Merge branch 'open-quantum-safe:main' into na_81_rsc_leak

.github/CODEOWNERS

@@ -5,6 +5,6 @@
 /oqs-template/generate.yml @baentsch @bhess @feventura
 /CMakeLists.txt @baentsch @thb-sb
 /.circleci/config.yml @baentsch @thb-sb
-/.github/workflows @baentsch @thb-sb
+/.github/workflows @baentsch @thb-sb @jplomas
 /oqsprov/oqs_sig.c @baentsch @feventura
 /scripts/oqsprovider-pkcs12gen.sh @iyanmv

.github/workflows/check_workflows.yml

@@ -0,0 +1,14 @@
+name: Check GitHub workflows
+
+on: [pull_request, push, workflow_call]
+
+jobs:
+  workflowcheck:
+    name: Check validity of GitHub workflows
+    runs-on: ubuntu-latest
+    container: openquantumsafe/ci-ubuntu-latest:latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+      - name: Ensure GitHub actions are valid
+        run: actionlint -shellcheck "" # run *without* shellcheck

.github/workflows/coding_style.yml

@@ -14,7 +14,7 @@ jobs:
         run: apt-get update && apt-get install -y clang-format
 
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
 
       - name: Check coding style using clang-format
         run: ./scripts/do_code_format.sh

.github/workflows/linux.yml

@@ -23,7 +23,7 @@ jobs:
       LIBOQS_BRANCH: "main"
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
       - name: Full build
         run: OQSPROV_CMAKE_PARAMS=${{ matrix.cmake-params}} ./scripts/fullbuild.sh
       - name: Enable sibling oqsprovider for testing
@@ -53,7 +53,7 @@ jobs:
       LIBOQS_BRANCH: "main"
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
       - name: Full build
         run: OPENSSL_BRANCH=${{ matrix.ossl-branch }} ./scripts/fullbuild.sh
       - name: Enable sibling oqsprovider for testing
@@ -103,7 +103,7 @@ jobs:
       OPENSSL_BRANCH: "openssl-3.1"
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
 
       - name: Install dependencies
         run: apt-get update && apt-get install -y clang llvm ninja-build git cmake libclang-14-dev libclang-common-14-dev
@@ -177,7 +177,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
 
       - name: Install dependencies
         run: apt-get update && apt-get install -y ninja-build git cmake nodejs gcc-aarch64-linux-gnu libc6-dev-arm64-cross qemu-user

.github/workflows/macos.yml

@@ -25,15 +25,15 @@ jobs:
       MAKE_PARAMS: -j 4
     steps:
       - name: Checkout provider
-        uses: actions/checkout@v3
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
       - name: Checkout openssl
-        uses: actions/checkout@v3
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
         with:
           set-safe-directory: true
           repository: openssl/openssl
           path: openssl
       - name: checkout liboqs
-        uses: actions/checkout@v3
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
         with:
           set-safe-directory: true
           repository: open-quantum-safe/liboqs

.github/workflows/standalone.yml

@@ -18,7 +18,7 @@ jobs:
       - name: Install prerequisites
         run: brew install liboqs
       - name: Checkout oqsprovider code
-        uses: actions/checkout@v2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
       - name: Build and test oqsprovider
         # try this only if brew'd liboqs knows about ML-KEM:
         run: |
@@ -46,7 +46,7 @@ jobs:
       - name: Update container
         run: apt update && apt install -y cmake ninja-build gcc libssl-dev git
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
       - name: Full build
         run: LIBOQS_BRANCH=main ./scripts/fullbuild.sh
       - name: Test

.github/workflows/windows.yml

@@ -18,6 +18,8 @@ jobs:
         platform:
           - arch: win64
             oqsconfig: -DOQS_ALGS_ENABLED=STD
+            # empty `config` property here to prevent actionlint error (property "config" is not defined in object type) on line 62 below
+            config:
 #          - arch: win32
 #            config: --strict-warnings no-fips enable-quic
     runs-on: ${{matrix.os}}
@@ -29,17 +31,17 @@ jobs:
       MAKE_PARAMS: -j 4
     steps:
       - name: Checkout provider
-        uses: actions/checkout@v3
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
       - name: Checkout openssl
-        uses: actions/checkout@v3
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
         with:
           set-safe-directory: true
           repository: openssl/openssl
           path: openssl
           # TODO: Revert ref tag once openssl master doesn't crash any more
           ref: openssl-3.3.0
       - name: checkout liboqs
-        uses: actions/checkout@v3
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
         with:
           set-safe-directory: true
           repository: open-quantum-safe/liboqs
@@ -126,15 +128,15 @@ jobs:
         with:
           path: c:\openssl32
           key: ${{ runner.os }}-msvcopenssl32
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
       - name: Checkout OpenSSL master
         if: steps.cache-openssl32.outputs.cache-hit != 'true'
-        uses: actions/checkout@v3
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
         with:
           set-safe-directory: true
           repository: openssl/openssl
           path: openssl
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
         with:
           set-safe-directory: true
           repository: open-quantum-safe/liboqs
@@ -240,15 +242,15 @@ jobs:
           with:
             path: c:\openssl32n
             key: ${{ runner.os }}-msvcopenssl32n
-        - uses: actions/checkout@v3
+        - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
         - name: Checkout OpenSSL master
           if: steps.cache-openssl32n.outputs.cache-hit != 'true'
-          uses: actions/checkout@v3
+          uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
           with:
             set-safe-directory: true
             repository: openssl/openssl
             path: openssl
-        - uses: actions/checkout@v3
+        - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
           with:
             set-safe-directory: true
             repository: open-quantum-safe/liboqs

README.md

@@ -249,6 +249,27 @@ THIS SOFTWARE IS PROVIDED WITH NO WARRANTIES, EXPRESS OR IMPLIED, AND
 ALL IMPLIED WARRANTIES ARE DISCLAIMED, INCLUDING ANY WARRANTY OF
 MERCHANTABILITY AND WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE.
 
+## Standards compliance
+
+This project follows the [NIST PQC standardization process](https://csrc.nist.gov/projects/post-quantum-cryptography)
+and aims to support experimentation with the various PQC algorithms
+under evaluation and in different stages of standardization by NIST.
+`oqsprovider` at this time cannot claim or prove adherence to any
+standards documents published. For more details, review the file
+[STANDARDS.md](STANDARDS.md) carefully. Most notably, hybrid and
+composite implementations exclusively implemented in `oqsprovider`
+are at a pre-standard/draft stage only. Over time the project aims
+to provide standards compliance and solicits input by way of
+contributions to achieve this state.
+
 ## Component disclaimer
 
+`oqsprovider` for the implementation of all pure PQC functionality
+is completely dependent on [liboqs](https://github.com/open-quantum-safe/liboqs) and accordingly
+cannot recommend any use beyond experimentation purposes:
+
+WE DO NOT CURRENTLY RECOMMEND RELYING ON THIS SOFTWARE IN A PRODUCTION ENVIRONMENT OR TO PROTECT ANY SENSITIVE DATA. This software is meant to help with research and prototyping. While we make a best-effort approach to avoid security bugs, this library has not received the level of auditing and analysis that would be necessary to rely on it for high security use.
+
+Further details and background available at:
+
 [liboqs disclaimer](https://github.com/open-quantum-safe/liboqs#limitations-and-security)

scripts/oqsprovider-externalinterop.sh

@@ -28,6 +28,11 @@ fi
 
 # Ascertain algorithms are available:
 
+# skipping these tests for now as per https://mailarchive.ietf.org/arch/msg/tls/hli5ogDbUudAA4tZXskVbOqeor4
+# TBD replace with suitable ML-KEM hybrid tests as and when available XXX 
+
+exit 0
+
 echo " Cloudflare:"
 
 if ! ($OPENSSL_APP list -kem-algorithms | grep x25519_kyber768); then