Both our OpenSSL fork and BoringSSL/AWS-LC have APIs for both controlling GREASE
and accessing and logging ``retry_configs``, it seems wolfSSL has neither.
+
+### Testing ECH
+
+We have yet to add a robust test setup for ECH as that requires an ECH-enabled
+test server.
+
+We have added two basic tests though, aiming to ensure that the client sends a
+GREASE or real ECH extension when requested, and reacts correctly to the
+failure of ECH in the latter case. (Given that `stunnel` has no ECH support.)
+
+As with other similar tests, those tests require the `stunnel` tool be
+installed. On Ubuntu `sudo apt install stunnel4` achieves that.
+
+The test cases are:
+
+- data/test4000: GREASE ECH, expected result: connection succeeds
+- data/test4001: real ECH, connection fails with error 101 (ECH required)
return CURLE_OK;
}
- if(data->set.tls_ech & CURLECH_CLA_CFG
- && data->set.str[STRING_ECH_CONFIG]) {
+ if(data->set.tls_ech & CURLECH_CLA_CFG && data->set.str[STRING_ECH_CONFIG]) {
const char *b64 = data->set.str[STRING_ECH_CONFIG];
size_t decode_result;
if(!b64) {
goto cleanup;
}
cleanup:
+ /* if we base64 decoded, we can free now */
+ if(data->set.tls_ech & CURLECH_CLA_CFG && data->set.str[STRING_ECH_CONFIG]) {
+ free(ech_config);
+ }
if(dns) {
Curl_resolv_unlink(data, &dns);
}
goto out;
}
if(data->set.tls_ech == CURLECH_GREASE) {
- infof(data, "ECH: GREASE'd ECH not yet supported for wolfSSL");
- result = CURLE_SSL_CONNECT_ERROR;
- goto out;
+ infof(data, "ECH: GREASE is done by default by wolfSSL: no need to ask");
}
if(data->set.tls_ech & CURLECH_CLA_CFG
&& data->set.str[STRING_ECH_CONFIG]) {
test3100 test3101 test3102 test3103 test3104 test3105 \
\
test3200 test3201 test3202 test3203 test3204 test3205 test3207 test3208 \
-test3209 test3210 test3211 test3212 test3213
+test3209 test3210 test3211 test3212 test3213 \
+\
+test4000 test4001
EXTRA_DIST = $(TESTCASES) DISABLED
--- /dev/null
+<testcase>
+<info>
+<keywords>
+ECH GREASE
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 7
+
+MooMoo
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+ECH
+</features>
+<server>
+https
+</server>
+<name>
+HTTPS GET with ECH GREASE
+</name>
+# Using '-k' over '--insecure' to also test the short form
+# Add ECH grease
+<command>
+--ech grease -k https://%HOSTIP:%HTTPSPORT/%TESTNUMBER
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+GET /%TESTNUMBER HTTP/1.1\r
+Host: %HOSTIP:%HTTPSPORT\r
+User-Agent: curl/%VERSION\r
+Accept: */*\r
+\r
+</protocol>
+</verify>
+</testcase>
--- /dev/null
+<testcase>
+<info>
+<keywords>
+ECH try real and fail
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+ECH
+</features>
+<server>
+https
+</server>
+<name>
+Make real ECH attempt and fail with "ech required" error (101)
+</name>
+# Using '-k' over '--insecure' to also test the short form
+<command>
+--ech ecl:AEv+DQBHdAAgACCCU49qdxKOUXJPs3wlsM06v/t42sMH5xQOL37MAd3HaAAEAAEAAQAYb3RoZXJwdWJsaWMudGVzdC5kZWZvLmllAAA= -k https://%HOSTIP:%HTTPSPORT/%TESTNUMBER
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<errorcode>
+%if !wolfssl
+%if !rustls
+101
+%else
+35
+%endif
+%else
+35
+%endif
+</errorcode>
+</verify>
+</testcase>
# Thread-safe init
$feature{"threadsafe"} = $feat =~ /threadsafe/i;
$feature{"HTTPSRR"} = $feat =~ /HTTPSRR/;
+ $feature{"ECH"} = $feat =~ /ECH/;
}
#
# Test harness currently uses a non-stunnel server in order to
projects / thirdparty / curl.git / commitdiff
