From a5a7753bdd6aefb9b71668bdf90b225ce2ef2e81 Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Thu, 26 Sep 2024 12:11:14 -0400 Subject: [PATCH] Merge KEM OID branch (#522) commit c4f6eacca609a32fb608ff1e9498c92cd2651065 Merge: f0fe7d1 0312c00 Author: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Mon Sep 23 17:05:42 2024 +0200 Merge branch 'main' into mb-disabletempoids Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> commit f0fe7d13bd75057dd067bff9efe1530d7974ecf2 Author: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Mon Sep 23 11:19:08 2024 +0200 Update test/oqs_test_endecode.c Co-authored-by: Spencer Wilson Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> commit 3d5b68ee258fdf66bde7bd6248235dc19d5699d0 Author: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Mon Sep 23 11:18:58 2024 +0200 Update test/oqs_test_endecode.c Co-authored-by: Spencer Wilson Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> commit e94338d88d05da8743d562e799c54f56b07fd869 Author: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Sun Sep 15 18:19:33 2024 +0200 disable tests on no-OID KEMs Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> commit a60f6b78ec63dc4f734cd824bc1be94f0e23c724 Author: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Sun Sep 15 17:31:57 2024 +0200 disable tmp OID generation Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> --- ALGORITHMS.md | 92 ++++----- oqs-template/generate.py | 8 +- .../oqsprov.c/assign_sig_oids.fragment | 8 + oqsprov/oqsprov.c | 183 +++++++++--------- test/oqs_test_endecode.c | 5 + 5 files changed, 161 insertions(+), 135 deletions(-) diff --git a/ALGORITHMS.md b/ALGORITHMS.md index 3f21bcea..ea00ce41 100644 --- a/ALGORITHMS.md +++ b/ALGORITHMS.md 
@@ -162,6 +162,10 @@ OQS_CODEPOINT_X25519_KYBER512=65072 ./openssl/apps/openssl s_client -groups x25 Along the same lines as the code points, X.509 OIDs may be subject to change prior to final standardization. The environment variables below permit adapting the OIDs of all supported signature algorithms as per the table below. +OIDs denoted with NULL are not maintained and may lead to errors in code +execution. Anyone interested in using an algorithm with such designation is +requested to contribute to the maintenance of these OIDs along the lines +discussed in https://github.com/open-quantum-safe/oqs-provider/issues/351. |Algorithm name | default OID | enabled | environment variable | 
@@ -260,58 +264,58 @@ If [OQS_KEM_ENCODERS](CONFIGURE.md#OQS_KEM_ENCODERS) is enabled the following li |Algorithm name | default OID | environment variable | |---------------|:-----------------:|----------------------| -| frodo640aes | 1.3.9999.99.61 | OQS_OID_FRODO640AES -| p256_frodo640aes | 1.3.9999.99.60 | OQS_OID_P256_FRODO640AES -| x25519_frodo640aes | 1.3.9999.99.45 | OQS_OID_X25519_FRODO640AES -| frodo640shake | 1.3.9999.99.63 | OQS_OID_FRODO640SHAKE -| p256_frodo640shake | 1.3.9999.99.62 | OQS_OID_P256_FRODO640SHAKE -| x25519_frodo640shake | 1.3.9999.99.46 | OQS_OID_X25519_FRODO640SHAKE -| frodo976aes | 1.3.9999.99.65 | OQS_OID_FRODO976AES -| p384_frodo976aes | 1.3.9999.99.64 | OQS_OID_P384_FRODO976AES -| x448_frodo976aes | 1.3.9999.99.47 | OQS_OID_X448_FRODO976AES -| frodo976shake | 1.3.9999.99.67 | OQS_OID_FRODO976SHAKE -| p384_frodo976shake | 1.3.9999.99.66 | OQS_OID_P384_FRODO976SHAKE -| x448_frodo976shake | 1.3.9999.99.48 | OQS_OID_X448_FRODO976SHAKE -| frodo1344aes | 1.3.9999.99.69 | OQS_OID_FRODO1344AES -| p521_frodo1344aes | 1.3.9999.99.68 | OQS_OID_P521_FRODO1344AES -| frodo1344shake | 1.3.9999.99.71 | OQS_OID_FRODO1344SHAKE -| p521_frodo1344shake | 1.3.9999.99.70 | OQS_OID_P521_FRODO1344SHAKE +| frodo640aes | NULL | OQS_OID_FRODO640AES +| p256_frodo640aes | NULL | OQS_OID_P256_FRODO640AES +| x25519_frodo640aes | NULL | OQS_OID_X25519_FRODO640AES +| frodo640shake | NULL | OQS_OID_FRODO640SHAKE +| p256_frodo640shake | NULL | OQS_OID_P256_FRODO640SHAKE +| x25519_frodo640shake | NULL | OQS_OID_X25519_FRODO640SHAKE +| frodo976aes | NULL | OQS_OID_FRODO976AES +| p384_frodo976aes | NULL | OQS_OID_P384_FRODO976AES +| x448_frodo976aes | NULL | OQS_OID_X448_FRODO976AES +| frodo976shake | NULL | OQS_OID_FRODO976SHAKE +| p384_frodo976shake | NULL | OQS_OID_P384_FRODO976SHAKE +| x448_frodo976shake | NULL | OQS_OID_X448_FRODO976SHAKE +| frodo1344aes | NULL | OQS_OID_FRODO1344AES +| p521_frodo1344aes | NULL | OQS_OID_P521_FRODO1344AES +| frodo1344shake | NULL | 
OQS_OID_FRODO1344SHAKE +| p521_frodo1344shake | NULL | OQS_OID_P521_FRODO1344SHAKE | kyber512 | 1.3.6.1.4.1.2.267.8.2.2 | OQS_OID_KYBER512 -| p256_kyber512 | 1.3.9999.99.72 | OQS_OID_P256_KYBER512 -| x25519_kyber512 | 1.3.9999.99.49 | OQS_OID_X25519_KYBER512 +| p256_kyber512 | NULL | OQS_OID_P256_KYBER512 +| x25519_kyber512 | NULL | OQS_OID_X25519_KYBER512 | kyber768 | 1.3.6.1.4.1.2.267.8.3.3 | OQS_OID_KYBER768 -| p384_kyber768 | 1.3.9999.99.73 | OQS_OID_P384_KYBER768 -| x448_kyber768 | 1.3.9999.99.50 | OQS_OID_X448_KYBER768 -| x25519_kyber768 | 1.3.9999.99.51 | OQS_OID_X25519_KYBER768 -| p256_kyber768 | 1.3.9999.99.52 | OQS_OID_P256_KYBER768 +| p384_kyber768 | NULL | OQS_OID_P384_KYBER768 +| x448_kyber768 | NULL | OQS_OID_X448_KYBER768 +| x25519_kyber768 | NULL | OQS_OID_X25519_KYBER768 +| p256_kyber768 | NULL | OQS_OID_P256_KYBER768 | kyber1024 | 1.3.6.1.4.1.2.267.8.4.4 | OQS_OID_KYBER1024 -| p521_kyber1024 | 1.3.9999.99.74 | OQS_OID_P521_KYBER1024 +| p521_kyber1024 | NULL | OQS_OID_P521_KYBER1024 | mlkem512 | 2.16.840.1.101.3.4.4.1 | OQS_OID_MLKEM512 | p256_mlkem512 | 1.3.6.1.4.1.22554.5.7.1 | OQS_OID_P256_MLKEM512 | x25519_mlkem512 | 1.3.6.1.4.1.22554.5.8.1 | OQS_OID_X25519_MLKEM512 | mlkem768 | 2.16.840.1.101.3.4.4.2 | OQS_OID_MLKEM768 -| p384_mlkem768 | 1.3.9999.99.75 | OQS_OID_P384_MLKEM768 -| x448_mlkem768 | 1.3.9999.99.53 | OQS_OID_X448_MLKEM768 -| x25519_mlkem768 | 1.3.9999.99.54 | OQS_OID_X25519_MLKEM768 -| p256_mlkem768 | 1.3.9999.99.55 | OQS_OID_P256_MLKEM768 +| p384_mlkem768 | NULL | OQS_OID_P384_MLKEM768 +| x448_mlkem768 | NULL | OQS_OID_X448_MLKEM768 +| x25519_mlkem768 | NULL | OQS_OID_X25519_MLKEM768 +| p256_mlkem768 | NULL | OQS_OID_P256_MLKEM768 | mlkem1024 | 2.16.840.1.101.3.4.4.3 | OQS_OID_MLKEM1024 -| p521_mlkem1024 | 1.3.9999.99.76 | OQS_OID_P521_MLKEM1024 +| p521_mlkem1024 | NULL | OQS_OID_P521_MLKEM1024 | p384_mlkem1024 | 1.3.6.1.4.1.42235.6 | OQS_OID_P384_MLKEM1024 -| bikel1 | 1.3.9999.99.78 | OQS_OID_BIKEL1 -| p256_bikel1 | 1.3.9999.99.77 
| OQS_OID_P256_BIKEL1 -| x25519_bikel1 | 1.3.9999.99.56 | OQS_OID_X25519_BIKEL1 -| bikel3 | 1.3.9999.99.80 | OQS_OID_BIKEL3 -| p384_bikel3 | 1.3.9999.99.79 | OQS_OID_P384_BIKEL3 -| x448_bikel3 | 1.3.9999.99.57 | OQS_OID_X448_BIKEL3 -| bikel5 | 1.3.9999.99.82 | OQS_OID_BIKEL5 -| p521_bikel5 | 1.3.9999.99.81 | OQS_OID_P521_BIKEL5 -| hqc128 | 1.3.9999.99.84 | OQS_OID_HQC128 -| p256_hqc128 | 1.3.9999.99.83 | OQS_OID_P256_HQC128 -| x25519_hqc128 | 1.3.9999.99.58 | OQS_OID_X25519_HQC128 -| hqc192 | 1.3.9999.99.86 | OQS_OID_HQC192 -| p384_hqc192 | 1.3.9999.99.85 | OQS_OID_P384_HQC192 -| x448_hqc192 | 1.3.9999.99.59 | OQS_OID_X448_HQC192 -| hqc256 | 1.3.9999.99.88 | OQS_OID_HQC256 -| p521_hqc256 | 1.3.9999.99.87 | OQS_OID_P521_HQC256 +| bikel1 | NULL | OQS_OID_BIKEL1 +| p256_bikel1 | NULL | OQS_OID_P256_BIKEL1 +| x25519_bikel1 | NULL | OQS_OID_X25519_BIKEL1 +| bikel3 | NULL | OQS_OID_BIKEL3 +| p384_bikel3 | NULL | OQS_OID_P384_BIKEL3 +| x448_bikel3 | NULL | OQS_OID_X448_BIKEL3 +| bikel5 | NULL | OQS_OID_BIKEL5 +| p521_bikel5 | NULL | OQS_OID_P521_BIKEL5 +| hqc128 | NULL | OQS_OID_HQC128 +| p256_hqc128 | NULL | OQS_OID_P256_HQC128 +| x25519_hqc128 | NULL | OQS_OID_X25519_HQC128 +| hqc192 | NULL | OQS_OID_HQC192 +| p384_hqc192 | NULL | OQS_OID_P384_HQC192 +| x448_hqc192 | NULL | OQS_OID_X448_HQC192 +| hqc256 | NULL | OQS_OID_HQC256 +| p521_hqc256 | NULL | OQS_OID_P521_HQC256 diff --git a/oqs-template/generate.py b/oqs-template/generate.py index b36433ff..e6091874 100644 --- a/oqs-template/generate.py +++ b/oqs-template/generate.py @@ -93,9 +93,11 @@ def nist_to_bits(nistlevel): return None def get_tmp_kem_oid(): - global kemoidcnt - kemoidcnt = kemoidcnt+1 - return "1.3.9999.99."+str(kemoidcnt) + # doesn't work for runs on different files: + # global kemoidcnt + # kemoidcnt = kemoidcnt+1 + # return "1.3.9999.99."+str(kemoidcnt) + return "NULL" def complete_config(config): for kem in config['kems']: 
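Review bot: `get_tmp_kem_oid()` keeps its old body as commented-out code and now returns the string `"NULL"` as an in-band sentinel, which the template fragment has to match with `kem['oid'] == "NULL"`. Delete the four commented lines, since the history is in git, and document the contract instead with a docstring such as `"""Return the "NULL" placeholder: temporary KEM OIDs are no longer generated, and templates emit a C NULL for this value."""`. The function name still promises a temporary OID, so a reader may expect a usable dotted string. Any other generator code that consumes `kem['oid']` or `hybrid['hybrid_oid']` as an OID should be checked for the placeholder; that code is not visible in this hunk.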
diff --git a/oqs-template/oqsprov/oqsprov.c/assign_sig_oids.fragment b/oqs-template/oqsprov/oqsprov.c/assign_sig_oids.fragment index 21af9c85..2012d8b0 100644 --- a/oqs-template/oqsprov/oqsprov.c/assign_sig_oids.fragment +++ b/oqs-template/oqsprov/oqsprov.c/assign_sig_oids.fragment @@ -29,9 +29,17 @@ const char* oqs_oid_alg_list[OQS_OID_CNT] = #ifdef OQS_KEM_ENCODERS {% for kem in config['kems'] %} +{%- if kem['oid'] == "NULL" -%} +NULL, "{{ kem['name_group'] }}", +{%- else -%} "{{ kem['oid'] }}", "{{ kem['name_group'] }}", +{%- endif -%} {%- for hybrid in kem['hybrids'] %} +{%- if hybrid['hybrid_oid'] == "NULL" -%} +NULL, "{{hybrid['hybrid_group']}}_{{ kem['name_group'] }}", +{%- else -%} "{{hybrid['hybrid_oid']}}", "{{hybrid['hybrid_group']}}_{{ kem['name_group'] }}", +{%- endif -%} {%- endfor -%} {%- endfor %} diff --git a/oqsprov/oqsprov.c b/oqsprov/oqsprov.c index 12104199..80436ccf 100644 --- a/oqsprov/oqsprov.c +++ b/oqsprov/oqsprov.c 
@@ -58,58 +58,57 @@ extern OSSL_FUNC_provider_get_capabilities_fn oqs_provider_get_capabilities; const char *oqs_oid_alg_list[OQS_OID_CNT] = { #ifdef OQS_KEM_ENCODERS - - "1.3.9999.99.17", + NULL, "frodo640aes", - "1.3.9999.99.16", + NULL, "p256_frodo640aes", - "1.3.9999.99.1", + NULL, "x25519_frodo640aes", - "1.3.9999.99.19", + NULL, "frodo640shake", - "1.3.9999.99.18", + NULL, "p256_frodo640shake", - "1.3.9999.99.2", + NULL, "x25519_frodo640shake", - "1.3.9999.99.21", + NULL, "frodo976aes", - "1.3.9999.99.20", + NULL, "p384_frodo976aes", - "1.3.9999.99.3", + NULL, "x448_frodo976aes", - "1.3.9999.99.23", + NULL, "frodo976shake", - "1.3.9999.99.22", + NULL, "p384_frodo976shake", - "1.3.9999.99.4", + NULL, "x448_frodo976shake", - "1.3.9999.99.25", + NULL, "frodo1344aes", - "1.3.9999.99.24", + NULL, "p521_frodo1344aes", - "1.3.9999.99.27", + NULL, "frodo1344shake", - "1.3.9999.99.26", + NULL, "p521_frodo1344shake", "1.3.6.1.4.1.2.267.8.2.2", "kyber512", - "1.3.9999.99.28", + NULL, "p256_kyber512", - "1.3.9999.99.5", + NULL, "x25519_kyber512", "1.3.6.1.4.1.2.267.8.3.3", "kyber768", - "1.3.9999.99.29", + NULL, "p384_kyber768", - "1.3.9999.99.6", + NULL, "x448_kyber768", - "1.3.9999.99.7", + NULL, "x25519_kyber768", - "1.3.9999.99.8", + NULL, "p256_kyber768", "1.3.6.1.4.1.2.267.8.4.4", "kyber1024", - "1.3.9999.99.30", + NULL, "p521_kyber1024", "2.16.840.1.101.3.4.4.1", "mlkem512", 
@@ -119,51 +118,51 @@ const char *oqs_oid_alg_list[OQS_OID_CNT] = { "x25519_mlkem512", "2.16.840.1.101.3.4.4.2", "mlkem768", - "1.3.9999.99.31", + NULL, "p384_mlkem768", - "1.3.9999.99.9", + NULL, "x448_mlkem768", - "1.3.9999.99.10", + NULL, "x25519_mlkem768", - "1.3.9999.99.11", + NULL, "p256_mlkem768", "2.16.840.1.101.3.4.4.3", "mlkem1024", - "1.3.9999.99.32", + NULL, "p521_mlkem1024", "1.3.6.1.4.1.42235.6", "p384_mlkem1024", - "1.3.9999.99.34", + NULL, "bikel1", - "1.3.9999.99.33", + NULL, "p256_bikel1", - "1.3.9999.99.12", + NULL, "x25519_bikel1", - "1.3.9999.99.36", + NULL, "bikel3", - "1.3.9999.99.35", + NULL, "p384_bikel3", - "1.3.9999.99.13", + NULL, "x448_bikel3", - "1.3.9999.99.38", + NULL, "bikel5", - "1.3.9999.99.37", + NULL, "p521_bikel5", - "1.3.9999.99.40", + NULL, "hqc128", - "1.3.9999.99.39", + NULL, "p256_hqc128", - "1.3.9999.99.14", + NULL, "x25519_hqc128", - "1.3.9999.99.42", + NULL, "hqc192", - "1.3.9999.99.41", + NULL, "p384_hqc192", - "1.3.9999.99.15", + NULL, "x448_hqc192", - "1.3.9999.99.44", + NULL, "hqc256", - "1.3.9999.99.43", + NULL, "p521_hqc256", #endif /* OQS_KEM_ENCODERS */ 
@@ -1161,51 +1160,59 @@ int OQS_PROVIDER_ENTRYPOINT_NAME(const OSSL_CORE_HANDLE *handle, // insert all OIDs to the global objects list for (i = 0; i < OQS_OID_CNT; i += 2) { - if (!c_obj_create(handle, oqs_oid_alg_list[i], oqs_oid_alg_list[i + 1], - oqs_oid_alg_list[i + 1])) { - ERR_raise(ERR_LIB_USER, OQSPROV_R_OBJ_CREATE_ERR); - fprintf(stderr, "error registering NID for %s\n", - oqs_oid_alg_list[i + 1]); - goto end_init; - } - - /* create object (NID) again to avoid setup corner case problems - * see https://github.com/openssl/openssl/discussions/21903 - * Not testing for errors is intentional. - * At least one core version hangs up; so don't do this there: - */ - if (ossl_versionp && strcmp("3.1.0", ossl_versionp)) { - ERR_set_mark(); - OBJ_create(oqs_oid_alg_list[i], oqs_oid_alg_list[i + 1], - oqs_oid_alg_list[i + 1]); - ERR_pop_to_mark(); - } - - if (!oqs_set_nid((char *)oqs_oid_alg_list[i + 1], - OBJ_sn2nid(oqs_oid_alg_list[i + 1]))) { - ERR_raise(ERR_LIB_USER, OQSPROV_R_OBJ_CREATE_ERR); - goto end_init; - } - - if (!c_obj_add_sigid(handle, oqs_oid_alg_list[i + 1], "", - oqs_oid_alg_list[i + 1])) { - fprintf(stderr, "error registering %s with no hash\n", - oqs_oid_alg_list[i + 1]); - ERR_raise(ERR_LIB_USER, OQSPROV_R_OBJ_CREATE_ERR); - goto end_init; - } - if (OBJ_sn2nid(oqs_oid_alg_list[i + 1]) != 0) { - OQS_PROV_PRINTF3( - "OQS PROV: successfully registered %s with NID %d\n", - oqs_oid_alg_list[i + 1], OBJ_sn2nid(oqs_oid_alg_list[i + 1])); + if (oqs_oid_alg_list[i] == NULL) { + OQS_PROV_PRINTF2("OQS PROV: Warning: No OID registered for %s\n", + oqs_oid_alg_list[i + 1]); } else { - fprintf(stderr, - "OQS PROV: Impossible error: NID unregistered " - "for %s.\n", - oqs_oid_alg_list[i + 1]); - ERR_raise(ERR_LIB_USER, OQSPROV_R_OBJ_CREATE_ERR); - goto end_init; + if (!c_obj_create(handle, oqs_oid_alg_list[i], + oqs_oid_alg_list[i + 1], + oqs_oid_alg_list[i + 1])) { + ERR_raise(ERR_LIB_USER, OQSPROV_R_OBJ_CREATE_ERR); + fprintf(stderr, "error registering NID for 
%s\n", + oqs_oid_alg_list[i + 1]); + goto end_init; + } + + /* create object (NID) again to avoid setup corner case problems + * see https://github.com/openssl/openssl/discussions/21903 + * Not testing for errors is intentional. + * At least one core version hangs up; so don't do this there: + */ + if (strcmp("3.1.0", ossl_versionp)) { + ERR_set_mark(); + OBJ_create(oqs_oid_alg_list[i], oqs_oid_alg_list[i + 1], + oqs_oid_alg_list[i + 1]); + ERR_pop_to_mark(); + } + + if (!oqs_set_nid((char *)oqs_oid_alg_list[i + 1], + OBJ_sn2nid(oqs_oid_alg_list[i + 1]))) { + ERR_raise(ERR_LIB_USER, OQSPROV_R_OBJ_CREATE_ERR); + goto end_init; + } + + if (!c_obj_add_sigid(handle, oqs_oid_alg_list[i + 1], "", + oqs_oid_alg_list[i + 1])) { + fprintf(stderr, "error registering %s with no hash\n", + oqs_oid_alg_list[i + 1]); + ERR_raise(ERR_LIB_USER, OQSPROV_R_OBJ_CREATE_ERR); + goto end_init; + } + + if (OBJ_sn2nid(oqs_oid_alg_list[i + 1]) != 0) { + OQS_PROV_PRINTF3( + "OQS PROV: successfully registered %s with NID %d\n", + oqs_oid_alg_list[i + 1], + OBJ_sn2nid(oqs_oid_alg_list[i + 1])); + } else { + fprintf(stderr, + "OQS PROV: Impossible error: NID unregistered " + "for %s.\n", + oqs_oid_alg_list[i + 1]); + ERR_raise(ERR_LIB_USER, OQSPROV_R_OBJ_CREATE_ERR); + goto end_init; + } } } diff --git a/test/oqs_test_endecode.c b/test/oqs_test_endecode.c index 583ed3e5..0e498e37 100644 --- a/test/oqs_test_endecode.c +++ b/test/oqs_test_endecode.c @@ -175,6 +175,11 @@ static int test_oqs_encdec(const char *alg_name) { if (pkey == NULL) goto end; + if (!OBJ_sn2nid(alg_name)) { + printf("No OID registered for %s\n", alg_name); + ok = -1; + goto end; + } if (!encode_EVP_PKEY_prov(pkey, test_params_list[i].format, test_params_list[i].structure, test_params_list[i].pass,
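Review bot: The re-indented `OBJ_create` retry inside the new `else` branch calls `strcmp("3.1.0", ossl_versionp)` without the `ossl_versionp &&` guard that the removed line had, so a NULL version pointer would be passed to strcmp, which is undefined behaviour. Nothing in the hunk shows that `ossl_versionp` is always set before this loop, so the guard should stay: `if (ossl_versionp && strcmp("3.1.0", ossl_versionp)) {`. Separately, entries with a NULL OID now skip `oqs_set_nid` and `c_obj_add_sigid` and are reported only through `OQS_PROV_PRINTF2`. Any other reader of `oqs_oid_alg_list` that treats the even-indexed slot as a string therefore needs the same NULL check; those readers are outside this hunk. The body of OQS_PROVIDER_ENTRYPOINT_NAME starts and ends outside the hunk.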
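Review bot: The new `!OBJ_sn2nid(alg_name)` branch in test_oqs_encdec sets `ok = -1` without recording what that value means to the caller, and it runs only after `pkey` has been generated. A comment would capture the intent, for example `/* No OID registered (NULL entry in the provider's OID list): encoding is not possible; ok = -1 presumably marks the algorithm as skipped, confirm against the caller */`. Comparing against `NID_undef` would read more clearly than `!`. If the check does not depend on `pkey`, it could sit ahead of key generation; the start of the function is outside the hunk, so that placement needs confirming there.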