From ade44c2ba65d2723b8d27e31e169e6bc74ac7a01 Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Mon, 30 Dec 2024 10:36:55 -0800
Subject: [PATCH] crypto/tls: properly return ECH retry configs

When ECH is rejected, properly take retry configs from the encrypted
extensions message. Also fix the bogo shim to properly test for this
behavior.

We should properly map the full BoringSSL -> Go errors so that we don't
run into a similar failure in the future, but this is left for a follow
up CL.

Fixes #70915

Change-Id: Icc1878ff6f87df059e7b83e0a431f50f1fea833c
Reviewed-on: https://go-review.googlesource.com/c/go/+/638583
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
 bogo_config.json          |  5 ++++-
 handshake_client.go       |  1 +
 handshake_client_tls13.go | 16 ++++++++--------
 3 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/bogo_config.json b/bogo_config.json
index 1c313ec..32969a3 100644
--- a/bogo_config.json
+++ b/bogo_config.json
@@ -246,5 +246,8 @@
         25,
         29,
         4588
-    ]
+    ],
+    "ErrorMap": {
+        ":ECH_REJECTED:": "tls: server rejected ECH"
+    }
 }
diff --git a/handshake_client.go b/handshake_client.go
index 3bf703e..38bd417 100644
--- a/handshake_client.go
+++ b/handshake_client.go
@@ -260,6 +260,7 @@ type echClientContext struct {
 	kdfID           uint16
 	aeadID          uint16
 	echRejected     bool
+	retryConfigs    []byte
 }
 
 func (c *Conn) clientHandshake(ctx context.Context) (err error) {
diff --git a/handshake_client_tls13.go b/handshake_client_tls13.go
index 38c6025..c0396e7 100644
--- a/handshake_client_tls13.go
+++ b/handshake_client_tls13.go
@@ -85,7 +85,6 @@ func (hs *clientHandshakeStateTLS13) handshake() error {
 		}
 	}
 
-	var echRetryConfigList []byte
 	if hs.echContext != nil {
 		confTranscript := cloneHash(hs.echContext.innerTranscript, hs.suite.hash)
 		confTranscript.Write(hs.serverHello.original[:30])
@@ -114,9 +113,6 @@ func (hs *clientHandshakeStateTLS13) handshake() error {
 			}
 		} else {
 			hs.echContext.echRejected = true
-			// If the server sent us retry configs, we'll return these to
-			// the user so they can update their Config.
-			echRetryConfigList = hs.serverHello.encryptedClientHello
 		}
 	}
 
@@ -155,7 +151,7 @@ func (hs *clientHandshakeStateTLS13) handshake() error {
 
 	if hs.echContext != nil && hs.echContext.echRejected {
 		c.sendAlert(alertECHRequired)
-		return &ECHRejectionError{echRetryConfigList}
+		return &ECHRejectionError{hs.echContext.retryConfigs}
 	}
 
 	c.isHandshakeComplete.Store(true)
@@ -601,9 +597,13 @@ func (hs *clientHandshakeStateTLS13) readServerParameters() error {
 			return errors.New("tls: server accepted 0-RTT with the wrong ALPN")
 		}
 	}
-	if hs.echContext != nil && !hs.echContext.echRejected && encryptedExtensions.echRetryConfigs != nil {
-		c.sendAlert(alertUnsupportedExtension)
-		return errors.New("tls: server sent encrypted client hello retry configs after accepting encrypted client hello")
+	if hs.echContext != nil {
+		if hs.echContext.echRejected {
+			hs.echContext.retryConfigs = encryptedExtensions.echRetryConfigs
+		} else if encryptedExtensions.echRetryConfigs != nil {
+			c.sendAlert(alertUnsupportedExtension)
+			return errors.New("tls: server sent encrypted client hello retry configs after accepting encrypted client hello")
+		}
 	}
 
 	return nil