Bug 1681585 - Update ECH to Draft-09. r=mt

This patch updates ECH implementation to draft-09. Changes of note are:

- Acceptance signal derivation is now based on the handshake secret.
- `config_id` hint changes from 32B to 8B, trial decryption added on the server.
- Duplicate code in HRR cookie handling has been consolidated into `tls13_HandleHrrCookie`.
- `ech_is_inner` extension is added, which causes a server to indicate ECH acceptance.
- Per the above, support signaling ECH acceptance when acting as a backend server in split-mode
  (i.e. when there is no other local Encrypted Client Hello state).

Differential Revision: https://phabricator.services.mozilla.com/D101049

1 files changed, 11 insertions, 0 deletions

diff --git a/automation/abi-check/expected-report-libssl3.so.txt b/automation/abi-check/expected-report-libssl3.so.txt
index e69de29bb..15e1f47da 100644
--- a/automation/abi-check/expected-report-libssl3.so.txt
+++ b/automation/abi-check/expected-report-libssl3.so.txt
@@ -0,0 +1,11 @@
+
+1 function with some indirect sub-type change:
+
+  [C] 'function SECStatus SSL_HandshakeNegotiatedExtension(PRFileDesc*, SSLExtensionType, PRBool*)' at sslreveal.c:72:1 has some indirect sub-type changes:
+    parameter 2 of type 'typedef SSLExtensionType' has sub-type changes:
+      underlying type 'enum __anonymous_enum__' at sslt.h:519:1 changed:
+        type size hasn't changed
+        1 enumerator insertion:
+          '__anonymous_enum__::ssl_tls13_ech_is_inner_xtn' value '55817'
+        1 enumerator change:
+          '__anonymous_enum__::ssl_tls13_encrypted_client_hello_xtn' from value '65032' to '65033' at sslt.h:519:1