From 38aaf692dd814a966af5f921d523f852c656a56a Mon Sep 17 00:00:00 2001 From: JP Lomas Date: Thu, 12 Sep 2024 11:26:22 +0100 Subject: [PATCH 1/2] Actionlint workflow checking (#516) * Actionlint workflow checking Integrate Actionlint to check GitHub workflows for errors as part of CI. It also fixes issues highlighted in other workflows, primarily the `checkout` version and missing property. Signed-off-by: JP Lomas * Update CODEOWNERS Signed-off-by: JP Lomas --------- Signed-off-by: JP Lomas --- .github/CODEOWNERS | 2 +- .github/workflows/check_workflows.yml | 14 ++++++++++++++ .github/workflows/coding_style.yml | 2 +- .github/workflows/linux.yml | 8 ++++---- .github/workflows/macos.yml | 6 +++--- .github/workflows/standalone.yml | 4 ++-- .github/workflows/windows.yml | 20 +++++++++++--------- 7 files changed, 36 insertions(+), 20 deletions(-) create mode 100644 .github/workflows/check_workflows.yml diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index af0eb104..9d57fd03 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -5,6 +5,6 @@ /oqs-template/generate.yml @baentsch @bhess @feventura /CMakeLists.txt @baentsch @thb-sb /.circleci/config.yml @baentsch @thb-sb -/.github/workflows @baentsch @thb-sb +/.github/workflows @baentsch @thb-sb @jplomas /oqsprov/oqs_sig.c @baentsch @feventura /scripts/oqsprovider-pkcs12gen.sh @iyanmv diff --git a/.github/workflows/check_workflows.yml b/.github/workflows/check_workflows.yml new file mode 100644 index 00000000..3bbb6650 --- /dev/null +++ b/.github/workflows/check_workflows.yml @@ -0,0 +1,14 @@ +name: Check GitHub workflows + +on: [pull_request, push, workflow_call] + +jobs: + workflowcheck: + name: Check validity of GitHub workflows + runs-on: ubuntu-latest + container: openquantumsafe/ci-ubuntu-latest:latest + steps: + - name: Checkout code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 + - name: Ensure GitHub actions are valid + run: actionlint -shellcheck "" # run *without* shellcheck diff --git a/.github/workflows/coding_style.yml b/.github/workflows/coding_style.yml index e4304be6..e990a32a 100644 --- a/.github/workflows/coding_style.yml +++ b/.github/workflows/coding_style.yml @@ -14,7 +14,7 @@ jobs: run: apt-get update && apt-get install -y clang-format - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - name: Check coding style using clang-format run: ./scripts/do_code_format.sh diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index 9bbb3db6..0e4510c0 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml @@ -23,7 +23,7 @@ jobs: LIBOQS_BRANCH: "main" steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - name: Full build run: OQSPROV_CMAKE_PARAMS=${{ matrix.cmake-params}} ./scripts/fullbuild.sh - name: Enable sibling oqsprovider for testing @@ -53,7 +53,7 @@ jobs: LIBOQS_BRANCH: "main" steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - name: Full build run: OPENSSL_BRANCH=${{ matrix.ossl-branch }} ./scripts/fullbuild.sh - name: Enable sibling oqsprovider for testing @@ -103,7 +103,7 @@ jobs: OPENSSL_BRANCH: "openssl-3.1" steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - name: Install dependencies run: apt-get update && apt-get install -y clang llvm ninja-build git cmake libclang-14-dev libclang-common-14-dev @@ -177,7 +177,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - name: Install dependencies run: apt-get update && apt-get install -y ninja-build git cmake nodejs gcc-aarch64-linux-gnu libc6-dev-arm64-cross qemu-user diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml index b8b130f4..5bfc8c5b 100644 --- a/.github/workflows/macos.yml +++ b/.github/workflows/macos.yml @@ -25,15 +25,15 @@ jobs: MAKE_PARAMS: -j 4 steps: - name: Checkout provider - uses: actions/checkout@v3 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - name: Checkout openssl - uses: actions/checkout@v3 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 with: set-safe-directory: true repository: openssl/openssl path: openssl - name: checkout liboqs - uses: actions/checkout@v3 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 with: set-safe-directory: true repository: open-quantum-safe/liboqs diff --git a/.github/workflows/standalone.yml b/.github/workflows/standalone.yml index ee227f99..9c763971 100644 --- a/.github/workflows/standalone.yml +++ b/.github/workflows/standalone.yml @@ -18,7 +18,7 @@ jobs: - name: Install prerequisites run: brew install liboqs - name: Checkout oqsprovider code - uses: actions/checkout@v2 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - name: Build and test oqsprovider # try this only if brew'd liboqs knows about ML-KEM: run: | @@ -46,7 +46,7 @@ jobs: - name: Update container run: apt update && apt install -y cmake ninja-build gcc libssl-dev git - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - name: Full build run: LIBOQS_BRANCH=main ./scripts/fullbuild.sh - name: Test diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 384e376d..3747c7a2 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -18,6 +18,8 @@ jobs: platform: - arch: win64 oqsconfig: -DOQS_ALGS_ENABLED=STD + # empty `config` property here to prevent actionlint error (property "config" is not defined in object type) on line 62 below + config: # - arch: win32 # config: --strict-warnings no-fips enable-quic runs-on: ${{matrix.os}} @@ -29,9 +31,9 @@ jobs: MAKE_PARAMS: -j 4 steps: - name: Checkout provider - uses: actions/checkout@v3 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - name: Checkout openssl - uses: actions/checkout@v3 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 with: set-safe-directory: true repository: openssl/openssl @@ -39,7 +41,7 @@ jobs: # TODO: Revert ref tag once openssl master doesn't crash any more ref: openssl-3.3.0 - name: checkout liboqs - uses: actions/checkout@v3 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 with: set-safe-directory: true repository: open-quantum-safe/liboqs @@ -126,15 +128,15 @@ jobs: with: path: c:\openssl32 key: ${{ runner.os }}-msvcopenssl32 - - uses: actions/checkout@v3 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - name: Checkout OpenSSL master if: steps.cache-openssl32.outputs.cache-hit != 'true' - uses: actions/checkout@v3 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 with: set-safe-directory: true repository: openssl/openssl path: openssl - - uses: actions/checkout@v3 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 with: set-safe-directory: true repository: open-quantum-safe/liboqs @@ -240,15 +242,15 @@ jobs: with: path: c:\openssl32n key: ${{ runner.os }}-msvcopenssl32n - - uses: actions/checkout@v3 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - name: Checkout OpenSSL master if: steps.cache-openssl32n.outputs.cache-hit != 'true' - uses: actions/checkout@v3 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 with: set-safe-directory: true repository: openssl/openssl path: openssl - - uses: actions/checkout@v3 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 with: set-safe-directory: true repository: open-quantum-safe/liboqs From 4db09a9dc540543ff0e22b2713757a7e90e1f0c6 Mon Sep 17 00:00:00 2001 From: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Thu, 12 Sep 2024 20:06:31 +0200 Subject: [PATCH 2/2] add explicit usage warning [skip ci] (#515) * add explicit usage warning [skip ci] Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> * copying the liboqs core warning over to avoid any misunderstanding [skip ci] Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> * Update README.md Co-authored-by: Spencer Wilson Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> * disable CF hybrid interop testing Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> --------- Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Co-authored-by: Spencer Wilson --- README.md | 21 +++++++++++++++++++++ scripts/oqsprovider-externalinterop.sh | 5 +++++ 2 files changed, 26 insertions(+) diff --git a/README.md b/README.md index 77997f0f..a4b11c52 100644 --- a/README.md +++ b/README.md @@ -249,6 +249,27 @@ THIS SOFTWARE IS PROVIDED WITH NO WARRANTIES, EXPRESS OR IMPLIED, AND ALL IMPLIED WARRANTIES ARE DISCLAIMED, INCLUDING ANY WARRANTY OF MERCHANTABILITY AND WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE. +## Standards compliance + +This project follows the [NIST PQC standardization process](https://csrc.nist.gov/projects/post-quantum-cryptography) +and aims to support experimentation with the various PQC algorithms +under evaluation and in different stages of standardization by NIST. +`oqsprovider` at this time cannot claim or prove adherence to any +standards documents published. For more details, review the file +[STANDARDS.md](STANDARDS.md) carefully. Most notably, hybrid and +composite implementations exclusively implemented in `oqsprovider` +are at a pre-standard/draft stage only. Over time the project aims +to provide standards compliance and solicits input by way of +contributions to achieve this state. + ## Component disclaimer +`oqsprovider` for the implementation of all pure PQC functionality +is completely dependent on [liboqs](https://github.com/open-quantum-safe/liboqs) and accordingly +cannot recommend any use beyond experimentation purposes: + +WE DO NOT CURRENTLY RECOMMEND RELYING ON THIS SOFTWARE IN A PRODUCTION ENVIRONMENT OR TO PROTECT ANY SENSITIVE DATA. This software is meant to help with research and prototyping. While we make a best-effort approach to avoid security bugs, this library has not received the level of auditing and analysis that would be necessary to rely on it for high security use. + +Further details and background available at: + [liboqs disclaimer](https://github.com/open-quantum-safe/liboqs#limitations-and-security) diff --git a/scripts/oqsprovider-externalinterop.sh b/scripts/oqsprovider-externalinterop.sh index 7a161a4e..5a6e3129 100755 --- a/scripts/oqsprovider-externalinterop.sh +++ b/scripts/oqsprovider-externalinterop.sh @@ -28,6 +28,11 @@ fi # Ascertain algorithms are available: +# skipping these tests for now as per https://mailarchive.ietf.org/arch/msg/tls/hli5ogDbUudAA4tZXskVbOqeor4 +# TBD replace with suitable ML-KEM hybrid tests as and when available XXX + +exit 0 + echo " Cloudflare:" if ! ($OPENSSL_APP list -kem-algorithms | grep x25519_kyber768); then