crypto/tls: fix ECH SNI encoded length

https://datatracker.ietf.org/doc/html/rfc9849#section-6.1.3

Change-Id: Ifccf7b92f69ddb9ae288991763111bd1f00e61de
Reviewed-on: https://go-review.googlesource.com/c/go/+/765446
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>

2 files changed, 55 insertions, 1 deletions

diff --git a/src/crypto/tls/ech.go b/src/crypto/tls/ech.go
index adeff9e050..7b0f4a0974 100644
--- a/src/crypto/tls/ech.go
+++ b/src/crypto/tls/ech.go
@@ -207,7 +207,7 @@ func encodeInnerClientHello(inner *clientHelloMsg, maxNameLength int) ([]byte, e
 	} else {
 		paddingLen = maxNameLength + 9
 	}
-	paddingLen = 31 - ((len(h) + paddingLen - 1) % 32)
+	paddingLen += 31 - ((len(h) + paddingLen - 1) % 32)
 
 	return append(h, make([]byte, paddingLen)...), nil
 }
diff --git a/src/crypto/tls/ech_test.go b/src/crypto/tls/ech_test.go
index 5adbb0293d..472ab55519 100644
--- a/src/crypto/tls/ech_test.go
+++ b/src/crypto/tls/ech_test.go
@@ -6,6 +6,7 @@ package tls
 
 import (
 	"encoding/hex"
+	"strings"
 	"testing"
 )
 
@@ -46,3 +47,56 @@ func TestSkipBadConfigs(t *testing.T) {
 		t.Fatal("pickECHConfig picked an invalid config")
 	}
 }
+
+func TestECHPadding(t *testing.T) {
+	const maxNameLength = 64
+	for _, tc := range []struct {
+		name       string
+		serverName string
+	}{
+		{"Short", "a.test"},
+		{"Medium", strings.Repeat("a", 30) + ".test"},
+		{"MaxLength", strings.Repeat("a", maxNameLength) + ".test"},
+		{"NoSNI", ""},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			inner := &clientHelloMsg{
+				vers:               VersionTLS13,
+				random:             make([]byte, 32),
+				serverName:         tc.serverName,
+				cipherSuites:       []uint16{TLS_AES_128_GCM_SHA256},
+				compressionMethods: []uint8{0},
+				supportedVersions:  []uint16{VersionTLS13},
+			}
+			encoded, err := encodeInnerClientHello(inner, maxNameLength)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if len(encoded)%32 != 0 {
+				t.Errorf("got %d, want multiple of 32", len(encoded))
+			}
+		})
+	}
+
+	t.Run("SetSizeReduction", func(t *testing.T) {
+		sizes := make(map[int]struct{})
+		for sniLen := 1; sniLen <= maxNameLength; sniLen++ {
+			inner := &clientHelloMsg{
+				vers:               VersionTLS13,
+				random:             make([]byte, 32),
+				serverName:         strings.Repeat("a", sniLen) + ".test",
+				cipherSuites:       []uint16{TLS_AES_128_GCM_SHA256},
+				compressionMethods: []uint8{0},
+				supportedVersions:  []uint16{VersionTLS13},
+			}
+			encoded, err := encodeInnerClientHello(inner, maxNameLength)
+			if err != nil {
+				t.Fatal(err)
+			}
+			sizes[len(encoded)] = struct{}{}
+		}
+		if len(sizes) > 4 {
+			t.Errorf("got %d distinct encoded sizes for SNI lengths 1..%d, want <= 4", len(sizes), maxNameLength)
+		}
+	})
+}