Sync from SUSE:SLFO:Main liboqs revision 9d053785ca7b3cbb4bd64311889228cc

baselibs.conf

@@ -1,2 +1,2 @@
-liboqs5
+liboqs7
 liboqs-devel

liboqs-fix-prototypemismatch.patch

@@ -1,15 +1,17 @@
-Index: liboqs-0.8.0/src/kem/frodokem/kem_frodokem.h
+Index: liboqs-0.13.0/src/kem/frodokem/kem_frodokem.h
 ===================================================================
---- liboqs-0.8.0.orig/src/kem/frodokem/kem_frodokem.h
-+++ liboqs-0.8.0/src/kem/frodokem/kem_frodokem.h
-@@ -11,9 +11,9 @@
- #define OQS_KEM_frodokem_640_aes_length_ciphertext 9720
+--- liboqs-0.13.0.orig/src/kem/frodokem/kem_frodokem.h
++++ liboqs-0.13.0/src/kem/frodokem/kem_frodokem.h
+@@ -12,10 +12,10 @@
  #define OQS_KEM_frodokem_640_aes_length_shared_secret 16
+ #define OQS_KEM_frodokem_640_aes_length_keypair_seed 0
  OQS_KEM *OQS_KEM_frodokem_640_aes_new(void);
 -OQS_API OQS_STATUS OQS_KEM_frodokem_640_aes_keypair(uint8_t *public_key, uint8_t *secret_key);
+-OQS_API OQS_STATUS OQS_KEM_frodokem_640_aes_keypair_derand(uint8_t *public_key, uint8_t *secret_key, const uint8_t *seed);
 -OQS_API OQS_STATUS OQS_KEM_frodokem_640_aes_encaps(uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key);
 -OQS_API OQS_STATUS OQS_KEM_frodokem_640_aes_decaps(uint8_t *shared_secret, const uint8_t *ciphertext, const uint8_t *secret_key);
 +OQS_API OQS_STATUS OQS_KEM_frodokem_640_aes_keypair(unsigned char *public_key, unsigned char *secret_key);
++OQS_API OQS_STATUS OQS_KEM_frodokem_640_aes_keypair_derand(unsigned char *public_key, unsigned char *secret_key, const unsigned char *seed);
 +OQS_API OQS_STATUS OQS_KEM_frodokem_640_aes_encaps(unsigned char *ciphertext, unsigned char *shared_secret, const unsigned char *public_key);
 +OQS_API OQS_STATUS OQS_KEM_frodokem_640_aes_decaps(unsigned char *shared_secret, const unsigned char *ciphertext, const unsigned char *secret_key);
  #endif

liboqs.changes

@@ -1,3 +1,107 @@
+-------------------------------------------------------------------
+Mon May 12 09:30:45 UTC 2025 - Marcus Meissner <meissner@suse.com>
+
+- add -DOQS_ENABLE_KEM_HQC=ON even due to security issues, as otherwise
+  we dropped binary compatibility with postquantumcryptoengine (bsc#1242701)
+
+-------------------------------------------------------------------
+Sun May 11 16:10:22 UTC 2025 - Bernhard Wiedemann <bwiedemann@suse.com>
+
+- Add reproducible.patch to not embed the buildhost's kernel version (boo#1101107)
+
+-------------------------------------------------------------------
+Thu Apr 17 16:03:16 UTC 2025 - Marcus Meissner <meissner@suse.com>
+
+- Updated to 0.13.0:
+  - Key encapsulation mechanisms                                                                                                                                                             
+    - New API: Added a deterministic key generation and API for KEMs (only ML-KEM supported at the moment).
+    - ML-KEM: Changed the default ML-KEM implementation to [PQCP's mlkem-native](https://github.com/pq-code-package/mlkem-native). There are three variants: Portable C, AVX2, and AArch64. Large +parts of these implementations are formally verified: all of the C code is verified for memory and type safety using [CBMC](https://github.com/diffblue/cbmc) and the functional correctness +of the core AArch64 assembly routines is verified using [HOL-Light](https://github.com/jrh13/hol-light).
+    - ML-KEM: Added support for the ML-KEM implementation from [Nvidia cuPQC](https://developer.nvidia.com/cupqc), a GPU accelerated cryptography library.
+    - ML-KEM: Implementation from mlkem-native upstream updated to add Pair-wise Consistency Test (PCT) and Intel CET support.
+    - ML-KEM: Improved testing of ML-KEM keys.
+    - HQC: Disabled HQC by default until [a new security flaw](https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/Wiu4ZQo3fP8) is fixed.
+
+  - Digital signature schemes
+    - ML-DSA: Improved testing for ML-DSA.
+    - CROSS: Updated to NIST Additional Signatures Round 2 version.
+    - MAYO: Updated to NIST Additional Signatures Round 2 version.
+    - UOV: Added support for UOV algorithm from NIST Additional Signatures Round 2.
+
+-------------------------------------------------------------------
+Tue Dec 10 07:51:25 UTC 2024 - Marcus Meissner <meissner@suse.com>
+
+- Updated to 0.12.0:
+  - This release updates the ML-DSA implementation to the [final
+    FIPS 204](https://csrc.nist.gov/pubs/fips/204/final) version. This
+    release still includes the NIST Round 3 version of Dilithium for
+    interoperability purposes, but we plan to remove Dilithium Round 3 in
+    a future release.
+
+  - This will be the last release of liboqs to include Kyber (that is,
+    the NIST Round 3 version of Kyber, prior to its standardization by NIST
+    as ML-KEM in FIPS 203). Applications should switch to ML-KEM (FIPS 203).
+
+  - The addition of ML-DSA FIPS 204 final version to liboqs has
+    introduced a new signature API which includes a context string
+    parameter. We are planning to remove the old version of the API
+    without a context string in the next release to streamline the
+    API and bring it in line with NIST specifications. Users who
+    have an opinion on this removal are invited to provide input at
+    https://github.com/open-quantum-safe/liboqs/issues/2001.
+
+  Security issues:
+
+  - CVE-2024-54137: Fixed bug in HQC decapsulation that leads to incorrect
+    shared secret value during decapsulation when called with an invalid
+    ciphertext. (bsc#1234292)
+
+-------------------------------------------------------------------
+Sun Sep 29 09:48:19 UTC 2024 - Marcus Meissner <meissner@suse.com>
+
+- Updated to 0.11.0:
+  * This release updates ML-KEM implementations to their final FIPS 203
+    https://csrc.nist.gov/pubs/fips/203/final versions .
+  * This release still includes the NIST Round 3 version of Kyber for
+    interoperability purposes, but we plan to remove Kyber Round 3 in a
+    future release.
+  * Additionally, this release adds support for MAYO and CROSS
+    digital signature schemes from [NIST Additional Signatures Round 1
+    https://csrc.nist.gov/Projects/pqc-dig-sig/round-1-additional-signatures
+    along with stateful hash-based signature schemes XMSS
+    https://datatracker.ietf.org/doc/html/rfc8391 and LMS
+    https://datatracker.ietf.org/doc/html/rfc8554.
+  * Finally, this release provides formally verified
+    implementations of Kyber-512 and Kyber-768 from libjade
+    https://github.com/formosa-crypto/libjade/releases/tag/release%2F2023.05-2
+
+  * LMS and XMSS are disabled by default due to the security risks associated with their use in software.
+    See the note on stateful hash-based signatures in CONFIGURE.md
+
+  * Key encapsulation mechanisms:
+
+  - Kyber: Added formally-verified portable C and AVX2 implementations
+    of Kyber-512 and Kyber-768 from libjade.
+  - ML-KEM: Updated portable C and AVX2 implementations of ML-KEM-512,
+    ML-KEM-768, and ML-KEM-1024 to FIP 203 version.
+  - Kyber: Patched ARM64 implementations of Kyber-512, Kyber-768, and
+    Kyber-1024 to work with AddressSanitizer.
+
+  * Digital signature schemes:
+
+  - LMS/XMSS: Added implementations of stateful hash-based signature
+    schemes: XMSS and LMS
+  - MAYO: Added portable C and AVX2 implementations of MAYO signature
+    scheme from NIST Additional Signatures Round 1.
+  - CROSS: Added portable C and AVX2 implementations of CROSS signature
+    scheme from NIST Additional Signatures Round 1.
+
+  * Other changes:
+
+  - Added callback API to use custom implementations of AES, SHA2, and SHA3.
+  - Refactor SHA3 implementation to use OpenSSL's EVP_DigestSqueeze() API.
+
+- new library major version 6
+
 -------------------------------------------------------------------
 Tue Jun 11 08:39:32 UTC 2024 - Marcus Meissner <meissner@suse.com>
 

liboqs.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package liboqs
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           liboqs
-Version:        0.10.1
+Version:        0.13.0
 Release:        0
 Summary:        C library for quantum-resistant cryptographic algorithms
 License:        MIT
@@ -27,6 +27,7 @@ Source:         https://github.com/open-quantum-safe/liboqs/archive/refs/tags/%{
 Source1:        baselibs.conf
 Patch0:         liboqs-fix-build.patch
 Patch1:         liboqs-fix-prototypemismatch.patch
+Patch2:         reproducible.patch
 BuildRequires:  cmake
 BuildRequires:  doxygen
 BuildRequires:  libopenssl-devel
@@ -35,18 +36,18 @@ BuildRequires:  libopenssl-devel
 liboqs is a C library for quantum-resistant cryptographic algorithms.
 See the bundled README.md for particular limitations on intended use.
 
-%package -n liboqs5
+%package -n liboqs7
 Summary:        C library for quantum-resistant cryptographic algorithms
 Group:          System/Libraries
 
-%description -n liboqs5
+%description -n liboqs7
 liboqs is a C library for quantum-resistant cryptographic algorithms.
 See the bundled README.md for particular limitations on intended use.
 
 %package devel
 Summary:        Headers for liboqs, a library for quantum-resistant cryptography
 Group:          Development/Languages/C and C++
-Requires:       liboqs5 = %{version}
+Requires:       liboqs7 = %{version}
 
 %description devel
 liboqs is a C library for quantum-resistant cryptographic algorithms.
@@ -60,7 +61,7 @@ export RPM_OPT_FLAGS="%{optflags} -std=gnu11"
 
 # 20220702: The %%cmake macro can't be used because a 'CMakeLists.txt' folder
 # exists
-cmake -S . -B build -DBUILD_SHARED_LIBS:BOOL=ON -DOQS_DIST_BUILD:BOOL=ON
+cmake -S . -B build -DBUILD_SHARED_LIBS:BOOL=ON -DOQS_DIST_BUILD:BOOL=ON -DOQS_ENABLE_KEM_HQC=ON
 
 pushd build
 %cmake_build
@@ -78,13 +79,13 @@ mv %{buildroot}%{_prefix}/local/* %{buildroot}%{_prefix}
 
 rmdir %{buildroot}%{_prefix}/local/
 
-%post -n liboqs5 -p /sbin/ldconfig
-%postun -n liboqs5 -p /sbin/ldconfig
+%post -n liboqs7 -p /sbin/ldconfig
+%postun -n liboqs7 -p /sbin/ldconfig
 
-%files -n liboqs5
+%files -n liboqs7
 %license LICENSE.txt
 %{_libdir}/liboqs.so.%version
-%{_libdir}/liboqs.so.5
+%{_libdir}/liboqs.so.7
 %doc README.md
 
 %files devel

reproducible.patch

@@ -0,0 +1,13 @@
+Index: liboqs-0.13.0/CMakeLists.txt
+===================================================================
+--- liboqs-0.13.0.orig/CMakeLists.txt
++++ liboqs-0.13.0/CMakeLists.txt
+@@ -46,7 +46,7 @@ set(OQS_VERSION_MINOR 13)
+ set(OQS_VERSION_PATCH 0)
+ set(OQS_VERSION_PRE_RELEASE "")
+ set(OQS_VERSION_TEXT "${OQS_VERSION_MAJOR}.${OQS_VERSION_MINOR}.${OQS_VERSION_PATCH}${OQS_VERSION_PRE_RELEASE}")
+-set(OQS_COMPILE_BUILD_TARGET "${CMAKE_SYSTEM_PROCESSOR}-${CMAKE_HOST_SYSTEM}")
++set(OQS_COMPILE_BUILD_TARGET "${CMAKE_SYSTEM_PROCESSOR}-Linux-6.14.0-OBS")
+ set(OQS_MINIMAL_GCC_VERSION "7.1.0")
+ set(CMAKE_EXPORT_COMPILE_COMMANDS ON)
+