Add OQS_MINIMAL_BUILD option and redefine CI workflow (#903)

* Add OQS_MINIMAL_BUILD option that builds only the default KEM/SIG

* CI: add buildcheck job, which uses minimal build

* Add buildcheck and testapproval to CI workflow

* CI: Only run address-sanitizer on audit branches

* CI: Disable centos-8 and debian-buster

.CMake/alg_support.cmake

@@ -368,3 +368,42 @@ if(ARCH STREQUAL "x86_64" AND OQS_USE_AVX2_INSTRUCTIONS)
     cmake_dependent_option(OQS_ENABLE_SIG_sphincs_shake256_256s_simple_avx2 "" ON "OQS_ENABLE_SIG_sphincs_shake256_256s_simple" OFF)
 endif()
 ##### OQS_COPY_FROM_UPSTREAM_FRAGMENT_ADD_ENABLE_BY_ALG_END
+
+if(OQS_MINIMAL_BUILD)
+  # Set every OQS_ENABLE_* variable =OFF unless it one of the following.
+  #  1. the switch for the default algorithm's family, e.g OQS_ENABLE_KEM_KYBER
+  #  2. the switch for the default algorithm, e.g. OQS_ENABLE_KEM_kyber_768.
+  #  3. the switch for platform-specific ("_aesni" or "_avx2") implementation of
+  #     the default algorithm, e.g. OQS_ENABLE_KEM_kyber_768_avx2.
+
+  string(REPLACE "OQS_KEM_alg_" "OQS_ENABLE_KEM_" default_kem_switch ${OQS_KEM_DEFAULT})
+  string(REPLACE "OQS_SIG_alg_" "OQS_ENABLE_SIG_" default_sig_switch ${OQS_SIG_DEFAULT})
+  string(TOUPPER ${default_kem_switch} default_kem_switch_upper) # The default kem's family is a prefix of this string.
+  string(TOUPPER ${default_sig_switch} default_sig_switch_upper)
+
+  get_cmake_property(_vars VARIABLES)
+  foreach (_var ${_vars})
+      if(_var MATCHES "^OQS_ENABLE_..._" AND NOT _var MATCHES "_AVAILABLE$")
+          set(${_var} OFF)
+          # Case 1, family name
+          if(${default_kem_switch_upper} MATCHES "^${_var}"
+          OR ${default_sig_switch_upper} MATCHES "^${_var}")
+              set(${_var} ON)
+          endif()
+          # Case 2, exact match
+          if(${_var}X STREQUAL ${default_kem_switch}X
+          OR ${_var}X STREQUAL ${default_sig_switch}X)
+              set(${_var} ON)
+          endif()
+          # Case 3, platform specific
+          string(REPLACE "_aesni" "" _var_base ${_var})
+          string(REPLACE "_avx2" "" _var_base ${_var_base})
+          if(${_var}_AVAILABLE)
+              if(${_var_base}X STREQUAL ${default_kem_switch}X
+              OR ${_var_base}X STREQUAL ${default_sig_switch}X)
+                  set(${_var} ON)
+              endif()
+          endif()
+      endif()
+  endforeach()
+endif()

.CMake/compiler_opts.cmake

@@ -1,8 +1,5 @@
 # SPDX-License-Identifier: MIT
 
-option(OQS_PORTABLE_BUILD "Ensure the resulting library is portable. This implies having run-time checks for CPU extensions." ON)
-option(OQS_BUILD_ONLY_LIB "Build only liboqs and do not expose build targets for tests, documentation, and pretty-printing available." OFF)
-
 if(CMAKE_C_COMPILER_ID MATCHES "Clang")
     add_compile_options(-Werror)
     add_compile_options(-Wall)

.circleci/config.yml

@@ -4,6 +4,17 @@ require_stylecheck: &require_stylecheck
   requires:
     - stylecheck
 
+require_buildcheck: &require_buildcheck
+  requires:
+    - stylecheck
+    - buildcheck
+
+require_testapproval: &require_testapproval
+  requires:
+    - stylecheck
+    - buildcheck
+    - testapproval
+
 # CircleCI doesn't handle large file sets properly for local builds
 # https://github.com/CircleCI-Public/circleci-cli/issues/281#issuecomment-472808051
 localCheckout: &localCheckout
@@ -32,6 +43,34 @@ jobs:
           name: Check that doxygen can parse the documentation
           command: mkdir -p build/docs && doxygen docs/.Doxyfile
 
+  buildcheck:
+    description: Test that we can build a single KEM/Signature pair as part of a minimal build.
+    parameters:
+      CONTAINER:
+        description: "The docker container to use."
+        type: string
+      CMAKE_ARGS:
+        description: "Arguments to pass to CMake."
+        type: string
+        default: ''
+      KEM_NAME:
+        description: "The KEM to build."
+        type: string
+      SIG_NAME:
+        description: "The signature scheme to build."
+        type: string
+    docker:
+      - image: << parameters.CONTAINER >>
+    steps:
+      - checkout # change this from "checkout" to "*localCheckout" when running CircleCI locally
+      - run:
+          name: Configure
+          command: mkdir build && cd build && source ~/.bashrc && cmake -GNinja << parameters.CMAKE_ARGS >> -DOQS_MINIMAL_BUILD=ON -DOQS_KEM_DEFAULT=OQS_KEM_alg_<< parameters.KEM_NAME >> -DOQS_SIG_DEFAULT=OQS_SIG_alg_<< parameters.SIG_NAME >> .. && cmake -LA ..
+      - run:
+          name: Build
+          command: ninja
+          working_directory: build
+
   linux_x64:
     description: A template for running liboqs tests on x64 Linux Docker VMs
     parameters:
@@ -204,52 +243,67 @@ workflows:
         equal: [ main, << pipeline.git.branch >> ]
     jobs:
       - stylecheck
-      - linux_x64:
+      - buildcheck:
           <<: *require_stylecheck
+          context: openquantumsafe
+          CONTAINER: openquantumsafe/ci-ubuntu-focal-x86_64:latest
+          KEM_NAME: kyber_768
+          SIG_NAME: dilithium_3
+      - testapproval:
+          <<: *require_buildcheck
+          type: approval
+      - linux_x64:
+          <<: *require_buildcheck
           name: alpine-noopenssl
           context: openquantumsafe
           CONTAINER: openquantumsafe/ci-alpine-amd64:latest
           CMAKE_ARGS: -DCMAKE_BUILD_TYPE=Release -DOQS_USE_OPENSSL=OFF
       - linux_x64:
-          <<: *require_stylecheck
+          <<: *require_buildcheck
           name: alpine
           context: openquantumsafe
           CONTAINER: openquantumsafe/ci-alpine-amd64:latest
           CMAKE_ARGS: -DCMAKE_BUILD_TYPE=Release -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON
+      # Disabling centos-8 and debian-buster.
+      # Re-enable if specific configurations (package versions etc) that need to be tested are identified.
+      #- linux_x64:
+      #    <<: *require_buildcheck
+      #    name: centos-8
+      #    context: openquantumsafe
+      #    CONTAINER: openquantumsafe/ci-centos-8-amd64:latest
+      #    CMAKE_ARGS: -DCMAKE_C_COMPILER=clang -DCMAKE_BUILD_TYPE=Release -DOQS_PORTABLE_BUILD=OFF
+      #- linux_x64:
+      #    <<: *require_buildcheck
+      #    name: debian-buster
+      #    context: openquantumsafe
+      #    CONTAINER: openquantumsafe/ci-debian-buster-amd64:latest
       - linux_x64:
-          <<: *require_stylecheck
+          <<: *require_buildcheck
-          name: centos-8
-          context: openquantumsafe
-          CONTAINER: openquantumsafe/ci-centos-8-amd64:latest
-          CMAKE_ARGS: -DCMAKE_C_COMPILER=clang -DCMAKE_BUILD_TYPE=Release -DOQS_PORTABLE_BUILD=OFF
-      - linux_x64:
-          <<: *require_stylecheck
-          name: debian-buster
-          context: openquantumsafe
-          CONTAINER: openquantumsafe/ci-debian-buster-amd64:latest
-      - linux_x64:
-          <<: *require_stylecheck
           name: ubuntu-focal-noopenssl
           context: openquantumsafe
           CONTAINER: openquantumsafe/ci-ubuntu-focal-x86_64:latest
           CMAKE_ARGS: -DCMAKE_C_COMPILER=gcc-8 -DCMAKE_BUILD_TYPE=Release -DOQS_USE_OPENSSL=OFF
       - linux_x64:
-          <<: *require_stylecheck
+          <<: *require_buildcheck
           name: ubuntu-focal-shared-noopenssl
           context: openquantumsafe
           CONTAINER: openquantumsafe/ci-ubuntu-focal-x86_64:latest
           CMAKE_ARGS: -DCMAKE_C_COMPILER=gcc-7 -DCMAKE_BUILD_TYPE=Release -DOQS_USE_OPENSSL=OFF -DBUILD_SHARED_LIBS=ON
           PYTEST_ARGS: --ignore=tests/test_namespace.py --numprocesses=auto
       - linux_x64:
-          <<: *require_stylecheck
+          <<: *require_buildcheck
           name: ubuntu-focal-clang9
           context: openquantumsafe
           CONTAINER: openquantumsafe/ci-ubuntu-focal-x86_64:latest
           CMAKE_ARGS: -DCMAKE_C_COMPILER=clang-9
       - linux_x64:
-          <<: *require_stylecheck
+          <<: *require_buildcheck
           name: address-sanitizer
           context: openquantumsafe
+          filters:
+            branches:
+              only:
+                - /^audit.*/
           CONTAINER: openquantumsafe/ci-ubuntu-focal-x86_64:latest
           CMAKE_ARGS: -DCMAKE_C_COMPILER=clang-9 -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address
           PYTEST_ARGS: --ignore=tests/test_portability.py --numprocesses=auto
@@ -266,27 +320,27 @@ workflows:
       # SPHINCS exhausts memory on CircleCI servers
       # for these configurations.
       - arm_emulated:
-          <<: *require_stylecheck
+          <<: *require_testapproval
           name: arm64
           ARCH: arm64
           CMAKE_ARGS: -DOQS_ENABLE_SIG_SPHINCS=OFF
       - arm_emulated:
-          <<: *require_stylecheck
+          <<: *require_testapproval
           name: armhf
           ARCH: armhf
           CMAKE_ARGS: -DOQS_ENABLE_SIG_SPHINCS=OFF
       - arm_emulated:
-          <<: *require_stylecheck
+          <<: *require_testapproval
           name: armel
           ARCH: armel
           CMAKE_ARGS: -DCMAKE_BUILD_TYPE=Release  -DOQS_ENABLE_SIG_SPHINCS=OFF
 
       - macOS:
-          <<: *require_stylecheck
+          <<: *require_buildcheck
           name: macOS-noopenssl
           CMAKE_ARGS: -DOQS_USE_OPENSSL=OFF
       - macOS:
-          <<: *require_stylecheck
+          <<: *require_buildcheck
           name: macOS-shared
           CMAKE_ARGS: -DBUILD_SHARED_LIBS=ON
 

CMakeLists.txt

@@ -35,9 +35,14 @@ endif()
 if(WIN32)
     set(CMAKE_GENERATOR_CC cl)
 endif()
-include(.CMake/compiler_opts.cmake)
 
+option(OQS_PORTABLE_BUILD "Ensure the resulting library is portable. This implies having run-time checks for CPU extensions." ON)
+option(OQS_BUILD_ONLY_LIB "Build only liboqs and do not expose build targets for tests, documentation, and pretty-printing available." OFF)
+option(OQS_MINIMAL_BUILD  "Only build the default KEM and Signature schemes." OFF)
+
+include(.CMake/compiler_opts.cmake)
 include(.CMake/alg_support.cmake)
+
 if(OQS_USE_OPENSSL)
     if(NOT DEFINED OPENSSL_ROOT_DIR)
         if(${CMAKE_HOST_SYSTEM_NAME} STREQUAL "Darwin")