move echAccepted to decrypt-time on server

Author: sebastian-carpenter

src/ssl_ech.c

@@ -483,7 +483,6 @@ void wolfSSL_SetEchEnable(WOLFSSL* ssl, byte enable)
 /* Walk the ECHConfigExtension list and check for mandatory extensions.
  * Returns:
  *  0 if all extensions are known/optional,
- *  1 if an unsupported mandatory extension (high bit set) is present,
  *  error otherwise. */
 static int EchConfigCheckExtensions(const byte* exts, word16 extsLen)
 {
@@ -497,7 +496,7 @@ static int EchConfigCheckExtensions(const byte* exts, word16 extsLen)
         if (bytesLeft - 4 < extDataLen)
             return BUFFER_E;
         if (extType & 0x8000)
-            return 1;
+            return UNSUPPORTED_EXTENSION;
         exts += 4 + extDataLen;
         bytesLeft -= 4 + extDataLen;
     }
@@ -707,7 +706,8 @@ int SetEchConfigsEx(WOLFSSL_EchConfig** outputConfigs, void* heap,
 
         /* KEM, ciphersuite, or mandatory extension not supported, free this
          * config and then try to parse another */
-        if (ret > 0 || EchConfigGetSupportedCipherSuite(workingConfig) < 0) {
+        if (ret == WC_NO_ERR_TRACE(UNSUPPORTED_EXTENSION) ||
+                EchConfigGetSupportedCipherSuite(workingConfig) < 0) {
             ret = 0;
             unsupportedAlgos = 1;
             XFREE(workingConfig->cipherSuites, heap, DYNAMIC_TYPE_TMP_BUFFER);

src/tls.c

@@ -14489,8 +14489,9 @@ static int TLSX_ECH_Parse(WOLFSSL* ssl, const byte* readBuf, word16 size,
         }
         /* if we failed to extract/expand */
         if (ret != 0) {
-            WOLFSSL_MSG("Failed to decrypt InnerHello");
-            if (ech->hpkeContext != NULL) {
+            WOLFSSL_MSG("ECH rejected");
+
+            if (ssl->options.echAccepted == 1) {
                 /* on SH2 this is fatal */
                 SendAlert(ssl, alert_fatal, decrypt_error);
                 WOLFSSL_ERROR_VERBOSE(DECRYPT_ERROR);
@@ -14512,11 +14513,20 @@ static int TLSX_ECH_Parse(WOLFSSL* ssl, const byte* readBuf, word16 size,
                  * Also, if it exists, copy sessionID from outer hello */
                 ret = TLSX_ECH_ExpandOuterExtensions(ssl, ech, ssl->heap);
             }
+
+            if (ret == 0){
+                WOLFSSL_MSG("ECH accepted");
+                ssl->options.echAccepted = 1;
+            }
+            else {
+                WOLFSSL_MSG("ECH rejected");
+            }
         }
         if (ret != 0) {
             XFREE(ech->innerClientHello, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
             ech->innerClientHello = NULL;
         }
+
         XFREE(aadCopy, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
     }
 

src/tls13.c

@@ -3863,7 +3863,7 @@ static int EchHashHelloInner(WOLFSSL* ssl, WOLFSSL_ECH* ech)
     tmpHashes = ssl->hsHashes;
 
     ssl->hsHashes = ssl->hsHashesEch;
-    if (ssl->options.echAccepted == 0 && ssl->hsHashes == NULL) {
+    if (ssl->hsHashes == NULL) {
         ret = InitHandshakeHashes(ssl);
         if (ret == 0) {
             ssl->hsHashesEch = ssl->hsHashes;
@@ -5184,15 +5184,14 @@ static int EchCheckAcceptance(WOLFSSL* ssl, byte* label, word16 labelSz,
             }
         }
         else {
-            WOLFSSL_MSG("ECH rejected");
-
             if (msgType != hello_retry_request && ssl->options.echAccepted) {
                 /* the SH has rejected ECH after the HRR has accepted it
                  * RFC 9849, section 6.1.5 */
                 WOLFSSL_MSG("ECH rejected, but it was previously accepted...");
                 ret = INVALID_PARAMETER;
             }
             else {
+                WOLFSSL_MSG("ECH rejected");
                 ret = 0;
             }
             ssl->options.echAccepted = 0;
@@ -7087,12 +7086,9 @@ static int EchWriteAcceptance(WOLFSSL* ssl, byte* label, word16 labelSz,
             output + acceptOffset);
 
     if (ret == 0) {
-        WOLFSSL_MSG("ECH accepted");
-
         tmpHashes = ssl->hsHashes;
         ssl->hsHashes = ssl->hsHashesEch;
 
-        ssl->options.echAccepted = 1;
         /* after HRR, hsHashesEch must contain:
          * message_hash(ClientHelloInner1) || HRR (actual, not zeros) */
         if (msgType == hello_retry_request) {

tests/api.c

@@ -14878,6 +14878,22 @@ static int test_wolfSSL_Tls13_ECH_HRR(void)
     return test_wolfSSL_ECH_conn_ex(wolfTLSv1_3_server_method,
                 wolfTLSv1_3_client_method, 1);
 }
+
+static int test_wolfSSL_SubTls13_ECH(void)
+{
+    EXPECT_DECLS;
+
+#ifndef WOLFSSL_NO_TLS12
+    ExpectIntNE(test_wolfSSL_ECH_conn_ex(wolfTLSv1_3_server_method,
+        wolfTLSv1_2_client_method, 0), WOLFSSL_SUCCESS);
+    ExpectIntNE(test_wolfSSL_ECH_conn_ex(wolfTLSv1_2_server_method,
+        wolfTLSv1_3_client_method, 0), WOLFSSL_SUCCESS);
+    ExpectIntNE(test_wolfSSL_ECH_conn_ex(wolfSSLv23_server_method,
+        wolfTLSv1_2_client_method, 0), WOLFSSL_SUCCESS);
+#endif
+
+    return EXPECT_RESULT();
+}
 #endif /* HAVE_IO_TESTS_DEPENDENCIES */
 
 #ifdef HAVE_SSL_MEMIO_TESTS_DEPENDENCIES
@@ -16262,6 +16278,7 @@ static int test_wolfSSL_Tls13_ECH_tamper_ex(struct test_ssl_memio_ctx* test_ctx)
     test_ctx->c_cb.ssl_ready = test_ech_client_ssl_ready;
 
     ExpectIntEQ(test_ssl_memio_setup(test_ctx), TEST_SUCCESS);
+
     return EXPECT_RESULT();
 }
 
@@ -38392,6 +38409,7 @@ TEST_CASE testCases[] = {
     /* Uses Assert in handshake callback. */
     TEST_DECL(test_wolfSSL_Tls13_ECH),
     TEST_DECL(test_wolfSSL_Tls13_ECH_HRR),
+    TEST_DECL(test_wolfSSL_SubTls13_ECH),
 #endif
 #if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES)
     TEST_DECL(test_wolfSSL_Tls13_ECH_all_algos),