unless the client offered ECH, reject EE.ECH
diff --git a/lib/picotls.c b/lib/picotls.c
index 9dc360d..4e6294c 100644
--- a/lib/picotls.c
+++ b/lib/picotls.c
@@ -2803,10 +2803,12 @@
ret = PTLS_ALERT_DECODE_ERROR;
goto Exit;
}
- if (ptls_is_ech_handshake(tls)) {
+ /* accept retry_configs only if we offered ECH but rejected */
+ if (tls->client.first_ech.base == NULL || ptls_is_ech_handshake(tls)) {
ret = PTLS_ALERT_UNSUPPORTED_EXTENSION;
goto Exit;
}
+ /* parse retry_config, and if it is applicable, provide that to the application */
if ((ret = decode_ech_config_list(tls->ctx, &decoded, ptls_iovec_init(src, end - src))) != 0)
goto Exit;
if (decoded.kem != NULL && decoded.cipher != NULL && properties != NULL &&
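Review bot: The new guard `tls->client.first_ech.base == NULL || ptls_is_ech_handshake(tls)` treats a non-NULL `first_ech` as "this client offered ECH", but nothing in the hunk shows what populates that field, so the invariant the check depends on is implicit. If `first_ech` is also set when only a GREASE ECH extension was sent (not visible here), a server's retry_configs would still reach `decode_ech_config_list` and could be handed to the application through `properties`. The ECH specification expects a GREASE-only client to syntax-check the extension and then discard it without saving retry_configs, so this is worth confirming, along with a regression test for the unsolicited-extension case. I would also spell the invariant out in the comment, e.g. `/* retry_configs are acceptable only if we actually sent ECH (first_ech is set) and the server rejected it; otherwise EE.ECH is unsolicited */`. The enclosing extension handler starts before and continues past this hunk, so the handling after `decoded.kem != NULL` is not covered by this note.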