Skip to content

Commit 335714d

Browse files
API to get ECH connection status
1 parent e349c68 commit 335714d

4 files changed

Lines changed: 153 additions & 33 deletions

File tree

src/ssl_ech.c

Lines changed: 56 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -498,6 +498,62 @@ void wolfSSL_SetEchEnableTrialDecrypt(WOLFSSL* ssl, byte enable)
498498
ssl->options.enableEchTrialDecrypt = (enable != 0);
499499
}
500500

501+
/* Return the status of the ECH connection. Possible return values:
502+
* WOLFSSL_ECH_STATUS_NOT_OFFERED:
503+
* server - client did not send ECH or it is not setup
504+
* client - ECH is not setup
505+
* pending - connection has not been initiated
506+
*
507+
* WOLFSSL_ECH_STATUS_GREASE:
508+
* client - GREASE ECH extension sent
509+
*
510+
* WOLFSSL_ECH_STATUS_REJECTED:
511+
* server - ECH was not accepted (decryption of inner ClientHello failed)
512+
* client - ECH was offered but the server rejected it
513+
*
514+
* In both cases the connection fell back to the outer transcript.
515+
*
516+
* WOLFSSL_ECH_STATUS_ACCEPTED:
517+
* Decryption of the inner ClientHello was successful and the inner
518+
* transcript was used.
519+
*
520+
* Returns BAD_FUNC_ARG if ssl is NULL. */
521+
int wolfSSL_GetEchStatus(const WOLFSSL* ssl)
522+
{
523+
if (ssl == NULL)
524+
return BAD_FUNC_ARG;
525+
526+
if (ssl->options.disableECH)
527+
return WOLFSSL_ECH_STATUS_NOT_OFFERED;
528+
if (ssl->options.echAccepted)
529+
return WOLFSSL_ECH_STATUS_ACCEPTED;
530+
531+
if (ssl->options.side == WOLFSSL_SERVER_END) {
532+
TLSX* echX = TLSX_Find(ssl->extensions, TLSX_ECH);
533+
WOLFSSL_ECH* ech;
534+
535+
if (echX == NULL || echX->data == NULL)
536+
return WOLFSSL_ECH_STATUS_NOT_OFFERED;
537+
538+
/* state stays at ECH_WRITE_NONE and innerClientHello stays NULL when
539+
* the client did not send an ECH extension */
540+
ech = (WOLFSSL_ECH*)echX->data;
541+
if (ech->state == ECH_WRITE_NONE && ech->innerClientHello == NULL)
542+
return WOLFSSL_ECH_STATUS_NOT_OFFERED;
543+
544+
return WOLFSSL_ECH_STATUS_REJECTED;
545+
}
546+
547+
/* client */
548+
if (ssl->options.connectState < CLIENT_HELLO_SENT)
549+
return WOLFSSL_ECH_STATUS_NOT_OFFERED;
550+
551+
if (ssl->echConfigs == NULL)
552+
return WOLFSSL_ECH_STATUS_GREASE;
553+
554+
return WOLFSSL_ECH_STATUS_REJECTED;
555+
}
556+
501557
/* Walk the ECHConfigExtension list and check for mandatory extensions.
502558
* Returns:
503559
* 0 if all extensions are known/optional,

src/tls.c

Lines changed: 3 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -14551,20 +14551,15 @@ static int TLSX_ECH_Parse(WOLFSSL* ssl, const byte* readBuf, word16 size,
1455114551
}
1455214552
}
1455314553
else {
14554+
WOLFSSL_MSG("ECH accepted");
14555+
ssl->options.echAccepted = 1;
14556+
1455414557
ret = TLSX_ECH_CheckInnerPadding(ssl, ech);
1455514558
if (ret == 0) {
1455614559
/* expand EchOuterExtensions if present.
1455714560
* Also, if it exists, copy sessionID from outer hello */
1455814561
ret = TLSX_ECH_ExpandOuterExtensions(ssl, ech, ssl->heap);
1455914562
}
14560-
14561-
if (ret == 0){
14562-
WOLFSSL_MSG("ECH accepted");
14563-
ssl->options.echAccepted = 1;
14564-
}
14565-
else {
14566-
WOLFSSL_MSG("ECH rejected");
14567-
}
1456814563
}
1456914564
if (ret != 0) {
1457014565
XFREE(ech->innerClientHello, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);

tests/api.c

Lines changed: 88 additions & 25 deletions
Original file line numberDiff line numberDiff line change
@@ -14976,7 +14976,7 @@ static int test_wolfSSL_ECH_conn_ex(method_provider serverMeth,
1497614976
/* connect like normal */
1497714977
ExpectIntEQ(wolfSSL_set_fd(ssl, sockfd), WOLFSSL_SUCCESS);
1497814978
ExpectIntEQ(wolfSSL_connect(ssl), WOLFSSL_SUCCESS);
14979-
ExpectIntEQ(ssl->options.echAccepted, 1);
14979+
ExpectIntEQ(wolfSSL_GetEchStatus(ssl), WOLFSSL_ECH_STATUS_ACCEPTED);
1498014980
ExpectIntEQ(wolfSSL_write(ssl, privateName, privateNameLen),
1498114981
privateNameLen);
1498214982
ExpectIntGT((replyLen = wolfSSL_read(ssl, reply, sizeof(reply))), 0);
@@ -15137,7 +15137,10 @@ static int test_wolfSSL_Tls13_ECH_all_algos_ex(void)
1513715137
ExpectIntEQ(test_ssl_memio_setup(&test_ctx), TEST_SUCCESS);
1513815138

1513915139
ExpectIntEQ(test_ssl_memio_do_handshake(&test_ctx, 10, NULL), TEST_SUCCESS);
15140-
ExpectIntEQ(test_ctx.c_ssl->options.echAccepted, 1);
15140+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.c_ssl),
15141+
WOLFSSL_ECH_STATUS_ACCEPTED);
15142+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.s_ssl),
15143+
WOLFSSL_ECH_STATUS_ACCEPTED);
1514115144

1514215145
if (echCbTestKemID != 0 && echCbTestKdfID != 0 && echCbTestAeadID != 0) {
1514315146
TLSX* echX = TLSX_Find(test_ctx.c_ssl->extensions, TLSX_ECH);
@@ -15250,7 +15253,10 @@ static int test_wolfSSL_Tls13_ECH_no_private_name(void)
1525015253
ExpectIntEQ(test_ssl_memio_setup(&test_ctx), TEST_SUCCESS);
1525115254

1525215255
ExpectIntEQ(test_ssl_memio_do_handshake(&test_ctx, 10, NULL), TEST_SUCCESS);
15253-
ExpectIntEQ(test_ctx.c_ssl->options.echAccepted, 1);
15256+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.c_ssl),
15257+
WOLFSSL_ECH_STATUS_ACCEPTED);
15258+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.s_ssl),
15259+
WOLFSSL_ECH_STATUS_ACCEPTED);
1525415260

1525515261
test_ssl_memio_cleanup(&test_ctx);
1525615262

@@ -15270,7 +15276,10 @@ static int test_wolfSSL_Tls13_ECH_no_private_name(void)
1527015276
echCbTestConfigsLen), WOLFSSL_SUCCESS);
1527115277

1527215278
ExpectIntNE(test_ssl_memio_do_handshake(&test_ctx, 10, NULL), TEST_SUCCESS);
15273-
ExpectIntEQ(test_ctx.c_ssl->options.echAccepted, 0);
15279+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.c_ssl),
15280+
WOLFSSL_ECH_STATUS_NOT_OFFERED);
15281+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.s_ssl),
15282+
WOLFSSL_ECH_STATUS_NOT_OFFERED);
1527415283

1527515284
test_ssl_memio_cleanup(&test_ctx);
1527615285

@@ -15289,7 +15298,10 @@ static int test_wolfSSL_Tls13_ECH_no_private_name(void)
1528915298
echCbTestConfigsLen), WOLFSSL_SUCCESS);
1529015299

1529115300
ExpectIntNE(test_ssl_memio_do_handshake(&test_ctx, 10, NULL), TEST_SUCCESS);
15292-
ExpectIntEQ(test_ctx.c_ssl->options.echAccepted, 0);
15301+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.c_ssl),
15302+
WOLFSSL_ECH_STATUS_NOT_OFFERED);
15303+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.s_ssl),
15304+
WOLFSSL_ECH_STATUS_NOT_OFFERED);
1529315305

1529415306
test_ssl_memio_cleanup(&test_ctx);
1529515307

@@ -15348,7 +15360,10 @@ static int test_wolfSSL_Tls13_ECH_bad_configs_ex(int hrr, int sniCb)
1534815360
}
1534915361

1535015362
ExpectIntNE(test_ssl_memio_do_handshake(&test_ctx, 10, NULL), TEST_SUCCESS);
15351-
ExpectIntEQ(test_ctx.c_ssl->options.echAccepted, 0);
15363+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.c_ssl),
15364+
WOLFSSL_ECH_STATUS_REJECTED);
15365+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.s_ssl),
15366+
WOLFSSL_ECH_STATUS_REJECTED);
1535215367

1535315368
test_ssl_memio_cleanup(&test_ctx);
1535415369

@@ -15384,7 +15399,12 @@ static int test_wolfSSL_Tls13_ECH_bad_configs_ex(int hrr, int sniCb)
1538415399
}
1538515400

1538615401
ExpectIntNE(test_ssl_memio_do_handshake(&test_ctx, 10, NULL), TEST_SUCCESS);
15387-
ExpectIntEQ(test_ctx.c_ssl->options.echAccepted, 0);
15402+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.c_ssl),
15403+
WOLFSSL_ECH_STATUS_REJECTED);
15404+
/* server decrypts inner successfully but rejects SNI, thus the client does
15405+
* not receive the acceptance signal */
15406+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.s_ssl),
15407+
WOLFSSL_ECH_STATUS_ACCEPTED);
1538815408

1538915409
test_ssl_memio_cleanup(&test_ctx);
1539015410

@@ -15445,7 +15465,10 @@ static int test_wolfSSL_Tls13_ECH_retry_configs_ex(int hrr)
1544515465

1544615466
/* ECH must fail and retry configs must be present */
1544715467
ExpectIntNE(test_ssl_memio_do_handshake(&test_ctx, 10, NULL), TEST_SUCCESS);
15448-
ExpectIntEQ(test_ctx.c_ssl->options.echAccepted, 0);
15468+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.c_ssl),
15469+
WOLFSSL_ECH_STATUS_REJECTED);
15470+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.s_ssl),
15471+
WOLFSSL_ECH_STATUS_REJECTED);
1544915472
ExpectIntEQ(wolfSSL_get_error(test_ctx.c_ssl, 0),
1545015473
WC_NO_ERR_TRACE(ECH_REQUIRED_E));
1545115474

@@ -15483,7 +15506,10 @@ static int test_wolfSSL_Tls13_ECH_retry_configs_ex(int hrr)
1548315506

1548415507
ExpectIntEQ(test_ssl_memio_do_handshake(&test_ctx, 10, NULL),
1548515508
TEST_SUCCESS);
15486-
ExpectIntEQ(test_ctx.c_ssl->options.echAccepted, 1);
15509+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.c_ssl),
15510+
WOLFSSL_ECH_STATUS_ACCEPTED);
15511+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.s_ssl),
15512+
WOLFSSL_ECH_STATUS_ACCEPTED);
1548715513

1548815514
wolfSSL_CTX_free(test_ctx.s_ctx);
1548915515
test_ctx.s_ctx = NULL;
@@ -15605,7 +15631,10 @@ static int test_wolfSSL_Tls13_ECH_retry_configs_bad(void)
1560515631
/* bad retry configs are discarded - failure must be ECH_REQUIRED_E,
1560615632
* not a retry-config parse error */
1560715633
ExpectIntNE(test_ssl_memio_do_handshake(&test_ctx, 10, NULL), TEST_SUCCESS);
15608-
ExpectIntEQ(test_ctx.c_ssl->options.echAccepted, 0);
15634+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.c_ssl),
15635+
WOLFSSL_ECH_STATUS_REJECTED);
15636+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.s_ssl),
15637+
WOLFSSL_ECH_STATUS_REJECTED);
1560915638
ExpectIntEQ(wolfSSL_get_error(test_ctx.c_ssl, 0),
1561015639
WC_NO_ERR_TRACE(ECH_REQUIRED_E));
1561115640

@@ -15690,7 +15719,10 @@ static int test_wolfSSL_Tls13_ECH_new_config(void)
1569015719
WOLFSSL_SUCCESS);
1569115720

1569215721
ExpectIntEQ(test_ssl_memio_do_handshake(&test_ctx, 10, NULL), TEST_SUCCESS);
15693-
ExpectIntEQ(test_ctx.c_ssl->options.echAccepted, 1);
15722+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.c_ssl),
15723+
WOLFSSL_ECH_STATUS_ACCEPTED);
15724+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.s_ssl),
15725+
WOLFSSL_ECH_STATUS_ACCEPTED);
1569415726

1569515727
test_ssl_memio_cleanup(&test_ctx);
1569615728

@@ -15736,7 +15768,10 @@ static int test_wolfSSL_Tls13_ECH_trial_decrypt(void)
1573615768
}
1573715769

1573815770
ExpectIntNE(test_ssl_memio_do_handshake(&test_ctx, 10, NULL), TEST_SUCCESS);
15739-
ExpectIntEQ(test_ctx.c_ssl->options.echAccepted, 0);
15771+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.c_ssl),
15772+
WOLFSSL_ECH_STATUS_REJECTED);
15773+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.s_ssl),
15774+
WOLFSSL_ECH_STATUS_REJECTED);
1574015775
ExpectIntEQ(wolfSSL_get_error(test_ctx.c_ssl, 0),
1574115776
WC_NO_ERR_TRACE(ECH_REQUIRED_E));
1574215777

@@ -15768,7 +15803,10 @@ static int test_wolfSSL_Tls13_ECH_trial_decrypt(void)
1576815803
}
1576915804

1577015805
ExpectIntEQ(test_ssl_memio_do_handshake(&test_ctx, 10, NULL), TEST_SUCCESS);
15771-
ExpectIntEQ(test_ctx.c_ssl->options.echAccepted, 1);
15806+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.c_ssl),
15807+
WOLFSSL_ECH_STATUS_ACCEPTED);
15808+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.s_ssl),
15809+
WOLFSSL_ECH_STATUS_ACCEPTED);
1577215810

1577315811
test_ssl_memio_cleanup(&test_ctx);
1577415812

@@ -15810,9 +15848,11 @@ static int test_wolfSSL_Tls13_ECH_GREASE(void)
1581015848
/* handshake should succeed - server ignores the GREASE ECH extension */
1581115849
ExpectIntEQ(test_ssl_memio_do_handshake(&test_ctx, 10, NULL), TEST_SUCCESS);
1581215850

15813-
/* ECH should NOT be accepted since this was GREASE */
15814-
ExpectIntEQ(test_ctx.s_ssl->options.echAccepted, 0);
15815-
ExpectIntEQ(test_ctx.c_ssl->options.echAccepted, 0);
15851+
/* server has no configs and client did not offer real ECH */
15852+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.s_ssl),
15853+
WOLFSSL_ECH_STATUS_NOT_OFFERED);
15854+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.c_ssl),
15855+
WOLFSSL_ECH_STATUS_GREASE);
1581615856
/* verify no ECH configs are received */
1581715857
ExpectNull(test_ctx.c_ssl->echConfigs);
1581815858
/* retry configs must not be saved */
@@ -15848,9 +15888,12 @@ static int test_wolfSSL_Tls13_ECH_GREASE(void)
1584815888
/* handshake should succeed - server responds to the GREASE ECH extension */
1584915889
ExpectIntEQ(test_ssl_memio_do_handshake(&test_ctx, 10, NULL), TEST_SUCCESS);
1585015890

15851-
/* ECH should NOT be accepted since this was GREASE */
15852-
ExpectIntEQ(test_ctx.s_ssl->options.echAccepted, 0);
15853-
ExpectIntEQ(test_ctx.c_ssl->options.echAccepted, 0);
15891+
/* server was unable to decrypt the ECH extension's payload
15892+
* client never offered real ECH */
15893+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.s_ssl),
15894+
WOLFSSL_ECH_STATUS_REJECTED);
15895+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.c_ssl),
15896+
WOLFSSL_ECH_STATUS_GREASE);
1585415897
/* verify no ECH configs are received */
1585515898
ExpectNull(test_ctx.c_ssl->echConfigs);
1585615899
/* retry configs must not be saved */
@@ -15895,15 +15938,20 @@ static int test_wolfSSL_Tls13_ECH_disable_conn_ex(int enableServer,
1589515938
* normally but ECH is not accepted */
1589615939
ExpectIntEQ(test_ssl_memio_do_handshake(&test_ctx, 10, NULL),
1589715940
TEST_SUCCESS);
15941+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.c_ssl),
15942+
WOLFSSL_ECH_STATUS_NOT_OFFERED);
1589815943
}
1589915944
else if (!enableServer) {
1590015945
/* client sends ECH but server can't process it: server has no ECH
1590115946
* keys so it processes the outer ClientHello, client detects ECH
1590215947
* rejection and aborts the handshake */
1590315948
ExpectIntNE(test_ssl_memio_do_handshake(&test_ctx, 10, NULL),
1590415949
TEST_SUCCESS);
15950+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.c_ssl),
15951+
WOLFSSL_ECH_STATUS_REJECTED);
1590515952
}
15906-
ExpectIntEQ(test_ctx.c_ssl->options.echAccepted, 0);
15953+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.s_ssl),
15954+
WOLFSSL_ECH_STATUS_NOT_OFFERED);
1590715955

1590815956
test_ssl_memio_cleanup(&test_ctx);
1590915957

@@ -16008,7 +16056,10 @@ static int test_wolfSSL_Tls13_ECH_HRR_rejection(void)
1600816056

1600916057
/* Handshake must fail: client aborts with ech_required */
1601016058
ExpectIntNE(test_ssl_memio_do_handshake(&test_ctx, 10, NULL), TEST_SUCCESS);
16011-
ExpectIntEQ(test_ctx.c_ssl->options.echAccepted, 0);
16059+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.c_ssl),
16060+
WOLFSSL_ECH_STATUS_REJECTED);
16061+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.s_ssl),
16062+
WOLFSSL_ECH_STATUS_NOT_OFFERED);
1601216063
/* hsHashesEch must have been freed by the HRR rejection code path */
1601316064
ExpectNull(test_ctx.c_ssl->hsHashesEch);
1601416065
ExpectIntEQ(wolfSSL_get_error(test_ctx.c_ssl, 0),
@@ -16046,7 +16097,10 @@ static int test_wolfSSL_Tls13_ECH_ch2_no_ech(void)
1604616097
/* server must have committed to ECH acceptance in the HRR */
1604716098
ExpectIntEQ(test_ctx.s_ssl->options.serverState,
1604816099
SERVER_HELLO_RETRY_REQUEST_COMPLETE);
16049-
ExpectIntEQ(test_ctx.s_ssl->options.echAccepted, 1);
16100+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.c_ssl),
16101+
WOLFSSL_ECH_STATUS_REJECTED);
16102+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.s_ssl),
16103+
WOLFSSL_ECH_STATUS_ACCEPTED);
1605016104

1605116105
/* disable ECH on the client so CH2 omits the ECH extension entirely */
1605216106
wolfSSL_SetEchEnable(test_ctx.c_ssl, 0);
@@ -16088,7 +16142,10 @@ static int test_wolfSSL_Tls13_ECH_ch2_decrypt_error(void)
1608816142

1608916143
ExpectIntEQ(test_ctx.s_ssl->options.serverState,
1609016144
SERVER_HELLO_RETRY_REQUEST_COMPLETE);
16091-
ExpectIntEQ(test_ctx.s_ssl->options.echAccepted, 1);
16145+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.c_ssl),
16146+
WOLFSSL_ECH_STATUS_REJECTED);
16147+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.s_ssl),
16148+
WOLFSSL_ECH_STATUS_ACCEPTED);
1609216149

1609316150
if (EXPECT_SUCCESS()) {
1609416151
/* Client reads HRR and writes CH2 into s_buff */
@@ -16166,7 +16223,10 @@ static int test_wolfSSL_Tls13_ECH_rejected_cert_valid_ex(const char* publicName,
1616616223
/* client sends ECH but server can't process it, however it is possible to
1616716224
* fall back to the outer handshake */
1616816225
ExpectIntNE(test_ssl_memio_do_handshake(&test_ctx, 10, NULL), TEST_SUCCESS);
16169-
ExpectIntEQ(test_ctx.c_ssl->options.echAccepted, 0);
16226+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.c_ssl),
16227+
WOLFSSL_ECH_STATUS_REJECTED);
16228+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.s_ssl),
16229+
WOLFSSL_ECH_STATUS_NOT_OFFERED);
1617016230

1617116231
if (validName) {
1617216232
/* the server should see the handshake as successful
@@ -16244,7 +16304,10 @@ static int test_wolfSSL_Tls13_ECH_rejected_empty_client_cert(void)
1624416304
publicName, (word16)XSTRLEN(publicName)), WOLFSSL_SUCCESS);
1624516305

1624616306
ExpectIntNE(test_ssl_memio_do_handshake(&test_ctx, 10, NULL), TEST_SUCCESS);
16247-
ExpectIntEQ(test_ctx.c_ssl->options.echAccepted, 0);
16307+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.c_ssl),
16308+
WOLFSSL_ECH_STATUS_REJECTED);
16309+
ExpectIntEQ(wolfSSL_GetEchStatus(test_ctx.s_ssl),
16310+
WOLFSSL_ECH_STATUS_NOT_OFFERED);
1624816311

1624916312
/* Server cert is valid for public_name, cert check passes, ech_required
1625016313
* is sent on the client side. */

wolfssl/ssl.h

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1261,6 +1261,12 @@ WOLFSSL_API int wolfSSL_GetEchRetryConfigs(WOLFSSL* ssl, byte* echConfigs,
12611261
WOLFSSL_API void wolfSSL_SetEchEnable(WOLFSSL* ssl, byte enable);
12621262

12631263
WOLFSSL_API void wolfSSL_SetEchEnableTrialDecrypt(WOLFSSL* ssl, byte enable);
1264+
1265+
#define WOLFSSL_ECH_STATUS_NOT_OFFERED 0
1266+
#define WOLFSSL_ECH_STATUS_GREASE 1
1267+
#define WOLFSSL_ECH_STATUS_REJECTED 2
1268+
#define WOLFSSL_ECH_STATUS_ACCEPTED 3
1269+
WOLFSSL_API int wolfSSL_GetEchStatus(const WOLFSSL* ssl);
12641270
#endif /* WOLFSSL_TLS13 && HAVE_ECH */
12651271

12661272
#ifdef HAVE_POLY1305

0 commit comments

Comments
 (0)