refactor openssl-ech workflow + add suite testing

Author: sebastian-carpenter

.github/scripts/openssl-ech.sh

@@ -0,0 +1,190 @@
+#!/bin/bash
+
+set -e
+
+cleanup() {
+    cat "$TMP_LOG"
+    rm -f "$TMP_LOG"
+}
+trap cleanup EXIT
+
+usage() {
+    echo "Usage: $0 <client|server> [--suite <KEM,KDF,AEAD>] [--workspace <path>]"
+    exit 1
+}
+
+MODE=""
+SUITE=""
+
+WORKSPACE=${GITHUB_WORKSPACE:-"."}
+
+if [ $# -lt 1 ]; then
+    usage
+fi
+
+case "$1" in
+    client|server) MODE="$1" ;;
+    *) usage ;;
+esac
+shift
+
+while [ $# -gt 0 ]; do
+    case "$1" in
+        --suite)
+            [ -z "$2" ] && { echo "ERROR: --suite requires a value"; exit 1; }
+            SUITE="$2"
+            shift 2
+            echo ""
+            echo "Using suite: $SUITE"
+            echo ""
+            ;;
+        --workspace)
+            [ -z "$2" ] && { echo "ERROR: --workspace requires a value"; exit 1; }
+            WORKSPACE="$2"
+            shift 2
+            ;;
+        *) echo "Unknown argument: $1"; usage ;;
+    esac
+done
+
+OPENSSL=${OPENSSL:-"openssl"}
+WOLFSSL_CLIENT=${WOLFSSL_CLIENT:-"$WORKSPACE/examples/client/client"}
+WOLFSSL_SERVER=${WOLFSSL_SERVER:-"$WORKSPACE/examples/server/server"}
+CERT_DIR=${CERT_DIR:-"$WORKSPACE/certs"}
+
+TMP_LOG="$WORKSPACE/tmp_file.log"
+PRIV_NAME="ech-private-name.com"
+PUB_NAME="ech-public-name.com"
+MAX_WAIT=50
+
+openssl_server(){
+    local ech_file="$WORKSPACE/ech_config.pem"
+    local ech_config=""
+    local port=""
+
+    rm -f "$ech_file"
+
+    $OPENSSL ech -public_name "$PUB_NAME" -out "$ech_file" $SUITE &>> "$TMP_LOG"
+
+    # parse ECH config from file
+    ech_config=$(sed -n '/BEGIN ECHCONFIG/,/END ECHCONFIG/{/BEGIN ECHCONFIG\|END ECHCONFIG/d;p}' "$ech_file" | tr -d '\n')
+    echo "parsed ech config: $ech_config" &>> "$TMP_LOG"
+
+    # start OpenSSL ECH server with ephemeral port and make sure it is
+    # line-buffered
+    stdbuf -oL $OPENSSL s_server \
+        -tls1_3 \
+        -cert "$CERT_DIR/server-cert.pem" \
+        -key "$CERT_DIR/server-key.pem" \
+        -cert2 "$CERT_DIR/server-cert.pem" \
+        -key2 "$CERT_DIR/server-key.pem" \
+        -ech_key "$ech_file" \
+        -servername "$PRIV_NAME" \
+        -accept 0 \
+        -naccept 1 \
+        &>> "$TMP_LOG" <<< "wolfssl!" &
+
+    # wait for server port to be ready and capture it
+    counter=0
+    while [ -z "$port" ]; do
+        port=$(grep -m1 "ACCEPT" "$TMP_LOG" | sed 's/.*:\([0-9]*\)$/\1/')
+        sleep 0.1
+        counter=$((counter + 1))
+        if [ "$counter" -gt "$MAX_WAIT" ]; then
+            echo "ERROR: server port not found" &>> "$TMP_LOG"
+            exit 1
+        fi
+    done
+    echo "parsed port: $port" &>> "$TMP_LOG"
+
+    # test with wolfssl client
+    $WOLFSSL_CLIENT -v 4 \
+        -p "$port" \
+        -S "$PRIV_NAME" \
+        --ech "$ech_config" \
+        &>> "$TMP_LOG"
+
+    rm -f "$ech_file"
+
+    grep -q "ech_success=1" "$TMP_LOG"
+}
+
+openssl_client(){
+    local ready_file="$WORKSPACE/wolfssl_tls13_ready$$"
+    local ech_config=""
+    local port=0
+
+    rm -f "$ready_file"
+
+    # start server with ephemeral port + ready file
+    # also set server to be line buffered so the log can be grepped
+    stdbuf -oL $WOLFSSL_SERVER \
+                -v 4 \
+                -R "$ready_file" \
+                -p "$port" \
+                -S "$PRIV_NAME" \
+                --ech "$PUB_NAME" \
+                $SUITE \
+                &>> "$TMP_LOG" &
+
+    # wait for server to be ready, then get port
+    counter=0
+    while [ ! -s "$ready_file" ]; do
+        sleep 0.1
+        counter=$((counter + 1))
+        if [ "$counter" -gt "$MAX_WAIT" ]; then
+            echo "ERROR: no ready file" &>> "$TMP_LOG"
+            exit 1
+        fi
+    done
+    port="$(cat "$ready_file")"
+    rm -f "$ready_file"
+    echo "parsed port: $port" &>> "$TMP_LOG"
+
+    # get ECH config from server
+    counter=0
+    while [ -z "$ech_config" ]; do
+        ech_config=$(grep -m1 "ECH config (base64): " "$TMP_LOG" \
+            2>/dev/null | sed 's/ECH config (base64): //g')
+        sleep 0.1
+        counter=$((counter + 1))
+        if [ "$counter" -gt "$MAX_WAIT" ]; then
+            echo "ERROR: no ECH configs" &>> "$TMP_LOG"
+            exit 1
+        fi
+    done
+    echo "parsed ech config: $ech_config" &>> "$TMP_LOG"
+
+    # Test with OpenSSL s_client using ECH
+    echo "wolfssl" | $OPENSSL s_client \
+        -tls1_3 \
+        -connect "localhost:$port" \
+        -cert "$CERT_DIR/client-cert.pem" \
+        -key "$CERT_DIR/client-key.pem" \
+        -CAfile "$CERT_DIR/ca-cert.pem" \
+        -servername "$PRIV_NAME" \
+        -ech_config_list "$ech_config" \
+        &>> "$TMP_LOG"
+
+    grep -q "ECH: success: 1" "$TMP_LOG"
+}
+
+rm -f "$TMP_LOG"
+
+case "$MODE" in
+    server)
+        if [ -n "$SUITE" ]; then
+            SUITE="-suite $SUITE"
+        fi
+        openssl_server
+        ;;
+    client)
+        if [ -n "$SUITE" ]; then
+            SUITE="--ech-suite $SUITE"
+        fi
+        openssl_client
+        ;;
+    *)
+        exit 1
+        ;;
+esac

.github/workflows/openssl-ech.yml

@@ -23,7 +23,8 @@ jobs:
         uses: wolfSSL/actions-build-autotools-project@v1
         with:
           path: wolfssl
-          configure: --enable-ech CFLAGS='-DUSE_FLAT_TEST_H'
+          configure: >-
+            --enable-ech --enable-sha512 --enable-aes CFLAGS='-DUSE_FLAT_TEST_H'
           install: true
 
       - name: tar build-dir
@@ -38,6 +39,10 @@ jobs:
           cp -r "$GITHUB_WORKSPACE/wolfssl/certs" build-dir/certs
           tar -zcf build-dir.tgz build-dir
 
+          # need the ech script to run tests
+          cp "$GITHUB_WORKSPACE/wolfssl/.github/scripts/openssl-ech.sh" \
+            build-dir/openssl-ech.sh
+
       - name: Upload built wolfSSL
         uses: actions/upload-artifact@v4
         with:
@@ -117,76 +122,23 @@ jobs:
 
           export LD_LIBRARY_PATH="$GITHUB_WORKSPACE/openssl-install/lib64:$GITHUB_WORKSPACE/openssl-install/lib:$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH"
 
-          OPENSSL=$GITHUB_WORKSPACE/openssl-install/bin/openssl
-          WOLFSSL_SERVER=$GITHUB_WORKSPACE/build-dir/bin/server
-
+          OPENSSL="$GITHUB_WORKSPACE/openssl-install/bin/openssl"
+          WOLFSSL_SERVER="$GITHUB_WORKSPACE/build-dir/bin/server"
           CERT_DIR="$GITHUB_WORKSPACE/build-dir/certs"
-          READY_FILE="$GITHUB_WORKSPACE/wolfssl_tls13_ready$$"
           LOG_FILE="$GITHUB_WORKSPACE/log_file.log"
-          PRIV_NAME="ech-private-name.com"
-          PUB_NAME="ech-public-name.com"
-          ECH_CONFIG=""
-          PORT=0
-
-          rm -f "$READY_FILE"
 
           # need to cd into build-dir so the certs/ dir is available for server
           cd build-dir
 
           $OPENSSL version | tee "$LOG_FILE"
 
-          # start server with ephemeral port + ready file
-          # also set server to be line buffered so the log can be grepped
-          stdbuf -oL $WOLFSSL_SERVER \
-                        -v 4 \
-                        -R "$READY_FILE" \
-                        -p "$PORT" \
-                        -S "$PRIV_NAME" \
-                        --ech "$PUB_NAME" \
-                        &>> "$LOG_FILE" &
-
-          # wait for server to be ready, then get port
-          counter=0
-          while [ ! -s "$READY_FILE" ]; do
-              sleep 0.1
-              counter=$((counter + 1))
-              if [ "$counter" -gt 50 ]; then
-                  echo "ERROR: no ready file" &>> "$LOG_FILE"
-                  exit 1
-              fi
-          done
-          PORT="$(cat "$READY_FILE")"
-          echo "parsed port: $PORT" &>> "$LOG_FILE"
-
-          # get ECH config from server
-          counter=0
-          while [ -z "$ECH_CONFIG" ]; do
-              ECH_CONFIG=$(grep -m1 "ECH config (base64): " "$LOG_FILE" \
-                  2>/dev/null | sed 's/ECH config (base64): //g')
-              sleep 0.1
-              counter=$((counter + 1))
-              if [ "$counter" -gt 50 ]; then
-                  echo "ERROR: no ECH configs" &>> "$LOG_FILE"
-                  exit 1
-              fi
-          done
-          echo "parsed ech config: $ECH_CONFIG" &>> "$LOG_FILE"
-
-          # Test with OpenSSL s_client using ECH
-          echo "wolfssl" | $OPENSSL s_client \
-              -tls1_3 \
-              -connect "localhost:$PORT" \
-              -cert "$CERT_DIR/client-cert.pem" \
-              -key "$CERT_DIR/client-key.pem" \
-              -CAfile "$CERT_DIR/ca-cert.pem" \
-              -servername "$PRIV_NAME" \
-              -ech_config_list "$ECH_CONFIG" \
-              &>> "$LOG_FILE"
-
-          grep "ECH: success: 1" "$LOG_FILE"
+          # default suite (DHKEM_X25519_HKDF_SHA256, HKDF_SHA256, HPKE_AES_128_GCM)
+          bash ./openssl-ech.sh client &>> "$LOG_FILE"
+
+          # weird suite (DHKEM_P521_HKDF_SHA512, HKDF_SHA256, HPKE_AES_256_GCM)
+          bash ./openssl-ech.sh client --suite "18,3,2" &>> "$LOG_FILE"
 
           # cleanup
-          rm -f "$READY_FILE"
           rm -f "$LOG_FILE"
 
       - name: Print debug info on failure
@@ -238,69 +190,24 @@ jobs:
 
           export LD_LIBRARY_PATH="$GITHUB_WORKSPACE/openssl-install/lib64:$GITHUB_WORKSPACE/openssl-install/lib:$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH"
 
-          OPENSSL=$GITHUB_WORKSPACE/openssl-install/bin/openssl
-          WOLFSSL_CLIENT=$GITHUB_WORKSPACE/build-dir/bin/client
-
+          OPENSSL="$GITHUB_WORKSPACE/openssl-install/bin/openssl"
+          WOLFSSL_CLIENT="$GITHUB_WORKSPACE/build-dir/bin/client"
           CERT_DIR="$GITHUB_WORKSPACE/build-dir/certs"
           LOG_FILE="$GITHUB_WORKSPACE/log_file.log"
-          ECH_FILE="$GITHUB_WORKSPACE/ech_config.pem"
-          PRIV_NAME="ech-private-name.com"
-          PUB_NAME="ech-public-name.com"
-          PORT=""
-          ECH_CONFIG=""
-
-          rm -f "$ECH_FILE"
 
           # need to cd into build-dir so the certs/ dir is available for client
           cd build-dir
 
           $OPENSSL version | tee "$LOG_FILE"
 
-          $OPENSSL ech -public_name "$PUB_NAME" -out "$ECH_FILE" &>> "$LOG_FILE"
-
-          # parse ECH config from file
-          ECH_CONFIG=$(sed -n '/BEGIN ECHCONFIG/,/END ECHCONFIG/{/BEGIN ECHCONFIG\|END ECHCONFIG/d;p}' "$ECH_FILE" | tr -d '\n')
-          echo "parsed ech config: $ECH_CONFIG" &>> "$LOG_FILE"
-
-          # start OpenSSL ECH server with ephemeral port and make sure it is
-          # line-buffered
-          stdbuf -oL $OPENSSL s_server \
-              -tls1_3 \
-              -cert "$CERT_DIR/server-cert.pem" \
-              -key "$CERT_DIR/server-key.pem" \
-              -cert2 "$CERT_DIR/server-cert.pem" \
-              -key2 "$CERT_DIR/server-key.pem" \
-              -ech_key "$ECH_FILE" \
-              -servername "$PRIV_NAME" \
-              -accept 0 \
-              -naccept 1 \
-              &>> "$LOG_FILE" <<< "wolfssl!" &
-
-          # wait for server port to be ready and capture it
-          counter=0
-          while [ -z "$PORT" ]; do
-              PORT=$(grep -m1 "ACCEPT" "$LOG_FILE" | sed 's/.*:\([0-9]*\)$/\1/')
-              sleep 0.1
-              counter=$((counter + 1))
-              if [ "$counter" -gt 50 ]; then
-                  echo "ERROR: server port not found" &>> "$LOG_FILE"
-                  exit 1
-              fi
-          done
-          echo "parsed port: $PORT" &>> "$LOG_FILE"
-
-          # test with wolfssl client
-          $WOLFSSL_CLIENT -v 4 \
-              -p "$PORT" \
-              -S "$PRIV_NAME" \
-              --ech "$ECH_CONFIG" \
-              &>> "$LOG_FILE"
-
-          grep "ech_success=1" "$LOG_FILE"
+          # default suite (DHKEM_X25519_HKDF_SHA256, HKDF_SHA256, HPKE_AES_128_GCM)
+          bash ./openssl-ech.sh server &>> "$LOG_FILE"
+
+          # weird suite (DHKEM_P521_HKDF_SHA512, HKDF_SHA256, HPKE_AES_256_GCM)
+          bash ./openssl-ech.sh server --suite "18,3,2" &>> "$LOG_FILE"
 
           # cleanup
           rm -f "$LOG_FILE"
-          rm -f "$ECH_FILE"
 
       - name: Print debug info on failure
         if: ${{ failure() }}