Bug 1767974 - Add preferences for ECH GREASE Mode. r=keeler,dragana
Differential Revision: https://phabricator.services.mozilla.com/D145608
Родитель
626ab8dc0c
Коммит
8948a1a9a2
@ -12193,6 +12193,7 @@
|
|||
#endif
|
||||
mirror: always
|
||||
|
||||
|
||||
# Whether or not OCSP is required.
|
||||
# true => hard-fail (if an OCSP request times out, stop the connection)
|
||||
# false => soft-fail (if an OCSP request times out, continue the connection)
|
||||
|
@ -12340,6 +12341,19 @@
|
|||
value: false
|
||||
mirror: always
|
||||
|
||||
# Probability of GREASEing a TLS connection with ECH (0-100)
|
||||
# 0 means never GREASE, 100 means always GREASE
|
||||
- name: security.tls.ech.grease_probability
|
||||
type: RelaxedAtomicUint32
|
||||
value: 0
|
||||
mirror: always
|
||||
|
||||
# ECH GREASE Padding target (1-255)
|
||||
- name: security.tls.ech.grease_size
|
||||
type: RelaxedAtomicUint32
|
||||
value: 100
|
||||
mirror: always
|
||||
|
||||
- name: security.tls.hello_downgrade_check
|
||||
type: RelaxedAtomicBool
|
||||
value: true
|
||||
|
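Review bot: The ranges given in `# Probability of GREASEing a TLS connection with ECH (0-100)` and `# ECH GREASE Padding target (1-255)` are documentation only; RelaxedAtomicUint32 accepts any 32-bit value, and in the consumer hunk further down only grease_size is passed through std::clamp, while grease_probability is used unclamped in an unsigned subtraction. Because these prefs steer a privacy-relevant TLS behaviour, the comments should say what happens outside the documented range. Suggested wording: `# Probability of GREASEing a TLS connection with ECH (0-100). Values outside this range are not clamped here; see nsSSLIOLayerSetOptions.` and `# ECH GREASE Padding target (1-255); the consumer clamps out-of-range values.`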
@ -23,6 +23,8 @@
|
|||
#include "mozilla/DebugOnly.h"
|
||||
#include "mozilla/Logging.h"
|
||||
#include "mozilla/Preferences.h"
|
||||
#include "mozilla/RandomNum.h"
|
||||
#include "mozilla/StaticPrefs_security.h"
|
||||
#include "mozilla/Telemetry.h"
|
||||
#include "mozilla/ipc/BackgroundChild.h"
|
||||
#include "mozilla/ipc/PBackgroundChild.h"
|
||||
|
@ -41,6 +43,7 @@
|
|||
#include "nsContentUtils.h"
|
||||
#include "nsIClientAuthDialogs.h"
|
||||
#include "nsISocketProvider.h"
|
||||
#include "nsISocketTransport.h"
|
||||
#include "nsIWebProgressListener.h"
|
||||
#include "nsNSSCertHelper.h"
|
||||
#include "nsNSSComponent.h"
|
||||
|
@ -2687,6 +2690,28 @@ static nsresult nsSSLIOLayerSetOptions(PRFileDesc* fd, bool forSTARTTLS,
|
|||
}
|
||||
}
|
||||
|
||||
// Enable ECH GREASE if suitable. Has no impact if 'real' ECH is being used.
|
||||
if (range.max >= SSL_LIBRARY_VERSION_TLS_1_3 &&
|
||||
!(infoObject->GetProviderFlags() & (nsISocketProvider::BE_CONSERVATIVE |
|
||||
nsISocketTransport::DONT_TRY_ECH)) &&
|
||||
StaticPrefs::security_tls_ech_grease_probability()) {
|
||||
if ((RandomUint64().valueOr(0) % 100) >=
|
||||
100 - StaticPrefs::security_tls_ech_grease_probability()) {
|
||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
|
||||
("[%p] nsSSLIOLayerSetOptions: enabling TLS ECH Grease\n", fd));
|
||||
if (SECSuccess != SSL_EnableTls13GreaseEch(fd, PR_TRUE)) {
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
// ECH Padding can be between 1 and 255
|
||||
if (SECSuccess !=
|
||||
SSL_SetTls13GreaseEchSize(
|
||||
fd, std::clamp(StaticPrefs::security_tls_ech_grease_size(), 1U,
|
||||
255U))) {
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Include a modest set of named groups.
|
||||
// Please change getKeaGroupName in nsNSSCallbacks.cpp when changing the list
|
||||
// here.
|
||||
|
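Review bot: A grease_probability value above 100 silently disables GREASE instead of forcing it: in `100 - StaticPrefs::security_tls_ech_grease_probability()` the getter returns an unsigned value, so the subtraction wraps to a large uint32 and the `>=` test against a value in 0..99 never passes. The size pref is clamped with std::clamp a few lines further down; the probability should get the same treatment, and reading the atomic pref once into a local also removes the second read between the outer condition and the comparison. The `RandomUint64().valueOr(0)` fallback means an RNG failure enables GREASE only when the probability is exactly 100, which is a sensible fail-closed default but deserves a comment so nobody "fixes" it later. nsSSLIOLayerSetOptions begins and ends outside this hunk.
```cpp
  // Enable ECH GREASE if suitable. Has no impact if 'real' ECH is being used.
  // The pref is documented as 0-100; clamp so that larger values mean
  // "always" instead of wrapping in the unsigned subtraction below.
  const uint32_t greaseProbability =
      std::min(StaticPrefs::security_tls_ech_grease_probability(), 100U);
  if (range.max >= SSL_LIBRARY_VERSION_TLS_1_3 &&
      !(infoObject->GetProviderFlags() & (nsISocketProvider::BE_CONSERVATIVE |
                                          nsISocketTransport::DONT_TRY_ECH)) &&
      greaseProbability) {
    // If the RNG fails, valueOr(0) only enables GREASE when the probability
    // is exactly 100, i.e. GREASE is dropped rather than forced.
    if ((RandomUint64().valueOr(0) % 100) >= 100 - greaseProbability) {
      // … unchanged: SSL_EnableTls13GreaseEch / SSL_SetTls13GreaseEchSize …
```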