lib: Add SLH-DSA tests and per-algorithm PQC gating

This replaces the single HAVE_OPENSSL_PQC/DISABLE_PQC with
per-algorithm CMake variables (ML-KEM, ML-DSA, SLH-DSA), gated by the
OpenSSL versions: ML-KEM and ML-DSA require >= 3.4, SLH-DSA >= 3.5.

SLH-DSA was already working, but now added explicit authentication
tests for it with a full certificate chain (root CA, intermediate CA,
server) to show full support.

Rename PQC test files and cert headers to use algorithm-specific names
(ml_kem, ml_dsa, slh_dsa) and move cert headers to
include/test/certs/.

Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>

5 files changed, 22 insertions, 21 deletions

diff --git a/src/irmd/config.h.in b/src/irmd/config.h.in
index e1072193..6cbfc11f 100644
--- a/src/irmd/config.h.in
+++ b/src/irmd/config.h.in
@@ -78,7 +78,8 @@
 #cmakedefine HAVE_LIBGCRYPT
 #cmakedefine HAVE_OPENSSL
 #ifdef HAVE_OPENSSL
-#cmakedefine HAVE_OPENSSL_PQC
+#cmakedefine HAVE_OPENSSL_ML_KEM
+#cmakedefine HAVE_OPENSSL_ML_DSA
 #endif
 #define IRMD_SECMEM_MAX        @IRMD_SECMEM_MAX@
 #ifdef CONFIG_OUROBOROS_DEBUG
diff --git a/src/irmd/oap/io.c b/src/irmd/oap/io.c
index 8f75a8d8..c8d26147 100644
--- a/src/irmd/oap/io.c
+++ b/src/irmd/oap/io.c
@@ -118,7 +118,7 @@ int load_kex_config(const char *        name,
                 log_info("Key exchange not configured for %s.", name);
                 return 0;
         }
-#ifndef HAVE_OPENSSL_PQC
+#ifndef HAVE_OPENSSL_ML_KEM
         if (IS_KEM_ALGORITHM(cfg->x.str)) {
                 log_err("PQC not available, can't use %s for %s.",
                         cfg->x.str, name);
diff --git a/src/irmd/oap/tests/CMakeLists.txt b/src/irmd/oap/tests/CMakeLists.txt
index 2bf23821..b534cb72 100644
--- a/src/irmd/oap/tests/CMakeLists.txt
+++ b/src/irmd/oap/tests/CMakeLists.txt
@@ -13,9 +13,9 @@ create_test_sourcelist(${PARENT_DIR}_tests test_suite.c
   oap_test.c
 )
 
-create_test_sourcelist(${PARENT_DIR}_pqc_tests test_suite_pqc.c
-  # PQC-specific tests
-  oap_test_pqc.c
+create_test_sourcelist(${PARENT_DIR}_ml_dsa_tests test_suite_ml_dsa.c
+  # ML-DSA-specific tests
+  oap_test_ml_dsa.c
 )
 
 # OAP test needs io.c compiled with OAP_TEST_MODE
@@ -41,24 +41,24 @@ target_include_directories(${PARENT_DIR}_test PRIVATE
   ${IRMD_BINARY_DIR}
 )
 
-# PQC test executable (ML-DSA)
-add_executable(${PARENT_DIR}_pqc_test ${${PARENT_DIR}_pqc_tests} ${OAP_TEST_SOURCES})
+# ML-DSA test executable
+add_executable(${PARENT_DIR}_ml_dsa_test ${${PARENT_DIR}_ml_dsa_tests} ${OAP_TEST_SOURCES})
 set_source_files_properties(${OAP_TEST_SOURCES}
-  TARGET_DIRECTORY ${PARENT_DIR}_pqc_test
+  TARGET_DIRECTORY ${PARENT_DIR}_ml_dsa_test
   PROPERTIES COMPILE_DEFINITIONS "OAP_TEST_MODE"
 )
 
-disable_test_logging_for_target(${PARENT_DIR}_pqc_test)
-target_link_libraries(${PARENT_DIR}_pqc_test ouroboros-irm)
-target_include_directories(${PARENT_DIR}_pqc_test PRIVATE
+disable_test_logging_for_target(${PARENT_DIR}_ml_dsa_test)
+target_link_libraries(${PARENT_DIR}_ml_dsa_test ouroboros-irm)
+target_include_directories(${PARENT_DIR}_ml_dsa_test PRIVATE
   ${IRMD_SOURCE_DIR}
   ${IRMD_BINARY_DIR}
 )
 
-add_dependencies(build_tests ${PARENT_DIR}_test ${PARENT_DIR}_pqc_test)
+add_dependencies(build_tests ${PARENT_DIR}_test ${PARENT_DIR}_ml_dsa_test)
 
 # Regular tests
 ouroboros_register_tests(TARGET ${PARENT_DIR}_test TESTS ${${PARENT_DIR}_tests})
 
-# PQC tests
-ouroboros_register_tests(TARGET ${PARENT_DIR}_pqc_test TESTS ${${PARENT_DIR}_pqc_tests})
+# ML-DSA tests
+ouroboros_register_tests(TARGET ${PARENT_DIR}_ml_dsa_test TESTS ${${PARENT_DIR}_ml_dsa_tests})
diff --git a/src/irmd/oap/tests/oap_test.c b/src/irmd/oap/tests/oap_test.c
index fc78ed9a..169cfc14 100644
--- a/src/irmd/oap/tests/oap_test.c
+++ b/src/irmd/oap/tests/oap_test.c
@@ -38,7 +38,7 @@
 #include <ouroboros/time.h>
 
 #include <test/test.h>
-#include <test/certs.h>
+#include <test/certs/ecdsa.h>
 
 #include "oap.h"
 #include "common.h"
@@ -526,7 +526,7 @@ static int test_oap_roundtrip_all(void)
         for (i = 0; kex_supported_nids[i] != NID_undef; i++) {
                 const char * algo = kex_nid_to_str(kex_supported_nids[i]);
 
-                /* Skip KEM algorithms - they're tested in oap_test_pqc */
+                /* Skip KEM algorithms - tested in oap_test_ml_dsa */
                 if (IS_KEM_ALGORITHM(algo))
                         continue;
 
diff --git a/src/irmd/oap/tests/oap_test_pqc.c b/src/irmd/oap/tests/oap_test_ml_dsa.c
index bbaf9f7b..f9e6bdb2 100644
--- a/src/irmd/oap/tests/oap_test_pqc.c
+++ b/src/irmd/oap/tests/oap_test_ml_dsa.c
@@ -1,7 +1,7 @@
 /*
  * Ouroboros - Copyright (C) 2016 - 2026
  *
- * Unit tests of OAP post-quantum key exchange
+ * Unit tests of OAP ML-KEM/ML-DSA key exchange
  *
  *    Dimitri Staessens <dimitri@ouroboros.rocks>
  *    Sander Vrijders   <sander@ouroboros.rocks>
@@ -34,7 +34,7 @@
 #include <ouroboros/random.h>
 #include <test/test.h>
 
-#include <test/certs_pqc.h>
+#include <test/certs/ml_dsa.h>
 
 #include "oap.h"
 #include "common.h"
@@ -412,15 +412,15 @@ static int test_oap_kem_srv_uncfg_all(void)
         return ret;
 }
 
-int oap_test_pqc(int    argc,
-                 char **argv)
+int oap_test_ml_dsa(int    argc,
+                    char **argv)
 {
         int ret = 0;
 
         (void) argc;
         (void) argv;
 
-#ifdef HAVE_OPENSSL_PQC
+#ifdef HAVE_OPENSSL_ML_KEM
         ret |= test_oap_roundtrip_auth_only();
 
         ret |= test_oap_roundtrip_kem_all();