@AristaKB AristaKB commented Nov 12, 2024

Summary Of Implementation:

Due to the current behavior of browsers, we are not receiving any ECH (Encrypted Client Hello) packets that contain an encrypted SNI (Server Name Indication). As a result, this feature has not been fully tested in scenarios where the SNI is actually encrypted rather than sent as plain text.
The current implementation is designed to handle cases where we receive an ECH record but the hostname remains unencrypted. In these cases, the request is allowed to pass through, ensuring that the web filter and other filtering applications continue to function as expected.
However, if in the future no SNI is provided with an encrypted Client Hello packet, the request will be blocked according to the current implementation, and the client will see a web filter block page.

This implementation uses dual buffer processing because the positions of extension types vary across different browsers. Since the positions of the SERVER_NAME and ENCRYPTED_CLIENT_HELLO extensions are not fixed, attempting to fetch both extensions in a single pass can result in an exception and cause a timeout error on the client side while processing the request. Hence, a new method checkEchExtension was created to fetch the ENCRYPTED_CLIENT_HELLO extension from a duplicate buffer.

https://awakesecurity.atlassian.net/wiki/spaces/ngfw/pages/2704277528/Blocking+Support+for+ECH+in+Filter+Apps

NOTE: The actual feature can't be tested fully, as the SNI always comes in the Client Hello packet whether ECH is enabled or disabled.

Current Testing Steps:

Regression Testing (Firefox and Chrome):

    1. Create a rule on the web filter to block any site (example: goal.com).
    2. On the client, hit the same site; you will see that the site is blocked.
    3. Hit any site for which no rule has been written; it should not be blocked.

Testing (Firefox and Chrome):

Prerequisite:
ECH must be enabled in the browsers to test this feature. Below are the steps to enable ECH.

CHROME:

  1. Enable secure DNS: Settings --> Privacy and Security --> Security --> Advanced --> Use secure DNS, and set any DNS server name from the drop-down.
  2. Enable TLS 1.3 by enabling the flags shown below.
    (Screenshot from 2024-11-12 17-01-59)
  3. If you are using a Linux system, create a JSON file policies.json under /etc/opt/chrome/policies/managed and write the content shown below.
    (Screenshot from 2024-11-12 17-04-47)
  4. Relaunch the browser and hit https://tls-ech.dev. You will see the page confirming you are using ECH.

FIREFOX:

  1. Enable secure DNS: Settings --> Privacy and Security --> Security --> Advanced --> Enable DNS over HTTPS using --> Max protection, and set any DNS server name from the drop-down.
  2. Enable TLS 1.3 by enabling the flags shown below.
    (Screenshot from 2024-11-12 17-11-35)
  3. To enable ECH, update the flags as shown in the screenshot below.
    (Screenshot from 2024-11-12 17-13-13)
  4. Relaunch the browser and hit https://tls-ech.dev. You will see the page confirming you are using ECH.

On current versions of Firefox and Chrome, ECH is enabled by default. You can test it by hitting https://tls-ech.dev.

  1. Enable the ECH block by checking Web Filter --> Advanced --> Block encrypted client hello.
  2. Hit any site; it should not block the request if an unencrypted SNI name is received in the Client Hello packets.
  3. Now hit goal.com, the blocked site; it should block the request.
  4. If you somehow get an ECH packet with no SNI, the call should be blocked by the web filter.
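The PR description above explains the filtering rule (pass through when a plaintext SNI is readable even alongside an ECH extension, block when ECH is present and no SNI can be found) and the parsing problem that motivated the dual-buffer approach (extension order varies per browser, and a parse failure must not turn into a client-side timeout). The following is an added example, not code from this PR or the NGFW code base: a single-pass ClientHello extension parser in Python that collects every extension regardless of order, so SERVER_NAME and ENCRYPTED_CLIENT_HELLO can be looked up from one pass, plus a decision function that applies the described rule and returns an error result instead of raising on truncated input. The ECH codepoint 0xfe0d, the sample ClientHello bytes, the FAKE_ECH payload and all function names are assumptions made for the example.

```python
import struct

# Extension codepoints. 0xfe0d is the draft-ietf-tls-esni ECH value current browsers
# send (assumption: this is what the PR's ENCRYPTED_CLIENT_HELLO constant refers to).
EXT_SERVER_NAME = 0x0000
EXT_ENCRYPTED_CLIENT_HELLO = 0xFE0D


class ClientHelloError(ValueError):
    """Raised for truncated or malformed ClientHello bytes."""


def _need(buf: bytes, off: int, n: int) -> None:
    """Bounds check so a short or corrupt record raises instead of slicing garbage."""
    if off + n > len(buf):
        raise ClientHelloError(f"truncated at offset {off}, need {n} bytes")


def parse_client_hello_extensions(record: bytes) -> dict:
    """Parse one TLS record holding a ClientHello and return {ext_type: ext_data}.
    All extensions are collected in a single pass, so their order does not matter."""
    _need(record, 0, 5)
    ctype, _ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ClientHelloError("not a handshake record")
    _need(record, 5, rec_len)
    hs = record[5:5 + rec_len]
    _need(hs, 0, 4)
    if hs[0] != 0x01:
        raise ClientHelloError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    _need(hs, 4, hs_len)
    body = hs[4:4 + hs_len]
    off = 2 + 32                                            # legacy_version + random
    _need(body, off, 1)
    off += 1 + body[off]                                    # session_id
    _need(body, off, 2)
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]    # cipher_suites
    _need(body, off, 1)
    off += 1 + body[off]                                    # compression_methods
    if off == len(body):
        return {}                                           # no extensions block at all
    _need(body, off, 2)
    end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    _need(body, 0, end)
    exts = {}
    while off < end:
        _need(body, off, 4)
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if off + elen > end:
            raise ClientHelloError("extension overruns extensions block")
        exts[etype] = body[off:off + elen]
        off += elen
    return exts


def sni_hostname(exts: dict):
    """Return the host_name entry of the server_name extension, or None if absent."""
    data = exts.get(EXT_SERVER_NAME)
    if data is None:
        return None
    _need(data, 0, 2)
    end = 2 + struct.unpack("!H", data[:2])[0]
    _need(data, 0, end)
    off = 2
    while off < end:
        _need(data, off, 3)
        name_type, name_len = data[off], struct.unpack("!H", data[off + 1:off + 3])[0]
        off += 3
        _need(data, off, name_len)
        if name_type == 0:                                  # host_name
            return data[off:off + name_len].decode("ascii", "replace")
        off += name_len
    return None


def filter_decision(record: bytes, block_ech: bool = True) -> tuple:
    """Apply the rule from the PR: ('allow', host) when a plaintext SNI is readable,
    ('block', None) when ECH is present with no SNI and the block is enabled, and
    ('error', None) on malformed input so the caller can fail fast rather than time out."""
    try:
        exts = parse_client_hello_extensions(record)
        host = sni_hostname(exts)
    except ClientHelloError:
        return ("error", None)
    if block_ech and EXT_ENCRYPTED_CLIENT_HELLO in exts and host is None:
        return ("block", None)
    return ("allow", host)


# --- constructed sample input (not captured traffic) -----------------------------
def sni_extension(host: str) -> bytes:
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name     # name_type 0 = host_name
    return struct.pack("!H", len(entry)) + entry


# Arbitrary opaque bytes standing in for an ECHClientHello body; not a real ECH encoding.
FAKE_ECH = bytes.fromhex("00000100010000")


def build_client_hello(extensions: list) -> bytes:
    """Minimal TLS 1.3-style ClientHello with (type, data) extensions in the given order."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03" + bytes(32)                          # legacy_version, zero random
            + b"\x00"                                        # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"             # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                    # compression: null
            + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    sni_first = build_client_hello([(EXT_SERVER_NAME, sni_extension("goal.com")),
                                    (EXT_ENCRYPTED_CLIENT_HELLO, FAKE_ECH)])
    ech_first = build_client_hello([(EXT_ENCRYPTED_CLIENT_HELLO, FAKE_ECH),
                                    (EXT_SERVER_NAME, sni_extension("goal.com"))])
    ech_only = build_client_hello([(EXT_ENCRYPTED_CLIENT_HELLO, FAKE_ECH)])
    for name, rec in [("sni_first", sni_first), ("ech_first", ech_first),
                      ("ech_only", ech_only), ("truncated", sni_first[:20])]:
        print(name, filter_decision(rec))
```

Because the extensions are gathered into a dict in one pass, the order in which a browser emits SERVER_NAME and ENCRYPTED_CLIENT_HELLO no longer matters, which is the same outcome the PR achieves with a second read over a duplicate buffer. The `("error", None)` path is the caveat worth keeping: a truncated or oversized record is rejected immediately instead of propagating an exception into the request path.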

@AristaKB AristaKB changed the title NGFE-14480: Backend changes for ECH block NGFW-14480: Backend changes for ECH block Nov 12, 2024