Expose SSL_set_enable_ech_grease

cloudflare · Feb 13, 2025 · 05270fa · 05270fa
1 parent 24003a0
commit 05270fa
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 0 deletions.
diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs
@@ -3708,6 +3708,17 @@ impl SslRef {
     pub fn ech_accepted(&self) -> bool {
         unsafe { ffi::SSL_ech_accepted(self.as_ptr()) != 0 }
     }
+
+    // Whether or not to enable ECH grease on `SSL`.
+    #[cfg(not(feature = "fips"))]
+    #[corresponds(SSL_set_enable_ech_grease)]
+    pub fn set_enable_ech_grease(&self, enable: bool) {
+        let enable = if enable { 1 } else { 0 };
+
+        unsafe {
+            ffi::SSL_set_enable_ech_grease(self.as_ptr(), enable);
+        }
+    }
 }
 
 /// An SSL stream midway through the handshake process.

diff --git a/boring/src/ssl/test/ech.rs b/boring/src/ssl/test/ech.rs
@@ -58,3 +58,15 @@ fn ech_rejection() {
     assert!(failed_ssl_stream.ssl().get_ech_retry_configs().is_some());
     assert!(!failed_ssl_stream.ssl().ech_accepted())
 }
+
+#[test]
+fn ech_grease() {
+    let server = Server::builder().build();
+
+    let mut client = server.client_with_root_ca().build().builder();
+    // Verified with a pcap locally that the ECH extension gets sent due to GREASE
+    client.ssl().set_enable_ech_grease(true);
+
+    let ssl_stream = client.connect();
+    assert!(!ssl_stream.ssl().ech_accepted())
+}