diff --git a/ALGORITHMS.md b/ALGORITHMS.md index 3f21bcea..ea00ce41 100644 --- a/ALGORITHMS.md +++ b/ALGORITHMS.md @@ -162,6 +162,10 @@ OQS_CODEPOINT_X25519_KYBER512=65072 ./openssl/apps/openssl s_client -groups x25 Along the same lines as the code points, X.509 OIDs may be subject to change prior to final standardization. The environment variables below permit adapting the OIDs of all supported signature algorithms as per the table below. +OIDs denoted with NULL are not maintained and may lead to errors in code +execution. Anyone interested in using an algorithm with such designation is +requested to contribute to the maintenance of these OIDs along the lines +discussed in https://github.com/open-quantum-safe/oqs-provider/issues/351. |Algorithm name | default OID | enabled | environment variable | @@ -260,58 +264,58 @@ If [OQS_KEM_ENCODERS](CONFIGURE.md#OQS_KEM_ENCODERS) is enabled the following li |Algorithm name | default OID | environment variable | |---------------|:-----------------:|----------------------| -| frodo640aes | 1.3.9999.99.61 | OQS_OID_FRODO640AES -| p256_frodo640aes | 1.3.9999.99.60 | OQS_OID_P256_FRODO640AES -| x25519_frodo640aes | 1.3.9999.99.45 | OQS_OID_X25519_FRODO640AES -| frodo640shake | 1.3.9999.99.63 | OQS_OID_FRODO640SHAKE -| p256_frodo640shake | 1.3.9999.99.62 | OQS_OID_P256_FRODO640SHAKE -| x25519_frodo640shake | 1.3.9999.99.46 | OQS_OID_X25519_FRODO640SHAKE -| frodo976aes | 1.3.9999.99.65 | OQS_OID_FRODO976AES -| p384_frodo976aes | 1.3.9999.99.64 | OQS_OID_P384_FRODO976AES -| x448_frodo976aes | 1.3.9999.99.47 | OQS_OID_X448_FRODO976AES -| frodo976shake | 1.3.9999.99.67 | OQS_OID_FRODO976SHAKE -| p384_frodo976shake | 1.3.9999.99.66 | OQS_OID_P384_FRODO976SHAKE -| x448_frodo976shake | 1.3.9999.99.48 | OQS_OID_X448_FRODO976SHAKE -| frodo1344aes | 1.3.9999.99.69 | OQS_OID_FRODO1344AES -| p521_frodo1344aes | 1.3.9999.99.68 | OQS_OID_P521_FRODO1344AES -| frodo1344shake | 1.3.9999.99.71 | OQS_OID_FRODO1344SHAKE -| p521_frodo1344shake | 1.3.9999.99.70 | OQS_OID_P521_FRODO1344SHAKE +| frodo640aes | NULL | OQS_OID_FRODO640AES +| p256_frodo640aes | NULL | OQS_OID_P256_FRODO640AES +| x25519_frodo640aes | NULL | OQS_OID_X25519_FRODO640AES +| frodo640shake | NULL | OQS_OID_FRODO640SHAKE +| p256_frodo640shake | NULL | OQS_OID_P256_FRODO640SHAKE +| x25519_frodo640shake | NULL | OQS_OID_X25519_FRODO640SHAKE +| frodo976aes | NULL | OQS_OID_FRODO976AES +| p384_frodo976aes | NULL | OQS_OID_P384_FRODO976AES +| x448_frodo976aes | NULL | OQS_OID_X448_FRODO976AES +| frodo976shake | NULL | OQS_OID_FRODO976SHAKE +| p384_frodo976shake | NULL | OQS_OID_P384_FRODO976SHAKE +| x448_frodo976shake | NULL | OQS_OID_X448_FRODO976SHAKE +| frodo1344aes | NULL | OQS_OID_FRODO1344AES +| p521_frodo1344aes | NULL | OQS_OID_P521_FRODO1344AES +| frodo1344shake | NULL | OQS_OID_FRODO1344SHAKE +| p521_frodo1344shake | NULL | OQS_OID_P521_FRODO1344SHAKE | kyber512 | 1.3.6.1.4.1.2.267.8.2.2 | OQS_OID_KYBER512 -| p256_kyber512 | 1.3.9999.99.72 | OQS_OID_P256_KYBER512 -| x25519_kyber512 | 1.3.9999.99.49 | OQS_OID_X25519_KYBER512 +| p256_kyber512 | NULL | OQS_OID_P256_KYBER512 +| x25519_kyber512 | NULL | OQS_OID_X25519_KYBER512 | kyber768 | 1.3.6.1.4.1.2.267.8.3.3 | OQS_OID_KYBER768 -| p384_kyber768 | 1.3.9999.99.73 | OQS_OID_P384_KYBER768 -| x448_kyber768 | 1.3.9999.99.50 | OQS_OID_X448_KYBER768 -| x25519_kyber768 | 1.3.9999.99.51 | OQS_OID_X25519_KYBER768 -| p256_kyber768 | 1.3.9999.99.52 | OQS_OID_P256_KYBER768 +| p384_kyber768 | NULL | OQS_OID_P384_KYBER768 +| x448_kyber768 | NULL | OQS_OID_X448_KYBER768 +| x25519_kyber768 | NULL | OQS_OID_X25519_KYBER768 +| p256_kyber768 | NULL | OQS_OID_P256_KYBER768 | kyber1024 | 1.3.6.1.4.1.2.267.8.4.4 | OQS_OID_KYBER1024 -| p521_kyber1024 | 1.3.9999.99.74 | OQS_OID_P521_KYBER1024 +| p521_kyber1024 | NULL | OQS_OID_P521_KYBER1024 | mlkem512 | 2.16.840.1.101.3.4.4.1 | OQS_OID_MLKEM512 | p256_mlkem512 | 1.3.6.1.4.1.22554.5.7.1 | OQS_OID_P256_MLKEM512 | x25519_mlkem512 | 1.3.6.1.4.1.22554.5.8.1 | OQS_OID_X25519_MLKEM512 | mlkem768 | 2.16.840.1.101.3.4.4.2 | OQS_OID_MLKEM768 -| p384_mlkem768 | 1.3.9999.99.75 | OQS_OID_P384_MLKEM768 -| x448_mlkem768 | 1.3.9999.99.53 | OQS_OID_X448_MLKEM768 -| x25519_mlkem768 | 1.3.9999.99.54 | OQS_OID_X25519_MLKEM768 -| p256_mlkem768 | 1.3.9999.99.55 | OQS_OID_P256_MLKEM768 +| p384_mlkem768 | NULL | OQS_OID_P384_MLKEM768 +| x448_mlkem768 | NULL | OQS_OID_X448_MLKEM768 +| x25519_mlkem768 | NULL | OQS_OID_X25519_MLKEM768 +| p256_mlkem768 | NULL | OQS_OID_P256_MLKEM768 | mlkem1024 | 2.16.840.1.101.3.4.4.3 | OQS_OID_MLKEM1024 -| p521_mlkem1024 | 1.3.9999.99.76 | OQS_OID_P521_MLKEM1024 +| p521_mlkem1024 | NULL | OQS_OID_P521_MLKEM1024 | p384_mlkem1024 | 1.3.6.1.4.1.42235.6 | OQS_OID_P384_MLKEM1024 -| bikel1 | 1.3.9999.99.78 | OQS_OID_BIKEL1 -| p256_bikel1 | 1.3.9999.99.77 | OQS_OID_P256_BIKEL1 -| x25519_bikel1 | 1.3.9999.99.56 | OQS_OID_X25519_BIKEL1 -| bikel3 | 1.3.9999.99.80 | OQS_OID_BIKEL3 -| p384_bikel3 | 1.3.9999.99.79 | OQS_OID_P384_BIKEL3 -| x448_bikel3 | 1.3.9999.99.57 | OQS_OID_X448_BIKEL3 -| bikel5 | 1.3.9999.99.82 | OQS_OID_BIKEL5 -| p521_bikel5 | 1.3.9999.99.81 | OQS_OID_P521_BIKEL5 -| hqc128 | 1.3.9999.99.84 | OQS_OID_HQC128 -| p256_hqc128 | 1.3.9999.99.83 | OQS_OID_P256_HQC128 -| x25519_hqc128 | 1.3.9999.99.58 | OQS_OID_X25519_HQC128 -| hqc192 | 1.3.9999.99.86 | OQS_OID_HQC192 -| p384_hqc192 | 1.3.9999.99.85 | OQS_OID_P384_HQC192 -| x448_hqc192 | 1.3.9999.99.59 | OQS_OID_X448_HQC192 -| hqc256 | 1.3.9999.99.88 | OQS_OID_HQC256 -| p521_hqc256 | 1.3.9999.99.87 | OQS_OID_P521_HQC256 +| bikel1 | NULL | OQS_OID_BIKEL1 +| p256_bikel1 | NULL | OQS_OID_P256_BIKEL1 +| x25519_bikel1 | NULL | OQS_OID_X25519_BIKEL1 +| bikel3 | NULL | OQS_OID_BIKEL3 +| p384_bikel3 | NULL | OQS_OID_P384_BIKEL3 +| x448_bikel3 | NULL | OQS_OID_X448_BIKEL3 +| bikel5 | NULL | OQS_OID_BIKEL5 +| p521_bikel5 | NULL | OQS_OID_P521_BIKEL5 +| hqc128 | NULL | OQS_OID_HQC128 +| p256_hqc128 | NULL | OQS_OID_P256_HQC128 +| x25519_hqc128 | NULL | OQS_OID_X25519_HQC128 +| hqc192 | NULL | OQS_OID_HQC192 +| p384_hqc192 | NULL | OQS_OID_P384_HQC192 +| x448_hqc192 | NULL | OQS_OID_X448_HQC192 +| hqc256 | NULL | OQS_OID_HQC256 +| p521_hqc256 | NULL | OQS_OID_P521_HQC256 diff --git a/oqs-template/generate.py b/oqs-template/generate.py index b36433ff..e6091874 100644 --- a/oqs-template/generate.py +++ b/oqs-template/generate.py @@ -93,9 +93,11 @@ def nist_to_bits(nistlevel): return None def get_tmp_kem_oid(): - global kemoidcnt - kemoidcnt = kemoidcnt+1 - return "1.3.9999.99."+str(kemoidcnt) + # doesn't work for runs on different files: + # global kemoidcnt + # kemoidcnt = kemoidcnt+1 + # return "1.3.9999.99."+str(kemoidcnt) + return "NULL" def complete_config(config): for kem in config['kems']: diff --git a/oqs-template/oqsprov/oqsprov.c/assign_sig_oids.fragment b/oqs-template/oqsprov/oqsprov.c/assign_sig_oids.fragment index 21af9c85..2012d8b0 100644 --- a/oqs-template/oqsprov/oqsprov.c/assign_sig_oids.fragment +++ b/oqs-template/oqsprov/oqsprov.c/assign_sig_oids.fragment @@ -29,9 +29,17 @@ const char* oqs_oid_alg_list[OQS_OID_CNT] = #ifdef OQS_KEM_ENCODERS {% for kem in config['kems'] %} +{%- if kem['oid'] == "NULL" -%} +NULL, "{{ kem['name_group'] }}", +{%- else -%} "{{ kem['oid'] }}", "{{ kem['name_group'] }}", +{%- endif -%} {%- for hybrid in kem['hybrids'] %} +{%- if hybrid['hybrid_oid'] == "NULL" -%} +NULL, "{{hybrid['hybrid_group']}}_{{ kem['name_group'] }}", +{%- else -%} "{{hybrid['hybrid_oid']}}", "{{hybrid['hybrid_group']}}_{{ kem['name_group'] }}", +{%- endif -%} {%- endfor -%} {%- endfor %} diff --git a/oqsprov/oqsprov.c b/oqsprov/oqsprov.c index 12104199..80436ccf 100644 --- a/oqsprov/oqsprov.c +++ b/oqsprov/oqsprov.c @@ -58,58 +58,57 @@ extern OSSL_FUNC_provider_get_capabilities_fn oqs_provider_get_capabilities; const char *oqs_oid_alg_list[OQS_OID_CNT] = { #ifdef OQS_KEM_ENCODERS - - "1.3.9999.99.17", + NULL, "frodo640aes", - "1.3.9999.99.16", + NULL, "p256_frodo640aes", - "1.3.9999.99.1", + NULL, "x25519_frodo640aes", - "1.3.9999.99.19", + NULL, "frodo640shake", - "1.3.9999.99.18", + NULL, "p256_frodo640shake", - "1.3.9999.99.2", + NULL, "x25519_frodo640shake", - "1.3.9999.99.21", + NULL, "frodo976aes", - "1.3.9999.99.20", + NULL, "p384_frodo976aes", - "1.3.9999.99.3", + NULL, "x448_frodo976aes", - "1.3.9999.99.23", + NULL, "frodo976shake", - "1.3.9999.99.22", + NULL, "p384_frodo976shake", - "1.3.9999.99.4", + NULL, "x448_frodo976shake", - "1.3.9999.99.25", + NULL, "frodo1344aes", - "1.3.9999.99.24", + NULL, "p521_frodo1344aes", - "1.3.9999.99.27", + NULL, "frodo1344shake", - "1.3.9999.99.26", + NULL, "p521_frodo1344shake", "1.3.6.1.4.1.2.267.8.2.2", "kyber512", - "1.3.9999.99.28", + NULL, "p256_kyber512", - "1.3.9999.99.5", + NULL, "x25519_kyber512", "1.3.6.1.4.1.2.267.8.3.3", "kyber768", - "1.3.9999.99.29", + NULL, "p384_kyber768", - "1.3.9999.99.6", + NULL, "x448_kyber768", - "1.3.9999.99.7", + NULL, "x25519_kyber768", - "1.3.9999.99.8", + NULL, "p256_kyber768", "1.3.6.1.4.1.2.267.8.4.4", "kyber1024", - "1.3.9999.99.30", + NULL, "p521_kyber1024", "2.16.840.1.101.3.4.4.1", "mlkem512", @@ -119,51 +118,51 @@ const char *oqs_oid_alg_list[OQS_OID_CNT] = { "x25519_mlkem512", "2.16.840.1.101.3.4.4.2", "mlkem768", - "1.3.9999.99.31", + NULL, "p384_mlkem768", - "1.3.9999.99.9", + NULL, "x448_mlkem768", - "1.3.9999.99.10", + NULL, "x25519_mlkem768", - "1.3.9999.99.11", + NULL, "p256_mlkem768", "2.16.840.1.101.3.4.4.3", "mlkem1024", - "1.3.9999.99.32", + NULL, "p521_mlkem1024", "1.3.6.1.4.1.42235.6", "p384_mlkem1024", - "1.3.9999.99.34", + NULL, "bikel1", - "1.3.9999.99.33", + NULL, "p256_bikel1", - "1.3.9999.99.12", + NULL, "x25519_bikel1", - "1.3.9999.99.36", + NULL, "bikel3", - "1.3.9999.99.35", + NULL, "p384_bikel3", - "1.3.9999.99.13", + NULL, "x448_bikel3", - "1.3.9999.99.38", + NULL, "bikel5", - "1.3.9999.99.37", + NULL, "p521_bikel5", - "1.3.9999.99.40", + NULL, "hqc128", - "1.3.9999.99.39", + NULL, "p256_hqc128", - "1.3.9999.99.14", + NULL, "x25519_hqc128", - "1.3.9999.99.42", + NULL, "hqc192", - "1.3.9999.99.41", + NULL, "p384_hqc192", - "1.3.9999.99.15", + NULL, "x448_hqc192", - "1.3.9999.99.44", + NULL, "hqc256", - "1.3.9999.99.43", + NULL, "p521_hqc256", #endif /* OQS_KEM_ENCODERS */ @@ -1161,51 +1160,59 @@ int OQS_PROVIDER_ENTRYPOINT_NAME(const OSSL_CORE_HANDLE *handle, // insert all OIDs to the global objects list for (i = 0; i < OQS_OID_CNT; i += 2) { - if (!c_obj_create(handle, oqs_oid_alg_list[i], oqs_oid_alg_list[i + 1], - oqs_oid_alg_list[i + 1])) { - ERR_raise(ERR_LIB_USER, OQSPROV_R_OBJ_CREATE_ERR); - fprintf(stderr, "error registering NID for %s\n", - oqs_oid_alg_list[i + 1]); - goto end_init; - } - - /* create object (NID) again to avoid setup corner case problems - * see https://github.com/openssl/openssl/discussions/21903 - * Not testing for errors is intentional. - * At least one core version hangs up; so don't do this there: - */ - if (ossl_versionp && strcmp("3.1.0", ossl_versionp)) { - ERR_set_mark(); - OBJ_create(oqs_oid_alg_list[i], oqs_oid_alg_list[i + 1], - oqs_oid_alg_list[i + 1]); - ERR_pop_to_mark(); - } - - if (!oqs_set_nid((char *)oqs_oid_alg_list[i + 1], - OBJ_sn2nid(oqs_oid_alg_list[i + 1]))) { - ERR_raise(ERR_LIB_USER, OQSPROV_R_OBJ_CREATE_ERR); - goto end_init; - } - - if (!c_obj_add_sigid(handle, oqs_oid_alg_list[i + 1], "", - oqs_oid_alg_list[i + 1])) { - fprintf(stderr, "error registering %s with no hash\n", - oqs_oid_alg_list[i + 1]); - ERR_raise(ERR_LIB_USER, OQSPROV_R_OBJ_CREATE_ERR); - goto end_init; - } - if (OBJ_sn2nid(oqs_oid_alg_list[i + 1]) != 0) { - OQS_PROV_PRINTF3( - "OQS PROV: successfully registered %s with NID %d\n", - oqs_oid_alg_list[i + 1], OBJ_sn2nid(oqs_oid_alg_list[i + 1])); + if (oqs_oid_alg_list[i] == NULL) { + OQS_PROV_PRINTF2("OQS PROV: Warning: No OID registered for %s\n", + oqs_oid_alg_list[i + 1]); } else { - fprintf(stderr, - "OQS PROV: Impossible error: NID unregistered " - "for %s.\n", - oqs_oid_alg_list[i + 1]); - ERR_raise(ERR_LIB_USER, OQSPROV_R_OBJ_CREATE_ERR); - goto end_init; + if (!c_obj_create(handle, oqs_oid_alg_list[i], + oqs_oid_alg_list[i + 1], + oqs_oid_alg_list[i + 1])) { + ERR_raise(ERR_LIB_USER, OQSPROV_R_OBJ_CREATE_ERR); + fprintf(stderr, "error registering NID for %s\n", + oqs_oid_alg_list[i + 1]); + goto end_init; + } + + /* create object (NID) again to avoid setup corner case problems + * see https://github.com/openssl/openssl/discussions/21903 + * Not testing for errors is intentional. + * At least one core version hangs up; so don't do this there: + */ + if (strcmp("3.1.0", ossl_versionp)) { + ERR_set_mark(); + OBJ_create(oqs_oid_alg_list[i], oqs_oid_alg_list[i + 1], + oqs_oid_alg_list[i + 1]); + ERR_pop_to_mark(); + } + + if (!oqs_set_nid((char *)oqs_oid_alg_list[i + 1], + OBJ_sn2nid(oqs_oid_alg_list[i + 1]))) { + ERR_raise(ERR_LIB_USER, OQSPROV_R_OBJ_CREATE_ERR); + goto end_init; + } + + if (!c_obj_add_sigid(handle, oqs_oid_alg_list[i + 1], "", + oqs_oid_alg_list[i + 1])) { + fprintf(stderr, "error registering %s with no hash\n", + oqs_oid_alg_list[i + 1]); + ERR_raise(ERR_LIB_USER, OQSPROV_R_OBJ_CREATE_ERR); + goto end_init; + } + + if (OBJ_sn2nid(oqs_oid_alg_list[i + 1]) != 0) { + OQS_PROV_PRINTF3( + "OQS PROV: successfully registered %s with NID %d\n", + oqs_oid_alg_list[i + 1], + OBJ_sn2nid(oqs_oid_alg_list[i + 1])); + } else { + fprintf(stderr, + "OQS PROV: Impossible error: NID unregistered " + "for %s.\n", + oqs_oid_alg_list[i + 1]); + ERR_raise(ERR_LIB_USER, OQSPROV_R_OBJ_CREATE_ERR); + goto end_init; + } } } diff --git a/test/oqs_test_endecode.c b/test/oqs_test_endecode.c index 583ed3e5..0e498e37 100644 --- a/test/oqs_test_endecode.c +++ b/test/oqs_test_endecode.c @@ -175,6 +175,11 @@ static int test_oqs_encdec(const char *alg_name) { if (pkey == NULL) goto end; + if (!OBJ_sn2nid(alg_name)) { + printf("No OID registered for %s\n", alg_name); + ok = -1; + goto end; + } if (!encode_EVP_PKEY_prov(pkey, test_params_list[i].format, test_params_list[i].structure, test_params_list[i].pass,