new: parse ECH in EncryptedExtensions

2025-04-04 20:47:36 +03:00 · 2023-12-13 16:47:15 -07:00 · 2023-12-13 16:47:15 -07:00 · f5775b9b5a
commit f5775b9b5a
parent af57f8f22d
4 changed files with 34 additions and 0 deletions
--- a/common.go
+++ b/common.go
@ -306,6 +306,11 @@ type ConnectionState struct {

 	// ekm is a closure exposed via ExportKeyingMaterial.
 	ekm func(label string, context []byte, length int) ([]byte, error)
+
+	// ECHRetryConfigs contains the ECH retry configurations sent by the server in
+	// EncryptedExtensions message. It is only populated if the server sent the
+	// ech extension in EncryptedExtensions message.
+	ECHRetryConfigs []ECHConfig // [uTLS]
 }

 // ExportKeyingMaterial returns length bytes of exported key material in a new
--- a/u_conn.go
+++ b/u_conn.go
@ -865,6 +865,7 @@ func (c *Conn) utlsHandshakeMessageType(msgType byte) (handshakeMessage, error)
 // Extending (*Conn).connectionStateLocked()
 func (c *Conn) utlsConnectionStateLocked(state *ConnectionState) {
 	state.PeerApplicationSettings = c.utls.peerApplicationSettings
+	state.ECHRetryConfigs = c.utls.echRetryConfigs
 }

 type utlsConnExtraFields struct {
@ -873,5 +874,8 @@ type utlsConnExtraFields struct {
 	peerApplicationSettings  []byte
 	localApplicationSettings []byte

+	// Encrypted Client Hello (ECH)
+	echRetryConfigs []ECHConfig
+
 	sessionController *sessionController
 }
--- a/u_handshake_client.go
+++ b/u_handshake_client.go
@ -141,6 +141,7 @@ func (hs *clientHandshakeStateTLS13) sendClientEncryptedExtensions() error {
 func (hs *clientHandshakeStateTLS13) utlsReadServerParameters(encryptedExtensions *encryptedExtensionsMsg) error {
 	hs.c.utls.hasApplicationSettings = encryptedExtensions.utls.hasApplicationSettings
 	hs.c.utls.peerApplicationSettings = encryptedExtensions.utls.applicationSettings
+	hs.c.utls.echRetryConfigs = encryptedExtensions.utls.echRetryConfigs

 	if hs.c.utls.hasApplicationSettings {
 		if hs.uconn.vers < VersionTLS13 {
@ -160,6 +161,23 @@ func (hs *clientHandshakeStateTLS13) utlsReadServerParameters(encryptedExtension
 		}
 	}

+	if len(hs.c.utls.echRetryConfigs) > 0 {
+		if hs.uconn.vers < VersionTLS13 {
+			return errors.New("tls: server sent ECH retry configs at invalid version")
+		}
+
+		// find ECH extension in ClientHello
+		var echIncluded bool
+		for _, ext := range hs.uconn.Extensions {
+			if _, ok := ext.(ECHExtension); ok {
+				echIncluded = true
+			}
+		}
+		if !echIncluded {
+			return errors.New("tls: server sent ECH retry configs without client sending ECH extension")
+		}
+	}
+
 	return nil
 }

--- a/u_handshake_messages.go
+++ b/u_handshake_messages.go
@ -56,6 +56,7 @@ func (m *utlsCompressedCertificateMsg) unmarshal(data []byte) bool {
 type utlsEncryptedExtensionsMsgExtraFields struct {
 	hasApplicationSettings bool
 	applicationSettings    []byte
+	echRetryConfigs        []ECHConfig
 	customExtension        []byte
 }

@ -64,6 +65,12 @@ func (m *encryptedExtensionsMsg) utlsUnmarshal(extension uint16, extData cryptob
 	case utlsExtensionApplicationSettings:
 		m.utls.hasApplicationSettings = true
 		m.utls.applicationSettings = []byte(extData)
+	case utlsExtensionECH:
+		var err error
+		m.utls.echRetryConfigs, err = UnmarshalECHConfigs([]byte(extData))
+		if err != nil {
+			return false
+		}
 	}
 	return true // success/unknown extension
 }