Commit 1079919338 for openssl.org
commit 1079919338c109e9d7195c9d731406361545a925
Author: Milan Broz <gmazyland@gmail.com>
Date: Wed Feb 11 13:02:26 2026 +0100
Add curveSM2 and curveSM2MLKEM768 TLS test.
This extends sslapi test for SM2-based key exchange.
Also add comments for #endif to clearly mark disabled code blocks.
Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MergeDate: Sat Feb 21 13:26:27 2026
(Merged from https://github.com/openssl/openssl/pull/29953)
diff --git a/test/sslapitest.c b/test/sslapitest.c
index c75832b6b3..1e9f9dd763 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -5361,22 +5361,24 @@ end:
* Test 16 = Test X25519MLKEM768
* Test 17 = Test SecP256r1MLKEM768
* Test 18 = Test SecP384r1MLKEM1024
- * Test 19 = Test all ML-KEM with TLSv1.2 client and server
- * Test 20 = Test all FFDHE with TLSv1.2 client and server
- * Test 21 = Test all ECDHE with TLSv1.2 client and server
+ * Test 19 = Test curveSM2 with TLSv1.3 client and server
+ * Test 20 = Test curveSM2MLKEM768 with TLSv1.3 client and server
+ * Test 21 = Test all ML-KEM with TLSv1.2 client and server
+ * Test 22 = Test all FFDHE with TLSv1.2 client and server
+ * Test 23 = Test all ECDHE with TLSv1.2 client and server
*/
#ifndef OPENSSL_NO_EC
static int ecdhe_kexch_groups[] = { NID_X9_62_prime256v1, NID_secp384r1,
NID_secp521r1,
#ifndef OPENSSL_NO_ECX
NID_X25519, NID_X448
-#endif
+#endif /* OPENSSL_NO_ECX */
};
-#endif
+#endif /* OPENSSL_NO_EC */
#ifndef OPENSSL_NO_DH
static int ffdhe_kexch_groups[] = { NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096,
NID_ffdhe6144, NID_ffdhe8192 };
-#endif
+#endif /* OPENSSL_NO_DH */
static int test_key_exchange(int idx)
{
SSL_CTX *sctx = NULL, *cctx = NULL;
@@ -5394,9 +5396,9 @@ static int test_key_exchange(int idx)
switch (idx) {
#ifndef OPENSSL_NO_EC
#ifndef OPENSSL_NO_TLS1_2
- case 21:
+ case 23:
max_version = TLS1_2_VERSION;
-#endif
+#endif /* OPENSSL_NO_TLS1_2 */
/* Fall through */
case 0:
kexch_groups = ecdhe_kexch_groups;
@@ -5428,13 +5430,13 @@ static int test_key_exchange(int idx)
kexch_alg = NID_X448;
kexch_name0 = "x448";
break;
-#endif
-#endif
+#endif /* OPENSSL_NO_ECX */
+#endif /* OPENSSL_NO_EC */
#ifndef OPENSSL_NO_DH
#ifndef OPENSSL_NO_TLS1_2
- case 20:
+ case 22:
max_version = TLS1_2_VERSION;
-#endif
+#endif /* OPENSSL_NO_TLS1_2 */
/* Fall through */
case 6:
kexch_groups = ffdhe_kexch_groups;
@@ -5461,10 +5463,10 @@ static int test_key_exchange(int idx)
kexch_alg = NID_ffdhe8192;
kexch_name0 = "ffdhe8192";
break;
-#endif
+#endif /* OPENSSL_NO_DH */
#ifndef OPENSSL_NO_ML_KEM
#if !defined(OPENSSL_NO_TLS1_2)
- case 19:
+ case 21:
max_version = TLS1_2_VERSION;
kexch_groups = NULL;
#if !defined(OPENSSL_NO_EC)
@@ -5480,7 +5482,7 @@ static int test_key_exchange(int idx)
/* With neither EC nor DH TLS 1.2 can't happen */
return 1;
#endif
-#endif
+#endif /* OPENSSL_NO_TLS1_2 */
case 12:
kexch_groups = NULL;
if (kexch_names == NULL)
@@ -5509,7 +5511,7 @@ static int test_key_exchange(int idx)
kexch_name0 = "X25519MLKEM768";
kexch_names = kexch_name0;
break;
-#endif
+#endif /* OPENSSL_NO_ECX */
case 17:
kexch_groups = NULL;
kexch_name0 = "SecP256r1MLKEM768";
@@ -5520,15 +5522,37 @@ static int test_key_exchange(int idx)
kexch_name0 = "SecP384r1MLKEM1024";
kexch_names = kexch_name0;
break;
-#endif
-#endif
+#endif /* OPENSSL_NO_EC */
+#endif /* OPENSSL_NO_ML_KEM */
+
+#ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_SM2
+ case 19:
+ if (is_fips)
+ return TEST_skip("curveSM2 is not supported by the fips provider.");
+ kexch_groups = NULL;
+ kexch_name0 = "curveSM2";
+ kexch_names = kexch_name0;
+ break;
+#ifndef OPENSSL_NO_ML_KEM
+ case 20:
+ if (is_fips)
+ return TEST_skip("curveSM2MLKEM768 is not supported by the fips provider.");
+ kexch_groups = NULL;
+ kexch_name0 = "curveSM2MLKEM768";
+ kexch_names = kexch_name0;
+ break;
+#endif /* OPENSSL_NO_ML_KEM */
+#endif /* OPENSSL_NO_SM2 */
+#endif /* OPENSSL_NO_EC */
+
default:
/* We're skipping this test */
return 1;
}
if (is_fips && fips_provider_version_lt(libctx, 3, 5, 0)
- && idx >= 12 && idx <= 19)
+ && ((idx >= 12 && idx <= 18) || idx == 21))
return TEST_skip("ML-KEM not supported in this version of fips provider");
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
@@ -14414,14 +14438,14 @@ int setup_tests(void)
#endif /* OSSL_NO_USABLE_TLS1_3 */
#ifndef OPENSSL_NO_TLS1_2
/* Test with both TLSv1.3 and 1.2 versions */
- ADD_ALL_TESTS(test_key_exchange, 21);
+ ADD_ALL_TESTS(test_key_exchange, 23);
#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DH)
ADD_ALL_TESTS(test_negotiated_group,
4 * (OSSL_NELEM(ecdhe_kexch_groups) + OSSL_NELEM(ffdhe_kexch_groups)));
#endif
#else
/* Test with only TLSv1.3 versions */
- ADD_ALL_TESTS(test_key_exchange, 18);
+ ADD_ALL_TESTS(test_key_exchange, 20);
#endif
ADD_ALL_TESTS(test_custom_exts, 6);
ADD_TEST(test_stateless);