From a05b0d75b0a077d280d9fd99a80f4261a5c6b4e9 Mon Sep 17 00:00:00 2001 From: Richard Barnes Date: Mon, 17 Jul 2023 16:04:48 -0400 Subject: [PATCH 01/11] Enable linking against BoringSSL --- CMakeLists.txt | 30 ++++++++++++++++++------------ lib/hpke/CMakeLists.txt | 8 +++++--- lib/hpke/test/CMakeLists.txt | 2 +- test/CMakeLists.txt | 2 +- 4 files changed, 25 insertions(+), 17 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 6bf7f0de..7c4fecb8 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -71,19 +71,25 @@ endif() ### # External libraries + +set(OPENSSL_ROOT_DIR "${CMAKE_CURRENT_SOURCE_DIR}/../boringssl/") +set(OPENSSL_INCLUDE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/../boringssl/include") +set(OPENSSL_CRYPTO_LIBRARY "${CMAKE_CURRENT_BINARY_DIR}/../boringssl/build/crypto/libcrypto.a") find_package(OpenSSL REQUIRED) -if ( OPENSSL_FOUND ) - if (${OPENSSL_VERSION} VERSION_GREATER_EQUAL 3) - add_compile_definitions(WITH_OPENSSL3) - elseif(${OPENSSL_VERSION} VERSION_LESS 1.1.1) - message(FATAL_ERROR "OpenSSL 1.1.1 or greater is required") - endif() - message(STATUS "OpenSSL Found: ${OPENSSL_VERSION}") - message(STATUS "OpenSSL Include: ${OPENSSL_INCLUDE_DIR}") - message(STATUS "OpenSSL Libraries: ${OPENSSL_LIBRARIES}") -else() - message(FATAL_ERROR "No OpenSSL library found") -endif() + +#find_package(OpenSSL REQUIRED) +#if ( OPENSSL_FOUND ) +# if (${OPENSSL_VERSION} VERSION_GREATER_EQUAL 3) +# add_compile_definitions(WITH_OPENSSL3) +# elseif(${OPENSSL_VERSION} VERSION_LESS 1.1.1) +# message(FATAL_ERROR "OpenSSL 1.1.1 or greater is required") +# endif() +# message(STATUS "OpenSSL Found: ${OPENSSL_VERSION}") +# message(STATUS "OpenSSL Include: ${OPENSSL_INCLUDE_DIR}") +# message(STATUS "OpenSSL Libraries: ${OPENSSL_LIBRARIES}") +#else() +# message(FATAL_ERROR "No OpenSSL library found") +#endif() # Internal libraries add_subdirectory(lib) diff --git a/lib/hpke/CMakeLists.txt b/lib/hpke/CMakeLists.txt index 3a1bb340..e1c1db14 100644 
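Review bot: The three added `set(OPENSSL_* ...)` lines hard-code a BoringSSL checkout in a sibling directory outside this repository, so the build links whatever `libcrypto.a` sits under `../boringssl/build/crypto/`, with no pinned revision and no way to select a system OpenSSL. The old `VERSION_LESS 1.1.1` gate is commented out rather than replaced, so nothing checks what `find_package(OpenSSL REQUIRED)` actually resolved to. Put the override behind a cache option with a user-supplied path, keep the version gate in the OpenSSL branch, and delete the commented-out block instead of leaving it in the file. The option and variable names in the sketch are suggestions only.

```cmake
option(MLS_USE_BORINGSSL "Link against a BoringSSL build instead of OpenSSL" OFF)
set(MLS_BORINGSSL_DIR "" CACHE PATH "Root of a BoringSSL checkout that contains build/")

if(MLS_USE_BORINGSSL)
  if(NOT IS_DIRECTORY "${MLS_BORINGSSL_DIR}")
    message(FATAL_ERROR "MLS_USE_BORINGSSL requires MLS_BORINGSSL_DIR to point at a BoringSSL checkout")
  endif()
  set(OPENSSL_ROOT_DIR "${MLS_BORINGSSL_DIR}")
  set(OPENSSL_INCLUDE_DIR "${MLS_BORINGSSL_DIR}/include")
  set(OPENSSL_CRYPTO_LIBRARY "${MLS_BORINGSSL_DIR}/build/crypto/libcrypto.a")
endif()

find_package(OpenSSL REQUIRED)
if(NOT MLS_USE_BORINGSSL)
  # … unchanged: OpenSSL version gate and status messages from the previous block …
endif()
```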
--- a/lib/hpke/CMakeLists.txt +++ b/lib/hpke/CMakeLists.txt @@ -3,7 +3,6 @@ set(CURRENT_LIB_NAME hpke) ### ### Dependencies ### -find_package(OpenSSL 1.1 REQUIRED) ### ### Library Config @@ -14,9 +13,12 @@ file(GLOB_RECURSE LIB_SOURCES CONFIGURE_DEPENDS "${CMAKE_CURRENT_SOURCE_DIR}/src add_library(${CURRENT_LIB_NAME} ${LIB_HEADERS} ${LIB_SOURCES}) add_dependencies(${CURRENT_LIB_NAME} bytes tls_syntax) -target_link_libraries(${CURRENT_LIB_NAME} PRIVATE bytes tls_syntax OpenSSL::Crypto) +target_link_libraries(${CURRENT_LIB_NAME} PRIVATE bytes tls_syntax crypto) target_include_directories(${CURRENT_LIB_NAME} - PUBLIC ${CMAKE_CURRENT_SOURCE_DIR}/include + PUBLIC + ${CMAKE_CURRENT_SOURCE_DIR}/include + PRIVATE + ${OPENSSL_INCLUDE_DIR} ) ### diff --git a/lib/hpke/test/CMakeLists.txt b/lib/hpke/test/CMakeLists.txt index 26b1de2b..a7c23089 100644 --- a/lib/hpke/test/CMakeLists.txt +++ b/lib/hpke/test/CMakeLists.txt @@ -8,7 +8,7 @@ file(GLOB TEST_SOURCES CONFIGURE_DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/*.cpp) add_executable(${TEST_APP_NAME} ${TEST_SOURCES}) add_dependencies(${TEST_APP_NAME} ${CURRENT_LIB_NAME} bytes tls_syntax) -target_link_libraries(${TEST_APP_NAME} ${CURRENT_LIB_NAME} bytes tls_syntax doctest::doctest OpenSSL::Crypto) +target_link_libraries(${TEST_APP_NAME} ${CURRENT_LIB_NAME} bytes tls_syntax doctest::doctest crypto) # Enable CTest include(doctest) diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt index 87af1c49..d25d0108 100644 --- a/test/CMakeLists.txt +++ b/test/CMakeLists.txt @@ -11,7 +11,7 @@ add_dependencies(${TEST_APP_NAME} ${LIB_NAME} bytes tls_syntax mls_vectors) target_include_directories(${TEST_APP_NAME} PRIVATE ${PROJECT_SOURCE_DIR}/src) target_link_libraries(${TEST_APP_NAME} ${LIB_NAME} bytes tls_syntax mls_vectors - doctest::doctest OpenSSL::Crypto) + doctest::doctest crypto) # Enable CTest include(doctest) From 434b132debe6c7e1bc6d3e0739ac4a24ddd7d0ed Mon Sep 17 00:00:00 2001 
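Review bot: Linking the bare name `crypto` in `target_link_libraries(${CURRENT_LIB_NAME} PRIVATE bytes tls_syntax crypto)` makes the linker search for `-lcrypto` on its default path, which can resolve to a system OpenSSL `libcrypto` while the headers come from `${OPENSSL_INCLUDE_DIR}` (BoringSSL). A header/library mismatch in the crypto dependency tends to surface at run time rather than at link time. Link the resolved artifact instead, e.g. `target_link_libraries(${CURRENT_LIB_NAME} PRIVATE bytes tls_syntax "${OPENSSL_CRYPTO_LIBRARY}")`, or keep `OpenSSL::Crypto` if `find_package` still defines it for this layout, which cannot be verified from the hunk. The same applies to the `crypto` entries in the lib/hpke/test/CMakeLists.txt and test/CMakeLists.txt hunks of this patch.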
From: Richard Barnes Date: Tue, 12 Sep 2023 14:10:19 -0400 Subject: [PATCH 02/11] Fix build errors with BoringSSL --- CMakeLists.txt | 4 +- include/mls/crypto.h | 4 + lib/hpke/CMakeLists.txt | 2 +- lib/hpke/include/hpke/hpke.h | 2 + lib/hpke/include/hpke/signature.h | 2 + lib/hpke/src/aead_cipher.cpp | 74 ++++++++++ lib/hpke/src/certificate.cpp | 15 +- lib/hpke/src/dhkem.cpp | 2 + lib/hpke/src/digest.cpp | 2 +- lib/hpke/src/group.cpp | 13 +- lib/hpke/src/hpke.cpp | 4 + lib/hpke/src/openssl_common.cpp | 9 ++ lib/hpke/src/signature.cpp | 4 + lib/hpke/test/CMakeLists.txt | 2 +- lib/hpke/test/common.cpp | 29 +++- lib/hpke/test/common.h | 3 + lib/hpke/test/hpke.cpp | 29 +++- lib/hpke/test/kem.cpp | 13 +- lib/hpke/test/signature.cpp | 212 +++++++++++++++------------ lib/mls_vectors/test/CMakeLists.txt | 2 +- lib/mls_vectors/test/mls_vectors.cpp | 4 +- src/credential.cpp | 2 + src/crypto.cpp | 58 +++++--- test/CMakeLists.txt | 2 +- test/session.cpp | 19 +++ 25 files changed, 378 insertions(+), 134 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 7c4fecb8..755e3e77 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -74,8 +74,10 @@ endif() set(OPENSSL_ROOT_DIR "${CMAKE_CURRENT_SOURCE_DIR}/../boringssl/") set(OPENSSL_INCLUDE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/../boringssl/include") -set(OPENSSL_CRYPTO_LIBRARY "${CMAKE_CURRENT_BINARY_DIR}/../boringssl/build/crypto/libcrypto.a") +set(OPENSSL_CRYPTO_LIBRARY "${CMAKE_CURRENT_SOURCE_DIR}/../boringssl/build/crypto/libcrypto.a") find_package(OpenSSL REQUIRED) +add_compile_definitions(WITH_BORINGSSL) +add_compile_options(-Wno-gnu-anonymous-struct -Wno-nested-anon-types) #find_package(OpenSSL REQUIRED) #if ( OPENSSL_FOUND ) diff --git a/include/mls/crypto.h b/include/mls/crypto.h index ab507ebb..838f456a 100644 --- a/include/mls/crypto.h +++ b/include/mls/crypto.h 
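Review bot: `add_compile_definitions(WITH_BORINGSSL)` is unconditional and directory-scoped, so every target is compiled with the X448/Ed448 paths removed and no configuration builds against OpenSSL any more. `add_compile_options(-Wno-gnu-anonymous-struct -Wno-nested-anon-types)` also silences those warnings for the project's own sources, not only for the BoringSSL headers that presumably trigger them. Gate both behind a build option, and add the crypto include directory as a system include, e.g. `target_include_directories(${CURRENT_LIB_NAME} SYSTEM PRIVATE ${OPENSSL_INCLUDE_DIR})`, so header warnings are suppressed without loosening diagnostics for first-party code.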
@@ -133,7 +133,11 @@ struct CipherSuite static const bytes& reference_label(); }; +#if WITH_BORINGSSL +extern const std::array all_supported_suites; +#else extern const std::array all_supported_suites; +#endif // Utilities using hpke::random_bytes; diff --git a/lib/hpke/CMakeLists.txt b/lib/hpke/CMakeLists.txt index e1c1db14..b1f493c2 100644 --- a/lib/hpke/CMakeLists.txt +++ b/lib/hpke/CMakeLists.txt @@ -13,7 +13,7 @@ file(GLOB_RECURSE LIB_SOURCES CONFIGURE_DEPENDS "${CMAKE_CURRENT_SOURCE_DIR}/src add_library(${CURRENT_LIB_NAME} ${LIB_HEADERS} ${LIB_SOURCES}) add_dependencies(${CURRENT_LIB_NAME} bytes tls_syntax) -target_link_libraries(${CURRENT_LIB_NAME} PRIVATE bytes tls_syntax crypto) +target_link_libraries(${CURRENT_LIB_NAME} PRIVATE bytes tls_syntax) target_include_directories(${CURRENT_LIB_NAME} PUBLIC ${CMAKE_CURRENT_SOURCE_DIR}/include diff --git a/lib/hpke/include/hpke/hpke.h b/lib/hpke/include/hpke/hpke.h index 302a2598..5ff10682 100644 --- a/lib/hpke/include/hpke/hpke.h +++ b/lib/hpke/include/hpke/hpke.h @@ -16,7 +16,9 @@ struct KEM DHKEM_P384_SHA384 = 0x0011, DHKEM_P521_SHA512 = 0x0012, DHKEM_X25519_SHA256 = 0x0020, +#if !defined(WITH_BORINGSSL) DHKEM_X448_SHA512 = 0x0021, +#endif }; template diff --git a/lib/hpke/include/hpke/signature.h b/lib/hpke/include/hpke/signature.h index 8ee0b39b..aa1fe770 100644 --- a/lib/hpke/include/hpke/signature.h +++ b/lib/hpke/include/hpke/signature.h @@ -15,7 +15,9 @@ struct Signature P384_SHA384, P521_SHA512, Ed25519, +#if !defined(WITH_BORINGSSL) Ed448, +#endif RSA_SHA256, RSA_SHA384, RSA_SHA512, diff --git a/lib/hpke/src/aead_cipher.cpp b/lib/hpke/src/aead_cipher.cpp index 35024190..496f37c3 100644 --- a/lib/hpke/src/aead_cipher.cpp +++ b/lib/hpke/src/aead_cipher.cpp @@ -3,6 +3,10 @@ #include +#if WITH_BORINGSSL +#include +#endif + namespace hpke { /// 
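Review bot: The declaration of `all_supported_suites` in this public header now depends on `WITH_BORINGSSL`, but that macro is set with a directory-scoped `add_compile_definitions` and is not exported to consumers of the library. A translation unit that includes `mls/crypto.h` without the macro would see the OpenSSL declaration while the library defines the BoringSSL array. The element counts are not legible in this hunk, but the two initializers in src/crypto.cpp differ in length, so this is a declaration/definition mismatch and a potential out-of-bounds read when iterating. Export the definition with the target, e.g. `target_compile_definitions(${LIB_NAME} PUBLIC WITH_BORINGSSL)`, or keep the macro out of the header. This hunk also tests `#if WITH_BORINGSSL` while hpke.h and signature.h use `#if !defined(WITH_BORINGSSL)`; pick one form.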
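Review bot: After this change `target_link_libraries(${CURRENT_LIB_NAME} PRIVATE bytes tls_syntax)` declares no crypto library for the `hpke` target, although its sources call into libcrypto. Linking then succeeds only because each test executable appends `${OPENSSL_CRYPTO_LIBRARY}` itself; any other consumer gets unresolved symbols or whichever libcrypto its own link line happens to supply. Keep the dependency on the target that uses it, e.g. `target_link_libraries(${CURRENT_LIB_NAME} PRIVATE bytes tls_syntax "${OPENSSL_CRYPTO_LIBRARY}")`.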
@@ -108,6 +112,25 @@ cipher_tag_size(AEAD::ID cipher) } } +#if WITH_BORINGSSL +static const EVP_AEAD* +boringssl_cipher(AEAD::ID cipher) +{ + switch (cipher) { + case AEAD::ID::AES_128_GCM: + return EVP_aead_aes_128_gcm(); + + case AEAD::ID::AES_256_GCM: + return EVP_aead_aes_256_gcm(); + + case AEAD::ID::CHACHA20_POLY1305: + return EVP_aead_chacha20_poly1305(); + + default: + throw std::runtime_error("Unsupported algorithm"); + } +} +#else static const EVP_CIPHER* openssl_cipher(AEAD::ID cipher) { @@ -125,6 +148,7 @@ openssl_cipher(AEAD::ID cipher) throw std::runtime_error("Unsupported algorithm"); } } +#endif // WITH_BORINGSSL AEADCipher::AEADCipher(AEAD::ID id_in) : AEAD(id_in, cipher_key_size(id_in), cipher_nonce_size(id_in)) @@ -138,6 +162,30 @@ AEADCipher::seal(const bytes& key, const bytes& aad, const bytes& pt) const { +#if WITH_BORINGSSL + auto ctx = make_typed_unique( + EVP_AEAD_CTX_new(boringssl_cipher(id), key.data(), key.size(), tag_size)); + if (ctx == nullptr) { + throw openssl_error(); + } + + auto ct = bytes(pt.size() + tag_size); + auto out_len = ct.size(); + if (1 != EVP_AEAD_CTX_seal(ctx.get(), + ct.data(), + &out_len, + ct.size(), + nonce.data(), + nonce.size(), + pt.data(), + pt.size(), + aad.data(), + aad.size())) { + throw openssl_error(); + } + + return ct; +#else auto ctx = make_typed_unique(EVP_CIPHER_CTX_new()); if (ctx == nullptr) { throw openssl_error(); @@ -184,6 +232,7 @@ AEADCipher::seal(const bytes& key, ct += tag; return ct; +#endif // WITH_BORINGSSL } std::optional 
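Review bot: In the BoringSSL branch of `seal`, `out_len` is passed to `EVP_AEAD_CTX_seal` but never read afterwards, so the function returns the whole pre-sized buffer regardless of how many bytes were written. For the three AEADs in `boringssl_cipher` the output should be exactly `pt.size() + tag_size`, but that invariant is assumed rather than checked. Add `if (out_len != ct.size()) { throw openssl_error(); }` before `return ct;` so a short write cannot return trailing zero bytes as ciphertext. The function body starts before the hunk.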
@@ -196,6 +245,30 @@ AEADCipher::open(const bytes& key, throw std::runtime_error("AEAD ciphertext smaller than tag size"); } +#if WITH_BORINGSSL + auto ctx = make_typed_unique(EVP_AEAD_CTX_new( + boringssl_cipher(id), key.data(), key.size(), cipher_tag_size(id))); + if (ctx == nullptr) { + throw openssl_error(); + } + + auto pt = bytes(ct.size() - tag_size); + auto out_len = pt.size(); + if (1 != EVP_AEAD_CTX_open(ctx.get(), + pt.data(), + &out_len, + pt.size(), + nonce.data(), + nonce.size(), + ct.data(), + ct.size(), + aad.data(), + aad.size())) { + throw openssl_error(); + } + + return pt; +#else auto ctx = make_typed_unique(EVP_CIPHER_CTX_new()); if (ctx == nullptr) { throw openssl_error(); @@ -242,6 +315,7 @@ AEADCipher::open(const bytes& key, } return pt; +#endif // WITH_BORINGSSL } } // namespace hpke diff --git a/lib/hpke/src/certificate.cpp b/lib/hpke/src/certificate.cpp index b7ec7d02..f1c61e59 100644 --- a/lib/hpke/src/certificate.cpp +++ b/lib/hpke/src/certificate.cpp @@ -227,13 +227,22 @@ struct Certificate::ParsedCertificate static Signature::ID public_key_algorithm(X509* x509) { - switch (EVP_PKEY_base_id(X509_get0_pubkey(x509))) { +#if WITH_BORINGSSL + const auto pub = make_typed_unique(X509_get_pubkey(x509)); + const auto* pub_ptr = pub.get(); +#else + const auto* pub_ptr = X509_get0_pubkey(x509); +#endif + + switch (EVP_PKEY_base_id(pub_ptr)) { case EVP_PKEY_ED25519: return Signature::ID::Ed25519; +#if !defined(WITH_BORINGSSL) case EVP_PKEY_ED448: return Signature::ID::Ed448; +#endif case EVP_PKEY_EC: { - auto key_size = EVP_PKEY_bits(X509_get0_pubkey(x509)); + auto key_size = EVP_PKEY_bits(pub_ptr); switch (key_size) { case 256: return Signature::ID::P256_SHA256; 
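Review bot: In the BoringSSL branch of `open`, a failed `EVP_AEAD_CTX_open` throws `openssl_error()`, yet the function returns `std::optional`, which suggests callers expect an empty result for a ciphertext that fails authentication. The OpenSSL branch's failure handling lies outside the hunk and should be confirmed. If it returns `std::nullopt`, the two backends now differ on attacker-controlled input, and an uncaught exception becomes a denial of service. Consider `return std::nullopt;` when the open call fails and `if (out_len != pt.size()) { throw openssl_error(); }` before `return pt;`, since `out_len` is currently ignored. The context is also created with `cipher_tag_size(id)` here but with `tag_size` in `seal`; use one of the two consistently.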
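Review bot: In `public_key_algorithm`, the result of `X509_get_pubkey(x509)` is passed to `EVP_PKEY_base_id(pub_ptr)` without a null check, although the call can return null when the certificate's key cannot be decoded. Certificates presumably arrive from peers, so an undecodable key should produce a clean error rather than a null dereference. Add `if (pub_ptr == nullptr) { throw openssl_error(); }` before the `switch`; placed after the `#endif` it also covers the `X509_get0_pubkey` branch. The function continues beyond the hunk.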
@@ -260,8 +269,10 @@ struct Certificate::ParsedCertificate switch (nid) { case EVP_PKEY_ED25519: return Signature::ID::Ed25519; +#if !defined(WITH_BORINGSSL) case EVP_PKEY_ED448: return Signature::ID::Ed448; +#endif case NID_ecdsa_with_SHA256: return Signature::ID::P256_SHA256; case NID_ecdsa_with_SHA384: diff --git a/lib/hpke/src/dhkem.cpp b/lib/hpke/src/dhkem.cpp index 1897d548..434d929b 100644 --- a/lib/hpke/src/dhkem.cpp +++ b/lib/hpke/src/dhkem.cpp @@ -61,6 +61,7 @@ DHKEM::get() return instance; } +#if !defined(WITH_BORINGSSL) template<> const DHKEM& DHKEM::get() @@ -70,6 +71,7 @@ DHKEM::get() KDF::get()); return instance; } +#endif DHKEM::DHKEM(KEM::ID kem_id_in, const Group& group_in, const KDF& kdf_in) : KEM(kem_id_in, diff --git a/lib/hpke/src/digest.cpp b/lib/hpke/src/digest.cpp index d2627ca7..daf7dc7c 100644 --- a/lib/hpke/src/digest.cpp +++ b/lib/hpke/src/digest.cpp @@ -142,7 +142,7 @@ Digest::hmac_for_hkdf_extract(const bytes& key, const bytes& data) const // OpenSSL 3 does not support the flag EVP_MD_CTX_FLAG_NON_FIPS_ALLOW anymore. // However, OpenSSL 3 in FIPS mode doesn't seem to check the HMAC key size // constraint. -#if !defined(WITH_OPENSSL3) +#if !defined(WITH_OPENSSL3) && !defined(WITH_BORINGSSL) static const auto fips_min_hmac_key_len = 14; if (FIPS_mode() != 0 && key_size < fips_min_hmac_key_len) { HMAC_CTX_set_flags(ctx.get(), EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); diff --git a/lib/hpke/src/group.cpp b/lib/hpke/src/group.cpp index 5afcd025..404ccf4a 100644 --- a/lib/hpke/src/group.cpp +++ b/lib/hpke/src/group.cpp @@ -5,6 +5,7 @@ #include "common.h" #include "openssl_common.h" +#include "openssl/bn.h" #include "openssl/ec.h" #include "openssl/evp.h" #include "openssl/obj_mac.h" 
@@ -491,7 +492,14 @@ struct ECKeyGroup : public EVPGroup #endif auto out = bytes(BN_num_bytes(d)); - if (BN_bn2bin(d, out.data()) != int(out.size())) { +#if WITH_BORINGSSL + // In BoringSSL, BN_bn2bin returns size_t + const auto out_size = out.size(); +#else + // In OpenSSL, BN_bn2bin returns int + const auto out_size = static_cast(out.size()); +#endif + if (BN_bn2bin(d, out.data()) != out_size) { throw openssl_error(); } @@ -723,6 +731,8 @@ Group::get() return instance; } +// BoringSSL doesn't support X448 / Ed448 +#if !defined(WITH_BORINGSSL) template<> const Group& Group::get() @@ -731,6 +741,7 @@ Group::get() KDF::get()); return instance; } +#endif template<> const Group& diff --git a/lib/hpke/src/hpke.cpp b/lib/hpke/src/hpke.cpp index 99c9fc07..dc64b03b 100644 --- a/lib/hpke/src/hpke.cpp +++ b/lib/hpke/src/hpke.cpp @@ -124,12 +124,14 @@ KEM::get() return DHKEM::get(); } +#if !defined(WITH_BORINGSSL) template<> const KEM& KEM::get() { return DHKEM::get(); } +#endif bytes KEM::serialize_private(const KEM::PrivateKey& /* unused */) const @@ -352,8 +354,10 @@ select_kem(KEM::ID id) return KEM::get(); case KEM::ID::DHKEM_X25519_SHA256: return KEM::get(); +#if !defined(WITH_BORINGSSL) case KEM::ID::DHKEM_X448_SHA512: return KEM::get(); +#endif default: throw std::runtime_error("Unsupported algorithm"); } diff --git a/lib/hpke/src/openssl_common.cpp b/lib/hpke/src/openssl_common.cpp index 34d5ddb3..b120f7a2 100644 --- a/lib/hpke/src/openssl_common.cpp +++ b/lib/hpke/src/openssl_common.cpp @@ -19,6 +19,15 @@ typed_delete(EVP_CIPHER_CTX* ptr) EVP_CIPHER_CTX_free(ptr); } +#if WITH_BORINGSSL +template<> +void +typed_delete(EVP_AEAD_CTX* ptr) +{ + EVP_AEAD_CTX_free(ptr); +} +#endif + template<> void typed_delete(EVP_PKEY_CTX* ptr) diff --git a/lib/hpke/src/signature.cpp b/lib/hpke/src/signature.cpp index a79cafea..6b71a092 100644 --- a/lib/hpke/src/signature.cpp +++ b/lib/hpke/src/signature.cpp 
@@ -39,8 +39,10 @@ struct GroupSignature : public Signature return Signature::ID::P521_SHA512; case Group::ID::Ed25519: return Signature::ID::Ed25519; +#if !defined(WITH_BORINGSSL) case Group::ID::Ed448: return Signature::ID::Ed448; +#endif default: throw std::runtime_error("Unsupported group"); } @@ -139,6 +141,7 @@ Signature::get() return instance; } +#if !defined(WITH_BORINGSSL) template<> const Signature& Signature::get() @@ -146,6 +149,7 @@ Signature::get() static const auto instance = GroupSignature(Group::get()); return instance; } +#endif template<> const Signature& diff --git a/lib/hpke/test/CMakeLists.txt b/lib/hpke/test/CMakeLists.txt index a7c23089..9e640b88 100644 --- a/lib/hpke/test/CMakeLists.txt +++ b/lib/hpke/test/CMakeLists.txt @@ -8,7 +8,7 @@ file(GLOB TEST_SOURCES CONFIGURE_DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/*.cpp) add_executable(${TEST_APP_NAME} ${TEST_SOURCES}) add_dependencies(${TEST_APP_NAME} ${CURRENT_LIB_NAME} bytes tls_syntax) -target_link_libraries(${TEST_APP_NAME} ${CURRENT_LIB_NAME} bytes tls_syntax doctest::doctest crypto) +target_link_libraries(${TEST_APP_NAME} ${CURRENT_LIB_NAME} bytes tls_syntax doctest::doctest ${OPENSSL_CRYPTO_LIBRARY}) # Enable CTest include(doctest) diff --git a/lib/hpke/test/common.cpp b/lib/hpke/test/common.cpp index cfd0d930..0afa36fc 100644 --- a/lib/hpke/test/common.cpp +++ b/lib/hpke/test/common.cpp @@ -49,8 +49,11 @@ fips_disable(AEAD::ID id) bool fips_disable(Signature::ID id) { - static const auto disabled = std::set{ + static const auto disabled = std::set + { +#if !defined(WITH_BORINGSSL) Signature::ID::Ed448, +#endif }; return disabled.count(id) > 0; } @@ -71,8 +74,10 @@ select_signature(Signature::ID id) case Signature::ID::Ed25519: return Signature::get(); +#if !defined(WITH_BORINGSSL) case Signature::ID::Ed448: return Signature::get(); +#endif case Signature::ID::RSA_SHA256: return Signature::get(); 
@@ -88,6 +93,26 @@ select_signature(Signature::ID id) } } +bool +supported_kem(KEM::ID id) +{ + switch (id) { + case KEM::ID::DHKEM_P256_SHA256: + case KEM::ID::DHKEM_P384_SHA384: + case KEM::ID::DHKEM_P521_SHA512: + case KEM::ID::DHKEM_X25519_SHA256: + return true; + +#if !defined(WITH_BORINGSSL) + case KEM::ID::DHKEM_X448_SHA512: + return true; +#endif + + default: + return false; + } +} + const KEM& select_kem(KEM::ID id) { @@ -104,8 +129,10 @@ select_kem(KEM::ID id) case KEM::ID::DHKEM_X25519_SHA256: return KEM::get(); +#if !defined(WITH_BORINGSSL) case KEM::ID::DHKEM_X448_SHA512: return KEM::get(); +#endif default: throw std::runtime_error("Unknown algorithm"); diff --git a/lib/hpke/test/common.h b/lib/hpke/test/common.h index b029ba73..3b6487c7 100644 --- a/lib/hpke/test/common.h +++ b/lib/hpke/test/common.h @@ -18,6 +18,9 @@ fips_disable(Signature::ID id); const Signature& select_signature(Signature::ID id); +bool +supported_kem(KEM::ID id); + const KEM& select_kem(KEM::ID id); diff --git a/lib/hpke/test/hpke.cpp b/lib/hpke/test/hpke.cpp index e9841cd8..42d595cd 100644 --- a/lib/hpke/test/hpke.cpp +++ b/lib/hpke/test/hpke.cpp @@ -44,6 +44,10 @@ test_context(ReceiverContext& ctxR, const HPKETestVector& tv) static void test_base_vector(const HPKETestVector& tv) { + if (!supported_kem(tv.kem_id)) { + return; + } + const auto& kem = select_kem(tv.kem_id); auto hpke = HPKE(tv.kem_id, tv.kdf_id, tv.aead_id); @@ -62,6 +66,10 @@ test_base_vector(const HPKETestVector& tv) static void test_psk_vector(const HPKETestVector& tv) { + if (!supported_kem(tv.kem_id)) { + return; + } + const auto& kem = select_kem(tv.kem_id); auto hpke = HPKE(tv.kem_id, tv.kdf_id, tv.aead_id); @@ -80,6 +88,10 @@ test_psk_vector(const HPKETestVector& tv) static void test_auth_vector(const HPKETestVector& tv) { + if (!supported_kem(tv.kem_id)) { + return; + } + const auto& kem = select_kem(tv.kem_id); auto hpke = HPKE(tv.kem_id, tv.kdf_id, tv.aead_id); 
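Review bot: The early `return` added to `test_base_vector`, `test_psk_vector` and `test_auth_vector` (and to `test_auth_psk_vector` in the following hunk) drops unsupported vectors without a trace, so a mistake in `supported_kem` that rejects a supported KEM would let the known-answer suite pass vacuously. Make the skip visible, e.g. `MESSAGE("skipping HPKE vector: unsupported KEM");` before `return;`, or count the vectors actually exercised and require the count to be non-zero at the end of the test case.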
@@ -106,6 +118,10 @@ test_auth_vector(const HPKETestVector& tv) static void test_auth_psk_vector(const HPKETestVector& tv) { + if (!supported_kem(tv.kem_id)) { + return; + } + const auto& kem = select_kem(tv.kem_id); auto hpke = HPKE(tv.kem_id, tv.kdf_id, tv.aead_id); @@ -166,11 +182,14 @@ TEST_CASE("HPKE Round-Trip") { ensure_fips_if_required(); - const std::vector kems{ KEM::ID::DHKEM_P256_SHA256, - KEM::ID::DHKEM_P384_SHA384, - KEM::ID::DHKEM_P384_SHA384, - KEM::ID::DHKEM_P521_SHA512, - KEM::ID::DHKEM_X448_SHA512 }; + const std::vector kems + { + KEM::ID::DHKEM_P256_SHA256, KEM::ID::DHKEM_P384_SHA384, + KEM::ID::DHKEM_P384_SHA384, KEM::ID::DHKEM_P521_SHA512, +#if !defined(WITH_BORINGSSL) + KEM::ID::DHKEM_X448_SHA512 +#endif + }; const std::vector kdfs{ KDF::ID::HKDF_SHA256, KDF::ID::HKDF_SHA384, KDF::ID::HKDF_SHA512 }; diff --git a/lib/hpke/test/kem.cpp b/lib/hpke/test/kem.cpp index a62d509f..90a6d4bc 100644 --- a/lib/hpke/test/kem.cpp +++ b/lib/hpke/test/kem.cpp @@ -9,11 +9,14 @@ TEST_CASE("KEM round-trip") { ensure_fips_if_required(); - const std::vector ids{ KEM::ID::DHKEM_P256_SHA256, - KEM::ID::DHKEM_P384_SHA384, - KEM::ID::DHKEM_P384_SHA384, - KEM::ID::DHKEM_P521_SHA512, - KEM::ID::DHKEM_X448_SHA512 }; + const std::vector ids + { + KEM::ID::DHKEM_P256_SHA256, KEM::ID::DHKEM_P384_SHA384, + KEM::ID::DHKEM_P384_SHA384, KEM::ID::DHKEM_P521_SHA512, +#if !defined(WITH_BORINGSSL) + KEM::ID::DHKEM_X448_SHA512, +#endif + }; const auto plaintext = from_hex("00010203"); const auto seedS = from_hex("A0A0A0A0"); diff --git a/lib/hpke/test/signature.cpp b/lib/hpke/test/signature.cpp index 44c4d5f0..d7d854c1 100644 --- a/lib/hpke/test/signature.cpp +++ b/lib/hpke/test/signature.cpp @@ -18,7 +18,8 @@ TEST_CASE("Signature Known-Answer") bytes signature; }; - const std::vector cases{ + const std::vector cases + { // TODO(RLB): Add ECDSA known-answer tests { // https://tools.ietf.org/html/rfc8032#section-7.1 
@@ -37,31 +38,33 @@ TEST_CASE("Signature Known-Answer") "09351fc9ac90b3ecfdfbc7c66431e030" "3dca179c138ac17ad9bef1177331a704"), }, - { - // https://tools.ietf.org/html/rfc8032#section-7.2 - Signature::ID::Ed448, - true, - from_hex("d65df341ad13e008567688baedda8e9d" - "cdc17dc024974ea5b4227b6530e339bf" - "f21f99e68ca6968f3cca6dfe0fb9f4fa" - "b4fa135d5542ea3f01"), - from_hex("df9705f58edbab802c7f8363cfe5560a" - "b1c6132c20a9f1dd163483a26f8ac53a" - "39d6808bf4a1dfbd261b099bb03b3fb5" - "0906cb28bd8a081f00"), - from_hex("bd0f6a3747cd561bdddf4640a332461a" - "4a30a12a434cd0bf40d766d9c6d458e5" - "512204a30c17d1f50b5079631f64eb31" - "12182da3005835461113718d1a5ef944"), - from_hex("554bc2480860b49eab8532d2a533b7d5" - "78ef473eeb58c98bb2d0e1ce488a98b1" - "8dfde9b9b90775e67f47d4a1c3482058" - "efc9f40d2ca033a0801b63d45b3b722e" - "f552bad3b4ccb667da350192b61c508c" - "f7b6b5adadc2c8d9a446ef003fb05cba" - "5f30e88e36ec2703b349ca229c267083" - "3900"), - }, +#if !defined(WITH_BORINGSSL) + { + // https://tools.ietf.org/html/rfc8032#section-7.2 + Signature::ID::Ed448, + true, + from_hex("d65df341ad13e008567688baedda8e9d" + "cdc17dc024974ea5b4227b6530e339bf" + "f21f99e68ca6968f3cca6dfe0fb9f4fa" + "b4fa135d5542ea3f01"), + from_hex("df9705f58edbab802c7f8363cfe5560a" + "b1c6132c20a9f1dd163483a26f8ac53a" + "39d6808bf4a1dfbd261b099bb03b3fb5" + "0906cb28bd8a081f00"), + from_hex("bd0f6a3747cd561bdddf4640a332461a" + "4a30a12a434cd0bf40d766d9c6d458e5" + "512204a30c17d1f50b5079631f64eb31" + "12182da3005835461113718d1a5ef944"), + from_hex("554bc2480860b49eab8532d2a533b7d5" + "78ef473eeb58c98bb2d0e1ce488a98b1" + "8dfde9b9b90775e67f47d4a1c3482058" + "efc9f40d2ca033a0801b63d45b3b722e" + "f552bad3b4ccb667da350192b61c508c" + "f7b6b5adadc2c8d9a446ef003fb05cba" + "5f30e88e36ec2703b349ca229c267083" + "3900"), + }, +#endif }; for (const auto& tc : cases) { 
@@ -97,7 +100,8 @@ TEST_CASE("Signature Verify Known-Answer") bytes signature; }; - const std::vector cases{ + const std::vector cases + { { Signature::ID::P256_SHA256, from_hex( 
@@ -112,67 +116,87 @@ TEST_CASE("Signature Verify Known-Answer") "86f94b88c02203b6a5e140d2d13ebec80636bfb1e32d17fe3d7f2983a53104e" "101e766830453a"), }, - { - Signature::ID::P384_SHA384, - from_hex( - "04d5a2abcb844865a479af773f9db66f5b8994710e2617e8b3c7ab4555f023f8e71a42" - "291416cdf9ea288874c5cc9f38a49b6e7cc96a3a65f60a42a05e233af26c94e0cc23c8" - "ee60177f1e1e3b52514a8de018addcc97245c2bef6bdd9ea7149da"), - from_hex( - "4be880bc0ccc92f79ed58b2c78268e28610719fb654b7d8b8aceae09e9e9ec3115de63" - "3d5dbeb36762a67d48b0fd1c74cd499058557638372bb5d76f88a5ea00194f9c0b1578" - "a9b5833d8d001ce847d4a55212601d514d6134f581f4c9a1f7bc5564ceaf28169c7fff" - "70fbc67087da868826913dab1f1dcfdf045d027e7460b7"), - from_hex( - "3064023036da67b80ca54e25cffd8c7992d406118de661c9ff40ed0468938b04d71009" - "7a3f5a947d2cb5420a5af6ca9b7a8684cb023042950fa4859def74cee5066f974b7a49" - "cd43899468831970b736b7bbb95338d1dd0c9e9034c9801f414982580fe9e590"), - }, - { - Signature::ID::P521_SHA512, - from_hex( - "0400a659dcddfafe88ebbba8c04155870e0315794c7bd5a0c53ed9b57bcfaa36d79743" - "5b40a74d62ba4104d62e166538e6f88d832aa047b6ed3cd119a477000f3362df01855f" - "4e61ed4be7e81ed5f566ef6455a4fb588db6e6e44f57dc4271ac3d22cdba16d361db47" - "8fa4fb233fd71179633e722615c33cfbd1d556cc29a839121c37b982"), - from_hex( - "6abe2712353e03ef03571a9679a3f1e889937d5ffc0df431fab44a408ce8cc37449f94" - "28aae783a2ce200bb7ed546a1a92ea3555b45552844d15d6d86b662778e33124304691" - "16615523990495dd3352b374792d591384123c3c7ca81ad42b9f6e856426a82dddd284" - "d2f447df243067af6fe7f73cc4a368cb7cd53240af21d6"), - from_hex( - "3081880242015a033045a1bf86b3e1017826dd226604d78d129dcfca84f4020063beec" - "03e0b4bedbedacbf1b0d1285ddbd0c7107078ac200be9876577025ffdd898e97f648f7" - "80024201afcf701a73ab224ea5a0b6399fc231da0e7f1a8649df17ef2d5171fc4dc278" - "6923727c2edc4f0ad9e98825750596be312d0109d47888ab6481c688a287b0aac6b0"), - }, - { - Signature::ID::Ed25519, - from_hex( - "923654bbdbacc72ab6c568208719c7cb866c3f89c366914ae90d604ef360c5c8"), - 
from_hex( - "dab12589702ff146b4e83b808da4007ff4ea4a358af2f7baa6861f08fb11ed71e338b2" - "fa01c7a68f86daaed5c1f00683bd5a2e511f773ac3e664222692297d7b469fcae561e6" - "1a8127bef87978449ec640883c0ba17d4f1741ed4ec94443b0fa0db1a139ad219ff7a4" - "ac34ced9c7d74e4bf608a1d8f792c0bf28eedbf2536af7"), - from_hex( - "460396e559547d5faa532503b9a15bdd4d9b7415f3e71327adb1dd1cc21eb905dd9654" - "136772745f5cc9d9ffdf6bed05b9b17491a2ae8309e847bc1c7f4d6e0c"), - }, - { - Signature::ID::Ed448, - from_hex("7d60a1da10701ca4579de441643a545e334fddf18f6159ad2e8d2d914877a82" - "ea95f0b1bdac911dfb2499d3ccf814ebe69b09f9914c6aca000"), - from_hex( - "074f95d4f746a270af113b5650da98dcb247ef9839e480e99961a2cc998058e2b98be3" - "f949ceb7b000973127c0f79e54644f3b750763c2e904ac2179aa0a7e03da4e6d848f50" - "8323ff81e4a6d20b4eb89fed06a9117383daa50e13d25e6e1c740691021379005d140a" - "8e2157744cf7717f95a503d8e3740a081efa27146974c6"), - from_hex("902aa0a168a9e7a547a1736fb52b491f857fe8984b9a5a5b2ae50b3c2c3b232" - "894ae055013b256218cea79c4b4055719de3a6fbb2b0be0470062bc9e76f89e" - "4ffc4c08cbd8ce50de80bae8029b78ced07cce09bc75c9b2eedcf402ed0e74c" - "8078326f8ab69960d8062d2294ad1ff63901b00"), - }, + { + Signature::ID::P384_SHA384, + from_hex("04d5a2abcb844865a479af773f9db66f5b8994710e2617e8b3c7ab4555f02" + "3f8e71a42" + "291416cdf9ea288874c5cc9f38a49b6e7cc96a3a65f60a42a05e233af26c9" + "4e0cc23c8" + "ee60177f1e1e3b52514a8de018addcc97245c2bef6bdd9ea7149da"), + from_hex("4be880bc0ccc92f79ed58b2c78268e28610719fb654b7d8b8aceae09e9e9e" + "c3115de63" + "3d5dbeb36762a67d48b0fd1c74cd499058557638372bb5d76f88a5ea00194" + "f9c0b1578" + "a9b5833d8d001ce847d4a55212601d514d6134f581f4c9a1f7bc5564ceaf2" + "8169c7fff" + "70fbc67087da868826913dab1f1dcfdf045d027e7460b7"), + from_hex( + "3064023036da67b80ca54e25cffd8c7992d406118de661c9ff40ed0468938b04d710" + "09" + "7a3f5a947d2cb5420a5af6ca9b7a8684cb023042950fa4859def74cee5066f974b7a" + "49" + "cd43899468831970b736b7bbb95338d1dd0c9e9034c9801f414982580fe9e590"), + }, + { + 
Signature::ID::P521_SHA512, + from_hex("0400a659dcddfafe88ebbba8c04155870e0315794c7bd5a0c53ed9b57bcfa" + "a36d79743" + "5b40a74d62ba4104d62e166538e6f88d832aa047b6ed3cd119a477000f336" + "2df01855f" + "4e61ed4be7e81ed5f566ef6455a4fb588db6e6e44f57dc4271ac3d22cdba1" + "6d361db47" + "8fa4fb233fd71179633e722615c33cfbd1d556cc29a839121c37b982"), + from_hex("6abe2712353e03ef03571a9679a3f1e889937d5ffc0df431fab44a408ce8c" + "c37449f94" + "28aae783a2ce200bb7ed546a1a92ea3555b45552844d15d6d86b662778e33" + "124304691" + "16615523990495dd3352b374792d591384123c3c7ca81ad42b9f6e856426a" + "82dddd284" + "d2f447df243067af6fe7f73cc4a368cb7cd53240af21d6"), + from_hex("3081880242015a033045a1bf86b3e1017826dd226604d78d129dcfca84f40" + "20063beec" + "03e0b4bedbedacbf1b0d1285ddbd0c7107078ac200be9876577025ffdd898" + "e97f648f7" + "80024201afcf701a73ab224ea5a0b6399fc231da0e7f1a8649df17ef2d517" + "1fc4dc278" + "6923727c2edc4f0ad9e98825750596be312d0109d47888ab6481c688a287b" + "0aac6b0"), + }, + { + Signature::ID::Ed25519, + from_hex( + "923654bbdbacc72ab6c568208719c7cb866c3f89c366914ae90d604ef360c5c8"), + from_hex("dab12589702ff146b4e83b808da4007ff4ea4a358af2f7baa6861f08fb11e" + "d71e338b2" + "fa01c7a68f86daaed5c1f00683bd5a2e511f773ac3e664222692297d7b469" + "fcae561e6" + "1a8127bef87978449ec640883c0ba17d4f1741ed4ec94443b0fa0db1a139a" + "d219ff7a4" + "ac34ced9c7d74e4bf608a1d8f792c0bf28eedbf2536af7"), + from_hex("460396e559547d5faa532503b9a15bdd4d9b7415f3e71327adb1dd1cc21eb" + "905dd9654" + "136772745f5cc9d9ffdf6bed05b9b17491a2ae8309e847bc1c7f4d6e0c"), + }, +#if !defined(WITH_BORINGSSL) + { + Signature::ID::Ed448, + from_hex( + "7d60a1da10701ca4579de441643a545e334fddf18f6159ad2e8d2d914877a82" + "ea95f0b1bdac911dfb2499d3ccf814ebe69b09f9914c6aca000"), + from_hex("074f95d4f746a270af113b5650da98dcb247ef9839e480e99961a2cc99805" + "8e2b98be3" + "f949ceb7b000973127c0f79e54644f3b750763c2e904ac2179aa0a7e03da4" + "e6d848f50" + "8323ff81e4a6d20b4eb89fed06a9117383daa50e13d25e6e1c74069102137" + "9005d140a" + 
"8e2157744cf7717f95a503d8e3740a081efa27146974c6"), + from_hex( + "902aa0a168a9e7a547a1736fb52b491f857fe8984b9a5a5b2ae50b3c2c3b232" + "894ae055013b256218cea79c4b4055719de3a6fbb2b0be0470062bc9e76f89e" + "4ffc4c08cbd8ce50de80bae8029b78ced07cce09bc75c9b2eedcf402ed0e74c" + "8078326f8ab69960d8062d2294ad1ff63901b00"), + }, +#endif }; for (const auto& tc : cases) { @@ -194,11 +218,15 @@ TEST_CASE("Signature Round-Trip") { ensure_fips_if_required(); - const std::vector ids{ + const std::vector ids + { Signature::ID::P256_SHA256, Signature::ID::P384_SHA384, - Signature::ID::P521_SHA512, Signature::ID::Ed25519, - Signature::ID::Ed448, Signature::ID::RSA_SHA256, - Signature::ID::RSA_SHA384, Signature::ID::RSA_SHA512, + Signature::ID::P521_SHA512, Signature::ID::Ed25519, +#if !defined(WITH_BORINGSSL) + Signature::ID::Ed448, +#endif + Signature::ID::RSA_SHA256, Signature::ID::RSA_SHA384, + Signature::ID::RSA_SHA512, }; const auto data = from_hex("00010203"); diff --git a/lib/mls_vectors/test/CMakeLists.txt b/lib/mls_vectors/test/CMakeLists.txt index 360f03aa..9e640b88 100644 --- a/lib/mls_vectors/test/CMakeLists.txt +++ b/lib/mls_vectors/test/CMakeLists.txt @@ -8,7 +8,7 @@ file(GLOB TEST_SOURCES CONFIGURE_DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/*.cpp) add_executable(${TEST_APP_NAME} ${TEST_SOURCES}) add_dependencies(${TEST_APP_NAME} ${CURRENT_LIB_NAME} bytes tls_syntax) -target_link_libraries(${TEST_APP_NAME} ${CURRENT_LIB_NAME} bytes tls_syntax doctest::doctest) +target_link_libraries(${TEST_APP_NAME} ${CURRENT_LIB_NAME} bytes tls_syntax doctest::doctest ${OPENSSL_CRYPTO_LIBRARY}) # Enable CTest include(doctest) diff --git a/lib/mls_vectors/test/mls_vectors.cpp b/lib/mls_vectors/test/mls_vectors.cpp index 592b3f7a..4c55e16c 100644 --- a/lib/mls_vectors/test/mls_vectors.cpp +++ b/lib/mls_vectors/test/mls_vectors.cpp 
@@ -8,9 +8,11 @@ static const std::vector supported_suites{ { mls::CipherSuite::ID::X25519_AES128GCM_SHA256_Ed25519 }, { mls::CipherSuite::ID::P256_AES128GCM_SHA256_P256 }, { mls::CipherSuite::ID::X25519_CHACHA20POLY1305_SHA256_Ed25519 }, - { mls::CipherSuite::ID::X448_AES256GCM_SHA512_Ed448 }, { mls::CipherSuite::ID::P521_AES256GCM_SHA512_P521 }, +#if !defined(WITH_BORINGSSL) + { mls::CipherSuite::ID::X448_AES256GCM_SHA512_Ed448 }, { mls::CipherSuite::ID::X448_CHACHA20POLY1305_SHA512_Ed448 }, +#endif }; TEST_CASE("Tree Math") diff --git a/src/credential.cpp b/src/credential.cpp index 88737f32..301af4fb 100644 --- a/src/credential.cpp +++ b/src/credential.cpp @@ -23,8 +23,10 @@ find_signature(Signature::ID id) return Signature::get(); case Signature::ID::Ed25519: return Signature::get(); +#if !defined(WITH_BORINGSSL) case Signature::ID::Ed448: return Signature::get(); +#endif case Signature::ID::RSA_SHA256: return Signature::get(); default: diff --git a/src/crypto.cpp b/src/crypto.cpp index 3236e026..dedf0442 100644 --- a/src/crypto.cpp +++ b/src/crypto.cpp @@ -25,8 +25,10 @@ tls_signature_scheme(Signature::ID id) return SignatureScheme::ecdsa_secp521r1_sha512; case Signature::ID::Ed25519: return SignatureScheme::ed25519; +#if !defined(WITH_BORINGSSL) case Signature::ID::Ed448: return SignatureScheme::ed448; +#endif case Signature::ID::RSA_SHA256: return SignatureScheme::rsa_pkcs1_sha256; default: 
@@ -97,18 +99,26 @@ CipherSuite::get() const Signature::get(), }; - static const auto ciphers_X448_AES256GCM_SHA512_Ed448 = CipherSuite::Ciphers{ + static const auto ciphers_P521_AES256GCM_SHA512_P521 = CipherSuite::Ciphers{ HPKE( - KEM::ID::DHKEM_X448_SHA512, KDF::ID::HKDF_SHA512, AEAD::ID::AES_256_GCM), + KEM::ID::DHKEM_P521_SHA512, KDF::ID::HKDF_SHA512, AEAD::ID::AES_256_GCM), Digest::get(), - Signature::get(), + Signature::get(), }; - static const auto ciphers_P521_AES256GCM_SHA512_P521 = CipherSuite::Ciphers{ + static const auto ciphers_P384_AES256GCM_SHA384_P384 = CipherSuite::Ciphers{ HPKE( - KEM::ID::DHKEM_P521_SHA512, KDF::ID::HKDF_SHA512, AEAD::ID::AES_256_GCM), + KEM::ID::DHKEM_P384_SHA384, KDF::ID::HKDF_SHA384, AEAD::ID::AES_256_GCM), + Digest::get(), + Signature::get(), + }; + +#if !defined(WITH_BORINGSSL) + static const auto ciphers_X448_AES256GCM_SHA512_Ed448 = CipherSuite::Ciphers{ + HPKE( + KEM::ID::DHKEM_X448_SHA512, KDF::ID::HKDF_SHA512, AEAD::ID::AES_256_GCM), Digest::get(), - Signature::get(), + Signature::get(), }; static const auto ciphers_X448_CHACHA20POLY1305_SHA512_Ed448 = @@ -119,13 +129,7 @@ CipherSuite::get() const Digest::get(), Signature::get(), }; - - static const auto ciphers_P384_AES256GCM_SHA384_P384 = CipherSuite::Ciphers{ - HPKE( - KEM::ID::DHKEM_P384_SHA384, KDF::ID::HKDF_SHA384, AEAD::ID::AES_256_GCM), - Digest::get(), - Signature::get(), - }; +#endif switch (id) { case ID::unknown: 
@@ -140,18 +144,20 @@ CipherSuite::get() const case ID::X25519_CHACHA20POLY1305_SHA256_Ed25519: return ciphers_X25519_CHACHA20POLY1305_SHA256_Ed25519; - case ID::X448_AES256GCM_SHA512_Ed448: - return ciphers_X448_AES256GCM_SHA512_Ed448; - case ID::P521_AES256GCM_SHA512_P521: return ciphers_P521_AES256GCM_SHA512_P521; - case ID::X448_CHACHA20POLY1305_SHA512_Ed448: - return ciphers_X448_CHACHA20POLY1305_SHA512_Ed448; - case ID::P384_AES256GCM_SHA384_P384: return ciphers_P384_AES256GCM_SHA384_P384; +#if !defined(WITH_BORINGSSL) + case ID::X448_AES256GCM_SHA512_Ed448: + return ciphers_X448_AES256GCM_SHA512_Ed448; + + case ID::X448_CHACHA20POLY1305_SHA512_Ed448: + return ciphers_X448_CHACHA20POLY1305_SHA512_Ed448; +#endif + default: throw InvalidParameterError("Unsupported ciphersuite"); } @@ -193,15 +199,25 @@ CipherSuite::derive_tree_secret(const bytes& secret, return expand_with_label(secret, label, tls::marshal(generation), length); } +#if WITH_BORINGSSL +const std::array all_supported_suites = { + CipherSuite::ID::X25519_AES128GCM_SHA256_Ed25519, + CipherSuite::ID::P256_AES128GCM_SHA256_P256, + CipherSuite::ID::X25519_CHACHA20POLY1305_SHA256_Ed25519, + CipherSuite::ID::P521_AES256GCM_SHA512_P521, + CipherSuite::ID::P384_AES256GCM_SHA384_P384, +}; +#else const std::array all_supported_suites = { CipherSuite::ID::X25519_AES128GCM_SHA256_Ed25519, CipherSuite::ID::P256_AES128GCM_SHA256_P256, CipherSuite::ID::X25519_CHACHA20POLY1305_SHA256_Ed25519, - CipherSuite::ID::X448_AES256GCM_SHA512_Ed448, CipherSuite::ID::P521_AES256GCM_SHA512_P521, - CipherSuite::ID::X448_CHACHA20POLY1305_SHA512_Ed448, CipherSuite::ID::P384_AES256GCM_SHA384_P384, + CipherSuite::ID::X448_CHACHA20POLY1305_SHA512_Ed448, + CipherSuite::ID::X448_AES256GCM_SHA512_Ed448, }; +#endif // MakeKeyPackageRef(value) = KDF.expand( // KDF.extract("", value), "MLS 1.0 KeyPackage Reference", 16) diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt index d25d0108..182e2cfc 100644 --- a/test/CMakeLists.txt 
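Review bot: The guard added around `all_supported_suites` is spelled `#if WITH_BORINGSSL`, while every other guard in this patch is `#if !defined(WITH_BORINGSSL)`; the two only agree when the macro is defined to a non-zero value, and `#if WITH_BORINGSSL` is a preprocessor error if it is ever defined empty. I would write `#if defined(WITH_BORINGSSL)` here. The two branches hold five and seven entries, so the array's declared size, which is not visible in this hunk, has to be conditional in the same way. The non-BoringSSL branch also moves the two X448 suites to the end of the list, which changes the order seen by any caller that iterates or indexes the array; if that is intended, a short comment saying so would help.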
+++ b/test/CMakeLists.txt @@ -11,7 +11,7 @@ add_dependencies(${TEST_APP_NAME} ${LIB_NAME} bytes tls_syntax mls_vectors) target_include_directories(${TEST_APP_NAME} PRIVATE ${PROJECT_SOURCE_DIR}/src) target_link_libraries(${TEST_APP_NAME} ${LIB_NAME} bytes tls_syntax mls_vectors - doctest::doctest crypto) + doctest::doctest ${OPENSSL_CRYPTO_LIBRARY}) # Enable CTest include(doctest) diff --git a/test/session.cpp b/test/session.cpp index 89c75de9..192634f6 100644 --- a/test/session.cpp +++ b/test/session.cpp @@ -221,6 +221,24 @@ TEST_CASE_FIXTURE(RunningSessionTest, "Full Session Life-Cycle") } } +// XXX(RLB) BoringSSL rejects the leaf certificate here with the following error +// code: +// +// error:0b00008b:X.509 certificate routines:OPENSSL_internal:INVALID_FIELD_FOR_VERSION +// +// I have disabled the test for now, but given that the BoringSSL maintainers +// know what they're doing, there's probably a legitimate issue here and we +// should regenerate the test certificates. +// +// On a quick look, it appears that INVALID_FIELD_FOR_VERSION is returned when +// a field is present in the certificate that requires v2 or v3 according to RFC +// 5280 [1]. And in the decoding of these certificates, it looks like the +// version field is missing, thus v1 by default. (Interesting, given that +// I think we generated these with Go!) So the solution appears to be +// regenerating with an explicit version field set to v3. +// +// [1] https://boringssl.googlesource.com/boringssl.git/+/dd86e75b24dcfd47d4ee6b3e4cdce907389335b2%5E%21/ +#if !defined(WITH_BORINGSSL) TEST_CASE("Session with X509 Credential") { // leaf_cert with p-256 public key @@ -297,3 +315,4 @@ TEST_CASE("Session with X509 Credential") REQUIRE(alice_session.epoch_authenticator() == bob_session.epoch_authenticator()); } +#endif From 18735f99e427b252f95e470d44e935601d2f4a76 Mon Sep 17 00:00:00 2001 
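Review bot: Linking the test binary against `${OPENSSL_CRYPTO_LIBRARY}` passes a bare archive path, so the include directory no longer travels with the library and nothing ties the headers the tests compile against to the archive they link. With OpenSSL and BoringSSL both exposing `openssl/*.h`, that is the mismatch most likely to go unnoticed. If `find_package(OpenSSL)` resolves against the BoringSSL tree, the imported target keeps the two together: `doctest::doctest OpenSSL::Crypto)`. The call is also keyword-less; whether `PRIVATE` can be added depends on the other `target_link_libraries` calls for this target, which are outside the hunk.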
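Review bot: Compiling "Session with X509 Credential" out under `WITH_BORINGSSL` leaves the X.509 credential path without a session-level test in that configuration, and the case vanishes from the run instead of being reported as skipped. If the fixtures really are v1 certificates carrying extensions, as the XXX comment suspects, regenerating them with an explicit v3 version lets both backends run the same test. Until then the comment should point at a tracking item, e.g. `// TODO(<issue-id>): regenerate test certificates with version v3 and re-enable`, and the BoringSSL build could keep the case registered with doctest's `* doctest::skip(true)` decorator so the gap shows up in the test report.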
From: Richard Barnes Date: Tue, 12 Sep 2023 14:22:53 -0400 Subject: [PATCH 03/11] clang-format --- lib/hpke/src/signature.cpp | 11 ++++++----- lib/hpke/src/userinfo_vc.cpp | 17 +++++++++-------- lib/hpke/test/signature.cpp | 7 ++++--- lib/mls_vectors/test/mls_vectors.cpp | 13 +++++++------ test/session.cpp | 6 ++++-- 5 files changed, 30 insertions(+), 24 deletions(-) diff --git a/lib/hpke/src/signature.cpp b/lib/hpke/src/signature.cpp index 73384f3f..8860c18a 100644 --- a/lib/hpke/src/signature.cpp +++ b/lib/hpke/src/signature.cpp @@ -285,13 +285,14 @@ static const Signature& sig_from_jwk(const std::string& jwk_json) { using KeyTypeAndCurve = std::tuple; - static const auto alg_sig_map = std::map{ + static const auto alg_sig_map = std::map + { { { "EC", "P-256" }, Signature::get() }, - { { "EC", "P-384" }, Signature::get() }, - { { "EC", "P-512" }, Signature::get() }, - { { "OKP", "Ed25519" }, Signature::get() }, + { { "EC", "P-384" }, Signature::get() }, + { { "EC", "P-512" }, Signature::get() }, + { { "OKP", "Ed25519" }, Signature::get() }, #if !defined(WITH_BORINGSSL) - { { "OKP", "Ed448" }, Signature::get() }, + { { "OKP", "Ed448" }, Signature::get() }, #endif // TODO(RLB): RSA }; diff --git a/lib/hpke/src/userinfo_vc.cpp b/lib/hpke/src/userinfo_vc.cpp index cbba475a..e8ba105e 100644 --- a/lib/hpke/src/userinfo_vc.cpp +++ b/lib/hpke/src/userinfo_vc.cpp 
@@ -52,17 +52,18 @@ get_optional(const json& json_object, const std::string& field_name) static const Signature& signature_from_alg(const std::string& alg) { - static const auto alg_sig_map = std::map{ + static const auto alg_sig_map = std::map + { { "ES256", Signature::get() }, - { "ES384", Signature::get() }, - { "ES512", Signature::get() }, - { "Ed25519", Signature::get() }, + { "ES384", Signature::get() }, + { "ES512", Signature::get() }, + { "Ed25519", Signature::get() }, #if !defined(WITH_BORINGSSL) - { "Ed448", Signature::get() }, + { "Ed448", Signature::get() }, #endif - { "RS256", Signature::get() }, - { "RS384", Signature::get() }, - { "RS512", Signature::get() }, + { "RS256", Signature::get() }, + { "RS384", Signature::get() }, + { "RS512", Signature::get() }, }; return alg_sig_map.at(alg); diff --git a/lib/hpke/test/signature.cpp b/lib/hpke/test/signature.cpp index eee3c361..dd8782e3 100644 --- a/lib/hpke/test/signature.cpp +++ b/lib/hpke/test/signature.cpp @@ -273,11 +273,12 @@ TEST_CASE("Signature Round-Trip") TEST_CASE("Signature Key JWK Round-Trip") { ensure_fips_if_required(); - const std::vector ids{ + const std::vector ids + { Signature::ID::P256_SHA256, Signature::ID::P384_SHA384, - Signature::ID::P521_SHA512, Signature::ID::Ed25519, + Signature::ID::P521_SHA512, Signature::ID::Ed25519, #if !defined(WITH_BORINGSSL) - Signature::ID::Ed448, + Signature::ID::Ed448, #endif }; diff --git a/lib/mls_vectors/test/mls_vectors.cpp b/lib/mls_vectors/test/mls_vectors.cpp index 827635c9..7ff741b6 100644 --- a/lib/mls_vectors/test/mls_vectors.cpp +++ b/lib/mls_vectors/test/mls_vectors.cpp 
@@ -4,14 +4,15 @@ using namespace mls_vectors; -static const std::vector supported_suites{ +static const std::vector supported_suites +{ { MLS_NAMESPACE::CipherSuite::ID::X25519_AES128GCM_SHA256_Ed25519 }, - { MLS_NAMESPACE::CipherSuite::ID::P256_AES128GCM_SHA256_P256 }, - { MLS_NAMESPACE::CipherSuite::ID::X25519_CHACHA20POLY1305_SHA256_Ed25519 }, - { MLS_NAMESPACE::CipherSuite::ID::P521_AES256GCM_SHA512_P521 }, + { MLS_NAMESPACE::CipherSuite::ID::P256_AES128GCM_SHA256_P256 }, + { MLS_NAMESPACE::CipherSuite::ID::X25519_CHACHA20POLY1305_SHA256_Ed25519 }, + { MLS_NAMESPACE::CipherSuite::ID::P521_AES256GCM_SHA512_P521 }, #if !defined(WITH_BORINGSSL) - { MLS_NAMESPACE::CipherSuite::ID::X448_AES256GCM_SHA512_Ed448 }, - { MLS_NAMESPACE::CipherSuite::ID::X448_CHACHA20POLY1305_SHA512_Ed448 }, + { MLS_NAMESPACE::CipherSuite::ID::X448_AES256GCM_SHA512_Ed448 }, + { MLS_NAMESPACE::CipherSuite::ID::X448_CHACHA20POLY1305_SHA512_Ed448 }, #endif }; diff --git a/test/session.cpp b/test/session.cpp index 60b99004..da5df003 100644 --- a/test/session.cpp +++ b/test/session.cpp @@ -224,7 +224,8 @@ TEST_CASE_FIXTURE(RunningSessionTest, "Full Session Life-Cycle") // XXX(RLB) BoringSSL rejects the leaf certificate here with the following error // code: // -// error:0b00008b:X.509 certificate routines:OPENSSL_internal:INVALID_FIELD_FOR_VERSION +// error:0b00008b:X.509 certificate +// routines:OPENSSL_internal:INVALID_FIELD_FOR_VERSION // // I have disabled the test for now, but given that the BoringSSL maintainers // know what they're doing, there's probably a legitimate issue here and we 
@@ -237,7 +238,8 @@ TEST_CASE_FIXTURE(RunningSessionTest, "Full Session Life-Cycle") // I think we generated these with Go!) So the solution appears to be // regenerating with an explicit version field set to v3. // -// [1] https://boringssl.googlesource.com/boringssl.git/+/dd86e75b24dcfd47d4ee6b3e4cdce907389335b2%5E%21/ +// [1] +// https://boringssl.googlesource.com/boringssl.git/+/dd86e75b24dcfd47d4ee6b3e4cdce907389335b2%5E%21/ #if !defined(WITH_BORINGSSL) TEST_CASE("Session with X509 Credential") { From 084819bbd86b23184a6c723a0aba6abe1cf92cd4 Mon Sep 17 00:00:00 2001 From: Stephen Birarda Date: Mon, 9 Oct 2023 15:11:49 +0000 Subject: [PATCH 04/11] improved CMake, test workflow add info to readme for BoringSSL/OpenSSL undo spacing changes prepare for vcpkg enabled boringssl add test workflow for boringssl remove the cmake module path remove an extra newline fix a typo remove an extra newline --- .github/workflows/boring.yml | 135 ++++++++++++++++++++++++++ CMakeLists.txt | 52 ++++++---- README.md | 10 +- alternatives/boringssl_1.1/vcpkg.json | 21 ++++ 4 files changed, 197 insertions(+), 21 deletions(-) create mode 100644 .github/workflows/boring.yml create mode 100644 alternatives/boringssl_1.1/vcpkg.json diff --git a/.github/workflows/boring.yml b/.github/workflows/boring.yml new file mode 100644 index 00000000..8175f475 --- /dev/null +++ b/.github/workflows/boring.yml 
@@ -0,0 +1,135 @@ +name: MLSPP CI (BoringSSL Test) + +on: + pull_request: + branches: + - main + +env: + CTEST_OUTPUT_ON_FAILURE: 1 + CMAKE_BUILD_BORINGSSL_DIR: ${{ github.workspace }}/build_boringssl + CMAKE_TEST_BORINGSSL_DIR: ${{ github.workspace }}/build_boringssl/test + VCPKG_BINARY_SOURCES: files,${{ github.workspace }}/build/cache,readwrite + +jobs: + formatting-check: + name: Formatting Check + runs-on: ubuntu-latest + strategy: + matrix: + path: + - 'include' + - 'src' + - 'test' + - 'cmd' + - 'lib' + steps: + - uses: actions/checkout@v3 + + - name: Run clang-format style check for C/C++ programs + uses: jidicula/clang-format-action@v4.11.0 + with: + clang-format-version: '16' + check-path: ${{ matrix.path }} + fallback-style: 'Mozilla' + + quick-linux-interop-check: + needs: formatting-check + name: Quick Linux Check and Interop + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + - name: Dependencies (Ubuntu) + if: ${{ matrix.os == 'ubuntu-latest' }} + run: | + sudo apt-get install -y linux-headers-$(uname -r) + + - name: Restore cache + uses: actions/cache@v3 + with: + path: ${{ github.workspace }}/build/cache + key: VCPKG-BinaryCache-${{ runner.os }} + + - name: Build (BoringSSL 1.1) + run: | + cmake -B "${{ env.CMAKE_BUILD_BORINGSSL_DIR }}" -DTESTING=ON -DVCPKG_MANIFEST_DIR="alternatives/boringssl_1.1" -DCMAKE_TOOLCHAIN_FILE="$VCPKG_INSTALLATION_ROOT/scripts/buildsystems/vcpkg.cmake" -DREQUIRE_BORINGSSL=1 + cmake --build "${{ env.CMAKE_BUILD_BORINGSSL_DIR }}" + + - name: Unit Test (BoringSSL 1.1) + run: | + cmake --build "${{ env.CMAKE_BUILD_BORINGSSL_DIR }}" --target test + + - name: Build (Interop Harness) + run: | + cd cmd/interop + cmake -B build -DCMAKE_TOOLCHAIN_FILE="$VCPKG_INSTALLATION_ROOT/scripts/buildsystems/vcpkg.cmake" + cmake --build build + + - name: Test self-interop + run: | + make -C cmd/interop self-test + + - name: Test interop on test vectors + run: | + make -C cmd/interop interop-test + + - name: Test gRPC live 
interop with self + run: | + cd cmd/interop + ./grpc-self-test.sh + + platform-sanitizer-tests: + if: github.event.pull_request.draft == false + needs: quick-linux-interop-check + name: Build and test platforms using sanitizers and clang-tidy + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + os: [windows-latest, ubuntu-latest, macos-latest] + include: + - os: windows-latest + vcpkg-cmake-file: "$env:VCPKG_INSTALLATION_ROOT\\scripts\\buildsystems\\vcpkg.cmake" + boring-vcpkg-dir: "alternatives\\boringssl_1.1" + ctest-target: RUN_TESTS + - os: ubuntu-latest + vcpkg-cmake-file: "$VCPKG_INSTALLATION_ROOT/scripts/buildsystems/vcpkg.cmake" + boring-vcpkg-dir: "alternatives/boringssl_1.1" + ctest-target: test + - os: macos-latest + vcpkg-cmake-file: "$VCPKG_INSTALLATION_ROOT/scripts/buildsystems/vcpkg.cmake" + boring-vcpkg-dir: "alternatives/boringssl_1.1" + ctest-target: test + + steps: + - uses: actions/checkout@v3 + + - name: Dependencies (macOs) + if: ${{ matrix.os == 'macos-latest' }} + run: | + brew install llvm pkg-config + ln -s "/usr/local/opt/llvm/bin/clang-format" "/usr/local/bin/clang-format" + ln -s "/usr/local/opt/llvm/bin/clang-tidy" "/usr/local/bin/clang-tidy" + + - name: Dependencies (Ubuntu) + if: ${{ matrix.os == 'ubuntu-latest' }} + run: | + sudo apt-get install -y linux-headers-$(uname -r) + + - name: Restore cache + uses: actions/cache@v3 + with: + path: ${{ github.workspace }}/build/cache + key: VCPKG-BinaryCache-${{ runner.os }} + + - name: Build (BoringSSL 1.1) + run: | + cmake -B "${{ env.CMAKE_BUILD_BORINGSSL_DIR }}" -DTESTING=ON -DCLANG_TIDY=ON -DSANITIZERS=ON -DVCPKG_MANIFEST_DIR="${{ matrix.ossl3-vcpkg-dir }}" -DCMAKE_TOOLCHAIN_FILE="${{ matrix.vcpkg-cmake-file}}" -DREQUIRE_BORINGSSL=1 + cmake --build "${{ env.CMAKE_BUILD_BORINGSSL_DIR }}" + + - name: Unit Test (BoringSSL 1.1) + run: | + cmake --build "${{ env.CMAKE_BUILD_BORINGSSL_DIR }}" --target "${{ matrix.ctest-target}}" + + 
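Review bot: In `platform-sanitizer-tests` the configure step passes `-DVCPKG_MANIFEST_DIR="${{ matrix.ossl3-vcpkg-dir }}"`, but the matrix only defines `boring-vcpkg-dir`, so the expression expands to an empty string and the BoringSSL manifest is not selected; it should read `-DVCPKG_MANIFEST_DIR="${{ matrix.boring-vcpkg-dir }}"`. In `quick-linux-interop-check` the step condition `if: ${{ matrix.os == 'ubuntu-latest' }}` refers to a matrix that job does not declare, so the dependency step never runs. The workflow also declares no `permissions:` block and pins actions by tag (`actions/checkout@v3`, `actions/cache@v3`, `jidicula/clang-format-action@v4.11.0`); a top-level `permissions:` with `contents: read` and commit-SHA pins would limit what a compromised action can do with the job token.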
diff --git a/CMakeLists.txt b/CMakeLists.txt index 2b0d8214..14f10099 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -9,6 +9,7 @@ option(TESTING "Build tests" OFF) option(CLANG_TIDY "Perform linting with clang-tidy" OFF) option(SANITIZERS "Enable sanitizers" OFF) option(MLS_NAMESPACE_SUFFIX "Namespace Suffix for CXX and CMake Export") +option(REQUIRE_BORINGSSL "Require BoringSSL instead of OpenSSL" OFF) if(MLS_NAMESPACE_SUFFIX) set(MLS_CXX_NAMESPACE "mls_${MLS_NAMESPACE_SUFFIX}" CACHE STRING "Top-level Namespace for CXX") 
@@ -91,27 +92,38 @@ endif() ### # External libraries - -set(OPENSSL_ROOT_DIR "${CMAKE_CURRENT_SOURCE_DIR}/../boringssl/") -set(OPENSSL_INCLUDE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/../boringssl/include") -set(OPENSSL_CRYPTO_LIBRARY "${CMAKE_CURRENT_SOURCE_DIR}/../boringssl/build/crypto/libcrypto.a") find_package(OpenSSL REQUIRED) -add_compile_definitions(WITH_BORINGSSL) -add_compile_options(-Wno-gnu-anonymous-struct -Wno-nested-anon-types) - -#find_package(OpenSSL REQUIRED) -#if ( OPENSSL_FOUND ) -# if (${OPENSSL_VERSION} VERSION_GREATER_EQUAL 3) -# add_compile_definitions(WITH_OPENSSL3) -# elseif(${OPENSSL_VERSION} VERSION_LESS 1.1.1) -# message(FATAL_ERROR "OpenSSL 1.1.1 or greater is required") -# endif() -# message(STATUS "OpenSSL Found: ${OPENSSL_VERSION}") -# message(STATUS "OpenSSL Include: ${OPENSSL_INCLUDE_DIR}") -# message(STATUS "OpenSSL Libraries: ${OPENSSL_LIBRARIES}") -#else() -# message(FATAL_ERROR "No OpenSSL library found") -#endif() + +if ( OPENSSL_FOUND ) + find_path(BORINGSSL_INCLUDE_DIR openssl/is_boringssl.h HINTS ${OPENSSL_INCLUDE_DIR} NO_DEFAULT_PATH) + + if (BORINGSSL_INCLUDE_DIR) + message(STATUS "Found OpenSSL includes are for BoringSSL") + + add_compile_definitions(WITH_BORINGSSL) + add_compile_options(-Wno-gnu-anonymous-struct -Wno-nested-anon-types) + + file(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/crypto.h" boringssl_version_str + REGEX "^#[\t ]*define[\t ]+OPENSSL_VERSION_TEXT[\t ]+\"OpenSSL ([0-9])+\\.([0-9])+\\.([0-9])+ .+") + + string(REGEX REPLACE "^.*OPENSSL_VERSION_TEXT[\t ]+\"OpenSSL ([0-9]+\\.[0-9]+\\.[0-9])+ .+$" + "\\1" OPENSSL_VERSION "${boringssl_version_str}") + + elseif (REQUIRE_BORINGSSL) + message(FATAL_ERROR "BoringSSL required but not found") + endif () + + if (${OPENSSL_VERSION} VERSION_GREATER_EQUAL 3) + add_compile_definitions(WITH_OPENSSL3) + elseif(${OPENSSL_VERSION} VERSION_LESS 1.1.1) + message(FATAL_ERROR "OpenSSL 1.1.1 or greater is required") + endif() + message(STATUS "OpenSSL Found: ${OPENSSL_VERSION}") + 
message(STATUS "OpenSSL Include: ${OPENSSL_INCLUDE_DIR}") + message(STATUS "OpenSSL Libraries: ${OPENSSL_LIBRARIES}") +else() + message(FATAL_ERROR "No OpenSSL library found") +endif() # Internal libraries add_subdirectory(lib) diff --git a/README.md b/README.md index c3089d27..9daff2c0 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ MLS++ Implementation of the proposed [Messaging Layer Security](https://github.com/mlswg/mls-protocol/blob/master/draft-ietf-mls-protocol.md) protocol in C++. Depends on C++17, STL for data structures, and -OpenSSL for crypto. +OpenSSL or BoringSSL for crypto. Quickstart ---------- @@ -31,3 +31,11 @@ Conventions * Snake case for variables, functions, members (`derive_epoch_keys`) * Private member variables start with underscore (`_`) * In general, prefer descriptive names + + +OpenSSL / BoringSSL +------------------- + +MLS++ requires OpenSSL of at least version 1.1.1, or BoringSSL compatible with the same requirement. MLS++ is compatible with OpenSSL >= 3.0. + +Pass `OPENSSL_ROOT_DIR` to guide CMake to select a specific OpenSSL/BoringSSL installation. You may also need to specify `OPENSSL_INCLUDE_DIR`, `OPENSSL_CRYPTO_LIBRARY`, and `OPENSSL_SSL_LIBRARY` depending on the file and folder structure of your installation. When manually passing `OPENSSL_*` options one should carefully verify that both the includes and libraries match the expected installation. diff --git a/alternatives/boringssl_1.1/vcpkg.json b/alternatives/boringssl_1.1/vcpkg.json new file mode 100644 index 00000000..1a726f6d --- /dev/null +++ b/alternatives/boringssl_1.1/vcpkg.json 
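Review bot: The version extracted for BoringSSL feeds the minimum-version gate, but the `string(REGEX REPLACE …)` pattern has its last `+` outside the capture group (`([0-9]+\\.[0-9]+\\.[0-9])+`), so a multi-digit patch component does not match and `OPENSSL_VERSION` is left holding the whole `#define` line, which the `VERSION_LESS 1.1.1` check then compares as if it were a version. If `file(STRINGS …)` finds nothing, `OPENSSL_VERSION` is empty and the unquoted `if (${OPENSSL_VERSION} VERSION_GREATER_EQUAL 3)` becomes a malformed condition with an unhelpful error. I would move the `+` inside the group, fail explicitly when the text is missing, and quote the expansion in both comparisons. The detection looks only at headers (`openssl/is_boringssl.h`), so it does not establish that `OPENSSL_CRYPTO_LIBRARY` is the matching BoringSSL archive; the README paragraph added in this commit leaves that check to the user.

```cmake
    # … unchanged: file(STRINGS …) read of OPENSSL_VERSION_TEXT into boringssl_version_str …
    if (NOT boringssl_version_str)
      message(FATAL_ERROR "OPENSSL_VERSION_TEXT not found in ${OPENSSL_INCLUDE_DIR}/openssl/crypto.h")
    endif ()

    string(REGEX REPLACE "^.*OPENSSL_VERSION_TEXT[\t ]+\"OpenSSL ([0-9]+\\.[0-9]+\\.[0-9]+) .+$"
           "\\1" OPENSSL_VERSION "${boringssl_version_str}")

  # … unchanged: REQUIRE_BORINGSSL check …

  if ("${OPENSSL_VERSION}" VERSION_GREATER_EQUAL 3)
    add_compile_definitions(WITH_OPENSSL3)
  elseif ("${OPENSSL_VERSION}" VERSION_LESS 1.1.1)
    message(FATAL_ERROR "OpenSSL 1.1.1 or greater is required")
```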
@@ -0,0 +1,21 @@ +{ + "name": "mlspp", + "version-string": "0.1", + "description": "Cisco MLS C++ library (BoringSSL 1.1)", + "dependencies": [ + { + "name": "boringssl", + "version>=": "2023-09-25" + }, + "doctest", + "nlohmann-json" + ], + "builtin-baseline": "5908d702d61cea1429b223a0b7a10ab86bad4c78", + "overrides": [ + { + "name": "boringssl", + "version": "2023-09-25" + } + ] +} + \ No newline at end of file From 4cd754f2e3a8cff0853f9ae92d6dcc6e11e6fccc Mon Sep 17 00:00:00 2001 From: Stephen Birarda Date: Mon, 9 Oct 2023 17:52:50 +0000 Subject: [PATCH 05/11] remove an extra newline --- CMakeLists.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 14f10099..d8b27ce3 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -93,7 +93,6 @@ endif() # External libraries find_package(OpenSSL REQUIRED) - if ( OPENSSL_FOUND ) find_path(BORINGSSL_INCLUDE_DIR openssl/is_boringssl.h HINTS ${OPENSSL_INCLUDE_DIR} NO_DEFAULT_PATH) From f19175d488a8e0f259d14d0f29f29c48aef28e31 Mon Sep 17 00:00:00 2001 From: Stephen Birarda Date: Mon, 9 Oct 2023 17:53:49 +0000 Subject: [PATCH 06/11] fix a couple of CMake spacings --- CMakeLists.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index d8b27ce3..9125d1c4 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -113,15 +113,15 @@ if ( OPENSSL_FOUND ) endif () if (${OPENSSL_VERSION} VERSION_GREATER_EQUAL 3) - add_compile_definitions(WITH_OPENSSL3) + add_compile_definitions(WITH_OPENSSL3) elseif(${OPENSSL_VERSION} VERSION_LESS 1.1.1) - message(FATAL_ERROR "OpenSSL 1.1.1 or greater is required") + message(FATAL_ERROR "OpenSSL 1.1.1 or greater is required") endif() message(STATUS "OpenSSL Found: ${OPENSSL_VERSION}") message(STATUS "OpenSSL Include: ${OPENSSL_INCLUDE_DIR}") message(STATUS "OpenSSL Libraries: ${OPENSSL_LIBRARIES}") else() - message(FATAL_ERROR "No OpenSSL library found") + message(FATAL_ERROR "No OpenSSL library found") endif() # Internal libraries From b4cc6855d931c02f574a92796f33a92a61d0a8c1 Mon Sep 17 00:00:00 2001 From: Stephen Birarda Date: Tue, 10 Oct 2023 15:17:32 +0000 Subject: [PATCH 07/11] add nasm to the vcpkg boring alternative --- .github/workflows/boring.yml | 47 +----------------------------------- 1 file changed, 1 insertion(+), 46 deletions(-) diff --git a/.github/workflows/boring.yml b/.github/workflows/boring.yml index 8175f475..4170a895 100644 --- a/.github/workflows/boring.yml +++ b/.github/workflows/boring.yml 
@@ -33,52 +33,6 @@ jobs: check-path: ${{ matrix.path }} fallback-style: 'Mozilla' - quick-linux-interop-check: - needs: formatting-check - name: Quick Linux Check and Interop - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - - name: Dependencies (Ubuntu) - if: ${{ matrix.os == 'ubuntu-latest' }} - run: | - sudo apt-get install -y linux-headers-$(uname -r) - - - name: Restore cache - uses: actions/cache@v3 - with: - path: ${{ github.workspace }}/build/cache - key: VCPKG-BinaryCache-${{ runner.os }} - - - name: Build (BoringSSL 1.1) - run: | - cmake -B "${{ env.CMAKE_BUILD_BORINGSSL_DIR }}" -DTESTING=ON -DVCPKG_MANIFEST_DIR="alternatives/boringssl_1.1" -DCMAKE_TOOLCHAIN_FILE="$VCPKG_INSTALLATION_ROOT/scripts/buildsystems/vcpkg.cmake" -DREQUIRE_BORINGSSL=1 - cmake --build "${{ env.CMAKE_BUILD_BORINGSSL_DIR }}" - - - name: Unit Test (BoringSSL 1.1) - run: | - cmake --build "${{ env.CMAKE_BUILD_BORINGSSL_DIR }}" --target test - - - name: Build (Interop Harness) - run: | - cd cmd/interop - cmake -B build -DCMAKE_TOOLCHAIN_FILE="$VCPKG_INSTALLATION_ROOT/scripts/buildsystems/vcpkg.cmake" - cmake --build build - - - name: Test self-interop - run: | - make -C cmd/interop self-test - - - name: Test interop on test vectors - run: | - make -C cmd/interop interop-test - - - name: Test gRPC live interop with self - run: | - cd cmd/interop - ./grpc-self-test.sh - platform-sanitizer-tests: if: github.event.pull_request.draft == false needs: quick-linux-interop-check @@ -116,6 +70,7 @@ jobs: if: ${{ matrix.os == 'ubuntu-latest' }} run: | sudo apt-get install -y linux-headers-$(uname -r) + sudo apt-get install nasm - name: Restore cache uses: actions/cache@v3 From e5f84fe3a1169be2a1fd1f3c54dd18e662135c4c Mon Sep 17 00:00:00 2001 From: Stephen Birarda Date: Tue, 10 Oct 2023 15:22:51 +0000 Subject: [PATCH 08/11] put the nasm install in same line --- .github/workflows/boring.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/.github/workflows/boring.yml b/.github/workflows/boring.yml index 4170a895..e726d0e2 100644 --- a/.github/workflows/boring.yml +++ b/.github/workflows/boring.yml @@ -69,8 +69,7 @@ jobs: - name: Dependencies (Ubuntu) if: ${{ matrix.os == 'ubuntu-latest' }} run: | - sudo apt-get install -y linux-headers-$(uname -r) - sudo apt-get install nasm + sudo apt-get install -y linux-headers-$(uname -r) nasm - name: Restore cache uses: actions/cache@v3 From b79639421add2a1781723f61817f2f83dc64cd6a Mon Sep 17 00:00:00 2001 From: Stephen Birarda Date: Wed, 11 Oct 2023 11:44:02 +0000 Subject: [PATCH 09/11] fix warning for matching switch branches --- lib/hpke/test/common.cpp | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/lib/hpke/test/common.cpp b/lib/hpke/test/common.cpp index 0afa36fc..2065ec10 100644 --- a/lib/hpke/test/common.cpp +++ b/lib/hpke/test/common.cpp @@ -101,12 +101,10 @@ supported_kem(KEM::ID id) case KEM::ID::DHKEM_P384_SHA384: case KEM::ID::DHKEM_P521_SHA512: case KEM::ID::DHKEM_X25519_SHA256: - return true; - #if !defined(WITH_BORINGSSL) case KEM::ID::DHKEM_X448_SHA512: - return true; #endif + return true; default: return false; From 8b56220ed3797b2cfbe5961d297ed8b587d63587 Mon Sep 17 00:00:00 2001 From: Stephen Birarda Date: Wed, 11 Oct 2023 12:12:01 +0000 Subject: [PATCH 10/11] add an on push trigger to the boring workflow --- .github/workflows/boring.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/boring.yml b/.github/workflows/boring.yml index e726d0e2..f798941c 100644 --- a/.github/workflows/boring.yml +++ b/.github/workflows/boring.yml @@ -1,6 +1,9 @@ name: MLSPP CI (BoringSSL Test) on: + push: + branches: + - main pull_request: branches: - main From 4e1a089009978aa4f72dbe687c7e045a3b4e7d8a Mon Sep 17 00:00:00 2001 
From: Richard Barnes Date: Thu, 12 Oct 2023 06:41:12 -0700 Subject: [PATCH 11/11] Remove blockers to running --- .github/workflows/boring.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/boring.yml b/.github/workflows/boring.yml index f798941c..7988d58f 100644 --- a/.github/workflows/boring.yml +++ b/.github/workflows/boring.yml @@ -37,9 +37,7 @@ jobs: fallback-style: 'Mozilla' platform-sanitizer-tests: - if: github.event.pull_request.draft == false - needs: quick-linux-interop-check - name: Build and test platforms using sanitizers and clang-tidy + name: Build and test with BoringSSL runs-on: ${{ matrix.os }} strategy: fail-fast: false