1 files changed, 70 insertions, 2 deletions

diff --git a/security/nss/lib/ssl/sslt.h b/security/nss/lib/ssl/sslt.h
index bd32a6e18..47efa2e4d 100644
--- a/security/nss/lib/ssl/sslt.h
+++ b/security/nss/lib/ssl/sslt.h
@@ -9,9 +9,10 @@
 #ifndef __sslt_h_
 #define __sslt_h_
 
+#include "certt.h"
+#include "keyhi.h"
 #include "prtypes.h"
 #include "secitem.h"
-#include "certt.h"
 
 typedef enum {
     ssl_hs_hello_request = 0,
@@ -43,6 +44,11 @@ typedef enum {
     ssl_ct_ack = 25
 } SSLContentType;
 
+typedef enum {
+    ssl_secret_read = 1,
+    ssl_secret_write = 2,
+} SSLSecretDirection;
+
 typedef struct SSL3StatisticsStr {
     /* statistics from ssl3_SendClientHello (sch) */
     long sch_sid_cache_hits;
@@ -262,6 +268,26 @@ typedef struct SSLExtraServerCertDataStr {
     /* A serialized sign_certificate_timestamp extension, used to answer
      * requests from clients for this data. */
     const SECItem* signedCertTimestamps;
+
+    /* Delegated credentials.
+     *
+     * A serialized delegated credential (DC) to use for authentication to peers
+     * who indicate support for this extension (ietf-drafts-tls-subcerts). DCs
+     * are used opportunistically if (1) the client indicates support, (2) TLS
+     * 1.3 or higher is negotiated, and (3) the selected certificate is
+     * configured with a DC.
+     *
+     * Note that it's the caller's responsibility to ensure that the DC is
+     * well-formed.
+     */
+    const SECItem* delegCred;
+
+    /* The secret key corresponding to the |delegCred|.
+     *
+     * Note that it's the caller's responsibility to ensure that this matches
+     * the DC public key.
+     */
+    const SECKEYPrivateKey* delegCredPrivKey;
 } SSLExtraServerCertData;
 
 typedef struct SSLChannelInfoStr {
@@ -273,7 +299,13 @@ typedef struct SSLChannelInfoStr {
     PRUint16 protocolVersion;
     PRUint16 cipherSuite;
 
-    /* server authentication info */
+    /* The strength of the key used to authenticate the peer.  Before
+     * interpreting this value, check authType, signatureScheme, and
+     * peerDelegCred, to determine the type of the key and how it was used.
+     *
+     * Typically, this is the length of the key from the peer's end-entity
+     * certificate.  If delegated credentials are used (i.e., peerDelegCred is
+     * PR_TRUE), then this is the strength of the delegated credential key. */
     PRUint32 authKeyBits;
 
     /* key exchange algorithm info */
@@ -321,6 +353,11 @@ typedef struct SSLChannelInfoStr {
      * otherwise. */
     PRBool resumed;
 
+    /* Indicates whether the peer used a delegated credential (DC) for
+     * authentication.
+     */
+    PRBool peerDelegCred;
+
     /* When adding new fields to this structure, please document the
      * NSS version in which they were added. */
 } SSLChannelInfo;
@@ -328,6 +365,12 @@ typedef struct SSLChannelInfoStr {
 /* Preliminary channel info */
 #define ssl_preinfo_version (1U << 0)
 #define ssl_preinfo_cipher_suite (1U << 1)
+#define ssl_preinfo_0rtt_cipher_suite (1U << 2)
+/* ssl_preinfo_peer_auth covers peerDelegCred, authKeyBits, and scheme. Not
+ * included in ssl_preinfo_all as it is client-only. */
+#define ssl_preinfo_peer_auth (1U << 3)
+/* ssl_preinfo_all doesn't contain ssl_preinfo_0rtt_cipher_suite because that
+ * field is only set if 0-RTT is sent (client) or accepted (server). */
 #define ssl_preinfo_all (ssl_preinfo_version | ssl_preinfo_cipher_suite)
 
 typedef struct SSLPreliminaryChannelInfoStr {
@@ -359,6 +402,23 @@ typedef struct SSLPreliminaryChannelInfoStr {
      * resume this session. */
     PRUint32 maxEarlyDataSize;
 
+    /* The following fields were added in NSS 3.43. */
+    /* This reports the cipher suite used for 0-RTT if it sent or accepted.  For
+     * a client, this is set earlier than |cipherSuite|, and will match that
+     * value if 0-RTT is accepted by the server.  The server only sets this
+     * after accepting 0-RTT, so this will contain the same value. */
+    PRUint16 zeroRttCipherSuite;
+
+    /* The following fields were added in NSS 3.48. */
+    /* These fields contain information about the key that will be used in
+     * the CertificateVerify message. If Delegated Credentials are being used,
+     * this is the DC-contained SPKI, else the EE-cert SPKI. These fields are
+     * valid only after the Certificate message is handled. This can be determined
+     * by checking the valuesSet field against |ssl_preinfo_peer_auth|. */
+    PRBool peerDelegCred;
+    PRUint32 authKeyBits;
+    SSLSignatureScheme signatureScheme;
+
     /* When adding new fields to this structure, please document the
      * NSS version in which they were added. */
 } SSLPreliminaryChannelInfo;
@@ -407,6 +467,12 @@ typedef struct SSLCipherSuiteInfoStr {
      * this instead of |authAlgorithm|. */
     SSLAuthType authType;
 
+    /* The following fields were added in NSS 3.43. */
+    /* This reports the hash function used in the TLS KDF, or HKDF for TLS 1.3.
+     * For suites defined for versions of TLS earlier than TLS 1.2, this reports
+     * ssl_hash_none. */
+    SSLHashType kdfHash;
+
     /* When adding new fields to this structure, please document the
      * NSS version in which they were added. */
 } SSLCipherSuiteInfo;
@@ -450,10 +516,12 @@ typedef enum {
     ssl_tls13_psk_key_exchange_modes_xtn = 45,
     ssl_tls13_ticket_early_data_info_xtn = 46, /* Deprecated. */
     ssl_tls13_certificate_authorities_xtn = 47,
+    ssl_tls13_post_handshake_auth_xtn = 49,
     ssl_signature_algorithms_cert_xtn = 50,
     ssl_tls13_key_share_xtn = 51,
     ssl_next_proto_nego_xtn = 13172, /* Deprecated. */
     ssl_renegotiation_info_xtn = 0xff01,
+    ssl_delegated_credentials_xtn = 0xff02,
     ssl_tls13_short_header_xtn = 0xff03, /* Deprecated. */
     ssl_tls13_encrypted_sni_xtn = 0xffce,
 } SSLExtensionType;