TLS ECH fixes [SNI, api.c, server.c, comments]

Author: sebastian-carpenter

examples/server/server.c

@@ -3105,6 +3105,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
         byte echConfig[512];
         word32 echConfigLen = sizeof(echConfig);
         char echConfigBase64[512];
+        char* echConfigBase64Ptr;
         word32 echConfigBase64Len = sizeof(echConfigBase64);
 
         if (wolfSSL_CTX_GenerateEchConfig(ctx, echPublicName, 0, 0, 0)
@@ -3116,12 +3117,16 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
             err_sys_ex(runWithErrors, "GetEchConfigs failed");
         }
         if (Base64_Encode_NoNl(echConfig, echConfigLen, (byte*)echConfigBase64,
-                    &echConfigBase64Len) != 0) {
+                &echConfigBase64Len) != 0) {
             err_sys_ex(runWithErrors, "Base64_Encode_NoNl failed");
         }
         else {
-            echConfigBase64[echConfigBase64Len] = '\0';
-            printf("ECH config (base64): %s\n", echConfigBase64);
+            echConfigBase64Ptr = echConfigBase64;
+            printf("ECH config (base64): ");
+            while (echConfigBase64Len-- > 0) {
+                printf("%c", *echConfigBase64Ptr++);
+            }
+            printf("\n");
         }
     }
 #endif

src/tls.c

@@ -2362,7 +2362,8 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, const byte* input, word16 length,
 #endif
 
 #if defined(HAVE_ECH)
-    if (ech != NULL && ech->sniState == ECH_INNER_SNI_ATTEMPT) {
+    if (ech != NULL && ech->sniState == ECH_INNER_SNI_ATTEMPT &&
+            ech->privateName != NULL) {
         matched = cacheOnly || (XSTRLEN(ech->privateName) == size &&
             XSTRNCMP(ech->privateName, (const char*)input + offset, size) == 0);
     }

tests/api.c

@@ -13506,7 +13506,6 @@ static int test_wolfSSL_CTX_add_client_CA(void)
     defined(HAVE_IO_TESTS_DEPENDENCIES)
 static THREAD_RETURN WOLFSSL_THREAD server_task_ech(void* args)
 {
-    EXPECT_DECLS;
     callback_functions* callbacks = ((func_args*)args)->callbacks;
     WOLFSSL_CTX* ctx       = callbacks->ctx;
     WOLFSSL*  ssl   = NULL;
@@ -13536,7 +13535,7 @@ static THREAD_RETURN WOLFSSL_THREAD server_task_ech(void* args)
     if (callbacks->ctx_ready)
         callbacks->ctx_ready(ctx);
 
-    ExpectNotNull(ssl = wolfSSL_new(ctx));
+    AssertNotNull(ssl = wolfSSL_new(ctx));
 
     /* set the sni for the server */
     AssertIntEQ(WOLFSSL_SUCCESS,

wolfssl/internal.h

@@ -2979,9 +2979,9 @@ typedef struct Options Options;
 #define TLSXT_CONNECTION_ID              0x0036
 #define TLSXT_KEY_QUIC_TP_PARAMS         0x0039 /* RFC 9001, ch. 8.2 */
 #define TLSXT_ECH                        0xfe0d /* from */
-                                                /* draft-ietf-tls-esni-13 */
+                                                /* draft-ietf-tls-esni-25 */
 #define TLSXT_ECH_OUTER_EXTENSIONS       0xfd00 /* from
-                                                   draft-ietf-tls-esni-13 */
+                                                   draft-ietf-tls-esni-25 */
 /* The 0xFF section is experimental/custom/personal use */
 #define TLSXT_CKS                        0xff92 /* X9.146 */
 #define TLSXT_RENEGOTIATION_INFO         0xff01