ECH: update APIs to those agreed with OpenSSL maintainers
authorsftcd <stephen.farrell@cs.tcd.ie>
Wed, 8 Jan 2025 20:08:15 +0000 (20:08 +0000)
committerDaniel Stenberg <daniel@haxx.se>
Fri, 10 Jan 2025 07:36:25 +0000 (08:36 +0100)
Closes #15945

.mailmap
CMakeLists.txt
configure.ac
lib/curl_config.h.cmake
lib/vtls/openssl.c

index fe0fa5940ed356627fa2777c928c95d7d9437561..000268adf26ba9a8c65e1e79bfa209da3fae7f96 100644 (file)
--- a/.mailmap
+++ b/.mailmap
@@ -113,3 +113,4 @@ Moritz Buhl <git@moritzbuhl.de>
 Aki Sakurai <75532970+AkiSakurai@users.noreply.github.com>
 Sinkevich Artem <artsin666@gmail.com>
 Andrew Kirillov <akirillo@uk.ibm.com>
+Stephen Farrell <stephen.farrell@cs.tcd.ie>
index 680b39ef89c91a658e2a512e4c6d89569158d1dd..7e0b8d575a5e32c57bbbcedb3fbbe60ce9a6dc5d 100644 (file)
@@ -961,11 +961,10 @@ if(USE_ECH)
     if(HAVE_BORINGSSL OR HAVE_AWSLC)
       curl_openssl_check_symbol_exists("SSL_set1_ech_config_list" "openssl/ssl.h" HAVE_SSL_SET1_ECH_CONFIG_LIST)
     elseif(HAVE_OPENSSL)
-      curl_openssl_check_symbol_exists("SSL_ech_set1_echconfig" "openssl/ech.h" HAVE_SSL_ECH_SET1_ECHCONFIG)
+      curl_openssl_check_symbol_exists("SSL_set1_ech_config_list" "openssl/ech.h" HAVE_SSL_SET1_ECH_CONFIG_LIST)
     endif()
     if(HAVE_WOLFSSL_CTX_GENERATEECHCONFIG OR
-       HAVE_SSL_SET1_ECH_CONFIG_LIST OR
-       HAVE_SSL_ECH_SET1_ECHCONFIG)
+       HAVE_SSL_SET1_ECH_CONFIG_LIST)
       set(HAVE_ECH 1)
     endif()
     if(NOT HAVE_ECH)
index 8c05f70d95b77ab6aacc9d1ebb01740c7e397314..fdef527f91745cb45fd877a458cb28c51836d0e9 100644 (file)
@@ -4878,13 +4878,7 @@ if test "x$want_ech" != "xno"; then
   ECH_ENABLED=0
   ECH_SUPPORT=''
 
-  dnl check for OpenSSL
-  if test "x$OPENSSL_ENABLED" = "x1"; then
-    AC_CHECK_FUNCS(SSL_ech_set1_echconfig,
-      ECH_SUPPORT="ECH support available via OpenSSL with SSL_ech_set1_echconfig"
-      ECH_ENABLED=1)
-  fi
-  dnl check for BoringSSL equivalent
+  dnl check for OpenSSL equivalent
   if test "x$OPENSSL_ENABLED" = "x1"; then
     AC_CHECK_FUNCS(SSL_set1_ech_config_list,
       ECH_SUPPORT="ECH support available via BoringSSL with SSL_set1_ech_config_list"
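Review bot: The summary string on the last line of the hunk still says "ECH support available via BoringSSL with SSL_set1_ech_config_list", but after this change the same AC_CHECK_FUNCS branch is the one that detects OpenSSL's ECH API too (the dnl comment above it was reworded to "check for OpenSSL equivalent"), so the configure output will claim BoringSSL for an OpenSSL build. Suggest a neutral wording, `ECH_SUPPORT="ECH support available via OpenSSL/BoringSSL with SSL_set1_ech_config_list"`. The AC_CHECK_FUNCS call continues past the end of the hunk.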
index f21c74f494c0e5f81ca37fe364ffa2b5cdeb4951..778e0733704eb1c15e909c5364352e7949e52cb8 100644 (file)
@@ -850,6 +850,3 @@ ${SIZEOF_TIME_T_CODE}
 
 /* Define to 1 if you have the SSL_set1_ech_config_list function. */
 #cmakedefine HAVE_SSL_SET1_ECH_CONFIG_LIST
-
-/* Define to 1 if you have the SSL_ech_set1_echconfig function. */
-#cmakedefine HAVE_SSL_ECH_SET1_ECHCONFIG
index 40c3d956fe2ac92423c23260173835eeb597af5c..be77eeb353c0d31214c4b9538c06b224a5eacff5 100644 (file)
@@ -83,8 +83,7 @@
 #include <openssl/tls1.h>
 #include <openssl/evp.h>
 
-#if defined(HAVE_SSL_SET1_ECH_CONFIG_LIST) || \
-    defined(HAVE_SSL_ECH_SET1_ECHCONFIG)
+#if defined(HAVE_SSL_SET1_ECH_CONFIG_LIST)
 #define USE_ECH_OPENSSL
 #endif
 
@@ -4069,7 +4068,7 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
       }
       if(SSL_set1_ech_config_list(octx->ssl, ech_config,
                                   ech_config_len) != 1) {
-        infof(data, "ECH: SSL_ECH_set1_echconfig failed");
+        infof(data, "ECH: SSL_ECH_set1_ech_config_list failed");
         if(data->set.tls_ech & CURLECH_HARD) {
           free(ech_config);
           return CURLE_SSL_CONNECT_ERROR;
@@ -4084,8 +4083,9 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
         return CURLE_SSL_CONNECT_ERROR;
       }
       ech_config_len = strlen(data->set.str[STRING_ECH_CONFIG]);
-      if(SSL_ech_set1_echconfig(octx->ssl, ech_config, ech_config_len) != 1) {
-        infof(data, "ECH: SSL_ECH_set1_echconfig failed");
+      if(SSL_set1_ech_config_list(octx->ssl, ech_config,
+                                  ech_config_len) != 1) {
+        infof(data, "ECH: SSL_ECH_set1_ech_config_list failed");
         if(data->set.tls_ech & CURLECH_HARD)
           return CURLE_SSL_CONNECT_ERROR;
       }
@@ -4113,19 +4113,11 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
           size_t elen = rinfo->echconfiglist_len;
 
           infof(data, "ECH: ECHConfig from DoH HTTPS RR");
-# if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
-          if(SSL_ech_set1_echconfig(octx->ssl, ecl, elen) != 1) {
-            infof(data, "ECH: SSL_ECH_set1_echconfig failed");
-            if(data->set.tls_ech & CURLECH_HARD)
-              return CURLE_SSL_CONNECT_ERROR;
-          }
-# else
           if(SSL_set1_ech_config_list(octx->ssl, ecl, elen) != 1) {
-            infof(data, "ECH: SSL_set1_ech_config_list failed (BoringSSL)");
+            infof(data, "ECH: SSL_set1_ech_config_list failed");
             if(data->set.tls_ech & CURLECH_HARD)
               return CURLE_SSL_CONNECT_ERROR;
           }
-# endif
           else {
             trying_ech_now = 1;
             infof(data, "ECH: imported ECHConfigList of length %zu", elen);
@@ -4148,7 +4140,7 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
     if(trying_ech_now && outername) {
       infof(data, "ECH: inner: '%s', outer: '%s'",
             peer->hostname ? peer->hostname : "NULL", outername);
-      result = SSL_ech_set_server_names(octx->ssl,
+      result = SSL_ech_set1_server_names(octx->ssl,
                                         peer->hostname, outername,
                                         0 /* do send outer */);
       if(result != 1) {
@@ -4287,7 +4279,7 @@ static void ossl_trace_ech_retry_configs(struct Curl_easy *data, SSL* ssl,
   if(!ECH_ENABLED(data))
     return;
 # if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
-  rv = SSL_ech_get_retry_config(ssl, &rcs, &rcl);
+  rv = SSL_ech_get1_retry_config(ssl, &rcs, &rcl);
 # else
   SSL_get0_ech_retry_configs(ssl, &rcs, &rcl);
   rv = (int)rcl;
@@ -4302,7 +4294,7 @@ static void ossl_trace_ech_retry_configs(struct Curl_easy *data, SSL* ssl,
       infof(data, "ECH: retry_configs %s", b64str);
       free(b64str);
 #if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
-      rv = SSL_ech_get_status(ssl, &inner, &outer);
+      rv = SSL_ech_get1_status(ssl, &inner, &outer);
       infof(data, "ECH: retry_configs for %s from %s, %d %d",
             inner ? inner : "NULL", outer ? outer : "NULL", reason, rv);
 #else
@@ -4510,7 +4502,7 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf,
       const char *status = NULL;
       int rv;
 
-      rv = SSL_ech_get_status(octx->ssl, &inner, &outer);
+      rv = SSL_ech_get1_status(octx->ssl, &inner, &outer);
       switch(rv) {
       case SSL_ECH_STATUS_SUCCESS:
         status = "succeeded";
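Review bot: The two new log strings in the Curl_ossl_ctx_init hunks, `infof(data, "ECH: SSL_ECH_set1_ech_config_list failed");`, name a function that does not exist; the call on the preceding line is `SSL_set1_ech_config_list`, and the third hunk already uses the correct spelling `infof(data, "ECH: SSL_set1_ech_config_list failed");`, so the first two should match it. A grep for the logged name would otherwise lead anyone debugging an ECH failure to nothing. Separately, the OpenSSL-path renames to `SSL_ech_get1_retry_config` and `SSL_ech_get1_status` follow the OpenSSL "get1" convention, which normally means the caller owns the returned buffers, whereas the BoringSSL branch beside it uses a get0 accessor; the hunks do not show how `rcs`, `inner` and `outer` are released, so it is worth confirming the OpenSSL path frees them and the BoringSSL path does not. Curl_ossl_ctx_init, ossl_trace_ech_retry_configs and ossl_connect_step2 all start and end outside these hunks.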