From fc258cafdce3e3085083c2d3fc2a269bfea6fee9 Mon Sep 17 00:00:00 2001 From: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Tue, 10 Dec 2024 13:58:20 +0100 Subject: [PATCH] enables conditional use of DTLS1.3 Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> --- .github/workflows/linux.yml | 6 +++--- .github/workflows/macos.yml | 3 +-- .github/workflows/windows.yml | 5 ++--- README.md | 3 --- oqsprov/oqsprov_capabilities.c | 5 +++++ scripts/fullbuild.sh | 4 +--- test/oqs_test_groups.c | 4 +++- test/oqs_test_tlssig.c | 4 +++- test/tlstest_helpers.c | 20 +++++++++++++++++--- test/tlstest_helpers.h | 2 +- 10 files changed, 36 insertions(+), 20 deletions(-) diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index 1fb9fca5..0b3981e5 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml @@ -38,7 +38,7 @@ jobs: strategy: fail-fast: false matrix: - ossl-branch: [feature/dtls-1.3] + ossl-branch: [openssl-3.3.2, master] libjade-build: - "ON" - "OFF" @@ -103,7 +103,7 @@ jobs: CXX: "clang++" ASAN_C_FLAGS: "-fsanitize=address -fno-omit-frame-pointer" ASAN_OPTIONS: "detect_stack_use_after_return=1,detect_leaks=1" - OPENSSL_BRANCH: "feature/dtls-1.3" + OPENSSL_BRANCH: "openssl-3.3.2" steps: - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 @@ -174,7 +174,7 @@ jobs: container: image: openquantumsafe/ci-ubuntu-jammy:latest env: - OPENSSL_BRANCH: "feature/dtls-1.3" + OPENSSL_BRANCH: "master" INSTALL_DIR: "/opt/install" CMAKE_TOOLCHAIN_FILE: "/opt/linux-aarch64-toolchain.cmake" diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml index 54b03269..0c537db7 100644 --- a/.github/workflows/macos.yml +++ b/.github/workflows/macos.yml @@ -1,7 +1,6 @@ name: MacOS tests -# Disable for DTLS1.3 for now (TODO) -# on: [pull_request, push] +on: [pull_request, push] permissions: contents: read diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 3d8a43f0..f4a52cdb 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -1,7 +1,6 @@ name: Windows tests -# Disable for DTLS1.3 for now (TODO) -#on: [pull_request, push] +on: [pull_request, push] permissions: contents: read @@ -40,7 +39,7 @@ jobs: repository: openssl/openssl path: openssl # TODO: Revert ref tag once openssl master doesn't crash any more - ref: feature/dtls-1.3 + ref: master - name: checkout liboqs uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 with: diff --git a/README.md b/README.md index ce9774ee..aa2feb21 100644 --- a/README.md +++ b/README.md @@ -14,9 +14,6 @@ in a standard OpenSSL (3.x) distribution by way of implementing a single shared library, the OQS [provider](https://www.openssl.org/docs/manmaster/man7/provider.html). -THIS IS A FEATURE BRANCH TO TRIAL DTLS1.3 OPERATIONS -- DO NOT MERGE! -(dependent on https://github.com/openssl/openssl/tree/feature/dtls-1.3 merging). - Status ------ diff --git a/oqsprov/oqsprov_capabilities.c b/oqsprov/oqsprov_capabilities.c index 1b21fb1c..894a261c 100644 --- a/oqsprov/oqsprov_capabilities.c +++ b/oqsprov/oqsprov_capabilities.c @@ -20,6 +20,11 @@ // internal, but useful OSSL define: #define OSSL_NELEM(x) (sizeof(x) / sizeof((x)[0])) +// enables DTLS1.3 testing even before available in openssl master: +#if !defined(DTLS1_3_VERSION) +# define DTLS1_3_VERSION 0xFEFC +#endif + #include "oqs_prov.h" typedef struct oqs_group_constants_st { diff --git a/scripts/fullbuild.sh b/scripts/fullbuild.sh index d9bd1dd9..b781b219 100755 --- a/scripts/fullbuild.sh +++ b/scripts/fullbuild.sh @@ -10,11 +10,9 @@ # EnvVar OQS_ALGS_ENABLED: If set, defines OQS algs to be enabled, e.g., "STD" # EnvVar OPENSSL_INSTALL: If set, defines (binary) OpenSSL installation to use # EnvVar OPENSSL_BRANCH: Defines branch/release of openssl; if set, forces source-build of OpenSSL3 +# Setting this to feature/dtls-1.3 enables build&test of all PQ algs using DTLS1.3 # EnvVar liboqs_DIR: If set, needs to point to a directory where liboqs has been installed to -# Track openssl dtls-1.3 feature branch -OPENSSL_BRANCH="feature/dtls-1.3" - if [[ "$OSTYPE" == "darwin"* ]]; then SHLIBEXT="dylib" STATLIBEXT="dylib" diff --git a/test/oqs_test_groups.c b/test/oqs_test_groups.c index 09ca5ff0..aed820b8 100644 --- a/test/oqs_test_groups.c +++ b/test/oqs_test_groups.c @@ -49,7 +49,7 @@ static int test_oqs_groups(const char *group_name, int dtls_flag) { goto err; } - testresult = create_tls_objects(sctx, cctx, &serverssl, &clientssl); + testresult = create_tls_objects(sctx, cctx, &serverssl, &clientssl, dtls_flag); if (!testresult) { ret = -2; @@ -111,6 +111,7 @@ static int test_group(const OSSL_PARAM params[], void *data) { (*errcnt)++; } +#ifdef DTLS1_3_VERSION ret = test_oqs_groups(group_name, 1); if (ret >= 0) { @@ -126,6 +127,7 @@ static int test_group(const OSSL_PARAM params[], void *data) { ERR_print_errors_fp(stderr); (*errcnt)++; } +#endif err: OPENSSL_free(group_name); diff --git a/test/oqs_test_tlssig.c b/test/oqs_test_tlssig.c index 237ea429..ea21d2d2 100644 --- a/test/oqs_test_tlssig.c +++ b/test/oqs_test_tlssig.c @@ -61,7 +61,7 @@ static int test_oqs_tlssig(const char *sig_name, int dtls_flag) { goto err; } - testresult = create_tls_objects(sctx, cctx, &serverssl, &clientssl); + testresult = create_tls_objects(sctx, cctx, &serverssl, &clientssl, dtls_flag); if (!testresult) { ret = -2; @@ -125,6 +125,7 @@ static int test_signature(const OSSL_PARAM params[], void *data) { (*errcnt)++; } +#ifdef DTLS1_3_VERSION ret = test_oqs_tlssig(sigalg_name, 1); if (ret >= 0) { @@ -140,6 +141,7 @@ static int test_signature(const OSSL_PARAM params[], void *data) { ERR_print_errors_fp(stderr); (*errcnt)++; } +#endif err: OPENSSL_free(sigalg_name); diff --git a/test/tlstest_helpers.c b/test/tlstest_helpers.c index 0e9176a8..cbfaaa31 100644 --- a/test/tlstest_helpers.c +++ b/test/tlstest_helpers.c @@ -62,10 +62,12 @@ int create_tls1_3_ctx_pair(OSSL_LIB_CTX *libctx, SSL_CTX **sctx, SSL_CTX **cctx, SSL_CTX_set_options(serverctx, SSL_OP_ALLOW_CLIENT_RENEGOTIATION); if (dtls_flag) { +#ifdef DTLS1_3_VERSION if (!SSL_CTX_set_min_proto_version(serverctx, DTLS1_3_VERSION) || !SSL_CTX_set_max_proto_version(serverctx, DTLS1_3_VERSION) || !SSL_CTX_set_min_proto_version(clientctx, DTLS1_3_VERSION) || !SSL_CTX_set_max_proto_version(clientctx, DTLS1_3_VERSION)) +#endif goto err; } else { if (!SSL_CTX_set_min_proto_version(serverctx, TLS1_3_VERSION) || @@ -95,7 +97,7 @@ int create_tls1_3_ctx_pair(OSSL_LIB_CTX *libctx, SSL_CTX **sctx, SSL_CTX **cctx, } int create_tls_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl, - SSL **cssl) { + SSL **cssl, int use_dgram) { SSL *serverssl = NULL, *clientssl = NULL; BIO *s_to_c_bio = NULL, *c_to_s_bio = NULL; @@ -108,8 +110,20 @@ int create_tls_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl, if (serverssl == NULL || clientssl == NULL) goto err; - s_to_c_bio = BIO_new(BIO_s_mem()); - c_to_s_bio = BIO_new(BIO_s_mem()); + if (use_dgram) { +#if (OPENSSL_VERSION_PREREQ(3, 2)) + s_to_c_bio = BIO_new(BIO_s_dgram_mem()); + c_to_s_bio = BIO_new(BIO_s_dgram_mem()); +#else + fprintf(stderr, "No DGRAM memory supported in this OpenSSL version.\n"); + ERR_print_errors_fp(stderr); + goto err; +#endif + } + else { + s_to_c_bio = BIO_new(BIO_s_mem()); + c_to_s_bio = BIO_new(BIO_s_mem()); + } if (s_to_c_bio == NULL || c_to_s_bio == NULL) goto err; diff --git a/test/tlstest_helpers.h b/test/tlstest_helpers.h index 74d122ce..e52b9888 100644 --- a/test/tlstest_helpers.h +++ b/test/tlstest_helpers.h @@ -7,6 +7,6 @@ int create_tls1_3_ctx_pair(OSSL_LIB_CTX *libctx, SSL_CTX **sctx, SSL_CTX **cctx, char *certfile, char *privkeyfile, int dtls_flag); int create_tls_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl, - SSL **cssl); + SSL **cssl, int use_dgram); int create_tls_connection(SSL *serverssl, SSL *clientssl, int want);