crypto/tls: properly return ECH retry configs

When ECH is rejected, properly take retry configs from the encrypted
extensions message. Also fix the bogo shim to properly test for this
behavior.

We should properly map the full BoringSSL -> Go errors so that we don't
run into a similar failure in the future, but this is left for a follow
up CL.

Fixes #70915

Change-Id: Icc1878ff6f87df059e7b83e0a431f50f1fea833c
Reviewed-on: https://go-review.googlesource.com/c/go/+/638583
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

diff --git a/src/crypto/tls/bogo_config.json b/src/crypto/tls/bogo_config.json
index 1c313ec81e160fb78294bd04bf0b0890c855b6b6..32969a3fb5a865b90771d6ae24de562bc137070d 100644 (file)
--- a/src/crypto/tls/bogo_config.json
+++ b/src/crypto/tls/bogo_config.json
@@ -246,5 +246,8 @@
         25,
         29,
         4588
-    ]
+    ],
+    "ErrorMap": {
+        ":ECH_REJECTED:": "tls: server rejected ECH"
+    }
 }

diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go
index 3bf703e4b93b222d385d6a82505cb193d573ff36..38bd417a0dca7258c923cd454479b28b53a6d3f1 100644 (file)
--- a/src/crypto/tls/handshake_client.go
+++ b/src/crypto/tls/handshake_client.go
@@ -260,6 +260,7 @@ type echClientContext struct {
        kdfID           uint16
        aeadID          uint16
        echRejected     bool
+       retryConfigs    []byte
 }
 
 func (c *Conn) clientHandshake(ctx context.Context) (err error) {

diff --git a/src/crypto/tls/handshake_client_tls13.go b/src/crypto/tls/handshake_client_tls13.go
index 38c6025db74ee87211303e6e6a5e7278b06da17f..c0396e75796add3b66d87dc5129bad258f155052 100644 (file)
--- a/src/crypto/tls/handshake_client_tls13.go
+++ b/src/crypto/tls/handshake_client_tls13.go
@@ -85,7 +85,6 @@ func (hs *clientHandshakeStateTLS13) handshake() error {
                }
        }
 
-       var echRetryConfigList []byte
        if hs.echContext != nil {
                confTranscript := cloneHash(hs.echContext.innerTranscript, hs.suite.hash)
                confTranscript.Write(hs.serverHello.original[:30])
@@ -114,9 +113,6 @@ func (hs *clientHandshakeStateTLS13) handshake() error {
                        }
                } else {
                        hs.echContext.echRejected = true
-                       // If the server sent us retry configs, we'll return these to
-                       // the user so they can update their Config.
-                       echRetryConfigList = hs.serverHello.encryptedClientHello
                }
        }
 
@@ -155,7 +151,7 @@ func (hs *clientHandshakeStateTLS13) handshake() error {
 
        if hs.echContext != nil && hs.echContext.echRejected {
                c.sendAlert(alertECHRequired)
-               return &ECHRejectionError{echRetryConfigList}
+               return &ECHRejectionError{hs.echContext.retryConfigs}
        }
 
        c.isHandshakeComplete.Store(true)
@@ -601,9 +597,13 @@ func (hs *clientHandshakeStateTLS13) readServerParameters() error {
                        return errors.New("tls: server accepted 0-RTT with the wrong ALPN")
                }
        }
-       if hs.echContext != nil && !hs.echContext.echRejected && encryptedExtensions.echRetryConfigs != nil {
-               c.sendAlert(alertUnsupportedExtension)
-               return errors.New("tls: server sent encrypted client hello retry configs after accepting encrypted client hello")
+       if hs.echContext != nil {
+               if hs.echContext.echRejected {
+                       hs.echContext.retryConfigs = encryptedExtensions.echRetryConfigs
+               } else if encryptedExtensions.echRetryConfigs != nil {
+                       c.sendAlert(alertUnsupportedExtension)
+                       return errors.New("tls: server sent encrypted client hello retry configs after accepting encrypted client hello")
+               }
        }
 
        return nil