touch-ups:

- shrink ech interop workflow
- x448 macro now unused in hpke WOLFSSL_LOCAL functions
- bug fixes in added tests

Author: sebastian-carpenter

.github/scripts/openssl-ech.sh

@@ -3,8 +3,10 @@
 set -e
 
 cleanup() {
-    cat "$TMP_LOG"
-    rm -f "$TMP_LOG"
+    if [ -f "$TMP_LOG" ]; then
+        cat "$TMP_LOG"
+        rm -f "$TMP_LOG"
+    fi
 }
 trap cleanup EXIT
 

.github/workflows/openssl-ech.yml

@@ -37,12 +37,13 @@ jobs:
 
           # need certs so 'wolfSSL error: wolf root not found' does not show up
           cp -r "$GITHUB_WORKSPACE/wolfssl/certs" build-dir/certs
-          tar -zcf build-dir.tgz build-dir
 
           # need the ech script to run tests
           cp "$GITHUB_WORKSPACE/wolfssl/.github/scripts/openssl-ech.sh" \
             build-dir/openssl-ech.sh
 
+          tar -zcf build-dir.tgz build-dir
+
       - name: Upload built wolfSSL
         uses: actions/upload-artifact@v4
         with:
@@ -82,8 +83,8 @@ jobs:
           path: openssl-install.tgz
           retention-days: 5
 
-  ech_server_interop_test:
-    name: ECH Server Interop Test
+  ech_interop_test:
+    name: ECH Interop Test
     if: github.repository_owner == 'wolfssl'
     needs: [build_wolfssl, build_openssl_ech]
     runs-on: ubuntu-24.04
@@ -104,27 +105,32 @@ jobs:
           tar -xzf build-dir.tgz
           tar -xzf openssl-install.tgz
 
-      - name: Build wolfssl server example
+      - name: Build wolfssl client and server examples
         run: |
           export WOLFSSL_INSTALL_DIR="$GITHUB_WORKSPACE/build-dir"
           export WOLFSSL_BIN_DIR="$WOLFSSL_INSTALL_DIR/bin"
           export CFLAGS="-Wall -I$WOLFSSL_INSTALL_DIR/include"
           export LIBS="-L$WOLFSSL_INSTALL_DIR/lib -lm -lwolfssl"
           export LD_LIBRARY_PATH="$WOLFSSL_INSTALL_DIR/lib/:$LD_LIBRARY_PATH"
 
+          gcc -o "$WOLFSSL_BIN_DIR/client" \
+                "$WOLFSSL_INSTALL_DIR/share/doc/wolfssl/example/client.c" \
+                $CFLAGS $LIBS -I"$WOLFSSL_INSTALL_DIR/share/doc/wolfssl/example"
+
           gcc -o "$WOLFSSL_BIN_DIR/server" \
                 "$WOLFSSL_INSTALL_DIR/share/doc/wolfssl/example/server.c" \
                 $CFLAGS $LIBS -I"$WOLFSSL_INSTALL_DIR/share/doc/wolfssl/example"
 
-      - name: ECH interop - wolfSSL server, OpenSSL client
+      - name: Interop test
         run: |
           set -e
 
           export LD_LIBRARY_PATH="$GITHUB_WORKSPACE/openssl-install/lib64:$GITHUB_WORKSPACE/openssl-install/lib:$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH"
 
-          OPENSSL="$GITHUB_WORKSPACE/openssl-install/bin/openssl"
-          WOLFSSL_SERVER="$GITHUB_WORKSPACE/build-dir/bin/server"
-          CERT_DIR="$GITHUB_WORKSPACE/build-dir/certs"
+          export OPENSSL="$GITHUB_WORKSPACE/openssl-install/bin/openssl"
+          export WOLFSSL_CLIENT="$GITHUB_WORKSPACE/build-dir/bin/client"
+          export WOLFSSL_SERVER="$GITHUB_WORKSPACE/build-dir/bin/server"
+          export CERT_DIR="$GITHUB_WORKSPACE/build-dir/certs"
           LOG_FILE="$GITHUB_WORKSPACE/log_file.log"
 
           # need to cd into build-dir so the certs/ dir is available for server
@@ -133,78 +139,18 @@ jobs:
           $OPENSSL version | tee "$LOG_FILE"
 
           # default suite (DHKEM_X25519_HKDF_SHA256, HKDF_SHA256, HPKE_AES_128_GCM)
+          echo -e "\nTesting default suite with OpenSSL server and wolfSSL client\n" &>> "$LOG_FILE"
+          bash ./openssl-ech.sh server &>> "$LOG_FILE"
+
+          echo -e "\nTesting default suite with OpenSSL client and wolfSSL server\n" &>> "$LOG_FILE"
           bash ./openssl-ech.sh client &>> "$LOG_FILE"
 
           # weird suite (DHKEM_P521_HKDF_SHA512, HKDF_SHA256, HPKE_AES_256_GCM)
-          bash ./openssl-ech.sh client --suite "18,3,2" &>> "$LOG_FILE"
-
-          # cleanup
-          rm -f "$LOG_FILE"
-
-      - name: Print debug info on failure
-        if: ${{ failure() }}
-        run: |
-          if [ -s "$GITHUB_WORKSPACE/log_file.log" ]; then
-            cat "$GITHUB_WORKSPACE/log_file.log"
-          else
-            echo "No log file"
-          fi
+          echo -e "\nTesting weird suite with OpenSSL server and wolfSSL client\n" &>> "$LOG_FILE"
+          bash ./openssl-ech.sh server --suite "18,1,2" &>> "$LOG_FILE"
 
-  ech_client_interop_test:
-    name: ECH Client Interop Test
-    if: github.repository_owner == 'wolfssl'
-    needs: [build_wolfssl, build_openssl_ech]
-    runs-on: ubuntu-24.04
-    timeout-minutes: 10
-    steps:
-      - name: Download wolfSSL build
-        uses: actions/download-artifact@v4
-        with:
-          name: wolf-install-openssl-ech
-
-      - name: Download OpenSSL build
-        uses: actions/download-artifact@v4
-        with:
-          name: openssl-ech-install
-
-      - name: Extract builds
-        run: |
-          tar -xzf build-dir.tgz
-          tar -xzf openssl-install.tgz
-
-      - name: Build wolfssl client example
-        run: |
-          export WOLFSSL_INSTALL_DIR="$GITHUB_WORKSPACE/build-dir"
-          export WOLFSSL_BIN_DIR="$WOLFSSL_INSTALL_DIR/bin"
-          export CFLAGS="-Wall -I$WOLFSSL_INSTALL_DIR/include"
-          export LIBS="-L$WOLFSSL_INSTALL_DIR/lib -lm -lwolfssl"
-          export LD_LIBRARY_PATH="$WOLFSSL_INSTALL_DIR/lib/:$LD_LIBRARY_PATH"
-
-          gcc -o "$WOLFSSL_BIN_DIR/client" \
-                "$WOLFSSL_INSTALL_DIR/share/doc/wolfssl/example/client.c" \
-                $CFLAGS $LIBS -I"$WOLFSSL_INSTALL_DIR/share/doc/wolfssl/example"
-
-      - name: ECH interop - wolfSSL client, OpenSSL server
-        run: |
-          set -e
-
-          export LD_LIBRARY_PATH="$GITHUB_WORKSPACE/openssl-install/lib64:$GITHUB_WORKSPACE/openssl-install/lib:$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH"
-
-          OPENSSL="$GITHUB_WORKSPACE/openssl-install/bin/openssl"
-          WOLFSSL_CLIENT="$GITHUB_WORKSPACE/build-dir/bin/client"
-          CERT_DIR="$GITHUB_WORKSPACE/build-dir/certs"
-          LOG_FILE="$GITHUB_WORKSPACE/log_file.log"
-
-          # need to cd into build-dir so the certs/ dir is available for client
-          cd build-dir
-
-          $OPENSSL version | tee "$LOG_FILE"
-
-          # default suite (DHKEM_X25519_HKDF_SHA256, HKDF_SHA256, HPKE_AES_128_GCM)
-          bash ./openssl-ech.sh server &>> "$LOG_FILE"
-
-          # weird suite (DHKEM_P521_HKDF_SHA512, HKDF_SHA256, HPKE_AES_256_GCM)
-          bash ./openssl-ech.sh server --suite "18,3,2" &>> "$LOG_FILE"
+          echo -e "\nTesting weird suite with OpenSSL client and wolfSSL server\n" &>> "$LOG_FILE"
+          bash ./openssl-ech.sh client --suite "18,1,2" &>> "$LOG_FILE"
 
           # cleanup
           rm -f "$LOG_FILE"

src/ssl_ech.c

@@ -35,7 +35,7 @@ int wolfSSL_CTX_GenerateEchConfig(WOLFSSL_CTX* ctx, const char* publicName,
 {
     int ret = 0;
     WOLFSSL_EchConfig* newConfig;
-    word16 encLen = sizeof(newConfig->receiverPubkey);
+    word16 encLen = HPKE_Npk_MAX;
 #ifdef WOLFSSL_SMALL_STACK
     Hpke* hpke = NULL;
     WC_RNG* rng;

tests/api.c

@@ -14613,7 +14613,7 @@ static int test_wolfSSL_Tls13_ECH_all_algos(void)
             for (k = 0; k < (int)(sizeof(aeads) / sizeof(*aeads)); k++) {
                 echCbTestAeadID = aeads[k];
                 ExpectIntEQ(test_wolfSSL_Tls13_ECH_all_algos_ex(),
-                    WOLFSSL_SUCCESS);
+                    TEST_SUCCESS);
             }
         }
     }

wolfcrypt/src/hpke.c

@@ -1218,6 +1218,8 @@ int wc_HpkeOpenBase(Hpke* hpke, void* receiverKey, const byte* pubKey,
     return ret;
 }
 
+/* return the encrypted length of the KEM
+ * return 0 otherwise */
 WOLFSSL_LOCAL word16 wc_HpkeKemGetEncLen(word16 kemId)
 {
     switch (kemId)
@@ -1240,17 +1242,14 @@ WOLFSSL_LOCAL word16 wc_HpkeKemGetEncLen(word16 kemId)
     (defined(WOLFSSL_SHA224) || !defined(NO_SHA256))
     case DHKEM_X25519_HKDF_SHA256:
         return DHKEM_X25519_ENC_LEN;
-#endif
-#if defined(HAVE_CURVE448) &&\
-    (defined(WOLFSSL_SHA384) || defined(WOLFSSL_SHA512))
-    case DHKEM_X448_HKDF_SHA512:
-        return DHKEM_X448_ENC_LEN;
 #endif
     default:
         return 0;
     }
 }
 
+/* return true if hpke is compiled with support for the given KEM
+ * return false otherwise */
 WOLFSSL_LOCAL int wc_HpkeKemIsSupported(word16 kemId)
 {
     switch (kemId) {
@@ -1271,12 +1270,13 @@ WOLFSSL_LOCAL int wc_HpkeKemIsSupported(word16 kemId)
 #endif
         return 1;
 
-    case DHKEM_X448_HKDF_SHA512:
     default:
         return 0;
     }
 }
 
+/* return true if hpke is compiled with support for the given KDF
+ * return false otherwise */
 WOLFSSL_LOCAL int wc_HpkeKdfIsSupported(word16 kdfId)
 {
     switch (kdfId) {
@@ -1296,6 +1296,8 @@ WOLFSSL_LOCAL int wc_HpkeKdfIsSupported(word16 kdfId)
     }
 }
 
+/* return true if hpke is compiled with support for the given AEAD
+ * return false otherwise */
 WOLFSSL_LOCAL int wc_HpkeAeadIsSupported(word16 aeadId)
 {
     switch (aeadId) {