Add 'generate-ech' command to bssl tool

The tool generates three files: an ECHConfig, its corresponding private
key, and the ECHConfig wrapped in an ECHConfigList.

For example, the following invocation generates the files:

    bssl generate-ech \
      -out-ech-config-list ech_config_list.data \
      -out-ech-config ech_config.data \
      -out-private-key ech.key \
      -public-name foo.example \
      -config-id 0

Now, we can pass the ECHConfig and private key into the 'server' and
'client' commands:

    bssl server -accept 4430 \
        -ech-config ech_config.data \
        -ech-key    ech.key

    bssl client -connect localhost:4430 \
        -ech-config-list ech_config_list.data

Bug: 275
Change-Id: Id4342855483fb01aa956f9aff356105c4a8ca4f6
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48466
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/tool/CMakeLists.txt b/tool/CMakeLists.txt
index e9e387b..a591b7d 100644
--- a/tool/CMakeLists.txt
+++ b/tool/CMakeLists.txt
@@ -10,6 +10,7 @@
   digest.cc
   fd.cc
   file.cc
+  generate_ech.cc
   generate_ed25519.cc
   genrsa.cc
   pkcs12.cc
diff --git a/tool/file.cc b/tool/file.cc
index 9b5ff1b..8d74e63 100644
--- a/tool/file.cc
+++ b/tool/file.cc
@@ -12,7 +12,11 @@
  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
 
+#include <openssl/bytestring.h>
+
+#include <errno.h>
 #include <stdio.h>
+#include <string.h>
 
 #include <algorithm>
 #include <vector>
@@ -48,3 +52,17 @@
     }
   }
 }
+
+bool WriteToFile(const std::string &path, bssl::Span<const uint8_t> in) {
+  ScopedFILE file(fopen(path.c_str(), "wb"));
+  if (!file) {
+    fprintf(stderr, "Failed to open '%s': %s\n", path.c_str(), strerror(errno));
+    return false;
+  }
+  if (fwrite(in.data(), in.size(), 1, file.get()) != 1) {
+    fprintf(stderr, "Failed to write to '%s': %s\n", path.c_str(),
+            strerror(errno));
+    return false;
+  }
+  return true;
+}
diff --git a/tool/generate_ech.cc b/tool/generate_ech.cc
new file mode 100644
index 0000000..1fe501d
--- /dev/null
+++ b/tool/generate_ech.cc
@@ -0,0 +1,132 @@
+/* Copyright (c) 2021, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <stdio.h>
+
+#include <vector>
+
+#include <openssl/bytestring.h>
+#include <openssl/hpke.h>
+#include <openssl/span.h>
+#include <openssl/ssl.h>
+
+#include "internal.h"
+
+
+static const struct argument kArguments[] = {
+    {
+        "-out-ech-config-list",
+        kRequiredArgument,
+        "The path where the ECHConfigList should be written.",
+    },
+    {
+        "-out-ech-config",
+        kRequiredArgument,
+        "The path where the ECHConfig should be written.",
+    },
+    {
+        "-out-private-key",
+        kRequiredArgument,
+        "The path where the private key should be written.",
+    },
+    {
+        "-public-name",
+        kRequiredArgument,
+        "The public name for the new ECHConfig.",
+    },
+    {
+        "-config-id",
+        kRequiredArgument,
+        "The config ID for the new ECHConfig, from 0 to 255. Config IDs may be "
+        "reused, but should be unique among active configs on a server for "
+        "performance.",
+    },
+    {
+        "-max-name-length",
+        kOptionalArgument,
+        "The length of the longest name in the anonymity set, to guide client "
+        "padding.",
+    },
+    {
+        "",
+        kOptionalArgument,
+        "",
+    },
+};
+
+bool GenerateECH(const std::vector<std::string> &args) {
+  std::map<std::string, std::string> args_map;
+  if (!ParseKeyValueArguments(&args_map, args, kArguments)) {
+    PrintUsage(kArguments);
+    return false;
+  }
+
+  unsigned config_id;
+  if (!GetUnsigned(&config_id, "-config-id", 0, args_map) ||
+      config_id > std::numeric_limits<uint8_t>::max()) {
+    fprintf(stderr, "Error parsing -config-id argument\n");
+    return false;
+  }
+
+  unsigned max_name_len = 0;
+  if (args_map.count("-max-name-length") != 0 &&
+      !GetUnsigned(&max_name_len, "-max-name-length", 0, args_map)) {
+    fprintf(stderr, "Error parsing -max-name-length argument\n");
+    return false;
+  }
+
+  bssl::ScopedEVP_HPKE_KEY key;
+  uint8_t public_key[EVP_HPKE_MAX_PUBLIC_KEY_LENGTH];
+  uint8_t private_key[EVP_HPKE_MAX_PRIVATE_KEY_LENGTH];
+  size_t public_key_len, private_key_len;
+  if (!EVP_HPKE_KEY_generate(key.get(), EVP_hpke_x25519_hkdf_sha256()) ||
+      !EVP_HPKE_KEY_public_key(key.get(), public_key, &public_key_len,
+                               sizeof(public_key)) ||
+      !EVP_HPKE_KEY_private_key(key.get(), private_key, &private_key_len,
+                                sizeof(private_key))) {
+    fprintf(stderr, "Failed to generate the HPKE keypair\n");
+    return false;
+  }
+
+  uint8_t *ech_config;
+  size_t ech_config_len;
+  if (!SSL_marshal_ech_config(
+          &ech_config, &ech_config_len, static_cast<uint8_t>(config_id),
+          key.get(), args_map["-public-name"].c_str(), size_t{max_name_len})) {
+    fprintf(stderr, "Failed to serialize the ECHConfigList\n");
+    return false;
+  }
+  bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
+
+  bssl::ScopedCBB cbb;
+  CBB body;
+  if (!CBB_init(cbb.get(), ech_config_len + sizeof(uint16_t)) ||
+      !CBB_add_u16_length_prefixed(cbb.get(), &body) ||
+      !CBB_add_bytes(&body, ech_config, ech_config_len) ||
+      !CBB_flush(cbb.get())) {
+    fprintf(stderr, "Failed to serialize the ECHConfigList\n");
+    return false;
+  }
+  if (!WriteToFile(
+          args_map["-out-ech-config-list"],
+          bssl::MakeConstSpan(CBB_data(cbb.get()), CBB_len(cbb.get()))) ||
+      !WriteToFile(args_map["-out-ech-config"],
+                   bssl::MakeConstSpan(ech_config, ech_config_len)) ||
+      !WriteToFile(args_map["-out-private-key"],
+                   bssl::MakeConstSpan(private_key, private_key_len))) {
+    fprintf(stderr, "Failed to write ECHConfig or private key to file\n");
+    return false;
+  }
+  return true;
+}
diff --git a/tool/generate_ed25519.cc b/tool/generate_ed25519.cc
index 6499dbe..8920099 100644
--- a/tool/generate_ed25519.cc
+++ b/tool/generate_ed25519.cc
@@ -34,21 +34,6 @@
     },
 };
 
-static bool WriteToFile(const std::string &path, const uint8_t *in,
-                        size_t in_len) {
-  ScopedFILE file(fopen(path.c_str(), "wb"));
-  if (!file) {
-    fprintf(stderr, "Failed to open '%s': %s\n", path.c_str(), strerror(errno));
-    return false;
-  }
-  if (fwrite(in, in_len, 1, file.get()) != 1) {
-    fprintf(stderr, "Failed to write to '%s': %s\n", path.c_str(),
-            strerror(errno));
-    return false;
-  }
-  return true;
-}
-
 bool GenerateEd25519Key(const std::vector<std::string> &args) {
   std::map<std::string, std::string> args_map;
 
@@ -60,7 +45,6 @@
   uint8_t public_key[32], private_key[64];
   ED25519_keypair(public_key, private_key);
 
-  return WriteToFile(args_map["-out-public"], public_key, sizeof(public_key)) &&
-         WriteToFile(args_map["-out-private"], private_key,
-                     sizeof(private_key));
+  return WriteToFile(args_map["-out-public"], public_key) &&
+         WriteToFile(args_map["-out-private"], private_key);
 }
diff --git a/tool/internal.h b/tool/internal.h
index eb9e4ba..7f3692a 100644
--- a/tool/internal.h
+++ b/tool/internal.h
@@ -16,6 +16,7 @@
 #define OPENSSL_HEADER_TOOL_INTERNAL_H
 
 #include <openssl/base.h>
+#include <openssl/span.h>
 
 #include <string>
 #include <utility>
@@ -120,10 +121,12 @@
                  const std::map<std::string, std::string> &args);
 
 bool ReadAll(std::vector<uint8_t> *out, FILE *in);
+bool WriteToFile(const std::string &path, bssl::Span<const uint8_t> in);
 
 bool Ciphers(const std::vector<std::string> &args);
 bool Client(const std::vector<std::string> &args);
 bool DoPKCS12(const std::vector<std::string> &args);
+bool GenerateECH(const std::vector<std::string> &args);
 bool GenerateEd25519Key(const std::vector<std::string> &args);
 bool GenerateRSAKey(const std::vector<std::string> &args);
 bool MD5Sum(const std::vector<std::string> &args);
diff --git a/tool/tool.cc b/tool/tool.cc
index d278535..7bec7a2 100644
--- a/tool/tool.cc
+++ b/tool/tool.cc
@@ -45,6 +45,7 @@
   { "ciphers", Ciphers },
   { "client", Client },
   { "isfips", IsFIPS },
+  { "generate-ech", GenerateECH},
   { "generate-ed25519", GenerateEd25519Key },
   { "genrsa", GenerateRSAKey },
   { "md5sum", MD5Sum },