open-quantum-safe / liboqs / 26035933620
82%

Build:
DEFAULT BRANCH: main
Ran 18 May 2026 01:57PM UTC
Jobs 3
Files 2877
Run time 8min
18 May 2026 01:16PM UTC coverage: 82.265% (+0.002%) from 82.263%
26035933620

push

github

web-flow
Probe once for EVP_DigestSqueeze; fall back when unsupported (#2433)

Fixes #2042 and open-quantum-safe/liboqs-python#122.

EVP_DigestSqueeze was called unconditionally whenever liboqs was built
against OpenSSL >= 3.3 headers. Two failure modes followed:

  1. Runtime provider mismatch (#2042): a FIPS 3.0 provider loaded under
     libcrypto >= 3.3 rejects EVP_DigestSqueeze with
     EVP_R_METHOD_NOT_SUPPORTED, leaving SHA3_shake{128,256}{,_x4}_inc_squeeze
     with no output.
  2. Dynamic-loader failure (liboqs-python#122): with
     OQS_DLOPEN_OPENSSL=ON, EVP_DigestSqueeze was referenced directly
     instead of through the function-pointer indirection used for every
     other OpenSSL EVP call. liboqs.so therefore carried an undefined
     reference and dlopen failed on systems whose libcrypto lacked the
     symbol.

Resolved in one mechanism:

* Introduce OPTIONAL_FUNC for dlopen-wrapped symbols that may legitimately
  be absent at runtime. The loader uses a non-fatal dlsym; the wrapper
  returns 0 when the pointer is NULL; OSSL_FUNC_AVAILABLE(name) lets
  callers probe. EVP_DigestSqueeze is the only consumer today.
* Probe the active provider once per process via pthread_once: allocate
  a throwaway SHAKE128 context and attempt a 1-byte squeeze. Cache the
  result in oqs_ossl_can_digest_squeeze().
* SHA3_shake{128,256}{,_x4}_inc_squeeze consult the cached flag. Hot
  path: call EVP_DigestSqueeze. Cold path: clone + EVP_DigestFinalXOF
  (the existing pre-3.3 fallback, unchanged).
* Squeeze calls are wrapped in OQS_OPENSSL_GUARD so a post-probe failure
  aborts loudly rather than silently emitting wrong cryptographic output.

Verified in Docker on ubuntu:25.04 (OpenSSL 3.4.1, aarch64):

* `nm -uD liboqs.so | grep EVP_Digest` is empty under
  OQS_DLOPEN_OPENSSL=ON (was `U EVP_DigestSqueeze` on main).
* test_sha3 (SHA3-256/384/512, SHAKE-128/256, four-way parallel SHAKE)
  passes under both OQS_DLOPEN_OPENSSL=OFF and =ON.
* ML-KEM-768 and ML-DSA-65 ... (continued)

0 of 12 new or added lines in 1 file covered. (0.0%)

4 existing lines in 4 files now uncovered.

207985 of 252823 relevant lines covered (82.27%)

8194527.96 hits per line

Uncovered Changes

Lines  Coverage  ∆       File
12     54.63     -6.83%  src/common/ossl_helpers.c

Coverage Regressions

Lines  Coverage  ∆       File
1      54.63     -6.83%  src/common/ossl_helpers.c
1      98.72     -1.28%  src/kem/classic_mceliece/pqclean_mceliece6960119_clean/pk_gen.c
1      95.55     -0.09%  src/sig/falcon/pqclean_falcon-512_clean/keygen.c
1      95.65     -2.17%  src/sig/uov/pqov_ov_Is_avx2/ov.c

Jobs

ID  Job ID                           Ran                      Files  Coverage
1   x64-distbuild - 26035933620.1    18 May 2026 02:35PM UTC  2346   56.5
2   x64-generic - 26035933620.2      18 May 2026 02:34PM UTC  1259   85.36
3   arm64-distbuild - 26035933620.3  18 May 2026 01:57PM UTC  1789   60.31

Source Files on build 26035933620
  • Tree
  • List 2877
  • Changed 21
  • Source Changed 1
  • Coverage Changed 21
  • f28cef11 on github