
Allow the user to build oqs-provider as a static library.
This commit removes the `SHARED` argument of the `add_library`.
By doing so, we let the user choose the build type of library.

By default, CMake will build a static library. Thus, [`BUILD_SHARED_LIBS`]
must be used to switch to a shared library.

`oqs-provider` as a static library allows us to use the provider without
having to store its shared library somewhere. In addition, it happens that
some operating systems prohibit the use of `dlopen`/`dlsym`.

To load `oqs-provider` when it is embedded into a library or a binary, one
can use the [`OSSL_PROVIDER_add_builtin`] API from OpenSSL 3.

[`BUILD_SHARED_LIBS`]: https://cmake.org/cmake/help/latest/variable/BUILD_SHARED_LIBS.html
[`OSSL_PROVIDER_add_builtin`]: https://www.openssl.org/docs/man3.1/man3/OSSL_PROVIDER_add_builtin.html
thb-sb committed Jun 30, 2023
1 parent 6b34839 commit 9eaa075
Showing 5 changed files with 50 additions and 16 deletions.
30 changes: 20 additions & 10 deletions .circleci/config.yml
Expand Up @@ -46,7 +46,7 @@ jobs:
equal: [ openssl@3, << parameters.OPENSSL_PREINSTALL >> ]
steps:
- run:
name: Clone and build OpenSSL(3)
name: Clone and build OpenSSL(3)
command: |
git clone --branch master git://git.openssl.org/openssl.git openssl &&
cd openssl && ./config --prefix=$(echo $(pwd)/../.local) && make -j 18 && make install_sw && cd ..
Expand All @@ -69,11 +69,11 @@ jobs:
- run:
name: Run tests (with encodings, positive and negative test)
command: |
./scripts/runtests_encodings.sh -V > log
if [ grep "Skipping testing of buggy OpenSSL" -eq 1 ]; then
./scripts/runtests_encodings.sh -V > log
if [ grep "Skipping testing of buggy OpenSSL" -eq 1 ]; then
cat log
! OQS_ENCODING_DILITHIUM2=foo OQS_ENCODING_DILITHIUM2_ALGNAME=bar ./scripts/runtests.sh -V
else
else
cat log
fi
- run:
Expand All @@ -88,10 +88,10 @@ jobs:
name: Run tests (-DNOPUBKEY_IN_PRIVKEY=ON, with encodings, positive and negative test)
command: |
./scripts/runtests_encodings.sh -V
if [ grep "Skipping testing of buggy OpenSSL" -eq 1 ]; then
if [ grep "Skipping testing of buggy OpenSSL" -eq 1 ]; then
cat log
! OQS_ENCODING_DILITHIUM2=foo OQS_ENCODING_DILITHIUM2_ALGNAME=bar ./scripts/runtests.sh -V
else
else
cat log
fi
Expand Down Expand Up @@ -120,7 +120,7 @@ jobs:
git clone --depth 1 --branch main https://github.com/open-quantum-safe/liboqs.git &&
export LIBOQS_INSTALLPATH=$(pwd)/.local && cd liboqs && mkdir _build && cd _build &&
cmake -GNinja -DCMAKE_INSTALL_PREFIX=$LIBOQS_INSTALLPATH << parameters.CMAKE_ARGS >> .. && ninja install &&
cd .. && cd .. && echo "export DYLD_LIBRARY_PATH=$DYLD_LIBRARY_PATH:$LIBOQS_INSTALLPATH/lib" >> "$BASH_ENV"
cd .. && cd .. && echo "export DYLD_LIBRARY_PATH=$DYLD_LIBRARY_PATH:$LIBOQS_INSTALLPATH/lib" >> "$BASH_ENV"
- when:
condition:
not:
Expand Down Expand Up @@ -158,11 +158,11 @@ jobs:
- run:
name: Run tests (with encodings)
command: |
./scripts/runtests_encodings.sh -V > log
if [ grep "Skipping testing of buggy OpenSSL" -eq 1 ]; then
./scripts/runtests_encodings.sh -V > log
if [ grep "Skipping testing of buggy OpenSSL" -eq 1 ]; then
cat log
! OQS_ENCODING_DILITHIUM2=foo OQS_ENCODING_DILITHIUM2_ALGNAME=bar ./scripts/runtests.sh -V
else
else
cat log
fi
Expand Down Expand Up @@ -202,6 +202,12 @@ workflows:
IMAGE: openquantumsafe/ci-ubuntu-jammy:latest
CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=STD
OPENSSL_PREINSTALL: openssl@3
- ubuntu:
name: ubuntu-jammy-static
context: openquantumsafe
IMAGE: openquantumsafe/ci-ubuntu-jammy:latest
CMAKE_ARGS: -DOQS_PROVIDER_BUILD_STATIC=ON -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=STD
OPENSSL_PREINSTALL: openssl@3
- macOS:
name: macOS-noopenssl
CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=OFF
Expand All @@ -210,6 +216,10 @@ workflows:
name: macOS-shared
CMAKE_ARGS: -DBUILD_SHARED_LIBS=ON -DOQS_DIST_BUILD=OFF -DOQS_ENABLE_KEM_CLASSIC_MCELIECE=OFF
OPENSSL_PREINSTALL: openssl@3
- macOS:
name: macOS-static
CMAKE_ARGS: -DOQS_PROVIDER_BUILD_STATIC=ON -DOQS_DIST_BUILD=OFF -DOQS_ENABLE_KEM_CLASSIC_MCELIECE=OFF
OPENSSL_PREINSTALL: openssl@3
on-main-branch:
when:
or:
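Review bot: The two new static jobs (ubuntu-jammy-static and macOS-static) pass `-DOQS_PROVIDER_BUILD_STATIC=ON` but appear to reuse job definitions whose later steps run `./scripts/runtests.sh`, which loads the provider as a dynamically loaded module via `-provider-path`; with a static archive there is no module for those steps to load, so they would presumably fail or exercise nothing — the job bodies are outside this hunk, so this should be confirmed. If the static jobs are only meant to prove that the archive compiles, a comment on the job saying so, or a parameter that skips the runtime-test steps, would make that explicit. The macOS-static job also mirrors macOS-shared's `-DOQS_DIST_BUILD=OFF -DOQS_ENABLE_KEM_CLASSIC_MCELIECE=OFF` rather than the strict-warnings flags used by ubuntu-jammy-static, which is worth a comment if intentional.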
2 changes: 1 addition & 1 deletion .github/workflows/windows.yml
Expand Up @@ -68,7 +68,7 @@ jobs:
if: steps.cache-openssl32.outputs.cache-hit != 'true'
run: bash -c "./config --prefix=/opt/openssl32 ${{ matrix.platform.config }} && perl configdata.pm --dump && make $MAKE_PARAMS && make install_sw"
working-directory: openssl
- name: Check OpenSSL install3
- name: Check OpenSSL install3
run: dir c:\cygwin\opt\openssl32
- name: Save OpenSSL
id: cache-openssl-save
5 changes: 5 additions & 0 deletions CMakeLists.txt
Expand Up @@ -40,6 +40,11 @@ else()
message(STATUS "Build will not include external encoding library for SPKI/PKCS#8")
endif()

option(OQS_PROVIDER_BUILD_STATIC "Build a static library instead of a shared library" OFF)
if(OQS_PROVIDER_BUILD_STATIC AND BUILD_SHARED_LIBS)
message(FATAL_ERROR "`OQS_PROVIDER_BUILD_STATIC` is not compatible with `BUILD_SHARED_LIBS`.")
endif()

include(CheckLibraryExists)
include(CheckFunctionExists)

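Review bot: The new guard rejects only the `ON`/`ON` combination; an explicit `-DBUILD_SHARED_LIBS=OFF` with `OQS_PROVIDER_BUILD_STATIC` at its default is accepted yet still yields a shared library, because oqsprov/CMakeLists.txt defaults `OQS_LIBRARY_TYPE` to SHARED and never reads `BUILD_SHARED_LIBS`. Either honour the standard variable there, e.g. `if(OQS_PROVIDER_BUILD_STATIC OR (DEFINED BUILD_SHARED_LIBS AND NOT BUILD_SHARED_LIBS))`, or state in the option's help string that `BUILD_SHARED_LIBS` is not consulted by this project. A short comment above the `option()` explaining why a project-specific switch exists alongside the standard variable would also help future readers.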
21 changes: 17 additions & 4 deletions README.md
Expand Up @@ -25,7 +25,7 @@ key establishment in TLS1.3 including management of such keys via the
OpenSSL (3.0) provider interface and hybrid KEM schemes. Also, QSC
signatures including CMS and CMP functionality are available via the OpenSSL
EVP interface. Key persistence is provided via the encode/decode
mechanism and X.509 data structures. Also available is support for
mechanism and X.509 data structures. Also available is support for
TLS1.3 signature functionality via the [OpenSSL3 fetchable signature
algorithm feature](https://github.com/openssl/openssl/pull/19312).

Expand Down Expand Up @@ -100,7 +100,7 @@ e.g., as such: `openssl list -kem-algorithms -propquery oqsprovider.security_bit
The bit strength of hybrid algorithms is always defined by the bit strength
of the classic algorithm.

In order to enable parallel use of classic and quantum-safe cryptography
In order to enable parallel use of classic and quantum-safe cryptography
this provider also provides different hybrid algorithms, combining classic
and quantum-safe methods: These are listed above with a prefix denoting a
classic algorithm, e.g., for elliptic curve: "p256_".
Expand Down Expand Up @@ -281,6 +281,18 @@ By setting `-DNOPUBKEY_IN_PRIVKEY=<ON/OFF>` at compile-time, it can be further
specified to omit explicitly serializing the public key in a `privateKey`
structure. The default value is `OFF`.

### Static library

oqs-provider can also be compiled as a static library, using the `OQS_PROVIDER_BUILD_STATIC`
option:

```shell
$ cmake -B build -DOQS_PROVIDER_BUILD_STATIC=ON
```

> **Warning**
> `OQS_PROVIDER_BUILD_STATIC` and `BUILD_SHARED_LIBS` are mutually exclusive.
Building on Windows
--------------------
Building `oqsprovider` following the steps outlined above have been
Expand Down Expand Up @@ -311,7 +323,7 @@ eliminates the need for specific PATH setting as showcased below.

## Checking provider version information

LD_LIBRARY_PATH=.local/lib64 .local/bin/openssl list -providers -verbose -provider-path _build/lib -provider oqsprovider
LD_LIBRARY_PATH=.local/lib64 .local/bin/openssl list -providers -verbose -provider-path _build/lib -provider oqsprovider

If using a standard install of openssl(3) and including `oqsprovider` activation
in the global "openssl.cnf" file, the command accordingly gets simplified to:
Expand Down Expand Up @@ -364,7 +376,7 @@ Step 1: Create quantum-safe key pair and self-signed certificate:

LD_LIBRARY_PATH=.local/lib64 .local/bin/openssl req -x509 -new -newkey dilithium3 -keyout qsc.key -out qsc.crt -nodes -subj "/CN=oqstest" -days 365 -config openssl/apps/openssl.cnf -provider-path _build/lib -provider oqsprovider -provider default

By changing the `-newkey` parameter algorithm name [any of the
By changing the `-newkey` parameter algorithm name [any of the
supported quantum-safe or hybrid algorithms](#signature-algorithms)
can be utilized instead of the sample algorithm `dilithium3`.

Expand Down Expand Up @@ -490,6 +502,7 @@ Contributors to the `oqsprovider` include:
- Julian Segeth
- Alex Zaslavsky
- Will Childs-Klein
- Thomas Bailleux

Acknowledgments
---------------
8 changes: 7 additions & 1 deletion oqsprov/CMakeLists.txt
Expand Up @@ -31,7 +31,13 @@ set(PROVIDER_SOURCE_FILES
set(PROVIDER_HEADER_FILES
oqs_prov.h oqs_endecoder_local.h
)
add_library(oqsprovider SHARED ${PROVIDER_SOURCE_FILES})

set(OQS_LIBRARY_TYPE SHARED)
if(OQS_PROVIDER_BUILD_STATIC)
set(OQS_LIBRARY_TYPE STATIC)
endif()

add_library(oqsprovider ${OQS_LIBRARY_TYPE} ${PROVIDER_SOURCE_FILES})
if (USE_ENCODING_LIB)
add_dependencies(oqsprovider encoder)
endif()
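Review bot: `add_library(oqsprovider ${OQS_LIBRARY_TYPE} ${PROVIDER_SOURCE_FILES})` still passes an explicit library type (SHARED unless `OQS_PROVIDER_BUILD_STATIC` is set), so the commit description's statement that the `SHARED` argument was removed and `BUILD_SHARED_LIBS` now decides does not match this hunk; one of the two should be brought in line. A comment above `set(OQS_LIBRARY_TYPE SHARED)`, such as `# Loadable module by default; OQS_PROVIDER_BUILD_STATIC selects an archive for embedding via OSSL_PROVIDER_add_builtin`, would document the intent. Nothing in this hunk installs the static archive or exposes its provider entry point to an embedding program, which the commit description names as the intended use; if that is handled elsewhere, it is not visible here.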
