Update oqsprovider git submodule and start testing with it again

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26848)
2025-03-19 19:50:42 +08:00 · 2025-02-20 11:35:09 +01:00 · 2025-02-20 11:35:09 +01:00 · c535b28baf
commit c535b28baf
parent c338c89d16
4 changed files with 7 additions and 90 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 35529a04b0530817c59dcf06df97493574428bd3
+Subproject commit 7bc597c04b534ddea9b6654481deb31ded8e1bbc
--- a/test/README-external.md
+++ b/test/README-external.md
@ -110,13 +110,12 @@ explicitly run (with more debugging):

    $ make test VERBOSE=1 TESTS=test_external_oqsprovider

-The environment variable `OQS_SKIP_TESTS` can be set to select tests and
-algorithms to be skipped, e.g. as follows:
-
-    OQS_SKIP_TESTS=kyber make test TESTS=test_external_oqsprovider
-
 The names of all supported quantum-safe algorithms are available at
-<https://github.com/open-quantum-safe/oqs-provider#algorithms>
+<https://github.com/open-quantum-safe/oqs-provider#algorithms>.
+
+Please note specific limitations of oqsprovider operations dependent on specific
+openssl versions as documented at
+<https://github.com/open-quantum-safe/oqs-provider#note-on-openssl-versions>.

 pkcs11-provider test suite
 ==========================
--- a/test/recipes/95-test_external_oqsprovider_data/oqsprovider-pkcs12gen.sh
+++ b/test/recipes/95-test_external_oqsprovider_data/oqsprovider-pkcs12gen.sh
@ -1,68 +0,0 @@
-#!/bin/bash
-
-# Use newly built oqsprovider to save PKCS#12 files from keys and
-# and certificates files generated using alg $1.
-# Assumed oqsprovider-certgen.sh to have run before for same algorithm
-
-set -e
-set -x
-
-if [ $# -lt 1 ]; then
-    echo "Usage: $0 <algorithmname>. Exiting."
-    exit 1
-fi
-
-echo "oqsprovider-pkcs12gen.sh commencing..."
-
-if [ -z "$OPENSSL_APP" ]; then
-    echo "OPENSSL_APP env var not set. Exiting."
-    exit 1
-fi
-
-if [ -z "$OPENSSL_MODULES" ]; then
-    echo "Warning: OPENSSL_MODULES env var not set."
-fi
-
-if [ -z "$OPENSSL_CONF" ]; then
-    echo "OPENSSL_CONF env var not set. Exiting."
-    exit 1
-fi
-
-# Set OSX DYLD_LIBRARY_PATH if not already externally set
-if [ -z "$DYLD_LIBRARY_PATH" ]; then
-    export DYLD_LIBRARY_PATH=$LD_LIBRARY_PATH
-fi
-
-# Assumes certgen has been run before: Quick check
-if [[ -f tmp/$1_CA.crt &&  -f tmp/$1_CA.key ]]; then
-   echo "Key and certificate using $1 found."
-else
-   echo "File tmp/$1_CA.crt and/or tmp/$1_CA.key not found. Did certgen run before? Exiting."
-   exit -1
-fi
-
-echo "Generating PKCS#12 files..."
-
-# pkcs12 test:
-$OPENSSL_APP pkcs12 -export -in tmp/$1_srv.crt -inkey tmp/$1_srv.key -passout pass: -out tmp/$1_srv_1.p12
-
-if [ $? -ne 0 ] || [ ! -f tmp/$1_srv_1.p12 ]; then
-    echo "PKCS#12 generation with oqsprovider enabled failed."
-    exit 1
-fi
-
-# Generate config file with oqsprovider disabled
-sed -e 's/^oqsprovider/# oqsprovider/' $OPENSSL_CONF > tmp/openssl-ca-no-oqsprovider.cnf
-
-# This print an error but OpenSSL returns 0 and .p12 file is generated correctly
-OPENSSL_CONF=tmp/openssl-ca-no-oqsprovider.cnf $OPENSSL_APP pkcs12 -provider default -provider oqsprovider -export -in tmp/$1_srv.crt -inkey tmp/$1_srv.key -passout pass: -out tmp/$1_srv_2.p12
-
-if [ $? -ne 0 ] || [ ! -f tmp/$1_srv_2.p12 ]; then
-    echo "PKCS#12 generation with oqsprovider disabled failed."
-    exit 1
-fi
-
-if [ $(cat tmp/$1_srv_1.p12 | $OPENSSL_APP sha256) -neq $(cat tmp/$1_srv_2.p12 | $OPENSSL_APP sha256) ]; then
-    echo "PKCS#12 files differ when oqsprovider is enabled or not."
-    exit 1
-fi
--- a/test/recipes/95-test_external_oqsprovider_data/oqsprovider.sh
+++ b/test/recipes/95-test_external_oqsprovider_data/oqsprovider.sh
@ -33,16 +33,6 @@ export PATH="$O_EXE:$PATH"
 export LD_LIBRARY_PATH="$O_LIB:$LD_LIBRARY_PATH"
 export OPENSSL_ROOT_DIR="$O_LIB"

-# Temporarily override IANA ML-KEM TLS group codepoints
-export OQS_CODEPOINT_FRODO640AES=65024
-export OQS_CODEPOINT_FRODO640SHAKE=65025
-export OQS_CODEPOINT_FRODO976AES=65026
-
-# These ensure oqsprovider uses ML-KEM at the right code points
-export OQS_CODEPOINT_MLKEM512=512
-export OQS_CODEPOINT_MLKEM768=513
-export OQS_CODEPOINT_MLKEM1024=514
-
 # Check/Set openssl version
 OPENSSL_VERSION=`openssl version | cut -f 2 -d ' '`

@ -81,8 +71,4 @@ export OPENSSL_MODULES=$PWD/_build/lib
 export OQS_PROVIDER_TESTSCRIPTS=$SRCTOP/oqs-provider/scripts
 export OPENSSL_CONF=$OQS_PROVIDER_TESTSCRIPTS/openssl-ca.cnf
 # Be verbose if harness is verbose:
-# Fixup for oqsprovider release snafu:
-cp $SRCTOP/test/recipes/95-test_external_oqsprovider_data/oqsprovider-pkcs12gen.sh $SRCTOP/oqs-provider/scripts/
-
-echo oqsprovider is currently not compatible with our ML-KEM implementation
-# $SRCTOP/oqs-provider/scripts/runtests.sh -V
+$SRCTOP/oqs-provider/scripts/runtests.sh -V