From: Daniel McCarney Date: Mon, 24 Mar 2025 16:11:54 +0000 (-0400) Subject: rustls: add ECH support w/ string ECH config X-Git-Tag: curl-8_13_0~50 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b1ba919676e6a07c28db07d235a2caf8f8d12bcb;p=thirdparty%2Fcurl.git rustls: add ECH support w/ string ECH config e.g. `curl --tlsv1.3 --ech ecl: ...` Closes #16828 --- diff --git a/lib/vtls/rustls.c b/lib/vtls/rustls.c index f1a1c897fd..4d2d195a5d 100644 --- a/lib/vtls/rustls.c +++ b/lib/vtls/rustls.c @@ -903,6 +903,8 @@ init_config_builder_ech(struct Curl_easy *data, struct rustls_client_config_builder *builder) { const rustls_hpke *hpke = rustls_supported_hpke(); + unsigned char *ech_config = NULL; + size_t ech_config_len = 0; if(!hpke) { failf(data, @@ -924,6 +926,30 @@ init_config_builder_ech(struct Curl_easy *data, return CURLE_SSL_CONNECT_ERROR; } } + else if(data->set.tls_ech & CURLECH_CLA_CFG + && data->set.str[STRING_ECH_CONFIG]) { + const char *b64 = data->set.str[STRING_ECH_CONFIG]; + size_t decode_result; + rustls_result rr; + if(!b64) { + infof(data, "rustls: ECHConfig from command line empty"); + return CURLE_SSL_CONNECT_ERROR; + } + /* rustls-ffi expects the raw TLS encoded ECHConfigList bytes */ + decode_result = Curl_base64_decode(b64, &ech_config, &ech_config_len); + if(decode_result || !ech_config) { + infof(data, "rustls: cannot base64 decode ECHConfig from command line"); + return CURLE_SSL_CONNECT_ERROR; + } + rr = rustls_client_config_builder_enable_ech(builder, + ech_config, + ech_config_len, + hpke); + if(rr != RUSTLS_RESULT_OK) { + rustls_failf(data, rr, "rustls: failed to configure ECH"); + return CURLE_SSL_CONNECT_ERROR; + } + } return CURLE_OK; }