mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-05 11:50:52 +02:00
touch-ups:
- shrink ech interop workflow - x448 macro now unused in hpke WOLFSSL_LOCAL functions - bug fixes in added tests
This commit is contained in:
@@ -3,8 +3,10 @@
|
||||
set -e
|
||||
|
||||
cleanup() {
|
||||
cat "$TMP_LOG"
|
||||
rm -f "$TMP_LOG"
|
||||
if [ -f "$TMP_LOG" ]; then
|
||||
cat "$TMP_LOG"
|
||||
rm -f "$TMP_LOG"
|
||||
fi
|
||||
}
|
||||
trap cleanup EXIT
|
||||
|
||||
|
||||
@@ -37,12 +37,13 @@ jobs:
|
||||
|
||||
# need certs so 'wolfSSL error: wolf root not found' does not show up
|
||||
cp -r "$GITHUB_WORKSPACE/wolfssl/certs" build-dir/certs
|
||||
tar -zcf build-dir.tgz build-dir
|
||||
|
||||
# need the ech script to run tests
|
||||
cp "$GITHUB_WORKSPACE/wolfssl/.github/scripts/openssl-ech.sh" \
|
||||
build-dir/openssl-ech.sh
|
||||
|
||||
tar -zcf build-dir.tgz build-dir
|
||||
|
||||
- name: Upload built wolfSSL
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
@@ -82,8 +83,8 @@ jobs:
|
||||
path: openssl-install.tgz
|
||||
retention-days: 5
|
||||
|
||||
ech_server_interop_test:
|
||||
name: ECH Server Interop Test
|
||||
ech_interop_test:
|
||||
name: ECH Interop Test
|
||||
if: github.repository_owner == 'wolfssl'
|
||||
needs: [build_wolfssl, build_openssl_ech]
|
||||
runs-on: ubuntu-24.04
|
||||
@@ -104,75 +105,7 @@ jobs:
|
||||
tar -xzf build-dir.tgz
|
||||
tar -xzf openssl-install.tgz
|
||||
|
||||
- name: Build wolfssl server example
|
||||
run: |
|
||||
export WOLFSSL_INSTALL_DIR="$GITHUB_WORKSPACE/build-dir"
|
||||
export WOLFSSL_BIN_DIR="$WOLFSSL_INSTALL_DIR/bin"
|
||||
export CFLAGS="-Wall -I$WOLFSSL_INSTALL_DIR/include"
|
||||
export LIBS="-L$WOLFSSL_INSTALL_DIR/lib -lm -lwolfssl"
|
||||
export LD_LIBRARY_PATH="$WOLFSSL_INSTALL_DIR/lib/:$LD_LIBRARY_PATH"
|
||||
|
||||
gcc -o "$WOLFSSL_BIN_DIR/server" \
|
||||
"$WOLFSSL_INSTALL_DIR/share/doc/wolfssl/example/server.c" \
|
||||
$CFLAGS $LIBS -I"$WOLFSSL_INSTALL_DIR/share/doc/wolfssl/example"
|
||||
|
||||
- name: ECH interop - wolfSSL server, OpenSSL client
|
||||
run: |
|
||||
set -e
|
||||
|
||||
export LD_LIBRARY_PATH="$GITHUB_WORKSPACE/openssl-install/lib64:$GITHUB_WORKSPACE/openssl-install/lib:$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH"
|
||||
|
||||
OPENSSL="$GITHUB_WORKSPACE/openssl-install/bin/openssl"
|
||||
WOLFSSL_SERVER="$GITHUB_WORKSPACE/build-dir/bin/server"
|
||||
CERT_DIR="$GITHUB_WORKSPACE/build-dir/certs"
|
||||
LOG_FILE="$GITHUB_WORKSPACE/log_file.log"
|
||||
|
||||
# need to cd into build-dir so the certs/ dir is available for server
|
||||
cd build-dir
|
||||
|
||||
$OPENSSL version | tee "$LOG_FILE"
|
||||
|
||||
# default suite (DHKEM_X25519_HKDF_SHA256, HKDF_SHA256, HPKE_AES_128_GCM)
|
||||
bash ./openssl-ech.sh client &>> "$LOG_FILE"
|
||||
|
||||
# weird suite (DHKEM_P521_HKDF_SHA512, HKDF_SHA256, HPKE_AES_256_GCM)
|
||||
bash ./openssl-ech.sh client --suite "18,3,2" &>> "$LOG_FILE"
|
||||
|
||||
# cleanup
|
||||
rm -f "$LOG_FILE"
|
||||
|
||||
- name: Print debug info on failure
|
||||
if: ${{ failure() }}
|
||||
run: |
|
||||
if [ -s "$GITHUB_WORKSPACE/log_file.log" ]; then
|
||||
cat "$GITHUB_WORKSPACE/log_file.log"
|
||||
else
|
||||
echo "No log file"
|
||||
fi
|
||||
|
||||
ech_client_interop_test:
|
||||
name: ECH Client Interop Test
|
||||
if: github.repository_owner == 'wolfssl'
|
||||
needs: [build_wolfssl, build_openssl_ech]
|
||||
runs-on: ubuntu-24.04
|
||||
timeout-minutes: 10
|
||||
steps:
|
||||
- name: Download wolfSSL build
|
||||
uses: actions/download-artifact@v4
|
||||
with:
|
||||
name: wolf-install-openssl-ech
|
||||
|
||||
- name: Download OpenSSL build
|
||||
uses: actions/download-artifact@v4
|
||||
with:
|
||||
name: openssl-ech-install
|
||||
|
||||
- name: Extract builds
|
||||
run: |
|
||||
tar -xzf build-dir.tgz
|
||||
tar -xzf openssl-install.tgz
|
||||
|
||||
- name: Build wolfssl client example
|
||||
- name: Build wolfssl client and server examples
|
||||
run: |
|
||||
export WOLFSSL_INSTALL_DIR="$GITHUB_WORKSPACE/build-dir"
|
||||
export WOLFSSL_BIN_DIR="$WOLFSSL_INSTALL_DIR/bin"
|
||||
@@ -184,27 +117,40 @@ jobs:
|
||||
"$WOLFSSL_INSTALL_DIR/share/doc/wolfssl/example/client.c" \
|
||||
$CFLAGS $LIBS -I"$WOLFSSL_INSTALL_DIR/share/doc/wolfssl/example"
|
||||
|
||||
- name: ECH interop - wolfSSL client, OpenSSL server
|
||||
gcc -o "$WOLFSSL_BIN_DIR/server" \
|
||||
"$WOLFSSL_INSTALL_DIR/share/doc/wolfssl/example/server.c" \
|
||||
$CFLAGS $LIBS -I"$WOLFSSL_INSTALL_DIR/share/doc/wolfssl/example"
|
||||
|
||||
- name: Interop test
|
||||
run: |
|
||||
set -e
|
||||
|
||||
export LD_LIBRARY_PATH="$GITHUB_WORKSPACE/openssl-install/lib64:$GITHUB_WORKSPACE/openssl-install/lib:$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH"
|
||||
|
||||
OPENSSL="$GITHUB_WORKSPACE/openssl-install/bin/openssl"
|
||||
WOLFSSL_CLIENT="$GITHUB_WORKSPACE/build-dir/bin/client"
|
||||
CERT_DIR="$GITHUB_WORKSPACE/build-dir/certs"
|
||||
export OPENSSL="$GITHUB_WORKSPACE/openssl-install/bin/openssl"
|
||||
export WOLFSSL_CLIENT="$GITHUB_WORKSPACE/build-dir/bin/client"
|
||||
export WOLFSSL_SERVER="$GITHUB_WORKSPACE/build-dir/bin/server"
|
||||
export CERT_DIR="$GITHUB_WORKSPACE/build-dir/certs"
|
||||
LOG_FILE="$GITHUB_WORKSPACE/log_file.log"
|
||||
|
||||
# need to cd into build-dir so the certs/ dir is available for client
|
||||
# need to cd into build-dir so the certs/ dir is available for server
|
||||
cd build-dir
|
||||
|
||||
$OPENSSL version | tee "$LOG_FILE"
|
||||
|
||||
# default suite (DHKEM_X25519_HKDF_SHA256, HKDF_SHA256, HPKE_AES_128_GCM)
|
||||
echo -e "\nTesting default suite with OpenSSL server and wolfSSL client\n" &>> "$LOG_FILE"
|
||||
bash ./openssl-ech.sh server &>> "$LOG_FILE"
|
||||
|
||||
echo -e "\nTesting default suite with OpenSSL client and wolfSSL server\n" &>> "$LOG_FILE"
|
||||
bash ./openssl-ech.sh client &>> "$LOG_FILE"
|
||||
|
||||
# weird suite (DHKEM_P521_HKDF_SHA512, HKDF_SHA256, HPKE_AES_256_GCM)
|
||||
bash ./openssl-ech.sh server --suite "18,3,2" &>> "$LOG_FILE"
|
||||
echo -e "\nTesting weird suite with OpenSSL server and wolfSSL client\n" &>> "$LOG_FILE"
|
||||
bash ./openssl-ech.sh server --suite "18,1,2" &>> "$LOG_FILE"
|
||||
|
||||
echo -e "\nTesting weird suite with OpenSSL client and wolfSSL server\n" &>> "$LOG_FILE"
|
||||
bash ./openssl-ech.sh client --suite "18,1,2" &>> "$LOG_FILE"
|
||||
|
||||
# cleanup
|
||||
rm -f "$LOG_FILE"
|
||||
|
||||
+37
-21
@@ -1120,8 +1120,8 @@ static const char* server_usage_msg[][70] = {
|
||||
"--ech <name> Generate Encrypted Client Hello config with "
|
||||
"public name <name>\n",
|
||||
/* 67 */
|
||||
"--ech-suite <KEM,KDF,AEAD> HPKE suite to use for ech config. "
|
||||
"Supplied as 3 integers (e.g., 32,1,3)\n",
|
||||
"--ech-suite <KEM,KDF,AEAD> HPKE suite to use for ech config.\n"
|
||||
" Supplied as 3 integers (ex: 32,1,3)\n",
|
||||
/* 68 */
|
||||
#endif
|
||||
"\n"
|
||||
@@ -1338,12 +1338,20 @@ static const char* server_usage_msg[][70] = {
|
||||
#endif
|
||||
#ifdef WOLFSSL_SYS_CRYPTO_POLICY
|
||||
"--crypto-policy <path to crypto policy file>\n", /* 66 */
|
||||
#endif
|
||||
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
|
||||
"--ech <name> Generate Encrypted Client Hello config with "
|
||||
"public name <name>\n",
|
||||
/* 67 */
|
||||
"--ech-suite <KEM,KDF,AEAD> HPKE suite to use for ech config.\n"
|
||||
" Supplied as 3 integers (ex: 32,1,3)\n",
|
||||
/* 68 */
|
||||
#endif
|
||||
"\n"
|
||||
"より簡単なwolfSSL TSL クライアントの例については"
|
||||
"下記にアクセスしてください\n"
|
||||
"https://github.com/wolfSSL/wolfssl-examples/tree/master/tls\n",
|
||||
/* 67 */
|
||||
/* 69 */
|
||||
NULL,
|
||||
},
|
||||
#endif
|
||||
@@ -1712,6 +1720,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
|
||||
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
|
||||
char* echPublicName = NULL;
|
||||
char* echSuite = NULL;
|
||||
word16 kemId = 0;
|
||||
word16 kdfId = 0;
|
||||
word16 aeadId = 0;
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_TRUSTED_CA
|
||||
@@ -2547,6 +2558,29 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
|
||||
break;
|
||||
case 270:
|
||||
echSuite = myoptarg;
|
||||
|
||||
/* parse alg id's ignoring overflows
|
||||
* commas can be entered with no number to accept the default */
|
||||
if (echSuite != NULL) {
|
||||
kemId = (word16)atoi(echSuite);
|
||||
for (; *echSuite != '\0' && *echSuite != ','; echSuite++);
|
||||
if (*echSuite != ',') {
|
||||
LOG_ERROR("Expected two commas '%s'\n", myoptarg);
|
||||
XEXIT_T(EXIT_FAILURE);
|
||||
}
|
||||
echSuite++;
|
||||
|
||||
kdfId = (word16)atoi(echSuite);
|
||||
for (; *echSuite != '\0' && *echSuite != ','; echSuite++);
|
||||
if (*echSuite != ',') {
|
||||
LOG_ERROR("Expected two commas'%s'\n", myoptarg);
|
||||
XEXIT_T(EXIT_FAILURE);
|
||||
}
|
||||
echSuite++;
|
||||
|
||||
aeadId = (word16)atoi(echSuite);
|
||||
}
|
||||
|
||||
break;
|
||||
#endif
|
||||
|
||||
@@ -3116,24 +3150,6 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
|
||||
char echConfigBase64[512];
|
||||
char* echConfigBase64Ptr;
|
||||
word32 echConfigBase64Len = sizeof(echConfigBase64);
|
||||
word16 kemId = 0;
|
||||
word16 kdfId = 0;
|
||||
word16 aeadId = 0;
|
||||
|
||||
/* an optimistic approach to parsing the ciphersuite */
|
||||
if (echSuite != NULL) {
|
||||
const char* s = echSuite;
|
||||
|
||||
kemId = (word16)atoi(s);
|
||||
for (; *s != '\0' && *s != ','; s++);
|
||||
if (*s == ',') s++;
|
||||
|
||||
kdfId = (word16)atoi(s);
|
||||
for (; *s != '\0' && *s != ','; s++);
|
||||
if (*s == ',') s++;
|
||||
|
||||
aeadId = (word16)atoi(s);
|
||||
}
|
||||
|
||||
if (wolfSSL_CTX_GenerateEchConfig(ctx, echPublicName, kemId, kdfId,
|
||||
aeadId) != WOLFSSL_SUCCESS) {
|
||||
|
||||
+1
-1
@@ -35,7 +35,7 @@ int wolfSSL_CTX_GenerateEchConfig(WOLFSSL_CTX* ctx, const char* publicName,
|
||||
{
|
||||
int ret = 0;
|
||||
WOLFSSL_EchConfig* newConfig;
|
||||
word16 encLen = sizeof(newConfig->receiverPubkey);
|
||||
word16 encLen = HPKE_Npk_MAX;
|
||||
#ifdef WOLFSSL_SMALL_STACK
|
||||
Hpke* hpke = NULL;
|
||||
WC_RNG* rng;
|
||||
|
||||
@@ -13260,6 +13260,10 @@ static int TLSX_ECH_Use(WOLFSSL_EchConfig* echConfig, TLSX** extensions,
|
||||
ech->configId = echConfig->configId;
|
||||
/* encLen */
|
||||
ech->encLen = wc_HpkeKemGetEncLen(echConfig->kemId);
|
||||
if (ech->encLen == 0) {
|
||||
XFREE(ech, heap, DYNAMIC_TYPE_TMP_BUFFER);
|
||||
return BAD_FUNC_ARG;
|
||||
}
|
||||
/* setup hpke */
|
||||
ech->hpke = (Hpke*)XMALLOC(sizeof(Hpke), heap, DYNAMIC_TYPE_TMP_BUFFER);
|
||||
if (ech->hpke == NULL) {
|
||||
|
||||
+1
-1
@@ -14613,7 +14613,7 @@ static int test_wolfSSL_Tls13_ECH_all_algos(void)
|
||||
for (k = 0; k < (int)(sizeof(aeads) / sizeof(*aeads)); k++) {
|
||||
echCbTestAeadID = aeads[k];
|
||||
ExpectIntEQ(test_wolfSSL_Tls13_ECH_all_algos_ex(),
|
||||
WOLFSSL_SUCCESS);
|
||||
TEST_SUCCESS);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1218,6 +1218,8 @@ int wc_HpkeOpenBase(Hpke* hpke, void* receiverKey, const byte* pubKey,
|
||||
return ret;
|
||||
}
|
||||
|
||||
/* return the encrypted length of the KEM
|
||||
* return 0 otherwise */
|
||||
WOLFSSL_LOCAL word16 wc_HpkeKemGetEncLen(word16 kemId)
|
||||
{
|
||||
switch (kemId)
|
||||
@@ -1240,17 +1242,14 @@ WOLFSSL_LOCAL word16 wc_HpkeKemGetEncLen(word16 kemId)
|
||||
(defined(WOLFSSL_SHA224) || !defined(NO_SHA256))
|
||||
case DHKEM_X25519_HKDF_SHA256:
|
||||
return DHKEM_X25519_ENC_LEN;
|
||||
#endif
|
||||
#if defined(HAVE_CURVE448) &&\
|
||||
(defined(WOLFSSL_SHA384) || defined(WOLFSSL_SHA512))
|
||||
case DHKEM_X448_HKDF_SHA512:
|
||||
return DHKEM_X448_ENC_LEN;
|
||||
#endif
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
/* return true if hpke is compiled with support for the given KEM
|
||||
* return false otherwise */
|
||||
WOLFSSL_LOCAL int wc_HpkeKemIsSupported(word16 kemId)
|
||||
{
|
||||
switch (kemId) {
|
||||
@@ -1271,12 +1270,13 @@ WOLFSSL_LOCAL int wc_HpkeKemIsSupported(word16 kemId)
|
||||
#endif
|
||||
return 1;
|
||||
|
||||
case DHKEM_X448_HKDF_SHA512:
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
/* return true if hpke is compiled with support for the given KDF
|
||||
* return false otherwise */
|
||||
WOLFSSL_LOCAL int wc_HpkeKdfIsSupported(word16 kdfId)
|
||||
{
|
||||
switch (kdfId) {
|
||||
@@ -1296,6 +1296,8 @@ WOLFSSL_LOCAL int wc_HpkeKdfIsSupported(word16 kdfId)
|
||||
}
|
||||
}
|
||||
|
||||
/* return true if hpke is compiled with support for the given AEAD
|
||||
* return false otherwise */
|
||||
WOLFSSL_LOCAL int wc_HpkeAeadIsSupported(word16 aeadId)
|
||||
{
|
||||
switch (aeadId) {
|
||||
|
||||
Reference in New Issue
Block a user