@@ -2362,6 +2362,7 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, const byte* input, word16 length,
23622362 word16 offset = 0;
23632363 int cacheOnly = 0;
23642364 SNI *sni = NULL;
2365+ const char *hostName = NULL;
23652366 byte type;
23662367 byte matched;
23672368#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
@@ -2464,14 +2465,14 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, const byte* input, word16 length,
24642465 return 0;
24652466#endif
24662467
2467- {
2468- const char* hostName = (sni != NULL) ? sni->data.host_name : NULL;
2469- matched = cacheOnly || (hostName != NULL &&
2470- XSTRLEN(hostName) == size &&
2471- XSTRNCMP(hostName, (const char*)input + offset, size) == 0);
2472- }
2468+ hostName = (sni != NULL) ? sni->data.host_name : NULL;
2469+ matched = (hostName != NULL &&
2470+ XSTRLEN(hostName) == size &&
2471+ XSTRNCMP(hostName, (const char*)input + offset, size) == 0);
24732472
24742473#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
2474+ /* While parsing the outer CH accept a match against any
2475+ * echConfig publicName */
24752476 if (!matched && ech != NULL && !ssl->options.echProcessingInner) {
24762477 workingConfig = ech->echConfig;
24772478 while (workingConfig != NULL) {
@@ -2482,9 +2483,17 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, const byte* input, word16 length,
24822483 break;
24832484 workingConfig = workingConfig->next;
24842485 }
2486+
2487+ /* If a publicName is matched then this SNI is not something that should
2488+ * be forcibly cached */
2489+ if (matched)
2490+ cacheOnly = 0;
24852491 }
24862492#endif
24872493
2494+ if (!matched)
2495+ matched = cacheOnly;
2496+
24882497 if (matched ||
24892498 (sni != NULL && (sni->options & WOLFSSL_SNI_ANSWER_ON_MISMATCH))) {
24902499 int matchStat;
@@ -13703,6 +13712,7 @@ static int TLSX_ECH_Use(WOLFSSL_EchConfig* echConfig, TLSX** extensions,
1370313712 XFREE(ech, heap, DYNAMIC_TYPE_TMP_BUFFER);
1370413713 return MEMORY_E;
1370513714 }
13715+ ForceZero(ech->hpke, sizeof(Hpke));
1370613716 ret = wc_HpkeInit(ech->hpke, ech->kemId, ech->cipherSuite.kdfId,
1370713717 ech->cipherSuite.aeadId, heap);
1370813718 /* setup the ephemeralKey */
@@ -16417,11 +16427,11 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
1641716427
1641816428#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
1641916429/* Returns 1 if the extensions should be hidden for this write */
16420- static int TLSX_EchShouldHideInner(WOLFSSL* ssl, WOLFSSL_ECH* ech)
16430+ static int TLSX_EchShouldHideInner(WOLFSSL_ECH* ech)
1642116431{
1642216432 if (ech == NULL || ech->type != ECH_TYPE_OUTER)
1642316433 return 0;
16424- return ssl->options.echAccepted || ech->innerCount == 0 ;
16434+ return 1 ;
1642516435}
1642616436
1642716437/* Swap matching extension types between *sslExts and *echExts.
@@ -16442,7 +16452,7 @@ static word16 TLSX_EchSwapExtensions(TLSX** sslExts, TLSX** echExts,
1644216452 TLSX* inner;
1644316453 TLSX** outerLink;
1644416454 TLSX** innerLink;
16445- word16 appended = 0;
16455+ word16 prepended = 0;
1644616456
1644716457 /* unhook popCount nodes off *sslExts head into chunk.
1644816458 * Head-prepend undoes the reversal caused by appending onto sslExts. */
@@ -16477,19 +16487,19 @@ static word16 TLSX_EchSwapExtensions(TLSX** sslExts, TLSX** echExts,
1647716487 *outerLink = outer->next;
1647816488 outer->next = *sslExts;
1647916489 *sslExts = outer;
16480- appended ++;
16490+ prepended ++;
1648116491 }
1648216492 }
1648316493
1648416494 /* outerLink is at the tail of *echExts; append the chunk */
1648516495 *outerLink = chunk;
1648616496
16487- return appended ;
16497+ return prepended ;
1648816498}
1648916499
1649016500/* If ECH is accepted, delete ech->extensions
16491- * If rejected, replace matching ssl->extensions with ech->extensions, appending
16492- * to head if necessary */
16501+ * If rejected, replace matching ssl->extensions with ech->extensions,
16502+ * prepending to head if necessary */
1649316503void TLSX_EchReplaceExtensions(WOLFSSL* ssl, byte accepted)
1649416504{
1649516505 TLSX* echX;
@@ -16618,25 +16628,20 @@ static int TLSX_GetSizeWithEch(WOLFSSL* ssl, byte* semaphore, byte msgType,
1661816628 TLSX* echX = NULL;
1661916629 WOLFSSL_ECH* ech = NULL;
1662016630 word16 count = 0;
16621- word16 appended = 0;
16631+ word16 prepended = 0;
1662216632 byte installed = 0;
1662316633
1662416634 if (ssl->extensions)
1662516635 echX = TLSX_Find(ssl->extensions, TLSX_ECH);
16626- if (echX == NULL && ssl->ctx && ssl->ctx->extensions)
16627- echX = TLSX_Find(ssl->ctx->extensions, TLSX_ECH);
1662816636 if (echX != NULL)
1662916637 ech = (WOLFSSL_ECH*)echX->data;
1663016638
16631- if (TLSX_EchShouldHideInner(ssl, ech)) {
16632- appended = TLSX_EchSwapExtensions(&ssl->extensions,
16639+ if (TLSX_EchShouldHideInner(ech)) {
16640+ prepended = TLSX_EchSwapExtensions(&ssl->extensions,
1663316641 &ech->extensions, 0);
1663416642 installed = 1;
1663516643 }
1663616644
16637- if (echX != NULL)
16638- ech = (WOLFSSL_ECH*)echX->data;
16639-
1664016645 /* If ECH won't be written exclude it from the size calculation */
1664116646 if (!ssl->options.echAccepted && ech != NULL && ech->innerCount != 0) {
1664216647 TURN_ON(semaphore, TLSX_ToSemaphore(echX->type));
@@ -16653,9 +16658,13 @@ static int TLSX_GetSizeWithEch(WOLFSSL* ssl, byte* semaphore, byte msgType,
1665316658 if (ret == 0 && ssl->ctx && ssl->ctx->extensions)
1665416659 ret = TLSX_GetSize(ssl->ctx->extensions, semaphore, msgType, pLength);
1665516660
16656- if (installed)
16657- (void)TLSX_EchSwapExtensions(&ssl->extensions, &ech->extensions,
16658- appended);
16661+ if (installed) {
16662+ prepended = TLSX_EchSwapExtensions(&ssl->extensions, &ech->extensions,
16663+ prepended);
16664+ if (ret == 0 && prepended != 0) {
16665+ ret = BAD_STATE_E;
16666+ }
16667+ }
1665916668 return ret;
1666016669}
1666116670#endif
@@ -16789,18 +16798,16 @@ static int TLSX_WriteWithEch(WOLFSSL* ssl, byte* output, byte* semaphore,
1678916798 int ret = 0;
1679016799 TLSX* echX = NULL;
1679116800 WOLFSSL_ECH* ech = NULL;
16792- word16 appended = 0;
16801+ word16 prepended = 0;
1679316802 byte installed = 0;
1679416803
1679516804 if (ssl->extensions)
1679616805 echX = TLSX_Find(ssl->extensions, TLSX_ECH);
16797- if (echX == NULL && ssl->ctx && ssl->ctx->extensions)
16798- echX = TLSX_Find(ssl->ctx->extensions, TLSX_ECH);
1679916806 if (echX != NULL)
1680016807 ech = (WOLFSSL_ECH*)echX->data;
1680116808
16802- if (TLSX_EchShouldHideInner(ssl, ech)) {
16803- appended = TLSX_EchSwapExtensions(&ssl->extensions,
16809+ if (TLSX_EchShouldHideInner(ech)) {
16810+ prepended = TLSX_EchSwapExtensions(&ssl->extensions,
1680416811 &ech->extensions, 0);
1680516812 installed = 1;
1680616813 }
@@ -16853,7 +16860,7 @@ static int TLSX_WriteWithEch(WOLFSSL* ssl, byte* output, byte* semaphore,
1685316860 }
1685416861
1685516862 /* only write ECH if there is a shot at acceptance */
16856- if (ret == 0 && echX != NULL &&
16863+ if (ret == 0 && ech != NULL &&
1685716864 (ssl->options.echAccepted || ech->innerCount == 0)) {
1685816865 /* turn off and write it last */
1685916866 TURN_OFF(semaphore, TLSX_ToSemaphore(echX->type));
@@ -16869,9 +16876,13 @@ static int TLSX_WriteWithEch(WOLFSSL* ssl, byte* output, byte* semaphore,
1686916876 }
1687016877 }
1687116878
16872- if (installed)
16873- (void)TLSX_EchSwapExtensions(&ssl->extensions, &ech->extensions,
16874- appended);
16879+ if (installed) {
16880+ prepended = TLSX_EchSwapExtensions(&ssl->extensions, &ech->extensions,
16881+ prepended);
16882+ if (ret == 0 && prepended != 0) {
16883+ ret = BAD_STATE_E;
16884+ }
16885+ }
1687516886 return ret;
1687616887}
1687716888#endif
0 commit comments