Pull SLH-DSA test out of BORINGSSL_self_check()
FIPS: this changes the entry point for running the self tests.
Change-Id: I1ddef5b05e68effd1290d5e4428c278fd43bc4f7
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/77927
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Auto-Submit: Bob Beck <bbe@google.com>
diff --git a/crypto/fipsmodule/self_check/self_check.cc.inc b/crypto/fipsmodule/self_check/self_check.cc.inc
index a126a1b..4fd3963 100644
--- a/crypto/fipsmodule/self_check/self_check.cc.inc
+++ b/crypto/fipsmodule/self_check/self_check.cc.inc
@@ -1034,12 +1034,21 @@
int BORINGSSL_self_test(void) {
if (!boringssl_self_test_fast() ||
- // When requested to run self tests, also run the lazy tests.
+ // When requested to run self tests, also run some of the lazy tests.
!boringssl_self_test_rsa() || //
!boringssl_self_test_ecc() || //
!boringssl_self_test_ffdh() || //
!boringssl_self_test_mlkem() || //
- !boringssl_self_test_mldsa() || //
+ !boringssl_self_test_mldsa()) {
+ return 0;
+ }
+
+ return 1;
+}
+
+int BORINGSSL_self_test_all(void) {
+ if (!BORINGSSL_self_test() ||
+ // When requested to run all self tests, add in the really slow tests.
!boringssl_self_test_slhdsa()) {
return 0;
}
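Review bot: The rewritten comment in BORINGSSL_self_test says "some of the lazy tests" without saying which one is left out, so a reader of this file cannot tell that SLH-DSA is the omitted KAT or that the omission is deliberate. Name it at that spot, for example `// Also run the lazy tests, except SLH-DSA, which is slow; BORINGSSL_self_test_all adds it.` The body of BORINGSSL_self_test_all continues past the end of the hunk, so its success return is not visible here.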
diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h
index eb60945..ca1ca2f 100644
--- a/include/openssl/crypto.h
+++ b/include/openssl/crypto.h
@@ -46,10 +46,17 @@
// in which case it returns zero.
OPENSSL_EXPORT int CRYPTO_has_asm(void);
-// BORINGSSL_self_test triggers the FIPS KAT-based self tests. It returns one on
-// success and zero on error.
+// BORINGSSL_self_test triggers most of the FIPS KAT-based self tests. It
+// returns one on success and zero on error. It currently skips the SLH-DSA
+// tests, which take a really long time to run.
OPENSSL_EXPORT int BORINGSSL_self_test(void);
+// BORINGSSL_self_test_all triggers all of the FIPS KAT-based self tests. This
+// is the 'self-test' entry point required by FIPS 140. It returns one on
+// success and zero on error. This test will take a very long time to run. You
+// probably do not want to run this in a resource or time constrained test.
+OPENSSL_EXPORT int BORINGSSL_self_test_all(void);
+
// BORINGSSL_integrity_test triggers the module's integrity test where the code
// and data of the module is matched against a hash injected at build time. It
// returns one on success or zero if there's a mismatch. This function only
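Review bot: BORINGSSL_self_test keeps its name and signature while covering fewer algorithms, so an existing caller that relies on it as the FIPS 140 on-demand self-test will build unchanged and silently stop exercising the SLH-DSA KAT. The new comment on BORINGSSL_self_test should direct such callers to the other entry point, for example by adding `// Callers that need the FIPS 140 self-test entry point must call BORINGSSL_self_test_all.` The word "currently" also leaves open whether further tests may move out later; if that is possible, the comment should say that this function's coverage is not a compliance guarantee.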