diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index 0b3981e5..39116e00 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml @@ -73,8 +73,8 @@ jobs: export LIBOQS_SRC_DIR=`pwd`/liboqs && \ ! pip3 install -r oqs-template/requirements.txt 2>&1 | grep ERROR && \ python3 oqs-template/generate.py - - name: Full re-build - run: rm -rf _build && ./scripts/fullbuild.sh + - name: Full re-build & test + run: rm -rf _build && OPENSSL_BRANCH=${{ matrix.ossl-branch }} LIBOQS_BRANCH=main OQS_LIBJADE_BUILD=${{ matrix.libjade-build }} ./scripts/fullbuild.sh && ./scripts/runtests.sh - name: Build .deb install package run: cpack -C DebPack working-directory: _build diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 3747c7a2..d817a672 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -38,8 +38,7 @@ jobs: set-safe-directory: true repository: openssl/openssl path: openssl - # TODO: Revert ref tag once openssl master doesn't crash any more - ref: openssl-3.3.0 + ref: master - name: checkout liboqs uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 with: diff --git a/oqs-template/oqsprov/oqsprov_capabilities.c/group_assignments.fragment b/oqs-template/oqsprov/oqsprov_capabilities.c/group_assignments.fragment index 227c59e2..7e94628c 100644 --- a/oqs-template/oqsprov/oqsprov_capabilities.c/group_assignments.fragment +++ b/oqs-template/oqsprov/oqsprov_capabilities.c/group_assignments.fragment @@ -1,7 +1,7 @@ {% for kem in config['kems'] %} - { {{ kem['nid'] }}, {{ kem['bit_security'] }}, TLS1_3_VERSION, 0, -1, -1, 1 }, + { {{ kem['nid'] }}, {{ kem['bit_security'] }}, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1 }, {% for hybrid in kem['hybrids'] %} - { {{ hybrid['nid'] }}, {{ kem['bit_security'] }}, TLS1_3_VERSION, 0, -1, -1, 1 }, + { {{ hybrid['nid'] }}, {{ kem['bit_security'] }}, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1 }, {%- endfor %} {%- endfor %} diff --git a/oqsprov/oqsprov_capabilities.c b/oqsprov/oqsprov_capabilities.c index a809aa08..0e7e12e3 100644 --- a/oqsprov/oqsprov_capabilities.c +++ b/oqsprov/oqsprov_capabilities.c @@ -20,6 +20,11 @@ // internal, but useful OSSL define: #define OSSL_NELEM(x) (sizeof(x) / sizeof((x)[0])) +// enables DTLS1.3 testing even before available in openssl master: +#if !defined(DTLS1_3_VERSION) +#define DTLS1_3_VERSION 0xFEFC +#endif + #include "oqs_prov.h" typedef struct oqs_group_constants_st { @@ -35,77 +40,77 @@ typedef struct oqs_group_constants_st { static OQS_GROUP_CONSTANTS oqs_group_list[] = { // ad-hoc assignments - take from OQS generate data structures ///// OQS_TEMPLATE_FRAGMENT_GROUP_ASSIGNMENTS_START - {65024, 128, TLS1_3_VERSION, 0, -1, -1, 1}, + {65024, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F00, 128, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2F80, 128, TLS1_3_VERSION, 0, -1, -1, 1}, - {65025, 128, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F00, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x2F80, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {65025, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F01, 128, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2F81, 128, TLS1_3_VERSION, 0, -1, -1, 1}, - {65026, 192, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F01, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x2F81, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {65026, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F02, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2F82, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x0203, 192, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F02, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x2F82, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x0203, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F03, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2F83, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x0204, 256, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F03, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x2F83, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x0204, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F04, 256, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x0205, 256, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F04, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x0205, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F05, 256, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x023A, 128, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F05, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x023A, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F3A, 128, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2F39, 128, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x023C, 192, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F3A, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x2F39, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x023C, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F3C, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2F90, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x6399, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x639A, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x023D, 256, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F3C, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x2F90, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x6399, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x639A, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x023D, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F3D, 256, TLS1_3_VERSION, 0, -1, -1, 1}, - {512, 128, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F3D, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {512, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F4B, 128, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2FB6, 128, TLS1_3_VERSION, 0, -1, -1, 1}, - {513, 192, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F4B, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x2FB6, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {513, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F4C, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2FB7, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x11ec, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x11eb, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {514, 256, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F4C, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x2FB7, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x11ec, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x11eb, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {514, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F4D, 256, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2F4E, 256, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x0241, 128, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F4D, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x2F4E, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x0241, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F41, 128, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2FAE, 128, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x0242, 192, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F41, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x2FAE, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x0242, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F42, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2FAF, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x0243, 256, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F42, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x2FAF, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x0243, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F43, 256, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x0244, 128, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F43, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x0244, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F44, 128, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2FB0, 128, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x0245, 192, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F44, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x2FB0, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x0245, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F45, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2FB1, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x0246, 256, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F45, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x2FB1, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x0246, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F46, 256, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F46, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, ///// OQS_TEMPLATE_FRAGMENT_GROUP_ASSIGNMENTS_END }; diff --git a/scripts/fullbuild.sh b/scripts/fullbuild.sh index 41eb3b0b..aaa381f9 100755 --- a/scripts/fullbuild.sh +++ b/scripts/fullbuild.sh @@ -10,6 +10,7 @@ # EnvVar OQS_ALGS_ENABLED: If set, defines OQS algs to be enabled, e.g., "STD" # EnvVar OPENSSL_INSTALL: If set, defines (binary) OpenSSL installation to use # EnvVar OPENSSL_BRANCH: Defines branch/release of openssl; if set, forces source-build of OpenSSL3 +# Setting this to feature/dtls-1.3 enables build&test of all PQ algs using DTLS1.3 feature branch # EnvVar liboqs_DIR: If set, needs to point to a directory where liboqs has been installed to if [[ "$OSTYPE" == "darwin"* ]]; then diff --git a/test/oqs_test_groups.c b/test/oqs_test_groups.c index cb1485ab..d73e85f5 100644 --- a/test/oqs_test_groups.c +++ b/test/oqs_test_groups.c @@ -33,7 +33,7 @@ char *test_mk_file_path(const char *dir, const char *file) { return full_file; } -static int test_oqs_groups(const char *group_name) { +static int test_oqs_groups(const char *group_name, int dtls_flag) { SSL_CTX *cctx = NULL, *sctx = NULL; SSL *clientssl = NULL, *serverssl = NULL; int ret = 1, testresult = 0; @@ -42,13 +42,15 @@ static int test_oqs_groups(const char *group_name) { printf("Not testing disabled algorithm %s.\n", group_name); return 1; } - testresult = create_tls1_3_ctx_pair(libctx, &sctx, &cctx, cert, privkey); + testresult = + create_tls1_3_ctx_pair(libctx, &sctx, &cctx, cert, privkey, dtls_flag); if (!testresult) { ret = -1; goto err; } - testresult = create_tls_objects(sctx, cctx, &serverssl, &clientssl); + testresult = + create_tls_objects(sctx, cctx, &serverssl, &clientssl, dtls_flag); if (!testresult) { ret = -2; @@ -94,7 +96,7 @@ static int test_group(const OSSL_PARAM params[], void *data) { char *group_name = OPENSSL_strdup(p->data); - ret = test_oqs_groups(group_name); + ret = test_oqs_groups(group_name, 0); if (ret >= 0) { fprintf(stderr, @@ -110,6 +112,24 @@ static int test_group(const OSSL_PARAM params[], void *data) { (*errcnt)++; } +#ifdef DTLS1_3_VERSION + ret = test_oqs_groups(group_name, 1); + + if (ret >= 0) { + fprintf(stderr, + cGREEN " DTLS-KEM handshake test succeeded: %s" cNORM "\n", + group_name); + } else { + fprintf(stderr, + cRED + " DTLS-KEM handshake test failed: %s, return code: %d" cNORM + "\n", + group_name, ret); + ERR_print_errors_fp(stderr); + (*errcnt)++; + } +#endif + err: OPENSSL_free(group_name); return ret; diff --git a/test/oqs_test_tlssig.c b/test/oqs_test_tlssig.c index 5e653f56..24aa0cf1 100644 --- a/test/oqs_test_tlssig.c +++ b/test/oqs_test_tlssig.c @@ -18,7 +18,7 @@ static char *configfile = NULL; static char *certsdir = NULL; #ifdef OSSL_CAPABILITY_TLS_SIGALG_NAME -static int test_oqs_tlssig(const char *sig_name) { +static int test_oqs_tlssig(const char *sig_name, int dtls_flag) { SSL_CTX *cctx = NULL, *sctx = NULL; SSL *clientssl = NULL, *serverssl = NULL; int ret = 1, testresult = 0; @@ -53,15 +53,16 @@ static int test_oqs_tlssig(const char *sig_name) { goto err; } - testresult = - create_tls1_3_ctx_pair(libctx, &sctx, &cctx, certpath, privkeypath); + testresult = create_tls1_3_ctx_pair(libctx, &sctx, &cctx, certpath, + privkeypath, dtls_flag); if (!testresult) { ret = -1; goto err; } - testresult = create_tls_objects(sctx, cctx, &serverssl, &clientssl); + testresult = + create_tls_objects(sctx, cctx, &serverssl, &clientssl, dtls_flag); if (!testresult) { ret = -2; @@ -109,7 +110,7 @@ static int test_signature(const OSSL_PARAM params[], void *data) { if (sigalg_name == NULL) return 0; - ret = test_oqs_tlssig(sigalg_name); + ret = test_oqs_tlssig(sigalg_name, 0); if (ret >= 0) { fprintf(stderr, @@ -125,6 +126,24 @@ static int test_signature(const OSSL_PARAM params[], void *data) { (*errcnt)++; } +#ifdef DTLS1_3_VERSION + ret = test_oqs_tlssig(sigalg_name, 1); + + if (ret >= 0) { + fprintf(stderr, + cGREEN " DTLS-SIG handshake test succeeded: %s" cNORM "\n", + sigalg_name); + } else { + fprintf(stderr, + cRED + " DTLS-SIG handshake test failed: %s, return code: %d" cNORM + "\n", + sigalg_name, ret); + ERR_print_errors_fp(stderr); + (*errcnt)++; + } +#endif + err: OPENSSL_free(sigalg_name); return ret; diff --git a/test/tlstest_helpers.c b/test/tlstest_helpers.c index 93626f54..52a49f96 100644 --- a/test/tlstest_helpers.c +++ b/test/tlstest_helpers.c @@ -43,23 +43,39 @@ int create_cert_key(OSSL_LIB_CTX *libctx, char *algname, char *certfilename, } /* end steal */ int create_tls1_3_ctx_pair(OSSL_LIB_CTX *libctx, SSL_CTX **sctx, SSL_CTX **cctx, - char *certfile, char *privkeyfile) { + char *certfile, char *privkeyfile, int dtls_flag) { SSL_CTX *serverctx = NULL, *clientctx = NULL; if (sctx == NULL || cctx == NULL) goto err; - serverctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()); - clientctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()); + if (dtls_flag) { + serverctx = SSL_CTX_new_ex(libctx, NULL, DTLS_server_method()); + clientctx = SSL_CTX_new_ex(libctx, NULL, DTLS_client_method()); + } else { + serverctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()); + clientctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()); + } if (serverctx == NULL || clientctx == NULL) goto err; SSL_CTX_set_options(serverctx, SSL_OP_ALLOW_CLIENT_RENEGOTIATION); - SSL_CTX_set_min_proto_version(serverctx, TLS1_3_VERSION); - SSL_CTX_set_max_proto_version(serverctx, TLS1_3_VERSION); - SSL_CTX_set_min_proto_version(clientctx, TLS1_3_VERSION); - SSL_CTX_set_max_proto_version(clientctx, TLS1_3_VERSION); + if (dtls_flag) { +#ifdef DTLS1_3_VERSION + if (!SSL_CTX_set_min_proto_version(serverctx, DTLS1_3_VERSION) || + !SSL_CTX_set_max_proto_version(serverctx, DTLS1_3_VERSION) || + !SSL_CTX_set_min_proto_version(clientctx, DTLS1_3_VERSION) || + !SSL_CTX_set_max_proto_version(clientctx, DTLS1_3_VERSION)) +#endif + goto err; + } else { + if (!SSL_CTX_set_min_proto_version(serverctx, TLS1_3_VERSION) || + !SSL_CTX_set_max_proto_version(serverctx, TLS1_3_VERSION) || + !SSL_CTX_set_min_proto_version(clientctx, TLS1_3_VERSION) || + !SSL_CTX_set_max_proto_version(clientctx, TLS1_3_VERSION)) + goto err; + } if (!SSL_CTX_use_certificate_file(serverctx, certfile, SSL_FILETYPE_PEM)) goto err; @@ -81,7 +97,7 @@ int create_tls1_3_ctx_pair(OSSL_LIB_CTX *libctx, SSL_CTX **sctx, SSL_CTX **cctx, } int create_tls_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl, - SSL **cssl) { + SSL **cssl, int use_dgram) { SSL *serverssl = NULL, *clientssl = NULL; BIO *s_to_c_bio = NULL, *c_to_s_bio = NULL; @@ -94,8 +110,19 @@ int create_tls_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl, if (serverssl == NULL || clientssl == NULL) goto err; - s_to_c_bio = BIO_new(BIO_s_mem()); - c_to_s_bio = BIO_new(BIO_s_mem()); + if (use_dgram) { +#if (OPENSSL_VERSION_PREREQ(3, 2)) + s_to_c_bio = BIO_new(BIO_s_dgram_mem()); + c_to_s_bio = BIO_new(BIO_s_dgram_mem()); +#else + fprintf(stderr, "No DGRAM memory supported in this OpenSSL version.\n"); + ERR_print_errors_fp(stderr); + goto err; +#endif + } else { + s_to_c_bio = BIO_new(BIO_s_mem()); + c_to_s_bio = BIO_new(BIO_s_mem()); + } if (s_to_c_bio == NULL || c_to_s_bio == NULL) goto err; diff --git a/test/tlstest_helpers.h b/test/tlstest_helpers.h index 63c10b9f..e52b9888 100644 --- a/test/tlstest_helpers.h +++ b/test/tlstest_helpers.h @@ -4,9 +4,9 @@ int create_cert_key(OSSL_LIB_CTX *libctx, char *algname, char *certfilename, char *privkeyfilename); int create_tls1_3_ctx_pair(OSSL_LIB_CTX *libctx, SSL_CTX **sctx, SSL_CTX **cctx, - char *certfile, char *privkeyfile); + char *certfile, char *privkeyfile, int dtls_flag); int create_tls_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl, - SSL **cssl); + SSL **cssl, int use_dgram); int create_tls_connection(SSL *serverssl, SSL *clientssl, int want);