liboqs: check whether Kyber768 is compiled in

Related: RHEL-50011 Signed-off-by: Daiki Ueno <dueno@redhat.com>
2024-07-29 08:54:00 +09:00 · 2024-07-29 08:54:00 +09:00 · 0ad408d5bc
commit 0ad408d5bc
parent 3559e33707
1 changed files with 135 additions and 0 deletions
--- a/gnutls-3.8.6-liboqs-x25519-kyber768d00.patch
+++ b/gnutls-3.8.6-liboqs-x25519-kyber768d00.patch
@ -3109,3 +3109,138 @@ index 4155a540ed..79f7988d50 100644
 -- 
 2.45.2

+From dfac4bb0d96507a409e3c3434c04bd8f79ac479f Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 29 Jul 2024 08:40:34 +0900
+Subject: [PATCH 1/2] liboqs: check whether Kyber768 is compiled in
+
+In the default build configuration of liboqs 0.10.1, Kyber768 is
+disabled. This adds a guard against it and skip tests if not
+available.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ devel/dlwrap/oqs.syms  |  1 +
+ lib/dlwrap/oqsfuncs.h  |  1 +
+ lib/nettle/pk.c        | 27 ++++++++++++++++++---------
+ tests/pqc-hybrid-kx.sh |  4 ++++
+ 4 files changed, 24 insertions(+), 9 deletions(-)
+
+diff --git a/devel/dlwrap/oqs.syms b/devel/dlwrap/oqs.syms
+index 8f067b2dd3..413f887598 100644
+--- a/devel/dlwrap/oqs.syms
+++ b/devel/dlwrap/oqs.syms
+@@ -1,6 +1,7 @@
+ OQS_SHA3_set_callbacks
+ OQS_init
+ OQS_destroy
+OQS_KEM_alg_is_enabled
+ OQS_KEM_new
+ OQS_KEM_encaps
+ OQS_KEM_decaps
+diff --git a/lib/dlwrap/oqsfuncs.h b/lib/dlwrap/oqsfuncs.h
+index 95c1b083dc..4aa0ba4ab4 100644
+--- a/lib/dlwrap/oqsfuncs.h
+++ b/lib/dlwrap/oqsfuncs.h
+@@ -7,6 +7,7 @@ VOID_FUNC(void, OQS_init, (void), ())
+ VOID_FUNC(void, OQS_destroy, (void), ())
+ VOID_FUNC(void, OQS_SHA3_set_callbacks, (struct OQS_SHA3_callbacks *new_callbacks), (new_callbacks))
+ VOID_FUNC(void, OQS_randombytes_custom_algorithm, (void (*algorithm_ptr)(uint8_t *, size_t)), (algorithm_ptr))
+FUNC(int, OQS_KEM_alg_is_enabled, (const char *method_name), (method_name))
+ FUNC(OQS_KEM *, OQS_KEM_new, (const char *method_name), (method_name))
+ FUNC(OQS_STATUS, OQS_KEM_keypair, (const OQS_KEM *kem, uint8_t *public_key, uint8_t *secret_key), (kem, public_key, secret_key))
+ FUNC(OQS_STATUS, OQS_KEM_encaps, (const OQS_KEM *kem, uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key), (kem, ciphertext, shared_secret, public_key))
+diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
+index eb8c44459d..8a987ed121 100644
+--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
+@@ -704,7 +704,9 @@ static int _wrap_nettle_pk_encaps(gnutls_pk_algorithm_t algo,
+ 		OQS_KEM *kem = NULL;
+ 		OQS_STATUS rc;
+ 
+-		if (_gnutls_liboqs_ensure() < 0)
+		if (_gnutls_liboqs_ensure() < 0 ||
+		    !GNUTLS_OQS_FUNC(OQS_KEM_alg_is_enabled)(
+			    OQS_KEM_alg_kyber_768))
+ 			return gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
+ 
+ 		kem = GNUTLS_OQS_FUNC(OQS_KEM_new)(OQS_KEM_alg_kyber_768);
+@@ -765,7 +767,9 @@ static int _wrap_nettle_pk_decaps(gnutls_pk_algorithm_t algo,
+ 		OQS_KEM *kem = NULL;
+ 		OQS_STATUS rc;
+ 
+-		if (_gnutls_liboqs_ensure() < 0)
+		if (_gnutls_liboqs_ensure() < 0 ||
+		    !GNUTLS_OQS_FUNC(OQS_KEM_alg_is_enabled)(
+			    OQS_KEM_alg_kyber_768))
+ 			return gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
+ 
+ 		kem = GNUTLS_OQS_FUNC(OQS_KEM_new)(OQS_KEM_alg_kyber_768);
+@@ -2359,7 +2363,9 @@ static int _wrap_nettle_pk_exists(gnutls_pk_algorithm_t pk)
+ 		return 1;
+ #ifdef HAVE_LIBOQS
+ 	case GNUTLS_PK_EXP_KYBER768:
+-		return _gnutls_liboqs_ensure() == 0;
+		return _gnutls_liboqs_ensure() == 0 &&
+		       GNUTLS_OQS_FUNC(OQS_KEM_alg_is_enabled)(
+			       OQS_KEM_alg_kyber_768);
+ #endif
+ 	default:
+ 		return 0;
+@@ -2997,7 +3003,9 @@ static int pct_test(gnutls_pk_algorithm_t algo,
+ 		break;
+ #ifdef HAVE_LIBOQS
+ 	case GNUTLS_PK_EXP_KYBER768:
+-		if (_gnutls_liboqs_ensure() < 0) {
+		if (_gnutls_liboqs_ensure() < 0 ||
+		    !GNUTLS_OQS_FUNC(OQS_KEM_alg_is_enabled)(
+			    OQS_KEM_alg_kyber_768)) {
+ 			ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
+ 			goto cleanup;
+ 		}
+@@ -3736,12 +3744,12 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
+ 		OQS_KEM *kem = NULL;
+ 		OQS_STATUS rc;
+ 
+-#ifdef HAVE_LIBOQS
+-		if (_gnutls_liboqs_ensure() < 0) {
+		if (_gnutls_liboqs_ensure() < 0 ||
+		    !GNUTLS_OQS_FUNC(OQS_KEM_alg_is_enabled)(
+			    OQS_KEM_alg_kyber_768)) {
+ 			ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
+ 			goto cleanup;
+ 		}
+-#endif
+ 
+ 		not_approved = true;
+ 
+@@ -4038,8 +4046,9 @@ static int wrap_nettle_pk_verify_priv_params(gnutls_pk_algorithm_t algo,
+ 	}
+ #ifdef HAVE_LIBOQS
+ 	case GNUTLS_PK_EXP_KYBER768:
+-		ret = _gnutls_liboqs_ensure();
+-		if (ret < 0)
+		if (_gnutls_liboqs_ensure() < 0 ||
+		    !GNUTLS_OQS_FUNC(OQS_KEM_alg_is_enabled)(
+			    OQS_KEM_alg_kyber_768))
+ 			ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
+ 		break;
+ #endif
+diff --git a/tests/pqc-hybrid-kx.sh b/tests/pqc-hybrid-kx.sh
+index b587587bd2..6d47105fa0 100644
+--- a/tests/pqc-hybrid-kx.sh
+++ b/tests/pqc-hybrid-kx.sh
+@@ -31,6 +31,10 @@ if ! test -x "${CLI}"; then
+ 	exit 77
+ fi
+ 
+if ! "${CLI}" --list | grep '^Public Key Systems: .*Kyber768.*' >/dev/null; then
+	exit 77
+fi
+
+ . "${srcdir}/scripts/common.sh"
+ testdir=`create_testdir pqc-hybrid-kx`
+ 
+-- 
+2.45.2
+