MCPcopy
hub / github.com/XTLS/REALITY / processECHClientHello

Method processECHClientHello

ech.go:582–651  ·  view source on GitHub ↗
(outer *clientHelloMsg, echKeys []EncryptedClientHelloKey)

Source from the content-addressed store, hash-verified

580}
581
582func (c *Conn) processECHClientHello(outer *clientHelloMsg, echKeys []EncryptedClientHelloKey) (*clientHelloMsg, *echServerContext, error) {
583 echType, echCiphersuite, configID, encap, payload, err := parseECHExt(outer.encryptedClientHello)
584 if err != nil {
585 if errors.Is(err, errInvalidECHExt) {
586 c.sendAlert(alertIllegalParameter)
587 } else {
588 c.sendAlert(alertDecodeError)
589 }
590
591 return nil, nil, errInvalidECHExt
592 }
593
594 if echType == innerECHExt {
595 return outer, &echServerContext{inner: true}, nil
596 }
597
598 if len(echKeys) == 0 {
599 return outer, nil, nil
600 }
601
602 for _, echKey := range echKeys {
603 skip, config, err := parseECHConfig(echKey.Config)
604 if err != nil || skip {
605 c.sendAlert(alertInternalError)
606 return nil, nil, fmt.Errorf("tls: invalid EncryptedClientHelloKeys Config: %s", err)
607 }
608 if skip {
609 continue
610 }
611 echPriv, err := hpke.ParseHPKEPrivateKey(config.KemID, echKey.PrivateKey)
612 if err != nil {
613 c.sendAlert(alertInternalError)
614 return nil, nil, fmt.Errorf("tls: invalid EncryptedClientHelloKeys PrivateKey: %s", err)
615 }
616 info := append([]byte("tls ech\x00"), echKey.Config...)
617 hpkeContext, err := hpke.SetupRecipient(hpke.DHKEM_X25519_HKDF_SHA256, echCiphersuite.KDFID, echCiphersuite.AEADID, echPriv, info, encap)
618 if err != nil {
619 // attempt next trial decryption
620 continue
621 }
622
623 encodedInner, err := decryptECHPayload(hpkeContext, outer.original, payload)
624 if err != nil {
625 // attempt next trial decryption
626 continue
627 }
628
629 // NOTE: we do not enforce that the sent server_name matches the ECH
630 // configs PublicName, since this is not particularly important, and
631 // the client already had to know what it was in order to properly
632 // encrypt the payload. This is only a MAY in the spec, so we're not
633 // doing anything revolutionary.
634
635 echInner, err := decodeInnerClientHello(outer, encodedInner)
636 if err != nil {
637 c.sendAlert(alertIllegalParameter)
638 return nil, nil, errInvalidECHExt
639 }

Callers 1

readClientHelloMethod · 0.95

Calls 7

sendAlertMethod · 0.95
ParseHPKEPrivateKeyFunction · 0.92
SetupRecipientFunction · 0.92
parseECHExtFunction · 0.85
parseECHConfigFunction · 0.85
decryptECHPayloadFunction · 0.85
decodeInnerClientHelloFunction · 0.85

Tested by

no test coverage detected