TLS ECH fixes [SNI, api.c, server.c, comments]

Author: sebastian-carpenter

examples/server/server.c

@@ -3105,6 +3105,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
         byte echConfig[512];
         word32 echConfigLen = sizeof(echConfig);
         char echConfigBase64[512];
+        char* echConfigBase64Ptr;
         word32 echConfigBase64Len = sizeof(echConfigBase64);
 
         if (wolfSSL_CTX_GenerateEchConfig(ctx, echPublicName, 0, 0, 0)
@@ -3116,12 +3117,16 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
             err_sys_ex(runWithErrors, "GetEchConfigs failed");
         }
         if (Base64_Encode_NoNl(echConfig, echConfigLen, (byte*)echConfigBase64,
-                    &echConfigBase64Len) != 0) {
+                &echConfigBase64Len) != 0) {
             err_sys_ex(runWithErrors, "Base64_Encode_NoNl failed");
         }
         else {
-            echConfigBase64[echConfigBase64Len] = '\0';
-            printf("ECH config (base64): %s\n", echConfigBase64);
+            echConfigBase64Ptr = echConfigBase64;
+            printf("ECH config (base64): ");
+            while (echConfigBase64Len-- > 0) {
+                printf("%c", *echConfigBase64Ptr++);
+            }
+            printf("\n");
         }
     }
 #endif

src/ssl_ech.c

@@ -67,8 +67,6 @@ int wolfSSL_CTX_GenerateEchConfig(WOLFSSL_CTX* ctx, const char* publicName,
         XMEMSET(newConfig, 0, sizeof(WOLFSSL_EchConfig));
 
     /* set random configId */
-    /* TODO: if an equal configId is found should the old config be removed from
-     * the LL? Prevents growth beyond 255+ items */
     if (ret == 0)
         ret = wc_RNG_GenerateByte(rng, &newConfig->configId);
 

src/tls.c

@@ -2381,12 +2381,13 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, const byte* input, word16 length,
     /* Don't process the second ClientHello SNI extension if there
      * was problems with the first.
      */
-    if (!cacheOnly && sni->status != WOLFSSL_SNI_NO_MATCH)
+    if (!cacheOnly && sni != NULL && sni->status != WOLFSSL_SNI_NO_MATCH)
         return 0;
 #endif
 
 #if defined(HAVE_ECH)
-    if (ech != NULL && ech->sniState == ECH_INNER_SNI_ATTEMPT) {
+    if (ech != NULL && ech->sniState == ECH_INNER_SNI_ATTEMPT &&
+            ech->privateName != NULL) {
         matched = cacheOnly || (XSTRLEN(ech->privateName) == size &&
             XSTRNCMP(ech->privateName, (const char*)input + offset, size) == 0);
     }

tests/api.c

@@ -13790,7 +13790,6 @@ static int test_wolfSSL_CTX_add_client_CA(void)
     defined(HAVE_IO_TESTS_DEPENDENCIES)
 static THREAD_RETURN WOLFSSL_THREAD server_task_ech(void* args)
 {
-    EXPECT_DECLS;
     callback_functions* callbacks = ((func_args*)args)->callbacks;
     WOLFSSL_CTX* ctx       = callbacks->ctx;
     WOLFSSL*  ssl   = NULL;
@@ -13820,7 +13819,7 @@ static THREAD_RETURN WOLFSSL_THREAD server_task_ech(void* args)
     if (callbacks->ctx_ready)
         callbacks->ctx_ready(ctx);
 
-    ExpectNotNull(ssl = wolfSSL_new(ctx));
+    AssertNotNull(ssl = wolfSSL_new(ctx));
 
     /* set the sni for the server */
     AssertIntEQ(WOLFSSL_SUCCESS,

wolfssl/internal.h

@@ -2972,10 +2972,8 @@ typedef struct Options Options;
 #define TLSXT_KEY_SHARE                  0x0033
 #define TLSXT_CONNECTION_ID              0x0036
 #define TLSXT_KEY_QUIC_TP_PARAMS         0x0039 /* RFC 9001, ch. 8.2 */
-#define TLSXT_ECH                        0xfe0d /* from */
-                                                /* draft-ietf-tls-esni-13 */
-#define TLSXT_ECH_OUTER_EXTENSIONS       0xfd00 /* from
-                                                   draft-ietf-tls-esni-13 */
+#define TLSXT_ECH                        0xfe0d /* RFC 9849 */
+#define TLSXT_ECH_OUTER_EXTENSIONS       0xfd00 /* RFC 9849 */
 /* The 0xFF section is experimental/custom/personal use */
 #define TLSXT_CKS                        0xff92 /* X9.146 */
 #define TLSXT_RENEGOTIATION_INFO         0xff01