touch-ups:

- shrink ech interop workflow
- x448 macro now unused in hpke WOLFSSL_LOCAL functions
- bug fixes in added tests
This commit is contained in:
sebastian-carpenter
2026-03-18 10:30:27 -06:00
parent 7e9f9dc140
commit fcedc91d38
7 changed files with 79 additions and 109 deletions
+4 -2
View File
@@ -3,8 +3,10 @@
set -e
cleanup() {
cat "$TMP_LOG"
rm -f "$TMP_LOG"
if [ -f "$TMP_LOG" ]; then
cat "$TMP_LOG"
rm -f "$TMP_LOG"
fi
}
trap cleanup EXIT
+24 -78
View File
@@ -37,12 +37,13 @@ jobs:
# need certs so 'wolfSSL error: wolf root not found' does not show up
cp -r "$GITHUB_WORKSPACE/wolfssl/certs" build-dir/certs
tar -zcf build-dir.tgz build-dir
# need the ech script to run tests
cp "$GITHUB_WORKSPACE/wolfssl/.github/scripts/openssl-ech.sh" \
build-dir/openssl-ech.sh
tar -zcf build-dir.tgz build-dir
- name: Upload built wolfSSL
uses: actions/upload-artifact@v4
with:
@@ -82,8 +83,8 @@ jobs:
path: openssl-install.tgz
retention-days: 5
ech_server_interop_test:
name: ECH Server Interop Test
ech_interop_test:
name: ECH Interop Test
if: github.repository_owner == 'wolfssl'
needs: [build_wolfssl, build_openssl_ech]
runs-on: ubuntu-24.04
@@ -104,75 +105,7 @@ jobs:
tar -xzf build-dir.tgz
tar -xzf openssl-install.tgz
- name: Build wolfssl server example
run: |
export WOLFSSL_INSTALL_DIR="$GITHUB_WORKSPACE/build-dir"
export WOLFSSL_BIN_DIR="$WOLFSSL_INSTALL_DIR/bin"
export CFLAGS="-Wall -I$WOLFSSL_INSTALL_DIR/include"
export LIBS="-L$WOLFSSL_INSTALL_DIR/lib -lm -lwolfssl"
export LD_LIBRARY_PATH="$WOLFSSL_INSTALL_DIR/lib/:$LD_LIBRARY_PATH"
gcc -o "$WOLFSSL_BIN_DIR/server" \
"$WOLFSSL_INSTALL_DIR/share/doc/wolfssl/example/server.c" \
$CFLAGS $LIBS -I"$WOLFSSL_INSTALL_DIR/share/doc/wolfssl/example"
- name: ECH interop - wolfSSL server, OpenSSL client
run: |
set -e
export LD_LIBRARY_PATH="$GITHUB_WORKSPACE/openssl-install/lib64:$GITHUB_WORKSPACE/openssl-install/lib:$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH"
OPENSSL="$GITHUB_WORKSPACE/openssl-install/bin/openssl"
WOLFSSL_SERVER="$GITHUB_WORKSPACE/build-dir/bin/server"
CERT_DIR="$GITHUB_WORKSPACE/build-dir/certs"
LOG_FILE="$GITHUB_WORKSPACE/log_file.log"
# need to cd into build-dir so the certs/ dir is available for server
cd build-dir
$OPENSSL version | tee "$LOG_FILE"
# default suite (DHKEM_X25519_HKDF_SHA256, HKDF_SHA256, HPKE_AES_128_GCM)
bash ./openssl-ech.sh client &>> "$LOG_FILE"
# weird suite (DHKEM_P521_HKDF_SHA512, HKDF_SHA256, HPKE_AES_256_GCM)
bash ./openssl-ech.sh client --suite "18,3,2" &>> "$LOG_FILE"
# cleanup
rm -f "$LOG_FILE"
- name: Print debug info on failure
if: ${{ failure() }}
run: |
if [ -s "$GITHUB_WORKSPACE/log_file.log" ]; then
cat "$GITHUB_WORKSPACE/log_file.log"
else
echo "No log file"
fi
ech_client_interop_test:
name: ECH Client Interop Test
if: github.repository_owner == 'wolfssl'
needs: [build_wolfssl, build_openssl_ech]
runs-on: ubuntu-24.04
timeout-minutes: 10
steps:
- name: Download wolfSSL build
uses: actions/download-artifact@v4
with:
name: wolf-install-openssl-ech
- name: Download OpenSSL build
uses: actions/download-artifact@v4
with:
name: openssl-ech-install
- name: Extract builds
run: |
tar -xzf build-dir.tgz
tar -xzf openssl-install.tgz
- name: Build wolfssl client example
- name: Build wolfssl client and server examples
run: |
export WOLFSSL_INSTALL_DIR="$GITHUB_WORKSPACE/build-dir"
export WOLFSSL_BIN_DIR="$WOLFSSL_INSTALL_DIR/bin"
@@ -184,27 +117,40 @@ jobs:
"$WOLFSSL_INSTALL_DIR/share/doc/wolfssl/example/client.c" \
$CFLAGS $LIBS -I"$WOLFSSL_INSTALL_DIR/share/doc/wolfssl/example"
- name: ECH interop - wolfSSL client, OpenSSL server
gcc -o "$WOLFSSL_BIN_DIR/server" \
"$WOLFSSL_INSTALL_DIR/share/doc/wolfssl/example/server.c" \
$CFLAGS $LIBS -I"$WOLFSSL_INSTALL_DIR/share/doc/wolfssl/example"
- name: Interop test
run: |
set -e
export LD_LIBRARY_PATH="$GITHUB_WORKSPACE/openssl-install/lib64:$GITHUB_WORKSPACE/openssl-install/lib:$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH"
OPENSSL="$GITHUB_WORKSPACE/openssl-install/bin/openssl"
WOLFSSL_CLIENT="$GITHUB_WORKSPACE/build-dir/bin/client"
CERT_DIR="$GITHUB_WORKSPACE/build-dir/certs"
export OPENSSL="$GITHUB_WORKSPACE/openssl-install/bin/openssl"
export WOLFSSL_CLIENT="$GITHUB_WORKSPACE/build-dir/bin/client"
export WOLFSSL_SERVER="$GITHUB_WORKSPACE/build-dir/bin/server"
export CERT_DIR="$GITHUB_WORKSPACE/build-dir/certs"
LOG_FILE="$GITHUB_WORKSPACE/log_file.log"
# need to cd into build-dir so the certs/ dir is available for client
# need to cd into build-dir so the certs/ dir is available for server
cd build-dir
$OPENSSL version | tee "$LOG_FILE"
# default suite (DHKEM_X25519_HKDF_SHA256, HKDF_SHA256, HPKE_AES_128_GCM)
echo -e "\nTesting default suite with OpenSSL server and wolfSSL client\n" &>> "$LOG_FILE"
bash ./openssl-ech.sh server &>> "$LOG_FILE"
echo -e "\nTesting default suite with OpenSSL client and wolfSSL server\n" &>> "$LOG_FILE"
bash ./openssl-ech.sh client &>> "$LOG_FILE"
# weird suite (DHKEM_P521_HKDF_SHA512, HKDF_SHA256, HPKE_AES_256_GCM)
bash ./openssl-ech.sh server --suite "18,3,2" &>> "$LOG_FILE"
echo -e "\nTesting weird suite with OpenSSL server and wolfSSL client\n" &>> "$LOG_FILE"
bash ./openssl-ech.sh server --suite "18,1,2" &>> "$LOG_FILE"
echo -e "\nTesting weird suite with OpenSSL client and wolfSSL server\n" &>> "$LOG_FILE"
bash ./openssl-ech.sh client --suite "18,1,2" &>> "$LOG_FILE"
# cleanup
rm -f "$LOG_FILE"
+37 -21
View File
@@ -1120,8 +1120,8 @@ static const char* server_usage_msg[][70] = {
"--ech <name> Generate Encrypted Client Hello config with "
"public name <name>\n",
/* 67 */
"--ech-suite <KEM,KDF,AEAD> HPKE suite to use for ech config. "
"Supplied as 3 integers (e.g., 32,1,3)\n",
"--ech-suite <KEM,KDF,AEAD> HPKE suite to use for ech config.\n"
" Supplied as 3 integers (ex: 32,1,3)\n",
/* 68 */
#endif
"\n"
@@ -1338,12 +1338,20 @@ static const char* server_usage_msg[][70] = {
#endif
#ifdef WOLFSSL_SYS_CRYPTO_POLICY
"--crypto-policy <path to crypto policy file>\n", /* 66 */
#endif
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
"--ech <name> Generate Encrypted Client Hello config with "
"public name <name>\n",
/* 67 */
"--ech-suite <KEM,KDF,AEAD> HPKE suite to use for ech config.\n"
" Supplied as 3 integers (ex: 32,1,3)\n",
/* 68 */
#endif
"\n"
"より簡単なwolfSSL TSL クライアントの例については"
"下記にアクセスしてください\n"
"https://github.com/wolfSSL/wolfssl-examples/tree/master/tls\n",
/* 67 */
/* 69 */
NULL,
},
#endif
@@ -1712,6 +1720,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
char* echPublicName = NULL;
char* echSuite = NULL;
word16 kemId = 0;
word16 kdfId = 0;
word16 aeadId = 0;
#endif
#ifdef HAVE_TRUSTED_CA
@@ -2547,6 +2558,29 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
break;
case 270:
echSuite = myoptarg;
/* parse alg id's ignoring overflows
* commas can be entered with no number to accept the default */
if (echSuite != NULL) {
kemId = (word16)atoi(echSuite);
for (; *echSuite != '\0' && *echSuite != ','; echSuite++);
if (*echSuite != ',') {
LOG_ERROR("Expected two commas '%s'\n", myoptarg);
XEXIT_T(EXIT_FAILURE);
}
echSuite++;
kdfId = (word16)atoi(echSuite);
for (; *echSuite != '\0' && *echSuite != ','; echSuite++);
if (*echSuite != ',') {
LOG_ERROR("Expected two commas'%s'\n", myoptarg);
XEXIT_T(EXIT_FAILURE);
}
echSuite++;
aeadId = (word16)atoi(echSuite);
}
break;
#endif
@@ -3116,24 +3150,6 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
char echConfigBase64[512];
char* echConfigBase64Ptr;
word32 echConfigBase64Len = sizeof(echConfigBase64);
word16 kemId = 0;
word16 kdfId = 0;
word16 aeadId = 0;
/* an optimistic approach to parsing the ciphersuite */
if (echSuite != NULL) {
const char* s = echSuite;
kemId = (word16)atoi(s);
for (; *s != '\0' && *s != ','; s++);
if (*s == ',') s++;
kdfId = (word16)atoi(s);
for (; *s != '\0' && *s != ','; s++);
if (*s == ',') s++;
aeadId = (word16)atoi(s);
}
if (wolfSSL_CTX_GenerateEchConfig(ctx, echPublicName, kemId, kdfId,
aeadId) != WOLFSSL_SUCCESS) {
+1 -1
View File
@@ -35,7 +35,7 @@ int wolfSSL_CTX_GenerateEchConfig(WOLFSSL_CTX* ctx, const char* publicName,
{
int ret = 0;
WOLFSSL_EchConfig* newConfig;
word16 encLen = sizeof(newConfig->receiverPubkey);
word16 encLen = HPKE_Npk_MAX;
#ifdef WOLFSSL_SMALL_STACK
Hpke* hpke = NULL;
WC_RNG* rng;
+4
View File
@@ -13260,6 +13260,10 @@ static int TLSX_ECH_Use(WOLFSSL_EchConfig* echConfig, TLSX** extensions,
ech->configId = echConfig->configId;
/* encLen */
ech->encLen = wc_HpkeKemGetEncLen(echConfig->kemId);
if (ech->encLen == 0) {
XFREE(ech, heap, DYNAMIC_TYPE_TMP_BUFFER);
return BAD_FUNC_ARG;
}
/* setup hpke */
ech->hpke = (Hpke*)XMALLOC(sizeof(Hpke), heap, DYNAMIC_TYPE_TMP_BUFFER);
if (ech->hpke == NULL) {
+1 -1
View File
@@ -14613,7 +14613,7 @@ static int test_wolfSSL_Tls13_ECH_all_algos(void)
for (k = 0; k < (int)(sizeof(aeads) / sizeof(*aeads)); k++) {
echCbTestAeadID = aeads[k];
ExpectIntEQ(test_wolfSSL_Tls13_ECH_all_algos_ex(),
WOLFSSL_SUCCESS);
TEST_SUCCESS);
}
}
}
+8 -6
View File
@@ -1218,6 +1218,8 @@ int wc_HpkeOpenBase(Hpke* hpke, void* receiverKey, const byte* pubKey,
return ret;
}
/* return the encrypted length of the KEM
* return 0 otherwise */
WOLFSSL_LOCAL word16 wc_HpkeKemGetEncLen(word16 kemId)
{
switch (kemId)
@@ -1240,17 +1242,14 @@ WOLFSSL_LOCAL word16 wc_HpkeKemGetEncLen(word16 kemId)
(defined(WOLFSSL_SHA224) || !defined(NO_SHA256))
case DHKEM_X25519_HKDF_SHA256:
return DHKEM_X25519_ENC_LEN;
#endif
#if defined(HAVE_CURVE448) &&\
(defined(WOLFSSL_SHA384) || defined(WOLFSSL_SHA512))
case DHKEM_X448_HKDF_SHA512:
return DHKEM_X448_ENC_LEN;
#endif
default:
return 0;
}
}
/* return true if hpke is compiled with support for the given KEM
* return false otherwise */
WOLFSSL_LOCAL int wc_HpkeKemIsSupported(word16 kemId)
{
switch (kemId) {
@@ -1271,12 +1270,13 @@ WOLFSSL_LOCAL int wc_HpkeKemIsSupported(word16 kemId)
#endif
return 1;
case DHKEM_X448_HKDF_SHA512:
default:
return 0;
}
}
/* return true if hpke is compiled with support for the given KDF
* return false otherwise */
WOLFSSL_LOCAL int wc_HpkeKdfIsSupported(word16 kdfId)
{
switch (kdfId) {
@@ -1296,6 +1296,8 @@ WOLFSSL_LOCAL int wc_HpkeKdfIsSupported(word16 kdfId)
}
}
/* return true if hpke is compiled with support for the given AEAD
* return false otherwise */
WOLFSSL_LOCAL int wc_HpkeAeadIsSupported(word16 aeadId)
{
switch (aeadId) {