From bda919bdb4626b1b7c574113701ac3bf8cb886f5 Mon Sep 17 00:00:00 2001
From: Michael Baentsch <57787676+baentsch@users.noreply.github.com>
Date: Fri, 3 Jan 2025 11:14:34 +0100
Subject: [PATCH] limit oqs-specific tests to oqsprovider
Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com>
---
 test/oqs_test_endecode.c | 4 +++-
 test/oqs_test_evp_pkey_params.c | 6 ++++--
 test/oqs_test_kems.c | 11 ++++++-----
 test/oqs_test_signatures.c | 7 +++++++
 test/tlstest_helpers.c | 1 +
 5 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/test/oqs_test_endecode.c b/test/oqs_test_endecode.c
index 86a8896c..a5af1059 100644
--- a/test/oqs_test_endecode.c
+++ b/test/oqs_test_endecode.c
@@ -16,7 +16,9 @@ static OSSL_LIB_CTX *libctx = NULL;
 static char *modulename = NULL;
 static char *configfile = NULL;
-static char *testpropq = NULL;
+// as different providers may support different key formats, limit testing to
+// oqsprovider
+static char *testpropq = "provider=oqsprovider";
 static OSSL_LIB_CTX *keyctx = NULL;
 static OSSL_LIB_CTX *testctx = NULL;
diff --git a/test/oqs_test_evp_pkey_params.c b/test/oqs_test_evp_pkey_params.c
index 7f56c233..1136b21b 100644
--- a/test/oqs_test_evp_pkey_params.c
+++ b/test/oqs_test_evp_pkey_params.c
@@ -172,7 +172,9 @@ static OSSL_LIB_CTX *init_openssl(void) {
 static EVP_PKEY_CTX *init_EVP_PKEY_CTX(OSSL_LIB_CTX *libctx, const char *alg) {
 EVP_PKEY_CTX *ctx;
- if (!(ctx = EVP_PKEY_CTX_new_from_name(libctx, alg, NULL))) {
+ // make sure we only test oqsprovider
+ if (!(ctx = EVP_PKEY_CTX_new_from_name(libctx, alg,
+ "provider=oqsprovider"))) {
 fprintf(stderr, cRED "`EVP_PKEY_CTX_new_from_name` failed with algorithm %s: ", alg);
@@ -637,4 +639,4 @@ int main(int argc, char **argv) {
 end: return ret;
-}
\ No newline at end of file
+}
diff --git a/test/oqs_test_kems.c b/test/oqs_test_kems.c
index 9797776e..10eb8360 100644
--- a/test/oqs_test_kems.c
+++ b/test/oqs_test_kems.c
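Review bot: `testpropq` in test/oqs_test_endecode.c is now initialised from a string literal but keeps the type `char *`, so a later write through it would be undefined behaviour; `static const char *testpropq = "provider=oqsprovider";` states the intent, provided nothing outside the hunk assigns a mutable buffer to it. The same literal is repeated in `init_EVP_PKEY_CTX` (test/oqs_test_evp_pkey_params.c) and in `test_oqs_kems` (test/oqs_test_kems.c); one macro in a shared test header, for example `#define OQSPROV_PROPQ "provider=oqsprovider"`, would keep all three tests pinned to the same implementation. The query presumably matches only when the provider is loaded under the name `oqsprovider`, while this file also carries a `modulename` variable, so a short comment next to the declaration saying that the two must agree would help whoever runs the test with a differently named module.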
@@ -27,12 +27,13 @@ static int test_oqs_kems(const char *kemalg_name) {
 return 1;
 }
 // test with built-in digest only if default provider is active:
- // TBD revisit when hybrids are activated: They always need default
- // provider
+ // limit testing to oqsprovider as other implementations may support
+ // different key formats than what is defined by NIST
 if (OSSL_PROVIDER_available(libctx, "default")) {
- testresult &= (ctx = EVP_PKEY_CTX_new_from_name(libctx, kemalg_name,
- NULL)) != NULL &&
- EVP_PKEY_keygen_init(ctx) && EVP_PKEY_generate(ctx, &key);
+ testresult &=
+ (ctx = EVP_PKEY_CTX_new_from_name(
+ libctx, kemalg_name, "provider=oqsprovider")) != NULL &&
+ EVP_PKEY_keygen_init(ctx) && EVP_PKEY_generate(ctx, &key);
 if (!testresult) goto err;
diff --git a/test/oqs_test_signatures.c b/test/oqs_test_signatures.c
index 47c8728e..5b4455d8 100644
--- a/test/oqs_test_signatures.c
+++ b/test/oqs_test_signatures.c
@@ -34,6 +34,9 @@ static int test_oqs_signatures(const char *sigalg_name) {
 // TBD revisit when hybrids are activated: They always need default
 // provider
 if (OSSL_PROVIDER_available(libctx, "default")) {
+ // XXX testing omits passing propq limited to oqsprovider for now
+ // as sig key formats area reasonably stable; revisit as and when
+ // this changes to only test against itself
 testresult &= (ctx = EVP_PKEY_CTX_new_from_name(libctx, sigalg_name, NULL)) != NULL &&
@@ -63,6 +66,10 @@ static int test_oqs_signatures(const char *sigalg_name) {
 mdctx = NULL;
 key = NULL;
+ // XXX testing omits passing propq limited to oqsprovider for now
+ // as sig key formats area reasonably stable; revisit as and when
+ // this changes to only test against itself
+ // this test must work also with default provider inactive:
 testresult &= (ctx = EVP_PKEY_CTX_new_from_name(libctx, sigalg_name, NULL)) != NULL &&
diff --git a/test/tlstest_helpers.c b/test/tlstest_helpers.c
index 52a49f96..cb251f35 100644
--- a/test/tlstest_helpers.c
+++ b/test/tlstest_helpers.c
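Review bot: The rewritten comment above `if (OSSL_PROVIDER_available(libctx, "default"))` in `test_oqs_kems` now mixes two unrelated statements: its first line explains the guard, while the two new lines explain the property query that is passed a few lines further down. Placing the new text directly above the `EVP_PKEY_CTX_new_from_name(` call would keep each comment next to the code it describes. The note that hybrids always need the default provider is dropped here but still appears in test/oqs_test_signatures.c, so the same guard is now documented differently in the two files. The function continues outside the hunk, so whether contexts created later in the test also stay within oqsprovider cannot be checked from here.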
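Review bot: Both `EVP_PKEY_CTX_new_from_name(libctx, sigalg_name, NULL)` calls in `test_oqs_signatures` still pass a NULL property query, so if another loaded provider offers an algorithm under the same name the test may pass without exercising oqsprovider's implementation at all. The added XXX comments justify this by key-format stability, but the larger risk is silently lost coverage of the provider under test, and the comment should say so, for example `// NOTE: with NULL propq another provider's implementation may be selected; this then does not test oqsprovider`. Both hunks also carry the same typo: `area reasonably stable` should read `are reasonably stable`. The function body extends beyond both hunks.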
@@ -7,6 +7,7 @@
 /* Stolen from openssl/tests/sslapitest.c: */
 int create_cert_key(OSSL_LIB_CTX *libctx, char *algname, char *certfilename, char *privkeyfilename) {
+ // do test against any provider as handshaking should work with any provider
 EVP_PKEY_CTX *evpctx = EVP_PKEY_CTX_new_from_name(libctx, algname, NULL);
 EVP_PKEY *pkey = NULL;
 X509 *x509 = X509_new();