From bc2099c93482e3a49688f6ff2c6be814003123bb Mon Sep 17 00:00:00 2001 From: Pravek Sharma Date: Fri, 4 Oct 2024 23:04:05 +0200 Subject: [PATCH 1/6] Bump version string Signed-off-by: Pravek Sharma --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 46967512..ae513753 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -4,7 +4,7 @@ else() cmake_minimum_required(VERSION 3.5 FATAL_ERROR) endif() project(oqs-provider LANGUAGES C) -set(OQSPROVIDER_VERSION_TEXT "0.6.2-dev") +set(OQSPROVIDER_VERSION_TEXT "0.7.0") set(CMAKE_C_STANDARD 11) set_property(GLOBAL PROPERTY FIND_LIBRARY_USE_LIB64_PATHS ON) if(CMAKE_BUILD_TYPE STREQUAL "Debug") From be6a0ad63d130ab1894a092b61a9f215b8bbd2a6 Mon Sep 17 00:00:00 2001 From: Pravek Sharma Date: Fri, 4 Oct 2024 23:04:25 +0200 Subject: [PATCH 2/6] Point CI to liboqs 0.11.0 Signed-off-by: Pravek Sharma --- .github/workflows/linux.yml | 12 ++++++------ .github/workflows/macos.yml | 2 +- .github/workflows/windows.yml | 6 +++--- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index 58c864da..09222149 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml @@ -21,7 +21,7 @@ jobs: image: openquantumsafe/ci-ubuntu-jammy:latest env: MAKE_PARAMS: "-j 18" - LIBOQS_BRANCH: "main" + LIBOQS_BRANCH: "0.11.0" steps: - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 @@ -38,7 +38,7 @@ jobs: strategy: fail-fast: false matrix: - ossl-branch: [openssl-3.1.0, master] + ossl-branch: [openssl-3.2.0, master] libjade-build: - "ON" - "OFF" @@ -59,7 +59,7 @@ jobs: - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - name: Full build - run: OPENSSL_BRANCH=${{ matrix.ossl-branch }} OQS_LIBJADE_BUILD=${{ matrix.libjade-build }} ./scripts/fullbuild.sh + run: OPENSSL_BRANCH=${{ matrix.ossl-branch }} LIBOQS_BRANCH=0.11.0 OQS_LIBJADE_BUILD=${{ matrix.libjade-build }} ./scripts/fullbuild.sh - name: Enable sibling oqsprovider for testing run: cd _build/lib && ln -s oqsprovider.so oqsprovider2.so - name: Test @@ -104,7 +104,7 @@ jobs: CXX: "clang++" ASAN_C_FLAGS: "-fsanitize=address -fno-omit-frame-pointer" ASAN_OPTIONS: "detect_stack_use_after_return=1,detect_leaks=1" - OPENSSL_BRANCH: "openssl-3.1" + OPENSSL_BRANCH: "openssl-3.2.0" steps: - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 @@ -128,7 +128,7 @@ jobs: - name: Clone and build liboqs with ASan run: | - git clone --depth=1 --branch main https://github.com/open-quantum-safe/liboqs.git liboqs + git clone --depth=1 --branch 0.11.0 https://github.com/open-quantum-safe/liboqs.git liboqs cd liboqs mkdir build install cmake -GNinja -B build \ @@ -210,7 +210,7 @@ jobs: - name: Clone and build liboqs for linux-aarch64 working-directory: /opt/ run: | - git clone --depth=1 --branch main https://github.com/open-quantum-safe/liboqs.git liboqs + git clone --depth=1 --branch 0.11.0 https://github.com/open-quantum-safe/liboqs.git liboqs cd liboqs mkdir build install cmake --toolchain "${CMAKE_TOOLCHAIN_FILE}" \ diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml index 1446ff94..243f493a 100644 --- a/.github/workflows/macos.yml +++ b/.github/workflows/macos.yml @@ -40,7 +40,7 @@ jobs: with: set-safe-directory: true repository: open-quantum-safe/liboqs - ref: main + ref: 0.11.0 path: liboqs - name: Retrieve OpenSSL32 from cache id: cache-openssl32 diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 3747c7a2..a7e5c3ac 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -45,7 +45,7 @@ jobs: with: set-safe-directory: true repository: open-quantum-safe/liboqs - ref: main + ref: 0.11.0 path: liboqs - name: Install cygwin uses: cygwin/cygwin-install-action@master @@ -140,7 +140,7 @@ jobs: with: set-safe-directory: true repository: open-quantum-safe/liboqs - ref: main + ref: 0.11.0 path: liboqs - uses: ilammy/msvc-dev-cmd@v1 with: @@ -254,7 +254,7 @@ jobs: with: set-safe-directory: true repository: open-quantum-safe/liboqs - ref: main + ref: 0.11.0 path: liboqs - uses: ilammy/msvc-dev-cmd@v1 with: From 21164ffbe56288ab6dae5f0edfc0274c3e1d6a69 Mon Sep 17 00:00:00 2001 From: Pravek Sharma Date: Fri, 4 Oct 2024 23:51:02 +0200 Subject: [PATCH 3/6] Update release notes Signed-off-by: Pravek Sharma --- RELEASE.md | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) diff --git a/RELEASE.md b/RELEASE.md index 1f9ae6cb..7fb6503c 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -1,3 +1,71 @@ +# oqs-provider 0.7.1 + +## About + +The **Open Quantum Safe (OQS) project** has the goal of developing and prototyping quantum-resistant cryptography. More information on OQS can be found on the website: https://openquantumsafe.org/ and on Github at https://github.com/open-quantum-safe/. + +**oqs-provider** is a standalone [OpenSSL 3](https://github.com/openssl/openssl) [provider](https://www.openssl.org/docs/manmaster/man7/provider.html) enabling [liboqs](https://github.com/open-quantum-safe/liboqs)-based quantum-safe and [hybrid key exchange](https://datatracker.ietf.org/doc/draft-ietf-pquip-pqt-hybrid-terminology) for TLS 1.3, as well as quantum-safe and hybrid X.509 certificate generation, CMS, CMP and `dgst` (signature) operations. + +When deployed, the `oqs-provider` binary (shared library) thus adds support for quantum-safe cryptographic operations to any standard OpenSSL(v3) installation. The ultimate goal is that all `openssl` functionality shall be [PQC-enabled](https://csrc.nist.gov/projects/post-quantum-cryptography). + +In general, the oqs-provider `main` branch is meant to be usable in conjunction with the `main` branch of [liboqs](https://github.com/open-quantum-safe/liboqs) and the `master` branch of [OpenSSL](https://github.com/openssl/openssl). + +Further details on building, testing and use can be found in [README.md](https://github.com/open-quantum-safe/oqs-provider/blob/main/README.md). See in particular limitations on intended use. + +## Release notes + +This is release candidate 1 of version 0.7.0 of oqs-provider which continues from the earlier 0.6.1 release. This release is fully tested to be used in conjunction with the main branch of [liboqs](https://github.com/open-quantum-safe/liboqs) and is guaranteed to be in sync with v0.11.0 of `liboqs`. + +### Security considerations + +None. + +### What's New + +In addition to updating documentation, improving the CI, and fixing issues uncovered by compiler warnings and static analysis, this release of oqs-provider: + +* Adds support for MAYO from Round 1 of [NIST’s Post-Quantum Signature On-Ramp process](https://csrc.nist.gov/projects/pqc-dig-sig/round-1-additional-signatures). +* Adds support for CROSS from Round 1 of [NIST’s Post-Quantum Signature On-Ramp process](https://csrc.nist.gov/projects/pqc-dig-sig/round-1-additional-signatures). +* Updates ML-KEM's code points in line with internet draft [draft-kwiatkowski-tls-ecdhe-mlkem-02](https://www.ietf.org/archive/id/draft-kwiatkowski-tls-ecdhe-mlkem-02.html). +* Updates the `fullbuild.sh` build script to build against liboqs with formally verified Kyber-512 and Kyber-768 from [libjade](https://github.com/formosa-crypto/libjade) turned on by default; see `OQS_LIBJADE_BUILD` under `CONFIGURE.md` for more information. +* Reverses keyshares for X25519MLKEM768, SecP256r1MLKEM768, and X448-ML-KEM-768 TLS hybrids in line with [draft-kwiatkowski-tls-ecdhe-mlkem-02](https://www.ietf.org/archive/id/draft-kwiatkowski-tls-ecdhe-mlkem-02.html). + +## What's Changed +* Point CI back to liboqs main by @SWilson4 in https://github.com/open-quantum-safe/oqs-provider/pull/431 +* Fix a typo in NOTES-Windows.md by @qnfm in https://github.com/open-quantum-safe/oqs-provider/pull/436 +* Fix #439: install the static library under `$PREFIX/lib`. by @thb-sb in https://github.com/open-quantum-safe/oqs-provider/pull/441 +* Fix #440: disable tests and examples using `BUILD_TESTING`. by @thb-sb in https://github.com/open-quantum-safe/oqs-provider/pull/442 +* Add MAYO by @bhess in https://github.com/open-quantum-safe/oqs-provider/pull/413 +* update the composite to draft-ietf-lamps-pq-composite-sigs-02 by @feventura in https://github.com/open-quantum-safe/oqs-provider/pull/454 +* Update codeowners by @baentsch in https://github.com/open-quantum-safe/oqs-provider/pull/458 +* Remove external encoding lib by @baentsch in https://github.com/open-quantum-safe/oqs-provider/pull/460 +* update coding style and test facilities by @baentsch in https://github.com/open-quantum-safe/oqs-provider/pull/477 +* Fix various warnings. by @ashman-p in https://github.com/open-quantum-safe/oqs-provider/pull/480 +* A note about key encapsulation/decapsulation support in OpenSSL by @beldmit in https://github.com/open-quantum-safe/oqs-provider/pull/486 +* Force liboqs as a debian package dependency requirement only if it is not a static linked library. by @fwh-dc in https://github.com/open-quantum-safe/oqs-provider/pull/493 +* openssl and contribution documentation updates [skip ci] by @baentsch in https://github.com/open-quantum-safe/oqs-provider/pull/499 +* Adds note on supported openssl versions for tls certificates. by @fwh-dc in https://github.com/open-quantum-safe/oqs-provider/pull/498 +* add support for the CMAKE_PARAMS environment variable by @jschauma in https://github.com/open-quantum-safe/oqs-provider/pull/510 +* update MLKEM code points by @baentsch in https://github.com/open-quantum-safe/oqs-provider/pull/511 +* Actionlint workflow checking by @jplomas in https://github.com/open-quantum-safe/oqs-provider/pull/516 +* add explicit usage warning [skip ci] by @baentsch in https://github.com/open-quantum-safe/oqs-provider/pull/515 +* Address some Static Analysis Issues #519 by @ashman-p in https://github.com/open-quantum-safe/oqs-provider/pull/521 +* Only overwrite default library prefix for module library type build. by @fwh-dc in https://github.com/open-quantum-safe/oqs-provider/pull/525 +* Add build option to toggle libjade implementations in liboqs by @praveksharma in https://github.com/open-quantum-safe/oqs-provider/pull/529 +* Reverse TLS hybrid keyshares for x25519/x448-mlkem hybrids by @bhess in https://github.com/open-quantum-safe/oqs-provider/pull/524 +* Rebase and add CROSS by @praveksharma in https://github.com/open-quantum-safe/oqs-provider/pull/530 +* Remove unmanaged KEM OIDs by @baentsch in https://github.com/open-quantum-safe/oqs-provider/pull/522 +* Use more future-proof hash for signature by @beldmit in https://github.com/open-quantum-safe/oqs-provider/pull/532 + +## New Contributors +* @ashman-p made their first contribution in https://github.com/open-quantum-safe/oqs-provider/pull/480 +* @fwh-dc made their first contribution in https://github.com/open-quantum-safe/oqs-provider/pull/493 +* @jschauma made their first contribution in https://github.com/open-quantum-safe/oqs-provider/pull/510 +* @jplomas made their first contribution in https://github.com/open-quantum-safe/oqs-provider/pull/516 +* @praveksharma made their first contribution in https://github.com/open-quantum-safe/oqs-provider/pull/529 + +**Full Changelog**: https://github.com/open-quantum-safe/oqs-provider/compare/0.6.1...0.7.0-rc1 + # oqs-provider 0.6.1 ## About From de2a74b0494ed5042382e9f5a90db723dc8e3308 Mon Sep 17 00:00:00 2001 From: Pravek Sharma Date: Sat, 5 Oct 2024 01:12:17 +0200 Subject: [PATCH 4/6] fixup! Update release notes Signed-off-by: Pravek Sharma --- RELEASE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE.md b/RELEASE.md index 7fb6503c..7cb72110 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -1,4 +1,4 @@ -# oqs-provider 0.7.1 +# oqs-provider 0.7.1 release candidate 1 ## About From cc14b5aa056ed0d4eadb59ff82d9499463b6e960 Mon Sep 17 00:00:00 2001 From: Pravek Sharma Date: Mon, 7 Oct 2024 19:15:53 +0200 Subject: [PATCH 5/6] fixup! Update release notes Signed-off-by: Pravek Sharma --- RELEASE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE.md b/RELEASE.md index 7cb72110..130ff5fe 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -28,7 +28,7 @@ In addition to updating documentation, improving the CI, and fixing issues uncov * Adds support for CROSS from Round 1 of [NIST’s Post-Quantum Signature On-Ramp process](https://csrc.nist.gov/projects/pqc-dig-sig/round-1-additional-signatures). * Updates ML-KEM's code points in line with internet draft [draft-kwiatkowski-tls-ecdhe-mlkem-02](https://www.ietf.org/archive/id/draft-kwiatkowski-tls-ecdhe-mlkem-02.html). * Updates the `fullbuild.sh` build script to build against liboqs with formally verified Kyber-512 and Kyber-768 from [libjade](https://github.com/formosa-crypto/libjade) turned on by default; see `OQS_LIBJADE_BUILD` under `CONFIGURE.md` for more information. -* Reverses keyshares for X25519MLKEM768, SecP256r1MLKEM768, and X448-ML-KEM-768 TLS hybrids in line with [draft-kwiatkowski-tls-ecdhe-mlkem-02](https://www.ietf.org/archive/id/draft-kwiatkowski-tls-ecdhe-mlkem-02.html). +* Reverses keyshares for X25519MLKEM768 and X448-ML-KEM-768 TLS hybrids in line with [draft-kwiatkowski-tls-ecdhe-mlkem-02](https://www.ietf.org/archive/id/draft-kwiatkowski-tls-ecdhe-mlkem-02.html). ## What's Changed * Point CI back to liboqs main by @SWilson4 in https://github.com/open-quantum-safe/oqs-provider/pull/431 From bc399b79c7992a6652601fd127290633728e79ae Mon Sep 17 00:00:00 2001 From: Pravek Sharma Date: Mon, 7 Oct 2024 19:19:28 +0200 Subject: [PATCH 6/6] fixup! Point CI to liboqs 0.11.0 Signed-off-by: Pravek Sharma --- .github/workflows/linux.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index 09222149..ebaf1751 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml @@ -38,7 +38,7 @@ jobs: strategy: fail-fast: false matrix: - ossl-branch: [openssl-3.2.0, master] + ossl-branch: [openssl-3.3.2, master] libjade-build: - "ON" - "OFF" @@ -104,7 +104,7 @@ jobs: CXX: "clang++" ASAN_C_FLAGS: "-fsanitize=address -fno-omit-frame-pointer" ASAN_OPTIONS: "detect_stack_use_after_return=1,detect_leaks=1" - OPENSSL_BRANCH: "openssl-3.2.0" + OPENSSL_BRANCH: "openssl-3.3.2" steps: - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4