Skip to content

Commit c309f5e

Browse files
sebastian-carpentersebastian-carpenter
committed
better errors when setting ech configs
1 parent 79e783b commit c309f5e

File tree

3 files changed

+23
-7
lines changed

3 files changed

+23
-7
lines changed

src/ssl_ech.c

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -513,6 +513,7 @@ int SetEchConfigsEx(WOLFSSL_EchConfig** outputConfigs, void* heap,
513513
const byte* echConfigs, word32 echConfigsLen)
514514
{
515515
int ret = 0;
516+
int unsupportedAlgos = 0;
516517
word32 configIdx;
517518
word32 idx;
518519
int j;
@@ -704,6 +705,7 @@ int SetEchConfigsEx(WOLFSSL_EchConfig** outputConfigs, void* heap,
704705
* config and then try to parse another */
705706
if (ret > 0 || EchConfigGetSupportedCipherSuite(workingConfig) < 0) {
706707
ret = 0;
708+
unsupportedAlgos = 1;
707709
XFREE(workingConfig->cipherSuites, heap, DYNAMIC_TYPE_TMP_BUFFER);
708710
XFREE(workingConfig->publicName, heap, DYNAMIC_TYPE_TMP_BUFFER);
709711
XFREE(workingConfig->raw, heap, DYNAMIC_TYPE_TMP_BUFFER);
@@ -739,8 +741,11 @@ int SetEchConfigsEx(WOLFSSL_EchConfig** outputConfigs, void* heap,
739741
XFREE(lastConfig, heap, DYNAMIC_TYPE_TMP_BUFFER);
740742
}
741743

744+
/* syntactically correct but configs are not supported */
745+
if (ret == 0 && unsupportedAlgos)
746+
return UNSUPPORTED_SUITE;
742747
if (ret == 0)
743-
return WOLFSSL_FATAL_ERROR;
748+
return UNSUPPORTED_PROTO_VERSION;
744749

745750
return ret;
746751
}

src/tls.c

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -14281,6 +14281,10 @@ static int TLSX_ECH_Parse(WOLFSSL* ssl, const byte* readBuf, word16 size,
1428114281
}
1428214282

1428314283
ret = SetRetryConfigs(ssl, readBuf, (word32)size);
14284+
if (ret == UNSUPPORTED_SUITE || ret == UNSUPPORTED_PROTO_VERSION) {
14285+
WOLFSSL_ERROR_VERBOSE(ret);
14286+
ret = 0;
14287+
}
1428414288

1428514289
if (ssl->echConfigs == NULL) {
1428614290
/* on GREASE connection configs must be checked syntactically and
@@ -16182,8 +16186,7 @@ static int TLSX_GetSizeWithEch(WOLFSSL* ssl, byte* semaphore, byte msgType,
1618216186
WC_ALLOC_VAR_EX(serverName, char, WOLFSSL_HOST_NAME_MAX, NULL,
1618316187
DYNAMIC_TYPE_TMP_BUFFER, return MEMORY_E);
1618416188
r = TLSX_EchChangeSNI(ssl, &echX, serverName, &serverNameX, &extensions);
16185-
/* If ECH won't be written (mirrors guard in TLSX_WriteWithEch), exclude it
16186-
* from the size calculation to avoid a size/write mismatch */
16189+
/* If ECH won't be written exclude it from the size calculation */
1618716190
if (r == 0 && echX != NULL &&
1618816191
!ssl->options.echAccepted &&
1618916192
((WOLFSSL_ECH*)echX->data)->innerCount != 0) {

tests/api.c

Lines changed: 12 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -14369,6 +14369,8 @@ static int test_wolfSSL_Tls13_ECH_params_b64(void)
1436914369
#if !defined(NO_WOLFSSL_CLIENT)
1437014370
/* base64 ech configs from cloudflare-ech.com (these are good configs) */
1437114371
const char* b64Valid = "AEX+DQBBFAAgACBuAoQI8+liEVYQbXKBDeVgTmF2rfXuKO2knhwrN7jgTgAEAAEAAQASY2xvdWRmbGFyZS1lY2guY29tAAA=";
14372+
/* ech configs with bad version */
14373+
const char* b64BadVers = "AEX+/gBBFAAgACBuAoQI8+liEVYQbXKBDeVgTmF2rfXuKO2knhwrN7jgTgAEAAEAAQASY2xvdWRmbGFyZS1lY2guY29tAAA=";
1437214374
/* ech configs with bad/unsupported algorithm */
1437314375
const char* b64BadAlgo = "AEX+DQBBFP7+ACBuAoQI8+liEVYQbXKBDeVgTmF2rfXuKO2knhwrN7jgTgAEAAEAAQASY2xvdWRmbGFyZS1lY2guY29tAAA=";
1437414376
/* ech configs with bad/unsupported ciphersuite */
@@ -14406,16 +14408,22 @@ static int test_wolfSSL_Tls13_ECH_params_b64(void)
1440614408
ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigsBase64(ssl,
1440714409
b64Valid, 0));
1440814410

14411+
/* bad version */
14412+
ExpectIntEQ(UNSUPPORTED_PROTO_VERSION, wolfSSL_CTX_SetEchConfigsBase64(ctx,
14413+
b64BadVers, (word32)XSTRLEN(b64BadVers)));
14414+
ExpectIntEQ(UNSUPPORTED_PROTO_VERSION, wolfSSL_SetEchConfigsBase64(ssl,
14415+
b64BadVers, (word32)XSTRLEN(b64BadVers)));
14416+
1440914417
/* bad algorithm */
14410-
ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetEchConfigsBase64(ctx,
14418+
ExpectIntEQ(UNSUPPORTED_SUITE, wolfSSL_CTX_SetEchConfigsBase64(ctx,
1441114419
b64BadAlgo, (word32)XSTRLEN(b64BadAlgo)));
14412-
ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigsBase64(ssl,
14420+
ExpectIntEQ(UNSUPPORTED_SUITE, wolfSSL_SetEchConfigsBase64(ssl,
1441314421
b64BadAlgo, (word32)XSTRLEN(b64BadAlgo)));
1441414422

1441514423
/* bad ciphersuite */
14416-
ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_CTX_SetEchConfigsBase64(ctx,
14424+
ExpectIntEQ(UNSUPPORTED_SUITE, wolfSSL_CTX_SetEchConfigsBase64(ctx,
1441714425
b64BadCiph, (word32)XSTRLEN(b64BadCiph)));
14418-
ExpectIntNE(WOLFSSL_SUCCESS, wolfSSL_SetEchConfigsBase64(ssl,
14426+
ExpectIntEQ(UNSUPPORTED_SUITE, wolfSSL_SetEchConfigsBase64(ssl,
1441914427
b64BadCiph, (word32)XSTRLEN(b64BadCiph)));
1442014428

1442114429
/* unrecognized mandatory extension */

0 commit comments

Comments
 (0)