feat: add GREASEEncryptedClientHelloExtension (#266)

* dicttls: update ECH-related entries

* wip: GREASE ECH extension

* new: GREASE ECH extension

* fix: GREASE ECH Read must succeed with io.EOF

* new: GREASE ECH multiple payload len

* new: parse ECH in EncryptedExtensions

* fix: ECHConfig Length always 0

* new: GREASE ECH parrots

* new: (*Config).ECHConfigs

Add (*Config).ECHConfigs for future full ECH extension.

* new: add GREASE ECH example

Add an incomplete example of using GREASE ECH extension (Chrome 120 parrot).

* fix: invalid httpGetOverConn call

fix a problem in old example where httpGetOverConn was called with uTlsConn.HandshakeState.ServerHello.AlpnProtocol, which will not be populated in case TLS 1.3 is used.

* new: possible InnerClientHello length

u_handshake_client.go

@@ -141,6 +141,7 @@ func (hs *clientHandshakeStateTLS13) sendClientEncryptedExtensions() error {
 func (hs *clientHandshakeStateTLS13) utlsReadServerParameters(encryptedExtensions *encryptedExtensionsMsg) error {
 	hs.c.utls.hasApplicationSettings = encryptedExtensions.utls.hasApplicationSettings
 	hs.c.utls.peerApplicationSettings = encryptedExtensions.utls.applicationSettings
+	hs.c.utls.echRetryConfigs = encryptedExtensions.utls.echRetryConfigs
 
 	if hs.c.utls.hasApplicationSettings {
 		if hs.uconn.vers < VersionTLS13 {
@@ -160,6 +161,23 @@ func (hs *clientHandshakeStateTLS13) utlsReadServerParameters(encryptedExtension
 		}
 	}
 
+	if len(hs.c.utls.echRetryConfigs) > 0 {
+		if hs.uconn.vers < VersionTLS13 {
+			return errors.New("tls: server sent ECH retry configs at invalid version")
+		}
+
+		// find ECH extension in ClientHello
+		var echIncluded bool
+		for _, ext := range hs.uconn.Extensions {
+			if _, ok := ext.(ECHExtension); ok {
+				echIncluded = true
+			}
+		}
+		if !echIncluded {
+			return errors.New("tls: server sent ECH retry configs without client sending ECH extension")
+		}
+	}
+
 	return nil
 }