| author | Dimitri Staessens <dimitri@ouroboros.rocks> | 2026-02-17 22:37:39 +0100 |
|---|---|---|
| committer | Sander Vrijders <sander@ouroboros.rocks> | 2026-02-18 07:53:35 +0100 |
| commit | 040bdfb18684d809cb5edacf9867d3378b7e093b (patch) | |
| tree | d0b337c83ea4af5312834541acce584719a52ca0 /cmake/dependencies/crypt/openssl.cmake | |
| parent | 2c717b2fc9773a74d6c9df01a2f873deea163918 (diff) | |
lib: Add SLH-DSA tests and per-algorithm PQC gating
This replaces the single HAVE_OPENSSL_PQC/DISABLE_PQC with
per-algorithm CMake variables (ML-KEM, ML-DSA, SLH-DSA), gated by the
OpenSSL versions: ML-KEM and ML-DSA require >= 3.4, SLH-DSA >= 3.5.
SLH-DSA was already working, but this now adds explicit authentication
tests for it with a full certificate chain (root CA, intermediate CA,
server) to show full support.
Rename PQC test files and cert headers to use algorithm-specific names
(ml_kem, ml_dsa, slh_dsa) and move cert headers to
include/test/certs/.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
Diffstat (limited to 'cmake/dependencies/crypt/openssl.cmake')
| -rw-r--r-- | cmake/dependencies/crypt/openssl.cmake | 94 |
1 files changed, 66 insertions, 28 deletions
diff --git a/cmake/dependencies/crypt/openssl.cmake b/cmake/dependencies/crypt/openssl.cmake
index ed07cc9d..38eb826f 100644
--- a/cmake/dependencies/crypt/openssl.cmake
+++ b/cmake/dependencies/crypt/openssl.cmake
@@ -1,35 +1,73 @@
 find_package(OpenSSL QUIET)
-if(OPENSSL_FOUND)
- set(HAVE_OPENSSL_RNG TRUE)
- if(OPENSSL_VERSION VERSION_LESS "3.0.0")
- message(STATUS "Install version >= 3.0.0 to enable OpenSSL support "
- "(found version \"${OPENSSL_VERSION}\")")
- else()
- set(DISABLE_OPENSSL FALSE CACHE BOOL "Disable OpenSSL support")
- if(NOT DISABLE_OPENSSL)
- message(STATUS "OpenSSL support enabled, found version ${OPENSSL_VERSION}")
- set(HAVE_OPENSSL TRUE CACHE INTERNAL "OpenSSL cryptography support available")
- set(DISABLE_PQC FALSE CACHE BOOL "Disable post-quantum cryptography support")
- if(OPENSSL_VERSION VERSION_GREATER_EQUAL "3.4.0")
- if(NOT DISABLE_PQC)
- set(HAVE_OPENSSL_PQC TRUE CACHE INTERNAL "OpenSSL post-quantum cryptography available")
- message(STATUS "OpenSSL PQC support enabled")
- else()
- message(STATUS "OpenSSL PQC support disabled by user")
- unset(HAVE_OPENSSL_PQC CACHE)
- endif()
- else()
- message(STATUS "Install OpenSSL >= 3.4.0 for PQC support")
- endif()
- else()
- message(STATUS "OpenSSL support disabled")
- unset(HAVE_OPENSSL CACHE)
- endif()
- endif()
-else()
+if(NOT OPENSSL_FOUND)
 message(STATUS "Install OpenSSL version >= 3.0.0 to enable OpenSSL support")
 unset(HAVE_OPENSSL_RNG)
 unset(HAVE_OPENSSL CACHE)
+ return()
+endif()
+
+set(HAVE_OPENSSL_RNG TRUE)
+
+if(OPENSSL_VERSION VERSION_LESS "3.0.0")
+ message(STATUS "Install version >= 3.0.0 to enable OpenSSL support "
+ "(found version \"${OPENSSL_VERSION}\")")
+ return()
+endif()
+
+set(DISABLE_OPENSSL FALSE CACHE BOOL "Disable OpenSSL support")
+if(DISABLE_OPENSSL)
+ message(STATUS "OpenSSL support disabled")
+ unset(HAVE_OPENSSL CACHE)
+ return()
+endif()
+
+message(STATUS "OpenSSL support enabled, found version ${OPENSSL_VERSION}")
+set(HAVE_OPENSSL TRUE CACHE INTERNAL
+ "OpenSSL cryptography support available")
+
+if(OPENSSL_VERSION VERSION_GREATER_EQUAL "3.4.0")
+ set(DISABLE_ML_KEM FALSE CACHE BOOL
+ "Disable ML-KEM support")
+ set(DISABLE_ML_DSA FALSE CACHE BOOL
+ "Disable ML-DSA support")
+ if(NOT DISABLE_ML_KEM)
+ set(HAVE_OPENSSL_ML_KEM TRUE CACHE INTERNAL
+ "OpenSSL ML-KEM available")
+ message(STATUS "OpenSSL ML-KEM support enabled")
+ else()
+ message(STATUS "OpenSSL ML-KEM support disabled")
+ unset(HAVE_OPENSSL_ML_KEM CACHE)
+ endif()
+ if(NOT DISABLE_ML_DSA)
+ set(HAVE_OPENSSL_ML_DSA TRUE CACHE INTERNAL
+ "OpenSSL ML-DSA available")
+ message(STATUS "OpenSSL ML-DSA support enabled")
+ else()
+ message(STATUS "OpenSSL ML-DSA support disabled")
+ unset(HAVE_OPENSSL_ML_DSA CACHE)
+ endif()
+else()
+ message(STATUS
+ "Install OpenSSL >= 3.4.0 for ML-KEM/ML-DSA")
+ unset(HAVE_OPENSSL_ML_KEM CACHE)
+ unset(HAVE_OPENSSL_ML_DSA CACHE)
+endif()
+
+if(OPENSSL_VERSION VERSION_GREATER_EQUAL "3.5.0")
+ set(DISABLE_SLH_DSA FALSE CACHE BOOL
+ "Disable SLH-DSA support")
+ if(NOT DISABLE_SLH_DSA)
+ set(HAVE_OPENSSL_SLH_DSA TRUE CACHE INTERNAL
+ "OpenSSL SLH-DSA available")
+ message(STATUS "OpenSSL SLH-DSA support enabled")
+ else()
+ message(STATUS "OpenSSL SLH-DSA support disabled")
+ unset(HAVE_OPENSSL_SLH_DSA CACHE)
+ endif()
+else()
+ message(STATUS
+ "Install OpenSSL >= 3.5.0 for SLH-DSA")
+ unset(HAVE_OPENSSL_SLH_DSA CACHE)
 endif()
 
 # Secure memory options are in cmake/config/global.cmake |
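Review bot: The three early `return()` paths (OpenSSL not found, version below 3.0.0, `DISABLE_OPENSSL` set) never clear `HAVE_OPENSSL_ML_KEM`, `HAVE_OPENSSL_ML_DSA` or `HAVE_OPENSSL_SLH_DSA`, so a build tree configured once against OpenSSL 3.5 keeps those INTERNAL cache entries set after a reconfigure that disables or downgrades OpenSSL. If anything downstream tests them without also testing `HAVE_OPENSSL` (not visible in this file), the build would advertise post-quantum algorithms that are not actually available. Clearing them once right after `find_package(OpenSSL QUIET)` covers every path, since the enabled branches set them again: `unset(HAVE_OPENSSL_ML_KEM CACHE)`, `unset(HAVE_OPENSSL_ML_DSA CACHE)`, `unset(HAVE_OPENSSL_SLH_DSA CACHE)`. The version-below-3.0.0 path likewise leaves a cached `HAVE_OPENSSL` in place, unlike the other two early exits, and would benefit from the same `unset(HAVE_OPENSSL CACHE)`.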
