Merge pull request #10094 from sebastian-carpenter/GH-10068

Fixes: for GH #10068

Author: JacobBarthelmeh

src/ssl_ech.c

@@ -547,8 +547,9 @@ int SetEchConfigsEx(WOLFSSL_EchConfig** outputConfigs, void* heap,
         ato16(echConfig, &hpkePubkeyLen);
         echConfig += 2;
 
-        /* hpke public_key */
-        if (hpkePubkeyLen > HPKE_Npk_MAX || hpkePubkeyLen == 0) {
+        /* hpke public_key
+         * KEM support will be checked along with the ciphersuites */
+        if (hpkePubkeyLen != wc_HpkeKemGetEncLen(workingConfig->kemId)) {
             ret = BUFFER_E;
             break;
         }

src/tls.c

@@ -13800,7 +13800,7 @@ static int TLSX_ECH_Write(WOLFSSL_ECH* ech, byte msgType, byte* writeBuf,
                 writeBuf_p += ech->encLen;
             }
             /* innerClientHelloLen */
-            c16toa(ech->innerClientHelloLen, writeBuf_p);
+            c16toa((word16)ech->innerClientHelloLen, writeBuf_p);
             writeBuf_p += 2;
             /* set payload offset for when we finalize */
             ech->outerClientPayload = writeBuf_p;
@@ -14195,6 +14195,9 @@ static int TLSX_ECH_ExpandOuterExtensions(WOLFSSL* ssl, WOLFSSL_ECH* ech,
 
     newInnerChLen = innerChLen - echOuterExtLen + extraSize - sessionIdLen +
                         ssl->session->sessionIDSz;
+    if (newInnerChLen > 0xFFFF) {
+        return BUFFER_E;
+    }
 
     if (!foundEchOuter && sessionIdLen == ssl->session->sessionIDSz) {
         /* no extensions + no sessionID to copy */
@@ -14259,7 +14262,7 @@ static int TLSX_ECH_ExpandOuterExtensions(WOLFSSL* ssl, WOLFSSL_ECH* ech,
     if (ret == 0) {
         XFREE(ech->innerClientHello, heap, DYNAMIC_TYPE_TMP_BUFFER);
         ech->innerClientHello = newInnerCh;
-        ech->innerClientHelloLen = (word16)newInnerChLen;
+        ech->innerClientHelloLen = newInnerChLen;
         newInnerCh = NULL;
     }
 
@@ -14373,6 +14376,7 @@ static int TLSX_ECH_Parse(WOLFSSL* ssl, const byte* readBuf, word16 size,
     word32 offset = 0;
     word16 len;
     word16 tmpVal16;
+    word16 lenCh;
 
     WOLFSSL_MSG("TLSX_ECH_Parse");
     if (ssl->options.disableECH) {
@@ -14489,7 +14493,8 @@ static int TLSX_ECH_Parse(WOLFSSL* ssl, const byte* readBuf, word16 size,
         readBuf_p += len;
         offset += len;
         /* read payload (encrypted CH) len */
-        ato16(readBuf_p, &ech->innerClientHelloLen);
+        ato16(readBuf_p, &lenCh);
+        ech->innerClientHelloLen = lenCh;
         readBuf_p += 2;
         offset += 2;
         /* Check payload is no bigger than remaining bytes. */

src/tls13.c

@@ -3805,6 +3805,7 @@ int EchConfigGetSupportedCipherSuite(WOLFSSL_EchConfig* config)
     int i = 0;
 
     if (!wc_HpkeKemIsSupported(config->kemId)) {
+        WOLFSSL_MSG("ECH config: KEM not supported");
         return WOLFSSL_FATAL_ERROR;
     }
 
@@ -3815,6 +3816,7 @@ int EchConfigGetSupportedCipherSuite(WOLFSSL_EchConfig* config)
         }
     }
 
+    WOLFSSL_MSG("ECH config: KDF or AEAD not supported");
     return WOLFSSL_FATAL_ERROR;
 }
 
@@ -3937,10 +3939,14 @@ static int EchCalcAcceptance(WOLFSSL* ssl, byte* label, word16 labelSz,
 
     if (isHrr) {
         /* the transcript hash of ClientHelloInner1 */
-        hashSz = GetMsgHash(ssl, clientHelloInnerHash);
-        if (hashSz > 0) {
+        ret = GetMsgHash(ssl, clientHelloInnerHash);
+        if (ret > 0) {
+            hashSz = ret;
             ret = 0;
         }
+        else if (ret == 0) {
+            ret = HASH_TYPE_E;
+        }
 
         /* restart ECH transcript hash, similar to RestartHandshakeHash but
          * don't add a cookie */
@@ -3980,6 +3986,9 @@ static int EchCalcAcceptance(WOLFSSL* ssl, byte* label, word16 labelSz,
         if (ret > 0) {
             ret = 0;
         }
+        else if (ret == 0) {
+            ret = HASH_TYPE_E;
+        }
     }
 
     /* pick the right type and size based on mac_algorithm */
@@ -4765,15 +4774,18 @@ int SendTls13ClientHello(WOLFSSL* ssl)
 
             /* get size for inner */
             ret = TLSX_GetRequestSize(ssl, client_hello, &args->length);
+
+            /* set the type to outer */
+            args->ech->type = ECH_TYPE_OUTER;
             if (ret != 0)
                 return ret;
 
-            /* set the type to outer */
-            args->ech->type = 0;
             /* set innerClientHelloLen to ClientHelloInner + padding + tag */
             args->ech->paddingLen = 31 - ((args->length - 1) % 32);
-            args->ech->innerClientHelloLen = (word16)(args->length +
-                args->ech->paddingLen + args->ech->hpke->Nt);
+            args->ech->innerClientHelloLen = args->length +
+                args->ech->paddingLen + args->ech->hpke->Nt;
+            if (args->ech->innerClientHelloLen > 0xFFFF)
+                return BUFFER_E;
             /* set the length back to before we computed ClientHelloInner size */
             args->length = (word32)args->preXLength;
         }
@@ -4915,8 +4927,10 @@ int SendTls13ClientHello(WOLFSSL* ssl)
         args->ech->innerClientHello =
             (byte*)XMALLOC(args->ech->innerClientHelloLen - args->ech->hpke->Nt,
             ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
-        if (args->ech->innerClientHello == NULL)
+        if (args->ech->innerClientHello == NULL) {
+            args->ech->type = ECH_TYPE_OUTER;
             return MEMORY_E;
+        }
         /* set the padding bytes to 0 */
         XMEMSET(args->ech->innerClientHello + args->ech->innerClientHelloLen -
             args->ech->hpke->Nt - args->ech->paddingLen, 0,
@@ -4939,8 +4953,10 @@ int SendTls13ClientHello(WOLFSSL* ssl)
         /* change the outer client random */
         ret = wc_RNG_GenerateBlock(ssl->rng, args->output +
             args->clientRandomOffset, RAN_LEN);
-        if (ret != 0)
+        if (ret != 0) {
+            args->ech->type = ECH_TYPE_OUTER;
             return ret;
+        }
         /* copy the new client random */
         XMEMCPY(ssl->arrays->clientRandom, args->output +
             args->clientRandomOffset, RAN_LEN);
@@ -4949,10 +4965,10 @@ int SendTls13ClientHello(WOLFSSL* ssl)
         ret = TLSX_WriteRequest(ssl, args->ech->innerClientHello + args->idx -
             (RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ), client_hello,
             &args->length);
+        /* set the type to outer */
+        args->ech->type = ECH_TYPE_OUTER;
         if (ret != 0)
             return ret;
-        /* set the type to outer */
-        args->ech->type = 0;
     }
 #endif
 
@@ -5707,6 +5723,9 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
     /* check for acceptConfirmation */
     if (ssl->echConfigs != NULL && !ssl->options.disableECH) {
         args->echX = TLSX_Find(ssl->extensions, TLSX_ECH);
+        if (args->echX == NULL || args->echX->data == NULL)
+            return WOLFSSL_FATAL_ERROR;
+
         /* account for hrr extension instead of server random */
         if (args->extMsgType == hello_retry_request) {
             args->acceptOffset =
@@ -8815,6 +8834,8 @@ int CreateSigData(WOLFSSL* ssl, byte* sigData, word16* sigDataSz,
     ret = GetMsgHash(ssl, &sigData[idx]);
     if (ret < 0)
         return ret;
+    if (ret == 0)
+        return HASH_TYPE_E;
 
     *sigDataSz = (word16)(idx + ret);
     ret = 0;

wolfcrypt/src/hpke.c

@@ -917,7 +917,7 @@ int wc_HpkeInitSealContext(Hpke* hpke, HpkeBaseContext* context,
     void* ephemeralKey, void* receiverKey, byte* info, word32 infoSz)
 {
     if (hpke == NULL || context == NULL || ephemeralKey == NULL ||
-        receiverKey == NULL || (info == NULL && infoSz > 0)) {
+        receiverKey == NULL || (info == NULL && infoSz != 0)) {
         return BAD_FUNC_ARG;
     }
 
@@ -935,7 +935,7 @@ int wc_HpkeContextSealBase(Hpke* hpke, HpkeBaseContext* context,
     int ret;
     byte nonce[HPKE_Nn_MAX];
     WC_DECLARE_VAR(aes, Aes, 1, 0);
-    if (hpke == NULL || context == NULL || (aad == NULL && aadSz > 0) ||
+    if (hpke == NULL || context == NULL || (aad == NULL && aadSz != 0) ||
         plaintext == NULL || out == NULL) {
         return BAD_FUNC_ARG;
     }
@@ -1160,7 +1160,7 @@ int wc_HpkeInitOpenContext(Hpke* hpke, HpkeBaseContext* context,
     word32 infoSz)
 {
     if (hpke == NULL || context == NULL || receiverKey == NULL || pubKey == NULL
-        || (info == NULL && infoSz > 0)) {
+        || (info == NULL && infoSz != 0)) {
         return BAD_FUNC_ARG;
     }
 
@@ -1175,7 +1175,8 @@ int wc_HpkeContextOpenBase(Hpke* hpke, HpkeBaseContext* context, byte* aad,
     int ret;
     byte nonce[HPKE_Nn_MAX];
     WC_DECLARE_VAR(aes, Aes, 1, 0);
-    if (hpke == NULL || context == NULL || ciphertext == NULL || out == NULL) {
+    if (hpke == NULL || context == NULL || (aad == NULL && aadSz != 0) ||
+        ciphertext == NULL || out == NULL) {
         return BAD_FUNC_ARG;
     }