diff --git a/.github/workflows/coding_style.yml b/.github/workflows/coding_style.yml index e990a32a..06dbdc6f 100644 --- a/.github/workflows/coding_style.yml +++ b/.github/workflows/coding_style.yml @@ -18,3 +18,17 @@ jobs: - name: Check coding style using clang-format run: ./scripts/do_code_format.sh + + - name: Verify nothing changes on re-generate code + run: | + git config --global user.name "ciuser" && \ + git clone https://github.com/open-quantum-safe/liboqs.git && \ + git config --global user.email "ci@openquantumsafe.org" && \ + git config --global --add safe.directory `pwd` && \ + export LIBOQS_SRC_DIR=`pwd`/liboqs && \ + ! pip3 install -r oqs-template/requirements.txt 2>&1 | grep ERROR && \ + python3 oqs-template/generate.py && \ + ./scripts/do_code_format.sh --no-dry-run && \ + git diff && \ + ! git status | grep modified + diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index 5d336ddc..0b3981e5 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml @@ -64,7 +64,7 @@ jobs: run: cd _build/lib && ln -s oqsprovider.so oqsprovider2.so - name: Test run: ./scripts/runtests.sh -V - - name: Verify nothing changes on re-generate code + - name: Re-generate code run: | apt-get update && apt-get install -y clang-format && \ git config --global user.name "ciuser" && \ @@ -72,10 +72,9 @@ jobs: git config --global --add safe.directory `pwd` && \ export LIBOQS_SRC_DIR=`pwd`/liboqs && \ ! pip3 install -r oqs-template/requirements.txt 2>&1 | grep ERROR && \ - python3 oqs-template/generate.py && \ - ./scripts/do_code_format.sh --no-dry-run && \ - git diff && \ - ! git status | grep modified + python3 oqs-template/generate.py + - name: Full re-build + run: rm -rf _build && ./scripts/fullbuild.sh - name: Build .deb install package run: cpack -C DebPack working-directory: _build diff --git a/README.md b/README.md index ca5949f6..aa2feb21 100644 --- a/README.md +++ b/README.md @@ -144,7 +144,9 @@ Also not fully supported in 3.0.2 is performance testing as per the openssl These versions have full support for all TLS1.3 operations using PQ algorithms when deploying `oqsprovider`, particularly with regard to the use of signature -algorithms. +algorithms. This also includes support for the "OSSL_SIGNATURE_PARAM_CONTEXT_STRING" +parameter that had not been supported before and for which limited support in +single PQ algorithms is available since `liboqs` version 0.12. ## 3.4 and greater diff --git a/oqsprov/oqs_sig.c b/oqsprov/oqs_sig.c index 91250642..b6f07a70 100644 --- a/oqsprov/oqs_sig.c +++ b/oqsprov/oqs_sig.c @@ -121,6 +121,8 @@ ASN1_NDEF_SEQUENCE(CompositeSignature) = size_t mdsize; // for collecting data if no MD is active: unsigned char *mddata; + void *context_string; + size_t context_string_length; int operation; } PROV_OQSSIG_CTX; @@ -517,9 +519,19 @@ static int oqs_sig_sign(void *vpoqs_sigctx, unsigned char *sig, size_t *siglen, oqs_sig_len = oqsxkey->oqsx_provider_ctx.oqsx_qs_ctx.sig ->length_signature; buf = OPENSSL_malloc(oqs_sig_len); +#if !defined OQS_VERSION_MINOR || \ + (OQS_VERSION_MAJOR == 0 && OQS_VERSION_MINOR < 12) if (OQS_SIG_sign(oqs_key, buf, &oqs_sig_len, (const unsigned char *)final_tbs, final_tbslen, oqsxkey->comp_privkey[i]) != OQS_SUCCESS) { +#else + if (OQS_SIG_sign_with_ctx_str( + oqs_key, buf, &oqs_sig_len, + (const unsigned char *)final_tbs, final_tbslen, + poqs_sigctx->context_string, + poqs_sigctx->context_string_length, + oqsxkey->comp_privkey[i]) != OQS_SUCCESS) { +#endif ERR_raise(ERR_LIB_USER, OQSPROV_R_SIGNING_FAILED); CompositeSignature_free(compsig); OPENSSL_free(final_tbs); @@ -666,7 +678,15 @@ static int oqs_sig_sign(void *vpoqs_sigctx, unsigned char *sig, size_t *siglen, CompositeSignature_free(compsig); OPENSSL_free(final_tbs); +#if !defined OQS_VERSION_MINOR || \ + (OQS_VERSION_MAJOR == 0 && OQS_VERSION_MINOR < 12) } else if (OQS_SIG_sign(oqs_key, sig + index, &oqs_sig_len, tbs, tbslen, +#else + } else if (OQS_SIG_sign_with_ctx_str( + oqs_key, sig + index, &oqs_sig_len, tbs, tbslen, + poqs_sigctx->context_string, + poqs_sigctx->context_string_length, +#endif oqsxkey->comp_privkey[oqsxkey->numkeys - 1]) != OQS_SUCCESS) { ERR_raise(ERR_LIB_USER, OQSPROV_R_SIGNING_FAILED); @@ -878,9 +898,18 @@ static int oqs_sig_verify(void *vpoqs_sigctx, const unsigned char *sig, } if (get_oqsname_fromtls(name)) { +#if !defined OQS_VERSION_MINOR || \ + (OQS_VERSION_MAJOR == 0 && OQS_VERSION_MINOR < 12) if (OQS_SIG_verify(oqs_key, (const unsigned char *)final_tbs, final_tbslen, buf, buf_len, oqsxkey->comp_pubkey[i]) != OQS_SUCCESS) { +#else + if (OQS_SIG_verify_with_ctx_str( + oqs_key, (const unsigned char *)final_tbs, final_tbslen, + buf, buf_len, poqs_sigctx->context_string, + poqs_sigctx->context_string_length, + oqsxkey->comp_pubkey[i]) != OQS_SUCCESS) { +#endif ERR_raise(ERR_LIB_USER, OQSPROV_R_VERIFY_ERROR); OPENSSL_free(name); CompositeSignature_free(compsig); @@ -994,9 +1023,17 @@ static int oqs_sig_verify(void *vpoqs_sigctx, const unsigned char *sig, ERR_raise(ERR_LIB_USER, OQSPROV_R_WRONG_PARAMETERS); goto endverify; } +#if !defined OQS_VERSION_MINOR || \ + (OQS_VERSION_MAJOR == 0 && OQS_VERSION_MINOR < 12) if (OQS_SIG_verify( oqs_key, tbs, tbslen, sig + index, siglen - classical_sig_len, oqsxkey->comp_pubkey[oqsxkey->numkeys - 1]) != OQS_SUCCESS) { +#else + if (OQS_SIG_verify_with_ctx_str( + oqs_key, tbs, tbslen, sig + index, siglen - classical_sig_len, + poqs_sigctx->context_string, poqs_sigctx->context_string_length, + oqsxkey->comp_pubkey[oqsxkey->numkeys - 1]) != OQS_SUCCESS) { +#endif ERR_raise(ERR_LIB_USER, OQSPROV_R_VERIFY_ERROR); goto endverify; } @@ -1176,6 +1213,9 @@ static void oqs_sig_freectx(void *vpoqs_sigctx) { OPENSSL_free(ctx->aid); ctx->aid = NULL; ctx->aid_len = 0; + OPENSSL_free(ctx->context_string); + ctx->context_string = NULL; + ctx->context_string_length = 0; OPENSSL_free(ctx); } @@ -1299,6 +1339,16 @@ static int oqs_sig_set_ctx_params(void *vpoqs_sigctx, if (!oqs_sig_setup_md(poqs_sigctx, mdname, mdprops)) return 0; } +#if (OPENSSL_VERSION_PREREQ(3, 2)) + p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_CONTEXT_STRING); + if (p != NULL) { + if (!OSSL_PARAM_get_octet_string(p, &poqs_sigctx->context_string, 0, + &poqs_sigctx->context_string_length)) { + poqs_sigctx->context_string_length = 0; + return 0; + } + } +#endif // not passing in parameters we can act on is no error return 1; @@ -1307,6 +1357,9 @@ static int oqs_sig_set_ctx_params(void *vpoqs_sigctx, static const OSSL_PARAM known_settable_ctx_params[] = { OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0), OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PROPERTIES, NULL, 0), +#if (OPENSSL_VERSION_PREREQ(3, 2)) + OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_CONTEXT_STRING, NULL, 0), +#endif OSSL_PARAM_END}; static const OSSL_PARAM *