From 1ae47b91a3458d2fffb7c537277353300d2a1bc7 Mon Sep 17 00:00:00 2001 From: sftcd Date: Wed, 8 Jan 2025 20:08:15 +0000 Subject: [PATCH] ECH: update APIs to those agreed with OpenSSL maintainers Closes #15945 --- .mailmap | 1 + CMakeLists.txt | 5 ++--- configure.ac | 8 +------- lib/curl_config.h.cmake | 3 --- lib/vtls/openssl.c | 28 ++++++++++------------------ 5 files changed, 14 insertions(+), 31 deletions(-) diff --git a/.mailmap b/.mailmap index fe0fa5940ed3..000268adf26b 100644 --- a/.mailmap +++ b/.mailmap @@ -113,3 +113,4 @@ Moritz Buhl Aki Sakurai <75532970+AkiSakurai@users.noreply.github.com> Sinkevich Artem Andrew Kirillov +Stephen Farrell diff --git a/CMakeLists.txt b/CMakeLists.txt index 680b39ef89c9..7e0b8d575a5e 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -961,11 +961,10 @@ if(USE_ECH) if(HAVE_BORINGSSL OR HAVE_AWSLC) curl_openssl_check_symbol_exists("SSL_set1_ech_config_list" "openssl/ssl.h" HAVE_SSL_SET1_ECH_CONFIG_LIST) elseif(HAVE_OPENSSL) - curl_openssl_check_symbol_exists("SSL_ech_set1_echconfig" "openssl/ech.h" HAVE_SSL_ECH_SET1_ECHCONFIG) + curl_openssl_check_symbol_exists("SSL_set1_ech_config_list" "openssl/ech.h" HAVE_SSL_SET1_ECH_CONFIG_LIST) endif() if(HAVE_WOLFSSL_CTX_GENERATEECHCONFIG OR - HAVE_SSL_SET1_ECH_CONFIG_LIST OR - HAVE_SSL_ECH_SET1_ECHCONFIG) + HAVE_SSL_SET1_ECH_CONFIG_LIST) set(HAVE_ECH 1) endif() if(NOT HAVE_ECH) diff --git a/configure.ac b/configure.ac index 8c05f70d95b7..fdef527f9174 100644 --- a/configure.ac +++ b/configure.ac 
@@ -4878,13 +4878,7 @@ if test "x$want_ech" != "xno"; then ECH_ENABLED=0 ECH_SUPPORT='' - dnl check for OpenSSL - if test "x$OPENSSL_ENABLED" = "x1"; then - AC_CHECK_FUNCS(SSL_ech_set1_echconfig, - ECH_SUPPORT="ECH support available via OpenSSL with SSL_ech_set1_echconfig" - ECH_ENABLED=1) - fi - dnl check for BoringSSL equivalent + dnl check for OpenSSL equivalent if test "x$OPENSSL_ENABLED" = "x1"; then AC_CHECK_FUNCS(SSL_set1_ech_config_list, ECH_SUPPORT="ECH support available via BoringSSL with SSL_set1_ech_config_list" diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake index f21c74f494c0..778e0733704e 100644 --- a/lib/curl_config.h.cmake +++ b/lib/curl_config.h.cmake @@ -850,6 +850,3 @@ ${SIZEOF_TIME_T_CODE} /* Define to 1 if you have the SSL_set1_ech_config_list function. */ #cmakedefine HAVE_SSL_SET1_ECH_CONFIG_LIST - -/* Define to 1 if you have the SSL_ech_set1_echconfig function. */ -#cmakedefine HAVE_SSL_ECH_SET1_ECHCONFIG diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 40c3d956fe2a..be77eeb353c0 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -83,8 +83,7 @@ #include #include -#if defined(HAVE_SSL_SET1_ECH_CONFIG_LIST) || \ - defined(HAVE_SSL_ECH_SET1_ECHCONFIG) +#if defined(HAVE_SSL_SET1_ECH_CONFIG_LIST) #define USE_ECH_OPENSSL #endif @@ -4069,7 +4068,7 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx, } if(SSL_set1_ech_config_list(octx->ssl, ech_config, ech_config_len) != 1) { - infof(data, "ECH: SSL_ECH_set1_echconfig failed"); + infof(data, "ECH: SSL_ECH_set1_ech_config_list failed"); if(data->set.tls_ech & CURLECH_HARD) { free(ech_config); return CURLE_SSL_CONNECT_ERROR; 
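Review bot: The ECH_SUPPORT string in the branch this hunk keeps still says `ECH support available via BoringSSL with SSL_set1_ech_config_list`, but after the deletion above it the same AC_CHECK_FUNCS probe is the OpenSSL path too (the dnl comment was even reworded to "check for OpenSSL equivalent"), so the configure summary will misname the backend on OpenSSL builds. I would write `ECH_SUPPORT="ECH support available via OpenSSL/BoringSSL/AWS-LC with SSL_set1_ech_config_list"` or drop the library name altogether. As rendered here the hunk ends on the ECH_SUPPORT line although the header promises seven new lines, so the closing `ECH_ENABLED=1)` is not visible; presumably an extraction artifact, but confirm the branch still sets ECH_ENABLED=1, otherwise the summary would advertise support the build does not enable.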
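Review bot: The failure message in this hunk names a function that does not exist, `infof(data, "ECH: SSL_ECH_set1_ech_config_list failed");`, while the call it reports on is `SSL_set1_ech_config_list`; the DoH hunk further down in this same file already logs it correctly as `"ECH: SSL_set1_ech_config_list failed"`. Use that string here so a grep for the real API name finds every failure path. Because a failed import without CURLECH_HARD silently continues with a connection that does not use ECH, it would also help to log the OpenSSL error reason alongside the message if openssl/err.h is already available in this file, so the downgrade is diagnosable from verbose output. Curl_ossl_ctx_init starts and ends outside this hunk.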
@@ -4084,8 +4083,9 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx, return CURLE_SSL_CONNECT_ERROR; } ech_config_len = strlen(data->set.str[STRING_ECH_CONFIG]); - if(SSL_ech_set1_echconfig(octx->ssl, ech_config, ech_config_len) != 1) { - infof(data, "ECH: SSL_ECH_set1_echconfig failed"); + if(SSL_set1_ech_config_list(octx->ssl, ech_config, + ech_config_len) != 1) { + infof(data, "ECH: SSL_ECH_set1_ech_config_list failed"); if(data->set.tls_ech & CURLECH_HARD) return CURLE_SSL_CONNECT_ERROR; } @@ -4113,19 +4113,11 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx, size_t elen = rinfo->echconfiglist_len; infof(data, "ECH: ECHConfig from DoH HTTPS RR"); -# if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) - if(SSL_ech_set1_echconfig(octx->ssl, ecl, elen) != 1) { - infof(data, "ECH: SSL_ECH_set1_echconfig failed"); - if(data->set.tls_ech & CURLECH_HARD) - return CURLE_SSL_CONNECT_ERROR; - } -# else if(SSL_set1_ech_config_list(octx->ssl, ecl, elen) != 1) { - infof(data, "ECH: SSL_set1_ech_config_list failed (BoringSSL)"); + infof(data, "ECH: SSL_set1_ech_config_list failed"); if(data->set.tls_ech & CURLECH_HARD) return CURLE_SSL_CONNECT_ERROR; } -# endif else { trying_ech_now = 1; infof(data, "ECH: imported ECHConfigList of length %zu", elen); @@ -4148,7 +4140,7 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx, if(trying_ech_now && outername) { infof(data, "ECH: inner: '%s', outer: '%s'", peer->hostname ? peer->hostname : "NULL", outername); - result = SSL_ech_set_server_names(octx->ssl, + result = SSL_ech_set1_server_names(octx->ssl, peer->hostname, outername, 0 /* do send outer */); if(result != 1) { 
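Review bot: Same wrong function name in the log string as the previous hunk: `infof(data, "ECH: SSL_ECH_set1_ech_config_list failed");` should read `"ECH: SSL_set1_ech_config_list failed"` to match the call it describes and the message used in the DoH path below. In this branch the length passed is `strlen(data->set.str[STRING_ECH_CONFIG])` while the pointer passed is ech_config; whether ech_config aliases that string or a decoded buffer is decided before the hunk, so confirm the two still agree now that the OpenSSL and BoringSSL paths share one call that may differ in whether it expects the base64 text or raw bytes. Curl_ossl_ctx_init starts and ends outside this hunk.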
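Review bot: `SSL_ech_set1_server_names` is handed `peer->hostname` unguarded even though the infof() just above it explicitly substitutes "NULL" for a missing hostname, so a NULL inner name can reach the new API. Unless the agreed API documents NULL as "no inner name", I would guard the call, e.g. `if(trying_ech_now && outername && peer->hostname) {`, or return CURLE_SSL_CONNECT_ERROR when CURLECH_HARD is set rather than rely on the library rejecting it. The set1 suffix suggests the library copies both names, which is worth a short comment on the call since the old SSL_ech_set_server_names gave no ownership hint. The handling of result != 1 continues outside the hunk.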
@@ -4287,7 +4279,7 @@ static void ossl_trace_ech_retry_configs(struct Curl_easy *data, SSL* ssl, if(!ECH_ENABLED(data)) return; # if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) - rv = SSL_ech_get_retry_config(ssl, &rcs, &rcl); + rv = SSL_ech_get1_retry_config(ssl, &rcs, &rcl); # else SSL_get0_ech_retry_configs(ssl, &rcs, &rcl); rv = (int)rcl; @@ -4302,7 +4294,7 @@ static void ossl_trace_ech_retry_configs(struct Curl_easy *data, SSL* ssl, infof(data, "ECH: retry_configs %s", b64str); free(b64str); #if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) - rv = SSL_ech_get_status(ssl, &inner, &outer); + rv = SSL_ech_get1_status(ssl, &inner, &outer); infof(data, "ECH: retry_configs for %s from %s, %d %d", inner ? inner : "NULL", outer ? outer : "NULL", reason, rv); #else @@ -4510,7 +4502,7 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf, const char *status = NULL; int rv; - rv = SSL_ech_get_status(octx->ssl, &inner, &outer); + rv = SSL_ech_get1_status(octx->ssl, &inner, &outer); switch(rv) { case SSL_ECH_STATUS_SUCCESS: status = "succeeded";
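Review bot: The rename to `SSL_ech_get1_retry_config` changes ownership under OpenSSL's get0/get1 naming convention: a get1 accessor hands back an allocated copy the caller must release, whereas the `SSL_get0_ech_retry_configs` used in the #else branch keeps ownership with the SSL object. Nothing visible in this hunk frees rcs on the OpenSSL side (only b64str is freed later), so unless it happens past the hunk this trace helper now leaks one retry-config buffer per invocation. Add an `OPENSSL_free(rcs);` on the OpenSSL-only path once the base64 copy has been made, leaving rcs untouched in the BoringSSL/AWS-LC branch. ossl_trace_ech_retry_configs continues outside the hunk.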
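Review bot: `rv = SSL_ech_get1_status(ssl, &inner, &outer);` has the same ownership change as the retry-config call: with a get1 accessor, inner and outer are presumably allocated copies, and the hunk only reads them in the infof() with no release in sight. If that holds for the agreed API, add `OPENSSL_free(inner); OPENSSL_free(outer);` after the infof() inside the same #if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) block, since the BoringSSL branch does not produce them. The enclosing function continues outside the hunk.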
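Review bot: The same get1 ownership question applies to `rv = SSL_ech_get1_status(octx->ssl, &inner, &outer);` in ossl_connect_step2: inner and outer are consumed by the switch that follows, so the release has to come after the switch and on every exit path of the function, which is easy to miss when a case returns early. I would add a short comment on this line stating who frees inner/outer under the new API so the contract is visible next to the call, and confirm that the existing callers release both strings before the function returns. Whether this call is guarded for BoringSSL/AWS-LC, and the rest of the switch, are outside the hunk.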