Bug 1816952: Add HTTP3 ECH GREASE Pref. r=kershaw,necko-reviewers

This has been tested manually with Wireshark as we don't have a H3 web server which can signal whether GREASE was added to the ClientHello or not. Differential Revision: https://phabricator.services.mozilla.com/D170057
2024-10-08 19:04:45 +00:00 · 2023-02-16 16:10:52 +00:00 · 2023-02-16 16:10:52 +00:00 · 997470442d
commit 997470442d
parent 641ff896a7
3 changed files with 28 additions and 10 deletions
--- a/modules/libpref/init/StaticPrefList.yaml
+++ b/modules/libpref/init/StaticPrefList.yaml
@ -13656,6 +13656,12 @@
 #endif
  mirror: always

+# Whether to apply ECH GREASE settings to HTTP3/QUIC connections
+- name: security.tls.ech.grease_http3
+  type: RelaxedAtomicBool
+  value: false
+  mirror: always
+
 # Whether to retry connections without ECH Grease
 - name: security.tls.ech.disable_grease_on_fallback
  type: RelaxedAtomicBool
--- a/netwerk/protocol/http/Http3Session.cpp
+++ b/netwerk/protocol/http/Http3Session.cpp
@ -16,6 +16,7 @@
 #include "SSLServerCertVerification.h"
 #include "SSLTokensCache.h"
 #include "ScopedNSSTypes.h"
+#include "mozilla/RandomNum.h"
 #include "mozilla/RefPtr.h"
 #include "mozilla/Telemetry.h"
 #include "mozilla/net/DNS.h"
@ -171,8 +172,17 @@ nsresult Http3Session::Init(const nsHttpConnectionInfo* aConnInfo,
    ZeroRttTelemetry(ZeroRttOutcome::NOT_USED);
  }

-  if (gHttpHandler->EchConfigEnabled(true)) {
-    mSocketControl->SetEchConfig(mConnInfo->GetEchConfig());
+  auto config = mConnInfo->GetEchConfig();
+  if (config.IsEmpty()) {
+    if (StaticPrefs::security_tls_ech_grease_http3() && config.IsEmpty()) {
+      if ((RandomUint64().valueOr(0) % 100) >=
+          100 - StaticPrefs::security_tls_ech_grease_probability()) {
+        // Setting an empty config enables GREASE mode.
+        mSocketControl->SetEchConfig(config);
+      }
+    }
+  } else if (gHttpHandler->EchConfigEnabled(true) && !config.IsEmpty()) {
+    mSocketControl->SetEchConfig(config);
    HttpConnectionActivity activity(
        mConnInfo->HashKey(), mConnInfo->GetOrigin(), mConnInfo->OriginPort(),
        mConnInfo->EndToEndSSL(), !mConnInfo->GetEchConfig().IsEmpty(),
@ -190,14 +200,12 @@ nsresult Http3Session::Init(const nsHttpConnectionInfo* aConnInfo,
 }

 void Http3Session::DoSetEchConfig(const nsACString& aEchConfig) {
-  if (!aEchConfig.IsEmpty()) {
-    LOG(("Http3Session::DoSetEchConfig %p", this));
-    nsTArray<uint8_t> config;
-    config.AppendElements(
-        reinterpret_cast<const uint8_t*>(aEchConfig.BeginReading()),
-        aEchConfig.Length());
-    mHttp3Connection->SetEchConfig(config);
-  }
+  LOG(("Http3Session::DoSetEchConfig %p", this));
+  nsTArray<uint8_t> config;
+  config.AppendElements(
+      reinterpret_cast<const uint8_t*>(aEchConfig.BeginReading()),
+      aEchConfig.Length());
+  mHttp3Connection->SetEchConfig(config);
 }

 nsresult Http3Session::SendPriorityUpdateFrame(uint64_t aStreamId,
--- a/toolkit/components/nimbus/FeatureManifest.yaml
+++ b/toolkit/components/nimbus/FeatureManifest.yaml
@ -896,6 +896,10 @@ echPrefs:
      description: Probability of GREASEing a TLS connection with ECH (0-100).
      type: int
      setPref: "security.tls.ech.grease_probability"
+    h3GreaseEnabled:
+      description: Whether to apply GREASE settings to H3/QUIC connections.
+      type: boolean
+      setPref: "security.tls.ech.grease_http3"
    disableGreaseOnFallback:
      description: Whether to disable GREASE when retrying a connection.
      type: boolean