From e38fea8ab2345f2aa1f0e22c653f526261b451aa Mon Sep 17 00:00:00 2001 From: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Mon, 9 Dec 2024 10:56:28 +0100 Subject: [PATCH 01/10] First cut at DTLS1.3 tracker Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> --- .circleci/config.yml | 4 +- .github/workflows/linux.yml | 2 +- .github/workflows/windows.yml | 2 +- .../group_assignments.fragment | 4 +- oqsprov/oqsprov_capabilities.c | 106 +++++++++--------- scripts/fullbuild.sh | 3 + test/tlstest_helpers.c | 8 +- 7 files changed, 66 insertions(+), 63 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 456813c8..00029830 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -53,9 +53,9 @@ jobs: equal: [ openssl@3, << parameters.OPENSSL_PREINSTALL >> ] steps: - run: - name: Clone and build OpenSSL(3) master + name: Clone and build OpenSSL(3) dtls-1.3 feature branch command: | - git clone --branch master https://github.com/openssl/openssl.git openssl && + git clone --branch feature/dtls-1.3 https://github.com/openssl/openssl.git openssl && cd openssl && ./config --prefix=$(echo $(pwd)/../.local) && make -j 18 && make install_sw && cd .. - run: name: Build OQS-OpenSSL provider diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index 0b3981e5..c96c3f36 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml @@ -38,7 +38,7 @@ jobs: strategy: fail-fast: false matrix: - ossl-branch: [openssl-3.3.2, master] + ossl-branch: [feature/dtls-1.3] libjade-build: - "ON" - "OFF" diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 3747c7a2..d9876120 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml 
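Review bot: The clone in the `Clone and build OpenSSL(3) dtls-1.3 feature branch` step resolves `feature/dtls-1.3` to whatever the branch head is when the job runs, so two CI runs of the same provider commit can build different OpenSSL code and a failure cannot be tied to a known upstream revision. This was already true for `master`, but a feature branch may be rebased or force-pushed, which makes it more likely to matter. I would record the resolved commit in the job log by adding `git rev-parse HEAD &&` right after `cd openssl &&`. The same applies to `ossl-branch: [feature/dtls-1.3]` in .github/workflows/linux.yml, which also drops the released `openssl-3.3.2` from the matrix.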
@@ -39,7 +39,7 @@ jobs: repository: openssl/openssl path: openssl # TODO: Revert ref tag once openssl master doesn't crash any more - ref: openssl-3.3.0 + ref: feature/dtls-1.3 - name: checkout liboqs uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 with: diff --git a/oqs-template/oqsprov/oqsprov_capabilities.c/group_assignments.fragment b/oqs-template/oqsprov/oqsprov_capabilities.c/group_assignments.fragment index 227c59e2..7e94628c 100644 --- a/oqs-template/oqsprov/oqsprov_capabilities.c/group_assignments.fragment +++ b/oqs-template/oqsprov/oqsprov_capabilities.c/group_assignments.fragment @@ -1,7 +1,7 @@ {% for kem in config['kems'] %} - { {{ kem['nid'] }}, {{ kem['bit_security'] }}, TLS1_3_VERSION, 0, -1, -1, 1 }, + { {{ kem['nid'] }}, {{ kem['bit_security'] }}, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1 }, {% for hybrid in kem['hybrids'] %} - { {{ hybrid['nid'] }}, {{ kem['bit_security'] }}, TLS1_3_VERSION, 0, -1, -1, 1 }, + { {{ hybrid['nid'] }}, {{ kem['bit_security'] }}, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1 }, {%- endfor %} {%- endfor %} diff --git a/oqsprov/oqsprov_capabilities.c b/oqsprov/oqsprov_capabilities.c index a809aa08..1b21fb1c 100644 --- a/oqsprov/oqsprov_capabilities.c +++ b/oqsprov/oqsprov_capabilities.c 
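Review bot: The comment directly above the changed `ref:` line still reads `# TODO: Revert ref tag once openssl master doesn't crash any more`, which described the pinned `openssl-3.3.0` tag and no longer matches a checkout of `feature/dtls-1.3`. I would replace it with a comment that states why the feature branch is checked out and when the ref should go back, e.g. `# TODO: return to a release tag once DTLS1.3 is available outside the feature branch`.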
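Review bot: `DTLS1_3_VERSION` is used in both initializer rows without any guard, so at this commit the generated oqsprov_capabilities.c compiles only against OpenSSL headers that already define it; the fallback `#define` arrives only in patch 07 of this series. If the series is meant to stay bisectable, the fallback belongs in this commit. Separately, the rows are positional and the change flips two of seven unnamed values from `-1, -1` to `DTLS1_3_VERSION, 0`, which switches every KEM and hybrid group from not usable under DTLS to usable from DTLS 1.3 with no upper bound (my reading; the struct definition is outside this hunk). A one-line comment above the loop naming the columns, for example `/* group id, security bits, min TLS, max TLS, min DTLS, max DTLS, is KEM */` with the names taken from `OQS_GROUP_CONSTANTS`, would make that reviewable.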
@@ -35,77 +35,77 @@ typedef struct oqs_group_constants_st { static OQS_GROUP_CONSTANTS oqs_group_list[] = { // ad-hoc assignments - take from OQS generate data structures ///// OQS_TEMPLATE_FRAGMENT_GROUP_ASSIGNMENTS_START - {65024, 128, TLS1_3_VERSION, 0, -1, -1, 1}, + {65024, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F00, 128, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2F80, 128, TLS1_3_VERSION, 0, -1, -1, 1}, - {65025, 128, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F00, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x2F80, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {65025, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F01, 128, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2F81, 128, TLS1_3_VERSION, 0, -1, -1, 1}, - {65026, 192, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F01, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x2F81, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {65026, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F02, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2F82, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x0203, 192, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F02, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x2F82, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x0203, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F03, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2F83, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x0204, 256, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F03, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x2F83, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x0204, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F04, 256, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x0205, 256, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F04, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x0205, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F05, 256, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x023A, 128, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F05, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x023A, 128, TLS1_3_VERSION, 0, 
DTLS1_3_VERSION, 0, 1}, - {0x2F3A, 128, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2F39, 128, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x023C, 192, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F3A, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x2F39, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x023C, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F3C, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2F90, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x6399, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x639A, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x023D, 256, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F3C, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x2F90, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x6399, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x639A, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x023D, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F3D, 256, TLS1_3_VERSION, 0, -1, -1, 1}, - {512, 128, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F3D, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {512, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F4B, 128, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2FB6, 128, TLS1_3_VERSION, 0, -1, -1, 1}, - {513, 192, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F4B, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x2FB6, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {513, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F4C, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2FB7, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x11ec, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x11eb, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {514, 256, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F4C, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x2FB7, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x11ec, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x11eb, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {514, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F4D, 256, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2F4E, 256, TLS1_3_VERSION, 0, -1, 
-1, 1}, - {0x0241, 128, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F4D, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x2F4E, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x0241, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F41, 128, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2FAE, 128, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x0242, 192, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F41, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x2FAE, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x0242, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F42, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2FAF, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x0243, 256, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F42, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x2FAF, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x0243, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F43, 256, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x0244, 128, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F43, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x0244, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F44, 128, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2FB0, 128, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x0245, 192, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F44, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x2FB0, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x0245, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F45, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x2FB1, 192, TLS1_3_VERSION, 0, -1, -1, 1}, - {0x0246, 256, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F45, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x2FB1, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, + {0x0246, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, - {0x2F46, 256, TLS1_3_VERSION, 0, -1, -1, 1}, + {0x2F46, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1}, ///// OQS_TEMPLATE_FRAGMENT_GROUP_ASSIGNMENTS_END }; diff --git a/scripts/fullbuild.sh b/scripts/fullbuild.sh index 41eb3b0b..d9bd1dd9 100755 --- a/scripts/fullbuild.sh 
+++ b/scripts/fullbuild.sh @@ -12,6 +12,9 @@ # EnvVar OPENSSL_BRANCH: Defines branch/release of openssl; if set, forces source-build of OpenSSL3 # EnvVar liboqs_DIR: If set, needs to point to a directory where liboqs has been installed to +# Track openssl dtls-1.3 feature branch +OPENSSL_BRANCH="feature/dtls-1.3" + if [[ "$OSTYPE" == "darwin"* ]]; then SHLIBEXT="dylib" STATLIBEXT="dylib" diff --git a/test/tlstest_helpers.c b/test/tlstest_helpers.c index 93626f54..42f8a487 100644 --- a/test/tlstest_helpers.c +++ b/test/tlstest_helpers.c @@ -56,10 +56,10 @@ int create_tls1_3_ctx_pair(OSSL_LIB_CTX *libctx, SSL_CTX **sctx, SSL_CTX **cctx, goto err; SSL_CTX_set_options(serverctx, SSL_OP_ALLOW_CLIENT_RENEGOTIATION); - SSL_CTX_set_min_proto_version(serverctx, TLS1_3_VERSION); - SSL_CTX_set_max_proto_version(serverctx, TLS1_3_VERSION); - SSL_CTX_set_min_proto_version(clientctx, TLS1_3_VERSION); - SSL_CTX_set_max_proto_version(clientctx, TLS1_3_VERSION); + SSL_CTX_set_min_proto_version(serverctx, DTLS1_3_VERSION); + SSL_CTX_set_max_proto_version(serverctx, DTLS1_3_VERSION); + SSL_CTX_set_min_proto_version(clientctx, DTLS1_3_VERSION); + SSL_CTX_set_max_proto_version(clientctx, DTLS1_3_VERSION); if (!SSL_CTX_use_certificate_file(serverctx, certfile, SSL_FILETYPE_PEM)) goto err; From d33f60d25c1b44d81b8c09c41e8fdb776415bb3c Mon Sep 17 00:00:00 2001 From: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Mon, 9 Dec 2024 12:41:31 +0100 Subject: [PATCH 02/10] exclude non-applicable CI Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> --- .circleci/config.yml | 3 +++ .github/workflows/linux.yml | 4 ++-- .github/workflows/macos.yml | 3 ++- .github/workflows/windows.yml | 3 ++- 4 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 00029830..349a03fa 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
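Review bot: The unconditional assignment `OPENSSL_BRANCH="feature/dtls-1.3"` overrides whatever the caller exported, which contradicts the header comment just above it that documents OPENSSL_BRANCH as a caller-supplied variable. Because that comment also says a set value forces a source build of OpenSSL, every invocation of the script now builds OpenSSL from the feature branch, including ones that pass OPENSSL_INSTALL. If the branch is meant as a default for this trial, `OPENSSL_BRANCH="${OPENSSL_BRANCH:-feature/dtls-1.3}"` keeps the documented override working. Any CI job that sets OPENSSL_BRANCH and then calls this script would otherwise have its setting silently ignored.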
@@ -116,6 +116,9 @@ jobs: workflows: version: 2.1 build: + when: + and: + - not equal: [ dtls-1.3 , << pipeline.git.branch >> ] jobs: - macOS: name: macOS-noopenssl diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index c96c3f36..1fb9fca5 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml @@ -103,7 +103,7 @@ jobs: CXX: "clang++" ASAN_C_FLAGS: "-fsanitize=address -fno-omit-frame-pointer" ASAN_OPTIONS: "detect_stack_use_after_return=1,detect_leaks=1" - OPENSSL_BRANCH: "openssl-3.3.2" + OPENSSL_BRANCH: "feature/dtls-1.3" steps: - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 @@ -174,7 +174,7 @@ jobs: container: image: openquantumsafe/ci-ubuntu-jammy:latest env: - OPENSSL_BRANCH: "master" + OPENSSL_BRANCH: "feature/dtls-1.3" INSTALL_DIR: "/opt/install" CMAKE_TOOLCHAIN_FILE: "/opt/linux-aarch64-toolchain.cmake" diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml index 0c537db7..54b03269 100644 --- a/.github/workflows/macos.yml +++ b/.github/workflows/macos.yml @@ -1,6 +1,7 @@ name: MacOS tests -on: [pull_request, push] +# Disable for DTLS1.3 for now (TODO) +# on: [pull_request, push] permissions: contents: read diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index d9876120..3d8a43f0 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -1,6 +1,7 @@ name: Windows tests -on: [pull_request, push] +# Disable for DTLS1.3 for now (TODO) +#on: [pull_request, push] permissions: contents: read From fbc2b3ab5f62c89194e6a9816a958e1eeee95c80 Mon Sep 17 00:00:00 2001 From: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Mon, 9 Dec 2024 14:29:30 +0100 Subject: [PATCH 03/10] add separate DTLS object creation and testing 
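Review bot: Commenting out the `on:` key leaves .github/workflows/macos.yml without any trigger, and GitHub treats a workflow without `on` as an invalid workflow file rather than as a disabled one, so the repository reports a workflow error for it. To park the workflow while keeping the file valid, keep the key and reduce it to a manual trigger, `on: workflow_dispatch`, with the `# Disable for DTLS1.3 for now (TODO)` comment above it. The identical change in .github/workflows/windows.yml has the same problem.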
Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> --- test/oqs_test_groups.c | 22 +++++++++++++++++++--- test/oqs_test_tlssig.c | 22 +++++++++++++++++++--- test/tlstest_helpers.c | 28 +++++++++++++++++++++------- test/tlstest_helpers.h | 2 +- 4 files changed, 60 insertions(+), 14 deletions(-) diff --git a/test/oqs_test_groups.c b/test/oqs_test_groups.c index cb1485ab..ba7fd4d8 100644 --- a/test/oqs_test_groups.c +++ b/test/oqs_test_groups.c @@ -33,7 +33,7 @@ char *test_mk_file_path(const char *dir, const char *file) { return full_file; } -static int test_oqs_groups(const char *group_name) { +static int test_oqs_groups(const char *group_name, int dtls_flag) { SSL_CTX *cctx = NULL, *sctx = NULL; SSL *clientssl = NULL, *serverssl = NULL; int ret = 1, testresult = 0; @@ -42,7 +42,7 @@ static int test_oqs_groups(const char *group_name) { printf("Not testing disabled algorithm %s.\n", group_name); return 1; } - testresult = create_tls1_3_ctx_pair(libctx, &sctx, &cctx, cert, privkey); + testresult = create_tls1_3_ctx_pair(libctx, &sctx, &cctx, cert, privkey, dtls_flag); if (!testresult) { ret = -1; goto err; @@ -94,7 +94,7 @@ static int test_group(const OSSL_PARAM params[], void *data) { char *group_name = OPENSSL_strdup(p->data); - ret = test_oqs_groups(group_name); + ret = test_oqs_groups(group_name, 0); if (ret >= 0) { fprintf(stderr, @@ -110,6 +110,22 @@ static int test_group(const OSSL_PARAM params[], void *data) { (*errcnt)++; } + ret = test_oqs_groups(group_name, 1); + + if (ret >= 0) { + fprintf(stderr, + cGREEN " DTLS-KEM handshake test succeeded: %s" cNORM "\n", + group_name); + } else { + fprintf(stderr, + cRED + " DTLS-KEM handshake test failed: %s, return code: %d" cNORM + "\n", + group_name, ret); + ERR_print_errors_fp(stderr); + (*errcnt)++; + } + err: OPENSSL_free(group_name); return ret; diff --git a/test/oqs_test_tlssig.c b/test/oqs_test_tlssig.c index 5e653f56..7dc4fd38 100644 --- a/test/oqs_test_tlssig.c 
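Review bot: In `test_group`, the added `ret = test_oqs_groups(group_name, 1);` overwrites the result of the TLS run, and the function ends with `return ret;`, so a failed TLS handshake followed by a successful DTLS handshake is returned to the caller as success. `*errcnt` is still incremented, so the overall count is right, but the return value now reflects only the DTLS run. Keeping the first failure avoids that: `int dtls_ret = test_oqs_groups(group_name, 1);` followed by `if (ret >= 0) ret = dtls_ret;`, with the DTLS messages keyed on `dtls_ret`. The same pattern is added to `test_signature` in test/oqs_test_tlssig.c; how the caller uses the return value is outside these hunks.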
+++ b/test/oqs_test_tlssig.c @@ -18,7 +18,7 @@ static char *configfile = NULL; static char *certsdir = NULL; #ifdef OSSL_CAPABILITY_TLS_SIGALG_NAME -static int test_oqs_tlssig(const char *sig_name) { +static int test_oqs_tlssig(const char *sig_name, int dtls_flag) { SSL_CTX *cctx = NULL, *sctx = NULL; SSL *clientssl = NULL, *serverssl = NULL; int ret = 1, testresult = 0; @@ -54,7 +54,7 @@ static int test_oqs_tlssig(const char *sig_name) { } testresult = - create_tls1_3_ctx_pair(libctx, &sctx, &cctx, certpath, privkeypath); + create_tls1_3_ctx_pair(libctx, &sctx, &cctx, certpath, privkeypath, dtls_flag); if (!testresult) { ret = -1; @@ -109,7 +109,7 @@ static int test_signature(const OSSL_PARAM params[], void *data) { if (sigalg_name == NULL) return 0; - ret = test_oqs_tlssig(sigalg_name); + ret = test_oqs_tlssig(sigalg_name, 0); if (ret >= 0) { fprintf(stderr, @@ -125,6 +125,22 @@ static int test_signature(const OSSL_PARAM params[], void *data) { (*errcnt)++; } + ret = test_oqs_tlssig(sigalg_name, 1); + + if (ret >= 0) { + fprintf(stderr, + cGREEN " DTLS-SIG handshake test succeeded: %s" cNORM "\n", + sigalg_name); + } else { + fprintf(stderr, + cRED + " DTLS-SIG handshake test failed: %s, return code: %d" cNORM + "\n", + sigalg_name, ret); + ERR_print_errors_fp(stderr); + (*errcnt)++; + } + err: OPENSSL_free(sigalg_name); return ret; diff --git a/test/tlstest_helpers.c b/test/tlstest_helpers.c index 42f8a487..107f9646 100644 --- a/test/tlstest_helpers.c +++ b/test/tlstest_helpers.c 
@@ -43,23 +43,37 @@ int create_cert_key(OSSL_LIB_CTX *libctx, char *algname, char *certfilename, } /* end steal */ int create_tls1_3_ctx_pair(OSSL_LIB_CTX *libctx, SSL_CTX **sctx, SSL_CTX **cctx, - char *certfile, char *privkeyfile) { + char *certfile, char *privkeyfile, int dtls_flag) { SSL_CTX *serverctx = NULL, *clientctx = NULL; if (sctx == NULL || cctx == NULL) goto err; - serverctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()); - clientctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()); + if (dtls_flag) { + serverctx = SSL_CTX_new_ex(libctx, NULL, DTLS_server_method()); + clientctx = SSL_CTX_new_ex(libctx, NULL, DTLS_client_method()); + } + else { + serverctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()); + clientctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()); + } if (serverctx == NULL || clientctx == NULL) goto err; SSL_CTX_set_options(serverctx, SSL_OP_ALLOW_CLIENT_RENEGOTIATION); - SSL_CTX_set_min_proto_version(serverctx, DTLS1_3_VERSION); - SSL_CTX_set_max_proto_version(serverctx, DTLS1_3_VERSION); - SSL_CTX_set_min_proto_version(clientctx, DTLS1_3_VERSION); - SSL_CTX_set_max_proto_version(clientctx, DTLS1_3_VERSION); + if (dtls_flag) { + SSL_CTX_set_min_proto_version(serverctx, DTLS1_3_VERSION); + SSL_CTX_set_max_proto_version(serverctx, DTLS1_3_VERSION); + SSL_CTX_set_min_proto_version(clientctx, DTLS1_3_VERSION); + SSL_CTX_set_max_proto_version(clientctx, DTLS1_3_VERSION); + } + else { + SSL_CTX_set_min_proto_version(serverctx, DTLS1_3_VERSION); + SSL_CTX_set_max_proto_version(serverctx, DTLS1_3_VERSION); + SSL_CTX_set_min_proto_version(clientctx, DTLS1_3_VERSION); + SSL_CTX_set_max_proto_version(clientctx, DTLS1_3_VERSION); + } if (!SSL_CTX_use_certificate_file(serverctx, certfile, SSL_FILETYPE_PEM)) goto err; diff --git a/test/tlstest_helpers.h b/test/tlstest_helpers.h index 63c10b9f..74d122ce 100644 --- a/test/tlstest_helpers.h +++ b/test/tlstest_helpers.h 
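Review bot: The new `else` branch, which serves the `TLS_server_method()` / `TLS_client_method()` contexts, still sets `DTLS1_3_VERSION` as minimum and maximum protocol version; it should use `TLS1_3_VERSION`, as in `SSL_CTX_set_min_proto_version(serverctx, TLS1_3_VERSION);`. Because the return values of the four setters are ignored here, a rejected version would go unnoticed and the TLS tests would presumably run with the default version range instead of TLS 1.3 only. Patch 04 of this series corrects both points, so squashing it into this commit would keep every commit in the series testable. The rest of `create_tls1_3_ctx_pair`, including the `err` label, is outside this hunk.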
@@ -4,7 +4,7 @@ int create_cert_key(OSSL_LIB_CTX *libctx, char *algname, char *certfilename, char *privkeyfilename); int create_tls1_3_ctx_pair(OSSL_LIB_CTX *libctx, SSL_CTX **sctx, SSL_CTX **cctx, - char *certfile, char *privkeyfile); + char *certfile, char *privkeyfile, int dtls_flag); int create_tls_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl, SSL **cssl); From 8ced9114f58fce877641f129ee425b9e47f3f109 Mon Sep 17 00:00:00 2001 From: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Mon, 9 Dec 2024 14:53:55 +0100 Subject: [PATCH 04/10] better error checks Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> --- test/tlstest_helpers.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/test/tlstest_helpers.c b/test/tlstest_helpers.c index 107f9646..50d28877 100644 --- a/test/tlstest_helpers.c +++ b/test/tlstest_helpers.c 
@@ -63,16 +63,18 @@ int create_tls1_3_ctx_pair(OSSL_LIB_CTX *libctx, SSL_CTX **sctx, SSL_CTX **cctx, SSL_CTX_set_options(serverctx, SSL_OP_ALLOW_CLIENT_RENEGOTIATION); if (dtls_flag) { - SSL_CTX_set_min_proto_version(serverctx, DTLS1_3_VERSION); - SSL_CTX_set_max_proto_version(serverctx, DTLS1_3_VERSION); - SSL_CTX_set_min_proto_version(clientctx, DTLS1_3_VERSION); - SSL_CTX_set_max_proto_version(clientctx, DTLS1_3_VERSION); + if (!SSL_CTX_set_min_proto_version(serverctx, DTLS1_3_VERSION) + || !SSL_CTX_set_max_proto_version(serverctx, DTLS1_3_VERSION) + || !SSL_CTX_set_min_proto_version(clientctx, DTLS1_3_VERSION) + || !SSL_CTX_set_max_proto_version(clientctx, DTLS1_3_VERSION)) + goto err; } else { - SSL_CTX_set_min_proto_version(serverctx, DTLS1_3_VERSION); - SSL_CTX_set_max_proto_version(serverctx, DTLS1_3_VERSION); - SSL_CTX_set_min_proto_version(clientctx, DTLS1_3_VERSION); - SSL_CTX_set_max_proto_version(clientctx, DTLS1_3_VERSION); + if (!SSL_CTX_set_min_proto_version(serverctx, TLS1_3_VERSION) + || !SSL_CTX_set_max_proto_version(serverctx, TLS1_3_VERSION) + || !SSL_CTX_set_min_proto_version(clientctx, TLS1_3_VERSION) + || !SSL_CTX_set_max_proto_version(clientctx, TLS1_3_VERSION)) + goto err; } if (!SSL_CTX_use_certificate_file(serverctx, certfile, SSL_FILETYPE_PEM)) From bd4148d655eddc4e1fe073b8af5ce7874e207bb0 Mon Sep 17 00:00:00 2001 From: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Mon, 9 Dec 2024 15:26:09 +0100 Subject: [PATCH 05/10] add feature branch warning [skip ci] Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index aa2feb21..ce9774ee 100644 --- a/README.md +++ b/README.md 
@@ -14,6 +14,9 @@ in a standard OpenSSL (3.x) distribution by way of implementing a single shared library, the OQS [provider](https://www.openssl.org/docs/manmaster/man7/provider.html). +THIS IS A FEATURE BRANCH TO TRIAL DTLS1.3 OPERATIONS -- DO NOT MERGE! +(dependent on https://github.com/openssl/openssl/tree/feature/dtls-1.3 merging). + Status ------ From f4c93cf1fafc6427a64a36648f0b1939d76ae78e Mon Sep 17 00:00:00 2001 From: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Mon, 9 Dec 2024 16:09:31 +0100 Subject: [PATCH 06/10] formatting fixed Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> --- test/oqs_test_groups.c | 3 ++- test/oqs_test_tlssig.c | 4 ++-- test/tlstest_helpers.c | 22 ++++++++++------------ 3 files changed, 14 insertions(+), 15 deletions(-) diff --git a/test/oqs_test_groups.c b/test/oqs_test_groups.c index ba7fd4d8..09ca5ff0 100644 --- a/test/oqs_test_groups.c +++ b/test/oqs_test_groups.c @@ -42,7 +42,8 @@ static int test_oqs_groups(const char *group_name, int dtls_flag) { printf("Not testing disabled algorithm %s.\n", group_name); return 1; } - testresult = create_tls1_3_ctx_pair(libctx, &sctx, &cctx, cert, privkey, dtls_flag); + testresult = + create_tls1_3_ctx_pair(libctx, &sctx, &cctx, cert, privkey, dtls_flag); if (!testresult) { ret = -1; goto err; diff --git a/test/oqs_test_tlssig.c b/test/oqs_test_tlssig.c index 7dc4fd38..237ea429 100644 --- a/test/oqs_test_tlssig.c +++ b/test/oqs_test_tlssig.c @@ -53,8 +53,8 @@ static int test_oqs_tlssig(const char *sig_name, int dtls_flag) { goto err; } - testresult = - create_tls1_3_ctx_pair(libctx, &sctx, &cctx, certpath, privkeypath, dtls_flag); + testresult = create_tls1_3_ctx_pair(libctx, &sctx, &cctx, certpath, + privkeypath, dtls_flag); if (!testresult) { ret = -1; diff --git a/test/tlstest_helpers.c b/test/tlstest_helpers.c index 50d28877..0e9176a8 100644 --- a/test/tlstest_helpers.c +++ b/test/tlstest_helpers.c 
@@ -52,8 +52,7 @@ int create_tls1_3_ctx_pair(OSSL_LIB_CTX *libctx, SSL_CTX **sctx, SSL_CTX **cctx, if (dtls_flag) { serverctx = SSL_CTX_new_ex(libctx, NULL, DTLS_server_method()); clientctx = SSL_CTX_new_ex(libctx, NULL, DTLS_client_method()); - } - else { + } else { serverctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()); clientctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()); } @@ -63,17 +62,16 @@ int create_tls1_3_ctx_pair(OSSL_LIB_CTX *libctx, SSL_CTX **sctx, SSL_CTX **cctx, SSL_CTX_set_options(serverctx, SSL_OP_ALLOW_CLIENT_RENEGOTIATION); if (dtls_flag) { - if (!SSL_CTX_set_min_proto_version(serverctx, DTLS1_3_VERSION) - || !SSL_CTX_set_max_proto_version(serverctx, DTLS1_3_VERSION) - || !SSL_CTX_set_min_proto_version(clientctx, DTLS1_3_VERSION) - || !SSL_CTX_set_max_proto_version(clientctx, DTLS1_3_VERSION)) + if (!SSL_CTX_set_min_proto_version(serverctx, DTLS1_3_VERSION) || + !SSL_CTX_set_max_proto_version(serverctx, DTLS1_3_VERSION) || + !SSL_CTX_set_min_proto_version(clientctx, DTLS1_3_VERSION) || + !SSL_CTX_set_max_proto_version(clientctx, DTLS1_3_VERSION)) goto err; - } - else { - if (!SSL_CTX_set_min_proto_version(serverctx, TLS1_3_VERSION) - || !SSL_CTX_set_max_proto_version(serverctx, TLS1_3_VERSION) - || !SSL_CTX_set_min_proto_version(clientctx, TLS1_3_VERSION) - || !SSL_CTX_set_max_proto_version(clientctx, TLS1_3_VERSION)) + } else { + if (!SSL_CTX_set_min_proto_version(serverctx, TLS1_3_VERSION) || + !SSL_CTX_set_max_proto_version(serverctx, TLS1_3_VERSION) || + !SSL_CTX_set_min_proto_version(clientctx, TLS1_3_VERSION) || + !SSL_CTX_set_max_proto_version(clientctx, TLS1_3_VERSION)) goto err; } From fc258cafdce3e3085083c2d3fc2a269bfea6fee9 Mon Sep 17 00:00:00 2001 From: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Tue, 10 Dec 2024 13:58:20 +0100 Subject: [PATCH 07/10] enables conditional use of DTLS1.3 
Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> --- .github/workflows/linux.yml | 6 +++--- .github/workflows/macos.yml | 3 +-- .github/workflows/windows.yml | 5 ++--- README.md | 3 --- oqsprov/oqsprov_capabilities.c | 5 +++++ scripts/fullbuild.sh | 4 +--- test/oqs_test_groups.c | 4 +++- test/oqs_test_tlssig.c | 4 +++- test/tlstest_helpers.c | 20 +++++++++++++++++--- test/tlstest_helpers.h | 2 +- 10 files changed, 36 insertions(+), 20 deletions(-) diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index 1fb9fca5..0b3981e5 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml @@ -38,7 +38,7 @@ jobs: strategy: fail-fast: false matrix: - ossl-branch: [feature/dtls-1.3] + ossl-branch: [openssl-3.3.2, master] libjade-build: - "ON" - "OFF" @@ -103,7 +103,7 @@ jobs: CXX: "clang++" ASAN_C_FLAGS: "-fsanitize=address -fno-omit-frame-pointer" ASAN_OPTIONS: "detect_stack_use_after_return=1,detect_leaks=1" - OPENSSL_BRANCH: "feature/dtls-1.3" + OPENSSL_BRANCH: "openssl-3.3.2" steps: - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 @@ -174,7 +174,7 @@ jobs: container: image: openquantumsafe/ci-ubuntu-jammy:latest env: - OPENSSL_BRANCH: "feature/dtls-1.3" + OPENSSL_BRANCH: "master" INSTALL_DIR: "/opt/install" CMAKE_TOOLCHAIN_FILE: "/opt/linux-aarch64-toolchain.cmake" diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml index 54b03269..0c537db7 100644 --- a/.github/workflows/macos.yml +++ b/.github/workflows/macos.yml @@ -1,7 +1,6 @@ name: MacOS tests -# Disable for DTLS1.3 for now (TODO) -# on: [pull_request, push] +on: [pull_request, push] permissions: contents: read diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 3d8a43f0..f4a52cdb 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml 
@@ -1,7 +1,6 @@ name: Windows tests -# Disable for DTLS1.3 for now (TODO) -#on: [pull_request, push] +on: [pull_request, push] permissions: contents: read @@ -40,7 +39,7 @@ jobs: repository: openssl/openssl path: openssl # TODO: Revert ref tag once openssl master doesn't crash any more - ref: feature/dtls-1.3 + ref: master - name: checkout liboqs uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 with: diff --git a/README.md b/README.md index ce9774ee..aa2feb21 100644 --- a/README.md +++ b/README.md @@ -14,9 +14,6 @@ in a standard OpenSSL (3.x) distribution by way of implementing a single shared library, the OQS [provider](https://www.openssl.org/docs/manmaster/man7/provider.html). -THIS IS A FEATURE BRANCH TO TRIAL DTLS1.3 OPERATIONS -- DO NOT MERGE! -(dependent on https://github.com/openssl/openssl/tree/feature/dtls-1.3 merging). - Status ------ diff --git a/oqsprov/oqsprov_capabilities.c b/oqsprov/oqsprov_capabilities.c index 1b21fb1c..894a261c 100644 --- a/oqsprov/oqsprov_capabilities.c +++ b/oqsprov/oqsprov_capabilities.c @@ -20,6 +20,11 @@ // internal, but useful OSSL define: #define OSSL_NELEM(x) (sizeof(x) / sizeof((x)[0])) +// enables DTLS1.3 testing even before available in openssl master: +#if !defined(DTLS1_3_VERSION) +# define DTLS1_3_VERSION 0xFEFC +#endif + #include "oqs_prov.h" typedef struct oqs_group_constants_st { diff --git a/scripts/fullbuild.sh b/scripts/fullbuild.sh index d9bd1dd9..b781b219 100755 --- a/scripts/fullbuild.sh +++ b/scripts/fullbuild.sh 
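Review bot: With this fallback, a provider built against OpenSSL headers that lack DTLS 1.3 still registers every entry of `oqs_group_list` with `DTLS1_3_VERSION` (0xFEFC) as its minimum DTLS version, where the table previously held `-1, -1` for the DTLS columns. Whether those groups stay out of DTLS 1.2 handshakes then depends on how that libssl compares a version it does not know, so this should be confirmed against the oldest OpenSSL release the provider supports. The comment says "testing", but this file is the provider's capability table rather than test code; I would reword it to `// DTLS 1.3 wire version; fallback for OpenSSL headers that do not define it yet`. The define also sits before `#include "oqs_prov.h"`, and the includes above line 20 are outside the hunk, so it is worth checking that no header included afterwards defines the macro itself.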
@@ -10,11 +10,9 @@ # EnvVar OQS_ALGS_ENABLED: If set, defines OQS algs to be enabled, e.g., "STD" # EnvVar OPENSSL_INSTALL: If set, defines (binary) OpenSSL installation to use # EnvVar OPENSSL_BRANCH: Defines branch/release of openssl; if set, forces source-build of OpenSSL3 +# Setting this to feature/dtls-1.3 enables build&test of all PQ algs using DTLS1.3 # EnvVar liboqs_DIR: If set, needs to point to a directory where liboqs has been installed to -# Track openssl dtls-1.3 feature branch -OPENSSL_BRANCH="feature/dtls-1.3" - if [[ "$OSTYPE" == "darwin"* ]]; then SHLIBEXT="dylib" STATLIBEXT="dylib" diff --git a/test/oqs_test_groups.c b/test/oqs_test_groups.c index 09ca5ff0..aed820b8 100644 --- a/test/oqs_test_groups.c +++ b/test/oqs_test_groups.c @@ -49,7 +49,7 @@ static int test_oqs_groups(const char *group_name, int dtls_flag) { goto err; } - testresult = create_tls_objects(sctx, cctx, &serverssl, &clientssl); + testresult = create_tls_objects(sctx, cctx, &serverssl, &clientssl, dtls_flag); if (!testresult) { ret = -2; @@ -111,6 +111,7 @@ static int test_group(const OSSL_PARAM params[], void *data) { (*errcnt)++; } +#ifdef DTLS1_3_VERSION ret = test_oqs_groups(group_name, 1); if (ret >= 0) { @@ -126,6 +127,7 @@ static int test_group(const OSSL_PARAM params[], void *data) { ERR_print_errors_fp(stderr); (*errcnt)++; } +#endif err: OPENSSL_free(group_name); diff --git a/test/oqs_test_tlssig.c b/test/oqs_test_tlssig.c index 237ea429..ea21d2d2 100644 --- a/test/oqs_test_tlssig.c +++ b/test/oqs_test_tlssig.c @@ -61,7 +61,7 @@ static int test_oqs_tlssig(const char *sig_name, int dtls_flag) { goto err; } - testresult = create_tls_objects(sctx, cctx, &serverssl, &clientssl); + testresult = create_tls_objects(sctx, cctx, &serverssl, &clientssl, dtls_flag); if (!testresult) { ret = -2; @@ -125,6 +125,7 @@ static int test_signature(const OSSL_PARAM params[], void *data) { (*errcnt)++; } +#ifdef DTLS1_3_VERSION ret = test_oqs_tlssig(sigalg_name, 1); if (ret >= 0) { 
@@ -140,6 +141,7 @@ static int test_signature(const OSSL_PARAM params[], void *data) { ERR_print_errors_fp(stderr); (*errcnt)++; } +#endif err: OPENSSL_free(sigalg_name); diff --git a/test/tlstest_helpers.c b/test/tlstest_helpers.c index 0e9176a8..cbfaaa31 100644 --- a/test/tlstest_helpers.c +++ b/test/tlstest_helpers.c @@ -62,10 +62,12 @@ int create_tls1_3_ctx_pair(OSSL_LIB_CTX *libctx, SSL_CTX **sctx, SSL_CTX **cctx, SSL_CTX_set_options(serverctx, SSL_OP_ALLOW_CLIENT_RENEGOTIATION); if (dtls_flag) { +#ifdef DTLS1_3_VERSION if (!SSL_CTX_set_min_proto_version(serverctx, DTLS1_3_VERSION) || !SSL_CTX_set_max_proto_version(serverctx, DTLS1_3_VERSION) || !SSL_CTX_set_min_proto_version(clientctx, DTLS1_3_VERSION) || !SSL_CTX_set_max_proto_version(clientctx, DTLS1_3_VERSION)) +#endif goto err; } else { if (!SSL_CTX_set_min_proto_version(serverctx, TLS1_3_VERSION) || @@ -95,7 +97,7 @@ int create_tls1_3_ctx_pair(OSSL_LIB_CTX *libctx, SSL_CTX **sctx, SSL_CTX **cctx, } int create_tls_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl, - SSL **cssl) { + SSL **cssl, int use_dgram) { SSL *serverssl = NULL, *clientssl = NULL; BIO *s_to_c_bio = NULL, *c_to_s_bio = NULL; @@ -108,8 +110,20 @@ int create_tls_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl, if (serverssl == NULL || clientssl == NULL) goto err; - s_to_c_bio = BIO_new(BIO_s_mem()); - c_to_s_bio = BIO_new(BIO_s_mem()); + if (use_dgram) { +#if (OPENSSL_VERSION_PREREQ(3, 2)) + s_to_c_bio = BIO_new(BIO_s_dgram_mem()); + c_to_s_bio = BIO_new(BIO_s_dgram_mem()); +#else + fprintf(stderr, "No DGRAM memory supported in this OpenSSL version.\n"); + ERR_print_errors_fp(stderr); + goto err; +#endif + } + else { + s_to_c_bio = BIO_new(BIO_s_mem()); + c_to_s_bio = BIO_new(BIO_s_mem()); + } if (s_to_c_bio == NULL || c_to_s_bio == NULL) goto err; diff --git a/test/tlstest_helpers.h b/test/tlstest_helpers.h index 74d122ce..e52b9888 100644 --- a/test/tlstest_helpers.h +++ b/test/tlstest_helpers.h 
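Review bot: In `create_tls1_3_ctx_pair` the `#ifdef DTLS1_3_VERSION` / `#endif` pair wraps only the `if (...)` condition, so without the macro the statement collapses to a bare `goto err;` and the DTLS branch always fails. That appears to be intended, but it is easy to misread, and a later edit that adds braces to the `if` would break one of the two configurations. I would make both explicit by keeping `goto err;` inside the `#ifdef` and adding an `#else` arm with `fprintf(stderr, "DTLS1.3 not supported by this OpenSSL build.\n");` followed by `goto err;`. The `err` label and its cleanup are outside this hunk.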
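Review bot: The new `use_dgram` branch in `create_tls_objects` has no comment saying why DTLS gets a different BIO type, and the reason is not obvious from the code. I would add `/* DTLS needs datagram boundaries preserved; BIO_s_mem() is a byte stream */` above the `BIO_s_dgram_mem()` calls. In the `#else` arm, `ERR_print_errors_fp(stderr);` is called although no OpenSSL call has failed at that point, so it prints nothing useful and can be dropped. The gate here is `OPENSSL_VERSION_PREREQ(3, 2)` while the callers in oqs_test_groups.c and oqs_test_tlssig.c gate on `DTLS1_3_VERSION`; a short comment noting that the two conditions are deliberately different would help the next reader.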
@@ -7,6 +7,6 @@ int create_tls1_3_ctx_pair(OSSL_LIB_CTX *libctx, SSL_CTX **sctx, SSL_CTX **cctx, char *certfile, char *privkeyfile, int dtls_flag); int create_tls_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl, - SSL **cssl); + SSL **cssl, int use_dgram); int create_tls_connection(SSL *serverssl, SSL *clientssl, int want); From 9ad45e4a5b92271eb0c2aa729414c3d219d9f59c Mon Sep 17 00:00:00 2001 From: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Tue, 10 Dec 2024 14:01:57 +0100 Subject: [PATCH 08/10] fix formatting Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> --- .circleci/config.yml | 4 ++-- oqsprov/oqsprov_capabilities.c | 2 +- scripts/fullbuild.sh | 2 +- test/oqs_test_groups.c | 3 ++- test/oqs_test_tlssig.c | 3 ++- test/tlstest_helpers.c | 3 +-- 6 files changed, 9 insertions(+), 8 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 349a03fa..65e3557f 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -53,9 +53,9 @@ jobs: equal: [ openssl@3, << parameters.OPENSSL_PREINSTALL >> ] steps: - run: - name: Clone and build OpenSSL(3) dtls-1.3 feature branch + name: Clone and build OpenSSL(3) master feature branch command: | - git clone --branch feature/dtls-1.3 https://github.com/openssl/openssl.git openssl && + git clone --branch master https://github.com/openssl/openssl.git openssl && cd openssl && ./config --prefix=$(echo $(pwd)/../.local) && make -j 18 && make install_sw && cd .. - run: name: Build OQS-OpenSSL provider diff --git a/oqsprov/oqsprov_capabilities.c b/oqsprov/oqsprov_capabilities.c index 894a261c..0e7e12e3 100644 --- a/oqsprov/oqsprov_capabilities.c +++ b/oqsprov/oqsprov_capabilities.c @@ -22,7 +22,7 @@ // enables DTLS1.3 testing even before available in openssl master: #if !defined(DTLS1_3_VERSION) -# define DTLS1_3_VERSION 0xFEFC +#define DTLS1_3_VERSION 0xFEFC #endif #include "oqs_prov.h" 
diff --git a/scripts/fullbuild.sh b/scripts/fullbuild.sh index b781b219..aaa381f9 100755 --- a/scripts/fullbuild.sh +++ b/scripts/fullbuild.sh @@ -10,7 +10,7 @@ # EnvVar OQS_ALGS_ENABLED: If set, defines OQS algs to be enabled, e.g., "STD" # EnvVar OPENSSL_INSTALL: If set, defines (binary) OpenSSL installation to use # EnvVar OPENSSL_BRANCH: Defines branch/release of openssl; if set, forces source-build of OpenSSL3 -# Setting this to feature/dtls-1.3 enables build&test of all PQ algs using DTLS1.3 +# Setting this to feature/dtls-1.3 enables build&test of all PQ algs using DTLS1.3 feature branch # EnvVar liboqs_DIR: If set, needs to point to a directory where liboqs has been installed to if [[ "$OSTYPE" == "darwin"* ]]; then diff --git a/test/oqs_test_groups.c b/test/oqs_test_groups.c index aed820b8..d73e85f5 100644 --- a/test/oqs_test_groups.c +++ b/test/oqs_test_groups.c @@ -49,7 +49,8 @@ static int test_oqs_groups(const char *group_name, int dtls_flag) { goto err; } - testresult = create_tls_objects(sctx, cctx, &serverssl, &clientssl, dtls_flag); + testresult = + create_tls_objects(sctx, cctx, &serverssl, &clientssl, dtls_flag); if (!testresult) { ret = -2; diff --git a/test/oqs_test_tlssig.c b/test/oqs_test_tlssig.c index ea21d2d2..24aa0cf1 100644 --- a/test/oqs_test_tlssig.c +++ b/test/oqs_test_tlssig.c @@ -61,7 +61,8 @@ static int test_oqs_tlssig(const char *sig_name, int dtls_flag) { goto err; } - testresult = create_tls_objects(sctx, cctx, &serverssl, &clientssl, dtls_flag); + testresult = + create_tls_objects(sctx, cctx, &serverssl, &clientssl, dtls_flag); if (!testresult) { ret = -2; diff --git a/test/tlstest_helpers.c b/test/tlstest_helpers.c index cbfaaa31..52a49f96 100644 --- a/test/tlstest_helpers.c +++ b/test/tlstest_helpers.c 
@@ -119,8 +119,7 @@ int create_tls_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl, ERR_print_errors_fp(stderr); goto err; #endif - } - else { + } else { s_to_c_bio = BIO_new(BIO_s_mem()); c_to_s_bio = BIO_new(BIO_s_mem()); } From 95efe5142b30455e4937a71b26099bcce3937a6b Mon Sep 17 00:00:00 2001 From: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Tue, 10 Dec 2024 14:25:10 +0100 Subject: [PATCH 09/10] correct retest after code regen Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> --- .circleci/config.yml | 2 +- .github/workflows/linux.yml | 4 ++-- .github/workflows/windows.yml | 1 - 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 65e3557f..01bdfcac 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -53,7 +53,7 @@ jobs: equal: [ openssl@3, << parameters.OPENSSL_PREINSTALL >> ] steps: - run: - name: Clone and build OpenSSL(3) master feature branch + name: Clone and build OpenSSL(3) master command: | git clone --branch master https://github.com/openssl/openssl.git openssl && cd openssl && ./config --prefix=$(echo $(pwd)/../.local) && make -j 18 && make install_sw && cd .. diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index 0b3981e5..39116e00 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml @@ -73,8 +73,8 @@ jobs: export LIBOQS_SRC_DIR=`pwd`/liboqs && \ ! pip3 install -r oqs-template/requirements.txt 2>&1 | grep ERROR && \ python3 oqs-template/generate.py - - name: Full re-build - run: rm -rf _build && ./scripts/fullbuild.sh + - name: Full re-build & test + run: rm -rf _build && OPENSSL_BRANCH=${{ matrix.ossl-branch }} LIBOQS_BRANCH=main OQS_LIBJADE_BUILD=${{ matrix.libjade-build }} ./scripts/fullbuild.sh && ./scripts/runtests.sh - name: Build .deb install package run: cpack -C DebPack working-directory: _build 
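Review bot: The new `run:` line in .github/workflows/linux.yml pastes `${{ matrix.ossl-branch }}` and `${{ matrix.libjade-build }}` straight into the shell text, where they are expanded before the shell parses the command. The values come from the workflow's own matrix, so nothing untrusted reaches the shell today, but an `env:` block keeps the step safe if the matrix is ever fed from an input or event field. `LIBOQS_BRANCH=main` also makes the build follow a moving ref, so a result cannot be tied to a known liboqs commit unless the resolved SHA is logged. Note that an `env:` block exposes the variables to runtests.sh as well, whereas the inline prefix form sets them only for fullbuild.sh.

```yaml
      - name: Full re-build & test
        env:
          OPENSSL_BRANCH: ${{ matrix.ossl-branch }}
          LIBOQS_BRANCH: main
          OQS_LIBJADE_BUILD: ${{ matrix.libjade-build }}
        run: rm -rf _build && ./scripts/fullbuild.sh && ./scripts/runtests.sh
```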
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index f4a52cdb..d817a672 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -38,7 +38,6 @@ jobs: set-safe-directory: true repository: openssl/openssl path: openssl - # TODO: Revert ref tag once openssl master doesn't crash any more ref: master - name: checkout liboqs uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 From 9d9e11c7b05b3d8b072705190f867b1ab9524818 Mon Sep 17 00:00:00 2001 From: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Tue, 10 Dec 2024 14:26:10 +0100 Subject: [PATCH 10/10] remove DTLS from CCI Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> --- .circleci/config.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 01bdfcac..456813c8 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -116,9 +116,6 @@ jobs: workflows: version: 2.1 build: - when: - and: - - not equal: [ dtls-1.3 , << pipeline.git.branch >> ] jobs: - macOS: name: macOS-noopenssl