LMS capability registration not wired in acvp_app (no capabilities added to ctx)

[rakeshbasav]

Hello libacvp team,

I’m trying to run ACVP testing for LMS (SP 800-208) using libacvp with the OpenSSL 3.x implementation, but LMS capabilities are not being registered, even though LMS is supported by the underlying crypto provider.

Environment
libacvp version: 2.2.0
OpenSSL version: 3.6.0 (built with default + FIPS providers)
OS: Linux x86_64
ACVP server: demo.acvts.nist.gov
Provider status:
openssl list -providers -verbose
→ default + fips providers active

LMS available in OpenSSL:
openssl list -signature-algorithms | grep -i lms
→ LMS is listed under both default and fips providers

What Works
./app/acvp_app --rsa
✅ RSA capabilities register successfully
./app/acvp_app --ecdsa
✅ ECDSA capabilities register successfully

What Does NOT Work
./app/acvp_app --lms

Output:
[ACVP]: Building registration of capabilities...
[ACVP][ERROR]: No capabilities added to ctx
[ACVP][ERROR]: Unable to build registration

Debugging shows:
ctx->capabilities == NULL

Investigation Findings

• CLI parsing does set cfg->lms = 1

• iut_register_capabilities() is called successfully

However, No LMS capability is added to ctx
acvp_build_registration_json() fails because no capabilities exist

Searching the OpenSSL registration code:
app/implementations/openssl/3/registrations/

shows:

• enable_rsa(), enable_ecdsa() are implemented

• No enable_lms() implementation exists

No calls to:

• acvp_cap_lms_enable()
• acvp_cap_lms_set_*()

The only LMS handler found is:
app/implementations/stubs/stub_lms.c
which appears unused by the OpenSSL implementation.

Expected Behavior

When running: ./app/acvp_app --lms
I would expect:

• LMS KeyGen / SigGen / SigVer capabilities to be registered
• ACVP registration JSON to include LMS algorithms
• Registration request to succeed

Actual Behavior

LMS is silently ignored
No capabilities are added
Registration fails with: No capabilities added to ctx

Question / Request

• Is LMS intentionally not wired in the OpenSSL 3.x implementation?
• Is LMS support currently stub-only in libacvp?-
• Are there plans or guidance for implementing: enable_lms() in fp_3xx / fp_4x registration files?-
• Is there an example or reference implementation for LMS capability registration?

Thanks for your time and for maintaining libacvp.

Best regards,
Rakesh

[abkarcher]

Hello,

I apologize for the delay in my response.

LMS is not currently supported by acvp_app's OpenSSL harness, but it is supported by libacvp.
We typically only add algorithms to the harness as they are required by FIPS efforts and LTS releases. LMS was added to OpenSSL in 3.6, which is not an LTS release and not being formally FIPS validated by OpenSSL to my understanding. We have a note to add support, but it is presently lower priority until an LTS or FIPS scheduled OpenSSL release is more imminent. If we have time, we may be able to add it sooner.

For registration code, here is an example of what LMS sigver might look like:

rv = acvp_cap_lms_enable(ctx, ACVP_LMS_SIGVER, &lms_handler_function);
CHECK_ENABLE_CAP_RV(rv);
rv = acvp_cap_lms_set_parm(ctx, ACVP_LMS_SIGVER, ACVP_LMS_PARAM_LMS_MODE, ACVP_LMS_MODE_SHA256_M32_H5);
CHECK_ENABLE_CAP_RV(rv);
rv = acvp_cap_lms_set_parm(ctx, ACVP_LMS_SIGVER, ACVP_LMS_PARAM_LMOTS_MODE, ACVP_LMOTS_MODE_SHA256_N32_W1);
CHECK_ENABLE_CAP_RV(rv);
rv = acvp_cap_lms_set_parm(ctx, ACVP_LMS_SIGVER, ACVP_LMS_PARAM_LMS_MODE, ACVP_LMS_MODE_SHA256_M24_H5);
CHECK_ENABLE_CAP_RV(rv);
rv = acvp_cap_lms_set_parm(ctx, ACVP_LMS_SIGVER, ACVP_LMS_PARAM_LMOTS_MODE, ACVP_LMOTS_MODE_SHA256_N24_W1);
CHECK_ENABLE_CAP_RV(rv);

There are other members of those enumerators for the different parameter sets in acvp.h. The same parameters are used for SigVer, SigGen, and KeyGen.

The above APIs indicate general support for a given parameter set. If you only support certain combinations of LMS and LMOTS parameter sets, that can be done using this API instead of set_parm:

ACVP_RESULT acvp_cap_lms_set_mode_compatability_pair(ACVP_CTX *ctx,
                                                     ACVP_CIPHER cipher,
                                                     ACVP_LMS_MODE lms_mode,
                                                     ACVP_LMOTS_MODE lmots_mode);

Happy to answer any other questions!

Thanks,
Andrew