skip ECH grease when client.ech.configs has NULL base

kazuho · claude · kazuho · commit a83ce982630e · 2026-04-20T08:29:04.000+09:00
The header documented that {NULL, 0} disables ECH, but the client-side
implementation took the grease branch whenever configs.len was zero --
including the zero-initialized {NULL, 0} default. That forced grease on
any handshake that supplied handshake_properties for unrelated reasons
(e.g., QUIC additional extensions), even though the context's ECH setup
wasn't meant to apply. Gate the grease branch on configs.base != NULL to
match the documented API, and expand the comment in picotls.h to cover
all three states explicitly.

Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
diff --git a/include/picotls.h b/include/picotls.h
@@ -1123,8 +1123,9 @@ typedef struct st_ptls_handshake_properties_t {
              */
             struct {
                 /**
-                 * Config offered by server e.g., by HTTPS RR. If config.base is non-NULL but config.len is zero, a grease ECH will
-                 * be sent, assuming that X25519-SHA256 KEM and SHA256-AES-128-GCM HPKE cipher is available.
+                 * An ECH config offered by server e.g., by HTTPS RR. If config.len is zero and .base is non-NULL, a grease ECH will
+                 * be sent, assuming that X25519-SHA256 KEM and SHA256-AES-128-GCM HPKE cipher is available. If .base is also NULL,
+                 * ECH will not be used at all, even if the context provided the ECH ciphers.
                  */
                 ptls_iovec_t configs;
                 /**
diff --git a/lib/picotls.c b/lib/picotls.c
@@ -2400,8 +2400,8 @@ static int send_client_hello(ptls_t *tls, ptls_message_emitter_t *emitter, ptls_
                     if ((ret = client_setup_ech(&tls->ech, &decoded, tls->ctx->random_bytes)) != 0)
                         goto Exit;
                 }
-            } else {
-                /* zero-length config indicates ECH greasing */
+            } else if (properties->client.ech.configs.base != NULL) {
+                /* zero-length config with non-NULL base indicates ECH greasing; NULL base means no ECH */
                 client_setup_ech_grease(&tls->ech, tls->ctx->random_bytes, tls->ctx->ech.client.kems, tls->ctx->ech.client.ciphers,
                                         sni_name);
                 tls->ech.state = PTLS_ECH_STATE_GREASE;
