Reject the ECH extension in TLS 1.2 ServerHello.

The ECH server extension is defined for TLS 1.3 EncryptedExtensions, not
TLS 1.2 ServerHello.

Bug: 275
Change-Id: Ie6e76c238075d70e6a0694ec0192df07da3457d1
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47910
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/t1_lib.cc b/ssl/t1_lib.cc
index 44c96e8..3553276 100644
--- a/ssl/t1_lib.cc
+++ b/ssl/t1_lib.cc
@@ -688,10 +688,19 @@
 
 static bool ext_ech_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
                                       CBS *contents) {
+  SSL *const ssl = hs->ssl;
   if (contents == NULL) {
     return true;
   }
 
+  // The ECH extension may not be sent in TLS 1.2 ServerHello, only TLS 1.3
+  // EncryptedExtension.
+  if (ssl_protocol_version(ssl) < TLS1_3_VERSION) {
+    *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
+    OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
+    return false;
+  }
+
   // If the client only sent GREASE, we must check the extension syntactically.
   CBS ech_configs;
   if (!CBS_get_u16_length_prefixed(contents, &ech_configs) ||
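Review bot: The comment added above the version check names the TLS 1.3 message as "EncryptedExtension", but the message is EncryptedExtensions (plural), and since this comment is the only place the rejection is explained it is worth matching the spec name exactly: `// The ECH extension may not be sent in TLS 1.2 ServerHello, only TLS 1.3` / `// EncryptedExtensions.` A smaller style point: `SSL *const ssl = hs->ssl;` is introduced before the `contents == NULL` early return, where it is unused; declaring it just above the `ssl_protocol_version(ssl)` call would keep the local next to its only use in this hunk, assuming the rest of the function does not also read it. The body of ext_ech_parse_serverhello continues past the end of the hunk, so that assumption should be checked against the remaining lines.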