Expose SSL_set_enable_ech_grease

2025-02-12 09:18:17 -08:00 · 2025-02-12 09:18:17 -08:00 · 05270fa100
parent 24003a04e8
commit 05270fa100
2 changed files with 23 additions and 0 deletions
--- a/boring/src/ssl/mod.rs
+++ b/boring/src/ssl/mod.rs
@ -3708,6 +3708,17 @@ impl SslRef {
    pub fn ech_accepted(&self) -> bool {
        unsafe { ffi::SSL_ech_accepted(self.as_ptr()) != 0 }
    }
+
+    // Whether or not to enable ECH grease on `SSL`.
+    #[cfg(not(feature = "fips"))]
+    #[corresponds(SSL_set_enable_ech_grease)]
+    pub fn set_enable_ech_grease(&self, enable: bool) {
+        let enable = if enable { 1 } else { 0 };
+
+        unsafe {
+            ffi::SSL_set_enable_ech_grease(self.as_ptr(), enable);
+        }
+    }
 }

 /// An SSL stream midway through the handshake process.
--- a/boring/src/ssl/test/ech.rs
+++ b/boring/src/ssl/test/ech.rs
@ -58,3 +58,15 @@ fn ech_rejection() {
    assert!(failed_ssl_stream.ssl().get_ech_retry_configs().is_some());
    assert!(!failed_ssl_stream.ssl().ech_accepted())
 }
+
+#[test]
+fn ech_grease() {
+    let server = Server::builder().build();
+
+    let mut client = server.client_with_root_ca().build().builder();
+    // Verified with a pcap locally that the ECH extension gets sent due to GREASE
+    client.ssl().set_enable_ech_grease(true);
+
+    let ssl_stream = client.connect();
+    assert!(!ssl_stream.ssl().ech_accepted())
+}