react-native-quick-crypto 1.0.0 → 1.0.2

package/cpp/sign/HybridSignHandle.cpp

@@ -9,6 +9,12 @@
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 
+#if OPENSSL_VERSION_NUMBER >= 0x30500000L
+#define RNQC_HAS_ML_DSA 1
+#else
+#define RNQC_HAS_ML_DSA 0
+#endif
+
 namespace margelo::nitro::crypto {
 
 using margelo::nitro::NativeArrayBuffer;
@@ -22,17 +28,28 @@ HybridSignHandle::~HybridSignHandle() {
 
 void HybridSignHandle::init(const std::string& algorithm) {
   algorithm_name = algorithm;
-  md = getDigestByName(algorithm);
 
-  md_ctx = EVP_MD_CTX_new();
-  if (!md_ctx) {
-    throw std::runtime_error("Failed to create message digest context");
-  }
+  // For ML-DSA and other pure signature schemes, algorithm may be empty/null
+  if (!algorithm.empty()) {
+    md = getDigestByName(algorithm);
 
-  if (EVP_DigestInit_ex(md_ctx, md, nullptr) <= 0) {
-    EVP_MD_CTX_free(md_ctx);
-    md_ctx = nullptr;
-    throw std::runtime_error("Failed to initialize message digest");
+    md_ctx = EVP_MD_CTX_new();
+    if (!md_ctx) {
+      throw std::runtime_error("Failed to create message digest context");
+    }
+
+    if (EVP_DigestInit_ex(md_ctx, md, nullptr) <= 0) {
+      EVP_MD_CTX_free(md_ctx);
+      md_ctx = nullptr;
+      throw std::runtime_error("Failed to initialize message digest");
+    }
+  } else {
+    // No digest for pure signature schemes like ML-DSA
+    md = nullptr;
+    md_ctx = EVP_MD_CTX_new();
+    if (!md_ctx) {
+      throw std::runtime_error("Failed to create message digest context");
+    }
   }
 }
 
@@ -43,22 +60,60 @@ void HybridSignHandle::update(const std::shared_ptr<ArrayBuffer>& data) {
 
   auto native_data = ToNativeArrayBuffer(data);
 
-  // Accumulate raw data for potential one-shot signing (Ed25519/Ed448)
+  // Accumulate raw data for potential one-shot signing (Ed25519/Ed448/ML-DSA)
   const uint8_t* ptr = reinterpret_cast<const uint8_t*>(native_data->data());
   data_buffer.insert(data_buffer.end(), ptr, ptr + native_data->size());
 
-  if (EVP_DigestUpdate(md_ctx, native_data->data(), native_data->size()) <= 0) {
-    unsigned long err = ERR_get_error();
-    char err_buf[256];
-    ERR_error_string_n(err, err_buf, sizeof(err_buf));
-    throw std::runtime_error("Failed to update digest: " + std::string(err_buf));
+  // Only update digest if we have one (not needed for pure signature schemes)
+  if (md != nullptr) {
+    if (EVP_DigestUpdate(md_ctx, native_data->data(), native_data->size()) <= 0) {
+      unsigned long err = ERR_get_error();
+      char err_buf[256];
+      ERR_error_string_n(err, err_buf, sizeof(err_buf));
+      throw std::runtime_error("Failed to update digest: " + std::string(err_buf));
+    }
   }
 }
 
-// Check if key type requires one-shot signing (Ed25519, Ed448)
+// Check if key type requires one-shot signing (Ed25519, Ed448, ML-DSA)
 static bool isOneShotVariant(EVP_PKEY* pkey) {
   int type = EVP_PKEY_id(pkey);
+#if RNQC_HAS_ML_DSA
+  return type == EVP_PKEY_ED25519 || type == EVP_PKEY_ED448 || type == EVP_PKEY_ML_DSA_44 || type == EVP_PKEY_ML_DSA_65 ||
+         type == EVP_PKEY_ML_DSA_87;
+#else
   return type == EVP_PKEY_ED25519 || type == EVP_PKEY_ED448;
+#endif
+}
+
+// Get the algorithm name for creating PKEY_CTX (for ML-DSA variants)
+static const char* getAlgorithmName(EVP_PKEY* pkey) {
+  int type = EVP_PKEY_id(pkey);
+#if RNQC_HAS_ML_DSA
+  switch (type) {
+    case EVP_PKEY_ML_DSA_44:
+      return "ML-DSA-44";
+    case EVP_PKEY_ML_DSA_65:
+      return "ML-DSA-65";
+    case EVP_PKEY_ML_DSA_87:
+      return "ML-DSA-87";
+    case EVP_PKEY_ED25519:
+      return "ED25519";
+    case EVP_PKEY_ED448:
+      return "ED448";
+    default:
+      return nullptr;
+  }
+#else
+  switch (type) {
+    case EVP_PKEY_ED25519:
+      return "ED25519";
+    case EVP_PKEY_ED448:
+      return "ED448";
+    default:
+      return nullptr;
+  }
+#endif
 }
 
 std::shared_ptr<ArrayBuffer> HybridSignHandle::sign(const std::shared_ptr<HybridKeyObjectHandleSpec>& keyHandle,
@@ -78,18 +133,35 @@ std::shared_ptr<ArrayBuffer> HybridSignHandle::sign(const std::shared_ptr<Hybrid
   size_t sig_len = 0;
   std::unique_ptr<uint8_t[]> sig_buf;
 
-  // Ed25519/Ed448 require one-shot signing with EVP_DigestSign
-  if (isOneShotVariant(pkey)) {
+  int pkey_type = EVP_PKEY_id(pkey);
+  bool is_one_shot = isOneShotVariant(pkey);
+
+  // Ed25519/Ed448/ML-DSA require one-shot signing with EVP_DigestSign
+  // Also use one-shot path if no digest was specified (md == nullptr)
+  if (is_one_shot || md == nullptr) {
     // Create a new context for one-shot signing
     EVP_MD_CTX* sign_ctx = EVP_MD_CTX_new();
     if (!sign_ctx) {
       throw std::runtime_error("Failed to create signing context");
     }
 
-    // Initialize for one-shot signing (pass nullptr for md - Ed25519/Ed448 have built-in hash)
-    if (EVP_DigestSignInit(sign_ctx, nullptr, nullptr, nullptr, pkey) <= 0) {
+    // Get algorithm name and create PKEY_CTX for ML-DSA
+    const char* alg_name = getAlgorithmName(pkey);
+    EVP_PKEY_CTX* pkey_ctx = nullptr;
+    if (alg_name != nullptr) {
+      pkey_ctx = EVP_PKEY_CTX_new_from_name(nullptr, alg_name, nullptr);
+      if (!pkey_ctx) {
+        EVP_MD_CTX_free(sign_ctx);
+        throw std::runtime_error(std::string("Failed to create signing context for ") + alg_name);
+      }
+    }
+
+    // Initialize for one-shot signing (pass nullptr for md - these algorithms have built-in hash)
+    if (EVP_DigestSignInit(sign_ctx, pkey_ctx ? &pkey_ctx : nullptr, nullptr, nullptr, pkey) <= 0) {
       EVP_MD_CTX_free(sign_ctx);
-      throw std::runtime_error("Failed to initialize Ed signing");
+      if (pkey_ctx)
+        EVP_PKEY_CTX_free(pkey_ctx);
+      throw std::runtime_error("Failed to initialize one-shot signing");
     }
 
     // Get the accumulated data from the digest context
@@ -130,7 +202,10 @@ std::shared_ptr<ArrayBuffer> HybridSignHandle::sign(const std::shared_ptr<Hybrid
 
     if (EVP_PKEY_sign_init(pkey_ctx) <= 0) {
       EVP_PKEY_CTX_free(pkey_ctx);
-      throw std::runtime_error("Failed to initialize signing");
+      char err_buf[512];
+      snprintf(err_buf, sizeof(err_buf), "Failed to initialize signing for key type %d (expected one-shot: %s, RNQC_HAS_ML_DSA=%d)",
+               pkey_type, is_one_shot ? "true" : "false", RNQC_HAS_ML_DSA);
+      throw std::runtime_error(std::string(err_buf) + ": " + getOpenSSLError());
     }
 
     if (padding.has_value()) {

package/cpp/sign/HybridVerifyHandle.cpp

@@ -9,6 +9,12 @@
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 
+#if OPENSSL_VERSION_NUMBER >= 0x30500000L
+#define RNQC_HAS_ML_DSA 1
+#else
+#define RNQC_HAS_ML_DSA 0
+#endif
+
 namespace margelo::nitro::crypto {
 
 using margelo::nitro::NativeArrayBuffer;
@@ -22,17 +28,28 @@ HybridVerifyHandle::~HybridVerifyHandle() {
 
 void HybridVerifyHandle::init(const std::string& algorithm) {
   algorithm_name = algorithm;
-  md = getDigestByName(algorithm);
 
-  md_ctx = EVP_MD_CTX_new();
-  if (!md_ctx) {
-    throw std::runtime_error("Failed to create message digest context");
-  }
+  // For ML-DSA and other pure signature schemes, algorithm may be empty/null
+  if (!algorithm.empty()) {
+    md = getDigestByName(algorithm);
 
-  if (EVP_DigestInit_ex(md_ctx, md, nullptr) <= 0) {
-    EVP_MD_CTX_free(md_ctx);
-    md_ctx = nullptr;
-    throw std::runtime_error("Failed to initialize message digest");
+    md_ctx = EVP_MD_CTX_new();
+    if (!md_ctx) {
+      throw std::runtime_error("Failed to create message digest context");
+    }
+
+    if (EVP_DigestInit_ex(md_ctx, md, nullptr) <= 0) {
+      EVP_MD_CTX_free(md_ctx);
+      md_ctx = nullptr;
+      throw std::runtime_error("Failed to initialize message digest");
+    }
+  } else {
+    // No digest for pure signature schemes like ML-DSA
+    md = nullptr;
+    md_ctx = EVP_MD_CTX_new();
+    if (!md_ctx) {
+      throw std::runtime_error("Failed to create message digest context");
+    }
   }
 }
 
@@ -43,22 +60,60 @@ void HybridVerifyHandle::update(const std::shared_ptr<ArrayBuffer>& data) {
 
   auto native_data = ToNativeArrayBuffer(data);
 
-  // Accumulate raw data for potential one-shot verification (Ed25519/Ed448)
+  // Accumulate raw data for potential one-shot verification (Ed25519/Ed448/ML-DSA)
   const uint8_t* ptr = reinterpret_cast<const uint8_t*>(native_data->data());
   data_buffer.insert(data_buffer.end(), ptr, ptr + native_data->size());
 
-  if (EVP_DigestUpdate(md_ctx, native_data->data(), native_data->size()) <= 0) {
-    unsigned long err = ERR_get_error();
-    char err_buf[256];
-    ERR_error_string_n(err, err_buf, sizeof(err_buf));
-    throw std::runtime_error("Failed to update digest: " + std::string(err_buf));
+  // Only update digest if we have one (not needed for pure signature schemes)
+  if (md != nullptr) {
+    if (EVP_DigestUpdate(md_ctx, native_data->data(), native_data->size()) <= 0) {
+      unsigned long err = ERR_get_error();
+      char err_buf[256];
+      ERR_error_string_n(err, err_buf, sizeof(err_buf));
+      throw std::runtime_error("Failed to update digest: " + std::string(err_buf));
+    }
   }
 }
 
-// Check if key type requires one-shot verification (Ed25519, Ed448)
+// Check if key type requires one-shot verification (Ed25519, Ed448, ML-DSA)
 static bool isOneShotVariant(EVP_PKEY* pkey) {
   int type = EVP_PKEY_id(pkey);
+#if RNQC_HAS_ML_DSA
+  return type == EVP_PKEY_ED25519 || type == EVP_PKEY_ED448 || type == EVP_PKEY_ML_DSA_44 || type == EVP_PKEY_ML_DSA_65 ||
+         type == EVP_PKEY_ML_DSA_87;
+#else
   return type == EVP_PKEY_ED25519 || type == EVP_PKEY_ED448;
+#endif
+}
+
+// Get the algorithm name for creating PKEY_CTX (for ML-DSA variants)
+static const char* getAlgorithmName(EVP_PKEY* pkey) {
+  int type = EVP_PKEY_id(pkey);
+#if RNQC_HAS_ML_DSA
+  switch (type) {
+    case EVP_PKEY_ML_DSA_44:
+      return "ML-DSA-44";
+    case EVP_PKEY_ML_DSA_65:
+      return "ML-DSA-65";
+    case EVP_PKEY_ML_DSA_87:
+      return "ML-DSA-87";
+    case EVP_PKEY_ED25519:
+      return "ED25519";
+    case EVP_PKEY_ED448:
+      return "ED448";
+    default:
+      return nullptr;
+  }
+#else
+  switch (type) {
+    case EVP_PKEY_ED25519:
+      return "ED25519";
+    case EVP_PKEY_ED448:
+      return "ED448";
+    default:
+      return nullptr;
+  }
+#endif
 }
 
 bool HybridVerifyHandle::verify(const std::shared_ptr<HybridKeyObjectHandleSpec>& keyHandle, const std::shared_ptr<ArrayBuffer>& signature,
@@ -78,17 +133,31 @@ bool HybridVerifyHandle::verify(const std::shared_ptr<HybridKeyObjectHandleSpec>
   const unsigned char* sig_data = native_sig->data();
   size_t sig_len = native_sig->size();
 
-  // Ed25519/Ed448 require one-shot verification with EVP_DigestVerify
-  if (isOneShotVariant(pkey)) {
+  // Ed25519/Ed448/ML-DSA require one-shot verification with EVP_DigestVerify
+  // Also use one-shot path if no digest was specified (md == nullptr)
+  if (isOneShotVariant(pkey) || md == nullptr) {
     EVP_MD_CTX* verify_ctx = EVP_MD_CTX_new();
     if (!verify_ctx) {
       throw std::runtime_error("Failed to create verification context");
     }
 
-    // Initialize for one-shot verification (pass nullptr for md - Ed25519/Ed448 have built-in hash)
-    if (EVP_DigestVerifyInit(verify_ctx, nullptr, nullptr, nullptr, pkey) <= 0) {
+    // Get algorithm name and create PKEY_CTX for ML-DSA
+    const char* alg_name = getAlgorithmName(pkey);
+    EVP_PKEY_CTX* pkey_ctx = nullptr;
+    if (alg_name != nullptr) {
+      pkey_ctx = EVP_PKEY_CTX_new_from_name(nullptr, alg_name, nullptr);
+      if (!pkey_ctx) {
+        EVP_MD_CTX_free(verify_ctx);
+        throw std::runtime_error(std::string("Failed to create verification context for ") + alg_name);
+      }
+    }
+
+    // Initialize for one-shot verification (pass nullptr for md - these algorithms have built-in hash)
+    if (EVP_DigestVerifyInit(verify_ctx, pkey_ctx ? &pkey_ctx : nullptr, nullptr, nullptr, pkey) <= 0) {
       EVP_MD_CTX_free(verify_ctx);
-      throw std::runtime_error("Failed to initialize Ed verification");
+      if (pkey_ctx)
+        EVP_PKEY_CTX_free(pkey_ctx);
+      throw std::runtime_error("Failed to initialize one-shot verification");
     }
 
     int result = EVP_DigestVerify(verify_ctx, sig_data, sig_len, data_buffer.data(), data_buffer.size());

package/deps/ncrypto/.bazelignore

@@ -0,0 +1,4 @@
+build
+cmake-build-debug-coverage
+cmake-build-debug
+cmake-build-release

package/deps/ncrypto/.bazelrc

@@ -0,0 +1,2 @@
+common --enable_workspace
+build --cxxopt="-std=c++20"

package/deps/ncrypto/.bazelversion

@@ -0,0 +1 @@
+8.0.0

package/deps/ncrypto/.clang-format

@@ -0,0 +1,111 @@
+---
+Language:        Cpp
+# BasedOnStyle:  Google
+AccessModifierOffset: -1
+AlignAfterOpenBracket: Align
+AlignConsecutiveAssignments: false
+AlignConsecutiveDeclarations: false
+AlignEscapedNewlines: Right
+AlignOperands:   true
+AlignTrailingComments: true
+AllowAllParametersOfDeclarationOnNextLine: true
+AllowShortBlocksOnASingleLine: false
+AllowShortCaseLabelsOnASingleLine: false
+AllowShortFunctionsOnASingleLine: Inline
+AllowShortIfStatementsOnASingleLine: true
+AllowShortLoopsOnASingleLine: true
+AlwaysBreakAfterDefinitionReturnType: None
+AlwaysBreakAfterReturnType: None
+AlwaysBreakBeforeMultilineStrings: false
+AlwaysBreakTemplateDeclarations: true
+BinPackArguments: false
+BinPackParameters: false
+BraceWrapping:
+  AfterClass:      false
+  AfterControlStatement: false
+  AfterEnum:       false
+  AfterFunction:   false
+  AfterNamespace:  false
+  AfterObjCDeclaration: false
+  AfterStruct:     false
+  AfterUnion:      false
+  AfterExternBlock: false
+  BeforeCatch:     false
+  BeforeElse:      false
+  IndentBraces:    false
+  SplitEmptyFunction: true
+  SplitEmptyRecord: true
+  SplitEmptyNamespace: true
+BreakBeforeBinaryOperators: None
+BreakBeforeBraces: Attach
+BreakBeforeInheritanceComma: false
+BreakBeforeTernaryOperators: true
+BreakConstructorInitializersBeforeComma: false
+BreakConstructorInitializers: BeforeColon
+BreakAfterJavaFieldAnnotations: false
+BreakStringLiterals: true
+ColumnLimit:      80
+CommentPragmas:  '^ IWYU pragma:'
+CompactNamespaces: false
+ConstructorInitializerAllOnOneLineOrOnePerLine: true
+ConstructorInitializerIndentWidth: 4
+ContinuationIndentWidth: 4
+Cpp11BracedListStyle: true
+DerivePointerAlignment: false
+DisableFormat:   false
+ExperimentalAutoDetectBinPacking: false
+FixNamespaceComments: true
+ForEachMacros:
+  - foreach
+  - Q_FOREACH
+  - BOOST_FOREACH
+IncludeBlocks:   Preserve
+IncludeCategories:
+  - Regex:           '^<ext/.*\.h>'
+    Priority:        2
+  - Regex:           '^<.*\.h>'
+    Priority:        1
+  - Regex:           '^<.*'
+    Priority:        2
+  - Regex:           '.*'
+    Priority:        3
+IncludeIsMainRegex: '([-_](test|unittest))?$'
+IndentCaseLabels: true
+IndentPPDirectives: None
+IndentWidth:     2
+IndentWrappedFunctionNames: false
+JavaScriptQuotes: Leave
+JavaScriptWrapImports: true
+KeepEmptyLinesAtTheStartOfBlocks: false
+MacroBlockBegin: ''
+MacroBlockEnd:   ''
+MaxEmptyLinesToKeep: 1
+NamespaceIndentation: None
+ObjCBlockIndentWidth: 2
+ObjCSpaceAfterProperty: false
+ObjCSpaceBeforeProtocolList: false
+PenaltyBreakAssignment: 2
+PenaltyBreakBeforeFirstCallParameter: 1
+PenaltyBreakComment: 300
+PenaltyBreakFirstLessLess: 120
+PenaltyBreakString: 1000
+PenaltyExcessCharacter: 1000000
+PenaltyReturnTypeOnItsOwnLine: 200
+PointerAlignment: Left
+ReflowComments:  true
+SortIncludes:    true
+SortUsingDeclarations: true
+SpaceAfterCStyleCast: false
+SpaceAfterTemplateKeyword: true
+SpaceBeforeAssignmentOperators: true
+SpaceBeforeParens: ControlStatements
+SpaceInEmptyParentheses: false
+SpacesBeforeTrailingComments: 2
+SpacesInAngles:  false
+SpacesInContainerLiterals: true
+SpacesInCStyleCastParentheses: false
+SpacesInParentheses: false
+SpacesInSquareBrackets: false
+Standard:        Auto
+TabWidth:        8
+UseTab:          Never

package/deps/ncrypto/.github/workflows/bazel.yml

@@ -0,0 +1,58 @@
+name: Bazel
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    paths-ignore:
+      - '**.md'
+      - 'docs/**'
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - '**.md'
+      - 'docs/**'
+
+permissions:
+  contents: read
+  actions: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  macos:
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: bazel-contrib/setup-bazel@bbf8fe8b219f642c7f8bc673215f28eb1d9dec51 # v0.10.0
+        with:
+          bazelisk-cache: true
+          disk-cache: ${{ github.workflow }}
+          repository-cache: true
+      - name: Build & Test
+        run: bazel test //...
+  ubuntu:
+    strategy:
+      fail-fast: false
+      matrix:
+        shared: [ON, OFF]
+        include:
+          - cc: gcc-14
+            cxx: g++-14
+          - cc: clang-18
+            cxx: clang++-18
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: bazel-contrib/setup-bazel@bbf8fe8b219f642c7f8bc673215f28eb1d9dec51 # v0.10.0
+        with:
+          bazelisk-cache: true
+          disk-cache: ${{ github.workflow }}
+          repository-cache: true
+      - name: Build & Test
+        run: bazel test //...
+        env:
+          CC: ${{matrix.cc}}
+          CXX: ${{matrix.cxx}}

package/deps/ncrypto/.github/workflows/linter.yml

@@ -0,0 +1,38 @@
+name: Linter
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    paths-ignore:
+      - '**.md'
+      - 'docs/**'
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - '**.md'
+      - 'docs/**'
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Run clang-format
+        uses: jidicula/clang-format-action@c74383674bf5f7c69f60ce562019c1c94bc1421a # v4.13.0
+        with:
+          clang-format-version: '17'
+          fallback-style: 'Google'
+
+      - uses: chartboost/ruff-action@e18ae971ccee1b2d7bbef113930f00c670b78da4 # v1.0.0
+        name: Lint with Ruff
+        with:
+          version: 0.5.1

package/deps/ncrypto/.github/workflows/macos.yml

@@ -0,0 +1,43 @@
+name: macOS
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    paths-ignore:
+      - '**.md'
+      - 'docs/**'
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - '**.md'
+      - 'docs/**'
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  ubuntu-build:
+    strategy:
+      fail-fast: false
+      matrix:
+        runs-on: [macos-14, macos-15]
+    runs-on: ${{matrix.runs-on}}
+    steps:
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - name: ccache
+        uses: hendrikmuhs/ccache-action@v1.2
+        with:
+          key: ${{github.job}}-${{matrix.os}}
+      - name: Prepare
+        run: cmake -B build
+      - name: Build
+        # m1 machines have 3 CPU
+        # Ref: https://docs.github.com/en/actions/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners
+        run: cmake --build build -j=3
+      - name: Test
+        run: ctest --output-on-failure --test-dir build

package/deps/ncrypto/.github/workflows/ubuntu.yml

@@ -0,0 +1,46 @@
+name: Ubuntu
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    paths-ignore:
+      - '**.md'
+      - 'docs/**'
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - '**.md'
+      - 'docs/**'
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        runs-on: [ubuntu-latest]
+        shared: [ON, OFF]
+        cxx: [g++-14]
+    runs-on: ${{matrix.runs-on}}
+    steps:
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - name: ccache
+        uses: hendrikmuhs/ccache-action@v1.2
+        with:
+          key: ${{github.job}}-${{matrix.os}}-{{matrix.shared}}
+      - name: Setup Ninja
+        run: sudo apt-get install ninja-build
+      - name: Prepare
+        run: cmake -DBUILD_SHARED_LIBS=${{matrix.shared}} -G Ninja -B build
+        env:
+          CXX: ${{matrix.cxx}}
+      - name: Build
+        run: cmake --build build -j=4
+      - name: Test
+        run: ctest --output-on-failure --test-dir build

package/deps/ncrypto/.github/workflows/visual-studio.yml

@@ -0,0 +1,49 @@
+name: Windows
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    paths-ignore:
+      - '**.md'
+      - 'docs/**'
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - '**.md'
+      - 'docs/**'
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: windows-2025
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - {gen: Visual Studio 17 2022, arch: x64, config: Release}
+          - {gen: Visual Studio 17 2022, arch: x64, config: Debug}
+    steps:
+    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+    - name: ccache
+      uses: hendrikmuhs/ccache-action@v1.2
+      with:
+          key: ${{github.job}}-${{matrix.os}}-${{matrix.config}}
+    - name: Install Dependencies
+      run: |
+        choco install nasm
+        echo "C:\Program Files\NASM" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+    - name: Configure
+      run: |
+        cmake -G "${{matrix.gen}}" -A ${{matrix.arch}}  -B build
+    - name: Build
+      run: cmake --build build --config "${{matrix.config}}" --verbose
+    - name: Run  tests
+      working-directory: build
+      run: ctest -C "${{matrix.config}}"  --output-on-failure