added external ECH test with boringssl client

esnistuff/README.md

@@ -22,6 +22,22 @@ Most recent first...
 
 DON'T DEPLOY ECH YET!!! It's still work-in-progress code.
 
+- 20240119: adding a boringssl-based external test that uses the 
+  ECH-enabled bssl client to test an ECH-enabled OpenSSL server.
+  Useful for interop, but also to create a server-only ECH-PR
+  that's smaller than the whole thing. To try that, you have to
+  make with external tests enabled:
+
+            ./config enable-external-tests
+
+  and then:
+
+            make test TESTS=test_external_ech_bssl V=1
+
+  Note that the overall ``make test`` with that build will fail
+  due to external test fails for gost and liboqs - at least that
+  happens for me. The ECH one works though.
+
 - 20240119: rebased openssl again
 
 - 20240113: Rebased curl

test/README-external.md

@@ -118,6 +118,14 @@ algorithms to be skipped, e.g. as follows:
 The names of all supported quantum-safe algorithms are available at
 <https://github.com/open-quantum-safe/oqs-provider#algorithms>
 
+Encrypted Client Hello (ECH) external tests
+===========================================
+
+In order to be able to test an ECH-enabled build that only has server-side
+changes (to reduce the size of the ECH-PR), we use boringssl to test that
+the server code interoperates. That's also a useful interop test in any
+case.
+
 Updating test suites
 ====================
 

test/recipes/95-test_external_ech_bssl.t

@@ -0,0 +1,28 @@
+#! /usr/bin/env perl
+# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test;
+use OpenSSL::Test::Utils;
+use OpenSSL::Test qw/:DEFAULT data_file bldtop_dir srctop_dir cmdstr/;
+
+setup("test_external_ech_bssl");
+
+plan skip_all => "No external tests in this configuration"
+    if disabled("external-tests");
+plan skip_all => "External ECH tests not available on Windows or VMS"
+    if $^O =~ /^(VMS|MSWin32)$/;
+plan skip_all => "External ECH tests only available in a shared build"
+    if disabled("shared");
+plan skip_all => "External ECH tests not supported in out of tree builds"
+    if bldtop_dir() ne srctop_dir();
+
+plan tests => 1;
+
+ok(run(cmd(["sh", data_file("ech_bssl_external.sh")])),
+   "running ECH external tests");

test/recipes/95-test_external_ech_bssl_data/ech_bssl_external.sh

@@ -0,0 +1,105 @@
+#!/bin/sh
+
+set -x 
+
+#
+# Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+#
+# OpenSSL ECH external testing using boringssl
+#
+# set -e
+
+PWD="$(pwd)"
+
+SRCTOP="$(cd $SRCTOP; pwd)"
+BLDTOP="$(cd $BLDTOP; pwd)"
+
+if [ "$SRCTOP" != "$BLDTOP" ] ; then
+    echo "Out of tree builds not supported with ECH external test!"
+    exit 1
+fi
+
+O_EXE="$BLDTOP/apps"
+O_BINC="$BLDTOP/include"
+O_SINC="$SRCTOP/include"
+O_LIB="$BLDTOP"
+
+unset OPENSSL_CONF
+
+export PATH="$O_EXE:$PATH"
+export LD_LIBRARY_PATH="$O_LIB:$LD_LIBRARY_PATH"
+export OPENSSL_ROOT_DIR="$O_LIB"
+
+# Check/Set openssl version
+OPENSSL_VERSION=`openssl version | cut -f 2 -d ' '`
+ECHCONFIGFILE=$SRCTOP/test/certs/echconfig.pem
+httphost=server.example
+httpreq="GET /stats HTTP/1.1\\r\\nConnection: close\\r\\nHost: $httphost\\r\\n\\r\\n"
+BTOOL=$SRCTOP/boringssl/.local/bin
+
+echo "------------------------------------------------------------------"
+echo "Testing OpenSSL using ECH-enabled boringssl:"
+echo "   CWD:                $PWD"
+echo "   SRCTOP:             $SRCTOP"
+echo "   BLDTOP:             $BLDTOP"
+echo "   OPENSSL_ROOT_DIR:   $OPENSSL_ROOT_DIR"
+echo "   OpenSSL version:    $OPENSSL_VERSION"
+echo "   PEM ECH Config file:$ECHCONFIGFILE"
+
+echo "------------------------------------------------------------------"
+
+if [ ! -d $SRCTOP/boringssl ]; then
+    mkdir -p $SRCTOP/boringssl
+fi
+if [ ! -d $SRCTOP/boringssl/.local ]; then
+(
+       cd $SRCTOP \
+           && git clone https://boringssl.googlesource.com/boringssl \
+           && cd boringssl \
+           && mkdir build \
+           && cd build \
+           && cmake -DOPENSSL_ROOT_DIR=$OPENSSL_ROOT_DIR -DCMAKE_INSTALL_PREFIX=$SRCTOP/boringssl/.local .. \
+           && make \
+           && make install
+   )
+fi
+
+echo "   CWD:                $PWD"
+
+# Start an openssl s_server
+$SRCTOP/apps/openssl s_server \
+    -key $SRCTOP/test/certs/echserver.key -cert $SRCTOP/test/certs/echserver.pem \
+    -key2 $SRCTOP/test/certs/echserver.key -cert2 $SRCTOP/test/certs/echserver.pem \
+    -CAfile $SRCTOP/test/certs/rootcert.pem \
+    -ech_key $ECHCONFIGFILE \
+    -port 8443  -tls1_3 -WWW \
+    -ign_eof -servername server.example &
+pids=`ps -ef | grep s_server | grep -v grep | awk '{print $2}'`
+if [ -z "$pids" ]
+then
+    echo "No sign of s_server - exiting (before client)"
+    exit 88
+fi
+bechfile=`mktemp`
+resfile=`mktemp`
+# to ensure we detect a fail, use the wrong ECHConfig ...
+# ECHCONFIGFILE=$SRCTOP/esnistuff/d13.pem
+cat $ECHCONFIGFILE | tail -2 | head -1 | base64 -d >$bechfile
+echo "Running bssl s_client against localhost"
+(echo -e $httpreq ; sleep 2) | \
+    $BTOOL/bssl s_client -connect localhost:8443 \
+        -ech-config-list $bechfile \
+        -server-name $httphost \
+        -root-certs $SRCTOP/test/certs/rootcert.pem > $resfile 2>&1
+rm -f $bechfile
+success=`grep -c "Encrypted ClientHello: yes" $resfile`
+rm -f $resfile 
+kill $pids
+# bssl returns 1 if ok, we want to exit with 0 for a PASS
+exit $((success != 1))