Write ECH last in HRR to promote interop

sebastian-carpenter · sebastian-carpenter · commit 15b8c88bf6a7 · 2026-05-07T10:10:00.000-06:00
diff --git a/.github/scripts/openssl-ech.sh b/.github/scripts/openssl-ech.sh
@@ -15,6 +15,9 @@ usage() {
     exit 1
 }
 
+# --------------------------------------------------------------------------
+# Argument parsing
+# --------------------------------------------------------------------------
 MODE=""
 SUITE=""
 PQC=""
@@ -38,24 +41,21 @@ while [ $# -gt 0 ]; do
             [ -z "$2" ] && { echo "ERROR: --suite requires a value"; exit 1; }
             SUITE="$2"
             shift 2
-            echo ""
-            echo "Using suite: $SUITE"
-            echo ""
             ;;
         --pqc)
             [ -z "$2" ] && { echo "ERROR: --pqc requires a value"; exit 1; }
             PQC="$2"
             shift 2
             ;;
+        --hrr)
+            FORCE_HRR=1
+            shift
+            ;;
         --workspace)
             [ -z "$2" ] && { echo "ERROR: --workspace requires a value"; exit 1; }
             WORKSPACE="$2"
             shift 2
             ;;
-        --hrr)
-            FORCE_HRR=1
-            shift
-            ;;
         *) echo "Unknown argument: $1"; usage ;;
     esac
 done
@@ -65,6 +65,20 @@ if [ "$FORCE_HRR" -ne 0 ] && [ -n "$PQC" ]; then
     exit 1
 fi
 
+# Pick exactly one test variant. The variant decides which -groups go to
+# each side and any extra flags needed to drive the desired handshake.
+#   default - both sides use secp256r1 (no HRR)
+#   pqc     - both sides use the chosen PQC group
+#   hrr     - pin one side to a group the other doesn't keyshare by
+#             default, forcing the server to send HelloRetryRequest
+if [ -n "$PQC" ]; then
+    VARIANT="pqc"
+elif [ "$FORCE_HRR" -ne 0 ]; then
+    VARIANT="hrr"
+else
+    VARIANT="default"
+fi
+
 OPENSSL=${OPENSSL:-"openssl"}
 WOLFSSL_CLIENT=${WOLFSSL_CLIENT:-"$WORKSPACE/examples/client/client"}
 WOLFSSL_SERVER=${WOLFSSL_SERVER:-"$WORKSPACE/examples/server/server"}
@@ -75,30 +89,49 @@ PRIV_NAME="ech-private-name.com"
 PUB_NAME="ech-public-name.com"
 MAX_WAIT=50
 
+# --------------------------------------------------------------------------
+# server mode -- OpenSSL is the server, wolfSSL is the client
+# --------------------------------------------------------------------------
 openssl_server(){
     local ech_file="$WORKSPACE/ech_config.pem"
     local ech_config=""
     local port=""
-    local groups_arg=""
 
-    # restrict group based on arguments
-    if [ "$FORCE_HRR" -eq 0 ]; then
-        groups_arg="-groups secp256r1"
-        if [ -n "$PQC" ]; then
-            groups_arg="-groups ${PQC#--pqc }"
-        fi
-    fi
+    # Per-variant args.
+    #   openssl_groups : -groups passed to OpenSSL s_server
+    #   openssl_suite  : -suite passed to `openssl ech` for key generation
+    #   wolfssl_extra  : extra flags for the wolfSSL client
+    local openssl_groups=""
+    local openssl_suite=""
+    local wolfssl_extra=""
+
+    case "$VARIANT" in
+        default)
+            openssl_groups="-groups secp256r1"
+            ;;
+        pqc)
+            openssl_groups="-groups $PQC"
+            wolfssl_extra="--pqc $PQC"
+            ;;
+        hrr)
+            # wolfSSL client keyshares X25519 by default; pin OpenSSL
+            # server to secp384r1 so it must send HelloRetryRequest.
+            openssl_groups="-groups secp384r1"
+            ;;
+    esac
+    [ -n "$SUITE" ] && openssl_suite="-suite $SUITE"
 
     rm -f "$ech_file"
 
-    $OPENSSL ech -public_name "$PUB_NAME" -out "$ech_file" $SUITE &>> "$TMP_LOG"
+    $OPENSSL ech -public_name "$PUB_NAME" -out "$ech_file" $openssl_suite \
+        &>> "$TMP_LOG"
 
     # parse ECH config from file
     ech_config=$(sed -n '/BEGIN ECHCONFIG/,/END ECHCONFIG/{/BEGIN ECHCONFIG\|END ECHCONFIG/d;p}' "$ech_file" | tr -d '\n')
     echo "parsed ech config: $ech_config" &>> "$TMP_LOG"
 
-    # start OpenSSL ECH server with ephemeral port and make sure it is
-    # line-buffered
+    # start OpenSSL ECH server with ephemeral port; line-buffer so the
+    # log can be grepped
     stdbuf -oL $OPENSSL s_server \
         -tls1_3 \
         -cert "$CERT_DIR/server-cert.pem" \
@@ -107,7 +140,7 @@ openssl_server(){
         -key2 "$CERT_DIR/server-key.pem" \
         -ech_key "$ech_file" \
         -servername "$PRIV_NAME" \
-        $groups_arg \
+        $openssl_groups \
         -accept 0 \
         -naccept 1 \
         &>> "$TMP_LOG" <<< "wolfssl!" &
@@ -130,31 +163,61 @@ openssl_server(){
         -p "$port" \
         -S "$PRIV_NAME" \
         --ech "$ech_config" \
-        $PQC \
+        $wolfssl_extra \
         &>> "$TMP_LOG"
 
     rm -f "$ech_file"
 
     grep -q "ech_success=1" "$TMP_LOG"
 }
 
+# --------------------------------------------------------------------------
+# client mode -- wolfSSL is the server, OpenSSL is the client
+# --------------------------------------------------------------------------
 openssl_client(){
     local ready_file="$WORKSPACE/wolfssl_tls13_ready$$"
     local ech_config=""
     local port=0
 
+    # Per-variant args.
+    #   openssl_groups : -groups passed to OpenSSL s_client
+    #   wolfssl_suite  : --ech-suite passed to wolfSSL server for key gen
+    #   wolfssl_extra  : extra flags for the wolfSSL server
+    local openssl_groups=""
+    local wolfssl_suite=""
+    local wolfssl_extra=""
+
+    case "$VARIANT" in
+        default)
+            openssl_groups="-groups secp256r1"
+            ;;
+        pqc)
+            openssl_groups="-groups $PQC"
+            wolfssl_extra="--pqc $PQC"
+            ;;
+        hrr)
+            # Pin wolfSSL server to SECP384R1 only. Have OpenSSL offer
+            # X25519 as keyshare with P-384 in supported_groups: the
+            # mismatched keyshare forces HelloRetryRequest, and P-384 in
+            # supported_groups lets the client answer it.
+            openssl_groups="-groups X25519:P-384"
+            wolfssl_extra="--force-curve SECP384R1"
+            ;;
+    esac
+    [ -n "$SUITE" ] && wolfssl_suite="--ech-suite $SUITE"
+
     rm -f "$ready_file"
 
-    # start server with ephemeral port + ready file
-    # also set server to be line buffered so the log can be grepped
+    # start server with ephemeral port + ready file; line-buffer so the
+    # log can be grepped
     stdbuf -oL $WOLFSSL_SERVER \
                 -v 4 \
                 -R "$ready_file" \
                 -p "$port" \
                 -S "$PRIV_NAME" \
                 --ech "$PUB_NAME" \
-                $SUITE \
-                $PQC \
+                $wolfssl_suite \
+                $wolfssl_extra \
                 &>> "$TMP_LOG" &
 
     # wait for server to be ready, then get port
@@ -185,14 +248,6 @@ openssl_client(){
     done
     echo "parsed ech config: $ech_config" &>> "$TMP_LOG"
 
-    # restrict group based on arguments
-    local groups_arg="-groups secp256r1"
-    if [ -n "$PQC" ]; then
-        groups_arg="-groups ${PQC#--pqc }"
-    elif [ "$FORCE_HRR" -ne 0 ]; then
-        groups_arg=""
-    fi
-
     # test with OpenSSL s_client using ECH
     echo "wolfssl" | $OPENSSL s_client \
         -tls1_3 \
@@ -202,7 +257,7 @@ openssl_client(){
         -CAfile "$CERT_DIR/ca-cert.pem" \
         -servername "$PRIV_NAME" \
         -ech_config_list "$ech_config" \
-        $groups_arg \
+        $openssl_groups \
         &>> "$TMP_LOG"
 
     grep -q "ECH: success: 1" "$TMP_LOG"
@@ -211,25 +266,7 @@ openssl_client(){
 rm -f "$TMP_LOG"
 
 case "$MODE" in
-    server)
-        if [ -n "$SUITE" ]; then
-            SUITE="-suite $SUITE"
-        fi
-        if [ -n "$PQC" ]; then
-            PQC="--pqc $PQC"
-        fi
-        openssl_server
-        ;;
-    client)
-        if [ -n "$SUITE" ]; then
-            SUITE="--ech-suite $SUITE"
-        fi
-        if [ -n "$PQC" ]; then
-            PQC="--pqc $PQC"
-        fi
-        openssl_client
-        ;;
-    *)
-        exit 1
-        ;;
+    server) openssl_server ;;
+    client) openssl_client ;;
+    *)      exit 1 ;;
 esac
diff --git a/src/tls.c b/src/tls.c
@@ -17064,11 +17064,6 @@ int TLSX_WriteResponse(WOLFSSL *ssl, byte* output, byte msgType, word16* pOffset
                     TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
                 }
         #endif
-#ifdef HAVE_ECH
-                /* send the special confirmation */
-                TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_ECH));
-#endif
-                /* Cookie is written below as last extension. */
                 break;
     #endif
 
@@ -17152,6 +17147,18 @@ int TLSX_WriteResponse(WOLFSSL *ssl, byte* output, byte msgType, word16* pOffset
         }
 #endif
 
+#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
+        /* write ECH last to promote interop with other implementations */
+        if (msgType == hello_retry_request) {
+            XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
+            TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_ECH));
+            ret = TLSX_Write(ssl->extensions, output + offset, semaphore,
+                             msgType, &offset);
+            if (ret != 0)
+                return ret;
+        }
+#endif
+
 #ifdef HAVE_EXTENDED_MASTER
         if (ssl->options.haveEMS && msgType == server_hello &&
                                               !IsAtLeastTLSv1_3(ssl->version)) {
