moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2025-01-11 05:58:01 -05:00
Code Issues Releases Wiki Activity

ECH: renamed from ESNI in docs and configure

Browse Source 
Encrypted Client Hello (ECH) is the current name.

Closes #6022
This commit is contained in:
Daniel Stenberg 2020-09-29 10:13:18 +02:00
parent 83c6493296
commit cbe7fad20d
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
4 changed files with 74 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
configure.ac
View File

@ -49,7 +49,7 @@ CURL_CHECK_OPTION_CURLDEBUG
CURL_CHECK_OPTION_SYMBOL_HIDING CURL_CHECK_OPTION_SYMBOL_HIDING
CURL_CHECK_OPTION_ARES CURL_CHECK_OPTION_ARES
CURL_CHECK_OPTION_RT CURL_CHECK_OPTION_RT
CURL_CHECK_OPTION_ESNI CURL_CHECK_OPTION_ECH
XC_CHECK_PATH_SEPARATOR XC_CHECK_PATH_SEPARATOR
@ -4873,32 +4873,32 @@ if test "$enable_altsvc" = "yes"; then
fi fi
dnl ************************************************************* dnl *************************************************************
dnl check whether ESNI support, if desired, is actually available dnl check whether ECH support, if desired, is actually available
dnl dnl
if test "x$want_esni" != "xno"; then if test "x$want_ech" != "xno"; then
AC_MSG_CHECKING([whether ESNI support is available]) AC_MSG_CHECKING([whether ECH support is available])
dnl assume NOT and look for sufficient condition dnl assume NOT and look for sufficient condition
ESNI_ENABLED=0 ECH_ENABLED=0
ESNI_SUPPORT='' ECH_SUPPORT=''
dnl OpenSSL with a chosen ESNI function should be enough dnl OpenSSL with a chosen ECH function should be enough
dnl so more exhaustive checking seems unnecessary for now dnl so more exhaustive checking seems unnecessary for now
if test "x$OPENSSL_ENABLED" = "x1"; then if test "x$OPENSSL_ENABLED" = "x1"; then
AC_CHECK_FUNCS(SSL_get_esni_status, AC_CHECK_FUNCS(SSL_get_ech_status,
ESNI_SUPPORT="ESNI support available (OpenSSL with SSL_get_esni_status)" ECH_SUPPORT="ECH support available (OpenSSL with SSL_get_ech_status)"
ESNI_ENABLED=1) ECH_ENABLED=1)
dnl add 'elif' chain here for additional implementations dnl add 'elif' chain here for additional implementations
fi fi
dnl now deal with whatever we found dnl now deal with whatever we found
if test "x$ESNI_ENABLED" = "x1"; then if test "x$ECH_ENABLED" = "x1"; then
AC_DEFINE(USE_ESNI, 1, [if ESNI support is available]) AC_DEFINE(USE_ECH, 1, [if ECH support is available])
AC_MSG_RESULT($ESNI_SUPPORT) AC_MSG_RESULT($ECH_SUPPORT)
experimental="$experimental ESNI" experimental="$experimental ECH"
else else
AC_MSG_ERROR([--enable-esni ignored: No ESNI support found]) AC_MSG_ERROR([--enable-ech ignored: No ECH support found])
fi fi
fi fi
@ -5034,8 +5034,8 @@ if test "x$OPENSSL_ENABLED" = "x1" -o "x$GNUTLS_ENABLED" = "x1" \
SUPPORT_FEATURES="$SUPPORT_FEATURES HTTPS-proxy" SUPPORT_FEATURES="$SUPPORT_FEATURES HTTPS-proxy"
fi fi
if test "x$ESNI_ENABLED" = "x1"; then if test "x$ECH_ENABLED" = "x1"; then
SUPPORT_FEATURES="$SUPPORT_FEATURES ESNI" SUPPORT_FEATURES="$SUPPORT_FEATURES ECH"
fi fi
dnl replace spaces with newlines dnl replace spaces with newlines
@ -5233,7 +5233,7 @@ AC_MSG_NOTICE([Configured to build curl/libcurl:
Alt-svc: ${curl_altsvc_msg} Alt-svc: ${curl_altsvc_msg}
HTTP2: ${curl_h2_msg} HTTP2: ${curl_h2_msg}
HTTP3: ${curl_h3_msg} HTTP3: ${curl_h3_msg}
ESNI: ${curl_esni_msg} ECH: ${curl_ech_msg}
Protocols: ${SUPPORT_PROTOCOLS} Protocols: ${SUPPORT_PROTOCOLS}
Features: ${SUPPORT_FEATURES} Features: ${SUPPORT_FEATURES}
]) ])

74
docs/ESNI.md → docs/ECH.md
View File

@ -1,24 +1,23 @@
# TLS: ESNI support in curl and libcurl # TLS: ECH support in curl and libcurl
## Summary ## Summary
**ESNI** means **Encrypted Server Name Indication**, a TLS 1.3 **ECH** means **Encrypted Client Hello**, a TLS 1.3 extension which is
extension which is currently the subject of an currently the subject of an [IETF Draft][tlsesni]. (ECH was formerly known as
[IETF Draft][tlsesni]. ESNI).
This file is intended to show the latest current state of ESNI support This file is intended to show the latest current state of ECH support
in **curl** and **libcurl**. in **curl** and **libcurl**.
At end of August 2019, an [experimental fork of curl][niallorcurl], At end of August 2019, an [experimental fork of curl][niallorcurl], built
built using an [experimental fork of OpenSSL][sftcdopenssl], which in using an [experimental fork of OpenSSL][sftcdopenssl], which in turn provided
turn provided an implementation of ESNI, was demonstrated an implementation of ECH, was demonstrated interoperating with a server
interoperating with a server belonging to the [DEfO belonging to the [DEfO Project][defoproj].
Project][defoproj].
Further sections here describe Further sections here describe
- resources needed for building and demonstrating **curl** support - resources needed for building and demonstrating **curl** support
for ESNI, for ECH,
- progress to date, - progress to date,
@ -28,18 +27,18 @@ Further sections here describe
## Resources needed ## Resources needed
To build and demonstrate ESNI support in **curl** and/or **libcurl**, To build and demonstrate ECH support in **curl** and/or **libcurl**,
you will need you will need
- a TLS library, supported by **libcurl**, which implements ESNI; - a TLS library, supported by **libcurl**, which implements ECH;
- an edition of **curl** and/or **libcurl** which supports the ESNI - an edition of **curl** and/or **libcurl** which supports the ECH
implementation of the chosen TLS library; implementation of the chosen TLS library;
- an environment for building and running **curl**, and at least - an environment for building and running **curl**, and at least
building **OpenSSL**; building **OpenSSL**;
- a server, supporting ESNI, against which to run a demonstration - a server, supporting ECH, against which to run a demonstration
and perhaps a specific target URL; and perhaps a specific target URL;
- some instructions. - some instructions.
@ -58,52 +57,49 @@ The following set of resources is currently known to be available.
- Details [below](#pr4011); - Details [below](#pr4011);
- New **curl** feature: `CURL_VERSION_ESNI`; - New configuration option: `--enable-ech`;
- New configuration option: `--enable-esni`; - Build-time check for availability of resources needed for ECH
- Build-time check for availability of resources needed for ESNI
support; support;
- Pre-processor symbol `USE_ESNI` for conditional compilation of - Pre-processor symbol `USE_ECH` for conditional compilation of
ESNI support code, subject to configuration option and ECH support code, subject to configuration option and
availability of needed resources. availability of needed resources.
## TODO ## TODO
- (next PR) Add libcurl options to set ESNI parameters. - (next PR) Add libcurl options to set ECH parameters.
- (next PR) Add curl tool command line options to set ESNI parameters. - (next PR) Add curl tool command line options to set ECH parameters.
- (WIP) Extend DoH functions so that published ESNI parameters can be - (WIP) Extend DoH functions so that published ECH parameters can be
retrieved from DNS instead of being required as options. retrieved from DNS instead of being required as options.
- (WIP) Work with OpenSSL community to finalize ESNI API. - (WIP) Work with OpenSSL community to finalize ECH API.
- Track OpenSSL ESNI API in libcurl - Track OpenSSL ECH API in libcurl
- Identify and implement any changes needed for CMake. - Identify and implement any changes needed for CMake.
- Optimize build-time checking of available resources. - Optimize build-time checking of available resources.
- Encourage ESNI support work on other TLS/SSL backends. - Encourage ECH support work on other TLS/SSL backends.
## Additional detail ## Additional detail
### PR 4011 ### PR 4011
**TLS: Provide ESNI support framework for curl and libcurl** **TLS: Provide ECH support framework for curl and libcurl**
The proposed change provides a framework to facilitate work to The proposed change provides a framework to facilitate work to implement ECH
implement ESNI support in curl and libcurl. It is not intended support in curl and libcurl. It is not intended either to provide ECH
either to provide ESNI functionality or to favour any particular functionality or to favour any particular TLS-providing backend. Specifically,
TLS-providing backend. Specifically, the change reserves a the change reserves a feature bit for ECH support (symbol
feature bit for ESNI support (symbol `CURL_VERSION_ESNI`), `CURL_VERSION_ECH`), implements setting and reporting of this bit, includes
implements setting and reporting of this bit, includes dummy dummy book-keeping for the symbol, adds a build-time configuration option
book-keeping for the symbol, adds a build-time configuration (`--enable-ech`), provides an extensible check for resources available to
option (`--enable-esni`), provides an extensible check for provide ECH support, and defines a compiler pre-processor symbol (`USE_ECH`)
resources available to provide ESNI support, and defines a accordingly.
compiler pre-processor symbol (`USE_ESNI`) accordingly.
Proposed-by: @niallor (Niall O'Reilly)\ Proposed-by: @niallor (Niall O'Reilly)\
Encouraged-by: @sftcd (Stephen Farrell)\ Encouraged-by: @sftcd (Stephen Farrell)\
@ -117,7 +113,7 @@ Limitations:
- Check for available resources, although extensible, refers only to - Check for available resources, although extensible, refers only to
specific work in progress ([described specific work in progress ([described
here](https://github.com/sftcd/openssl/tree/master/esnistuff)) to here](https://github.com/sftcd/openssl/tree/master/esnistuff)) to
implement ESNI for OpenSSL, as this is the immediate motivation implement ECH for OpenSSL, as this is the immediate motivation
for the proposed change. for the proposed change.
## References ## References

2
docs/Makefile.am
View File

@ -56,7 +56,7 @@ EXTRA_DIST = \
CURL-DISABLE.md \ CURL-DISABLE.md \
DEPRECATE.md \ DEPRECATE.md \
DYNBUF.md \ DYNBUF.md \
ESNI.md \ ECH.md \
EXPERIMENTAL.md \ EXPERIMENTAL.md \
FAQ \ FAQ \
FEATURES \ FEATURES \

40
m4/curl-confopts.m4
View File

@ -649,37 +649,37 @@ AC_DEFUN([CURL_CHECK_NTLM_WB], [
fi fi
]) ])
dnl CURL_CHECK_OPTION_ESNI dnl CURL_CHECK_OPTION_ECH
dnl ----------------------------------------------------- dnl -----------------------------------------------------
dnl Verify whether configure has been invoked with option dnl Verify whether configure has been invoked with option
dnl --enable-esni or --disable-esni, and set dnl --enable-ech or --disable-ech, and set
dnl shell variable want_esni as appropriate. dnl shell variable want_ech as appropriate.
AC_DEFUN([CURL_CHECK_OPTION_ESNI], [ AC_DEFUN([CURL_CHECK_OPTION_ECH], [
AC_MSG_CHECKING([whether to enable ESNI support]) AC_MSG_CHECKING([whether to enable ECH support])
OPT_ESNI="default" OPT_ECH="default"
AC_ARG_ENABLE(esni, AC_ARG_ENABLE(ech,
AC_HELP_STRING([--enable-esni],[Enable ESNI support]) AC_HELP_STRING([--enable-ech],[Enable ECH support])
AC_HELP_STRING([--disable-esni],[Disable ESNI support]), AC_HELP_STRING([--disable-ech],[Disable ECH support]),
OPT_ESNI=$enableval) OPT_ECH=$enableval)
case "$OPT_ESNI" in case "$OPT_ECH" in
no) no)
dnl --disable-esni option used dnl --disable-ech option used
want_esni="no" want_ech="no"
curl_esni_msg="no (--enable-esni)" curl_ech_msg="no (--enable-ech)"
AC_MSG_RESULT([no]) AC_MSG_RESULT([no])
;; ;;
default) default)
dnl configure option not specified dnl configure option not specified
want_esni="no" want_ech="no"
curl_esni_msg="no (--enable-esni)" curl_ech_msg="no (--enable-ech)"
AC_MSG_RESULT([no]) AC_MSG_RESULT([no])
;; ;;
*) *)
dnl --enable-esni option used dnl --enable-ech option used
want_esni="yes" want_ech="yes"
curl_esni_msg="enabled (--disable-esni)" curl_ech_msg="enabled (--disable-ech)"
experimental="esni" experimental="ech"
AC_MSG_RESULT([yes]) AC_MSG_RESULT([yes])
;; ;;
esac esac