use skip_validation mechanism to turn off lifetime validation

openmls/Cargo.toml

@@ -53,8 +53,6 @@ test-utils = [
   "dep:once_cell",
   "backtrace",
 ]
-test-skip-lifetime-validity-check = [
-] # Skip the check whether a lifetime is valid. Needed for KATs with since-expired key packages.
 backtrace = ["dep:backtrace"]
 libcrux-provider = [
   "dep:openmls_libcrux_crypto",

openmls/src/group/mls_group/tests_and_kats/kats/mod.rs

@@ -1,3 +1,2 @@
-#[cfg(feature = "test-skip-lifetime-validity-check")]
 mod passive_client;
 mod welcome;

openmls/src/group/mls_group/tests_and_kats/kats/passive_client.rs

@@ -99,16 +99,18 @@ pub struct TestProposal(#[serde(with = "hex::serde")] Vec<u8>);
 
 #[test]
 fn test_read_vectors() {
-    for file in TEST_VECTORS_PATH_READ {
-        let scenario: Vec<PassiveClientWelcomeTestVector> = read(file);
-
-        info!("# {file}");
-        for (i, test_vector) in scenario.into_iter().enumerate() {
-            info!("## {i:04} START");
-            run_test_vector(test_vector);
-            info!("## {i:04} END");
+    crate::skip_validation::checks::leaf_node_lifetime::handle().with_disabled(|| {
+        for file in TEST_VECTORS_PATH_READ {
+            let scenario: Vec<PassiveClientWelcomeTestVector> = read(file);
+
+            info!("# {file}");
+            for (i, test_vector) in scenario.into_iter().enumerate() {
+                info!("## {i:04} START");
+                run_test_vector(test_vector);
+                info!("## {i:04} END");
+            }
         }
-    }
+    })
 }
 
 pub fn run_test_vector(test_vector: PassiveClientWelcomeTestVector) {
@@ -181,21 +183,23 @@ pub fn run_test_vector(test_vector: PassiveClientWelcomeTestVector) {
 
 #[test]
 fn test_write_vectors() {
-    let mut tests = Vec::new();
-
-    for _ in 0..NUM_TESTS {
-        for &ciphersuite in OpenMlsRustCrypto::default()
-            .crypto()
-            .supported_ciphersuites()
-            .iter()
-        {
-            let test = generate_test_vector(ciphersuite);
-            tests.push(test);
+    crate::skip_validation::checks::leaf_node_lifetime::handle().with_disabled(|| {
+        let mut tests = Vec::new();
+
+        for _ in 0..NUM_TESTS {
+            for &ciphersuite in OpenMlsRustCrypto::default()
+                .crypto()
+                .supported_ciphersuites()
+                .iter()
+            {
+                let test = generate_test_vector(ciphersuite);
+                tests.push(test);
+            }
         }
-    }
 
-    // TODO(#1279)
-    write(TEST_VECTOR_PATH_WRITE[0], &tests);
+        // TODO(#1279)
+        write(TEST_VECTOR_PATH_WRITE[0], &tests);
+    })
 }
 
 struct PassiveClient {

openmls/src/group/public_group/validation.rs

@@ -29,7 +29,6 @@ use crate::{
     schedule::errors::PskError,
 };
 
-#[cfg(not(feature = "test-skip-lifetime-validity-check"))]
 use crate::treesync::errors::LifetimeError;
 
 impl PublicGroup {
@@ -628,11 +627,13 @@ impl PublicGroup {
         //
         // Some KATs use key packages that are expired by now. In order to run these tests, we
         // provide a way to turn off this check.
-        #[cfg(not(feature = "test-skip-lifetime-validity-check"))]
-        if let Some(lifetime) = leaf_node.life_time() {
-            if !lifetime.is_valid() {
-                log::warn!("offending lifetime: {lifetime:?}");
-                return Err(LeafNodeValidationError::Lifetime(LifetimeError::NotCurrent));
+
+        if !crate::skip_validation::is_disabled::leaf_node_lifetime() {
+            if let Some(lifetime) = leaf_node.life_time() {
+                if !lifetime.is_valid() {
+                    log::warn!("offending lifetime: {lifetime:?}");
+                    return Err(LeafNodeValidationError::Lifetime(LifetimeError::NotCurrent));
+                }
             }
         }
 

openmls/src/skip_validation.rs

@@ -17,6 +17,10 @@ pub(crate) mod is_disabled {
     pub(crate) fn confirmation_tag() -> bool {
         confirmation_tag::FLAG.load(core::sync::atomic::Ordering::Relaxed)
     }
+
+    pub(crate) fn leaf_node_lifetime() -> bool {
+        leaf_node_lifetime::FLAG.load(core::sync::atomic::Ordering::Relaxed)
+    }
 }
 
 #[cfg(test)]
@@ -75,6 +79,48 @@ pub(crate) mod checks {
             }
         }
     }
+
+    /// Disables validation of leaf node lifetimes
+    pub(crate) mod leaf_node_lifetime {
+        use std::sync::atomic::AtomicBool;
+
+        /// A way of disabling verification and validation of leaf node lifetimes.
+        pub(in crate::skip_validation) static FLAG: AtomicBool = AtomicBool::new(false);
+
+        #[cfg(test)]
+        pub(crate) use lock::handle;
+
+        #[cfg(test)]
+        mod lock {
+            use super::FLAG;
+            use crate::skip_validation::SkipValidationHandle;
+            use once_cell::sync::Lazy;
+            use std::sync::{Mutex, MutexGuard};
+
+            /// The name of the check that can be skipped here
+            const NAME: &str = "leaf_node_lifetime";
+
+            /// A mutex needed to run tests that use this flag sequentially
+            static MUTEX: Lazy<Mutex<SkipValidationHandle>> =
+                Lazy::new(|| Mutex::new(SkipValidationHandle::new_leaf_node_lifetime_handle()));
+
+            /// Takes the mutex and returns the control handle to the validation skipper
+            pub(crate) fn handle() -> MutexGuard<'static, SkipValidationHandle> {
+                MUTEX.lock().unwrap_or_else(|e| {
+                    panic!("error taking skip-validation mutex for '{NAME}': {e}")
+                })
+            }
+
+            impl SkipValidationHandle {
+                pub fn new_leaf_node_lifetime_handle() -> Self {
+                    Self {
+                        name: NAME,
+                        flag: &FLAG,
+                    }
+                }
+            }
+        }
+    }
 }
 
 #[cfg(test)]