change ECH testing macro to WOLFSSL_TEST_ECH

allow ECH cert verify to be disabled
add WOLFSSL_TEST_ECH to ech interop test

Author: sebastian-carpenter

.github/workflows/openssl-ech.yml

@@ -24,7 +24,9 @@ jobs:
         with:
           path: wolfssl
           configure: >-
-            --enable-ech --enable-sha512 --enable-aes CFLAGS='-DUSE_FLAT_TEST_H'
+            --enable-ech --enable-sha512 --enable-aes
+            CFLAGS='-DUSE_FLAT_TEST_H -DWOLFSSL_TEST_ECH'
+          check: true
           install: true
 
       - name: tar build-dir

src/internal.c

@@ -16866,9 +16866,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                 }
             #endif
 
-                if ((!ssl->options.verifyNone ||
-                        domainName != (char*)ssl->buffers.domainName.buffer) &&
-                        domainName) {
+                if (!ssl->options.verifyNone && domainName) {
                 #ifndef WOLFSSL_ALLOW_NO_CN_IN_SAN
                     /* Per RFC 5280 section 4.2.1.6, "Whenever such identities
                      * are to be bound into a certificate, the subject

src/tls13.c

@@ -4960,7 +4960,7 @@ int SendTls13ClientHello(WOLFSSL* ssl)
     /* encrypt and pack the ech innerClientHello */
     if (ssl->echConfigs != NULL && !ssl->options.disableECH &&
         (ssl->options.echAccepted || args->ech->innerCount == 0)) {
-#if defined(WOLFSSL_TEST)
+#if defined(WOLFSSL_TEST_ECH)
         if (ssl->echInnerHelloCb != NULL) {
             ret = ssl->echInnerHelloCb(args->ech->innerClientHello,
                 args->ech->innerClientHelloLen - args->ech->hpke->Nt);

tests/api.c

@@ -15208,8 +15208,9 @@ static int test_wolfSSL_Tls13_ECH_enable_disable(void)
     return EXPECT_RESULT();
 }
 
-#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) && defined(WOLFSSL_TEST) && \
-    defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && !defined(WOLFSSL_NO_TLS12)
+#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) && \
+    defined(WOLFSSL_TEST_ECH) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \
+    !defined(WOLFSSL_NO_TLS12)
 static int ech_tamper_seek_extension(byte* innerCh, word16* innerExtLen)
 {
     word16 idx;
@@ -15458,7 +15459,7 @@ static int test_wolfSSL_Tls13_ECH_tamper_client(void)
     test_ssl_memio_cleanup(&test_ctx);
     return EXPECT_RESULT();
 }
-#endif /* WOLFSSL_TLS13 && HAVE_ECH && WOLFSSL_TEST &&
+#endif /* WOLFSSL_TLS13 && HAVE_ECH && WOLFSSL_TEST_ECH &&
         * HAVE_SSL_MEMIO_TESTS_DEPENDENCIES && !WOLFSSL_NO_TLS12 */
 
 #endif /* HAVE_ECH && WOLFSSL_TLS13 */
@@ -35733,7 +35734,7 @@ TEST_CASE testCases[] = {
     TEST_DECL(test_wolfSSL_Tls13_ECH_rejected_cert_valid),
     TEST_DECL(test_wolfSSL_Tls13_ECH_rejected_empty_client_cert),
 #endif
-#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && defined(WOLFSSL_TEST) && \
+#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && defined(WOLFSSL_TEST_ECH) && \
     !defined(WOLFSSL_NO_TLS12)
     TEST_DECL(test_wolfSSL_Tls13_ECH_tamper_client),
 #endif

wolfssl/internal.h

@@ -6483,9 +6483,9 @@ struct WOLFSSL {
 #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
     WOLFSSL_EchConfig* echConfigs;
 #endif
-#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) && defined(WOLFSSL_TEST)
+#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) && defined(WOLFSSL_TEST_ECH)
     /* Test-only hook: called on the client before ECH encryption, after the
-     * inner ClientHello body is fully constructed.  The callback may modify
+     * inner ClientHello body is fully constructed. The callback may modify
      * innerCh in-place (length stays the same). */
     int (*echInnerHelloCb)(byte* innerCh, word32 innerChLen);
 #endif