Remove unmanaged KEM OIDs #522
Conversation
Signed-off-by: Michael Baentsch <[email protected]>
Signed-off-by: Michael Baentsch <[email protected]>
|
Do we have any idea of who might be using this functionality? For example, the IETC PQC certificate hackathon group? If so, would be good to know if/how this impacts them. @praveksharma have you been in recent contact with them at all? Or perhaps experiment in the NCCoe -- @christianpaquin any insight from NCCoE? Did you consider removing our hard-coded OIDs but still letting it be enabled at runtime if the relevant environment variable is set? (Without needing to regenerate from generate.yml and rebuild.) |
The NCCoE follows closely the work of the IETF hackathon, so their feedback would be helpful. Can you give some guidance, @johngray-dev? |
I haven't had recent contact regarding OID mappings but the relevant documentation in the IETF repo does not list any of the OIDs affected by this PR. |
No. I have never received positive nor negative feedback regarding this feature (added originally in support of an IETF hackathon) so consider it safe to drop for unassigned OIDs. Again, if someone wants to test any of the KEMs without OIDs, they should have an idea about the OID -- it's otherwise impossible to test :) -- and this PR is also meant to create an incentive to contribute such ideas to the community. Also, please note again that this is a completely voluntary effort on my part: I have to be(come) more efficient in how many features/options I keep supporting in my unpaid time. Things are even more acute as I have to now devote (waste) my time to working around (or using their processes to revert) problems created by LinuxFoundation: That org has easily cost (lost) me several hundred work hours this year.... But looking at the code again, it seems I created it such to enable the feature you're asking for @dstebila . It really would be nice if more people were contributing to the project..... I seem to forget more about the code than all other contributors combined added :-/
Thanks for that re-confirmation, @praveksharma . Supports my line of thinking. |
I confirmed (locally) that the en/decode tests do indeed pass for the NULL-ified KEMs when run with an appropriate environment variable set. |
test/oqs_test_endecode.c
Outdated
| @@ -175,6 +175,11 @@ static int test_oqs_encdec(const char *alg_name) { | |||
| if (pkey == NULL) | |||
| goto end; | |||
|
|
|||
| if (!OBJ_sn2nid(alg_name)) { | |||
| printf("No OID registered for %s", alg_name); | |||
| ok = 1; | |||
There was a problem hiding this comment.
May I suggest that we mark these as "skipped" instead of "passed"? We might be grateful for it later if we end up revisiting this code---we'll be able to tell from output alone if the tests are actually running for a given algorithm.
I'll add a suggestion to the test code as well to handle the extra return value.
| ok = 1; | |
| ok = -1; |
There was a problem hiding this comment.
OK, it seems that I can't add a suggestion directly on unmodified lines of code, but we could replace lines 221--231 with
switch(test_oqs_encdec(algs->algorithm_names)) {
case 1:
fprintf(stderr,
cGREEN " Encoding/Decoding test succeeded: %s" cNORM "\n",
algs->algorithm_names);
break;
case -1:
fprintf(stderr,
cBLUE " Encoding/Decoding test skipped: %s" cNORM "\n",
algs->algorithm_names);
break;
default:
fprintf(stderr,
cRED " Encoding/Decoding test failed: %s" cNORM "\n",
algs->algorithm_names);
ERR_print_errors_fp(stderr);
errcnt++;
break;
}There was a problem hiding this comment.
If you think this is a good idea, I can commit it directly to the branch to save you the trouble of copy-paste-format.
There was a problem hiding this comment.
@baentsch are you OK with my pushing the above code snippet to print "skipped" instead of "passed" on a -1 return code?
Co-authored-by: Spencer Wilson <[email protected]> Signed-off-by: Michael Baentsch <[email protected]>
Co-authored-by: Spencer Wilson <[email protected]> Signed-off-by: Michael Baentsch <[email protected]>
| | p384_mlkem768 | NULL | OQS_OID_P384_MLKEM768 | ||
| | x448_mlkem768 | NULL | OQS_OID_X448_MLKEM768 | ||
| | x25519_mlkem768 | NULL | OQS_OID_X25519_MLKEM768 | ||
| | p256_mlkem768 | NULL | OQS_OID_P256_MLKEM768 |
There was a problem hiding this comment.
You are dropping the two standardized *_mlkem768 hybrids while retaining the unused *_mlkem512 ones, shouldn't it be the other way around?
Now I have to correct myself: There is a code point but no OID for x25519_mlkem768. So the logic is correct. @ghen2 Can you please confirm what OID you are aware of for that algorithm? Same with your comment on the MLKEM512 hybrids: They do have code points, so should not be NULL. What leads you to think otherwise? In other words, the PR is OK. |
This comment gave the impression that those algorithms would no longer be supported. |
Ah; no, this never was the intention. Hence there's a "Yes" for all those algs higher up in the list where the code points are listed.
Exactly. No OID means no X.509 storage/retrieval. Rest of functionality unaffected. If you'd have a better way to formulate things, by all means please provide suggested wording. |
Signed-off-by: Michael Baentsch <[email protected]>
Thanks, Spencer! |
commit c4f6eac Merge: f0fe7d1 0312c00 Author: Michael Baentsch <[email protected]> Date: Mon Sep 23 17:05:42 2024 +0200 Merge branch 'main' into mb-disabletempoids Signed-off-by: Michael Baentsch <[email protected]> commit f0fe7d1 Author: Michael Baentsch <[email protected]> Date: Mon Sep 23 11:19:08 2024 +0200 Update test/oqs_test_endecode.c Co-authored-by: Spencer Wilson <[email protected]> Signed-off-by: Michael Baentsch <[email protected]> commit 3d5b68e Author: Michael Baentsch <[email protected]> Date: Mon Sep 23 11:18:58 2024 +0200 Update test/oqs_test_endecode.c Co-authored-by: Spencer Wilson <[email protected]> Signed-off-by: Michael Baentsch <[email protected]> commit e94338d Author: Michael Baentsch <[email protected]> Date: Sun Sep 15 18:19:33 2024 +0200 disable tests on no-OID KEMs Signed-off-by: Michael Baentsch <[email protected]> commit a60f6b7 Author: Michael Baentsch <[email protected]> Date: Sun Sep 15 17:31:57 2024 +0200 disable tmp OID generation Signed-off-by: Michael Baentsch <[email protected]>
Fixes #520