(outer *clientHelloMsg, echKeys []EncryptedClientHelloKey)
| 580 | } |
| 581 | |
| 582 | func (c *Conn) processECHClientHello(outer *clientHelloMsg, echKeys []EncryptedClientHelloKey) (*clientHelloMsg, *echServerContext, error) { |
| 583 | echType, echCiphersuite, configID, encap, payload, err := parseECHExt(outer.encryptedClientHello) |
| 584 | if err != nil { |
| 585 | if errors.Is(err, errInvalidECHExt) { |
| 586 | c.sendAlert(alertIllegalParameter) |
| 587 | } else { |
| 588 | c.sendAlert(alertDecodeError) |
| 589 | } |
| 590 | |
| 591 | return nil, nil, errInvalidECHExt |
| 592 | } |
| 593 | |
| 594 | if echType == innerECHExt { |
| 595 | return outer, &echServerContext{inner: true}, nil |
| 596 | } |
| 597 | |
| 598 | if len(echKeys) == 0 { |
| 599 | return outer, nil, nil |
| 600 | } |
| 601 | |
| 602 | for _, echKey := range echKeys { |
| 603 | skip, config, err := parseECHConfig(echKey.Config) |
| 604 | if err != nil || skip { |
| 605 | c.sendAlert(alertInternalError) |
| 606 | return nil, nil, fmt.Errorf("tls: invalid EncryptedClientHelloKeys Config: %s", err) |
| 607 | } |
| 608 | if skip { |
| 609 | continue |
| 610 | } |
| 611 | echPriv, err := hpke.ParseHPKEPrivateKey(config.KemID, echKey.PrivateKey) |
| 612 | if err != nil { |
| 613 | c.sendAlert(alertInternalError) |
| 614 | return nil, nil, fmt.Errorf("tls: invalid EncryptedClientHelloKeys PrivateKey: %s", err) |
| 615 | } |
| 616 | info := append([]byte("tls ech\x00"), echKey.Config...) |
| 617 | hpkeContext, err := hpke.SetupRecipient(hpke.DHKEM_X25519_HKDF_SHA256, echCiphersuite.KDFID, echCiphersuite.AEADID, echPriv, info, encap) |
| 618 | if err != nil { |
| 619 | // attempt next trial decryption |
| 620 | continue |
| 621 | } |
| 622 | |
| 623 | encodedInner, err := decryptECHPayload(hpkeContext, outer.original, payload) |
| 624 | if err != nil { |
| 625 | // attempt next trial decryption |
| 626 | continue |
| 627 | } |
| 628 | |
| 629 | // NOTE: we do not enforce that the sent server_name matches the ECH |
| 630 | // configs PublicName, since this is not particularly important, and |
| 631 | // the client already had to know what it was in order to properly |
| 632 | // encrypt the payload. This is only a MAY in the spec, so we're not |
| 633 | // doing anything revolutionary. |
| 634 | |
| 635 | echInner, err := decodeInnerClientHello(outer, encodedInner) |
| 636 | if err != nil { |
| 637 | c.sendAlert(alertIllegalParameter) |
| 638 | return nil, nil, errInvalidECHExt |
| 639 | } |