Bug 1654332 - Update ESNI to draft-08 (ECH). r=mt

This patch adds support for Encrypted Client Hello (draft-ietf-tls-esni-08), replacing the existing ESNI (draft -02) support.

There are five new experimental functions to enable this:

  - SSL_EncodeEchConfig: Generates an encoded (not BASE64) ECHConfig given a set of parameters.
  - SSL_SetClientEchConfigs: Configures the provided ECHConfig to the given socket. When configured, an ephemeral HPKE keypair will be generated for the CH encryption.
  - SSL_SetServerEchConfigs: Configures the provided ECHConfig and keypair to the socket. The keypair specified will be used for HPKE operations in order to decrypt encrypted Client Hellos as they are received.
  - SSL_GetEchRetryConfigs: If ECH is rejected by the server and compatible retry_configs are provided, this API allows the application to extract those retry_configs for use in a new connection.
  - SSL_EnableTls13GreaseEch: When enabled, non-ECH Client Hellos will have a "GREASE ECH" (i.e. fake) extension appended. GREASE ECH is disabled by default, as there are known compatibility issues that will be addressed in a subsequent draft.

The following ESNI experimental functions are deprecated by this update:

  - SSL_EncodeESNIKeys
  - SSL_EnableESNI
  - SSL_SetESNIKeyPair


In order to be used, NSS must be compiled with `NSS_ENABLE_DRAFT_HPKE` defined.

Differential Revision: https://phabricator.services.mozilla.com/D86106

1 files changed, 1 insertions, 0 deletions

diff --git a/cpputil/tls_parser.h b/cpputil/tls_parser.h
index 6636b3c6a..41d760ed0 100644
--- a/cpputil/tls_parser.h
+++ b/cpputil/tls_parser.h
@@ -56,6 +56,7 @@ const uint8_t kTlsAlertUnsupportedExtension = 110;
 const uint8_t kTlsAlertUnrecognizedName = 112;
 const uint8_t kTlsAlertCertificateRequired = 116;
 const uint8_t kTlsAlertNoApplicationProtocol = 120;
+const uint8_t kTlsAlertEchRequired = 121;
 
 const uint8_t kTlsFakeChangeCipherSpec[] = {
     ssl_ct_change_cipher_spec,  // Type