Commit 9c541210 authored by Dragana Damjanovic's avatar Dragana Damjanovic

Bug 1718719 - Disable the TLS early-data if proxy is use r=necko-reviewers,keeler,kershaw

Currently we do not use early-data when a proxy is used, but we do not disable it in the NSS layer.

Differential Revision: https://phabricator.services.mozilla.com/D123492
parent 8ebf4981
+4 −0
@@ -365,5 +365,9 @@ NS_IMETHODIMP FuzzySecurityInfo::GetIsBuiltCertChainRootBuiltInRoot(
  return NS_OK;
}

NS_IMETHODIMP FuzzySecurityInfo::DisableEarlyData(void) {
  return NS_OK;
}

}  // namespace net
}  // namespace mozilla
+5 −0
@@ -1006,6 +1006,11 @@ nsresult nsHttpConnection::InitSSLParams(bool connectingToProxy,
    return rv;
  }

  // If proxy is use, don't use early-data.
  if (mConnInfo->UsingProxy()) {
    ssl->DisableEarlyData();
  }

  if (proxyStartSSL) {
    rv = ssl->ProxyStartSSL();
    if (NS_FAILED(rv)) {
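Review bot: The result of `ssl->DisableEarlyData()` on the added line is discarded, so a failure (nsNSSSocketInfo returns NS_ERROR_FAILURE when SSL_OptionSet fails, and the CommonSocketControl default returns NS_ERROR_NOT_IMPLEMENTED) leaves 0-RTT enabled in the TLS layer while the connection proceeds through the proxy, which is the state this commit is meant to rule out. Because the base implementation deliberately reports not-implemented, failing the connection outright may be too strict, but the outcome should at least be visible, e.g. `if (NS_FAILED(ssl->DisableEarlyData())) { LOG(("nsHttpConnection::InitSSLParams %p DisableEarlyData failed\n", this)); }`, or `NS_ENSURE_SUCCESS(rv, rv)` if every socket control reaching this path is NSS-backed. The comment on the first added line should read `// If a proxy is used, don't use early-data.` InitSSLParams begins and ends outside this hunk.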
+5 −0
@@ -166,5 +166,10 @@ interface nsISSLSocketControl : nsISupports {
     * The echConfig that should be used to retry for the connection setup.
     */
    readonly attribute ACString retryEchConfig;

    /**
     * Disable early data.
     */
    [noscript] void disableEarlyData();
};
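Review bot: The one-line doc for disableEarlyData leaves the contract ambiguous: when it must be called relative to the TLS handshake, what happens on a socket control with no NSS layer, and which error callers should expect from implementations that do not support it (the default in CommonSocketControl returns NS_ERROR_NOT_IMPLEMENTED). Suggest expanding the comment to say that it disables TLS 1.3 0-RTT (early data) on the underlying NSS socket, that it presumably has to be invoked before the handshake starts (confirm against NSS's handling of SSL_ENABLE_0RTT_DATA), and that it returns NS_ERROR_NOT_IMPLEMENTED when the socket control has no NSS backend. The interface declaration begins before this hunk.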
+3 −0
@@ -354,3 +354,6 @@ NS_IMETHODIMP
CommonSocketControl::GetRetryEchConfig(nsACString& aEchConfig) {
  return NS_ERROR_NOT_IMPLEMENTED;
}

NS_IMETHODIMP
CommonSocketControl::DisableEarlyData(void) { return NS_ERROR_NOT_IMPLEMENTED; }
+15 −0
@@ -441,6 +441,21 @@ void nsNSSSocketInfo::SetSharedOwningReference(SharedSSLState* aRef) {
  mOwningSharedRef = aRef;
}

NS_IMETHODIMP
nsNSSSocketInfo::DisableEarlyData() {
  if (!mFd) {
    return NS_OK;
  }
  if (IsCanceled()) {
    return NS_OK;
  }

  if (SSL_OptionSet(mFd, SSL_ENABLE_0RTT_DATA, false) != SECSuccess) {
    return NS_ERROR_FAILURE;
  }
  return NS_OK;
}

void nsSSLIOLayerHelpers::Cleanup() {
  MutexAutoLock lock(mutex);
  mTLSIntoleranceInfo.Clear();
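Review bot: nsNSSSocketInfo::DisableEarlyData returns NS_OK from both early exits (`!mFd` and `IsCanceled()`) without touching SSL_ENABLE_0RTT_DATA, so a caller that reaches it before the fd is attached gets a success result while 0-RTT stays enabled; the `!mFd` case would be better reported as `return NS_ERROR_NOT_AVAILABLE;`, or the function should document that it must only be used after the IO layer is pushed and before the handshake starts. Whether InitSSLParams can run before mFd is set is not visible here, so confirm that ordering against the caller, and also confirm that the code which initially enables SSL_ENABLE_0RTT_DATA (presumably elsewhere in this file) runs before this call, since running it afterwards would silently re-enable 0-RTT. A header comment such as `// Turn off TLS 1.3 0-RTT on this socket; no-op (NS_OK) if there is no fd or the socket was canceled.` would make the contract explicit. Minor: `PR_FALSE` matches the PRBool parameter of SSL_OptionSet better than `false`.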