OQS_SIG_alg_is_enabled)( algo_name)) { @@ -4373,7 +4279,12 @@ static int wrap_nettle_pk_verify_priv_params(gnutls_pk_algorithm_t algo, } #ifdef HAVE_LIBOQS case GNUTLS_PK_MLKEM768: - case GNUTLS_PK_EXP_KYBER768: { + case GNUTLS_PK_EXP_KYBER768: + case GNUTLS_PK_ML_DSA_44: + case GNUTLS_PK_ML_DSA_65: + case GNUTLS_PK_ML_DSA_87: + case GNUTLS_PK_EXP_FALCON512: + case GNUTLS_PK_EXP_FALCON1024: { const char *algo_name; if (_gnutls_liboqs_ensure() < 0) 
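Review bot: In `wrap_nettle_pk_verify_priv_params()` the ML-DSA and Falcon labels now share the block written for `GNUTLS_PK_MLKEM768` and `GNUTLS_PK_EXP_KYBER768`, where before they only did `ret = 0; break;`. The middle of that block lies between this hunk and the next and is not shown. If it tests availability through the KEM query, `OQS_KEM_alg_is_enabled`, the `OQS_SIG_alg_*` name returned for a signature key will not match and every ML-DSA or Falcon private key will be rejected. The signature labels should get their own branch that calls `GNUTLS_OQS_FUNC(OQS_SIG_alg_is_enabled)(algo_name)`, as the sign and verify paths in this file do.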
@@ -4387,25 +4298,6 @@ static int wrap_nettle_pk_verify_priv_params(gnutls_pk_algorithm_t algo, ret = 0; break; } - case GNUTLS_PK_ML_DSA_44: - case GNUTLS_PK_ML_DSA_65: - case GNUTLS_PK_ML_DSA_87: - case GNUTLS_PK_EXP_FALCON512: - case GNUTLS_PK_EXP_FALCON1024: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256S: - ret = 0; - break; #endif #if ENABLE_GOST case GNUTLS_PK_GOST_01: diff --git a/lib/privkey.c b/lib/privkey.c index 1346cdfe0e..519044466f 100644 --- a/lib/privkey.c +++ b/lib/privkey.c @@ -249,18 +249,6 @@ static int privkey_to_pubkey(gnutls_pk_algorithm_t pk, case GNUTLS_PK_ML_DSA_87: case GNUTLS_PK_EXP_FALCON512: case GNUTLS_PK_EXP_FALCON1024: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256S: #endif ret = _gnutls_set_datum(&pub->raw_pub, priv->raw_pub.data, priv->raw_pub.size); diff --git a/lib/pubkey.c b/lib/pubkey.c index 1f767c4f29..057b2b4ed5 100644 --- a/lib/pubkey.c +++ b/lib/pubkey.c 
@@ -65,30 +65,6 @@ static const struct pq_algorithm_pubkey_bits_st pq_pubkey_bits[] = { { GNUTLS_PK_ML_DSA_87, OQS_SIG_ml_dsa_87_length_public_key }, { GNUTLS_PK_EXP_FALCON512, OQS_SIG_falcon_512_length_public_key }, { GNUTLS_PK_EXP_FALCON1024, OQS_SIG_falcon_1024_length_public_key }, - { GNUTLS_PK_EXP_SPHINCS_SHA2_128F, - OQS_SIG_sphincs_sha2_128f_simple_length_public_key }, - { GNUTLS_PK_EXP_SPHINCS_SHA2_128S, - OQS_SIG_sphincs_sha2_128s_simple_length_public_key }, - { GNUTLS_PK_EXP_SPHINCS_SHA2_192F, - OQS_SIG_sphincs_sha2_192f_simple_length_public_key }, - { GNUTLS_PK_EXP_SPHINCS_SHA2_192S, - OQS_SIG_sphincs_sha2_192s_simple_length_public_key }, - { GNUTLS_PK_EXP_SPHINCS_SHA2_256F, - OQS_SIG_sphincs_sha2_256f_simple_length_public_key }, - { GNUTLS_PK_EXP_SPHINCS_SHA2_256S, - OQS_SIG_sphincs_sha2_256s_simple_length_public_key }, - { GNUTLS_PK_EXP_SPHINCS_SHAKE_128F, - OQS_SIG_sphincs_shake_128f_simple_length_public_key }, - { GNUTLS_PK_EXP_SPHINCS_SHAKE_128S, - OQS_SIG_sphincs_shake_128s_simple_length_public_key }, - { GNUTLS_PK_EXP_SPHINCS_SHAKE_192F, - OQS_SIG_sphincs_shake_192f_simple_length_public_key }, - { GNUTLS_PK_EXP_SPHINCS_SHAKE_192S, - OQS_SIG_sphincs_shake_192s_simple_length_public_key }, - { GNUTLS_PK_EXP_SPHINCS_SHAKE_256F, - OQS_SIG_sphincs_shake_256f_simple_length_public_key }, - { GNUTLS_PK_EXP_SPHINCS_SHAKE_256S, - OQS_SIG_sphincs_shake_256s_simple_length_public_key }, { GNUTLS_PK_UNKNOWN, 0 } }; 
@@ -132,18 +108,6 @@ unsigned pubkey_to_bits(const gnutls_pk_params_st *params) case GNUTLS_PK_ML_DSA_87: case GNUTLS_PK_EXP_FALCON512: case GNUTLS_PK_EXP_FALCON1024: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256S: return pq_pubkey_to_bits(params->algo); #endif default: @@ -436,26 +400,10 @@ int gnutls_pubkey_get_preferred_hash_algorithm(gnutls_pubkey_t key, case GNUTLS_PK_ML_DSA_87: case GNUTLS_PK_EXP_FALCON512: case GNUTLS_PK_EXP_FALCON1024: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256S: if (hash) *hash = GNUTLS_DIG_SHAKE_256; ret = 0; break; - case GNUTLS_PK_EXP_SPHINCS_SHA2_128F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256S: - if (hash) - *hash = GNUTLS_DIG_SHA256; - ret = 0; - break; #endif default: gnutls_assert(); 
@@ -2761,18 +2709,6 @@ int pubkey_verify_data(const gnutls_sign_entry_st *se, const mac_entry_st *me, case GNUTLS_PK_ML_DSA_87: case GNUTLS_PK_EXP_FALCON512: case GNUTLS_PK_EXP_FALCON1024: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256S: #endif if (_gnutls_pk_verify(se->pk, data, signature, params, sign_params) != 0) { diff --git a/lib/x509/common.h b/lib/x509/common.h index c171c67aab..69329083da 100644 --- a/lib/x509/common.h +++ b/lib/x509/common.h @@ -124,19 +124,6 @@ #define FALCON512_OID "1.3.9999.3.1" #define FALCON1024_OID "1.3.9999.3.4" - -#define SPHINCS_SHA2_128F_OID "1.3.9999.6.4.1" -#define SPHINCS_SHA2_128S_OID "1.3.9999.6.4.2" -#define SPHINCS_SHA2_192F_OID "1.3.9999.6.5.1" -#define SPHINCS_SHA2_192S_OID "1.3.9999.6.5.2" -#define SPHINCS_SHA2_256F_OID "1.3.9999.6.6.1" -#define SPHINCS_SHA2_256S_OID "1.3.9999.6.6.2" -#define SPHINCS_SHAKE_128F_OID "1.3.9999.6.7.1" -#define SPHINCS_SHAKE_128S_OID "1.3.9999.6.7.2" -#define SPHINCS_SHAKE_192F_OID "1.3.9999.6.8.1" -#define SPHINCS_SHAKE_192S_OID "1.3.9999.6.8.2" -#define SPHINCS_SHAKE_256F_OID "1.3.9999.6.9.1" -#define SPHINCS_SHAKE_256S_OID "1.3.9999.6.9.2" #endif #define ASN1_NULL "\x05\x00" diff --git a/lib/x509/key_decode.c b/lib/x509/key_decode.c index 0cbd59cfe5..07c71a7261 100644 --- a/lib/x509/key_decode.c +++ b/lib/x509/key_decode.c 
@@ -741,18 +741,6 @@ int _gnutls_x509_read_pubkey(gnutls_pk_algorithm_t algo, uint8_t *der, case GNUTLS_PK_ML_DSA_87: case GNUTLS_PK_EXP_FALCON512: case GNUTLS_PK_EXP_FALCON1024: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256S: ret = _gnutls_set_datum(¶ms->raw_pub, der, dersize); break; #endif @@ -859,18 +847,6 @@ int _gnutls_x509_check_pubkey_params(gnutls_pk_params_st *params) case GNUTLS_PK_ML_DSA_87: case GNUTLS_PK_EXP_FALCON512: case GNUTLS_PK_EXP_FALCON1024: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256S: #endif return 0; default: diff --git a/lib/x509/key_encode.c b/lib/x509/key_encode.c index c020e1e23b..1927c9ec1b 100644 --- a/lib/x509/key_encode.c +++ b/lib/x509/key_encode.c 
@@ -308,18 +308,6 @@ int _gnutls_x509_write_pubkey_params(const gnutls_pk_params_st *params, case GNUTLS_PK_ML_DSA_87: case GNUTLS_PK_EXP_FALCON512: case GNUTLS_PK_EXP_FALCON1024: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256S: #endif der->data = NULL; der->size = 0; @@ -362,18 +350,6 @@ int _gnutls_x509_write_pubkey(const gnutls_pk_params_st *params, case GNUTLS_PK_ML_DSA_87: case GNUTLS_PK_EXP_FALCON512: case GNUTLS_PK_EXP_FALCON1024: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256S: return _gnutls_x509_write_pqc_alg_pubkey(params, der); #endif default: 
@@ -1264,30 +1240,6 @@ static uint8_t _gnutls_get_pqc_alg_version(gnutls_pk_params_st *params) return '\x01'; case GNUTLS_PK_EXP_FALCON1024: return '\x02'; - case GNUTLS_PK_EXP_SPHINCS_SHA2_128F: - return '\x01'; - case GNUTLS_PK_EXP_SPHINCS_SHA2_128S: - return '\x02'; - case GNUTLS_PK_EXP_SPHINCS_SHA2_192F: - return '\x03'; - case GNUTLS_PK_EXP_SPHINCS_SHA2_192S: - return '\x04'; - case GNUTLS_PK_EXP_SPHINCS_SHA2_256F: - return '\x05'; - case GNUTLS_PK_EXP_SPHINCS_SHA2_256S: - return '\x06'; - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128F: - return '\x07'; - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128S: - return '\x08'; - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192F: - return '\x09'; - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192S: - return '\x0a'; - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256F: - return '\x0b'; - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256S: - return '\x0c'; default: return '\x00'; } @@ -1361,43 +1313,6 @@ static int _gnutls_asn1_encode_falcon(asn1_node *c2, return GNUTLS_E_SUCCESS; } -cleanup: - asn1_delete_structure2(c2, ASN1_DELETE_FLAG_ZEROIZE); - - return ret; -} - -static int _gnutls_asn1_encode_sphincs(asn1_node *c2, - gnutls_pk_params_st *params) -{ - int ret; - const char *oid; - - oid = gnutls_pk_get_oid(params->algo); - if (oid == NULL) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - - /* first make sure that no previously allocated data are leaked */ - if (*c2 != NULL) { - asn1_delete_structure(c2); - *c2 = NULL; - } - - if ((ret = asn1_create_element(_gnutls_get_gnutls_asn(), - "GNUTLS.SphincsPrivateKey", c2)) != - ASN1_SUCCESS) { - gnutls_assert(); - ret = _gnutls_asn2err(ret); - goto cleanup; - } - - ret = _gnutls_asn1_encode_pqc_alg(c2, params, oid, - _gnutls_get_pqc_alg_version(params)); - if (ret < 0) - goto cleanup; - - return GNUTLS_E_SUCCESS; - cleanup: asn1_delete_structure2(c2, ASN1_DELETE_FLAG_ZEROIZE); 
@@ -1435,19 +1350,6 @@ int _gnutls_asn1_encode_privkey(asn1_node *c2, gnutls_pk_params_st *params) case GNUTLS_PK_EXP_FALCON512: case GNUTLS_PK_EXP_FALCON1024: return _gnutls_asn1_encode_falcon(c2, params); - case GNUTLS_PK_EXP_SPHINCS_SHA2_128F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256S: - return _gnutls_asn1_encode_sphincs(c2, params); #endif default: return GNUTLS_E_UNIMPLEMENTED_FEATURE; diff --git a/lib/x509/mpi.c b/lib/x509/mpi.c index 6e1daec902..d836f912c4 100644 --- a/lib/x509/mpi.c +++ b/lib/x509/mpi.c @@ -139,19 +139,7 @@ int _gnutls_get_asn_mpis(asn1_node asn, const char *root, pk_algorithm != GNUTLS_PK_ML_DSA_65 && pk_algorithm != GNUTLS_PK_ML_DSA_87 && pk_algorithm != GNUTLS_PK_EXP_FALCON512 && - pk_algorithm != GNUTLS_PK_EXP_FALCON1024 && - pk_algorithm != GNUTLS_PK_EXP_SPHINCS_SHA2_128F && - pk_algorithm != GNUTLS_PK_EXP_SPHINCS_SHA2_128S && - pk_algorithm != GNUTLS_PK_EXP_SPHINCS_SHA2_192F && - pk_algorithm != GNUTLS_PK_EXP_SPHINCS_SHA2_192S && - pk_algorithm != GNUTLS_PK_EXP_SPHINCS_SHA2_256F && - pk_algorithm != GNUTLS_PK_EXP_SPHINCS_SHA2_256S && - pk_algorithm != GNUTLS_PK_EXP_SPHINCS_SHAKE_128F && - pk_algorithm != GNUTLS_PK_EXP_SPHINCS_SHAKE_128S && - pk_algorithm != GNUTLS_PK_EXP_SPHINCS_SHAKE_192F && - pk_algorithm != GNUTLS_PK_EXP_SPHINCS_SHAKE_192S && - pk_algorithm != GNUTLS_PK_EXP_SPHINCS_SHAKE_256F && - pk_algorithm != GNUTLS_PK_EXP_SPHINCS_SHAKE_256S + pk_algorithm != GNUTLS_PK_EXP_FALCON1024 #endif ) { /* RSA, EdDSA and PQ algorithms do not use parameters */ 
diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c index 56e6829d44..566aa558a1 100644 --- a/lib/x509/privkey.c +++ b/lib/x509/privkey.c 
@@ -488,98 +488,6 @@ int _gnutls_privkey_decode_falcon_key(asn1_node *pkey_asn, return 0; -error: - asn1_delete_structure2(pkey_asn, ASN1_DELETE_FLAG_ZEROIZE); - gnutls_pk_params_clear(&pkey->params); - gnutls_pk_params_release(&pkey->params); - return result; -} - -static const struct pqc_algorithm_version_st sphincs_versions[] = { - { '\x01', GNUTLS_PK_EXP_SPHINCS_SHA2_128F, - OQS_SIG_sphincs_sha2_128f_simple_length_secret_key, - OQS_SIG_sphincs_sha2_128f_simple_length_public_key }, - { '\x02', GNUTLS_PK_EXP_SPHINCS_SHA2_128S, - OQS_SIG_sphincs_sha2_128s_simple_length_secret_key, - OQS_SIG_sphincs_sha2_128s_simple_length_public_key }, - { '\x03', GNUTLS_PK_EXP_SPHINCS_SHA2_192F, - OQS_SIG_sphincs_sha2_192f_simple_length_secret_key, - OQS_SIG_sphincs_sha2_192f_simple_length_public_key }, - { '\x04', GNUTLS_PK_EXP_SPHINCS_SHA2_192S, - OQS_SIG_sphincs_sha2_192s_simple_length_secret_key, - OQS_SIG_sphincs_sha2_192s_simple_length_public_key }, - { '\x05', GNUTLS_PK_EXP_SPHINCS_SHA2_256F, - OQS_SIG_sphincs_sha2_256f_simple_length_secret_key, - OQS_SIG_sphincs_sha2_256f_simple_length_public_key }, - { '\x06', GNUTLS_PK_EXP_SPHINCS_SHA2_256S, - OQS_SIG_sphincs_sha2_256s_simple_length_secret_key, - OQS_SIG_sphincs_sha2_256s_simple_length_public_key }, - { '\x07', GNUTLS_PK_EXP_SPHINCS_SHAKE_128F, - OQS_SIG_sphincs_shake_128f_simple_length_secret_key, - OQS_SIG_sphincs_shake_128f_simple_length_public_key }, - { '\x08', GNUTLS_PK_EXP_SPHINCS_SHAKE_128S, - OQS_SIG_sphincs_shake_128s_simple_length_secret_key, - OQS_SIG_sphincs_shake_128s_simple_length_public_key }, - { '\x09', GNUTLS_PK_EXP_SPHINCS_SHAKE_192F, - OQS_SIG_sphincs_shake_192f_simple_length_secret_key, - OQS_SIG_sphincs_shake_192f_simple_length_public_key }, - { '\x0a', GNUTLS_PK_EXP_SPHINCS_SHAKE_192S, - OQS_SIG_sphincs_shake_192s_simple_length_secret_key, - OQS_SIG_sphincs_shake_192s_simple_length_public_key }, - { '\x0b', GNUTLS_PK_EXP_SPHINCS_SHAKE_256F, - OQS_SIG_sphincs_shake_256f_simple_length_secret_key, - 
OQS_SIG_sphincs_shake_256f_simple_length_public_key }, - { '\x0c', GNUTLS_PK_EXP_SPHINCS_SHAKE_256S, - OQS_SIG_sphincs_shake_256s_simple_length_secret_key, - OQS_SIG_sphincs_shake_256s_simple_length_public_key }, - - { '\x00', GNUTLS_PK_UNKNOWN, 0, 0 } -}; - -static int _gnutls_set_sphincs_params(const uint8_t *version, - gnutls_x509_privkey_t pkey) -{ - const struct pqc_algorithm_version_st *v = sphincs_versions; - while (v->algorithm != GNUTLS_PK_UNKNOWN && v->version != *version) - v++; - - pkey->params.raw_priv.size = v->secret_key_length; - pkey->params.raw_pub.size = v->public_key_length; - pkey->params.params_nr = SPHINCS_PRIVATE_PARAMS; - pkey->params.algo = v->algorithm; - - if (v->algorithm == GNUTLS_PK_UNKNOWN) - return GNUTLS_E_UNKNOWN_ALGORITHM; - - return 0; -} - -int _gnutls_privkey_decode_sphincs_key(asn1_node *pkey_asn, - const gnutls_datum_t *raw_key, - gnutls_x509_privkey_t pkey) -{ - int result; - uint8_t version; - - gnutls_pk_params_init(&pkey->params); - - if ((result = asn1_create_element(_gnutls_get_gnutls_asn(), - "GNUTLS.SphincsPrivateKey", - pkey_asn)) != ASN1_SUCCESS) { - gnutls_assert(); - return _gnutls_asn2err(result); - } - - result = _gnutls_decode_pqc_keys(pkey_asn, raw_key, pkey, &version); - if (result < 0) - goto error; - - result = _gnutls_set_sphincs_params(&version, pkey); - if (result < 0) - goto error; - - return 0; - error: asn1_delete_structure2(pkey_asn, ASN1_DELETE_FLAG_ZEROIZE); gnutls_pk_params_clear(&pkey->params); @@ -675,7 +583,6 @@ error: #ifdef HAVE_LIBOQS #define PEM_KEY_ML_DSA "ML-DSA PRIVATE KEY" #define PEM_KEY_FALCON "FALCON PRIVATE KEY" -#define PEM_KEY_SPHINCS "SPHINCS PRIVATE KEY" #endif #define PEM_KEY_PKCS8 "PRIVATE KEY" 
@@ -799,17 +706,6 @@ int gnutls_x509_privkey_import(gnutls_x509_privkey_t key, key->params.algo = GNUTLS_PK_EXP_FALCON512; } - } else if (left > sizeof(PEM_KEY_SPHINCS) && - memcmp(ptr, PEM_KEY_SPHINCS, - sizeof(PEM_KEY_SPHINCS) - - 1) == 0) { - result = _gnutls_fbase64_decode( - PEM_KEY_SPHINCS, begin_ptr, - left, &_data); - if (result >= 0) { - key->params.algo = - GNUTLS_PK_EXP_SPHINCS_SHA2_128F; - } #endif } @@ -883,14 +779,6 @@ int gnutls_x509_privkey_import(gnutls_x509_privkey_t key, result = _gnutls_privkey_decode_falcon_key(&key->key, &_data, key); - if (result < 0) { - gnutls_assert(); - key->key = NULL; - } - } else if (key->params.algo == GNUTLS_PK_EXP_SPHINCS_SHA2_128F) { - result = _gnutls_privkey_decode_sphincs_key(&key->key, &_data, - key); - if (result < 0) { gnutls_assert(); key->key = NULL; @@ -1081,10 +969,7 @@ int gnutls_x509_privkey_import2(gnutls_x509_privkey_t key, sizeof(PEM_KEY_ML_DSA) - 1) == 0) || (left > sizeof(PEM_KEY_FALCON) && memcmp(ptr, PEM_KEY_FALCON, - sizeof(PEM_KEY_FALCON) - 1) == 0) || - (left > sizeof(PEM_KEY_SPHINCS) && - memcmp(ptr, PEM_KEY_SPHINCS, - sizeof(PEM_KEY_SPHINCS) - 1) == 0) + sizeof(PEM_KEY_FALCON) - 1) == 0) #endif ) { head_enc = 0; @@ -1846,19 +1731,6 @@ static const char *set_msg(gnutls_x509_privkey_t key) case GNUTLS_PK_EXP_FALCON512: case GNUTLS_PK_EXP_FALCON1024: return PEM_KEY_FALCON; - case GNUTLS_PK_EXP_SPHINCS_SHA2_128F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256S: - return PEM_KEY_SPHINCS; #endif default: return "UNKNOWN"; 
diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c index 483d5d2b6c..fc49e9bf83 100644 --- a/lib/x509/privkey_pkcs8.c +++ b/lib/x509/privkey_pkcs8.c @@ -88,18 +88,6 @@ inline static int _encode_privkey(gnutls_x509_privkey_t pkey, case GNUTLS_PK_ML_DSA_87: case GNUTLS_PK_EXP_FALCON512: case GNUTLS_PK_EXP_FALCON1024: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256S: ret = _gnutls_x509_encode_string( ASN1_ETYPE_OCTET_STRING, pkey->params.raw_priv.data, pkey->params.raw_priv.size + pkey->params.raw_pub.size, 
@@ -1502,42 +1490,6 @@ static const struct pq_key_length_st pq_key_lengths[] = { OQS_SIG_falcon_512_length_public_key }, { GNUTLS_PK_EXP_FALCON1024, OQS_SIG_falcon_1024_length_secret_key, OQS_SIG_falcon_1024_length_public_key }, - { GNUTLS_PK_EXP_SPHINCS_SHA2_128F, - OQS_SIG_sphincs_sha2_128f_simple_length_secret_key, - OQS_SIG_sphincs_sha2_128f_simple_length_public_key }, - { GNUTLS_PK_EXP_SPHINCS_SHA2_128S, - OQS_SIG_sphincs_sha2_128s_simple_length_secret_key, - OQS_SIG_sphincs_sha2_128s_simple_length_public_key }, - { GNUTLS_PK_EXP_SPHINCS_SHA2_192F, - OQS_SIG_sphincs_sha2_192f_simple_length_secret_key, - OQS_SIG_sphincs_sha2_192f_simple_length_public_key }, - { GNUTLS_PK_EXP_SPHINCS_SHA2_192S, - OQS_SIG_sphincs_sha2_192s_simple_length_secret_key, - OQS_SIG_sphincs_sha2_192s_simple_length_public_key }, - { GNUTLS_PK_EXP_SPHINCS_SHA2_256F, - OQS_SIG_sphincs_sha2_256f_simple_length_secret_key, - OQS_SIG_sphincs_sha2_256f_simple_length_public_key }, - { GNUTLS_PK_EXP_SPHINCS_SHA2_256S, - OQS_SIG_sphincs_sha2_256s_simple_length_secret_key, - OQS_SIG_sphincs_sha2_256s_simple_length_public_key }, - { GNUTLS_PK_EXP_SPHINCS_SHAKE_128F, - OQS_SIG_sphincs_shake_128f_simple_length_secret_key, - OQS_SIG_sphincs_shake_128f_simple_length_public_key }, - { GNUTLS_PK_EXP_SPHINCS_SHAKE_128S, - OQS_SIG_sphincs_shake_128s_simple_length_secret_key, - OQS_SIG_sphincs_shake_128s_simple_length_public_key }, - { GNUTLS_PK_EXP_SPHINCS_SHAKE_192F, - OQS_SIG_sphincs_shake_192f_simple_length_secret_key, - OQS_SIG_sphincs_shake_192f_simple_length_public_key }, - { GNUTLS_PK_EXP_SPHINCS_SHAKE_192S, - OQS_SIG_sphincs_shake_192s_simple_length_secret_key, - OQS_SIG_sphincs_shake_192s_simple_length_public_key }, - { GNUTLS_PK_EXP_SPHINCS_SHAKE_256F, - OQS_SIG_sphincs_shake_256f_simple_length_secret_key, - OQS_SIG_sphincs_shake_256f_simple_length_public_key }, - { GNUTLS_PK_EXP_SPHINCS_SHAKE_256S, - OQS_SIG_sphincs_shake_256s_simple_length_secret_key, - 
OQS_SIG_sphincs_shake_256s_simple_length_public_key }, { GNUTLS_PK_UNKNOWN, 0, 0 } }; @@ -1698,18 +1650,6 @@ static int decode_private_key_info(const gnutls_datum_t *der, case GNUTLS_PK_ML_DSA_87: case GNUTLS_PK_EXP_FALCON512: case GNUTLS_PK_EXP_FALCON1024: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_128S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_192S: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256F: - case GNUTLS_PK_EXP_SPHINCS_SHA2_256S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_128S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_192S: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256F: - case GNUTLS_PK_EXP_SPHINCS_SHAKE_256S: result = _decode_pkcs8_pqc_alg_key(pkcs8_asn, pkey, oid); break; #endif diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h index 6ad8f16c60..fbb3aefb5b 100644 --- a/lib/x509/x509_int.h +++ b/lib/x509/x509_int.h @@ -253,9 +253,6 @@ int _gnutls_privkey_decode_falcon_key(asn1_node *pkey_asn, const gnutls_datum_t *raw_key, gnutls_x509_privkey_t pkey); -int _gnutls_privkey_decode_sphincs_key(asn1_node *pkey_asn, - const gnutls_datum_t *raw_key, - gnutls_x509_privkey_t pkey); #endif int _gnutls_privkey_decode_eddsa_key(asn1_node *pkey_asn, diff --git a/tests/privkey-keygen.c b/tests/privkey-keygen.c index a70a7f6f11..1eea0a473c 100644 --- a/tests/privkey-keygen.c +++ b/tests/privkey-keygen.c @@ -132,7 +132,7 @@ static bool is_supported_pk_algo(gnutls_pk_algorithm_t algo) void doit(void) { gnutls_x509_privkey_t pkey, dst; - int ret, i; + int ret, algorithm, i; gnutls_fips140_context_t fips_context; ret = global_init(); 
@@ -163,6 +163,21 @@ void doit(void) algorithm == GNUTLS_PK_MLKEM768) continue; + if (algorithm == GNUTLS_PK_GOST_01 || + algorithm == GNUTLS_PK_GOST_12_256 || + algorithm == GNUTLS_PK_GOST_12_512) { + /* Skip GOST algorithms: + * - If they are disabled by ./configure option + * - Or in FIPS140 mode + */ +#ifdef ENABLE_GOST + if (gnutls_fips140_mode_enabled()) + continue; +#else + continue; +#endif + } + ret = gnutls_x509_privkey_init(&pkey); if (ret < 0) { fail("gnutls_x509_privkey_init: %d\n", ret); @@ -175,23 +190,22 @@ void doit(void) FIPS_PUSH_CONTEXT(); ret = gnutls_x509_privkey_generate( - pkey, *algorithm, - gnutls_sec_param_to_pk_bits(*algorithm, + pkey, algorithm, + gnutls_sec_param_to_pk_bits(algorithm, sec_param[i]), 0); if (ret < 0) { fail("gnutls_x509_privkey_generate (%s-%d): %s (%d)\n", - gnutls_pk_algorithm_get_name(*algorithm), - gnutls_sec_param_to_pk_bits(*algorithm, + gnutls_pk_algorithm_get_name(algorithm), + gnutls_sec_param_to_pk_bits(algorithm, sec_param[i]), gnutls_strerror(ret), ret); } else if (debug) { success("Key[%s] generation ok: %d\n", - gnutls_pk_algorithm_get_name( - *algorithm), + gnutls_pk_algorithm_get_name(algorithm), ret); } - if (is_approved_pk_algo(*algorithm)) { + if (is_approved_pk_algo(algorithm)) { FIPS_POP_CONTEXT(APPROVED); } else { FIPS_POP_CONTEXT(NOT_APPROVED); @@ -200,7 +214,7 @@ void doit(void) ret = gnutls_x509_privkey_verify_params(pkey); if (ret < 0) { fail("gnutls_x509_privkey_generate (%s): %s (%d)\n", - gnutls_pk_algorithm_get_name(*algorithm), + gnutls_pk_algorithm_get_name(algorithm), gnutls_strerror(ret), ret); } 
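Review bot: The GOST skip added at the top of this hunk is unrelated to the SPHINCS removal named in the commit subject, and the description does not mention it, so someone auditing which algorithms the key-generation test still covers has no record of why GOST handling changed here. I would split the test-loop rework into its own commit or mention it in the message, and tighten the in-code comment to say which condition is compile-time and which is run-time, e.g. `/* GOST: skipped when built without ENABLE_GOST, and at run time under FIPS140 */`. The earlier hunk header shows an `is_supported_pk_algo()` helper in this file; if it is meant to filter the loop (its body is not visible, so this is a guess), the GOST check would sit more consistently there than inline. The loop header of `doit()` is outside the hunk, so whether the iteration still reaches any removed identifier cannot be confirmed from here.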
@@ -208,33 +222,33 @@ void doit(void) ret = gnutls_x509_privkey_cpy(dst, pkey); if (ret < 0) { fail("gnutls_x509_privkey_cpy (%s): %s (%d)\n", - gnutls_pk_algorithm_get_name(*algorithm), + gnutls_pk_algorithm_get_name(algorithm), gnutls_strerror(ret), ret); } ret = gnutls_x509_privkey_verify_params(pkey); if (ret < 0) { fail("gnutls_x509_privkey_generate after cpy (%s): %s (%d)\n", - gnutls_pk_algorithm_get_name(*algorithm), + gnutls_pk_algorithm_get_name(algorithm), gnutls_strerror(ret), ret); } /* RSA-OAEP doesn't support signing */ - if (*algorithm == GNUTLS_PK_RSA_OAEP) { + if (algorithm == GNUTLS_PK_RSA_OAEP) { goto end; } FIPS_PUSH_CONTEXT(); - sign_verify_data(*algorithm, pkey); - if (is_approved_pk_algo(*algorithm)) { + sign_verify_data(algorithm, pkey); + if (is_approved_pk_algo(algorithm)) { FIPS_POP_CONTEXT(APPROVED); } else { FIPS_POP_CONTEXT(NOT_APPROVED); } FIPS_PUSH_CONTEXT(); - sign_verify_data(*algorithm, dst); - if (is_approved_pk_algo(*algorithm)) { + sign_verify_data(algorithm, dst); + if (is_approved_pk_algo(algorithm)) { FIPS_POP_CONTEXT(APPROVED); } else { FIPS_POP_CONTEXT(NOT_APPROVED); @@ -244,8 +258,8 @@ void doit(void) gnutls_x509_privkey_deinit(pkey); gnutls_x509_privkey_deinit(dst); success("Generated key with %s-%d\n", - gnutls_pk_algorithm_get_name(*algorithm), - gnutls_sec_param_to_pk_bits(*algorithm, + gnutls_pk_algorithm_get_name(algorithm), + gnutls_sec_param_to_pk_bits(algorithm, sec_param[i])); } }
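Review bot: After `gnutls_x509_privkey_cpy(dst, pkey)` the second parameter check still calls `gnutls_x509_privkey_verify_params(pkey)`, so the copied key `dst` is never validated before it is used for signing; the failure text "after cpy" suggests the copy was the intended target. Changing the call to `ret = gnutls_x509_privkey_verify_params(dst);` would let the test catch a copy that drops or corrupts key parameters. Both this message and the one in the preceding hunk report a `verify_params` failure as `gnutls_x509_privkey_generate`, which misdirects whoever reads the log; naming the function that actually failed would help. These are lines the commit touched only for the `*algorithm` to `algorithm` change, and `doit()` begins outside the hunk.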