From 040bdfb18684d809cb5edacf9867d3378b7e093b Mon Sep 17 00:00:00 2001
From: Dimitri Staessens <dimitri@ouroboros.rocks>
Date: Tue, 17 Feb 2026 22:37:39 +0100
Subject: lib: Add SLH-DSA tests and per-algorithm PQC gating

This replaces the single HAVE_OPENSSL_PQC/DISABLE_PQC with
per-algorithm CMake variables (ML-KEM, ML-DSA, SLH-DSA), gated by the
OpenSSL versions: ML-KEM and ML-DSA require >= 3.4, SLH-DSA >= 3.5.

SLH-DSA was already working, but now added explicit authentication
tests for it with a full certificate chain (root CA, intermediate CA,
server) to show full support.

Rename PQC test files and cert headers to use algorithm-specific names
(ml_kem, ml_dsa, slh_dsa) and move cert headers to
include/test/certs/.

Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
---
 src/irmd/oap/io.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src/irmd/oap/io.c')

diff --git a/src/irmd/oap/io.c b/src/irmd/oap/io.c
index 8f75a8d8..c8d26147 100644
--- a/src/irmd/oap/io.c
+++ b/src/irmd/oap/io.c
@@ -118,7 +118,7 @@ int load_kex_config(const char *        name,
                 log_info("Key exchange not configured for %s.", name);
                 return 0;
         }
-#ifndef HAVE_OPENSSL_PQC
+#ifndef HAVE_OPENSSL_ML_KEM
         if (IS_KEM_ALGORITHM(cfg->x.str)) {
                 log_err("PQC not available, can't use %s for %s.",
                         cfg->x.str, name);
-- 
cgit v1.2.3