Add pq-tls interop test with BoringSSL #2199

Merged
merged 3 commits into from
Feb 19, 2025
54 changes: 52 additions & 2 deletions tests/ci/integration/run_pq_tls_integration.sh
Expand Up @@ -15,16 +15,21 @@ S2N_BRANCH='main'
S2N_TLS_SRC_FOLDER="${SCRATCH_FOLDER}/s2n-tls"
S2N_TLS_BUILD_FOLDER="${SCRATCH_FOLDER}/s2n-tls-build"

BSSL_URL='https://github.com/google/boringssl.git'
BSSL_BRANCH='main'
BSSL_SRC_FOLDER="${SCRATCH_FOLDER}/boring-ssl"
BSSL_BUILD_FOLDER="${SCRATCH_FOLDER}/boring-ssl-build"

rm -rf "${SCRATCH_FOLDER:?}"
mkdir -p "$SCRATCH_FOLDER"

echo "build and install aws-lc"
aws_lc_build "$SRC_ROOT" "$AWS_LC_BUILD_FOLDER" "$AWS_LC_INSTALL_FOLDER" -DCMAKE_BUILD_TYPE=RelWithDebInfo -DBUILD_TESTING=OFF

echo "clone s2n_tls"
echo "clone s2n-tls"
git clone --depth 1 --branch "$S2N_BRANCH" "$S2N_URL" "$S2N_TLS_SRC_FOLDER"

echo "build s2n_tls with aws-lc"
echo "build s2n-tls with aws-lc"
cd "$S2N_TLS_SRC_FOLDER"
cmake . "-B$S2N_TLS_BUILD_FOLDER" -GNinja \
-DCMAKE_BUILD_TYPE=Release \
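Review bot: BSSL_BRANCH='main' pins the interop build to BoringSSL's moving head, just as S2N_BRANCH='main' does for s2n-tls, so an upstream BoringSSL change can turn this job red with no aws-lc change; that is acceptable for an interop check, but a one-line comment next to the new BSSL_* variables saying so, and an environment override such as `BSSL_BRANCH="${BSSL_BRANCH:-main}"`, would make a failure easier to reproduce against a known commit.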
Expand Down Expand Up @@ -62,4 +67,49 @@ for GROUP in X25519MLKEM768 SecP256r1MLKEM768; do
grep "KEM Group" "$S2N_TLS_BUILD_FOLDER"/s2nd_out | grep "$GROUP"
done

echo "clone boring-ssl"
git clone --depth 1 --branch "$BSSL_BRANCH" "$BSSL_URL" "$BSSL_SRC_FOLDER"

echo "build boring-ssl with aws-lc"
cd "$BSSL_SRC_FOLDER"
cmake . "-B$BSSL_BUILD_FOLDER" -GNinja \
-DCMAKE_BUILD_TYPE=Release \
-DCMAKE_PREFIX_PATH="$AWS_LC_INSTALL_FOLDER"
Contributor
Why build BoringSSL with AWS-LC? Shouldn't they be independent? This looks like you're trying to build BoringSSL with AWS-LC's headers/libraries, which doesn't make sense.

Contributor Author @chockalingamc, Feb 18, 2025

Thanks for catching this. It was a copy-over from the s2n-tls build. Verified that CMAKE_PREFIX_PATH is a no-op for BoringSSL builds, as it doesn't have to find headers or libraries using that parameter the way s2n-tls does. Will remove it.

ninja -C "$BSSL_BUILD_FOLDER" -j "$NUM_CPU_THREADS"

# BoringSSL supports only X25519MLKEM768 but not SecP256r1MLKEM768 for key exchange
for GROUP in X25519MLKEM768; do
echo "TLS Handshake: aws-lc server (bssl) with boring-ssl client (bssl) for group $GROUP"
"$AWS_LC_BUILD_FOLDER"/tool/bssl s_server -curves $GROUP -accept 45000 -debug \
&> "$AWS_LC_BUILD_FOLDER"/s_server_out &
sleep 2 # to allow for the server to startup in the background thread
S_PID=$!
"$BSSL_BUILD_FOLDER"/tool/bssl s_client -curves $GROUP -connect localhost:45000 -debug \
&> "$BSSL_BUILD_FOLDER"/s_client_out &
wait $S_PID || true
cat "$AWS_LC_BUILD_FOLDER"/s_server_out
cat "$BSSL_BUILD_FOLDER"/s_client_out
grep "Connected" "$AWS_LC_BUILD_FOLDER"/s_server_out
grep "ECDHE group" "$AWS_LC_BUILD_FOLDER"/s_server_out | grep "$GROUP"
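Review bot: the client started with `"$BSSL_BUILD_FOLDER"/tool/bssl s_client ... &` is backgrounded and never waited on, so the `cat` and `grep` over s_client_out can run while the client is still writing its debug output; capture its PID (`C_PID=$!`) right after launching it and `wait $C_PID` before reading the file. In the same block, `wait $S_PID || true` discards the server's exit status, so a failed or refused handshake is detected only indirectly through the grep lines; checking that status explicitly would give a clearer failure message.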
Contributor

nit: Why'd you switch to calling this an ECDHE group here? Earlier you used KEM groups. More generally, we should use the more generic "TLS group" terminology.

Contributor Author @chockalingamc, Feb 18, 2025

The test is just validating what the tool prints in its server/client logs.
The s2n-tls tool uses the term KEM group; the bssl tool uses ECDHE group. If either tool is updated to use the generic term, we need to update the test at that time.

Contributor Author

Regarding log output, we could perhaps not log the build output (suppress stdout while keeping stderr logs).
The current output is around 3K lines, most of which is the lc/s2n/bssl build stdout logs.

grep "Connected" "$BSSL_BUILD_FOLDER"/s_client_out
grep "ECDHE group" "$BSSL_BUILD_FOLDER"/s_client_out | grep "$GROUP"
grep "subject" "$BSSL_BUILD_FOLDER"/s_client_out | grep "BoringSSL"

echo "TLS Handshake: boring-ssl server (bssl) with aws-lc client (bssl) for group $GROUP"
"$BSSL_BUILD_FOLDER"/tool/bssl s_server -curves $GROUP -accept 45000 -debug \
&> "$BSSL_BUILD_FOLDER"/s_server_out &
sleep 2 # to allow for the server to startup in the background thread
S_PID=$!
"$AWS_LC_BUILD_FOLDER"/tool/bssl s_client -curves $GROUP -connect localhost:45000 -debug \
&> "$AWS_LC_BUILD_FOLDER"/s_client_out &
wait $S_PID || true
cat "$BSSL_BUILD_FOLDER"/s_server_out
cat "$AWS_LC_BUILD_FOLDER"/s_client_out
grep "Connected" "$BSSL_BUILD_FOLDER"/s_server_out
grep "ECDHE group" "$BSSL_BUILD_FOLDER"/s_server_out | grep "$GROUP"
grep "Connected" "$AWS_LC_BUILD_FOLDER"/s_client_out
grep "ECDHE group" "$AWS_LC_BUILD_FOLDER"/s_client_out | grep "$GROUP"
grep "subject" "$AWS_LC_BUILD_FOLDER"/s_client_out | grep "BoringSSL"
done

rm -rf "${SCRATCH_FOLDER:?}"
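Review bot: the two handshake blocks (aws-lc server with BoringSSL client, then BoringSSL server with aws-lc client) are copies that differ only in which build folder supplies s_server and which supplies s_client; a helper along the lines of `run_handshake SERVER_DIR CLIENT_DIR GROUP` would remove the duplication and keep the Connected, ECDHE group and subject checks in one place. Both directions also bind port 45000 back to back and rely on a fixed `sleep 2` for the server to come up; the second s_server can fail to bind if the first has not fully released the port, so polling for the listener instead of a fixed sleep would make the job less flaky on a slow CI host.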