Resolving history issue

Author: jgoertzen-sb [email protected]

.github/workflows/codeql.yml

@@ -37,23 +37,22 @@ jobs:
         packages: liburcu-dev libuv1-dev libssl-dev libnghttp2-dev libxml2-dev liblmdb-dev libjson-c-dev pkg-config autoconf automake autotools-dev libtool-bin libjemalloc-dev libedit-dev libcap-dev libidn2-dev libkrb5-dev libmaxminddb-dev zlib1g-dev python3-ply astyle cmake gcc ninja-build python3-pytest python3-pytest-xdist unzip xsltproc doxygen graphviz python3-yaml valgrind
 
         version: 1.0
-    - name: Install liboqs 0.9.0
+    - name: Install Openssl3.2.0
       run: |
-        git clone --branch 0.9.0 https://github.com/open-quantum-safe/liboqs.git
+        git clone --branch openssl-3.2.0 https://github.com/openssl/openssl.git
+        cd openssl
+        ./Configure --prefix=$OPENSSL_ROOT_DIR --openssldir=$OPENSSL_ROOT_DIR no-docs -lm && make && make $NPROC install LIBDIR=lib
+      env:
+        OPENSSL_ROOT_DIR: ${{ runner.workspace }}/local_deps/ossl
+    - name: Install liboqs from stateful-sigs branch
+      run: |
+        git clone --branch stateful-sigs https://github.com/open-quantum-safe/liboqs.git
         cd liboqs
         mkdir build
         cd build
-        cmake -GNinja .. -DCMAKE_INSTALL_PREFIX=$liboqs_DIR && ninja && ninja run_tests && ninja install
+        cmake -GNinja .. -DCMAKE_INSTALL_PREFIX=$liboqs_DIR -DOQS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -D-DOQS_ENABLE_SIG_STFL_XMSS=ON && ninja && ninja run_tests && ninja install
       env:
         liboqs_DIR: ${{ runner.workspace }}/local_deps/oqs
-    - name: Install Openssl3.2.0-beta1
-      run: |
-        git clone --branch openssl-3.2.0-beta1 https://github.com/openssl/openssl.git
-        cd openssl
-        ./Configure --prefix=$OPENSSL_ROOT_DIR --openssldir=$OPENSSL_ROOT_DIR no-docs -lm && make && make $NPROC install LIBDIR=lib
-      env:
-        OPENSSL_ROOT_DIR: ${{ runner.workspace }}/local_deps/ossl
-
     - name: Install OQS-provider
       run: |
         git clone https://github.com/open-quantum-safe/oqs-provider.git
@@ -68,22 +67,11 @@ jobs:
       uses: github/codeql-action/init@v2
       with:
         languages: ${{ matrix.language }}
-
-    #- name: Autobuild
-      #uses: github/codeql-action/autobuild@v2
-      #env:
-      #  OPENSSL_ROOT_DIR: ${{ runner.workspace }}/local_deps/ossl
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
-
-    #   If the Autobuild fails above, remove it and uncomment the following three lines.
-    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
     - name: Build bind9
       run: |
         cd ${{ runner.workspace }}/OQS-bind
         autoreconf -fi
-        ./configure --with-openssl=$OPENSSL_ROOT_DIR
+        ./configure LIBS="-loqs" --with-openssl=$OPENSSL_ROOT_DIR
         make -j $NPROC
       env:
         OPENSSL_ROOT_DIR: ${{ runner.workspace }}/local_deps/ossl

bin/delv/delv.c

@@ -635,11 +635,11 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client, dns_view_t *toview) {
 	dns_rdata_ds_t ds;
 	uint32_t rdata1, rdata2, rdata3;
 	const char *datastr = NULL, *keynamestr = NULL, *atstr = NULL;
-	// OQS updated from 4096 to 8192
-	unsigned char data[8192];
+	// OQS updated from 4096 to 39000
+	unsigned char data[39000];
 	isc_buffer_t databuf;
-	// OQS updated from 4096 to 8192
-	unsigned char rrdata[8192];
+	// OQS updated from 4096 to 39000
+	unsigned char rrdata[39000];
 	isc_buffer_t rrdatabuf;
 	isc_region_t r;
 	dns_fixedname_t fkeyname;

bin/dig/host.c

@@ -209,8 +209,8 @@ printsection(dns_message_t *msg, dns_section_t sectionid,
 	isc_result_t result, loopresult;
 	isc_region_t r;
 	dns_name_t empty_name;
-	// OQS updated from 4096 to 8192
-	char tbuf[8192] = { 0 };
+	// OQS updated from 4096 to 65355
+	char tbuf[65355] = { 0 };
 	bool first;
 	bool no_rdata = (sectionid == DNS_SECTION_QUESTION);
 
@@ -330,8 +330,8 @@ printrdata(dns_message_t *msg, dns_rdataset_t *rdataset,
 	isc_buffer_t target;
 	isc_result_t result;
 	isc_region_t r;
-	// OQS updated from 4096 to 8192
-	char tbuf[8192];
+	// OQS updated from 4096 to 39000
+	char tbuf[39000];
 
 	UNUSED(msg);
 	if (headers) {

bin/dnssec/dnssec-keyfromlabel.c

@@ -401,6 +401,8 @@ main(int argc, char **argv) {
 			case DST_ALG_FALCON512:
 			case DST_ALG_DILITHIUM2:
 			case DST_ALG_SPHINCSSHA256128S:
+			case DST_ALG_XMSS:
+			case DST_ALG_XMSSMT:
 				break;
 			default:
 				fatal("%s is incompatible with NSEC3; "

bin/dnssec/dnssec-keygen.c

@@ -55,6 +55,7 @@
 #include <dns/secalg.h>
 
 #include <dst/dst.h>
+#include <dst/xmss.h>
 
 #include <isccfg/cfg.h>
 #include <isccfg/grammar.h>
@@ -64,6 +65,7 @@
 #include <openssl/err.h>
 #include <openssl/provider.h>
 #endif
+#include <oqs/oqs.h>
 
 #include "dnssectool.h"
 
@@ -305,7 +307,6 @@ kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, const char *name,
 		dns_kasp_detach(&kasp);
 	}
 }
-
 static void
 keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 	char filename[255];
@@ -354,7 +355,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 				break;
 			}
 		}
-
 		if (ctx->use_nsec3) {
 			switch (ctx->alg) {
 			case DST_ALG_RSASHA1:
@@ -370,6 +370,8 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 			case DST_ALG_FALCON512:
 			case DST_ALG_DILITHIUM2:
 			case DST_ALG_SPHINCSSHA256128S:
+			case DST_ALG_XMSS:
+			case DST_ALG_XMSSMT:
 				break;
 			default:
 				fatal("algorithm %s is incompatible with NSEC3"
@@ -423,6 +425,8 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 			case DST_ALG_FALCON512:
 			case DST_ALG_DILITHIUM2:
 			case DST_ALG_SPHINCSSHA256128S:
+			case DST_ALG_XMSS:
+			case DST_ALG_XMSSMT:
 				break;
 			default:
 				fatal("key size not specified (-b option)");
@@ -596,6 +600,32 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 	case DST_ALG_SPHINCSSHA256128S:
 		ctx->size = 256;
 		break;
+	case DST_ALG_XMSS:
+		if (ctx->algname == NULL) {
+			fatal("XMSS has a NULL algorithm name");
+		}
+		param = xmss_name_to_oid(ctx->algname);
+		if (param == -1) {
+			fatal("XMSS failed to get param based on algname");
+		}
+		ctx->size = xmss_name_to_bits(ctx->algname);
+		if (ctx->size == -1) {
+			fatal("XMSS failed to get bits based on param");
+		}
+		break;
+	case DST_ALG_XMSSMT:
+		if (ctx->algname == NULL) {
+			fatal("XMSSMT has a NULL algorithm name");
+		}
+		param = xmssmt_name_to_oid(ctx->algname);
+		if (param == -1) {
+			fatal("XMSSMT failed to get param based on algname");
+		}
+		ctx->size = xmssmt_name_to_bits(ctx->algname);
+		if (ctx->size == -1) {
+			fatal("XMSSMT failed to get bits based on param");
+		}
+		break;
 	}
 
 	if (ctx->nametype == NULL) {
@@ -690,7 +720,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 			fatal("failed to generate key %s/%s: %s\n", namestr,
 			      algstr, isc_result_totext(ret));
 		}
-
 		dst_key_setbits(key, ctx->dbits);
 		/*
 		 * Set key timing metadata (unless using -C)
@@ -890,7 +919,6 @@ main(int argc, char **argv) {
 	OSSL_PROVIDER *fips = NULL, *base = NULL, *oqs = NULL,
 		      *default_provider = NULL;
 #endif
-
 	keygen_ctx_t ctx = {
 		.options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC,
 		.prepub = -1,
@@ -1233,8 +1261,18 @@ main(int argc, char **argv) {
 		if (algname == NULL) {
 			fatal("no algorithm specified");
 		}
-		r.base = algname;
-		r.length = strlen(algname);
+		if (strncmp(algname, "XMSSMT", 6) == 0) {
+			ctx.algname = (char *)xmssmt_bindname_to_name(algname);
+			r.base = (char *)"XMSSMT";
+			r.length = strlen("XMSSMT");
+		} else if (strncmp(algname, "XMSS", 4) == 0) {
+			ctx.algname = (char *)xmss_bindname_to_name(algname);
+			r.base = (char *)"XMSS";
+			r.length = strlen("XMSS");
+		} else {
+			r.base = algname;
+			r.length = strlen(algname);
+		}
 		ret = dns_secalg_fromtext(&ctx.alg, &r);
 		if (ret != ISC_R_SUCCESS) {
 			fatal("unknown algorithm %s", algname);

bin/dnssec/dnssec-signzone.c

@@ -111,8 +111,8 @@ static int nsec_datatype = dns_rdatatype_nsec;
 #define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
 
 #define BUFSIZE \
-	8192 // OQS increased from 2049 to 8192 to account for SPHINCS+ 128S
-	     // signatures.
+	39000 // OQS increased from 2049 to 39000 to account for
+	      // XMSSMT-SHAKE256_60/12 signatures.
 #define MAXDSKEYS 8
 
 #define SIGNER_EVENTCLASS  ISC_EVENTCLASS(0x4453)

bin/dnssec/dnssectool.c

@@ -502,7 +502,6 @@ key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
 	if (result == ISC_R_NOTFOUND) {
 		return (false);
 	}
-
 	while (!ISC_LIST_EMPTY(matchkeys) && !conflict) {
 		key = ISC_LIST_HEAD(matchkeys);
 		if (dst_key_alg(key->key) != alg) {

bin/named/config.c

@@ -73,7 +73,7 @@ options {\n\
 	max-rsa-exponent-size 0; /* no limit */\n\
 	max-udp-size 1232;\n\
 	memstatistics-file \"named.memstats\";\n\
-	nocookie-udp-size 8192;\n/*OQS updated from 4096*/\
+	nocookie-udp-size 65355;\n/*OQS updated from 4096*/\
 	notify-rate 20;\n\
 	nta-lifetime 3600;\n\
 	nta-recheck 300;\n\

bin/named/fuzz.c

@@ -113,11 +113,11 @@ fuzz_thread_client(void *arg) {
 			goto next;
 		}
 
-		// OQS updated from 4096 to 8192
+		// OQS updated from 4096 to 65355
 		/*
-		 * Ignore packets that are larger than 8192 bytes.
+		 * Ignore packets that are larger than 65355 bytes.
 		 */
-		if (length > 8192) {
+		if (length > 65355) {
 			/*
 			 * AFL_CMIN doesn't support persistent mode, so
 			 * shutdown the server.
@@ -367,8 +367,8 @@ fuzz_thread_resolver(void *arg) {
 			continue;
 		}
 
-		// OQS updated from 4096 to 8192
-		if (length > 8192) {
+		// OQS updated from 4096 to 65355
+		if (length > 65355) {
 			if (getenv("AFL_CMIN")) {
 				free(buf);
 				free(rbuf);