removed default provider load and added documentation

README.md

@@ -21,7 +21,8 @@ Status
 Currently this provider fully enables quantum-safe cryptography for KEM
 key establishment in TLS1.3 including management of such keys via the
 OpenSSL (3.0) provider interface and hybrid KEM schemes. Also, OQS 
-signatures are available via the OpenSSL EVP interface. 
+signatures are available via the OpenSSL EVP interface. Key persistence is
+provided via the encode/decode mechanism (still WIP for X.509).
 
 For information about the available OQS algorithms,
 [refer to the OQS-OpenSSL documentation](https://github.com/open-quantum-safe/openssl#supported-algorithms).
@@ -34,11 +35,16 @@ If any of these features are needed, please refer to and use the
 [OQS-OpenSSL1.1.1](https://github.com/open-quantum-safe/openssl) fork
 where they are already implemented.
 
+*Note:* `oqsprovider` depends for TLS session setup and hybrid operations
+on OpenSSL providers for classic crypto operations. Therefore it is essential
+that a provider such as `default` or `fips` is configured to be active. See
+`tests/oqs.cnf` for an example.
+
 Building and testing -- Quick start
 -----------------------------------
 
-All component builds and tests described in detail below can be executed by
-running the script `scripts/fullbuild.sh` (tested on Linux Ubuntu and Mint).
+All component builds and testing described in detail below can be executed by
+running the scripts `scripts/fullbuild.sh` and `scripts/runtests.sh` respectively (tested on Linux Ubuntu and Mint).
 
 
 Building and testing
@@ -91,7 +97,7 @@ Further `liboqs` build options are [documented here](https://github.com/open-qua
 
 ## Testing
 
-Testing can be run via the following command:
+Core component testing can be run via the following command:
 
     (cd _build; ctest)
 
@@ -101,6 +107,9 @@ Add `-V` to the `ctest` command for verbose output.
 activated by executing `./scripts/preptests.sh` before building the provider. 
 See [the test README](test/README.md) for details.
 
+Additional interoperability tests (with OQS-OpenSSL1.1.1) are available in the
+script `scripts/runtests.sh`.
+
 ## Build options
 
 ### NDEBUG

oqsprov/oqsprov.c

@@ -320,13 +320,11 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
 {
     const OSSL_DISPATCH *orig_in=in;
     OSSL_FUNC_core_obj_create_fn *c_obj_create= NULL;
-    OSSL_FUNC_core_get_libctx_fn *c_get_libctx = NULL;
 
     OSSL_FUNC_core_obj_add_sigid_fn *c_obj_add_sigid= NULL;
     BIO_METHOD *corebiometh;
     OSSL_LIB_CTX *libctx = NULL;
-    int i;
-    int rc = 0;
+    int i, rc = 0;
 
     if (!oqs_prov_bio_from_dispatch(in))
         return 0;
@@ -336,9 +334,6 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
         case OSSL_FUNC_CORE_GETTABLE_PARAMS:
             c_gettable_params = OSSL_FUNC_core_gettable_params(in);
             break;
-        case OSSL_FUNC_CORE_GET_LIBCTX:
-            c_get_libctx = OSSL_FUNC_core_get_libctx(in);
-            break;
         case OSSL_FUNC_CORE_GET_PARAMS:
             c_get_params = OSSL_FUNC_core_get_params(in);
             break;
@@ -355,12 +350,9 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
     }
 
     // we need these functions:
-    if (c_obj_create == NULL || c_obj_add_sigid==NULL || c_get_libctx==NULL)
+    if (c_obj_create == NULL || c_obj_add_sigid==NULL)
         return 0;
 
-    // try to get pre-existing context
-    libctx = (OSSL_LIB_CTX *)c_get_libctx(handle);
-
     // insert all OIDs to the global objects list
     for (i=0; i<OQS_OID_CNT;i+=2) {
 	if (!c_obj_create(handle, oqs_oid_alg_list[i], oqs_oid_alg_list[i+1], oqs_oid_alg_list[i+1]))
@@ -378,7 +370,7 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
 
     // if libctx not yet existing, create a new one
     if ( ((corebiometh = oqs_bio_prov_init_bio_method()) == NULL) ||
-         ((libctx = libctx?libctx:OSSL_LIB_CTX_new_child(handle, orig_in)) == NULL) ||
+         ((libctx = OSSL_LIB_CTX_new_child(handle, orig_in)) == NULL) ||
          ((*provctx = oqsx_newprovctx(libctx, handle, corebiometh)) == NULL ) ) { 
         OQS_PROV_PRINTF("OQS PROV: error creating new provider context\n");
         ERR_raise(ERR_LIB_USER, OQSPROV_R_LIB_CREATE_ERR);
@@ -387,15 +379,14 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
 
     *out = oqsprovider_dispatch_table;
 
-    // finally, check availability of default provider: Without it, this provider won't function:
-    if (!OSSL_PROVIDER_available(libctx, "default")) {
-        OQS_PROV_PRINTF("OQS PROV: Default provider not available. Activating.\n");
-        rc = (OSSL_PROVIDER_load(libctx, "default") != NULL);
+    // finally, warn if neither default nor fips provider are present:
+    if (!OSSL_PROVIDER_available(libctx, "default") && !OSSL_PROVIDER_available(libctx, "fips")) {
+        OQS_PROV_PRINTF("OQS PROV: Default and FIPS provider not available. Errors may result.\n");
     }
     else {
-        OQS_PROV_PRINTF("OQS PROV: Default provider available.\n");
-        rc = 1;
+        OQS_PROV_PRINTF("OQS PROV: Default or FIPS provider available.\n");
     }
+    rc = 1;
 
 end_init:
     if (!rc) {

scripts/fullbuild.sh

@@ -5,8 +5,8 @@ if [ $# -gt 0 ]; then
 fi
 
 if [ ! -d "openssl" ]; then
-   echo "openssl doesn't reside where expected: Cloning and building... Full debug and tracing enabled:"
-   git clone git://git.openssl.org/openssl.git && cd openssl && ./config enable-trace --debug --prefix=$(echo $(pwd)/../.local) && make && make install_sw && cd ..
+   echo "openssl doesn't reside where expected: Cloning and building... Full debug and tracing and FIPS enabled:"
+   git clone git://git.openssl.org/openssl.git && cd openssl && ./config enable-trace enable-fips --debug --prefix=$(echo $(pwd)/../.local) && make && make install_sw && cd ..
    if [ $? -ne 0 ]; then
      echo "openssl build failed. Exiting."
      exit -1

test/oqs.cnf

@@ -6,9 +6,13 @@ providers = provider_sect
 [provider_sect]
 oqsprovider = oqsprovider_sect
 default = default_sect
+# fips = fips_sect
 
 [default_sect]
 activate = 1
 
+#[fips_sect]
+#activate = 1
+
 [oqsprovider_sect]
 activate = 1