skip ECH decrypt when ECH was rejected

sebastian-carpenter · sebastian-carpenter · commit 04bd3a7b3882 · 2026-04-17T11:34:10.000-06:00
diff --git a/src/internal.c b/src/internal.c
@@ -16909,7 +16909,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 
                 domainName = (char*)ssl->buffers.domainName.buffer;
             #if !defined(NO_WOLFSSL_CLIENT) && defined(HAVE_ECH)
-                /* RFC 9849 s6.1.7: ECH was offered but rejected by the server..
+                /* RFC 9849 s6.1.7: ECH offered but rejected by the server...
                  * verify cert is valid for ECHConfig.public_name */
                 if (ssl->options.side == WOLFSSL_CLIENT_END &&
                         ssl->echConfigs != NULL &&
diff --git a/src/tls.c b/src/tls.c
@@ -14082,7 +14082,7 @@ static int TLSX_ECH_ExpandOuterExtensions(WOLFSSL* ssl, WOLFSSL_ECH* ech,
     int foundEchOuter = 0;
     word16 numOuterRefs = 0;
     const byte* outerRefTypes = NULL;
-    word32 extraSize;
+    word32 extraSize = 0;
     byte* newInnerCh = NULL;
     byte* newInnerChRef;
     word32 newInnerChLen;
@@ -14408,6 +14408,14 @@ static int TLSX_ECH_Parse(WOLFSSL* ssl, const byte* readBuf, word16 size,
             return BAD_FUNC_ARG;
         ech = (WOLFSSL_ECH*)echX->data;
 
+        /* if the first ECH was rejected or CH1 did not have ECH then there is
+         * no need to decrypt this one */
+        if (!ssl->options.echAccepted && ssl->options.serverState ==
+                SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
+            ech->state = ECH_WRITE_RETRY_CONFIGS;
+            return 0;
+        }
+
         /* read the ech parameters before the payload */
         ech->type = *readBuf_p;
         readBuf_p++;
diff --git a/src/tls13.c b/src/tls13.c
@@ -5778,7 +5778,7 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
         }
         else {
 #if defined(HAVE_ECH)
-            /* do not resume when outerHandshake will be negotiated  */
+            /* do not resume when outerHandshake will be negotiated */
             if (ssl->echConfigs != NULL && !ssl->options.disableECH &&
                     !ssl->options.echAccepted) {
                 WOLFSSL_MSG("ECH rejected but server negotiated PSK");
diff --git a/tests/api.c b/tests/api.c
@@ -15141,9 +15141,9 @@ static int test_wolfSSL_Tls13_ECH_retry_configs_auth_fail(void)
     EXPECT_DECLS;
 
     ExpectIntEQ(test_wolfSSL_Tls13_ECH_retry_configs_auth_fail_ex(0),
-        WOLFSSL_SUCCESS);
+        TEST_SUCCESS);
     ExpectIntEQ(test_wolfSSL_Tls13_ECH_retry_configs_auth_fail_ex(1),
-        WOLFSSL_SUCCESS);
+        TEST_SUCCESS);
 
     return EXPECT_RESULT();
 }

Original file line number	Diff line number	Diff line change
`@@ -5778,7 +5778,7 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,`
`5778`	`5778`	`}`
`5779`	`5779`	`else {`
`5780`	`5780`	`#if defined(HAVE_ECH)`
`5781`		`- /* do not resume when outerHandshake will be negotiated */`
	`5781`	`+ /* do not resume when outerHandshake will be negotiated */`
`5782`	`5782`	`if (ssl->echConfigs != NULL && !ssl->options.disableECH &&`
`5783`	`5783`	`!ssl->options.echAccepted) {`
`5784`	`5784`	`WOLFSSL_MSG("ECH rejected but server negotiated PSK");`