enables conditional use of DTLS1.3

Signed-off-by: Michael Baentsch <[email protected]>
open-quantum-safe · Dec 10, 2024 · fc258ca · fc258ca
1 parent f4c93cf
commit fc258ca
Show file tree

Hide file tree

Showing 10 changed files with 36 additions and 20 deletions.
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
@@ -38,7 +38,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ossl-branch: [feature/dtls-1.3]
+        ossl-branch: [openssl-3.3.2, master]
         libjade-build:
           - "ON" 
           - "OFF"
@@ -103,7 +103,7 @@ jobs:
       CXX: "clang++"
       ASAN_C_FLAGS: "-fsanitize=address -fno-omit-frame-pointer"
       ASAN_OPTIONS: "detect_stack_use_after_return=1,detect_leaks=1"
-      OPENSSL_BRANCH: "feature/dtls-1.3"
+      OPENSSL_BRANCH: "openssl-3.3.2"
     steps:
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
@@ -174,7 +174,7 @@ jobs:
     container:
       image: openquantumsafe/ci-ubuntu-jammy:latest
     env:
-      OPENSSL_BRANCH: "feature/dtls-1.3"
+      OPENSSL_BRANCH: "master"
       INSTALL_DIR: "/opt/install"
       CMAKE_TOOLCHAIN_FILE: "/opt/linux-aarch64-toolchain.cmake"
 

diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
@@ -1,7 +1,6 @@
 name: MacOS tests
 
-# Disable for DTLS1.3 for now (TODO)
-# on: [pull_request, push]
+on: [pull_request, push]
 
 permissions:
   contents: read

diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
@@ -1,7 +1,6 @@
 name: Windows tests
 
-# Disable for DTLS1.3 for now (TODO)
-#on: [pull_request, push]
+on: [pull_request, push]
 
 permissions:
   contents: read
@@ -40,7 +39,7 @@ jobs:
           repository: openssl/openssl
           path: openssl
           # TODO: Revert ref tag once openssl master doesn't crash any more
-          ref: feature/dtls-1.3
+          ref: master
       - name: checkout liboqs
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
         with:

diff --git a/README.md b/README.md
@@ -14,9 +14,6 @@ in a standard OpenSSL (3.x) distribution by way of implementing a single
 shared library, the OQS
 [provider](https://www.openssl.org/docs/manmaster/man7/provider.html).
 
-THIS IS A FEATURE BRANCH TO TRIAL DTLS1.3 OPERATIONS -- DO NOT MERGE!
-(dependent on https://github.com/openssl/openssl/tree/feature/dtls-1.3 merging).
-
 Status
 ------
 

diff --git a/oqsprov/oqsprov_capabilities.c b/oqsprov/oqsprov_capabilities.c
@@ -20,6 +20,11 @@
 // internal, but useful OSSL define:
 #define OSSL_NELEM(x) (sizeof(x) / sizeof((x)[0]))
 
+// enables DTLS1.3 testing even before available in openssl master:
+#if !defined(DTLS1_3_VERSION)
+# define DTLS1_3_VERSION 0xFEFC
+#endif
+
 #include "oqs_prov.h"
 
 typedef struct oqs_group_constants_st {

diff --git a/scripts/fullbuild.sh b/scripts/fullbuild.sh
@@ -10,11 +10,9 @@
 # EnvVar OQS_ALGS_ENABLED: If set, defines OQS algs to be enabled, e.g., "STD"
 # EnvVar OPENSSL_INSTALL: If set, defines (binary) OpenSSL installation to use
 # EnvVar OPENSSL_BRANCH: Defines branch/release of openssl; if set, forces source-build of OpenSSL3
+#        Setting this to feature/dtls-1.3 enables build&test of all PQ algs using DTLS1.3
 # EnvVar liboqs_DIR: If set, needs to point to a directory where liboqs has been installed to
 
-# Track openssl dtls-1.3 feature branch
-OPENSSL_BRANCH="feature/dtls-1.3"
-
 if [[ "$OSTYPE" == "darwin"* ]]; then
    SHLIBEXT="dylib"
    STATLIBEXT="dylib"

diff --git a/test/oqs_test_groups.c b/test/oqs_test_groups.c
@@ -49,7 +49,7 @@ static int test_oqs_groups(const char *group_name, int dtls_flag) {
         goto err;
     }
 
-    testresult = create_tls_objects(sctx, cctx, &serverssl, &clientssl);
+    testresult = create_tls_objects(sctx, cctx, &serverssl, &clientssl, dtls_flag);
 
     if (!testresult) {
         ret = -2;
@@ -111,6 +111,7 @@ static int test_group(const OSSL_PARAM params[], void *data) {
         (*errcnt)++;
     }
 
+#ifdef DTLS1_3_VERSION
     ret = test_oqs_groups(group_name, 1);
 
     if (ret >= 0) {
@@ -126,6 +127,7 @@ static int test_group(const OSSL_PARAM params[], void *data) {
         ERR_print_errors_fp(stderr);
         (*errcnt)++;
     }
+#endif
 
 err:
     OPENSSL_free(group_name);

diff --git a/test/oqs_test_tlssig.c b/test/oqs_test_tlssig.c
@@ -61,7 +61,7 @@ static int test_oqs_tlssig(const char *sig_name, int dtls_flag) {
         goto err;
     }
 
-    testresult = create_tls_objects(sctx, cctx, &serverssl, &clientssl);
+    testresult = create_tls_objects(sctx, cctx, &serverssl, &clientssl, dtls_flag);
 
     if (!testresult) {
         ret = -2;
@@ -125,6 +125,7 @@ static int test_signature(const OSSL_PARAM params[], void *data) {
         (*errcnt)++;
     }
 
+#ifdef DTLS1_3_VERSION
     ret = test_oqs_tlssig(sigalg_name, 1);
 
     if (ret >= 0) {
@@ -140,6 +141,7 @@ static int test_signature(const OSSL_PARAM params[], void *data) {
         ERR_print_errors_fp(stderr);
         (*errcnt)++;
     }
+#endif
 
 err:
     OPENSSL_free(sigalg_name);

diff --git a/test/tlstest_helpers.c b/test/tlstest_helpers.c
@@ -62,10 +62,12 @@ int create_tls1_3_ctx_pair(OSSL_LIB_CTX *libctx, SSL_CTX **sctx, SSL_CTX **cctx,
 
     SSL_CTX_set_options(serverctx, SSL_OP_ALLOW_CLIENT_RENEGOTIATION);
     if (dtls_flag) {
+#ifdef DTLS1_3_VERSION
         if (!SSL_CTX_set_min_proto_version(serverctx, DTLS1_3_VERSION) ||
             !SSL_CTX_set_max_proto_version(serverctx, DTLS1_3_VERSION) ||
             !SSL_CTX_set_min_proto_version(clientctx, DTLS1_3_VERSION) ||
             !SSL_CTX_set_max_proto_version(clientctx, DTLS1_3_VERSION))
+#endif
             goto err;
     } else {
         if (!SSL_CTX_set_min_proto_version(serverctx, TLS1_3_VERSION) ||
@@ -95,7 +97,7 @@ int create_tls1_3_ctx_pair(OSSL_LIB_CTX *libctx, SSL_CTX **sctx, SSL_CTX **cctx,
 }
 
 int create_tls_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl,
-                       SSL **cssl) {
+                       SSL **cssl, int use_dgram) {
     SSL *serverssl = NULL, *clientssl = NULL;
     BIO *s_to_c_bio = NULL, *c_to_s_bio = NULL;
 
@@ -108,8 +110,20 @@ int create_tls_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl,
     if (serverssl == NULL || clientssl == NULL)
         goto err;
 
-    s_to_c_bio = BIO_new(BIO_s_mem());
-    c_to_s_bio = BIO_new(BIO_s_mem());
+    if (use_dgram) {
+#if (OPENSSL_VERSION_PREREQ(3, 2))
+        s_to_c_bio = BIO_new(BIO_s_dgram_mem());
+        c_to_s_bio = BIO_new(BIO_s_dgram_mem());
+#else
+        fprintf(stderr, "No DGRAM memory supported in this OpenSSL version.\n");
+        ERR_print_errors_fp(stderr);
+        goto err;
+#endif
+    }
+    else {
+        s_to_c_bio = BIO_new(BIO_s_mem());
+        c_to_s_bio = BIO_new(BIO_s_mem());
+    }
 
     if (s_to_c_bio == NULL || c_to_s_bio == NULL)
         goto err;

diff --git a/test/tlstest_helpers.h b/test/tlstest_helpers.h
@@ -7,6 +7,6 @@ int create_tls1_3_ctx_pair(OSSL_LIB_CTX *libctx, SSL_CTX **sctx, SSL_CTX **cctx,
                            char *certfile, char *privkeyfile, int dtls_flag);
 
 int create_tls_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl,
-                       SSL **cssl);
+                       SSL **cssl, int use_dgram);
 
 int create_tls_connection(SSL *serverssl, SSL *clientssl, int want);