# Warning suppressions applied only to the vendored pq-code-package objects
# (they are interpolated into the per-object Makefile rules by
# inject_native_sources!), so the gem's own C sources keep their full warnings.
VENDOR_ONLY_CFLAGS =
"-Wno-unused-parameter -Wno-unused-function -Wno-strict-prototypes -Wno-pedantic -Wno-c23-extensions -Wno-undef"
# Raw PQCRYPTO_SANITIZE value; where it is consumed is not visible on this page.
SANITIZE =
ENV["PQCRYPTO_SANITIZE"]
# Whether the native (assembly) backend is wanted: an explicit 1/0 from the
# environment, otherwise the host-platform default (see parse_native_asm_env).
NATIVE_ASM =
parse_native_asm_env(ENV["PQCRYPTO_NATIVE_ASM"])
# Per-backend overrides for the arithmetic and FIPS-202 code paths; each one
# inherits NATIVE_ASM when its variable is unset, blank or "auto".
NATIVE_ARITH =
parse_native_backend_env("PQCRYPTO_NATIVE_ARITH")
NATIVE_FIPS202 =
parse_native_backend_env("PQCRYPTO_NATIVE_FIPS202")


#configure_compiler_environmentObject



# File 'ext/pqcrypto/extconf.rb', line 82

# On macOS, register the /opt/homebrew prefix with mkmf and append its include
# and lib directories to $CPPFLAGS / $LDFLAGS so an OpenSSL installed there is
# found. On every other platform this is a no-op and returns nil.
def configure_compiler_environment
  darwin = RUBY_PLATFORM.include?("darwin")
  return unless darwin

  homebrew_prefix = "/opt/homebrew"
  dir_config("homebrew", homebrew_prefix)
  $CPPFLAGS << " -I#{homebrew_prefix}/include"
  $LDFLAGS << " -L#{homebrew_prefix}/lib"
end

#configure_openssl!Object



# File 'ext/pqcrypto/extconf.rb', line 157

# Require an OpenSSL 3.0+ toolchain whose EVP headers expose SHA3-256 and
# SHAKE256, aborting the build with a specific message otherwise, then record
# the two header feature macros in $CFLAGS.
#
# The library checks (have_library) are the only link-time evidence gathered;
# the version, SHA3 and SHAKE probes are try_compile only, so they confirm that
# the headers declare the symbols, not that the libcrypto being linked exports
# them. NOTE(review): a header/library version skew would pass these probes.
def configure_openssl!
  configure_compiler_environment

  {
    "crypto" => "OpenSSL libcrypto is required",
    "ssl" => "OpenSSL libssl is required"
  }.each do |lib, message|
    abort message unless have_library(lib)
  end

  %w[openssl/evp.h openssl/rand.h openssl/crypto.h].each do |hdr|
    abort "#{hdr} is required" unless have_header(hdr)
  end

  # Abort with +message+ unless +source+ compiles against the headers found above.
  require_compile = lambda do |source, message|
    abort message unless try_compile(source)
  end

  require_compile.call(<<~SRC, "OpenSSL 3.0 or later is required")
    #include <openssl/opensslv.h>
    #if OPENSSL_VERSION_NUMBER < 0x30000000L
    #error "OpenSSL 3.0 or later is required"
    #endif
    int main(void) { return 0; }
  SRC

  require_compile.call(<<~SRC, "OpenSSL SHA3-256 is required (X-Wing combiner)")
    #include <openssl/evp.h>
    int main(void) {
        const EVP_MD *md = EVP_sha3_256();
        return md == NULL ? 1 : 0;
    }
  SRC

  require_compile.call(<<~SRC, "OpenSSL SHAKE256 is required (X-Wing key expansion / ML-DSA streaming mu)")
    #include <openssl/evp.h>
    int main(void) {
        const EVP_MD *md = EVP_shake256();
        return md == NULL ? 1 : 0;
    }
  SRC

  $CFLAGS << " -DHAVE_OPENSSL_EVP_H -DHAVE_OPENSSL_RAND_H"
end

#find_vendor_dirObject



# File 'ext/pqcrypto/extconf.rb', line 135

# Locate a ready vendored PQ Code Package tree.
#
# Candidates, in priority order: ext/pqcrypto/vendor next to this file, the
# same directory relative to the gem layout, the working directory, and
# ext/pqcrypto/vendor under each of the six nearest ancestors of __dir__.
# If the primary candidate (the one next to this file) is not ready,
# run_vendor_script! is invoked first; that helper aborts unless
# PQCRYPTO_AUTO_VENDOR=1.
#
# @return [String, nil] absolute path of the first ready candidate, or nil
def find_vendor_dir
  ancestor_vendor_dirs = []
  cursor = __dir__
  6.times do
    ancestor_vendor_dirs << File.join(cursor, "ext", "pqcrypto", "vendor")
    cursor = File.dirname(cursor)
  end

  candidates = [
    File.join(__dir__, "vendor"),
    File.expand_path("../../ext/pqcrypto/vendor", __dir__),
    File.join(Dir.pwd, "ext", "pqcrypto", "vendor"),
    *ancestor_vendor_dirs
  ].map { |path| File.expand_path(path) }.uniq

  primary = File.expand_path(File.join(__dir__, "vendor"))
  run_vendor_script!(primary) unless native_vendor_ready?(primary)

  candidates.find { |path| native_vendor_ready?(path) }
end

#generate_version_header!Object



# File 'ext/pqcrypto/extconf.rb', line 8

# Write pqcrypto_version.h next to this file, defining PQCRYPTO_VERSION as a
# C string literal built from PQCrypto::VERSION.
#
# The version is restricted to an alphanumeric/._+- character set before it is
# embedded, so a malformed constant cannot inject arbitrary text into the
# generated header; String#dump then produces the quoted C-compatible literal.
#
# @raise aborts the build when PQCrypto::VERSION fails the character-set check
def generate_version_header!
  version = PQCrypto::VERSION
  allowed = /\A[0-9A-Za-z][0-9A-Za-z._+-]*\z/
  abort "Invalid PQCrypto::VERSION for C header: #{version.inspect}" unless version.match?(allowed)

  contents = <<~C
    /* Generated by extconf.rb from lib/pq_crypto/version.rb. Do not edit. */
    #ifndef PQCRYPTO_VERSION_H
    #define PQCRYPTO_VERSION_H

    #define PQCRYPTO_VERSION #{version.dump}

    #endif
  C
  File.write(File.join(__dir__, "pqcrypto_version.h"), contents)
end

#inject_native_sources!(config) ⇒ Object



# File 'ext/pqcrypto/extconf.rb', line 253

# Patch the Makefile that mkmf generated so the vendored mlkem-native and
# mldsa-native sources are compiled once per parameter set (ML-KEM
# 512/768/1024, ML-DSA 44/65/87) with the defines from native_flags plus
# VENDOR_ONLY_CFLAGS, and so the resulting objects are linked into the
# extension.
#
# @param config [Hash] layout returned by native_vendor_config; only
#   :mlkem_c, :mldsa_c, :mlkem_asm and :mldsa_asm are read here
# @raise [RuntimeError] when the generated Makefile has no "OBJS = " line or
#   lacks the "$(OBJS): $(HDRS) $(ruby_headers)" anchor the rules go after
def inject_native_sources!(config)
  makefile = File.read("Makefile")

  vendor_objects = []
  build_rules = []

  # One C object per parameter set. The first level of each family is built
  # with the *_MULTILEVEL_WITH_SHARED define and the others with *_NO_SHARED
  # (see native_flags), which is the upstream multilevel-build convention.
  # NOTE(review): +source+ is interpolated into the rule unquoted, so a vendor
  # path containing whitespace or make metacharacters would yield a broken rule.
  [
    [:mlkem, "512", config[:mlkem_c], true],
    [:mlkem, "768", config[:mlkem_c], false],
    [:mlkem, "1024", config[:mlkem_c], false],
    [:mldsa, "44", config[:mldsa_c], true],
    [:mldsa, "65", config[:mldsa_c], false],
    [:mldsa, "87", config[:mldsa_c], false]
  ].each do |kind, level, source, shared|
    object = "pqnative_#{kind}_#{level}.o"
    flags = native_flags(kind, level, shared: shared)
    vendor_objects << object
    # The recipe lines are tab-indented on purpose: make requires a leading
    # tab, and <<~ leaves the tab in place after stripping the common indent.
    build_rules << <<~RULE
      #{object}: #{source}
      	$(ECHO) compiling #{source} [#{kind}-#{level}]
      	$(Q) $(CC) $(INCFLAGS) $(CPPFLAGS) $(CFLAGS) #{VENDOR_ONLY_CFLAGS} #{flags} $(COUTFLAG)$@ -c $(CSRCFLAG)$<
    RULE
  end

  # Assembly objects are added only when a native backend is enabled and the
  # vendored tree actually ships the .S file for that family.
  if NATIVE_ARITH || NATIVE_FIPS202
    [
      [:mlkem, "512", config[:mlkem_asm], true],
      [:mlkem, "768", config[:mlkem_asm], false],
      [:mlkem, "1024", config[:mlkem_asm], false],
      [:mldsa, "44", config[:mldsa_asm], true],
      [:mldsa, "65", config[:mldsa_asm], false],
      [:mldsa, "87", config[:mldsa_asm], false]
    ].each do |kind, level, source, shared|
      next unless File.exist?(source)

      object = "pqnative_#{kind}_#{level}_asm.o"
      flags = native_flags(kind, level, shared: shared)
      vendor_objects << object
      build_rules << <<~RULE
        #{object}: #{source}
        	$(ECHO) assembling #{source} [#{kind}-#{level}]
        	$(Q) $(CC) $(INCFLAGS) $(CPPFLAGS) $(CFLAGS) #{VENDOR_ONLY_CFLAGS} #{flags} $(COUTFLAG)$@ -c $(CSRCFLAG)$<
      RULE
    end
  end

  # Append the new objects to the OBJS variable so they are linked. sub! with a
  # String pattern matches literally (no regex interpretation of the line).
  objects_line = makefile.lines.find { |line| line.start_with?("OBJS = ") }
  raise "Could not find OBJS line in generated Makefile" unless objects_line

  makefile.sub!(objects_line, objects_line.chomp + " #{vendor_objects.join(' ')}\n")

  # Insert the build rules once, right after the OBJS dependency line; the
  # marker comment guards against inserting them twice.
  unless makefile.include?("# vendored pq-code-package objects")
    rules_block = "\n# vendored pq-code-package objects\n" + build_rules.join("\n") + "\n"
    anchor = "$(OBJS): $(HDRS) $(ruby_headers)\n"
    raise "Could not find OBJS dependency anchor in generated Makefile" unless makefile.include?(anchor)

    makefile.sub!(anchor, anchor + rules_block)
  end

  File.write("Makefile", makefile)
end

#native_asm_supported_by_default?Boolean

Returns:

  • (Boolean)


# File 'ext/pqcrypto/extconf.rb', line 42

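# Default for the native assembly backend when the environment does not decide:
# true only on arm64/aarch64 hosts whose host_os is not mswin/mingw/cygwin.
#
# Uses match? so the predicate returns a strict true/false; the previous =~
# form returned a match index (0) or nil, which then leaked into NATIVE_ASM and
# the NATIVE_* constants derived from it.
#
# @return [Boolean]
def native_asm_supported_by_default?
  host_cpu = RbConfig::CONFIG.fetch("host_cpu", "")
  host_os = RbConfig::CONFIG.fetch("host_os", "")
  return false if host_os.match?(/mswin|mingw|cygwin/i)

  host_cpu.match?(/\A(?:arm64|aarch64)\z/i)
end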

#native_flags(kind, level, shared:) ⇒ Object



# File 'ext/pqcrypto/extconf.rb', line 239

# Build the -D define list for one vendored parameter set.
#
# @param kind [Symbol] :mlkem (MLK_ prefix, pqcr_mlkem namespace) or anything
#   else (MLD_ prefix, pqcr_mldsa namespace)
# @param level [String] parameter set, e.g. "512" or "44"
# @param shared [Boolean] true for the one object per family that carries the
#   MULTILEVEL_WITH_SHARED define; false selects MULTILEVEL_NO_SHARED
# @return [String] space-separated defines; the native backend defines are
#   appended only when NATIVE_ARITH / NATIVE_FIPS202 are enabled
def native_flags(kind, level, shared:)
  mlkem = kind == :mlkem
  prefix = mlkem ? "MLK" : "MLD"
  namespace = mlkem ? "pqcr_mlkem" : "pqcr_mldsa"
  sharing = shared ? "MULTILEVEL_WITH_SHARED" : "MULTILEVEL_NO_SHARED"

  defines = [
    "CONFIG_MULTILEVEL_BUILD",
    "CONFIG_PARAMETER_SET=#{level}",
    "CONFIG_NAMESPACE_PREFIX=#{namespace}",
    "CONFIG_NO_SUPERCOP",
    "CONFIG_#{sharing}",
    (NATIVE_ARITH ? "CONFIG_USE_NATIVE_BACKEND_ARITH" : nil),
    (NATIVE_FIPS202 ? "CONFIG_USE_NATIVE_BACKEND_FIPS202" : nil)
  ].compact

  defines.map { |define| "-D#{prefix}_#{define}" }.join(" ")
end

#native_vendor_config(vendor_dir) ⇒ Object



# File 'ext/pqcrypto/extconf.rb', line 200

# Resolve the vendored mlkem-native / mldsa-native layout under +vendor_dir+,
# add every directory beneath the two native trees (plus __dir__) to $CPPFLAGS
# as include paths, and return the paths the Makefile rules need.
#
# Aborts when +vendor_dir+ is nil or either entry-point .c file is missing;
# there is deliberately no PQClean fallback.
#
# @param vendor_dir [String, nil] result of find_vendor_dir
# @return [Hash{Symbol => String}] :mlkem_dir, :mldsa_dir, :mlkem_c, :mldsa_c,
#   :mlkem_asm, :mldsa_asm (the .S paths are returned without checking that
#   they exist)
def native_vendor_config(vendor_dir)
  unless vendor_dir
    abort <<~MSG
      PQ Code Package vendored sources are required.

      Expected:
        ext/pqcrypto/vendor/mlkem-native/mlkem/mlkem_native.c
        ext/pqcrypto/vendor/mldsa-native/mldsa/mldsa_native.c

      Run:
        bundle exec rake vendor
    MSG
  end

  trees = {
    mlkem: File.join(vendor_dir, "mlkem-native", "mlkem"),
    mldsa: File.join(vendor_dir, "mldsa-native", "mldsa")
  }
  entry_points = {
    mlkem: File.join(trees[:mlkem], "mlkem_native.c"),
    mldsa: File.join(trees[:mldsa], "mldsa_native.c")
  }

  missing = entry_points.values.reject { |path| File.exist?(path) }
  unless missing.empty?
    abort <<~MSG
      Missing PQ Code Package native source files:
        #{missing.join("\n  ")}

      This build intentionally has no PQClean fallback. Auto-vendoring did not
      produce the required files. Vendor mlkem-native and mldsa-native, then rebuild.
    MSG
  end

  include_dirs = [__dir__, *trees.values]
  trees.each_value { |dir| include_dirs.concat(recursive_include_dirs(dir)) }
  include_dirs.uniq.each { |dir| $CPPFLAGS << " -I#{dir}" }

  {
    mlkem_dir: trees[:mlkem],
    mldsa_dir: trees[:mldsa],
    mlkem_c: entry_points[:mlkem],
    mldsa_c: entry_points[:mldsa],
    mlkem_asm: File.join(trees[:mlkem], "mlkem_native_asm.S"),
    mldsa_asm: File.join(trees[:mldsa], "mldsa_native_asm.S")
  }
end

#native_vendor_ready?(vendor_dir) ⇒ Boolean

Returns:

  • (Boolean)


# File 'ext/pqcrypto/extconf.rb', line 97

# True when +vendor_dir+ carries the .vendored marker and both native
# entry-point sources exist. These are existence checks only: nothing here
# verifies the content of the tree against the pinned upstream commits.
#
# @param vendor_dir [String]
# @return [Boolean]
def native_vendor_ready?(vendor_dir)
  marker_present = File.exist?(File.join(vendor_dir, ".vendored"))
  return false unless marker_present

  native_vendor_sources_for(vendor_dir).all? { |source| File.exist?(source) }
end

#native_vendor_sources_for(vendor_dir) ⇒ Object



# File 'ext/pqcrypto/extconf.rb', line 90

# The two entry-point sources a ready vendor tree must contain.
#
# @param vendor_dir [String]
# @return [Array<String>] mlkem_native.c then mldsa_native.c paths
def native_vendor_sources_for(vendor_dir)
  %w[mlkem-native/mlkem/mlkem_native.c mldsa-native/mldsa/mldsa_native.c].map do |relative|
    File.join(vendor_dir, relative)
  end
end

#parse_native_asm_env(value) ⇒ Object



# File 'ext/pqcrypto/extconf.rb', line 50

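# Interpret PQCRYPTO_NATIVE_ASM. Unset, blank or "auto" (case-insensitive,
# surrounding whitespace ignored) defers to native_asm_supported_by_default?;
# 1/true/yes/on forces the backend on and 0/false/no/off forces it off.
# Anything else aborts the build.
#
# The value is normalised before the "auto" test. Previously only an exact
# "auto" took the platform default, while "AUTO" or " auto " fell through to
# the case statement and switched the backend on unconditionally.
#
# @param value [String, nil] raw environment value
# @return [Boolean]
def parse_native_asm_env(value)
  normalized = value.to_s.strip.downcase
  return native_asm_supported_by_default? if normalized.empty? || normalized == "auto"

  case normalized
  when "1", "true", "yes", "on"
    true
  when "0", "false", "no", "off"
    false
  else
    abort "Invalid PQCRYPTO_NATIVE_ASM=#{value.inspect}; use 1, 0, or auto"
  end
end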

#parse_native_backend_env(name) ⇒ Object



# File 'ext/pqcrypto/extconf.rb', line 65

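# Interpret a per-backend override variable (PQCRYPTO_NATIVE_ARITH or
# PQCRYPTO_NATIVE_FIPS202). Unset, blank or "auto" (case-insensitive,
# surrounding whitespace ignored) inherits NATIVE_ASM; 1/true/yes/on and
# 0/false/no/off force the choice. Anything else aborts the build.
#
# The value is normalised before the "auto" test so that "Auto" or " auto "
# inherit NATIVE_ASM as the abort message promises, instead of aborting.
#
# @param name [String] environment variable name
# @return [Boolean]
def parse_native_backend_env(name)
  value = ENV[name]
  normalized = value.to_s.strip.downcase
  return NATIVE_ASM if normalized.empty? || normalized == "auto"

  case normalized
  when "1", "true", "yes", "on"
    true
  when "0", "false", "no", "off"
    false
  else
    abort "Invalid #{name}=#{value.inspect}; use 1, 0, or auto"
  end
end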

#recursive_include_dirs(root) ⇒ Object



# File 'ext/pqcrypto/extconf.rb', line 196

# Every directory below +root+ (any depth, dot-directories excluded by the
# glob), as absolute paths. Used to build -I flags for the vendored trees, so
# everything under them becomes a header search path.
#
# @param root [String]
# @return [Array<String>]
def recursive_include_dirs(root)
  pattern = File.join(root, "**", "*")
  Dir.glob(pattern).each_with_object([]) do |entry, dirs|
    dirs << File.expand_path(entry) if File.directory?(entry)
  end
end

#run_vendor_script!(vendor_dir) ⇒ Object



# File 'ext/pqcrypto/extconf.rb', line 106

# Populate +vendor_dir+ by running script/vendor_libs.rb, which (per its own
# message) fetches the upstream sources at pinned commits.
#
# Because this reaches out to the network at install time it is opt-in: the
# build aborts with instructions unless PQCRYPTO_AUTO_VENDOR=1, and also when
# the script was not packaged or exits unsuccessfully. The script is started
# with the multi-argument form of Kernel#system, so no shell parses its path.
#
# @param vendor_dir [String] directory the sources are expected under (used in
#   the abort message only)
# @return [nil]
def run_vendor_script!(vendor_dir)
  auto_vendor = ENV["PQCRYPTO_AUTO_VENDOR"] == "1"
  unless auto_vendor
    abort <<~MSG
      PQ Code Package vendored sources are missing.

      Expected:
        #{native_vendor_sources_for(vendor_dir).join("\n  ")}

      The vendor tree is committed to the repository and shipped with the gem.
      If it is missing, the source tree is incomplete or corrupted.

      To fetch upstream sources at the pinned commits run:
        ruby script/vendor_libs.rb

      Or to allow extconf.rb to do this for you set PQCRYPTO_AUTO_VENDOR=1.
    MSG
  end

  script = vendor_script_path
  unless File.exist?(script)
    abort "PQ Code Package vendored sources are missing and script/vendor_libs.rb was not packaged."
  end

  puts "PQ Code Package native sources are missing; vendoring now (PQCRYPTO_AUTO_VENDOR=1)..."
  succeeded = system(RbConfig.ruby, script)
  return if succeeded

  abort <<~MSG
    Failed to vendor PQ Code Package native sources.

    This build intentionally has no PQClean fallback. Install git/network access or
    vendor mlkem-native and mldsa-native before installing the gem.
  MSG
end

#vendor_script_pathObject



# File 'ext/pqcrypto/extconf.rb', line 102

# Absolute path of script/vendor_libs.rb, two directories above this file
# (ext/pqcrypto -> repository root).
#
# @return [String]
def vendor_script_path
  repo_root = File.expand_path(File.join("..", ".."), __dir__)
  File.join(repo_root, "script", "vendor_libs.rb")
end
end