oqs-provider 0.8.0

About

The Open Quantum Safe (OQS) project has the goal of developing and prototyping quantum-resistant cryptography. More information on OQS can be found on the website: https://openquantumsafe.org/ and on Github at https://github.com/open-quantum-safe/.

oqs-provider is a standalone OpenSSL 3 provider enabling liboqs-based quantum-safe and hybrid key exchange for TLS 1.3, as well as quantum-safe and hybrid X.509 certificate generation, CMS, CMP and dgst (signature) operations.

When deployed, the oqs-provider binary (shared library) thus adds support for quantum-safe cryptographic operations to any standard OpenSSL(v3) installation. The ultimate goal is that all openssl functionality shall be PQC-enabled.

In general, the oqs-provider main branch is meant to be usable in conjunction with the main branch of liboqs and the master branch of OpenSSL.

Further details on building, testing and use can be found in README.md. See in particular limitations on intended use.

Release notes

This is version 0.8.0 of oqs-provider which continues from the earlier 0.7.0 release. This release is fully tested to be used in conjunction with the main branch of liboqs and is guaranteed to be in sync with v0.12.0 of liboqs.

Deprecation notice

This is to notify users of Kyber and Dilithium (Round 3 version) to switch to the ML-KEM (FIPS 203 final version) and ML-DSA (FIPS 204 final version), respectively, as support for both will be removed with the next release of oqsprovider.

Security considerations

CVE-2024-54137: The associated liboqs v0.12.0 release fixed a bug in HQC decapsulation that leads to incorrect shared secret value during decapsulation when called with an invalid ciphertext. Thank you to Célian Glénaz and Dahmun Goudarzi from Quarkslab for identifying the issue.

What's New

In addition to improving testing, CI, and fixing platform specific build issues this release of oqs-provider:

Updates IANA code points for ML-KEM and changes FrodoKEM code points.
Adds support for ML-DSA (FIPS 204 final version).
Adds support for context strings in OpenSSL versions >= 3.2.
Updates the implementation of draft-ietf-lamps-pq-composite-sigs from version 01 to version 02.
Adds a SBOM template in the CycloneDX 1.6 format.
Adds support for DTLS 1.3 (pending support in OpenSSL).

What's Changed

Switch to dev mode again by @praveksharma in #535
Add alexrow to CODEOWNERS by @praveksharma in #537
Correct 0.7.0 release notes by @praveksharma in #540
switch doc to release, add backlevel liboqs support by @baentsch in #544
fix file location error in P12 test by @baentsch in #546
update MLKEM code points by @baentsch in #559
Composite sigs update by @feventura in #549
Remove macos-12 runner due to GitHub deprecation. by @SWilson4 in #563
update IANA code points for ML-KEM by @baentsch in #577
Adding version-conditional context string support by @baentsch in #583
Tracker for FIPS204 / ML-DSA by @bhess in #568
Add a SBOM template in CycloneDX format by @hughsie in #585
Changes needed when building with a static libcrypto on Linux by @ashman-p in #584
Add DTLS 1.3 support by @baentsch in #586

New Contributors

@hughsie made their first contribution in #585

Full Changelog: 0.7.0...0.8.0

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

0.8.0