testing improvements (from #10542):

sebastian-carpenter · sebastian-carpenter · commit 4eef82dda157 · 2026-06-09T22:50:04.000-06:00
- *_wire_sni test is now more efficient
- openssl-ech workflow now does interop with ECH rejection

extra improvements:
- tested TLSX_EchSwapExtensions
- added ctx level SNI to padding calculation
diff --git a/.github/scripts/openssl-ech.sh b/.github/scripts/openssl-ech.sh
@@ -11,7 +11,7 @@ cleanup() {
 trap cleanup EXIT
 
 usage() {
-    echo "Usage: $0 <client|server> [--suite <KEM,KDF,AEAD>] [--pqc <group>] [--hrr] [--workspace <path>]"
+    echo "Usage: $0 <client|server> [--suite <KEM,KDF,AEAD>] [--pqc <group>] [--hrr] [--reject] [--workspace <path>]"
     exit 1
 }
 
@@ -22,6 +22,7 @@ MODE=""
 SUITE=""
 PQC=""
 FORCE_HRR=0
+REJECT=0
 
 WORKSPACE=${GITHUB_WORKSPACE:-"."}
 
@@ -51,6 +52,10 @@ while [ $# -gt 0 ]; do
             FORCE_HRR=1
             shift
             ;;
+        --reject)
+            REJECT=1
+            shift
+            ;;
         --workspace)
             [ -z "$2" ] && { echo "ERROR: --workspace requires a value"; exit 1; }
             WORKSPACE="$2"
@@ -84,9 +89,12 @@ WOLFSSL_CLIENT=${WOLFSSL_CLIENT:-"$WORKSPACE/examples/client/client"}
 WOLFSSL_SERVER=${WOLFSSL_SERVER:-"$WORKSPACE/examples/server/server"}
 CERT_DIR=${CERT_DIR:-"$WORKSPACE/certs"}
 
+# correct ECH config, but it's old, ECH will be rejected
+REJECT_ECH_CONFIG="AD7+DQA6rAAgACCATZdDlHed6GlDeiYsu3r7sdWUkLVHZuTa3lbOf+hIbAAEAAEAAQALZXhhbXBsZS5jb20AAA=="
+
 TMP_LOG="$WORKSPACE/tmp_file.log"
 PRIV_NAME="ech-private-name.com"
-PUB_NAME="ech-public-name.com"
+PUB_NAME="example.com"
 MAX_WAIT=50
 
 # --------------------------------------------------------------------------
@@ -128,6 +136,8 @@ openssl_server(){
 
     # parse ECH config from file
     ech_config=$(sed -n '/BEGIN ECHCONFIG/,/END ECHCONFIG/{/BEGIN ECHCONFIG\|END ECHCONFIG/d;p}' "$ech_file" | tr -d '\n')
+    # reject overrides the config the client connects with
+    [ "$REJECT" -ne 0 ] && ech_config="$REJECT_ECH_CONFIG"
     echo "parsed ech config: $ech_config" &>> "$TMP_LOG"
 
     # start OpenSSL ECH server with ephemeral port; line-buffer so the
@@ -158,17 +168,29 @@ openssl_server(){
     done
     echo "parsed port: $port" &>> "$TMP_LOG"
 
-    # test with wolfssl client
-    $WOLFSSL_CLIENT -v 4 \
-        -p "$port" \
-        -S "$PRIV_NAME" \
-        --ech "$ech_config" \
-        $wolfssl_extra \
-        &>> "$TMP_LOG"
-
     rm -f "$ech_file"
 
-    grep -q "ech_success=1" "$TMP_LOG"
+    # test with wolfssl client
+    if [ "$REJECT" -ne 0 ]; then
+        $WOLFSSL_CLIENT -v 4 \
+            -p "$port" \
+            -S "$PRIV_NAME" \
+            --ech "$ech_config" \
+            $wolfssl_extra \
+            &>> "$TMP_LOG" || true
+
+        grep -q "ECH offered but rejected by server" "$TMP_LOG"
+        grep -q "ech_success=0" "$TMP_LOG"
+    else
+        $WOLFSSL_CLIENT -v 4 \
+            -p "$port" \
+            -S "$PRIV_NAME" \
+            --ech "$ech_config" \
+            $wolfssl_extra \
+            &>> "$TMP_LOG"
+
+        grep -q "ech_success=1" "$TMP_LOG"
+    fi
 }
 
 # --------------------------------------------------------------------------
@@ -246,21 +268,39 @@ openssl_client(){
             exit 1
         fi
     done
+    # reject overrides the config the client connects with
+    [ "$REJECT" -ne 0 ] && ech_config="$REJECT_ECH_CONFIG"
     echo "parsed ech config: $ech_config" &>> "$TMP_LOG"
 
-    # test with OpenSSL s_client using ECH
-    echo "wolfssl" | $OPENSSL s_client \
-        -tls1_3 \
-        -connect "localhost:$port" \
-        -cert "$CERT_DIR/client-cert.pem" \
-        -key "$CERT_DIR/client-key.pem" \
-        -CAfile "$CERT_DIR/ca-cert.pem" \
-        -servername "$PRIV_NAME" \
-        -ech_config_list "$ech_config" \
-        $openssl_groups \
-        &>> "$TMP_LOG"
-
-    grep -q "ECH: success: 1" "$TMP_LOG"
+    if [ "$REJECT" -ne 0 ]; then
+        # test with OpenSSL s_client using ECH
+        echo "wolfssl" | $OPENSSL s_client \
+            -tls1_3 \
+            -connect "localhost:$port" \
+            -cert "$CERT_DIR/client-cert.pem" \
+            -key "$CERT_DIR/client-key.pem" \
+            -CAfile "$CERT_DIR/ca-cert.pem" \
+            -servername "$PRIV_NAME" \
+            -ech_config_list "$ech_config" \
+            $openssl_groups \
+            &>> "$TMP_LOG" || true
+
+        grep -q "ECH: Got 1 retry-configs" "$TMP_LOG"
+    else
+        # test with OpenSSL s_client using ECH
+        echo "wolfssl" | $OPENSSL s_client \
+            -tls1_3 \
+            -connect "localhost:$port" \
+            -cert "$CERT_DIR/client-cert.pem" \
+            -key "$CERT_DIR/client-key.pem" \
+            -CAfile "$CERT_DIR/ca-cert.pem" \
+            -servername "$PRIV_NAME" \
+            -ech_config_list "$ech_config" \
+            $openssl_groups \
+            &>> "$TMP_LOG"
+
+        grep -q "ECH: success: 1" "$TMP_LOG"
+    fi
 }
 
 rm -f "$TMP_LOG"
diff --git a/.github/workflows/openssl-ech.yml b/.github/workflows/openssl-ech.yml
@@ -167,6 +167,12 @@ jobs:
           echo -e "\nTesting weird suite with OpenSSL client and wolfSSL server\n" &>> "$LOG_FILE"
           bash ./openssl-ech.sh client --suite "18,1,2" &>> "$LOG_FILE"
 
+          echo -e "\nTesting rejection with OpenSSL server and wolfSSL client\n" &>> "$LOG_FILE"
+          bash ./openssl-ech.sh server --reject &>> "$LOG_FILE"
+
+          echo -e "\nTesting rejection with OpenSSL client and wolfSSL server\n" &>> "$LOG_FILE"
+          bash ./openssl-ech.sh client --reject &>> "$LOG_FILE"
+
           # cleanup
           rm -f "$LOG_FILE"
 
diff --git a/src/tls.c b/src/tls.c
@@ -2384,8 +2384,8 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, const byte* input, word16 length,
     word16 size = 0;
     word16 offset = 0;
     int cacheOnly = 0;
-    SNI *sni = NULL;
-    const char *hostName = NULL;
+    SNI* sni = NULL;
+    const char* hostName = NULL;
     byte type;
     byte matched;
 #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
@@ -2548,6 +2548,8 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, const byte* input, word16 length,
         TLSX_SNI_SetStatus(*writeList, type, (byte)matchStat);
 
         if (!cacheOnly) {
+            /* This is just a reimplementation of TLSX_SetResponse to accept a
+             * TLSX* instead */
             extension = TLSX_Find(*writeList, TLSX_SERVER_NAME);
 
             if (extension)
@@ -2672,8 +2674,8 @@ int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, word16 size,
     return WOLFSSL_SUCCESS;
 }
 
-#ifndef NO_WOLFSSL_SERVER
-
+/* client-side needs this function when ECH is enabled */
+#if !defined(NO_WOLFSSL_SERVER) || defined(HAVE_ECH)
 /** Tells the SNI requested by the client. */
 word16 TLSX_SNI_GetRequest(TLSX* extensions, byte type, void** data,
         byte ignoreStatus)
@@ -2693,7 +2695,9 @@ word16 TLSX_SNI_GetRequest(TLSX* extensions, byte type, void** data,
 
     return 0;
 }
+#endif
 
+#ifndef NO_WOLFSSL_SERVER
 /** Sets the options for a SNI object. */
 void TLSX_SNI_SetOptions(TLSX* extensions, byte type, byte options)
 {
@@ -14904,7 +14908,6 @@ static void TLSX_ECH_Free(WOLFSSL_ECH* ech, void* heap)
         ForceZero(ech->hpkeContext, sizeof(HpkeBaseContext));
         XFREE(ech->hpkeContext, heap, DYNAMIC_TYPE_TMP_BUFFER);
     }
-    TLSX_FreeAll(ech->extensions, heap);
 
     XFREE(ech, heap, DYNAMIC_TYPE_TMP_BUFFER);
     (void)heap;
@@ -15013,6 +15016,9 @@ int TLSX_FinalizeEch(WOLFSSL* ssl, WOLFSSL_ECH* ech, byte* aad, word32 aadLen)
 void TLSX_FreeAll(TLSX* list, void* heap)
 {
     TLSX* extension;
+#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
+    TLSX* echList = NULL;
+#endif
 
     while ((extension = list)) {
         list = extension->next;
@@ -15184,6 +15190,7 @@ void TLSX_FreeAll(TLSX* list, void* heap)
 #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
             case TLSX_ECH:
                 WOLFSSL_MSG("ECH extension free");
+                echList = ((WOLFSSL_ECH*)extension->data)->extensions;
                 ECH_FREE((WOLFSSL_ECH*)extension->data, heap);
                 break;
 #endif
@@ -15198,6 +15205,15 @@ void TLSX_FreeAll(TLSX* list, void* heap)
         }
 
         XFREE(extension, heap, DYNAMIC_TYPE_TLSX);
+
+#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
+        /* free ECH extensions here rather than in TLSX_ECH_Free to prevent
+         * flagging a recursive call chain */
+        if (list == NULL) {
+            list = echList;
+            echList = NULL;
+        }
+#endif
     }
 
     (void)heap;
@@ -16654,9 +16670,7 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
 /* Returns 1 if the extensions should be hidden for this write */
 static int TLSX_EchShouldHideInner(WOLFSSL_ECH* ech)
 {
-    if (ech == NULL || ech->type != ECH_TYPE_OUTER)
-        return 0;
-    return 1;
+    return ech != NULL && ech->type == ECH_TYPE_OUTER;
 }
 
 /* Swap matching extension types between *sslExts and *echExts.
@@ -16668,7 +16682,7 @@ static int TLSX_EchShouldHideInner(WOLFSSL_ECH* ech)
  * popCount extensions are 'reversed' off the list.
  *
  * Returns a count of extensions prepended to sslExts. */
-static word16 TLSX_EchSwapExtensions(TLSX** sslExts, TLSX** echExts,
+WOLFSSL_TEST_VIS word16 TLSX_EchSwapExtensions(TLSX** sslExts, TLSX** echExts,
     word16 popCount)
 {
     TLSX* chunk = NULL;
diff --git a/src/tls13.c b/src/tls13.c
@@ -4843,7 +4843,11 @@ int SendTls13ClientHello(WOLFSSL* ssl)
             /* calculate padding (RFC 9849, section 6.1.3) */
             nameLen = TLSX_SNI_GetRequest(ssl->extensions,
                 WOLFSSL_SNI_HOST_NAME, &hostName, 1);
-            if (hostName != NULL) {
+            if (nameLen == 0 && ssl->ctx != NULL)
+                nameLen = TLSX_SNI_GetRequest(ssl->ctx->extensions,
+                    WOLFSSL_SNI_HOST_NAME, &hostName, 1);
+
+            if (nameLen != 0) {
                 if (nameLen > args->ech->echConfig->maxNameLen)
                     args->ech->paddingLen = 0;
                 else
diff --git a/tests/api.c b/tests/api.c
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
