From: Daiki Ueno <ueno@gnu.org>
Date: Sun, 28 Jul 2024 23:40:34 +0000 (+0900)
Subject: liboqs: check whether Kyber768 is compiled in
X-Git-Tag: 3.8.7~9^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dfac4bb0d96507a409e3c3434c04bd8f79ac479f;p=thirdparty%2Fgnutls.git

liboqs: check whether Kyber768 is compiled in

In the default build configuration of liboqs 0.10.1, Kyber768 is
disabled. This adds a guard against it and skip tests if not
available.

Signed-off-by: Daiki Ueno <ueno@gnu.org>
---

diff --git a/devel/dlwrap/oqs.syms b/devel/dlwrap/oqs.syms
index 8f067b2dd3..413f887598 100644
--- a/devel/dlwrap/oqs.syms
+++ b/devel/dlwrap/oqs.syms
@@ -1,6 +1,7 @@
 OQS_SHA3_set_callbacks
 OQS_init
 OQS_destroy
+OQS_KEM_alg_is_enabled
 OQS_KEM_new
 OQS_KEM_encaps
 OQS_KEM_decaps
diff --git a/lib/dlwrap/oqsfuncs.h b/lib/dlwrap/oqsfuncs.h
index 95c1b083dc..4aa0ba4ab4 100644
--- a/lib/dlwrap/oqsfuncs.h
+++ b/lib/dlwrap/oqsfuncs.h
@@ -7,6 +7,7 @@ VOID_FUNC(void, OQS_init, (void), ())
 VOID_FUNC(void, OQS_destroy, (void), ())
 VOID_FUNC(void, OQS_SHA3_set_callbacks, (struct OQS_SHA3_callbacks *new_callbacks), (new_callbacks))
 VOID_FUNC(void, OQS_randombytes_custom_algorithm, (void (*algorithm_ptr)(uint8_t *, size_t)), (algorithm_ptr))
+FUNC(int, OQS_KEM_alg_is_enabled, (const char *method_name), (method_name))
 FUNC(OQS_KEM *, OQS_KEM_new, (const char *method_name), (method_name))
 FUNC(OQS_STATUS, OQS_KEM_keypair, (const OQS_KEM *kem, uint8_t *public_key, uint8_t *secret_key), (kem, public_key, secret_key))
 FUNC(OQS_STATUS, OQS_KEM_encaps, (const OQS_KEM *kem, uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key), (kem, ciphertext, shared_secret, public_key))
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index eb8c44459d..8a987ed121 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -704,7 +704,9 @@ static int _wrap_nettle_pk_encaps(gnutls_pk_algorithm_t algo,
 		OQS_KEM *kem = NULL;
 		OQS_STATUS rc;
 
-		if (_gnutls_liboqs_ensure() < 0)
+		if (_gnutls_liboqs_ensure() < 0 ||
+		    !GNUTLS_OQS_FUNC(OQS_KEM_alg_is_enabled)(
+			    OQS_KEM_alg_kyber_768))
 			return gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
 
 		kem = GNUTLS_OQS_FUNC(OQS_KEM_new)(OQS_KEM_alg_kyber_768);
@@ -765,7 +767,9 @@ static int _wrap_nettle_pk_decaps(gnutls_pk_algorithm_t algo,
 		OQS_KEM *kem = NULL;
 		OQS_STATUS rc;
 
-		if (_gnutls_liboqs_ensure() < 0)
+		if (_gnutls_liboqs_ensure() < 0 ||
+		    !GNUTLS_OQS_FUNC(OQS_KEM_alg_is_enabled)(
+			    OQS_KEM_alg_kyber_768))
 			return gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
 
 		kem = GNUTLS_OQS_FUNC(OQS_KEM_new)(OQS_KEM_alg_kyber_768);
@@ -2359,7 +2363,9 @@ static int _wrap_nettle_pk_exists(gnutls_pk_algorithm_t pk)
 		return 1;
 #ifdef HAVE_LIBOQS
 	case GNUTLS_PK_EXP_KYBER768:
-		return _gnutls_liboqs_ensure() == 0;
+		return _gnutls_liboqs_ensure() == 0 &&
+		       GNUTLS_OQS_FUNC(OQS_KEM_alg_is_enabled)(
+			       OQS_KEM_alg_kyber_768);
 #endif
 	default:
 		return 0;
@@ -2997,7 +3003,9 @@ static int pct_test(gnutls_pk_algorithm_t algo,
 		break;
 #ifdef HAVE_LIBOQS
 	case GNUTLS_PK_EXP_KYBER768:
-		if (_gnutls_liboqs_ensure() < 0) {
+		if (_gnutls_liboqs_ensure() < 0 ||
+		    !GNUTLS_OQS_FUNC(OQS_KEM_alg_is_enabled)(
+			    OQS_KEM_alg_kyber_768)) {
 			ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
 			goto cleanup;
 		}
@@ -3736,12 +3744,12 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
 		OQS_KEM *kem = NULL;
 		OQS_STATUS rc;
 
-#ifdef HAVE_LIBOQS
-		if (_gnutls_liboqs_ensure() < 0) {
+		if (_gnutls_liboqs_ensure() < 0 ||
+		    !GNUTLS_OQS_FUNC(OQS_KEM_alg_is_enabled)(
+			    OQS_KEM_alg_kyber_768)) {
 			ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
 			goto cleanup;
 		}
-#endif
 
 		not_approved = true;
 
@@ -4038,8 +4046,9 @@ static int wrap_nettle_pk_verify_priv_params(gnutls_pk_algorithm_t algo,
 	}
 #ifdef HAVE_LIBOQS
 	case GNUTLS_PK_EXP_KYBER768:
-		ret = _gnutls_liboqs_ensure();
-		if (ret < 0)
+		if (_gnutls_liboqs_ensure() < 0 ||
+		    !GNUTLS_OQS_FUNC(OQS_KEM_alg_is_enabled)(
+			    OQS_KEM_alg_kyber_768))
 			ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
 		break;
 #endif
diff --git a/tests/pqc-hybrid-kx.sh b/tests/pqc-hybrid-kx.sh
index b587587bd2..6d47105fa0 100644
--- a/tests/pqc-hybrid-kx.sh
+++ b/tests/pqc-hybrid-kx.sh
@@ -31,6 +31,10 @@ if ! test -x "${CLI}"; then
 	exit 77
 fi
 
+if ! "${CLI}" --list | grep '^Public Key Systems: .*Kyber768.*' >/dev/null; then
+	exit 77
+fi
+
 . "${srcdir}/scripts/common.sh"
 testdir=`create_testdir pqc-hybrid-kx`