From 2928a530b074439df3fbe25a3d3fb8b3753d765d Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Thu, 24 Oct 2024 18:13:41 +0200
Subject: [PATCH] OQS provider should provide only standard groups

Resolves: RHEL-64277
---
 01-iana-kem-only.patch | 126 +++++++++++++++++++++++++++++++++++++++++
 oqsprovider.spec       |  10 +++-
 2 files changed, 134 insertions(+), 2 deletions(-)
 create mode 100644 01-iana-kem-only.patch

diff --git a/01-iana-kem-only.patch b/01-iana-kem-only.patch
new file mode 100644
index 0000000..7d573fc
--- /dev/null
+++ b/01-iana-kem-only.patch
@@ -0,0 +1,126 @@
+diff -up oqs-provider-0.7.0/oqsprov/oqsprov_capabilities.c.xxx oqs-provider-0.7.0/oqsprov/oqsprov_capabilities.c
+--- oqs-provider-0.7.0/oqsprov/oqsprov_capabilities.c.xxx	2024-10-24 17:53:18.851079647 +0200
++++ oqs-provider-0.7.0/oqsprov/oqsprov_capabilities.c	2024-10-24 17:54:02.535120220 +0200
+@@ -138,122 +138,9 @@ static OQS_GROUP_CONSTANTS oqs_group_lis
+ static const OSSL_PARAM oqs_param_group_list[][11] = {
+ ///// OQS_TEMPLATE_FRAGMENT_GROUP_NAMES_START
+ 
+-#ifdef OQS_ENABLE_KEM_frodokem_640_aes
+-    OQS_GROUP_ENTRY(frodo640aes, frodo640aes, frodo640aes, 0),
+-
+-    OQS_GROUP_ENTRY(p256_frodo640aes, p256_frodo640aes, p256_frodo640aes, 1),
+-    OQS_GROUP_ENTRY(x25519_frodo640aes, x25519_frodo640aes, x25519_frodo640aes,
+-                    2),
+-#endif
+-#ifdef OQS_ENABLE_KEM_frodokem_640_shake
+-    OQS_GROUP_ENTRY(frodo640shake, frodo640shake, frodo640shake, 3),
+-
+-    OQS_GROUP_ENTRY(p256_frodo640shake, p256_frodo640shake, p256_frodo640shake,
+-                    4),
+-    OQS_GROUP_ENTRY(x25519_frodo640shake, x25519_frodo640shake,
+-                    x25519_frodo640shake, 5),
+-#endif
+-#ifdef OQS_ENABLE_KEM_frodokem_976_aes
+-    OQS_GROUP_ENTRY(frodo976aes, frodo976aes, frodo976aes, 6),
+-
+-    OQS_GROUP_ENTRY(p384_frodo976aes, p384_frodo976aes, p384_frodo976aes, 7),
+-    OQS_GROUP_ENTRY(x448_frodo976aes, x448_frodo976aes, x448_frodo976aes, 8),
+-#endif
+-#ifdef OQS_ENABLE_KEM_frodokem_976_shake
+-    OQS_GROUP_ENTRY(frodo976shake, frodo976shake, frodo976shake, 9),
+-
+-    OQS_GROUP_ENTRY(p384_frodo976shake, p384_frodo976shake, p384_frodo976shake,
+-                    10),
+-    OQS_GROUP_ENTRY(x448_frodo976shake, x448_frodo976shake, x448_frodo976shake,
+-                    11),
+-#endif
+-#ifdef OQS_ENABLE_KEM_frodokem_1344_aes
+-    OQS_GROUP_ENTRY(frodo1344aes, frodo1344aes, frodo1344aes, 12),
+-
+-    OQS_GROUP_ENTRY(p521_frodo1344aes, p521_frodo1344aes, p521_frodo1344aes,
+-                    13),
+-#endif
+-#ifdef OQS_ENABLE_KEM_frodokem_1344_shake
+-    OQS_GROUP_ENTRY(frodo1344shake, frodo1344shake, frodo1344shake, 14),
+-
+-    OQS_GROUP_ENTRY(p521_frodo1344shake, p521_frodo1344shake,
+-                    p521_frodo1344shake, 15),
+-#endif
+-#ifdef OQS_ENABLE_KEM_kyber_512
+-    OQS_GROUP_ENTRY(kyber512, kyber512, kyber512, 16),
+-
+-    OQS_GROUP_ENTRY(p256_kyber512, p256_kyber512, p256_kyber512, 17),
+-    OQS_GROUP_ENTRY(x25519_kyber512, x25519_kyber512, x25519_kyber512, 18),
+-#endif
+-#ifdef OQS_ENABLE_KEM_kyber_768
+-    OQS_GROUP_ENTRY(kyber768, kyber768, kyber768, 19),
+-
+-    OQS_GROUP_ENTRY(p384_kyber768, p384_kyber768, p384_kyber768, 20),
+-    OQS_GROUP_ENTRY(x448_kyber768, x448_kyber768, x448_kyber768, 21),
+-    OQS_GROUP_ENTRY(x25519_kyber768, x25519_kyber768, x25519_kyber768, 22),
+-    OQS_GROUP_ENTRY(p256_kyber768, p256_kyber768, p256_kyber768, 23),
+-#endif
+-#ifdef OQS_ENABLE_KEM_kyber_1024
+-    OQS_GROUP_ENTRY(kyber1024, kyber1024, kyber1024, 24),
+-
+-    OQS_GROUP_ENTRY(p521_kyber1024, p521_kyber1024, p521_kyber1024, 25),
+-#endif
+-#ifdef OQS_ENABLE_KEM_ml_kem_512
+-    OQS_GROUP_ENTRY(mlkem512, mlkem512, mlkem512, 26),
+-
+-    OQS_GROUP_ENTRY(p256_mlkem512, p256_mlkem512, p256_mlkem512, 27),
+-    OQS_GROUP_ENTRY(x25519_mlkem512, x25519_mlkem512, x25519_mlkem512, 28),
+-#endif
+-#ifdef OQS_ENABLE_KEM_ml_kem_768
+-    OQS_GROUP_ENTRY(mlkem768, mlkem768, mlkem768, 29),
+-
+-    OQS_GROUP_ENTRY(p384_mlkem768, p384_mlkem768, p384_mlkem768, 30),
+-    OQS_GROUP_ENTRY(x448_mlkem768, x448_mlkem768, x448_mlkem768, 31),
+     OQS_GROUP_ENTRY(X25519MLKEM768, X25519MLKEM768, X25519MLKEM768, 32),
+     OQS_GROUP_ENTRY(SecP256r1MLKEM768, SecP256r1MLKEM768, SecP256r1MLKEM768,
+                     33),
+-#endif
+-#ifdef OQS_ENABLE_KEM_ml_kem_1024
+-    OQS_GROUP_ENTRY(mlkem1024, mlkem1024, mlkem1024, 34),
+-
+-    OQS_GROUP_ENTRY(p521_mlkem1024, p521_mlkem1024, p521_mlkem1024, 35),
+-    OQS_GROUP_ENTRY(p384_mlkem1024, p384_mlkem1024, p384_mlkem1024, 36),
+-#endif
+-#ifdef OQS_ENABLE_KEM_bike_l1
+-    OQS_GROUP_ENTRY(bikel1, bikel1, bikel1, 37),
+-
+-    OQS_GROUP_ENTRY(p256_bikel1, p256_bikel1, p256_bikel1, 38),
+-    OQS_GROUP_ENTRY(x25519_bikel1, x25519_bikel1, x25519_bikel1, 39),
+-#endif
+-#ifdef OQS_ENABLE_KEM_bike_l3
+-    OQS_GROUP_ENTRY(bikel3, bikel3, bikel3, 40),
+-
+-    OQS_GROUP_ENTRY(p384_bikel3, p384_bikel3, p384_bikel3, 41),
+-    OQS_GROUP_ENTRY(x448_bikel3, x448_bikel3, x448_bikel3, 42),
+-#endif
+-#ifdef OQS_ENABLE_KEM_bike_l5
+-    OQS_GROUP_ENTRY(bikel5, bikel5, bikel5, 43),
+-
+-    OQS_GROUP_ENTRY(p521_bikel5, p521_bikel5, p521_bikel5, 44),
+-#endif
+-#ifdef OQS_ENABLE_KEM_hqc_128
+-    OQS_GROUP_ENTRY(hqc128, hqc128, hqc128, 45),
+-
+-    OQS_GROUP_ENTRY(p256_hqc128, p256_hqc128, p256_hqc128, 46),
+-    OQS_GROUP_ENTRY(x25519_hqc128, x25519_hqc128, x25519_hqc128, 47),
+-#endif
+-#ifdef OQS_ENABLE_KEM_hqc_192
+-    OQS_GROUP_ENTRY(hqc192, hqc192, hqc192, 48),
+-
+-    OQS_GROUP_ENTRY(p384_hqc192, p384_hqc192, p384_hqc192, 49),
+-    OQS_GROUP_ENTRY(x448_hqc192, x448_hqc192, x448_hqc192, 50),
+-#endif
+-#ifdef OQS_ENABLE_KEM_hqc_256
+-    OQS_GROUP_ENTRY(hqc256, hqc256, hqc256, 51),
+-
+-    OQS_GROUP_ENTRY(p521_hqc256, p521_hqc256, p521_hqc256, 52),
+-#endif
+-    ///// OQS_TEMPLATE_FRAGMENT_GROUP_NAMES_END
+ };
+ 
+ typedef struct oqs_sigalg_constants_st {
diff --git a/oqsprovider.spec b/oqsprovider.spec
index 16fec82..8b406d4 100644
--- a/oqsprovider.spec
+++ b/oqsprovider.spec
@@ -1,8 +1,8 @@
 %global oqs_version 0.7.0
-%global liboqs_min_version 0.11.0
+%global liboqs_min_version 0.11.0-3
 Name:       oqsprovider
 Version:    %{oqs_version}
-Release:    1%{?dist}
+Release:    2%{?dist}
 Summary:    oqsprovider is an OpenSSL provider for quantum-safe algorithms based on liboqs
 
 License:    Apache-2.0 AND MIT
@@ -10,6 +10,8 @@ URL:        https://github.com/open-quantum-safe/oqs-provider.git
 Source0:    https://github.com/open-quantum-safe/oqs-provider/archive/refs/tags/%{oqs_version}.tar.gz
 Source1:    oqsprovider.conf
 
+Patch01:    01-iana-kem-only.patch
+
 Requires: liboqs >= %{liboqs_min_version}
 Requires: openssl
 BuildRequires: ninja-build
@@ -52,6 +54,10 @@ install -m644 '%{SOURCE1}' \
 %config(noreplace) %{_sysconfdir}/pki/tls/openssl.d/oqsprovider.conf
 
 %changelog
+* Thu Oct 24 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 0.7.0-2
+- OQS provider should provide only standard groups
+  Resolves: RHEL-64277
+
 * Thu Oct 17 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 0.7.0-1
 - Rebase oqsprovider to 0.7.0
   Resolves: RHEL-56155