diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1f0ad4bc17..7f40ae893d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -277,6 +277,8 @@ jobs: run: make test TESTS="test_external_krb5" - name: test external_tlsfuzzer run: make test TESTS="test_external_tlsfuzzer" + - name: test external oqs-provider + run: make test TESTS="test_external_oqsprovider" external-test-pyca: runs-on: ubuntu-latest diff --git a/.gitmodules b/.gitmodules index 1d4c6c9da7..6531705b2a 100644 --- a/.gitmodules +++ b/.gitmodules @@ -22,3 +22,6 @@ [submodule "tlslite-ng"] path = tlslite-ng url = https://github.com/tlsfuzzer/tlslite-ng +[submodule "oqs-provider"] + path = oqs-provider + url = https://github.com/open-quantum-safe/oqs-provider.git diff --git a/oqs-provider b/oqs-provider new file mode 160000 index 0000000000..e422884c23 --- /dev/null +++ b/oqs-provider @@ -0,0 +1 @@ +Subproject commit e422884c2387006f68f4c192b3dcb6be3160e7d1 diff --git a/test/README-external.md b/test/README-external.md index 3e10526b85..e1f4819fae 100644 --- a/test/README-external.md +++ b/test/README-external.md 
@@ -87,6 +87,39 @@ explicitly run (with more debugging): $ make test VERBOSE=1 TESTS=test_external_gost_engine +OQSprovider test suite +====================== + +Much like the PYCA/Cryptography test suite, this builds and runs the OQS +(OpenQuantumSafe -- www.openquantumsafe.org) provider tests against the +local OpenSSL build. + +You will need a git checkout of oqsprovider at the top level: + + $ git submodule update --init + +Then configure/build OpenSSL enabling external tests: + + $ ./config shared enable-external-tests + $ make + +oqsprovider requires CMake for the build process. + +OQSprovider tests will then be run as part of the rest of the suite, or can be +explicitly run (with more debugging): + + $ make test VERBOSE=1 TESTS=test_external_oqsprovider + +The environment variable `OQS_SKIP_TESTS` can be set to select tests and +algorithms to be skipped. If not set, the "rainbow" algorithm set as well as +the (OQS-)OpenSSL1.1.1 compatibility tests will not be executed. So, for +example to exclude the "mceliece" and "kyber" algorithms execute + + OQS_SKIP_TESTS=mceliece,kyber make test TESTS=test_external_oqsprovider + +The names of all supported quantum-safe algorithms are available at + + Updating test suites ==================== diff --git a/test/recipes/95-test_external_oqsprovider.t b/test/recipes/95-test_external_oqsprovider.t new file mode 100644 index 0000000000..66b584f384 --- /dev/null +++ b/test/recipes/95-test_external_oqsprovider.t 
@@ -0,0 +1,28 @@
+#! /usr/bin/env perl
+# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test;
+use OpenSSL::Test::Utils;
+use OpenSSL::Test qw/:DEFAULT data_file bldtop_dir srctop_dir cmdstr/;
+
+setup("test_external_oqsprovider");
+
+plan skip_all => "No external tests in this configuration"
+ if disabled("external-tests");
+plan skip_all => "oqsprovider tests not available on Windows or VMS"
+ if $^O =~ /^(VMS|MSWin32)$/;
+plan skip_all => "oqsprovider tests only available in a shared build"
+ if disabled("shared");
+plan skip_all => "oqsprovider tests not supported in out of tree builds"
+ if bldtop_dir() ne srctop_dir();
+
+plan tests => 1;
+
+ok(run(cmd(["sh", data_file("oqsprovider.sh")])),
+ "running oqsprovider tests");
diff --git a/test/recipes/95-test_external_oqsprovider_data/oqsprovider.sh b/test/recipes/95-test_external_oqsprovider_data/oqsprovider.sh
new file mode 100755
index 0000000000..fb4635dc08
--- /dev/null
+++ b/test/recipes/95-test_external_oqsprovider_data/oqsprovider.sh
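Review bot: The recipe starts without `use strict; use warnings;` and loads OpenSSL::Test twice: the bare `use OpenSSL::Test;` is redundant next to the `qw/:DEFAULT .../` import, and `cmdstr` is imported but never used in this file. I would open with `use strict;` and `use warnings;` and keep a single `use OpenSSL::Test qw/:DEFAULT data_file bldtop_dir srctop_dir/;`. A one-line comment above the `ok(run(cmd(...)))` call, such as `# oqsprovider.sh reads SRCTOP and BLDTOP from the environment and needs git, cmake and network access`, would explain why the test can still fail on hosts where every skip condition passes.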
@@ -0,0 +1,77 @@
+#!/bin/sh
+#
+# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+#
+# OpenSSL external testing using the OQS provider
+#
+set -e
+
+PWD="$(pwd)"
+
+SRCTOP="$(cd $SRCTOP; pwd)"
+BLDTOP="$(cd $BLDTOP; pwd)"
+
+if [ "$SRCTOP" != "$BLDTOP" ] ; then
+ echo "Out of tree builds not supported with oqsprovider test!"
+ exit 1
+fi
+
+O_EXE="$BLDTOP/apps"
+O_BINC="$BLDTOP/include"
+O_SINC="$SRCTOP/include"
+O_LIB="$BLDTOP"
+
+unset OPENSSL_CONF
+
+export PATH="$O_EXE:$PATH"
+export LD_LIBRARY_PATH="$O_LIB:$LD_LIBRARY_PATH"
+export OPENSSL_ROOT_DIR="$O_LIB"
+
+# Check/Set openssl version
+OPENSSL_VERSION=`openssl version | cut -f 2 -d ' '`
+
+echo "------------------------------------------------------------------"
+echo "Testing OpenSSL using oqsprovider:"
+echo " CWD: $PWD"
+echo " SRCTOP: $SRCTOP"
+echo " BLDTOP: $BLDTOP"
+echo " OPENSSL_ROOT_DIR: $OPENSSL_ROOT_DIR"
+echo " OpenSSL version: $OPENSSL_VERSION"
+echo "------------------------------------------------------------------"
+
+if [ ! -d $SRCTOP/oqs-provider/oqs ]; then
+# disable rainbow family by default; all further config options listed at
+# https://github.com/open-quantum-safe/liboqs/wiki/Customizing-liboqs
+(
+ cd $SRCTOP/oqs-provider \
+ && git clone --depth 1 --branch main https://github.com/open-quantum-safe/liboqs.git \
+ && cd liboqs \
+ && mkdir build \
+ && cd build \
+ && cmake -DOQS_ENABLE_SIG_RAINBOW=OFF -DCMAKE_INSTALL_PREFIX=$SRCTOP/oqs-provider/oqs .. \
+ && make \
+ && make install
+ )
+fi
+
+if [ ! -f $SRCTOP/oqs-provider/test/ssltestlib.c ]; then
+ ( cd $SRCTOP/oqs-provider && OPENSSL_BLDTOP=$BLDTOP ./scripts/preptests.sh )
+fi
+
+echo " CWD: $PWD"
+cmake $SRCTOP/oqs-provider -DCMAKE_INCLUDE_PATH=$SRCTOP/oqs-provider/oqs -DCMAKE_PREFIX_PATH=$SRCTOP/oqs-provider/oqs -DOPENSSL_ROOT_DIR="$OPENSSL_ROOT_DIR" -DOPENSSL_BLDTOP=$BLDTOP -B _build && cmake --build _build
+export CTEST_OUTPUT_ON_FAILURE=1
+export HARNESS_OSSL_PREFIX=''
+export OPENSSL_APP="$O_EXE/openssl"
+if [ -z "$OQS_SKIP_TESTS" ]; then
+ export OQS_SKIP_TESTS="rainbow,111"
+fi
+export OPENSSL_MODULES=$PWD/_build/oqsprov
+export OQS_PROVIDER_TESTSCRIPTS=$SRCTOP/oqs-provider
+$SRCTOP/oqs-provider/scripts/runtests.sh
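Review bot: The liboqs step clones `--branch main` at test time, so every run builds and `make install`s whatever the upstream branch head is at that moment, while oqs-provider itself is pinned by the submodule commit. Pinning liboqs the same way keeps the run reproducible and stops an upstream change from reaching CI unreviewed: either add it as a submodule, or replace `--branch main` with `--branch <PINNED_LIBOQS_TAG>` (placeholder; the matching release is not visible here). Separately, `export LD_LIBRARY_PATH="$O_LIB:$LD_LIBRARY_PATH"` leaves a trailing empty entry when the variable was unset, which the dynamic loader treats as the current directory; `export LD_LIBRARY_PATH="$O_LIB${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"` avoids that. The unquoted `$SRCTOP` and `$BLDTOP` in the `cd`, `[ ! -d … ]` and `cmake` lines will also split on paths that contain spaces.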