Merge branch 'open-quantum-safe:main' into main
feventura authored Apr 23, 2024
2 parents ccd1ac3 + d7e7f19 commit d79789c
Showing 13 changed files with 1,763 additions and 113 deletions.
9 changes: 4 additions & 5 deletions .github/workflows/linux.yml
Expand Up @@ -53,7 +53,7 @@ jobs:
- name: Checkout code
uses: actions/checkout@v2
- name: Full build
run: OPENSSL_BRANCH=${{ matrix.ossl-branch }} LIBOQS_BRANCH=main ./scripts/fullbuild.sh
run: OPENSSL_BRANCH=${{ matrix.ossl-branch }} LIBOQS_BRANCH=0.10.0 ./scripts/fullbuild.sh
- name: Enable sibling oqsprovider for testing
run: cd _build/lib && ln -s oqsprovider.so oqsprovider2.so
- name: Test
Expand All @@ -71,7 +71,7 @@ jobs:
git diff && \
! git status | grep modified
- name: Build .deb install package
run: cpack
run: cpack -C DebPack
working-directory: _build
- name: Retain .deb installer
uses: actions/upload-artifact@v3
Expand Down Expand Up @@ -152,8 +152,7 @@ jobs:
run: |
ctest --test-dir build \
--output-on-failure \
--extra-verbose \
--repeat until-pass:5
--extra-verbose
linux_aarch64:
name: "aarch64 cross-compilation"
Expand Down Expand Up @@ -199,7 +198,7 @@ jobs:
- name: Clone and build liboqs for linux-aarch64
working-directory: /opt/
run: |
git clone --depth=1 --branch main https://github.com/open-quantum-safe/liboqs.git liboqs
git clone --depth=1 --branch 0.10.0 https://github.com/open-quantum-safe/liboqs.git liboqs
cd liboqs
mkdir build install
cmake --toolchain "${CMAKE_TOOLCHAIN_FILE}" \
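Review bot: The liboqs pin introduced in the `Full build` step (`LIBOQS_BRANCH=0.10.0`) and in the aarch64 clone (`--branch 0.10.0`) is a tag name, which upstream can move, so the build that feeds the retained .deb artifact is still not tied to a fixed commit. For the clone step, a check right after `cd liboqs` would close that gap, e.g. `test "$(git rev-parse HEAD)" = "<expected-liboqs-0.10.0-commit-sha>"`, with the placeholder replaced by the release commit verified out of band. The same applies to `ref: 0.10.0` in `.github/workflows/macos.yml`, where `ref:` accepts a full commit SHA directly. How `scripts/fullbuild.sh` consumes `LIBOQS_BRANCH` is not visible on this page, so whether it can take a SHA needs confirming; both steps also continue outside the hunks shown.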
2 changes: 1 addition & 1 deletion .github/workflows/macos.yml
Expand Up @@ -38,7 +38,7 @@ jobs:
with:
set-safe-directory: true
repository: open-quantum-safe/liboqs
ref: main
ref: 0.10.0
path: liboqs
- name: Retrieve OpenSSL32 from cache
id: cache-openssl32
41 changes: 23 additions & 18 deletions .github/workflows/windows.yml
Expand Up @@ -36,37 +36,24 @@ jobs:
set-safe-directory: true
repository: openssl/openssl
path: openssl
# TODO: Revert ref tag once openssl master doesn't crash any more
ref: openssl-3.3.0
- name: checkout liboqs
uses: actions/checkout@v3
with:
set-safe-directory: true
repository: open-quantum-safe/liboqs
ref: main
path: liboqs
- name: Install cygwin
uses: cygwin/cygwin-install-action@master
with:
packages: perl git ninja gcc-core cmake make
packages: perl git ninja gcc-core cmake make python3 python3-devel python3-setuptools python3-exceptiongroup
- name: Retrieve OpenSSL32 from cache
id: cache-openssl32
uses: actions/cache@v3
with:
path: c:\cygwin\opt\openssl32
key: ${{ runner.os }}-cygwinopenssl32
- name: Set installpath
run: |
echo "IP=$(cygpath -u $PWD)/.local" >> "$env:GITHUB_ENV"
- name: build liboqs
run: |
which cmake
cmake --version
gcc --version
mkdir _build
cd _build
cmake -GNinja -DOPENSSL_ROOT_DIR=/opt/openssl32 -DCMAKE_INSTALL_PREFIX="${{ env.IP }}" ${{ matrix.platform.oqsconfig }} -DCMAKE_C_COMPILER=gcc ..
ninja
ninja install
working-directory: liboqs
- name: Build openssl3 if not cached
if: steps.cache-openssl32.outputs.cache-hit != 'true'
run: bash -c "./config --prefix=/opt/openssl32 ${{ matrix.platform.config }} && perl configdata.pm --dump && make $MAKE_PARAMS && make install_sw"
Expand All @@ -81,10 +68,30 @@ jobs:
path: |
c:\cygwin\opt\openssl32
key: ${{ runner.os }}-cygwinopenssl32
- name: Set installpath
run: |
echo "IP=$(cygpath -u $PWD)/.local" >> "$env:GITHUB_ENV"
- name: build liboqs
run: |
which cmake
cmake --version
gcc --version
mkdir _build
cd _build
cmake -GNinja -DOPENSSL_ROOT_DIR=/opt/openssl32 -DCMAKE_INSTALL_PREFIX="${{ env.IP }}" ${{ matrix.platform.oqsconfig }} -DCMAKE_C_COMPILER=gcc ..
ninja
ninja install
pip install pytest psutil pytest-xdist pyyaml
# TODO: as "autoprocesses" not recognized, don't run ninja run_tests
working-directory: liboqs
- name: build oqs-provider
run: bash -c "git config --global --add safe.directory $(cygpath -u $PWD) && liboqs_DIR='${{ env.IP }}' cmake -GNinja -DCMAKE_C_COMPILER=gcc -DOPENSSL_ROOT_DIR=/opt/openssl32 -S . -B _build && cd _build && ninja && cd .."
- name: Check Openssl providers
run: bash -c "OPENSSL_MODULES=_build/lib /opt/openssl32/bin/openssl list -providers -provider oqsprovider -provider default"
- name: Check Openssl provider signature algorithms
run: bash -c "OPENSSL_MODULES=_build/lib /opt/openssl32/bin/openssl list -signature-algorithms -provider oqsprovider -provider default"
- name: Check Openssl provider KEM algorithms
run: bash -c "OPENSSL_MODULES=_build/lib /opt/openssl32/bin/openssl list -kem-algorithms -provider oqsprovider -provider default"
- name: Run tests
run: bash -c "echo $PATH && PATH=/opt/openssl32/bin:/usr/bin ctest -V"
working-directory: _build
Expand Down Expand Up @@ -130,7 +137,6 @@ jobs:
with:
set-safe-directory: true
repository: open-quantum-safe/liboqs
ref: main
path: liboqs
- uses: ilammy/msvc-dev-cmd@v1
with:
Expand Down Expand Up @@ -244,7 +250,6 @@ jobs:
with:
set-safe-directory: true
repository: open-quantum-safe/liboqs
ref: main
path: liboqs
- uses: ilammy/msvc-dev-cmd@v1
with:
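Review bot: The three liboqs checkout steps (the cygwin job's `checkout liboqs` and the two steps ahead of `ilammy/msvc-dev-cmd@v1`) appear to lose their `ref: main` line without a replacement, so Windows would build whatever liboqs's default branch holds at run time, while linux.yml and macos.yml in this commit move to `0.10.0`. The rendered page has lost its +/- markers, so this reading rests on the hunk sizes in the headers. Adding `ref: 0.10.0`, or better the release's full commit SHA, to each of those `with:` blocks would keep the three platforms testing the same library code. The added `pip install pytest psutil pytest-xdist pyyaml` is likewise unpinned, and per the TODO beneath it the tests it serves are not run, so it could be dropped until they are. The job definitions start and end outside the hunks shown.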
2 changes: 1 addition & 1 deletion CMakeLists.txt
Expand Up @@ -4,7 +4,7 @@ else()
cmake_minimum_required(VERSION 3.0 FATAL_ERROR)
endif()
project(oqs-provider LANGUAGES C)
set(OQSPROVIDER_VERSION_TEXT "0.5.4-dev")
set(OQSPROVIDER_VERSION_TEXT "0.6.1-dev")
set(CMAKE_C_STANDARD 11)
set_property(GLOBAL PROPERTY FIND_LIBRARY_USE_LIB64_PATHS ON)
if(CMAKE_BUILD_TYPE STREQUAL "Debug")
15 changes: 5 additions & 10 deletions README.md
Expand Up @@ -134,18 +134,13 @@ has not been not getting back-ported to OpenSSL3.0.
Also not supported in this version are provider-based signature algorithms
used during TLS1.3 operations as documented in https://github.com/openssl/openssl/issues/10512.

## 3.2
Also not fully supported in 3.0.2 is performance testing as per the openssl
`speed` command as documented in #385.

This version has full support for all TLS1.3 operations using PQ algorithms
when deploying `oqsprovider`.

A final configuration limitation for provider-based signature algorithms exists
as documented in https://github.com/openssl/openssl/issues/22761.
## 3.2 and greater

## 3.3(-dev)

When https://github.com/openssl/openssl/pull/22779 lands, a last known
config-time limitation for provider-based signatures should be gone.
These versions have full support for all TLS1.3 operations using PQ algorithms
when deploying `oqsprovider`.

## All versions

75 changes: 73 additions & 2 deletions RELEASE.md
@@ -1,4 +1,4 @@
# oqs-provider 0.5.4-dev
# oqs-provider 0.6.0

## About

Expand All @@ -14,7 +14,78 @@ Further details on building, testing and use can be found in [README.md](https:/

## Release notes

This is version 0.5.4-dev of oqs-provider.
This is version 0.6.0 of oqs-provider.

### Security considerations

None.

### What's New

This release continues from the 0.5.3 release of oqs-provider and is fully tested to be used in conjunction with the main branch of [liboqs](https://github.com/open-quantum-safe/liboqs). This release is guaranteed to be in sync with v0.10.0 of `liboqs`.

This release also makes available ready-to-run binaries for Windows (.dll) and MacOS (.dylib) compiled for `x64` CPUs. Activation and use is documented in [USAGE.md](https://github.com/open-quantum-safe/oqs-provider/blob/main/USAGE.md).

### Additional new feature highlights

* First availability of standardized PQ algorithms, e.g., [ML-KEM](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.ipd.pdf), [ML-DSA](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.ipd.pdf)
* Support for [Composite PQ operations](https://datatracker.ietf.org/doc/draft-ounsworth-pq-composite-sigs/)
* Alignment with PQ algorithm implementations as provided by [liboqs 0.10.0](https://github.com/open-quantum-safe/liboqs/releases/tag/0.10.0), most notably updating HQC and Falcon.
* Implementation of security code review recommendations
* Support for more hybrid operations as fully documented [here](https://github.com/open-quantum-safe/oqs-provider/blob/main/ALGORITHMS.md).
* Support for extraction of classical and hybrid key material

## What's Changed
* Clarify liboqs_DIR naming convention by @ajbozarth in https://github.com/open-quantum-safe/oqs-provider/pull/292
* check empty params lists passed by @baentsch in https://github.com/open-quantum-safe/oqs-provider/pull/296
* Fix minor typos in documentation by @johnma14 in https://github.com/open-quantum-safe/oqs-provider/pull/304
* HQC code point update by @baentsch in https://github.com/open-quantum-safe/oqs-provider/pull/306
* Fix broken circleci job for macOS by @johnma14 in https://github.com/open-quantum-safe/oqs-provider/pull/305
* Contribution policy by @baentsch in https://github.com/open-quantum-safe/oqs-provider/pull/286
* Fix link in GOVERNANCE.md [skip ci] by @pi-314159 in https://github.com/open-quantum-safe/oqs-provider/pull/309
* Add a example of how to load oqsprovider using `OSSL_PROVIDER_add_builtin`. by @thb-sb in https://github.com/open-quantum-safe/oqs-provider/pull/308
* Get Windows CI to work again by @qnfm in https://github.com/open-quantum-safe/oqs-provider/pull/310
* Use `build` directory instead of `_build`. by @thb-sb in https://github.com/open-quantum-safe/oqs-provider/pull/314
* correct upstream and Windows CI snafus by @baentsch in https://github.com/open-quantum-safe/oqs-provider/pull/322
* Revert "Use `build` directory instead of `_build`. (#314)" by @baentsch in https://github.com/open-quantum-safe/oqs-provider/pull/325
* reverting to dev by @baentsch in https://github.com/open-quantum-safe/oqs-provider/pull/327
* Bump jinja2 from 3.0.3 to 3.1.3 in /oqs-template by @dependabot in https://github.com/open-quantum-safe/oqs-provider/pull/334
* LICENSE copyright update [skip ci] by @baentsch in https://github.com/open-quantum-safe/oqs-provider/pull/336
* update to 0.5.4-dev by @baentsch in https://github.com/open-quantum-safe/oqs-provider/pull/337
* bring GOVERNANCE in line with liboqs [skip ci] by @baentsch in https://github.com/open-quantum-safe/oqs-provider/pull/342
* Automatically run release tests on liboqs release candidates by @SWilson4 in https://github.com/open-quantum-safe/oqs-provider/pull/345
* add more defensive error handling by @baentsch in https://github.com/open-quantum-safe/oqs-provider/pull/346
* correct wrong use of sizeof by @baentsch in https://github.com/open-quantum-safe/oqs-provider/pull/347
* Protecting from NULL parameters by @baentsch in https://github.com/open-quantum-safe/oqs-provider/pull/350
* guard external testing against algorithm absence by @baentsch in https://github.com/open-quantum-safe/oqs-provider/pull/352
* first cut adding ML-* by @baentsch in https://github.com/open-quantum-safe/oqs-provider/pull/348
* Adapt Kyber OIDs and avoid testing using downlevel brew releases by @baentsch in https://github.com/open-quantum-safe/oqs-provider/pull/356
* Add extra debug information in case of TLS handshake failure. by @beldmit in https://github.com/open-quantum-safe/oqs-provider/pull/357
* p384_mlkem1024 hybrid added by @bencemali in https://github.com/open-quantum-safe/oqs-provider/pull/361
* length and null checks in en/decaps by @bencemali in https://github.com/open-quantum-safe/oqs-provider/pull/364
* documentation update [skip ci] by @baentsch in https://github.com/open-quantum-safe/oqs-provider/pull/366
* Set Kyber OIDs by @bhess in https://github.com/open-quantum-safe/oqs-provider/pull/368
* Add code points for PADDED variant of Falcon [skip ci] by @SWilson4 in https://github.com/open-quantum-safe/oqs-provider/pull/362
* Fix #372: expose `hybrid_classical_` and `hybrid_pq_` `OSSL_PARAMS` for `EVP_PKEY`. by @thb-sb in https://github.com/open-quantum-safe/oqs-provider/pull/374
* Implementation of Composite Sig by @feventura in https://github.com/open-quantum-safe/oqs-provider/pull/317
* Do not duplicate call to `getenv`. by @thb-sb in https://github.com/open-quantum-safe/oqs-provider/pull/369
* Fix #338 and #339: output a valid aarch64 debian package with a valid directory layout. by @thb-sb in https://github.com/open-quantum-safe/oqs-provider/pull/377
* Move the clang-format check from CircleCI to GitHub actions. by @thb-sb in https://github.com/open-quantum-safe/oqs-provider/pull/376
* fix ossl32 cache miss for cygwin by @baentsch in https://github.com/open-quantum-safe/oqs-provider/pull/387
* Remove `--repeat until-pass:5` workaround for ASan tests. by @thb-sb in https://github.com/open-quantum-safe/oqs-provider/pull/382
* Add composite signatures to sigalg list & add code points. by @bhess in https://github.com/open-quantum-safe/oqs-provider/pull/386
* openssl provider support documentation update [skip ci] by @baentsch in https://github.com/open-quantum-safe/oqs-provider/pull/388

## New Contributors
* @ajbozarth made their first contribution in https://github.com/open-quantum-safe/oqs-provider/pull/292
* @johnma14 made their first contribution in https://github.com/open-quantum-safe/oqs-provider/pull/304
* @pi-314159 made their first contribution in https://github.com/open-quantum-safe/oqs-provider/pull/309
* @dependabot made their first contribution in https://github.com/open-quantum-safe/oqs-provider/pull/334
* @beldmit made their first contribution in https://github.com/open-quantum-safe/oqs-provider/pull/357
* @bencemali made their first contribution in https://github.com/open-quantum-safe/oqs-provider/pull/361
* @feventura made their first contribution in https://github.com/open-quantum-safe/oqs-provider/pull/317

**Full Changelog**: https://github.com/open-quantum-safe/oqs-provider/compare/0.5.3...0.6.0

Previous Release Notes
======================
12 changes: 12 additions & 0 deletions USAGE.md
Expand Up @@ -17,6 +17,18 @@ this, e.g., as follows:
OpenSSL 3.2.0-dev (Library: OpenSSL 3.2.0-dev )
```

### Note on OpenSSL installation

If one does not have an OpenSSL version installed in a suitable version, care
is advised installing such version such as not to damage a pre-installed/system-wide
`openssl` installation.

In order to experiment with a local `openssl` version, we have made available
[a shell script](scripts/fullbuild.sh) creating a local, non-system wide installed
`openssl` binary. By default, the current "master" branch is built by this script
but it can be configured to build any release/tag by setting the [OPENSSL_BRANCH](CONFIGURE.md#openssl_branch)
environment variable.

## Activation

Every OpenSSL provider needs to be activated for use. There are three main ways
41 changes: 27 additions & 14 deletions oqs-template/generate.yml
Expand Up @@ -399,7 +399,7 @@ kem_nid_end: '0x0250'
kem_nid_hybrid_end: '0x2FFF'
# need to edit ssl_local.h macros IS_OQS_KEM_CURVEID and IS_OQS_KEM_HYBRID_CURVEID with the above _end values

# Next free signature ID: 0xfee1
# Next free signature ID: 0xfeee
sigs:
# -
# iso (1)
Expand Down Expand Up @@ -569,23 +569,28 @@ sigs:
composite: [{'name': 'pss2048',
'pretty_name': 'RSA PSS 2048',
'security': '112',
'oid': '2.16.840.1.114027.80.8.1.1'},
'oid': '2.16.840.1.114027.80.8.1.1',
'code_point': '0xfee1'},
{'name': 'rsa2048',
'pretty_name': 'RSA2028',
'security': '112',
'oid': '2.16.840.1.114027.80.8.1.2'},
'oid': '2.16.840.1.114027.80.8.1.2',
'code_point': '0xfee2'},
{'name': 'ed25519',
'pretty_name': 'ED25519',
'security': '128',
'oid': '2.16.840.1.114027.80.8.1.3'},
'oid': '2.16.840.1.114027.80.8.1.3',
'code_point': '0xfee3'},
{'name': 'p256',
'pretty_name': 'ECDSA p256',
'security': '128',
'oid': '2.16.840.1.114027.80.8.1.4'},
'oid': '2.16.840.1.114027.80.8.1.4',
'code_point': '0xfee4'},
{'name': 'bp256',
'pretty_name': 'ECDSA brainpoolP256r1',
'security': '256',
'oid': '2.16.840.1.114027.80.8.1.5'}]
'oid': '2.16.840.1.114027.80.8.1.5',
'code_point': '0xfee5'}]
-
name: 'mldsa65'
pretty_name: 'ML-DSA-65'
Expand All @@ -600,23 +605,28 @@ sigs:
composite: [{'name': 'pss3072',
'pretty_name': 'RSA PSS 3072',
'security': '128',
'oid': '2.16.840.1.114027.80.8.1.6'},
'oid': '2.16.840.1.114027.80.8.1.6',
'code_point': '0xfee6'},
{'name': 'rsa3072',
'pretty_name': 'RSA 3072',
'security': '128',
'oid': '2.16.840.1.114027.80.8.1.7'},
'oid': '2.16.840.1.114027.80.8.1.7',
'code_point': '0xfee7'},
{'name': 'p256',
'pretty_name': 'ECDSA p256',
'security': '128',
'oid': '2.16.840.1.114027.80.8.1.8'},
'oid': '2.16.840.1.114027.80.8.1.8',
'code_point': '0xfee8'},
{'name': 'bp256',
'pretty_name': 'ECDSA brainpoolP256r1',
'security': '256',
'oid': '2.16.840.1.114027.80.8.1.9'},
'oid': '2.16.840.1.114027.80.8.1.9',
'code_point': '0xfee9'},
{'name': 'ed25519',
'pretty_name': 'ED25519',
'security': '128',
'oid': '2.16.840.1.114027.80.8.1.10'}]
'oid': '2.16.840.1.114027.80.8.1.10',
'code_point': '0xfeea'}]
-
name: 'mldsa87'
pretty_name: 'ML-DSA-87'
Expand All @@ -631,15 +641,18 @@ sigs:
composite: [{'name': 'p384',
'pretty_name': 'ECDSA p384',
'security': '192',
'oid': '2.16.840.1.114027.80.8.1.11'},
'oid': '2.16.840.1.114027.80.8.1.11',
'code_point': '0xfeeb'},
{'name': 'bp384',
'pretty_name': 'ECDSA brainpoolP384r1',
'security': '384',
'oid': '2.16.840.1.114027.80.8.1.12'},
'oid': '2.16.840.1.114027.80.8.1.12',
'code_point': '0xfeec'},
{'name': 'ed448',
'pretty_name': 'ED448',
'security': '192',
'oid': '2.16.840.1.114027.80.8.1.13'}]
'oid': '2.16.840.1.114027.80.8.1.13',
'code_point': '0xfeed'}]
-
# iso (1)
# identified-organization (3)
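Review bot: The thirteen new `code_point` values (`0xfee1` to `0xfeed`) are assigned by hand, and the only thing keeping them unique is the `# Next free signature ID: 0xfeee` comment, which nothing visible in this section enforces. A duplicate would presumably make two composite algorithms advertise the same TLS signature scheme value, so a uniqueness check in the generator that reads this file would be worth adding; the generator is not shown on this page. The new key is also undocumented: a comment above the first `composite:` list such as `# code_point: TLS SignatureScheme value from the private-use range (0xFE00-0xFFFF); must be unique across all sigs` would tell the next editor what to pick. While these entries are being touched, the unchanged `'pretty_name': 'RSA2028'` under `rsa2048` and `'security': '256'` under `bp256` look inconsistent with their siblings and may deserve a separate check. The `sigs:` list starts and ends outside the hunks shown.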