From 6c613fa9b33d999c0c8cac380b4d0e8223768ad1 Mon Sep 17 00:00:00 2001
From: Chocka Chidambaram
Date: Mon, 3 Feb 2025 15:03:12 -0500
Subject: [PATCH] Cross library PQ interop test with s2n-tls (#2138)

### Description of changes:
Adding cross library PQ interop test with s2n-tls

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

---------

Co-authored-by: Chocka Chidambaram
---
 .../github_ci_integration_omnibus.yaml | 10 +++
 .../ci/integration/run_pq_tls_integration.sh | 65 +++++++++++++++++++
 2 files changed, 75 insertions(+)
 create mode 100755 tests/ci/integration/run_pq_tls_integration.sh

diff --git a/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml b/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml
index ce5c38d2aa..5af3d89741 100644
--- a/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml
+++ b/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml
@@ -250,3 +250,13 @@ batch:
 image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-22.04_gcc-12x_latest
 variables:
 AWS_LC_CI_TARGET: "tests/ci/integration/run_ntp_integration.sh"
+
+ - identifier: pq_tls_integration_x86_64
+ buildspec: tests/ci/codebuild/common/run_simple_target.yml
+ env:
+ type: LINUX_CONTAINER
+ privileged-mode: false
+ compute-type: BUILD_GENERAL1_SMALL
+ image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-22.04_gcc-12x_latest
+ variables:
+ AWS_LC_CI_TARGET: "tests/ci/integration/run_pq_tls_integration.sh"
diff --git a/tests/ci/integration/run_pq_tls_integration.sh b/tests/ci/integration/run_pq_tls_integration.sh
new file mode 100755
index 0000000000..b44425c70e
--- /dev/null
+++ b/tests/ci/integration/run_pq_tls_integration.sh
@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+set -ex
+
+source tests/ci/common_posix_setup.sh
+
+SCRATCH_FOLDER=${SYS_ROOT}/"pq-tls-scratch"
+
+AWS_LC_BUILD_FOLDER="${SCRATCH_FOLDER}/aws-lc-build"
+AWS_LC_INSTALL_FOLDER="${SCRATCH_FOLDER}/aws-lc-install"
+
+S2N_URL='https://github.com/aws/s2n-tls.git'
+S2N_BRANCH='main'
+S2N_TLS_SRC_FOLDER="${SCRATCH_FOLDER}/s2n-tls"
+S2N_TLS_BUILD_FOLDER="${SCRATCH_FOLDER}/s2n-tls-build"
+
+rm -rf "${SCRATCH_FOLDER:?}"
+mkdir -p "$SCRATCH_FOLDER"
+
+echo "build and install aws-lc"
+aws_lc_build "$SRC_ROOT" "$AWS_LC_BUILD_FOLDER" "$AWS_LC_INSTALL_FOLDER" -DCMAKE_BUILD_TYPE=RelWithDebInfo -DBUILD_TESTING=OFF
+
+echo "clone s2n_tls"
+git clone --depth 1 --branch "$S2N_BRANCH" "$S2N_URL" "$S2N_TLS_SRC_FOLDER"
+
+echo "build s2n_tls with aws-lc"
+cd "$S2N_TLS_SRC_FOLDER"
+cmake . "-B$S2N_TLS_BUILD_FOLDER" -GNinja \
+ -DCMAKE_BUILD_TYPE=Release \
+ -DCMAKE_PREFIX_PATH="$AWS_LC_INSTALL_FOLDER"
+ninja -C "$S2N_TLS_BUILD_FOLDER" -j "$NUM_CPU_THREADS"
+
+for GROUP in X25519MLKEM768 SecP256r1MLKEM768; do
+ echo "TLS Handshake: aws-lc server (bssl) with s2n-tls client (s2nc) for group $GROUP"
+ "$AWS_LC_BUILD_FOLDER"/tool/bssl s_server -curves $GROUP -accept 45000 -debug \
+ &> "$AWS_LC_BUILD_FOLDER"/s_server_out &
+ sleep 2 # to allow for the server to startup in the background thread
+ S_PID=$!
+ # Relying on s2nc behavior that it exits after the first handshake
+ "$S2N_TLS_BUILD_FOLDER"/bin/s2nc -c default_pq -i localhost 45000 &> "$S2N_TLS_BUILD_FOLDER"/s2nc_out
+ wait $S_PID || true
+ cat "$AWS_LC_BUILD_FOLDER"/s_server_out
+ cat "$S2N_TLS_BUILD_FOLDER"/s2nc_out
+ grep "libcrypto" "$S2N_TLS_BUILD_FOLDER"/s2nc_out | grep "AWS-LC"
+ grep "CONNECTED" "$S2N_TLS_BUILD_FOLDER"/s2nc_out
+ grep "KEM Group" "$S2N_TLS_BUILD_FOLDER"/s2nc_out | grep "$GROUP"
+
+ echo "TLS Handshake: s2n-tls server (s2nd) with aws-lc client (bssl) for group $GROUP"
+ "$S2N_TLS_BUILD_FOLDER"/bin/s2nd -c default_pq -i localhost 45000 &> "$S2N_TLS_BUILD_FOLDER"/s2nd_out &
+ sleep 2 # to allow for the server to startup in the background thread
+ S_PID=$!
+ # bssl s_client normally does not exit after a handshake, but when run as a background process
+ # seems to exit by closing the connection after the first handshake. Relying on that behavior here.
+ "$AWS_LC_BUILD_FOLDER"/tool/bssl s_client -curves $GROUP -connect localhost:45000 -debug \
+ &> "$AWS_LC_BUILD_FOLDER"/s_client_out &
+ wait $S_PID || true
+ cat "$S2N_TLS_BUILD_FOLDER"/s2nd_out
+ cat "$AWS_LC_BUILD_FOLDER"/s_client_out
+ grep "libcrypto" "$S2N_TLS_BUILD_FOLDER"/s2nd_out | grep "AWS-LC"
+ grep "CONNECTED" "$S2N_TLS_BUILD_FOLDER"/s2nd_out
+ grep "KEM Group" "$S2N_TLS_BUILD_FOLDER"/s2nd_out | grep "$GROUP"
+done
+
+rm -rf "${SCRATCH_FOLDER:?}"
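Review bot: In the s2nd/bssl leg of the loop the backgrounded `bssl s_client` is never waited on, so its exit status is discarded and `cat "$AWS_LC_BUILD_FOLDER"/s_client_out` can run before the client has finished writing; capturing it with `C_PID=$!` directly after the `&` and adding `wait "$C_PID"` after `wait $S_PID || true` would make a client-side handshake failure fail the job on its own rather than only through the greps on s2nd_out. The same PID would also let a `trap` on EXIT terminate the client, which under `set -e` may otherwise be left running when one of the later greps fails. Both legs assign `S_PID=$!` only after `sleep 2`; that works because `$!` still refers to the server, but moving the assignment to the line right after the `&` makes the intent clearer and avoids a surprise if anything is ever backgrounded in between. Separately, the clone follows `S2N_BRANCH='main'` unpinned, so a CI result cannot be tied to a specific s2n-tls revision from the log alone; printing `git -C "$S2N_TLS_SRC_FOLDER" rev-parse HEAD` after the clone, or pinning to a release tag, would record exactly which peer implementation the aws-lc build was interop-tested against.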