testing + bug fixes for TLS ECH

Author: sebastian-carpenter

.github/workflows/openssl-ech.yml

@@ -0,0 +1,191 @@
+name: OpenSSL ECH Interop Test
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  build_wolfssl:
+    name: Build wolfSSL
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-24.04
+    timeout-minutes: 4
+    steps:
+      - name: Build wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          path: wolfssl
+          configure: --enable-ech CFLAGS='-DUSE_FLAT_TEST_H'
+          install: true
+
+      - name: tar build-dir
+        run: |
+          # need server.h which is not installed normally
+          cp "$GITHUB_WORKSPACE/wolfssl/examples/server/server.h" \
+            build-dir/share/doc/wolfssl/example/server.h
+          # need certs so 'wolfSSL error: wolf root not found' does not show up
+          cp -r "$GITHUB_WORKSPACE/wolfssl/certs" build-dir/certs
+          tar -zcf build-dir.tgz build-dir
+
+      - name: Upload built wolfSSL
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolf-install-openssl-ech
+          path: build-dir.tgz
+          retention-days: 5
+
+  build_openssl_ech:
+    name: Build OpenSSL (feature/ech)
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
+    steps:
+      - name: Checkout OpenSSL feature/ech branch
+        uses: actions/checkout@v4
+        with:
+          repository: openssl/openssl
+          ref: feature/ech
+          path: openssl
+
+      - name: Build OpenSSL
+        working-directory: openssl
+        run: |
+          ./Configure --prefix=$GITHUB_WORKSPACE/openssl-install \
+            --openssldir=$GITHUB_WORKSPACE/openssl-install/ssl \
+            enable-ech no-docs
+          make -j$(nproc)
+          make install_sw
+
+      - name: tar openssl-install
+        run: tar -zcf openssl-install.tgz openssl-install
+
+      - name: Upload built OpenSSL
+        uses: actions/upload-artifact@v4
+        with:
+          name: openssl-ech-install
+          path: openssl-install.tgz
+          retention-days: 5
+
+  ech_interop_test:
+    name: ECH Interop Test
+    if: github.repository_owner == 'wolfssl'
+    needs: [build_wolfssl, build_openssl_ech]
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
+    steps:
+      - name: Download wolfSSL build
+        uses: actions/download-artifact@v4
+        with:
+          name: wolf-install-openssl-ech
+
+      - name: Download OpenSSL build
+        uses: actions/download-artifact@v4
+        with:
+          name: openssl-ech-install
+
+      - name: Extract builds
+        run: |
+          tar -xzf build-dir.tgz
+          tar -xzf openssl-install.tgz
+
+      - name: Build wolfssl server example
+        run: |
+          export WOLFSSL_INSTALL_DIR="$GITHUB_WORKSPACE/build-dir"
+          export WOLFSSL_BIN_DIR="$GITHUB_WORKSPACE/build-dir/bin"
+          export CFLAGS="-Wall -I$WOLFSSL_INSTALL_DIR/include"
+          export LIBS="-L$WOLFSSL_INSTALL_DIR/lib -lm -lwolfssl"
+          export LD_LIBRARY_PATH="$GITHUB_WORKSPACE/lib/:$LD_LIBRARY_PATH"
+
+          gcc -o "$WOLFSSL_BIN_DIR/server" \
+                "$WOLFSSL_INSTALL_DIR/share/doc/wolfssl/example/server.c" \
+                $CFLAGS $LIBS -I"$WOLFSSL_INSTALL_DIR/share/doc/wolfssl/example"
+
+      - name: ECH interop - wolfSSL server, OpenSSL client
+        run: |
+          set -e
+
+          export LD_LIBRARY_PATH="$GITHUB_WORKSPACE/openssl-install/lib64:$GITHUB_WORKSPACE/openssl-install/lib:$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH"
+
+          OPENSSL=$GITHUB_WORKSPACE/openssl-install/bin/openssl
+          WOLFSSL_SERVER=$GITHUB_WORKSPACE/build-dir/bin/server
+
+          CERT_DIR="$GITHUB_WORKSPACE/build-dir/certs"
+          READY_FILE="$GITHUB_WORKSPACE/wolfssl_tls13_ready$$"
+          LOG_FILE="$GITHUB_WORKSPACE/log_file.log"
+          PRIV_NAME="ech-private-name.com"
+          PUB_NAME="ech-public-name.com"
+          ECH_CONFIG=""
+          PORT=0
+
+          rm -f "$READY_FILE"
+          rm -f "$LOG_FILE"
+
+          # need to cd into build-dir so the certs/ dir is available for server
+          cd build-dir
+
+          $OPENSSL version
+
+          # start server with ephemeral port + ready file
+          # also set server to be line buffered so the log can be grepped
+          stdbuf -oL $WOLFSSL_SERVER -v 4 -R "$READY_FILE" -p "$PORT" \
+                        -S "$PRIV_NAME" --ech "$PUB_NAME" &> "$LOG_FILE" &
+          SERVER_PID=$!
+
+          # wait for server to be ready, then get port
+          counter=0
+          while [ ! -s "$READY_FILE" ]; do
+              sleep 0.1
+              counter=$((counter + 1))
+              if [ "$counter" -gt 50 ]; then
+                  echo "ERROR: no ready file" &>> "$LOG_FILE"
+                  exit 1
+              fi
+          done
+          PORT="$(cat "$READY_FILE")"
+
+          # get ECH config from server
+          counter=0
+          while [ -z "$ECH_CONFIG" ]; do
+              ECH_CONFIG=$(grep -m1 "ECH config (base64): " "$LOG_FILE" \
+                  2>/dev/null | sed 's/ECH config (base64): //g')
+              sleep 0.1
+              counter=$((counter + 1))
+              if [ "$counter" -gt 50 ]; then
+                  echo "ERROR: no ECH configs" &>> "$LOG_FILE"
+                  exit 1
+              fi
+          done
+
+          # Test with OpenSSL s_client using ECH
+          echo "wolfssl" | $OPENSSL s_client \
+              -tls1_3 \
+              -connect "localhost:$PORT" \
+              -cert "$CERT_DIR/client-cert.pem" \
+              -key "$CERT_DIR/client-key.pem" \
+              -CAfile "$CERT_DIR/ca-cert.pem" \
+              -servername "$PRIV_NAME" \
+              -ech_config_list "$ECH_CONFIG" \
+              &>> "$LOG_FILE"
+
+          grep "ECH: success: 1" "$LOG_FILE"
+
+          # cleanup
+          rm -f "$READY_FILE"
+          kill $SERVER_PID 2>/dev/null
+
+      - name: Print debug info on failure
+        if: ${{ failure() }}
+        run: |
+          if [ -s "$GITHUB_WORKSPACE/log_file.log" ]; then
+            cat "$GITHUB_WORKSPACE/log_file.log"
+          else
+            echo "No log file"
+          fi

examples/client/client.c

@@ -1171,7 +1171,7 @@ static int ClientWriteRead(WOLFSSL* ssl, const char* msg, int msgSz,
 /*  4. add the same message into Japanese section         */
 /*     (will be translated later)                         */
 /*  5. add printf() into suitable position of Usage()     */
-static const char* client_usage_msg[][79] = {
+static const char* client_usage_msg[][80] = {
     /* English */
     {
         " NOTE: All files relative to wolfSSL home dir\n",          /* 0 */
@@ -1425,10 +1425,15 @@ static const char* client_usage_msg[][79] = {
 #endif
 #ifdef HAVE_ECC_BRAINPOOL
         "--bpKs  Use Brainpool ECC group for key share\n",             /* 77 */
+#endif
+#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
+        "--ech <base64>  Use Encrypted Client Hello with base64 encoded "
+            "ECH configs\n",
+                                                                        /* 78 */
 #endif
         "\n"
            "For simpler wolfSSL TLS client examples, visit\n"
-           "https://github.com/wolfSSL/wolfssl-examples/tree/master/tls\n", /* 78 */
+           "https://github.com/wolfSSL/wolfssl-examples/tree/master/tls\n", /* 79 */
         NULL,
     },
 #ifndef NO_MULTIBYTE_PRINT
@@ -1931,6 +1936,9 @@ static void Usage(void)
 #endif
 #ifdef HAVE_ECC_BRAINPOOL
     printf("%s", msg[++msgid]); /* --bpKs */
+#endif
+#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
+    printf("%s", msg[++msgid]); /* --ech */
 #endif
     printf("%s", msg[++msgid]); /* --files-are-der */
     printf("%s", msg[++msgid]); /* Documentation Hint */
@@ -2119,6 +2127,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 #endif /* WOLFSSL_SYS_CRYPTO_POLICY */
 #ifdef HAVE_ECC_BRAINPOOL
         { "bpKs", 0, 270 },
+#endif
+#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
+        { "ech", 1, 271 },
 #endif
         { 0, 0, 0 }
     };
@@ -2187,6 +2198,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 #ifdef HAVE_SNI
     char*  sniHostName = NULL;
 #endif
+#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
+    char*  echConfigs64 = NULL;
+#endif
 #ifdef HAVE_TRUSTED_CA
     int trustedCaKeyId = 0;
 #endif
@@ -3013,6 +3027,11 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
             #endif
                 break;
 #endif
+#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
+            case 271:
+                echConfigs64 = myoptarg;
+                break;
+#endif
 
             default:
                 Usage();
@@ -3878,6 +3897,16 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
         err_sys("unable to get SSL object");
     }
 
+#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
+    if (echConfigs64 != NULL) {
+        if (wolfSSL_SetEchConfigsBase64(ssl, echConfigs64,
+                (word32)XSTRLEN(echConfigs64)) != WOLFSSL_SUCCESS) {
+            wolfSSL_CTX_free(ctx); ctx = NULL;
+            err_sys("SetEchConfigsBase64 failed");
+        }
+    }
+#endif
+
 #ifdef WOLFSSL_DUAL_ALG_CERTS
     if (!wolfSSL_UseCKS(ssl, cks_order, sizeof(cks_order))) {
         wolfSSL_CTX_free(ctx); ctx = NULL;