Skip to content

TLS ECH Compliance Fixes #10141

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
sebastian-carpenter wants to merge 15 commits into
base: master
Choose a base branch
from
Open

TLS ECH Compliance Fixes #10141

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
2835f8d
callback for testing TLS ECH: client side hook
sebastian-carpenter Mar 25, 2026
fda5538
add ech_required abort
sebastian-carpenter Mar 27, 2026
957153f
fix return value
sebastian-carpenter Mar 31, 2026
9067d1e
reject configs on grease connection
sebastian-carpenter Mar 31, 2026
220c5a9
error when missing ECH extension after HRR
sebastian-carpenter Mar 31, 2026
0dca292
more compliance fixes for ECH
sebastian-carpenter Apr 1, 2026
6bc64ab
return empty cert
sebastian-carpenter Apr 2, 2026
85fb7e4
remove server ech testing callback
sebastian-carpenter Apr 2, 2026
c9cc6e7
prevent client inner from offering downgrade
sebastian-carpenter Apr 3, 2026
2ec8355
parse ech config extensions
sebastian-carpenter Apr 3, 2026
6711f0e
verify ech config on grease, ignore session ticket
sebastian-carpenter Apr 3, 2026
b02ae9c
allow ech rejection through hrr
sebastian-carpenter Apr 3, 2026
f131764
do not resume in outer hello
sebastian-carpenter Apr 3, 2026
4a65cf3
cert authentication on echConfig publicName
sebastian-carpenter Apr 6, 2026
6563b56
no ech_outer_extensions in inner or outer hello
sebastian-carpenter Apr 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 39 additions & 15 deletions src/internal.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15660,6 +15660,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
byte* subjectHash = NULL;
int alreadySigner = 0;

char* domainName = NULL;

#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
int addToPendingCAs = 0;
#endif
Expand Down Expand Up @@ -16848,17 +16850,33 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
}
#endif

if (!ssl->options.verifyNone && ssl->buffers.domainName.buffer) {
domainName = (char*)ssl->buffers.domainName.buffer;
#if !defined(NO_WOLFSSL_CLIENT) && defined(HAVE_ECH)
/* RFC 9849 s6.1.7: ECH was offered but rejected by the server..
* verify cert is valid for ECHConfig.public_name */
if (ssl->options.side == WOLFSSL_CLIENT_END &&
ssl->echConfigs != NULL &&
!ssl->options.echAccepted) {
TLSX* echX = TLSX_Find(ssl->extensions, TLSX_ECH);
if (echX != NULL) {
WOLFSSL_ECH* ech = (WOLFSSL_ECH*)echX->data;
domainName = ech->echConfig ?
ech->echConfig->publicName : NULL;
}
}
#endif

if ((!ssl->options.verifyNone ||
domainName != (char*)ssl->buffers.domainName.buffer) &&
domainName) {
#ifndef WOLFSSL_ALLOW_NO_CN_IN_SAN
/* Per RFC 5280 section 4.2.1.6, "Whenever such identities
* are to be bound into a certificate, the subject
* alternative name extension MUST be used." */
if (args->dCert->altNames) {
if (CheckForAltNames(args->dCert,
(char*)ssl->buffers.domainName.buffer,
(ssl->buffers.domainName.buffer == NULL ? 0 :
(word32)XSTRLEN(
(const char *)ssl->buffers.domainName.buffer)),
domainName, (domainName == NULL ? 0 :
(word32)XSTRLEN((const char *)domainName)),
NULL, 0, 0) != 1) {
WOLFSSL_MSG("DomainName match on alt names failed");
/* try to get peer key still */
Expand All @@ -16871,10 +16889,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
if (MatchDomainName(
args->dCert->subjectCN,
args->dCert->subjectCNLen,
(char*)ssl->buffers.domainName.buffer,
(ssl->buffers.domainName.buffer == NULL ? 0 :
(word32)XSTRLEN(
(const char *)ssl->buffers.domainName.buffer)
domainName, (domainName == NULL ? 0 :
(word32)XSTRLEN((const char *)domainName)
), 0) == 0)
#endif
{
Expand All @@ -16888,15 +16904,13 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#ifndef WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY
if (MatchDomainName(args->dCert->subjectCN,
args->dCert->subjectCNLen,
(char*)ssl->buffers.domainName.buffer,
(ssl->buffers.domainName.buffer == NULL ? 0 :
(word32)XSTRLEN(ssl->buffers.domainName.buffer)), 0) == 0)
domainName, (domainName == NULL ? 0 :
(word32)XSTRLEN(domainName)), 0) == 0)
#endif
{
if (CheckForAltNames(args->dCert,
(char*)ssl->buffers.domainName.buffer,
(ssl->buffers.domainName.buffer == NULL ? 0 :
(word32)XSTRLEN(ssl->buffers.domainName.buffer)),
domainName, (domainName == NULL ? 0 :
(word32)XSTRLEN(domainName)),
NULL, 0, 0) != 1) {
WOLFSSL_MSG("DomainName match failed");
/* try to get peer key still */
Expand Down Expand Up @@ -22098,6 +22112,13 @@ const char* AlertTypeToString(int type)
return no_application_protocol_str;
}

case ech_required:
{
static const char ech_required_str[] =
"ech_required";
return ech_required_str;
}

default:
WOLFSSL_MSG("Unknown Alert");
return NULL;
Expand Down Expand Up @@ -27710,6 +27731,9 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)

case SESSION_TICKET_NONCE_OVERFLOW:
return "Session ticket nonce overflow";

case ECH_REQUIRED_E:
return "ECH offered but rejected by server";
}

return "unknown error number";
Expand Down
Loading
Loading