Add dockerfile for generation of a quic interop container
authorNeil Horman <nhorman@openssl.org>
Mon, 5 Aug 2024 20:42:06 +0000 (16:42 -0400)
committerNeil Horman <nhorman@openssl.org>
Fri, 16 Aug 2024 18:34:08 +0000 (14:34 -0400)
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25091)

interop/quic-openssl-docker/Dockerfile [new file with mode: 0644]
interop/quic-openssl-docker/README.md [new file with mode: 0644]
interop/quic-openssl-docker/run_endpoint.sh [new file with mode: 0644]

diff --git a/interop/quic-openssl-docker/Dockerfile b/interop/quic-openssl-docker/Dockerfile
new file mode 100644 (file)
index 0000000..c35c0f8
--- /dev/null
@@ -0,0 +1,43 @@
+FROM martenseemann/quic-network-simulator-endpoint:latest
+
+# Make sure curl picks up the new openssl
+ENV PKG_CONFIG_LIBDIR=/usr/lib64/pkgconfig:/usr/lib/pkgconfig:/usr/lib/x86_64-linux-gnu/pkgconfig/:$PKG_CONFIG_LIBDIR
+# Set the environment variable LD_LIBRARY_PATH to ensure we get the right libraries
+ENV LD_LIBRARY_PATH=/usr/lib64:/usr/lib:/usr/lib/x86_64-linux-gnu:$LD_LIBRARY_PATH
+
+# Install needed tools
+RUN apt-get update && apt-get install -y \
+    git make gcc perl cmake build-essential \
+    autoconf libtool pkg-config libpsl-dev
+
+# build nghttp3
+RUN git clone https://github.com/ngtcp2/nghttp3.git && \
+    cd nghttp3 && \
+    git submodule update --init && \
+    autoreconf -i && \
+    ./configure --prefix=/usr && \
+    make -j check && \
+    make install && \
+    rm -rf nghttp3
+
+# download and build openssl 
+RUN git clone https://github.com/openssl/openssl.git && \
+    cd openssl && \
+    ./Configure enable-fips no-docs --prefix=/usr --openssldir=/etc/pki/tls && \
+    make -j && make install && \
+    rm -rf openssl
+
+# Build curl
+RUN git clone https://github.com/curl/curl.git && \
+    cd curl && \
+    autoreconf -fi && ./configure --with-openssl-quic --with-openssl --with-nghttp3 --prefix=/usr && \
+    make -j && \
+    make install && \
+    rm -rf /curl
+
+# copy run script and run it
+COPY run_endpoint.sh .
+RUN chmod +x run_endpoint.sh
+RUN apt-get clean
+ENTRYPOINT [ "./run_endpoint.sh" ]
+
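Review bot: The base image is pulled by the mutable `latest` tag, and nghttp3, openssl and curl are each cloned at whatever their default branch holds at build time, so two builds of this Dockerfile can yield different binaries and none of the inputs can be verified afterwards. Pinning the base by digest (`FROM martenseemann/quic-network-simulator-endpoint@sha256:<DIGEST>`, placeholder) and each clone to a tag or commit (`git clone --depth 1 --branch <TAG> ...`, placeholder) would make an interop result attributable to a known set of sources. Separately, `rm -rf nghttp3` and `rm -rf openssl` run after the `cd` into those directories, so they resolve inside the source tree and leave it in the layer; `cd .. && rm -rf nghttp3` is presumably what was intended, and `rm -rf /curl` only removes the checkout if the build's working directory is `/`, which this file does not show. The standalone `RUN apt-get clean` adds a layer without shrinking the earlier one; it belongs in the same `RUN` as `apt-get install`, together with `rm -rf /var/lib/apt/lists/*`.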
diff --git a/interop/quic-openssl-docker/README.md b/interop/quic-openssl-docker/README.md
new file mode 100644 (file)
index 0000000..ff5a558
--- /dev/null
@@ -0,0 +1,23 @@
+quic-openssl-docker
+===================
+
+Dockerfile for quic working group interop testing
+
+Overview
+--------
+
+This Dockerfile builds a container for use with the
+[QUIC working group interop testing facility](https://interop.seemann.io/?run=2024-08-05T08:30)
+It can also be used locally to test QUIC interoperability via the
+[QUIC interop runner](https://github.com/quic-interop/quic-interop-runner)
+Please see instructions there for running local interop testing
+
+Building the container
+----------------------
+
+From this directory:
+`docker build -t quay.io/openssl-ci/openssl-quic-interop:latest .`
+
+Note the tag name is important, as the interop runner knows the container
+by this name.  If you build locally with changes, the interop runner project
+will pick up the container from your local registry rather than downloading it
diff --git a/interop/quic-openssl-docker/run_endpoint.sh b/interop/quic-openssl-docker/run_endpoint.sh
new file mode 100644 (file)
index 0000000..c9ecd66
--- /dev/null
@@ -0,0 +1,87 @@
+#!/bin/bash
+
+CURLRC=~/testcase_curlrc
+
+# Set up the routing needed for the simulation
+/setup.sh
+
+# The following variables are available for use:
+# - ROLE contains the role of this execution context, client or server
+# - SERVER_PARAMS contains user-supplied command line parameters
+# - CLIENT_PARAMS contains user-supplied command line parameters
+
+generate_outputs_http3() {
+    for i in $REQUESTS
+    do
+        OUTFILE=$(basename $i)
+        echo -e "--http3-only\n-o /downloads/$OUTFILE\n--url $i" >> $CURLRC
+        echo "--next" >> $CURLRC
+    done
+    # Remove the last --next
+    head -n -1 $CURLRC > $CURLRC.tmp
+    mv $CURLRC.tmp $CURLRC 
+}
+
+dump_curlrc() {
+    echo "Using curlrc:"
+    cat $CURLRC
+}
+
+if [ "$ROLE" == "client" ]; then
+    # Wait for the simulator to start up.
+    echo "Waiting for simulator"
+    /wait-for-it.sh sim:57832 -s -t 30
+    echo "TESTCASE is $TESTCASE"
+    rm -f $CURLRC 
+
+    case "$TESTCASE" in
+    "http3"|"transfer")
+    echo -e "--verbose\n--parallel" >> $CURLRC
+    generate_outputs_http3
+    dump_curlrc
+        SSL_CERT_FILE=/certs/ca.pem curl --config $CURLRC 
+        if [ $? -ne 0 ]
+        then
+            exit 1
+        fi
+        exit 0
+        ;;
+    "handshake")
+       OUTFILE=$(basename $REQUESTS)
+       echo -e "--verbose\n--http3\n-H \"Connection: close\"\n-o /downloads/$OUTFILE\n--url $REQUESTS" >> $CURLRC
+       dump_curlrc
+       SSL_CERT_FILE=/certs/ca.pem curl --config $CURLRC 
+       if [ $? -ne 0 ]
+       then
+           exit 1
+       fi
+       exit 0
+       ;; 
+    "retry")
+       OUTFILE=$(basename $REQUESTS)
+       SSL_CERT_FILE=/certs/ca.pem curl --verbose --http3 -o /downloads/$OUTFILE $REQUESTS
+       if [ $? -ne 0 ]
+       then
+           exit 1
+       fi
+       exit 0
+       ;; 
+    "chacha20")
+       OUTFILE=$(basename $REQUESTS)
+       SSL_CERT_FILE=/certs/ca.pem curl --verbose --tlsv1.3 --tls13-ciphers TLS_CHACHA20_POLY1305_SHA256 --http3 -o /downloads/$OUTFILE $REQUESTS
+       if [ $? -ne 0 ]
+       then
+           exit 1
+       fi
+       exit 0
+       ;; 
+    *)
+        echo "UNSUPPORTED TESTCASE $TESTCASE"
+        exit 127
+        ;;
+    esac
+elif [ "$ROLE" == "server" ]; then
+    echo "UNSUPPORTED"
+    exit 127
+fi
+
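Review bot: `$REQUESTS`, `$OUTFILE` and `$CURLRC` are expanded unquoted throughout, and in generate_outputs_http3 and the "handshake" arm the URL is written into the curl config through `echo -e`, which also interprets backslash escapes in it; a request URL containing whitespace, a glob character or `\n` therefore changes which options curl reads from `$CURLRC`. Writing the entries with `printf '%s\n'` and quoting every expansion other than the deliberate split of the request list keeps the URL as data; a possible shape for generate_outputs_http3 follows. The same quoting applies to `basename $REQUESTS` and to the direct `curl ... -o /downloads/$OUTFILE $REQUESTS` calls in the "retry" and "chacha20" arms. Separately, the exit status of `/setup.sh` and `/wait-for-it.sh` is never checked, and a `ROLE` that is neither `client` nor `server` falls through to exit status 0, which a harness could read as a pass.

```shell
generate_outputs_http3() {
    local url outfile first=1
    # REQUESTS is a space-separated URL list; this word split is deliberate
    for url in $REQUESTS
    do
        outfile=$(basename -- "$url")
        # separator goes before every entry but the first, so no trailing --next has to be trimmed
        [ "$first" -eq 1 ] || printf '%s\n' "--next" >> "$CURLRC"
        first=0
        printf '%s\n' "--http3-only" "-o /downloads/$outfile" "--url $url" >> "$CURLRC"
    done
}
```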