Skip to content

Latest commit

 

History

History
447 lines (315 loc) · 36.1 KB

RELEASE.md

File metadata and controls

447 lines (315 loc) · 36.1 KB

oqs-provider 0.7.1-dev

About

The Open Quantum Safe (OQS) project has the goal of developing and prototyping quantum-resistant cryptography. More information on OQS can be found on the website: https://openquantumsafe.org/ and on Github at https://github.com/open-quantum-safe/.

oqs-provider is a standalone OpenSSL 3 provider enabling liboqs-based quantum-safe and hybrid key exchange for TLS 1.3, as well as quantum-safe and hybrid X.509 certificate generation, CMS, CMP and dgst (signature) operations.

When deployed, the oqs-provider binary (shared library) thus adds support for quantum-safe cryptographic operations to any standard OpenSSL(v3) installation. The ultimate goal is that all openssl functionality shall be PQC-enabled.

In general, the oqs-provider main branch is meant to be usable in conjunction with the main branch of liboqs and the master branch of OpenSSL.

Further details on building, testing and use can be found in README.md. See in particular limitations on intended use.

Release notes

This is version 0.7.1-dev of oqs-provider which continues from the earlier 0.7.0 release. This release is fully tested to be used in conjunction with the main branch of liboqs and is guaranteed to be in sync with v0.12.0 of liboqs as and when released.

Previous Release Notes

oqs-provider 0.7.0

About

The Open Quantum Safe (OQS) project has the goal of developing and prototyping quantum-resistant cryptography. More information on OQS can be found on the website: https://openquantumsafe.org/ and on Github at https://github.com/open-quantum-safe/.

oqs-provider is a standalone OpenSSL 3 provider enabling liboqs-based quantum-safe and hybrid key exchange for TLS 1.3, as well as quantum-safe and hybrid X.509 certificate generation, CMS, CMP and dgst (signature) operations.

When deployed, the oqs-provider binary (shared library) thus adds support for quantum-safe cryptographic operations to any standard OpenSSL(v3) installation. The ultimate goal is that all openssl functionality shall be PQC-enabled.

In general, the oqs-provider main branch is meant to be usable in conjunction with the main branch of liboqs and the master branch of OpenSSL.

Further details on building, testing and use can be found in README.md. See in particular limitations on intended use.

Release notes

This is version 0.7.0 of oqs-provider which continues from the earlier 0.6.1 release. This release is fully tested to be used in conjunction with the main branch of liboqs and is guaranteed to be in sync with v0.11.0 of liboqs.

Errata

This release was updated on October 10, 2024 after being first published on October 08, 2024. Prior to being updated the release notes heading incorrectly reported the release version number to be 0.7.1; this error was limited to oqs-provider 0.7.0 release notes and did not affect any oqs-provider functionality.

Security considerations

None.

What's New

In addition to updating documentation, improving the CI, and fixing issues uncovered by compiler warnings and static analysis, this release of oqs-provider:

What's Changed

  • Point CI back to liboqs main by @SWilson4 in #431
  • Fix a typo in NOTES-Windows.md by @qnfm in #436
  • Fix #439: install the static library under $PREFIX/lib. by @thb-sb in #441
  • Fix #440: disable tests and examples using BUILD_TESTING. by @thb-sb in #442
  • Add MAYO by @bhess in #413
  • update the composite to draft-ietf-lamps-pq-composite-sigs-02 by @feventura in #454
  • Update codeowners by @baentsch in #458
  • Remove external encoding lib by @baentsch in #460
  • update coding style and test facilities by @baentsch in #477
  • Fix various warnings. by @ashman-p in #480
  • A note about key encapsulation/decapsulation support in OpenSSL by @beldmit in #486
  • Force liboqs as a debian package dependency requirement only if it is not a static linked library. by @fwh-dc in #493
  • openssl and contribution documentation updates [skip ci] by @baentsch in #499
  • Adds note on supported openssl versions for tls certificates. by @fwh-dc in #498
  • add support for the CMAKE_PARAMS environment variable by @jschauma in #510
  • update MLKEM code points by @baentsch in #511
  • Actionlint workflow checking by @jplomas in #516
  • add explicit usage warning [skip ci] by @baentsch in #515
  • Address some Static Analysis Issues #519 by @ashman-p in #521
  • Only overwrite default library prefix for module library type build. by @fwh-dc in #525
  • Add build option to toggle libjade implementations in liboqs by @praveksharma in #529
  • Reverse TLS hybrid keyshares for x25519/x448-mlkem hybrids by @bhess in #524
  • Rebase and add CROSS by @praveksharma in #530
  • Remove unmanaged KEM OIDs by @baentsch in #522
  • Use more future-proof hash for signature by @beldmit in #532

New Contributors

  • @ashman-p made their first contribution in #480
  • @fwh-dc made their first contribution in #493
  • @jschauma made their first contribution in #510
  • @jplomas made their first contribution in #516
  • @praveksharma made their first contribution in #529

Full Changelog: https://github.com/open-quantum-safe/oqs-provider/compare/0.6.1...0.7.0

oqs-provider 0.6.1

About

The Open Quantum Safe (OQS) project has the goal of developing and prototyping quantum-resistant cryptography. More information on OQS can be found on the website: https://openquantumsafe.org/ and on Github at https://github.com/open-quantum-safe/.

oqs-provider is a standalone OpenSSL 3 provider enabling liboqs-based quantum-safe and hybrid key exchange for TLS 1.3, as well as quantum-safe and hybrid X.509 certificate generation, CMS, CMP and dgst (signature) operations.

When deployed, the oqs-provider binary (shared library) thus adds support for quantum-safe cryptographic operations to any standard OpenSSL(v3) installation. The ultimate goal is that all openssl functionality shall be PQC-enabled.

In general, the oqs-provider main branch is meant to be usable in conjunction with the main branch of liboqs and the master branch of OpenSSL.

Further details on building, testing and use can be found in README.md. See in particular limitations on intended use.

Release notes

This is version 0.6.1 of oqs-provider. This version is closely in sync with liboqs v.0.10.1.

Most important updates are fixed references to a security update to liboqs, fixes of potential buffer overrun errors in hybrid key decoding, adding of composite OID setting logic and several documentation updates.

Security considerations

This fixes potential buffer overrun problems in hybrid key decoding. Use of prior versions is strongly discouraged.

What's Changed

  • reverting to dev mode [skip ci] by @baentsch in #394
  • add caveat regarding OpenSSL installs [skip ci] by @baentsch in #402
  • cpack x64 CI fix by @baentsch in #401
  • Add PKCS#12 test by @iyanmv in #400
  • Fix CI (Add Ubuntu 24 support) by @baentsch in #410
  • Bump jinja2 from 3.1.3 to 3.1.4 in /oqs-template by @dependabot in #409
  • Extra parentheses removed by @bencemali in #405
  • No unwanted error left in queue from OBJ_create by @bencemali in #404
  • update security issue reporting [skip ci] by @baentsch in #414
  • DECODE_UINT32 without lengths checked fixed by @bencemali in #416
  • add composite OIDs to getenv logic by @baentsch in #419
  • Switch to https for git access by @baentsch in #423
  • STANDARDS.md update by @baentsch in #420

New Contributors

  • @iyanmv made their first contribution in #400

Full Changelog: https://github.com/open-quantum-safe/oqs-provider/compare/0.6.0...0.6.1

oqs-provider 0.6.0

About

The Open Quantum Safe (OQS) project has the goal of developing and prototyping quantum-resistant cryptography. More information on OQS can be found on our website: https://openquantumsafe.org/ and on Github at https://github.com/open-quantum-safe/.

oqs-provider is a standalone OpenSSL 3 provider enabling liboqs-based quantum-safe and hybrid key exchange for TLS 1.3, as well as quantum-safe and hybrid X.509 certificate generation, CMS, CMP and dgst (signature) operations.

When deployed, the oqs-provider binary (shared library) thus adds support for quantum-safe cryptographic operations to any standard OpenSSL(v3) installation. The ultimate goal is that all openssl functionality shall be PQC-enabled.

In general, the oqs-provider main branch is meant to be usable in conjunction with the main branch of liboqs and the master branch of OpenSSL.

Further details on building, testing and use can be found in README.md. See in particular limitations on intended use.

Release notes

This is version 0.6.0 of oqs-provider.

Security considerations

None.

What's New

This release continues from the 0.5.3 release of oqs-provider and is fully tested to be used in conjunction with the main branch of liboqs. This release is guaranteed to be in sync with v0.10.0 of liboqs.

This release also makes available ready-to-run binaries for Windows (.dll) and MacOS (.dylib) compiled for x64 CPUs. Activation and use is documented in USAGE.md.

Additional new feature highlights

  • First availability of standardized PQ algorithms, e.g., ML-KEM, ML-DSA
  • Support for Composite PQ operations
  • Alignment with PQ algorithm implementations as provided by liboqs 0.10.0, most notably updating HQC and Falcon.
  • Implementation of security code review recommendations
  • Support for more hybrid operations as fully documented here.
  • Support for extraction of classical and hybrid key material

What's Changed

  • Clarify liboqs_DIR naming convention by @ajbozarth in #292
  • check empty params lists passed by @baentsch in #296
  • Fix minor typos in documentation by @johnma14 in #304
  • HQC code point update by @baentsch in #306
  • Fix broken circleci job for macOS by @johnma14 in #305
  • Contribution policy by @baentsch in #286
  • Fix link in GOVERNANCE.md [skip ci] by @pi-314159 in #309
  • Add a example of how to load oqsprovider using OSSL_PROVIDER_add_builtin. by @thb-sb in #308
  • Get Windows CI to work again by @qnfm in #310
  • Use build directory instead of _build. by @thb-sb in #314
  • correct upstream and Windows CI snafus by @baentsch in #322
  • Revert "Use build directory instead of _build. (#314)" by @baentsch in #325
  • reverting to dev by @baentsch in #327
  • Bump jinja2 from 3.0.3 to 3.1.3 in /oqs-template by @dependabot in #334
  • LICENSE copyright update [skip ci] by @baentsch in #336
  • update to 0.5.4-dev by @baentsch in #337
  • bring GOVERNANCE in line with liboqs [skip ci] by @baentsch in #342
  • Automatically run release tests on liboqs release candidates by @SWilson4 in #345
  • add more defensive error handling by @baentsch in #346
  • correct wrong use of sizeof by @baentsch in #347
  • Protecting from NULL parameters by @baentsch in #350
  • guard external testing against algorithm absence by @baentsch in #352
  • first cut adding ML-* by @baentsch in #348
  • Adapt Kyber OIDs and avoid testing using downlevel brew releases by @baentsch in #356
  • Add extra debug information in case of TLS handshake failure. by @beldmit in #357
  • p384_mlkem1024 hybrid added by @bencemali in #361
  • length and null checks in en/decaps by @bencemali in #364
  • documentation update [skip ci] by @baentsch in #366
  • Set Kyber OIDs by @bhess in #368
  • Add code points for PADDED variant of Falcon [skip ci] by @SWilson4 in #362
  • Fix #372: expose hybrid_classical_ and hybrid_pq_ OSSL_PARAMS for EVP_PKEY. by @thb-sb in #374
  • Implementation of Composite Sig by @feventura in #317
  • Do not duplicate call to getenv. by @thb-sb in #369
  • Fix #338 and #339: output a valid aarch64 debian package with a valid directory layout. by @thb-sb in #377
  • Move the clang-format check from CircleCI to GitHub actions. by @thb-sb in #376
  • fix ossl32 cache miss for cygwin by @baentsch in #387
  • Remove --repeat until-pass:5 workaround for ASan tests. by @thb-sb in #382
  • Add composite signatures to sigalg list & add code points. by @bhess in #386
  • openssl provider support documentation update [skip ci] by @baentsch in #388

New Contributors

  • @ajbozarth made their first contribution in #292
  • @johnma14 made their first contribution in #304
  • @pi-314159 made their first contribution in #309
  • @dependabot made their first contribution in #334
  • @beldmit made their first contribution in #357
  • @bencemali made their first contribution in #361
  • @feventura made their first contribution in #317

Full Changelog: https://github.com/open-quantum-safe/oqs-provider/compare/0.5.3...0.6.0

oqs-provider 0.5.3

This is a maintenance release not changing any oqsprovider functionality but only tracking a security update in liboqs (0.9.2).

oqs-provider 0.5.2

About

The Open Quantum Safe (OQS) project has the goal of developing and prototyping quantum-resistant cryptography. More information on OQS can be found on our website: https://openquantumsafe.org/ and on Github at https://github.com/open-quantum-safe/.

oqs-provider is a standalone OpenSSL 3 provider enabling liboqs-based quantum-safe and hybrid key exchange for TLS 1.3, as well as quantum-safe and hybrid X.509 certificate generation, CMS, CMP and dgst (signature) operations.

When deployed, the oqs-provider binary (shared library) thus adds support for quantum-safe cryptographic operations to any standard OpenSSL(v3) installation. The ultimate goal is that all openssl functionality shall be PQC-enabled.

In general, the oqs-provider main branch is meant to be usable in conjunction with the main branch of liboqs and the master branch of OpenSSL.

Further details on building, testing and use can be found in README.md. See in particular limitations on intended use.

Release notes

This is version 0.5.2 of oqs-provider.

Security considerations

None.

What's New

This release continues from the 0.5.1 release of oqs-provider and is fully tested to be used in conjunction with the main branch of liboqs. This release is guaranteed to be in sync with v0.9.0 of liboqs.

This release also makes available ready-to-run binaries for Windows (.dll) and MacOS (.dylib) compiled for x64 CPUs. Activation and use is documented in USAGE.md.

Additional new feature highlights

What's Changed

  • switch repo to -dev mode/unlock release by @baentsch in #225
  • add C API and cleanup PQ terminology [skip ci] by @baentsch in #226
  • Clarify install instructions by @baentsch in #232
  • sigalg config warning by @baentsch in #235
  • Fix a missing -DOQS_PROVIDER_BUILD_STATIC=ON in CircleCI build static jobs. by @thb-sb in #242
  • Fix DOQS_ALGS_ENABLED setting for cmake by @marcbrevoort-cyberhive in #238
  • Fix #224: Add a clang-format that matches the best the OpenSSL coding style. by @thb-sb in #241
  • corner case object creation added by @baentsch in #243
  • fix for runtests.sh: skip non-working OpenSSL versions by @bhess in #244
  • Add a GithubCI job to test oqs-provider against memory leaks. by @thb-sb in #246
  • Fix various memory leaks. by @thb-sb in #245
  • remove unneeded OQS context reference from CCI PRs by @baentsch in #250
  • Cross-compile to linux-aarch64 from linux-x64 in GitHub actions. by @thb-sb in #253
  • add manual approval step to use restricted CCI context by @baentsch in #254
  • Create SECURITY.md by @baentsch in #257
  • Create CODE_OF_CONDUCT.md by @baentsch in #258
  • adding contributing guideline [skip ci] by @baentsch in #259
  • CI & cmake changes by @qnfm in #263
  • fix for txt output length of plain PQ key material by @baentsch in #268
  • KEM en/decoders by @baentsch in #266
  • Remove duplicate LIBOQS_BRANCH option in CONFIGURE.md by @psschwei in #274
  • add cloudflare interop tests by @baentsch in #278
  • Add releasetest by @baentsch in #281
  • Support web proxy in external interop tests by @mouse07410 in #288
  • Get Windows CI to work again; prepare for release by @baentsch in #291

New Contributors

  • @marcbrevoort-cyberhive made their first contribution in #238
  • @qnfm made their first contribution in #263
  • @psschwei made their first contribution in #274
  • @mouse07410 made their first contribution in #288

Full Changelog: https://github.com/open-quantum-safe/oqs-provider/compare/0.5.1...0.5.2

This is version 0.5.1 of oqs-provider.

Security considerations

None.

What's New

This release continues from the 0.5.0 release of oqs-provider and is fully tested to be used in conjunction with the main branch of liboqs. This release is guaranteed to be in sync with v0.8.0 of liboqs.

Additional new feature highlights

  • Support for Windows platform
  • Added brew support for MacOS
  • Documentation restructured supporting different platforms
  • Enable statically linkable oqsprovider

What's Changed (full commit list)

  • trigger oqs-demos build when pushing to main by @baentsch in #182
  • Enable building on platforms without _Atomic support by @baentsch in #183
  • Standalone ctest by @baentsch in #184
  • Convert oqs-kem-info.md code points to hex by @WillChilds-Klein in #188
  • Documentation update by @baentsch in #187
  • Add full Windows support by @baentsch in #192
  • Improve installation by @baentsch in #196
  • document specs [skip ci] by @baentsch in #190
  • Add .DS_Store (macOS), .vscode (visual studio code), and .idea (Jetbr… by @planetf1 in #200
  • first test for macos CI by @baentsch in #198
  • Add brew to preinstall test matrix by @baentsch in #205
  • General documentation overhaul by @baentsch in #204
  • change TLS demo to use QSC alg [skip ci] by @baentsch in #208
  • Build a module instead of a shared library. by @thb-sb in #207
  • explain groups in USAGE [skip ci] by @baentsch in #214
  • ensure OpenSSL3 is linked to liboqs during script build by @baentsch in #212
  • Remove trailing whitespaces in generated code. by @thb-sb in #215
  • Fix a minor bug in the runtests.sh. by @thb-sb in #216
  • Specify version 3.1 while installing OpenSSL using brew. by @thb-sb in #217
  • Allow the user to build oqs-provider as a static library. by @thb-sb in #201
  • Add a line to RELEASE.md to highlight the support for static libraries by @thb-sb in #220
  • Enhance github bug report template by @baentsch in #219
  • Use OpenSSL 3 if available to build liboqs on CircleCI/macOS. by @thb-sb in #222
  • Fix a bug in the CMake script. by @thb-sb in #221

New Contributors

  • @WillChilds-Klein made their first contribution in #188
  • @planetf1 made their first contribution in #200
  • @thb-sb made their first contribution in #207

Full Changelog: https://github.com/open-quantum-safe/oqs-provider/compare/0.5.0...0.5.1

This is version 0.5.0 of oqs-provider.

Security considerations

None.

What's New

This release continues from the 0.4.0 release of oqs-provider and is fully tested to be used in conjunction with the main branch of liboqs. This release is guaranteed to be in sync with v0.8.0 of liboqs.

oqs-provider now also enables use of QSC algorithms during TLS1.3 handshake. The required OpenSSL code updates are contained in openssl/openssl#19312. Prior to this code merging, the functionality can be tested by using https://github.com/baentsch/openssl/tree/sigload.

Algorithm updates

All algorithms no longer supported in the NIST PQC competition and not under consideration for standardization by ISO have been removed. All remaining algorithms with the exception of McEliece have been lifted to their final round 3 variants as documented in liboqs. Most notably, algorithm names for Sphincs+ have been changed to the naming chosen by its authors.

Functional updates

  • Enablement of oqs-provider as a (first) dynamically fetchable OpenSSL3 TLS1.3 signature provider.
  • MacOS support
  • Full support for CA functionality
  • Algorithms can now be selected by their respective bit strength using the property string "oqsprovider.security_bits"
  • Documentation of (O)IDs used by the different PQC algorithms used and supported in current and past releases of oqs-openssl and oqs-provider
  • Testing is now completely independent of a source code distribution of OpenSSL being available
  • oqsprovider can be built and installed making use of pre-existing installations of OpenSSL and liboqs. Details are found in the "scripts" directory's build and test scripts.
  • Automated creation of (Debian) packaging information
  • Graceful handling (by way of functional degradation) of the feature sets contained in different OpenSSL releases; all oqsprovider capabilities are only available when using a version > than OpenSSL3.1.
  • A bug regarding handling of hybrid algorithms has been fixed as well as some memory leaks.

Misc updates

  • Dynamic code point and OID changes via environment variables. See ALGORITHMS.md.
  • Dynamic key encoding changes via environment variable using external qsc_key_encoder library. See ALGORITHMS.md.

Full Changelog: https://github.com/open-quantum-safe/oqs-provider/compare/0.4.0...0.5.0.

This is version 0.4.0 of oqs-provider.

Security considerations

This release removes Rainbow level 1 and all variants of SIDH and SIKE due to cryptanalytic breaks of those algorithms. Users are advised to move away from use of those algorithms immediately.

What's New

This release continues from the 0.3.0 release of oqs-provider and is fully tested to be used in conjunction with version 0.7.2 of liboqs.

oqs-provider has been integrated as an external test component for OpenSSL3 testing and will thus remain in line with any possibly required provider API enhancements.

Algorithm updates

  • Removal of SIKE/SIDH and Rainbow level I due to cryptographic breaks

Functional updates

Misc updates

  • Additional testing
  • Integration with and of OpenSSL test harness

Full Changelog: https://github.com/open-quantum-safe/oqs-provider/compare/0.3.0...0.4.0.

0.3.0 - January 2022

About

This is the first official release of oqsprovider, a plugin/shared library making available quantum safe cryptography (QSC) to OpenSSL (3) installations via the provider API. Work on this project began in oqs-openssl's branch "OQS-OpenSSL3" by @baentsch. This original code dependent on OpenSSL APIs was transferred into a standalone project by @levitte and subsequently branched by the OQS project into this code base.

This project is part of the Open Quantum Safe (OQS) project: More information on OQS can be found on our website: https://openquantumsafe.org/ and on Github at https://github.com/open-quantum-safe/.

Release Notes

The current feature set of oqsprovider comprises

  • support of all QSC KEM algorithms contained in liboqs (v.0.7.1) including hybrid classic/QSC algorithm pairs
  • integration of all QSC KEM algorithms into TLS 1.3 using the groups interface
  • support of all QSC signature algorithms contained in liboqs (v.0.7.1) including hybrid classic/QSC algorithm pairs
  • integration for persistent data structures (X.509) of all QSC signature algorithms using the standard OpenSSL toolset

Limitations