From 05270fa100a840f766ffd0cb72d9e69cbe5ad21d Mon Sep 17 00:00:00 2001
From: Rushil Mehra
Date: Wed, 12 Feb 2025 09:18:17 -0800
Subject: [PATCH] Expose SSL_set_enable_ech_grease

---
 boring/src/ssl/mod.rs | 11 +++++++++++
 boring/src/ssl/test/ech.rs | 12 ++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs
index 01f9c962..726bc339 100644
--- a/boring/src/ssl/mod.rs
+++ b/boring/src/ssl/mod.rs
@@ -3708,6 +3708,17 @@ impl SslRef {
 pub fn ech_accepted(&self) -> bool {
 unsafe { ffi::SSL_ech_accepted(self.as_ptr()) != 0 }
 }
+
+ // Whether or not to enable ECH grease on `SSL`.
+ #[cfg(not(feature = "fips"))]
+ #[corresponds(SSL_set_enable_ech_grease)]
+ pub fn set_enable_ech_grease(&self, enable: bool) {
+ let enable = if enable { 1 } else { 0 };
+
+ unsafe {
+ ffi::SSL_set_enable_ech_grease(self.as_ptr(), enable);
+ }
+ }
 }
 
 /// An SSL stream midway through the handshake process.
diff --git a/boring/src/ssl/test/ech.rs b/boring/src/ssl/test/ech.rs
index 54926524..c94a842d 100644
--- a/boring/src/ssl/test/ech.rs
+++ b/boring/src/ssl/test/ech.rs
@@ -58,3 +58,15 @@ fn ech_rejection() {
 assert!(failed_ssl_stream.ssl().get_ech_retry_configs().is_some());
 assert!(!failed_ssl_stream.ssl().ech_accepted())
 }
+
+#[test]
+fn ech_grease() {
+ let server = Server::builder().build();
+
+ let mut client = server.client_with_root_ca().build().builder();
+ // Verified with a pcap locally that the ECH extension gets sent due to GREASE
+ client.ssl().set_enable_ech_grease(true);
+
+ let ssl_stream = client.connect();
+ assert!(!ssl_stream.ssl().ech_accepted())
+}
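Review bot: `set_enable_ech_grease` takes `&self` yet writes connection state through `self.as_ptr()`, so safe code holding only a shared `&SslRef` can change the handshake configuration; if `SslRef` is `Sync` (not visible in this hunk), concurrent calls would race inside the FFI call with nothing in the signature to prevent it. I would change the receiver to `pub fn set_enable_ech_grease(&mut self, enable: bool) {`; the new test already binds `client` as `mut`, though whether `client.ssl()` hands out `&mut SslRef` is not shown here. The leading `//` comment should be `///` so rustdoc picks it up, and it is worth one more sentence saying that GREASE only sends a placeholder ECH extension when no usable ECH config is set, so `ech_accepted()` stays false. The rest of `impl SslRef` lies outside the hunk, so the receiver convention of the sibling setters cannot be compared from here.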
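Review bot: The only assertion in `ech_grease`, `assert!(!ssl_stream.ssl().ech_accepted())`, would pass unchanged if the `set_enable_ech_grease(true)` call were deleted, so the test cannot catch a regression in the new setter; the inline comment confirms the effect was only checked by hand with a pcap. If the test harness can expose the received ClientHello (not visible in this hunk), assert there that the ECH extension is present. Otherwise state the limitation in place of the pcap remark, e.g. `// Smoke test only: GREASE is not observable through this API; this checks the handshake still completes with it enabled.`. `ech_grease` itself is fully contained in the hunk; the context lines above it belong to `ech_rejection`, which starts outside.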