prepare 0.5.0 release (#175)

* prepare 0.5.0 release

* test for OSX file extension

CMakeLists.txt

@@ -1,6 +1,6 @@
 cmake_minimum_required(VERSION 3.0 FATAL_ERROR)
 project(oqs-provider LANGUAGES C)
-set(OQSPROVIDER_VERSION_TEXT "0.5.0-dev")
+set(OQSPROVIDER_VERSION_TEXT "0.5.0")
 set(CMAKE_C_STANDARD 11)
 set_property(GLOBAL PROPERTY FIND_LIBRARY_USE_LIB64_PATHS ON)
 if(CMAKE_BUILD_TYPE STREQUAL "Debug")

RELEASE.md

@@ -1,5 +1,5 @@
-oqs-provider 0.5.0-dev
-======================
+oqs-provider 0.5.0
+==================
 
 About
 -----
@@ -17,7 +17,7 @@ Further details on building, testing and use can be found in [README.md](https:/
 Release notes
 =============
 
-This is the development pre-release version 0.5.0 of oqs-provider.
+This is version 0.5.0 of oqs-provider.
 
 Security considerations
 -----------------------
@@ -27,17 +27,26 @@ None.
 What's New
 ----------
 
-This release continues from the 0.4.0 release of oqs-provider and is fully tested to be used in conjunction with the main branch of [liboqs](https://github.com/open-quantum-safe/liboqs). 
+This release continues from the 0.4.0 release of oqs-provider and is fully tested to be used in conjunction with the main branch of [liboqs](https://github.com/open-quantum-safe/liboqs). This release is guaranteed to be in sync with v0.8.0 of `liboqs`.
 
 oqs-provider now also enables use of QSC algorithms during TLS1.3 handshake. The required OpenSSL code updates are contained in https://github.com/openssl/openssl/pull/19312. Prior to this code merging, the functionality can be tested by using https://github.com/baentsch/openssl/tree/sigload.
 
 ### Algorithm updates
 
-None.
+All algorithms no longer supported in the [NIST PQC competition](https://csrc.nist.gov/projects/post-quantum-cryptography) and not under consideration for standardization by ISO have been removed. All remaining algorithms with the exception of McEliece have been lifted to their final round 3 variants as documented in [liboqs](https://github.com/open-quantum-safe/liboqs/blob/main/RELEASE.md#release-notes). Most notably, algorithm names for Sphincs+ have been changed to the naming chosen by its authors.
 
 ### Functional updates
 
 - Enablement of oqs-provider as a (first) dynamically fetchable OpenSSL3 TLS1.3 signature provider.
+- OSX support
+- Full support for CA functionality
+- Algorithms can now be selected by their respective bit strength using the property string "oqsprovider.security_bits"
+- Documentation of (O)IDs used by the different PQC algorithms used and supported in current and past releases of oqs-openssl and oqs-provider
+- Testing is now completely independent of a source code distribution of OpenSSL being available
+- oqsprovider can be built and installed making use of pre-existing installations of `OpenSSL` and `liboqs`. Details are found in the "scripts" directory's build and test scripts.
+- Automated creation of (Debian) packaging information
+- Graceful handling (by way of functional degradation) of the feature sets contained in different OpenSSL releases; all oqsprovider capabilities are only available when using a version > than OpenSSL3.1.
+- A bug regarding handling of hybrid algorithms has been fixed as well as some memory leaks.
 
 ### Misc updates
 
@@ -46,6 +55,8 @@ None.
 
 ---
 
+**Full Changelog**: https://github.com/open-quantum-safe/oqs-provider/compare/0.4.0...0.5.0.
+
 Previous Release Notes
 ======================
 
@@ -81,3 +92,4 @@ oqs-provider has been integrated as an external test component for [OpenSSL3 tes
 
 **Full Changelog**: https://github.com/open-quantum-safe/oqs-provider/compare/0.3.0...0.4.0.
 
+

scripts/fullbuild.sh

@@ -8,11 +8,14 @@
 # EnvVar OQS_ALGS_ENABLED: If set, defines OQS algs to be enabled, e.g., "STD"
 # EnvVar OPENSSL_INSTALL: If set, defines (binary) OpenSSL installation to use
 # EnvVar OPENSSL_BRANCH: Defines branch/release of openssl; if set, forces source-build of OpenSSL3
+# EnvVar liboqs_DIR: If set, needs to point to a directory where liboqs has been installed to
 
 if [[ "$OSTYPE" == "darwin"* ]]; then
    SHLIBEXT="dylib"
+   STATLIBEXT="dylib"
 else
    SHLIBEXT="so"
+   STATLIBEXT="a"
 fi
 
 if [ $# -gt 0 ]; then
@@ -56,9 +59,10 @@ if [ -z "$OPENSSL_INSTALL" ]; then
  fi
 fi
 
-# Check whether liboqs is built:
-if [ ! -f ".local/lib/liboqs.a" ]; then
-  echo "liboqs static lib not built..."
+# Check whether liboqs is built or has been configured:
+if [ -z $liboqs_DIR ]; then
+ if [ ! -f ".local/lib/liboqs.$STATLIBEXT" ]; then
+  echo "need to re-build static liboqs..."
   if [ ! -d liboqs ]; then
     echo "cloning liboqs $LIBOQS_BRANCH..."
     git clone --depth 1 --branch $LIBOQS_BRANCH https://github.com/open-quantum-safe/liboqs.git
@@ -81,16 +85,18 @@ if [ ! -f ".local/lib/liboqs.a" ]; then
     fi
   fi
 
- # for full debug build add: -DCMAKE_BUILD_TYPE=Debug
- # to optimize for size add -DOQS_ALGS_ENABLED= suitably to one of these values:
- #    STD: only include NIST standardized algorithms
- #    NIST_R4: only include algorithms in round 4 of the NIST competition
- #    All: include all algorithms supported by liboqs (default)
- cd liboqs && cmake -GNinja $DOQS_ALGS_ENABLED -DCMAKE_INSTALL_PREFIX=$(pwd)/../.local -S . -B _build && cd _build && ninja && ninja install && cd ../..
- if [ $? -ne 0 ]; then
-     echo "liboqs build failed. Exiting."
-     exit -1
+  # for full debug build add: -DCMAKE_BUILD_TYPE=Debug
+  # to optimize for size add -DOQS_ALGS_ENABLED= suitably to one of these values:
+  #    STD: only include NIST standardized algorithms
+  #    NIST_R4: only include algorithms in round 4 of the NIST competition
+  #    All: include all algorithms supported by liboqs (default)
+  cd liboqs && cmake -GNinja $DOQS_ALGS_ENABLED -DCMAKE_INSTALL_PREFIX=$(pwd)/../.local -S . -B _build && cd _build && ninja && ninja install && cd ../..
+  if [ $? -ne 0 ]; then
+      echo "liboqs build failed. Exiting."
+      exit -1
+  fi
  fi
+ export liboqs_DIR=$(pwd)/.local
 fi
 
 # Check whether provider is built:
@@ -101,9 +107,9 @@ if [ ! -f "_build/lib/oqsprovider.$SHLIBEXT" ]; then
    BUILD_TYPE=""
    # for omitting public key in private keys add -DNOPUBKEY_IN_PRIVKEY=ON
    if [ -z "$OPENSSL_INSTALL" ]; then
-       cmake -DOPENSSL_ROOT_DIR=$(pwd)/.local $BUILD_TYPE -DCMAKE_PREFIX_PATH=$(pwd)/.local -S . -B _build && cmake --build _build
+       cmake -DOPENSSL_ROOT_DIR=$(pwd)/.local $BUILD_TYPE -S . -B _build && cmake --build _build
    else
-       cmake -DOPENSSL_ROOT_DIR=$OPENSSL_INSTALL $BUILD_TYPE -DCMAKE_PREFIX_PATH=$(pwd)/.local -S . -B _build && cmake --build _build
+       cmake -DOPENSSL_ROOT_DIR=$OPENSSL_INSTALL $BUILD_TYPE -S . -B _build && cmake --build _build
    fi
    if [ $? -ne 0 ]; then
      echo "provider build failed. Exiting."

scripts/oqsprovider-ca.sh

@@ -16,6 +16,10 @@ if [ -z "$OPENSSL_MODULES" ]; then
     echo "Warning: OPENSSL_MODULES env var not set."
 fi
 
+if [ -z "$OPENSSL_CONF" ]; then
+    echo "Warning: OPENSSL_CONF env var not set."
+fi
+
 # Set OSX DYLD_LIBRARY_PATH if not already externally set
 if [ -z "$DYLD_LIBRARY_PATH" ]; then
     export DYLD_LIBRARY_PATH=$LD_LIBRARY_PATH
@@ -28,21 +32,21 @@ mkdir -p tmp && cd tmp
 rm -rf demoCA && mkdir -p demoCA/newcerts
 touch demoCA/index.txt
 echo '01' > demoCA/serial
-$OPENSSL_APP req -x509 -new -newkey $1 -keyout $1_rootCA.key -out $1_rootCA.crt -subj "/CN=test CA" -nodes -config ../scripts/openssl-ca.cnf
+$OPENSSL_APP req -x509 -new -newkey $1 -keyout $1_rootCA.key -out $1_rootCA.crt -subj "/CN=test CA" -nodes
 
 if [ $? -ne 0 ]; then
    echo "Failed to generate root CA. Exiting."
    exit 1
 fi
 
-$OPENSSL_APP req -new -newkey $1 -keyout $1.key -out $1.csr -nodes -config ../scripts/openssl-ca.cnf -subj "/CN=test Server"
+$OPENSSL_APP req -new -newkey $1 -keyout $1.key -out $1.csr -nodes -subj "/CN=test Server"
 
 if [ $? -ne 0 ]; then
    echo "Failed to generate test server CSR. Exiting."
    exit 1
 fi
 
-$OPENSSL_APP ca -batch -startdate 150123080000Z -enddate 250823090000Z -keyfile $1_rootCA.key -cert $1_rootCA.crt -policy policy_anything -config ../scripts/openssl-ca.cnf -notext -out $1.crt -infiles $1.csr
+$OPENSSL_APP ca -batch -startdate 150123080000Z -enddate 250823090000Z -keyfile $1_rootCA.key -cert $1_rootCA.crt -policy policy_anything -notext -out $1.crt -infiles $1.csr
 
 if [ $? -ne 0 ]; then
    echo "Failed to generate server CRT. Exiting."

scripts/runtests.sh

@@ -42,6 +42,9 @@ interop() {
 	else
             localalgtest $1
         fi
+    else
+        echo "Algorithm $1 not enabled. Exit testing."
+        exit 1
     fi
 
     if [ $? -ne 0 ]; then
@@ -139,22 +142,39 @@ if [ $? -eq 0 ]; then
    exit 0
 fi
 
-$OPENSSL_APP list -providers -verbose -provider-path _build/lib -provider oqsprovider
+$OPENSSL_APP list -providers -verbose
 if [ $? -ne 0 ]; then
    echo "Baseline openssl invocation failed. Exiting test."
    exit 1
 fi
 
+# Ensure "oqsprovider" is registered:
+$OPENSSL_APP list -providers -verbose | grep oqsprovider > /dev/null
+if [ $? -ne 0 ]; then
+   echo "oqsprovider not registered. Exit test."
+   exit 1
+fi
+
 # Run interop-tests:
 echo "Cert gen/verify, CMS sign/verify, CA tests for all enabled OQS signature algorithms commencing: "
-for alg in `$OPENSSL_APP list -signature-algorithms | grep oqsprovider | sed -e "s/ @ oqsprovider//g" | sed -e "s/^  //g"`
+for alg in `$OPENSSL_APP list -signature-algorithms | grep oqsprovider | sed -e "s/ @ .*//g" | sed -e "s/^  //g"`
 do 
    if [ "$1" = "-V" ]; then
       echo "Testing $alg"
    fi
    interop $alg
+   certsgenerated=1
 done
 
+if [ -z $certsgenerated ]; then
+   echo "No OQS signature algorithms found in provider 'oqsprovider'. No certs generated. Exiting."
+   exit 1
+else
+   if [ "$1" = "-V" ]; then
+      echo "Certificates successfully generated in $(pwd)/tmp"
+   fi
+fi
+
 echo
 
 # Run built-in tests:

test/CMakeLists.txt

@@ -45,7 +45,7 @@ add_test(
     COMMAND oqs_test_tlssig
             "oqsprovider"
             "${CMAKE_CURRENT_SOURCE_DIR}/oqs.cnf"
-            "${CMAKE_CURRENT_SOURCE_DIR}/../tmp"
+            "${CMAKE_CURRENT_BINARY_DIR}/../../tmp"
     WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
 )
 set_tests_properties(oqs_tlssig