crypto/tls: add server-side ECH

Adds support for server-side ECH. We make a couple of implementation decisions that are not completely in-line with the spec. In particular, we don't enforce that the SNI matches the ECHConfig public_name, and we implement a hybrid shared/backend mode (rather than shared or split mode, as described in Section 7). Both of these match the behavior of BoringSSL. The hybrid server mode will either act as a shared mode server, where-in the server accepts "outer" client hellos and unwraps them before processing the "inner" hello, or accepts bare "inner" hellos initially. This lets the server operate either transparently as a shared mode server, or a backend server, in Section 7 terminology. This seems like the best implementation choice for a TLS library. Fixes #68500 Change-Id: Ife69db7c1886610742e95e76b0ca92587e6d7ed4 Reviewed-on: https://go-review.googlesource.com/c/go/+/623576 Reviewed-by: Filippo Valsorda <filippo@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net> Auto-Submit: Roland Shoemaker <roland@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
2025-04-04 04:27:36 +03:00 · 2024-10-29 20:22:27 -07:00 · 2024-10-29 20:22:27 -07:00 · 212bbb2c77
commit 212bbb2c77
parent 83cefcdeed
12 changed files with 770 additions and 95 deletions
--- a/handshake_client_tls13.go
+++ b/handshake_client_tls13.go
@ -39,7 +39,7 @@ type clientHandshakeStateTLS13 struct {
 	masterSecret  *tls13.MasterSecret
 	trafficSecret []byte // client_application_traffic_secret_0

-	echContext *echContext
+	echContext *echClientContext
 }

 // handshake requires hs.c, hs.hello, hs.serverHello, hs.keyShareKeys, and,
@ -105,7 +105,7 @@ func (hs *clientHandshakeStateTLS13) handshake() error {

 			if hs.serverHello.encryptedClientHello != nil {
 				c.sendAlert(alertUnsupportedExtension)
-				return errors.New("tls: unexpected encrypted_client_hello extension in server hello despite ECH being accepted")
+				return errors.New("tls: unexpected encrypted client hello extension in server hello despite ECH being accepted")
 			}

 			if hs.hello.serverName == "" && hs.serverHello.serverNameAck {
@ -288,7 +288,7 @@ func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error {
 	} else if hs.serverHello.encryptedClientHello != nil {
 		// Unsolicited ECH extension should be rejected
 		c.sendAlert(alertUnsupportedExtension)
-		return errors.New("tls: unexpected ECH extension in serverHello")
+		return errors.New("tls: unexpected encrypted client hello extension in serverHello")
 	}

 	// The only HelloRetryRequest extensions we support are key_share and
@ -604,7 +604,7 @@ func (hs *clientHandshakeStateTLS13) readServerParameters() error {
 	}
 	if hs.echContext != nil && !hs.echContext.echRejected && encryptedExtensions.echRetryConfigs != nil {
 		c.sendAlert(alertUnsupportedExtension)
-		return errors.New("tls: server sent ECH retry configs after accepting ECH")
+		return errors.New("tls: server sent encrypted client hello retry configs after accepting encrypted client hello")
 	}

 	return nil