Added --echgrease command-line argument

ameshkov · ameshkov · commit 9f4730e8464a · 2025-04-02T14:59:23.000+03:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,11 @@ adheres to [Semantic Versioning][semver].
 
 ## [Unreleased]
 
+### Added
+
+* Added support for `--echgrease` command-line argument. This option is used to
+  enable ECH Grease for TLS ClientHello.
+
 [unreleased]: https://github.com/ameshkov/gocurl/compare/v1.4.6...HEAD
 
 ## [1.4.6] - 2025-03-21
diff --git a/README.md b/README.md
@@ -262,39 +262,58 @@ Usage:
   gocurl [OPTIONS]
 
 Application Options:
-      --url=<URL>                                           URL the request will be made to. Can be specified without any flags.
+      --url=<URL>                                           URL the request will be made to. Can be specified
+                                                            without any flags.
   -X, --request=<method>                                    HTTP method. GET by default.
-  -d, --data=<data>                                         Sends the specified data to the HTTP server using content type application/x-www-form-urlencoded.
-  -H, --header=                                             Extra header to include in the request. Can be specified multiple times.
-  -x, --proxy=[protocol://username:password@]host[:port]    Use the specified proxy. The proxy string can be specified with a protocol:// prefix.
-      --connect-to=<HOST1:PORT1:HOST2:PORT2>                For a request to the given HOST1:PORT1 pair, connect to HOST2:PORT2 instead. Can be specified
-                                                            multiple times.
+  -d, --data=<data>                                         Sends the specified data to the HTTP server using
+                                                            content type application/x-www-form-urlencoded.
+  -H, --header=                                             Extra header to include in the request. Can be
+                                                            specified multiple times.
+  -x, --proxy=[protocol://username:password@]host[:port]    Use the specified proxy. The proxy string can be
+                                                            specified with a protocol:// prefix.
+      --connect-to=<HOST1:PORT1:HOST2:PORT2>                For a request to the given HOST1:PORT1 pair, connect
+                                                            to HOST2:PORT2 instead. Can be specified multiple
+                                                            times.
   -I, --head                                                Fetch the headers only.
   -k, --insecure                                            Disables TLS verification of the connection.
       --tlsv1.3                                             Forces gocurl to use TLS v1.3 or newer.
       --tlsv1.2                                             Forces gocurl to use TLS v1.2 or newer.
-      --tls-max=<VERSION>                                   (TLS) VERSION defines maximum supported TLS version. Can be 1.2 or 1.3. The minimum acceptable
-                                                            version is set by tlsv1.2 or tlsv1.3.
+      --tls-max=<VERSION>                                   (TLS) VERSION defines maximum supported TLS version.
+                                                            Can be 1.2 or 1.3. The minimum acceptable version is
+                                                            set by tlsv1.2 or tlsv1.3.
       --ciphers=<space-separated list of ciphers>           Specifies which ciphers to use in the connection, see
-                                                            https://go.dev/src/crypto/tls/cipher_suites.go for the full list of available ciphers.
-      --tls-servername=<HOSTNAME>                           Specifies the server name that will be sent in TLS ClientHello
+                                                            https://go.dev/src/crypto/tls/cipher_suites.go for the
+                                                            full list of available ciphers.
+      --tls-servername=<HOSTNAME>                           Specifies the server name that will be sent in TLS
+                                                            ClientHello
       --http1.1                                             Forces gocurl to use HTTP v1.1.
       --http2                                               Forces gocurl to use HTTP v2.
       --http3                                               Forces gocurl to use HTTP v3.
       --ech                                                 Enables ECH support for the request.
-      --echconfig=<base64-encoded data>                     ECH configuration to use for this request. Implicitly enables --ech when specified.
-  -4, --ipv4                                                This option tells gocurl to use IPv4 addresses only when resolving host names.
-  -6, --ipv6                                                This option tells gocurl to use IPv6 addresses only when resolving host names.
-      --dns-servers=<DNSADDR1,DNSADDR2>                     DNS servers to use when making the request. Supports encrypted DNS: tls://, https://, quic://,
-                                                            sdns://
-      --resolve=<[+]host:port:addr[,addr]...>               Provide a custom address for a specific host. port is ignored by gocurl. '*' can be used instead of
-                                                            the host name. Can be specified multiple times.
-      --tls-split-hello=<CHUNKSIZE:DELAY>                   An option that allows splitting TLS ClientHello in two parts in order to avoid common DPI systems
-                                                            detecting TLS. CHUNKSIZE is the size of the first bytes before ClientHello is split, DELAY is delay
-                                                            in milliseconds before sending the second part.
-      --json-output                                         Makes gocurl write machine-readable output in JSON format.
-  -o, --output=<file>                                       Defines where to write the received data. If not set, gocurl will write everything to stdout.
-      --experiment=<name[:value]>                           Allows enabling experimental options. See the documentation for available options. Can be specified
+      --echgrease                                           Forces sending ECH grease in the ClientHello, but does
+                                                            not try to resolve the ECH configuration.
+      --echconfig=<base64-encoded data>                     ECH configuration to use for this request. Implicitly
+                                                            enables --ech when specified.
+  -4, --ipv4                                                This option tells gocurl to use IPv4 addresses only
+                                                            when resolving host names.
+  -6, --ipv6                                                This option tells gocurl to use IPv6 addresses only
+                                                            when resolving host names.
+      --dns-servers=<DNSADDR1,DNSADDR2>                     DNS servers to use when making the request. Supports
+                                                            encrypted DNS: tls://, https://, quic://, sdns://
+      --resolve=<[+]host:port:addr[,addr]...>               Provide a custom address for a specific host. port is
+                                                            ignored by gocurl. '*' can be used instead of the host
+                                                            name. Can be specified multiple times.
+      --tls-split-hello=<CHUNKSIZE:DELAY>                   An option that allows splitting TLS ClientHello in two
+                                                            parts in order to avoid common DPI systems detecting
+                                                            TLS. CHUNKSIZE is the size of the first bytes before
+                                                            ClientHello is split, DELAY is delay in milliseconds
+                                                            before sending the second part.
+      --json-output                                         Makes gocurl write machine-readable output in JSON
+                                                            format.
+  -o, --output=<file>                                       Defines where to write the received data. If not set,
+                                                            gocurl will write everything to stdout.
+      --experiment=<name[:value]>                           Allows enabling experimental options. See the
+                                                            documentation for available options. Can be specified
                                                             multiple times.
   -v, --verbose                                             Verbose output (optional).
 
diff --git a/internal/client/cfcrypto/cfcrypto.go b/internal/client/cfcrypto/cfcrypto.go
@@ -87,7 +87,7 @@ func Handshake(
 		conf.NextProtos = []string{"http/1.1"}
 	}
 
-	if cfg.ECH {
+	if cfg.ECH || cfg.ECHGrease {
 		conf.ECHEnabled = true
 	}
 
@@ -104,6 +104,9 @@ func Handshake(
 	}
 
 	c := ctls.Client(conn, conf)
+
+	out.Debug("Starting TLS handshake")
+
 	err = c.Handshake()
 
 	if err != nil {
diff --git a/internal/client/clientdialer.go b/internal/client/clientdialer.go
@@ -66,7 +66,7 @@ func (d *clientDialer) DialTLSContext(_ context.Context, network, addr string) (
 	}
 
 	_, postQuantum := d.cfg.Experiments[config.ExpPostQuantum]
-	if d.cfg.ECH || postQuantum {
+	if d.cfg.ECH || d.cfg.ECHGrease || postQuantum {
 		d.conn, err = d.handshakeCTLS(conn)
 	} else {
 		d.conn, err = d.handshakeTLS(conn)
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -72,6 +72,11 @@ type Config struct {
 	// received from the DNS settings.
 	ECH bool
 
+	// ECHGrease forces sending ECH grease in the ClientHello.  This option
+	// does not try to resolve the ECH configuration and is only used for
+	// testing ECH grease.
+	ECHGrease bool
+
 	// ECHConfigs is a set of ECH configurations that will be used when opening
 	// an encrypted connection.
 	ECHConfigs []ctls.ECHConfig
@@ -169,6 +174,7 @@ func ParseConfig() (cfg *Config, err error) {
 		ForceHTTP2:    opts.HTTPv2,
 		ForceHTTP3:    opts.HTTPv3,
 		ECH:           opts.ECH,
+		ECHGrease:     opts.ECHGrease,
 		IPv4:          opts.IPv4,
 		IPv6:          opts.IPv6,
 		TLSServerName: opts.TLSServerName,
diff --git a/internal/config/options.go b/internal/config/options.go
@@ -70,6 +70,11 @@ type Options struct {
 	// received from the DNS settings.
 	ECH bool `long:"ech" description:"Enables ECH support for the request." optional:"yes" optional-value:"true"`
 
+	// ECHGrease forces sending ECH grease in the ClientHello.  This option
+	// does not try to resolve the ECH configuration and is only used for
+	// testing ECH grease.
+	ECHGrease bool `long:"echgrease" description:"Forces sending ECH grease in the ClientHello, but does not try to resolve the ECH configuration." optional:"yes" optional-value:"true"`
+
 	// ECHConfig is a custom ECH configuration to use for this request.  If this
 	// option is specified, there will be no attempt to discover the ECH
 	// configuration using DNS.

Original file line number	Diff line number	Diff line change
`@@ -87,7 +87,7 @@ func Handshake(`
`87`	`87`	`conf.NextProtos = []string{"http/1.1"}`
`88`	`88`	`}`
`89`	`89`
`90`		`- if cfg.ECH {`
	`90`	`+ if cfg.ECH \|\| cfg.ECHGrease {`
`91`	`91`	`conf.ECHEnabled = true`
`92`	`92`	`}`
`93`	`93`
`@@ -104,6 +104,9 @@ func Handshake(`
`104`	`104`	`}`
`105`	`105`
`106`	`106`	`c := ctls.Client(conn, conf)`
	`107`	`+`
	`108`	`+ out.Debug("Starting TLS handshake")`
	`109`	`+`
`107`	`110`	`err = c.Handshake()`
`108`	`111`
`109`	`112`	`if err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ func (d *clientDialer) DialTLSContext(_ context.Context, network, addr string) (`
`66`	`66`	`}`
`67`	`67`
`68`	`68`	`_, postQuantum := d.cfg.Experiments[config.ExpPostQuantum]`
`69`		`- if d.cfg.ECH \|\| postQuantum {`
	`69`	`+ if d.cfg.ECH \|\| d.cfg.ECHGrease \|\| postQuantum {`
`70`	`70`	`d.conn, err = d.handshakeCTLS(conn)`
`71`	`71`	`} else {`
`72`	`72`	`d.conn, err = d.handshakeTLS(conn)`