Cross library PQ interop test with s2n-tls #2138
base: main
Conversation
Codecov Report
All modified and coverable lines are covered by tests ✅
Additional details and impacted files
@@ Coverage Diff @@
##            main    #2138   +/-   ##
=======================================
  Coverage   78.95%   78.96%
=======================================
  Files         611      611
  Lines      105522   105522
  Branches    14946    14943    -3
=======================================
+ Hits        83317    83323    +6
+ Misses      21553    21547    -6
  Partials      652      652
☔ View full report in Codecov by Sentry.
An s2n-tls integration script exists: https://github.com/aws/aws-lc/blob/main/tests/ci/integration/run_s2n_integration.sh
The intent of this work was to add a test that can test PQ-TLS interop between AWS-LC's libssl and different PQ-TLS providers, of which s2n is one of several. That said, the script in this PR should be renamed to reflect that generic intent.
Add/augment a YAML file inside .github/workflows to actually run this test. Assert that the test actually succeeds in the checks.
tests/ci/run_s2n_interop_test.sh (Outdated)
# clone aws-lc
git clone --depth 1 --branch "${lc_branch}" "${lc_url}" "${scratch_folder}/s2n-tls/aws-lc"

# build aws-lc
echo "building aws-lc"
cd "${scratch_folder}/s2n-tls/aws-lc"
cmake -GNinja -B build
ninja -C build
cmake --install build --prefix install
Use the run_build function to build AWS-LC from the source corresponding to the request and put the relevant artifacts in the conventional locations.
tests/ci/run_s2n_interop_test.sh (Outdated)
cd "${scratch_folder}/s2n-tls"
cmake . -Bbuild-with-lc \
    -DCMAKE_BUILD_TYPE=Release \
    -DCMAKE_PREFIX_PATH=aws-lc/install
Update this to use the correct LC location after making the change to how it gets built.
tests/ci/run_s2n_interop_test.sh (Outdated)
Rename this to be more generic across PQ-TLS implementations, e.g. run_pq_tls_interop_test.sh.
tests/ci/run_s2n_interop_test.sh (Outdated)
    -DCMAKE_BUILD_TYPE=Release \
    -DCMAKE_PREFIX_PATH=aws-lc/install
cmake --build build-with-lc

Please refactor this to loop across different TLS groups to cut down on the repetition.
for group in X25519MLKEM768 SecP256r1MLKEM768; do
# lc to s2n
# s2n to lc
done
tests/ci/run_s2n_interop_test.sh (Outdated)

# handshake test 1 - aws-lc bssl server with s2n-tls s2nc client for X25519MLKEM768:X25519
cd "${scratch_folder}/s2n-tls"
./aws-lc/build/tool/bssl s_server -curves X25519MLKEM768:X25519 -accept 45000 -debug &> s_server_out &
Don't test against the purely classical x25519 group.
tests/ci/run_s2n_interop_test.sh (Outdated)
    -DCMAKE_PREFIX_PATH=aws-lc/install
cmake --build build-with-lc

# handshake test 1 - aws-lc bssl server with s2n-tls s2nc client for X25519MLKEM768:X25519
Add a comment explaining how all this works. It's not immediately apparent what all these workarounds do, e.g. the sleep is there to allow the server time to listen on the socket.
Our preference is to put this in the codebuild integration target like https://github.com/aws/aws-lc/blob/main/tests/ci/cdk/cdk/codebuild/github_ci_integration_omnibus.yaml#L9-L17
tests/ci/run_s2n_interop_test.sh (Outdated)
git clone --depth 1 --branch "${s2n_branch}" "${s2n_url}" "${scratch_folder}/s2n-tls"

# clone aws-lc
git clone --depth 1 --branch "${lc_branch}" "${lc_url}" "${scratch_folder}/s2n-tls/aws-lc"
This shouldn't need to clone AWS-LC since it will already be there when run locally or run in codebuild.
All targets in that yaml file are for
I'd argue an interop test is an integration test and we could move the bash file. Either way this shouldn't run in the GitHub actions and should move to the CodeBuild general or CodeBuild integration target.
variables:
  AWS_LC_CI_TARGET: "tests/ci/integration/run_pq_tls_integration.sh"

- identifier: pq_tls_integration_aarch
I'll defer to the LC team, but I don't think we need to cover both ARM and Intel for this test. This is purely application layer stuff so the CPU arch really doesn't matter.
Agreed, we're a bit inconsistent about that for other projects but just one platform is fine.
S2N_TLS_SRC_FOLDER="${SCRATCH_FOLDER}/s2n-tls"
S2N_TLS_BUILD_FOLDER="${SCRATCH_FOLDER}/s2n-tls-build"

# init setup
Unnecessary comment.
Checked the build and it looks good! It also runs in 10 minutes, which is great, and using BUILD_GENERAL1_SMALL makes sense.
cd "$S2N_TLS_BUILD_FOLDER"
./bin/s2nc -c default_pq -i localhost 45000 &> s2nc_out
wait $S_PID || true
grep "libcrypto" s2nc_out | grep "AWS-LC"
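Review bot: the pass/fail verdict for this direction rests entirely on the final grep, because `wait $S_PID || true` discards the bssl server's exit status and the s2nc exit status is not checked either; and matching "AWS-LC" on the "libcrypto" line only confirms which libcrypto s2nc was linked against, not that a PQ group was actually negotiated. Suggest also asserting on the negotiated group in s2nc_out (and in s_server_out), so a handshake that completed on a classical group would fail the test rather than pass it.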
I trust the greps but it would be nice to see the output here and down below:
grep "libcrypto" s2nc_out | grep "AWS-LC"
echo $s_server_out
echo $s2nc_out
grep "libcrypto" s2nc_out | grep "AWS-LC"
Description of changes:
Adding cross library PQ interop test with s2n-tls
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.