From 9eaa075bdc2d033e9eb32d9fe6f40d1d5efa55e6 Mon Sep 17 00:00:00 2001 From: thb-sb Date: Fri, 30 Jun 2023 18:11:47 +0200 Subject: [PATCH] Allow the user to build oqs-provider as a static library. This commit removes the `SHARED` argument of the `add_library`. By doing so, we let the user choose the build type of library. By default, CMake will build a static library. Thus, [`BUILD_SHARED_LIBS`] must be used to switch to a shared library. `oqs-provider` as a static library allows us to use the provider without having to store its shared library somewhere. In addition, it happens that some operating systems prohibit the use of `dlopen`/`dlsym`. To load `oqs-provider` when it is embedded into a library of a binary, one can use the [`OSSL_PROVIDER_add_builtin`] API from OpenSSL 3. [`BUILD_SHARED_LIBS`]: https://cmake.org/cmake/help/latest/variable/BUILD_SHARED_LIBS.html [`OSSL_PROVIDER_add_builtin`]: https://www.openssl.org/docs/man3.1/man3/OSSL_PROVIDER_add_builtin.html --- .circleci/config.yml | 30 ++++++++++++++++++++---------- .github/workflows/windows.yml | 2 +- CMakeLists.txt | 5 +++++ README.md | 21 +++++++++++++++++---- oqsprov/CMakeLists.txt | 8 +++++++- 5 files changed, 50 insertions(+), 16 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 3e53cbf0..6816d288 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -46,7 +46,7 @@ jobs: equal: [ openssl@3, << parameters.OPENSSL_PREINSTALL >> ] steps: - run: - name: Clone and build OpenSSL(3) + name: Clone and build OpenSSL(3) command: | git clone --branch master git://git.openssl.org/openssl.git openssl && cd openssl && ./config --prefix=$(echo $(pwd)/../.local) && make -j 18 && make install_sw && cd .. @@ -69,11 +69,11 @@ jobs: - run: name: Run tests (with encodings, positive and negative test) command: | - ./scripts/runtests_encodings.sh -V > log - if [ grep "Skipping testing of buggy OpenSSL" -eq 1 ]; then + ./scripts/runtests_encodings.sh -V > log + if [ grep "Skipping testing of buggy OpenSSL" -eq 1 ]; then cat log ! OQS_ENCODING_DILITHIUM2=foo OQS_ENCODING_DILITHIUM2_ALGNAME=bar ./scripts/runtests.sh -V - else + else cat log fi - run: @@ -88,10 +88,10 @@ jobs: name: Run tests (-DNOPUBKEY_IN_PRIVKEY=ON, with encodings, positive and negative test) command: | ./scripts/runtests_encodings.sh -V - if [ grep "Skipping testing of buggy OpenSSL" -eq 1 ]; then + if [ grep "Skipping testing of buggy OpenSSL" -eq 1 ]; then cat log ! OQS_ENCODING_DILITHIUM2=foo OQS_ENCODING_DILITHIUM2_ALGNAME=bar ./scripts/runtests.sh -V - else + else cat log fi @@ -120,7 +120,7 @@ jobs: git clone --depth 1 --branch main https://github.com/open-quantum-safe/liboqs.git && export LIBOQS_INSTALLPATH=$(pwd)/.local && cd liboqs && mkdir _build && cd _build && cmake -GNinja -DCMAKE_INSTALL_PREFIX=$LIBOQS_INSTALLPATH << parameters.CMAKE_ARGS >> .. && ninja install && - cd .. && cd .. && echo "export DYLD_LIBRARY_PATH=$DYLD_LIBRARY_PATH:$LIBOQS_INSTALLPATH/lib" >> "$BASH_ENV" + cd .. && cd .. && echo "export DYLD_LIBRARY_PATH=$DYLD_LIBRARY_PATH:$LIBOQS_INSTALLPATH/lib" >> "$BASH_ENV" - when: condition: not: @@ -158,11 +158,11 @@ jobs: - run: name: Run tests (with encodings) command: | - ./scripts/runtests_encodings.sh -V > log - if [ grep "Skipping testing of buggy OpenSSL" -eq 1 ]; then + ./scripts/runtests_encodings.sh -V > log + if [ grep "Skipping testing of buggy OpenSSL" -eq 1 ]; then cat log ! OQS_ENCODING_DILITHIUM2=foo OQS_ENCODING_DILITHIUM2_ALGNAME=bar ./scripts/runtests.sh -V - else + else cat log fi @@ -202,6 +202,12 @@ workflows: IMAGE: openquantumsafe/ci-ubuntu-jammy:latest CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=STD OPENSSL_PREINSTALL: openssl@3 + - ubuntu: + name: ubuntu-jammy-static + context: openquantumsafe + IMAGE: openquantumsafe/ci-ubuntu-jammy:latest + CMAKE_ARGS: -DOQS_PROVIDER_BUILD_STATIC=ON -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=STD + OPENSSL_PREINSTALL: openssl@3 - macOS: name: macOS-noopenssl CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=OFF @@ -210,6 +216,10 @@ workflows: name: macOS-shared CMAKE_ARGS: -DBUILD_SHARED_LIBS=ON -DOQS_DIST_BUILD=OFF -DOQS_ENABLE_KEM_CLASSIC_MCELIECE=OFF OPENSSL_PREINSTALL: openssl@3 + - macOS: + name: macOS-static + CMAKE_ARGS: -DOQS_PROVIDER_BUILD_STATIC=ON -DOQS_DIST_BUILD=OFF -DOQS_ENABLE_KEM_CLASSIC_MCELIECE=OFF + OPENSSL_PREINSTALL: openssl@3 on-main-branch: when: or: diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 2da8e6ec..7cffc45a 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -68,7 +68,7 @@ jobs: if: steps.cache-openssl32.outputs.cache-hit != 'true' run: bash -c "./config --prefix=/opt/openssl32 ${{ matrix.platform.config }} && perl configdata.pm --dump && make $MAKE_PARAMS && make install_sw" working-directory: openssl - - name: Check OpenSSL install3 + - name: Check OpenSSL install3 run: dir c:\cygwin\opt\openssl32 - name: Save OpenSSL id: cache-openssl-save diff --git a/CMakeLists.txt b/CMakeLists.txt index 855140a8..132462a6 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -40,6 +40,11 @@ else() message(STATUS "Build will not include external encoding library for SPKI/PKCS#8") endif() +option(OQS_PROVIDER_BUILD_STATIC "Build a static library instead of a shared library" OFF) +if(OQS_PROVIDER_BUILD_STATIC AND BUILD_SHARED_LIBS) + message(FATAL_ERROR "`OQS_PROVIDER_BUILD_STATIC` is not compatible with `BUILD_SHARED_LIBS`.") +endif() + include(CheckLibraryExists) include(CheckFunctionExists) diff --git a/README.md b/README.md index 4130452c..0be0bbd2 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,7 @@ key establishment in TLS1.3 including management of such keys via the OpenSSL (3.0) provider interface and hybrid KEM schemes. Also, QSC signatures including CMS and CMP functionality are available via the OpenSSL EVP interface. Key persistence is provided via the encode/decode -mechanism and X.509 data structures. Also available is support for +mechanism and X.509 data structures. Also available is support for TLS1.3 signature functionality via the [OpenSSL3 fetchable signature algorithm feature](https://github.com/openssl/openssl/pull/19312). @@ -100,7 +100,7 @@ e.g., as such: `openssl list -kem-algorithms -propquery oqsprovider.security_bit The bit strength of hybrid algorithms is always defined by the bit strength of the classic algorithm. -In order to enable parallel use of classic and quantum-safe cryptography +In order to enable parallel use of classic and quantum-safe cryptography this provider also provides different hybrid algorithms, combining classic and quantum-safe methods: These are listed above with a prefix denoting a classic algorithm, e.g., for elliptic curve: "p256_". @@ -281,6 +281,18 @@ By setting `-DNOPUBKEY_IN_PRIVKEY=` at compile-time, it can be further specified to omit explicitly serializing the public key in a `privateKey` structure. The default value is `OFF`. +### Static library + +oqs-provider can also be compiled as a static library, using the `OQS_PROVIDER_BUILD_STATIC` +option: + +```shell +$ cmake -B build -DOQS_PROVIDER_BUILD_STATIC=ON +``` + +> **Warning** +> `OQS_PROVIDER_BUILD_STATIC` and `BUILD_SHARED_LIBS` are mutually exclusive. + Building on Windows -------------------- Building `oqsprovider` following the steps outlined above have been @@ -311,7 +323,7 @@ eliminates the need for specific PATH setting as showcased below. ## Checking provider version information - LD_LIBRARY_PATH=.local/lib64 .local/bin/openssl list -providers -verbose -provider-path _build/lib -provider oqsprovider + LD_LIBRARY_PATH=.local/lib64 .local/bin/openssl list -providers -verbose -provider-path _build/lib -provider oqsprovider If using a standard install of openssl(3) and including `oqsprovider` activation in the global "openssl.cnf" file, the command accordingly gets simplified to: @@ -364,7 +376,7 @@ Step 1: Create quantum-safe key pair and self-signed certificate: LD_LIBRARY_PATH=.local/lib64 .local/bin/openssl req -x509 -new -newkey dilithium3 -keyout qsc.key -out qsc.crt -nodes -subj "/CN=oqstest" -days 365 -config openssl/apps/openssl.cnf -provider-path _build/lib -provider oqsprovider -provider default -By changing the `-newkey` parameter algorithm name [any of the +By changing the `-newkey` parameter algorithm name [any of the supported quantum-safe or hybrid algorithms](#signature-algorithms) can be utilized instead of the sample algorithm `dilithium3`. @@ -490,6 +502,7 @@ Contributors to the `oqsprovider` include: - Julian Segeth - Alex Zaslavsky - Will Childs-Klein +- Thomas Bailleux Acknowledgments --------------- diff --git a/oqsprov/CMakeLists.txt b/oqsprov/CMakeLists.txt index 690e75cf..1e4afd16 100644 --- a/oqsprov/CMakeLists.txt +++ b/oqsprov/CMakeLists.txt @@ -31,7 +31,13 @@ set(PROVIDER_SOURCE_FILES set(PROVIDER_HEADER_FILES oqs_prov.h oqs_endecoder_local.h ) -add_library(oqsprovider SHARED ${PROVIDER_SOURCE_FILES}) + +set(OQS_LIBRARY_TYPE SHARED) +if(OQS_PROVIDER_BUILD_STATIC) + set(OQS_LIBRARY_TYPE STATIC) +endif() + +add_library(oqsprovider ${OQS_LIBRARY_TYPE} ${PROVIDER_SOURCE_FILES}) if (USE_ENCODING_LIB) add_dependencies(oqsprovider encoder) endif()