tls ech padding improvements

This commit is contained in:
sebastian-carpenter
2026-04-27 11:39:27 -06:00
parent 7d1516f4db
commit f6bc39881b
5 changed files with 40 additions and 10 deletions
+17 -7
View File
@@ -32,6 +32,15 @@
/* create the hpke key and ech config to send to clients */
int wolfSSL_CTX_GenerateEchConfig(WOLFSSL_CTX* ctx, const char* publicName,
word16 kemId, word16 kdfId, word16 aeadId)
{
return wolfSSL_CTX_GenerateEchConfigEx(ctx, publicName, kemId, kdfId,
aeadId, 0);
}
/* create the hpke key and ech config to send to clients
* maximum_name_length may also be set for a more stable padding length */
int wolfSSL_CTX_GenerateEchConfigEx(WOLFSSL_CTX* ctx, const char* publicName,
word16 kemId, word16 kdfId, word16 aeadId, byte maxNameLen)
{
int ret = 0;
WOLFSSL_EchConfig* newConfig;
@@ -129,8 +138,8 @@ int wolfSSL_CTX_GenerateEchConfig(WOLFSSL_CTX* ctx, const char* publicName,
ret = MEMORY_E;
}
else {
XMEMCPY(newConfig->publicName, publicName,
XSTRLEN(publicName) + 1);
XMEMCPY(newConfig->publicName, publicName, XSTRLEN(publicName) + 1);
newConfig->maxNameLen = maxNameLen;
}
}
@@ -418,8 +427,8 @@ int GetEchConfig(WOLFSSL_EchConfig* config, byte* output, word32* outputLen)
output += 2;
}
/* set maximum name length to 0 */
*output = 0;
/* maximum name len */
*output = config->maxNameLen;
output++;
/* publicName len */
@@ -430,7 +439,7 @@ int GetEchConfig(WOLFSSL_EchConfig* config, byte* output, word32* outputLen)
XMEMCPY(output, config->publicName, publicNameLen);
output += publicNameLen;
/* terminating zeros */
/* no extensions, print zeros */
c16toa(0, output);
/* output += 2; */
@@ -656,11 +665,12 @@ int SetEchConfigsEx(WOLFSSL_EchConfig** outputConfigs, void* heap,
idx += 4;
}
/* ignore maximum name length */
/* maxNameLen */
if (idx + 1 > length) {
ret = BUFFER_E;
break;
}
workingConfig->maxNameLen = echConfig[idx];
idx += 1;
/* publicName */
@@ -701,7 +711,7 @@ int SetEchConfigsEx(WOLFSSL_EchConfig** outputConfigs, void* heap,
}
ret = EchConfigCheckExtensions(echConfig + idx, extensionsLen);
if (ret < 0)
if (ret < 0 && ret != WC_NO_ERR_TRACE(UNSUPPORTED_EXTENSION))
break;
/* KEM, ciphersuite, or mandatory extension not supported, free this
+15 -1
View File
@@ -4817,9 +4817,23 @@ int SendTls13ClientHello(WOLFSSL* ssl)
if (ret != 0)
return ret;
/* calculate padding (RFC 9849, section 6.1.3) */
if (args->ech->privateName != NULL) {
word16 nameLen = (word16)XSTRLEN(args->ech->privateName);
if (nameLen > args->ech->echConfig->maxNameLen)
args->ech->paddingLen = 0;
else
args->ech->paddingLen =
(word16)args->ech->echConfig->maxNameLen - nameLen;
}
else {
args->ech->paddingLen = args->ech->echConfig->maxNameLen + 9;
}
/* innerClientHelloLen and padding are based on the
* encoded (sealed) inner */
args->ech->paddingLen = 31 - ((encodedLen - 1) % 32);
args->ech->paddingLen += 31 -
((encodedLen + args->ech->paddingLen - 1) % 32);
args->ech->innerClientHelloLen = encodedLen +
args->ech->paddingLen + args->ech->hpke->Nt;
+4 -2
View File
@@ -15066,8 +15066,10 @@ static int test_ech_server_ctx_ready(WOLFSSL_CTX* ctx)
{
int ret;
ret = wolfSSL_CTX_GenerateEchConfig(ctx, echCbTestPublicName,
echCbTestKemID, echCbTestKdfID, echCbTestAeadID);
/* +20 for this isn't significant, it just exercises the padding code */
ret = wolfSSL_CTX_GenerateEchConfigEx(ctx, echCbTestPublicName,
echCbTestKemID, echCbTestKdfID, echCbTestAeadID,
XSTRLEN(echCbTestPublicName) + 20);
if (ret != WOLFSSL_SUCCESS)
return TEST_FAIL;
+1
View File
@@ -3147,6 +3147,7 @@ typedef struct WOLFSSL_EchConfig {
byte configId;
byte numCipherSuites;
byte receiverPubkey[HPKE_Npk_MAX];
byte maxNameLen;
} WOLFSSL_EchConfig;
typedef struct WOLFSSL_ECH {
+3
View File
@@ -1231,6 +1231,9 @@ WOLFSSL_API WOLFSSL_METHOD *wolfSSLv23_method(void);
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
WOLFSSL_API int wolfSSL_CTX_GenerateEchConfig(WOLFSSL_CTX* ctx,
const char* publicName, word16 kemId, word16 kdfId, word16 aeadId);
WOLFSSL_API int wolfSSL_CTX_GenerateEchConfigEx(WOLFSSL_CTX* ctx,
const char* publicName, word16 kemId, word16 kdfId, word16 aeadId,
byte maxNameLen);
WOLFSSL_API int wolfSSL_CTX_SetEchConfigsBase64(WOLFSSL_CTX* ctx,
const char* echConfigs64, word32 echConfigs64Len);