From 040bdfb18684d809cb5edacf9867d3378b7e093b Mon Sep 17 00:00:00 2001
From: Dimitri Staessens <dimitri@ouroboros.rocks>
Date: Tue, 17 Feb 2026 22:37:39 +0100
Subject: lib: Add SLH-DSA tests and per-algorithm PQC gating

This replaces the single HAVE_OPENSSL_PQC/DISABLE_PQC with
per-algorithm CMake variables (ML-KEM, ML-DSA, SLH-DSA), gated by the
OpenSSL versions: ML-KEM and ML-DSA require >= 3.4, SLH-DSA >= 3.5.

SLH-DSA was already working, but now added explicit authentication
tests for it with a full certificate chain (root CA, intermediate CA,
server) to show full support.

Rename PQC test files and cert headers to use algorithm-specific names
(ml_kem, ml_dsa, slh_dsa) and move cert headers to
include/test/certs/.

Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
---
 src/irmd/oap/tests/oap_test.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/irmd/oap/tests/oap_test.c')

diff --git a/src/irmd/oap/tests/oap_test.c b/src/irmd/oap/tests/oap_test.c
index fc78ed9a..169cfc14 100644
--- a/src/irmd/oap/tests/oap_test.c
+++ b/src/irmd/oap/tests/oap_test.c
@@ -38,7 +38,7 @@
 #include <ouroboros/time.h>
 
 #include <test/test.h>
-#include <test/certs.h>
+#include <test/certs/ecdsa.h>
 
 #include "oap.h"
 #include "common.h"
@@ -526,7 +526,7 @@ static int test_oap_roundtrip_all(void)
         for (i = 0; kex_supported_nids[i] != NID_undef; i++) {
                 const char * algo = kex_nid_to_str(kex_supported_nids[i]);
 
-                /* Skip KEM algorithms - they're tested in oap_test_pqc */
+                /* Skip KEM algorithms - tested in oap_test_ml_dsa */
                 if (IS_KEM_ALGORITHM(algo))
                         continue;
 
-- 
cgit v1.2.3