Merge branch 'upstream/main'

.circleci/config.yml

@@ -240,19 +240,6 @@ jobs:
               fi
             fi
 
-  check-clang-format:
-    docker:
-      - image: cimg/base:2022.12
-    steps:
-      - run:
-          name: Install dependencies
-          command: sudo apt-get update && sudo apt-get install -y clang-format
-      - checkout
-      - run:
-          name: Check coding style using clang-format
-          command: |
-            find . -type f -and '(' -name '*.h' -or -name '*.c' -or -name '*.inc' ')' | xargs clang-format --dry-run --Werror
-
   trigger-downstream-ci:
     docker:
       - image: cimg/base:2020.01
@@ -277,7 +264,6 @@ workflows:
   version: 2.1
   build:
     jobs:
-      - check-clang-format
       - ubuntu:
           name: ubuntu-focal
           IMAGE: openquantumsafe/ci-ubuntu-focal-x86_64:latest

.github/workflows/coding_style.yml

@@ -0,0 +1,20 @@
+name: Coding style tests
+on: [workflow_call]
+
+jobs:
+  check_clang_format:
+    name: "Coding style"
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+    container:
+      image: openquantumsafe/ci-ubuntu-jammy:latest
+    steps:
+      - name: Install dependencies
+        run: apt-get update && apt-get install -y clang-format
+
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Check coding style using clang-format
+        run: find . -type f -and '(' -name '*.h' -or -name '*.c' -or -name '*.inc' ')' | xargs clang-format --dry-run --Werror

.github/workflows/linux.yml

@@ -7,9 +7,11 @@ on:
     branches: [ "main" ]
 
 jobs:
-
+  coding_style_tests:
+    uses: ./.github/workflows/coding_style.yml
   linux_baseline:
     runs-on: ubuntu-latest
+    needs: [coding_style_tests]
     strategy:
       fail-fast: false
       matrix:
@@ -30,6 +32,7 @@ jobs:
 
   linux_intel:
     runs-on: ubuntu-latest
+    needs: [coding_style_tests]
     strategy:
       fail-fast: false
       matrix:
@@ -79,6 +82,7 @@ jobs:
   asan_linux_intel:
     name: "Security checks"
     runs-on: ubuntu-latest
+    needs: [coding_style_tests]
     strategy:
       fail-fast: false
     container:
@@ -154,6 +158,7 @@ jobs:
   linux_aarch64:
     name: "aarch64 cross-compilation"
     runs-on: ubuntu-latest
+    needs: [coding_style_tests]
     strategy:
       fail-fast: false
     container:
@@ -222,10 +227,21 @@ jobs:
             ctest --test-dir build/
 
       - name: Build .deb install package
-        run: cpack
+        run: |
+            cpack \
+                --toolchain "${CMAKE_TOOLCHAIN_FILE}" \
+                -C DebPack \
+                -DCMAKE_INSTALL_PREFIX=/usr
+        working-directory: build
+
+      - name: Verify the .deb file target architecture.
         working-directory: build
+        run: |
+            dpkg -I oqs-provider-*.deb | grep -q "Architecture: arm64"
+
       - name: Retain .deb installer
         uses: actions/upload-artifact@v3
         with:
           name: oqsprovider-aarch64
           path: build/*.deb
+

.github/workflows/macos.yml

@@ -6,6 +6,8 @@ permissions:
   contents: read
 
 jobs:
+  coding_style_tests:
+    uses: ./.github/workflows/coding_style.yml
   macos:
 # Run a job for each of the specified os configs:
     strategy:
@@ -18,6 +20,7 @@ jobs:
         params:
           - oqsconfig: -DOQS_ALGS_ENABLED=STD
     runs-on: ${{matrix.os}}
+    needs: [coding_style_tests]
     env:
 # Don't overwhelm github CI VMs:
       MAKE_PARAMS: -j 4
@@ -57,7 +60,7 @@ jobs:
           key: ${{ runner.os }}-openssl32
       - name: build liboqs
         run: |
-           cmake -DOPENSSL_ROOT_DIR=../.localopenssl32 -DCMAKE_INSTALL_PREFIX=../.localliboqs ${{ matrix.params.oqsconfig }} -S . -B _build 
+           cmake -DOPENSSL_ROOT_DIR=../.localopenssl32 -DCMAKE_INSTALL_PREFIX=../.localliboqs ${{ matrix.params.oqsconfig }} -S . -B _build
            cmake --build _build
            cmake --install _build
         working-directory: liboqs

.github/workflows/standalone.yml

@@ -5,10 +5,12 @@ on:
     branches: [ '*' ]
   pull_request:
     branches: [ "main" ]
-
-jobs:
 
+jobs:
+  coding_style_tests:
+    uses: ./.github/workflows/coding_style.yml
   standalone_macos_intel:
+    needs: [coding_style_tests]
     runs-on: macos-13
     strategy:
       fail-fast: false
@@ -28,6 +30,7 @@ jobs:
             fi'
 
   standalone_linux_intel:
+    needs: [coding_style_tests]
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false

.github/workflows/windows.yml

@@ -6,6 +6,8 @@ permissions:
   contents: read
 
 jobs:
+  coding_style_tests:
+    uses: ./.github/workflows/coding_style.yml
   cygwin:
 # Run a job for each of the specified target architectures:
     strategy:
@@ -19,6 +21,7 @@ jobs:
 #          - arch: win32
 #            config: --strict-warnings no-fips enable-quic
     runs-on: ${{matrix.os}}
+    needs: [coding_style_tests]
     env:
       CYGWIN_NOWINPATH: 1
       SHELLOPTS: igncr
@@ -107,6 +110,7 @@ jobs:
 #            oqsconfig: -DOQS_ALGS_ENABLED=STD
 #            osslconfig: --strict-warnings no-fips enable-quic
     runs-on: ${{matrix.os}}
+    needs: [coding_style_tests]
     steps:
       - name: Restore OpenSSL32 cache
         id: cache-openssl32
@@ -212,14 +216,15 @@ jobs:
           - arch: win64
             oqsconfig: -DOQS_ALGS_ENABLED=STD
             osslconfig: no-shared no-fips VC-WIN64A
-        toolchain: 
+        toolchain:
         - .CMake/toolchain_windows_amd64.cmake
         msarch:
           - x64
         type:
           - Debug
           - Release
     runs-on: ${{matrix.os}}
+    needs: [coding_style_tests]
     steps:
         - name: Restore native OpenSSL32 cache
           id: cache-openssl32n
@@ -261,7 +266,7 @@ jobs:
           run: |
             cmake --version
             cmake -B build --toolchain ${{ matrix.toolchain }} .
-            cmake --build build 
+            cmake --build build
             cmake --build build --target INSTALL
           working-directory: liboqs
         - name: prepare the OpenSSL build directory
@@ -305,4 +310,4 @@ jobs:
           with:
             name: oqs-provider-msvc
             path: D:/a/oqs-provider/oqs-provider/_build/lib/oqsprovider.dll
-          
+

USAGE.md

@@ -79,7 +79,7 @@ can be registered for testing.
 
 If this configuration variable is not set, the global environment variable
 "OPENSSL_MODULES" must point to a directory where the `oqsprovider` binary
-is to be found. 
+is to be found.
 
 If the `oqsprovider` binary cannot be found, it simply (and silently) will
 not be available for use.
@@ -160,15 +160,15 @@ The following section provides example commands for certain standard OpenSSL ope
 
 ### Checking provider version information
 
-    openssl list -providers -verbose 
+    openssl list -providers -verbose
 
 ### Checking quantum safe signature algorithms available for use
 
-    openssl list -signature-algorithms -provider oqsprovider 
+    openssl list -signature-algorithms -provider oqsprovider
 
 ### Checking quantum safe KEM algorithms available for use
 
-    openssl list -kem-algorithms -provider oqsprovider 
+    openssl list -kem-algorithms -provider oqsprovider
 
 ### Creating keys and certificates
 
@@ -222,7 +222,7 @@ Step 1: Create quantum-safe key pair and self-signed certificate:
 
     openssl req -x509 -new -newkey dilithium3 -keyout qsc.key -out qsc.crt -nodes -subj "/CN=oqstest" -days 365 -config openssl/apps/openssl.cnf
 
-By changing the `-newkey` parameter algorithm name [any of the 
+By changing the `-newkey` parameter algorithm name [any of the
 supported quantum-safe or hybrid algorithms](README.md#signature-algorithms)
 can be utilized instead of the sample algorithm `dilithium3`.
 
@@ -247,7 +247,7 @@ Continuing the example above, the following command verifies the CMS file
 `signedfile` and outputs the `outputfile`. Its contents should be identical
 to the original data in `inputfile` above.
 
-    openssl cms -verify -CAfile qsc.crt -inform pem -in signedfile -crlfeol -out outputfile 
+    openssl cms -verify -CAfile qsc.crt -inform pem -in signedfile -crlfeol -out outputfile
 
 Note that it is also possible to build proper QSC certificate chains
 using the standard OpenSSL calls. For sample code see
@@ -276,3 +276,27 @@ The `dgst` command is not tested for interoperability with [oqs-openssl111](http
 
 The OpenSSL [`EVP_PKEY_decapsulate` API](https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_decapsulate.html) specifies an explicit return value for failure. For security reasons, most KEM algorithms available from liboqs do not return an error code if decapsulation failed. Successful decapsulation can instead be implicitly verified by comparing the original and the decapsulated message.
 
+## Supported OpenSSL parameters (`OSSL_PARAM`)
+
+OpenSSL 3 comes with the [`OSSL_PARAM`](https://www.openssl.org/docs/man3.2/man3/OSSL_PARAM.html) API.
+Through these [`OSSL_PARAM`] structures, oqs-provider can expose some useful information
+about a specific object.
+
+### `EVP_PKEY`
+
+Using the [`EVP_PKEY_get_params`](https://www.openssl.org/docs/man3.2/man3/EVP_PKEY_get_params.html)
+API, the following custom parameters are gettable:
+
+  - `OQS_HYBRID_PKEY_PARAM_CLASSICAL_PUB_KEY`: points to the public key of the
+    classical part of an hybrid key.
+  - `OQS_HYBRID_PKEY_PARAM_CLASSICAL_PRIV_KEY`: points to the private key of the
+    classical part of an hybrid key.
+  - `OQS_HYBRID_PKEY_PARAM_PQ_PUB_KEY`: points to the public key of the
+    quantum-resistant part of an hybrid key.
+  - `OQS_HYBRID_PKEY_PARAM_PQ_PRIV_KEY`: points to the private key of the
+    quantum-resistant part of an hybrid key.
+
+In case of non hybrid keys, these parameters return `NULL`.
+
+See the [corresponding test](tests/oqs_test_evp_pkey_params.c) for an example of
+how to use [`EVP_PKEY_get_params`] with custom oqs-provider parameters.

oqs-template/generate.py

@@ -89,7 +89,7 @@ def nist_to_bits(nistlevel):
       return 192
    elif nistlevel==5:
       return 256
-   else: 
+   else:
       return None
 
 def get_tmp_kem_oid():
@@ -100,7 +100,7 @@ def get_tmp_kem_oid():
 def complete_config(config):
    for kem in config['kems']:
       bits_level = nist_to_bits(get_kem_nistlevel(kem))
-      if bits_level == None: 
+      if bits_level == None:
           print("Cannot find security level for {:s} {:s}".format(kem['family'], kem['name_group']))
           exit(1)
       kem['bit_security'] = bits_level
@@ -127,7 +127,7 @@ def complete_config(config):
    for famsig in config['sigs']:
       for sig in famsig['variants']:
          bits_level = nist_to_bits(get_sig_nistlevel(famsig, sig))
-         if bits_level == None: 
+         if bits_level == None:
              print("Cannot find security level for {:s} {:s}. Setting to 0.".format(famsig['family'], sig['name']))
              bits_level = 0
          sig['security'] = bits_level
@@ -230,7 +230,7 @@ def load_config(include_disabled_sigs=False):
 # extend config with "hybrid_groups" array:
 config = load_config() # extend config with "hybrid_groups" array
 
-# complete config with "bit_security" and "hybrid_group from 
+# complete config with "bit_security" and "hybrid_group from
 # nid_hybrid information
 config = complete_config(config)
 
@@ -245,6 +245,7 @@ def load_config(include_disabled_sigs=False):
 populate('oqsprov/oqs_decode_der2key.c', config, '/////')
 populate('oqsprov/oqsprov_keys.c', config, '/////')
 populate('scripts/common.py', config, '#####')
+populate('test/oqs_test_evp_pkey_params.c', config, '/////')
 
 config2 = load_config(include_disabled_sigs=True)
 config2 = complete_config(config2)

oqs-template/oqsprov/oqsprov.c/encoding_patching.fragment

@@ -1,13 +1,19 @@
 {% set cnt = namespace(val=-2) %}
+{ const char* envval = NULL;
 {%- for sig in config['sigs'] %}
    {%- for variant in sig['variants'] %}
       {%- set cnt.val = cnt.val + 2 %}
-   if (getenv("OQS_ENCODING_{{variant['name']|upper}}")) oqs_alg_encoding_list[{{ cnt.val }}] = getenv("OQS_ENCODING_{{variant['name']|upper}}");
-   if (getenv("OQS_ENCODING_{{variant['name']|upper}}_ALGNAME")) oqs_alg_encoding_list[{{ cnt.val + 1 }}] = getenv("OQS_ENCODING_{{variant['name']|upper}}_ALGNAME");
+   if ((envval = getenv("OQS_ENCODING_{{variant['name']|upper}}"))) oqs_alg_encoding_list[{{ cnt.val }}] = envval;
+   if ((envval = getenv("OQS_ENCODING_{{variant['name']|upper}}_ALGNAME"))) oqs_alg_encoding_list[{{ cnt.val + 1 }}] = envval;
       {%- for classical_alg in variant['mix_with'] %}
          {%- set cnt.val = cnt.val + 2 %}
-   if (getenv("OQS_ENCODING_{{ classical_alg['name']|upper }}_{{variant['name']|upper}}")) oqs_alg_encoding_list[{{ cnt.val }}] = getenv("OQS_ENCODING_{{ classical_alg['name']|upper }}_{{variant['name']|upper}}");
-   if (getenv("OQS_ENCODING_{{ classical_alg['name']|upper }}_{{variant['name']|upper}}_ALGNAME")) oqs_alg_encoding_list[{{ cnt.val + 1 }}] = getenv("OQS_ENCODING_{{ classical_alg['name']|upper }}_{{variant['name']|upper}}_ALGNAME");
+   if ((envval = getenv("OQS_ENCODING_{{ classical_alg['name']|upper }}_{{variant['name']|upper}}"))) oqs_alg_encoding_list[{{ cnt.val }}] = envval;
+   if ((envval = getenv("OQS_ENCODING_{{ classical_alg['name']|upper }}_{{variant['name']|upper}}_ALGNAME"))) oqs_alg_encoding_list[{{ cnt.val + 1 }}] = envval;
+      {%- endfor %}
+      {%- for composite_alg in variant['composite'] %}
+         {%- set cnt.val = cnt.val + 2 %}
+   if (getenv("OQS_ENCODING_{{variant['name']|upper}}_{{ composite_alg['name']|upper }}")) oqs_alg_encoding_list[{{ cnt.val }}] = getenv("OQS_ENCODING_{{variant['name']|upper}}_{{ composite_alg['name']|upper }}");
+   if (getenv("OQS_ENCODING_{{variant['name']|upper}}_{{ composite_alg['name']|upper }}_ALGNAME")) oqs_alg_encoding_list[{{ cnt.val + 1 }}] = getenv("OQS_ENCODING_{{variant['name']|upper}}_{{ composite_alg['name']|upper }}_ALGNAME");
       {%- endfor %}
       {%- for composite_alg in variant['composite'] %}
          {%- set cnt.val = cnt.val + 2 %}
@@ -16,4 +22,5 @@
       {%- endfor %}
    {%- endfor %}
 {%- endfor %}
+}
 

oqs-template/oqsprov/oqsprov.c/oid_patching.fragment

@@ -1,14 +1,16 @@
 {% set cnt = namespace(val=-2) %}
+{
+  const char *envval = NULL;
 
 #ifdef OQS_KEM_ENCODERS
 
 {% set kemcount = namespace(val=-2) %}
 {% for kem in config['kems'] %}
 {% set kemcount.val = kemcount.val + 2 -%}
-   if (getenv("OQS_OID_{{kem['name_group']|upper}}")) oqs_oid_alg_list[{{ kemcount.val }}] = getenv("OQS_OID_{{kem['name_group']|upper}}");
+   if ((envval = getenv("OQS_OID_{{kem['name_group']|upper}}"))) oqs_oid_alg_list[{{ kemcount.val }}] = envval;
 {% for hybrid in kem['hybrids'] %}
 {% set kemcount.val = kemcount.val + 2 -%}
-   if (getenv("OQS_OID_{{ hybrid['hybrid_group']|upper }}_{{kem['name_group']|upper}}")) oqs_oid_alg_list[{{ kemcount.val }}] = getenv("OQS_OID_{{ hybrid['hybrid_group']|upper }}_{{kem['name_group']|upper}}");
+   if ((envval = getenv("OQS_OID_{{ hybrid['hybrid_group']|upper }}_{{kem['name_group']|upper}}"))) oqs_oid_alg_list[{{ kemcount.val }}] = envval;
 {%- endfor -%}
 {%- endfor %}
 
@@ -20,11 +22,11 @@
 {%- for sig in config['sigs'] %}
    {%- for variant in sig['variants'] %}
       {%- set cnt.val = cnt.val + 2 %}
-   if (getenv("OQS_OID_{{variant['name']|upper}}")) oqs_oid_alg_list[{{ cnt.val }}+OQS_KEMOID_CNT] = getenv("OQS_OID_{{variant['name']|upper}}");
+   if ((envval = getenv("OQS_OID_{{variant['name']|upper}}"))) oqs_oid_alg_list[{{ cnt.val }}+OQS_KEMOID_CNT] = envval;
       {%- for classical_alg in variant['mix_with'] %}
          {%- set cnt.val = cnt.val + 2 %}
-   if (getenv("OQS_OID_{{ classical_alg['name']|upper }}_{{variant['name']|upper}}")) oqs_oid_alg_list[{{ cnt.val }}+OQS_KEMOID_CNT] = getenv("OQS_OID_{{ classical_alg['name']|upper }}_{{variant['name']|upper}}");
+   if ((envval = getenv("OQS_OID_{{ classical_alg['name']|upper }}_{{variant['name']|upper}}"))) oqs_oid_alg_list[{{ cnt.val }}+OQS_KEMOID_CNT] = envval;
       {%- endfor %}
    {%- endfor %}
 {%- endfor %}
-
+}