diff --git a/dom/media/webrtc/transport/test/webrtcproxychannel_unittest.cpp b/dom/media/webrtc/transport/test/webrtcproxychannel_unittest.cpp index 02fe7c74d23e..77233926d01f 100644 --- a/dom/media/webrtc/transport/test/webrtcproxychannel_unittest.cpp +++ b/dom/media/webrtc/transport/test/webrtcproxychannel_unittest.cpp @@ -178,7 +178,11 @@ class FakeSocketTransportProvider : public nsISocketTransport { MOZ_ASSERT(false); return NS_OK; } - NS_IMETHOD GetEsniUsed(bool* aEsniUsed) override { + NS_IMETHOD GetEchConfigUsed(bool* aEchConfigUsed) override { + MOZ_ASSERT(false); + return NS_OK; + } + NS_IMETHOD SetEchConfig(const nsACString& aEchConfig) override { MOZ_ASSERT(false); return NS_OK; } diff --git a/netwerk/base/FuzzySecurityInfo.cpp b/netwerk/base/FuzzySecurityInfo.cpp index a9de48d52358..48a576a6883b 100644 --- a/netwerk/base/FuzzySecurityInfo.cpp +++ b/netwerk/base/FuzzySecurityInfo.cpp @@ -311,10 +311,10 @@ FuzzySecurityInfo::SetNPNList(nsTArray& protocolArray) { } NS_IMETHODIMP -FuzzySecurityInfo::GetEsniTxt(nsACString& aEsniTxt) { return NS_OK; } +FuzzySecurityInfo::GetEchConfig(nsACString& aEchConfig) { return NS_OK; } NS_IMETHODIMP -FuzzySecurityInfo::SetEsniTxt(const nsACString& aEsniTxt) { +FuzzySecurityInfo::SetEchConfig(const nsACString& aEchConfig) { MOZ_CRASH("Unused"); return NS_OK; } diff --git a/netwerk/base/nsISocketTransport.idl b/netwerk/base/nsISocketTransport.idl index c06aaafac21e..e7252009af67 100644 --- a/netwerk/base/nsISocketTransport.idl +++ b/netwerk/base/nsISocketTransport.idl @@ -255,9 +255,9 @@ interface nsISocketTransport : nsITransport /** * If we know that a server speaks only tls <1.3 there is no need to try - * to use esni and query dns for esni keys. + * to use ech and query dns for echconfig. */ - const unsigned long DONT_TRY_ESNI = (1 << 10); + const unsigned long DONT_TRY_ECH = (1 << 10); /** * These two bits encode the TRR mode of the request. @@ -326,10 +326,12 @@ interface nsISocketTransport : nsITransport readonly attribute boolean resetIPFamilyPreference; /** - * This attribute holds information whether esni has been used. + * This attribute holds information whether echconfig has been used. * The value is set after PR_Connect is called. */ - readonly attribute boolean esniUsed; + readonly attribute boolean echConfigUsed; + + void setEchConfig(in ACString echConfig); /** * IP address resolved using TRR. diff --git a/netwerk/base/nsSocketTransport2.cpp b/netwerk/base/nsSocketTransport2.cpp index edc9e8547d8f..562172e76b03 100644 --- a/netwerk/base/nsSocketTransport2.cpp +++ b/netwerk/base/nsSocketTransport2.cpp @@ -710,10 +710,7 @@ nsSocketTransport::nsSocketTransport() mInputClosed(true), mOutputClosed(true), mResolving(false), - mDNSLookupStatus(NS_OK), - mDNSARequestFinished(0), - mEsniQueried(false), - mEsniUsed(false), + mEchConfigUsed(false), mResolvedByTRR(false), mNetAddrIsSet(false), mSelfAddrIsSet(false), @@ -1072,36 +1069,6 @@ nsresult nsSocketTransport::ResolveHost() { dns->AsyncResolveNative(SocketHost(), nsIDNSService::RESOLVE_TYPE_DEFAULT, dnsFlags, nullptr, this, mSocketTransportService, mOriginAttributes, getter_AddRefs(mDNSRequest)); - mEsniQueried = false; - if (mSocketTransportService->IsEsniEnabled() && NS_SUCCEEDED(rv) && - !(mConnectionFlags & (DONT_TRY_ESNI | BE_CONSERVATIVE))) { - bool isSSL = false; - for (unsigned int i = 0; i < mTypes.Length(); ++i) { - if (mTypes[i].EqualsLiteral("ssl")) { - isSSL = true; - break; - } - } - if (isSSL) { - SOCKET_LOG((" look for esni txt record")); - nsAutoCString esniHost; - esniHost.Append("_esni."); - // This might end up being the SocketHost - // see https://github.com/ekr/draft-rescorla-tls-esni/issues/61 - esniHost.Append(SocketHost()); - rv = dns->AsyncResolveNative(esniHost, nsIDNSService::RESOLVE_TYPE_TXT, - dnsFlags, nullptr, this, - mSocketTransportService, mOriginAttributes, - getter_AddRefs(mDNSTxtRequest)); - if (NS_FAILED(rv)) { - SOCKET_LOG((" dns request by type failed.")); - mDNSTxtRequest = nullptr; - rv = NS_OK; - } else { - mEsniQueried = true; - } - } - } if (NS_SUCCEEDED(rv)) { SOCKET_LOG((" advancing to STATE_RESOLVING\n")); @@ -1558,15 +1525,16 @@ nsresult nsSocketTransport::InitiateSocket() { } #endif - if (!mDNSRecordTxt.IsEmpty() && !mUsingQuic && mSecInfo) { + if (!mEchConfig.IsEmpty() && + !(mConnectionFlags & (DONT_TRY_ECH | BE_CONSERVATIVE)) && mSecInfo) { nsCOMPtr secCtrl = do_QueryInterface(mSecInfo); if (secCtrl) { - SOCKET_LOG(("nsSocketTransport::InitiateSocket set esni keys.")); - rv = secCtrl->SetEsniTxt(mDNSRecordTxt); + SOCKET_LOG(("nsSocketTransport::InitiateSocket set echconfig.")); + rv = secCtrl->SetEchConfig(mEchConfig); if (NS_FAILED(rv)) { return rv; } - mEsniUsed = true; + mEchConfigUsed = true; } } @@ -2181,14 +2149,12 @@ void nsSocketTransport::OnSocketEvent(uint32_t type, nsresult status, break; case MSG_DNS_LOOKUP_COMPLETE: - if (mDNSRequest || - mDNSTxtRequest) { // only send this if we actually resolved anything + if (mDNSRequest) { // only send this if we actually resolved anything SendStatus(NS_NET_STATUS_RESOLVED_HOST); } SOCKET_LOG((" MSG_DNS_LOOKUP_COMPLETE\n")); mDNSRequest = nullptr; - mDNSTxtRequest = nullptr; if (mDNSRecord) { mDNSRecord->GetNextAddr(SocketPort(), &mNetAddr); mDNSRecord->IsTRR(&mResolvedByTRR); @@ -2461,11 +2427,6 @@ void nsSocketTransport::OnSocketDetached(PRFileDesc* fd) { mDNSRequest = nullptr; } - if (mDNSTxtRequest) { - mDNSTxtRequest->Cancel(NS_ERROR_ABORT); - mDNSTxtRequest = nullptr; - } - // // notify input/output streams // @@ -2990,65 +2951,21 @@ nsSocketTransport::OnLookupComplete(nsICancelable* request, nsIDNSRecord* rec, ".", this, static_cast(status))); - if (request == mDNSTxtRequest) { - if (NS_SUCCEEDED(status)) { - nsCOMPtr txtResponse = do_QueryInterface(rec); - txtResponse->GetRecordsAsOneString(mDNSRecordTxt); - mDNSRecordTxt.Trim(" "); - } - Telemetry::Accumulate(Telemetry::ESNI_KEYS_RECORDS_FOUND, - NS_SUCCEEDED(status)); - // flag host lookup complete for the benefit of the ResolveHost method. - if (!mDNSRequest) { - mResolving = false; - MOZ_ASSERT(mDNSARequestFinished); - Telemetry::Accumulate( - Telemetry::ESNI_KEYS_RECORD_FETCH_DELAYS, - PR_IntervalToMilliseconds(PR_IntervalNow() - mDNSARequestFinished)); - - nsresult rv = - PostEvent(MSG_DNS_LOOKUP_COMPLETE, mDNSLookupStatus, nullptr); - - // if posting a message fails, then we should assume that the socket - // transport has been shutdown. this should never happen! if it does - // it means that the socket transport service was shutdown before the - // DNS service. - if (NS_FAILED(rv)) { - NS_WARNING("unable to post DNS lookup complete message"); - } - } else { - mDNSTxtRequest = nullptr; - } - return NS_OK; - } - - if (NS_FAILED(status) && mDNSTxtRequest) { - mDNSTxtRequest->Cancel(NS_ERROR_ABORT); - } else if (NS_SUCCEEDED(status)) { + if (NS_SUCCEEDED(status)) { mDNSRecord = do_QueryInterface(rec); MOZ_ASSERT(mDNSRecord); } // flag host lookup complete for the benefit of the ResolveHost method. - if (!mDNSTxtRequest) { - if (mEsniQueried) { - Telemetry::Accumulate(Telemetry::ESNI_KEYS_RECORD_FETCH_DELAYS, 0); - } - mResolving = false; - nsresult rv = PostEvent(MSG_DNS_LOOKUP_COMPLETE, status, nullptr); + mResolving = false; + nsresult rv = PostEvent(MSG_DNS_LOOKUP_COMPLETE, status, nullptr); - // if posting a message fails, then we should assume that the socket - // transport has been shutdown. this should never happen! if it does - // it means that the socket transport service was shutdown before the - // DNS service. - if (NS_FAILED(rv)) { - NS_WARNING("unable to post DNS lookup complete message"); - } - } else { - mDNSLookupStatus = - status; // remember the status to send it when esni lookup is ready. - mDNSRequest = nullptr; - mDNSARequestFinished = PR_IntervalNow(); + // if posting a message fails, then we should assume that the socket + // transport has been shutdown. this should never happen! if it does + // it means that the socket transport service was shutdown before the + // DNS service. + if (NS_FAILED(rv)) { + NS_WARNING("unable to post DNS lookup complete message"); } return NS_OK; @@ -3623,8 +3540,14 @@ nsSocketTransport::GetResetIPFamilyPreference(bool* aReset) { } NS_IMETHODIMP -nsSocketTransport::GetEsniUsed(bool* aEsniUsed) { - *aEsniUsed = mEsniUsed; +nsSocketTransport::GetEchConfigUsed(bool* aEchConfigUsed) { + *aEchConfigUsed = mEchConfigUsed; + return NS_OK; +} + +NS_IMETHODIMP +nsSocketTransport::SetEchConfig(const nsACString& aEchConfig) { + mEchConfig = aEchConfig; return NS_OK; } diff --git a/netwerk/base/nsSocketTransport2.h b/netwerk/base/nsSocketTransport2.h index d28cac3be9af..b11b1c04b7af 100644 --- a/netwerk/base/nsSocketTransport2.h +++ b/netwerk/base/nsSocketTransport2.h @@ -327,12 +327,8 @@ class nsSocketTransport final : public nsASocketHandler, nsCOMPtr mDNSRequest; nsCOMPtr mDNSRecord; - nsresult mDNSLookupStatus; - PRIntervalTime mDNSARequestFinished; - nsCOMPtr mDNSTxtRequest; - nsCString mDNSRecordTxt; - bool mEsniQueried; - bool mEsniUsed; + nsCString mEchConfig; + bool mEchConfigUsed; bool mResolvedByTRR; // mNetAddr/mSelfAddr is valid from GetPeerAddr()/GetSelfAddr() once we have diff --git a/netwerk/dns/HTTPSSVC.cpp b/netwerk/dns/HTTPSSVC.cpp index 98ee766d911a..e29787878279 100644 --- a/netwerk/dns/HTTPSSVC.cpp +++ b/netwerk/dns/HTTPSSVC.cpp @@ -214,6 +214,11 @@ Maybe SVCBRecord::GetPort() { return mPort; } Maybe SVCBRecord::GetAlpn() { return mAlpn; } +NS_IMETHODIMP SVCBRecord::GetEchConfig(nsACString& aEchConfig) { + aEchConfig = mData.mEchConfig; + return NS_OK; +} + NS_IMETHODIMP SVCBRecord::GetValues(nsTArray>& aValues) { for (const auto& v : mData.mSvcFieldValue) { RefPtr param = new SvcParam(v.mValue); diff --git a/netwerk/dns/HTTPSSVC.h b/netwerk/dns/HTTPSSVC.h index 7b38df6f65a1..29bd64a950fe 100644 --- a/netwerk/dns/HTTPSSVC.h +++ b/netwerk/dns/HTTPSSVC.h @@ -89,6 +89,7 @@ struct SVCB { void GetIPHints(CopyableTArray& aAddresses) const; uint16_t mSvcFieldPriority = 0; nsCString mSvcDomainName; + nsCString mEchConfig; bool mHasIPHints = false; bool mHasEchConfig = false; CopyableTArray mSvcFieldValue; diff --git a/netwerk/dns/TRR.cpp b/netwerk/dns/TRR.cpp index c253887a473d..ed71ec3b6152 100644 --- a/netwerk/dns/TRR.cpp +++ b/netwerk/dns/TRR.cpp @@ -1097,6 +1097,7 @@ nsresult TRR::DohDecode(nsCString& aHost) { } if (value.mValue.is()) { parsed.mHasEchConfig = true; + parsed.mEchConfig = value.mValue.as().mValue; } parsed.mSvcFieldValue.AppendElement(value); } diff --git a/netwerk/dns/nsIDNSByTypeRecord.idl b/netwerk/dns/nsIDNSByTypeRecord.idl index 33b14a48b31a..fa8a91c8a40e 100644 --- a/netwerk/dns/nsIDNSByTypeRecord.idl +++ b/netwerk/dns/nsIDNSByTypeRecord.idl @@ -92,6 +92,7 @@ interface nsISVCBRecord : nsISupports { readonly attribute ACString name; [noscript, nostdcall, notxpcom] readonly attribute MaybePort port; [noscript, nostdcall, notxpcom] readonly attribute MaybeAlpn alpn; + readonly attribute ACString echConfig; readonly attribute bool hasIPHintAddress; readonly attribute Array values; }; diff --git a/netwerk/ipc/NeckoChannelParams.ipdlh b/netwerk/ipc/NeckoChannelParams.ipdlh index 40139e6829b2..a91f2f6c63f7 100644 --- a/netwerk/ipc/NeckoChannelParams.ipdlh +++ b/netwerk/ipc/NeckoChannelParams.ipdlh @@ -367,6 +367,7 @@ struct HttpConnectionInfoCloneArgs nsCString topWindowOrigin; bool isHttp3; bool hasIPHintAddress; + nsCString echConfig; ProxyInfoCloneArgs[] proxyInfo; }; diff --git a/netwerk/protocol/http/TunnelUtils.cpp b/netwerk/protocol/http/TunnelUtils.cpp index 6e3062ff8b1c..b4b2916fc7d6 100644 --- a/netwerk/protocol/http/TunnelUtils.cpp +++ b/netwerk/protocol/http/TunnelUtils.cpp @@ -2060,9 +2060,17 @@ SocketTransportShim::GetFirstRetryError(nsresult* aFirstRetryError) { } NS_IMETHODIMP -SocketTransportShim::GetEsniUsed(bool* aEsniUsed) { +SocketTransportShim::GetEchConfigUsed(bool* aEchConfigUsed) { if (mIsWebsocket) { - LOG3(("WARNING: SocketTransportShim::GetEsniUsed %p", this)); + LOG3(("WARNING: SocketTransportShim::GetEchConfigUsed %p", this)); + } + return NS_ERROR_NOT_IMPLEMENTED; +} + +NS_IMETHODIMP +SocketTransportShim::SetEchConfig(const nsACString& aEchConfig) { + if (mIsWebsocket) { + LOG3(("WARNING: SocketTransportShim::SetEchConfig %p", this)); } return NS_ERROR_NOT_IMPLEMENTED; } diff --git a/netwerk/protocol/http/nsHttpConnection.cpp b/netwerk/protocol/http/nsHttpConnection.cpp index aa6d454065c9..7b7e64717ff4 100644 --- a/netwerk/protocol/http/nsHttpConnection.cpp +++ b/netwerk/protocol/http/nsHttpConnection.cpp @@ -443,8 +443,6 @@ bool nsHttpConnection::EnsureNPNComplete(nsresult& aOut0RTTWriteHandshakeValue, nsCOMPtr info; nsCOMPtr ssl; nsAutoCString negotiatedNPN; - // This is neede for telemetry - bool handshakeSucceeded = false; GetSecurityInfo(getter_AddRefs(securityInfo)); if (!securityInfo) { @@ -561,8 +559,6 @@ bool nsHttpConnection::EnsureNPNComplete(nsresult& aOut0RTTWriteHandshakeValue, this, mConnInfo->HashKey().get(), negotiatedNPN.get(), mTLSFilter ? " [Double Tunnel]" : "")); - handshakeSucceeded = true; - int16_t tlsVersion; ssl->GetSSLVersionUsed(&tlsVersion); mConnInfo->SetLessThanTls13( @@ -701,19 +697,6 @@ npnComplete: mDid0RTTSpdy = false; } - if (ssl) { - // Telemetry for tls failure rate with and without esni; - bool esni = false; - rv = mSocketTransport->GetEsniUsed(&esni); - if (NS_SUCCEEDED(rv)) { - Telemetry::Accumulate( - Telemetry::ESNI_NOESNI_TLS_SUCCESS_RATE, - (esni) - ? ((handshakeSucceeded) ? ESNI_SUCCESSFUL : ESNI_FAILED) - : ((handshakeSucceeded) ? NO_ESNI_SUCCESSFUL : NO_ESNI_FAILED)); - } - } - if (rv == psm::GetXPCOMFromNSSError( mozilla::pkix::MOZILLA_PKIX_ERROR_MITM_DETECTED)) { gSocketTransportService->SetNotTrustedMitmDetected(); diff --git a/netwerk/protocol/http/nsHttpConnectionInfo.cpp b/netwerk/protocol/http/nsHttpConnectionInfo.cpp index 7cb589c4e606..5bf4369c4b7d 100644 --- a/netwerk/protocol/http/nsHttpConnectionInfo.cpp +++ b/netwerk/protocol/http/nsHttpConnectionInfo.cpp @@ -339,6 +339,7 @@ already_AddRefed nsHttpConnectionInfo::Clone() const { clone->SetIPv4Disabled(GetIPv4Disabled()); clone->SetIPv6Disabled(GetIPv6Disabled()); clone->SetHasIPHintAddress(HasIPHintAddress()); + clone->SetEchConfig(GetEchConfig()); MOZ_ASSERT(clone->Equals(this)); return clone.forget(); @@ -393,6 +394,10 @@ nsHttpConnectionInfo::CloneAndAdoptHTTPSSVCRecord( clone->SetHasIPHintAddress(hasIPHint); } + nsAutoCString echConfig; + Unused << aRecord->GetEchConfig(echConfig); + clone->SetEchConfig(echConfig); + return clone.forget(); } @@ -421,6 +426,7 @@ void nsHttpConnectionInfo::SerializeHttpConnectionInfo( aArgs.topWindowOrigin() = aInfo->GetTopWindowOrigin(); aArgs.isHttp3() = aInfo->IsHttp3(); aArgs.hasIPHintAddress() = aInfo->HasIPHintAddress(); + aArgs.echConfig() = aInfo->GetEchConfig(); if (!aInfo->ProxyInfo()) { return; @@ -465,6 +471,7 @@ nsHttpConnectionInfo::DeserializeHttpConnectionInfoCloneArgs( cinfo->SetIPv4Disabled(aInfoArgs.isIPv4Disabled()); cinfo->SetIPv6Disabled(aInfoArgs.isIPv6Disabled()); cinfo->SetHasIPHintAddress(aInfoArgs.hasIPHintAddress()); + cinfo->SetEchConfig(aInfoArgs.echConfig()); return cinfo.forget(); } @@ -491,6 +498,7 @@ void nsHttpConnectionInfo::CloneAsDirectRoute(nsHttpConnectionInfo** outCI) { clone->SetIPv4Disabled(GetIPv4Disabled()); clone->SetIPv6Disabled(GetIPv6Disabled()); clone->SetHasIPHintAddress(HasIPHintAddress()); + clone->SetEchConfig(GetEchConfig()); clone.forget(outCI); } diff --git a/netwerk/protocol/http/nsHttpConnectionInfo.h b/netwerk/protocol/http/nsHttpConnectionInfo.h index c554b0d0aa8e..c0c16d16496b 100644 --- a/netwerk/protocol/http/nsHttpConnectionInfo.h +++ b/netwerk/protocol/http/nsHttpConnectionInfo.h @@ -212,6 +212,8 @@ class nsHttpConnectionInfo final : public ARefBase { void SetHasIPHintAddress(bool aHasIPHint) { mHasIPHintAddress = aHasIPHint; } bool HasIPHintAddress() const { return mHasIPHintAddress; } + const nsCString& GetEchConfig() const { return mEchConfig; } + private: // These constructor versions are intended to be used from Clone() and // DeserializeHttpConnectionInfoCloneArgs(). @@ -234,6 +236,7 @@ class nsHttpConnectionInfo final : public ARefBase { nsProxyInfo* proxyInfo, const OriginAttributes& originAttributes, bool EndToEndSSL, bool aIsHttp3); void SetOriginServer(const nsACString& host, int32_t port); + void SetEchConfig(const nsACString& aEchConfig) { mEchConfig = aEchConfig; } nsCString mOrigin; int32_t mOriginPort; @@ -264,6 +267,7 @@ class nsHttpConnectionInfo final : public ARefBase { bool mIsHttp3; bool mHasIPHintAddress = false; + nsCString mEchConfig; // for RefPtr NS_INLINE_DECL_THREADSAFE_REFCOUNTING(nsHttpConnectionInfo, override) diff --git a/netwerk/protocol/http/nsHttpConnectionMgr.cpp b/netwerk/protocol/http/nsHttpConnectionMgr.cpp index 83f2e2b68ba7..1a55da7b5b0a 100644 --- a/netwerk/protocol/http/nsHttpConnectionMgr.cpp +++ b/netwerk/protocol/http/nsHttpConnectionMgr.cpp @@ -4237,7 +4237,7 @@ nsresult nsHttpConnectionMgr::nsHalfOpenSocket::SetupStreams( } if (ci->GetLessThanTls13()) { - tmpFlags |= nsISocketTransport::DONT_TRY_ESNI; + tmpFlags |= nsISocketTransport::DONT_TRY_ECH; } if (((mCaps & NS_HTTP_BE_CONSERVATIVE) || ci->GetBeConservative()) && @@ -4330,6 +4330,11 @@ nsresult nsHttpConnectionMgr::nsHalfOpenSocket::SetupStreams( rv = socketTransport->SetSecurityCallbacks(this); NS_ENSURE_SUCCESS(rv, rv); + if (gHttpHandler->EchConfigEnabled()) { + rv = socketTransport->SetEchConfig(ci->GetEchConfig()); + NS_ENSURE_SUCCESS(rv, rv); + } + Telemetry::Accumulate(Telemetry::HTTP_CONNECTION_ENTRY_CACHE_HIT_1, mEnt->mUsedForConnection); mEnt->mUsedForConnection = true; diff --git a/netwerk/socket/nsISSLSocketControl.idl b/netwerk/socket/nsISSLSocketControl.idl index 8f23ebb1ebfa..a5855eeeac24 100644 --- a/netwerk/socket/nsISSLSocketControl.idl +++ b/netwerk/socket/nsISSLSocketControl.idl @@ -146,10 +146,10 @@ interface nsISSLSocketControl : nsISupports { [infallible] readonly attribute boolean failedVerification; /* - * esniTxt is a string that consists of the concatenated _esni. TXT records. - * This is a base64 encoded ESNIKeys structure. + * echConfig is defined for conveying the ECH configuration. + * This is encoded in base64. */ - attribute ACString esniTxt; + attribute ACString echConfig; /** * The id used to uniquely identify the connection to the peer. diff --git a/security/manager/ssl/CommonSocketControl.cpp b/security/manager/ssl/CommonSocketControl.cpp index 40dbd6dd5937..d1ed153a1940 100644 --- a/security/manager/ssl/CommonSocketControl.cpp +++ b/security/manager/ssl/CommonSocketControl.cpp @@ -276,12 +276,12 @@ CommonSocketControl::GetFailedVerification(bool* arg) { } NS_IMETHODIMP -CommonSocketControl::GetEsniTxt(nsACString& aEsniTxt) { +CommonSocketControl::GetEchConfig(nsACString& aEchConfig) { return NS_ERROR_NOT_IMPLEMENTED; } NS_IMETHODIMP -CommonSocketControl::SetEsniTxt(const nsACString& aEsniTxt) { +CommonSocketControl::SetEchConfig(const nsACString& aEchConfig) { return NS_ERROR_NOT_IMPLEMENTED; } diff --git a/security/manager/ssl/nsNSSIOLayer.cpp b/security/manager/ssl/nsNSSIOLayer.cpp index 9dea4c40f0e2..681ca17855d5 100644 --- a/security/manager/ssl/nsNSSIOLayer.cpp +++ b/security/manager/ssl/nsNSSIOLayer.cpp @@ -697,33 +697,35 @@ PRStatus nsNSSSocketInfo::CloseSocketAndDestroy() { } NS_IMETHODIMP -nsNSSSocketInfo::GetEsniTxt(nsACString& aEsniTxt) { - aEsniTxt = mEsniTxt; +nsNSSSocketInfo::GetEchConfig(nsACString& aEchConfig) { + aEchConfig = mEchConfig; return NS_OK; } NS_IMETHODIMP -nsNSSSocketInfo::SetEsniTxt(const nsACString& aEsniTxt) { - mEsniTxt = aEsniTxt; +nsNSSSocketInfo::SetEchConfig(const nsACString& aEchConfig) { + mEchConfig = aEchConfig; - if (mEsniTxt.Length()) { - nsAutoCString esniBin; - if (NS_OK != Base64Decode(mEsniTxt, esniBin)) { +#if 0 + if (mEchConfig.Length()) { + nsAutoCString echBin; + if (NS_OK != Base64Decode(mEchConfig, echBin)) { MOZ_LOG(gPIPNSSLog, LogLevel::Error, - ("[%p] Invalid ESNIKeys record. Couldn't base64 decode\n", + ("[%p] Invalid EchConfig record. Couldn't base64 decode\n", (void*)mFd)); return NS_OK; } - if (SECSuccess != - SSL_EnableESNI(mFd, reinterpret_cast(esniBin.get()), - esniBin.Length(), nullptr)) { + if (SECSuccess != SSL_SetClientEchConfigs( + mFd, reinterpret_cast(echBin.get()), + echBin.Length())) { MOZ_LOG(gPIPNSSLog, LogLevel::Error, - ("[%p] Invalid ESNIKeys record %s\n", (void*)mFd, + ("[%p] Invalid EchConfig record %s\n", (void*)mFd, PR_ErrorToName(PR_GetError()))); return NS_OK; } } +#endif return NS_OK; } diff --git a/security/manager/ssl/nsNSSIOLayer.h b/security/manager/ssl/nsNSSIOLayer.h index c29616aca743..17144daac282 100644 --- a/security/manager/ssl/nsNSSIOLayer.h +++ b/security/manager/ssl/nsNSSIOLayer.h @@ -66,8 +66,8 @@ class nsNSSSocketInfo final : public CommonSocketControl { void SetDenyClientCert(bool aDenyClientCert) override; NS_IMETHOD GetClientCert(nsIX509Cert** aClientCert) override; NS_IMETHOD SetClientCert(nsIX509Cert* aClientCert) override; - NS_IMETHOD GetEsniTxt(nsACString& aEsniTxt) override; - NS_IMETHOD SetEsniTxt(const nsACString& aEsniTxt) override; + NS_IMETHOD GetEchConfig(nsACString& aEchConfig) override; + NS_IMETHOD SetEchConfig(const nsACString& aEchConfig) override; NS_IMETHOD GetPeerId(nsACString& aResult) override; PRStatus CloseSocketAndDestroy(); @@ -180,7 +180,7 @@ class nsNSSSocketInfo final : public CommonSocketControl { nsresult ActivateSSL(); - nsCString mEsniTxt; + nsCString mEchConfig; nsCString mPeerId; bool mEarlyDataAccepted; bool mDenyClientCert;