    Bug 1654332 - Update ESNI to draft-08 (ECH). r=mt · 4516d102
    Kevin Jacobs authored
    This patch adds support for Encrypted Client Hello (draft-ietf-tls-esni-08), replacing the existing ESNI (draft-02) support.
    
    There are five new experimental functions to enable this:
    
      - SSL_EncodeEchConfig: Generates an encoded (not BASE64) ECHConfig given a set of parameters.
      - SSL_SetClientEchConfigs: Configures the provided ECHConfig on the given socket. When configured, an ephemeral HPKE keypair will be generated for the CH encryption.
      - SSL_SetServerEchConfigs: Configures the provided ECHConfig and keypair on the socket. The keypair specified will be used for HPKE operations in order to decrypt encrypted Client Hellos as they are received.
      - SSL_GetEchRetryConfigs: If ECH is rejected by the server and compatible retry_configs are provided, this API allows the application to extract those retry_configs for use in a new connection.
      - SSL_EnableTls13GreaseEch: When enabled, non-ECH Client Hellos will have a "GREASE ECH" (i.e. fake) extension appended. GREASE ECH is disabled by default, as there are known compatibility issues that will be addressed in a subsequent draft.
    
    The following ESNI experimental functions are deprecated by this update:
    
      - SSL_EncodeESNIKeys
      - SSL_EnableESNI
      - SSL_SetESNIKeyPair
    
    
    In order to be used, NSS must be compiled with `NSS_ENABLE_DRAFT_HPKE` defined.
    
    Differential Revision: https://phabricator.services.mozilla.com/D86106
    
    --HG--
    rename : gtests/ssl_gtest/tls_esni_unittest.cc => gtests/ssl_gtest/tls_ech_unittest.cc
    rename : lib/ssl/tls13esni.c => lib/ssl/tls13ech.c
    rename : lib/ssl/tls13esni.h => lib/ssl/tls13ech.h
    extra : moz-landing-system : lando
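The commit message says SSL_EncodeEchConfig emits a raw (not BASE64) ECHConfig. The following is an added example, not code from NSS or this patch: a small Python encoder and parser for the draft-08 ECHConfigs wire format, so the byte layout that such an API has to produce and that a client has to consume can be inspected offline. The field order (public_name, public_key, kem_id, cipher_suites, maximum_name_length, extensions inside a version/length header, wrapped in a 2-byte-length ECHConfigs vector) and the HPKE identifiers are taken from draft-ietf-tls-esni-08 as recalled here, so treat them as assumptions; the 32-byte public key is a constructed placeholder, not a real key.

```python
"""Encoder and parser for the draft-ietf-tls-esni-08 ECHConfigs wire format.

Added illustration, not NSS code. Field order and identifiers follow draft-08
as recalled by the author (assumption); the sample key below is constructed.
"""
import struct

ECH_VERSION_DRAFT08 = 0xFE08           # ECHConfig.version for draft-08
KEM_DHKEM_X25519_HKDF_SHA256 = 0x0020  # HPKE KEM identifier
KDF_HKDF_SHA256 = 0x0001               # HPKE KDF identifier
AEAD_AES_128_GCM = 0x0001              # HPKE AEAD identifier

# Constructed sample input (not a real key): 32 bytes standing in for an X25519 public key.
SAMPLE_PUBLIC_KEY = bytes(range(32))


def _vec16(data: bytes) -> bytes:
    """Serialize an opaque<0..2^16-1> vector (2-byte big-endian length prefix)."""
    if len(data) > 0xFFFF:
        raise ValueError("vector exceeds 2^16-1 bytes")
    return struct.pack("!H", len(data)) + data


def encode_ech_config(public_name: bytes, public_key: bytes, kem_id: int,
                      cipher_suites, maximum_name_length: int,
                      extensions: bytes = b"") -> bytes:
    """Return one encoded ECHConfig: version, contents length, ECHConfigContents."""
    if not public_name:
        raise ValueError("public_name must be non-empty")
    if not public_key:
        raise ValueError("public_key must be non-empty")
    if not cipher_suites:
        raise ValueError("at least one HPKE cipher suite is required")
    suites = b"".join(struct.pack("!HH", kdf, aead) for kdf, aead in cipher_suites)
    contents = (_vec16(public_name)
                + _vec16(public_key)
                + struct.pack("!H", kem_id)
                + _vec16(suites)
                + struct.pack("!H", maximum_name_length)
                + _vec16(extensions))
    return struct.pack("!HH", ECH_VERSION_DRAFT08, len(contents)) + contents


def encode_ech_configs(configs) -> bytes:
    """Wrap one or more encoded ECHConfig values in the outer ECHConfigs vector."""
    body = b"".join(configs)
    if not body:
        raise ValueError("ECHConfigs must hold at least one ECHConfig")
    return _vec16(body)


class _Reader:
    """Bounds-checked cursor over a byte string; every read is length-checked."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if n < 0 or self.pos + n > len(self.buf):
            raise ValueError("truncated ECHConfig data")
        out = self.buf[self.pos:self.pos + n]
        self.pos += n
        return out

    def u16(self) -> int:
        return struct.unpack("!H", self.take(2))[0]

    def vec16(self) -> bytes:
        return self.take(self.u16())

    def done(self) -> bool:
        return self.pos == len(self.buf)


def parse_ech_configs(data: bytes):
    """Parse ECHConfigs into dicts; configs with an unknown version are skipped by length."""
    outer = _Reader(data)
    body = _Reader(outer.vec16())
    if not outer.done():
        raise ValueError("trailing bytes after ECHConfigs")
    configs = []
    while not body.done():
        version = body.u16()
        contents = _Reader(body.vec16())   # length prefix lets us step over unknown versions
        if version != ECH_VERSION_DRAFT08:
            continue
        cfg = {"version": version,
               "public_name": contents.vec16(),
               "public_key": contents.vec16(),
               "kem_id": contents.u16()}
        suites = _Reader(contents.vec16())
        cfg["cipher_suites"] = []
        while not suites.done():
            cfg["cipher_suites"].append((suites.u16(), suites.u16()))
        if not cfg["cipher_suites"]:
            raise ValueError("ECHConfig carries no cipher suites")
        cfg["maximum_name_length"] = contents.u16()
        cfg["extensions"] = contents.vec16()
        if not contents.done():
            raise ValueError("trailing bytes inside ECHConfigContents")
        configs.append(cfg)
    return configs


def sample_ech_configs() -> bytes:
    """Constructed ECHConfigs with one draft-08 config for a hypothetical public name."""
    cfg = encode_ech_config(b"public.example", SAMPLE_PUBLIC_KEY,
                            KEM_DHKEM_X25519_HKDF_SHA256,
                            [(KDF_HKDF_SHA256, AEAD_AES_128_GCM)], 64)
    return encode_ech_configs([cfg])


def is_rejected(data: bytes) -> bool:
    """True if the parser refuses the input (used to check truncation handling)."""
    try:
        parse_ech_configs(data)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    blob = sample_ech_configs()
    print(blob.hex())
    print(parse_ech_configs(blob))
```

The parser reads every vector through a length-checked cursor and steps over configs whose version it does not recognise, which is the behaviour a client needs when a server's retry_configs mix versions. Do not base64-decode the output of such an encoder twice: the commit message stresses that SSL_EncodeEchConfig already yields raw bytes.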