[Windows] OQS Provider Deployment #80

Closed
mingw-io opened this issue Oct 22, 2022 · 9 comments
@mingw-io

Hi.

We are trying to deploy OpenSSL, liboqs & OQS provider on Windows 10 x64 for the very first time.

  • OpenSSL 3.2.0 master branch built from source
  • liboqs 0.7.2 built from source
  • oqs-provider 0.4.0 built from source

When running the (unit) tests in oqs-provider, one of them fails.

D:\oqs-provider\bin>oqs_test_endecode.exe oqsprovider ..\etc\oqs.cnf

# INFO:  @ d:\oqs-provider-0.4.0\test\oqs_test_endecode.c:1078
# Generating keys...
1..216
# ERROR: (bool) 'OSSL_ENCODER_to_bio(ectx, mem_ser) == true' failed @ d:\oqs-provider-0.4.0\test\oqs_test_endecode.c:495
# false
# ERROR: (bool) 'encode_cb(file, line, &encoded, &encoded_len, pkey, selection, output_type, output_structure, pass, pcipher) == true' failed @ d:\oqs-provider-0.4.0\test\oqs_test_endecode.c:136
# false
# OPENSSL_TEST_RAND_ORDER=1666474314
not ok 1 - test_unprotected_dilithium2_via_DER

Due to our quite limited knowledge of this project, it is really hard for us to debug or troubleshoot this issue.
Any pointers are greatly appreciated.

Regards.

@baentsch
Member

Thanks for giving this a try under Windows. Also glad to see so many tests pass.

The error line in your screenshot unfortunately is too high level to let me get a definite idea what may be wrong.
On the positive side, oqsprovider has many debug facilities: In this case I'd suggest you'd set at least "OQSENC" to get more information what's actually going on.

If you'd be willing to share the (Windows) build scripts that get you to this point I could try to set up a Windows VM somewhere to reproduce. Very important to see for me are path changes as well as changes to "oqs.cnf"...

@mingw-io
Author

Thanks for your prompt response.
Unfortunately I don't have more (detailed) info about the failing tests!

I have set the env variable suggested by you and run the same test. This is the output:

OQS PROV: successfully registered dilithium2 with NID 0
OQS PROV: successfully registered p256_dilithium2 with NID 0
OQS PROV: successfully registered rsa3072_dilithium2 with NID 0
OQS PROV: successfully registered dilithium3 with NID 0
OQS PROV: successfully registered p384_dilithium3 with NID 0
OQS PROV: successfully registered dilithium5 with NID 0
OQS PROV: successfully registered p521_dilithium5 with NID 0
OQS PROV: successfully registered dilithium2_aes with NID 0
OQS PROV: successfully registered p256_dilithium2_aes with NID 0
OQS PROV: successfully registered rsa3072_dilithium2_aes with NID 0
OQS PROV: successfully registered dilithium3_aes with NID 0
OQS PROV: successfully registered p384_dilithium3_aes with NID 0
OQS PROV: successfully registered dilithium5_aes with NID 0
OQS PROV: successfully registered p521_dilithium5_aes with NID 0
OQS PROV: successfully registered falcon512 with NID 0
OQS PROV: successfully registered p256_falcon512 with NID 0
OQS PROV: successfully registered rsa3072_falcon512 with NID 0
OQS PROV: successfully registered falcon1024 with NID 0
OQS PROV: successfully registered p521_falcon1024 with NID 0
OQS PROV: successfully registered picnicl1full with NID 0
OQS PROV: successfully registered p256_picnicl1full with NID 0
OQS PROV: successfully registered rsa3072_picnicl1full with NID 0
OQS PROV: successfully registered picnic3l1 with NID 0
OQS PROV: successfully registered p256_picnic3l1 with NID 0
OQS PROV: successfully registered rsa3072_picnic3l1 with NID 0
OQS PROV: successfully registered rainbowVclassic with NID 0
OQS PROV: successfully registered p521_rainbowVclassic with NID 0
OQS PROV: successfully registered sphincsharaka128frobust with NID 0
OQS PROV: successfully registered p256_sphincsharaka128frobust with NID 0
OQS PROV: successfully registered rsa3072_sphincsharaka128frobust with NID 0
OQS PROV: successfully registered sphincssha256128frobust with NID 0
OQS PROV: successfully registered p256_sphincssha256128frobust with NID 0
OQS PROV: successfully registered rsa3072_sphincssha256128frobust with NID 0
OQS PROV: successfully registered sphincsshake256128frobust with NID 0
OQS PROV: successfully registered p256_sphincsshake256128frobust with NID 0
OQS PROV: successfully registered rsa3072_sphincsshake256128frobust with NID 0
OQS PROV: Default or FIPS provider available.
OQS PROV: successfully registered dilithium2 with NID 0
OQS PROV: successfully registered p256_dilithium2 with NID 0
OQS PROV: successfully registered rsa3072_dilithium2 with NID 0
OQS PROV: successfully registered dilithium3 with NID 0
OQS PROV: successfully registered p384_dilithium3 with NID 0
OQS PROV: successfully registered dilithium5 with NID 0
OQS PROV: successfully registered p521_dilithium5 with NID 0
OQS PROV: successfully registered dilithium2_aes with NID 0
OQS PROV: successfully registered p256_dilithium2_aes with NID 0
OQS PROV: successfully registered rsa3072_dilithium2_aes with NID 0
OQS PROV: successfully registered dilithium3_aes with NID 0
OQS PROV: successfully registered p384_dilithium3_aes with NID 0
OQS PROV: successfully registered dilithium5_aes with NID 0
OQS PROV: successfully registered p521_dilithium5_aes with NID 0
OQS PROV: successfully registered falcon512 with NID 0
OQS PROV: successfully registered p256_falcon512 with NID 0
OQS PROV: successfully registered rsa3072_falcon512 with NID 0
OQS PROV: successfully registered falcon1024 with NID 0
OQS PROV: successfully registered p521_falcon1024 with NID 0
OQS PROV: successfully registered picnicl1full with NID 0
OQS PROV: successfully registered p256_picnicl1full with NID 0
OQS PROV: successfully registered rsa3072_picnicl1full with NID 0
OQS PROV: successfully registered picnic3l1 with NID 0
OQS PROV: successfully registered p256_picnic3l1 with NID 0
OQS PROV: successfully registered rsa3072_picnic3l1 with NID 0
OQS PROV: successfully registered rainbowVclassic with NID 0
OQS PROV: successfully registered p521_rainbowVclassic with NID 0
OQS PROV: successfully registered sphincsharaka128frobust with NID 0
OQS PROV: successfully registered p256_sphincsharaka128frobust with NID 0
OQS PROV: successfully registered rsa3072_sphincsharaka128frobust with NID 0
OQS PROV: successfully registered sphincssha256128frobust with NID 0
OQS PROV: successfully registered p256_sphincssha256128frobust with NID 0
OQS PROV: successfully registered rsa3072_sphincssha256128frobust with NID 0
OQS PROV: successfully registered sphincsshake256128frobust with NID 0
OQS PROV: successfully registered p256_sphincsshake256128frobust with NID 0
OQS PROV: successfully registered rsa3072_sphincsshake256128frobust with NID 0
OQS PROV: Default or FIPS provider available.
1..216
OQS ENC provider: _does_selection called
OQS ENC provider: key2any_check_selection called with selection 135 (1)
OQS ENC provider: key2any_check_selection returns 1
OQS ENC provider: key2any_newctx called
OQS ENC provider: _does_selection called
OQS ENC provider: key2any_check_selection called with selection 135 (1)
OQS ENC provider: key2any_check_selection returns 1
OQS ENC provider: key2any_newctx called
OQS ENC provider: _does_selection called
OQS ENC provider: key2any_check_selection called with selection 135 (1)
OQS ENC provider: key2any_check_selection returns 1
OQS ENC provider: key2any_newctx called
OQS ENC provider: _does_selection called
OQS ENC provider: key2any_check_selection called with selection 135 (1)
OQS ENC provider: key2any_check_selection returns 1
OQS ENC provider: key2any_newctx called
OQS ENC provider: _does_selection called
OQS ENC provider: key2any_check_selection called with selection 135 (2)
OQS ENC provider: key2any_check_selection returns 0
OQS ENC provider: _does_selection called
OQS ENC provider: key2any_check_selection called with selection 135 (2)
OQS ENC provider: key2any_check_selection returns 0
OQS ENC provider: key2any_set_ctx_params called
 cipher set to 0000000000000000: 
OQS ENC provider: key2any_set_ctx_params called
 cipher set to 0000000000000000: 
OQS ENC provider: key2any_set_ctx_params called
 cipher set to 0000000000000000: 
OQS ENC provider: key2any_set_ctx_params called
 cipher set to 0000000000000000: 
OQS ENC provider: _encode called
OQS ENC provider: key2any_encode called with type 0 (dilithium2)
OQS ENC provider: key2any_encode called with pemname dilithium2 PRIVATE KEY
 encode result: 0
OQS ENC provider: key2any_freectx called
OQS ENC provider: key2any_freectx called
OQS ENC provider: key2any_freectx called
OQS ENC provider: key2any_freectx called
# OPENSSL_TEST_RAND_ORDER=1666507336
not ok 1 - test_unprotected_dilithium2_via_DER

Just to be sure I have run all OpenSSL tests and they all pass!

How can I further troubleshoot or debug the failing tests?

Thanks again.

@baentsch
Member

Thanks for sharing the logs: They already tell us the cause of the error: The NIDs ("type") for the algorithms are not properly set: value 0 is clearly wrong and causes the subsequent encode error ("encode result 0" should be 1). OQSPROV output at the start already shows the problem: It should be something like

OQS PROV: successfully registered dilithium2 with NID 1288
OQS PROV: successfully registered p256_dilithium2 with NID 1289
[...]

This in turn is caused by errors calling into an OpenSSL provider core method. The reason for that should be found out by debugging into the function core_obj_create. Again, I would need to set up my own Windows environment (i.e., the Windows-equivalent of https://github.com/open-quantum-safe/oqs-provider/blob/main/scripts/fullbuild.sh) to get to that point. Any assistance with that would be very helpful & welcome.
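
The diagnosis in the comment above (registrations reporting NID 0, followed by an "encode result" of 0) can be checked mechanically over captured debug output. This is an added example, not part of the original thread or of oqs-provider; the sample log is constructed in the format of the output quoted on this page, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the OQSPROV/OQSENC debug output quoted above.
# The mix of a failed (NID 0) and a successful registration is an assumption for illustration.
SAMPLE_LOG = """\
OQS PROV: successfully registered dilithium2 with NID 0
OQS PROV: successfully registered p256_dilithium2 with NID 1289
OQS PROV: successfully registered dilithium2 with NID 0
OQS ENC provider: key2any_encode called with type 0 (dilithium2)
OQS ENC provider: key2any_encode called with pemname dilithium2 PRIVATE KEY
 encode result: 0
OQS ENC provider: key2any_encode called with type 1289 (p256_dilithium2)
 encode result: 1
"""

REGISTERED = re.compile(r"^OQS PROV: successfully registered (\S+) with NID (\d+)$")
ENCODE_CALL = re.compile(r"^OQS ENC provider: key2any_encode called with type \d+ \((\S+)\)$")
ENCODE_RESULT = re.compile(r"^\s*encode result: (\d+)$")

def triage(log_text):
    """Return (algorithms registered with NID 0, algorithms whose encode did not return 1)."""
    unregistered, failed_encodes = [], []
    current_alg = None  # algorithm named by the most recent key2any_encode call
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if m := REGISTERED.match(line):
            # The provider is initialised more than once, so de-duplicate names.
            if int(m.group(2)) == 0 and m.group(1) not in unregistered:
                unregistered.append(m.group(1))
        elif m := ENCODE_CALL.match(line):
            current_alg = m.group(1)
        elif (m := ENCODE_RESULT.match(line)) and current_alg is not None:
            if int(m.group(1)) != 1 and current_alg not in failed_encodes:
                failed_encodes.append(current_alg)
            current_alg = None
    return unregistered, failed_encodes

def root_causes(log_text):
    """Map each failed encode to whether a NID 0 registration explains it."""
    unregistered, failed = triage(log_text)
    return {alg: "NID 0 at registration" if alg in unregistered else "other"
            for alg in failed}

if __name__ == "__main__":
    for alg, cause in root_causes(SAMPLE_LOG).items():
        print(f"{alg}: encode failed ({cause})")
```
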

@mingw-io
Author

Hi again.
I am debugging that OpenSSL method at the moment.

I have not used any Windows specific build scripts. Just the same tools but on Windows.
For example: cmake -DCMAKE_INSTALL_PREFIX= ..; then cmake --build; finally ctest.

@mingw-io
Author

Me again!
Is it possible that oqs-provider does NOT support static linking? I switched to dynamic linking and the above test passes!

It can be useful to 'embed' oqs-provider into libcrypto like we do with the legacy provider!

I will continue my testing. More to come!

Cheers.

@baentsch
Member

> I have not used any Windows specific build scripts. Just the same tools but on Windows.

Which compiler/debugger setup, please? MSVC? Which version?

> Is it possible that oqs-provider does NOT support static linking?

That confuses me: My understanding of the provider concept so far was that providers must be shared libs such as to be dynamically loaded at runtime into pre-installed/existing openssl(3) installations.

> It can be useful to 'embed' oqs-provider into libcrypto like we do with the legacy provider!

This certainly would make life easier for consumers.

> I will continue my testing. More to come!

Looking forward to that. Reading up on providers in the meantime....

@baentsch
Member

Is the newly opened issue #82 meant to suggest that dynamic provider loading as discussed above just isn't "flying" under Windows? Allow me to re-iterate my request for a Windows script that builds and tests (and fails) as per your description. Alternatively, could you provide a written description along the lines of https://github.com/open-quantum-safe/liboqs/wiki/Platform-specific-notes-for-building-liboqs#building-on-windows how to reproduce the problems you see? Thanks in advance.

@baentsch
Member

baentsch commented Feb 8, 2023

Closing due to inactivity, also seems like a duplicate of #47.

@baentsch baentsch closed this as completed Feb 8, 2023