|
| 1 | +name: OpenSSL ECH Interop Test |
| 2 | + |
| 3 | +# START OF COMMON SECTION |
| 4 | +on: |
| 5 | + push: |
| 6 | + branches: [ 'master', 'main', 'release/**' ] |
| 7 | + pull_request: |
| 8 | + branches: [ '*' ] |
| 9 | + |
| 10 | +concurrency: |
| 11 | + group: ${{ github.workflow }}-${{ github.ref }} |
| 12 | + cancel-in-progress: true |
| 13 | +# END OF COMMON SECTION |
| 14 | + |
| 15 | +jobs: |
| 16 | + build_wolfssl: |
| 17 | + name: Build wolfSSL |
| 18 | + if: github.repository_owner == 'wolfssl' |
| 19 | + runs-on: ubuntu-24.04 |
| 20 | + timeout-minutes: 4 |
| 21 | + steps: |
| 22 | + - name: Build wolfSSL |
| 23 | + uses: wolfSSL/actions-build-autotools-project@v1 |
| 24 | + with: |
| 25 | + path: wolfssl |
| 26 | + configure: --enable-ech CFLAGS='-DUSE_FLAT_TEST_H' |
| 27 | + install: true |
| 28 | + |
| 29 | + - name: tar build-dir |
| 30 | + run: | |
| 31 | + # need server.h and client.h which are not installed normally |
| 32 | + cp "$GITHUB_WORKSPACE/wolfssl/examples/server/server.h" \ |
| 33 | + build-dir/share/doc/wolfssl/example/server.h |
| 34 | + cp "$GITHUB_WORKSPACE/wolfssl/examples/client/client.h" \ |
| 35 | + build-dir/share/doc/wolfssl/example/client.h |
| 36 | +
|
| 37 | + # need certs so 'wolfSSL error: wolf root not found' does not show up |
| 38 | + cp -r "$GITHUB_WORKSPACE/wolfssl/certs" build-dir/certs |
| 39 | + tar -zcf build-dir.tgz build-dir |
| 40 | +
|
| 41 | + - name: Upload built wolfSSL |
| 42 | + uses: actions/upload-artifact@v4 |
| 43 | + with: |
| 44 | + name: wolf-install-openssl-ech |
| 45 | + path: build-dir.tgz |
| 46 | + retention-days: 5 |
| 47 | + |
| 48 | + build_openssl_ech: |
| 49 | + name: Build OpenSSL (feature/ech) |
| 50 | + if: github.repository_owner == 'wolfssl' |
| 51 | + runs-on: ubuntu-24.04 |
| 52 | + timeout-minutes: 10 |
| 53 | + steps: |
| 54 | + - name: Checkout OpenSSL feature/ech branch |
| 55 | + uses: actions/checkout@v4 |
| 56 | + with: |
| 57 | + repository: openssl/openssl |
| 58 | + ref: feature/ech |
| 59 | + path: openssl |
| 60 | + |
| 61 | + - name: Build OpenSSL |
| 62 | + working-directory: openssl |
| 63 | + run: | |
| 64 | + ./Configure --prefix=$GITHUB_WORKSPACE/openssl-install \ |
| 65 | + --openssldir=$GITHUB_WORKSPACE/openssl-install/ssl \ |
| 66 | + enable-ech no-docs |
| 67 | + make -j$(nproc) |
| 68 | + make install_sw |
| 69 | +
|
| 70 | + - name: tar openssl-install |
| 71 | + run: tar -zcf openssl-install.tgz openssl-install |
| 72 | + |
| 73 | + - name: Upload built OpenSSL |
| 74 | + uses: actions/upload-artifact@v4 |
| 75 | + with: |
| 76 | + name: openssl-ech-install |
| 77 | + path: openssl-install.tgz |
| 78 | + retention-days: 5 |
| 79 | + |
| 80 | + ech_server_interop_test: |
| 81 | + name: ECH Server Interop Test |
| 82 | + if: github.repository_owner == 'wolfssl' |
| 83 | + needs: [build_wolfssl, build_openssl_ech] |
| 84 | + runs-on: ubuntu-24.04 |
| 85 | + timeout-minutes: 10 |
| 86 | + steps: |
| 87 | + - name: Download wolfSSL build |
| 88 | + uses: actions/download-artifact@v4 |
| 89 | + with: |
| 90 | + name: wolf-install-openssl-ech |
| 91 | + |
| 92 | + - name: Download OpenSSL build |
| 93 | + uses: actions/download-artifact@v4 |
| 94 | + with: |
| 95 | + name: openssl-ech-install |
| 96 | + |
| 97 | + - name: Extract builds |
| 98 | + run: | |
| 99 | + tar -xzf build-dir.tgz |
| 100 | + tar -xzf openssl-install.tgz |
| 101 | +
|
| 102 | + - name: Build wolfssl server example |
| 103 | + run: | |
| 104 | + export WOLFSSL_INSTALL_DIR="$GITHUB_WORKSPACE/build-dir" |
| 105 | + export WOLFSSL_BIN_DIR="$WOLFSSL_INSTALL_DIR/bin" |
| 106 | + export CFLAGS="-Wall -I$WOLFSSL_INSTALL_DIR/include" |
| 107 | + export LIBS="-L$WOLFSSL_INSTALL_DIR/lib -lm -lwolfssl" |
| 108 | + export LD_LIBRARY_PATH="$WOLFSSL_INSTALL_DIR/lib/:$LD_LIBRARY_PATH" |
| 109 | +
|
| 110 | + gcc -o "$WOLFSSL_BIN_DIR/server" \ |
| 111 | + "$WOLFSSL_INSTALL_DIR/share/doc/wolfssl/example/server.c" \ |
| 112 | + $CFLAGS $LIBS -I"$WOLFSSL_INSTALL_DIR/share/doc/wolfssl/example" |
| 113 | +
|
| 114 | + - name: ECH interop - wolfSSL server, OpenSSL client |
| 115 | + run: | |
| 116 | + set -e |
| 117 | +
|
| 118 | + export LD_LIBRARY_PATH="$GITHUB_WORKSPACE/openssl-install/lib64:$GITHUB_WORKSPACE/openssl-install/lib:$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH" |
| 119 | +
|
| 120 | + OPENSSL=$GITHUB_WORKSPACE/openssl-install/bin/openssl |
| 121 | + WOLFSSL_SERVER=$GITHUB_WORKSPACE/build-dir/bin/server |
| 122 | +
|
| 123 | + CERT_DIR="$GITHUB_WORKSPACE/build-dir/certs" |
| 124 | + READY_FILE="$GITHUB_WORKSPACE/wolfssl_tls13_ready$$" |
| 125 | + LOG_FILE="$GITHUB_WORKSPACE/log_file.log" |
| 126 | + PRIV_NAME="ech-private-name.com" |
| 127 | + PUB_NAME="ech-public-name.com" |
| 128 | + ECH_CONFIG="" |
| 129 | + PORT=0 |
| 130 | +
|
| 131 | + rm -f "$READY_FILE" |
| 132 | +
|
| 133 | + # need to cd into build-dir so the certs/ dir is available for server |
| 134 | + cd build-dir |
| 135 | +
|
| 136 | + $OPENSSL version | tee "$LOG_FILE" |
| 137 | +
|
| 138 | + # start server with ephemeral port + ready file |
| 139 | + # also set server to be line buffered so the log can be grepped |
| 140 | + stdbuf -oL $WOLFSSL_SERVER \ |
| 141 | + -v 4 \ |
| 142 | + -R "$READY_FILE" \ |
| 143 | + -p "$PORT" \ |
| 144 | + -S "$PRIV_NAME" \ |
| 145 | + --ech "$PUB_NAME" \ |
| 146 | + &>> "$LOG_FILE" & |
| 147 | +
|
| 148 | + # wait for server to be ready, then get port |
| 149 | + counter=0 |
| 150 | + while [ ! -s "$READY_FILE" ]; do |
| 151 | + sleep 0.1 |
| 152 | + counter=$((counter + 1)) |
| 153 | + if [ "$counter" -gt 50 ]; then |
| 154 | + echo "ERROR: no ready file" &>> "$LOG_FILE" |
| 155 | + exit 1 |
| 156 | + fi |
| 157 | + done |
| 158 | + PORT="$(cat "$READY_FILE")" |
| 159 | + echo "parsed port: $PORT" &>> "$LOG_FILE" |
| 160 | +
|
| 161 | + # get ECH config from server |
| 162 | + counter=0 |
| 163 | + while [ -z "$ECH_CONFIG" ]; do |
| 164 | + ECH_CONFIG=$(grep -m1 "ECH config (base64): " "$LOG_FILE" \ |
| 165 | + 2>/dev/null | sed 's/ECH config (base64): //g') |
| 166 | + sleep 0.1 |
| 167 | + counter=$((counter + 1)) |
| 168 | + if [ "$counter" -gt 50 ]; then |
| 169 | + echo "ERROR: no ECH configs" &>> "$LOG_FILE" |
| 170 | + exit 1 |
| 171 | + fi |
| 172 | + done |
| 173 | + echo "parsed ech config: $ECH_CONFIG" &>> "$LOG_FILE" |
| 174 | +
|
| 175 | + # Test with OpenSSL s_client using ECH |
| 176 | + echo "wolfssl" | $OPENSSL s_client \ |
| 177 | + -tls1_3 \ |
| 178 | + -connect "localhost:$PORT" \ |
| 179 | + -cert "$CERT_DIR/client-cert.pem" \ |
| 180 | + -key "$CERT_DIR/client-key.pem" \ |
| 181 | + -CAfile "$CERT_DIR/ca-cert.pem" \ |
| 182 | + -servername "$PRIV_NAME" \ |
| 183 | + -ech_config_list "$ECH_CONFIG" \ |
| 184 | + &>> "$LOG_FILE" |
| 185 | +
|
| 186 | + grep "ECH: success: 1" "$LOG_FILE" |
| 187 | +
|
| 188 | + # cleanup |
| 189 | + rm -f "$READY_FILE" |
| 190 | + rm -f "$LOG_FILE" |
| 191 | +
|
| 192 | + - name: Print debug info on failure |
| 193 | + if: ${{ failure() }} |
| 194 | + run: | |
| 195 | + if [ -s "$GITHUB_WORKSPACE/log_file.log" ]; then |
| 196 | + cat "$GITHUB_WORKSPACE/log_file.log" |
| 197 | + else |
| 198 | + echo "No log file" |
| 199 | + fi |
| 200 | +
|
| 201 | + ech_client_interop_test: |
| 202 | + name: ECH Client Interop Test |
| 203 | + if: github.repository_owner == 'wolfssl' |
| 204 | + needs: [build_wolfssl, build_openssl_ech] |
| 205 | + runs-on: ubuntu-24.04 |
| 206 | + timeout-minutes: 10 |
| 207 | + steps: |
| 208 | + - name: Download wolfSSL build |
| 209 | + uses: actions/download-artifact@v4 |
| 210 | + with: |
| 211 | + name: wolf-install-openssl-ech |
| 212 | + |
| 213 | + - name: Download OpenSSL build |
| 214 | + uses: actions/download-artifact@v4 |
| 215 | + with: |
| 216 | + name: openssl-ech-install |
| 217 | + |
| 218 | + - name: Extract builds |
| 219 | + run: | |
| 220 | + tar -xzf build-dir.tgz |
| 221 | + tar -xzf openssl-install.tgz |
| 222 | +
|
| 223 | + - name: Build wolfssl client example |
| 224 | + run: | |
| 225 | + export WOLFSSL_INSTALL_DIR="$GITHUB_WORKSPACE/build-dir" |
| 226 | + export WOLFSSL_BIN_DIR="$WOLFSSL_INSTALL_DIR/bin" |
| 227 | + export CFLAGS="-Wall -I$WOLFSSL_INSTALL_DIR/include" |
| 228 | + export LIBS="-L$WOLFSSL_INSTALL_DIR/lib -lm -lwolfssl" |
| 229 | + export LD_LIBRARY_PATH="$WOLFSSL_INSTALL_DIR/lib/:$LD_LIBRARY_PATH" |
| 230 | +
|
| 231 | + gcc -o "$WOLFSSL_BIN_DIR/client" \ |
| 232 | + "$WOLFSSL_INSTALL_DIR/share/doc/wolfssl/example/client.c" \ |
| 233 | + $CFLAGS $LIBS -I"$WOLFSSL_INSTALL_DIR/share/doc/wolfssl/example" |
| 234 | +
|
| 235 | + - name: ECH interop - wolfSSL client, OpenSSL server |
| 236 | + run: | |
| 237 | + set -e |
| 238 | +
|
| 239 | + export LD_LIBRARY_PATH="$GITHUB_WORKSPACE/openssl-install/lib64:$GITHUB_WORKSPACE/openssl-install/lib:$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH" |
| 240 | +
|
| 241 | + OPENSSL=$GITHUB_WORKSPACE/openssl-install/bin/openssl |
| 242 | + WOLFSSL_CLIENT=$GITHUB_WORKSPACE/build-dir/bin/client |
| 243 | +
|
| 244 | + CERT_DIR="$GITHUB_WORKSPACE/build-dir/certs" |
| 245 | + LOG_FILE="$GITHUB_WORKSPACE/log_file.log" |
| 246 | + ECH_FILE="$GITHUB_WORKSPACE/ech_config.pem" |
| 247 | + PRIV_NAME="ech-private-name.com" |
| 248 | + PUB_NAME="ech-public-name.com" |
| 249 | + PORT="" |
| 250 | + ECH_CONFIG="" |
| 251 | +
|
| 252 | + rm -f "$ECH_FILE" |
| 253 | +
|
| 254 | + # need to cd into build-dir so the certs/ dir is available for client |
| 255 | + cd build-dir |
| 256 | +
|
| 257 | + $OPENSSL version | tee "$LOG_FILE" |
| 258 | +
|
| 259 | + $OPENSSL ech -public_name "$PUB_NAME" -out "$ECH_FILE" &>> "$LOG_FILE" |
| 260 | +
|
| 261 | + # parse ECH config from file |
| 262 | + ECH_CONFIG=$(sed -n '/BEGIN ECHCONFIG/,/END ECHCONFIG/{/BEGIN ECHCONFIG\|END ECHCONFIG/d;p}' "$ECH_FILE" | tr -d '\n') |
| 263 | + echo "parsed ech config: $ECH_CONFIG" &>> "$LOG_FILE" |
| 264 | +
|
| 265 | + # start OpenSSL ECH server with ephemeral port and make sure it is |
| 266 | + # line-buffered |
| 267 | + stdbuf -oL $OPENSSL s_server \ |
| 268 | + -tls1_3 \ |
| 269 | + -cert "$CERT_DIR/server-cert.pem" \ |
| 270 | + -key "$CERT_DIR/server-key.pem" \ |
| 271 | + -cert2 "$CERT_DIR/server-cert.pem" \ |
| 272 | + -key2 "$CERT_DIR/server-key.pem" \ |
| 273 | + -ech_key "$ECH_FILE" \ |
| 274 | + -servername "$PRIV_NAME" \ |
| 275 | + -accept 0 \ |
| 276 | + -naccept 1 \ |
| 277 | + &>> "$LOG_FILE" <<< "wolfssl!" & |
| 278 | +
|
| 279 | + # wait for server port to be ready and capture it |
| 280 | + counter=0 |
| 281 | + while [ -z "$PORT" ]; do |
| 282 | + PORT=$(grep -m1 "ACCEPT" "$LOG_FILE" | sed 's/.*:\([0-9]*\)$/\1/') |
| 283 | + sleep 0.1 |
| 284 | + counter=$((counter + 1)) |
| 285 | + if [ "$counter" -gt 50 ]; then |
| 286 | + echo "ERROR: server port not found" &>> "$LOG_FILE" |
| 287 | + exit 1 |
| 288 | + fi |
| 289 | + done |
| 290 | + echo "parsed port: $PORT" &>> "$LOG_FILE" |
| 291 | +
|
| 292 | + # test with wolfssl client |
| 293 | + $WOLFSSL_CLIENT -v 4 \ |
| 294 | + -p "$PORT" \ |
| 295 | + -S "$PRIV_NAME" \ |
| 296 | + --ech "$ECH_CONFIG" \ |
| 297 | + &>> "$LOG_FILE" |
| 298 | +
|
| 299 | + grep "ech_success=1" "$LOG_FILE" |
| 300 | +
|
| 301 | + # cleanup |
| 302 | + rm -f "$LOG_FILE" |
| 303 | + rm -f "$ECH_FILE" |
| 304 | +
|
| 305 | + - name: Print debug info on failure |
| 306 | + if: ${{ failure() }} |
| 307 | + run: | |
| 308 | + if [ -s "$GITHUB_WORKSPACE/log_file.log" ]; then |
| 309 | + cat "$GITHUB_WORKSPACE/log_file.log" |
| 310 | + else |
| 311 | + echo "No log file" |
| 312 | + fi |
0 commit comments