refraction-networking
diff --git a/‎ech.go
Copy file name to clipboardExpand all lines: ech.go
+9-1Lines changed: 9 additions & 1 deletion b/‎ech.go
Copy file name to clipboardExpand all lines: ech.go
+9-1Lines changed: 9 additions & 1 deletion
diff --git a/‎handshake_client.go
Copy file name to clipboardExpand all lines: handshake_client.go
+3-3Lines changed: 3 additions & 3 deletions b/‎handshake_client.go
Copy file name to clipboardExpand all lines: handshake_client.go
+3-3Lines changed: 3 additions & 3 deletions
diff --git a/‎handshake_client_tls13.go
Copy file name to clipboardExpand all lines: handshake_client_tls13.go
+13-1Lines changed: 13 additions & 1 deletion b/‎handshake_client_tls13.go
Copy file name to clipboardExpand all lines: handshake_client_tls13.go
+13-1Lines changed: 13 additions & 1 deletion
diff --git a/‎handshake_messages.go
Copy file name to clipboardExpand all lines: handshake_messages.go
+29-11Lines changed: 29 additions & 11 deletions b/‎handshake_messages.go
Copy file name to clipboardExpand all lines: handshake_messages.go
+29-11Lines changed: 29 additions & 11 deletions
diff --git a/‎u_conn.go
Copy file name to clipboardExpand all lines: u_conn.go
+98-4Lines changed: 98 additions & 4 deletions b/‎u_conn.go
Copy file name to clipboardExpand all lines: u_conn.go
+98-4Lines changed: 98 additions & 4 deletions
diff --git a/‎u_handshake_client.go
Copy file name to clipboardExpand all lines: u_handshake_client.go
+4-4Lines changed: 4 additions & 4 deletions b/‎u_handshake_client.go
Copy file name to clipboardExpand all lines: u_handshake_client.go
+4-4Lines changed: 4 additions & 4 deletions
@@ -207,8 +207,16 @@ func pickECHCipherSuite(suites []echCipher) (echCipher, error) {
 	return echCipher{}, errors.New("tls: no supported symmetric ciphersuites for ECH")
 }
 
+// [uTLS SECTION BEGIN]
 func encodeInnerClientHello(inner *clientHelloMsg, maxNameLength int) ([]byte, error) {
-	h, err := inner.marshalMsg(true)
+	return encodeInnerClientHelloReorderOuterExts(inner, maxNameLength, nil)
+}
+
+// [uTLS SECTION END]
+
+// func encodeInnerClientHello(inner *clientHelloMsg, maxNameLength int) ([]byte, error) {
+func encodeInnerClientHelloReorderOuterExts(inner *clientHelloMsg, maxNameLength int, outerExts []uint16) ([]byte, error) { // uTLS
+	h, err := inner.marshalMsgReorderOuterExts(true, outerExts)
 	if err != nil {
 		return nil, err
 	}
 
@@ -214,9 +214,9 @@ func (c *Conn) makeClientHello() (*clientHelloMsg, *keySharePrivateKeys, *echCli
 
 	var ech *echClientContext
 	if c.config.EncryptedClientHelloConfigList != nil {
-		if c.config.MinVersion != 0 && c.config.MinVersion < VersionTLS13 {
-			return nil, nil, nil, errors.New("tls: MinVersion must be >= VersionTLS13 if EncryptedClientHelloConfigList is populated")
-		}
+		// if c.config.MinVersion != 0 && c.config.MinVersion < VersionTLS13 {
+		// 	return nil, nil, nil, errors.New("tls: MinVersion must be >= VersionTLS13 if EncryptedClientHelloConfigList is populated")
+		// }
 		if c.config.MaxVersion != 0 && c.config.MaxVersion <= VersionTLS12 {
 			return nil, nil, nil, errors.New("tls: MaxVersion must be >= VersionTLS13 if EncryptedClientHelloConfigList is populated")
 		}
 
@@ -75,9 +75,21 @@ func (hs *clientHandshakeStateTLS13) handshake() error {
 
 	if hs.echContext != nil {
 		hs.echContext.innerTranscript = hs.suite.hash.New()
-		if err := transcriptMsg(hs.echContext.innerHello, hs.echContext.innerTranscript); err != nil {
+		// [uTLS SECTION BEGIN]
+		encodedInner, err := encodeInnerClientHelloReorderOuterExts(hs.echContext.innerHello, int(hs.echContext.config.MaxNameLength), hs.uconn.extensionsList())
+		if err != nil {
+			return err
+		}
+
+		decodedInner, err := decodeInnerClientHello(hs.hello, encodedInner)
+		if err != nil {
+			return err
+		}
+
+		if err := transcriptMsg(decodedInner, hs.echContext.innerTranscript); err != nil {
 			return err
 		}
+		// [uTLS SECTION END]
 	}
 
 	if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) {
 
@@ -105,7 +105,15 @@ type clientHelloMsg struct {
 	nextProtoNeg bool
 }
 
+// [uTLS SECTION BEGIN]
 func (m *clientHelloMsg) marshalMsg(echInner bool) ([]byte, error) {
+	return m.marshalMsgReorderOuterExts(echInner, nil)
+}
+
+// [uTLS SECTION END]
+
+// func (m *clientHelloMsg) marshalMsg(echInner bool) ([]byte, error) {
+func (m *clientHelloMsg) marshalMsgReorderOuterExts(echInner bool, outerExts []uint16) ([]byte, error) { // uTLS
 	var exts cryptobyte.Builder
 	if len(m.serverName) > 0 {
 		// RFC 6066, Section 3
@@ -254,18 +262,14 @@ func (m *clientHelloMsg) marshalMsg(echInner bool) ([]byte, error) {
 	}
 	if len(m.supportedVersions) > 0 {
 		// RFC 8446, Section 4.2.1
-		if echInner {
-			echOuterExts = append(echOuterExts, extensionSupportedVersions)
-		} else {
-			exts.AddUint16(extensionSupportedVersions)
-			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
-				exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
-					for _, vers := range m.supportedVersions {
-						exts.AddUint16(vers)
-					}
-				})
+		exts.AddUint16(extensionSupportedVersions)
+		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
+			exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
+				for _, vers := range m.supportedVersions {
+					exts.AddUint16(vers)
+				}
 			})
-		}
+		})
 	}
 	if len(m.cookie) > 0 {
 		// RFC 8446, Section 4.2.2
@@ -311,6 +315,20 @@ func (m *clientHelloMsg) marshalMsg(echInner bool) ([]byte, error) {
 			})
 		}
 	}
+	// [uTLS SECTION BEGIN]
+	if echInner && outerExts != nil {
+		echOuterExtsReordered := slices.Collect(func(yield func(uint16) bool) {
+			for _, ext := range outerExts {
+				if slices.Contains(echOuterExts, ext) {
+					if !yield(ext) {
+						return
+					}
+				}
+			}
+		})
+		echOuterExts = echOuterExtsReordered
+	}
+	// [uTLS SECTION END]
 	if len(echOuterExts) > 0 && echInner {
 		exts.AddUint16(extensionECHOuterExtensions)
 		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
 
@@ -14,7 +14,10 @@ import (
 	"fmt"
 	"hash"
 	"net"
+	"slices"
 	"strconv"
+
+	"golang.org/x/crypto/cryptobyte"
 )
 
 type ClientHelloBuildStatus int
@@ -487,15 +490,106 @@ func (uconn *UConn) ApplyConfig() error {
 	return nil
 }
 
+func (uconn *UConn) extensionsList() []uint16 {
+
+	outerExts := []uint16{}
+	for _, ext := range uconn.Extensions {
+		buffer := cryptobyte.String(make([]byte, 2000))
+		ext.Read(buffer)
+		var extension uint16
+		buffer.ReadUint16(&extension)
+		outerExts = append(outerExts, extension)
+	}
+	return outerExts
+}
+
 func (uconn *UConn) MarshalClientHello() error {
-	if len(uconn.config.ECHConfigs) > 0 && uconn.ech != nil {
-		if err := uconn.ech.Configure(uconn.config.ECHConfigs); err != nil {
+	if len(uconn.config.EncryptedClientHelloConfigList) > 0 {
+		inner, _, ech, err := uconn.makeClientHello()
+		if err != nil {
 			return err
 		}
-		return uconn.ech.MarshalClientHello(uconn)
+
+		inner.keyShares = KeyShares(uconn.HandshakeState.Hello.KeyShares).ToPrivate()
+		inner.supportedSignatureAlgorithms = uconn.HandshakeState.Hello.SupportedSignatureAlgorithms
+		inner.sessionId = uconn.HandshakeState.Hello.SessionId
+		inner.supportedCurves = uconn.HandshakeState.Hello.SupportedCurves
+		inner.supportedVersions = []uint16{VersionTLS13}
+
+		ech.innerHello = inner
+
+		encapKey := ech.encapsulatedKey
+
+		encodedInner, err := encodeInnerClientHelloReorderOuterExts(inner, int(ech.config.MaxNameLength), uconn.extensionsList())
+		if err != nil {
+			return err
+		}
+
+		// NOTE: the tag lengths for all of the supported AEADs are the same (16
+		// bytes), so we have hardcoded it here. If we add support for another AEAD
+		// with a different tag length, we will need to change this.
+		encryptedLen := len(encodedInner) + 16 // AEAD tag length
+		outerECHExt, err := generateOuterECHExt(ech.config.ConfigID, ech.kdfID, ech.aeadID, encapKey, make([]byte, encryptedLen))
+		if err != nil {
+			return err
+		}
+
+		sniExtIdex := slices.IndexFunc(uconn.Extensions, func(ext TLSExtension) bool {
+			_, ok := ext.(*SNIExtension)
+			return ok
+		})
+		uconn.Extensions[sniExtIdex] = &SNIExtension{
+			ServerName: string(ech.config.PublicName),
+		}
+
+		echExtIdx := slices.IndexFunc(uconn.Extensions, func(ext TLSExtension) bool {
+			_, ok := ext.(EncryptedClientHelloExtension)
+			return ok
+		})
+		uconn.Extensions[echExtIdx] = &GenericExtension{
+			Id:   extensionEncryptedClientHello,
+			Data: outerECHExt,
+		}
+
+		// uconn.HandshakeState.Hello.Random = make([]byte, 32)
+		// _, err = io.ReadFull(uconn.config.rand(), uconn.HandshakeState.Hello.Random)
+		// if err != nil {
+		// 	return errors.New("tls: short read from Rand: " + err.Error())
+		// }
+
+		if err := uconn.MarshalClientHelloNoECH(); err != nil {
+			return err
+		}
+
+		serializedOuter := uconn.HandshakeState.Hello.Raw
+		serializedOuter = serializedOuter[4:] // strip the four byte prefix
+		encryptedInner, err := ech.hpkeContext.Seal(serializedOuter, encodedInner)
+		if err != nil {
+			return err
+		}
+		outerECHExt, err = generateOuterECHExt(ech.config.ConfigID, ech.kdfID, ech.aeadID, encapKey, encryptedInner)
+		if err != nil {
+			return err
+		}
+		uconn.Extensions[echExtIdx] = &GenericExtension{
+			Id:   extensionEncryptedClientHello,
+			Data: outerECHExt,
+		}
+
+		if err := uconn.MarshalClientHelloNoECH(); err != nil {
+			return err
+		}
+
+		uconn.echCtx = ech
+		return nil
 	}
 
-	return uconn.MarshalClientHelloNoECH() // if no ECH pointer, just marshal normally
+	if err := uconn.MarshalClientHelloNoECH(); err != nil {
+		return err
+	}
+
+	return nil
+
 }
 
 // MarshalClientHelloNoECH marshals ClientHello as if there was no
 
@@ -353,9 +353,9 @@ func (c *Conn) makeClientHelloForApplyPreset() (*clientHelloMsg, *keySharePrivat
 
 	var ech *echClientContext
 	if c.config.EncryptedClientHelloConfigList != nil {
-		if c.config.MinVersion != 0 && c.config.MinVersion < VersionTLS13 {
-			return nil, nil, nil, errors.New("tls: MinVersion must be >= VersionTLS13 if EncryptedClientHelloConfigList is populated")
-		}
+		// if c.config.MinVersion != 0 && c.config.MinVersion < VersionTLS13 {
+		// 	return nil, nil, nil, errors.New("tls: MinVersion must be >= VersionTLS13 if EncryptedClientHelloConfigList is populated")
+		// }
 		if c.config.MaxVersion != 0 && c.config.MaxVersion <= VersionTLS12 {
 			return nil, nil, nil, errors.New("tls: MaxVersion must be >= VersionTLS13 if EncryptedClientHelloConfigList is populated")
 		}
@@ -483,7 +483,7 @@ func (c *UConn) clientHandshake(ctx context.Context) (err error) {
 		}()
 	}
 
-	if ech != nil {
+	if ech != nil && c.clientHelloBuildStatus == BuildByGoTLS {
 		// Split hello into inner and outer
 		ech.innerHello = hello.clone()