From 2cdbc17e149cc7fda3fdd8c355a49581625acbad Mon Sep 17 00:00:00 2001 From: Jan Schaumann Date: Fri, 6 Sep 2024 11:02:21 +0000 Subject: [PATCH 1/2] add support for the CMAKE_PARAMS environment variable (#510) * add support for the CMAKE_PARAMS environment variable Signed-off-by: Jan Schaumann --------- Signed-off-by: Jan Schaumann --- CONFIGURE.md | 10 ++++++++++ scripts/fullbuild.sh | 7 ++++--- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/CONFIGURE.md b/CONFIGURE.md index 63dccf97..309c9570 100644 --- a/CONFIGURE.md +++ b/CONFIGURE.md @@ -30,6 +30,16 @@ activate further warning messages. In particular, when "Debug" has been set, dis [debugging capabilities](https://github.com/open-quantum-safe/oqs-provider/wiki/Debugging) are activated and additional setup warnings are output. +### CMAKE_PARAMS + +This environment variable lets you specify additional flags to pass to `cmake` explicitly when using the `fullbuild.sh` script. + +For example, in order to point `cmake` to a specific library, you might run: + +``` +$ env CMAKE_PARAMS="-DOPENSSL_CRYPTO_LIBRARY=/opt/lib64/libcrypto.so" bash scripts/fullbuild.sh +``` + ### liboqs_DIR This environment variable must be set to the location of the `liboqs` installation to be diff --git a/scripts/fullbuild.sh b/scripts/fullbuild.sh index 4640b575..33de4c75 100755 --- a/scripts/fullbuild.sh +++ b/scripts/fullbuild.sh @@ -3,6 +3,7 @@ # The following variables influence the operation of this build script: # Argument -f: Soft clean, ensuring re-build of oqs-provider binary # Argument -F: Hard clean, ensuring checkout and build of all dependencies +# EnvVar CMAKE_PARAMS: passed to cmake # EnvVar MAKE_PARAMS: passed to invocations of make; sample value: "-j" # EnvVar OQSPROV_CMAKE_PARAMS: passed to invocations of oqsprovider cmake # EnvVar LIBOQS_BRANCH: Defines branch/release of liboqs; default value "main" 
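Review bot: The new header comment `# EnvVar CMAKE_PARAMS: passed to cmake` in scripts/fullbuild.sh understates what the later hunks do: `$CMAKE_PARAMS` is inserted, unquoted, into the liboqs `cmake -GNinja` call and into both oqsprovider `cmake` configure calls. Because the expansion is unquoted, the shell word-splits and glob-expands the value, so a flag whose path contains a space cannot be passed. It is also placed first on each command line, so the script's own `-DCMAKE_INSTALL_PREFIX=...` and `-DOPENSSL_ROOT_DIR=$OPENSSL_INSTALL` follow it. Since this variable can decide which libcrypto the build links against, I would spell that out, e.g. `# EnvVar CMAKE_PARAMS: extra flags, word-split, passed first to every cmake configure call (liboqs and oqsprovider); sample value: "-DOPENSSL_CRYPTO_LIBRARY=/opt/lib64/libcrypto.so"`, and echo the value to the build log so the effective configuration can be audited.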
@@ -108,7 +109,7 @@ if [ -z $liboqs_DIR ]; then # STD: only include NIST standardized algorithms # NIST_R4: only include algorithms in round 4 of the NIST competition # All: include all algorithms supported by liboqs (default) - cd liboqs && cmake -GNinja $DOQS_ALGS_ENABLED $CMAKE_OPENSSL_LOCATION -DCMAKE_INSTALL_PREFIX=$(pwd)/../.local -S . -B _build && cd _build && ninja && ninja install && cd ../.. + cd liboqs && cmake -GNinja $CMAKE_PARAMS $DOQS_ALGS_ENABLED $CMAKE_OPENSSL_LOCATION -DCMAKE_INSTALL_PREFIX=$(pwd)/../.local -S . -B _build && cd _build && ninja && ninja install && cd ../.. if [ $? -ne 0 ]; then echo "liboqs build failed. Exiting." exit -1 @@ -125,9 +126,9 @@ if [ ! -f "_build/lib/oqsprovider.$SHLIBEXT" ]; then BUILD_TYPE="" # for omitting public key in private keys add -DNOPUBKEY_IN_PRIVKEY=ON if [ -z "$OPENSSL_INSTALL" ]; then - cmake $CMAKE_OPENSSL_LOCATION $BUILD_TYPE $OQSPROV_CMAKE_PARAMS -S . -B _build && cmake --build _build + cmake $CMAKE_PARAMS $CMAKE_OPENSSL_LOCATION $BUILD_TYPE $OQSPROV_CMAKE_PARAMS -S . -B _build && cmake --build _build else - cmake -DOPENSSL_ROOT_DIR=$OPENSSL_INSTALL $BUILD_TYPE $OQSPROV_CMAKE_PARAMS -S . -B _build && cmake --build _build + cmake $CMAKE_PARAMS -DOPENSSL_ROOT_DIR=$OPENSSL_INSTALL $BUILD_TYPE $OQSPROV_CMAKE_PARAMS -S . -B _build && cmake --build _build fi if [ $? -ne 0 ]; then echo "provider build failed. Exiting." From 8abfecd7db7620da0fd76d53739579d115e7bc05 Mon Sep 17 00:00:00 2001 From: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Wed, 11 Sep 2024 12:39:39 +0200 Subject: [PATCH 2/2] update MLKEM code points (#511) * update X25519-MLKEM768 code point Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> * further MLKEM (O)ID updates Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> * set p256_mlkem768 code point as per standard Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> --------- 
Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> --- ALGORITHMS.md | 28 +++++++++---------- oqs-template/generate.yml | 50 ++++++++++++++++++++++++---------- oqs-template/oqs-kem-info.md | 22 +++++++-------- oqsprov/oqsprov.c | 6 ++-- oqsprov/oqsprov_capabilities.c | 22 +++++++-------- 5 files changed, 74 insertions(+), 54 deletions(-) diff --git a/ALGORITHMS.md b/ALGORITHMS.md index df2d1fcf..236cef8a 100644 --- a/ALGORITHMS.md +++ b/ALGORITHMS.md 
@@ -38,17 +38,17 @@ As standardization for these algorithms within TLS is not done, all TLS code poi
 | p256_kyber768 | 0x639A | Yes | OQS_CODEPOINT_P256_KYBER768 |
 | kyber1024 | 0x023D | Yes | OQS_CODEPOINT_KYBER1024 |
 | p521_kyber1024 | 0x2F3D | Yes | OQS_CODEPOINT_P521_KYBER1024 |
-| mlkem512 | 0x0247 | Yes | OQS_CODEPOINT_MLKEM512 |
-| p256_mlkem512 | 0x2F47 | Yes | OQS_CODEPOINT_P256_MLKEM512 |
-| x25519_mlkem512 | 0x2FB2 | Yes | OQS_CODEPOINT_X25519_MLKEM512 |
-| mlkem768 | 0x0248 | Yes | OQS_CODEPOINT_MLKEM768 |
-| p384_mlkem768 | 0x2F48 | Yes | OQS_CODEPOINT_P384_MLKEM768 |
-| x448_mlkem768 | 0x2FB3 | Yes | OQS_CODEPOINT_X448_MLKEM768 |
-| x25519_mlkem768 | 0x2FB4 | Yes | OQS_CODEPOINT_X25519_MLKEM768 |
-| p256_mlkem768 | 0x2FB5 | Yes | OQS_CODEPOINT_P256_MLKEM768 |
-| mlkem1024 | 0x0249 | Yes | OQS_CODEPOINT_MLKEM1024 |
-| p521_mlkem1024 | 0x2F49 | Yes | OQS_CODEPOINT_P521_MLKEM1024 |
-| p384_mlkem1024 | 0x2F4A | Yes | OQS_CODEPOINT_P384_MLKEM1024 |
+| mlkem512 | 0x024A | Yes | OQS_CODEPOINT_MLKEM512 |
+| p256_mlkem512 | 0x2F4B | Yes | OQS_CODEPOINT_P256_MLKEM512 |
+| x25519_mlkem512 | 0x2FB6 | Yes | OQS_CODEPOINT_X25519_MLKEM512 |
+| mlkem768 | 0x0768 | Yes | OQS_CODEPOINT_MLKEM768 |
+| p384_mlkem768 | 0x2F4C | Yes | OQS_CODEPOINT_P384_MLKEM768 |
+| x448_mlkem768 | 0x2FB7 | Yes | OQS_CODEPOINT_X448_MLKEM768 |
+| x25519_mlkem768 | 0x2FB8 | Yes | OQS_CODEPOINT_X25519_MLKEM768 |
+| p256_mlkem768 | 4587 | Yes | OQS_CODEPOINT_P256_MLKEM768 |
+| mlkem1024 | 0x1024 | Yes | OQS_CODEPOINT_MLKEM1024 |
+| p521_mlkem1024 | 0x2F4D | Yes | OQS_CODEPOINT_P521_MLKEM1024 |
+| p384_mlkem1024 | 0x2F4E | Yes | OQS_CODEPOINT_P384_MLKEM1024 |
 | bikel1 | 0x0241 | Yes | OQS_CODEPOINT_BIKEL1 |
 | p256_bikel1 | 0x2F41 | Yes | OQS_CODEPOINT_P256_BIKEL1 |
 | x25519_bikel1 | 0x2FAE | Yes | OQS_CODEPOINT_X25519_BIKEL1 |
@@ -254,15 +254,15 @@ If [OQS_KEM_ENCODERS](CONFIGURE.md#OQS_KEM_ENCODERS) is enabled the following li | p256_kyber768 | 1.3.9999.99.52 | OQS_OID_P256_KYBER768 | kyber1024 | 1.3.6.1.4.1.2.267.8.4.4 | OQS_OID_KYBER1024 | p521_kyber1024 | 1.3.9999.99.74 | OQS_OID_P521_KYBER1024 -| mlkem512 | 1.3.6.1.4.1.22554.5.6.1 | OQS_OID_MLKEM512 +| mlkem512 | 2.16.840.1.101.3.4.4.1 | OQS_OID_MLKEM512 | p256_mlkem512 | 1.3.6.1.4.1.22554.5.7.1 | OQS_OID_P256_MLKEM512 | x25519_mlkem512 | 1.3.6.1.4.1.22554.5.8.1 | OQS_OID_X25519_MLKEM512 -| mlkem768 | 1.3.6.1.4.1.22554.5.6.2 | OQS_OID_MLKEM768 +| mlkem768 | 2.16.840.1.101.3.4.4.2 | OQS_OID_MLKEM768 | p384_mlkem768 | 1.3.9999.99.75 | OQS_OID_P384_MLKEM768 | x448_mlkem768 | 1.3.9999.99.53 | OQS_OID_X448_MLKEM768 | x25519_mlkem768 | 1.3.9999.99.54 | OQS_OID_X25519_MLKEM768 | p256_mlkem768 | 1.3.9999.99.55 | OQS_OID_P256_MLKEM768 -| mlkem1024 | 1.3.6.1.4.1.22554.5.6.3 | OQS_OID_MLKEM1024 +| mlkem1024 | 2.16.840.1.101.3.4.4.3 | OQS_OID_MLKEM1024 | p521_mlkem1024 | 1.3.9999.99.76 | OQS_OID_P521_MLKEM1024 | p384_mlkem1024 | 1.3.6.1.4.1.42235.6 | OQS_OID_P384_MLKEM1024 | bikel1 | 1.3.9999.99.78 | OQS_OID_BIKEL1 diff --git a/oqs-template/generate.yml b/oqs-template/generate.yml index 571dfdc1..514c05e6 100644 --- a/oqs-template/generate.yml +++ b/oqs-template/generate.yml @@ -1,5 +1,5 @@ # This is the master document for ID interoperability for KEM IDs, p-hybrid KEM IDs, SIG (O)IDs -# Next free plain KEM ID: 0x024A, p-hybrid: 0x2F4B, X-hybrid: 0x2FB6 +# Next free plain KEM ID: 0x024D, p-hybrid: 0x2F4F, X-hybrid: 0x2FB9 kems: - family: 'FrodoKEM' 
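Review bot: The updated counter line in oqs-template/generate.yml says `Next free plain KEM ID: 0x024D`, but the only plain ID this patch allocates from that range is `0x024A` for mlkem512; mlkem768 and mlkem1024 move to `0x0768` and `0x1024`. The p-hybrid (`0x2F4F`) and X-hybrid (`0x2FB9`) counters do follow directly from the highest values assigned in the later hunk (`0x2F4E`, `0x2FB8`). If `0x024B` and `0x024C` are skipped on purpose, say so in the comment, for example `# 0x024B/0x024C intentionally unused`; otherwise the line should read `Next free plain KEM ID: 0x024B`.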
@@ -143,40 +143,58 @@ kems: hybrid_group: secp521_r1 nid: '0x2F11' oqs_alg: 'OQS_KEM_alg_kyber_1024' +# end of IBM support section +# NIST OIDs see https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration +# KEM prefix 2.16.840.1.101.3.4.4. - family: 'ML-KEM' name_group: 'mlkem512' - nid: '0x0247' - oid: '1.3.6.1.4.1.22554.5.6.1' - nid_hybrid: '0x2F47' +# code point not standardized: Why? XXX + nid: '0x024A' +# NIST kem 1 + oid: '2.16.840.1.101.3.4.4.1' +# code point not standardized: Why? XXX + nid_hybrid: '0x2F4B' +# retain OIDs of the Legion of the BouncyCastle: XXX check if OK hybrid_oid: '1.3.6.1.4.1.22554.5.7.1' oqs_alg: 'OQS_KEM_alg_ml_kem_512' extra_nids: current: - hybrid_group: "x25519" +# retain OIDs of the Legion of the BouncyCastle: XXX check if OK hybrid_oid: '1.3.6.1.4.1.22554.5.8.1' - nid: '0x2FB2' +# code point not standardized: Why? XXX + nid: '0x2FB6' - family: 'ML-KEM' name_group: 'mlkem768' - nid: '0x0248' - oid: '1.3.6.1.4.1.22554.5.6.2' - nid_hybrid: '0x2F48' +# https://www.ietf.org/archive/id/draft-connolly-tls-mlkem-key-agreement-01.html + nid: '0x0768' +# NIST kem 2 + oid: '2.16.840.1.101.3.4.4.2' +# code point not standardized: Why? XXX + nid_hybrid: '0x2F4C' oqs_alg: 'OQS_KEM_alg_ml_kem_768' extra_nids: current: - hybrid_group: "x448" - nid: '0x2FB3' +# code point not standardized: Why? 
XXX + nid: '0x2FB7' +# To change when hybrid order change implemented, see https://github.com/open-quantum-safe/oqs-provider/issues/503 - hybrid_group: "x25519" - nid: '0x2FB4' + nid: '0x2FB8' - hybrid_group: "p256" - nid: '0x2FB5' +# https://www.ietf.org/archive/id/draft-kwiatkowski-tls-ecdhe-mlkem-01.html#name-iana-considerations + nid: '4587' - family: 'ML-KEM' name_group: 'mlkem1024' - nid: '0x0249' - oid: '1.3.6.1.4.1.22554.5.6.3' - nid_hybrid: '0x2F49' +# https://www.ietf.org/archive/id/draft-connolly-tls-mlkem-key-agreement-01.html + nid: '0x1024' +# NIST kem 3 + oid: '2.16.840.1.101.3.4.4.3' +# code point not standardized: Why? XXX + nid_hybrid: '0x2F4D' oqs_alg: 'OQS_KEM_alg_ml_kem_1024' extra_nids: current: @@ -184,8 +202,10 @@ kems: # this oid is proposed by Tresorit # if the hybrid combination is standardized, feel free to change it - hybrid_group: "p384" +# does Tresorit want to update? hybrid_oid: '1.3.6.1.4.1.42235.6' - nid: '0x2F4A' +# code point not standardized: Why? XXX + nid: '0x2F4E' - family: 'BIKE' name_group: 'bike1l1fo' diff --git a/oqs-template/oqs-kem-info.md b/oqs-template/oqs-kem-info.md index dafa41cb..db953c5b 100644 --- a/oqs-template/oqs-kem-info.md +++ b/oqs-template/oqs-kem-info.md 
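Review bot: In oqs-template/generate.yml, `nid: '4587'` for the p256 hybrid of mlkem768 is the only decimal value in a field otherwise written as hex. It sits next to `0x0768` and `0x1024`, which are hex values whose digits mimic the parameter-set names. The same decimal literal is carried into `{4587, 192, TLS1_3_VERSION, ...}` in oqsprov/oqsprov_capabilities.c and into both markdown tables, where it is easy to misread as 0x4587. I would write it as `nid: '0x11EB'` with a comment such as `# 4587 decimal, per draft-kwiatkowski-tls-ecdhe-mlkem-01`, assuming the generator accepts either radix (not visible here). Separately, the `Why? XXX` and `XXX check if OK` markers are open questions committed to the master ID document; an issue link like the one used for issue 503 would keep them trackable.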
@@ -85,14 +85,14 @@
 | HQC | 2023-04-30 | hqc192 | 4 | 3 | 0x2FB1 | x448 |
 | HQC | 2023-04-30 | hqc256 | 4 | 5 | 0x0246 | |
 | HQC | 2023-04-30 | hqc256 | 4 | 5 | 0x2F46 | secp521_r1 |
-| ML-KEM | ML-KEM-ipd | mlkem1024 | ipd | 5 | 0x0249 | |
-| ML-KEM | ML-KEM-ipd | mlkem1024 | ipd | 5 | 0x2F49 | secp521_r1 |
-| ML-KEM | ML-KEM-ipd | mlkem1024 | ipd | 5 | 0x2F4A | p384 |
-| ML-KEM | ML-KEM-ipd | mlkem512 | ipd | 1 | 0x0247 | |
-| ML-KEM | ML-KEM-ipd | mlkem512 | ipd | 1 | 0x2F47 | secp256_r1 |
-| ML-KEM | ML-KEM-ipd | mlkem512 | ipd | 1 | 0x2FB2 | x25519 |
-| ML-KEM | ML-KEM-ipd | mlkem768 | ipd | 3 | 0x0248 | |
-| ML-KEM | ML-KEM-ipd | mlkem768 | ipd | 3 | 0x2F48 | secp384_r1 |
-| ML-KEM | ML-KEM-ipd | mlkem768 | ipd | 3 | 0x2FB3 | x448 |
-| ML-KEM | ML-KEM-ipd | mlkem768 | ipd | 3 | 0x2FB4 | x25519 |
-| ML-KEM | ML-KEM-ipd | mlkem768 | ipd | 3 | 0x2FB5 | p256 |
+| ML-KEM | ML-KEM | mlkem1024 | FIPS203 | 5 | 0x1024 | |
+| ML-KEM | ML-KEM | mlkem1024 | FIPS203 | 5 | 0x2F4D | secp521_r1 |
+| ML-KEM | ML-KEM | mlkem1024 | FIPS203 | 5 | 0x2F4E | p384 |
+| ML-KEM | ML-KEM | mlkem512 | FIPS203 | 1 | 0x024A | |
+| ML-KEM | ML-KEM | mlkem512 | FIPS203 | 1 | 0x2F4B | secp256_r1 |
+| ML-KEM | ML-KEM | mlkem512 | FIPS203 | 1 | 0x2FB6 | x25519 |
+| ML-KEM | ML-KEM | mlkem768 | FIPS203 | 3 | 0x0768 | |
+| ML-KEM | ML-KEM | mlkem768 | FIPS203 | 3 | 0x2F4C | secp384_r1 |
+| ML-KEM | ML-KEM | mlkem768 | FIPS203 | 3 | 0x2FB7 | x448 |
+| ML-KEM | ML-KEM | mlkem768 | FIPS203 | 3 | 0x2FB8 | x25519 |
+| ML-KEM | ML-KEM | mlkem768 | FIPS203 | 3 | 4587 | p256 |
diff --git a/oqsprov/oqsprov.c b/oqsprov/oqsprov.c
index 5a2f93ce..b95a1741 100644
--- a/oqsprov/oqsprov.c
+++ b/oqsprov/oqsprov.c
@@ -111,13 +111,13 @@ const char *oqs_oid_alg_list[OQS_OID_CNT] = {
 "kyber1024",
 "1.3.9999.99.30",
 "p521_kyber1024",
- "1.3.6.1.4.1.22554.5.6.1",
+ "2.16.840.1.101.3.4.4.1",
 "mlkem512",
 "1.3.6.1.4.1.22554.5.7.1",
 "p256_mlkem512",
 "1.3.6.1.4.1.22554.5.8.1",
 "x25519_mlkem512",
- "1.3.6.1.4.1.22554.5.6.2",
+ "2.16.840.1.101.3.4.4.2",
 "mlkem768",
 "1.3.9999.99.31",
 "p384_mlkem768",
@@ -127,7 +127,7 @@ const char *oqs_oid_alg_list[OQS_OID_CNT] = {
 "x25519_mlkem768",
 "1.3.9999.99.11",
 "p256_mlkem768",
- "1.3.6.1.4.1.22554.5.6.3",
+ "2.16.840.1.101.3.4.4.3",
 "mlkem1024",
 "1.3.9999.99.32",
 "p521_mlkem1024",
diff --git a/oqsprov/oqsprov_capabilities.c b/oqsprov/oqsprov_capabilities.c
index f3e3ea70..d51631b0 100644
--- a/oqsprov/oqsprov_capabilities.c
+++ b/oqsprov/oqsprov_capabilities.c
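Review bot: The three replaced strings in oqsprov/oqsprov.c agree with the new ALGORITHMS.md rows (`2.16.840.1.101.3.4.4.1` to `.3`), but the unchanged neighbours in these hunks do not match that document. The context lines pair `"1.3.9999.99.31"` with `p384_mlkem768`, `"1.3.9999.99.11"` with `p256_mlkem768` and `"1.3.9999.99.32"` with `p521_mlkem1024`, while the ALGORITHMS.md context rows list 1.3.9999.99.75, 1.3.9999.99.55 and 1.3.9999.99.76 for the same names. That difference is not introduced by this patch and may come from how the two files are produced, but since the patch touches both it is worth confirming which hybrid OIDs the encoders actually use. The array is a flat list that starts and ends outside the hunks, so a short comment above it stating the pairing order, `/* entries are "OID", "algorithm name" pairs */`, would make such rows easier to check.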
@@ -70,20 +70,20 @@ static OQS_GROUP_CONSTANTS oqs_group_list[] = { {0x023D, 256, TLS1_3_VERSION, 0, -1, -1, 1}, {0x2F3D, 256, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x0247, 128, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x024A, 128, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2F47, 128, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2FB2, 128, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x0248, 192, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F4B, 128, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2FB6, 128, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x0768, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2F48, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2FB3, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2FB4, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2FB5, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x0249, 256, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F4C, 192, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2FB7, 192, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2FB8, 192, TLS1_3_VERSION, 0, -1, -1, 1}, + {4587, 192, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x1024, 256, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2F49, 256, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2F4A, 256, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F4D, 256, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F4E, 256, TLS1_3_VERSION, 0, -1, -1, 1}, {0x0241, 128, TLS1_3_VERSION, 0, -1, -1, 1}, {0x2F41, 128, TLS1_3_VERSION, 0, -1, -1, 1},