Bug 1665878 - Reset exclusion list when all target names are all excluded, r=dragana,necko-reviewers

Differential Revision: https://phabricator.services.mozilla.com/D90822
2020-10-06 20:06:53 +00:00 · 2020-10-06 20:06:53 +00:00 · e15e30d8c5
--- a/modules/libpref/init/StaticPrefList.yaml
+++ b/modules/libpref/init/StaticPrefList.yaml
@ -8579,6 +8579,12 @@
  value: true
  mirror: always

+# When true, reset the exclusion list when all records are excluded.
+- name: network.dns.httpssvc.reset_exclustion_list
+  type: RelaxedAtomicBool
+  value: true
+  mirror: always
+
 #---------------------------------------------------------------------------
 # Prefs starting with "nglayout."
 #---------------------------------------------------------------------------
--- a/netwerk/dns/ChildDNSService.cpp
+++ b/netwerk/dns/ChildDNSService.cpp
@ -435,6 +435,11 @@ ChildDNSService::IsSVCDomainNameFailed(const nsACString& aOwnerName,
  return NS_ERROR_NOT_IMPLEMENTED;
 }

+NS_IMETHODIMP
+ChildDNSService::ResetExcludedSVCDomainName(const nsACString& aOwnerName) {
+  return NS_ERROR_NOT_IMPLEMENTED;
+}
+
 //-----------------------------------------------------------------------------
 // ChildDNSService::nsIObserver
 //-----------------------------------------------------------------------------
--- a/netwerk/dns/nsDNSService2.cpp
+++ b/netwerk/dns/nsDNSService2.cpp
@ -1449,3 +1449,10 @@ nsDNSService::IsSVCDomainNameFailed(const nsACString& aOwnerName,
  *aResult = failedList->Contains(aSVCDomainName);
  return NS_OK;
 }
+
+NS_IMETHODIMP
+nsDNSService::ResetExcludedSVCDomainName(const nsACString& aOwnerName) {
+  MutexAutoLock lock(mLock);
+  mFailedSVCDomainNames.Remove(aOwnerName);
+  return NS_OK;
+}
--- a/netwerk/dns/nsIDNSService.idl
+++ b/netwerk/dns/nsIDNSService.idl
@ -212,6 +212,13 @@ interface nsIDNSService : nsISupports
    [noscript] boolean IsSVCDomainNameFailed(in ACString aOwnerName,
                                             in ACString aSVCDomainName);

+    /**
+     * Reset the exclusion list.
+     * @param aOwnerName
+     *        The owner name of this HTTPS RRs.
+     */
+    [noscript] void ResetExcludedSVCDomainName(in ACString aOwnerName);
+
    /**
     * Returns a string containing the URI currently used by the TRR service.
     */
--- a/netwerk/protocol/http/nsHttpTransaction.cpp
+++ b/netwerk/protocol/http/nsHttpTransaction.cpp
@ -16,6 +16,7 @@
 #include "TunnelUtils.h"
 #include "base/basictypes.h"
 #include "mozilla/Tokenizer.h"
+#include "mozilla/StaticPrefs_network.h"
 #include "nsCRT.h"
 #include "nsComponentManagerUtils.h"  // do_CreateInstance
 #include "nsHttpBasicAuth.h"
@ -2911,6 +2912,7 @@ NS_IMETHODIMP nsHttpTransaction::OnLookupComplete(nsICancelable* aRequest,
      Some(hasIPAddress ? HTTPSSVC_WITH_IPHINT_RECEIVED_STAGE_1
                        : HTTPSSVC_WITHOUT_IPHINT_RECEIVED_STAGE_1);

+  nsCOMPtr<nsIDNSService> dns = do_GetService(NS_DNSSERVICE_CONTRACTID);
  nsCOMPtr<nsISVCBRecord> svcbRecord;
  if (NS_FAILED(record->GetServiceModeRecord(mCaps & NS_HTTP_DISALLOW_SPDY,
                                             mCaps & NS_HTTP_DISALLOW_HTTP3,
@ -2922,7 +2924,17 @@ NS_IMETHODIMP nsHttpTransaction::OnLookupComplete(nsICancelable* aRequest,
                          allRecordsExcluded
                              ? HTTPSSVC_CONNECTION_ALL_RECORDS_EXCLUDED
                              : HTTPSSVC_CONNECTION_NO_USABLE_RECORD);
-    return NS_ERROR_FAILURE;
+    if (allRecordsExcluded &&
+        StaticPrefs::network_dns_httpssvc_reset_exclustion_list() && dns) {
+      Unused << dns->ResetExcludedSVCDomainName(mConnInfo->GetOrigin());
+      if (NS_FAILED(record->GetServiceModeRecord(mCaps & NS_HTTP_DISALLOW_SPDY,
+                                                 mCaps & NS_HTTP_DISALLOW_HTTP3,
+                                                 getter_AddRefs(svcbRecord)))) {
+        return NS_ERROR_FAILURE;
+      }
+    } else {
+      return NS_ERROR_FAILURE;
+    }
  }

  // Remember this RR set. In the case that the connection establishment failed,
@ -2941,7 +2953,6 @@ NS_IMETHODIMP nsHttpTransaction::OnLookupComplete(nsICancelable* aRequest,
  }

  // Prefetch the A/AAAA records of the target name.
-  nsCOMPtr<nsIDNSService> dns = do_GetService(NS_DNSSERVICE_CONTRACTID);
  if (dns) {
    uint32_t flags =
        nsIDNSService::GetFlagsFromTRRMode(mConnInfo->GetTRRMode());
--- a/netwerk/test/unit/test_trr_https_fallback.js
+++ b/netwerk/test/unit/test_trr_https_fallback.js
@ -88,6 +88,8 @@ registerCleanupFunction(() => {
  prefs.clearUserPref("network.dns.use_https_rr_as_altsvc");
  prefs.clearUserPref("network.dns.echconfig.enabled");
  prefs.clearUserPref("network.dns.echconfig.fallback_to_origin");
+  prefs.clearUserPref("network.dns.httpssvc.reset_exclustion_list");
+  trrServer.stop();
 });

 class DNSListener {
@ -591,3 +593,104 @@ add_task(async function testFallbackToTheOrigin3() {

  await trrServer.stop();
 });
+
+add_task(async function testResetExclusionList() {
+  trrServer = new TRRServer();
+  await trrServer.start();
+  Services.prefs.setIntPref("network.trr.mode", 3);
+  Services.prefs.setCharPref(
+    "network.trr.uri",
+    `https://foo.example.com:${trrServer.port}/dns-query`
+  );
+  Services.prefs.setBoolPref(
+    "network.dns.httpssvc.reset_exclustion_list",
+    false
+  );
+
+  await trrServer.registerDoHAnswers("test.reset.com", "HTTPS", [
+    {
+      name: "test.reset.com",
+      ttl: 55,
+      type: "HTTPS",
+      flush: false,
+      data: {
+        priority: 1,
+        name: "test.reset1.com",
+        values: [
+          { key: "alpn", value: "h2,h3" },
+          { key: "port", value: h2Port },
+          { key: "echconfig", value: "456..." },
+        ],
+      },
+    },
+    {
+      name: "test.reset.com",
+      ttl: 55,
+      type: "HTTPS",
+      flush: false,
+      data: {
+        priority: 2,
+        name: "test.reset2.com",
+        values: [
+          { key: "alpn", value: "h2,h3" },
+          { key: "echconfig", value: "456..." },
+        ],
+      },
+    },
+  ]);
+
+  let listener = new DNSListener();
+
+  let request = dns.asyncResolve(
+    "test.reset.com",
+    dns.RESOLVE_TYPE_HTTPSSVC,
+    0,
+    null, // resolverInfo
+    listener,
+    mainThread,
+    defaultOriginAttributes
+  );
+
+  let [inRequest, inRecord, inStatus] = await listener;
+  Assert.equal(inRequest, request, "correct request was used");
+  Assert.equal(inStatus, Cr.NS_OK, "status OK");
+
+  certOverrideService.setDisableAllSecurityChecksAndLetAttackersInterceptMyData(
+    true
+  );
+
+  // After this request, test.reset1.com and test.reset2.com should be both in
+  // the exclusion list.
+  let chan = makeChan(`https://test.reset.com:${h2Port}/server-timing`);
+  await channelOpenPromise(chan, CL_EXPECT_LATE_FAILURE | CL_ALLOW_UNKNOWN_CL);
+
+  // This request should be also failed, because all records are excluded.
+  chan = makeChan(`https://test.reset.com:${h2Port}/server-timing`);
+  await channelOpenPromise(chan, CL_EXPECT_LATE_FAILURE | CL_ALLOW_UNKNOWN_CL);
+
+  await trrServer.registerDoHAnswers("test.reset1.com", "A", [
+    {
+      name: "test.reset1.com",
+      ttl: 55,
+      type: "A",
+      flush: false,
+      data: "127.0.0.1",
+    },
+  ]);
+
+  Services.prefs.setBoolPref(
+    "network.dns.httpssvc.reset_exclustion_list",
+    true
+  );
+
+  // After enable network.dns.httpssvc.reset_exclustion_list and register
+  // A record for test.reset1.com, this request should be succeeded.
+  chan = makeChan(`https://test.reset.com:${h2Port}/server-timing`);
+  await channelOpenPromise(chan);
+
+  certOverrideService.setDisableAllSecurityChecksAndLetAttackersInterceptMyData(
+    false
+  );
+
+  await trrServer.stop();
+});