From: Joachim Vandersmissen <git@jvdsn.com>
Date: Fri, 18 Apr 2025 16:09:05 +0000 (-0500)
Subject: Test ML-DSA, SLH-DSA, and ML-KEM PCT implementations
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3f28cc6e63cdafdea08921abf12066ddfc68e6ec;p=thirdparty%2Fopenssl.git

Test ML-DSA, SLH-DSA, and ML-KEM PCT implementations

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27436)
---

diff --git a/test/pairwise_fail_test.c b/test/pairwise_fail_test.c
index 0e46aba2ad7..9345a9c841a 100644
--- a/test/pairwise_fail_test.c
+++ b/test/pairwise_fail_test.c
@@ -133,6 +133,39 @@ static int test_keygen_pairwise_failure(void)
             goto err;
         if (!TEST_ptr_null(pkey))
             goto err;
+    } else if (strncmp(pairwise_name, "ml-dsa", 6) == 0) {
+        if (!TEST_true(setup_selftest_pairwise_failure(type)))
+            goto err;
+        if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "ML-DSA-87", NULL)))
+            goto err;
+        if (!TEST_int_eq(EVP_PKEY_keygen_init(ctx), 1))
+            goto err;
+        if (!TEST_int_le(EVP_PKEY_keygen(ctx, &pkey), 0))
+            goto err;
+        if (!TEST_ptr_null(pkey))
+            goto err;
+    } else if (strncmp(pairwise_name, "slh-dsa", 7) == 0) {
+        if (!TEST_true(setup_selftest_pairwise_failure(type)))
+            goto err;
+        if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "SLH-DSA-SHA2-256f", NULL)))
+            goto err;
+        if (!TEST_int_eq(EVP_PKEY_keygen_init(ctx), 1))
+            goto err;
+        if (!TEST_int_le(EVP_PKEY_keygen(ctx, &pkey), 0))
+            goto err;
+        if (!TEST_ptr_null(pkey))
+            goto err;
+    } else if (strncmp(pairwise_name, "ml-kem", 6) == 0) {
+        if (!TEST_true(setup_selftest_pairwise_failure(type)))
+            goto err;
+        if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "ML-KEM-1024", NULL)))
+            goto err;
+        if (!TEST_int_eq(EVP_PKEY_keygen_init(ctx), 1))
+            goto err;
+        if (!TEST_int_le(EVP_PKEY_keygen(ctx, &pkey), 0))
+            goto err;
+        if (!TEST_ptr_null(pkey))
+            goto err;
     }
     ret = 1;
 err:
diff --git a/test/recipes/30-test_pairwise_fail.t b/test/recipes/30-test_pairwise_fail.t
index a101a26fb18..e7c726352b6 100644
--- a/test/recipes/30-test_pairwise_fail.t
+++ b/test/recipes/30-test_pairwise_fail.t
@@ -22,7 +22,7 @@ use lib bldtop_dir('.');
 plan skip_all => "These tests are unsupported in a non fips build"
     if disabled("fips");
 
-plan tests => 6;
+plan tests => 9;
 my $provconf = srctop_file("test", "fips-and-base.cnf");
 
 run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]),
@@ -77,3 +77,45 @@ SKIP: {
                  "-pairwise", "eddsa"])),
        "fips provider eddsa keygen pairwise failure test");
 }
+
+SKIP: {
+    skip "Skip ML-DSA test because of no ml-dsa in this build", 1
+        if disabled("ml-dsa");
+
+    run(test(["fips_version_test", "-config", $provconf, ">=3.5.0"]),
+             capture => 1, statusvar => \my $exit);
+    skip "FIPS provider version is too old", 1
+        if !$exit;
+
+    ok(run(test(["pairwise_fail_test", "-config", $provconf,
+                 "-pairwise", "ml-dsa"])),
+       "fips provider ml-dsa keygen pairwise failure test");
+}
+
+SKIP: {
+    skip "Skip SLH-DSA test because of no slh-dsa in this build", 1
+        if disabled("slh-dsa");
+
+    run(test(["fips_version_test", "-config", $provconf, ">=3.5.0"]),
+             capture => 1, statusvar => \my $exit);
+    skip "FIPS provider version is too old", 1
+        if !$exit;
+
+    ok(run(test(["pairwise_fail_test", "-config", $provconf,
+                 "-pairwise", "slh-dsa"])),
+       "fips provider slh-dsa keygen pairwise failure test");
+}
+
+SKIP: {
+    skip "Skip ML-KEM test because of no ml-kem in this build", 1
+        if disabled("ml-kem");
+
+    run(test(["fips_version_test", "-config", $provconf, ">=3.5.0"]),
+             capture => 1, statusvar => \my $exit);
+    skip "FIPS provider version is too old", 1
+        if !$exit;
+
+    ok(run(test(["pairwise_fail_test", "-config", $provconf,
+                 "-pairwise", "ml-kem"])),
+       "fips provider ml-kem keygen pairwise failure test");
+}