Cross library PQ interop test with s2n-tls #2138

Open
wants to merge 6 commits into
base: main
78 changes: 78 additions & 0 deletions tests/ci/run_s2n_interop_test.sh
Contributor

Rename this to be more generic across PQ-TLS implementations. e.g. run_pq_tls_interop_test.sh.

@@ -0,0 +1,78 @@
#!/usr/bin/env bash
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0 OR ISC
set -ex

source tests/ci/common_posix_setup.sh

scratch_folder=${SYS_ROOT}/"s2n-scratch"
s2n_url='https://github.com/aws/s2n-tls.git'
s2n_branch='main'
lc_url='https://github.com/aws/aws-lc.git'
lc_branch='main'

mkdir -p "${scratch_folder}"
rm -rf "${scratch_folder:?}"/*

# clone s2n-tls
git clone --depth 1 --branch "${s2n_branch}" "${s2n_url}" "${scratch_folder}/s2n-tls"

# clone aws-lc
git clone --depth 1 --branch "${lc_branch}" "${lc_url}" "${scratch_folder}/s2n-tls/aws-lc"
Contributor

This shouldn't need to clone AWS-LC since it will already be there when run locally or run in codebuild.


# build aws-lc
echo "building aws-lc"
cd "${scratch_folder}/s2n-tls/aws-lc"
cmake -GNinja -B build
ninja -C build
cmake --install build --prefix install
Contributor

Use the run_build function to build AWS-LC from the source corresponding to the request and put the relevant artifacts in the conventional locations.


# build s2n-tls with aws-lc
echo "building s2n_tls"
cd "${scratch_folder}/s2n-tls"
cmake . -Bbuild-with-lc \
-DCMAKE_BUILD_TYPE=Release \
-DCMAKE_PREFIX_PATH=aws-lc/install
Contributor

Update this to use the correct LC location after making the change to how it gets built.

cmake --build build-with-lc

Contributor

Please refactor this to loop across different TLS groups to cut down on the repetition.

for group in X25519MLKEM768 SecP256r1MLKEM768; do 
  # lc to s2n
  # s2n to lc
done

# handshake test 1 - aws-lc bssl server with s2n-tls s2nc client for X25519MLKEM768:X25519
Contributor

Add a comment explaining how all this works. It's not immediately apparent what all these workarounds do. e.g. the sleep is there to allow the server time to listen on the socket.

cd "${scratch_folder}/s2n-tls"
./aws-lc/build/tool/bssl s_server -curves X25519MLKEM768:X25519 -accept 45000 -debug &> s_server_out &
Contributor

Don't test against the purely classical x25519 group.

sleep 2
S_PID=$!
./build-with-lc/bin/s2nc -c default_pq -i localhost 45000 &> s2nc_out
wait $S_PID || true
grep "libcrypto" s2nc_out | grep "AWS-LC"
grep "CONNECTED" s2nc_out

# handshake test 2 - s2n-tls s2nd server with aws-lc bssl client for X25519MLKEM768:X25519
cd "${scratch_folder}/s2n-tls"
./build-with-lc/bin/s2nd -c default_pq -i localhost 45000 &> s2nd_out &
sleep 2
S_PID=$!
./aws-lc/build/tool/bssl s_client -curves X25519MLKEM768:X25519 -connect localhost:45000 -debug &> s_client_out &
wait $S_PID || true
grep "libcrypto" s2nd_out | grep "AWS-LC"
grep "CONNECTED" s2nd_out

# handshake test 3 - aws-lc bssl server with s2n-tls s2nc client for SecP256r1MLKEM768
cd "${scratch_folder}/s2n-tls"
./aws-lc/build/tool/bssl s_server -curves SecP256r1MLKEM768 -accept 45000 -debug &> s_server_out &
sleep 2
S_PID=$!
./build-with-lc/bin/s2nc -c default_pq -i localhost 45000 &> s2nc_out
wait $S_PID || true
grep "libcrypto" s2nc_out | grep "AWS-LC"
grep "CONNECTED" s2nc_out

# handshake test 4 - s2n-tls s2nd server with aws-lc bssl client for SecP256r1MLKEM768
cd "${scratch_folder}/s2n-tls"
./build-with-lc/bin/s2nd -c default_pq -i localhost 45000 &> s2nd_out &
sleep 2
S_PID=$!
./aws-lc/build/tool/bssl s_client -curves SecP256r1MLKEM768 -connect localhost:45000 -debug &> s_client_out &
wait $S_PID || true
grep "libcrypto" s2nd_out | grep "AWS-LC"
grep "CONNECTED" s2nd_out

rm -rf "${scratch_folder:?}"/*
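Review bot: in handshake tests 2 and 4 the bssl s_client is backgrounded (`./aws-lc/build/tool/bssl s_client ... &> s_client_out &`) but its PID is never captured or waited on, so the script greps s2nd_out without knowing whether the client finished, and s_client_out is never inspected; run the client in the foreground the way tests 1 and 3 run s2nc, and grep its output as well. The `wait $S_PID || true` lines discard the server's exit status, so a failed handshake is only caught by the greps that follow; either drop `|| true` or check the status explicitly. Because the script runs under `set -e` with no `trap ... EXIT`, the final `rm -rf "${scratch_folder:?}"/*` is skipped whenever an earlier step fails, leaving the scratch clone behind; an EXIT trap would make the cleanup reliable.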