TLS 1.3 support (part 3), adapted from:

https://github.com/MoonchildProductions/Pale-Moon/commit/ac4f201752ddbd05b0cc35b76ea4d2e9d0efb8b8
https://github.com/MoonchildProductions/Pale-Moon/commit/2045154e7c80760829bdc634ec561fb2ee027a17
https://github.com/MoonchildProductions/Pale-Moon/commit/87b37fe5e3f463ebeb5094b3ba9275482812cc6b
https://github.com/MoonchildProductions/Pale-Moon/commit/1c55c0d271565bfc3e785430ef40c8469ff650c3

embedding/components/webbrowserpersist/nsWebBrowserPersist.cpp

@@ -1116,6 +1116,8 @@ NS_IMETHODIMP nsWebBrowserPersist::OnStatus(
         case NS_NET_STATUS_END_FTP_TRANSACTION:
         case NS_NET_STATUS_CONNECTING_TO:
         case NS_NET_STATUS_CONNECTED_TO:
+        case NS_NET_STATUS_TLS_HANDSHAKE_STARTING:
+        case NS_NET_STATUS_TLS_HANDSHAKE_ENDED:
         case NS_NET_STATUS_SENDING_TO:
         case NS_NET_STATUS_RECEIVING_FROM:
         case NS_NET_STATUS_WAITING_FOR:

netwerk/locales/en-US/necko.properties

@@ -17,6 +17,8 @@
 9=Wrote %1$S
 10=Waiting for %1$S…
 11=Looked up %1$S…
+12=Performing a TLS handshake to %1$S…
+13=The TLS handshake finished for %1$S…
 
 27=Beginning FTP transaction…
 28=Finished FTP transaction

netwerk/protocol/ftp/nsFtpConnectionThread.cpp

@@ -2025,6 +2025,8 @@ nsFtpState::OnTransportStatus(nsITransport *transport, nsresult status,
         case NS_NET_STATUS_RESOLVED_HOST:
         case NS_NET_STATUS_CONNECTING_TO:
         case NS_NET_STATUS_CONNECTED_TO:
+        case NS_NET_STATUS_TLS_HANDSHAKE_STARTING:
+        case NS_NET_STATUS_TLS_HANDSHAKE_ENDED:
             break;
         default:
             return NS_OK;

netwerk/protocol/http/Http2Session.cpp

@@ -2235,6 +2235,8 @@ Http2Session::OnTransportStatus(nsITransport* aTransport,
   case NS_NET_STATUS_RESOLVED_HOST:
   case NS_NET_STATUS_CONNECTING_TO:
   case NS_NET_STATUS_CONNECTED_TO:
+  case NS_NET_STATUS_TLS_HANDSHAKE_STARTING:
+  case NS_NET_STATUS_TLS_HANDSHAKE_ENDED:
   {
     Http2Stream *target = mStreamIDHash.Get(1);
     nsAHttpTransaction *transaction = target ? target->Transaction() : nullptr;
@@ -2301,7 +2303,13 @@ Http2Session::ReadSegmentsAgain(nsAHttpSegmentReader *reader,
   if (!stream) {
     LOG3(("Http2Session %p could not identify a stream to write; suspending.",
           this));
+    uint32_t availBeforeFlush = mOutputQueueUsed - mOutputQueueSent;
     FlushOutputQueue();
+    uint32_t availAfterFlush = mOutputQueueUsed - mOutputQueueSent;
+    if (availBeforeFlush != availAfterFlush) {
+      LOG3(("Http2Session %p ResumeRecv After early flush in ReadSegments", this));
+      ResumeRecv();
+    }
     SetWriteCallbacks();
     return NS_BASE_STREAM_WOULD_BLOCK;
   }

netwerk/protocol/http/nsHttpTransaction.cpp

@@ -2367,6 +2367,7 @@ nsHttpTransaction::Do0RTT()
 nsresult
 nsHttpTransaction::Finish0RTT(bool aRestart)
 {
+    LOG(("nsHttpTransaction::Finish0RTT %p %d\n", this, aRestart));
     MOZ_ASSERT(m0RTTInProgress);
     m0RTTInProgress = false;
     if (aRestart) {
@@ -2378,6 +2379,10 @@ nsHttpTransaction::Finish0RTT(bool aRestart)
         } else {
             return NS_ERROR_FAILURE;
         }
+    } else if (!mConnected) {
+        // this is code that was skipped in ::ReadSegments while in 0RTT
+        mConnected = true;
+        mConnection->GetSecurityInfo(getter_AddRefs(mSecurityInfo));
     }
     return NS_OK;
 }

security/manager/ssl/nsNSSCallbacks.cpp

@@ -1233,11 +1233,16 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
   }
 
   PRBool siteSupportsSafeRenego;
-  rv = SSL_HandshakeNegotiatedExtension(fd, ssl_renegotiation_info_xtn,
-                                        &siteSupportsSafeRenego);
-  MOZ_ASSERT(rv == SECSuccess);
-  if (rv != SECSuccess) {
-    siteSupportsSafeRenego = false;
+  if (channelInfo.protocolVersion != SSL_LIBRARY_VERSION_TLS_1_3) {
+    rv = SSL_HandshakeNegotiatedExtension(fd, ssl_renegotiation_info_xtn,
+                                          &siteSupportsSafeRenego);
+    MOZ_ASSERT(rv == SECSuccess);
+    if (rv != SECSuccess) {
+      siteSupportsSafeRenego = false;
+    }
+  } else {
+    // TLS 1.3 dropped support for renegotiation.
+    siteSupportsSafeRenego = true;
   }
   bool renegotiationUnsafe = !siteSupportsSafeRenego &&
                              ioLayerHelpers.treatUnsafeNegotiationAsBroken();