Gracefully handle algorithm enablement
baentsch opened this issue · 3 comments
As soon as open-quantum-safe/liboqs#1331 lands, tests for algorithms disabled in oqs-openssl would fail if only an algorithm subset is enabled, e.g., STD. This issue is to collect options how to handle this:
Initial ideas:
- Don't care, i.e., do not support/perform (CI) testing with "standard-only" algorithm selections.
- Create a possibly convoluted script to filter algorithms under test in https://github.com/open-quantum-safe/openssl/blob/OQS-OpenSSL_1_1_1-stable/oqs-test/common.py using information from "oqsconfig.h" (un-set #defines).
- Add code throughout oqs-openssl to explicitly permit unavailability of an algorithm, possibly guarded by an environment variable "OQS_TEST_ONLY".
Preferences? Further alternatives? @xvzcf @dstebila @christianpaquin ?
Options 1 (not testing what is actually deployed) and 3 (possibly extensive code changes for test-only behaviour changes) have such undesirable consequences that I personally think 2 ought to be implemented. But I'm all ears for alternatives.
Option 2 indeed sounds more robust. Meanwhile, a README warning to explain the failure should be added (option 1-ish).
Does OpenSSL support a mechanism to deal with non-always present algs (like GOST)?
Does OpenSSL support a mechanism to deal with non-always present algs (like GOST)?
OpenSSL is built with or without algs, i.e., things are compiled (by defines) to handle alg absence/presence gracefully (incl.GOST). The same is valid for oqs-provider (as it statically links in available algorithms). This is only not true for oqs-openssl as it dynamically links to liboqs -- and then such "surprises" can occur.
The OpenSSL project has indicated that OpenSSL 1.1.1 will reach end-of-life in September 2023. As such, we are discontinuing development on OQS-OpenSSL 1.1.1, and recommend all users switch to OpenSSL 3 and the OQS Provider for OpenSSL 3, which provides all the same functionality that OQS-OpenSSL 1.1.1 does. Hence we are closing open pull requests and issues in OQS-OpenSSL 1.1.1 as won't-fix.