Skip to content

test(integration): refactor PQ tests to utilize in-memory harness #5667

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
kaukabrizvi wants to merge 6 commits into
base: main
Choose a base branch
from
Draft

test(integration): refactor PQ tests to utilize in-memory harness #5667

kaukabrizvi wants to merge 6 commits into from
+168 −211

Conversation

@kaukabrizvi
Copy link
Contributor

@kaukabrizvi kaukabrizvi commented Dec 12, 2025
edited
Loading

Goal

Refactor the post-quantum integration tests to consistently use the in-memory TLS harness.

Why

ML-DSA support was made publicly available in s2n-tls (#5257), but the initial integration testing was intentionally temporary and hacky due to tooling and provider limitations. As noted in #5308, we should follow through by implementing robust integration tests in the standard suite (not one-off tests), preferably using a non–AWS-LC provider.

There are still blockers to adding ML-DSA coverage to the traditional integrationv2 test matrix:

  • The OQS + OpenSSL 1.1.1 builds in CI predate ML-DSA
  • AWS-LC does not currently support ML-DSA via libssl/bssl
  • OpenSSL 3.5 is the preferred non–AWS-LC provider for PQ testing, but is not yet available in our CodeBuild images or Nix setup

Given these constraints and our effort to move integration tests to Rust, the in-memory integration harness is currently the best way to provide meaningful, repeatable PQ integration coverage without weakening provider diversity or introducing AWS-LC–only tests.

How

  • Removed required_capability_async and unified all PQ tests under the existing synchronous required_capability helper
  • Migrated PQ tests to use the in-memory TlsConnPair harness consistently, avoiding ad-hoc Tokio/OpenSSL socket wiring
  • Simplified client/server setup for ML-DSA, ML-KEM, and pure ML-KEM cases while preserving coverage of:
    • client vs server roles
    • hybrid vs pure PQ negotiation
    • negotiated signature algorithms and KEM groups
  • Reduced duplication and tightened assertions around negotiated PQ properties

Callouts

  • The in-memory harness requires explicitly disabling hostname verification for RFC-derived ML-DSA certs; this is handled via a custom verify callback (only needed with s2n as client for the ML-DSA cert).
  • This refactor focuses on test structure and clarity, not expanding the PQ test matrix.

Testing

  • Existing PQ integration tests were updated and continue to pass when the relevant capabilities are supported
  • Tests correctly fail (or are skipped) when required PQ capabilities are unavailable

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@github-actions github-actions bot added the s2n-core team label Dec 12, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

s2n-core team

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@kaukabrizvi