open-quantum-safe · baentsch · Dec 13, 2024 · Dec 9, 2024 · Dec 9, 2024 · Dec 9, 2024
@@ -73,8 +73,8 @@ jobs:
           export LIBOQS_SRC_DIR=`pwd`/liboqs && \
           ! pip3 install -r oqs-template/requirements.txt 2>&1 | grep ERROR && \
           python3 oqs-template/generate.py
-      - name: Full re-build
-        run: rm -rf _build && ./scripts/fullbuild.sh
+      - name: Full re-build & test
+        run: rm -rf _build && OPENSSL_BRANCH=${{ matrix.ossl-branch }} LIBOQS_BRANCH=main OQS_LIBJADE_BUILD=${{ matrix.libjade-build }} ./scripts/fullbuild.sh && ./scripts/runtests.sh
       - name: Build .deb install package
         run: cpack -C DebPack
         working-directory: _build

@@ -38,8 +38,7 @@ jobs:
           set-safe-directory: true
           repository: openssl/openssl
           path: openssl
-          # TODO: Revert ref tag once openssl master doesn't crash any more
-          ref: openssl-3.3.0
+          ref: master
       - name: checkout liboqs
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
         with:

@@ -1,7 +1,7 @@
 {% for kem in config['kems'] %}
-   { {{ kem['nid'] }}, {{ kem['bit_security'] }}, TLS1_3_VERSION, 0, -1, -1, 1 },
+   { {{ kem['nid'] }}, {{ kem['bit_security'] }}, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1 },
 {% for hybrid in kem['hybrids'] %}
-   { {{ hybrid['nid'] }}, {{ kem['bit_security'] }}, TLS1_3_VERSION, 0, -1, -1, 1 },
+   { {{ hybrid['nid'] }}, {{ kem['bit_security'] }}, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1 },
 {%- endfor %}
 {%- endfor %}
 
@@ -20,6 +20,11 @@
 // internal, but useful OSSL define:
 #define OSSL_NELEM(x) (sizeof(x) / sizeof((x)[0]))
 
+// enables DTLS1.3 testing even before available in openssl master:
+#if !defined(DTLS1_3_VERSION)
+#define DTLS1_3_VERSION 0xFEFC
+#endif
+
 #include "oqs_prov.h"
 
 typedef struct oqs_group_constants_st {
@@ -35,77 +40,77 @@ typedef struct oqs_group_constants_st {
 static OQS_GROUP_CONSTANTS oqs_group_list[] = {
     // ad-hoc assignments - take from OQS generate data structures
     ///// OQS_TEMPLATE_FRAGMENT_GROUP_ASSIGNMENTS_START
-    {65024, 128, TLS1_3_VERSION, 0, -1, -1, 1},
+    {65024, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F00, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2F80, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {65025, 128, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F00, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2F80, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {65025, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F01, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2F81, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {65026, 192, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F01, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2F81, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {65026, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F02, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2F82, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x0203, 192, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F02, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2F82, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x0203, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F03, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2F83, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x0204, 256, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F03, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2F83, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x0204, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F04, 256, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x0205, 256, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F04, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x0205, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F05, 256, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x023A, 128, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F05, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x023A, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F3A, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2F39, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x023C, 192, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F3A, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2F39, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x023C, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F3C, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2F90, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x6399, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x639A, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x023D, 256, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F3C, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2F90, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x6399, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x639A, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x023D, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F3D, 256, TLS1_3_VERSION, 0, -1, -1, 1},
-    {512, 128, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F3D, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {512, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F4B, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2FB6, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {513, 192, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F4B, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2FB6, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {513, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F4C, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2FB7, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x11ec, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x11eb, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {514, 256, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F4C, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2FB7, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x11ec, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x11eb, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {514, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F4D, 256, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2F4E, 256, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x0241, 128, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F4D, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2F4E, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x0241, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F41, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2FAE, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x0242, 192, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F41, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2FAE, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x0242, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F42, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2FAF, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x0243, 256, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F42, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2FAF, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x0243, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F43, 256, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x0244, 128, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F43, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x0244, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F44, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2FB0, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x0245, 192, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F44, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2FB0, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x0245, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F45, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2FB1, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x0246, 256, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F45, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2FB1, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x0246, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F46, 256, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F46, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
     ///// OQS_TEMPLATE_FRAGMENT_GROUP_ASSIGNMENTS_END
 };
 

@@ -10,6 +10,7 @@
 # EnvVar OQS_ALGS_ENABLED: If set, defines OQS algs to be enabled, e.g., "STD"
 # EnvVar OPENSSL_INSTALL: If set, defines (binary) OpenSSL installation to use
 # EnvVar OPENSSL_BRANCH: Defines branch/release of openssl; if set, forces source-build of OpenSSL3
+#        Setting this to feature/dtls-1.3 enables build&test of all PQ algs using DTLS1.3 feature branch
 # EnvVar liboqs_DIR: If set, needs to point to a directory where liboqs has been installed to
 
 if [[ "$OSTYPE" == "darwin"* ]]; then

@@ -33,7 +33,7 @@ char *test_mk_file_path(const char *dir, const char *file) {
     return full_file;
 }
 
-static int test_oqs_groups(const char *group_name) {
+static int test_oqs_groups(const char *group_name, int dtls_flag) {
     SSL_CTX *cctx = NULL, *sctx = NULL;
     SSL *clientssl = NULL, *serverssl = NULL;
     int ret = 1, testresult = 0;
@@ -42,13 +42,15 @@ static int test_oqs_groups(const char *group_name) {
         printf("Not testing disabled algorithm %s.\n", group_name);
         return 1;
     }
-    testresult = create_tls1_3_ctx_pair(libctx, &sctx, &cctx, cert, privkey);
+    testresult =
+        create_tls1_3_ctx_pair(libctx, &sctx, &cctx, cert, privkey, dtls_flag);
     if (!testresult) {
         ret = -1;
         goto err;
     }
 
-    testresult = create_tls_objects(sctx, cctx, &serverssl, &clientssl);
+    testresult =
+        create_tls_objects(sctx, cctx, &serverssl, &clientssl, dtls_flag);
 
     if (!testresult) {
         ret = -2;
@@ -94,7 +96,7 @@ static int test_group(const OSSL_PARAM params[], void *data) {
 
     char *group_name = OPENSSL_strdup(p->data);
 
-    ret = test_oqs_groups(group_name);
+    ret = test_oqs_groups(group_name, 0);
 
     if (ret >= 0) {
         fprintf(stderr,
@@ -110,6 +112,24 @@ static int test_group(const OSSL_PARAM params[], void *data) {
         (*errcnt)++;
     }
 
+#ifdef DTLS1_3_VERSION
+    ret = test_oqs_groups(group_name, 1);
+
+    if (ret >= 0) {
+        fprintf(stderr,
+                cGREEN "  DTLS-KEM handshake test succeeded: %s" cNORM "\n",
+                group_name);
+    } else {
+        fprintf(stderr,
+                cRED
+                "  DTLS-KEM handshake test failed: %s, return code: %d" cNORM
+                "\n",
+                group_name, ret);
+        ERR_print_errors_fp(stderr);
+        (*errcnt)++;
+    }
+#endif
+
 err:
     OPENSSL_free(group_name);
     return ret;

@@ -18,7 +18,7 @@ static char *configfile = NULL;
 static char *certsdir = NULL;
 
 #ifdef OSSL_CAPABILITY_TLS_SIGALG_NAME
-static int test_oqs_tlssig(const char *sig_name) {
+static int test_oqs_tlssig(const char *sig_name, int dtls_flag) {
     SSL_CTX *cctx = NULL, *sctx = NULL;
     SSL *clientssl = NULL, *serverssl = NULL;
     int ret = 1, testresult = 0;
@@ -53,15 +53,16 @@ static int test_oqs_tlssig(const char *sig_name) {
         goto err;
     }
 
-    testresult =
-        create_tls1_3_ctx_pair(libctx, &sctx, &cctx, certpath, privkeypath);
+    testresult = create_tls1_3_ctx_pair(libctx, &sctx, &cctx, certpath,
+                                        privkeypath, dtls_flag);
 
     if (!testresult) {
         ret = -1;
         goto err;
     }
 
-    testresult = create_tls_objects(sctx, cctx, &serverssl, &clientssl);
+    testresult =
+        create_tls_objects(sctx, cctx, &serverssl, &clientssl, dtls_flag);
 
     if (!testresult) {
         ret = -2;
@@ -109,7 +110,7 @@ static int test_signature(const OSSL_PARAM params[], void *data) {
     if (sigalg_name == NULL)
         return 0;
 
-    ret = test_oqs_tlssig(sigalg_name);
+    ret = test_oqs_tlssig(sigalg_name, 0);
 
     if (ret >= 0) {
         fprintf(stderr,
@@ -125,6 +126,24 @@ static int test_signature(const OSSL_PARAM params[], void *data) {
         (*errcnt)++;
     }
 
+#ifdef DTLS1_3_VERSION
+    ret = test_oqs_tlssig(sigalg_name, 1);
+
+    if (ret >= 0) {
+        fprintf(stderr,
+                cGREEN "  DTLS-SIG handshake test succeeded: %s" cNORM "\n",
+                sigalg_name);
+    } else {
+        fprintf(stderr,
+                cRED
+                "  DTLS-SIG handshake test failed: %s, return code: %d" cNORM
+                "\n",
+                sigalg_name, ret);
+        ERR_print_errors_fp(stderr);
+        (*errcnt)++;
+    }
+#endif
+
 err:
     OPENSSL_free(sigalg_name);
     return ret;

@@ -43,23 +43,39 @@ int create_cert_key(OSSL_LIB_CTX *libctx, char *algname, char *certfilename,
 }
 /* end steal */
 int create_tls1_3_ctx_pair(OSSL_LIB_CTX *libctx, SSL_CTX **sctx, SSL_CTX **cctx,
-                           char *certfile, char *privkeyfile) {
+                           char *certfile, char *privkeyfile, int dtls_flag) {
     SSL_CTX *serverctx = NULL, *clientctx = NULL;
 
     if (sctx == NULL || cctx == NULL)
         goto err;
 
-    serverctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
-    clientctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
+    if (dtls_flag) {
+        serverctx = SSL_CTX_new_ex(libctx, NULL, DTLS_server_method());
+        clientctx = SSL_CTX_new_ex(libctx, NULL, DTLS_client_method());
+    } else {
+        serverctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
+        clientctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
+    }
 
     if (serverctx == NULL || clientctx == NULL)
         goto err;
 
     SSL_CTX_set_options(serverctx, SSL_OP_ALLOW_CLIENT_RENEGOTIATION);
-    SSL_CTX_set_min_proto_version(serverctx, TLS1_3_VERSION);
-    SSL_CTX_set_max_proto_version(serverctx, TLS1_3_VERSION);
-    SSL_CTX_set_min_proto_version(clientctx, TLS1_3_VERSION);
-    SSL_CTX_set_max_proto_version(clientctx, TLS1_3_VERSION);
+    if (dtls_flag) {
+#ifdef DTLS1_3_VERSION
+        if (!SSL_CTX_set_min_proto_version(serverctx, DTLS1_3_VERSION) ||
+            !SSL_CTX_set_max_proto_version(serverctx, DTLS1_3_VERSION) ||
+            !SSL_CTX_set_min_proto_version(clientctx, DTLS1_3_VERSION) ||
+            !SSL_CTX_set_max_proto_version(clientctx, DTLS1_3_VERSION))
+#endif
+            goto err;
+    } else {
+        if (!SSL_CTX_set_min_proto_version(serverctx, TLS1_3_VERSION) ||
+            !SSL_CTX_set_max_proto_version(serverctx, TLS1_3_VERSION) ||
+            !SSL_CTX_set_min_proto_version(clientctx, TLS1_3_VERSION) ||
+            !SSL_CTX_set_max_proto_version(clientctx, TLS1_3_VERSION))
+            goto err;
+    }
 
     if (!SSL_CTX_use_certificate_file(serverctx, certfile, SSL_FILETYPE_PEM))
         goto err;
@@ -81,7 +97,7 @@ int create_tls1_3_ctx_pair(OSSL_LIB_CTX *libctx, SSL_CTX **sctx, SSL_CTX **cctx,
 }
 
 int create_tls_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl,
-                       SSL **cssl) {
+                       SSL **cssl, int use_dgram) {
     SSL *serverssl = NULL, *clientssl = NULL;
     BIO *s_to_c_bio = NULL, *c_to_s_bio = NULL;
 
@@ -94,8 +110,19 @@ int create_tls_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl,
     if (serverssl == NULL || clientssl == NULL)
         goto err;
 
-    s_to_c_bio = BIO_new(BIO_s_mem());
-    c_to_s_bio = BIO_new(BIO_s_mem());
+    if (use_dgram) {
+#if (OPENSSL_VERSION_PREREQ(3, 2))
+        s_to_c_bio = BIO_new(BIO_s_dgram_mem());
+        c_to_s_bio = BIO_new(BIO_s_dgram_mem());
+#else
+        fprintf(stderr, "No DGRAM memory supported in this OpenSSL version.\n");
+        ERR_print_errors_fp(stderr);
+        goto err;
+#endif
+    } else {
+        s_to_c_bio = BIO_new(BIO_s_mem());
+        c_to_s_bio = BIO_new(BIO_s_mem());
+    }
 
     if (s_to_c_bio == NULL || c_to_s_bio == NULL)
         goto err;

@@ -4,9 +4,9 @@ int create_cert_key(OSSL_LIB_CTX *libctx, char *algname, char *certfilename,
                     char *privkeyfilename);
 
 int create_tls1_3_ctx_pair(OSSL_LIB_CTX *libctx, SSL_CTX **sctx, SSL_CTX **cctx,
-                           char *certfile, char *privkeyfile);
+                           char *certfile, char *privkeyfile, int dtls_flag);
 
 int create_tls_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl,
-                       SSL **cssl);
+                       SSL **cssl, int use_dgram);
 
 int create_tls_connection(SSL *serverssl, SSL *clientssl, int want);