Skip to content

Commit f6bc398

Browse files
sebastian-carpentersebastian-carpenter
committed
tls ech padding improvements
1 parent 7d1516f commit f6bc398

5 files changed

Lines changed: 40 additions & 10 deletions

File tree

src/ssl_ech.c

Lines changed: 17 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -32,6 +32,15 @@
3232
/* create the hpke key and ech config to send to clients */
3333
int wolfSSL_CTX_GenerateEchConfig(WOLFSSL_CTX* ctx, const char* publicName,
3434
word16 kemId, word16 kdfId, word16 aeadId)
35+
{
36+
return wolfSSL_CTX_GenerateEchConfigEx(ctx, publicName, kemId, kdfId,
37+
aeadId, 0);
38+
}
39+
40+
/* create the hpke key and ech config to send to clients
41+
* maximum_name_length may also be set for a more stable padding length */
42+
int wolfSSL_CTX_GenerateEchConfigEx(WOLFSSL_CTX* ctx, const char* publicName,
43+
word16 kemId, word16 kdfId, word16 aeadId, byte maxNameLen)
3544
{
3645
int ret = 0;
3746
WOLFSSL_EchConfig* newConfig;
@@ -129,8 +138,8 @@ int wolfSSL_CTX_GenerateEchConfig(WOLFSSL_CTX* ctx, const char* publicName,
129138
ret = MEMORY_E;
130139
}
131140
else {
132-
XMEMCPY(newConfig->publicName, publicName,
133-
XSTRLEN(publicName) + 1);
141+
XMEMCPY(newConfig->publicName, publicName, XSTRLEN(publicName) + 1);
142+
newConfig->maxNameLen = maxNameLen;
134143
}
135144
}
136145

@@ -418,8 +427,8 @@ int GetEchConfig(WOLFSSL_EchConfig* config, byte* output, word32* outputLen)
418427
output += 2;
419428
}
420429

421-
/* set maximum name length to 0 */
422-
*output = 0;
430+
/* maximum name len */
431+
*output = config->maxNameLen;
423432
output++;
424433

425434
/* publicName len */
@@ -430,7 +439,7 @@ int GetEchConfig(WOLFSSL_EchConfig* config, byte* output, word32* outputLen)
430439
XMEMCPY(output, config->publicName, publicNameLen);
431440
output += publicNameLen;
432441

433-
/* terminating zeros */
442+
/* no extensions, print zeros */
434443
c16toa(0, output);
435444
/* output += 2; */
436445

@@ -656,11 +665,12 @@ int SetEchConfigsEx(WOLFSSL_EchConfig** outputConfigs, void* heap,
656665
idx += 4;
657666
}
658667

659-
/* ignore maximum name length */
668+
/* maxNameLen */
660669
if (idx + 1 > length) {
661670
ret = BUFFER_E;
662671
break;
663672
}
673+
workingConfig->maxNameLen = echConfig[idx];
664674
idx += 1;
665675

666676
/* publicName */
@@ -701,7 +711,7 @@ int SetEchConfigsEx(WOLFSSL_EchConfig** outputConfigs, void* heap,
701711
}
702712

703713
ret = EchConfigCheckExtensions(echConfig + idx, extensionsLen);
704-
if (ret < 0)
714+
if (ret < 0 && ret != WC_NO_ERR_TRACE(UNSUPPORTED_EXTENSION))
705715
break;
706716

707717
/* KEM, ciphersuite, or mandatory extension not supported, free this

src/tls13.c

Lines changed: 15 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4817,9 +4817,23 @@ int SendTls13ClientHello(WOLFSSL* ssl)
48174817
if (ret != 0)
48184818
return ret;
48194819

4820+
/* calculate padding (RFC 9849, section 6.1.3) */
4821+
if (args->ech->privateName != NULL) {
4822+
word16 nameLen = (word16)XSTRLEN(args->ech->privateName);
4823+
if (nameLen > args->ech->echConfig->maxNameLen)
4824+
args->ech->paddingLen = 0;
4825+
else
4826+
args->ech->paddingLen =
4827+
(word16)args->ech->echConfig->maxNameLen - nameLen;
4828+
}
4829+
else {
4830+
args->ech->paddingLen = args->ech->echConfig->maxNameLen + 9;
4831+
}
4832+
48204833
/* innerClientHelloLen and padding are based on the
48214834
* encoded (sealed) inner */
4822-
args->ech->paddingLen = 31 - ((encodedLen - 1) % 32);
4835+
args->ech->paddingLen += 31 -
4836+
((encodedLen + args->ech->paddingLen - 1) % 32);
48234837
args->ech->innerClientHelloLen = encodedLen +
48244838
args->ech->paddingLen + args->ech->hpke->Nt;
48254839

tests/api.c

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -15066,8 +15066,10 @@ static int test_ech_server_ctx_ready(WOLFSSL_CTX* ctx)
1506615066
{
1506715067
int ret;
1506815068

15069-
ret = wolfSSL_CTX_GenerateEchConfig(ctx, echCbTestPublicName,
15070-
echCbTestKemID, echCbTestKdfID, echCbTestAeadID);
15069+
/* +20 for this isn't significant, it just exercises the padding code */
15070+
ret = wolfSSL_CTX_GenerateEchConfigEx(ctx, echCbTestPublicName,
15071+
echCbTestKemID, echCbTestKdfID, echCbTestAeadID,
15072+
XSTRLEN(echCbTestPublicName) + 20);
1507115073
if (ret != WOLFSSL_SUCCESS)
1507215074
return TEST_FAIL;
1507315075

wolfssl/internal.h

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3147,6 +3147,7 @@ typedef struct WOLFSSL_EchConfig {
31473147
byte configId;
31483148
byte numCipherSuites;
31493149
byte receiverPubkey[HPKE_Npk_MAX];
3150+
byte maxNameLen;
31503151
} WOLFSSL_EchConfig;
31513152

31523153
typedef struct WOLFSSL_ECH {

wolfssl/ssl.h

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1231,6 +1231,9 @@ WOLFSSL_API WOLFSSL_METHOD *wolfSSLv23_method(void);
12311231
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
12321232
WOLFSSL_API int wolfSSL_CTX_GenerateEchConfig(WOLFSSL_CTX* ctx,
12331233
const char* publicName, word16 kemId, word16 kdfId, word16 aeadId);
1234+
WOLFSSL_API int wolfSSL_CTX_GenerateEchConfigEx(WOLFSSL_CTX* ctx,
1235+
const char* publicName, word16 kemId, word16 kdfId, word16 aeadId,
1236+
byte maxNameLen);
12341237

12351238
WOLFSSL_API int wolfSSL_CTX_SetEchConfigsBase64(WOLFSSL_CTX* ctx,
12361239
const char* echConfigs64, word32 echConfigs64Len);

0 commit comments

Comments
 (0)