Bug 1627654 - Setup resumption callback when nsNSSSocketInfo is created r=keeler

Differential Revision: https://phabricator.services.mozilla.com/D69883

--HG--
extra : moz-landing-system : lando

netwerk/base/FuzzySecurityInfo.cpp

@@ -335,8 +335,5 @@ FuzzySecurityInfo::GetPeerId(nsACString& aResult) {
   return NS_OK;
 }
 
-NS_IMETHODIMP
-FuzzySecurityInfo::SetResumptionTokenFromExternalCache() { return NS_OK; }
-
 }  // namespace net
 }  // namespace mozilla

netwerk/base/nsSocketTransport2.cpp

@@ -737,7 +737,6 @@ nsSocketTransport::nsSocketTransport()
       mFastOpenStatus(TFO_NOT_SET),
       mFirstRetryError(NS_OK),
       mDoNotRetryToConnect(false),
-      mSSLCallbackSet(false),
       mUsingQuic(false) {
   this->mNetAddr.raw.family = 0;
   this->mNetAddr.inet = {};
@@ -1278,36 +1277,6 @@ nsresult nsSocketTransport::BuildSocket(PRFileDesc*& fd, bool& proxyTransparent,
   return rv;
 }
 
-// static
-SECStatus nsSocketTransport::StoreResumptionToken(
-    PRFileDesc* fd, const PRUint8* resumptionToken, unsigned int len,
-    void* ctx) {
-  PRIntn val;
-  if (SSL_OptionGet(fd, SSL_ENABLE_SESSION_TICKETS, &val) != SECSuccess ||
-      val == 0) {
-    return SECFailure;
-  }
-
-  nsCOMPtr<nsISSLSocketControl> secCtrl =
-      do_QueryInterface(static_cast<nsSocketTransport*>(ctx)->mSecInfo);
-  if (!secCtrl) {
-    return SECFailure;
-  }
-  nsAutoCString peerId;
-  secCtrl->GetPeerId(peerId);
-
-  nsCOMPtr<nsITransportSecurityInfo> secInfo = do_QueryInterface(secCtrl);
-  if (!secInfo) {
-    return SECFailure;
-  }
-
-  if (NS_FAILED(SSLTokensCache::Put(peerId, resumptionToken, len, secInfo))) {
-    return SECFailure;
-  }
-
-  return SECSuccess;
-}
-
 nsresult nsSocketTransport::InitiateSocket() {
   SOCKET_LOG(("nsSocketTransport::InitiateSocket [this=%p]\n", this));
 
@@ -1622,19 +1591,6 @@ nsresult nsSocketTransport::InitiateSocket() {
     }
   }
 
-  nsCOMPtr<nsISSLSocketControl> secCtrl = do_QueryInterface(mSecInfo);
-  if (usingSSL && secCtrl && SSLTokensCache::IsEnabled()) {
-    rv = secCtrl->SetResumptionTokenFromExternalCache();
-    if (NS_FAILED(rv)) {
-      SOCKET_LOG(("SetResumptionTokenFromExternalCache failed [rv=%" PRIx32
-                  "]\n",
-                  static_cast<uint32_t>(rv)));
-      return rv;
-    }
-    SSL_SetResumptionTokenCallback(fd, &StoreResumptionToken, this);
-    mSSLCallbackSet = true;
-  }
-
   bool connectCalled = true;  // This is only needed for telemetry.
   status = PR_Connect(fd, &prAddr, NS_SOCKET_CONNECT_TIMEOUT);
   PRErrorCode code = PR_GetError();
@@ -2121,11 +2077,6 @@ void nsSocketTransport::ReleaseFD_Locked(PRFileDesc* fd) {
   NS_ASSERTION(mFD == fd, "wrong fd");
 
   if (--mFDref == 0) {
-    if (mSSLCallbackSet) {
-      SSL_SetResumptionTokenCallback(fd, nullptr, nullptr);
-      mSSLCallbackSet = false;
-    }
-
     if (gIOService->IsNetTearingDown() &&
         ((PR_IntervalNow() - gIOService->NetTearingDownStarted()) >
          gSocketTransportService->MaxTimeForPrClosePref())) {

netwerk/base/nsSocketTransport2.h

@@ -174,10 +174,6 @@ class nsSocketTransport final : public nsASocketHandler,
   virtual ~nsSocketTransport();
 
  private:
-  static SECStatus StoreResumptionToken(PRFileDesc* fd,
-                                        const PRUint8* resumptionToken,
-                                        unsigned int len, void* ctx);
-
   // event types
   enum {
     MSG_ENSURE_CONNECT,
@@ -475,11 +471,6 @@ class nsSocketTransport final : public nsASocketHandler,
 
   bool mDoNotRetryToConnect;
 
-  // True if SSL_SetResumptionTokenCallback was called. We need to clear the
-  // callback when mFD is nulled out to make sure the ssl layer cannot call
-  // the callback after nsSocketTransport is destroyed.
-  bool mSSLCallbackSet;
-
   // If the connection is used for QUIC this is set to true. That will mean
   // that UDP will be used. QUIC do not have a SocketProvider because it is a
   // mix of transport and application(HTTP) level protocol. nsSocketTransport

netwerk/socket/nsISSLSocketControl.idl

@@ -71,10 +71,6 @@ interface nsISSLSocketControl : nsISupports {
      */
     boolean isAcceptableForHost(in ACString hostname);
 
-    /* Read the resumption token from SSLTokansCache and set it to the socket.
-     */
-    [noscript] void setResumptionTokenFromExternalCache();
-
     /* The Key Exchange Algorithm is used when determining whether or
        not HTTP/2 can be used.
 

security/manager/ssl/CommonSocketControl.cpp

@@ -251,8 +251,3 @@ NS_IMETHODIMP
 CommonSocketControl::GetPeerId(nsACString& aResult) {
   return NS_ERROR_NOT_IMPLEMENTED;
 }
-
-NS_IMETHODIMP
-CommonSocketControl::SetResumptionTokenFromExternalCache() {
-  return NS_ERROR_NOT_IMPLEMENTED;
-}

security/manager/ssl/nsNSSIOLayer.cpp

@@ -677,6 +677,12 @@ PRStatus nsNSSSocketInfo::CloseSocketAndDestroy() {
     poppedPlaintext->dtor(poppedPlaintext);
   }
 
+  // We need to clear the callback to make sure the ssl layer cannot call the
+  // callback after mFD is nulled.
+  if (net::SSLTokensCache::IsEnabled()) {
+    SSL_SetResumptionTokenCallback(mFd, nullptr, nullptr);
+  }
+
   PRStatus status = mFd->methods->close(mFd);
 
   // the nsNSSSocketInfo instance can out-live the connection, so we need some
@@ -757,8 +763,7 @@ nsNSSSocketInfo::GetPeerId(nsACString& aResult) {
   return NS_OK;
 }
 
-NS_IMETHODIMP
-nsNSSSocketInfo::SetResumptionTokenFromExternalCache() {
+nsresult nsNSSSocketInfo::SetResumptionTokenFromExternalCache() {
   if (!mozilla::net::SSLTokensCache::IsEnabled()) {
     return NS_OK;
   }
@@ -2323,6 +2328,29 @@ static nsresult nsSSLIOLayerSetOptions(PRFileDesc* fd, bool forSTARTTLS,
   return NS_OK;
 }
 
+SECStatus StoreResumptionToken(PRFileDesc* fd, const PRUint8* resumptionToken,
+                               unsigned int len, void* ctx) {
+  PRIntn val;
+  if (SSL_OptionGet(fd, SSL_ENABLE_SESSION_TICKETS, &val) != SECSuccess ||
+      val == 0) {
+    return SECFailure;
+  }
+
+  nsNSSSocketInfo* infoObject = (nsNSSSocketInfo*)ctx;
+  if (!infoObject) {
+    return SECFailure;
+  }
+
+  nsAutoCString peerId;
+  infoObject->GetPeerId(peerId);
+  if (NS_FAILED(
+          net::SSLTokensCache::Put(peerId, resumptionToken, len, infoObject))) {
+    return SECFailure;
+  }
+
+  return SECSuccess;
+}
+
 nsresult nsSSLIOLayerAddToSocket(int32_t family, const char* host, int32_t port,
                                  nsIProxyInfo* proxy,
                                  const OriginAttributes& originAttributes,
@@ -2421,6 +2449,14 @@ nsresult nsSSLIOLayerAddToSocket(int32_t family, const char* host, int32_t port,
 
   infoObject->SharedState().NoteSocketCreated();
 
+  if (net::SSLTokensCache::IsEnabled()) {
+    rv = infoObject->SetResumptionTokenFromExternalCache();
+    if (NS_FAILED(rv)) {
+      return rv;
+    }
+    SSL_SetResumptionTokenCallback(sslSock, &StoreResumptionToken, infoObject);
+  }
+
   return NS_OK;
 loser:
   NS_IF_RELEASE(infoObject);

security/manager/ssl/nsNSSIOLayer.h

@@ -69,7 +69,6 @@ class nsNSSSocketInfo final : public CommonSocketControl {
   NS_IMETHOD GetEsniTxt(nsACString& aEsniTxt) override;
   NS_IMETHOD SetEsniTxt(const nsACString& aEsniTxt) override;
   NS_IMETHOD GetPeerId(nsACString& aResult) override;
-  NS_IMETHOD SetResumptionTokenFromExternalCache() override;
 
   PRStatus CloseSocketAndDestroy();
 
@@ -160,6 +159,8 @@ class nsNSSSocketInfo final : public CommonSocketControl {
 
   void SetSharedOwningReference(mozilla::psm::SharedSSLState* ref);
 
+  nsresult SetResumptionTokenFromExternalCache();
+
  protected:
   virtual ~nsNSSSocketInfo();