crypto/tls: reject 0xFFFF AEAD ID in pickECHConfig

From the previous call-site:
git show 9eeb627f60:src/crypto/internal/hpke/hpke.go | grep -A 10 "var SupportedAEADs"
git show 9eeb627f60 | grep -n -B 10 -A 5 "SupportedAEADs"

Change-Id: I7afcd01d3cbffa00d5714642cb8c8278f0cff445
Reviewed-on: https://go-review.googlesource.com/c/go/+/769280
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Auto-Submit: Neal Patel <nealpatel@google.com>
Commit-Queue: Neal Patel <nealpatel@google.com>
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>

src/crypto/tls/ech.go

@@ -184,6 +184,11 @@ func pickECHConfig(list []echConfig) (*echConfig, hpke.PublicKey, hpke.KDF, hpke
 			if err != nil {
 				continue
 			}
+			// 0xFFFF is an export-only AEAD that cannot seal/open, making
+			// it an invalid choice for encrypting ClientHelloInner.
+			if cs.AEADID == 0xFFFF {
+				continue
+			}
 			aead, err := hpke.NewAEAD(cs.AEADID)
 			if err != nil {
 				continue

src/crypto/tls/ech_test.go

@@ -5,6 +5,7 @@
 package tls
 
 import (
+	"bytes"
 	"encoding/hex"
 	"strings"
 	"testing"
@@ -48,6 +49,21 @@ func TestSkipBadConfigs(t *testing.T) {
 	}
 }
 
+func TestPickECHConfigWithInvalidAEADID(t *testing.T) {
+	b, err := hex.DecodeString("0045fe0d0041590020002092a01233db2218518ccbbbbc24df20686af417b37388de6460e94011974777090004000100010012636c6f7564666c6172652d6563682e636f6d0000")
+	if err != nil {
+		t.Fatal(err)
+	}
+	buf := bytes.Replace(b, []byte{0x00, 0x01, 0x00, 0x01}, []byte{0x00, 0x01, 0xFF, 0xFF}, 1)
+	configs, err := parseECHConfigList(buf)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if config, _, _, _ := pickECHConfig(configs); config != nil {
+		t.Fatalf("got %v, want nil", config)
+	}
+}
+
 func TestECHPadding(t *testing.T) {
 	const maxNameLength = 64
 	for _, tc := range []struct {