CI Addition (ECH): Check only the public SNI is visible#10542
CI Addition (ECH): Check only the public SNI is visible#10542sebastian-carpenter wants to merge 2 commits into
Conversation
There was a problem hiding this comment.
Pull request overview
This PR fixes a bug in ECH (Encrypted Client Hello) outer ClientHello handling so that the public SNI is always substituted into the outer ClientHello (regardless of echAccepted state or innerCount), preventing leakage of the private SNI on the wire. A corresponding wire-bytes test is added.
Changes:
- Simplify the condition in
TLSX_EchChangeSNIto swap the SNI whenever the ECH extension type isECH_TYPE_OUTER. - Add
test_wolfSSL_Tls13_ECH_wire_snicovering both ECH-accept and ECH-reject paths, forcing a HelloRetryRequest and asserting the public name appears and the private name does not appear on the wire for both CH1 and CH2.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/tls.c | Always swap SNI to the public name when processing the outer ClientHello, removing extra gating conditions. |
| tests/api.c | New ECH wire-SNI test (accept + reject paths with HRR) registered in testCases. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
retest this please |
| { | ||
| EXPECT_DECLS; | ||
| test_ssl_memio_ctx test_ctx; | ||
| WOLFSSL_CTX* tempCtx = NULL; |
There was a problem hiding this comment.
Reduce the scope - put declarations down in block where used.
There was a problem hiding this comment.
fixed, moved them down to !accept block.
| WOLFSSL_ERROR_WANT_READ); | ||
|
|
||
| /* CH2 wire bytes: same property must hold */ | ||
| ExpectNotNull(mymemmem(test_ctx.s_buff, test_ctx.s_len, |
There was a problem hiding this comment.
Can we expect echCbTestPublicName to be at a specific location?
There was a problem hiding this comment.
Yes! Removed memmem check and replaced it with ech_find_extension to only perform the check at the SNI extension.
Once more extensions are added to ECH this test should be refactored to check that those are swapped out as well.
sebastian-carpenter
force-pushed
the
public-sni-test
branch
from
34051fc to
5c28127
Compare
|
Rebased to get Added a sanity check at the end of the test to make sure ECH is suceeding or failing as expected. |
|
Jenkins retest this please |
sebastian-carpenter
force-pushed
the
public-sni-test
branch
from
4a3a44a to
7e959ac
Compare
- *_wire_sni test is now more efficient - openssl-ech workflow now does interop with ECH rejection
- *_wire_sni test is now more efficient - openssl-ech workflow now does interop with ECH rejection
- *_wire_sni test is now more efficient - openssl-ech workflow now does interop with ECH rejection
Description
Added a test to check that the SNI in the outer ClientHello is always the public SNI. Other checks exist to verify the inner SNI is correct. Also added additional testing for the ECH rejection path as well.
Corrected
TLSX_EchChangeSNIto always swap the SNI when it is processing the outer hello.Testing
Added
test_wolfSSL_Tls13_ECH_wire_sniwhich forces a HelloRetryRequest with either ech rejection or acceptance.Added interop testing for the ECH rejection path.
Checklist