From c25bcef61f3b97316bef66bd6a5510b2265b4e80 Mon Sep 17 00:00:00 2001
From: yuhan6665 <1588741+yuhan6665@users.noreply.github.com>
Date: Sat, 10 May 2025 15:23:34 -0400
Subject: [PATCH] crypto/tls: send illegal_parameter on invalid ECHClientHello.type
The spec indicates that if a client sends an invalid ECHClientHello.type in ClientHelloOuter, the server will abort the handshake with a decode_error alert. Define errInvalidECHExt for invalid ECHClientHello.type. If parseECHExt returns an errInvalidECHExt error, Conn now sends an illegal_parameter alert.
Fixes #71061.
Change-Id: I240241fe8bbe3e77d6ad1af989794647bfa2ff87
GitHub-Last-Rev: 3d6c233
GitHub-Pull-Request: #71062
Reviewed-on: https://go-review.googlesource.com/c/go/+/639235
Reviewed-by: Dmitri Shuralyov
LUCI-TryBot-Result: Go LUCI
Reviewed-by: Roland Shoemaker
---
 ech.go | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/ech.go b/ech.go
index 608f21b..83fdc34 100644
--- a/ech.go
+++ b/ech.go
@@ -379,7 +379,7 @@ func decodeInnerClientHello(outer *clientHelloMsg, encoded []byte) (*clientHello
 }
 if !bytes.Equal(inner.encryptedClientHello, []byte{uint8(innerECHExt)}) {
- return nil, errors.New("tls: client sent invalid encrypted_client_hello extension")
+ return nil, errInvalidECHExt
 }
 if len(inner.supportedVersions) != 1 || (len(inner.supportedVersions) >= 1 && inner.supportedVersions[0] != VersionTLS13) {
@@ -482,6 +482,7 @@ func (e *ECHRejectionError) Error() string {
 }
 var errMalformedECHExt = errors.New("tls: malformed encrypted_client_hello extension")
+var errInvalidECHExt = errors.New("tls: client sent invalid encrypted_client_hello extension")
 type echExtType uint8
@@ -508,7 +509,7 @@ func parseECHExt(ext []byte) (echType echExtType, cs echCipher, configID uint8,
 return echType, cs, 0, nil, nil, nil
 }
 if echType != outerECHExt {
- err = errMalformedECHExt
+ err = errInvalidECHExt
 return
 }
 if !s.ReadUint16(&cs.KDFID) {
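Review bot: The new sentinel `errInvalidECHExt` in the `@@ -482,6 +482,7 @@` hunk sits beside `errMalformedECHExt` with nothing saying how the two differ, even though the choice between them now decides which alert processECHClientHello sends. A comment on each would make the contract explicit, for example `// errMalformedECHExt: the extension could not be parsed; reported as decode_error.` and `// errInvalidECHExt: the extension parsed but carries an illegal value; reported as illegal_parameter.` The same applies to the `echType != outerECHExt` branch in the parseECHExt hunk, where a one-line comment naming the resulting alert would help the next reader. The description's first sentence names decode_error while the subject and the code use illegal_parameter, so the wording is worth reconciling with the spec text it cites.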
@@ -550,8 +551,13 @@ func marshalEncryptedClientHelloConfigList(configs []EncryptedClientHelloKey) ([
 func (c *Conn) processECHClientHello(outer *clientHelloMsg) (*clientHelloMsg, *echServerContext, error) {
 echType, echCiphersuite, configID, encap, payload, err := parseECHExt(outer.encryptedClientHello)
 if err != nil {
- c.sendAlert(alertDecodeError)
- return nil, nil, errors.New("tls: client sent invalid encrypted_client_hello extension")
+ if errors.Is(err, errInvalidECHExt) {
+ c.sendAlert(alertIllegalParameter)
+ } else {
+ c.sendAlert(alertDecodeError)
+ }
+
+ return nil, nil, errInvalidECHExt
 }
 if echType == innerECHExt {
@@ -598,7 +604,7 @@ func (c *Conn) processECHClientHello(outer *clientHelloMsg) (*clientHelloMsg, *e
 echInner, err := decodeInnerClientHello(outer, encodedInner)
 if err != nil {
 c.sendAlert(alertIllegalParameter)
- return nil, nil, errors.New("tls: client sent invalid encrypted_client_hello extension")
+ return nil, nil, errInvalidECHExt
 }
 c.echAccepted = true
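Review bot: In the `@@ -550,8 +551,13 @@` hunk the error branch of processECHClientHello returns `errInvalidECHExt` even on the `else` path, where a decode_error alert was just sent, so the returned error can disagree with the alert on the wire. Returning the parsed error, `return nil, nil, err`, would keep the two aligned and let server logs tell a malformed extension from an illegal type value; if the fixed message is intentional, a comment saying so would do. The diffstat lists only ech.go, so it appears no test pins which alert is sent in each case, and a server-side test covering both paths would guard the mapping. The function body continues outside this hunk.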