Skip to content

Commit

Permalink
Add S2N_NO_PQ Flag to CMake to enable MIPS support (#1609)
Browse files Browse the repository at this point in the history
Add Cppcheck suppression for Run-time check of value known at Compile-time

Add sike_r2 Headers to CMakeLists

Refactor S2N_NO_PQ Flag
  • Loading branch information
JonathanHenson authored Mar 4, 2020
1 parent 27defba commit b7c27f5
Show file tree
Hide file tree
Showing 23 changed files with 174 additions and 32 deletions.
50 changes: 31 additions & 19 deletions CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ set(INSTALL_LIB_DIR lib CACHE PATH "Installaction directory for libraries")
set(INSTALL_INCLUDE_DIR include CACHE PATH "installaction directory for header files")
set(INSTALL_CMAKE_DIR lib/cmake CACHE PATH "Installation directory for cmake files")

option(S2N_NO_PQ "Disables all Post Quantum Crypto code. You likely want this for older compilers or uncommon platforms.")
option(S2N_NO_PQ_ASM "Turns off the ASM for PQ Crypto even if it's available for the toolchain. You likely want this on older compilers." OFF)

##header files
Expand All @@ -23,13 +24,6 @@ file(GLOB ERROR_HEADERS
"error/*.h"
)

file(GLOB PQ_HEADERS
"pq-crypto/*.h"
"pq-crypto/bike_r1/*.h"
"pq-crypto/bike_r2/*.h"
"pq-crypto/sike_r1/*.h"
)

file(GLOB STUFFER_HEADERS
"stuffer/*.h"
)
Expand All @@ -51,18 +45,32 @@ file(GLOB ERROR_SRC
"error/*.c"
)

# The SIKE code #includes .c files directly, including all sike_r*/*.c breaks the build due to duplicates
file(GLOB PQ_SRC
"pq-crypto/*.c"
"pq-crypto/bike_r1/*.c"
"pq-crypto/bike_r2/*.c"
"pq-crypto/sike_r1/fp_generic_r1.c"
"pq-crypto/sike_r1/P503_r1.c"
"pq-crypto/sike_r1/sike_r1_kem.c"
"pq-crypto/sike_r1/fips202_r1.c"
"pq-crypto/sike_r2/fips202.c"
"pq-crypto/sike_r2/P434.c"
)
if(S2N_NO_PQ)
message(STATUS "S2N_NO_PQ flag was detected - Disabling Post Quantum Crypto")
# If all Post Quantum Code is disabled, also disable PQ assembly optimized code
set(S2N_NO_PQ_ASM ON)
else()
file(GLOB PQ_HEADERS
"pq-crypto/*.h"
"pq-crypto/bike_r1/*.h"
"pq-crypto/bike_r2/*.h"
"pq-crypto/sike_r1/*.h"
"pq-crypto/sike_r2/*.h"
)

# The SIKE code #includes .c files directly, including all sike_r*/*.c breaks the build due to duplicates
file(GLOB PQ_SRC
"pq-crypto/*.c"
"pq-crypto/bike_r1/*.c"
"pq-crypto/bike_r2/*.c"
"pq-crypto/sike_r1/fp_generic_r1.c"
"pq-crypto/sike_r1/P503_r1.c"
"pq-crypto/sike_r1/sike_r1_kem.c"
"pq-crypto/sike_r1/fips202_r1.c"
"pq-crypto/sike_r2/fips202.c"
"pq-crypto/sike_r2/P434.c"
)
endif()

file(GLOB STUFFER_SRC
"stuffer/*.c"
Expand Down Expand Up @@ -160,6 +168,10 @@ if(S2N_NO_PQ_ASM)
target_compile_options(${PROJECT_NAME} PUBLIC -DS2N_NO_PQ_ASM)
endif()

if(S2N_NO_PQ)
target_compile_options(${PROJECT_NAME} PUBLIC -DS2N_NO_PQ)
endif()

target_compile_options(${PROJECT_NAME} PUBLIC -fPIC)

target_compile_definitions(${PROJECT_NAME} PRIVATE -D_POSIX_C_SOURCE=200809L)
Expand Down
6 changes: 6 additions & 0 deletions tests/unit/s2n_bike_r1_kat_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -26,11 +26,17 @@

int main(int argc, char **argv, char **envp) {
BEGIN_TEST();

#if !defined(S2N_NO_PQ)

if (s2n_is_in_fips_mode()) {
/* There is no support for PQ KEMs while in FIPS mode */
END_TEST();
}

EXPECT_SUCCESS(s2n_test_kem_with_kat(&s2n_bike1_l1_r1, RSP_FILE));

#endif

END_TEST();
}
7 changes: 6 additions & 1 deletion tests/unit/s2n_bike_r1_kem_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -19,13 +19,16 @@

int main(int argc, char **argv)
{
BEGIN_TEST();

#if !defined(S2N_NO_PQ)

unsigned char publicKey[BIKE1_L1_R1_PUBLIC_KEY_BYTES];
unsigned char privateKey[BIKE1_L1_R1_SECRET_KEY_BYTES];
unsigned char clientSharedSecretPlaintext[BIKE1_L1_R1_SHARED_SECRET_BYTES];
unsigned char serverSharedSecretPlaintext[BIKE1_L1_R1_SHARED_SECRET_BYTES];
unsigned char encryptedSecret[BIKE1_L1_R1_CIPHERTEXT_BYTES];

BEGIN_TEST();
if (s2n_is_in_fips_mode()) {
/* There is no support for PQ KEMs while in FIPS mode */
END_TEST();
Expand All @@ -36,6 +39,8 @@ int main(int argc, char **argv)
EXPECT_SUCCESS(BIKE1_L1_R1_crypto_kem_dec(serverSharedSecretPlaintext, encryptedSecret, privateKey));
EXPECT_BYTEARRAY_EQUAL(serverSharedSecretPlaintext, clientSharedSecretPlaintext, BIKE1_L1_R1_SHARED_SECRET_BYTES);

#endif

END_TEST();
}

6 changes: 6 additions & 0 deletions tests/unit/s2n_bike_r2_kat_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -26,11 +26,17 @@

int main(int argc, char **argv, char **envp) {
BEGIN_TEST();

#if !defined(S2N_NO_PQ)

if (s2n_is_in_fips_mode()) {
/* There is no support for PQ KEMs while in FIPS mode */
END_TEST();
}

EXPECT_SUCCESS(s2n_test_kem_with_kat(&s2n_bike1_l1_r2, RSP_FILE));

#endif

END_TEST();
}
6 changes: 5 additions & 1 deletion tests/unit/s2n_bike_r2_kem_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -19,13 +19,16 @@

int main(int argc, char **argv)
{
BEGIN_TEST();

#if !defined(S2N_NO_PQ)

unsigned char publicKey[BIKE1_L1_R2_PUBLIC_KEY_BYTES];
unsigned char privateKey[BIKE1_L1_R2_SECRET_KEY_BYTES];
unsigned char clientSharedSecretPlaintext[BIKE1_L1_R2_SHARED_SECRET_BYTES];
unsigned char serverSharedSecretPlaintext[BIKE1_L1_R2_SHARED_SECRET_BYTES];
unsigned char encryptedSecret[BIKE1_L1_R2_CIPHERTEXT_BYTES];

BEGIN_TEST();
if (s2n_is_in_fips_mode()) {
/* There is no support for PQ KEMs while in FIPS mode */
END_TEST();
Expand All @@ -36,6 +39,7 @@ int main(int argc, char **argv)
EXPECT_SUCCESS(BIKE1_L1_R2_crypto_kem_dec(serverSharedSecretPlaintext, encryptedSecret, privateKey));
EXPECT_BYTEARRAY_EQUAL(serverSharedSecretPlaintext, clientSharedSecretPlaintext, BIKE1_L1_R2_SHARED_SECRET_BYTES);

#endif
END_TEST();
}

19 changes: 19 additions & 0 deletions tests/unit/s2n_cipher_preference_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -43,8 +43,12 @@ int main(int argc, char **argv)
EXPECT_TRUE(s2n_ecc_extension_required(preferences));
EXPECT_TRUE(s2n_pq_kem_extension_required(preferences));
EXPECT_EQUAL(4, preferences->kem_count);
#if !defined(S2N_NO_PQ)
EXPECT_NOT_NULL(preferences->kems);
EXPECT_EQUAL(preferences->kems, pq_kems_r2r1);
#else
EXPECT_NULL(preferences->kems);
#endif

preferences = NULL;
EXPECT_SUCCESS(s2n_find_cipher_pref_from_version("KMS-TLS-1-0-2018-10", &preferences));
Expand All @@ -53,6 +57,7 @@ int main(int argc, char **argv)
EXPECT_EQUAL(0, preferences->kem_count);
EXPECT_NULL(preferences->kems);

#if !defined(S2N_NO_PQ)
preferences = NULL;
EXPECT_SUCCESS(s2n_find_cipher_pref_from_version("KMS-PQ-TLS-1-0-2019-06", &preferences));
EXPECT_TRUE(s2n_ecc_extension_required(preferences));
Expand Down Expand Up @@ -84,6 +89,20 @@ int main(int argc, char **argv)
EXPECT_EQUAL(4, preferences->kem_count);
EXPECT_NOT_NULL(preferences->kems);
EXPECT_EQUAL(preferences->kems, pq_kems_r2r1);
#else
preferences = NULL;
EXPECT_FAILURE(s2n_find_cipher_pref_from_version("KMS-PQ-TLS-1-0-2019-06", &preferences));
EXPECT_EQUAL(preferences, NULL);

EXPECT_FAILURE(s2n_find_cipher_pref_from_version("PQ-SIKE-TEST-TLS-1-0-2019-11", &preferences));
EXPECT_EQUAL(preferences, NULL);

EXPECT_FAILURE(s2n_find_cipher_pref_from_version("PQ-SIKE-TEST-TLS-1-0-2020-02", &preferences));
EXPECT_EQUAL(preferences, NULL);

EXPECT_FAILURE(s2n_find_cipher_pref_from_version("KMS-PQ-TLS-1-0-2020-02", &preferences));
EXPECT_EQUAL(preferences, NULL);
#endif

preferences = NULL;
EXPECT_SUCCESS(s2n_find_cipher_pref_from_version("20141001", &preferences));
Expand Down
6 changes: 6 additions & 0 deletions tests/unit/s2n_hybrid_ecdhe_bike_r1_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -27,12 +27,18 @@

int main(int argc, char **argv) {
BEGIN_TEST();

#if !defined(S2N_NO_PQ)

if (s2n_is_in_fips_mode()) {
/* There is no support for PQ KEMs while in FIPS mode */
END_TEST();
}

EXPECT_SUCCESS(s2n_test_hybrid_ecdhe_kem_with_kat(&s2n_bike1_l1_r1, &s2n_ecdhe_bike_rsa_with_aes_256_gcm_sha384,
"KMS-PQ-TLS-1-0-2019-06", RSP_FILE_NAME, SERVER_KEY_MESSAGE_LENGTH, CLIENT_KEY_MESSAGE_LENGTH));

#endif

END_TEST();
}
6 changes: 6 additions & 0 deletions tests/unit/s2n_hybrid_ecdhe_bike_r2_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -26,12 +26,18 @@

int main(int argc, char **argv) {
BEGIN_TEST();

#if !defined(S2N_NO_PQ)

if (s2n_is_in_fips_mode()) {
/* There is no support for PQ KEMs while in FIPS mode */
END_TEST();
}

EXPECT_SUCCESS(s2n_test_hybrid_ecdhe_kem_with_kat(&s2n_bike1_l1_r2, &s2n_ecdhe_bike_rsa_with_aes_256_gcm_sha384,
"KMS-PQ-TLS-1-0-2020-02", RSP_FILE_NAME, SERVER_KEY_MESSAGE_LENGTH, CLIENT_KEY_MESSAGE_LENGTH));

#endif

END_TEST();
}
6 changes: 6 additions & 0 deletions tests/unit/s2n_hybrid_ecdhe_sike_r1_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -27,12 +27,18 @@

int main(int argc, char **argv) {
BEGIN_TEST();

#if !defined(S2N_NO_PQ)

if (s2n_is_in_fips_mode()) {
/* There is no support for PQ KEMs while in FIPS mode */
END_TEST();
}

EXPECT_SUCCESS(s2n_test_hybrid_ecdhe_kem_with_kat(&s2n_sike_p503_r1, &s2n_ecdhe_sike_rsa_with_aes_256_gcm_sha384,
"KMS-PQ-TLS-1-0-2019-06", RSP_FILE_NAME, SERVER_KEY_MESSAGE_LENGTH, CLIENT_KEY_MESSAGE_LENGTH));

#endif

END_TEST();
}
6 changes: 6 additions & 0 deletions tests/unit/s2n_hybrid_ecdhe_sike_r2_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -26,11 +26,17 @@

int main(int argc, char **argv) {
BEGIN_TEST();

#if !defined(S2N_NO_PQ)

if (s2n_is_in_fips_mode()) {
/* There is no support for PQ KEMs while in FIPS mode */
END_TEST();
}
EXPECT_SUCCESS(s2n_test_hybrid_ecdhe_kem_with_kat(&s2n_sike_p434_r2, &s2n_ecdhe_sike_rsa_with_aes_256_gcm_sha384,
"KMS-PQ-TLS-1-0-2020-02", RSP_FILE_NAME, SERVER_KEY_MESSAGE_LENGTH, CLIENT_KEY_MESSAGE_LENGTH));

#endif

END_TEST();
}
4 changes: 4 additions & 0 deletions tests/unit/s2n_kem_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -94,6 +94,8 @@ int main(int argc, char **argv)
END_TEST();
}

#if !defined(S2N_NO_PQ)

{
/* Regression test for network parsing data of expected sizes */
EXPECT_EQUAL(sizeof(kem_extension_size), 2);
Expand Down Expand Up @@ -300,5 +302,7 @@ int main(int argc, char **argv)
EXPECT_EQUAL(compatible_params->kems[1]->kem_extension_id, s2n_sike_p434_r2.kem_extension_id);
}

#endif

END_TEST();
}
5 changes: 5 additions & 0 deletions tests/unit/s2n_kex_with_kem_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -152,6 +152,9 @@ static int assert_kex_fips_checks(struct s2n_cipher_suite *cipher_suite, const c
int main(int argc, char **argv)
{
BEGIN_TEST();

#if !defined(S2N_NO_PQ)

if (s2n_is_in_fips_mode()) {
/* There is no support for PQ KEMs while in FIPS mode. So we verify functions s2n_check_kem() and
* s2n_configure_kem() (in s2n_kex.c) are performing their FIPS checks appropriately. */
Expand Down Expand Up @@ -198,5 +201,7 @@ int main(int argc, char **argv)
S2N_ERR_KEM_UNSUPPORTED_PARAMS);
}

#endif

END_TEST();
}
5 changes: 5 additions & 0 deletions tests/unit/s2n_sike_r1_kat_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -27,11 +27,16 @@
int main(int argc, char **argv, char **envp) {
BEGIN_TEST();

#if !defined(S2N_NO_PQ)

if (s2n_is_in_fips_mode()) {
/* There is no support for PQ KEMs while in FIPS mode */
END_TEST();
}

EXPECT_SUCCESS(s2n_test_kem_with_kat(&s2n_sike_p503_r1, RSP_FILE));

#endif

END_TEST();
}
8 changes: 6 additions & 2 deletions tests/unit/s2n_sike_r1_kem_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -19,14 +19,16 @@

int main(int argc, char **argv)
{
BEGIN_TEST();

#if !defined(S2N_NO_PQ)

unsigned char pub_key[SIKE_P503_R1_PUBLIC_KEY_BYTES] = {0};
unsigned char priv_key[SIKE_P503_R1_SECRET_KEY_BYTES] = {0};
unsigned char c_shared_secret[SIKE_P503_R1_SHARED_SECRET_BYTES];
unsigned char s_shared_secret[SIKE_P503_R1_SHARED_SECRET_BYTES];
unsigned char ciphertext[SIKE_P503_R1_CIPHERTEXT_BYTES];

BEGIN_TEST();

if (s2n_is_in_fips_mode()) {
/* There is no support for PQ KEMs while in FIPS mode */
END_TEST();
Expand All @@ -37,5 +39,7 @@ int main(int argc, char **argv)
EXPECT_SUCCESS(SIKE_P503_r1_crypto_kem_dec(s_shared_secret, ciphertext, priv_key));
EXPECT_BYTEARRAY_EQUAL(s_shared_secret, c_shared_secret, SIKE_P503_R1_SHARED_SECRET_BYTES);

#endif

END_TEST();
}
5 changes: 5 additions & 0 deletions tests/unit/s2n_sike_r2_kat_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -27,11 +27,16 @@
int main(int argc, char **argv, char **envp) {
BEGIN_TEST();

#if !defined(S2N_NO_PQ)

if (s2n_is_in_fips_mode()) {
/* There is no support for PQ KEMs while in FIPS mode */
END_TEST();
}

EXPECT_SUCCESS(s2n_test_kem_with_kat(&s2n_sike_p434_r2, RSP_FILE));

#endif

END_TEST();
}
Loading

0 comments on commit b7c27f5

Please sign in to comment.