tests: add basic ECH tests

Test 4000 and 4001 Closes #17192
2026-04-11 12:01:42 +08:00 · 2025-04-25 18:26:04 +01:00 · 2025-04-25 18:26:04 +01:00 · 460ead61b6
commit 460ead61b6
parent e2a23d5d0d
7 changed files with 124 additions and 6 deletions
--- a/docs/ECH.md
+++ b/docs/ECH.md
@ -476,3 +476,20 @@ and then reuse that in another invocation.

 Both our OpenSSL fork and BoringSSL/AWS-LC have APIs for both controlling GREASE
 and accessing and logging ``retry_configs``, it seems wolfSSL has neither.
+
+### Testing ECH
+
+We have yet to add a robust test setup for ECH as that requires an ECH-enabled
+test server.
+
+We have added two basic tests though, aiming to ensure that the client sends a
+GREASE or real ECH extension when requested, and reacts correctly to the
+failure of ECH in the latter case. (Given that `stunnel` has no ECH support.)
+
+As with other similar tests, those tests require the `stunnel` tool be
+installed. On Ubuntu `sudo apt install stunnel4` achieves that.
+
+The test cases are:
+
+- data/test4000: GREASE ECH, expected result: connection succeeds
+- data/test4001: real ECH, connection fails with error 101 (ECH required)
--- a/lib/vtls/rustls.c
+++ b/lib/vtls/rustls.c
@ -961,8 +961,7 @@ init_config_builder_ech(struct Curl_easy *data,
    return CURLE_OK;
  }

-  if(data->set.tls_ech & CURLECH_CLA_CFG
-       && data->set.str[STRING_ECH_CONFIG]) {
+  if(data->set.tls_ech & CURLECH_CLA_CFG && data->set.str[STRING_ECH_CONFIG]) {
    const char *b64 = data->set.str[STRING_ECH_CONFIG];
    size_t decode_result;
    if(!b64) {
@ -1008,6 +1007,10 @@ init_config_builder_ech(struct Curl_easy *data,
    goto cleanup;
  }
 cleanup:
+  /* if we base64 decoded, we can free now */
+  if(data->set.tls_ech & CURLECH_CLA_CFG && data->set.str[STRING_ECH_CONFIG]) {
+    free(ech_config);
+  }
  if(dns) {
    Curl_resolv_unlink(data, &dns);
  }
--- a/lib/vtls/wolfssl.c
+++ b/lib/vtls/wolfssl.c
@ -1352,9 +1352,7 @@ CURLcode Curl_wssl_ctx_init(struct wssl_ctx *wctx,
      goto out;
    }
    if(data->set.tls_ech == CURLECH_GREASE) {
-      infof(data, "ECH: GREASE'd ECH not yet supported for wolfSSL");
-      result = CURLE_SSL_CONNECT_ERROR;
-      goto out;
+      infof(data, "ECH: GREASE is done by default by wolfSSL: no need to ask");
    }
    if(data->set.tls_ech & CURLECH_CLA_CFG
       && data->set.str[STRING_ECH_CONFIG]) {
--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@ -276,6 +276,8 @@ test3032 \
 test3100 test3101 test3102 test3103 test3104 test3105 \
 \
 test3200 test3201 test3202 test3203 test3204 test3205 test3207 test3208 \
-test3209 test3210 test3211 test3212 test3213
+test3209 test3210 test3211 test3212 test3213 \
+\
+test4000 test4001

 EXTRA_DIST = $(TESTCASES) DISABLED
--- a/tests/data/test4000
+++ b/tests/data/test4000
@ -0,0 +1,51 @@
+<testcase>
+<info>
+<keywords>
+ECH GREASE
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 7
+
+MooMoo
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+ECH
+</features>
+<server>
+https
+</server>
+<name>
+HTTPS GET with ECH GREASE
+</name>
+# Using '-k' over '--insecure' to also test the short form
+# Add ECH grease
+<command>
+--ech grease -k https://%HOSTIP:%HTTPSPORT/%TESTNUMBER
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+GET /%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPSPORT
+User-Agent: curl/%VERSION
+Accept: */*
+
+</protocol>
+</verify>
+</testcase>
--- a/tests/data/test4001
+++ b/tests/data/test4001
@ -0,0 +1,46 @@
+<testcase>
+<info>
+<keywords>
+ECH try real and fail
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+ECH
+</features>
+<server>
+https
+</server>
+<name>
+Make real ECH attempt and fail with "ech required" error (101)
+</name>
+# Using '-k' over '--insecure' to also test the short form
+<command>
+--ech ecl:AEv+DQBHdAAgACCCU49qdxKOUXJPs3wlsM06v/t42sMH5xQOL37MAd3HaAAEAAEAAQAYb3RoZXJwdWJsaWMudGVzdC5kZWZvLmllAAA= -k https://%HOSTIP:%HTTPSPORT/%TESTNUMBER
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<errorcode>
+%if !wolfssl
+%if !rustls
+101
+%else
+35
+%endif
+%else
+35
+%endif
+</errorcode>
+</verify>
+</testcase>
--- a/tests/runtests.pl
+++ b/tests/runtests.pl
@ -716,6 +716,7 @@ sub checksystemfeatures {
            # Thread-safe init
            $feature{"threadsafe"} = $feat =~ /threadsafe/i;
            $feature{"HTTPSRR"} = $feat =~ /HTTPSRR/;
+            $feature{"ECH"} = $feat =~ /ECH/;
        }
        #
        # Test harness currently uses a non-stunnel server in order to