crypto/tls: send illegal_parameter on invalid ECHClientHello.type

The spec indicates that if a client sends an invalid ECHClientHello.type in ClientHelloOuter, the server will abort the handshake with a decode_error alert. Define errInvalidECHExt for invalid ECHClientHello.type. If parseECHExt returns an errInvalidECHExt error, Conn now sends an illegal_parameter alert. Fixes #71061. Change-Id: I240241fe8bbe3e77d6ad1af989794647bfa2ff87 GitHub-Last-Rev: 3d6c233 GitHub-Pull-Request: #71062 Reviewed-on: https://go-review.googlesource.com/c/go/+/639235 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Roland Shoemaker <roland@golang.org>
2025-08-22 14:38:35 +00:00 · 2025-05-10 15:23:34 -04:00 · 2025-05-10 15:23:34 -04:00 · c25bcef61f
commit c25bcef61f
parent 84d21a0006
1 changed files with 11 additions and 5 deletions
--- a/ech.go
+++ b/ech.go
@ -379,7 +379,7 @@ func decodeInnerClientHello(outer *clientHelloMsg, encoded []byte) (*clientHello
 	}

 	if !bytes.Equal(inner.encryptedClientHello, []byte{uint8(innerECHExt)}) {
-		return nil, errors.New("tls: client sent invalid encrypted_client_hello extension")
+		return nil, errInvalidECHExt
 	}

 	if len(inner.supportedVersions) != 1 || (len(inner.supportedVersions) >= 1 && inner.supportedVersions[0] != VersionTLS13) {
@ -482,6 +482,7 @@ func (e *ECHRejectionError) Error() string {
 }

 var errMalformedECHExt = errors.New("tls: malformed encrypted_client_hello extension")
+var errInvalidECHExt = errors.New("tls: client sent invalid encrypted_client_hello extension")

 type echExtType uint8

@ -508,7 +509,7 @@ func parseECHExt(ext []byte) (echType echExtType, cs echCipher, configID uint8,
 		return echType, cs, 0, nil, nil, nil
 	}
 	if echType != outerECHExt {
-		err = errMalformedECHExt
+		err = errInvalidECHExt
 		return
 	}
 	if !s.ReadUint16(&cs.KDFID) {
@ -550,8 +551,13 @@ func marshalEncryptedClientHelloConfigList(configs []EncryptedClientHelloKey) ([
 func (c *Conn) processECHClientHello(outer *clientHelloMsg) (*clientHelloMsg, *echServerContext, error) {
 	echType, echCiphersuite, configID, encap, payload, err := parseECHExt(outer.encryptedClientHello)
 	if err != nil {
-		c.sendAlert(alertDecodeError)
-		return nil, nil, errors.New("tls: client sent invalid encrypted_client_hello extension")
+		if errors.Is(err, errInvalidECHExt) {
+			c.sendAlert(alertIllegalParameter)
+		} else {
+			c.sendAlert(alertDecodeError)
+		}
+
+		return nil, nil, errInvalidECHExt
 	}

 	if echType == innerECHExt {
@ -598,7 +604,7 @@ func (c *Conn) processECHClientHello(outer *clientHelloMsg) (*clientHelloMsg, *e
 		echInner, err := decodeInnerClientHello(outer, encodedInner)
 		if err != nil {
 			c.sendAlert(alertIllegalParameter)
-			return nil, nil, errors.New("tls: client sent invalid encrypted_client_hello extension")
+			return nil, nil, errInvalidECHExt
 		}

 		c.echAccepted = true