Bug 1755904 - Fix calculation of ECH HRR Transcript. r=mt

Differential Revision: https://phabricator.services.mozilla.com/D140963

1 files changed, 6 insertions, 1 deletions

diff --git a/lib/ssl/tls13ech.c b/lib/ssl/tls13ech.c
index f3f1546ec..76c041a93 100644
--- a/lib/ssl/tls13ech.c
+++ b/lib/ssl/tls13ech.c
@@ -1845,6 +1845,7 @@ tls13_ComputeEchHelloRetryTranscript(sslSocket *ss, const PRUint8 *sh, unsigned
      *  This segment calculates the hash of the Client Hello
      *  TODO(djackson@mozilla.com) - Replace with existing function?
      *  e.g. tls13_ReinjectHandshakeTranscript
+     *  TODO(djackson@mozilla.com) - Replace with streaming version
      */
     if (!ss->ssl3.hs.helloRetry || !ss->sec.isServer) {
         /*
@@ -1912,7 +1913,7 @@ tls13_ComputeEchHelloRetryTranscript(sslSocket *ss, const PRUint8 *sh, unsigned
     }
     PR_ASSERT(tls13_Debug_CheckXtnBegins(sh + absEchOffset - 4, ssl_tls13_encrypted_client_hello_xtn));
     /* The HRR up to the ECH Xtn signal */
-    rv = sslBuffer_Append(out, sh, shLen - absEchOffset);
+    rv = sslBuffer_Append(out, sh, absEchOffset);
     if (rv != SECSuccess) {
         goto loser;
     }
@@ -1926,6 +1927,7 @@ tls13_ComputeEchHelloRetryTranscript(sslSocket *ss, const PRUint8 *sh, unsigned
     if (rv != SECSuccess) {
         goto loser;
     }
+    PR_ASSERT(out->len == tls13_GetHashSize(ss) + 4 + shLen + 4);
     return SECSuccess;
 loser:
     sslBuffer_Clear(out);
@@ -1941,6 +1943,9 @@ tls13_ComputeEchServerHelloTranscript(sslSocket *ss, const PRUint8 *sh, unsigned
                           SSL3_RANDOM_LENGTH - TLS13_ECH_SIGNAL_LEN;
     PORT_Assert(sh && shLen > offset);
     PORT_Assert(TLS13_ECH_SIGNAL_LEN <= SSL3_RANDOM_LENGTH);
+
+    /* TODO(djackson@mozilla.com) - Replace with streaming version */
+
     rv = sslBuffer_AppendBuffer(out, chSource);
     if (rv != SECSuccess) {
         goto loser;