Allow the user to build oqs-provider as a static library.

This commit removes the `SHARED` argument of the `add_library`.
By doing so, we let the user choose the build type of library.

By default, CMake will build a static library. Thus, [`BUILD_SHARED_LIBS`]
must be used to switch to a shared library.

`oqs-provider` as a static library allows us to use the provider without
having to store its shared library somewhere. In addition, it happens that
some operating systems prohibit the use of `dlopen`/`dlsym`.

To load `oqs-provider` when it is embedded into a library of a binary, one
can use the [`OSSL_PROVIDER_add_builtin`] API from OpenSSL 3.

[`BUILD_SHARED_LIBS`]: https://cmake.org/cmake/help/latest/variable/BUILD_SHARED_LIBS.html
[`OSSL_PROVIDER_add_builtin`]: https://www.openssl.org/docs/man3.1/man3/OSSL_PROVIDER_add_builtin.html

.circleci/config.yml

@@ -46,7 +46,7 @@ jobs:
               equal: [ openssl@3, << parameters.OPENSSL_PREINSTALL >> ]
           steps:
             - run:
-                name: Clone and build OpenSSL(3) 
+                name: Clone and build OpenSSL(3)
                 command: |
                    git clone --branch master git://git.openssl.org/openssl.git openssl &&
                    cd openssl && ./config --prefix=$(echo $(pwd)/../.local) && make -j 18 && make install_sw && cd ..
@@ -69,11 +69,11 @@ jobs:
       - run:
           name: Run tests (with encodings, positive and negative test)
           command: |
-            ./scripts/runtests_encodings.sh -V > log 
-            if [ grep "Skipping testing of buggy OpenSSL" -eq 1 ]; then 
+            ./scripts/runtests_encodings.sh -V > log
+            if [ grep "Skipping testing of buggy OpenSSL" -eq 1 ]; then
                cat log
                ! OQS_ENCODING_DILITHIUM2=foo OQS_ENCODING_DILITHIUM2_ALGNAME=bar ./scripts/runtests.sh -V
-            else 
+            else
                cat log
             fi
       - run:
@@ -88,10 +88,10 @@ jobs:
           name: Run tests (-DNOPUBKEY_IN_PRIVKEY=ON, with encodings, positive and negative test)
           command: |
             ./scripts/runtests_encodings.sh -V
-            if [ grep "Skipping testing of buggy OpenSSL" -eq 1 ]; then 
+            if [ grep "Skipping testing of buggy OpenSSL" -eq 1 ]; then
                cat log
                ! OQS_ENCODING_DILITHIUM2=foo OQS_ENCODING_DILITHIUM2_ALGNAME=bar ./scripts/runtests.sh -V
-            else 
+            else
                cat log
             fi
 
@@ -120,7 +120,7 @@ jobs:
              git clone --depth 1 --branch main https://github.com/open-quantum-safe/liboqs.git &&
              export LIBOQS_INSTALLPATH=$(pwd)/.local && cd liboqs && mkdir _build && cd _build &&
              cmake -GNinja -DCMAKE_INSTALL_PREFIX=$LIBOQS_INSTALLPATH << parameters.CMAKE_ARGS >> .. && ninja install &&
-             cd .. && cd .. && echo "export DYLD_LIBRARY_PATH=$DYLD_LIBRARY_PATH:$LIBOQS_INSTALLPATH/lib" >> "$BASH_ENV" 
+             cd .. && cd .. && echo "export DYLD_LIBRARY_PATH=$DYLD_LIBRARY_PATH:$LIBOQS_INSTALLPATH/lib" >> "$BASH_ENV"
       - when:
           condition:
             not:
@@ -158,11 +158,11 @@ jobs:
       - run:
           name: Run tests (with encodings)
           command: |
-            ./scripts/runtests_encodings.sh -V > log 
-            if [ grep "Skipping testing of buggy OpenSSL" -eq 1 ]; then 
+            ./scripts/runtests_encodings.sh -V > log
+            if [ grep "Skipping testing of buggy OpenSSL" -eq 1 ]; then
                cat log
                ! OQS_ENCODING_DILITHIUM2=foo OQS_ENCODING_DILITHIUM2_ALGNAME=bar ./scripts/runtests.sh -V
-            else 
+            else
                cat log
             fi
 
@@ -202,6 +202,12 @@ workflows:
           IMAGE: openquantumsafe/ci-ubuntu-jammy:latest
           CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=STD
           OPENSSL_PREINSTALL: openssl@3
+      - ubuntu:
+          name: ubuntu-jammy-static
+          context: openquantumsafe
+          IMAGE: openquantumsafe/ci-ubuntu-jammy:latest
+          CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=STD -DOQS_PROVIDER_BUILD_STATIC=ON
+          OPENSSL_PREINSTALL: openssl@3
       - macOS:
           name: macOS-noopenssl
           CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=OFF
@@ -210,6 +216,10 @@ workflows:
           name: macOS-shared
           CMAKE_ARGS: -DBUILD_SHARED_LIBS=ON -DOQS_DIST_BUILD=OFF -DOQS_ENABLE_KEM_CLASSIC_MCELIECE=OFF
           OPENSSL_PREINSTALL: openssl@3
+      - macOS:
+          name: macOS-static
+          CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_ENABLE_KEM_CLASSIC_MCELIECE=OFF -DOQS_PROVIDER_BUILD_STATIC=ON
+          OPENSSL_PREINSTALL: openssl@3
   on-main-branch:
     when:
       or:

.github/workflows/windows.yml

@@ -68,7 +68,7 @@ jobs:
         if: steps.cache-openssl32.outputs.cache-hit != 'true'
         run: bash -c "./config --prefix=/opt/openssl32 ${{ matrix.platform.config }} && perl configdata.pm --dump && make $MAKE_PARAMS && make install_sw"
         working-directory: openssl
-      - name: Check OpenSSL install3 
+      - name: Check OpenSSL install3
         run: dir c:\cygwin\opt\openssl32
       - name: Save OpenSSL
         id: cache-openssl-save

CMakeLists.txt

@@ -40,6 +40,11 @@ else()
     message(STATUS "Build will not include external encoding library for SPKI/PKCS#8")
 endif()
 
+option(OQS_PROVIDER_BUILD_STATIC "Build a static library instead of a shared library" OFF)
+if(OQS_PROVIDER_BUILD_STATIC AND BUILD_SHARED_LIBS)
+  message(FATAL_ERROR "`OQS_PROVIDER_BUILD_STATIC` is not compatible with `BUILD_SHARED_LIBS`.")
+endif()
+
 include(CheckLibraryExists)
 include(CheckFunctionExists)
 

CONFIGURE.md

@@ -45,6 +45,16 @@ By setting this to "ON", it can be specified to omit explicitly serializing
 the public key in a `privateKey` structure, e.g., for interoperability testing.
 The default value is `OFF`.
 
+### OQS_PROVIDER_BUILD_STATIC
+
+By setting `-DOQS_PROVIDER_BUILD_STATIC=ON` at compile-time, oqs-provider can be
+compiled as a static library (`oqs-provider.a`).
+The provider can be added using the [`OSSL_PROVIDER_add_builtin`](https://www.openssl.org/docs/man3.1/man3/OSSL_PROVIDER_add_builtin.html)
+function.
+
+> **Warning**
+> `OQS_PROVIDER_BUILD_STATIC` and `BUILD_SHARED_LIBS` are mutually exclusive.
+
 ## Convenience build script options
 
 For anyone interested in building the complete software stack
@@ -106,7 +116,7 @@ performed by default but can be manually enabled in the script `scripts/runtests
 
 ### OPENSSL_CONF
 
-This test environment variable can be used to instruct `openssl` to use a 
+This test environment variable can be used to instruct `openssl` to use a
 configuration file from a non-standard location. Setting this value also
 disables the automation logic built into `runtests.sh`, thus requiring
 knowledge of `openssl` operations when setting it.

README.md

@@ -152,6 +152,7 @@ Contributors to the `oqsprovider` include:
 - Julian Segeth
 - Alex Zaslavsky
 - Will Childs-Klein
+- Thomas Bailleux
 
 History
 -------

oqsprov/CMakeLists.txt

@@ -31,7 +31,13 @@ set(PROVIDER_SOURCE_FILES
 set(PROVIDER_HEADER_FILES
   oqs_prov.h oqs_endecoder_local.h
 )
-add_library(oqsprovider SHARED ${PROVIDER_SOURCE_FILES})
+
+set(OQS_LIBRARY_TYPE SHARED)
+if(OQS_PROVIDER_BUILD_STATIC)
+  set(OQS_LIBRARY_TYPE STATIC)
+endif()
+
+add_library(oqsprovider ${OQS_LIBRARY_TYPE} ${PROVIDER_SOURCE_FILES})
 if (USE_ENCODING_LIB)
   add_dependencies(oqsprovider encoder)
 endif()

test/CMakeLists.txt

@@ -5,6 +5,13 @@ else()
 set(OQS_PROV_BINARY_DIR ${CMAKE_BINARY_DIR}/lib)
 endif()
 
+function(targets_set_static_provider)
+  foreach(target ${ARGN})
+    target_compile_definitions(${target} PRIVATE "OQS_PROVIDER_STATIC")
+    target_link_libraries(${target} PRIVATE oqsprovider)
+  endforeach()
+endfunction()
+
 add_test(
   NAME oqs_signatures
   COMMAND oqs_test_signatures
@@ -24,7 +31,7 @@ set_tests_properties(oqs_signatures
 endif()
 
 add_executable(oqs_test_signatures oqs_test_signatures.c test_common.c)
-target_link_libraries(oqs_test_signatures ${OPENSSL_CRYPTO_LIBRARY} ${OQS_ADDL_SOCKET_LIBS})
+target_link_libraries(oqs_test_signatures PRIVATE ${OPENSSL_CRYPTO_LIBRARY} ${OQS_ADDL_SOCKET_LIBS})
 
 add_test(
   NAME oqs_kems
@@ -45,7 +52,7 @@ set_tests_properties(oqs_kems
 endif()
 
 add_executable(oqs_test_kems oqs_test_kems.c test_common.c)
-target_link_libraries(oqs_test_kems ${OPENSSL_CRYPTO_LIBRARY} ${OQS_ADDL_SOCKET_LIBS})
+target_link_libraries(oqs_test_kems PRIVATE ${OPENSSL_CRYPTO_LIBRARY} ${OQS_ADDL_SOCKET_LIBS})
 
 add_test(
     NAME oqs_groups
@@ -66,7 +73,7 @@ set_tests_properties(oqs_groups
 )
 endif()
 add_executable(oqs_test_groups oqs_test_groups.c test_common.c tlstest_helpers.c)
-target_link_libraries(oqs_test_groups ${OPENSSL_SSL_LIBRARY} ${OPENSSL_CRYPTO_LIBRARY} ${OQS_ADDL_SOCKET_LIBS})
+target_link_libraries(oqs_test_groups PRIVATE ${OPENSSL_SSL_LIBRARY} ${OPENSSL_CRYPTO_LIBRARY} ${OQS_ADDL_SOCKET_LIBS})
 
 add_test(
     NAME oqs_tlssig
@@ -88,10 +95,10 @@ set_tests_properties(oqs_tlssig
 )
 endif()
 add_executable(oqs_test_tlssig oqs_test_tlssig.c test_common.c tlstest_helpers.c)
-target_link_libraries(oqs_test_tlssig ${OPENSSL_SSL_LIBRARY} ${OPENSSL_CRYPTO_LIBRARY} ${OQS_ADDL_SOCKET_LIBS})
+target_link_libraries(oqs_test_tlssig PRIVATE ${OPENSSL_SSL_LIBRARY} ${OPENSSL_CRYPTO_LIBRARY} ${OQS_ADDL_SOCKET_LIBS})
 
 add_executable(oqs_test_endecode oqs_test_endecode.c test_common.c)
-target_link_libraries(oqs_test_endecode ${OPENSSL_CRYPTO_LIBRARY} ${OQS_ADDL_SOCKET_LIBS})
+target_link_libraries(oqs_test_endecode PRIVATE ${OPENSSL_CRYPTO_LIBRARY} ${OQS_ADDL_SOCKET_LIBS})
 add_test(
   NAME oqs_endecode
   COMMAND oqs_test_endecode
@@ -109,3 +116,12 @@ set_tests_properties(oqs_endecode
     PROPERTIES ENVIRONMENT "OPENSSL_MODULES=${OQS_PROV_BINARY_DIR}"
 )
 endif()
+
+if (OQS_PROVIDER_BUILD_STATIC)
+  targets_set_static_provider(oqs_test_signatures
+    oqs_test_kems
+    oqs_test_groups
+    oqs_test_tlssig
+    oqs_test_endecode
+  )
+endif()

test/oqs_test_endecode.c

@@ -212,9 +212,8 @@ int main(int argc, char *argv[]) {
     modulename = argv[1];
     configfile = argv[2];
 
-    T(OSSL_LIB_CTX_load_config(libctx, configfile));
+    load_oqs_provider(libctx, modulename, configfile);
 
-    T(OSSL_PROVIDER_available(libctx, modulename));
     keyctx = OSSL_LIB_CTX_new();
     dfltprov = OSSL_PROVIDER_load(NULL, "default");
     dfltprov = OSSL_PROVIDER_load(keyctx, "default");

test/oqs_test_groups.c

@@ -139,10 +139,9 @@ int main(int argc, char *argv[])
   T(cert = test_mk_file_path(certsdir, "servercert.pem"));
   T(privkey = test_mk_file_path(certsdir, "serverkey.pem"));
 
-  T(OSSL_LIB_CTX_load_config(libctx, configfile));
+  load_oqs_provider(libctx, modulename, configfile);
 
-  T(OSSL_PROVIDER_available(libctx, modulename));
-  T(OSSL_PROVIDER_available(libctx, "default")); 
+  T(OSSL_PROVIDER_available(libctx, "default"));
 
   T(OSSL_PROVIDER_do_all(libctx, test_provider_groups, &errcnt));
 

test/oqs_test_kems.c

@@ -80,9 +80,8 @@ int main(int argc, char *argv[])
   modulename = argv[1];
   configfile = argv[2];
 
-  T(OSSL_LIB_CTX_load_config(libctx, configfile));
+  load_oqs_provider(libctx, modulename, configfile);
 
-  T(OSSL_PROVIDER_available(libctx, modulename));
   oqsprov = OSSL_PROVIDER_load(libctx, modulename);
 
   kemalgs = OSSL_PROVIDER_query_operation(oqsprov, OSSL_OP_KEM, &query_nocache);

test/oqs_test_signatures.c

@@ -101,9 +101,8 @@ int main(int argc, char *argv[])
   modulename = argv[1];
   configfile = argv[2];
 
-  T(OSSL_LIB_CTX_load_config(libctx, configfile));
+  load_oqs_provider(libctx, modulename, configfile);
 
-  T(OSSL_PROVIDER_available(libctx, modulename));
   oqsprov = OSSL_PROVIDER_load(libctx, modulename);
 
   sigalgs = OSSL_PROVIDER_query_operation(oqsprov, OSSL_OP_SIGNATURE, &query_nocache);

test/oqs_test_tlssig.c

@@ -85,7 +85,7 @@ static void test_oqs_sigs(EVP_SIGNATURE *evpsig, void *vp) {
 	OSSL_PROVIDER* prov = EVP_SIGNATURE_get0_provider(evpsig);
 	if (!strcmp(OSSL_PROVIDER_get0_name(prov), "oqsprovider")) {
 		printf("Commencing test of %s:\n", EVP_SIGNATURE_get0_name(evpsig));
-		test_oqs_tlssig(EVP_SIGNATURE_get0_name(evpsig)); 
+		test_oqs_tlssig(EVP_SIGNATURE_get0_name(evpsig));
 	}
 }
 */
@@ -153,10 +153,9 @@ int main(int argc, char *argv[])
   configfile = argv[2];
   certsdir = argv[3];
 
-  T(OSSL_LIB_CTX_load_config(libctx, configfile));
+  load_oqs_provider(libctx, modulename, configfile);
 
-  T(OSSL_PROVIDER_available(libctx, modulename));
-  T(OSSL_PROVIDER_available(libctx, "default")); 
+  T(OSSL_PROVIDER_available(libctx, "default"));
 
 #ifdef OSSL_CAPABILITY_TLS_SIGALG_NAME
   // crashes: EVP_SIGNATURE_do_all_provided(libctx, test_oqs_sigs, &errcnt);

test/test_common.c

@@ -33,3 +33,21 @@ int alg_is_enabled(const char *algname) {
     return strstr(algname, alglist) == NULL;
 }
 
+#ifndef OQS_PROVIDER_STATIC
+
+/* Loads the oqs-provider from a shared module (.so). */
+void load_oqs_provider(OSSL_LIB_CTX *libctx, const char *modulename, const char *configfile) {
+  T(OSSL_LIB_CTX_load_config(libctx, configfile));
+  T(OSSL_PROVIDER_available(libctx, modulename));
+}
+
+#else
+
+/* Loads the statically linked oqs-provider. */
+void load_oqs_provider(OSSL_LIB_CTX *libctx, const char *modulename, const char *configfile) {
+  (void)configfile;
+  T(OSSL_PROVIDER_add_builtin(libctx, modulename, OSSL_provider_init));
+  T(OSSL_PROVIDER_load(libctx, "default"));
+}
+
+# endif // ifndef OQS_PROVIDER_STATIC

test/test_common.h

@@ -2,6 +2,7 @@
 
 #include <stdio.h>
 #include <openssl/err.h>
+#include <openssl/provider.h>
 
 /* For controlled success */
 #define T(e)                                    \
@@ -34,3 +35,6 @@
 
 void hexdump(const void *ptr, size_t len);
 int alg_is_enabled(const char *algname);
+
+/* Loads the oqs-provider. */
+void load_oqs_provider(OSSL_LIB_CTX *libctx, const char *modulename, const char *configfile);