5 changes: 3 additions & 2 deletions src/ssl_ech.c
@@ -547,8 +547,9 @@ int SetEchConfigsEx(WOLFSSL_EchConfig** outputConfigs, void* heap,
ato16(echConfig, &hpkePubkeyLen);
echConfig += 2;

/* hpke public_key */
if (hpkePubkeyLen > HPKE_Npk_MAX || hpkePubkeyLen == 0) {
/* hpke public_key
* KEM support will be checked along with the ciphersuites */
if (hpkePubkeyLen != wc_HpkeKemGetEncLen(workingConfig->kemId)) {
ret = BUFFER_E;
break;
}
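Review bot: The new length check in SetEchConfigsEx drops the explicit `hpkePubkeyLen > HPKE_Npk_MAX || hpkePubkeyLen == 0` bounds, so the only limit on a length read from the ECH config is whatever `wc_HpkeKemGetEncLen()` returns for `workingConfig->kemId`. Its return value for an unknown or unsupported KEM is not visible on this page; if it is 0, a config with an unsupported KEM and an empty key passes this check, and the comment defers KEM validation to a later step. I would keep the cheap bound alongside the equality test: `if (hpkePubkeyLen == 0 || hpkePubkeyLen > HPKE_Npk_MAX || hpkePubkeyLen != wc_HpkeKemGetEncLen(workingConfig->kemId)) {`. The function body starts and ends outside the hunk, so the later use of the key bytes is presumed rather than seen.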
8 changes: 5 additions & 3 deletions src/tls.c
@@ -13696,7 +13696,7 @@ static int TLSX_ECH_Write(WOLFSSL_ECH* ech, byte msgType, byte* writeBuf,
writeBuf_p += ech->encLen;
}
/* innerClientHelloLen */
c16toa(ech->innerClientHelloLen, writeBuf_p);
c16toa((word16)ech->innerClientHelloLen, writeBuf_p);
writeBuf_p += 2;
/* set payload offset for when we finalize */
ech->outerClientPayload = writeBuf_p;
@@ -14155,7 +14155,7 @@ static int TLSX_ECH_ExpandOuterExtensions(WOLFSSL* ssl, WOLFSSL_ECH* ech,
if (ret == 0) {
XFREE(ech->innerClientHello, heap, DYNAMIC_TYPE_TMP_BUFFER);
ech->innerClientHello = newInnerCh;
ech->innerClientHelloLen = (word16)newInnerChLen;
ech->innerClientHelloLen = newInnerChLen;
newInnerCh = NULL;
}

@@ -14269,6 +14269,7 @@ static int TLSX_ECH_Parse(WOLFSSL* ssl, const byte* readBuf, word16 size,
word32 offset = 0;
word16 len;
word16 tmpVal16;
word16 lenCh;

WOLFSSL_MSG("TLSX_ECH_Parse");
if (ssl->options.disableECH) {
@@ -14385,7 +14386,8 @@ static int TLSX_ECH_Parse(WOLFSSL* ssl, const byte* readBuf, word16 size,
readBuf_p += len;
offset += len;
/* read payload (encrypted CH) len */
ato16(readBuf_p, &ech->innerClientHelloLen);
ato16(readBuf_p, &lenCh);
ech->innerClientHelloLen = lenCh;
readBuf_p += 2;
offset += 2;
/* Check payload is no bigger than remaining bytes. */
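Review bot: In TLSX_ECH_Write the added `(word16)` cast on `ech->innerClientHelloLen` truncates silently if the field ever holds more than 0xFFFF, and the length written to the wire would then disagree with the payload that follows it. The removed casts in TLSX_ECH_ExpandOuterExtensions and the new `lenCh` temporary in TLSX_ECH_Parse suggest the field is now wider than 16 bits (its declaration is not on this page), so the range check belongs next to the write rather than only in a caller. Assuming the function reports errors through its int return, guard before the `c16toa` call: `if (ech->innerClientHelloLen > 0xFFFF) return BUFFER_E;`. All three functions continue outside their hunks.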
41 changes: 31 additions & 10 deletions src/tls13.c
@@ -3801,6 +3801,7 @@ int EchConfigGetSupportedCipherSuite(WOLFSSL_EchConfig* config)
int i = 0;

if (!wc_HpkeKemIsSupported(config->kemId)) {
WOLFSSL_MSG("ECH config: KEM not supported");
return WOLFSSL_FATAL_ERROR;
}

@@ -3811,6 +3812,7 @@ int EchConfigGetSupportedCipherSuite(WOLFSSL_EchConfig* config)
}
}

WOLFSSL_MSG("ECH config: KDF or AEAD not supported");
return WOLFSSL_FATAL_ERROR;
}

@@ -3933,10 +3935,14 @@ static int EchCalcAcceptance(WOLFSSL* ssl, byte* label, word16 labelSz,

if (isHrr) {
/* the transcript hash of ClientHelloInner1 */
hashSz = GetMsgHash(ssl, clientHelloInnerHash);
if (hashSz > 0) {
ret = GetMsgHash(ssl, clientHelloInnerHash);
if (ret > 0) {
hashSz = ret;
ret = 0;
}
else if (ret == 0) {
ret = HASH_TYPE_E;
}

/* restart ECH transcript hash, similar to RestartHandshakeHash but
* don't add a cookie */
@@ -3976,6 +3982,9 @@ static int EchCalcAcceptance(WOLFSSL* ssl, byte* label, word16 labelSz,
if (ret > 0) {
ret = 0;
}
else if (ret == 0) {
ret = HASH_TYPE_E;
}
}

/* pick the right type and size based on mac_algorithm */
@@ -4752,15 +4761,18 @@ int SendTls13ClientHello(WOLFSSL* ssl)

/* get size for inner */
ret = TLSX_GetRequestSize(ssl, client_hello, &args->length);

/* set the type to outer */
args->ech->type = ECH_TYPE_OUTER;
if (ret != 0)
return ret;

/* set the type to outer */
args->ech->type = 0;
/* set innerClientHelloLen to ClientHelloInner + padding + tag */
args->ech->paddingLen = 31 - ((args->length - 1) % 32);
args->ech->innerClientHelloLen = (word16)(args->length +
args->ech->paddingLen + args->ech->hpke->Nt);
args->ech->innerClientHelloLen = args->length +
args->ech->paddingLen + args->ech->hpke->Nt;
if (args->ech->innerClientHelloLen > 0xFFFF)
return BUFFER_E;
/* set the length back to before we computed ClientHelloInner size */
args->length = (word32)args->preXLength;
}
@@ -4902,8 +4914,10 @@ int SendTls13ClientHello(WOLFSSL* ssl)
args->ech->innerClientHello =
(byte*)XMALLOC(args->ech->innerClientHelloLen - args->ech->hpke->Nt,
ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
if (args->ech->innerClientHello == NULL)
if (args->ech->innerClientHello == NULL) {
args->ech->type = ECH_TYPE_OUTER;
return MEMORY_E;
}
/* set the padding bytes to 0 */
XMEMSET(args->ech->innerClientHello + args->ech->innerClientHelloLen -
args->ech->hpke->Nt - args->ech->paddingLen, 0,
@@ -4926,8 +4940,10 @@ int SendTls13ClientHello(WOLFSSL* ssl)
/* change the outer client random */
ret = wc_RNG_GenerateBlock(ssl->rng, args->output +
args->clientRandomOffset, RAN_LEN);
if (ret != 0)
if (ret != 0) {
args->ech->type = ECH_TYPE_OUTER;
return ret;
}
/* copy the new client random */
XMEMCPY(ssl->arrays->clientRandom, args->output +
args->clientRandomOffset, RAN_LEN);
@@ -4936,10 +4952,10 @@ int SendTls13ClientHello(WOLFSSL* ssl)
ret = TLSX_WriteRequest(ssl, args->ech->innerClientHello + args->idx -
(RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ), client_hello,
&args->length);
/* set the type to outer */
args->ech->type = ECH_TYPE_OUTER;
if (ret != 0)
return ret;
/* set the type to outer */
args->ech->type = 0;
}
#endif

@@ -5694,6 +5710,9 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
/* check for acceptConfirmation */
if (ssl->echConfigs != NULL && !ssl->options.disableECH) {
args->echX = TLSX_Find(ssl->extensions, TLSX_ECH);
if (args->echX == NULL || args->echX->data == NULL)
return WOLFSSL_FATAL_ERROR;

/* account for hrr extension instead of server random */
if (args->extMsgType == hello_retry_request) {
args->acceptOffset =
@@ -8648,6 +8667,8 @@ int CreateSigData(WOLFSSL* ssl, byte* sigData, word16* sigDataSz,
ret = GetMsgHash(ssl, &sigData[idx]);
if (ret < 0)
return ret;
if (ret == 0)
return HASH_TYPE_E;

*sigDataSz = (word16)(idx + ret);
ret = 0;
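Review bot: The new guard in DoTls13ServerHello, `if (args->echX == NULL || args->echX->data == NULL) return WOLFSSL_FATAL_ERROR;`, fails the handshake without leaving any trace, while the EchConfigGetSupportedCipherSuite hunks in this same file add a WOLFSSL_MSG before each fatal return. A missing ECH extension while `ssl->echConfigs` is set is a state inconsistency that should be visible in debug logs, so add e.g. `WOLFSSL_MSG("ECH configs set but ECH extension missing");` before the return. The function works on an `args` state structure and continues outside the hunk, so it is also worth confirming that this direct return skips no cleanup that the function's other exits perform.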
9 changes: 5 additions & 4 deletions wolfcrypt/src/hpke.c
@@ -917,7 +917,7 @@ int wc_HpkeInitSealContext(Hpke* hpke, HpkeBaseContext* context,
void* ephemeralKey, void* receiverKey, byte* info, word32 infoSz)
{
if (hpke == NULL || context == NULL || ephemeralKey == NULL ||
receiverKey == NULL || (info == NULL && infoSz > 0)) {
receiverKey == NULL || (info == NULL && infoSz != 0)) {
return BAD_FUNC_ARG;
}

@@ -935,7 +935,7 @@ int wc_HpkeContextSealBase(Hpke* hpke, HpkeBaseContext* context,
int ret;
byte nonce[HPKE_Nn_MAX];
WC_DECLARE_VAR(aes, Aes, 1, 0);
if (hpke == NULL || context == NULL || (aad == NULL && aadSz > 0) ||
if (hpke == NULL || context == NULL || (aad == NULL && aadSz != 0) ||
plaintext == NULL || out == NULL) {
return BAD_FUNC_ARG;
}
@@ -1160,7 +1160,7 @@ int wc_HpkeInitOpenContext(Hpke* hpke, HpkeBaseContext* context,
word32 infoSz)
{
if (hpke == NULL || context == NULL || receiverKey == NULL || pubKey == NULL
|| (info == NULL && infoSz > 0)) {
|| (info == NULL && infoSz != 0)) {
return BAD_FUNC_ARG;
}

@@ -1175,7 +1175,8 @@ int wc_HpkeContextOpenBase(Hpke* hpke, HpkeBaseContext* context, byte* aad,
int ret;
byte nonce[HPKE_Nn_MAX];
WC_DECLARE_VAR(aes, Aes, 1, 0);
if (hpke == NULL || context == NULL || ciphertext == NULL || out == NULL) {
if (hpke == NULL || context == NULL || (aad == NULL && aadSz != 0) ||
ciphertext == NULL || out == NULL) {
return BAD_FUNC_ARG;
}

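Review bot: The contract these checks now enforce is not stated in any comment visible in these hunks: `aad` (and `info` in the two Init functions) may be NULL only when the matching size is 0. wc_HpkeContextOpenBase also starts rejecting a NULL `aad` with a non-zero `aadSz`, which previously passed argument validation. Since these are public wc_ functions, a line in each doc comment would help callers, e.g. `/* aad may be NULL only if aadSz is 0; otherwise BAD_FUNC_ARG is returned */`. The `> 0` to `!= 0` edits look behaviour-neutral, since `infoSz` is declared `word32` in the signatures shown and `aadSz` is presumably the same. The function bodies continue outside the hunks.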