Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ech hello retry request #6805

Open
wants to merge 20 commits into
base: master
Choose a base branch
from
Open

Ech hello retry request #6805

wants to merge 20 commits into from
+673 −440

Conversation

jpbland1
Copy link
Contributor

Description

Refactor Hpke to allow multiple uses of a context instead of just one shot mode. Refactor ECH to handle hello retry request with a different ech acceptance scheme and to re-use the hpke context after a hello retry request when sending the second client hello

Fixes #6802

Testing

Tested the regular ECH through unit tests, need to figure out how to trigger an HRR

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@jpbland1 jpbland1 requested a review from dgarske September 25, 2023 05:53
@jpbland1 jpbland1 marked this pull request as ready for review September 25, 2023 05:53
dgarske
dgarske previously approved these changes Sep 25, 2023
View reviewed changes
Copy link
Contributor

@dgarske dgarske left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. Would like to see customer feedback. Assigned to PR cap wolfssl-bot.

@JacobBarthelmeh
Copy link
Contributor

AArch64 test failed, possibly from network hiccup? Retest this please Jenkins

mutex    test passed!
memcb    test passed!
Test complete

wolfSSL error: tcp connect failed: Connection refused

Running simple test
SSL version is TLSv1.2
SSL cipher suite is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL curve name is SECP256R1

@jpbland1 jpbland1 requested a review from dgarske September 26, 2023 17:26
@JacobBarthelmeh
Copy link
Contributor

Looks like CI is flagging a valgrind test. Please also rebase onto master rather than merge in, seems like github has issues when merging in the master branch as seen here with lots of extra commits showing.

@jpbland1
add functions for using an hpke context multiple times
34d7229
@jpbland1
update ech to use multi use hpke context, still doesn' handle HRR
83d7225
@jpbland1
refactor ECH code to handle hrr with special confirmation
037c446
@jpbland1
fix unitialized variable
dfb45bc
@jpbland1
fix implicit cast
000c42e
@jpbland1
don't mix declaration with code to satisfy compiler
167c702
@jpbland1
fix writing empty string when sending enc in response
bc77f9f 
to an hrr, fix bad getSize for hrr ech, fix using the wrong transcript hash for hrr ech, add new hrr test for ech to api.c
@jpbland1
fix memory leaks
4c63ec3
@jpbland1
only copy the hsHashes if the server is actually using ech
a23edb8
@jpbland1
stop double-populating the ech extension since that
c0b49ce 
blows away the ech and it's current hpke context, causing the hrr handling to fail
@jpbland1
free the innerClientHello since it may be previously
a5963b4 
allocated if an hrr happened
@jpbland1
fix ech config parsing to handle 1 byte public name len
36623f0
@jpbland1
update ech to use separate hsHashes for the ech log
f6555fd 
which are not restarted and the inner hsHashes which are restared on HRR. also send empty string with 0 encLen when sending clientHelloInner2. setup works wolfssl->wolfssl but fails to match acceptance for first HRR message when talking to an openssl server, does still work without HRR when talking to cloudflare's server without HRR.
@jpbland1
copy full inner hashes to hsHashesEch so that it has
b62f582 
the unmodified hrr and sh in the digest
@jpbland1
clean up some post-rebase issues
36c89cc
@dgarske
Copy link
Contributor

dgarske commented Sep 23, 2024

@jpbland1 please resolve merge conflicts.

@dgarske dgarske removed their request for review September 23, 2024 18:38
@dgarske dgarske removed the request for review from JacobBarthelmeh September 23, 2024 18:38
@dgarske dgarske assigned jpbland1 and unassigned jpbland1 Nov 15, 2024
@jpbland1 jpbland1 requested a review from dgarske March 10, 2025 15:48
@jpbland1 jpbland1 requested review from SparkiDev and removed request for dgarske March 10, 2025 17:36
SparkiDev
SparkiDev requested changes Mar 10, 2025
View reviewed changes
src/internal.c
@@ -8435,6 +8435,13 @@ void wolfSSL_ResourceFree(WOLFSSL* ssl)
}
FreeSuites(ssl);
FreeHandshakeHashes(ssl);
#ifdef HAVE_ECH
/* try to free the ech hashes in case we errored out */
ssl->hsHashes = ssl->hsHashesEch;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assigning to be freed seems silly.
Make a function that takes a HsHashes* and frees it.
Either name it FreeHanshakeHashes and change callers or have FreeHanshakeHashes call the new function.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SparkiDev SparkiDev SparkiDev requested changes

@dgarske dgarske dgarske left review comments

Requested changes must be addressed to merge this pull request.

Assignees

@SparkiDev SparkiDev

@jpbland1 jpbland1

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Bug]: ECH with HelloRetryRequest (HRR) not working?
5 participants
@jpbland1 @JacobBarthelmeh @dgarske @SparkiDev @wolfSSL-Bot