fixup! ECH both sides now

sftcd 2025-07-30 14:25:19 +01:00
parent ded17621f1
commit fa164aab49
2 changed files with 22 additions and 38 deletions


@ -1779,13 +1779,10 @@ static unsigned char *hpke_decrypt_encch(SSL_CONNECTION *s,
* We may generate externally visible OpenSSL errors
* if decryption fails (which is normal) but we'll
* ignore those as we might be dealing with a GREASEd
* ECH. To do that we need to now ingore some errors
* ECH. To do that we need to now ignore some errors
* so we use ERR_set_mark() then later ERR_pop_to_mark().
*/
if (ERR_set_mark() != 0) {
OPENSSL_free(clear);
return NULL;
}
ERR_set_mark();
/* Use OSSL_HPKE_* APIs */
hctx = OSSL_HPKE_CTX_new(hpke_mode, hpke_suite, OSSL_HPKE_ROLE_RECEIVER,
NULL, NULL);
@ -1835,8 +1832,7 @@ end:
if (PACKET_buf_init(&innerchpkt, clear, clearlen) != 1) {
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
OPENSSL_free(clear);
return NULL;
goto paderr;
}
/* reset the offsets, as we move from outer to inner CH */
s->ext.ech.ch_offsets_done = 0;
@ -1845,14 +1841,12 @@ end:
&innerflag, &outersnioffset);
if (rv != 1) {
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
OPENSSL_free(clear);
return NULL;
goto paderr;
}
/* odd form of check below just for emphasis */
if ((extsoffset + 1) > clearlen) {
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
OPENSSL_free(clear);
return NULL;
goto paderr;
}
extslen = (unsigned char)(clear[extsoffset]) * 256
+ (unsigned char)(clear[extsoffset + 1]);
@ -1860,8 +1854,7 @@ end:
/* the check below protects us from bogus data */
if (ch_len > clearlen) {
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
OPENSSL_free(clear);
return NULL;
goto paderr;
}
/*
* The RFC calls for that padding to be all zeros. I'm not so
@ -1873,15 +1866,11 @@ end:
{
size_t zind = 0;
if (*innerlen < ch_len) {
OPENSSL_free(clear);
return NULL;
}
if (*innerlen < ch_len)
goto paderr;
for (zind = ch_len; zind != *innerlen; zind++) {
if (clear[zind] != 0x00) {
OPENSSL_free(clear);
return NULL;
}
if (clear[zind] != 0x00)
goto paderr;
}
}
# endif
@ -1891,6 +1880,7 @@ end:
# endif
return clear;
}
paderr:
OPENSSL_free(clear);
return NULL;
}
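Review bot: The bounds check kept as context in the third hunk, `if ((extsoffset + 1) > clearlen)`, still lets `extsoffset + 1 == clearlen` through, and the next statement reads `clear[extsoffset + 1]`, which is then one byte past the `clearlen` bytes of the decrypted buffer. Since this commit already reworks that error path, the test should cover both length bytes, e.g. `if (extsoffset + 2 > clearlen) {` ahead of the `goto paderr;`. The offset is filled in by a helper whose call is only partly visible here, so it may already guarantee this, but the local check is what the comment presents as the guard. Separately, `paderr` is now the target for the PACKET and offset failures as well as the padding ones, so a neutral label name would read better; hpke_decrypt_encch begins outside these hunks.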


@ -2076,30 +2076,24 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s)
goto err;
}
#ifndef OPENSSL_NO_ECH
/*
* Unless ECH has worked or not been configured we won't call
* the session_secret_cb now because we'll need to calculate the
* server random later to include the ECH accept value.
* We can't do it now as we don't yet have the SH encoding.
*/
if (((s->ext.ech.es != NULL && s->ext.ech.success == 1)
|| s->ext.ech.es == NULL)
&& (!s->hit
&& s->version >= TLS1_VERSION
&& !SSL_CONNECTION_IS_TLS13(s)
&& !SSL_CONNECTION_IS_DTLS(s)
&& s->ext.session_secret_cb != NULL)) {
const SSL_CIPHER *pref_cipher = NULL;
#else
if (!s->hit
&& s->version >= TLS1_VERSION
&& !SSL_CONNECTION_IS_TLS13(s)
&& !SSL_CONNECTION_IS_DTLS(s)
&& s->ext.session_secret_cb != NULL) {
const SSL_CIPHER *pref_cipher = NULL;
if (
#ifndef OPENSSL_NO_ECH
((s->ext.ech.es != NULL && s->ext.ech.success == 1)
|| s->ext.ech.es == NULL) &&
#endif
!s->hit
&& s->version >= TLS1_VERSION
&& !SSL_CONNECTION_IS_TLS13(s)
&& !SSL_CONNECTION_IS_DTLS(s)
&& s->ext.session_secret_cb != NULL) {
const SSL_CIPHER *pref_cipher = NULL;
/*
* s->session->master_key_length is a size_t, but this is an int for
* backwards compat reasons