QST-47: Add OpenSSL 3 and oqs-provider to Sandwich.

The following integration tests have been written:

  - `depth_exceeded.rs`:
    - Verify the `max_verify_depth` parameter from the protobuf configuration
    - Make sure that the `pathlen` in `basicConstraints` is honored
    - Make sure `Tunnel::handshake()` returns an `HandshakeError::HANDSHAKEERROR_DEPTH_EXCEEDED`.
  - `expired_certificate.rs`:
    - Verify that an expired certificate leads to an handshake error.
    - Make sure `Tunnel::handshake()` returnas an `HandshakeError::HANDSHAKEERROR_CERTIFICATE_EXPIRED`.
    - Make sure the `allow_expired_certificate` parameter from the X509Verifier
      protobuf configuration works.
  - `mtls.rs`:
    - Verify that mTLS works (both peers issue a CERT_REQ)
    - Verify that `Tunnel::handshake()` returns an error in the case where the
      client does not expose any certificate.
  - `subject_alt_name_dns.rs`:
    - Verify that the SAN configuration is working with a DNS entry.
    - Verify that it works with wildcard entries.
    - Verify that `Tunnel::handshake()` returns an `HandshakeError::HANDSHAKEERROR_INVALID_SERVER_NAME`
      when SAN does not match the expected DNS hostname.
  - `subject_alt_names_email.rs`:
    - Same as `subject_alt_names_dns` but with an email address, and no wildcard.
  - `subject_alt_names_ip_address.rs`:
    - Same as `subject_alt_name_dns.rs` but with IP addresses, both IPv4 and IPv6, no wildcard.
  - `tls_12.rs`:
    - Make sure TLS 1.2 works.
    - Make sure `Tunnel::handshake()` returns an `HandshakeError::HANDSHAKEERROR_UNSUPPORTED_PROTOCOL`
      if the rmeote peer does not support TLS 1.2.
  - `tls_13_ciphersuites.rs`:
    - Verify the TLS 1.3 configuration with ciphersuites.
    - Make sure `Tunnel::handshake()` returns an `HandshakeError::HANDSHAKEERROR_NO_SHARED_CIPHER`
      if no cipher could be negociated between peers.
  - `tls_13_ke.rs`
    - Same as `tls_13_ciphersuites.rs` but with KEs (Key Exchange algorithms).
    - Make sure `Tunnel::handshake()` returns an `HandshakeError::HANDSHAKEERROR_NO_SUITABLE_KEY_SHARE`
      if no cipher could be negociated between peers.
  - `tls_classical.rs`:
    - Make sure TLS 1.3 works with classical cryptographic algorithms (`classical != quantum-resistant`).
    - Make sure read and write works.
  - `tls_quantum_resistant.rs`:
    - Make sure TLS 1.3 works using quantum-resistant cryptographic algorithms (`classical != quantum-resistant`).
    - Make sure read and write works.
    - Make sure the compliance field from the protobuf configuration is honored
      by verifying that the tunnel creation process fails if a classical KE is
      provided when only quantum-resistant algoritms are allowed.
  - `x509_strict.rs`:
    - Make sure we do not allow broken certificates, i.e. intermediate certificates
      that do not have a `keyUsage` X509 extension with at least `keyCertSign`.

GitOrigin-RevId: 251d0c2deebdb1e2341dde123ffed995a93552a2

Cargo.toml

@@ -17,6 +17,7 @@ members = [
     "rust_vendor/boringssl",
     "rust_vendor/build-support",
     "rust_vendor/openssl1_1_1",
+    "rust_vendor/openssl3",
     "rust_vendor/sandwich-api-proto",
     "rust_vendor/sandwich-proto",
     "rust_vendor/testdata",
@@ -28,17 +29,59 @@ path = "rust/lib.rs"
 
 [features]
 boringssl = []
-default = ["openssl1_1_1", "boringssl", "tunnel"]
+default = ["openssl1_1_1", "openssl3", "boringssl", "tunnel"]
 ffi = []
 openssl1_1_1 = []
+openssl3 = []
 tunnel = []
 
 [dependencies]
 boringssl = { path = "rust_vendor/boringssl" }
 openssl1_1_1 = { path = "rust_vendor/openssl1_1_1" }
+openssl3 = { path = "rust_vendor/openssl3" }
 protobuf = "=3.3.0"
 sandwich-api-proto = { path = "rust_vendor/sandwich-api-proto" }
 sandwich-proto = { path = "rust_vendor/sandwich-proto" }
 
 [dev-dependencies]
 testdata = { path = "rust_vendor/testdata" }
+
+[[test]]
+name = "depth-exceeded"
+path = "rust/implementation/openssl3/tunnel/tests/depth_exceeded.rs"
+required-features = ["openssl3", "tunnel"]
+
+[[test]]
+name = "expired-certificate"
+path = "rust/implementation/openssl3/tunnel/tests/expired_certificate.rs"
+required-features = ["openssl3", "tunnel"]
+
+[[test]]
+name = "mtls"
+path = "rust/implementation/openssl3/tunnel/tests/mtls.rs"
+required-features = ["openssl3", "tunnel"]
+
+[[test]]
+name = "subject-alt-names-dns"
+path = "rust/implementation/openssl3/tunnel/tests/subject_alt_names_dns.rs"
+required-features = ["openssl3", "tunnel"]
+
+[[test]]
+name = "subject-alt-names-email"
+path = "rust/implementation/openssl3/tunnel/tests/subject_alt_names_email.rs"
+required-features = ["openssl3", "tunnel"]
+
+[[test]]
+name = "subject-alt-names-ip-address"
+path = "rust/implementation/openssl3/tunnel/tests/subject_alt_names_ip_address.rs"
+required-features = ["openssl3", "tunnel"]
+
+[[test]]
+name = "tls-classical"
+path = "rust/implementation/openssl3/tunnel/tests/tls_classical.rs"
+required-features = ["openssl3", "tunnel"]
+
+[[test]]
+name = "tls-quantum-resistant"
+path = "rust/implementation/openssl3/tunnel/tests/tls_quantum_resistant.rs"
+required-features = ["openssl3", "tunnel"]

bazel/repositories.bzl

@@ -2,8 +2,10 @@ load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 load("@bazel_tools//tools/build_defs/repo:utils.bzl", "maybe")
 load("//common/build/flex:repositories.bzl", "flex_repositories")
 load("//vendor/github.com/doxygen/doxygen:BUILD.bzl", "doxygen_fetch_archive")
+load("//vendor/github.com/openssl/openssl:BUILD.bzl", "com_github_openssl_openssl_fetch_archive")
 load("//vendor/github.com/open-quantum-safe/liboqs:BUILD.bzl", "liboqs_fetch_archive")
 load("//vendor/github.com/open-quantum-safe/openssl:BUILD.bzl", "open_quantum_safe_openssl_no_liboqs_fetch_archive")
+load("//vendor/github.com/open-quantum-safe/oqs-provider:BUILD.bzl", "open_quantum_safe_oqs_provider_fetch_archive")
 load("//vendor/github.com/open-quantum-safe/boringssl:BUILD.bzl", "open_quantum_safe_boringssl_fetch_archive")
 load("//vendor/github.com/sandbox-quantum/bartleby:BUILD.bzl", "com_github_sandboxquantum_bartleby_fetch_archive")
 load("//vendor/github.com/protocolbuffers/protobuf:BUILD.bzl", "protocolbuffers_protobuf_pull_git_repo")
@@ -94,7 +96,9 @@ def sandwich_repositories():
     flex_repositories()
     doxygen_fetch_archive()
     liboqs_fetch_archive()
+    com_github_openssl_openssl_fetch_archive()
     open_quantum_safe_openssl_no_liboqs_fetch_archive()
     open_quantum_safe_boringssl_fetch_archive()
+    open_quantum_safe_oqs_provider_fetch_archive()
     com_github_sandboxquantum_bartleby_fetch_archive()
     protocolbuffers_protobuf_pull_git_repo()

common/rules/openssl3/BUILD.bazel

@@ -2,7 +2,6 @@ load(":rules.bzl", "gen_certificate", "gen_csr", "gen_openssl_providers_configur
 load("//common/rules/openssl3/private:gen_openssl_modules_directory.bzl", "gen_openssl_modules_directory")
 load("@bazel_skylib//rules:build_test.bzl", "build_test")
 load("@bazel_skylib//:bzl_library.bzl", "bzl_library")
-load("@io_bazel_stardoc//stardoc:stardoc.bzl", "stardoc")
 
 gen_openssl_providers_configuration(
     name = "conf",
@@ -102,20 +101,6 @@ bzl_library(
     ],
 )
 
-stardoc(
-    name = "openssl3-providers-docs",
-    out = "openssl3-providers.md",
-    input = "providers.bzl",
-    deps = [":openssl3-rules"],
-)
-
-stardoc(
-    name = "openssl3-rules-docs",
-    out = "openssl3-rules.md",
-    input = "rules.bzl",
-    deps = [":openssl3-rules"],
-)
-
 build_test(
     name = "build_test",
     targets = [
@@ -124,9 +109,7 @@ build_test(
         ":certificate_test",
         ":conf",
         ":modules",
-        ":openssl3-providers-docs",
         ":openssl3-rules",
-        ":openssl3-rules-docs",
         ":private_key_test",
     ],
 )

examples/bazel/main.rs

@@ -38,7 +38,7 @@ fn create_context(sw: &sandwich::Context) -> tunnel::Context {
 }
 
 fn main() {
-    let sw = sandwich::Context;
+    let sw = sandwich::Context::new();
     let _context = create_context(&sw);
     // See `/examples/rust` for a more complete example.
 }

examples/rust/echo_tls_server/echo_tls_server.rs

@@ -121,7 +121,7 @@ pub fn echo_tls_server(cert: PathBuf, key: PathBuf, host: String, port: u16) {
     let server_conf =
         create_server_configuration(cert, key).expect("failed to create the server configuration");
 
-    let sw = sandwich::Context;
+    let sw = sandwich::Context::new();
     let server_ctx =
         Context::try_from(&sw, &server_conf).expect("failed to create a server context");
 
@@ -149,7 +149,7 @@ pub fn echo_tls_server_mpsc(cert: PathBuf, key: PathBuf, host: String, port_w: S
     let server_conf =
         create_server_configuration(cert, key).expect("failed to create the server configuration");
 
-    let sw = sandwich::Context;
+    let sw = sandwich::Context::new();
     let server_ctx =
         Context::try_from(&sw, &server_conf).expect("failed to create a server context");
 

examples/rust/tls_client/main.rs

@@ -36,7 +36,7 @@ fn main() {
     let client_conf = tls_client::create_client_configuration(&args.tls_version)
         .expect("failed to create the Sandwich configuration");
 
-    let sw = sandwich::Context;
+    let sw = sandwich::Context::new();
     let client_ctx = sandwich::tunnel::Context::try_from(&sw, &client_conf)
         .expect("failed to create a Sandwich context");
 

go/generated_error_codes.go

@@ -385,6 +385,7 @@ type SystemError struct {
 var errSystemErrorMap = map[pb.SystemError]string{
   pb.SystemError_SYSTEMERROR_MEMORY: `Memory error (e.g. allocation failed).`,
   pb.SystemError_SYSTEMERROR_INTEGER_OVERFLOW: `Integer overflow.`,
+  pb.SystemError_SYSTEMERROR_BACKEND: `Backend error.`,
 }
 
 func newSystemError(code pb.SystemError, msg string) *SystemError {
@@ -451,6 +452,10 @@ var errHandshakeErrorMap = map[pb.HandshakeError]string{
   pb.HandshakeError_HANDSHAKEERROR_CERTIFICATE_REVOKED: `Certificate was revoked.`,
   pb.HandshakeError_HANDSHAKEERROR_INVALID_CERTIFICATE: `Invalid Certificate.`,
   pb.HandshakeError_HANDSHAKEERROR_CERTIFICATE_SIGNATURE_VERIFICATION_FAILED: `Signature verification error.`,
+  pb.HandshakeError_HANDSHAKEERROR_DEPTH_EXCEEDED: `Certificate chain too long or pathlen exceeded.`,
+  pb.HandshakeError_HANDSHAKEERROR_UNSUPPORTED_PROTOCOL: `Unsupported protocol.`,
+  pb.HandshakeError_HANDSHAKEERROR_NO_SHARED_CIPHER: `No shared cipher.`,
+  pb.HandshakeError_HANDSHAKEERROR_NO_SUITABLE_KEY_SHARE: `No suitable key share.`,
   pb.HandshakeError_HANDSHAKEERROR_UNKNOWN_ERROR: `Unknown handshake error.`,
 }