diff options
author | Dan McArdle <dmcardle@google.com> | 2021-07-14 17:19:16 -0400 |
---|---|---|
committer | Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2021-07-20 20:07:58 +0000 |
commit | 7a817f48bafee508b2d23ad278f892ee1cb32b91 (patch) | |
tree | e8bd63d365369d48964356eca3899ffbaa6cbd4c /tool | |
parent | e38cf79cdf47606f6768fb85dc066d7ebce304ac (diff) | |
download | boringssl-7a817f48bafee508b2d23ad278f892ee1cb32b91.zip boringssl-7a817f48bafee508b2d23ad278f892ee1cb32b91.tar.gz boringssl-7a817f48bafee508b2d23ad278f892ee1cb32b91.tar.bz2 |
Add 'generate-ech' command to bssl tool
The tool generates three files: an ECHConfig, its corresponding private
key, and the ECHConfig wrapped in an ECHConfigList.
For example, the following invocation generates the files:
bssl generate-ech \
-out-ech-config-list ech_config_list.data \
-out-ech-config ech_config.data \
-out-private-key ech.key \
-public-name foo.example \
-config-id 0
Now, we can pass the ECHConfig and private key into the 'server' and
'client' commands:
bssl server -accept 4430 \
-ech-config ech_config.data \
-ech-key ech.key
bssl client -connect localhost:4430 \
-ech-config-list ech_config_list.data
Bug: 275
Change-Id: Id4342855483fb01aa956f9aff356105c4a8ca4f6
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48466
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Diffstat (limited to 'tool')
-rw-r--r-- | tool/CMakeLists.txt | 1 | ||||
-rw-r--r-- | tool/file.cc | 18 | ||||
-rw-r--r-- | tool/generate_ech.cc | 132 | ||||
-rw-r--r-- | tool/generate_ed25519.cc | 20 | ||||
-rw-r--r-- | tool/internal.h | 3 | ||||
-rw-r--r-- | tool/tool.cc | 1 |
6 files changed, 157 insertions, 18 deletions
diff --git a/tool/CMakeLists.txt b/tool/CMakeLists.txt index e9e387b..a591b7d 100644 --- a/tool/CMakeLists.txt +++ b/tool/CMakeLists.txt @@ -10,6 +10,7 @@ add_executable( digest.cc fd.cc file.cc + generate_ech.cc generate_ed25519.cc genrsa.cc pkcs12.cc diff --git a/tool/file.cc b/tool/file.cc index 9b5ff1b..8d74e63 100644 --- a/tool/file.cc +++ b/tool/file.cc @@ -12,7 +12,11 @@ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +#include <openssl/bytestring.h> + +#include <errno.h> #include <stdio.h> +#include <string.h> #include <algorithm> #include <vector> @@ -48,3 +52,17 @@ bool ReadAll(std::vector<uint8_t> *out, FILE *file) { } } } + +bool WriteToFile(const std::string &path, bssl::Span<const uint8_t> in) { + ScopedFILE file(fopen(path.c_str(), "wb")); + if (!file) { + fprintf(stderr, "Failed to open '%s': %s\n", path.c_str(), strerror(errno)); + return false; + } + if (fwrite(in.data(), in.size(), 1, file.get()) != 1) { + fprintf(stderr, "Failed to write to '%s': %s\n", path.c_str(), + strerror(errno)); + return false; + } + return true; +} diff --git a/tool/generate_ech.cc b/tool/generate_ech.cc new file mode 100644 index 0000000..1fe501d --- /dev/null +++ b/tool/generate_ech.cc @@ -0,0 +1,132 @@ +/* Copyright (c) 2021, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#include <stdio.h> + +#include <vector> + +#include <openssl/bytestring.h> +#include <openssl/hpke.h> +#include <openssl/span.h> +#include <openssl/ssl.h> + +#include "internal.h" + + +static const struct argument kArguments[] = { + { + "-out-ech-config-list", + kRequiredArgument, + "The path where the ECHConfigList should be written.", + }, + { + "-out-ech-config", + kRequiredArgument, + "The path where the ECHConfig should be written.", + }, + { + "-out-private-key", + kRequiredArgument, + "The path where the private key should be written.", + }, + { + "-public-name", + kRequiredArgument, + "The public name for the new ECHConfig.", + }, + { + "-config-id", + kRequiredArgument, + "The config ID for the new ECHConfig, from 0 to 255. Config IDs may be " + "reused, but should be unique among active configs on a server for " + "performance.", + }, + { + "-max-name-length", + kOptionalArgument, + "The length of the longest name in the anonymity set, to guide client " + "padding.", + }, + { + "", + kOptionalArgument, + "", + }, +}; + +bool GenerateECH(const std::vector<std::string> &args) { + std::map<std::string, std::string> args_map; + if (!ParseKeyValueArguments(&args_map, args, kArguments)) { + PrintUsage(kArguments); + return false; + } + + unsigned config_id; + if (!GetUnsigned(&config_id, "-config-id", 0, args_map) || + config_id > std::numeric_limits<uint8_t>::max()) { + fprintf(stderr, "Error parsing -config-id argument\n"); + return false; + } + + unsigned max_name_len = 0; + if (args_map.count("-max-name-length") != 0 && + !GetUnsigned(&max_name_len, "-max-name-length", 0, args_map)) { + fprintf(stderr, "Error parsing -max-name-length argument\n"); + return false; + } + + bssl::ScopedEVP_HPKE_KEY key; + uint8_t public_key[EVP_HPKE_MAX_PUBLIC_KEY_LENGTH]; + uint8_t private_key[EVP_HPKE_MAX_PRIVATE_KEY_LENGTH]; + size_t public_key_len, private_key_len; + if (!EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()) || + !EVP_HPKE_KEY_public_key(key.get(), public_key, &public_key_len, + sizeof(public_key)) || + !EVP_HPKE_KEY_private_key(key.get(), private_key, &private_key_len, + sizeof(private_key))) { + fprintf(stderr, "Failed to generate the HPKE keypair\n"); + return false; + } + + uint8_t *ech_config; + size_t ech_config_len; + if (!SSL_marshal_ech_config( + &ech_config, &ech_config_len, static_cast<uint8_t>(config_id), + key.get(), args_map["-public-name"].c_str(), size_t{max_name_len})) { + fprintf(stderr, "Failed to serialize the ECHConfigList\n"); + return false; + } + bssl::UniquePtr<uint8_t> free_ech_config(ech_config); + + bssl::ScopedCBB cbb; + CBB body; + if (!CBB_init(cbb.get(), ech_config_len + sizeof(uint16_t)) || + !CBB_add_u16_length_prefixed(cbb.get(), &body) || + !CBB_add_bytes(&body, ech_config, ech_config_len) || + !CBB_flush(cbb.get())) { + fprintf(stderr, "Failed to serialize the ECHConfigList\n"); + return false; + } + if (!WriteToFile( + args_map["-out-ech-config-list"], + bssl::MakeConstSpan(CBB_data(cbb.get()), CBB_len(cbb.get()))) || + !WriteToFile(args_map["-out-ech-config"], + bssl::MakeConstSpan(ech_config, ech_config_len)) || + !WriteToFile(args_map["-out-private-key"], + bssl::MakeConstSpan(private_key, private_key_len))) { + fprintf(stderr, "Failed to write ECHConfig or private key to file\n"); + return false; + } + return true; +} diff --git a/tool/generate_ed25519.cc b/tool/generate_ed25519.cc index 6499dbe..8920099 100644 --- a/tool/generate_ed25519.cc +++ b/tool/generate_ed25519.cc @@ -34,21 +34,6 @@ static const struct argument kArguments[] = { }, }; -static bool WriteToFile(const std::string &path, const uint8_t *in, - size_t in_len) { - ScopedFILE file(fopen(path.c_str(), "wb")); - if (!file) { - fprintf(stderr, "Failed to open '%s': %s\n", path.c_str(), strerror(errno)); - return false; - } - if (fwrite(in, in_len, 1, file.get()) != 1) { - fprintf(stderr, "Failed to write to '%s': %s\n", path.c_str(), - strerror(errno)); - return false; - } - return true; -} - bool GenerateEd25519Key(const std::vector<std::string> &args) { std::map<std::string, std::string> args_map; @@ -60,7 +45,6 @@ bool GenerateEd25519Key(const std::vector<std::string> &args) { uint8_t public_key[32], private_key[64]; ED25519_keypair(public_key, private_key); - return WriteToFile(args_map["-out-public"], public_key, sizeof(public_key)) && - WriteToFile(args_map["-out-private"], private_key, - sizeof(private_key)); + return WriteToFile(args_map["-out-public"], public_key) && + WriteToFile(args_map["-out-private"], private_key); } diff --git a/tool/internal.h b/tool/internal.h index eb9e4ba..7f3692a 100644 --- a/tool/internal.h +++ b/tool/internal.h @@ -16,6 +16,7 @@ #define OPENSSL_HEADER_TOOL_INTERNAL_H #include <openssl/base.h> +#include <openssl/span.h> #include <string> #include <utility> @@ -120,10 +121,12 @@ bool GetUnsigned(unsigned *out, const std::string &arg_name, const std::map<std::string, std::string> &args); bool ReadAll(std::vector<uint8_t> *out, FILE *in); +bool WriteToFile(const std::string &path, bssl::Span<const uint8_t> in); bool Ciphers(const std::vector<std::string> &args); bool Client(const std::vector<std::string> &args); bool DoPKCS12(const std::vector<std::string> &args); +bool GenerateECH(const std::vector<std::string> &args); bool GenerateEd25519Key(const std::vector<std::string> &args); bool GenerateRSAKey(const std::vector<std::string> &args); bool MD5Sum(const std::vector<std::string> &args); diff --git a/tool/tool.cc b/tool/tool.cc index d278535..7bec7a2 100644 --- a/tool/tool.cc +++ b/tool/tool.cc @@ -45,6 +45,7 @@ static const Tool kTools[] = { { "ciphers", Ciphers }, { "client", Client }, { "isfips", IsFIPS }, + { "generate-ech", GenerateECH}, { "generate-ed25519", GenerateEd25519Key }, { "genrsa", GenerateRSAKey }, { "md5sum", MD5Sum }, |