First cut at DTLS1.3 tracker

Signed-off-by: Michael Baentsch <[email protected]>
open-quantum-safe · Dec 9, 2024 · e38fea8 · e38fea8
1 parent a4cfbc9
commit e38fea8
Show file tree

Hide file tree

Showing 7 changed files with 66 additions and 63 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -53,9 +53,9 @@ jobs:
               equal: [ openssl@3, << parameters.OPENSSL_PREINSTALL >> ]
           steps:
             - run:
-                name: Clone and build OpenSSL(3) master
+                name: Clone and build OpenSSL(3) dtls-1.3 feature branch
                 command: |
-                   git clone --branch master https://github.com/openssl/openssl.git openssl &&
+                   git clone --branch feature/dtls-1.3 https://github.com/openssl/openssl.git openssl &&
                    cd openssl && ./config --prefix=$(echo $(pwd)/../.local) && make -j 18 && make install_sw && cd ..
             - run:
                name: Build OQS-OpenSSL provider

diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
@@ -38,7 +38,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ossl-branch: [openssl-3.3.2, master]
+        ossl-branch: [feature/dtls-1.3]
         libjade-build:
           - "ON" 
           - "OFF"

diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
@@ -39,7 +39,7 @@ jobs:
           repository: openssl/openssl
           path: openssl
           # TODO: Revert ref tag once openssl master doesn't crash any more
-          ref: openssl-3.3.0
+          ref: feature/dtls-1.3
       - name: checkout liboqs
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
         with:

diff --git a/oqs-template/oqsprov/oqsprov_capabilities.c/group_assignments.fragment b/oqs-template/oqsprov/oqsprov_capabilities.c/group_assignments.fragment
@@ -1,7 +1,7 @@
 {% for kem in config['kems'] %}
-   { {{ kem['nid'] }}, {{ kem['bit_security'] }}, TLS1_3_VERSION, 0, -1, -1, 1 },
+   { {{ kem['nid'] }}, {{ kem['bit_security'] }}, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1 },
 {% for hybrid in kem['hybrids'] %}
-   { {{ hybrid['nid'] }}, {{ kem['bit_security'] }}, TLS1_3_VERSION, 0, -1, -1, 1 },
+   { {{ hybrid['nid'] }}, {{ kem['bit_security'] }}, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1 },
 {%- endfor %}
 {%- endfor %}
 
diff --git a/oqsprov/oqsprov_capabilities.c b/oqsprov/oqsprov_capabilities.c
@@ -35,77 +35,77 @@ typedef struct oqs_group_constants_st {
 static OQS_GROUP_CONSTANTS oqs_group_list[] = {
     // ad-hoc assignments - take from OQS generate data structures
     ///// OQS_TEMPLATE_FRAGMENT_GROUP_ASSIGNMENTS_START
-    {65024, 128, TLS1_3_VERSION, 0, -1, -1, 1},
+    {65024, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F00, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2F80, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {65025, 128, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F00, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2F80, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {65025, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F01, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2F81, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {65026, 192, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F01, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2F81, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {65026, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F02, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2F82, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x0203, 192, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F02, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2F82, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x0203, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F03, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2F83, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x0204, 256, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F03, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2F83, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x0204, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F04, 256, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x0205, 256, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F04, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x0205, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F05, 256, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x023A, 128, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F05, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x023A, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F3A, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2F39, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x023C, 192, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F3A, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2F39, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x023C, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F3C, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2F90, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x6399, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x639A, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x023D, 256, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F3C, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2F90, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x6399, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x639A, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x023D, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F3D, 256, TLS1_3_VERSION, 0, -1, -1, 1},
-    {512, 128, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F3D, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {512, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F4B, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2FB6, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {513, 192, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F4B, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2FB6, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {513, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F4C, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2FB7, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x11ec, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x11eb, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {514, 256, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F4C, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2FB7, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x11ec, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x11eb, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {514, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F4D, 256, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2F4E, 256, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x0241, 128, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F4D, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2F4E, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x0241, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F41, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2FAE, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x0242, 192, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F41, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2FAE, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x0242, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F42, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2FAF, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x0243, 256, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F42, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2FAF, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x0243, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F43, 256, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x0244, 128, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F43, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x0244, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F44, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2FB0, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x0245, 192, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F44, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2FB0, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x0245, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F45, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2FB1, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x0246, 256, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F45, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2FB1, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x0246, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F46, 256, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F46, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
     ///// OQS_TEMPLATE_FRAGMENT_GROUP_ASSIGNMENTS_END
 };
 

diff --git a/scripts/fullbuild.sh b/scripts/fullbuild.sh
@@ -12,6 +12,9 @@
 # EnvVar OPENSSL_BRANCH: Defines branch/release of openssl; if set, forces source-build of OpenSSL3
 # EnvVar liboqs_DIR: If set, needs to point to a directory where liboqs has been installed to
 
+# Track openssl dtls-1.3 feature branch
+OPENSSL_BRANCH="feature/dtls-1.3"
+
 if [[ "$OSTYPE" == "darwin"* ]]; then
    SHLIBEXT="dylib"
    STATLIBEXT="dylib"

diff --git a/test/tlstest_helpers.c b/test/tlstest_helpers.c
@@ -56,10 +56,10 @@ int create_tls1_3_ctx_pair(OSSL_LIB_CTX *libctx, SSL_CTX **sctx, SSL_CTX **cctx,
         goto err;
 
     SSL_CTX_set_options(serverctx, SSL_OP_ALLOW_CLIENT_RENEGOTIATION);
-    SSL_CTX_set_min_proto_version(serverctx, TLS1_3_VERSION);
-    SSL_CTX_set_max_proto_version(serverctx, TLS1_3_VERSION);
-    SSL_CTX_set_min_proto_version(clientctx, TLS1_3_VERSION);
-    SSL_CTX_set_max_proto_version(clientctx, TLS1_3_VERSION);
+    SSL_CTX_set_min_proto_version(serverctx, DTLS1_3_VERSION);
+    SSL_CTX_set_max_proto_version(serverctx, DTLS1_3_VERSION);
+    SSL_CTX_set_min_proto_version(clientctx, DTLS1_3_VERSION);
+    SSL_CTX_set_max_proto_version(clientctx, DTLS1_3_VERSION);
 
     if (!SSL_CTX_use_certificate_file(serverctx, certfile, SSL_FILETYPE_PEM))
         goto err;