From b37c937a649ec9cdb82c4964f97aa7d8ec0c9b01 Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Mon, 9 Sep 2024 10:43:59 -0400 Subject: [PATCH] Refactor liboqs CI and update Ubuntu images (#1909) * Refactor liboqs CI to utilize reusable workflows * Add CI.md documentation file * Update all Focal jobs to Noble (the latest Ubuntu LTS) * Minor fixes to address issues related to the update (CT files / syntax / static analysis) 
Signed-off-by: Spencer Wilson --- .github/CODEOWNERS | 2 +- .github/workflows/android.yml | 2 +- .github/workflows/apple.yml | 2 +- .github/workflows/basic.yml | 75 +++++++ .github/workflows/commit-to-main.yml | 111 +++------- .github/workflows/downstream-basic.yml | 83 +++++++ ...elease-test.yml => downstream-release.yml} | 16 +- .github/workflows/extended.yml | 74 +++++++ .github/workflows/{unix.yml => linux.yml} | 207 +++--------------- .github/workflows/macos.yml | 58 +++++ .github/workflows/platforms.yml | 26 +++ .github/workflows/pr.yml | 42 ++++ .github/workflows/push.yml | 33 +++ .github/workflows/release.yml | 17 ++ .github/workflows/scorecard.yml | 11 +- .github/workflows/weekly.yml | 99 +++------ .github/workflows/windows.yml | 2 +- .github/workflows/zephyr.yml | 2 +- CI.md | 107 +++++++++ CONTRIBUTING.md | 20 +- PLATFORMS.md | 6 +- .../copy_from_upstream/copy_from_libjade.yml | 6 +- .../copy_from_upstream/copy_from_upstream.py | 2 +- scripts/format_code.sh | 2 +- scripts/update_docs_from_yaml.py | 42 ++-- .../kem/issues/classic-mceliece-348864f | 6 +- .../kem/issues/classic-mceliece-460896 | 24 ++ .../kem/issues/classic-mceliece-460896f | 36 ++- .../kem/issues/classic-mceliece-6688128f | 38 +--- .../kem/issues/classic-mceliece-6960119 | 2 +- .../kem/issues/classic-mceliece-6960119f | 28 +-- .../kem/issues/classic-mceliece-8192128f | 30 +-- tests/constant_time/sig/issues/falcon | 10 +- tests/test_sig_stfl.c | 4 +- 34 files changed, 754 insertions(+), 471 deletions(-) create mode 100644 .github/workflows/basic.yml create mode 100644 .github/workflows/downstream-basic.yml rename .github/workflows/{release-test.yml => downstream-release.yml} (63%) create mode 100644 .github/workflows/extended.yml rename .github/workflows/{unix.yml => linux.yml} (61%) create mode 100644 .github/workflows/macos.yml create mode 100644 .github/workflows/platforms.yml create mode 100644 .github/workflows/pr.yml create mode 100644 .github/workflows/push.yml create mode 100644 
.github/workflows/release.yml create mode 100644 CI.md diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 0530ff1c12..737aea16cd 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,7 +1,7 @@ # https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners * @dstebila -/.circleci @baentsch +/.github/workflows @SWilson4 /scripts/copy_from_upstream @baentsch @bhess @alexrow /src/common @dstebila /src/kem/bike @crockeea diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml index 459c0e32ec..60847ff578 100644 --- a/.github/workflows/android.yml +++ b/.github/workflows/android.yml @@ -3,7 +3,7 @@ name: android build permissions: contents: read -on: [ push, pull_request ] +on: [workflow_call, workflow_dispatch] jobs: diff --git a/.github/workflows/apple.yml b/.github/workflows/apple.yml index 3c11bc3e7d..38671cc2c6 100644 --- a/.github/workflows/apple.yml +++ b/.github/workflows/apple.yml @@ -3,7 +3,7 @@ name: apple build permissions: contents: read -on: [ push, pull_request ] +on: [workflow_call, workflow_dispatch] jobs: diff --git a/.github/workflows/basic.yml b/.github/workflows/basic.yml new file mode 100644 index 0000000000..3364ec77ed --- /dev/null +++ b/.github/workflows/basic.yml 
@@ -0,0 +1,75 @@ +name: Basic checks + +permissions: + contents: read + +on: [workflow_call, workflow_dispatch] + +jobs: + + stylecheck: + name: Check code formatting + runs-on: ubuntu-latest + container: openquantumsafe/ci-ubuntu-latest:latest + steps: + - name: Checkout code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 + - name: Ensure code conventions are upheld + run: python3 -m pytest --verbose tests/test_code_conventions.py + - name: Check that doxygen can parse the documentation + run: mkdir build && ./scripts/run_doxygen.sh $(which doxygen) ./docs/.Doxyfile ./build + - name: Validate CBOM + run: scripts/validate_cbom.sh + + upstreamcheck: + name: Check upstream code is properly integrated + runs-on: ubuntu-latest + container: openquantumsafe/ci-ubuntu-latest:latest + steps: + - name: Checkout code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 + - name: Configure + run: | + git config --global user.name "ciuser" && \ + git config --global user.email "ci@openquantumsafe.org" && \ + git config --global --add safe.directory "$PWD" && \ + echo "LIBOQS_DIR=$PWD" >> "$GITHUB_ENV" + - name: Verify copy_from_upstream state after copy + working-directory: 'scripts/copy_from_upstream' + run: | + python3 copy_from_upstream.py copy && \ + ! git status | grep -i modified + - name: Verify copy_from_upstream state after libjade + working-directory: 'scripts/copy_from_upstream' + run: | + python3 copy_from_upstream.py libjade && \ + ! 
git status | grep -i modified + + buildcheck: + name: Check that code passes a basic build + needs: [ stylecheck, upstreamcheck ] + runs-on: ubuntu-latest + container: openquantumsafe/ci-ubuntu-latest:latest + env: + KEM_NAME: ml_kem_768 + SIG_NAME: ml_dsa_65 + steps: + - name: Checkout code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 + - name: Configure + run: | + mkdir build && \ + cd build && \ + cmake -GNinja -DOQS_STRICT_WARNINGS=ON \ + -GNinja \ + -DOQS_MINIMAL_BUILD="KEM_$KEM_NAME;SIG_$SIG_NAME" \ + --warn-uninitialized .. > config.log 2>&1 && \ + cat config.log && \ + cmake -LA -N .. && \ + ! (grep -i "uninitialized variable" config.log) + - name: Build code + run: ninja + working-directory: build + - name: Build documentation + run: ninja gen_docs + working-directory: build diff --git a/.github/workflows/commit-to-main.yml b/.github/workflows/commit-to-main.yml index 92e73bd359..100598154b 100644 --- a/.github/workflows/commit-to-main.yml +++ b/.github/workflows/commit-to-main.yml 
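Review bot: The Configure step of buildcheck passes `-GNinja` twice (`cmake -GNinja -DOQS_STRICT_WARNINGS=ON \` immediately followed by `-GNinja \`); one of them should go, leaving `cmake -GNinja -DOQS_STRICT_WARNINGS=ON \` then `-DOQS_MINIMAL_BUILD="KEM_$KEM_NAME;SIG_$SIG_NAME" \`. The two upstreamcheck steps decide whether the tree is clean with `! git status | grep -i modified`, which depends on git's human-readable (and locale-dependent) wording; `git diff --quiet && git diff --cached --quiet`, or checking that `git status --porcelain` prints nothing, is the stable form. The removed unix.yml job ran `pip3 install --require-hashes -r requirements.txt` and set up the jasmin compiler before calling copy_from_upstream.py; the new job presumably relies on the ci-ubuntu-latest image already providing those, which is worth a one-line comment on the Configure step so the dependency on the image is explicit.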
@@ -1,88 +1,39 @@ -name: Trigger basic downstream CI +name: Main branch tests permissions: contents: read on: push: - branches: [ "main" ] + branches: ['main'] jobs: - trigger-downstream-ci: - strategy: - fail-fast: false - runs-on: ubuntu-latest - steps: - # TODO: missing projects? - - name: Trigger OQS-OpenSSL CI - run: | - curl --silent \ - --write-out "\n%{response_code}\n" \ - --user ${{ secrets.BUILD_TRIGGER_TOKEN }}: \ - --request POST \ - --header "Content-Type: application/json" \ - --data '{ "branch": "OQS-OpenSSL_1_1_1-stable", "parameters": { "run_downstream_tests": true } }' \ - https://circleci.com/api/v2/project/gh/open-quantum-safe/openssl/pipeline | tee curl_out \ - && grep -q "201" curl_out - - name: Trigger OQS-BoringSSL CI - run: | - curl --silent \ - --write-out "\n%{response_code}\n" \ - --user ${{ secrets.BUILD_TRIGGER_TOKEN }}: \ - --request POST \ - --header "Content-Type: application/json" \ - --data '{ "branch": "master", "parameters": { "run_downstream_tests": true } }' \ - https://circleci.com/api/v2/project/gh/open-quantum-safe/boringssl/pipeline | tee curl_out \ - && grep -q "201" curl_out - - name: Trigger OQS-OpenSSH CI - run: | - curl --silent \ - --write-out "\n%{response_code}\n" \ - --request POST \ - --header "Accept: application/vnd.github+json" \ - --header "Authorization: Bearer ${{ secrets.OQSBOT_GITHUB_ACTIONS }}" \ - --header "X-GitHub-Api-Version: 2022-11-28" \ - --data '{"ref":"OQS-v9"}' \ - https://api.github.com/repos/open-quantum-safe/openssh/actions/workflows/ubuntu.yaml/dispatches | tee curl_out \ - && grep -q "204" curl_out - - name: Trigger oqs-provider CI - run: | - curl --silent \ - --write-out "\n%{response_code}\n" \ - --user ${{ secrets.BUILD_TRIGGER_TOKEN }}: \ - --request POST \ - --header "Content-Type: application/json" \ - --data '{ "branch": "main" }' \ - https://circleci.com/api/v2/project/gh/open-quantum-safe/oqs-provider/pipeline | tee curl_out \ - && grep -q "201" curl_out - - name: Trigger 
liboqs-dotnet CI - run: | - curl --silent \ - --write-out "\n%{response_code}\n" \ - --user ${{ secrets.BUILD_TRIGGER_TOKEN }}: \ - --request POST \ - --header "Content-Type: application/json" \ - --data '{ "branch": "master" }' \ - https://circleci.com/api/v2/project/gh/open-quantum-safe/liboqs-dotnet/pipeline | tee curl_out \ - && grep -q "201" curl_out - - name: Trigger liboqs-java CI - run: | - curl --silent \ - --write-out "\n%{response_code}\n" \ - --user ${{ secrets.BUILD_TRIGGER_TOKEN }}: \ - --request POST \ - --header "Content-Type: application/json" \ - --data '{ "branch": "master" }' \ - https://circleci.com/api/v2/project/gh/open-quantum-safe/liboqs-java/pipeline | tee curl_out \ - && grep -q "201" curl_out - - name: Trigger liboqs-python CI - run: | - curl --silent \ - --write-out "\n%{response_code}\n" \ - --request POST \ - --header "Accept: application/vnd.github+json" \ - --header "Authorization: Bearer ${{ secrets.OQSBOT_GITHUB_ACTIONS }}" \ - --header "X-GitHub-Api-Version: 2022-11-28" \ - --data '{"event_type":"liboqs-upstream-trigger"}' \ - https://api.github.com/repos/open-quantum-safe/liboqs-python/dispatches | tee curl_out \ - && grep -q "204" curl_out + + platform-tests: + uses: ./.github/workflows/platforms.yml + + scorecard: + uses: ./.github/workflows/scorecard.yml + secrets: inherit + # complete list of permissions keys as per + # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token#defining-access-for-the-github_token-permissions + # accessed September 4, 2024 + permissions: + actions: read + attestations: read + checks: read + contents: read + deployments: read + id-token: write + issues: read + discussions: read + packages: read + pages: read + pull-requests: read + repository-projects: read + security-events: write + statuses: read + + basic-downstream: + uses: ./.github/workflows/downstream-basic.yml + secrets: inherit 
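Review bot: `secrets: inherit` on the basic-downstream and scorecard jobs forwards every repository and organization secret to the called workflows, whereas downstream-basic.yml in this same patch reads only `secrets.OQSBOT_GITHUB_ACTIONS` and `secrets.BUILD_TRIGGER_TOKEN`. Declaring those two under `on: workflow_call: secrets:` in downstream-basic.yml and passing them by name here, `secrets:` / `OQSBOT_GITHUB_ACTIONS: ${{ secrets.OQSBOT_GITHUB_ACTIONS }}` / `BUILD_TRIGGER_TOKEN: ${{ secrets.BUILD_TRIGGER_TOKEN }}`, keeps the trigger job at least privilege and makes the dependency visible to readers of the caller. The scorecard job's permissions block grants read on every scope in the documented list plus `id-token: write` and `security-events: write`; whether scorecard needs all of the read scopes is not something this hunk shows, so the comment above the block would be more useful if it named the entries scorecard actually requires rather than the source of the full key list.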
diff --git a/.github/workflows/downstream-basic.yml b/.github/workflows/downstream-basic.yml
new file mode 100644
index 0000000000..a97cb6c533
--- /dev/null
+++ b/.github/workflows/downstream-basic.yml
@@ -0,0 +1,83 @@ +name: Trigger basic downstream CI + +permissions: + contents: read + +on: [workflow_call, workflow_dispatch] + +jobs: + + trigger-downstream-ci: + runs-on: ubuntu-latest + steps: + - name: Trigger OQS-BoringSSL CI + if: ${{ !cancelled() }} # run all steps independent of failures + run: | + curl --silent \ + --write-out "\n%{response_code}\n" \ + --request POST \ + --header "Accept: application/vnd.github+json" \ + --header "Authorization: Bearer ${{ secrets.OQSBOT_GITHUB_ACTIONS }}" \ + --header "X-GitHub-Api-Version: 2022-11-28" \ + --data '{"event_type":"liboqs-upstream-trigger"}' \ + https://api.github.com/repos/open-quantum-safe/boringssl/dispatches | tee curl_out \ + && grep -q "204" curl_out + - name: Trigger OQS-OpenSSH CI + if: ${{ !cancelled() }} # run all steps independent of failures + run: | + curl --silent \ + --write-out "\n%{response_code}\n" \ + --request POST \ + --header "Accept: application/vnd.github+json" \ + --header "Authorization: Bearer ${{ secrets.OQSBOT_GITHUB_ACTIONS }}" \ + --header "X-GitHub-Api-Version: 2022-11-28" \ + --data '{"ref":"OQS-v9"}' \ + https://api.github.com/repos/open-quantum-safe/openssh/actions/workflows/ubuntu.yaml/dispatches | tee curl_out \ + && grep -q "204" curl_out + - name: Trigger oqs-provider CI + if: ${{ !cancelled() }} # run all steps independent of failures + run: | + curl --silent \ + --write-out "\n%{response_code}\n" \ + --user ${{ secrets.BUILD_TRIGGER_TOKEN }}: \ + --request POST \ + --header "Content-Type: application/json" \ + --data '{ "branch": "main" }' \ + https://circleci.com/api/v2/project/gh/open-quantum-safe/oqs-provider/pipeline | tee curl_out \ + && grep -q "201" curl_out + - name: Trigger liboqs-cpp CI + if: ${{ !cancelled() }} # run all steps independent of failures + run: | + curl --silent \ + --write-out "\n%{response_code}\n" \ + --request POST \ + --header "Accept: application/vnd.github+json" \ + --header "Authorization: Bearer ${{ secrets.OQSBOT_GITHUB_ACTIONS }}" 
\ + --header "X-GitHub-Api-Version: 2022-11-28" \ + --data '{"event_type":"liboqs-upstream-trigger"}' \ + https://api.github.com/repos/open-quantum-safe/liboqs-cpp/dispatches | tee curl_out \ + && grep -q "204" curl_out + - name: Trigger liboqs-go CI + if: ${{ !cancelled() }} # run all steps independent of failures + run: | + curl --silent \ + --write-out "\n%{response_code}\n" \ + --request POST \ + --header "Accept: application/vnd.github+json" \ + --header "Authorization: Bearer ${{ secrets.OQSBOT_GITHUB_ACTIONS }}" \ + --header "X-GitHub-Api-Version: 2022-11-28" \ + --data '{"event_type":"liboqs-upstream-trigger"}' \ + https://api.github.com/repos/open-quantum-safe/liboqs-go/dispatches | tee curl_out \ + && grep -q "204" curl_out + - name: Trigger liboqs-python CI + if: ${{ !cancelled() }} # run all steps independent of failures + run: | + curl --silent \ + --write-out "\n%{response_code}\n" \ + --request POST \ + --header "Accept: application/vnd.github+json" \ + --header "Authorization: Bearer ${{ secrets.OQSBOT_GITHUB_ACTIONS }}" \ + --header "X-GitHub-Api-Version: 2022-11-28" \ + --data '{"event_type":"liboqs-upstream-trigger"}' \ + https://api.github.com/repos/open-quantum-safe/liboqs-python/dispatches | tee curl_out \ + && grep -q "204" curl_out diff --git a/.github/workflows/release-test.yml b/.github/workflows/downstream-release.yml similarity index 63% rename from .github/workflows/release-test.yml rename to .github/workflows/downstream-release.yml index 2a4addd541..6acf12beed 100644 --- a/.github/workflows/release-test.yml +++ b/.github/workflows/downstream-release.yml 
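Review bot: Every trigger step verifies the dispatch with `grep -q "204" curl_out` (or `"201"`), which matches those digits anywhere in the captured output rather than only on the status line that `--write-out "\n%{response_code}\n"` appends, and because the pipeline's exit status is tee's, a curl transport failure is caught only indirectly through the missing status line. Comparing the last line exactly, `&& [ "$(tail -n1 curl_out)" = "204" ]`, or adding `--fail-with-body` to each curl invocation, makes each of the six steps in this hunk fail for the right reason. The set of downstream projects also differs from the job removed from commit-to-main.yml (OQS-OpenSSL, liboqs-dotnet and liboqs-java are gone, liboqs-cpp and liboqs-go are new, and OQS-BoringSSL moved from a CircleCI pipeline to a GitHub repository dispatch); the commit message does not mention this, and a line in the description or in CI.md would save the next reader from reconstructing it from the diff.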
@@ -1,23 +1,17 @@ -name: Release tests +name: Downstream release tests permissions: contents: read +on: [workflow_call, workflow_dispatch] + # Trigger oqs-provider release tests. -# Runs whenever a release is published, or when a commit message ends with "[trigger downstream]" -# When triggered by a release, the liboqs release tag and the provider "-tracker" branch are used. -# When triggered by a commit message, the triggering liboqs branch and the provider "-tracker" branch are used. +# When triggered by a release (see release.yml), the liboqs release tag and the provider "-tracker" branch are used. +# When triggered by a commit message (see filter.yml), the triggering liboqs branch and the provider "-tracker" branch are used. # If the tracker branch does not exist, the downstream pipeline should detect it and run on the main branch instead. -on: - push: - workflow_dispatch: - release: - types: [ published ] - jobs: oqs-provider-release-test: - if: github.event_name == 'release' || contains( github.event.head_commit.message, '[trigger downstream]' ) runs-on: ubuntu-latest steps: - name: Checkout release tests script diff --git a/.github/workflows/extended.yml b/.github/workflows/extended.yml new file mode 100644 index 0000000000..73bad5ba01 --- /dev/null +++ b/.github/workflows/extended.yml 
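Review bot: The updated header comment says `When triggered by a commit message (see filter.yml)`, but no filter.yml appears in the diffstat; the trigger workflows this patch adds are pr.yml, push.yml and release.yml, so the reference is presumably to push.yml and should read `# When triggered by a commit message (see push.yml), the triggering liboqs branch and the provider "-tracker" branch are used.`. The `if: github.event_name == 'release' || contains( github.event.head_commit.message, '[trigger downstream]' )` gate was removed from the job, so that decision now has to live in the callers, and because the workflow is also `workflow_dispatch`-able a manual run executes the release test unconditionally; both facts belong in the comment. The rest of the oqs-provider-release-test job lies outside this hunk.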
@@ -0,0 +1,74 @@ +name: Extended tests + +permissions: + contents: read + +on: [workflow_call, workflow_dispatch] + +jobs: + + constant-time-x64: + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + include: + - name: generic + container: openquantumsafe/ci-ubuntu-latest:latest + CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic -DCMAKE_BUILD_TYPE=Debug -DOQS_ENABLE_TEST_CONSTANT_TIME=ON + PYTEST_ARGS: --numprocesses=auto -k 'test_constant_time' + SKIP_ALGS: 'SPHINCS\+-SHA(.)*s-simple,SPHINCS\+-SHAKE-(.)*' + - name: extensions + container: openquantumsafe/ci-ubuntu-latest:latest + CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=auto -DCMAKE_BUILD_TYPE=Debug -DOQS_ENABLE_TEST_CONSTANT_TIME=ON + PYTEST_ARGS: --numprocesses=auto -k 'test_constant_time' + SKIP_ALGS: 'SPHINCS\+-SHA(.)*s-simple,SPHINCS\+-SHAKE-(.)*' + container: + image: ${{ matrix.container }} + steps: + - name: Checkout code + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # pin@v2 + - name: Configure + run: mkdir build && cd build && cmake -GNinja ${{ matrix.CMAKE_ARGS }} .. && cmake -LA -N .. 
+ - name: Build + run: ninja + working-directory: build + - name: Run tests + timeout-minutes: 360 + run: mkdir -p tmp && SKIP_ALGS='${{ matrix.SKIP_ALGS }}' python3 -m pytest --verbose ${{ matrix.PYTEST_ARGS }} + + nistkat-x64: + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + include: + - name: generic + container: openquantumsafe/ci-ubuntu-latest:latest + CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic + PYTEST_ARGS: --numprocesses=auto -k 'test_kat_all' + - name: generic-libjade + container: openquantumsafe/ci-ubuntu-latest:latest + CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}" + PYTEST_ARGS: --numprocesses=auto -k 'test_kat_all' + - name: extensions + container: openquantumsafe/ci-ubuntu-latest:latest + CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=auto + PYTEST_ARGS: --numprocesses=auto -k 'test_kat_all' + - name: extensions-libjade + container: openquantumsafe/ci-ubuntu-latest:latest + CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=auto -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST}}" + PYTEST_ARGS: --numprocesses=auto -k 'test_kat_all' + container: + image: ${{ matrix.container }} + steps: + - name: Checkout code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 + - name: Configure + run: mkdir build && cd build && cmake -GNinja ${{ matrix.CMAKE_ARGS }} .. && cmake -LA -N .. + - name: Build + run: ninja + working-directory: build + - name: Run tests + timeout-minutes: 360 + run: mkdir -p tmp && python3 -m pytest --verbose ${{ matrix.PYTEST_ARGS }} diff --git a/.github/workflows/unix.yml b/.github/workflows/linux.yml similarity index 61% rename from .github/workflows/unix.yml rename to .github/workflows/linux.yml index 0f5b5dbe4e..f41d1b718a 100644 --- a/.github/workflows/unix.yml +++ b/.github/workflows/linux.yml 
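Review bot: constant-time-x64 checks out with `actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # pin@v2` while nistkat-x64 in the same file and basic.yml use `actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4`; the v2 pin is two majors behind and should be brought in line, `uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4`. The extensions-libjade entry writes `${{ vars.LIBJADE_ALG_LIST}}` without the space before `}}` that every other use has; it evaluates identically but is easy to misread as a different variable. The identical SKIP_ALGS and PYTEST_ARGS values are repeated verbatim in both constant-time matrix entries and could be hoisted to a job-level `env:` so the CT exclusion list is maintained in one place.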
@@ -1,110 +1,20 @@ -name: Linux and MacOS tests +name: Linux tests permissions: contents: read -on: [ push, pull_request , workflow_dispatch] - -env: - # Semi-colon separated list of algorithims with libjade implementations to - # be passed as input to CMake option as: -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST - # See CONFIGURE.md under ## OQS_MINIMAL_BUILD - LIBJADE_ALG_LIST: "KEM_kyber_512;KEM_kyber_768" +on: [workflow_call, workflow_dispatch] jobs: - stylecheck: - name: Check code formatting - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - - name: Ensure code conventions are upheld - run: python3 -m pytest --verbose tests/test_code_conventions.py - - name: Check that doxygen can parse the documentation - run: mkdir build && ./scripts/run_doxygen.sh $(which doxygen) ./docs/.Doxyfile ./build - - name: Validate CBOM - run: scripts/validate_cbom.sh - - upstreamcheck: - name: Check upstream code is properly integrated - strategy: - fail-fast: false - matrix: - copy-mode: - - copy - - libjade - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - runs-on: ubuntu-latest - steps: - - name: Setup nix - uses: cachix/install-nix-action@v26 - - name: Setup jasmin-compiler - run: | - nix-channel --add https://nixos.org/channels/nixos-23.11 nixpkgs && \ - nix-channel --update && nix-env -iA nixpkgs.jasmin-compiler - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - - name: Verify copy_from_upstream state after "${{ matrix.copy-mode}}" - run: | - git config --global user.name "ciuser" && \ - git config --global user.email "ci@openquantumsafe.org" && \ - export LIBOQS_DIR=`pwd` && \ - git config --global --add safe.directory $LIBOQS_DIR && \ - cd scripts/copy_from_upstream && \ - ! 
pip3 install --require-hashes -r requirements.txt 2>&1 | grep ERROR && \ - python3 copy_from_upstream.py ${{ matrix.copy-mode }} && \ - ! git status | grep modified - - buildcheck: - name: Check that code passes a basic build before starting heavier tests - needs: [ stylecheck, upstreamcheck ] - strategy: - matrix: - include: - - runner: oqs-arm64 - container: openquantumsafe/ci-ubuntu-focal-arm64:latest - - runner: ubuntu-latest - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - - runner: ubuntu-latest - container: openquantumsafe/ci-ubuntu-latest:latest - runs-on: ${{ matrix.runner }} - container: ${{ matrix.container }} - env: - KEM_NAME: kyber_768 - SIG_NAME: dilithium_3 - steps: - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - - name: Configure - run: | - mkdir build && \ - cd build && \ - cmake .. --warn-uninitialized \ - -GNinja \ - -DOQS_MINIMAL_BUILD="KEM_$KEM_NAME;SIG_$SIG_NAME" \ - > config.log 2>&1 && \ - cat config.log && \ - cmake -LA -N .. && \ - ! (grep "uninitialized variable" config.log) - - name: Build code - run: ninja - working-directory: build - - name: Build documentation - run: ninja gen_docs - working-directory: build - if: matrix.runner == 'ubuntu-latest' - linux: - needs: buildcheck strategy: fail-fast: false matrix: include: - name: arm64 runner: oqs-arm64 - container: openquantumsafe/ci-ubuntu-focal-arm64:latest + container: openquantumsafe/ci-ubuntu-latest:latest PYTEST_ARGS: --maxprocesses=10 --ignore=tests/test_kat_all.py CMAKE_ARGS: -DOQS_ENABLE_SIG_STFL_LMS=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON - name: alpine 
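Review bot: The in-file `env: LIBJADE_ALG_LIST`, together with the comment explaining its semicolon-separated format and pointing at CONFIGURE.md, is replaced by the repository Actions variable `${{ vars.LIBJADE_ALG_LIST }}`, which is not under version control: in a fork or any repository where the variable is unset the matrix entries expand to `-DOQS_MINIMAL_BUILD=""`, and depending on how CMake treats the empty list the libjade jobs then either build every algorithm or fail to configure. Keeping the explanation at the first use, e.g. `# LIBJADE_ALG_LIST is a repository Actions variable: semicolon-separated list of KEM_/SIG_ algorithms with libjade implementations, passed as OQS_MINIMAL_BUILD (see CONFIGURE.md)`, would preserve what the removed comment documented. The same substitution appears in the `@@ -112`, `@@ -132`, `@@ -170` and `@@ -180` hunks of this file and in extended.yml and macos.yml. Removing `needs: buildcheck` here and in the later hunks means this reusable workflow no longer gates on the basic build by itself; presumably the callers sequence basic.yml before platforms.yml, but pr.yml and push.yml are outside the visible part of this patch.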
@@ -112,10 +22,10 @@ jobs: container: openquantumsafe/ci-alpine-amd64:latest CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py - - name: alpine + - name: alpine-libjade runner: ubuntu-latest container: openquantumsafe/ci-alpine-amd64:latest - CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST + CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}" PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py - name: alpine-no-stfl-key-sig-gen runner: ubuntu-latest 
@@ -132,36 +42,41 @@ jobs: container: openquantumsafe/ci-alpine-amd64:latest CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=OFF -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py - - name: focal-nistr4-openssl + - name: noble-nistr4-openssl runner: ubuntu-latest - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest + container: openquantumsafe/ci-ubuntu-latest:latest CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=NIST_R4 PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py - - name: focal-nistonramp-openssl + - name: noble-nistonramp-openssl runner: ubuntu-latest - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest + container: openquantumsafe/ci-ubuntu-latest:latest CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=NIST_SIG_ONRAMP PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py - - name: focal-noopenssl + - name: noble-noopenssl runner: ubuntu-latest - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - CMAKE_ARGS: -DCMAKE_C_COMPILER=gcc-8 -DOQS_USE_OPENSSL=OFF + container: openquantumsafe/ci-ubuntu-latest:latest + CMAKE_ARGS: -DOQS_USE_OPENSSL=OFF PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py - - name: focal-noopenssl + - name: noble-noopenssl-libjade runner: ubuntu-latest - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - CMAKE_ARGS: -DCMAKE_C_COMPILER=gcc-8 -DOQS_USE_OPENSSL=OFF -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST + container: openquantumsafe/ci-ubuntu-latest:latest + CMAKE_ARGS: -DOQS_USE_OPENSSL=OFF -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}" PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py - - name: focal-shared-noopenssl + - name: noble-shared-noopenssl runner: ubuntu-latest - container: 
openquantumsafe/ci-ubuntu-focal-x86_64:latest - CMAKE_ARGS: -DCMAKE_C_COMPILER=gcc-7 -DOQS_DIST_BUILD=OFF -DOQS_USE_OPENSSL=OFF -DBUILD_SHARED_LIBS=ON + container: openquantumsafe/ci-ubuntu-latest:latest + CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_USE_OPENSSL=OFF -DBUILD_SHARED_LIBS=ON PYTEST_ARGS: --ignore=tests/test_namespace.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py - name: jammy-clang runner: ubuntu-latest container: openquantumsafe/ci-ubuntu-jammy:latest CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DCMAKE_C_COMPILER=clang PYTEST_ARGS: --ignore=tests/test_kat_all.py + - name: noble-clang + runner: ubuntu-latest + container: openquantumsafe/ci-ubuntu-latest:latest + CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DCMAKE_C_COMPILER=clang + PYTEST_ARGS: --ignore=tests/test_kat_all.py -k 'not (leaks and (Dilithium or ML-DSA))' - name: jammy-std-openssl3 runner: ubuntu-latest container: openquantumsafe/ci-ubuntu-jammy:latest @@ -170,7 +85,7 @@ jobs: - name: jammy-std-openssl3-libjade runner: ubuntu-latest container: openquantumsafe/ci-ubuntu-jammy:latest - CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=STD -DBUILD_SHARED_LIBS=ON -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST + CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=STD -DBUILD_SHARED_LIBS=ON -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}" PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py - name: jammy-std-openssl3-dlopen runner: ubuntu-latest 
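Review bot: The new noble-clang matrix entry filters the run with `-k 'not (leaks and (Dilithium or ML-DSA))'` and nothing says why; an exclusion that switches off leak checking (presumably tests/test_leaks.py) for specific algorithms on one toolchain is exactly the line a later reader will not dare to remove, so it should carry a comment such as `# leak tests for Dilithium/ML-DSA are excluded under clang on noble; tracked in <ISSUE-PLACEHOLDER>` with the tracking issue filled in. The commit message's "CT files / syntax / static analysis" list does not cover this exclusion, so the description should mention it too. The matrix continues past the end of this hunk.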
@@ -180,22 +95,22 @@ jobs: - name: jammy-std-openssl3-dlopen-libjade runner: ubuntu-latest container: openquantumsafe/ci-ubuntu-jammy:latest - CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=STD -DBUILD_SHARED_LIBS=ON -DOQS_DLOPEN_OPENSSL=ON -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST + CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_ALGS_ENABLED=STD -DBUILD_SHARED_LIBS=ON -DOQS_DLOPEN_OPENSSL=ON -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}" PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py - name: address-sanitizer runner: ubuntu-latest - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - CMAKE_ARGS: -DCMAKE_C_COMPILER=clang-9 -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON + container: openquantumsafe/ci-ubuntu-latest:latest + CMAKE_ARGS: -DCMAKE_C_COMPILER=clang -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON PYTEST_ARGS: --ignore=tests/test_distbuild.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py --maxprocesses=10 - name: address-sanitizer-no-stfl-key-sig-gen runner: ubuntu-latest - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - CMAKE_ARGS: -DCMAKE_C_COMPILER=clang-9 -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=OFF -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON + container: openquantumsafe/ci-ubuntu-latest:latest + CMAKE_ARGS: -DCMAKE_C_COMPILER=clang -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=OFF -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON PYTEST_ARGS: --ignore=tests/test_distbuild.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py --maxprocesses=10 - name: 
address-sanitizer-libjade runner: ubuntu-latest - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - CMAKE_ARGS: -DCMAKE_C_COMPILER=clang-9 -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST + container: openquantumsafe/ci-ubuntu-latest:latest + CMAKE_ARGS: -DCMAKE_C_COMPILER=clang -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}" PYTEST_ARGS: --ignore=tests/test_distbuild.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py --maxprocesses=10 runs-on: ${{ matrix.runner }} container: @@ -227,7 +142,6 @@ jobs: working-directory: build linux_arm_emulated: - needs: buildcheck runs-on: ubuntu-latest strategy: fail-fast: false @@ -275,9 +189,8 @@ jobs: --ignore=tests/test_code_conventions.py ${{ matrix.PYTEST_ARGS }}" linux_cross_compile: - needs: buildcheck runs-on: ubuntu-latest - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest + container: openquantumsafe/ci-ubuntu-latest:latest strategy: fail-fast: false matrix: 
@@ -295,56 +208,7 @@ jobs: run: ninja working-directory: build - macos: - needs: buildcheck - strategy: - fail-fast: false - matrix: - os: - # macos-14 runs on aarch64; the others run on x64 - - macos-12 - - macos-13 - - macos-14 - CMAKE_ARGS: - - -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON - - -DCMAKE_C_COMPILER=gcc-13 - - -DOQS_USE_OPENSSL=OFF - - -DBUILD_SHARED_LIBS=ON -DOQS_DIST_BUILD=OFF - libjade-build: - - -DOQS_LIBJADE_BUILD=OFF - # Restrict -DOQS_LIBJADE_BUILD=ON build to algs provided by - # libjade to minimise repeated tests - - -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST - exclude: - # macos-14 runs on aarch64, libjade targets x86 - # Skip testing libjade on macos-14 - - os: macos-14 - libjade-build: -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST - runs-on: ${{ matrix.os }} - steps: - - name: Install Python - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # pin@v5 - with: - python-version: '3.12' - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - - name: Install dependencies - run: env HOMEBREW_NO_AUTO_UPDATE=1 brew install ninja && pip3 install --require-hashes --break-system-packages -r .github/workflows/requirements.txt - - name: Patch GCC - run: env HOMEBREW_NO_AUTO_UPDATE=1 brew uninstall --ignore-dependencies gcc@13 && wget https://raw.githubusercontent.com/Homebrew/homebrew-core/eb6dd225d093b66054e18e07d56509cf670793b1/Formula/g/gcc%4013.rb && env HOMEBREW_NO_AUTO_UPDATE=1 brew install --ignore-dependencies --formula gcc@13.rb - - name: Get system information - run: sysctl -a | grep machdep.cpu - - name: Configure - run: mkdir -p build && cd build && source ~/.bashrc && cmake -GNinja -DOQS_STRICT_WARNINGS=ON ${{ matrix.CMAKE_ARGS }} ${{ matrix.libjade-build }} .. && cmake -LA -N .. 
- - name: Build - run: ninja - working-directory: build - - name: Run tests - run: mkdir -p tmp && python3 -m pytest --verbose --ignore=tests/test_code_conventions.py --ignore=tests/test_kat_all.py - timeout-minutes: 60 - linux_openssl330-dev: - needs: buildcheck runs-on: ubuntu-latest container: image: openquantumsafe/ci-ubuntu-jammy:latest @@ -391,14 +255,13 @@ jobs: run: mkdir -p tmp && python3 -m pytest --verbose --ignore=tests/test_code_conventions.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py scan_build: - needs: buildcheck runs-on: ubuntu-latest - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest + container: openquantumsafe/ci-ubuntu-latest:latest steps: - name: Checkout code uses: actions/checkout@v4 - name: Configure - run: mkdir build && cd build && scan-build-15 cmake -GNinja .. + run: mkdir build && cd build && scan-build --status-bugs cmake -GNinja .. - name: Build - run: scan-build-15 --status-bugs ninja + run: scan-build --status-bugs ninja working-directory: build diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml new file mode 100644 index 0000000000..5cc2949b23 --- /dev/null +++ b/.github/workflows/macos.yml 
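Review bot: The scan_build Configure step now runs `scan-build --status-bugs cmake -GNinja ..`, whereas previously only the ninja step carried `--status-bugs`; with the flag on configure, any analyzer finding in CMake's own try_compile probes fails the job before the library is built, which may be intended but is not mentioned in the commit message and deserves either a comment or the shorter `run: mkdir build && cd build && scan-build cmake -GNinja ..`. Dropping the `-15` suffix means the analyzer version is now whatever the ci-ubuntu-latest image ships, so findings can shift whenever the image is rebuilt; recording the expected version in CI.md would help triage of new `--status-bugs` failures. The unchanged `uses: actions/checkout@v4` in this job is the only checkout in the file not pinned to a commit SHA, unlike every other job this patch touches.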
@@ -0,0 +1,58 @@ +name: MacOS tests + +permissions: + contents: read + +on: [workflow_call, workflow_dispatch] + +jobs: + + macos: + strategy: + fail-fast: false + matrix: + os: + # macos-14 runs on aarch64; the others run on x64 + - macos-12 + - macos-13 + - macos-14 + CMAKE_ARGS: + - -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON + - -DCMAKE_C_COMPILER=gcc-13 + - -DOQS_USE_OPENSSL=OFF + - -DBUILD_SHARED_LIBS=ON -DOQS_DIST_BUILD=OFF + libjade-build: + - -DOQS_LIBJADE_BUILD=OFF + # Restrict -DOQS_LIBJADE_BUILD=ON build to algs provided by + # libjade to minimise repeated tests + - -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}" + exclude: + # macos-14 runs on aarch64, libjade targets x86 + # Skip testing libjade on macos-14 + - os: macos-14 + libjade-build: -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}" + # No point in testing stateful sigs with minimal libjade build + - libjade-build: -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD="${{ vars.LIBJADE_ALG_LIST }}" + CMAKE_ARGS: -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON + runs-on: ${{ matrix.os }} + steps: + - name: Install Python + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # pin@v5 + with: + python-version: '3.12' + - name: Checkout code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 + - name: Install dependencies + run: env HOMEBREW_NO_AUTO_UPDATE=1 brew install ninja && pip3 install --require-hashes --break-system-packages -r .github/workflows/requirements.txt + - name: Patch GCC + run: env HOMEBREW_NO_AUTO_UPDATE=1 brew uninstall --ignore-dependencies gcc@13 && wget https://raw.githubusercontent.com/Homebrew/homebrew-core/eb6dd225d093b66054e18e07d56509cf670793b1/Formula/g/gcc%4013.rb && env HOMEBREW_NO_AUTO_UPDATE=1 brew install --ignore-dependencies --formula 
gcc@13.rb + - name: Get system information + run: sysctl -a | grep machdep.cpu + - name: Configure + run: mkdir -p build && cd build && source ~/.bashrc && cmake -GNinja -DOQS_STRICT_WARNINGS=ON ${{ matrix.CMAKE_ARGS }} ${{ matrix.libjade-build }} .. && cmake -LA -N .. + - name: Build + run: ninja + working-directory: build + - name: Run tests + run: mkdir -p tmp && python3 -m pytest --verbose --ignore=tests/test_code_conventions.py --ignore=tests/test_kat_all.py + timeout-minutes: 60 diff --git a/.github/workflows/platforms.yml b/.github/workflows/platforms.yml new file mode 100644 index 0000000000..a26b29cee5 --- /dev/null +++ b/.github/workflows/platforms.yml @@ -0,0 +1,26 @@ +name: Tests for all supported platforms + +permissions: + contents: read + +on: [workflow_call, workflow_dispatch] + +jobs: + + android-tests: + uses: ./.github/workflows/android.yml + + ios-tests: + uses: ./.github/workflows/apple.yml + + linux-tests: + uses: ./.github/workflows/linux.yml + + macos-tests: + uses: ./.github/workflows/macos.yml + + windows-tests: + uses: ./.github/workflows/windows.yml + + zephyr-tests: + uses: ./.github/workflows/zephyr.yml diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml new file mode 100644 index 0000000000..41776b6e6a --- /dev/null +++ b/.github/workflows/pr.yml 
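Review bot: In the Configure step, `${{ matrix.CMAKE_ARGS }} ${{ matrix.libjade-build }}` are expanded textually into the shell command, and `matrix.libjade-build` now embeds `vars.LIBJADE_ALG_LIST`, so whatever that repository variable contains is parsed by the shell rather than passed as data; the double quotes around it exist only to stop the `;` separator being read as a command separator. The exposure is limited because repository variables are admin-controlled, but the usual hardening is to route the matrix values through `env:` and reference shell variables in `run:`, which also lets the matrix and `exclude` entries drop the quotes around `${{ vars.LIBJADE_ALG_LIST }}` (an unquoted `$VAR` expansion splits on whitespace only, so the `;` survives intact). The rewritten step is below; the remaining steps of the job are unchanged.
```yaml
      - name: Configure
        env:
          CMAKE_ARGS: ${{ matrix.CMAKE_ARGS }}
          LIBJADE_BUILD: ${{ matrix.libjade-build }}
        # each variable holds several -D flags: word-splitting of the unquoted expansions is intended
        run: mkdir -p build && cd build && source ~/.bashrc && cmake -GNinja -DOQS_STRICT_WARNINGS=ON $CMAKE_ARGS $LIBJADE_BUILD .. && cmake -LA -N ..
      # … unchanged: Build / Run tests steps …
```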
@@ -0,0 +1,42 @@ +name: Pull request tests + +permissions: + contents: read + +on: pull_request + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + + basic-checks: + uses: ./.github/workflows/basic.yml + + platform-tests: + needs: basic-checks + uses: ./.github/workflows/platforms.yml + + scorecard: + needs: basic-checks + uses: ./.github/workflows/scorecard.yml + secrets: inherit + # complete list of permissions keys as per + # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token#defining-access-for-the-github_token-permissions + # accessed September 4, 2024 + permissions: + actions: read + attestations: read + checks: read + contents: read + deployments: read + id-token: write + issues: read + discussions: read + packages: read + pages: read + pull-requests: read + repository-projects: read + security-events: write + statuses: read diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml new file mode 100644 index 0000000000..df5b5eef6a --- /dev/null +++ b/.github/workflows/push.yml @@ -0,0 +1,33 @@ +name: Push tests + +permissions: + contents: read + +on: + push: + branches-ignore: 'main' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + + basic-checks: + uses: ./.github/workflows/basic.yml + + full-tests: + needs: basic-checks + if: contains( github.event.head_commit.message, '[full tests]' ) + uses: ./.github/workflows/platforms.yml + + extended-tests: + needs: basic-checks + if: contains( github.event.head_commit.message, '[extended tests]' ) + uses: ./.github/workflows/extended.yml + + downstream-release-tests: + needs: basic-checks + if: contains( github.event.head_commit.message, '[trigger downstream]' ) + uses: ./.github/workflows/downstream-release.yml + secrets: inherit 
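Review bot: The `permissions` block on the scorecard job grants `read` on every key the docs list plus `id-token: write` and `security-events: write`, and the same block is repeated verbatim in weekly.yml (and presumably in commit-to-main.yml, which is outside this view). A caller's job-level `permissions` only caps what the called workflow's jobs may request, so it can be cut to the scopes scorecard.yml actually declares, which is not visible here; the scorecard-action README example asks for the two write scopes plus `contents`/`actions` read, not `deployments`, `pages`, `packages` and the rest. A one-line comment such as `# keep in sync with the permissions declared in scorecard.yml` on each copy would stop them drifting apart. Note also that for `pull_request` events from forks the token is read-only and `secrets: inherit` passes nothing, so if scorecard.yml uploads results on PRs it will fail for fork PRs; worth confirming the action only publishes on the default branch.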
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000000..23f74b16ff --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,17 @@ +name: Release tests + +permissions: + contents: read + +on: + release: + types: [ published ] + +jobs: + + extended-tests: + uses: ./.github/workflows/extended.yml + + downstream-release-tests: + uses: ./.github/workflows/downstream-release.yml + secrets: inherit diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index ff54bf3f20..f3e5f06ec2 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -5,14 +5,9 @@ permissions: read-all on: # For Branch-Protection check. Only the default branch is supported. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection - branch_protection_rule: # To guarantee Maintained check is occasionally updated. See - - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained - schedule: - - cron: '29 9 * * 4' - push: - branches: [ "main" ] - pull_request: + branch_protection_rule: + workflow_call: + workflow_dispatch: jobs: analysis: diff --git a/.github/workflows/weekly.yml b/.github/workflows/weekly.yml index 8f66afced2..e1bf8fd94a 100644 --- a/.github/workflows/weekly.yml +++ b/.github/workflows/weekly.yml @@ -1,4 +1,4 @@ -name: Weekly extended tests +name: Weekly tests permissions: contents: read 
@@ -6,77 +6,32 @@ permissions: on: schedule: - cron: "5 0 * * 0" - workflow_dispatch: - -env: - # Semi-colon separated list of algorithims with libjade implementations to - # be passed as input to CMake option as: -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST - # See CONFIGURE.md under ## OQS_MINIMAL_BUILD - LIBJADE_ALG_LIST: "KEM_kyber_512;KEM_kyber_768" jobs: - constant-time-x64: - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - include: - - name: generic - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic -DCMAKE_BUILD_TYPE=Debug -DOQS_ENABLE_TEST_CONSTANT_TIME=ON - PYTEST_ARGS: --numprocesses=auto -k 'test_constant_time' - SKIP_ALGS: 'SPHINCS\+-SHA(.)*s-simple,SPHINCS\+-SHAKE-(.)*,Classic-McEliece-[^3](.)*' - - name: extensions - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=auto -DCMAKE_BUILD_TYPE=Debug -DOQS_ENABLE_TEST_CONSTANT_TIME=ON - PYTEST_ARGS: --numprocesses=auto -k 'test_constant_time' - SKIP_ALGS: 'SPHINCS\+-SHA(.)*s-simple,SPHINCS\+-SHAKE-(.)*,Classic-McEliece-[^3](.)*' - container: - image: ${{ matrix.container }} - steps: - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - - name: Configure - run: mkdir build && cd build && cmake -GNinja ${{ matrix.CMAKE_ARGS }} .. && cmake -LA -N .. 
- - name: Build - run: ninja - working-directory: build - - name: Run tests - timeout-minutes: 360 - run: mkdir -p tmp && SKIP_ALGS='${{ matrix.SKIP_ALGS }}' python3 -m pytest --verbose ${{ matrix.PYTEST_ARGS }} - nistkat-x64: - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - include: - - name: generic - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic - PYTEST_ARGS: --numprocesses=auto -k 'test_kat_all' - - name: generic-libjade - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=generic -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST - PYTEST_ARGS: --numprocesses=auto -k 'test_kat_all' - - name: extensions - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=auto - PYTEST_ARGS: --numprocesses=auto -k 'test_kat_all' - - name: extensions-libjade - container: openquantumsafe/ci-ubuntu-focal-x86_64:latest - CMAKE_ARGS: -DOQS_DIST_BUILD=OFF -DOQS_OPT_TARGET=auto -DOQS_LIBJADE_BUILD=ON -DOQS_MINIMAL_BUILD=$LIBJADE_ALG_LIST - PYTEST_ARGS: --numprocesses=auto -k 'test_kat_all' - container: - image: ${{ matrix.container }} - steps: - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 - - name: Configure - run: mkdir build && cd build && cmake -GNinja ${{ matrix.CMAKE_ARGS }} .. && cmake -LA -N .. - - name: Build - run: ninja - working-directory: build - - name: Run tests - timeout-minutes: 360 - run: mkdir -p tmp && python3 -m pytest --verbose ${{ matrix.PYTEST_ARGS }} + # To guarantee Maintained check is occasionally updated. 
See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + scorecard: + uses: ./.github/workflows/scorecard.yml + secrets: inherit + # complete list of permissions keys as per + # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token#defining-access-for-the-github_token-permissions + # accessed September 4, 2024 + permissions: + actions: read + attestations: read + checks: read + contents: read + deployments: read + id-token: write + issues: read + discussions: read + packages: read + pages: read + pull-requests: read + repository-projects: read + security-events: write + statuses: read + + extended-tests: + uses: ./.github/workflows/extended.yml diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index df4eeab1e7..e7dee41668 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -3,7 +3,7 @@ name: Windows tests permissions: contents: read -on: [ push, pull_request ] +on: [workflow_call, workflow_dispatch] jobs: diff --git a/.github/workflows/zephyr.yml b/.github/workflows/zephyr.yml index d18d148e81..73d0342596 100644 --- a/.github/workflows/zephyr.yml +++ b/.github/workflows/zephyr.yml @@ -3,7 +3,7 @@ name: Zephyr tests permissions: contents: read -on: [push, pull_request] +on: [workflow_call, workflow_dispatch] jobs: diff --git a/CI.md b/CI.md new file mode 100644 index 0000000000..95ad9c2cb6 --- /dev/null +++ b/CI.md 
@@ -0,0 +1,107 @@
+# Continuous Integration (CI)
+
+This document aims to provide a accessible yet comprehensive overview of the liboqs CI setup.
+
+## GitHub Actions
+
+liboqs relies on GitHub Actions for almost all of its CI and makes extensive use of [reusable workflows](https://docs.github.com/en/actions/sharing-automations/reusing-workflows).
+All workflow files are located in the `.github/workflows` subdirectory.
+
+### Caller workflows
+
+These workflows are triggered by GitHub events (for example, a pull request or a release).
+They implement the logic dictating which tests should run on which events.
+
+#### Push workflow (`push.yml`)
+
+This workflow is triggered by pushes to non-`main` branches.
+It calls only [basic checks](#basic.yml) unless one of the following strings is included in the commit message:
+- "[full tests]": calls [all platform tests](#platforms.yml).
+- "[extended tests]": calls the [extended tests](#extended.yml).
+- "[trigger downstream]": calls the [downstream release tests](#downstream-release.yml).
+
+To trigger multiple test suites, include multiple trigger strings in the commit message.
+For example, "[full tests] [trigger downstream]" will trigger both the platform tests and the downstream release tests.
+
+#### Pull request workflow (`pr.yml`)
+
+This workflow runs on pull requests.
+It calls [basic checks](#basic.yml), [platform tests](#platforms.yml) and [scorecard analysis](#scorecard.yml).
+
+#### Commit-to-main workflow (`commit-to-main.yml`)
+
+This workflow runs on pushes to the `main` branch (typically done automatically when a pull request is merged).
+It calls [platform tests](#platforms.yml), [scorecard analysis](#scorecard.yml), and [basic downstream tests](#downstream-basic.yml).
+
+#### Weekly workflow (`weekly.yml`)
+
+This workflow is triggered by a weekly schedule.
+It calls [extended tests](#extended.yml) and [scorecard analysis](#scorecard.yml).
+
+#### Release workflow (`release.yml`)
+
+This workflow is triggered when a release (including a pre-release) is published on GitHub.
+It calls [extended tests](#extended) and [downstream release tests](#downstream-release.yml).
+
+### Callable workflows
+
+These workflows are not triggered directly by any GitHub event.
+They are instead called by one of the [caller workflows](#caller-workflows).
+Users with "write" permissions can also trigger them manually via the GitHub web UI or REST API.
+
+#### Basic checks (`basic.yml`)
+
+This workflow runs a minimal set of tests that should pass before heavier tests are triggered.
+
+#### Individual platform tests (`.yml`)
+
+These workflows contain tests for the individual [platforms supported by liboqs](PLATFORMS.md).
+Currently, these include
+- `android.yml`,
+- `apple.yml`,
+- `macos.yml`,
+- `linux.yml`,
+- `windows.yml`, and
+- `zephyr.yml`.
+
+All of these these are wrapped by [`platforms.yml`](#platforms.yml).
+
+#### All platform tests (`platforms.yml`)
+
+This workflow calls all of the [platform-specific tests](#.yml).
+
+#### Extended tests (`extended.yml`)
+
+This workflow calls tests which are either resource intensive or rarely need to be triggered.
+Currently, this includes constant-time testing with valgrind and the full suite of NIST Known Answer Tests.
+
+#### Basic downstream trigger (`downstream-basic.yml`)
+
+This workflow triggers basic CI for a selection of projects that depend on `liboqs`.
+Currently, these include
+- [`OQS OpenSSL3 provider`](https://github.com/open-quantum-safe/oqs-provider)
+- [`OQS-BoringSSL`](https://github.com/open-quantum-safe/boringssl)
+- [`OQS-OpenSSH`](https://github.com/open-quantum-safe/openssh)
+- [`OQS Demos`](https://github.com/open-quantum-safe/oqs-demos)
+- [`liboqs-cpp`](https://github.com/open-quantum-safe/liboqs-cpp)
+- [`liboqs-go`](https://github.com/open-quantum-safe/liboqs-go)
+- [`liboqs-python`](https://github.com/open-quantum-safe/liboqs-python)
+
+Callers must include `secrets: inherit` in order for the appropriate access tokens to be passed to this workflow.
+
+#### Downstream release trigger (`downstream-release.yml`)
+
+This workflow triggers release tests for a selection of projects that depend on `liboqs`.
+Currently, this is only the [`OQS OpenSSL3 provider`](https://github.com/open-quantum-safe/oqs-provider).
+Callers must include `secrets: inherit` in order for the appropriate access tokens to be passed to this workflow.
+
+#### OpenSSF scorecard analysis (`scorecard.yml`)
+
+This workflow runs the [OpenSSF scorecard](https://github.com/ossf/scorecard) tool.
+It is additionally triggered automatically when branch protection rules are changed.
+Callers must include `secrets: inherit` in order for the appropriate access tokens to be passed to this workflow.
+
+## Travis CI
+
+In the past, we used Travis CI to test on [some IBM platforms](PLATFORMS.md#tier-3-1) that are not supported by GitHub Actions.
+Our Travis builds are currently disabled pending resolution of [issue #1888](https://github.com/open-quantum-safe/liboqs/issues/1888).
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index c37061702e..b87108e37f 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -34,17 +34,27 @@ LIBOQS_DIR= ./scripts/format_code.sh ``` This script has been tested on x86\_64 Ubuntu and arm64 macOS. Contributions for other platforms are welcome and appreciated! -### Running CI locally +### Continuous Integration (CI) -#### Github CI +`liboqs` uses GitHub Actions for CI. +For a comprehensive overview of our CI setup, see [CI.md](CI.md). + +#### Running CI on your branch + +OQS attempts to be responsible with resource usage and only runs a minimal set of tests automatically on push. +A more thorough test suite runs automatically on pull requests. +To trigger these tests before creating a PR, include the string "[full tests]" in a commit message. +Other trigger strings are documented in [CI.md](CI.md#push.yml). + +#### Running CI locally [Act](https://github.com/nektos/act) is a tool facilitating local execution of -github CI jobs. When executed in the main `oqsprovider` directory, +GitHub CI jobs. When executed in the main `liboqs` directory, - act -l Displays all github CI jobs + act -l Displays all GitHub CI jobs act -j some-job Executes "some-job" -When installing `act` as a github extension, prefix the commands with `gh `. +When installing `act` as a GitHub extension, prefix the commands with `gh `. ### New features diff --git a/PLATFORMS.md b/PLATFORMS.md index e2220229ae..d33efa2722 100644 --- a/PLATFORMS.md +++ b/PLATFORMS.md @@ -44,9 +44,9 @@ In this policy, the words "must" and "must not" specify absolute requirements th ### Tier 1 -- x86_64/amd64/x64 for Ubuntu Linux (Focal)† +- x86_64/amd64/x64 for Ubuntu Linux (Noble)† - x86_64/amd64/x64 for MacOS (XCode 14 and 15) -- aarch64 for Ubuntu (Focal) +- aarch64 for Ubuntu (Noble) - aarch64 for MacOS (XCode 15) - armhf/ARM7 and aarch64 emulation on Ubuntu @@ -60,5 +60,3 @@ In this policy, the words "must" and "must not" specify absolute requirements th ### Tier 3 - x86 for Windows (Visual Studio Toolchain) -- ppc64le for Ubuntu (Focal) -- s390x for Ubuntu (Focal) 
diff --git a/scripts/copy_from_upstream/copy_from_libjade.yml b/scripts/copy_from_upstream/copy_from_libjade.yml index 620949c399..db2f19c4b8 100644 --- a/scripts/copy_from_upstream/copy_from_libjade.yml +++ b/scripts/copy_from_upstream/copy_from_libjade.yml @@ -1,8 +1,8 @@ # When adding an algorithm to copy_from_libjade.yml, the boolean # 'libjade_implementation' and list of implementation 'libjade_implementations' # must updated for the relevant algorithm in copy_from_upstream.yml -# Additionaly, the algorithm name must be appended to env.LIBJADE_ALG_LIST -# in the unix.yml and weekly.yml GitHub Actions workflows +# Additionaly, the algorithm name must be appended to the GitHub repository +# environment variable LIBJADE_ALG_LIST. jasmin_version: '2023.06.3' upstreams: - @@ -27,4 +27,4 @@ kems: scheme: "768" pqclean_scheme: kyber768 pretty_name_full: Kyber768 -sigs: [] \ No newline at end of file +sigs: [] diff --git a/scripts/copy_from_upstream/copy_from_upstream.py b/scripts/copy_from_upstream/copy_from_upstream.py index 6cd9b12eca..85eebf96b6 100755 --- a/scripts/copy_from_upstream/copy_from_upstream.py +++ b/scripts/copy_from_upstream/copy_from_upstream.py @@ -123,7 +123,7 @@ def replacer_contextual(destination_file_path, template_file_path, delimiter, fa contents = preamble + identifier_start + jinja2.Template(template).render(f) + postamble file_put_contents(destination_file_path, contents) -def load_instructions(file): +def load_instructions(file='copy_from_upstream.yml'): instructions = file_get_contents( os.path.join(os.environ['LIBOQS_DIR'], 'scripts', 'copy_from_upstream', file), encoding='utf-8') diff --git a/scripts/format_code.sh b/scripts/format_code.sh index e8b617b83e..a2b5f4ef19 100755 --- a/scripts/format_code.sh +++ b/scripts/format_code.sh 
@@ -19,4 +19,4 @@ then exit 1 fi -docker run --rm -v"$LIBOQS_DIR":/root/liboqs -w /root/liboqs openquantumsafe/ci-ubuntu-focal-$arch:latest ./tests/run_astyle.sh --no-dry-run +docker run --rm -v"$LIBOQS_DIR":/root/liboqs -w /root/liboqs openquantumsafe/ci-ubuntu-latest:latest ./tests/run_astyle.sh --no-dry-run diff --git a/scripts/update_docs_from_yaml.py b/scripts/update_docs_from_yaml.py index 2535d0ffaa..2c642332a7 100644 --- a/scripts/update_docs_from_yaml.py +++ b/scripts/update_docs_from_yaml.py @@ -89,7 +89,7 @@ def do_it(liboqs_root): out_md.write('\n') for index, parameter_set in enumerate(kem_yaml['parameter-sets']): - out_md.write('\n## {} implementation characteristics\n\n'.format(parameter_set['name'].replace("_", "\_"))) + out_md.write('\n## {} implementation characteristics\n\n'.format(parameter_set['name'].replace("_", "\\_"))) table_header = ['Implementation source', 'Identifier in upstream', 'Supported architecture(s)', @@ -108,7 +108,7 @@ def do_it(liboqs_root): # if all platforms are supported, assuming not optimized and is primary upstream if impl['supported-platforms'] == 'all': table.append(['[Primary Source](#primary-source)', - impl['upstream-id'].replace('_', '\_'), + impl['upstream-id'].replace('_', '\\_'), 'All', 'All', 'None', @@ -132,8 +132,8 @@ def do_it(liboqs_root): anchor = impl['upstream'] upstream_name = '[{}](#{})'.format(name, anchor) table.append([upstream_name, - impl['upstream-id'].replace('_', '\_'), - platform['architecture'].replace('_', '\_'), + impl['upstream-id'].replace('_', '\\_'), + platform['architecture'].replace('_', '\\_'), op_systems, flags, impl['no-secret-dependent-branching-claimed'], 
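Review bot: The image is now `openquantumsafe/ci-ubuntu-latest:latest`, a mutable tag, and this script mounts the whole checkout into it and runs `run_astyle.sh --no-dry-run`, which rewrites source files in place, so a tag move upstream changes what code edits the tree with no signal in the script. Pinning by digest, `openquantumsafe/ci-ubuntu-latest@sha256:<digest-placeholder>`, makes the formatting reproducible and turns image bumps into reviewable changes. Separately, `$arch` no longer appears in the image name; if the architecture detection above this hunk only existed to build that name, it is now dead and can be dropped (the lines before `then exit 1 fi` are outside the hunk).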
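Review bot: The markdown escape `.replace('_', '\\_')` (now a properly escaped backslash, so the emitted text is unchanged and the Python 3.12 invalid-escape warning goes away) is repeated on every changed line here and in the hunks at `@@ -108`, `@@ -132`, `@@ -202`, `@@ -213`, `@@ -232`, `@@ -256` and `@@ -396`; a single helper, `def md_escape(s): return s.replace('_', '\\_')`, would keep the escaping rule in one place and shorten each `.format(...)` call. In the `@@ -396` hunk, the alias lines apply the replace to the whole formatted `' (alias: {})'` string while their neighbours escape the name first; the result is the same because the template has no underscore, but with the helper they would read alike. `do_it` starts and ends outside these hunks.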
@@ -202,7 +202,7 @@ def do_it(liboqs_root): 'Secret key size (bytes)', 'Signature size (bytes)']] for parameter_set in sig_yaml['parameter-sets']: - table.append([parameter_set['name'].replace('_', '\_'), + table.append([parameter_set['name'].replace('_', '\\_'), parameter_set['alias'] if 'alias' in parameter_set else "NA", parameter_set['claimed-security'], parameter_set['claimed-nist-level'], @@ -213,7 +213,7 @@ def do_it(liboqs_root): out_md.write('\n') for index, parameter_set in enumerate(sig_yaml['parameter-sets']): - out_md.write('\n## {} implementation characteristics\n\n'.format(parameter_set['name'].replace("_", "\_"))) + out_md.write('\n## {} implementation characteristics\n\n'.format(parameter_set['name'].replace("_", "\\_"))) table_header = ['Implementation source', 'Identifier in upstream', 'Supported architecture(s)', @@ -232,7 +232,7 @@ def do_it(liboqs_root): # if all platforms are supported, assuming not optimized and is primary upstream if impl['supported-platforms'] == 'all': table.append(['[Primary Source](#primary-source)', - impl['upstream-id'].replace('_', '\_'), + impl['upstream-id'].replace('_', '\\_'), 'All', 'All', 'None', @@ -256,8 +256,8 @@ def do_it(liboqs_root): anchor = impl['upstream'] upstream_name = '[{}](#{})'.format(name, anchor) table.append([upstream_name, - impl['upstream-id'].replace('_', '\_'), - platform['architecture'].replace('_', '\_'), + impl['upstream-id'].replace('_', '\\_'), + platform['architecture'].replace('_', '\\_'), op_systems, flags, impl['no-secret-dependent-branching-claimed'], 
@@ -396,36 +396,36 @@ def do_it(liboqs_root): for sig_yaml in sig_yamls[:-1]: # SPHINCS is last in this sorted list and requires special handling. parameter_sets = sig_yaml['parameter-sets'] if any(impl['large-stack-usage'] for impl in parameter_sets[0]['implementations']): - readme.write('- **{}**: {}†'.format(sig_yaml['name'], parameter_sets[0]['name'].replace('_','\_'))) + readme.write('- **{}**: {}†'.format(sig_yaml['name'], parameter_sets[0]['name'].replace('_','\\_'))) if 'alias' in parameter_sets[0]: - readme.write(' (alias: {})'.format(parameter_sets[0]['alias']).replace('_','\_')) + readme.write(' (alias: {})'.format(parameter_sets[0]['alias']).replace('_','\\_')) else: - readme.write('- **{}**: {}'.format(sig_yaml['name'], parameter_sets[0]['name'].replace('_','\_'))) + readme.write('- **{}**: {}'.format(sig_yaml['name'], parameter_sets[0]['name'].replace('_','\\_'))) if 'alias' in parameter_sets[0]: - readme.write(' (alias: {})'.format(parameter_sets[0]['alias']).replace('_','\_')) + readme.write(' (alias: {})'.format(parameter_sets[0]['alias']).replace('_','\\_')) for parameter_set in parameter_sets[1:]: if any(impl['large-stack-usage'] for impl in parameter_set['implementations']): - readme.write(', {}†'.format(parameter_set['name'].replace('_', '\_'))) + readme.write(', {}†'.format(parameter_set['name'].replace('_', '\\_'))) if 'alias' in parameter_set: - readme.write(' (alias: {})'.format(parameter_set['alias']).replace('_','\_')) + readme.write(' (alias: {})'.format(parameter_set['alias']).replace('_','\\_')) else: - readme.write(', {}'.format(parameter_set['name'].replace('_', '\_'))) + readme.write(', {}'.format(parameter_set['name'].replace('_', '\\_'))) if 'alias' in parameter_set: - readme.write(' (alias: {})'.format(parameter_set['alias']).replace('_','\_')) + readme.write(' (alias: {})'.format(parameter_set['alias']).replace('_','\\_')) readme.write('\n') sphincs_yml = sig_yamls[-1] for hash_func in ['SHA2', 'SHAKE']: parameter_sets = [pset 
for pset in sphincs_yml['parameter-sets'] if hash_func in pset['name']] if any(impl['large-stack-usage'] for impl in parameter_sets[0]['implementations']): - readme.write('- **SPHINCS+-{}**: {}†'.format(hash_func, parameter_sets[0]['name'].replace('_','\_'))) + readme.write('- **SPHINCS+-{}**: {}†'.format(hash_func, parameter_sets[0]['name'].replace('_','\\_'))) else: - readme.write('- **SPHINCS+-{}**: {}'.format(hash_func, parameter_sets[0]['name'].replace('_','\_'))) + readme.write('- **SPHINCS+-{}**: {}'.format(hash_func, parameter_sets[0]['name'].replace('_','\\_'))) for parameter_set in parameter_sets[1:]: if any(impl['large-stack-usage'] for impl in parameter_set['implementations']): - readme.write(', {}†'.format(parameter_set['name'].replace('_', '\_'))) + readme.write(', {}†'.format(parameter_set['name'].replace('_', '\\_'))) else: - readme.write(', {}'.format(parameter_set['name'].replace('_', '\_'))) + readme.write(', {}'.format(parameter_set['name'].replace('_', '\\_'))) readme.write('\n') readme.write(postamble) diff --git a/tests/constant_time/kem/issues/classic-mceliece-348864f b/tests/constant_time/kem/issues/classic-mceliece-348864f index 5c5c9e6bd8..023304d5bf 100644 --- a/tests/constant_time/kem/issues/classic-mceliece-348864f +++ b/tests/constant_time/kem/issues/classic-mceliece-348864f @@ -153,15 +153,15 @@ { This implementation of Classic McEliece may not be constant time. Memcheck:Value8 - src:pk_gen.c:445 + src:pk_gen.c:444 # fun:PQCLEAN_MCELIECE348864F_AVX2_pk_gen fun:PQCLEAN_MCELIECE348864F_AVX2_crypto_kem_keypair } { This implementation of Classic McEliece may not be constant time. - Memcheck:Cond - src:pk_gen.c:444 + Memcheck:Value8 + src:pk_gen.c:445 # fun:PQCLEAN_MCELIECE348864F_AVX2_pk_gen fun:PQCLEAN_MCELIECE348864F_AVX2_crypto_kem_keypair } diff --git a/tests/constant_time/kem/issues/classic-mceliece-460896 b/tests/constant_time/kem/issues/classic-mceliece-460896 index 4108964c45..14cce9aed8 100644 
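Review bot: The two suppressions at `src:pk_gen.c:444`/`src:pk_gen.c:445` change kind rather than just line number (the `Memcheck:Cond` entry at 444 becomes a second `Memcheck:Value8`), and the classic-mceliece-460896 and -460896f hunks add new `store_i`/`store8` entries from `util.h`, so the set of accepted non-constant-time findings has changed, not merely shifted with the source. These files are the record of which timing leaks the project knowingly tolerates, so a header comment stating what they were regenerated against, e.g. `# regenerated on ci-ubuntu-latest with <valgrind/compiler version placeholder>`, would let the next reader tell a toolchain artefact from a new leak. Line-based suppressions also stop matching silently on the next upstream or compiler change, which is presumably what left the duplicated entries the 6688128f and 6960119f hunks now remove.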
--- a/tests/constant_time/kem/issues/classic-mceliece-460896 +++ b/tests/constant_time/kem/issues/classic-mceliece-460896 @@ -78,6 +78,22 @@ fun:PQCLEAN_MCELIECE460896_AVX2_crypto_kem_keypair } +{ + This implementation of Classic McEliece may not be constant time. + Memcheck:Cond + src:util.h:16 + # fun:store_i + fun:PQCLEAN_MCELIECE460896_AVX2_pk_gen +} + +{ + This implementation of Classic McEliece may not be constant time. + Memcheck:Value8 + src:util.h:17 + # fun:store_i + fun:PQCLEAN_MCELIECE460896_AVX2_pk_gen +} + { This implementation of Classic McEliece may not be constant time. Memcheck:Value8 @@ -86,6 +102,14 @@ fun:PQCLEAN_MCELIECE460896_AVX2_pk_gen } +{ + This implementation of Classic McEliece may not be constant time. + Memcheck:Value8 + src:util.h:78 + # fun:store8 + fun:PQCLEAN_MCELIECE460896_AVX2_pk_gen +} + { This implementation of Classic McEliece may not be constant time. Memcheck:Value8 diff --git a/tests/constant_time/kem/issues/classic-mceliece-460896f b/tests/constant_time/kem/issues/classic-mceliece-460896f index 4eb3eaf8bf..58b7a612c1 100644 --- a/tests/constant_time/kem/issues/classic-mceliece-460896f +++ b/tests/constant_time/kem/issues/classic-mceliece-460896f @@ -1,7 +1,23 @@ +{ + This implementation of Classic McEliece may not be constant time. + Memcheck:Cond + src:util.h:16 + # fun:store_i + fun:PQCLEAN_MCELIECE460896F_AVX2_pk_gen +} + { This implementation of Classic McEliece may not be constant time. Memcheck:Value8 - src:pk_gen.c:201 + src:util.h:17 + # fun:store_i + fun:PQCLEAN_MCELIECE460896F_AVX2_pk_gen +} + +{ + This implementation of Classic McEliece may not be constant time. + Memcheck:Value8 + src:pk_gen.c:200 # fun:to_bitslicing_2x fun:PQCLEAN_MCELIECE460896F_AVX2_pk_gen } @@ -9,7 +25,7 @@ { This implementation of Classic McEliece may not be constant time. Memcheck:Cond - src:pk_gen.c:199 + src:pk_gen.c:198 # fun:to_bitslicing_2x fun:PQCLEAN_MCELIECE460896F_AVX2_pk_gen } 
@@ -17,7 +33,7 @@ { This implementation of Classic McEliece may not be constant time. Memcheck:Cond - src:pk_gen.c:196 + src:pk_gen.c:195 # fun:to_bitslicing_2x fun:PQCLEAN_MCELIECE460896F_AVX2_pk_gen } @@ -25,7 +41,7 @@ { This implementation of Classic McEliece may not be constant time. Memcheck:Cond - src:pk_gen.c:423 + src:pk_gen.c:422 # fun:PQCLEAN_MCELIECE460896F_AVX2_pk_gen fun:PQCLEAN_MCELIECE460896F_AVX2_crypto_kem_keypair } @@ -33,7 +49,7 @@ { This implementation of Classic McEliece may not be constant time. Memcheck:Cond - src:pk_gen.c:437 + src:pk_gen.c:436 # fun:PQCLEAN_MCELIECE460896F_AVX2_pk_gen fun:PQCLEAN_MCELIECE460896F_AVX2_crypto_kem_keypair } @@ -129,7 +145,7 @@ { This implementation of Classic McEliece may not be constant time. Memcheck:Value8 - src:pk_gen.c:442 + src:pk_gen.c:440 # fun:PQCLEAN_MCELIECE460896F_AVX2_pk_gen fun:PQCLEAN_MCELIECE460896F_AVX2_crypto_kem_keypair } @@ -342,6 +358,14 @@ fun:PQCLEAN_MCELIECE460896F_AVX2_crypto_kem_keypair } +{ + This implementation of Classic McEliece may not be constant time. + Memcheck:Value8 + src:pk_gen.c:437 + # fun:PQCLEAN_MCELIECE460896F_AVX2_pk_gen + fun:PQCLEAN_MCELIECE460896F_AVX2_crypto_kem_keypair +} + { This implementation of Classic McEliece may not be constant time. Memcheck:Value8 diff --git a/tests/constant_time/kem/issues/classic-mceliece-6688128f b/tests/constant_time/kem/issues/classic-mceliece-6688128f index f59b36de50..8c63db87d1 100644 --- a/tests/constant_time/kem/issues/classic-mceliece-6688128f +++ b/tests/constant_time/kem/issues/classic-mceliece-6688128f @@ -1,7 +1,7 @@ { This implementation of Classic McEliece may not be constant time. Memcheck:Value8 - src:pk_gen.c:201 + src:pk_gen.c:200 # fun:to_bitslicing_2x fun:PQCLEAN_MCELIECE6688128F_AVX2_pk_gen } @@ -9,7 +9,7 @@ { This implementation of Classic McEliece may not be constant time. Memcheck:Cond - src:pk_gen.c:199 + src:pk_gen.c:198 # fun:to_bitslicing_2x fun:PQCLEAN_MCELIECE6688128F_AVX2_pk_gen } 
@@ -17,7 +17,7 @@
 {
  This implementation of Classic McEliece may not be constant time.
  Memcheck:Cond
- src:pk_gen.c:196
+ src:pk_gen.c:195
  # fun:to_bitslicing_2x
  fun:PQCLEAN_MCELIECE6688128F_AVX2_pk_gen
 }
@@ -33,15 +33,7 @@
 {
  This implementation of Classic McEliece may not be constant time.
  Memcheck:Cond
- src:pk_gen.c:426
- fun:PQCLEAN_MCELIECE6688128F_AVX2_pk_gen
- # fun:PQCLEAN_MCELIECE6688128F_AVX2_crypto_kem_keypair
-}
-
-{
- This implementation of Classic McEliece may not be constant time.
- Memcheck:Cond
- src:pk_gen.c:426
+ src:pk_gen.c:425
  # fun:PQCLEAN_MCELIECE6688128F_AVX2_pk_gen
  fun:PQCLEAN_MCELIECE6688128F_AVX2_crypto_kem_keypair
 }
@@ -57,7 +49,7 @@
 {
  This implementation of Classic McEliece may not be constant time.
  Memcheck:Cond
- src:pk_gen.c:440
+ src:pk_gen.c:439
  # fun:PQCLEAN_MCELIECE6688128F_AVX2_pk_gen
  fun:PQCLEAN_MCELIECE6688128F_AVX2_crypto_kem_keypair
 }
@@ -65,15 +57,7 @@
 {
  This implementation of Classic McEliece may not be constant time.
  Memcheck:Value8
- src:pk_gen.c:444
- # fun:PQCLEAN_MCELIECE6688128F_AVX2_pk_gen
- fun:PQCLEAN_MCELIECE6688128F_AVX2_crypto_kem_keypair
-}
-
-{
- This implementation of Classic McEliece may not be constant time.
- Memcheck:Cond
- src:pk_gen.c:440
+ src:pk_gen.c:443
  # fun:PQCLEAN_MCELIECE6688128F_AVX2_pk_gen
  fun:PQCLEAN_MCELIECE6688128F_AVX2_crypto_kem_keypair
 }
@@ -201,15 +185,7 @@
 {
  This implementation of Classic McEliece may not be constant time.
  Memcheck:Value8
- src:pk_gen.c:445
- # fun:PQCLEAN_MCELIECE6688128F_AVX2_pk_gen
- fun:PQCLEAN_MCELIECE6688128F_AVX2_crypto_kem_keypair
-}
-
-{
- This implementation of Classic McEliece may not be constant time.
- Memcheck:Value8
- src:pk_gen.c:445
+ src:pk_gen.c:444
  # fun:PQCLEAN_MCELIECE6688128F_AVX2_pk_gen
  fun:PQCLEAN_MCELIECE6688128F_AVX2_crypto_kem_keypair
 }
diff --git a/tests/constant_time/kem/issues/classic-mceliece-6960119 b/tests/constant_time/kem/issues/classic-mceliece-6960119
index b01c1b15c4..2c81769112 100644
--- a/tests/constant_time/kem/issues/classic-mceliece-6960119
+++ b/tests/constant_time/kem/issues/classic-mceliece-6960119
@@ -81,7 +81,7 @@
 {
  This implementation of Classic McEliece may not be constant time.
  Memcheck:Value8
- src:util.h:81
+ src:util.h:78
  # fun:store8
  fun:PQCLEAN_MCELIECE6960119_AVX2_pk_gen
 }
diff --git a/tests/constant_time/kem/issues/classic-mceliece-6960119f b/tests/constant_time/kem/issues/classic-mceliece-6960119f
index 8b9544fd2a..28d1a3c20f 100644
--- a/tests/constant_time/kem/issues/classic-mceliece-6960119f
+++ b/tests/constant_time/kem/issues/classic-mceliece-6960119f
@@ -1,7 +1,7 @@
 {
  This implementation of Classic McEliece may not be constant time.
  Memcheck:Value8
- src:pk_gen.c:201
+ src:pk_gen.c:200
  # fun:to_bitslicing_2x
  fun:PQCLEAN_MCELIECE6960119F_AVX2_pk_gen
 }
@@ -9,7 +9,7 @@
 {
  This implementation of Classic McEliece may not be constant time.
  Memcheck:Cond
- src:pk_gen.c:199
+ src:pk_gen.c:198
  # fun:to_bitslicing_2x
  fun:PQCLEAN_MCELIECE6960119F_AVX2_pk_gen
 }
@@ -17,7 +17,7 @@
 {
  This implementation of Classic McEliece may not be constant time.
  Memcheck:Cond
- src:pk_gen.c:196
+ src:pk_gen.c:195
  # fun:to_bitslicing_2x
  fun:PQCLEAN_MCELIECE6960119F_AVX2_pk_gen
 }
@@ -33,15 +33,7 @@
 {
  This implementation of Classic McEliece may not be constant time.
  Memcheck:Cond
- src:pk_gen.c:432
- # fun:PQCLEAN_MCELIECE6960119F_AVX2_pk_gen
- fun:PQCLEAN_MCELIECE6960119F_AVX2_crypto_kem_keypair
-}
-
-{
- This implementation of Classic McEliece may not be constant time.
- Memcheck:Cond
- src:pk_gen.c:432
+ src:pk_gen.c:431
  # fun:PQCLEAN_MCELIECE6960119F_AVX2_pk_gen
  fun:PQCLEAN_MCELIECE6960119F_AVX2_crypto_kem_keypair
 }
@@ -57,7 +49,7 @@
 {
  This implementation of Classic McEliece may not be constant time.
  Memcheck:Cond
- src:pk_gen.c:446
+ src:pk_gen.c:445
  # fun:PQCLEAN_MCELIECE6960119F_AVX2_pk_gen
  fun:PQCLEAN_MCELIECE6960119F_AVX2_crypto_kem_keypair
 }
@@ -65,7 +57,7 @@
 {
  This implementation of Classic McEliece may not be constant time.
  Memcheck:Value8
- src:pk_gen.c:450
+ src:pk_gen.c:449
  # fun:PQCLEAN_MCELIECE6960119F_AVX2_pk_gen
  fun:PQCLEAN_MCELIECE6960119F_AVX2_crypto_kem_keypair
 }
@@ -201,14 +193,6 @@
 {
  This implementation of Classic McEliece may not be constant time.
  Memcheck:Value8
- src:pk_gen.c:451
- # fun:PQCLEAN_MCELIECE6960119F_AVX2_pk_gen
- fun:PQCLEAN_MCELIECE6960119F_AVX2_crypto_kem_keypair
-}
-
-{
- This implementation of Classic McEliece may not be constant time.
- Memcheck:Cond
  src:pk_gen.c:450
  # fun:PQCLEAN_MCELIECE6960119F_AVX2_pk_gen
  fun:PQCLEAN_MCELIECE6960119F_AVX2_crypto_kem_keypair
diff --git a/tests/constant_time/kem/issues/classic-mceliece-8192128f b/tests/constant_time/kem/issues/classic-mceliece-8192128f
index 7e2e569bab..bdd008263e 100644
--- a/tests/constant_time/kem/issues/classic-mceliece-8192128f
+++ b/tests/constant_time/kem/issues/classic-mceliece-8192128f
@@ -1,7 +1,7 @@
 {
  This implementation of Classic McEliece may not be constant time.
  Memcheck:Value8
- src:pk_gen.c:201
+ src:pk_gen.c:200
  # fun:to_bitslicing_2x
  fun:PQCLEAN_MCELIECE8192128F_AVX2_pk_gen
 }
@@ -9,7 +9,7 @@
 {
  This implementation of Classic McEliece may not be constant time.
  Memcheck:Cond
- src:pk_gen.c:199
+ src:pk_gen.c:198
  # fun:to_bitslicing_2x
  fun:PQCLEAN_MCELIECE8192128F_AVX2_pk_gen
 }
@@ -17,7 +17,7 @@
 {
  This implementation of Classic McEliece may not be constant time.
  Memcheck:Cond
- src:pk_gen.c:196
+ src:pk_gen.c:195
  # fun:to_bitslicing_2x
  fun:PQCLEAN_MCELIECE8192128F_AVX2_pk_gen
 }
@@ -33,15 +33,7 @@
 {
  This implementation of Classic McEliece may not be constant time.
  Memcheck:Cond
- src:pk_gen.c:426
- # fun:PQCLEAN_MCELIECE8192128F_AVX2_pk_gen
- fun:PQCLEAN_MCELIECE8192128F_AVX2_crypto_kem_keypair
-}
-
-{
- This implementation of Classic McEliece may not be constant time.
- Memcheck:Cond
- src:pk_gen.c:426
+ src:pk_gen.c:425
  # fun:PQCLEAN_MCELIECE8192128F_AVX2_pk_gen
  fun:PQCLEAN_MCELIECE8192128F_AVX2_crypto_kem_keypair
 }
@@ -57,7 +49,7 @@
 {
  This implementation of Classic McEliece may not be constant time.
  Memcheck:Cond
- src:pk_gen.c:441
+ src:pk_gen.c:440
  # fun:PQCLEAN_MCELIECE8192128F_AVX2_pk_gen
  fun:PQCLEAN_MCELIECE8192128F_AVX2_crypto_kem_keypair
 }
@@ -65,15 +57,7 @@
 {
  This implementation of Classic McEliece may not be constant time.
  Memcheck:Value8
- src:pk_gen.c:445
- # fun:PQCLEAN_MCELIECE8192128F_AVX2_pk_gen
- fun:PQCLEAN_MCELIECE8192128F_AVX2_crypto_kem_keypair
-}
-
-{
- This implementation of Classic McEliece may not be constant time.
- Memcheck:Cond
- src:pk_gen.c:441
+ src:pk_gen.c:444
  # fun:PQCLEAN_MCELIECE8192128F_AVX2_pk_gen
  fun:PQCLEAN_MCELIECE8192128F_AVX2_crypto_kem_keypair
 }
@@ -202,7 +186,7 @@
 {
  This implementation of Classic McEliece may not be constant time.
  Memcheck:Value8
- src:pk_gen.c:446
+ src:pk_gen.c:445
  # fun:PQCLEAN_MCELIECE8192128F_AVX2_pk_gen
  fun:PQCLEAN_MCELIECE8192128F_AVX2_crypto_kem_keypair
 }
diff --git a/tests/constant_time/sig/issues/falcon b/tests/constant_time/sig/issues/falcon
index bc5bebe269..1e73c0eedd 100644
--- a/tests/constant_time/sig/issues/falcon
+++ b/tests/constant_time/sig/issues/falcon
@@ -12,4 +12,12 @@
  src:sign.c:1140
  # fun:BerExp
  fun:PQCLEAN_FALCON*_AVX2_sampler
-}
\ No newline at end of file
+}
+
+{
+ This constant time error has not been studied/analysed.
+ Memcheck:Cond
+ src:fpr.h:352
+ # fun:fpr_floor
+ fun:PQCLEAN_FALCON*_CLEAN_sampler
+}
diff --git a/tests/test_sig_stfl.c b/tests/test_sig_stfl.c
index 70686fbee7..9867dbf60a 100644
--- a/tests/test_sig_stfl.c
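Review bot: The new falcon suppression for `src:fpr.h:352` is recorded as not yet studied, so the constant-time check will stop reporting a possible timing leak in `fpr_floor` while nothing in the file says where that analysis is tracked or who owns it. The description line is the only free text valgrind keeps for a suppression, so I would use it to carry the reference, e.g. `This constant time error has not been studied/analysed; tracked in <TRACKING-ISSUE-PLACEHOLDER>.`. Because `# fun:fpr_floor` is commented out, the entry matches on `src:fpr.h:352` plus `fun:PQCLEAN_FALCON*_CLEAN_sampler` only, which is the pattern the rest of the file uses, but it is worth noting that the wildcard extends this single unstudied entry to every Falcon parameter set's CLEAN sampler.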
+++ b/tests/test_sig_stfl.c
@@ -243,7 +243,9 @@ OQS_STATUS sig_stfl_keypair_from_KATs(OQS_SIG_STFL *sig, uint8_t *public_key, OQ
  ret = OQS_ERROR;
 
 cleanup:
- fclose(fp_rsp);
+ if (fp_rsp) {
+ fclose(fp_rsp);
+ }
  return ret;
 }
 
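Review bot: The added `if (fp_rsp)` guard only makes the `cleanup:` path safe if `fp_rsp` is NULL on every route that reaches the label before the file was opened; its declaration is outside this hunk, so confirm it is initialised as `FILE *fp_rsp = NULL;` rather than left indeterminate until the `fopen` call, otherwise an early error exit still passes garbage to `fclose`. The `fclose` return value remains unchecked, which is acceptable for a stream that is only read from (as a KAT response file presumably is), but a one-line comment such as `/* read-only stream: an fclose failure loses no data */` would record that this is deliberate. The enclosing function `sig_stfl_keypair_from_KATs` starts outside the hunk.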