Should we worry about leaving the KEM_NID range open ended? Is there any chance something will be put in after the last KEM NID?

In addition, I wonder whether this is the most robust implementation when I read the original issue:

RC2 flipped the order of sigs and KEXs in the NID list (vs. RC1)

The new macros suggested above would fail if this happened again. Is there an easy way to define SIG and KEX_NID_MIN and _MAX? and base the macros off those?

Our templating code always adds our NIDs at the end of OpenSSL's list, so no @dstebila, we don't have to worry that something will be added after (at least not by us; and when sync'ing with a new upstream release, we re-run our templating code). True, this could change again @baentsch, but at least that's in our control, and we would set these macros correctly. Nonetheless, agreed that adding lower and upper bounds would make this more robust. I'm a bit confused by the jinja formatting rules. @xvzcf, can you help to get the syntax right, WHAT GOES HERE to select the last KEM/sig? Can you access arrays by numerical index or only by string name? If only the latter, do I need to iterate over collection and "remember" the last alg seen, or is there a better way?

#define IS_OQS_OPENSSL_SIG_NID(a) ( (a >= NID_oqs_sig_default) && (a <= NID_{{ WHAT GOES HERE? }}) )

NID_{{ config['sigs'] | last}} gets me close, but I can't get the last part to work to get the variant['name'] from there.

If we know that we're doing them consecutively from when we start to when we end, could you do a a <= NID_oqs_sig_default + 3 * {{ config['sigs'] | count}}? (3 * is coming from the fact that I think there is the original alg + 2 hybrid variants, but I could be remembering incorrectly.)

If we know that we're doing them consecutively from when we start to when we end, could you do a a <= NID_oqs_sig_default + 3 * {{ config['sigs'] | count}}? (3 * is coming from the fact that I think there is the original alg + 2 hybrid variants, but I could be remembering incorrectly.)

That'd be an upper bound but things can be configured manually in the template file to enable/disable certain variants. We'd want the code to provide the exact value. I'm just missing the code to properly access the name of the last signature: {{ config['sigs'] | last}} gives me the last signature config blob; I just need to pipe it correctly to get the name value.

This should work:

{%- set last_sig_variant = (config['sigs']|last)['variants']|last  -%}
#define IS_OQS_OPENSSL_SIG_NID(a) ((a >= NID_oqs_sig_default) && (a <= NID_{{ (last_sig_variant['mix_with']|last)['name'] }}_{{ last_sig_variant['name'] }}))

This should work:

{%- set last_sig_variant = (config['sigs']|last)['variants']|last  -%}
#define IS_OQS_OPENSSL_SIG_NID(a) ((a >= NID_oqs_sig_default) && (a <= NID_{{ (last_sig_variant['mix_with']|last)['name'] }}_{{ last_sig_variant['name'] }}))

That works indeed. I need another one for the kems, but yml file doesn't list the variants, it just lists the security level. Using it, I should infer the EC curve to use and generate the name. Sounds a bit complicated... Any idea?

I'll take a look at that and get back to you.

I'll take a look at that and get back to you.

Got it to work. Let me know how it looks.