TLS ECH confirmation fix and OuterExtension addition

[sebastian-carpenter]

Description

Original issue stems from wolfssl-examples/tls/client-ech not working. This issue was a confirmation value mismatch between Cloudflare and our ECH client implementation. The confirmation value is present in the HelloRetryRequest's encrypted_client_hello extension.

• Confirmation mismatch was resolved by refactoring most of the transcript code for ECH.
  • Managed to remove a transcript hash that seemed unecessary. (hsHashesEchInner)
  • Merged most of the client and server calculation for ECH transcript into similar functions.
  • Random value only copied into client hello inner once now
• Fixed segfault when server does not respond with a confirmation value
• Added OuterExtensions extension support to the server to allow testing against openssl s_client (second confirmation that transcript hash is now correct)
  • OuterExtensions will copy extensions from the outer hello into the inner hello

Issues fixed when writing tests:

• ssl->options.useEch got out of sync with whether echConfigs is actually a NULL pointer. Removed it.
  • This option was not always combined with echDisabled too, so updated relevant areas.
• When generating a config the item is appended to the end of the LL of ech Configs. Seems inefficient so changed it to insert at the beginning.
• Private SNI was never verified and, in fact, the server's private SNI was replaced by the public SNI. Added field in WOLFSSL_ECH struct to store the private SNI and a counter to keep track of when to verify the public vs the private SNI.
• A wolfssl server with ECH enabled and echConfigs generated would expect ECH connections. Therefore, a client connecting without ECH would fail.
• Some tests were not checking all return values or did not test for distinct problems.

Based fixes off of esni draft 25 (https://www.ietf.org/archive/id/draft-ietf-tls-esni-25.html)

Addresses github issue #6925

Testing

With ECH enabled OpenSSL:

openssl s_client -connect 127.0.0.1:11111 -servername ech-private-name.com -CAfile ../wolfssl-examples/certs/ca-cert.pem -tls1_3 -ech_config_list AEb+DQBCKwAgACARYidanwtcQUp0EfBd0qll0hpqgXpDlNj+iVAIUO5tDAAEAAEAAQATZWNoLXB1YmxpYy1uYW1lLmNvbQAA

This is run against the wolfssl-examples repo ./tls/server-ech-local example.

Also ran ./tls/client-ech-local against the example server and the updated ./tls/client-ech part of a wolfssl-example PR (wolfSSL/wolfssl-examples#556)

Added extra tests to more strenuously test ECH:

• test_wolfSSL_SubTls13_ECH
  • Verify that ECH does not work below TLS 1.3
• test_wolfSSL_Tls13_ECH_bad_configs
  • Make sure neither server nor client will connect when ech configs are incorrect. Mainly a check that SNI's match.
• test_wolfSSL_Tls13_ECH_new_config
  • Check that the server tries more than just the first config.
• test_wolfSSL_Tls13_ECH_GREASE
  • End to end test of GREASE ECH: checks that a server supports ECH / retrieves ECH configs from a server
• test_wolfSSL_Tls13_ECH_disable_conn
  • Test if a mismatch in ECH support between server / client does not cause failures. Additionally, that ECH can even be turned off. It also tests public/private SNI verification through a callback.
• test_wolfSSL_Tls13_ECH_enable_disable
  • Stress the enable/disable API for ECH

Checklist

• [X ] added tests
• updated/added doxygen
• updated appropriate READMEs
• Updated manual and documentation

[dgarske]

Code looks good. I'd like this PR to include testing as well. I don't see any. Thanks

[sebastian-carpenter]

Code looks good. I'd like this PR to include testing as well. I don't see any. Thanks

I've added testing in api.c. Let me know if there's any tests you disagree with or which I should add.

I'll be making the github workflow to test against ECH enabled openssl s_client in the meantime.